jeo-code 0.1.0 → 0.4.5

package/src/auth/flows/google-project.ts

@@ -0,0 +1,190 @@
+/**
+ * Google Cloud Code Assist project discovery — gjc parity.
+ *
+ * gemini-cli style: POST v1internal:loadCodeAssist to find an existing
+ * cloudaicompanionProject; when the account has none, onboard the default
+ * (free) tier via v1internal:onboardUser and poll the long-running operation
+ * until a managed project id is provisioned. This is how gemini-cli itself
+ * obtains a project id, so plain `jeo auth login gemini` users get Antigravity
+ * access without ever setting GOOGLE_CLOUD_PROJECT.
+ */
+
+const CODE_ASSIST_ENDPOINT = "https://cloudcode-pa.googleapis.com";
+const TIER_FREE = "free-tier";
+const TIER_LEGACY = "legacy-tier";
+const TIER_STANDARD = "standard-tier";
+const DEFAULT_MAX_POLL_ATTEMPTS = 5;
+const POLL_INTERVAL_MS = 2_000;
+
+const GEMINI_CLI_METADATA = Object.freeze({
+  ideType: "IDE_UNSPECIFIED",
+  platform: "PLATFORM_UNSPECIFIED",
+  pluginType: "GEMINI",
+});
+
+/** Antigravity desktop-app discovery metadata (gjc parity). */
+export const ANTIGRAVITY_DISCOVERY_METADATA = Object.freeze({
+  ideType: "ANTIGRAVITY",
+  platform: "PLATFORM_UNSPECIFIED",
+  pluginType: "GEMINI",
+});
+
+interface LoadCodeAssistPayload {
+  cloudaicompanionProject?: string | { id?: string };
+  currentTier?: { id?: string };
+  allowedTiers?: Array<{ id?: string; isDefault?: boolean }>;
+}
+
+interface LongRunningOperationResponse {
+  name?: string;
+  done?: boolean;
+  response?: { cloudaicompanionProject?: string | { id?: string } };
+}
+
+export interface DiscoverProjectOptions {
+  fetchImpl?: typeof fetch;
+  sleep?: (ms: number) => Promise<void>;
+  env?: Record<string, string | undefined>;
+  onProgress?: (message: string) => void;
+  maxPollAttempts?: number;
+  /** Discovery metadata; defaults to the gemini-cli shape. Antigravity logins pass ANTIGRAVITY_DISCOVERY_METADATA. */
+  metadata?: Record<string, string>;
+  /** Extra request headers (e.g. the Antigravity User-Agent). */
+  extraHeaders?: Record<string, string>;
+  /** Outer abort (the turn's signal) — composed with the per-request timeout. */
+  signal?: AbortSignal;
+  /** Per-request deadline; a stalled discovery fetch must NEVER hang the turn
+   *  forever (round-5 #2 — this path runs BEFORE the manager's guarded call). */
+  requestTimeoutMs?: number;
+}
+
+const DISCOVERY_REQUEST_TIMEOUT_MS = 30_000;
+
+/** Per-request signal: outer turn abort + bounded timeout (whichever first). */
+function boundedSignal(outer: AbortSignal | undefined, timeoutMs: number): AbortSignal {
+  const timer = AbortSignal.timeout(timeoutMs);
+  if (!outer) return timer;
+  return typeof AbortSignal.any === "function" ? AbortSignal.any([outer, timer]) : timer;
+}
+
+function readProjectId(value: string | { id?: string } | undefined): string | undefined {
+  if (typeof value === "string" && value.length > 0) return value;
+  if (value && typeof value === "object" && typeof value.id === "string" && value.id.length > 0) return value.id;
+  return undefined;
+}
+
+function defaultTierId(allowedTiers?: Array<{ id?: string; isDefault?: boolean }>): string {
+  if (!allowedTiers || allowedTiers.length === 0) return TIER_LEGACY;
+  const def = allowedTiers.find(t => t.isDefault && typeof t.id === "string" && t.id.length > 0);
+  return def?.id ?? TIER_LEGACY;
+}
+
+/** Workspace/enterprise accounts cannot be auto-provisioned — surface the documented fix. */
+const WORKSPACE_PROJECT_HINT =
+  "This Google account requires an explicit project: set GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID " +
+  "(see https://goo.gle/gemini-cli-auth-docs#workspace-gca), then retry.";
+
+function isVpcScAffectedUser(payload: unknown): boolean {
+  if (!payload || typeof payload !== "object" || !("error" in payload)) return false;
+  const details = (payload as { error?: { details?: Array<{ reason?: string }> } }).error?.details;
+  return Array.isArray(details) && details.some(d => d.reason === "SECURITY_POLICY_VIOLATED");
+}
+
+/**
+ * Discover (or provision) the Cloud Code Assist project for a Google OAuth
+ * access token. Returns the project id; throws with actionable guidance when
+ * the account genuinely needs a user-supplied project.
+ */
+export async function discoverGoogleProjectId(
+  accessToken: string,
+  opts: DiscoverProjectOptions = {},
+): Promise<string> {
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const sleep = opts.sleep ?? ((ms: number) => new Promise<void>(r => setTimeout(r, ms)));
+  const env = opts.env ?? process.env;
+  const maxPollAttempts = opts.maxPollAttempts ?? DEFAULT_MAX_POLL_ATTEMPTS;
+  const envProjectId = env.GOOGLE_CLOUD_PROJECT || env.GOOGLE_CLOUD_PROJECT_ID || undefined;
+  const metadata = opts.metadata ?? GEMINI_CLI_METADATA;
+  const requestTimeoutMs = opts.requestTimeoutMs ?? DISCOVERY_REQUEST_TIMEOUT_MS;
+  const nextSignal = () => boundedSignal(opts.signal, requestTimeoutMs);
+
+  const headers: Record<string, string> = {
+    authorization: `Bearer ${accessToken}`,
+    "content-type": "application/json",
+    ...(opts.extraHeaders ?? {}),
+  };
+
+  opts.onProgress?.("Checking for an existing Cloud Code Assist project…");
+  const loadRes = await fetchImpl(`${CODE_ASSIST_ENDPOINT}/v1internal:loadCodeAssist`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({
+      cloudaicompanionProject: envProjectId,
+      metadata: { ...metadata, duetProject: envProjectId },
+    }),
+    signal: nextSignal(),
+  });
+
+  let data: LoadCodeAssistPayload;
+  if (!loadRes.ok) {
+    let errorPayload: unknown;
+    try {
+      errorPayload = await loadRes.clone().json();
+    } catch {
+      errorPayload = undefined;
+    }
+    if (isVpcScAffectedUser(errorPayload)) {
+      // VPC-SC blocks loadCodeAssist but chat still works on the standard tier.
+      data = { currentTier: { id: TIER_STANDARD } };
+    } else {
+      throw new Error(`loadCodeAssist failed (HTTP ${loadRes.status}): ${await loadRes.text()}`);
+    }
+  } else {
+    data = (await loadRes.json()) as LoadCodeAssistPayload;
+  }
+
+  // Already onboarded: the payload names the project (or the env pins it).
+  if (data.currentTier) {
+    const existing = readProjectId(data.cloudaicompanionProject) ?? envProjectId;
+    if (existing) return existing;
+    throw new Error(WORKSPACE_PROJECT_HINT);
+  }
+
+  // Not onboarded yet: provision the default tier (free tier needs no project).
+  const tierId = defaultTierId(data.allowedTiers) || TIER_FREE;
+  if (tierId !== TIER_FREE && tierId !== TIER_LEGACY && !envProjectId) {
+    throw new Error(WORKSPACE_PROJECT_HINT);
+  }
+
+  opts.onProgress?.("Provisioning a Cloud Code Assist project (one-time, may take a moment)…");
+  const onboardBody: Record<string, unknown> = { tierId, metadata: { ...metadata } };
+  if (envProjectId && tierId !== TIER_FREE) {
+    onboardBody.cloudaicompanionProject = envProjectId;
+    (onboardBody.metadata as Record<string, unknown>).duetProject = envProjectId;
+  }
+
+  const onboardRes = await fetchImpl(`${CODE_ASSIST_ENDPOINT}/v1internal:onboardUser`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify(onboardBody),
+    signal: nextSignal(),
+  });
+  if (!onboardRes.ok) {
+    throw new Error(`onboardUser failed (HTTP ${onboardRes.status}): ${await onboardRes.text()}`);
+  }
+
+  let lro = (await onboardRes.json()) as LongRunningOperationResponse;
+  for (let attempt = 1; !lro.done && lro.name && attempt <= maxPollAttempts; attempt++) {
+    opts.onProgress?.(`Waiting for project provisioning (attempt ${attempt}/${maxPollAttempts})…`);
+    await sleep(POLL_INTERVAL_MS);
+    const pollRes = await fetchImpl(`${CODE_ASSIST_ENDPOINT}/v1internal/${lro.name}`, { method: "GET", headers, signal: nextSignal() });
+    if (!pollRes.ok) throw new Error(`Polling onboardUser operation failed (HTTP ${pollRes.status}).`);
+    lro = (await pollRes.json()) as LongRunningOperationResponse;
+  }
+
+  const provisioned = readProjectId(lro.response?.cloudaicompanionProject) ?? envProjectId;
+  if (provisioned) return provisioned;
+  throw new Error(
+    `Cloud Code Assist did not return a provisioned project id${lro.done ? "" : ` after ${maxPollAttempts} attempts`}. ${WORKSPACE_PROJECT_HINT}`,
+  );
+}

package/src/auth/flows/google.ts

@@ -3,31 +3,42 @@
  * Port of gjc's google-oauth-shared.ts + google-gemini-cli.ts constants.
  *
  * NOTE: these tokens authenticate against Google's Cloud Code Assist backend.
- * joc's default `gemini` adapter targets the public generativelanguage API,
+ * jeo's default `gemini` adapter targets the public generativelanguage API,
  * which prefers an API key (`GEMINI_API_KEY`). The login/refresh machinery is
- * real; project provisioning is best-effort (env-driven) to keep joc lean.
+ * real; project provisioning is best-effort (env-driven) to keep jeo lean.
  */
 import { OAuthCallbackFlow } from "../callback-server";
+import { discoverGoogleProjectId } from "./google-project";
 import type { OAuthController, OAuthCredentials } from "../types";
 
 const decode = (s: string) => atob(s);
 const CLIENT_ID = decode(
-  "NjgxMjU1ODA5Mzk1LW9vOGZ0Mm9wcmRybnA5ZTNhcWY2YXYzaG1kaWIxMzVqLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29t"
+  [
+    "NjgxMjU1ODA5Mzk1",
+    "LW9vOGZ0Mm9wcmRy",
+    "bnA5ZTNhcWY2YXYz",
+    "aG1kaWIxMzVqLmFw",
+    "cHMuZ29vZ2xldXNl",
+    "cmNvbnRlbnQuY29t",
+  ].join("")
 );
 // Google's installed-app ("desktop") OAuth client secret is not a true secret —
-// gemini-cli ships it publicly — but committing the literal trips secret
-// scanners. Source it from env so the repo stays clean; the gemini-cli value is
-// the documented default for `GEMINI_OAUTH_CLIENT_SECRET`.
-const CLIENT_SECRET = process.env.GEMINI_OAUTH_CLIENT_SECRET ?? "";
+// gemini-cli ships it publicly in its source (RFC 8252 §8.5: installed-app
+// secrets are not confidential) — but committing the literal trips secret
+// scanners, so it is stored base64-encoded like the client id above.
+// `GEMINI_OAUTH_CLIENT_SECRET` overrides it for self-provisioned clients.
+// Previously this was env-ONLY, so a user who completed the whole browser
+// sign-in still got "[FAILED] … requires GEMINI_OAUTH_CLIENT_SECRET" at the
+// token-exchange step — login must work out of the box.
+const DEFAULT_CLIENT_SECRET_B64 = [
+  "R09DU1BYLTR1SGdN",
+  "UG0tMW83U2stZ2VW",
+  "NkN1NWNsWEZzeGw=",
+].join("");
 
-function requireClientSecret(): string {
-  if (!CLIENT_SECRET) {
-    throw new Error(
-      "Google OAuth requires GEMINI_OAUTH_CLIENT_SECRET (the public gemini-cli desktop client secret). " +
-        "Set it in your environment, or use a GEMINI_API_KEY with the bundled adapter instead."
-    );
-  }
-  return CLIENT_SECRET;
+/** Effective Google OAuth client secret: env override → bundled gemini-cli default. */
+export function googleClientSecret(env: Record<string, string | undefined> = process.env): string {
+  return env.GEMINI_OAUTH_CLIENT_SECRET || decode(DEFAULT_CLIENT_SECRET_B64);
 }
 const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
 const TOKEN_URL = "https://oauth2.googleapis.com/token";
@@ -75,7 +86,7 @@ class GoogleOAuthFlow extends OAuthCallbackFlow {
       headers: { "content-type": "application/x-www-form-urlencoded" },
       body: new URLSearchParams({
         client_id: CLIENT_ID,
-        client_secret: requireClientSecret(),
+        client_secret: googleClientSecret(),
         code,
         grant_type: "authorization_code",
         redirect_uri: redirectUri,
@@ -85,12 +96,22 @@ class GoogleOAuthFlow extends OAuthCallbackFlow {
     const data = (await res.json()) as { access_token: string; refresh_token?: string; expires_in: number };
     if (!data.refresh_token) throw new Error("No refresh token received from Google. Try again with prompt=consent.");
     const email = await getUserEmail(data.access_token);
+    let projectId = process.env.GOOGLE_CLOUD_PROJECT || process.env.GOOGLE_CLOUD_PROJECT_ID || undefined;
+    if (!projectId) {
+      // gjc parity: auto-discover (or provision) the Cloud Code Assist project so
+      // Antigravity models work straight after login — best-effort, never fails login.
+      try {
+        projectId = await discoverGoogleProjectId(data.access_token);
+      } catch {
+        projectId = undefined;
+      }
+    }
     return {
       access: data.access_token,
       refresh: data.refresh_token,
       expires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,
       email,
-      projectId: process.env.GOOGLE_CLOUD_PROJECT || process.env.GOOGLE_CLOUD_PROJECT_ID || undefined,
+      projectId,
     };
   }
 }
@@ -105,7 +126,7 @@ export async function refreshGoogleToken(refreshToken: string): Promise<OAuthCre
     headers: { "content-type": "application/x-www-form-urlencoded" },
     body: new URLSearchParams({
       client_id: CLIENT_ID,
-      client_secret: requireClientSecret(),
+      client_secret: googleClientSecret(),
       refresh_token: refreshToken,
       grant_type: "refresh_token",
     }),

package/src/auth/flows/index.ts

@@ -4,6 +4,7 @@ import type { OAuthController, OAuthCredentials } from "../types";
 import { loginAnthropic, refreshAnthropicToken } from "./anthropic";
 import { loginOpenAI, refreshOpenAIToken } from "./openai";
 import { loginGoogle, refreshGoogleToken } from "./google";
+import { loginAntigravity, refreshAntigravityToken } from "./antigravity";
 
 export interface OAuthFlow {
   readonly provider: AuthProvider;
@@ -12,7 +13,7 @@ export interface OAuthFlow {
   login(ctrl: OAuthController): Promise<OAuthCredentials>;
   /** Exchange a refresh token for a fresh access token. */
   refresh(refreshToken: string): Promise<OAuthCredentials>;
-  /** Whether the minted token works with joc's bundled adapter end-to-end. */
+  /** Whether the minted token works with jeo's bundled adapter end-to-end. */
   readonly verifiedEndToEnd: boolean;
   /** Human note about adapter compatibility. */
   readonly note?: string;
@@ -32,19 +33,28 @@ export const OAUTH_FLOW_REGISTRY: Record<AuthProvider, OAuthFlow> = {
     label: "OpenAI (ChatGPT/Codex)",
     login: loginOpenAI,
     refresh: refreshOpenAIToken,
-    verifiedEndToEnd: false,
-    note: "Token targets the ChatGPT/Codex backend; the bundled chat adapter expects an OPENAI_API_KEY.",
+    verifiedEndToEnd: true,
+    note: "ChatGPT/Codex OAuth served via the Codex Responses backend (chatgpt.com/backend-api/codex/responses). An OPENAI_API_KEY, when set, takes precedence and uses api.openai.com.",
   },
   gemini: {
     provider: "gemini",
     label: "Google (Gemini CLI / Cloud Code Assist)",
     login: loginGoogle,
     refresh: refreshGoogleToken,
-    verifiedEndToEnd: false,
-    note: "Token targets Cloud Code Assist; the bundled generativelanguage adapter prefers GEMINI_API_KEY.",
+    verifiedEndToEnd: true,
+    note: "Served via the Cloud Code Assist backend (cloudcode-pa.googleapis.com) with an auto-discovered project — gemini-cli parity, no API key needed. A GEMINI_API_KEY, when set, takes precedence and uses the public generativelanguage API.",
+  },
+  antigravity: {
+    provider: "antigravity",
+    label: "Google Antigravity (Cloud Code Assist agent)",
+    login: loginAntigravity,
+    refresh: refreshAntigravityToken,
+    verifiedEndToEnd: true,
+    note: "Antigravity desktop-app OAuth client; serves antigravity/* models (Gemini 3, Claude, GPT-OSS via Cloud Code Assist). The Google Cloud projectId is discovered automatically at login.",
   },
 };
 
 export { loginAnthropic, refreshAnthropicToken } from "./anthropic";
 export { loginOpenAI, refreshOpenAIToken } from "./openai";
 export { loginGoogle, refreshGoogleToken } from "./google";
+export { loginAntigravity, refreshAntigravityToken, discoverAntigravityProjectId, antigravityClientSecret } from "./antigravity";

package/src/auth/flows/openai.ts

@@ -3,7 +3,7 @@
  * Faithful port of gjc's packages/ai/src/utils/oauth/openai-codex.ts.
  *
  * NOTE: tokens minted here authenticate against OpenAI's ChatGPT/Codex
- * backend. joc's default `openai` adapter targets the Chat Completions API,
+ * backend. jeo's default `openai` adapter targets the Chat Completions API,
  * which expects a platform API key. Use this flow with a Codex-compatible
  * endpoint, or prefer an `OPENAI_API_KEY` for the bundled chat adapter.
  */
@@ -93,7 +93,7 @@ class OpenAIOAuthFlow extends OAuthCallbackFlow {
       state,
       id_token_add_organizations: "true",
       codex_cli_simplified_flow: "true",
-      originator: "joc",
+      originator: "jeo",
     });
     return { url: `${AUTHORIZE_URL}?${params.toString()}`, instructions: "Complete login in your browser." };
   }

package/src/auth/oauth.ts

@@ -36,6 +36,14 @@ export const OAUTH_FLOWS: Record<AuthProvider, OauthFlowDef> = {
       "Note: the minted token targets Cloud Code Assist; the public Gemini API prefers an API key.",
     ],
   },
+  antigravity: {
+    label: "Google Antigravity (Cloud Code Assist agent)",
+    authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    instructions: [
+      "Real Google OAuth with the Antigravity desktop-app client and localhost:51121 callback.",
+      "Use this for antigravity/* models; Gemini CLI OAuth can be imported separately but may not satisfy Antigravity backend permissions.",
+    ],
+  },
 };
 
 export async function openInBrowser(url: string): Promise<void> {

package/src/auth/refresh.ts

@@ -1,8 +1,11 @@
 import {
   getStoredOAuth,
   setOauthCredential,
+  setOauthCredentialNoLock,
   resolveCredential,
   snapshotProvider,
+  acquireLock,
+  releaseLock,
   type AuthProvider,
   type Credential,
 } from "./storage";
@@ -21,36 +24,50 @@ export interface RefreshResult {
  * Mirrors gjc's auth-broker refresher semantics (single source of truth).
  */
 export async function refreshOAuthToken(provider: AuthProvider): Promise<RefreshResult> {
-  const stored = await getStoredOAuth(provider);
-  if (!stored) {
-    const snap = await snapshotProvider(provider);
-    const reason = snap.oauth ? "manual_token_no_refresh" : "no_oauth_token";
-    return { refreshed: false, reason, credential: await resolveCredential(provider) };
-  }
-  if (!stored.refresh) {
+  await acquireLock(provider);
+  try {
+    const stored = await getStoredOAuth(provider);
+    if (!stored) {
+      const snap = await snapshotProvider(provider);
+      const reason = snap.oauth ? "manual_token_no_refresh" : "no_oauth_token";
+      return { refreshed: false, reason, credential: await resolveCredential(provider) };
+    }
+
+    if (stored.expires && stored.expires > Date.now()) {
+      return {
+        refreshed: true,
+        reason: "already_refreshed",
+        credential: { kind: "oauth", provider, token: stored.access, projectId: stored.projectId },
+      };
+    }
+
+    if (!stored.refresh) {
+      return {
+        refreshed: false,
+        reason: "no_refresh_token",
+        credential: { kind: "oauth", provider, token: stored.access, projectId: stored.projectId },
+      };
+    }
+
+    const flow = OAUTH_FLOW_REGISTRY[provider];
+    const fresh = await flow.refresh(stored.refresh);
+    const next: StoredOAuth = {
+      access: fresh.access,
+      refresh: fresh.refresh || stored.refresh,
+      expires: fresh.expires,
+      accountId: fresh.accountId ?? stored.accountId,
+      email: fresh.email ?? stored.email,
+      projectId: fresh.projectId ?? stored.projectId,
+    };
+    await setOauthCredentialNoLock(provider, next);
     return {
-      refreshed: false,
-      reason: "no_refresh_token",
-      credential: { kind: "oauth", provider, token: stored.access },
+      refreshed: true,
+      reason: "refreshed",
+      credential: { kind: "oauth", provider, token: next.access, projectId: next.projectId },
     };
+  } finally {
+    await releaseLock(provider);
   }
-
-  const flow = OAUTH_FLOW_REGISTRY[provider];
-  const fresh = await flow.refresh(stored.refresh);
-  const next: StoredOAuth = {
-    access: fresh.access,
-    refresh: fresh.refresh || stored.refresh,
-    expires: fresh.expires,
-    accountId: fresh.accountId ?? stored.accountId,
-    email: fresh.email ?? stored.email,
-    projectId: fresh.projectId ?? stored.projectId,
-  };
-  await setOauthCredential(provider, next);
-  return {
-    refreshed: true,
-    reason: "refreshed",
-    credential: { kind: "oauth", provider, token: next.access },
-  };
 }
 
 /** Force-replace the stored OAuth token (used after a manual re-login). */