jeo-code 0.1.0 → 0.4.5

package/src/ai/provider-status.ts

@@ -1,24 +1,25 @@
 /**
  * Provider credential/status inventory — the shared source of truth behind
- * `joc models`, the TUI `/provider` command, and `joc doctor`. Reports, for each
- * provider, how it will authenticate (API key / OAuth / keyless / none), its
- * effective base URL, and whether it is ready to serve a request.
+ * the TUI `/provider` command, `jeo doctor`, and setup probes. Reports, for
+ * each provider, how it will authenticate (API key / OAuth / keyless / none),
+ * its effective base URL, and whether it is ready to serve a request.
  */
-import { readGlobalConfig, type Config } from "../agent/state";
-import { resolveCredential, type AuthProvider } from "../auth";
+import { readGlobalConfig, type Config, type StoredOAuth } from "../agent/state";
+import type { AuthProvider, Credential } from "../auth";
+import { OAUTH_FLOW_REGISTRY } from "../auth/flows";
 import type { ProviderName } from "./types";
 
-export const PROVIDER_NAMES: readonly ProviderName[] = ["anthropic", "openai", "gemini", "ollama"];
+export const PROVIDER_NAMES: readonly ProviderName[] = ["anthropic", "openai", "gemini", "antigravity", "ollama"];
 
 /** Cloud providers that authenticate via API key / OAuth. Ollama is keyless. */
-export const CLOUD_PROVIDERS: readonly AuthProvider[] = ["anthropic", "openai", "gemini"];
+export const CLOUD_PROVIDERS: readonly AuthProvider[] = ["anthropic", "openai", "gemini", "antigravity"];
 
 export type CredentialKind = "api_key" | "oauth" | "keyless" | "none";
 
 export interface ProviderStatus {
   name: ProviderName;
   kind: CredentialKind;
-  /** Display label, e.g. "API key", "OAuth", "keyless (local)", "none (run 'joc setup')". */
+  /** Display label, e.g. "API key", "OAuth", "keyless (local)", "none (run 'jeo setup')". */
   label: string;
   /** Effective base URL when relevant (ollama / openai-compatible). */
   baseUrl?: string;
@@ -30,7 +31,7 @@ export interface ProviderStatus {
 
 /** The uppercase `<PROVIDER>_API_KEY` env var name for a cloud provider. */
 export function providerEnvVar(name: ProviderName): string | undefined {
-  if (name === "ollama") return undefined;
+  if (name === "ollama" || name === "antigravity") return undefined;
   return `${name.toUpperCase()}_API_KEY`;
 }
 
@@ -44,10 +45,32 @@ export function credentialLabel(kind: CredentialKind): string {
     case "keyless":
       return "keyless (local)";
     case "none":
-      return "none (run 'joc setup' or 'joc auth login')";
+      return "none (run 'jeo setup' or 'jeo auth login')";
   }
 }
 
+function oauthAccess(stored: string | StoredOAuth | undefined): string | undefined {
+  if (!stored) return undefined;
+  return typeof stored === "string" ? stored : stored.access;
+}
+
+function configuredCredential(provider: AuthProvider, cfg: Config): Credential {
+  const stored = cfg.oauth?.[provider];
+  const oauth = oauthAccess(stored);
+  if (oauth) return { kind: "oauth", provider, token: oauth, projectId: typeof stored === "object" ? stored.projectId : undefined };
+  const key = cfg.providers?.[provider];
+  if (key) return { kind: "api_key", provider, token: key };
+  return { kind: "none", provider };
+}
+
+/** Match the real call path: API keys are broader and win whenever both key + OAuth exist. */
+function effectiveCredential(provider: AuthProvider, cred: Credential, cfg: Config): Credential {
+  const key = cfg.providers?.[provider];
+  if (cred.kind === "oauth" && key) return { kind: "api_key", provider, token: key };
+  return cred;
+}
+
+
 /** Resolve the status of a single provider. */
 export async function describeProvider(name: ProviderName, config?: Config): Promise<ProviderStatus> {
   const cfg = config ?? (await readGlobalConfig());
@@ -55,15 +78,36 @@ export async function describeProvider(name: ProviderName, config?: Config): Pro
     const baseUrl = cfg.ollamaBaseUrl ?? "http://localhost:11434";
     return { name, kind: "keyless", label: credentialLabel("keyless"), baseUrl, ready: true };
   }
-  const cred = await resolveCredential(name as AuthProvider);
-  const kind: CredentialKind = cred.kind === "api_key" ? "api_key" : cred.kind === "oauth" ? "oauth" : "none";
-  const baseUrl = name === "openai" ? cfg.openaiBaseUrl : undefined;
-  // An OpenAI-compatible local server (LM Studio, vLLM) needs no key.
-  const ready = kind !== "none" || (name === "openai" && !!baseUrl);
+  const ownProvider = name as AuthProvider;
+  const ownCred = configuredCredential(ownProvider, cfg);
+  // Antigravity prefers its own login but accepts a gemini-cli OAuth fallback.
+  const cred = name === "antigravity" && ownCred.kind === "none" ? configuredCredential("gemini", cfg) : ownCred;
+  const credentialProvider: AuthProvider = name === "antigravity" && ownCred.kind === "none" ? "gemini" : ownProvider;
+  const effective = name === "antigravity" ? cred : effectiveCredential(credentialProvider, cred, cfg);
+  const kind: CredentialKind = effective.kind === "api_key" ? "api_key" : effective.kind === "oauth" ? "oauth" : "none";
+  const baseUrl = name === "openai" && kind !== "oauth" ? cfg.openaiBaseUrl : undefined;
+  let ready = kind !== "none" || (name === "openai" && !!cfg.openaiBaseUrl);
+  let label = ready && kind === "none" ? "keyless (local base URL)" : credentialLabel(kind);
+  if (name === "antigravity") {
+    const hasOwnOAuth = ownCred.kind === "oauth";
+    const hasGeminiFallback = !hasOwnOAuth && configuredCredential("gemini", cfg).kind === "oauth";
+    ready = hasOwnOAuth;
+    label = hasOwnOAuth
+      ? "OAuth (Antigravity Cloud Code Assist)"
+      : hasGeminiFallback
+        ? "OAuth catalog via Gemini CLI; calls need 'jeo auth login antigravity'"
+        : "none (run 'jeo auth login antigravity')";
+  } else if (kind === "oauth" && OAUTH_FLOW_REGISTRY[credentialProvider]?.verifiedEndToEnd === false) {
+    ready = false;
+    label = "OAuth (API key needed)";
+  } else if (name === "gemini" && kind === "oauth") {
+    // gemini-cli OAuth is served end-to-end via Cloud Code Assist — no API key.
+    label = "OAuth (Gemini CLI / Cloud Code Assist)";
+  }
   return {
     name,
     kind,
-    label: ready && kind === "none" ? "keyless (local base URL)" : credentialLabel(kind),
+    label,
     baseUrl,
     envVar: providerEnvVar(name),
     ready,

package/src/ai/providers/AGENTS.md

@@ -0,0 +1,42 @@
+<!-- Parent: ../../AGENTS.md -->
+<!-- Generated: 2026-06-11 | Updated: 2026-06-11 -->
+
+# providers
+
+## Purpose
+Concrete implementations for various LLM providers, translating generic requests into provider-specific API calls.
+
+## Key Files
+| File | Description |
+|------|-------------|
+| `anthropic.ts` | Anthropic Claude integration |
+| `openai.ts` | OpenAI (and Codex backend) integration |
+| `gemini.ts` | Google Gemini (and Cloud Code Assist) integration |
+| `antigravity.ts` | Antigravity desktop-app OAuth client integration |
+| `ollama.ts` | Local Ollama integration |
+
+## Subdirectories
+*(None)*
+
+## For AI Agents
+
+### Working In This Directory
+- Each provider must handle its specific tool-calling syntax and streaming chunk format.
+- Ensure strict parsing of SSE (Server-Sent Events) streams.
+
+### Testing Requirements
+- Unit test stream parsing with mock payloads.
+
+### Common Patterns
+- Native fetch calls with `for await` loops over text decoding streams.
+
+## Dependencies
+
+### Internal
+- `src/ai/types.ts` for interfaces.
+- `src/auth/` for retrieving tokens.
+
+### External
+- HTTP `fetch`.
+
+<!-- MANUAL: -->

package/src/ai/providers/anthropic.ts

@@ -1,54 +1,216 @@
+import { createHash, randomBytes, randomUUID } from "node:crypto";
 import type { Credential } from "../../auth";
 import type { CallOptions, Message, ProviderAdapter } from "../types";
 import { readSse } from "../sse";
-import { providerHttpError } from "./errors";
+import { ProviderHttpError, parseRetryAfter, parseRetryFromBody, providerHttpError } from "./errors";
 
 const ANTHROPIC_URL = "https://api.anthropic.com/v1/messages";
 
-function anthropicPayload(messages: Message[], options: CallOptions, stream: boolean): string {
-  const resolvedModel = options.model.startsWith("anthropic/") ? options.model.slice(10) : options.model;
-  const model = resolvedModel.includes("sonnet") ? "claude-3-5-sonnet-20241022" : resolvedModel;
+const DEPRECATED_TEMPERATURE = "`temperature` is deprecated for this model.";
+const CLAUDE_CODE_VERSION = "2.1.63";
+const CLAUDE_CODE_SYSTEM_INSTRUCTION = "You are a Claude agent, built on Anthropic's Claude Agent SDK.";
+const CLAUDE_BILLING_HEADER_PREFIX = "x-anthropic-billing-header:";
+const ANTHROPIC_OAUTH_BETA = [
+  "claude-code-20250219",
+  "oauth-2025-04-20",
+  "interleaved-thinking-2025-05-14",
+  "context-management-2025-06-27",
+  "prompt-caching-scope-2026-01-05",
+].join(",");
+
+interface AnthropicSystemBlock {
+  type: "text";
+  text: string;
+  cache_control?: { type: "ephemeral" };
+}
+
+function stripAnthropicPrefix(model: string): string {
+  return model.startsWith("anthropic/") ? model.slice(10) : model;
+}
+
+function shouldUseClaudeCodeOAuthShape(model: string, credential: Credential): boolean {
+  return credential.kind === "oauth" && !model.startsWith("claude-3-5-haiku");
+}
+
+function createClaudeCloakingUserId(): string {
+  return `user_${randomBytes(32).toString("hex")}_account_${randomUUID().toLowerCase()}_session_${randomUUID().toLowerCase()}`;
+}
+
+function createClaudeBillingHeader(payload: unknown): string {
+  const payloadJson = JSON.stringify(payload) ?? "";
+  const cch = createHash("sha256").update(payloadJson).digest("hex").slice(0, 5);
+  const randomBytes = new Uint8Array(2);
+  crypto.getRandomValues(randomBytes);
+  const buildHash = Array.from(randomBytes, byte => byte.toString(16).padStart(2, "0")).join("").slice(0, 3);
+  return `${CLAUDE_BILLING_HEADER_PREFIX} cc_version=${CLAUDE_CODE_VERSION}.${buildHash}; cc_entrypoint=cli; cch=${cch};`;
+}
+
+function anthropicSystemBlocks(
+  systemPrompt: string | undefined,
+  model: string,
+  credential: Credential,
+  billingPayload: Record<string, unknown>,
+): AnthropicSystemBlock[] | undefined {
+  const blocks: AnthropicSystemBlock[] = [];
+  if (shouldUseClaudeCodeOAuthShape(model, credential)) {
+    const billingSeed = systemPrompt ? { ...billingPayload, system: [systemPrompt] } : billingPayload;
+    blocks.push(
+      { type: "text", text: createClaudeBillingHeader(billingSeed) },
+      { type: "text", text: CLAUDE_CODE_SYSTEM_INSTRUCTION },
+    );
+  }
+  if (systemPrompt) {
+    blocks.push({ type: "text", text: systemPrompt });
+  }
+  if (blocks.length === 0) return undefined;
+
+  // Prompt caching (gjc parity): Anthropic cache breakpoints are cumulative. Put a
+  // single breakpoint on the last system block so Claude Code OAuth prelude + the
+  // real system prompt are cached together without burning multiple slots.
+  blocks[blocks.length - 1] = { ...blocks[blocks.length - 1], cache_control: { type: "ephemeral" } };
+  return blocks;
+}
+
+export function anthropicPayload(
+  messages: Message[],
+  options: CallOptions,
+  stream: boolean,
+  includeTemperature: boolean,
+  credential: Credential = { kind: "none", provider: "anthropic" },
+): string {
+  const model = stripAnthropicPrefix(options.model);
   const systemPrompt = options.systemPrompt ?? messages.find(m => m.role === "system")?.content;
-  const anthropicMessages = messages.filter(m => m.role !== "system").map(m => ({ role: m.role, content: m.content }));
+  // Image attachments (clipboard paste) become Anthropic content blocks; plain
+  // string content is kept for text-only messages (the overwhelmingly common case).
+  type ContentBlock = Record<string, unknown>;
+  const anthropicMessages: { role: string; content: string | ContentBlock[] }[] =
+    messages.filter(m => m.role !== "system").map(m => ({
+      role: m.role,
+      content: m.images?.length
+        ? [
+            ...m.images.map((img): ContentBlock => ({ type: "image", source: { type: "base64", media_type: img.mediaType, data: img.data } })),
+            ...(m.content ? [{ type: "text", text: m.content } as ContentBlock] : []),
+          ]
+        : m.content,
+    }));
+  // Conversation prompt caching (gjc parity — the main same-model latency gap):
+  // one breakpoint on the LAST message caches the entire conversation prefix, so
+  // each agent-loop step only pays input processing for the new tail instead of
+  // re-ingesting the whole growing history. Combined with the system-block
+  // breakpoint this uses 2 of Anthropic's 4 slots. Sub-minimum prompts (<1024
+  // tokens) ignore the marker harmlessly.
+  const last = anthropicMessages[anthropicMessages.length - 1];
+  if (last) {
+    if (typeof last.content === "string") {
+      if (last.content) last.content = [{ type: "text", text: last.content, cache_control: { type: "ephemeral" } }];
+    } else if (last.content.length > 0) {
+      const tail = last.content[last.content.length - 1]!;
+      last.content[last.content.length - 1] = { ...tail, cache_control: { type: "ephemeral" } };
+    }
+  }
   const payload: Record<string, unknown> = {
     model,
     messages: anthropicMessages,
     max_tokens: options.maxTokens ?? 4000,
-    temperature: options.temperature ?? 0.2,
   };
-  if (systemPrompt) payload.system = systemPrompt;
+  if (credential.kind === "oauth") payload.metadata = { user_id: createClaudeCloakingUserId() };
+  if (includeTemperature && options.temperature !== undefined) payload.temperature = options.temperature;
   if (stream) payload.stream = true;
+  const system = anthropicSystemBlocks(systemPrompt, model, credential, payload);
+  if (system) payload.system = system;
   return JSON.stringify(payload);
 }
 
+export function anthropicRequest(
+  messages: Message[],
+  options: CallOptions,
+  credential: Credential,
+  stream: boolean,
+  includeTemperature: boolean,
+): { url: string; headers: Record<string, string>; body: string } {
+  return {
+    url: ANTHROPIC_URL,
+    headers: headersFor(credential, stream),
+    body: anthropicPayload(messages, options, stream, includeTemperature, credential),
+  };
+}
+
+function isDeprecatedTemperatureError(status: number, detail: string): boolean {
+  return status === 400 && detail.includes(DEPRECATED_TEMPERATURE);
+}
+
+async function postAnthropic(
+  messages: Message[],
+  options: CallOptions,
+  credential: Credential,
+  stream: boolean,
+): Promise<Response> {
+  const send = (includeTemperature: boolean) => {
+    const { url, headers, body } = anthropicRequest(messages, options, credential, stream, includeTemperature);
+    return fetch(url, { method: "POST", headers, body, signal: options.signal });
+  };
+
+  let response = await send(true);
+  if (response.ok) return response;
+
+  const detail = await response.text().catch(() => "");
+  if (isDeprecatedTemperatureError(response.status, detail)) {
+    response = await send(false);
+    if (response.ok) return response;
+    throw await providerHttpError("Anthropic", response, stream ? "(stream)" : undefined);
+  }
+
+  throw new ProviderHttpError(
+    "Anthropic",
+    response.status,
+    detail,
+    stream ? "(stream)" : undefined,
+    parseRetryAfter(response.headers.get("retry-after")) ?? parseRetryFromBody(detail),
+  );
+}
+
+/** Anthropic usage: with prompt caching the input splits into uncached + cache read +
+ *  cache creation. Sum them so reported input reflects the TRUE prompt size. */
+interface AnthropicUsage {
+  input_tokens?: number;
+  output_tokens?: number;
+  cache_read_input_tokens?: number;
+  cache_creation_input_tokens?: number;
+}
+export function totalInputTokens(u: AnthropicUsage): number {
+  return (u.input_tokens ?? 0) + (u.cache_read_input_tokens ?? 0) + (u.cache_creation_input_tokens ?? 0);
+}
+
+/** Round-5 #1: HTTP-200-with-no-text must surface its CAUSE (stop_reason) instead
+ *  of returning "" — an empty reply just bounces in the JSON loop, burning billed
+ *  calls until the step budget dies. Mirrors gemini's blockedReason contract. */
+function emptyCompletionError(stopReason: string | undefined): Error {
+  const hint = stopReason === "max_tokens"
+    ? " — output budget exhausted before any text; raise maxTokens or lower the thinking level"
+    : "";
+  return new Error(`Anthropic returned no content${stopReason ? ` (stop_reason=${stopReason})` : ""}${hint}.`);
+}
 export const anthropicAdapter: ProviderAdapter = {
   name: "anthropic",
   async call(messages, options, credential) {
-    const response = await fetch(ANTHROPIC_URL, {
-      method: "POST",
-      headers: headersFor(credential),
-      body: anthropicPayload(messages, options, false),
-      signal: options.signal,
-    });
-    if (!response.ok) throw await providerHttpError("Anthropic", response);
-    const result = (await response.json()) as { content: { type: string; text: string }[]; usage?: { input_tokens?: number; output_tokens?: number } };
-    if (result.usage) options.onUsage?.({ inputTokens: result.usage.input_tokens, outputTokens: result.usage.output_tokens });
-    return result.content.find(c => c.type === "text")?.text ?? "";
+    const response = await postAnthropic(messages, options, credential, false);
+    const result = (await response.json()) as { content: { type: string; text: string }[]; stop_reason?: string; usage?: AnthropicUsage };
+    if (result.usage) options.onUsage?.({ inputTokens: totalInputTokens(result.usage), outputTokens: result.usage.output_tokens });
+    const text = result.content.find(c => c.type === "text")?.text ?? "";
+    if (!text) throw emptyCompletionError(result.stop_reason);
+    return text;
   },
   async *stream(messages, options, credential) {
-    const response = await fetch(ANTHROPIC_URL, {
-      method: "POST",
-      headers: headersFor(credential),
-      body: anthropicPayload(messages, options, true),
-      signal: options.signal,
-    });
-    if (!response.ok) throw await providerHttpError("Anthropic", response, "(stream)");
+    const response = await postAnthropic(messages, options, credential, true);
     if (!response.body) return;
+    let cachedInput: number | undefined;
+    let yieldedAny = false;
+    let stopReason: string | undefined;
     for await (const data of readSse(response.body)) {
       let evt: {
         type?: string;
-        delta?: { type?: string; text?: string };
-        message?: { usage?: { input_tokens?: number; output_tokens?: number } };
+        delta?: { type?: string; text?: string; stop_reason?: string };
+        message?: { usage?: AnthropicUsage };
         usage?: { output_tokens?: number };
       };
       try {
@@ -57,27 +219,84 @@ export const anthropicAdapter: ProviderAdapter = {
         continue;
       }
       if (evt.type === "content_block_delta" && evt.delta?.type === "text_delta" && evt.delta.text) {
+        yieldedAny = true;
         yield evt.delta.text;
       } else if (evt.type === "message_start" && evt.message?.usage) {
-        options.onUsage?.({ inputTokens: evt.message.usage.input_tokens, outputTokens: evt.message.usage.output_tokens });
-      } else if (evt.type === "message_delta" && evt.usage) {
-        options.onUsage?.({ outputTokens: evt.usage.output_tokens });
+        // Cache only — usage is reported ONCE at message_delta so an accumulating
+        // sink can't double-count input (and a pre-first-chunk retry that replays
+        // message_start is harmless).
+        cachedInput = totalInputTokens(evt.message.usage);
+      } else if (evt.type === "message_delta") {
+        if (evt.delta?.stop_reason) stopReason = evt.delta.stop_reason;
+        if (evt.usage) options.onUsage?.({ inputTokens: cachedInput, outputTokens: evt.usage.output_tokens });
       }
     }
+    if (!yieldedAny) throw emptyCompletionError(stopReason);
   },
 };
+function mapStainlessOs(platform: string): "MacOS" | "Windows" | "Linux" | "FreeBSD" | `Other::${string}` {
+  switch (platform.toLowerCase()) {
+    case "darwin":
+      return "MacOS";
+    case "windows":
+    case "win32":
+      return "Windows";
+    case "linux":
+      return "Linux";
+    case "freebsd":
+      return "FreeBSD";
+    default:
+      return `Other::${platform.toLowerCase()}`;
+  }
+}
+
+function mapStainlessArch(arch: string): "x64" | "arm64" | "x86" | `other::${string}` {
+  switch (arch.toLowerCase()) {
+    case "amd64":
+    case "x64":
+      return "x64";
+    case "arm64":
+    case "aarch64":
+      return "arm64";
+    case "386":
+    case "x86":
+    case "ia32":
+      return "x86";
+    default:
+      return `other::${arch.toLowerCase()}`;
+  }
+}
+
+function claudeCodeOAuthHeaders(stream: boolean): Record<string, string> {
+  return {
+    accept: stream ? "text/event-stream" : "application/json",
+    "anthropic-beta": ANTHROPIC_OAUTH_BETA,
+    "anthropic-dangerous-direct-browser-access": "true",
+    "user-agent": `claude-cli/${CLAUDE_CODE_VERSION} (external, cli)`,
+    "x-app": "cli",
+    "x-stainless-arch": mapStainlessArch(process.arch),
+    "x-stainless-lang": "js",
+    "x-stainless-os": mapStainlessOs(process.platform),
+    "x-stainless-package-version": "0.74.0",
+    "x-stainless-retry-count": "0",
+    "x-stainless-runtime": "node",
+    "x-stainless-runtime-version": "v24.3.0",
+    "x-stainless-timeout": "600",
+  };
+}
 
-function headersFor(credential: Credential): Record<string, string> {
+function headersFor(credential: Credential, stream: boolean): Record<string, string> {
   if (credential.kind === "oauth") {
     return {
       "content-type": "application/json",
       authorization: `Bearer ${credential.token}`,
       "anthropic-version": "2023-06-01",
-      "anthropic-beta": "oauth-2025-04-20",
+      ...claudeCodeOAuthHeaders(stream),
     };
   }
   if (credential.kind === "api_key") {
     return {
+      accept: stream ? "text/event-stream" : "application/json",
       "content-type": "application/json",
       "x-api-key": credential.token,
       "anthropic-version": "2023-06-01",