npm - gsd-pi - Versions diffs - 2.76.0 → 2.77.0-dev.1d17f366c - Mend

gsd-pi 2.76.0 → 2.77.0-dev.1d17f366c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (932) hide show

package/packages/pi-ai/dist/utils/oauth/google-gemini-cli.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"google-gemini-cli.d.ts","sourceRoot":"","sources":["../../../src/utils/oauth/google-gemini-cli.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAUH,OAAO,KAAK,EAAE,gBAAgB,EAAuB,sBAAsB,EAAE,MAAM,YAAY,CAAC;~~AAoPhG~~;;GAEG;AACH,wBAAsB,uBAAuB,CAAC,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAEhH;AAED;;;;;;;GAOG;AACH,wBAAsB,cAAc,CACnC,MAAM,EAAE,CAAC,IAAI,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,KAAK,IAAI,EAC9D,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,EACtC,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GACvC,OAAO,CAAC,gBAAgB,CAAC,CA0J3B;AAED,eAAO,MAAM,sBAAsB,EAAE,sBAqBpC,CAAC"}
1	+ {"version":3,"file":"google-gemini-cli.d.ts","sourceRoot":"","sources":["../../../src/utils/oauth/google-gemini-cli.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAUH,OAAO,KAAK,EAAE,gBAAgB,EAAuB,sBAAsB,EAAE,MAAM,YAAY,CAAC;AA+PhG;;GAEG;AACH,wBAAsB,uBAAuB,CAAC,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAEhH;AAED;;;;;;;GAOG;AACH,wBAAsB,cAAc,CACnC,MAAM,EAAE,CAAC,IAAI,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,KAAK,IAAI,EAC9D,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,EACtC,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GACvC,OAAO,CAAC,gBAAgB,CAAC,CA0J3B;AAED,eAAO,MAAM,sBAAsB,EAAE,sBAqBpC,CAAC"}

package/packages/pi-ai/dist/utils/oauth/google-gemini-cli.js CHANGED Viewed

@@ -7,9 +7,22 @@
  */
 import { getGoogleUserEmail, parseRedirectUrl, refreshGoogleOAuthToken, startCallbackServer, } from "./google-oauth-utils.js";
 import { generatePKCE } from "./pkce.js";
-const decode = (s) => atob(s);
-const CLIENT_ID = decode("NjgxMjU1ODA5Mzk1LW9vOGZ0Mm9wcmRybnA5ZTNhcWY2YXYzaG1kaWIxMzVqLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29t");
-const CLIENT_SECRET = decode("R09DU1BYLTR1SGdNUG0tMW83U2stZ2VWNkN1NWNsWEZzeGw=");
+// Gemini CLI OAuth credentials (Google Cloud Code Assist)
+//
+// NOTE: These credentials are public in the source code. They should NOT be
+// obfuscated because security scanners flag obfuscated data as potentially
+// malicious (see: https://socket.dev/npm/package/gsd-pi/alerts/2.70.1?alert_name=obfuscatedFile)
+//
+// Google's OAuth implementation requires client_secret for Desktop App OAuth
+// clients even though it cannot be kept secret in distributed applications.
+// The actual security relies on:
+// - PKCE (Proof Key for Code Exchange) via code_verifier
+// - Redirect URI validation (localhost only)
+// - User consent and token scope limits
+//
+// See: https://developers.google.com/identity/protocols/oauth2/native-app
+const CLIENT_ID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com";
+const CLIENT_SECRET = "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";
 const REDIRECT_URI = "http://localhost:8085/oauth2callback";
 const SCOPES = [
     "https://www.googleapis.com/auth/cloud-platform",

package/packages/pi-ai/dist/utils/oauth/google-gemini-cli.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"google-gemini-cli.js","sourceRoot":"","sources":["../../../src/utils/oauth/google-gemini-cli.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAEN,kBAAkB,EAClB,gBAAgB,EAChB,uBAAuB,EACvB,mBAAmB,GACnB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAOzC,MAAM,MAAM,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACtC,MAAM,SAAS,GAAG,MAAM,CACvB,kGAAkG,CAClG,CAAC;AACF,MAAM,aAAa,GAAG,MAAM,CAAC,kDAAkD,CAAC,CAAC;AACjF,MAAM,YAAY,GAAG,sCAAsC,CAAC;AAC5D,MAAM,MAAM,GAAG;IACd,gDAAgD;IAChD,gDAAgD;IAChD,kDAAkD;CAClD,CAAC;AACF,MAAM,QAAQ,GAAG,8CAA8C,CAAC;AAChE,MAAM,SAAS,GAAG,qCAAqC,CAAC;AACxD,MAAM,oBAAoB,GAAG,qCAAqC,CAAC;AAEnE,gCAAgC;AAChC,MAAM,aAAa,GAAG,IAAI,CAAC;AAC3B,MAAM,aAAa,GAAG,iBAAiB,CAAC;AAmBxC,yCAAyC;AACzC,MAAM,SAAS,GAAG,WAAW,CAAC;AAC9B,MAAM,WAAW,GAAG,aAAa,CAAC;AAClC,MAAM,aAAa,GAAG,eAAe,CAAC;AAQtC;;GAEG;AACH,SAAS,IAAI,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,YAA0D;IACjF,IAAI,CAAC,YAAY,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,WAAW,EAAE,CAAC;IAC3E,MAAM,WAAW,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAC1D,OAAO,WAAW,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,CAAC;AAC3C,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB;IAC5C,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1D,IAAI,CAAC,CAAC,OAAO,IAAI,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,KAAK,GAAI,OAAkC,CAAC,KAAK,CAAC;IACxD,IAAI,CAAC,KAAK,EAAE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,0BAA0B,CAAC,CAAC;AACrF,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAC3B,aAAqB,EACrB,OAA+B,EAC/B,UAAsC;IAEtC,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,OAAO,IAAI,EAAE,CAAC;QACb,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;YACjB,UAAU,EAAE,CAAC,6CAA6C,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC;YAC7E,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,oBAAoB,eAAe,aAAa,EAAE,EAAE;YACnF,MAAM,EAAE,KAAK;YACb,OAAO;YACP,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACnC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiC,CAAC;QACrE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,OAAO,IAAI,CAAC;QACb,CAAC;QAED,OAAO,IAAI,CAAC,CAAC;IACd,CAAC;AACF,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAAC,WAAmB,EAAE,UAAsC;IACzF,8DAA8D;IAC9D,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;IAE7F,MAAM,OAAO,GAAG;QACf,aAAa,EAAE,UAAU,WAAW,EAAE;QACtC,cAAc,EAAE,kBAAkB;QAClC,YAAY,EAAE,iCAAiC;QAC/C,mBAAmB,EAAE,iBAAiB;KACtC,CAAC;IAEF,kDAAkD;IAClD,UAAU,EAAE,CAAC,oDAAoD,CAAC,CAAC;IACnE,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,GAAG,oBAAoB,4BAA4B,EAAE;QACrF,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACpB,uBAAuB,EAAE,YAAY;YACrC,QAAQ,EAAE;gBACT,OAAO,EAAE,iBAAiB;gBAC1B,QAAQ,EAAE,sBAAsB;gBAChC,UAAU,EAAE,QAAQ;gBACpB,WAAW,EAAE,YAAY;aACzB;SACD,CAAC;QACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACnC,CAAC,CAAC;IAEH,IAAI,IAA2B,CAAC;IAEhC,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;QACtB,IAAI,YAAqB,CAAC;QAC1B,IAAI,CAAC;YACJ,YAAY,GAAG,MAAM,YAAY,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACR,YAAY,GAAG,SAAS,CAAC;QAC1B,CAAC;QAED,IAAI,mBAAmB,CAAC,YAAY,CAAC,EAAE,CAAC;YACvC,IAAI,GAAG,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,CAAC;QAC/C,CAAC;aAAM,CAAC;YACP,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,0BAA0B,YAAY,CAAC,MAAM,IAAI,YAAY,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC,CAAC;QAC3G,CAAC;IACF,CAAC;SAAM,CAAC;QACP,IAAI,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAA0B,CAAC;IAC7D,CAAC;IAED,yDAAyD;IACzD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QACtB,IAAI,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC,uBAAuB,CAAC;QACrC,CAAC;QACD,gFAAgF;QAChF,IAAI,YAAY,EAAE,CAAC;YAClB,OAAO,YAAY,CAAC;QACrB,CAAC;QACD,MAAM,IAAI,KAAK,CACd,0GAA0G;YACzG,wDAAwD,CACzD,CAAC;IACH,CAAC;IAED,oDAAoD;IACpD,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAI,EAAE,EAAE,IAAI,SAAS,CAAC;IAErC,IAAI,MAAM,KAAK,SAAS,IAAI,CAAC,YAAY,EAAE,CAAC;QAC3C,MAAM,IAAI,KAAK,CACd,0GAA0G;YACzG,wDAAwD,CACzD,CAAC;IACH,CAAC;IAED,UAAU,EAAE,CAAC,oEAAoE,CAAC,CAAC;IAEnF,0FAA0F;IAC1F,8DAA8D;IAC9D,MAAM,WAAW,GAA4B;QAC5C,MAAM;QACN,QAAQ,EAAE;YACT,OAAO,EAAE,iBAAiB;YAC1B,QAAQ,EAAE,sBAAsB;YAChC,UAAU,EAAE,QAAQ;SACpB;KACD,CAAC;IAEF,IAAI,MAAM,KAAK,SAAS,IAAI,YAAY,EAAE,CAAC;QAC1C,WAAW,CAAC,uBAAuB,GAAG,YAAY,CAAC;QAClD,WAAW,CAAC,QAAoC,CAAC,WAAW,GAAG,YAAY,CAAC;IAC9E,CAAC;IAED,2DAA2D;IAC3D,MAAM,eAAe,GAAG,MAAM,KAAK,CAAC,GAAG,oBAAoB,yBAAyB,EAAE;QACrF,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;QACjC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACnC,CAAC,CAAC;IAEH,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,IAAI,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,uBAAuB,eAAe,CAAC,MAAM,IAAI,eAAe,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC,CAAC;IAC9G,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,MAAM,eAAe,CAAC,IAAI,EAAE,CAAiC,CAAC;IAE7E,yDAAyD;IACzD,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACnC,OAAO,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;IAClE,CAAC;IAED,0CAA0C;IAC1C,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,EAAE,uBAAuB,EAAE,EAAE,CAAC;IAChE,IAAI,SAAS,EAAE,CAAC;QACf,OAAO,SAAS,CAAC;IAClB,CAAC;IAED,yDAAyD;IACzD,IAAI,YAAY,EAAE,CAAC;QAClB,OAAO,YAAY,CAAC;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CACd,0DAA0D;QACzD,wFAAwF;QACxF,wDAAwD,CACzD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,YAAoB,EAAE,SAAiB;IACpF,OAAO,uBAAuB,CAAC,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,cAAc,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;AACvG,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CACnC,MAA8D,EAC9D,UAAsC,EACtC,iBAAyC;IAEzC,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;IAErD,kCAAkC;IAClC,UAAU,EAAE,CAAC,6CAA6C,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAuB,MAAM,mBAAmB,CAAC,aAAa,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;IAEzG,IAAI,IAAwB,CAAC;IAE7B,IAAI,CAAC;QACJ,0BAA0B;QAC1B,MAAM,UAAU,GAAG,IAAI,eAAe,CAAC;YACtC,SAAS,EAAE,SAAS;YACpB,aAAa,EAAE,MAAM;YACrB,YAAY,EAAE,YAAY;YAC1B,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACvB,cAAc,EAAE,SAAS;YACzB,qBAAqB,EAAE,MAAM;YAC7B,KAAK,EAAE,QAAQ;YACf,WAAW,EAAE,SAAS;YACtB,MAAM,EAAE,SAAS;SACjB,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,GAAG,QAAQ,IAAI,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC;QAEvD,iCAAiC;QACjC,MAAM,CAAC;YACN,GAAG,EAAE,OAAO;YACZ,YAAY,EAAE,uCAAuC;SACrD,CAAC,CAAC;QAEH,8DAA8D;QAC9D,UAAU,EAAE,CAAC,+BAA+B,CAAC,CAAC;QAE9C,IAAI,iBAAiB,EAAE,CAAC;YACvB,iDAAiD;YACjD,IAAI,WAA+B,CAAC;YACpC,IAAI,WAA8B,CAAC;YACnC,MAAM,aAAa,GAAG,iBAAiB,EAAE;iBACvC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;gBACf,WAAW,GAAG,KAAK,CAAC;gBACpB,MAAM,CAAC,UAAU,EAAE,CAAC;YACrB,CAAC,CAAC;iBACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACd,WAAW,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;gBAClE,MAAM,CAAC,UAAU,EAAE,CAAC;YACrB,CAAC,CAAC,CAAC;YAEJ,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;YAE1C,kDAAkD;YAClD,IAAI,WAAW,EAAE,CAAC;gBACjB,MAAM,WAAW,CAAC;YACnB,CAAC;YAED,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;gBAClB,sCAAsC;gBACtC,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC/B,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBAChE,CAAC;gBACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;YACpB,CAAC;iBAAM,IAAI,WAAW,EAAE,CAAC;gBACxB,mBAAmB;gBACnB,MAAM,MAAM,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;gBAC7C,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC/C,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBAChE,CAAC;gBACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;YACpB,CAAC;YAED,yDAAyD;YACzD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACX,MAAM,aAAa,CAAC;gBACpB,IAAI,WAAW,EAAE,CAAC;oBACjB,MAAM,WAAW,CAAC;gBACnB,CAAC;gBACD,IAAI,WAAW,EAAE,CAAC;oBACjB,MAAM,MAAM,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;oBAC7C,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;wBAC/C,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;oBAChE,CAAC;oBACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;gBACpB,CAAC;YACF,CAAC;QACF,CAAC;aAAM,CAAC;YACP,wCAAwC;YACxC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;YAC1C,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;gBAClB,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC/B,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBAChE,CAAC;gBACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;YACpB,CAAC;QACF,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACnD,CAAC;QAED,2BAA2B;QAC3B,UAAU,EAAE,CAAC,6CAA6C,CAAC,CAAC;QAC5D,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;YAC5C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACR,cAAc,EAAE,mCAAmC;aACnD;YACD,IAAI,EAAE,IAAI,eAAe,CAAC;gBACzB,SAAS,EAAE,SAAS;gBACpB,aAAa,EAAE,aAAa;gBAC5B,IAAI;gBACJ,UAAU,EAAE,oBAAoB;gBAChC,YAAY,EAAE,YAAY;gBAC1B,aAAa,EAAE,QAAQ;aACvB,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACnC,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,0BAA0B,KAAK,EAAE,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,SAAS,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAI5C,CAAC;QAEF,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QACjE,CAAC;QAED,iBAAiB;QACjB,UAAU,EAAE,CAAC,sBAAsB,CAAC,CAAC;QACrC,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAE/D,mBAAmB;QACnB,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;QAE5E,2EAA2E;QAC3E,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QAE3E,MAAM,WAAW,GAAqB;YACrC,OAAO,EAAE,SAAS,CAAC,aAAa;YAChC,MAAM,EAAE,SAAS,CAAC,YAAY;YAC9B,OAAO,EAAE,SAAS;YAClB,SAAS;YACT,KAAK;SACL,CAAC;QAEF,OAAO,WAAW,CAAC;IACpB,CAAC;YAAS,CAAC;QACV,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;AACF,CAAC;AAED,MAAM,CAAC,MAAM,sBAAsB,GAA2B;IAC7D,EAAE,EAAE,mBAAmB;IACvB,IAAI,EAAE,uCAAuC;IAC7C,kBAAkB,EAAE,IAAI;IAExB,KAAK,CAAC,KAAK,CAAC,SAA8B;QACzC,OAAO,cAAc,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,iBAAiB,CAAC,CAAC;IAC5F,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,WAA6B;QAC/C,MAAM,KAAK,GAAG,WAAgC,CAAC;QAC/C,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,uBAAuB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,CAAC;IAED,SAAS,CAAC,WAA6B;QACtC,MAAM,KAAK,GAAG,WAAgC,CAAC;QAC/C,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;IAC5E,CAAC;CACD,CAAC","sourcesContent":["/*\n Gemini CLI OAuth flow (Google Cloud Code Assist)\n * Standard Gemini models only (gemini-2.0-flash, gemini-2.5-)\n \n * NOTE: This module uses Node.js http.createServer for the OAuth callback.\n * It is only intended for CLI use, not browser environments.\n /\n\nimport {\n\ttype CallbackServerInfo,\n\tgetGoogleUserEmail,\n\tparseRedirectUrl,\n\trefreshGoogleOAuthToken,\n\tstartCallbackServer,\n} from \"./google-oauth-utils.js\";\nimport { generatePKCE } from \"./pkce.js\";\nimport type { OAuthCredentials, OAuthLoginCallbacks, OAuthProviderInterface } from \"./types.js\";\n\ntype GeminiCredentials = OAuthCredentials & {\n\tprojectId: string;\n};\n\nconst decode = (s: string) => atob(s);\nconst CLIENT_ID = decode(\n\t\"NjgxMjU1ODA5Mzk1LW9vOGZ0Mm9wcmRybnA5ZTNhcWY2YXYzaG1kaWIxMzVqLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29t\",\n);\nconst CLIENT_SECRET = decode(\"R09DU1BYLTR1SGdNUG0tMW83U2stZ2VWNkN1NWNsWEZzeGw=\");\nconst REDIRECT_URI = \"http://localhost:8085/oauth2callback\";\nconst SCOPES = [\n\t\"https://www.googleapis.com/auth/cloud-platform\",\n\t\"https://www.googleapis.com/auth/userinfo.email\",\n\t\"https://www.googleapis.com/auth/userinfo.profile\",\n];\nconst AUTH_URL = \"https://accounts.google.com/o/oauth2/v2/auth\";\nconst TOKEN_URL = \"https://oauth2.googleapis.com/token\";\nconst CODE_ASSIST_ENDPOINT = \"https://cloudcode-pa.googleapis.com\";\n\n// Callback server configuration\nconst CALLBACK_PORT = 8085;\nconst CALLBACK_PATH = \"/oauth2callback\";\n\ninterface LoadCodeAssistPayload {\n\tcloudaicompanionProject?: string;\n\tcurrentTier?: { id?: string };\n\tallowedTiers?: Array<{ id?: string; isDefault?: boolean }>;\n}\n\n/\n Long-running operation response from onboardUser\n /\ninterface LongRunningOperationResponse {\n\tname?: string;\n\tdone?: boolean;\n\tresponse?: {\n\t\tcloudaicompanionProject?: { id?: string };\n\t};\n}\n\n// Tier IDs as used by the Cloud Code API\nconst TIER_FREE = \"free-tier\";\nconst TIER_LEGACY = \"legacy-tier\";\nconst TIER_STANDARD = \"standard-tier\";\n\ninterface GoogleRpcErrorResponse {\n\terror?: {\n\t\tdetails?: Array<{ reason?: string }>;\n\t};\n}\n\n/\n Wait helper for onboarding retries\n /\nfunction wait(ms: number): Promise<void> {\n\treturn new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n/\n Get default tier from allowed tiers\n /\nfunction getDefaultTier(allowedTiers?: Array<{ id?: string; isDefault?: boolean }>): { id?: string } {\n\tif (!allowedTiers \|\| allowedTiers.length === 0) return { id: TIER_LEGACY };\n\tconst defaultTier = allowedTiers.find((t) => t.isDefault);\n\treturn defaultTier ?? { id: TIER_LEGACY };\n}\n\nfunction isVpcScAffectedUser(payload: unknown): boolean {\n\tif (!payload \|\| typeof payload !== \"object\") return false;\n\tif (!(\"error\" in payload)) return false;\n\tconst error = (payload as GoogleRpcErrorResponse).error;\n\tif (!error?.details \|\| !Array.isArray(error.details)) return false;\n\treturn error.details.some((detail) => detail.reason === \"SECURITY_POLICY_VIOLATED\");\n}\n\n/\n Poll a long-running operation until completion\n /\nasync function pollOperation(\n\toperationName: string,\n\theaders: Record<string, string>,\n\tonProgress?: (message: string) => void,\n): Promise<LongRunningOperationResponse> {\n\tlet attempt = 0;\n\twhile (true) {\n\t\tif (attempt > 0) {\n\t\t\tonProgress?.(`Waiting for project provisioning (attempt ${attempt + 1})...`);\n\t\t\tawait wait(5000);\n\t\t}\n\n\t\tconst response = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal/${operationName}`, {\n\t\t\tmethod: \"GET\",\n\t\t\theaders,\n\t\t\tsignal: AbortSignal.timeout(30_000),\n\t\t});\n\n\t\tif (!response.ok) {\n\t\t\tthrow new Error(`Failed to poll operation: ${response.status} ${response.statusText}`);\n\t\t}\n\n\t\tconst data = (await response.json()) as LongRunningOperationResponse;\n\t\tif (data.done) {\n\t\t\treturn data;\n\t\t}\n\n\t\tattempt += 1;\n\t}\n}\n\n/\n Discover or provision a Google Cloud project for the user\n /\nasync function discoverProject(accessToken: string, onProgress?: (message: string) => void): Promise<string> {\n\t// Check for user-provided project ID via environment variable\n\tconst envProjectId = process.env.GOOGLE_CLOUD_PROJECT \|\| process.env.GOOGLE_CLOUD_PROJECT_ID;\n\n\tconst headers = {\n\t\tAuthorization: `Bearer ${accessToken}`,\n\t\t\"Content-Type\": \"application/json\",\n\t\t\"User-Agent\": \"google-api-nodejs-client/9.15.1\",\n\t\t\"X-Goog-Api-Client\": \"gl-node/22.17.0\",\n\t};\n\n\t// Try to load existing project via loadCodeAssist\n\tonProgress?.(\"Checking for existing Cloud Code Assist project...\");\n\tconst loadResponse = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:loadCodeAssist`, {\n\t\tmethod: \"POST\",\n\t\theaders,\n\t\tbody: JSON.stringify({\n\t\t\tcloudaicompanionProject: envProjectId,\n\t\t\tmetadata: {\n\t\t\t\tideType: \"IDE_UNSPECIFIED\",\n\t\t\t\tplatform: \"PLATFORM_UNSPECIFIED\",\n\t\t\t\tpluginType: \"GEMINI\",\n\t\t\t\tduetProject: envProjectId,\n\t\t\t},\n\t\t}),\n\t\tsignal: AbortSignal.timeout(30_000),\n\t});\n\n\tlet data: LoadCodeAssistPayload;\n\n\tif (!loadResponse.ok) {\n\t\tlet errorPayload: unknown;\n\t\ttry {\n\t\t\terrorPayload = await loadResponse.clone().json();\n\t\t} catch {\n\t\t\terrorPayload = undefined;\n\t\t}\n\n\t\tif (isVpcScAffectedUser(errorPayload)) {\n\t\t\tdata = { currentTier: { id: TIER_STANDARD } };\n\t\t} else {\n\t\t\tconst errorText = await loadResponse.text();\n\t\t\tthrow new Error(`loadCodeAssist failed: ${loadResponse.status} ${loadResponse.statusText}: ${errorText}`);\n\t\t}\n\t} else {\n\t\tdata = (await loadResponse.json()) as LoadCodeAssistPayload;\n\t}\n\n\t// If user already has a current tier and project, use it\n\tif (data.currentTier) {\n\t\tif (data.cloudaicompanionProject) {\n\t\t\treturn data.cloudaicompanionProject;\n\t\t}\n\t\t// User has a tier but no managed project - they need to provide one via env var\n\t\tif (envProjectId) {\n\t\t\treturn envProjectId;\n\t\t}\n\t\tthrow new Error(\n\t\t\t\"This account requires setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. \" +\n\t\t\t\t\"See https://goo.gle/gemini-cli-auth-docs#workspace-gca\",\n\t\t);\n\t}\n\n\t// User needs to be onboarded - get the default tier\n\tconst tier = getDefaultTier(data.allowedTiers);\n\tconst tierId = tier?.id ?? TIER_FREE;\n\n\tif (tierId !== TIER_FREE && !envProjectId) {\n\t\tthrow new Error(\n\t\t\t\"This account requires setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. \" +\n\t\t\t\t\"See https://goo.gle/gemini-cli-auth-docs#workspace-gca\",\n\t\t);\n\t}\n\n\tonProgress?.(\"Provisioning Cloud Code Assist project (this may take a moment)...\");\n\n\t// Build onboard request - for free tier, don't include project ID (Google provisions one)\n\t// For other tiers, include the user's project ID if available\n\tconst onboardBody: Record<string, unknown> = {\n\t\ttierId,\n\t\tmetadata: {\n\t\t\tideType: \"IDE_UNSPECIFIED\",\n\t\t\tplatform: \"PLATFORM_UNSPECIFIED\",\n\t\t\tpluginType: \"GEMINI\",\n\t\t},\n\t};\n\n\tif (tierId !== TIER_FREE && envProjectId) {\n\t\tonboardBody.cloudaicompanionProject = envProjectId;\n\t\t(onboardBody.metadata as Record<string, unknown>).duetProject = envProjectId;\n\t}\n\n\t// Start onboarding - this returns a long-running operation\n\tconst onboardResponse = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:onboardUser`, {\n\t\tmethod: \"POST\",\n\t\theaders,\n\t\tbody: JSON.stringify(onboardBody),\n\t\tsignal: AbortSignal.timeout(30_000),\n\t});\n\n\tif (!onboardResponse.ok) {\n\t\tconst errorText = await onboardResponse.text();\n\t\tthrow new Error(`onboardUser failed: ${onboardResponse.status} ${onboardResponse.statusText}: ${errorText}`);\n\t}\n\n\tlet lroData = (await onboardResponse.json()) as LongRunningOperationResponse;\n\n\t// If the operation isn't done yet, poll until completion\n\tif (!lroData.done && lroData.name) {\n\t\tlroData = await pollOperation(lroData.name, headers, onProgress);\n\t}\n\n\t// Try to get project ID from the response\n\tconst projectId = lroData.response?.cloudaicompanionProject?.id;\n\tif (projectId) {\n\t\treturn projectId;\n\t}\n\n\t// If no project ID from onboarding, fall back to env var\n\tif (envProjectId) {\n\t\treturn envProjectId;\n\t}\n\n\tthrow new Error(\n\t\t\"Could not discover or provision a Google Cloud project. \" +\n\t\t\t\"Try setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. \" +\n\t\t\t\"See https://goo.gle/gemini-cli-auth-docs#workspace-gca\",\n\t);\n}\n\n/\n Refresh Google Cloud Code Assist token\n /\nexport async function refreshGoogleCloudToken(refreshToken: string, projectId: string): Promise<OAuthCredentials> {\n\treturn refreshGoogleOAuthToken(refreshToken, CLIENT_ID, CLIENT_SECRET, \"Google Cloud\", { projectId });\n}\n\n/\n Login with Gemini CLI (Google Cloud Code Assist) OAuth\n \n @param onAuth - Callback with URL and optional instructions\n * @param onProgress - Optional progress callback\n * @param onManualCodeInput - Optional promise that resolves with user-pasted redirect URL.\n * Races with browser callback - whichever completes first wins.\n /\nexport async function loginGeminiCli(\n\tonAuth: (info: { url: string; instructions?: string }) => void,\n\tonProgress?: (message: string) => void,\n\tonManualCodeInput?: () => Promise<string>,\n): Promise<OAuthCredentials> {\n\tconst { verifier, challenge } = await generatePKCE();\n\n\t// Start local server for callback\n\tonProgress?.(\"Starting local server for OAuth callback...\");\n\tconst server: CallbackServerInfo = await startCallbackServer(CALLBACK_PORT, CALLBACK_PATH, \"Gemini CLI\");\n\n\tlet code: string \| undefined;\n\n\ttry {\n\t\t// Build authorization URL\n\t\tconst authParams = new URLSearchParams({\n\t\t\tclient_id: CLIENT_ID,\n\t\t\tresponse_type: \"code\",\n\t\t\tredirect_uri: REDIRECT_URI,\n\t\t\tscope: SCOPES.join(\" \"),\n\t\t\tcode_challenge: challenge,\n\t\t\tcode_challenge_method: \"S256\",\n\t\t\tstate: verifier,\n\t\t\taccess_type: \"offline\",\n\t\t\tprompt: \"consent\",\n\t\t});\n\n\t\tconst authUrl = `${AUTH_URL}?${authParams.toString()}`;\n\n\t\t// Notify caller with URL to open\n\t\tonAuth({\n\t\t\turl: authUrl,\n\t\t\tinstructions: \"Complete the sign-in in your browser.\",\n\t\t});\n\n\t\t// Wait for the callback, racing with manual input if provided\n\t\tonProgress?.(\"Waiting for OAuth callback...\");\n\n\t\tif (onManualCodeInput) {\n\t\t\t// Race between browser callback and manual input\n\t\t\tlet manualInput: string \| undefined;\n\t\t\tlet manualError: Error \| undefined;\n\t\t\tconst manualPromise = onManualCodeInput()\n\t\t\t\t.then((input) => {\n\t\t\t\t\tmanualInput = input;\n\t\t\t\t\tserver.cancelWait();\n\t\t\t\t})\n\t\t\t\t.catch((err) => {\n\t\t\t\t\tmanualError = err instanceof Error ? err : new Error(String(err));\n\t\t\t\t\tserver.cancelWait();\n\t\t\t\t});\n\n\t\t\tconst result = await server.waitForCode();\n\n\t\t\t// If manual input was cancelled, throw that error\n\t\t\tif (manualError) {\n\t\t\t\tthrow manualError;\n\t\t\t}\n\n\t\t\tif (result?.code) {\n\t\t\t\t// Browser callback won - verify state\n\t\t\t\tif (result.state !== verifier) {\n\t\t\t\t\tthrow new Error(\"OAuth state mismatch - possible CSRF attack\");\n\t\t\t\t}\n\t\t\t\tcode = result.code;\n\t\t\t} else if (manualInput) {\n\t\t\t\t// Manual input won\n\t\t\t\tconst parsed = parseRedirectUrl(manualInput);\n\t\t\t\tif (parsed.state && parsed.state !== verifier) {\n\t\t\t\t\tthrow new Error(\"OAuth state mismatch - possible CSRF attack\");\n\t\t\t\t}\n\t\t\t\tcode = parsed.code;\n\t\t\t}\n\n\t\t\t// If still no code, wait for manual promise and try that\n\t\t\tif (!code) {\n\t\t\t\tawait manualPromise;\n\t\t\t\tif (manualError) {\n\t\t\t\t\tthrow manualError;\n\t\t\t\t}\n\t\t\t\tif (manualInput) {\n\t\t\t\t\tconst parsed = parseRedirectUrl(manualInput);\n\t\t\t\t\tif (parsed.state && parsed.state !== verifier) {\n\t\t\t\t\t\tthrow new Error(\"OAuth state mismatch - possible CSRF attack\");\n\t\t\t\t\t}\n\t\t\t\t\tcode = parsed.code;\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\t// Original flow: just wait for callback\n\t\t\tconst result = await server.waitForCode();\n\t\t\tif (result?.code) {\n\t\t\t\tif (result.state !== verifier) {\n\t\t\t\t\tthrow new Error(\"OAuth state mismatch - possible CSRF attack\");\n\t\t\t\t}\n\t\t\t\tcode = result.code;\n\t\t\t}\n\t\t}\n\n\t\tif (!code) {\n\t\t\tthrow new Error(\"No authorization code received\");\n\t\t}\n\n\t\t// Exchange code for tokens\n\t\tonProgress?.(\"Exchanging authorization code for tokens...\");\n\t\tconst tokenResponse = await fetch(TOKEN_URL, {\n\t\t\tmethod: \"POST\",\n\t\t\theaders: {\n\t\t\t\t\"Content-Type\": \"application/x-www-form-urlencoded\",\n\t\t\t},\n\t\t\tbody: new URLSearchParams({\n\t\t\t\tclient_id: CLIENT_ID,\n\t\t\t\tclient_secret: CLIENT_SECRET,\n\t\t\t\tcode,\n\t\t\t\tgrant_type: \"authorization_code\",\n\t\t\t\tredirect_uri: REDIRECT_URI,\n\t\t\t\tcode_verifier: verifier,\n\t\t\t}),\n\t\t\tsignal: AbortSignal.timeout(30_000),\n\t\t});\n\n\t\tif (!tokenResponse.ok) {\n\t\t\tconst error = await tokenResponse.text();\n\t\t\tthrow new Error(`Token exchange failed: ${error}`);\n\t\t}\n\n\t\tconst tokenData = (await tokenResponse.json()) as {\n\t\t\taccess_token: string;\n\t\t\trefresh_token: string;\n\t\t\texpires_in: number;\n\t\t};\n\n\t\tif (!tokenData.refresh_token) {\n\t\t\tthrow new Error(\"No refresh token received. Please try again.\");\n\t\t}\n\n\t\t// Get user email\n\t\tonProgress?.(\"Getting user info...\");\n\t\tconst email = await getGoogleUserEmail(tokenData.access_token);\n\n\t\t// Discover project\n\t\tconst projectId = await discoverProject(tokenData.access_token, onProgress);\n\n\t\t// Calculate expiry time (current time + expires_in seconds - 5 min buffer)\n\t\tconst expiresAt = Date.now() + tokenData.expires_in 1000 - 5 * 60 * 1000;\n\n\t\tconst credentials: OAuthCredentials = {\n\t\t\trefresh: tokenData.refresh_token,\n\t\t\taccess: tokenData.access_token,\n\t\t\texpires: expiresAt,\n\t\t\tprojectId,\n\t\t\temail,\n\t\t};\n\n\t\treturn credentials;\n\t} finally {\n\t\tserver.server.close();\n\t}\n}\n\nexport const geminiCliOAuthProvider: OAuthProviderInterface = {\n\tid: \"google-gemini-cli\",\n\tname: \"Google Cloud Code Assist (Gemini CLI)\",\n\tusesCallbackServer: true,\n\n\tasync login(callbacks: OAuthLoginCallbacks): Promise<OAuthCredentials> {\n\t\treturn loginGeminiCli(callbacks.onAuth, callbacks.onProgress, callbacks.onManualCodeInput);\n\t},\n\n\tasync refreshToken(credentials: OAuthCredentials): Promise<OAuthCredentials> {\n\t\tconst creds = credentials as GeminiCredentials;\n\t\tif (!creds.projectId) {\n\t\t\tthrow new Error(\"Google Cloud credentials missing projectId\");\n\t\t}\n\t\treturn refreshGoogleCloudToken(creds.refresh, creds.projectId);\n\t},\n\n\tgetApiKey(credentials: OAuthCredentials): string {\n\t\tconst creds = credentials as GeminiCredentials;\n\t\treturn JSON.stringify({ token: creds.access, projectId: creds.projectId });\n\t},\n};\n"]}
1	+ {"version":3,"file":"google-gemini-cli.js","sourceRoot":"","sources":["../../../src/utils/oauth/google-gemini-cli.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAEN,kBAAkB,EAClB,gBAAgB,EAChB,uBAAuB,EACvB,mBAAmB,GACnB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAOzC,0DAA0D;AAC1D,EAAE;AACF,4EAA4E;AAC5E,2EAA2E;AAC3E,iGAAiG;AACjG,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,iCAAiC;AACjC,yDAAyD;AACzD,6CAA6C;AAC7C,wCAAwC;AACxC,EAAE;AACF,0EAA0E;AAC1E,MAAM,SAAS,GAAG,0EAA0E,CAAC;AAC7F,MAAM,aAAa,GAAG,qCAAqC,CAAC;AAC5D,MAAM,YAAY,GAAG,sCAAsC,CAAC;AAC5D,MAAM,MAAM,GAAG;IACd,gDAAgD;IAChD,gDAAgD;IAChD,kDAAkD;CAClD,CAAC;AACF,MAAM,QAAQ,GAAG,8CAA8C,CAAC;AAChE,MAAM,SAAS,GAAG,qCAAqC,CAAC;AACxD,MAAM,oBAAoB,GAAG,qCAAqC,CAAC;AAEnE,gCAAgC;AAChC,MAAM,aAAa,GAAG,IAAI,CAAC;AAC3B,MAAM,aAAa,GAAG,iBAAiB,CAAC;AAmBxC,yCAAyC;AACzC,MAAM,SAAS,GAAG,WAAW,CAAC;AAC9B,MAAM,WAAW,GAAG,aAAa,CAAC;AAClC,MAAM,aAAa,GAAG,eAAe,CAAC;AAQtC;;GAEG;AACH,SAAS,IAAI,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,YAA0D;IACjF,IAAI,CAAC,YAAY,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,WAAW,EAAE,CAAC;IAC3E,MAAM,WAAW,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAC1D,OAAO,WAAW,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,CAAC;AAC3C,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB;IAC5C,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1D,IAAI,CAAC,CAAC,OAAO,IAAI,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,KAAK,GAAI,OAAkC,CAAC,KAAK,CAAC;IACxD,IAAI,CAAC,KAAK,EAAE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,0BAA0B,CAAC,CAAC;AACrF,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAC3B,aAAqB,EACrB,OAA+B,EAC/B,UAAsC;IAEtC,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,OAAO,IAAI,EAAE,CAAC;QACb,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;YACjB,UAAU,EAAE,CAAC,6CAA6C,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC;YAC7E,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,oBAAoB,eAAe,aAAa,EAAE,EAAE;YACnF,MAAM,EAAE,KAAK;YACb,OAAO;YACP,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACnC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiC,CAAC;QACrE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,OAAO,IAAI,CAAC;QACb,CAAC;QAED,OAAO,IAAI,CAAC,CAAC;IACd,CAAC;AACF,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAAC,WAAmB,EAAE,UAAsC;IACzF,8DAA8D;IAC9D,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;IAE7F,MAAM,OAAO,GAAG;QACf,aAAa,EAAE,UAAU,WAAW,EAAE;QACtC,cAAc,EAAE,kBAAkB;QAClC,YAAY,EAAE,iCAAiC;QAC/C,mBAAmB,EAAE,iBAAiB;KACtC,CAAC;IAEF,kDAAkD;IAClD,UAAU,EAAE,CAAC,oDAAoD,CAAC,CAAC;IACnE,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,GAAG,oBAAoB,4BAA4B,EAAE;QACrF,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACpB,uBAAuB,EAAE,YAAY;YACrC,QAAQ,EAAE;gBACT,OAAO,EAAE,iBAAiB;gBAC1B,QAAQ,EAAE,sBAAsB;gBAChC,UAAU,EAAE,QAAQ;gBACpB,WAAW,EAAE,YAAY;aACzB;SACD,CAAC;QACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACnC,CAAC,CAAC;IAEH,IAAI,IAA2B,CAAC;IAEhC,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;QACtB,IAAI,YAAqB,CAAC;QAC1B,IAAI,CAAC;YACJ,YAAY,GAAG,MAAM,YAAY,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACR,YAAY,GAAG,SAAS,CAAC;QAC1B,CAAC;QAED,IAAI,mBAAmB,CAAC,YAAY,CAAC,EAAE,CAAC;YACvC,IAAI,GAAG,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,CAAC;QAC/C,CAAC;aAAM,CAAC;YACP,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,0BAA0B,YAAY,CAAC,MAAM,IAAI,YAAY,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC,CAAC;QAC3G,CAAC;IACF,CAAC;SAAM,CAAC;QACP,IAAI,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAA0B,CAAC;IAC7D,CAAC;IAED,yDAAyD;IACzD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QACtB,IAAI,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC,uBAAuB,CAAC;QACrC,CAAC;QACD,gFAAgF;QAChF,IAAI,YAAY,EAAE,CAAC;YAClB,OAAO,YAAY,CAAC;QACrB,CAAC;QACD,MAAM,IAAI,KAAK,CACd,0GAA0G;YACzG,wDAAwD,CACzD,CAAC;IACH,CAAC;IAED,oDAAoD;IACpD,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAI,EAAE,EAAE,IAAI,SAAS,CAAC;IAErC,IAAI,MAAM,KAAK,SAAS,IAAI,CAAC,YAAY,EAAE,CAAC;QAC3C,MAAM,IAAI,KAAK,CACd,0GAA0G;YACzG,wDAAwD,CACzD,CAAC;IACH,CAAC;IAED,UAAU,EAAE,CAAC,oEAAoE,CAAC,CAAC;IAEnF,0FAA0F;IAC1F,8DAA8D;IAC9D,MAAM,WAAW,GAA4B;QAC5C,MAAM;QACN,QAAQ,EAAE;YACT,OAAO,EAAE,iBAAiB;YAC1B,QAAQ,EAAE,sBAAsB;YAChC,UAAU,EAAE,QAAQ;SACpB;KACD,CAAC;IAEF,IAAI,MAAM,KAAK,SAAS,IAAI,YAAY,EAAE,CAAC;QAC1C,WAAW,CAAC,uBAAuB,GAAG,YAAY,CAAC;QAClD,WAAW,CAAC,QAAoC,CAAC,WAAW,GAAG,YAAY,CAAC;IAC9E,CAAC;IAED,2DAA2D;IAC3D,MAAM,eAAe,GAAG,MAAM,KAAK,CAAC,GAAG,oBAAoB,yBAAyB,EAAE;QACrF,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;QACjC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACnC,CAAC,CAAC;IAEH,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,IAAI,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,uBAAuB,eAAe,CAAC,MAAM,IAAI,eAAe,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC,CAAC;IAC9G,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,MAAM,eAAe,CAAC,IAAI,EAAE,CAAiC,CAAC;IAE7E,yDAAyD;IACzD,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACnC,OAAO,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;IAClE,CAAC;IAED,0CAA0C;IAC1C,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,EAAE,uBAAuB,EAAE,EAAE,CAAC;IAChE,IAAI,SAAS,EAAE,CAAC;QACf,OAAO,SAAS,CAAC;IAClB,CAAC;IAED,yDAAyD;IACzD,IAAI,YAAY,EAAE,CAAC;QAClB,OAAO,YAAY,CAAC;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CACd,0DAA0D;QACzD,wFAAwF;QACxF,wDAAwD,CACzD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,YAAoB,EAAE,SAAiB;IACpF,OAAO,uBAAuB,CAAC,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,cAAc,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;AACvG,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CACnC,MAA8D,EAC9D,UAAsC,EACtC,iBAAyC;IAEzC,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;IAErD,kCAAkC;IAClC,UAAU,EAAE,CAAC,6CAA6C,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAuB,MAAM,mBAAmB,CAAC,aAAa,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;IAEzG,IAAI,IAAwB,CAAC;IAE7B,IAAI,CAAC;QACJ,0BAA0B;QAC1B,MAAM,UAAU,GAAG,IAAI,eAAe,CAAC;YACtC,SAAS,EAAE,SAAS;YACpB,aAAa,EAAE,MAAM;YACrB,YAAY,EAAE,YAAY;YAC1B,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACvB,cAAc,EAAE,SAAS;YACzB,qBAAqB,EAAE,MAAM;YAC7B,KAAK,EAAE,QAAQ;YACf,WAAW,EAAE,SAAS;YACtB,MAAM,EAAE,SAAS;SACjB,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,GAAG,QAAQ,IAAI,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC;QAEvD,iCAAiC;QACjC,MAAM,CAAC;YACN,GAAG,EAAE,OAAO;YACZ,YAAY,EAAE,uCAAuC;SACrD,CAAC,CAAC;QAEH,8DAA8D;QAC9D,UAAU,EAAE,CAAC,+BAA+B,CAAC,CAAC;QAE9C,IAAI,iBAAiB,EAAE,CAAC;YACvB,iDAAiD;YACjD,IAAI,WAA+B,CAAC;YACpC,IAAI,WAA8B,CAAC;YACnC,MAAM,aAAa,GAAG,iBAAiB,EAAE;iBACvC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;gBACf,WAAW,GAAG,KAAK,CAAC;gBACpB,MAAM,CAAC,UAAU,EAAE,CAAC;YACrB,CAAC,CAAC;iBACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACd,WAAW,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;gBAClE,MAAM,CAAC,UAAU,EAAE,CAAC;YACrB,CAAC,CAAC,CAAC;YAEJ,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;YAE1C,kDAAkD;YAClD,IAAI,WAAW,EAAE,CAAC;gBACjB,MAAM,WAAW,CAAC;YACnB,CAAC;YAED,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;gBAClB,sCAAsC;gBACtC,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC/B,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBAChE,CAAC;gBACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;YACpB,CAAC;iBAAM,IAAI,WAAW,EAAE,CAAC;gBACxB,mBAAmB;gBACnB,MAAM,MAAM,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;gBAC7C,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC/C,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBAChE,CAAC;gBACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;YACpB,CAAC;YAED,yDAAyD;YACzD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACX,MAAM,aAAa,CAAC;gBACpB,IAAI,WAAW,EAAE,CAAC;oBACjB,MAAM,WAAW,CAAC;gBACnB,CAAC;gBACD,IAAI,WAAW,EAAE,CAAC;oBACjB,MAAM,MAAM,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;oBAC7C,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;wBAC/C,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;oBAChE,CAAC;oBACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;gBACpB,CAAC;YACF,CAAC;QACF,CAAC;aAAM,CAAC;YACP,wCAAwC;YACxC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;YAC1C,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;gBAClB,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC/B,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBAChE,CAAC;gBACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;YACpB,CAAC;QACF,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACnD,CAAC;QAED,2BAA2B;QAC3B,UAAU,EAAE,CAAC,6CAA6C,CAAC,CAAC;QAC5D,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;YAC5C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACR,cAAc,EAAE,mCAAmC;aACnD;YACD,IAAI,EAAE,IAAI,eAAe,CAAC;gBACzB,SAAS,EAAE,SAAS;gBACpB,aAAa,EAAE,aAAa;gBAC5B,IAAI;gBACJ,UAAU,EAAE,oBAAoB;gBAChC,YAAY,EAAE,YAAY;gBAC1B,aAAa,EAAE,QAAQ;aACvB,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACnC,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,0BAA0B,KAAK,EAAE,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,SAAS,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAI5C,CAAC;QAEF,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QACjE,CAAC;QAED,iBAAiB;QACjB,UAAU,EAAE,CAAC,sBAAsB,CAAC,CAAC;QACrC,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAE/D,mBAAmB;QACnB,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;QAE5E,2EAA2E;QAC3E,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QAE3E,MAAM,WAAW,GAAqB;YACrC,OAAO,EAAE,SAAS,CAAC,aAAa;YAChC,MAAM,EAAE,SAAS,CAAC,YAAY;YAC9B,OAAO,EAAE,SAAS;YAClB,SAAS;YACT,KAAK;SACL,CAAC;QAEF,OAAO,WAAW,CAAC;IACpB,CAAC;YAAS,CAAC;QACV,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;AACF,CAAC;AAED,MAAM,CAAC,MAAM,sBAAsB,GAA2B;IAC7D,EAAE,EAAE,mBAAmB;IACvB,IAAI,EAAE,uCAAuC;IAC7C,kBAAkB,EAAE,IAAI;IAExB,KAAK,CAAC,KAAK,CAAC,SAA8B;QACzC,OAAO,cAAc,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,iBAAiB,CAAC,CAAC;IAC5F,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,WAA6B;QAC/C,MAAM,KAAK,GAAG,WAAgC,CAAC;QAC/C,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,uBAAuB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,CAAC;IAED,SAAS,CAAC,WAA6B;QACtC,MAAM,KAAK,GAAG,WAAgC,CAAC;QAC/C,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;IAC5E,CAAC;CACD,CAAC","sourcesContent":["/*\n Gemini CLI OAuth flow (Google Cloud Code Assist)\n * Standard Gemini models only (gemini-2.0-flash, gemini-2.5-)\n \n * NOTE: This module uses Node.js http.createServer for the OAuth callback.\n * It is only intended for CLI use, not browser environments.\n /\n\nimport {\n\ttype CallbackServerInfo,\n\tgetGoogleUserEmail,\n\tparseRedirectUrl,\n\trefreshGoogleOAuthToken,\n\tstartCallbackServer,\n} from \"./google-oauth-utils.js\";\nimport { generatePKCE } from \"./pkce.js\";\nimport type { OAuthCredentials, OAuthLoginCallbacks, OAuthProviderInterface } from \"./types.js\";\n\ntype GeminiCredentials = OAuthCredentials & {\n\tprojectId: string;\n};\n\n// Gemini CLI OAuth credentials (Google Cloud Code Assist)\n//\n// NOTE: These credentials are public in the source code. They should NOT be\n// obfuscated because security scanners flag obfuscated data as potentially\n// malicious (see: https://socket.dev/npm/package/gsd-pi/alerts/2.70.1?alert_name=obfuscatedFile)\n//\n// Google's OAuth implementation requires client_secret for Desktop App OAuth\n// clients even though it cannot be kept secret in distributed applications.\n// The actual security relies on:\n// - PKCE (Proof Key for Code Exchange) via code_verifier\n// - Redirect URI validation (localhost only)\n// - User consent and token scope limits\n//\n// See: https://developers.google.com/identity/protocols/oauth2/native-app\nconst CLIENT_ID = \"681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com\";\nconst CLIENT_SECRET = \"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\";\nconst REDIRECT_URI = \"http://localhost:8085/oauth2callback\";\nconst SCOPES = [\n\t\"https://www.googleapis.com/auth/cloud-platform\",\n\t\"https://www.googleapis.com/auth/userinfo.email\",\n\t\"https://www.googleapis.com/auth/userinfo.profile\",\n];\nconst AUTH_URL = \"https://accounts.google.com/o/oauth2/v2/auth\";\nconst TOKEN_URL = \"https://oauth2.googleapis.com/token\";\nconst CODE_ASSIST_ENDPOINT = \"https://cloudcode-pa.googleapis.com\";\n\n// Callback server configuration\nconst CALLBACK_PORT = 8085;\nconst CALLBACK_PATH = \"/oauth2callback\";\n\ninterface LoadCodeAssistPayload {\n\tcloudaicompanionProject?: string;\n\tcurrentTier?: { id?: string };\n\tallowedTiers?: Array<{ id?: string; isDefault?: boolean }>;\n}\n\n/\n Long-running operation response from onboardUser\n /\ninterface LongRunningOperationResponse {\n\tname?: string;\n\tdone?: boolean;\n\tresponse?: {\n\t\tcloudaicompanionProject?: { id?: string };\n\t};\n}\n\n// Tier IDs as used by the Cloud Code API\nconst TIER_FREE = \"free-tier\";\nconst TIER_LEGACY = \"legacy-tier\";\nconst TIER_STANDARD = \"standard-tier\";\n\ninterface GoogleRpcErrorResponse {\n\terror?: {\n\t\tdetails?: Array<{ reason?: string }>;\n\t};\n}\n\n/\n Wait helper for onboarding retries\n /\nfunction wait(ms: number): Promise<void> {\n\treturn new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n/\n Get default tier from allowed tiers\n /\nfunction getDefaultTier(allowedTiers?: Array<{ id?: string; isDefault?: boolean }>): { id?: string } {\n\tif (!allowedTiers \|\| allowedTiers.length === 0) return { id: TIER_LEGACY };\n\tconst defaultTier = allowedTiers.find((t) => t.isDefault);\n\treturn defaultTier ?? { id: TIER_LEGACY };\n}\n\nfunction isVpcScAffectedUser(payload: unknown): boolean {\n\tif (!payload \|\| typeof payload !== \"object\") return false;\n\tif (!(\"error\" in payload)) return false;\n\tconst error = (payload as GoogleRpcErrorResponse).error;\n\tif (!error?.details \|\| !Array.isArray(error.details)) return false;\n\treturn error.details.some((detail) => detail.reason === \"SECURITY_POLICY_VIOLATED\");\n}\n\n/\n Poll a long-running operation until completion\n /\nasync function pollOperation(\n\toperationName: string,\n\theaders: Record<string, string>,\n\tonProgress?: (message: string) => void,\n): Promise<LongRunningOperationResponse> {\n\tlet attempt = 0;\n\twhile (true) {\n\t\tif (attempt > 0) {\n\t\t\tonProgress?.(`Waiting for project provisioning (attempt ${attempt + 1})...`);\n\t\t\tawait wait(5000);\n\t\t}\n\n\t\tconst response = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal/${operationName}`, {\n\t\t\tmethod: \"GET\",\n\t\t\theaders,\n\t\t\tsignal: AbortSignal.timeout(30_000),\n\t\t});\n\n\t\tif (!response.ok) {\n\t\t\tthrow new Error(`Failed to poll operation: ${response.status} ${response.statusText}`);\n\t\t}\n\n\t\tconst data = (await response.json()) as LongRunningOperationResponse;\n\t\tif (data.done) {\n\t\t\treturn data;\n\t\t}\n\n\t\tattempt += 1;\n\t}\n}\n\n/\n Discover or provision a Google Cloud project for the user\n /\nasync function discoverProject(accessToken: string, onProgress?: (message: string) => void): Promise<string> {\n\t// Check for user-provided project ID via environment variable\n\tconst envProjectId = process.env.GOOGLE_CLOUD_PROJECT \|\| process.env.GOOGLE_CLOUD_PROJECT_ID;\n\n\tconst headers = {\n\t\tAuthorization: `Bearer ${accessToken}`,\n\t\t\"Content-Type\": \"application/json\",\n\t\t\"User-Agent\": \"google-api-nodejs-client/9.15.1\",\n\t\t\"X-Goog-Api-Client\": \"gl-node/22.17.0\",\n\t};\n\n\t// Try to load existing project via loadCodeAssist\n\tonProgress?.(\"Checking for existing Cloud Code Assist project...\");\n\tconst loadResponse = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:loadCodeAssist`, {\n\t\tmethod: \"POST\",\n\t\theaders,\n\t\tbody: JSON.stringify({\n\t\t\tcloudaicompanionProject: envProjectId,\n\t\t\tmetadata: {\n\t\t\t\tideType: \"IDE_UNSPECIFIED\",\n\t\t\t\tplatform: \"PLATFORM_UNSPECIFIED\",\n\t\t\t\tpluginType: \"GEMINI\",\n\t\t\t\tduetProject: envProjectId,\n\t\t\t},\n\t\t}),\n\t\tsignal: AbortSignal.timeout(30_000),\n\t});\n\n\tlet data: LoadCodeAssistPayload;\n\n\tif (!loadResponse.ok) {\n\t\tlet errorPayload: unknown;\n\t\ttry {\n\t\t\terrorPayload = await loadResponse.clone().json();\n\t\t} catch {\n\t\t\terrorPayload = undefined;\n\t\t}\n\n\t\tif (isVpcScAffectedUser(errorPayload)) {\n\t\t\tdata = { currentTier: { id: TIER_STANDARD } };\n\t\t} else {\n\t\t\tconst errorText = await loadResponse.text();\n\t\t\tthrow new Error(`loadCodeAssist failed: ${loadResponse.status} ${loadResponse.statusText}: ${errorText}`);\n\t\t}\n\t} else {\n\t\tdata = (await loadResponse.json()) as LoadCodeAssistPayload;\n\t}\n\n\t// If user already has a current tier and project, use it\n\tif (data.currentTier) {\n\t\tif (data.cloudaicompanionProject) {\n\t\t\treturn data.cloudaicompanionProject;\n\t\t}\n\t\t// User has a tier but no managed project - they need to provide one via env var\n\t\tif (envProjectId) {\n\t\t\treturn envProjectId;\n\t\t}\n\t\tthrow new Error(\n\t\t\t\"This account requires setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. \" +\n\t\t\t\t\"See https://goo.gle/gemini-cli-auth-docs#workspace-gca\",\n\t\t);\n\t}\n\n\t// User needs to be onboarded - get the default tier\n\tconst tier = getDefaultTier(data.allowedTiers);\n\tconst tierId = tier?.id ?? TIER_FREE;\n\n\tif (tierId !== TIER_FREE && !envProjectId) {\n\t\tthrow new Error(\n\t\t\t\"This account requires setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. \" +\n\t\t\t\t\"See https://goo.gle/gemini-cli-auth-docs#workspace-gca\",\n\t\t);\n\t}\n\n\tonProgress?.(\"Provisioning Cloud Code Assist project (this may take a moment)...\");\n\n\t// Build onboard request - for free tier, don't include project ID (Google provisions one)\n\t// For other tiers, include the user's project ID if available\n\tconst onboardBody: Record<string, unknown> = {\n\t\ttierId,\n\t\tmetadata: {\n\t\t\tideType: \"IDE_UNSPECIFIED\",\n\t\t\tplatform: \"PLATFORM_UNSPECIFIED\",\n\t\t\tpluginType: \"GEMINI\",\n\t\t},\n\t};\n\n\tif (tierId !== TIER_FREE && envProjectId) {\n\t\tonboardBody.cloudaicompanionProject = envProjectId;\n\t\t(onboardBody.metadata as Record<string, unknown>).duetProject = envProjectId;\n\t}\n\n\t// Start onboarding - this returns a long-running operation\n\tconst onboardResponse = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:onboardUser`, {\n\t\tmethod: \"POST\",\n\t\theaders,\n\t\tbody: JSON.stringify(onboardBody),\n\t\tsignal: AbortSignal.timeout(30_000),\n\t});\n\n\tif (!onboardResponse.ok) {\n\t\tconst errorText = await onboardResponse.text();\n\t\tthrow new Error(`onboardUser failed: ${onboardResponse.status} ${onboardResponse.statusText}: ${errorText}`);\n\t}\n\n\tlet lroData = (await onboardResponse.json()) as LongRunningOperationResponse;\n\n\t// If the operation isn't done yet, poll until completion\n\tif (!lroData.done && lroData.name) {\n\t\tlroData = await pollOperation(lroData.name, headers, onProgress);\n\t}\n\n\t// Try to get project ID from the response\n\tconst projectId = lroData.response?.cloudaicompanionProject?.id;\n\tif (projectId) {\n\t\treturn projectId;\n\t}\n\n\t// If no project ID from onboarding, fall back to env var\n\tif (envProjectId) {\n\t\treturn envProjectId;\n\t}\n\n\tthrow new Error(\n\t\t\"Could not discover or provision a Google Cloud project. \" +\n\t\t\t\"Try setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. \" +\n\t\t\t\"See https://goo.gle/gemini-cli-auth-docs#workspace-gca\",\n\t);\n}\n\n/\n Refresh Google Cloud Code Assist token\n /\nexport async function refreshGoogleCloudToken(refreshToken: string, projectId: string): Promise<OAuthCredentials> {\n\treturn refreshGoogleOAuthToken(refreshToken, CLIENT_ID, CLIENT_SECRET, \"Google Cloud\", { projectId });\n}\n\n/\n Login with Gemini CLI (Google Cloud Code Assist) OAuth\n \n @param onAuth - Callback with URL and optional instructions\n * @param onProgress - Optional progress callback\n * @param onManualCodeInput - Optional promise that resolves with user-pasted redirect URL.\n * Races with browser callback - whichever completes first wins.\n /\nexport async function loginGeminiCli(\n\tonAuth: (info: { url: string; instructions?: string }) => void,\n\tonProgress?: (message: string) => void,\n\tonManualCodeInput?: () => Promise<string>,\n): Promise<OAuthCredentials> {\n\tconst { verifier, challenge } = await generatePKCE();\n\n\t// Start local server for callback\n\tonProgress?.(\"Starting local server for OAuth callback...\");\n\tconst server: CallbackServerInfo = await startCallbackServer(CALLBACK_PORT, CALLBACK_PATH, \"Gemini CLI\");\n\n\tlet code: string \| undefined;\n\n\ttry {\n\t\t// Build authorization URL\n\t\tconst authParams = new URLSearchParams({\n\t\t\tclient_id: CLIENT_ID,\n\t\t\tresponse_type: \"code\",\n\t\t\tredirect_uri: REDIRECT_URI,\n\t\t\tscope: SCOPES.join(\" \"),\n\t\t\tcode_challenge: challenge,\n\t\t\tcode_challenge_method: \"S256\",\n\t\t\tstate: verifier,\n\t\t\taccess_type: \"offline\",\n\t\t\tprompt: \"consent\",\n\t\t});\n\n\t\tconst authUrl = `${AUTH_URL}?${authParams.toString()}`;\n\n\t\t// Notify caller with URL to open\n\t\tonAuth({\n\t\t\turl: authUrl,\n\t\t\tinstructions: \"Complete the sign-in in your browser.\",\n\t\t});\n\n\t\t// Wait for the callback, racing with manual input if provided\n\t\tonProgress?.(\"Waiting for OAuth callback...\");\n\n\t\tif (onManualCodeInput) {\n\t\t\t// Race between browser callback and manual input\n\t\t\tlet manualInput: string \| undefined;\n\t\t\tlet manualError: Error \| undefined;\n\t\t\tconst manualPromise = onManualCodeInput()\n\t\t\t\t.then((input) => {\n\t\t\t\t\tmanualInput = input;\n\t\t\t\t\tserver.cancelWait();\n\t\t\t\t})\n\t\t\t\t.catch((err) => {\n\t\t\t\t\tmanualError = err instanceof Error ? err : new Error(String(err));\n\t\t\t\t\tserver.cancelWait();\n\t\t\t\t});\n\n\t\t\tconst result = await server.waitForCode();\n\n\t\t\t// If manual input was cancelled, throw that error\n\t\t\tif (manualError) {\n\t\t\t\tthrow manualError;\n\t\t\t}\n\n\t\t\tif (result?.code) {\n\t\t\t\t// Browser callback won - verify state\n\t\t\t\tif (result.state !== verifier) {\n\t\t\t\t\tthrow new Error(\"OAuth state mismatch - possible CSRF attack\");\n\t\t\t\t}\n\t\t\t\tcode = result.code;\n\t\t\t} else if (manualInput) {\n\t\t\t\t// Manual input won\n\t\t\t\tconst parsed = parseRedirectUrl(manualInput);\n\t\t\t\tif (parsed.state && parsed.state !== verifier) {\n\t\t\t\t\tthrow new Error(\"OAuth state mismatch - possible CSRF attack\");\n\t\t\t\t}\n\t\t\t\tcode = parsed.code;\n\t\t\t}\n\n\t\t\t// If still no code, wait for manual promise and try that\n\t\t\tif (!code) {\n\t\t\t\tawait manualPromise;\n\t\t\t\tif (manualError) {\n\t\t\t\t\tthrow manualError;\n\t\t\t\t}\n\t\t\t\tif (manualInput) {\n\t\t\t\t\tconst parsed = parseRedirectUrl(manualInput);\n\t\t\t\t\tif (parsed.state && parsed.state !== verifier) {\n\t\t\t\t\t\tthrow new Error(\"OAuth state mismatch - possible CSRF attack\");\n\t\t\t\t\t}\n\t\t\t\t\tcode = parsed.code;\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\t// Original flow: just wait for callback\n\t\t\tconst result = await server.waitForCode();\n\t\t\tif (result?.code) {\n\t\t\t\tif (result.state !== verifier) {\n\t\t\t\t\tthrow new Error(\"OAuth state mismatch - possible CSRF attack\");\n\t\t\t\t}\n\t\t\t\tcode = result.code;\n\t\t\t}\n\t\t}\n\n\t\tif (!code) {\n\t\t\tthrow new Error(\"No authorization code received\");\n\t\t}\n\n\t\t// Exchange code for tokens\n\t\tonProgress?.(\"Exchanging authorization code for tokens...\");\n\t\tconst tokenResponse = await fetch(TOKEN_URL, {\n\t\t\tmethod: \"POST\",\n\t\t\theaders: {\n\t\t\t\t\"Content-Type\": \"application/x-www-form-urlencoded\",\n\t\t\t},\n\t\t\tbody: new URLSearchParams({\n\t\t\t\tclient_id: CLIENT_ID,\n\t\t\t\tclient_secret: CLIENT_SECRET,\n\t\t\t\tcode,\n\t\t\t\tgrant_type: \"authorization_code\",\n\t\t\t\tredirect_uri: REDIRECT_URI,\n\t\t\t\tcode_verifier: verifier,\n\t\t\t}),\n\t\t\tsignal: AbortSignal.timeout(30_000),\n\t\t});\n\n\t\tif (!tokenResponse.ok) {\n\t\t\tconst error = await tokenResponse.text();\n\t\t\tthrow new Error(`Token exchange failed: ${error}`);\n\t\t}\n\n\t\tconst tokenData = (await tokenResponse.json()) as {\n\t\t\taccess_token: string;\n\t\t\trefresh_token: string;\n\t\t\texpires_in: number;\n\t\t};\n\n\t\tif (!tokenData.refresh_token) {\n\t\t\tthrow new Error(\"No refresh token received. Please try again.\");\n\t\t}\n\n\t\t// Get user email\n\t\tonProgress?.(\"Getting user info...\");\n\t\tconst email = await getGoogleUserEmail(tokenData.access_token);\n\n\t\t// Discover project\n\t\tconst projectId = await discoverProject(tokenData.access_token, onProgress);\n\n\t\t// Calculate expiry time (current time + expires_in seconds - 5 min buffer)\n\t\tconst expiresAt = Date.now() + tokenData.expires_in 1000 - 5 * 60 * 1000;\n\n\t\tconst credentials: OAuthCredentials = {\n\t\t\trefresh: tokenData.refresh_token,\n\t\t\taccess: tokenData.access_token,\n\t\t\texpires: expiresAt,\n\t\t\tprojectId,\n\t\t\temail,\n\t\t};\n\n\t\treturn credentials;\n\t} finally {\n\t\tserver.server.close();\n\t}\n}\n\nexport const geminiCliOAuthProvider: OAuthProviderInterface = {\n\tid: \"google-gemini-cli\",\n\tname: \"Google Cloud Code Assist (Gemini CLI)\",\n\tusesCallbackServer: true,\n\n\tasync login(callbacks: OAuthLoginCallbacks): Promise<OAuthCredentials> {\n\t\treturn loginGeminiCli(callbacks.onAuth, callbacks.onProgress, callbacks.onManualCodeInput);\n\t},\n\n\tasync refreshToken(credentials: OAuthCredentials): Promise<OAuthCredentials> {\n\t\tconst creds = credentials as GeminiCredentials;\n\t\tif (!creds.projectId) {\n\t\t\tthrow new Error(\"Google Cloud credentials missing projectId\");\n\t\t}\n\t\treturn refreshGoogleCloudToken(creds.refresh, creds.projectId);\n\t},\n\n\tgetApiKey(credentials: OAuthCredentials): string {\n\t\tconst creds = credentials as GeminiCredentials;\n\t\treturn JSON.stringify({ token: creds.access, projectId: creds.projectId });\n\t},\n};\n"]}

package/packages/pi-ai/dist/utils/oauth/google-gemini-cli.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=google-gemini-cli.test.d.ts.map

package/packages/pi-ai/dist/utils/oauth/google-gemini-cli.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"google-gemini-cli.test.d.ts","sourceRoot":"","sources":["../../../src/utils/oauth/google-gemini-cli.test.ts"],"names":[],"mappings":""}

package/packages/pi-ai/dist/utils/oauth/google-gemini-cli.test.js ADDED Viewed

@@ -0,0 +1,67 @@
+import { describe, test } from "node:test";
+import assert from "node:assert/strict";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { geminiCliOAuthProvider } from "./google-gemini-cli.js";
+const __dirname = fileURLToPath(new URL(".", import.meta.url));
+const packageRoot = join(__dirname, "..", "..", "..");
+const sourceDir = existsSync(join(__dirname, "google-gemini-cli.ts"))
+    ? __dirname
+    : join(packageRoot, "src", "utils", "oauth");
+function readSourceFile(name) {
+    return readFileSync(join(sourceDir, name), "utf-8");
+}
+describe("Gemini CLI OAuth — provider structure", () => {
+    test("has correct id and name", () => {
+        assert.equal(geminiCliOAuthProvider.id, "google-gemini-cli");
+        assert.equal(geminiCliOAuthProvider.name, "Google Cloud Code Assist (Gemini CLI)");
+    });
+    test("uses callback server", () => {
+        assert.equal(geminiCliOAuthProvider.usesCallbackServer, true);
+    });
+    test("has required methods", () => {
+        assert.equal(typeof geminiCliOAuthProvider.login, "function");
+        assert.equal(typeof geminiCliOAuthProvider.refreshToken, "function");
+        assert.equal(typeof geminiCliOAuthProvider.getApiKey, "function");
+    });
+    test("getApiKey returns JSON with token and projectId", () => {
+        const credentials = {
+            access: "test-access-token",
+            refresh: "test-refresh-token",
+            expires: Date.now() + 3600000,
+            projectId: "test-project-456",
+            email: "test@example.com",
+        };
+        const apiKey = geminiCliOAuthProvider.getApiKey(credentials);
+        assert.equal(typeof apiKey, "string");
+        const parsed = JSON.parse(apiKey);
+        assert.equal(parsed.token, "test-access-token");
+        assert.equal(parsed.projectId, "test-project-456");
+    });
+    test("refreshToken throws when projectId is missing", async () => {
+        const credentials = {
+            access: "test-access-token",
+            refresh: "test-refresh-token",
+            expires: Date.now() + 3600000,
+        };
+        await assert.rejects(geminiCliOAuthProvider.refreshToken(credentials), /Google Cloud credentials missing projectId/);
+    });
+});
+describe("Gemini CLI OAuth — credential regression", () => {
+    test("module imports successfully", () => {
+        assert.ok(geminiCliOAuthProvider);
+    });
+    test("CLIENT_ID and CLIENT_SECRET are plaintext", () => {
+        const content = readSourceFile("google-gemini-cli.ts");
+        assert.ok(content.includes('CLIENT_ID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com"'));
+        assert.ok(content.includes('CLIENT_SECRET = "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"'));
+        assert.ok(!content.includes("atob("));
+    });
+    test("security explanation comments are present", () => {
+        const content = readSourceFile("google-gemini-cli.ts");
+        assert.ok(content.includes("NOTE: These credentials are public"));
+        assert.ok(content.includes("obfuscated") || content.includes("security scanners"));
+    });
+});
+//# sourceMappingURL=google-gemini-cli.test.js.map

package/packages/pi-ai/dist/utils/oauth/google-gemini-cli.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"google-gemini-cli.test.js","sourceRoot":"","sources":["../../../src/utils/oauth/google-gemini-cli.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAEhE,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC/D,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;AACtD,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,sBAAsB,CAAC,CAAC;IACpE,CAAC,CAAC,SAAS;IACX,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AAE9C,SAAS,cAAc,CAAC,IAAY;IACnC,OAAO,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;AACrD,CAAC;AAED,QAAQ,CAAC,uCAAuC,EAAE,GAAG,EAAE;IACtD,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,EAAE,mBAAmB,CAAC,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,IAAI,EAAE,uCAAuC,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAC9D,MAAM,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;QACrE,MAAM,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,iDAAiD,EAAE,GAAG,EAAE;QAC5D,MAAM,WAAW,GAAqB;YACrC,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,oBAAoB;YAC7B,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;YAC7B,SAAS,EAAE,kBAAkB;YAC7B,KAAK,EAAE,kBAAkB;SACzB,CAAC;QACF,MAAM,MAAM,GAAG,sBAAsB,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,OAAO,MAAM,EAAE,QAAQ,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QAChD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,WAAW,GAAqB;YACrC,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,oBAAoB;YAC7B,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;SAC7B,CAAC;QACF,MAAM,MAAM,CAAC,OAAO,CACnB,sBAAsB,CAAC,YAAY,CAAC,WAAW,CAAC,EAChD,4CAA4C,CAC5C,CAAC;IACH,CAAC,CAAC,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,0CAA0C,EAAE,GAAG,EAAE;IACzD,IAAI,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,EAAE,CAAC,sBAAsB,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACtD,MAAM,OAAO,GAAG,cAAc,CAAC,sBAAsB,CAAC,CAAC;QACvD,MAAM,CAAC,EAAE,CACR,OAAO,CAAC,QAAQ,CACf,wFAAwF,CACxF,CACD,CAAC;QACF,MAAM,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,uDAAuD,CAAC,CAAC,CAAC;QACrF,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACtD,MAAM,OAAO,GAAG,cAAc,CAAC,sBAAsB,CAAC,CAAC;QACvD,MAAM,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,oCAAoC,CAAC,CAAC,CAAC;QAClE,MAAM,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;AACJ,CAAC,CAAC,CAAC","sourcesContent":["import { describe, test } from \"node:test\";\nimport assert from \"node:assert/strict\";\nimport { existsSync, readFileSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport type { OAuthCredentials } from \"./types.js\";\nimport { geminiCliOAuthProvider } from \"./google-gemini-cli.js\";\n\nconst __dirname = fileURLToPath(new URL(\".\", import.meta.url));\nconst packageRoot = join(__dirname, \"..\", \"..\", \"..\");\nconst sourceDir = existsSync(join(__dirname, \"google-gemini-cli.ts\"))\n\t? __dirname\n\t: join(packageRoot, \"src\", \"utils\", \"oauth\");\n\nfunction readSourceFile(name: string): string {\n\treturn readFileSync(join(sourceDir, name), \"utf-8\");\n}\n\ndescribe(\"Gemini CLI OAuth — provider structure\", () => {\n\ttest(\"has correct id and name\", () => {\n\t\tassert.equal(geminiCliOAuthProvider.id, \"google-gemini-cli\");\n\t\tassert.equal(geminiCliOAuthProvider.name, \"Google Cloud Code Assist (Gemini CLI)\");\n\t});\n\n\ttest(\"uses callback server\", () => {\n\t\tassert.equal(geminiCliOAuthProvider.usesCallbackServer, true);\n\t});\n\n\ttest(\"has required methods\", () => {\n\t\tassert.equal(typeof geminiCliOAuthProvider.login, \"function\");\n\t\tassert.equal(typeof geminiCliOAuthProvider.refreshToken, \"function\");\n\t\tassert.equal(typeof geminiCliOAuthProvider.getApiKey, \"function\");\n\t});\n\n\ttest(\"getApiKey returns JSON with token and projectId\", () => {\n\t\tconst credentials: OAuthCredentials = {\n\t\t\taccess: \"test-access-token\",\n\t\t\trefresh: \"test-refresh-token\",\n\t\t\texpires: Date.now() + 3600000,\n\t\t\tprojectId: \"test-project-456\",\n\t\t\temail: \"test@example.com\",\n\t\t};\n\t\tconst apiKey = geminiCliOAuthProvider.getApiKey(credentials);\n\t\tassert.equal(typeof apiKey, \"string\");\n\t\tconst parsed = JSON.parse(apiKey);\n\t\tassert.equal(parsed.token, \"test-access-token\");\n\t\tassert.equal(parsed.projectId, \"test-project-456\");\n\t});\n\n\ttest(\"refreshToken throws when projectId is missing\", async () => {\n\t\tconst credentials: OAuthCredentials = {\n\t\t\taccess: \"test-access-token\",\n\t\t\trefresh: \"test-refresh-token\",\n\t\t\texpires: Date.now() + 3600000,\n\t\t};\n\t\tawait assert.rejects(\n\t\t\tgeminiCliOAuthProvider.refreshToken(credentials),\n\t\t\t/Google Cloud credentials missing projectId/,\n\t\t);\n\t});\n});\n\ndescribe(\"Gemini CLI OAuth — credential regression\", () => {\n\ttest(\"module imports successfully\", () => {\n\t\tassert.ok(geminiCliOAuthProvider);\n\t});\n\n\ttest(\"CLIENT_ID and CLIENT_SECRET are plaintext\", () => {\n\t\tconst content = readSourceFile(\"google-gemini-cli.ts\");\n\t\tassert.ok(\n\t\t\tcontent.includes(\n\t\t\t\t'CLIENT_ID = \"681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com\"',\n\t\t\t),\n\t\t);\n\t\tassert.ok(content.includes('CLIENT_SECRET = \"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\"'));\n\t\tassert.ok(!content.includes(\"atob(\"));\n\t});\n\n\ttest(\"security explanation comments are present\", () => {\n\t\tconst content = readSourceFile(\"google-gemini-cli.ts\");\n\t\tassert.ok(content.includes(\"NOTE: These credentials are public\"));\n\t\tassert.ok(content.includes(\"obfuscated\") || content.includes(\"security scanners\"));\n\t});\n});"]}

package/packages/pi-ai/dist/utils/oauth/oauth-providers.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=oauth-providers.test.d.ts.map

package/packages/pi-ai/dist/utils/oauth/oauth-providers.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"oauth-providers.test.d.ts","sourceRoot":"","sources":["../../../src/utils/oauth/oauth-providers.test.ts"],"names":[],"mappings":""}

package/packages/pi-ai/dist/utils/oauth/oauth-providers.test.js ADDED Viewed

@@ -0,0 +1,289 @@
+import { describe, test } from "node:test";
+import assert from "node:assert/strict";
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+// Test files that need to import from the OAuth modules
+import { githubCopilotOAuthProvider, normalizeDomain, getGitHubCopilotBaseUrl, } from "./github-copilot.js";
+import { antigravityOAuthProvider } from "./google-antigravity.js";
+import { geminiCliOAuthProvider } from "./google-gemini-cli.js";
+const __dirname = fileURLToPath(new URL(".", import.meta.url));
+// Helper to create a minimal model for testing
+function createModel(overrides = {}) {
+    return {
+        id: "test-model",
+        name: "Test Model",
+        api: "openai-completions",
+        provider: "test-provider",
+        baseUrl: "https://example.com",
+        reasoning: false,
+        input: ["text"],
+        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+        contextWindow: 128000,
+        maxTokens: 8192,
+        ...overrides,
+    };
+}
+// ═══════════════════════════════════════════════════════════════════════════
+// GitHub Copilot OAuth Provider Tests
+// ═══════════════════════════════════════════════════════════════════════════
+describe("GitHub Copilot OAuth — normalizeDomain", () => {
+    test("returns null for empty input", () => {
+        assert.equal(normalizeDomain(""), null);
+        assert.equal(normalizeDomain("   "), null);
+    });
+    test("returns null for invalid domain", () => {
+        assert.equal(normalizeDomain("not a domain!@#"), null);
+    });
+    test("extracts hostname from full URL", () => {
+        assert.equal(normalizeDomain("https://github.com"), "github.com");
+        assert.equal(normalizeDomain("https://company.ghe.com"), "company.ghe.com");
+        assert.equal(normalizeDomain("http://example.com/path"), "example.com");
+    });
+    test("returns domain as-is when no protocol", () => {
+        assert.equal(normalizeDomain("github.com"), "github.com");
+        assert.equal(normalizeDomain("company.ghe.com"), "company.ghe.com");
+    });
+    test("trims whitespace", () => {
+        assert.equal(normalizeDomain("  github.com  "), "github.com");
+    });
+});
+describe("GitHub Copilot OAuth — getBaseUrlFromToken", () => {
+    test("extracts API URL from token with proxy-ep", () => {
+        // Token format: tid=...;exp=...;proxy-ep=proxy.individual.githubcopilot.com;...
+        const token = "tid=123;exp=1234567890;proxy-ep=proxy.individual.githubcopilot.com;other=value";
+        const baseUrl = getGitHubCopilotBaseUrl(token);
+        assert.equal(baseUrl, "https://api.individual.githubcopilot.com");
+    });
+    test("extracts API URL from enterprise proxy-ep", () => {
+        const token = "tid=123;exp=1234567890;proxy-ep=proxy.company.ghe.com;other=value";
+        const baseUrl = getGitHubCopilotBaseUrl(token);
+        assert.equal(baseUrl, "https://api.company.ghe.com");
+    });
+    test("falls back to default when no token provided", () => {
+        const baseUrl = getGitHubCopilotBaseUrl();
+        assert.equal(baseUrl, "https://api.individual.githubcopilot.com");
+    });
+    test("falls back to default when token has no proxy-ep", () => {
+        const token = "tid=123;exp=1234567890;other=value";
+        const baseUrl = getGitHubCopilotBaseUrl(token);
+        assert.equal(baseUrl, "https://api.individual.githubcopilot.com");
+    });
+    test("uses enterprise domain when provided", () => {
+        const baseUrl = getGitHubCopilotBaseUrl(undefined, "company.ghe.com");
+        assert.equal(baseUrl, "https://copilot-api.company.ghe.com");
+    });
+    test("prioritizes token proxy-ep over enterprise domain", () => {
+        const token = "tid=123;exp=1234567890;proxy-ep=proxy.individual.githubcopilot.com;other=value";
+        const baseUrl = getGitHubCopilotBaseUrl(token, "company.ghe.com");
+        assert.equal(baseUrl, "https://api.individual.githubcopilot.com");
+    });
+});
+describe("GitHub Copilot OAuth — provider structure", () => {
+    test("has correct id and name", () => {
+        assert.equal(githubCopilotOAuthProvider.id, "github-copilot");
+        assert.equal(githubCopilotOAuthProvider.name, "GitHub Copilot");
+    });
+    test("has required methods", () => {
+        assert.equal(typeof githubCopilotOAuthProvider.login, "function");
+        assert.equal(typeof githubCopilotOAuthProvider.refreshToken, "function");
+        assert.equal(typeof githubCopilotOAuthProvider.getApiKey, "function");
+    });
+    test("getApiKey returns access token", () => {
+        const credentials = {
+            access: "test-access-token",
+            refresh: "test-refresh-token",
+            expires: Date.now() + 3600000,
+        };
+        const apiKey = githubCopilotOAuthProvider.getApiKey(credentials);
+        assert.equal(apiKey, "test-access-token");
+    });
+    test("modifyModels preserves non-Copilot models", () => {
+        if (!githubCopilotOAuthProvider.modifyModels)
+            return;
+        const models = [createModel({ id: "gpt-4", provider: "openai" })];
+        const credentials = {
+            access: "test-token",
+            refresh: "test-refresh",
+            expires: Date.now() + 3600000,
+        };
+        const result = githubCopilotOAuthProvider.modifyModels(models, credentials);
+        assert.deepEqual(result, models);
+    });
+    test("modifyModels updates Copilot model baseUrl when token has proxy-ep", () => {
+        if (!githubCopilotOAuthProvider.modifyModels)
+            return;
+        const models = [
+            createModel({
+                id: "claude-3.5-sonnet",
+                provider: "github-copilot",
+                baseUrl: "https://api.default.com",
+            }),
+        ];
+        const credentials = {
+            access: "tid=123;exp=1234567890;proxy-ep=proxy.individual.githubcopilot.com;",
+            refresh: "test-refresh",
+            expires: Date.now() + 3600000,
+        };
+        const result = githubCopilotOAuthProvider.modifyModels(models, credentials);
+        assert.equal(result[0].baseUrl, "https://api.individual.githubcopilot.com");
+    });
+    test("modifyModels applies model limits when available", () => {
+        if (!githubCopilotOAuthProvider.modifyModels)
+            return;
+        const models = [
+            createModel({
+                id: "claude-3.5-sonnet",
+                provider: "github-copilot",
+                baseUrl: "https://api.default.com",
+            }),
+        ];
+        const credentials = {
+            access: "test-token",
+            refresh: "test-refresh",
+            expires: Date.now() + 3600000,
+            modelLimits: {
+                "claude-3.5-sonnet": { contextWindow: 123456, maxTokens: 4096 },
+            },
+        };
+        const result = githubCopilotOAuthProvider.modifyModels(models, credentials);
+        assert.equal(result[0].contextWindow, 123456);
+        assert.equal(result[0].maxTokens, 4096);
+    });
+});
+// ═══════════════════════════════════════════════════════════════════════════
+// Antigravity OAuth Provider Tests
+// ═══════════════════════════════════════════════════════════════════════════
+describe("Antigravity OAuth — provider structure", () => {
+    test("has correct id and name", () => {
+        assert.equal(antigravityOAuthProvider.id, "google-antigravity");
+        assert.equal(antigravityOAuthProvider.name, "Antigravity (Gemini 3, Claude, GPT-OSS)");
+    });
+    test("uses callback server", () => {
+        assert.equal(antigravityOAuthProvider.usesCallbackServer, true);
+    });
+    test("has required methods", () => {
+        assert.equal(typeof antigravityOAuthProvider.login, "function");
+        assert.equal(typeof antigravityOAuthProvider.refreshToken, "function");
+        assert.equal(typeof antigravityOAuthProvider.getApiKey, "function");
+    });
+    test("getApiKey returns JSON with token and projectId", () => {
+        const credentials = {
+            access: "test-access-token",
+            refresh: "test-refresh-token",
+            expires: Date.now() + 3600000,
+            projectId: "test-project-123",
+            email: "test@example.com",
+        };
+        const apiKey = antigravityOAuthProvider.getApiKey(credentials);
+        assert.equal(typeof apiKey, "string");
+        const parsed = JSON.parse(apiKey);
+        assert.equal(parsed.token, "test-access-token");
+        assert.equal(parsed.projectId, "test-project-123");
+    });
+    test("refreshToken throws when projectId is missing", async () => {
+        const credentials = {
+            access: "test-access-token",
+            refresh: "test-refresh-token",
+            expires: Date.now() + 3600000,
+        };
+        await assert.rejects(antigravityOAuthProvider.refreshToken(credentials), /Antigravity credentials missing projectId/);
+    });
+});
+// ═══════════════════════════════════════════════════════════════════════════
+// Gemini CLI OAuth Provider Tests
+// ═══════════════════════════════════════════════════════════════════════════
+describe("Gemini CLI OAuth — provider structure", () => {
+    test("has correct id and name", () => {
+        assert.equal(geminiCliOAuthProvider.id, "google-gemini-cli");
+        assert.equal(geminiCliOAuthProvider.name, "Google Cloud Code Assist (Gemini CLI)");
+    });
+    test("uses callback server", () => {
+        assert.equal(geminiCliOAuthProvider.usesCallbackServer, true);
+    });
+    test("has required methods", () => {
+        assert.equal(typeof geminiCliOAuthProvider.login, "function");
+        assert.equal(typeof geminiCliOAuthProvider.refreshToken, "function");
+        assert.equal(typeof geminiCliOAuthProvider.getApiKey, "function");
+    });
+    test("getApiKey returns JSON with token and projectId", () => {
+        const credentials = {
+            access: "test-access-token",
+            refresh: "test-refresh-token",
+            expires: Date.now() + 3600000,
+            projectId: "test-project-456",
+            email: "test@example.com",
+        };
+        const apiKey = geminiCliOAuthProvider.getApiKey(credentials);
+        assert.equal(typeof apiKey, "string");
+        const parsed = JSON.parse(apiKey);
+        assert.equal(parsed.token, "test-access-token");
+        assert.equal(parsed.projectId, "test-project-456");
+    });
+    test("refreshToken throws when projectId is missing", async () => {
+        const credentials = {
+            access: "test-access-token",
+            refresh: "test-refresh-token",
+            expires: Date.now() + 3600000,
+        };
+        await assert.rejects(geminiCliOAuthProvider.refreshToken(credentials), /Google Cloud credentials missing projectId/);
+    });
+});
+// ═══════════════════════════════════════════════════════════════════════════
+// Regression tests for credential de-obfuscation
+//
+// These tests verify that OAuth credentials are stored in plaintext
+// (not base64-encoded) after the refactor in commit 289bb325c.
+// ═══════════════════════════════════════════════════════════════════════════
+describe("OAuth credentials — de-obfuscated regression", () => {
+    // Verify we can import the modules without decoding errors
+    test("GitHub Copilot module imports successfully", () => {
+        // If the module imports, the CLIENT_ID is valid plaintext
+        assert.ok(githubCopilotOAuthProvider);
+    });
+    test("Antigravity module imports successfully", () => {
+        assert.ok(antigravityOAuthProvider);
+    });
+    test("Gemini CLI module imports successfully", () => {
+        assert.ok(geminiCliOAuthProvider);
+    });
+    test("GitHub Copilot CLIENT_ID is plaintext (not base64)", () => {
+        const content = readFileSync(join(__dirname, "github-copilot.ts"), "utf-8");
+        // Should contain plaintext CLIENT_ID
+        assert.ok(content.includes('CLIENT_ID = "Iv1.b507a08c87ecfe98"'));
+        // Should NOT contain atob calls for de-obfuscation
+        assert.ok(!content.includes("atob("));
+    });
+    test("Antigravity CLIENT_ID and CLIENT_SECRET are plaintext", () => {
+        const content = readFileSync(join(__dirname, "google-antigravity.ts"), "utf-8");
+        // Should contain plaintext credentials
+        assert.ok(content.includes('CLIENT_ID = "1071006060591-tmhssin2h21lcre235vtolojh4g403ep.apps.googleusercontent.com"'));
+        assert.ok(content.includes('CLIENT_SECRET = "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"'));
+        // Should NOT contain atob calls for de-obfuscation
+        assert.ok(!content.includes("atob("));
+    });
+    test("Gemini CLI CLIENT_ID and CLIENT_SECRET are plaintext", () => {
+        const content = readFileSync(join(__dirname, "google-gemini-cli.ts"), "utf-8");
+        // Should contain plaintext credentials
+        assert.ok(content.includes('CLIENT_ID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com"'));
+        assert.ok(content.includes('CLIENT_SECRET = "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"'));
+        // Should NOT contain atob calls for de-obfuscation
+        assert.ok(!content.includes("atob("));
+    });
+    test("all OAuth files include security explanation comments", () => {
+        const files = [
+            "github-copilot.ts",
+            "google-antigravity.ts",
+            "google-gemini-cli.ts",
+        ];
+        for (const file of files) {
+            const content = readFileSync(join(__dirname, file), "utf-8");
+            // Should include explanation of why credentials are public
+            assert.ok(content.includes("NOTE: This credential is public") ||
+                content.includes("NOTE: These credentials are public"), `${file} should explain why credentials are public`);
+            assert.ok(content.includes("obfuscated") ||
+                content.includes("security scanners"), `${file} should reference the security scanner issue`);
+        }
+    });
+});
+//# sourceMappingURL=oauth-providers.test.js.map

package/packages/pi-ai/dist/utils/oauth/oauth-providers.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth-providers.test.js","sourceRoot":"","sources":["../../../src/utils/oauth/oauth-providers.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAIzC,wDAAwD;AACxD,OAAO,EACN,0BAA0B,EAC1B,eAAe,EACf,uBAAuB,GACvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAEhE,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAQ/D,+CAA+C;AAC/C,SAAS,WAAW,CAAC,YAAiC,EAAE;IACvD,OAAO;QACN,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,YAAY;QAClB,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,qBAAqB;QAC9B,SAAS,EAAE,KAAK;QAChB,KAAK,EAAE,CAAC,MAAM,CAAC;QACf,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE;QAC1D,aAAa,EAAE,MAAM;QACrB,SAAS,EAAE,IAAI;QACf,GAAG,SAAS;KACE,CAAC;AACjB,CAAC;AAED,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E,QAAQ,CAAC,wCAAwC,EAAE,GAAG,EAAE;IACvD,IAAI,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC;QACxC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,iCAAiC,EAAE,GAAG,EAAE;QAC5C,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,iBAAiB,CAAC,EAAE,IAAI,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,iCAAiC,EAAE,GAAG,EAAE;QAC5C,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,oBAAoB,CAAC,EAAE,YAAY,CAAC,CAAC;QAClE,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,yBAAyB,CAAC,EAAE,iBAAiB,CAAC,CAAC;QAC5E,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,yBAAyB,CAAC,EAAE,aAAa,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAClD,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC,CAAC;QAC1D,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,iBAAiB,CAAC,EAAE,iBAAiB,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAC7B,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,gBAAgB,CAAC,EAAE,YAAY,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,4CAA4C,EAAE,GAAG,EAAE;IAC3D,IAAI,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACtD,gFAAgF;QAChF,MAAM,KAAK,GAAG,gFAAgF,CAAC;QAC/F,MAAM,OAAO,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,0CAA0C,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACtD,MAAM,KAAK,GAAG,mEAAmE,CAAC;QAClF,MAAM,OAAO,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,6BAA6B,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACzD,MAAM,OAAO,GAAG,uBAAuB,EAAE,CAAC;QAC1C,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,0CAA0C,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC7D,MAAM,KAAK,GAAG,oCAAoC,CAAC;QACnD,MAAM,OAAO,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,0CAA0C,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,sCAAsC,EAAE,GAAG,EAAE;QACjD,MAAM,OAAO,GAAG,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;QACtE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,qCAAqC,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC9D,MAAM,KAAK,GAAG,gFAAgF,CAAC;QAC/F,MAAM,OAAO,GAAG,uBAAuB,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;QAClE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,0CAA0C,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,2CAA2C,EAAE,GAAG,EAAE;IAC1D,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,EAAE,EAAE,gBAAgB,CAAC,CAAC;QAC9D,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAClE,MAAM,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;QACzE,MAAM,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,gCAAgC,EAAE,GAAG,EAAE;QAC3C,MAAM,WAAW,GAAqB;YACrC,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,oBAAoB;YAC7B,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;SAC7B,CAAC;QACF,MAAM,MAAM,GAAG,0BAA0B,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACjE,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACtD,IAAI,CAAC,0BAA0B,CAAC,YAAY;YAAE,OAAO;QACrD,MAAM,MAAM,GAAG,CAAC,WAAW,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QAClE,MAAM,WAAW,GAAqB;YACrC,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,cAAc;YACvB,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;SAC7B,CAAC;QACF,MAAM,MAAM,GAAG,0BAA0B,CAAC,YAAY,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAC5E,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,oEAAoE,EAAE,GAAG,EAAE;QAC/E,IAAI,CAAC,0BAA0B,CAAC,YAAY;YAAE,OAAO;QACrD,MAAM,MAAM,GAAG;YACd,WAAW,CAAC;gBACX,EAAE,EAAE,mBAAmB;gBACvB,QAAQ,EAAE,gBAAgB;gBAC1B,OAAO,EAAE,yBAAyB;aAClC,CAAC;SACF,CAAC;QACF,MAAM,WAAW,GAAuB;YACvC,MAAM,EAAE,qEAAqE;YAC7E,OAAO,EAAE,cAAc;YACvB,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;SAC7B,CAAC;QACF,MAAM,MAAM,GAAG,0BAA0B,CAAC,YAAY,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAC5E,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,0CAA0C,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC7D,IAAI,CAAC,0BAA0B,CAAC,YAAY;YAAE,OAAO;QACrD,MAAM,MAAM,GAAG;YACd,WAAW,CAAC;gBACX,EAAE,EAAE,mBAAmB;gBACvB,QAAQ,EAAE,gBAAgB;gBAC1B,OAAO,EAAE,yBAAyB;aAClC,CAAC;SACF,CAAC;QACF,MAAM,WAAW,GAAuB;YACvC,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,cAAc;YACvB,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;YAC7B,WAAW,EAAE;gBACZ,mBAAmB,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE;aAC/D;SACD,CAAC;QACF,MAAM,MAAM,GAAG,0BAA0B,CAAC,YAAY,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAC5E,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAC9C,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,mCAAmC;AACnC,8EAA8E;AAE9E,QAAQ,CAAC,wCAAwC,EAAE,GAAG,EAAE;IACvD,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,KAAK,CAAC,wBAAwB,CAAC,EAAE,EAAE,oBAAoB,CAAC,CAAC;QAChE,MAAM,CAAC,KAAK,CAAC,wBAAwB,CAAC,IAAI,EAAE,yCAAyC,CAAC,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,KAAK,CAAC,wBAAwB,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;QACvE,MAAM,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,iDAAiD,EAAE,GAAG,EAAE;QAC5D,MAAM,WAAW,GAAqB;YACrC,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,oBAAoB;YAC7B,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;YAC7B,SAAS,EAAE,kBAAkB;YAC7B,KAAK,EAAE,kBAAkB;SACzB,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC/D,MAAM,CAAC,KAAK,CAAC,OAAO,MAAM,EAAE,QAAQ,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QAChD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,WAAW,GAAqB;YACrC,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,oBAAoB;YAC7B,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;SAC7B,CAAC;QACF,MAAM,MAAM,CAAC,OAAO,CACnB,wBAAwB,CAAC,YAAY,CAAC,WAAW,CAAC,EAClD,2CAA2C,CAC3C,CAAC;IACH,CAAC,CAAC,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,kCAAkC;AAClC,8EAA8E;AAE9E,QAAQ,CAAC,uCAAuC,EAAE,GAAG,EAAE;IACtD,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,EAAE,mBAAmB,CAAC,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,IAAI,EAAE,uCAAuC,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAC9D,MAAM,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;QACrE,MAAM,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,iDAAiD,EAAE,GAAG,EAAE;QAC5D,MAAM,WAAW,GAAqB;YACrC,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,oBAAoB;YAC7B,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;YAC7B,SAAS,EAAE,kBAAkB;YAC7B,KAAK,EAAE,kBAAkB;SACzB,CAAC;QACF,MAAM,MAAM,GAAG,sBAAsB,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,OAAO,MAAM,EAAE,QAAQ,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QAChD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,WAAW,GAAqB;YACrC,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,oBAAoB;YAC7B,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;SAC7B,CAAC;QACF,MAAM,MAAM,CAAC,OAAO,CACnB,sBAAsB,CAAC,YAAY,CAAC,WAAW,CAAC,EAChD,4CAA4C,CAC5C,CAAC;IACH,CAAC,CAAC,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,iDAAiD;AACjD,EAAE;AACF,oEAAoE;AACpE,+DAA+D;AAC/D,8EAA8E;AAE9E,QAAQ,CAAC,8CAA8C,EAAE,GAAG,EAAE;IAC7D,2DAA2D;IAC3D,IAAI,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACvD,0DAA0D;QAC1D,MAAM,CAAC,EAAE,CAAC,0BAA0B,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACpD,MAAM,CAAC,EAAE,CAAC,wBAAwB,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,wCAAwC,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,EAAE,CAAC,sBAAsB,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC/D,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,mBAAmB,CAAC,EAAE,OAAO,CAAC,CAAC;QAC5E,qCAAqC;QACrC,MAAM,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,oCAAoC,CAAC,CAAC,CAAC;QAClE,mDAAmD;QACnD,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAClE,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,uBAAuB,CAAC,EAAE,OAAO,CAAC,CAAC;QAChF,uCAAuC;QACvC,MAAM,CAAC,EAAE,CACR,OAAO,CAAC,QAAQ,CACf,yFAAyF,CACzF,CACD,CAAC;QACF,MAAM,CAAC,EAAE,CACR,OAAO,CAAC,QAAQ,CAAC,uDAAuD,CAAC,CACzE,CAAC;QACF,mDAAmD;QACnD,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,sDAAsD,EAAE,GAAG,EAAE;QACjE,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,sBAAsB,CAAC,EAAE,OAAO,CAAC,CAAC;QAC/E,uCAAuC;QACvC,MAAM,CAAC,EAAE,CACR,OAAO,CAAC,QAAQ,CACf,wFAAwF,CACxF,CACD,CAAC;QACF,MAAM,CAAC,EAAE,CACR,OAAO,CAAC,QAAQ,CAAC,uDAAuD,CAAC,CACzE,CAAC;QACF,mDAAmD;QACnD,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAClE,MAAM,KAAK,GAAG;YACb,mBAAmB;YACnB,uBAAuB;YACvB,sBAAsB;SACtB,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YAC1B,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;YAC7D,2DAA2D;YAC3D,MAAM,CAAC,EAAE,CACR,OAAO,CAAC,QAAQ,CAAC,iCAAiC,CAAC;gBAClD,OAAO,CAAC,QAAQ,CAAC,oCAAoC,CAAC,EACvD,GAAG,IAAI,4CAA4C,CACnD,CAAC;YACF,MAAM,CAAC,EAAE,CACR,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;gBAC7B,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EACtC,GAAG,IAAI,8CAA8C,CACrD,CAAC;QACH,CAAC;IACF,CAAC,CAAC,CAAC;AACJ,CAAC,CAAC,CAAC","sourcesContent":["import { describe, test } from \"node:test\";\nimport assert from \"node:assert/strict\";\nimport { readFileSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport type { Model, Api } from \"../../types.js\";\nimport type { OAuthCredentials } from \"./types.js\";\n\n// Test files that need to import from the OAuth modules\nimport {\n\tgithubCopilotOAuthProvider,\n\tnormalizeDomain,\n\tgetGitHubCopilotBaseUrl,\n} from \"./github-copilot.js\";\nimport { antigravityOAuthProvider } from \"./google-antigravity.js\";\nimport { geminiCliOAuthProvider } from \"./google-gemini-cli.js\";\n\nconst __dirname = fileURLToPath(new URL(\".\", import.meta.url));\n\n// Local type for Copilot credentials (includes optional fields)\ntype CopilotCredentials = OAuthCredentials & {\n\tenterpriseUrl?: string;\n\tmodelLimits?: Record<string, { contextWindow: number; maxTokens: number }>;\n};\n\n// Helper to create a minimal model for testing\nfunction createModel(overrides: Partial<Model<Api>> = {}): Model<Api> {\n\treturn {\n\t\tid: \"test-model\",\n\t\tname: \"Test Model\",\n\t\tapi: \"openai-completions\",\n\t\tprovider: \"test-provider\",\n\t\tbaseUrl: \"https://example.com\",\n\t\treasoning: false,\n\t\tinput: [\"text\"],\n\t\tcost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },\n\t\tcontextWindow: 128000,\n\t\tmaxTokens: 8192,\n\t\t...overrides,\n\t} as Model<Api>;\n}\n\n// ═══════════════════════════════════════════════════════════════════════════\n// GitHub Copilot OAuth Provider Tests\n// ═══════════════════════════════════════════════════════════════════════════\n\ndescribe(\"GitHub Copilot OAuth — normalizeDomain\", () => {\n\ttest(\"returns null for empty input\", () => {\n\t\tassert.equal(normalizeDomain(\"\"), null);\n\t\tassert.equal(normalizeDomain(\" \"), null);\n\t});\n\n\ttest(\"returns null for invalid domain\", () => {\n\t\tassert.equal(normalizeDomain(\"not a domain!@#\"), null);\n\t});\n\n\ttest(\"extracts hostname from full URL\", () => {\n\t\tassert.equal(normalizeDomain(\"https://github.com\"), \"github.com\");\n\t\tassert.equal(normalizeDomain(\"https://company.ghe.com\"), \"company.ghe.com\");\n\t\tassert.equal(normalizeDomain(\"http://example.com/path\"), \"example.com\");\n\t});\n\n\ttest(\"returns domain as-is when no protocol\", () => {\n\t\tassert.equal(normalizeDomain(\"github.com\"), \"github.com\");\n\t\tassert.equal(normalizeDomain(\"company.ghe.com\"), \"company.ghe.com\");\n\t});\n\n\ttest(\"trims whitespace\", () => {\n\t\tassert.equal(normalizeDomain(\" github.com \"), \"github.com\");\n\t});\n});\n\ndescribe(\"GitHub Copilot OAuth — getBaseUrlFromToken\", () => {\n\ttest(\"extracts API URL from token with proxy-ep\", () => {\n\t\t// Token format: tid=...;exp=...;proxy-ep=proxy.individual.githubcopilot.com;...\n\t\tconst token = \"tid=123;exp=1234567890;proxy-ep=proxy.individual.githubcopilot.com;other=value\";\n\t\tconst baseUrl = getGitHubCopilotBaseUrl(token);\n\t\tassert.equal(baseUrl, \"https://api.individual.githubcopilot.com\");\n\t});\n\n\ttest(\"extracts API URL from enterprise proxy-ep\", () => {\n\t\tconst token = \"tid=123;exp=1234567890;proxy-ep=proxy.company.ghe.com;other=value\";\n\t\tconst baseUrl = getGitHubCopilotBaseUrl(token);\n\t\tassert.equal(baseUrl, \"https://api.company.ghe.com\");\n\t});\n\n\ttest(\"falls back to default when no token provided\", () => {\n\t\tconst baseUrl = getGitHubCopilotBaseUrl();\n\t\tassert.equal(baseUrl, \"https://api.individual.githubcopilot.com\");\n\t});\n\n\ttest(\"falls back to default when token has no proxy-ep\", () => {\n\t\tconst token = \"tid=123;exp=1234567890;other=value\";\n\t\tconst baseUrl = getGitHubCopilotBaseUrl(token);\n\t\tassert.equal(baseUrl, \"https://api.individual.githubcopilot.com\");\n\t});\n\n\ttest(\"uses enterprise domain when provided\", () => {\n\t\tconst baseUrl = getGitHubCopilotBaseUrl(undefined, \"company.ghe.com\");\n\t\tassert.equal(baseUrl, \"https://copilot-api.company.ghe.com\");\n\t});\n\n\ttest(\"prioritizes token proxy-ep over enterprise domain\", () => {\n\t\tconst token = \"tid=123;exp=1234567890;proxy-ep=proxy.individual.githubcopilot.com;other=value\";\n\t\tconst baseUrl = getGitHubCopilotBaseUrl(token, \"company.ghe.com\");\n\t\tassert.equal(baseUrl, \"https://api.individual.githubcopilot.com\");\n\t});\n});\n\ndescribe(\"GitHub Copilot OAuth — provider structure\", () => {\n\ttest(\"has correct id and name\", () => {\n\t\tassert.equal(githubCopilotOAuthProvider.id, \"github-copilot\");\n\t\tassert.equal(githubCopilotOAuthProvider.name, \"GitHub Copilot\");\n\t});\n\n\ttest(\"has required methods\", () => {\n\t\tassert.equal(typeof githubCopilotOAuthProvider.login, \"function\");\n\t\tassert.equal(typeof githubCopilotOAuthProvider.refreshToken, \"function\");\n\t\tassert.equal(typeof githubCopilotOAuthProvider.getApiKey, \"function\");\n\t});\n\n\ttest(\"getApiKey returns access token\", () => {\n\t\tconst credentials: OAuthCredentials = {\n\t\t\taccess: \"test-access-token\",\n\t\t\trefresh: \"test-refresh-token\",\n\t\t\texpires: Date.now() + 3600000,\n\t\t};\n\t\tconst apiKey = githubCopilotOAuthProvider.getApiKey(credentials);\n\t\tassert.equal(apiKey, \"test-access-token\");\n\t});\n\n\ttest(\"modifyModels preserves non-Copilot models\", () => {\n\t\tif (!githubCopilotOAuthProvider.modifyModels) return;\n\t\tconst models = [createModel({ id: \"gpt-4\", provider: \"openai\" })];\n\t\tconst credentials: OAuthCredentials = {\n\t\t\taccess: \"test-token\",\n\t\t\trefresh: \"test-refresh\",\n\t\t\texpires: Date.now() + 3600000,\n\t\t};\n\t\tconst result = githubCopilotOAuthProvider.modifyModels(models, credentials);\n\t\tassert.deepEqual(result, models);\n\t});\n\n\ttest(\"modifyModels updates Copilot model baseUrl when token has proxy-ep\", () => {\n\t\tif (!githubCopilotOAuthProvider.modifyModels) return;\n\t\tconst models = [\n\t\t\tcreateModel({\n\t\t\t\tid: \"claude-3.5-sonnet\",\n\t\t\t\tprovider: \"github-copilot\",\n\t\t\t\tbaseUrl: \"https://api.default.com\",\n\t\t\t}),\n\t\t];\n\t\tconst credentials: CopilotCredentials = {\n\t\t\taccess: \"tid=123;exp=1234567890;proxy-ep=proxy.individual.githubcopilot.com;\",\n\t\t\trefresh: \"test-refresh\",\n\t\t\texpires: Date.now() + 3600000,\n\t\t};\n\t\tconst result = githubCopilotOAuthProvider.modifyModels(models, credentials);\n\t\tassert.equal(result[0].baseUrl, \"https://api.individual.githubcopilot.com\");\n\t});\n\n\ttest(\"modifyModels applies model limits when available\", () => {\n\t\tif (!githubCopilotOAuthProvider.modifyModels) return;\n\t\tconst models = [\n\t\t\tcreateModel({\n\t\t\t\tid: \"claude-3.5-sonnet\",\n\t\t\t\tprovider: \"github-copilot\",\n\t\t\t\tbaseUrl: \"https://api.default.com\",\n\t\t\t}),\n\t\t];\n\t\tconst credentials: CopilotCredentials = {\n\t\t\taccess: \"test-token\",\n\t\t\trefresh: \"test-refresh\",\n\t\t\texpires: Date.now() + 3600000,\n\t\t\tmodelLimits: {\n\t\t\t\t\"claude-3.5-sonnet\": { contextWindow: 123456, maxTokens: 4096 },\n\t\t\t},\n\t\t};\n\t\tconst result = githubCopilotOAuthProvider.modifyModels(models, credentials);\n\t\tassert.equal(result[0].contextWindow, 123456);\n\t\tassert.equal(result[0].maxTokens, 4096);\n\t});\n});\n\n// ═══════════════════════════════════════════════════════════════════════════\n// Antigravity OAuth Provider Tests\n// ═══════════════════════════════════════════════════════════════════════════\n\ndescribe(\"Antigravity OAuth — provider structure\", () => {\n\ttest(\"has correct id and name\", () => {\n\t\tassert.equal(antigravityOAuthProvider.id, \"google-antigravity\");\n\t\tassert.equal(antigravityOAuthProvider.name, \"Antigravity (Gemini 3, Claude, GPT-OSS)\");\n\t});\n\n\ttest(\"uses callback server\", () => {\n\t\tassert.equal(antigravityOAuthProvider.usesCallbackServer, true);\n\t});\n\n\ttest(\"has required methods\", () => {\n\t\tassert.equal(typeof antigravityOAuthProvider.login, \"function\");\n\t\tassert.equal(typeof antigravityOAuthProvider.refreshToken, \"function\");\n\t\tassert.equal(typeof antigravityOAuthProvider.getApiKey, \"function\");\n\t});\n\n\ttest(\"getApiKey returns JSON with token and projectId\", () => {\n\t\tconst credentials: OAuthCredentials = {\n\t\t\taccess: \"test-access-token\",\n\t\t\trefresh: \"test-refresh-token\",\n\t\t\texpires: Date.now() + 3600000,\n\t\t\tprojectId: \"test-project-123\",\n\t\t\temail: \"test@example.com\",\n\t\t};\n\t\tconst apiKey = antigravityOAuthProvider.getApiKey(credentials);\n\t\tassert.equal(typeof apiKey, \"string\");\n\t\tconst parsed = JSON.parse(apiKey);\n\t\tassert.equal(parsed.token, \"test-access-token\");\n\t\tassert.equal(parsed.projectId, \"test-project-123\");\n\t});\n\n\ttest(\"refreshToken throws when projectId is missing\", async () => {\n\t\tconst credentials: OAuthCredentials = {\n\t\t\taccess: \"test-access-token\",\n\t\t\trefresh: \"test-refresh-token\",\n\t\t\texpires: Date.now() + 3600000,\n\t\t};\n\t\tawait assert.rejects(\n\t\t\tantigravityOAuthProvider.refreshToken(credentials),\n\t\t\t/Antigravity credentials missing projectId/,\n\t\t);\n\t});\n});\n\n// ═══════════════════════════════════════════════════════════════════════════\n// Gemini CLI OAuth Provider Tests\n// ═══════════════════════════════════════════════════════════════════════════\n\ndescribe(\"Gemini CLI OAuth — provider structure\", () => {\n\ttest(\"has correct id and name\", () => {\n\t\tassert.equal(geminiCliOAuthProvider.id, \"google-gemini-cli\");\n\t\tassert.equal(geminiCliOAuthProvider.name, \"Google Cloud Code Assist (Gemini CLI)\");\n\t});\n\n\ttest(\"uses callback server\", () => {\n\t\tassert.equal(geminiCliOAuthProvider.usesCallbackServer, true);\n\t});\n\n\ttest(\"has required methods\", () => {\n\t\tassert.equal(typeof geminiCliOAuthProvider.login, \"function\");\n\t\tassert.equal(typeof geminiCliOAuthProvider.refreshToken, \"function\");\n\t\tassert.equal(typeof geminiCliOAuthProvider.getApiKey, \"function\");\n\t});\n\n\ttest(\"getApiKey returns JSON with token and projectId\", () => {\n\t\tconst credentials: OAuthCredentials = {\n\t\t\taccess: \"test-access-token\",\n\t\t\trefresh: \"test-refresh-token\",\n\t\t\texpires: Date.now() + 3600000,\n\t\t\tprojectId: \"test-project-456\",\n\t\t\temail: \"test@example.com\",\n\t\t};\n\t\tconst apiKey = geminiCliOAuthProvider.getApiKey(credentials);\n\t\tassert.equal(typeof apiKey, \"string\");\n\t\tconst parsed = JSON.parse(apiKey);\n\t\tassert.equal(parsed.token, \"test-access-token\");\n\t\tassert.equal(parsed.projectId, \"test-project-456\");\n\t});\n\n\ttest(\"refreshToken throws when projectId is missing\", async () => {\n\t\tconst credentials: OAuthCredentials = {\n\t\t\taccess: \"test-access-token\",\n\t\t\trefresh: \"test-refresh-token\",\n\t\t\texpires: Date.now() + 3600000,\n\t\t};\n\t\tawait assert.rejects(\n\t\t\tgeminiCliOAuthProvider.refreshToken(credentials),\n\t\t\t/Google Cloud credentials missing projectId/,\n\t\t);\n\t});\n});\n\n// ═══════════════════════════════════════════════════════════════════════════\n// Regression tests for credential de-obfuscation\n//\n// These tests verify that OAuth credentials are stored in plaintext\n// (not base64-encoded) after the refactor in commit 289bb325c.\n// ═══════════════════════════════════════════════════════════════════════════\n\ndescribe(\"OAuth credentials — de-obfuscated regression\", () => {\n\t// Verify we can import the modules without decoding errors\n\ttest(\"GitHub Copilot module imports successfully\", () => {\n\t\t// If the module imports, the CLIENT_ID is valid plaintext\n\t\tassert.ok(githubCopilotOAuthProvider);\n\t});\n\n\ttest(\"Antigravity module imports successfully\", () => {\n\t\tassert.ok(antigravityOAuthProvider);\n\t});\n\n\ttest(\"Gemini CLI module imports successfully\", () => {\n\t\tassert.ok(geminiCliOAuthProvider);\n\t});\n\n\ttest(\"GitHub Copilot CLIENT_ID is plaintext (not base64)\", () => {\n\t\tconst content = readFileSync(join(__dirname, \"github-copilot.ts\"), \"utf-8\");\n\t\t// Should contain plaintext CLIENT_ID\n\t\tassert.ok(content.includes('CLIENT_ID = \"Iv1.b507a08c87ecfe98\"'));\n\t\t// Should NOT contain atob calls for de-obfuscation\n\t\tassert.ok(!content.includes(\"atob(\"));\n\t});\n\n\ttest(\"Antigravity CLIENT_ID and CLIENT_SECRET are plaintext\", () => {\n\t\tconst content = readFileSync(join(__dirname, \"google-antigravity.ts\"), \"utf-8\");\n\t\t// Should contain plaintext credentials\n\t\tassert.ok(\n\t\t\tcontent.includes(\n\t\t\t\t'CLIENT_ID = \"1071006060591-tmhssin2h21lcre235vtolojh4g403ep.apps.googleusercontent.com\"',\n\t\t\t),\n\t\t);\n\t\tassert.ok(\n\t\t\tcontent.includes('CLIENT_SECRET = \"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\"'),\n\t\t);\n\t\t// Should NOT contain atob calls for de-obfuscation\n\t\tassert.ok(!content.includes(\"atob(\"));\n\t});\n\n\ttest(\"Gemini CLI CLIENT_ID and CLIENT_SECRET are plaintext\", () => {\n\t\tconst content = readFileSync(join(__dirname, \"google-gemini-cli.ts\"), \"utf-8\");\n\t\t// Should contain plaintext credentials\n\t\tassert.ok(\n\t\t\tcontent.includes(\n\t\t\t\t'CLIENT_ID = \"681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com\"',\n\t\t\t),\n\t\t);\n\t\tassert.ok(\n\t\t\tcontent.includes('CLIENT_SECRET = \"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\"'),\n\t\t);\n\t\t// Should NOT contain atob calls for de-obfuscation\n\t\tassert.ok(!content.includes(\"atob(\"));\n\t});\n\n\ttest(\"all OAuth files include security explanation comments\", () => {\n\t\tconst files = [\n\t\t\t\"github-copilot.ts\",\n\t\t\t\"google-antigravity.ts\",\n\t\t\t\"google-gemini-cli.ts\",\n\t\t];\n\n\t\tfor (const file of files) {\n\t\t\tconst content = readFileSync(join(__dirname, file), \"utf-8\");\n\t\t\t// Should include explanation of why credentials are public\n\t\t\tassert.ok(\n\t\t\t\tcontent.includes(\"NOTE: This credential is public\") ||\n\t\t\t\t\tcontent.includes(\"NOTE: These credentials are public\"),\n\t\t\t\t`${file} should explain why credentials are public`,\n\t\t\t);\n\t\t\tassert.ok(\n\t\t\t\tcontent.includes(\"obfuscated\") ||\n\t\t\t\t\tcontent.includes(\"security scanners\"),\n\t\t\t\t`${file} should reference the security scanner issue`,\n\t\t\t);\n\t\t}\n\t});\n});\n"]}