opencode-gemini-auth 1.3.9 → 1.3.11

package/src/plugin/project/context.ts

@@ -0,0 +1,187 @@
+import { GEMINI_PROVIDER_ID } from "../../constants";
+import { formatRefreshParts, parseRefreshParts } from "../auth";
+import type { OAuthAuthDetails, PluginClient, ProjectContextResult } from "../types";
+import { loadManagedProject, onboardManagedProject } from "./api";
+import { FREE_TIER_ID, LEGACY_TIER_ID, ProjectIdRequiredError } from "./types";
+import { buildIneligibleTierMessage, getCacheKey, normalizeProjectId, pickOnboardTier } from "./utils";
+
+const projectContextResultCache = new Map<string, ProjectContextResult>();
+const projectContextPendingCache = new Map<string, Promise<ProjectContextResult>>();
+
+/**
+ * Clears cached project context results and pending promises.
+ */
+export function invalidateProjectContextCache(refresh?: string): void {
+  if (!refresh) {
+    projectContextPendingCache.clear();
+    projectContextResultCache.clear();
+    return;
+  }
+
+  projectContextPendingCache.delete(refresh);
+  projectContextResultCache.delete(refresh);
+
+  const prefix = `${refresh}|cfg:`;
+  for (const key of projectContextPendingCache.keys()) {
+    if (key.startsWith(prefix)) {
+      projectContextPendingCache.delete(key);
+    }
+  }
+  for (const key of projectContextResultCache.keys()) {
+    if (key.startsWith(prefix)) {
+      projectContextResultCache.delete(key);
+    }
+  }
+}
+
+/**
+ * Resolves a project context for an access token, optionally persisting updated auth.
+ */
+export async function resolveProjectContextFromAccessToken(
+  auth: OAuthAuthDetails,
+  accessToken: string,
+  configuredProjectId?: string,
+  persistAuth?: (auth: OAuthAuthDetails) => Promise<void>,
+): Promise<ProjectContextResult> {
+  const parts = parseRefreshParts(auth.refresh);
+  const projectId = configuredProjectId?.trim() || parts.projectId;
+
+  if (projectId || parts.managedProjectId) {
+    return {
+      auth,
+      effectiveProjectId: projectId || parts.managedProjectId || "",
+    };
+  }
+
+  const loadPayload = await loadManagedProject(accessToken, projectId);
+  if (!loadPayload) {
+    throw new ProjectIdRequiredError();
+  }
+
+  const managedProjectId = normalizeProjectId(loadPayload.cloudaicompanionProject);
+  if (managedProjectId) {
+    const updatedAuth = withProjectAuth(auth, parts.refreshToken, projectId, managedProjectId);
+    if (persistAuth) {
+      await persistAuth(updatedAuth);
+    }
+    return { auth: updatedAuth, effectiveProjectId: managedProjectId };
+  }
+
+  const currentTierId = loadPayload.currentTier?.id;
+  if (currentTierId) {
+    if (projectId) {
+      return { auth, effectiveProjectId: projectId };
+    }
+    const ineligibleMessage = buildIneligibleTierMessage(loadPayload.ineligibleTiers);
+    if (ineligibleMessage) {
+      throw new Error(ineligibleMessage);
+    }
+    throw new ProjectIdRequiredError();
+  }
+
+  const tier = pickOnboardTier(loadPayload.allowedTiers);
+  const tierId = tier.id ?? LEGACY_TIER_ID;
+  if (tierId !== FREE_TIER_ID && !projectId) {
+    throw new ProjectIdRequiredError();
+  }
+
+  const onboardedProjectId = await onboardManagedProject(accessToken, tierId, projectId);
+  if (onboardedProjectId) {
+    const updatedAuth = withProjectAuth(auth, parts.refreshToken, projectId, onboardedProjectId);
+    if (persistAuth) {
+      await persistAuth(updatedAuth);
+    }
+    return { auth: updatedAuth, effectiveProjectId: onboardedProjectId };
+  }
+
+  if (projectId) {
+    return { auth, effectiveProjectId: projectId };
+  }
+  throw new ProjectIdRequiredError();
+}
+
+/**
+ * Resolves an effective project ID for the current auth state, caching results per refresh token.
+ */
+export async function ensureProjectContext(
+  auth: OAuthAuthDetails,
+  client: PluginClient,
+  configuredProjectId?: string,
+): Promise<ProjectContextResult> {
+  const accessToken = auth.access;
+  if (!accessToken) {
+    return { auth, effectiveProjectId: "" };
+  }
+
+  const cacheKey = buildProjectCacheKey(auth, configuredProjectId);
+  if (cacheKey) {
+    const cached = projectContextResultCache.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+    const pending = projectContextPendingCache.get(cacheKey);
+    if (pending) {
+      return pending;
+    }
+  }
+
+  const resolveContext = async (): Promise<ProjectContextResult> =>
+    resolveProjectContextFromAccessToken(
+      auth,
+      accessToken,
+      configuredProjectId,
+      async (updatedAuth) => {
+        await client.auth.set({
+          path: { id: GEMINI_PROVIDER_ID },
+          body: updatedAuth,
+        });
+      },
+    );
+
+  if (!cacheKey) {
+    return resolveContext();
+  }
+
+  const promise = resolveContext()
+    .then((result) => {
+      const nextKey = getCacheKey(result.auth) ?? cacheKey;
+      projectContextPendingCache.delete(cacheKey);
+      projectContextResultCache.set(nextKey, result);
+      if (nextKey !== cacheKey) {
+        projectContextResultCache.delete(cacheKey);
+      }
+      return result;
+    })
+    .catch((error) => {
+      projectContextPendingCache.delete(cacheKey);
+      throw error;
+    });
+
+  projectContextPendingCache.set(cacheKey, promise);
+  return promise;
+}
+
+function withProjectAuth(
+  auth: OAuthAuthDetails,
+  refreshToken: string,
+  projectId: string | undefined,
+  managedProjectId: string,
+): OAuthAuthDetails {
+  return {
+    ...auth,
+    refresh: formatRefreshParts({
+      refreshToken,
+      projectId,
+      managedProjectId,
+    }),
+  };
+}
+
+function buildProjectCacheKey(auth: OAuthAuthDetails, configuredProjectId?: string): string | undefined {
+  const base = getCacheKey(auth);
+  if (!base) {
+    return undefined;
+  }
+  const project = configuredProjectId?.trim() ?? "";
+  return project ? `${base}|cfg:${project}` : base;
+}

package/src/plugin/project/index.ts

@@ -0,0 +1,6 @@
+export { loadManagedProject, onboardManagedProject, retrieveUserQuota } from "./api";
+export {
+  ensureProjectContext,
+  invalidateProjectContextCache,
+  resolveProjectContextFromAccessToken,
+} from "./context";

package/src/plugin/project/types.ts

@@ -0,0 +1,55 @@
+export const FREE_TIER_ID = "free-tier";
+export const LEGACY_TIER_ID = "legacy-tier";
+
+export const CODE_ASSIST_METADATA = {
+  ideType: "IDE_UNSPECIFIED",
+  platform: "PLATFORM_UNSPECIFIED",
+  pluginType: "GEMINI",
+} as const;
+
+export interface GeminiUserTier {
+  id?: string;
+  isDefault?: boolean;
+  userDefinedCloudaicompanionProject?: boolean;
+  name?: string;
+  description?: string;
+}
+
+export interface CloudAiCompanionProject {
+  id?: string;
+}
+
+export interface GeminiIneligibleTier {
+  reasonMessage?: string;
+}
+
+export interface LoadCodeAssistPayload {
+  cloudaicompanionProject?: string | CloudAiCompanionProject;
+  currentTier?: {
+    id?: string;
+    name?: string;
+  };
+  allowedTiers?: GeminiUserTier[];
+  ineligibleTiers?: GeminiIneligibleTier[];
+}
+
+export interface OnboardUserPayload {
+  name?: string;
+  done?: boolean;
+  response?: {
+    cloudaicompanionProject?: {
+      id?: string;
+    };
+  };
+}
+
+/**
+ * Error raised when a required Google Cloud project is missing during Gemini onboarding.
+ */
+export class ProjectIdRequiredError extends Error {
+  constructor() {
+    super(
+      "Google Gemini requires a Google Cloud project. Enable the Gemini for Google Cloud API on a project you control, then set `provider.google.options.projectId` in your Opencode config (or set OPENCODE_GEMINI_PROJECT_ID / GOOGLE_CLOUD_PROJECT).",
+    );
+  }
+}

package/src/plugin/project/utils.ts

@@ -0,0 +1,120 @@
+import type { OAuthAuthDetails } from "../types";
+import {
+  CODE_ASSIST_METADATA,
+  LEGACY_TIER_ID,
+  type CloudAiCompanionProject,
+  type GeminiIneligibleTier,
+  type GeminiUserTier,
+} from "./types";
+
+/**
+ * Builds metadata headers required by the Code Assist API.
+ */
+export function buildMetadata(projectId?: string, includeDuetProject = true): Record<string, string> {
+  const metadata: Record<string, string> = {
+    ideType: CODE_ASSIST_METADATA.ideType,
+    platform: CODE_ASSIST_METADATA.platform,
+    pluginType: CODE_ASSIST_METADATA.pluginType,
+  };
+  if (projectId && includeDuetProject) {
+    metadata.duetProject = projectId;
+  }
+  return metadata;
+}
+
+/**
+ * Normalizes project identifiers from API payloads or config.
+ */
+export function normalizeProjectId(value?: string | CloudAiCompanionProject): string | undefined {
+  if (!value) {
+    return undefined;
+  }
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    return trimmed ? trimmed : undefined;
+  }
+  if (typeof value === "object" && typeof value.id === "string") {
+    const trimmed = value.id.trim();
+    return trimmed ? trimmed : undefined;
+  }
+  return undefined;
+}
+
+/**
+ * Selects the default tier ID from the allowed tiers list.
+ */
+export function pickOnboardTier(allowedTiers?: GeminiUserTier[]): GeminiUserTier {
+  if (allowedTiers && allowedTiers.length > 0) {
+    for (const tier of allowedTiers) {
+      if (tier?.isDefault) {
+        return tier;
+      }
+    }
+    return allowedTiers[0] ?? { id: LEGACY_TIER_ID, userDefinedCloudaicompanionProject: true };
+  }
+  return { id: LEGACY_TIER_ID, userDefinedCloudaicompanionProject: true };
+}
+
+/**
+ * Builds a concise error message from ineligible tier payloads.
+ */
+export function buildIneligibleTierMessage(tiers?: GeminiIneligibleTier[]): string | undefined {
+  if (!tiers || tiers.length === 0) {
+    return undefined;
+  }
+  const reasons = tiers
+    .map((tier) => tier?.reasonMessage?.trim())
+    .filter((message): message is string => !!message);
+  return reasons.length > 0 ? reasons.join(", ") : undefined;
+}
+
+/**
+ * Detects VPC-SC errors from Cloud Code responses.
+ */
+export function isVpcScError(payload: unknown): boolean {
+  if (!payload || typeof payload !== "object") {
+    return false;
+  }
+  const error = (payload as { error?: unknown }).error;
+  if (!error || typeof error !== "object") {
+    return false;
+  }
+  const details = (error as { details?: unknown }).details;
+  if (!Array.isArray(details)) {
+    return false;
+  }
+  return details.some((detail) => {
+    if (!detail || typeof detail !== "object") {
+      return false;
+    }
+    return (detail as { reason?: unknown }).reason === "SECURITY_POLICY_VIOLATED";
+  });
+}
+
+/**
+ * Safely parses JSON, returning null on failure.
+ */
+export function parseJsonSafe(text: string): unknown {
+  try {
+    return JSON.parse(text);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Promise-based delay utility.
+ */
+export function wait(ms: number): Promise<void> {
+  return new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}
+
+/**
+ * Generates a cache key for project context based on refresh token.
+ */
+export function getCacheKey(auth: OAuthAuthDetails): string | undefined {
+  const refresh = auth.refresh?.trim();
+  return refresh ? refresh : undefined;
+}

package/src/plugin/request/identifiers.ts

@@ -0,0 +1,100 @@
+import { randomUUID } from "node:crypto";
+
+import { isRecord, pickString } from "./shared";
+
+const PROCESS_SESSION_ID = randomUUID();
+
+function resolveUserPromptId(payload: Record<string, unknown>, request?: Record<string, unknown>): string {
+  const extra = isRecord(payload.extra_body) ? payload.extra_body : undefined;
+
+  return (
+    pickString(
+      payload.user_prompt_id,
+      payload.userPromptId,
+      payload.prompt_id,
+      payload.promptId,
+      payload.request_id,
+      payload.requestId,
+      request?.user_prompt_id,
+      request?.userPromptId,
+      request?.prompt_id,
+      request?.promptId,
+      request?.request_id,
+      request?.requestId,
+      extra?.user_prompt_id,
+      extra?.userPromptId,
+      extra?.prompt_id,
+      extra?.promptId,
+      extra?.request_id,
+      extra?.requestId,
+    ) ?? randomUUID()
+  );
+}
+
+function resolveSessionId(payload: Record<string, unknown>, request?: Record<string, unknown>): string {
+  const extra = isRecord(payload.extra_body) ? payload.extra_body : undefined;
+  return (
+    pickString(
+      request?.session_id,
+      request?.sessionId,
+      payload.session_id,
+      payload.sessionId,
+      extra?.session_id,
+      extra?.sessionId,
+    ) ?? PROCESS_SESSION_ID
+  );
+}
+
+function stripPromptIdentifierAliases(payload: Record<string, unknown>): void {
+  delete payload.user_prompt_id;
+  delete payload.userPromptId;
+  delete payload.prompt_id;
+  delete payload.promptId;
+  delete payload.request_id;
+  delete payload.requestId;
+}
+
+function stripSessionIdentifierAliases(payload: Record<string, unknown>): void {
+  delete payload.sessionId;
+}
+
+/**
+ * Applies canonical identifiers for wrapped Code Assist payloads.
+ *
+ * `user_prompt_id` and `session_id` are first-class identifiers in Gemini CLI
+ * request envelopes used for traceability, usage accounting, and support diagnostics.
+ */
+export function normalizeWrappedIdentifiers(
+  wrapped: Record<string, unknown>,
+): { userPromptId: string; sessionId: string } {
+  const request = isRecord(wrapped.request) ? { ...wrapped.request } : {};
+  const userPromptId = resolveUserPromptId(wrapped, request);
+  const sessionId = resolveSessionId(wrapped, request);
+
+  request.session_id = sessionId;
+  stripSessionIdentifierAliases(request);
+  wrapped.request = request;
+
+  wrapped.user_prompt_id = userPromptId;
+  stripPromptIdentifierAliases(wrapped);
+
+  return { userPromptId, sessionId };
+}
+
+/**
+ * Applies canonical identifiers for unwrapped request payloads before wrapping.
+ *
+ * We normalize aliases here so downstream logic has a single source of truth.
+ */
+export function normalizeRequestPayloadIdentifiers(
+  payload: Record<string, unknown>,
+): { userPromptId: string; sessionId: string } {
+  const userPromptId = resolveUserPromptId(payload);
+  const sessionId = resolveSessionId(payload);
+
+  payload.session_id = sessionId;
+  stripSessionIdentifierAliases(payload);
+  stripPromptIdentifierAliases(payload);
+
+  return { userPromptId, sessionId };
+}

package/src/plugin/request/index.ts

@@ -0,0 +1,3 @@
+export { prepareGeminiRequest } from "./prepare";
+export { transformGeminiResponse } from "./response";
+export { isGenerativeLanguageRequest } from "./shared";

package/src/plugin/request/openai.ts

@@ -0,0 +1,128 @@
+interface GeminiFunctionCallPart {
+  functionCall?: {
+    name: string;
+    args?: Record<string, unknown>;
+    [key: string]: unknown;
+  };
+  thoughtSignature?: string;
+  [key: string]: unknown;
+}
+
+interface OpenAIToolCall {
+  function?: {
+    name?: string;
+    arguments?: string;
+    [key: string]: unknown;
+  };
+  [key: string]: unknown;
+}
+
+interface OpenAIMessage {
+  content?: string | null;
+  tool_calls?: OpenAIToolCall[];
+  [key: string]: unknown;
+}
+
+/**
+ * Transforms OpenAI `tool_calls` to Gemini `functionCall` parts.
+ */
+export function transformOpenAIToolCalls(requestPayload: Record<string, unknown>): void {
+  const messages = requestPayload.messages;
+  if (!messages || !Array.isArray(messages)) {
+    return;
+  }
+
+  for (const message of messages) {
+    if (!message || typeof message !== "object") {
+      continue;
+    }
+
+    const msgObj = message as OpenAIMessage;
+    const toolCalls = msgObj.tool_calls;
+    if (!toolCalls || !Array.isArray(toolCalls) || toolCalls.length === 0) {
+      continue;
+    }
+
+    const parts: GeminiFunctionCallPart[] = [];
+    if (typeof msgObj.content === "string" && msgObj.content.length > 0) {
+      parts.push({ text: msgObj.content });
+    }
+
+    for (const toolCall of toolCalls) {
+      if (!toolCall || typeof toolCall !== "object") {
+        continue;
+      }
+
+      const fn = toolCall.function;
+      if (!fn || typeof fn !== "object") {
+        continue;
+      }
+
+      const name = fn.name;
+      const args = parseJsonObject(fn.arguments);
+      parts.push({
+        functionCall: {
+          name: name ?? "",
+          args,
+        },
+        thoughtSignature: "skip_thought_signature_validator",
+      });
+    }
+
+    msgObj.parts = parts;
+    delete msgObj.tool_calls;
+    delete msgObj.content;
+  }
+}
+
+/**
+ * Adds synthetic thoughtSignature to function calls in both flat and wrapped payloads.
+ */
+export function addThoughtSignaturesToFunctionCalls(requestPayload: Record<string, unknown>): void {
+  const processContents = (contents: unknown): void => {
+    if (!contents || !Array.isArray(contents)) {
+      return;
+    }
+
+    for (const content of contents) {
+      if (!content || typeof content !== "object") {
+        continue;
+      }
+
+      const parts = (content as Record<string, unknown>).parts;
+      if (!parts || !Array.isArray(parts)) {
+        continue;
+      }
+
+      for (const part of parts) {
+        if (!part || typeof part !== "object") {
+          continue;
+        }
+        const partObj = part as Record<string, unknown>;
+        if (partObj.functionCall && !partObj.thoughtSignature) {
+          partObj.thoughtSignature = "skip_thought_signature_validator";
+        }
+      }
+    }
+  };
+
+  processContents(requestPayload.contents);
+  if (requestPayload.request && typeof requestPayload.request === "object") {
+    processContents((requestPayload.request as Record<string, unknown>).contents);
+  }
+}
+
+function parseJsonObject(value: unknown): Record<string, unknown> {
+  if (typeof value !== "string") {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(value);
+    if (parsed && typeof parsed === "object") {
+      return parsed as Record<string, unknown>;
+    }
+    return {};
+  } catch {
+    return {};
+  }
+}