opencode-gemini-auth 1.3.10 → 1.4.0

package/src/plugin/project/context.ts

@@ -0,0 +1,187 @@
+import { GEMINI_PROVIDER_ID } from "../../constants";
+import { formatRefreshParts, parseRefreshParts } from "../auth";
+import type { OAuthAuthDetails, PluginClient, ProjectContextResult } from "../types";
+import { loadManagedProject, onboardManagedProject } from "./api";
+import { FREE_TIER_ID, LEGACY_TIER_ID, ProjectIdRequiredError } from "./types";
+import { buildIneligibleTierMessage, getCacheKey, normalizeProjectId, pickOnboardTier } from "./utils";
+
+const projectContextResultCache = new Map<string, ProjectContextResult>();
+const projectContextPendingCache = new Map<string, Promise<ProjectContextResult>>();
+
+/**
+ * Clears cached project context results and pending promises.
+ */
+export function invalidateProjectContextCache(refresh?: string): void {
+  if (!refresh) {
+    projectContextPendingCache.clear();
+    projectContextResultCache.clear();
+    return;
+  }
+
+  projectContextPendingCache.delete(refresh);
+  projectContextResultCache.delete(refresh);
+
+  const prefix = `${refresh}|cfg:`;
+  for (const key of projectContextPendingCache.keys()) {
+    if (key.startsWith(prefix)) {
+      projectContextPendingCache.delete(key);
+    }
+  }
+  for (const key of projectContextResultCache.keys()) {
+    if (key.startsWith(prefix)) {
+      projectContextResultCache.delete(key);
+    }
+  }
+}
+
+/**
+ * Resolves a project context for an access token, optionally persisting updated auth.
+ */
+export async function resolveProjectContextFromAccessToken(
+  auth: OAuthAuthDetails,
+  accessToken: string,
+  configuredProjectId?: string,
+  persistAuth?: (auth: OAuthAuthDetails) => Promise<void>,
+): Promise<ProjectContextResult> {
+  const parts = parseRefreshParts(auth.refresh);
+  const projectId = configuredProjectId?.trim() || parts.projectId;
+
+  if (projectId || parts.managedProjectId) {
+    return {
+      auth,
+      effectiveProjectId: projectId || parts.managedProjectId || "",
+    };
+  }
+
+  const loadPayload = await loadManagedProject(accessToken, projectId);
+  if (!loadPayload) {
+    throw new ProjectIdRequiredError();
+  }
+
+  const managedProjectId = normalizeProjectId(loadPayload.cloudaicompanionProject);
+  if (managedProjectId) {
+    const updatedAuth = withProjectAuth(auth, parts.refreshToken, projectId, managedProjectId);
+    if (persistAuth) {
+      await persistAuth(updatedAuth);
+    }
+    return { auth: updatedAuth, effectiveProjectId: managedProjectId };
+  }
+
+  const currentTierId = loadPayload.currentTier?.id;
+  if (currentTierId) {
+    if (projectId) {
+      return { auth, effectiveProjectId: projectId };
+    }
+    const ineligibleMessage = buildIneligibleTierMessage(loadPayload.ineligibleTiers);
+    if (ineligibleMessage) {
+      throw new Error(ineligibleMessage);
+    }
+    throw new ProjectIdRequiredError();
+  }
+
+  const tier = pickOnboardTier(loadPayload.allowedTiers);
+  const tierId = tier.id ?? LEGACY_TIER_ID;
+  if (tierId !== FREE_TIER_ID && !projectId) {
+    throw new ProjectIdRequiredError();
+  }
+
+  const onboardedProjectId = await onboardManagedProject(accessToken, tierId, projectId);
+  if (onboardedProjectId) {
+    const updatedAuth = withProjectAuth(auth, parts.refreshToken, projectId, onboardedProjectId);
+    if (persistAuth) {
+      await persistAuth(updatedAuth);
+    }
+    return { auth: updatedAuth, effectiveProjectId: onboardedProjectId };
+  }
+
+  if (projectId) {
+    return { auth, effectiveProjectId: projectId };
+  }
+  throw new ProjectIdRequiredError();
+}
+
+/**
+ * Resolves an effective project ID for the current auth state, caching results per refresh token.
+ */
+export async function ensureProjectContext(
+  auth: OAuthAuthDetails,
+  client: PluginClient,
+  configuredProjectId?: string,
+): Promise<ProjectContextResult> {
+  const accessToken = auth.access;
+  if (!accessToken) {
+    return { auth, effectiveProjectId: "" };
+  }
+
+  const cacheKey = buildProjectCacheKey(auth, configuredProjectId);
+  if (cacheKey) {
+    const cached = projectContextResultCache.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+    const pending = projectContextPendingCache.get(cacheKey);
+    if (pending) {
+      return pending;
+    }
+  }
+
+  const resolveContext = async (): Promise<ProjectContextResult> =>
+    resolveProjectContextFromAccessToken(
+      auth,
+      accessToken,
+      configuredProjectId,
+      async (updatedAuth) => {
+        await client.auth.set({
+          path: { id: GEMINI_PROVIDER_ID },
+          body: updatedAuth,
+        });
+      },
+    );
+
+  if (!cacheKey) {
+    return resolveContext();
+  }
+
+  const promise = resolveContext()
+    .then((result) => {
+      const nextKey = getCacheKey(result.auth) ?? cacheKey;
+      projectContextPendingCache.delete(cacheKey);
+      projectContextResultCache.set(nextKey, result);
+      if (nextKey !== cacheKey) {
+        projectContextResultCache.delete(cacheKey);
+      }
+      return result;
+    })
+    .catch((error) => {
+      projectContextPendingCache.delete(cacheKey);
+      throw error;
+    });
+
+  projectContextPendingCache.set(cacheKey, promise);
+  return promise;
+}
+
+function withProjectAuth(
+  auth: OAuthAuthDetails,
+  refreshToken: string,
+  projectId: string | undefined,
+  managedProjectId: string,
+): OAuthAuthDetails {
+  return {
+    ...auth,
+    refresh: formatRefreshParts({
+      refreshToken,
+      projectId,
+      managedProjectId,
+    }),
+  };
+}
+
+function buildProjectCacheKey(auth: OAuthAuthDetails, configuredProjectId?: string): string | undefined {
+  const base = getCacheKey(auth);
+  if (!base) {
+    return undefined;
+  }
+  const project = configuredProjectId?.trim() ?? "";
+  return project ? `${base}|cfg:${project}` : base;
+}

package/src/plugin/project/index.ts

@@ -0,0 +1,6 @@
+export { loadManagedProject, onboardManagedProject, retrieveUserQuota } from "./api";
+export {
+  ensureProjectContext,
+  invalidateProjectContextCache,
+  resolveProjectContextFromAccessToken,
+} from "./context";

package/src/plugin/project/types.ts

@@ -0,0 +1,67 @@
+export const FREE_TIER_ID = "free-tier";
+export const LEGACY_TIER_ID = "legacy-tier";
+
+export const CODE_ASSIST_METADATA = {
+  ideType: "IDE_UNSPECIFIED",
+  platform: "PLATFORM_UNSPECIFIED",
+  pluginType: "GEMINI",
+} as const;
+
+export interface GeminiUserTier {
+  id?: string;
+  isDefault?: boolean;
+  userDefinedCloudaicompanionProject?: boolean;
+  name?: string;
+  description?: string;
+}
+
+export interface CloudAiCompanionProject {
+  id?: string;
+}
+
+export interface GeminiIneligibleTier {
+  reasonMessage?: string;
+}
+
+export interface LoadCodeAssistPayload {
+  cloudaicompanionProject?: string | CloudAiCompanionProject;
+  currentTier?: {
+    id?: string;
+    name?: string;
+  };
+  allowedTiers?: GeminiUserTier[];
+  ineligibleTiers?: GeminiIneligibleTier[];
+}
+
+export interface OnboardUserPayload {
+  name?: string;
+  done?: boolean;
+  response?: {
+    cloudaicompanionProject?: {
+      id?: string;
+    };
+  };
+}
+
+export interface RetrieveUserQuotaBucket {
+  remainingAmount?: string;
+  remainingFraction?: number;
+  resetTime?: string;
+  tokenType?: string;
+  modelId?: string;
+}
+
+export interface RetrieveUserQuotaResponse {
+  buckets?: RetrieveUserQuotaBucket[];
+}
+
+/**
+ * Error raised when a required Google Cloud project is missing during Gemini onboarding.
+ */
+export class ProjectIdRequiredError extends Error {
+  constructor() {
+    super(
+      "Google Gemini requires a Google Cloud project. Enable the Gemini for Google Cloud API on a project you control, then set `provider.google.options.projectId` in your Opencode config (or set OPENCODE_GEMINI_PROJECT_ID / GOOGLE_CLOUD_PROJECT).",
+    );
+  }
+}

package/src/plugin/project/utils.ts

@@ -0,0 +1,120 @@
+import type { OAuthAuthDetails } from "../types";
+import {
+  CODE_ASSIST_METADATA,
+  LEGACY_TIER_ID,
+  type CloudAiCompanionProject,
+  type GeminiIneligibleTier,
+  type GeminiUserTier,
+} from "./types";
+
+/**
+ * Builds metadata headers required by the Code Assist API.
+ */
+export function buildMetadata(projectId?: string, includeDuetProject = true): Record<string, string> {
+  const metadata: Record<string, string> = {
+    ideType: CODE_ASSIST_METADATA.ideType,
+    platform: CODE_ASSIST_METADATA.platform,
+    pluginType: CODE_ASSIST_METADATA.pluginType,
+  };
+  if (projectId && includeDuetProject) {
+    metadata.duetProject = projectId;
+  }
+  return metadata;
+}
+
+/**
+ * Normalizes project identifiers from API payloads or config.
+ */
+export function normalizeProjectId(value?: string | CloudAiCompanionProject): string | undefined {
+  if (!value) {
+    return undefined;
+  }
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    return trimmed ? trimmed : undefined;
+  }
+  if (typeof value === "object" && typeof value.id === "string") {
+    const trimmed = value.id.trim();
+    return trimmed ? trimmed : undefined;
+  }
+  return undefined;
+}
+
+/**
+ * Selects the default tier ID from the allowed tiers list.
+ */
+export function pickOnboardTier(allowedTiers?: GeminiUserTier[]): GeminiUserTier {
+  if (allowedTiers && allowedTiers.length > 0) {
+    for (const tier of allowedTiers) {
+      if (tier?.isDefault) {
+        return tier;
+      }
+    }
+    return allowedTiers[0] ?? { id: LEGACY_TIER_ID, userDefinedCloudaicompanionProject: true };
+  }
+  return { id: LEGACY_TIER_ID, userDefinedCloudaicompanionProject: true };
+}
+
+/**
+ * Builds a concise error message from ineligible tier payloads.
+ */
+export function buildIneligibleTierMessage(tiers?: GeminiIneligibleTier[]): string | undefined {
+  if (!tiers || tiers.length === 0) {
+    return undefined;
+  }
+  const reasons = tiers
+    .map((tier) => tier?.reasonMessage?.trim())
+    .filter((message): message is string => !!message);
+  return reasons.length > 0 ? reasons.join(", ") : undefined;
+}
+
+/**
+ * Detects VPC-SC errors from Cloud Code responses.
+ */
+export function isVpcScError(payload: unknown): boolean {
+  if (!payload || typeof payload !== "object") {
+    return false;
+  }
+  const error = (payload as { error?: unknown }).error;
+  if (!error || typeof error !== "object") {
+    return false;
+  }
+  const details = (error as { details?: unknown }).details;
+  if (!Array.isArray(details)) {
+    return false;
+  }
+  return details.some((detail) => {
+    if (!detail || typeof detail !== "object") {
+      return false;
+    }
+    return (detail as { reason?: unknown }).reason === "SECURITY_POLICY_VIOLATED";
+  });
+}
+
+/**
+ * Safely parses JSON, returning null on failure.
+ */
+export function parseJsonSafe(text: string): unknown {
+  try {
+    return JSON.parse(text);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Promise-based delay utility.
+ */
+export function wait(ms: number): Promise<void> {
+  return new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}
+
+/**
+ * Generates a cache key for project context based on refresh token.
+ */
+export function getCacheKey(auth: OAuthAuthDetails): string | undefined {
+  const refresh = auth.refresh?.trim();
+  return refresh ? refresh : undefined;
+}

package/src/plugin/quota.test.ts

@@ -0,0 +1,62 @@
+import { afterEach, beforeEach, describe, expect, it } from "bun:test";
+import { formatGeminiQuotaOutput, formatRelativeResetTime } from "./quota";
+import type { RetrieveUserQuotaBucket } from "./project/types";
+
+const REAL_DATE_NOW = Date.now;
+const FIXED_NOW = Date.parse("2026-02-21T00:00:00.000Z");
+
+describe("formatRelativeResetTime", () => {
+  beforeEach(() => {
+    Date.now = () => FIXED_NOW;
+  });
+
+  afterEach(() => {
+    Date.now = REAL_DATE_NOW;
+  });
+
+  it("formats future reset times as relative labels", () => {
+    const reset = new Date(FIXED_NOW + 90 * 60 * 1000).toISOString();
+    expect(formatRelativeResetTime(reset)).toBe("resets in 1h 30m");
+  });
+
+  it("returns reset pending when reset time is in the past", () => {
+    const reset = new Date(FIXED_NOW - 60 * 1000).toISOString();
+    expect(formatRelativeResetTime(reset)).toBe("reset pending");
+  });
+});
+
+describe("formatGeminiQuotaOutput", () => {
+  beforeEach(() => {
+    Date.now = () => FIXED_NOW;
+  });
+
+  afterEach(() => {
+    Date.now = REAL_DATE_NOW;
+  });
+
+  it("renders sorted, model-specific usage lines", () => {
+    const buckets: RetrieveUserQuotaBucket[] = [
+      {
+        modelId: "gemini-2.5-pro",
+        tokenType: "requests",
+        remainingFraction: 0.5,
+        remainingAmount: "100",
+        resetTime: new Date(FIXED_NOW + 60 * 60 * 1000).toISOString(),
+      },
+      {
+        modelId: "gemini-2.5-flash",
+        remainingAmount: "20",
+      },
+    ];
+
+    const output = formatGeminiQuotaOutput("test-project", buckets);
+    expect(output).toContain("Gemini quota usage for project `test-project`");
+    expect(output).toContain("- gemini-2.5-flash: 20 remaining");
+    expect(output).toContain(
+      "- gemini-2.5-pro (requests): 50.0% remaining (100 left), resets in 1h",
+    );
+    expect(output.indexOf("gemini-2.5-flash")).toBeLessThan(
+      output.indexOf("gemini-2.5-pro"),
+    );
+  });
+});

package/src/plugin/quota.ts

@@ -0,0 +1,182 @@
+import { tool } from "@opencode-ai/plugin";
+import { accessTokenExpired, isOAuthAuth } from "./auth";
+import { resolveCachedAuth } from "./cache";
+import { ensureProjectContext, retrieveUserQuota } from "./project";
+import type { RetrieveUserQuotaBucket } from "./project/types";
+import { refreshAccessToken } from "./token";
+import type { GetAuth, PluginClient } from "./types";
+
+export const GEMINI_QUOTA_TOOL_NAME = "gemini_quota";
+
+interface GeminiQuotaToolDependencies {
+  client: PluginClient;
+  getAuthResolver: () => GetAuth | undefined;
+  getConfiguredProjectId: () => string | undefined;
+}
+
+export function createGeminiQuotaTool({
+  client,
+  getAuthResolver,
+  getConfiguredProjectId,
+}: GeminiQuotaToolDependencies) {
+  return tool({
+    description:
+      "Retrieve current Gemini Code Assist quota usage for the authenticated user and project.",
+    args: {},
+    async execute() {
+      const getAuth = getAuthResolver();
+      if (!getAuth) {
+        return "Gemini quota is unavailable before Google auth is initialized. Authenticate with the Google provider and retry.";
+      }
+
+      const auth = await getAuth();
+      if (!isOAuthAuth(auth)) {
+        return "Gemini quota requires OAuth with Google. Run `opencode auth login` and choose `OAuth with Google (Gemini CLI)`.";
+      }
+
+      let authRecord = resolveCachedAuth(auth);
+      if (accessTokenExpired(authRecord)) {
+        const refreshed = await refreshAccessToken(authRecord, client);
+        if (!refreshed?.access) {
+          return "Gemini quota lookup failed because the access token could not be refreshed. Re-authenticate and retry.";
+        }
+        authRecord = refreshed;
+      }
+
+      if (!authRecord.access) {
+        return "Gemini quota lookup failed because no access token is available. Re-authenticate and retry.";
+      }
+
+      try {
+        const projectContext = await ensureProjectContext(
+          authRecord,
+          client,
+          getConfiguredProjectId(),
+        );
+        if (!projectContext.effectiveProjectId) {
+          return "Gemini quota lookup failed because no Google Cloud project could be resolved.";
+        }
+
+        const quota = await retrieveUserQuota(
+          authRecord.access,
+          projectContext.effectiveProjectId,
+        );
+        if (!quota?.buckets?.length) {
+          return `No Gemini quota buckets were returned for project \`${projectContext.effectiveProjectId}\`.`;
+        }
+
+        return formatGeminiQuotaOutput(
+          projectContext.effectiveProjectId,
+          quota.buckets,
+        );
+      } catch (error) {
+        const message = error instanceof Error ? error.message : "unknown error";
+        return `Gemini quota lookup failed: ${message}`;
+      }
+    },
+  });
+}
+
+export function formatGeminiQuotaOutput(
+  projectId: string,
+  buckets: RetrieveUserQuotaBucket[],
+): string {
+  const sortedBuckets = [...buckets].sort(compareQuotaBuckets);
+  const lines = [`Gemini quota usage for project \`${projectId}\``, ""];
+
+  for (const bucket of sortedBuckets) {
+    lines.push(formatQuotaBucketLine(bucket));
+  }
+
+  return lines.join("\n");
+}
+
+function compareQuotaBuckets(
+  left: RetrieveUserQuotaBucket,
+  right: RetrieveUserQuotaBucket,
+): number {
+  const leftModel = left.modelId ?? "";
+  const rightModel = right.modelId ?? "";
+  if (leftModel !== rightModel) {
+    return leftModel.localeCompare(rightModel);
+  }
+
+  const leftTokenType = left.tokenType ?? "";
+  const rightTokenType = right.tokenType ?? "";
+  if (leftTokenType !== rightTokenType) {
+    return leftTokenType.localeCompare(rightTokenType);
+  }
+
+  return (left.resetTime ?? "").localeCompare(right.resetTime ?? "");
+}
+
+function formatQuotaBucketLine(bucket: RetrieveUserQuotaBucket): string {
+  const modelId = bucket.modelId?.trim() || "unknown-model";
+  const tokenType = bucket.tokenType?.trim();
+  const usageRemaining = formatUsageRemaining(bucket);
+  const resetLabel = formatRelativeResetTime(bucket.resetTime);
+  const subject = tokenType ? `${modelId} (${tokenType})` : modelId;
+
+  return resetLabel
+    ? `- ${subject}: ${usageRemaining}, ${resetLabel}`
+    : `- ${subject}: ${usageRemaining}`;
+}
+
+function formatUsageRemaining(bucket: RetrieveUserQuotaBucket): string {
+  const remainingAmount = formatRemainingAmount(bucket.remainingAmount);
+  const remainingFraction = bucket.remainingFraction;
+  const hasFraction =
+    typeof remainingFraction === "number" && Number.isFinite(remainingFraction);
+
+  if (hasFraction) {
+    const percent = Math.max(0, remainingFraction * 100).toFixed(1);
+    return remainingAmount
+      ? `${percent}% remaining (${remainingAmount} left)`
+      : `${percent}% remaining`;
+  }
+
+  if (remainingAmount) {
+    return `${remainingAmount} remaining`;
+  }
+
+  return "remaining unknown";
+}
+
+function formatRemainingAmount(value: string | undefined): string | undefined {
+  if (!value) {
+    return undefined;
+  }
+  const parsed = Number.parseInt(value, 10);
+  if (!Number.isFinite(parsed)) {
+    return value;
+  }
+  return parsed.toLocaleString("en-US");
+}
+
+export function formatRelativeResetTime(resetTime: string | undefined): string | undefined {
+  if (!resetTime) {
+    return undefined;
+  }
+
+  const resetAt = new Date(resetTime).getTime();
+  if (Number.isNaN(resetAt)) {
+    return undefined;
+  }
+
+  const diffMs = resetAt - Date.now();
+  if (diffMs <= 0) {
+    return "reset pending";
+  }
+
+  const totalMinutes = Math.ceil(diffMs / (1000 * 60));
+  const hours = Math.floor(totalMinutes / 60);
+  const minutes = totalMinutes % 60;
+
+  if (hours > 0 && minutes > 0) {
+    return `resets in ${hours}h ${minutes}m`;
+  }
+  if (hours > 0) {
+    return `resets in ${hours}h`;
+  }
+  return `resets in ${minutes}m`;
+}