llm-cli-gateway 2.4.0 → 2.6.0

package/CHANGELOG.md

@@ -4,6 +4,51 @@ All notable changes to the llm-cli-gateway project.
 
 ## Unreleased
 
+## [2.6.0] - 2026-06-12: Gemini provider on Google Antigravity CLI
+
+### Changed
+
+- **Gemini provider now runs through Google Antigravity CLI (`agy`)** instead of
+  the Google Gemini CLI. `gemini_request` / `gemini_request_async` spawn `agy`;
+  install via `curl -fsSL https://antigravity.google/cli/install.sh | bash`;
+  upgrade via `agy update` (explicit version targets unsupported); session resume
+  via `--conversation <id>` (`sessionId`) or `--continue` (`resumeLatest`). Models
+  pass to `agy --model` (e.g. `gemini-3-pro-preview`, `gemini-2.5-flash`, `pro`,
+  `flash`, `latest`).
+- `gemini_request` parameter surface tightened to Antigravity's capabilities:
+  `approvalMode` accepts only `default` and `yolo` (`auto_edit`/`plan` are
+  rejected); `allowedTools`, `mcpServers`, non-`text` `outputFormat`,
+  `policyFiles`, `adminPolicyFiles`, `attachments`, and `skipTrust` are rejected
+  with an explanatory error (retained in the schema for caller parity).
+  `includeDirs` (`--add-dir`) and `sandbox` (`--sandbox`) remain supported.
+- Customer-facing documentation (README, the llm-cli-gateway.dev site, install
+  guide, dev.to tutorial) and the MCP server instructions string updated to match
+  the Antigravity-backed behavior. Verified by a four-reviewer cross-LLM evidence
+  gate (Codex/Gemini/Grok/Mistral); see
+  `docs/reviews/2026-06-12-customer-docs-antigravity.*`.
+
+### Added
+
+- Reply text is mirrored into MCP `structuredContent.response` on provider tool
+  responses (Issue #1), alongside the unchanged `content[0].text`.
+- Contract-driven code generation for the Grok provider's argv and tool schema
+  (`src/provider-codegen.ts`), proven byte-identical to the prior hand-written
+  surface by golden/parity tests.
+- Async-job stall telemetry (Issue #21).
+
+### Upstream provider maintenance
+
+- Grok Build v0.2.38: local binary upgraded from 0.2.33; full `--probe-installed` contract + subcommand drift scan executed (live source fetch performed in the run that produced the referenced report). 40 top-level flags + 23 subcommand paths all clean (`extraVsContract: []`, `missingFromBinary: []` across the board per the snapshot). Refreshed `docs/upstream/snapshots/grok.json` (new help surface hash capturing 0.2.38 agent subcommand surface) and `docs/upstream/reports/2026-06-09-grok.md`. `UPSTREAM_CLI_CONTRACTS.grok` now has 18 conformance fixtures (added `grok-0.2.38-agent-surface` as a dated top-level example); no flag, enum, arity, permission-mode, sandbox, output-format, or resume-behaviour changes to encode in the primary contract. `npm run upstream:contracts` and targeted grok/upstream tests pass. (Cross-LLM reviews from Claude and Codex independently reproduced the diff, commands, and fixture behaviour via their own tool inspections of the sources.)
+
+## [2.5.0] - 2026-06-08: Remote connector OAuth and workspaces
+
+- Added remote connector OAuth discovery and authorization-code support with
+  hash-only static client/shared-secret configuration, copy-once local secret
+  commands, and OAuth-first ChatGPT setup guidance.
+- Added workspace registry and workspace creation surfaces so provider requests
+  can select registered repo aliases and create local folders/Git repos only
+  under configured allowed roots.
+
 ## [2.4.0] - 2026-06-08: Direct Grok API provider and provider-owned sessions
 
 ### Added

package/README.md

@@ -44,6 +44,8 @@ Or use directly with `npx` from an MCP client:
 - Supports cache-aware `promptParts`, including explicit Claude `cache_control` when opted in.
 - Can run requests inside gateway-managed git worktrees for isolated multi-agent review and implementation loops.
 - Ships personal-appliance setup surfaces: HTTP transport with bearer-token auth, `doctor --json`, setup UI artifacts, provider setup snippets, Docker fallback, and checked release bundles.
+- Remote web connectors use MCP OAuth discovery and authorization-code setup with static client or shared-secret gates. Client secrets are generated locally, stored only as hashes, and printed only by explicit copy-once commands.
+- Provider CLI requests can select registered workspaces by alias via `workspace`; remote requests should use aliases, not arbitrary filesystem paths. New local folder/Git workspaces can be created only under configured allowed roots.
 
 ## Workflow Assets
 
@@ -233,11 +235,13 @@ npm install -g @openai/codex
 codex login
 ```
 
-### Gemini CLI
+### Gemini (Google Antigravity CLI)
+
+The Gemini provider runs through Google Antigravity CLI (`agy`).
 
 ```bash
-npm install -g @google/gemini-cli
-# Or: https://github.com/google-gemini/gemini-cli
+curl -fsSL https://antigravity.google/cli/install.sh | bash
+# Docs: https://antigravity.google/docs/cli-overview
 ```
 
 ### Grok Build CLI (xAI)
@@ -475,7 +479,7 @@ Fork an existing Codex session into a new branch (`codex fork <SESSION_ID|--last
 
 ##### `gemini_request`
 
-Execute a Gemini CLI request with session support.
+Execute a Google Antigravity CLI (`agy`) request with session support.
 
 **Parameters:**
 
@@ -484,18 +488,14 @@ Execute a Gemini CLI request with session support.
 - `sessionId` (string, optional): Session ID to resume
 - `resumeLatest` (boolean, optional): Resume the latest session automatically
 - `createNewSession` (boolean, optional): Always create a new session
-- `approvalMode` (string, optional): Gemini approval mode (`default|auto_edit|yolo|plan`) in legacy mode
+- `approvalMode` (string, optional): Antigravity approval mode in legacy mode. Only `default` (prompted execution) and `yolo` (emits `--dangerously-skip-permissions`) are accepted; `auto_edit` and `plan` are rejected with an error.
 - `approvalStrategy` (string, optional): `"legacy"` (default) or `"mcp_managed"`
 - `approvalPolicy` (string, optional): `"strict"`, `"balanced"`, or `"permissive"`
-- `mcpServers` (string[], optional): Allowed Gemini MCP server names
-- `allowedTools` (string[], optional): Restrict Gemini tools to this allow-list
-- `includeDirs` (string[], optional): Additional workspace directories for Gemini
-- `outputFormat` (string, optional): `text` (default), `json` (`-o json`), or `stream-json` (`-o stream-json`, NDJSON with usage extraction)
-- `sandbox` (boolean, optional): Run Gemini in sandbox mode (`-s`)
-- `policyFiles` / `adminPolicyFiles` (string[], optional): Policy / admin-policy file paths (one `--policy`/`--admin-policy` per file; paths must exist)
-- `attachments` (string[], optional): Absolute file paths prepended as `@<path>` tokens to the prompt
-- `skipTrust` (boolean, optional): Emit `--skip-trust` to trust the workspace for this session (required for headless runs in fresh workspaces)
-- `yolo` (boolean, optional): Auto-approve all; equivalent to `approvalMode: "yolo"`. Emits `--yolo` only when `--approval-mode yolo` is not already being emitted (never both)
+- `includeDirs` (string[], optional): Additional workspace directories (passed as `--add-dir`)
+- `sandbox` (boolean, optional): Run Antigravity in sandbox mode (`--sandbox`)
+- `outputFormat` (string, optional): `text` only. Antigravity print mode emits text; `json` and `stream-json` are rejected.
+- `mcpServers`, `allowedTools`, `policyFiles`, `adminPolicyFiles`, `attachments` (string[], optional) and `skipTrust` (boolean, optional): **Unsupported by Antigravity CLI** — non-empty values (or `skipTrust: true`) are rejected with an explanatory error. Retained in the schema for caller parity.
+- `yolo` (boolean, optional): Auto-approve all; equivalent to `approvalMode: "yolo"`. Emits `--dangerously-skip-permissions`
 - `worktree` (boolean|object, optional): Run inside a gateway-owned git worktree (slice λ)
 - `promptParts` (object, optional): Cache-aware structured prompt `{ system?, tools?, context?, task }`; mutually exclusive with `prompt`
 - `optimizePrompt` (boolean, optional): Optimize prompt for token efficiency, default: false
@@ -1044,7 +1044,7 @@ Plan or run an upgrade for one CLI.
 - Claude explicit target: `claude install <target>`
 - Codex latest: `codex update`
 - Codex explicit target: `npm install -g @openai/codex@<target>`
-- Gemini: `npm install -g @google/gemini-cli@<target>`
+- Gemini latest: `agy update` (Antigravity self-update; explicit version targets are unsupported)
 - Grok latest: `grok update`
 - Grok explicit target: `grok update --version <target>`
 - Mistral (Vibe): dispatches to the detected installer (`pip`/`uv`/`brew`); errors with guidance when none is detected (Vibe ships no self-update command)
@@ -1234,7 +1234,7 @@ Make sure the CLIs are installed and in your PATH:
 ```bash
 which claude
 which codex
-which gemini
+which agy
 ```
 
 The gateway extends PATH to include common locations:
@@ -1251,7 +1251,7 @@ If you encounter permission errors, ensure the CLI tools have proper permissions
 ```bash
 chmod +x $(which claude)
 chmod +x $(which codex)
-chmod +x $(which gemini)
+chmod +x $(which agy)
 ```
 
 ### Session Storage Issues
@@ -1304,7 +1304,7 @@ If you're vetting `llm-cli-gateway` through [Socket](https://socket.dev/npm/pack
 | Alert                            | Where                                                                                                                                                                                            | Why it's bounded                                                                                                                                                                                                                                                                                                                                             |
 | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | **Network access**               | `src/http-transport.ts` opens an HTTP MCP transport when started via `npm run start:http`. `src/endpoint-exposure.ts` issues a HEAD probe to verify configured public/tunnel URLs. Socket also flagged `dist/upstream-contracts.js` in v1.17.2 from descriptive text, not a network call. | The transport binds to `127.0.0.1` by default and requires `LLM_GATEWAY_AUTH_TOKEN` to be set. The default stdio MCP entry point (`npm start`) opens no sockets. `src/upstream-contracts.ts` stores provider CLI metadata and imports no HTTP client APIs.                                                                                                  |
-| **Shell access**                 | `src/executor.ts` uses `child_process.spawn(cmd, args, …)` to invoke the underlying LLM CLIs.                                                                                                    | `spawn` is called with an argument array and **never** `shell: true`, so there is no shell interpolation path for caller input. The command name is restricted to an allow-list of known CLI binaries (`claude`, `codex`, `gemini`, `grok`, `vibe`).                                                                                                         |
+| **Shell access**                 | `src/executor.ts` uses `child_process.spawn(cmd, args, …)` to invoke the underlying LLM CLIs.                                                                                                    | `spawn` is called with an argument array and **never** `shell: true`, so there is no shell interpolation path for caller input. The command name is restricted to an allow-list of known CLI binaries (`claude`, `codex`, `agy`, `grok`, `vibe`).                                                                                                         |
 | **Uses eval**                    | None in our source. Transitive: `@modelcontextprotocol/sdk` → `ajv@8` uses `new Function(...)` in `ajv/dist/compile/index.js` to compile JSON Schema validators.                                 | This is ajv's standard codegen path. Only known schemas (defined in our source and the MCP SDK) flow into it; no caller-supplied data ever reaches the compiled function body.                                                                                                                                                                               |
 | **SQLite adapter isolation**     | Persistence uses Node's built-in `node:sqlite` module (no native binding, no install scripts) through a single adapter, `src/sqlite-driver.ts`.                                                  | `node:sqlite` is touched by exactly one production module (the adapter); every other module talks to SQLite through its typed surface. We never call any `db.pragma()` helper (it does not exist on `node:sqlite`); SQLite setup uses fixed literal `db.exec("PRAGMA ...")` statements. `npm run security:audit` fails the release if production code references `node:sqlite` outside the adapter or reintroduces a `.pragma()` call.                                                            |
 | **Dependency ownership**         | A handful of small transitive packages (e.g. `media-typer` via `@modelcontextprotocol/sdk`) trip Socket's "unstable ownership" or "obfuscated code" heuristics.                                  | These are pinned, well-known micro-deps in the Node ecosystem with no known issues. We pin direct override versions of `content-type` and `type-is` in `package.json#overrides`. As of 2.0.0 the prod graph carries no native module (`better-sqlite3` moved to devDependencies; `node:sqlite` is built into Node), eliminating the entire `prebuild-install`/`tar-fs`/`tar-stream` install-time chain. Our earlier direct dependency on `toml@3.0.0` was replaced with `smol-toml`.        |

package/dist/async-job-manager.d.ts

@@ -61,10 +61,12 @@ export declare class AsyncJobManager {
     private onJobComplete?;
     private jobs;
     private evictionTimer;
+    private stallTimer;
     private processMonitor;
     private store;
     private flightRecorder;
     constructor(logger?: Logger, onJobComplete?: ((cli: LlmCli, durationMs: number, success: boolean) => void) | undefined, store?: JobStore | null, flightRecorder?: FlightRecorderLike);
+    checkStalledJobs(now?: number): void;
     hasStore(): boolean;
     private emitMetrics;
     private evictCompletedJobs;

package/dist/async-job-manager.js

@@ -1,6 +1,6 @@
 import { randomUUID } from "crypto";
-import { envWithExtendedPath, getExtendedPath, killProcessGroup, spawnCliProcess, unregisterProcessGroup, } from "./executor.js";
-import { noopLogger } from "./logger.js";
+import { envWithExtendedPath, getExtendedPath, killProcessGroup, providerCommandName, spawnCliProcess, unregisterProcessGroup, } from "./executor.js";
+import { noopLogger, logWarn } from "./logger.js";
 import { ProcessMonitor } from "./process-monitor.js";
 import { computeRequestKey } from "./job-store.js";
 import { NoopFlightRecorder } from "./flight-recorder.js";
@@ -8,6 +8,8 @@ const MAX_OUTPUT_SIZE = 50 * 1024 * 1024;
 const JOB_TTL_MS = 60 * 60 * 1000;
 const EVICTION_INTERVAL_MS = 5 * 60 * 1000;
 const OUTPUT_FLUSH_INTERVAL_MS = 1000;
+const STALL_CHECK_INTERVAL_MS = 60 * 1000;
+const STALL_WARNING_MARKS_MS = [5, 10, 15].map(min => min * 60 * 1000);
 function describeProcessLaunchError(cli, error) {
     const code = error.code;
     if (code === "ENOENT") {
@@ -55,6 +57,7 @@ export class AsyncJobManager {
     onJobComplete;
     jobs = new Map();
     evictionTimer = null;
+    stallTimer = null;
     processMonitor;
     store;
     flightRecorder;
@@ -97,6 +100,43 @@ export class AsyncJobManager {
         if (this.evictionTimer.unref) {
             this.evictionTimer.unref();
         }
+        this.stallTimer = setInterval(() => this.checkStalledJobs(), STALL_CHECK_INTERVAL_MS);
+        if (this.stallTimer.unref) {
+            this.stallTimer.unref();
+        }
+    }
+    checkStalledJobs(now = Date.now()) {
+        for (const job of this.jobs.values()) {
+            if (job.status !== "running")
+                continue;
+            if (Buffer.byteLength(job.stdout) > 0) {
+                job.stallWarnIndex = STALL_WARNING_MARKS_MS.length;
+                continue;
+            }
+            const idx = job.stallWarnIndex ?? 0;
+            if (idx >= STALL_WARNING_MARKS_MS.length)
+                continue;
+            const elapsedMs = now - new Date(job.startedAt).getTime();
+            if (elapsedMs < STALL_WARNING_MARKS_MS[idx])
+                continue;
+            let newIdx = idx;
+            while (newIdx < STALL_WARNING_MARKS_MS.length &&
+                elapsedMs >= STALL_WARNING_MARKS_MS[newIdx]) {
+                newIdx++;
+            }
+            job.stallWarnIndex = newIdx;
+            const crossedMarkMin = Math.round(STALL_WARNING_MARKS_MS[newIdx - 1] / 60000);
+            logWarn(this.logger, `Async job ${job.id} (${job.cli}) has produced no stdout after ~${crossedMarkMin}min — possible silent stall (issue #21)`, {
+                jobId: job.id,
+                cli: job.cli,
+                correlationId: job.correlationId,
+                elapsedMs,
+                stdoutBytes: 0,
+                stderrBytes: Buffer.byteLength(job.stderr),
+                model: job.flightRecorderEntry?.model,
+                promptLength: job.flightRecorderEntry?.prompt?.length,
+            });
+        }
     }
     hasStore() {
         return this.store !== null;
@@ -399,7 +439,7 @@ export class AsyncJobManager {
         }
         const id = randomUUID();
         const startedAt = new Date().toISOString();
-        const command = cli === "mistral" ? "vibe" : cli;
+        const command = providerCommandName(cli);
         const baseEnv = envWithExtendedPath(process.env, getExtendedPath());
         const child = spawnCliProcess(command, args, {
             cwd,

package/dist/auth.d.ts

@@ -8,8 +8,51 @@ export interface AuthResult {
     ok: boolean;
     status?: number;
     message?: string;
+    kind?: "disabled" | "gateway_bearer" | "oauth";
+    scopes?: string[];
+    clientId?: string;
 }
+export type OAuthRegistrationPolicy = "static_clients" | "shared_secret" | "open_dev";
+export interface RemoteOAuthClientConfig {
+    clientId: string;
+    clientSecretHash: string | null;
+    allowedRedirectUris: string[];
+    scopes: string[];
+}
+export interface RemoteOAuthSharedSecretConfig {
+    enabled: boolean;
+    secretHash: string | null;
+    promptLabel: string;
+}
+export interface RemoteOAuthConfig {
+    enabled: boolean;
+    issuer: string | "auto";
+    requirePkce: boolean;
+    allowPlainPkce: boolean;
+    registrationPolicy: OAuthRegistrationPolicy;
+    allowPublicClients: boolean;
+    tokenTtlSeconds: number;
+    clients: RemoteOAuthClientConfig[];
+    sharedSecret: RemoteOAuthSharedSecretConfig | null;
+    sources: {
+        configFile: string | null;
+        envOverrides: string[];
+    };
+}
+export declare function timingSafeStringEqual(left: string, right: string): boolean;
 export declare function loadAuthConfig(env?: NodeJS.ProcessEnv): AuthConfig;
 export declare function getRequiredBearerToken(env?: NodeJS.ProcessEnv): string | null;
+export declare function issueOAuthAccessToken(args: {
+    clientId: string;
+    scopes: string[];
+    ttlSeconds: number;
+    now?: number;
+}): {
+    accessToken: string;
+    expiresIn: number;
+    scope: string;
+};
 export declare function authorizeBearerRequest(req: IncomingMessage, token?: string | null): AuthResult;
-export declare function writeAuthFailure(res: ServerResponse, result: AuthResult): void;
+export declare function writeAuthFailure(res: ServerResponse, result: AuthResult, options?: {
+    resourceMetadataUrl?: string;
+}): void;

package/dist/auth.js

@@ -1,4 +1,15 @@
+import { randomBytes, timingSafeEqual } from "node:crypto";
 const AUTH_SCHEME = "Bearer ";
+const OAUTH_ACCESS_TOKEN_BYTES = 32;
+const oauthAccessTokens = new Map();
+export function timingSafeStringEqual(left, right) {
+    const leftBuffer = Buffer.from(left, "utf8");
+    const rightBuffer = Buffer.from(right, "utf8");
+    if (leftBuffer.length !== rightBuffer.length) {
+        return false;
+    }
+    return timingSafeEqual(leftBuffer, rightBuffer);
+}
 export function loadAuthConfig(env = process.env) {
     const token = env.LLM_GATEWAY_AUTH_TOKEN;
     const disabled = env.LLM_GATEWAY_AUTH_DISABLED === "1";
@@ -14,16 +25,32 @@ export function getRequiredBearerToken(env = process.env) {
         return null;
     return env.LLM_GATEWAY_AUTH_TOKEN || null;
 }
+export function issueOAuthAccessToken(args) {
+    const now = args.now ?? Date.now();
+    const ttlSeconds = Math.max(1, Math.floor(args.ttlSeconds));
+    const scopes = [...new Set(args.scopes.length ? args.scopes : ["mcp"])];
+    const accessToken = `oauth_${randomBytes(OAUTH_ACCESS_TOKEN_BYTES).toString("base64url")}`;
+    oauthAccessTokens.set(accessToken, {
+        clientId: args.clientId,
+        scopes,
+        issuedAt: now,
+        expiresAt: now + ttlSeconds * 1000,
+    });
+    return { accessToken, expiresIn: ttlSeconds, scope: scopes.join(" ") };
+}
+function validateOAuthAccessToken(token, now = Date.now()) {
+    const entry = oauthAccessTokens.get(token);
+    if (!entry)
+        return null;
+    if (entry.expiresAt <= now) {
+        oauthAccessTokens.delete(token);
+        return null;
+    }
+    return entry;
+}
 export function authorizeBearerRequest(req, token = getRequiredBearerToken()) {
     if (!loadAuthConfig().required) {
-        return { ok: true };
-    }
-    if (!token) {
-        return {
-            ok: false,
-            status: 503,
-            message: "HTTP transport requires LLM_GATEWAY_AUTH_TOKEN",
-        };
+        return { ok: true, kind: "disabled", scopes: [] };
     }
     const header = req.headers.authorization;
     const value = Array.isArray(header) ? header[0] : header;
@@ -31,16 +58,36 @@ export function authorizeBearerRequest(req, token = getRequiredBearerToken()) {
         return { ok: false, status: 401, message: "Unauthorized" };
     }
     const supplied = value.slice(AUTH_SCHEME.length);
-    if (supplied !== token) {
-        return { ok: false, status: 401, message: "Unauthorized" };
+    if (token && timingSafeStringEqual(supplied, token)) {
+        return { ok: true, kind: "gateway_bearer", scopes: [] };
     }
-    return { ok: true };
+    const oauthToken = validateOAuthAccessToken(supplied);
+    if (oauthToken) {
+        return {
+            ok: true,
+            kind: "oauth",
+            scopes: oauthToken.scopes,
+            clientId: oauthToken.clientId,
+        };
+    }
+    if (!token) {
+        return {
+            ok: false,
+            status: 503,
+            message: "HTTP transport requires LLM_GATEWAY_AUTH_TOKEN",
+        };
+    }
+    return { ok: false, status: 401, message: "Unauthorized" };
 }
-export function writeAuthFailure(res, result) {
+export function writeAuthFailure(res, result, options = {}) {
     const status = result.status ?? 401;
+    let wwwAuthenticate = 'Bearer realm="llm-cli-gateway"';
+    if (options.resourceMetadataUrl) {
+        wwwAuthenticate += `, resource_metadata="${options.resourceMetadataUrl}"`;
+    }
     res.writeHead(status, {
         "content-type": "application/json",
-        "www-authenticate": 'Bearer realm="llm-cli-gateway"',
+        "www-authenticate": wwwAuthenticate,
     });
     res.end(JSON.stringify({ error: result.message || "Unauthorized" }));
 }

package/dist/cli-updater.js

@@ -1,5 +1,5 @@
 import { spawnSync } from "node:child_process";
-import { executeCli } from "./executor.js";
+import { executeCli, providerCommandName } from "./executor.js";
 import { getProviderRuntimeStatus } from "./provider-status.js";
 const MISTRAL_VIBE_PACKAGE = "mistral-vibe";
 const LEGACY_VIBE_PACKAGE = "vibe-cli";
@@ -35,10 +35,7 @@ const VERSION_ARGS = {
     grok: ["--version"],
     mistral: ["--version"],
 };
-const NPM_PACKAGES = {
-    codex: "@openai/codex",
-    gemini: "@google/gemini-cli",
-};
+const CODEX_NPM_PACKAGE = "@openai/codex";
 export function buildCliUpgradePlan(cli, target = "latest", detectMistral = detectMistralInstallMethod) {
     const normalizedTarget = normalizeTarget(target);
     if (cli === "mistral") {
@@ -96,17 +93,28 @@ export function buildCliUpgradePlan(cli, target = "latest", detectMistral = dete
             requiresNetwork: true,
         };
     }
-    const packageName = cli === "codex" ? NPM_PACKAGES.codex : NPM_PACKAGES.gemini;
+    if (cli === "gemini") {
+        if (normalizedTarget !== "latest") {
+            throw new Error("Antigravity CLI upgrades support only the 'latest' target via 'agy update'.");
+        }
+        return {
+            cli,
+            target: normalizedTarget,
+            command: "agy",
+            args: ["update"],
+            strategy: "self-update",
+            requiresNetwork: true,
+            note: "Gemini provider requests now run through Google Antigravity CLI (`agy`).",
+        };
+    }
     return {
         cli,
         target: normalizedTarget,
         command: "npm",
-        args: ["install", "-g", `${packageName}@${normalizedTarget}`],
+        args: ["install", "-g", `${CODEX_NPM_PACKAGE}@${normalizedTarget}`],
         strategy: "npm-global-install",
         requiresNetwork: true,
-        note: cli === "codex"
-            ? "Explicit Codex targets use the documented npm package path; latest can use 'codex update'."
-            : "Gemini CLI does not expose a self-update command in the gateway-supported CLI surface, so upgrades use npm.",
+        note: "Explicit Codex targets use the documented npm package path; latest can use 'codex update'.",
     };
 }
 export async function getCliVersion(cli) {
@@ -115,7 +123,7 @@ export async function getCliVersion(cli) {
         const status = getProviderRuntimeStatus(cli);
         return {
             cli,
-            command: cli,
+            command: status.command,
             args,
             installed: status.installed,
             version: status.version || undefined,
@@ -191,10 +199,11 @@ function buildMistralUpgradePlan(normalizedTarget, detectMistral) {
 }
 async function fallbackCliVersion(cli, args) {
     try {
-        const result = await executeCli(cli, args, { timeout: 15_000 });
+        const command = providerCommandName(cli);
+        const result = await executeCli(command, args, { timeout: 15_000 });
         return {
             cli,
-            command: cli,
+            command,
             args,
             installed: true,
             version: extractVersion(result.stdout, result.stderr),

package/dist/config.d.ts

@@ -1,4 +1,5 @@
 import type { Logger } from "./logger.js";
+import type { RemoteOAuthConfig } from "./auth.js";
 export interface DatabaseConfig {
     connectionString: string;
     pool: {
@@ -75,3 +76,4 @@ export interface ProvidersConfig {
 }
 export declare function loadProvidersConfig(logger?: Logger): ProvidersConfig;
 export declare function isXaiProviderEnabled(config: ProvidersConfig, env?: NodeJS.ProcessEnv): boolean;
+export declare function loadRemoteOAuthConfig(logger?: Logger, env?: NodeJS.ProcessEnv): RemoteOAuthConfig;

package/dist/config.js

@@ -4,6 +4,7 @@ import path from "path";
 import { createRequire } from "module";
 import { z } from "zod/v3";
 import { logWarn, noopLogger } from "./logger.js";
+import { hashSecret, isSecretHash } from "./oauth.js";
 const DatabaseUrlSchema = z
     .string()
     .url()
@@ -75,6 +76,21 @@ function readPersistenceFile(configPath, logger) {
         return { raw: undefined, sourcePath: null };
     }
 }
+function readGatewayTomlFile(configPath, logger, fallbackLabel) {
+    if (!existsSync(configPath)) {
+        return { parsed: null, sourcePath: null };
+    }
+    try {
+        const require = createRequire(import.meta.url);
+        const TOML = require("smol-toml");
+        const text = readFileSync(configPath, "utf-8");
+        return { parsed: TOML.parse(text), sourcePath: configPath };
+    }
+    catch (err) {
+        logger.error(`Failed to parse gateway config at ${configPath}; using ${fallbackLabel} defaults`, err);
+        return { parsed: null, sourcePath: null };
+    }
+}
 function applyEnvOverrides(base, logger, sources) {
     const out = { ...base };
     const jobsDbEnv = process.env.LLM_GATEWAY_JOBS_DB;
@@ -332,3 +348,138 @@ export function isXaiProviderEnabled(config, env = process.env) {
         return false;
     return typeof env[keyEnv] === "string" && env[keyEnv].trim().length > 0;
 }
+const OAuthRegistrationPolicySchema = z.enum(["static_clients", "shared_secret", "open_dev"]);
+const OAuthClientSchema = z
+    .object({
+    client_id: z.string().min(1),
+    client_secret_hash: z.string().optional(),
+    allowed_redirect_uris: z.array(z.string().url()).default([]),
+    scopes: z.array(z.string().min(1)).default(["mcp"]),
+})
+    .strict();
+const OAuthSharedSecretSchema = z
+    .object({
+    enabled: z.boolean().default(false),
+    secret_hash: z.string().optional(),
+    prompt_label: z.string().min(1).default("Gateway access code"),
+})
+    .strict();
+const OAuthConfigSchema = z
+    .object({
+    enabled: z.boolean().default(false),
+    issuer: z.string().min(1).default("auto"),
+    require_pkce: z.boolean().default(true),
+    allow_plain_pkce: z.boolean().default(false),
+    registration_policy: OAuthRegistrationPolicySchema.default("static_clients"),
+    allow_public_clients: z.boolean().default(false),
+    token_ttl_seconds: z.number().int().positive().default(3600),
+    clients: z.array(OAuthClientSchema).default([]),
+    shared_secret: OAuthSharedSecretSchema.optional(),
+})
+    .strict();
+function disabledOAuthConfig(sourcePath = null, envOverrides = []) {
+    return {
+        enabled: false,
+        issuer: "auto",
+        requirePkce: true,
+        allowPlainPkce: false,
+        registrationPolicy: "static_clients",
+        allowPublicClients: false,
+        tokenTtlSeconds: 3600,
+        clients: [],
+        sharedSecret: null,
+        sources: { configFile: sourcePath, envOverrides },
+    };
+}
+function isSafeRedirectUri(uri) {
+    return isHttpsOrLoopbackUrl(uri);
+}
+export function loadRemoteOAuthConfig(logger = noopLogger, env = process.env) {
+    const configPath = defaultGatewayConfigPath();
+    const { parsed: configFile, sourcePath } = readGatewayTomlFile(configPath, logger, "OAuth");
+    const rawHttp = configFile?.http ?? {};
+    const rawOAuth = rawHttp.oauth ?? {};
+    const envOverrides = [];
+    const merged = { ...rawOAuth };
+    if (env.LLM_GATEWAY_OAUTH_ENABLED !== undefined) {
+        merged.enabled = env.LLM_GATEWAY_OAUTH_ENABLED === "1";
+        envOverrides.push("LLM_GATEWAY_OAUTH_ENABLED");
+    }
+    if (env.LLM_GATEWAY_OAUTH_REGISTRATION_SECRET || env.LLM_GATEWAY_OAUTH_SHARED_SECRET) {
+        const rawSecret = env.LLM_GATEWAY_OAUTH_REGISTRATION_SECRET || env.LLM_GATEWAY_OAUTH_SHARED_SECRET;
+        merged.registration_policy = "shared_secret";
+        merged.shared_secret = {
+            enabled: true,
+            secret_hash: rawSecret ? hashSecret(rawSecret) : undefined,
+            prompt_label: "Gateway access code",
+        };
+        envOverrides.push(env.LLM_GATEWAY_OAUTH_REGISTRATION_SECRET
+            ? "LLM_GATEWAY_OAUTH_REGISTRATION_SECRET"
+            : "LLM_GATEWAY_OAUTH_SHARED_SECRET");
+    }
+    const parsed = OAuthConfigSchema.safeParse(merged);
+    if (!parsed.success) {
+        logWarn(logger, "Invalid [http.oauth] config; remote OAuth disabled", {
+            error: parsed.error.message,
+        });
+        return disabledOAuthConfig(sourcePath, envOverrides);
+    }
+    const data = parsed.data;
+    if (data.issuer !== "auto" && !isHttpsOrLoopbackUrl(data.issuer)) {
+        logWarn(logger, "Invalid [http.oauth].issuer; remote OAuth disabled");
+        return disabledOAuthConfig(sourcePath, envOverrides);
+    }
+    for (const client of data.clients) {
+        if (!data.allow_public_clients && !client.client_secret_hash) {
+            logWarn(logger, "OAuth client secret hash is required when public clients are disabled", {
+                client_id: client.client_id,
+            });
+            return disabledOAuthConfig(sourcePath, envOverrides);
+        }
+        if (client.client_secret_hash && !isSecretHash(client.client_secret_hash)) {
+            logWarn(logger, "Invalid OAuth client secret hash; remote OAuth disabled", {
+                client_id: client.client_id,
+            });
+            return disabledOAuthConfig(sourcePath, envOverrides);
+        }
+        if (client.allowed_redirect_uris.length === 0 ||
+            client.allowed_redirect_uris.some(uri => !isSafeRedirectUri(uri))) {
+            logWarn(logger, "Invalid OAuth client redirect URI; remote OAuth disabled", {
+                client_id: client.client_id,
+            });
+            return disabledOAuthConfig(sourcePath, envOverrides);
+        }
+    }
+    if (data.shared_secret?.enabled) {
+        if (!data.shared_secret.secret_hash || !isSecretHash(data.shared_secret.secret_hash)) {
+            logWarn(logger, "Invalid [http.oauth.shared_secret] secret_hash; remote OAuth disabled");
+            return disabledOAuthConfig(sourcePath, envOverrides);
+        }
+    }
+    if (data.registration_policy === "open_dev" && env.LLM_GATEWAY_OAUTH_OPEN_DEV !== "1") {
+        logWarn(logger, "[http.oauth].registration_policy='open_dev' is intended for localhost/dev only");
+    }
+    return {
+        enabled: data.enabled,
+        issuer: data.issuer,
+        requirePkce: data.require_pkce,
+        allowPlainPkce: data.allow_plain_pkce,
+        registrationPolicy: data.registration_policy,
+        allowPublicClients: data.allow_public_clients,
+        tokenTtlSeconds: data.token_ttl_seconds,
+        clients: data.clients.map(client => ({
+            clientId: client.client_id,
+            clientSecretHash: client.client_secret_hash ?? null,
+            allowedRedirectUris: client.allowed_redirect_uris,
+            scopes: client.scopes,
+        })),
+        sharedSecret: data.shared_secret
+            ? {
+                enabled: data.shared_secret.enabled,
+                secretHash: data.shared_secret.secret_hash ?? null,
+                promptLabel: data.shared_secret.prompt_label,
+            }
+            : null,
+        sources: { configFile: sourcePath, envOverrides },
+    };
+}