opencode-gemini-auth 1.1.6 → 1.3.3

package/README.md

@@ -1,96 +1,173 @@
 # Gemini OAuth Plugin for Opencode
 
-Authenticate the Opencode CLI with your Google account so you can use your
-existing Gemini plan and its included quota instead of API billing.
+![License](https://img.shields.io/npm/l/opencode-gemini-auth)
+![Version](https://img.shields.io/npm/v/opencode-gemini-auth)
 
-## Setup
+**Authenticate the Opencode CLI with your Google account.** This plugin enables
+you to use your existing Gemini plan and quotas (including the free tier)
+directly within Opencode, bypassing separate API billing.
 
-1. Add the plugin to your [Opencode config](https://opencode.ai/docs/config/):
+## Prerequisites
 
-   ```json
-   {
-     "$schema": "https://opencode.ai/config.json",
-     "plugin": ["opencode-gemini-auth"]
-   }
+- [Opencode CLI](https://opencode.ai) installed.
+- A Google account with access to Gemini.
+
+## Installation
+
+Add the plugin to your Opencode configuration file
+(`~/.config/opencode/config.json` or similar):
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["opencode-gemini-auth"]
+}
+```
+
+## Usage
+
+1. **Login**: Run the authentication command in your terminal:
+
+   ```bash
+   opencode auth login
    ```
 
-2. Run `opencode auth login`.
-3. Choose the Google provider and select **OAuth with Google (Gemini CLI)**.
+2. **Select Provider**: Choose **Google** from the list.
+3. **Authenticate**: Select **OAuth with Google (Gemini CLI)**.
+   - A browser window will open for you to approve the access.
+   - The plugin spins up a temporary local server to capture the callback.
+   - If the local server fails (e.g., port in use or headless environment),
+     you can manually copy/paste the callback URL as instructed.
 
-The plugin spins up a local callback listener, so after approving in the
-browser you'll land on an "Authentication complete" page with no URL
-copy/paste required. If that port is already taken, the CLI automatically
-falls back to the classic copy/paste flow and explains what to do.
+Once authenticated, Opencode will use your Google account for Gemini requests.
 
-## Updating
+## Configuration
 
-> [!WARNING]
-> OpenCode does NOT auto-update plugins
+### Google Cloud Project
 
-To get the latest version:
+By default, the plugin attempts to provision or find a suitable Google Cloud
+project. To force a specific project, set the `projectId` in your configuration:
 
-```bash
-(cd ~ && sed -i.bak '/"opencode-gemini-auth"/d' .cache/opencode/package.json && \
-rm -rf .cache/opencode/node_modules/opencode-gemini-auth && \
-echo "Plugin update script finished successfully.")
+```json
+{
+  "provider": {
+    "google": {
+      "options": {
+        "projectId": "your-specific-project-id"
+      }
+    }
+  }
+}
 ```
 
-```bash
-opencode  # Reinstalls latest
-```
+### Thinking Models
 
-## Local Development
+Configure "thinking" capabilities for Gemini models using the `thinkingConfig`
+option in your `config.json`.
 
-First, clone the repository and install dependencies:
+**Gemini 3 (Thinking Level)**
+Use `thinkingLevel` (`"low"`, `"high"`) for Gemini 3 models.
 
-```bash
-git clone https://github.com/jenslys/opencode-gemini-auth.git
-cd opencode-gemini-auth
-bun install
+```json
+{
+  "provider": {
+    "google": {
+      "models": {
+        "gemini-3-pro-preview": {
+          "options": {
+            "thinkingConfig": {
+              "thinkingLevel": "high",
+              "includeThoughts": true
+            }
+          }
+        }
+      }
+    }
+  }
+}
 ```
 
-When you want Opencode to use a local checkout of this plugin, point the
-`plugin` entry in your config to the folder via a `file://` URL:
+**Gemini 2.5 (Thinking Budget)**
+Use `thinkingBudget` (token count) for Gemini 2.5 models.
 
 ```json
 {
-  "$schema": "https://opencode.ai/config.json",
-  "plugin": ["file:///absolute/path/to/opencode-gemini-auth"]
+  "provider": {
+    "google": {
+      "models": {
+        "gemini-2.5-flash": {
+          "options": {
+            "thinkingConfig": {
+              "thinkingBudget": 8192,
+              "includeThoughts": true
+            }
+          }
+        }
+      }
+    }
+  }
 }
 ```
 
-Replace `/absolute/path/to/opencode-gemini-auth` with the absolute path to
-your local clone.
+## Troubleshooting
 
-## Manual Google Cloud Setup
+### Manual Google Cloud Setup
 
-If automatic provisioning fails, use the console:
+If automatic provisioning fails, you may need to set up the project manually:
 
-1. Go to the Google Cloud Console and create (or select) a project, e.g. `gemini`.
-2. Select that project.
-3. Enable the **Gemini for Google Cloud API** (`cloudaicompanion.googleapis.com`).
-4. Re-run `opencode auth login` and enter the project **ID** (not the display name).
+1. Go to the [Google Cloud Console](https://console.cloud.google.com/).
+2. Create or select a project.
+3. Enable the **Gemini for Google Cloud API**
+   (`cloudaicompanion.googleapis.com`).
+4. Configure the `projectId` in your Opencode config as shown above.
 
-## Debugging Gemini Requests
+### Debugging
 
-Set `OPENCODE_GEMINI_DEBUG=1` in the environment when you run an Opencode
-command to capture every Gemini request/response that this plugin issues. When
-enabled, the plugin writes to a timestamped `gemini-debug-<ISO>.log` file in
-your current working directory so the CLI output stays clean.
+To view detailed logs of Gemini requests and responses, set the
+`OPENCODE_GEMINI_DEBUG` environment variable:
 
 ```bash
 OPENCODE_GEMINI_DEBUG=1 opencode
 ```
 
-The logger shows the transformed URL, HTTP method, sanitized headers (the
-`Authorization` header is redacted), whether the call used streaming, and a
-truncated preview (2 KB) of both the request and response bodies. This is handy
-when diagnosing "Bad Request" responses from Gemini. Remember that payloads may
-still include parts of your prompt or response, so only enable this flag when
-you're comfortable keeping that information in the generated log file.
-
-**404s on `gemini-2.5-flash-image`.** Opencode fires internal
-summarization/title requests at `gemini-2.5-flash-image`. The plugin
-automatically remaps those payloads to `gemini-2.5-flash`, eliminating the extra
-404s for accounts without image access. If you still see a 404, confirm your
-project actually has access to the fallback model.
+This will generate `gemini-debug-<timestamp>.log` files in your working
+directory containing sanitized request/response details.
+
+### Updating
+
+Opencode does not automatically update plugins. To update to the latest version,
+you must clear the cached plugin:
+
+```bash
+# Clear the specific plugin cache
+rm -rf ~/.cache/opencode/node_modules/opencode-gemini-auth
+
+# Run Opencode to trigger a fresh install
+opencode
+```
+
+## Development
+
+To develop on this plugin locally:
+
+1. **Clone**:
+
+   ```bash
+   git clone https://github.com/jenslys/opencode-gemini-auth.git
+   cd opencode-gemini-auth
+   bun install
+   ```
+
+2. **Link**:
+   Update your Opencode config to point to your local directory using a
+   `file://` URL:
+
+   ```json
+   {
+     "plugin": ["file:///absolute/path/to/opencode-gemini-auth"]
+   }
+   ```
+
+## License
+
+MIT

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opencode-gemini-auth",
   "module": "index.ts",
-  "version": "1.1.6",
+  "version": "1.3.3",
   "author": "jenslys",
   "repository": "https://github.com/jenslys/opencode-gemini-auth",
   "files": [
@@ -11,11 +11,11 @@
   "license": "MIT",
   "type": "module",
   "devDependencies": {
-    "@opencode-ai/plugin": "^0.15.30",
+    "@opencode-ai/plugin": "^0.15.31",
     "@types/bun": "latest"
   },
   "peerDependencies": {
-    "typescript": "^5"
+    "typescript": "^5.9.3"
   },
   "dependencies": {
     "@openauthjs/openauth": "^0.4.3"

package/src/gemini/oauth.ts

@@ -14,7 +14,6 @@ interface PkcePair {
 
 interface GeminiAuthState {
   verifier: string;
-  projectId: string;
 }
 
 /**
@@ -23,7 +22,6 @@ interface GeminiAuthState {
 export interface GeminiAuthorization {
   url: string;
   verifier: string;
-  projectId: string;
 }
 
 interface GeminiTokenExchangeSuccess {
@@ -32,7 +30,6 @@ interface GeminiTokenExchangeSuccess {
   access: string;
   expires: number;
   email?: string;
-  projectId: string;
 }
 
 interface GeminiTokenExchangeFailure {
@@ -74,14 +71,13 @@ function decodeState(state: string): GeminiAuthState {
   }
   return {
     verifier: parsed.verifier,
-    projectId: typeof parsed.projectId === "string" ? parsed.projectId : "",
   };
 }
 
 /**
- * Build the Gemini OAuth authorization URL including PKCE and optional project metadata.
+ * Build the Gemini OAuth authorization URL including PKCE.
  */
-export async function authorizeGemini(projectId = ""): Promise<GeminiAuthorization> {
+export async function authorizeGemini(): Promise<GeminiAuthorization> {
   const pkce = (await generatePKCE()) as PkcePair;
 
   const url = new URL("https://accounts.google.com/o/oauth2/v2/auth");
@@ -91,17 +87,13 @@ export async function authorizeGemini(projectId = ""): Promise<GeminiAuthorizati
   url.searchParams.set("scope", GEMINI_SCOPES.join(" "));
   url.searchParams.set("code_challenge", pkce.challenge);
   url.searchParams.set("code_challenge_method", "S256");
-  url.searchParams.set(
-    "state",
-    encodeState({ verifier: pkce.verifier, projectId: projectId || "" }),
-  );
+  url.searchParams.set("state", encodeState({ verifier: pkce.verifier }));
   url.searchParams.set("access_type", "offline");
   url.searchParams.set("prompt", "consent");
 
   return {
     url: url.toString(),
     verifier: pkce.verifier,
-    projectId: projectId || "",
   };
 }
 
@@ -113,7 +105,7 @@ export async function exchangeGemini(
   state: string,
 ): Promise<GeminiTokenExchangeResult> {
   try {
-    const { verifier, projectId } = decodeState(state);
+    const { verifier } = decodeState(state);
 
     const tokenResponse = await fetch("https://oauth2.googleapis.com/token", {
       method: "POST",
@@ -155,15 +147,12 @@ export async function exchangeGemini(
       return { type: "failed", error: "Missing refresh token in response" };
     }
 
-    const storedRefresh = `${refreshToken}|${projectId || ""}`;
-
     return {
       type: "success",
-      refresh: storedRefresh,
+      refresh: refreshToken,
       access: tokenPayload.access_token,
       expires: Date.now() + tokenPayload.expires_in * 1000,
       email: userInfo.email,
-      projectId: projectId || "",
     };
   } catch (error) {
     return {

package/src/plugin/auth.ts

@@ -22,9 +22,17 @@ export function parseRefreshParts(refresh: string): RefreshParts {
  * Serializes refresh token parts into the stored string format.
  */
 export function formatRefreshParts(parts: RefreshParts): string {
+  if (!parts.refreshToken) {
+    return "";
+  }
+
+  if (!parts.projectId && !parts.managedProjectId) {
+    return parts.refreshToken;
+  }
+
   const projectSegment = parts.projectId ?? "";
-  const base = `${parts.refreshToken}|${projectSegment}`;
-  return parts.managedProjectId ? `${base}|${parts.managedProjectId}` : base;
+  const managedSegment = parts.managedProjectId ?? "";
+  return `${parts.refreshToken}|${projectSegment}|${managedSegment}`;
 }
 
 /**

package/src/plugin/project.ts

@@ -48,7 +48,7 @@ class ProjectIdRequiredError extends Error {
    */
   constructor() {
     super(
-      "Google Gemini requires a Google Cloud project. Enable the Gemini for Google Cloud API on a project you control, rerun `opencode auth login`, and supply that project ID when prompted.",
+      "Google Gemini requires a Google Cloud project. Enable the Gemini for Google Cloud API on a project you control, then set `provider.google.options.projectId` in your Opencode config (or set OPENCODE_GEMINI_PROJECT_ID).",
     );
   }
 }
@@ -109,8 +109,21 @@ export function invalidateProjectContextCache(refresh?: string): void {
     projectContextResultCache.clear();
     return;
   }
+
   projectContextPendingCache.delete(refresh);
   projectContextResultCache.delete(refresh);
+
+  const prefix = `${refresh}|cfg:`;
+  for (const key of projectContextPendingCache.keys()) {
+    if (key.startsWith(prefix)) {
+      projectContextPendingCache.delete(key);
+    }
+  }
+  for (const key of projectContextResultCache.keys()) {
+    if (key.startsWith(prefix)) {
+      projectContextResultCache.delete(key);
+    }
+  }
 }
 
 /**
@@ -220,13 +233,19 @@ export async function onboardManagedProject(
 export async function ensureProjectContext(
   auth: OAuthAuthDetails,
   client: PluginClient,
+  configuredProjectId?: string,
 ): Promise<ProjectContextResult> {
   const accessToken = auth.access;
   if (!accessToken) {
     return { auth, effectiveProjectId: "" };
   }
 
-  const cacheKey = getCacheKey(auth);
+  const cacheKey = (() => {
+    const base = getCacheKey(auth);
+    if (!base) return undefined;
+    const project = configuredProjectId?.trim() ?? "";
+    return project ? `${base}|cfg:${project}` : base;
+  })();
   if (cacheKey) {
     const cached = projectContextResultCache.get(cacheKey);
     if (cached) {
@@ -240,21 +259,24 @@ export async function ensureProjectContext(
 
   const resolveContext = async (): Promise<ProjectContextResult> => {
     const parts = parseRefreshParts(auth.refresh);
-    if (parts.projectId || parts.managedProjectId) {
+    const effectiveConfiguredProjectId = configuredProjectId?.trim() || undefined;
+    const projectId = effectiveConfiguredProjectId ?? parts.projectId;
+
+    if (projectId || parts.managedProjectId) {
       return {
         auth,
-        effectiveProjectId: parts.projectId || parts.managedProjectId || "",
+        effectiveProjectId: projectId || parts.managedProjectId || "",
       };
     }
 
-    const loadPayload = await loadManagedProject(accessToken, parts.projectId);
+    const loadPayload = await loadManagedProject(accessToken, projectId);
     if (loadPayload?.cloudaicompanionProject) {
       const managedProjectId = loadPayload.cloudaicompanionProject;
       const updatedAuth: OAuthAuthDetails = {
         ...auth,
         refresh: formatRefreshParts({
           refreshToken: parts.refreshToken,
-          projectId: parts.projectId,
+          projectId,
           managedProjectId,
         }),
       };
@@ -283,13 +305,13 @@ export async function ensureProjectContext(
       throw new ProjectIdRequiredError();
     }
 
-    const managedProjectId = await onboardManagedProject(accessToken, tierId, parts.projectId);
+    const managedProjectId = await onboardManagedProject(accessToken, tierId, projectId);
     if (managedProjectId) {
       const updatedAuth: OAuthAuthDetails = {
         ...auth,
         refresh: formatRefreshParts({
           refreshToken: parts.refreshToken,
-          projectId: parts.projectId,
+          projectId,
           managedProjectId,
         }),
       };

package/src/plugin/request-helpers.ts

@@ -27,15 +27,19 @@ export interface GeminiUsageMetadata {
 }
 
 /**
- * Normalized thinking configuration accepted by Gemini.
+ * Thinking configuration accepted by Gemini.
+ * - Gemini 3 models use thinkingLevel (string: 'low', 'medium', 'high')
+ * - Gemini 2.5 models use thinkingBudget (number)
  */
 export interface ThinkingConfig {
   thinkingBudget?: number;
+  thinkingLevel?: string;
   includeThoughts?: boolean;
 }
 
 /**
- * Ensures thinkingConfig is valid: includeThoughts only allowed when budget > 0.
+ * Normalizes thinkingConfig - passes through values as-is without mapping.
+ * User should use thinkingLevel for Gemini 3 and thinkingBudget for Gemini 2.5.
  */
 export function normalizeThinkingConfig(config: unknown): ThinkingConfig | undefined {
   if (!config || typeof config !== "object") {
@@ -44,15 +48,14 @@ export function normalizeThinkingConfig(config: unknown): ThinkingConfig | undef
 
   const record = config as Record<string, unknown>;
   const budgetRaw = record.thinkingBudget ?? record.thinking_budget;
+  const levelRaw = record.thinkingLevel ?? record.thinking_level;
   const includeRaw = record.includeThoughts ?? record.include_thoughts;
 
   const thinkingBudget = typeof budgetRaw === "number" && Number.isFinite(budgetRaw) ? budgetRaw : undefined;
+  const thinkingLevel = typeof levelRaw === "string" && levelRaw.length > 0 ? levelRaw.toLowerCase() : undefined;
   const includeThoughts = typeof includeRaw === "boolean" ? includeRaw : undefined;
 
-  const enableThinking = thinkingBudget !== undefined && thinkingBudget > 0;
-  const finalInclude = enableThinking ? includeThoughts ?? false : false;
-
-  if (!enableThinking && finalInclude === false && thinkingBudget === undefined && includeThoughts === undefined) {
+  if (thinkingBudget === undefined && thinkingLevel === undefined && includeThoughts === undefined) {
     return undefined;
   }
 
@@ -60,8 +63,11 @@ export function normalizeThinkingConfig(config: unknown): ThinkingConfig | undef
   if (thinkingBudget !== undefined) {
     normalized.thinkingBudget = thinkingBudget;
   }
-  if (finalInclude !== undefined) {
-    normalized.includeThoughts = finalInclude;
+  if (thinkingLevel !== undefined) {
+    normalized.thinkingLevel = thinkingLevel;
+  }
+  if (includeThoughts !== undefined) {
+    normalized.includeThoughts = includeThoughts;
   }
   return normalized;
 }

package/src/plugin/types.ts

@@ -26,6 +26,7 @@ export interface ProviderModel {
 
 export interface Provider {
   models?: Record<string, ProviderModel>;
+  options?: Record<string, unknown>;
 }
 
 export interface LoaderResult {
@@ -41,7 +42,7 @@ export interface AuthMethod {
     url: string;
     instructions: string;
     method: string;
-    callback: (callbackUrl: string) => Promise<GeminiTokenExchangeResult>;
+    callback: (() => Promise<GeminiTokenExchangeResult>) | ((callbackUrl: string) => Promise<GeminiTokenExchangeResult>);
   }>;
 }
 

package/src/plugin.ts

@@ -1,8 +1,9 @@
+import { spawn } from "node:child_process";
+
 import { GEMINI_PROVIDER_ID, GEMINI_REDIRECT_URI } from "./constants";
 import { authorizeGemini, exchangeGemini } from "./gemini/oauth";
 import type { GeminiTokenExchangeResult } from "./gemini/oauth";
 import { accessTokenExpired, isOAuthAuth } from "./plugin/auth";
-import { promptProjectId } from "./plugin/cli";
 import { ensureProjectContext } from "./plugin/project";
 import { startGeminiDebugRequest } from "./plugin/debug";
 import {
@@ -36,6 +37,17 @@ export const GeminiCLIOAuthPlugin = async (
         return null;
       }
 
+      const providerOptions =
+        provider && typeof provider === "object"
+          ? ((provider as { options?: Record<string, unknown> }).options ?? undefined)
+          : undefined;
+      const projectIdFromConfig =
+        providerOptions && typeof providerOptions.projectId === "string"
+          ? providerOptions.projectId.trim()
+          : "";
+      const projectIdFromEnv = process.env.OPENCODE_GEMINI_PROJECT_ID?.trim() ?? "";
+      const configuredProjectId = projectIdFromEnv || projectIdFromConfig || undefined;
+
       if (provider.models) {
         for (const model of Object.values(provider.models)) {
           if (model) {
@@ -75,7 +87,7 @@ export const GeminiCLIOAuthPlugin = async (
            */
           async function resolveProjectContext(): Promise<ProjectContextResult> {
             try {
-              return await ensureProjectContext(authRecord, client);
+              return await ensureProjectContext(authRecord, client, configuredProjectId);
             } catch (error) {
               if (error instanceof Error) {
                 console.error(error.message);
@@ -120,8 +132,6 @@ export const GeminiCLIOAuthPlugin = async (
         label: "OAuth with Google (Gemini CLI)",
         type: "oauth",
         authorize: async () => {
-          console.log("\n=== Google Gemini OAuth Setup ===");
-
           const isHeadless = !!(
             process.env.SSH_CONNECTION ||
             process.env.SSH_CLIENT ||
@@ -133,40 +143,25 @@ export const GeminiCLIOAuthPlugin = async (
           if (!isHeadless) {
             try {
               listener = await startOAuthListener();
-              const { host } = new URL(GEMINI_REDIRECT_URI);
-              console.log("1. You'll be asked to sign in to your Google account and grant permission.");
-              console.log(
-                `2. We'll automatically capture the browser redirect on http://${host}. No need to paste anything back here.`,
-              );
-              console.log("3. Once you see the 'Authentication complete' page in your browser, return to this terminal.");
             } catch (error) {
-              console.log("1. You'll be asked to sign in to your Google account and grant permission.");
-              console.log("2. After you approve, the browser will try to redirect to a 'localhost' page.");
-              console.log(
-                "3. This page will show an error like 'This site can't be reached'. This is perfectly normal and means it worked!",
-              );
-              console.log(
-                "4. Once you see that error, copy the entire URL from the address bar, paste it back here, and press Enter.",
-              );
               if (error instanceof Error) {
-                console.log(`\nWarning: Couldn't start the local callback listener (${error.message}). Falling back to manual copy/paste.`);
+                console.log(
+                  `Warning: Couldn't start the local callback listener (${error.message}). You'll need to paste the callback URL.`,
+                );
               } else {
-                console.log("\nWarning: Couldn't start the local callback listener. Falling back to manual copy/paste.");
+                console.log(
+                  "Warning: Couldn't start the local callback listener. You'll need to paste the callback URL.",
+                );
               }
             }
           } else {
-            console.log("Headless environment detected. Using manual OAuth flow.");
-            console.log("1. You'll be asked to sign in to your Google account and grant permission.");
-            console.log("2. After you approve, the browser will redirect to a 'localhost' URL.");
-            console.log(
-              "3. Copy the ENTIRE URL from your browser's address bar (it will look like: http://localhost:8085/oauth2callback?code=...&state=...)",
-            );
-            console.log("4. Paste the URL back here and press Enter.");
+            console.log("Headless environment detected. You'll need to paste the callback URL.");
           }
-          console.log("\n");
 
-          const projectId = await promptProjectId();
-          const authorization = await authorizeGemini(projectId);
+          const authorization = await authorizeGemini();
+          if (!isHeadless) {
+            openBrowserUrl(authorization.url);
+          }
 
           if (listener) {
             return {
@@ -206,7 +201,7 @@ export const GeminiCLIOAuthPlugin = async (
           return {
             url: authorization.url,
             instructions:
-              "Visit the URL above, complete OAuth, ignore the localhost connection error, and paste the full redirected URL (e.g., http://localhost:8085/oauth2callback?code=...&state=...): ",
+              "Complete OAuth in your browser, then paste the full redirected URL (e.g., http://localhost:8085/oauth2callback?code=...&state=...)",
             method: "code",
             callback: async (callbackUrl: string): Promise<GeminiTokenExchangeResult> => {
               try {
@@ -253,3 +248,20 @@ function toUrlString(value: RequestInfo): string {
   }
   return value.toString();
 }
+
+function openBrowserUrl(url: string): void {
+  try {
+    // Best-effort: don't block auth flow if spawning fails.
+    const platform = process.platform;
+    const command =
+      platform === "darwin" ? "open" : platform === "win32" ? "cmd" : "xdg-open";
+    const args =
+      platform === "win32" ? ["/c", "start", "", url] : [url];
+    const child = spawn(command, args, {
+      stdio: "ignore",
+      detached: true,
+    });
+    child.unref?.();
+  } catch {
+  }
+}

package/src/plugin/cli.ts

@@ -1,15 +0,0 @@
-import { createInterface } from "node:readline/promises";
-import { stdin as input, stdout as output } from "node:process";
-
-/**
- * Prompts the user for a project ID via stdin/stdout.
- */
-export async function promptProjectId(): Promise<string> {
-  const rl = createInterface({ input, output });
-  try {
-    const answer = await rl.question("Project ID (leave blank to use your default project): ");
-    return answer.trim();
-  } finally {
-    rl.close();
-  }
-}