opencode-antigravity-auth 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Jens
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,126 @@
+# Antigravity OAuth Plugin for Opencode
+
+[![npm version](https://img.shields.io/npm/v/opencode-antigravity-auth.svg)](https://www.npmjs.com/package/opencode-antigravity-auth)
+
+Enable Opencode to authenticate against **Antigravity** (Google's IDE) via OAuth so you can use Antigravity rate limits and access models like `gemini-3-pro-high` and `claude-opus-4-5-thinking` with your Google credentials.
+
+## What you get
+
+- **Google OAuth sign-in** with automatic token refresh
+- **Antigravity API compatibility** for OpenAI-style requests
+- **Debug logging** for requests and responses
+- **Drop-in setup**—Opencode auto-installs the plugin from config
+
+## Quick start
+
+1) **Add the plugin to config** (`~/.config/opencode/opencode.json` or project `.opencode.json`):
+
+```json
+{
+  "plugin": ["opencode-antigravity-auth"]
+}
+```
+
+2) **Authenticate**
+
+- Run `opencode auth login`.
+- Choose Google → **OAuth with Google (Antigravity)**.
+- Sign in via the browser and return to Opencode. If the browser doesn’t open, use the printed link.
+
+3) **Declare the models you want**
+
+Add Antigravity models under the `provider.google.models` section of your config:
+
+```json
+{
+  "plugin": ["opencode-antigravity-auth"],
+  "provider": {
+    "google": {
+      "models": {
+        "gemini-3-pro-high": {
+          "name": "Gemini 3 Pro High (Antigravity)",
+          "limit": { "context": 1048576, "output": 65535 }
+        },
+        "gemini-3-pro-low": {
+          "name": "Gemini 3 Pro Low (Antigravity)",
+          "limit": { "context": 1048576, "output": 65535 }
+        },
+        "claude-sonnet-4-5": {
+          "name": "Claude Sonnet 4.5 (Antigravity)",
+          "limit": { "context": 200000, "output": 64000 }
+        },
+        "claude-sonnet-4-5-thinking": {
+          "name": "Claude Sonnet 4.5 Thinking (Antigravity)",
+          "limit": { "context": 200000, "output": 64000 }
+        },
+        "claude-opus-4-5-thinking": {
+          "name": "Claude Opus 4.5 Thinking (Antigravity)",
+          "limit": { "context": 200000, "output": 64000 }
+        },
+        "gpt-oss-120b-medium": {
+          "name": "GPT-OSS 120B Medium (Antigravity)",
+          "limit": { "context": 131072, "output": 32768 }
+        }
+      }
+    }
+  }
+}
+```
+
+4) **Use a model**
+
+```bash
+opencode run "Hello world" --model=google/gemini-3-pro-high
+```
+
+## Debugging
+
+Enable verbose logging:
+
+```bash
+export OPENCODE_ANTIGRAVITY_DEBUG=1
+```
+
+Logs are written to the current directory (e.g., `antigravity-debug-<timestamp>.log`).
+
+## Development
+
+```bash
+npm install
+```
+
+## Safety, usage, and risk notices
+
+### Intended use
+
+- Personal / internal development only
+- Respect internal quotas and data handling policies
+- Not for production services or bypassing intended limits
+
+### Not suitable for
+
+- Production application traffic
+- High-volume automated extraction
+- Any use that violates Acceptable Use Policies
+
+### ⚠️ Warning (assumption of risk)
+
+By using this plugin, you acknowledge and accept the following:
+
+- **Terms of Service risk:** This approach may violate the Terms of Service of AI model providers (Anthropic, OpenAI, etc.). You are solely responsible for ensuring compliance with all applicable terms and policies.
+- **Account risk:** Providers may detect this usage pattern and take punitive action, including suspension, permanent ban, or loss of access to paid subscriptions.
+- **No guarantees:** Providers may change APIs, authentication, or policies at any time, which can break this method without notice.
+- **Assumption of risk:** You assume all legal, financial, and technical risks. The authors and contributors of this project bear no responsibility for any consequences arising from your use.
+
+Use at your own risk. Proceed only if you understand and accept these risks.
+
+## Legal
+
+- Not affiliated with Google. This is an independent open-source project and is not endorsed by, sponsored by, or affiliated with Google LLC.
+- "Antigravity", "Gemini", "Google Cloud", and "Google" are trademarks of Google LLC.
+- Software is provided "as is", without warranty. You are responsible for complying with Google's Terms of Service and Acceptable Use Policy.
+
+## Credits
+
+- Inspired by and different from [opencode-gemini-auth](https://github.com/jenslys/opencode-gemini-auth) by [jenslys](https://github.com/jenslys). Thanks for the groundwork! 🚀
+- Thanks to [CLIProxyAPI](https://github.com/router-for-me/CLIProxyAPI) for the inspiration.

package/index.ts

@@ -0,0 +1,14 @@
+export {
+  AntigravityCLIOAuthPlugin,
+  GoogleOAuthPlugin,
+} from "./src/plugin";
+
+export {
+  authorizeAntigravity,
+  exchangeAntigravity,
+} from "./src/antigravity/oauth";
+
+export type {
+  AntigravityAuthorization,
+  AntigravityTokenExchangeResult,
+} from "./src/antigravity/oauth";

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "opencode-antigravity-auth",
+  "module": "index.ts",
+  "version": "1.0.0",
+  "author": "noefabris",
+  "repository": "https://github.com/NoeFabris/opencode-antigravity-auth",
+  "files": [
+    "index.ts",
+    "src"
+  ],
+  "license": "MIT",
+  "type": "module",
+  "devDependencies": {
+    "@opencode-ai/plugin": "^0.15.30",
+    "@types/bun": "latest",
+    "@types/node": "^24.10.1"
+  },
+  "peerDependencies": {
+    "typescript": "^5"
+  },
+  "dependencies": {
+    "@openauthjs/openauth": "^0.4.3"
+  }
+}

package/src/antigravity/oauth.ts

@@ -0,0 +1,250 @@
+import { generatePKCE } from "@openauthjs/openauth/pkce";
+
+import {
+  ANTIGRAVITY_CLIENT_ID,
+  ANTIGRAVITY_CLIENT_SECRET,
+  ANTIGRAVITY_REDIRECT_URI,
+  ANTIGRAVITY_SCOPES,
+  ANTIGRAVITY_ENDPOINT_FALLBACKS,
+  ANTIGRAVITY_LOAD_ENDPOINTS,
+  ANTIGRAVITY_HEADERS,
+} from "../constants";
+
+interface PkcePair {
+  challenge: string;
+  verifier: string;
+}
+
+interface AntigravityAuthState {
+  verifier: string;
+  projectId: string;
+}
+
+/**
+ * Result returned to the caller after constructing an OAuth authorization URL.
+ */
+export interface AntigravityAuthorization {
+  url: string;
+  verifier: string;
+  projectId: string;
+}
+
+interface AntigravityTokenExchangeSuccess {
+  type: "success";
+  refresh: string;
+  access: string;
+  expires: number;
+  email?: string;
+  projectId: string;
+}
+
+interface AntigravityTokenExchangeFailure {
+  type: "failed";
+  error: string;
+}
+
+export type AntigravityTokenExchangeResult =
+  | AntigravityTokenExchangeSuccess
+  | AntigravityTokenExchangeFailure;
+
+interface AntigravityTokenResponse {
+  access_token: string;
+  expires_in: number;
+  refresh_token: string;
+}
+
+interface AntigravityUserInfo {
+  email?: string;
+}
+
+/**
+ * Encode an object into a URL-safe base64 string.
+ */
+function encodeState(payload: AntigravityAuthState): string {
+  return Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
+}
+
+/**
+ * Decode an OAuth state parameter back into its structured representation.
+ */
+function decodeState(state: string): AntigravityAuthState {
+  const normalized = state.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = normalized.padEnd(normalized.length + ((4 - normalized.length % 4) % 4), "=");
+  const json = Buffer.from(padded, "base64").toString("utf8");
+  const parsed = JSON.parse(json);
+  if (typeof parsed.verifier !== "string") {
+    throw new Error("Missing PKCE verifier in state");
+  }
+  return {
+    verifier: parsed.verifier,
+    projectId: typeof parsed.projectId === "string" ? parsed.projectId : "",
+  };
+}
+
+/**
+ * Build the Antigravity OAuth authorization URL including PKCE and optional project metadata.
+ */
+export async function authorizeAntigravity(projectId = ""): Promise<AntigravityAuthorization> {
+  const pkce = (await generatePKCE()) as PkcePair;
+
+  const url = new URL("https://accounts.google.com/o/oauth2/v2/auth");
+  url.searchParams.set("client_id", ANTIGRAVITY_CLIENT_ID);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("redirect_uri", ANTIGRAVITY_REDIRECT_URI);
+  url.searchParams.set("scope", ANTIGRAVITY_SCOPES.join(" "));
+  url.searchParams.set("code_challenge", pkce.challenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set(
+    "state",
+    encodeState({ verifier: pkce.verifier, projectId: projectId || "" }),
+  );
+  url.searchParams.set("access_type", "offline");
+  url.searchParams.set("prompt", "consent");
+
+  return {
+    url: url.toString(),
+    verifier: pkce.verifier,
+    projectId: projectId || "",
+  };
+}
+
+async function fetchProjectID(accessToken: string): Promise<string> {
+  const errors: string[] = [];
+  // Use CLIProxy-aligned headers for project discovery to match "real" Antigravity clients.
+  const loadHeaders: Record<string, string> = {
+    Authorization: `Bearer ${accessToken}`,
+    "Content-Type": "application/json",
+    "User-Agent": "google-api-nodejs-client/9.15.1",
+    "X-Goog-Api-Client": "google-cloud-sdk vscode_cloudshelleditor/0.1",
+    "Client-Metadata": ANTIGRAVITY_HEADERS["Client-Metadata"],
+  };
+
+  const loadEndpoints = Array.from(
+    new Set<string>([...ANTIGRAVITY_LOAD_ENDPOINTS, ...ANTIGRAVITY_ENDPOINT_FALLBACKS]),
+  );
+
+  for (const baseEndpoint of loadEndpoints) {
+    try {
+      const url = `${baseEndpoint}/v1internal:loadCodeAssist`;
+      const response = await fetch(url, {
+        method: "POST",
+        headers: loadHeaders,
+        body: JSON.stringify({
+          metadata: {
+            ideType: "IDE_UNSPECIFIED",
+            platform: "PLATFORM_UNSPECIFIED",
+            pluginType: "GEMINI",
+          },
+        }),
+      });
+
+      if (!response.ok) {
+        const message = await response.text().catch(() => "");
+        errors.push(
+          `loadCodeAssist ${response.status} at ${baseEndpoint}${
+            message ? `: ${message}` : ""
+          }`,
+        );
+        continue;
+      }
+
+      const data = await response.json();
+      if (typeof data.cloudaicompanionProject === "string" && data.cloudaicompanionProject) {
+        return data.cloudaicompanionProject;
+      }
+      if (
+        data.cloudaicompanionProject &&
+        typeof data.cloudaicompanionProject.id === "string" &&
+        data.cloudaicompanionProject.id
+      ) {
+        return data.cloudaicompanionProject.id;
+      }
+
+      errors.push(`loadCodeAssist missing project id at ${baseEndpoint}`);
+    } catch (e) {
+      errors.push(
+        `loadCodeAssist error at ${baseEndpoint}: ${
+          e instanceof Error ? e.message : String(e)
+        }`,
+      );
+    }
+  }
+
+  if (errors.length) {
+    console.warn("Failed to resolve Antigravity project via loadCodeAssist:", errors.join("; "));
+  }
+  return "";
+}
+
+/**
+ * Exchange an authorization code for Antigravity CLI access and refresh tokens.
+ */
+export async function exchangeAntigravity(
+  code: string,
+  state: string,
+): Promise<AntigravityTokenExchangeResult> {
+  try {
+    const { verifier, projectId } = decodeState(state);
+
+    const tokenResponse = await fetch("https://oauth2.googleapis.com/token", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: new URLSearchParams({
+        client_id: ANTIGRAVITY_CLIENT_ID,
+        client_secret: ANTIGRAVITY_CLIENT_SECRET,
+        code,
+        grant_type: "authorization_code",
+        redirect_uri: ANTIGRAVITY_REDIRECT_URI,
+        code_verifier: verifier,
+      }),
+    });
+
+    if (!tokenResponse.ok) {
+      const errorText = await tokenResponse.text();
+      return { type: "failed", error: errorText };
+    }
+
+    const tokenPayload = (await tokenResponse.json()) as AntigravityTokenResponse;
+
+    const userInfoResponse = await fetch(
+      "https://www.googleapis.com/oauth2/v1/userinfo?alt=json",
+      {
+        headers: {
+          Authorization: `Bearer ${tokenPayload.access_token}`,
+        },
+      },
+    );
+
+    const userInfo = userInfoResponse.ok
+      ? ((await userInfoResponse.json()) as AntigravityUserInfo)
+      : {};
+
+    const refreshToken = tokenPayload.refresh_token;
+    if (!refreshToken) {
+      return { type: "failed", error: "Missing refresh token in response" };
+    }
+
+    let effectiveProjectId = projectId;
+    if (!effectiveProjectId) {
+      effectiveProjectId = await fetchProjectID(tokenPayload.access_token);
+    }
+
+    const storedRefresh = `${refreshToken}|${effectiveProjectId || ""}`;
+
+    return {
+      type: "success",
+      refresh: storedRefresh,
+      access: tokenPayload.access_token,
+      expires: Date.now() + tokenPayload.expires_in * 1000,
+      email: userInfo.email,
+      projectId: effectiveProjectId || "",
+    };
+  } catch (error) {
+    return {
+      type: "failed",
+      error: error instanceof Error ? error.message : "Unknown error",
+    };
+  }
+}

package/src/constants.ts

@@ -0,0 +1,70 @@
+/**
+ * Constants used for Antigravity OAuth flows and Cloud Code Assist API integration.
+ */
+export const ANTIGRAVITY_CLIENT_ID = "1071006060591-tmhssin2h21lcre235vtolojh4g403ep.apps.googleusercontent.com";
+
+/**
+ * Client secret issued for the Antigravity OAuth application.
+ */
+export const ANTIGRAVITY_CLIENT_SECRET = "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";
+
+/**
+ * Scopes required for Antigravity integrations.
+ */
+export const ANTIGRAVITY_SCOPES: readonly string[] = [
+  "https://www.googleapis.com/auth/cloud-platform",
+  "https://www.googleapis.com/auth/userinfo.email",
+  "https://www.googleapis.com/auth/userinfo.profile",
+  "https://www.googleapis.com/auth/cclog",
+  "https://www.googleapis.com/auth/experimentsandconfigs",
+];
+
+/**
+ * OAuth redirect URI used by the local CLI callback server.
+ */
+export const ANTIGRAVITY_REDIRECT_URI = "http://localhost:51121/oauth-callback";
+
+/**
+ * Root endpoints for the Antigravity API (in fallback order).
+ * CLIProxy and Vibeproxy use the daily sandbox endpoint first,
+ * then fallback to autopush and prod if needed.
+ */
+export const ANTIGRAVITY_ENDPOINT_DAILY = "https://daily-cloudcode-pa.sandbox.googleapis.com";
+export const ANTIGRAVITY_ENDPOINT_AUTOPUSH = "https://autopush-cloudcode-pa.sandbox.googleapis.com";
+export const ANTIGRAVITY_ENDPOINT_PROD = "https://cloudcode-pa.googleapis.com";
+
+/**
+ * Endpoint fallback order (daily → autopush → prod).
+ * Shared across request handling and project discovery to mirror CLIProxy behavior.
+ */
+export const ANTIGRAVITY_ENDPOINT_FALLBACKS = [
+  ANTIGRAVITY_ENDPOINT_DAILY,
+  ANTIGRAVITY_ENDPOINT_AUTOPUSH,
+  ANTIGRAVITY_ENDPOINT_PROD,
+] as const;
+
+/**
+ * Preferred endpoint order for project discovery (prod first, then fallbacks).
+ * loadCodeAssist appears to be best supported on prod for managed project resolution.
+ */
+export const ANTIGRAVITY_LOAD_ENDPOINTS = [
+  ANTIGRAVITY_ENDPOINT_PROD,
+  ANTIGRAVITY_ENDPOINT_DAILY,
+  ANTIGRAVITY_ENDPOINT_AUTOPUSH,
+] as const;
+
+/**
+ * Primary endpoint to use (daily sandbox - same as CLIProxy/Vibeproxy).
+ */
+export const ANTIGRAVITY_ENDPOINT = ANTIGRAVITY_ENDPOINT_DAILY;
+
+export const ANTIGRAVITY_HEADERS = {
+  "User-Agent": "antigravity/1.11.5 windows/amd64",
+  "X-Goog-Api-Client": "google-cloud-sdk vscode_cloudshelleditor/0.1",
+  "Client-Metadata": '{"ideType":"IDE_UNSPECIFIED","platform":"PLATFORM_UNSPECIFIED","pluginType":"GEMINI"}',
+} as const;
+
+/**
+ * Provider identifier shared between the plugin loader and credential store.
+ */
+export const ANTIGRAVITY_PROVIDER_ID = "google";

package/src/plugin/auth.ts

@@ -0,0 +1,38 @@
+import type { AuthDetails, OAuthAuthDetails, RefreshParts } from "./types";
+
+const ACCESS_TOKEN_EXPIRY_BUFFER_MS = 60 * 1000;
+
+export function isOAuthAuth(auth: AuthDetails): auth is OAuthAuthDetails {
+  return auth.type === "oauth";
+}
+
+/**
+ * Splits a packed refresh string into its constituent refresh token and project IDs.
+ */
+export function parseRefreshParts(refresh: string): RefreshParts {
+  const [refreshToken = "", projectId = "", managedProjectId = ""] = (refresh ?? "").split("|");
+  return {
+    refreshToken,
+    projectId: projectId || undefined,
+    managedProjectId: managedProjectId || undefined,
+  };
+}
+
+/**
+ * Serializes refresh token parts into the stored string format.
+ */
+export function formatRefreshParts(parts: RefreshParts): string {
+  const projectSegment = parts.projectId ?? "";
+  const base = `${parts.refreshToken}|${projectSegment}`;
+  return parts.managedProjectId ? `${base}|${parts.managedProjectId}` : base;
+}
+
+/**
+ * Determines whether an access token is expired or missing, with buffer for clock skew.
+ */
+export function accessTokenExpired(auth: OAuthAuthDetails): boolean {
+  if (!auth.access || typeof auth.expires !== "number") {
+    return true;
+  }
+  return auth.expires <= Date.now() + ACCESS_TOKEN_EXPIRY_BUFFER_MS;
+}

package/src/plugin/cache.ts

@@ -0,0 +1,65 @@
+import { accessTokenExpired } from "./auth";
+import type { OAuthAuthDetails } from "./types";
+
+const authCache = new Map<string, OAuthAuthDetails>();
+
+/**
+ * Produces a stable cache key from a refresh token string.
+ */
+function normalizeRefreshKey(refresh?: string): string | undefined {
+  const key = refresh?.trim();
+  return key ? key : undefined;
+}
+
+/**
+ * Returns a cached auth snapshot when available, favoring unexpired tokens.
+ */
+export function resolveCachedAuth(auth: OAuthAuthDetails): OAuthAuthDetails {
+  const key = normalizeRefreshKey(auth.refresh);
+  if (!key) {
+    return auth;
+  }
+
+  const cached = authCache.get(key);
+  if (!cached) {
+    authCache.set(key, auth);
+    return auth;
+  }
+
+  if (!accessTokenExpired(auth)) {
+    authCache.set(key, auth);
+    return auth;
+  }
+
+  if (!accessTokenExpired(cached)) {
+    return cached;
+  }
+
+  authCache.set(key, auth);
+  return auth;
+}
+
+/**
+ * Stores the latest auth snapshot keyed by refresh token.
+ */
+export function storeCachedAuth(auth: OAuthAuthDetails): void {
+  const key = normalizeRefreshKey(auth.refresh);
+  if (!key) {
+    return;
+  }
+  authCache.set(key, auth);
+}
+
+/**
+ * Clears cached auth globally or for a specific refresh token.
+ */
+export function clearCachedAuth(refresh?: string): void {
+  if (!refresh) {
+    authCache.clear();
+    return;
+  }
+  const key = normalizeRefreshKey(refresh);
+  if (key) {
+    authCache.delete(key);
+  }
+}

package/src/plugin/cli.ts

@@ -0,0 +1,15 @@
+import { createInterface } from "node:readline/promises";
+import { stdin as input, stdout as output } from "node:process";
+
+/**
+ * Prompts the user for a project ID via stdin/stdout.
+ */
+export async function promptProjectId(): Promise<string> {
+  const rl = createInterface({ input, output });
+  try {
+    const answer = await rl.question("Project ID (leave blank to use your default project): ");
+    return answer.trim();
+  } finally {
+    rl.close();
+  }
+}