opencode-gemini-auth 1.4.6 → 1.4.8

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opencode-gemini-auth",
   "module": "index.ts",
-  "version": "1.4.6",
+  "version": "1.4.8",
   "author": "jenslys",
   "repository": "https://github.com/jenslys/opencode-gemini-auth",
   "files": [
@@ -22,7 +22,7 @@
     "typescript": "^5.9.3"
   },
   "dependencies": {
-    "@opencode-ai/plugin": "^1.2.10",
+    "@opencode-ai/plugin": "^1.2.20",
     "@openauthjs/openauth": "^0.4.3"
   }
 }

package/src/plugin/oauth-authorize.ts

@@ -4,13 +4,16 @@ import { authorizeGemini, exchangeGeminiWithVerifier } from "../gemini/oauth";
 import type { GeminiTokenExchangeResult } from "../gemini/oauth";
 import { isGeminiDebugEnabled, logGeminiDebugMessage } from "./debug";
 import { resolveProjectContextFromAccessToken } from "./project";
+import { resolveConfiguredProjectId } from "./provider";
 import { startOAuthListener, type OAuthListener } from "./server";
 import type { OAuthAuthDetails } from "./types";
 
 /**
  * Builds the OAuth authorize callback used by plugin auth methods.
  */
-export function createOAuthAuthorizeMethod(): () => Promise<{
+export function createOAuthAuthorizeMethod(options?: {
+  getConfiguredProjectId?: () => Promise<string | undefined> | string | undefined;
+}): () => Promise<{
   url: string;
   instructions: string;
   method: string;
@@ -24,12 +27,9 @@ export function createOAuthAuthorizeMethod(): () => Promise<{
         return result;
       }
 
-      const projectFromEnv = process.env.OPENCODE_GEMINI_PROJECT_ID?.trim() ?? "";
-      const googleProjectFromEnv =
-        process.env.GOOGLE_CLOUD_PROJECT?.trim() ??
-        process.env.GOOGLE_CLOUD_PROJECT_ID?.trim() ??
-        "";
-      const configuredProjectId = projectFromEnv || googleProjectFromEnv || undefined;
+      const configuredProjectId = resolveConfiguredProjectId({
+        configProjectId: await options?.getConfiguredProjectId?.(),
+      });
 
       try {
         const authSnapshot = {
@@ -97,19 +97,38 @@ export function createOAuthAuthorizeMethod(): () => Promise<{
         method: "auto",
         callback: async (): Promise<GeminiTokenExchangeResult> => {
           try {
-            const callbackUrl = await listener.waitForCallback();
-            const code = callbackUrl.searchParams.get("code");
-            const state = callbackUrl.searchParams.get("state");
-
-            if (!code || !state) {
-              return { type: "failed", error: "Missing code or state in callback URL" };
-            }
-            if (state !== authorization.state) {
-              return { type: "failed", error: "State mismatch in callback URL (possible CSRF attempt)" };
+            while (true) {
+              const callbackUrl = await listener.waitForCallback();
+              const callbackError = callbackUrl.searchParams.get("error");
+              const callbackErrorDescription = callbackUrl.searchParams.get("error_description");
+              if (callbackError) {
+                return {
+                  type: "failed",
+                  error: callbackErrorDescription || callbackError,
+                };
+              }
+
+              const code = callbackUrl.searchParams.get("code");
+              const state = callbackUrl.searchParams.get("state");
+              if (!code || !state) {
+                continue;
+              }
+              if (state !== authorization.state) {
+                if (isGeminiDebugEnabled()) {
+                  logGeminiDebugMessage("Ignoring OAuth callback with mismatched state");
+                }
+                continue;
+              }
+
+              const exchangeResult = await exchangeGeminiWithVerifier(code, authorization.verifier);
+              if (shouldIgnoreMalformedAuthCode(exchangeResult)) {
+                if (isGeminiDebugEnabled()) {
+                  logGeminiDebugMessage("Ignoring malformed OAuth callback code and waiting for the next redirect");
+                }
+                continue;
+              }
+              return await maybeHydrateProjectId(exchangeResult);
             }
-            return await maybeHydrateProjectId(
-              await exchangeGeminiWithVerifier(code, authorization.verifier),
-            );
           } catch (error) {
             return {
               type: "failed",
@@ -196,3 +215,11 @@ function openBrowserUrl(url: string): void {
     child.unref?.();
   } catch {}
 }
+
+function shouldIgnoreMalformedAuthCode(result: GeminiTokenExchangeResult): boolean {
+  if (result.type !== "failed") {
+    return false;
+  }
+
+  return /invalid_grant/i.test(result.error) && /malformed auth code/i.test(result.error);
+}

package/src/plugin/project/context.ts

@@ -3,7 +3,13 @@ import { formatRefreshParts, parseRefreshParts } from "../auth";
 import type { OAuthAuthDetails, PluginClient, ProjectContextResult } from "../types";
 import { loadManagedProject, onboardManagedProject } from "./api";
 import { FREE_TIER_ID, LEGACY_TIER_ID, ProjectIdRequiredError } from "./types";
-import { buildIneligibleTierMessage, getCacheKey, normalizeProjectId, pickOnboardTier } from "./utils";
+import {
+  buildIneligibleTierMessage,
+  getCacheKey,
+  normalizeProjectId,
+  pickOnboardTier,
+  throwIfValidationRequired,
+} from "./utils";
 
 const projectContextResultCache = new Map<string, ProjectContextResult>();
 const projectContextPendingCache = new Map<string, Promise<ProjectContextResult>>();
@@ -44,9 +50,10 @@ export async function resolveProjectContextFromAccessToken(
   persistAuth?: (auth: OAuthAuthDetails) => Promise<void>,
 ): Promise<ProjectContextResult> {
   const parts = parseRefreshParts(auth.refresh);
-  const projectId = configuredProjectId?.trim() || parts.projectId;
+  const configuredProject = configuredProjectId?.trim();
+  const projectId = configuredProject || parts.projectId;
 
-  if (projectId || parts.managedProjectId) {
+  if (!configuredProject && (projectId || parts.managedProjectId)) {
     return {
       auth,
       effectiveProjectId: projectId || parts.managedProjectId || "",
@@ -68,6 +75,10 @@ export async function resolveProjectContextFromAccessToken(
   }
 
   const currentTierId = loadPayload.currentTier?.id;
+  if (!currentTierId) {
+    throwIfValidationRequired(loadPayload.ineligibleTiers);
+  }
+
   if (currentTierId) {
     if (projectId) {
       return { auth, effectiveProjectId: projectId };

package/src/plugin/project/types.ts

@@ -20,7 +20,10 @@ export interface CloudAiCompanionProject {
 }
 
 export interface GeminiIneligibleTier {
+  reasonCode?: string;
   reasonMessage?: string;
+  validationUrl?: string;
+  validationLearnMoreUrl?: string;
 }
 
 export interface LoadCodeAssistPayload {
@@ -65,3 +68,27 @@ export class ProjectIdRequiredError extends Error {
     );
   }
 }
+
+export class AccountValidationRequiredError extends Error {
+  validationUrl?: string;
+  validationLearnMoreUrl?: string;
+
+  constructor(
+    message: string,
+    validationUrl?: string,
+    validationLearnMoreUrl?: string,
+  ) {
+    const parts = [message.trim()];
+    if (validationUrl) {
+      parts.push(`Complete validation: ${validationUrl}`);
+    }
+    if (validationLearnMoreUrl) {
+      parts.push(`Learn more: ${validationLearnMoreUrl}`);
+    }
+
+    super(parts.join("\n"));
+    this.name = "AccountValidationRequiredError";
+    this.validationUrl = validationUrl;
+    this.validationLearnMoreUrl = validationLearnMoreUrl;
+  }
+}

package/src/plugin/project/utils.ts

@@ -1,5 +1,6 @@
 import type { OAuthAuthDetails } from "../types";
 import {
+  AccountValidationRequiredError,
   CODE_ASSIST_METADATA,
   LEGACY_TIER_ID,
   type CloudAiCompanionProject,
@@ -68,6 +69,26 @@ export function buildIneligibleTierMessage(tiers?: GeminiIneligibleTier[]): stri
   return reasons.length > 0 ? reasons.join(", ") : undefined;
 }
 
+export function throwIfValidationRequired(tiers?: GeminiIneligibleTier[]): void {
+  if (!tiers || tiers.length === 0) {
+    return;
+  }
+
+  const validationTier = tiers.find((tier) => {
+    const reasonCode = tier?.reasonCode?.trim().toUpperCase();
+    return reasonCode === "VALIDATION_REQUIRED" && !!tier.validationUrl?.trim();
+  });
+  if (!validationTier) {
+    return;
+  }
+
+  throw new AccountValidationRequiredError(
+    validationTier.reasonMessage?.trim() || "Verify your account to continue.",
+    validationTier.validationUrl?.trim(),
+    validationTier.validationLearnMoreUrl?.trim(),
+  );
+}
+
 /**
  * Detects VPC-SC errors from Cloud Code responses.
  */

package/src/plugin/project.test.ts

@@ -1,5 +1,6 @@
 import { beforeEach, describe, expect, it, mock } from "bun:test";
 
+import { formatRefreshParts } from "./auth";
 import { resolveProjectContextFromAccessToken } from "./project";
 import type { OAuthAuthDetails } from "./types";
 
@@ -109,4 +110,112 @@ describe("resolveProjectContextFromAccessToken", () => {
       resolveProjectContextFromAccessToken(baseAuth, baseAuth.access ?? ""),
     ).rejects.toThrow("Google Gemini requires a Google Cloud project");
   });
+
+  it("continues with an allowed paid tier even when free tier is ineligible", async () => {
+    let onboardBody: Record<string, unknown> | undefined;
+    const fetchMock = mock(async (input: RequestInfo, init?: RequestInit) => {
+      const url = toUrlString(input);
+      if (url.includes(":loadCodeAssist")) {
+        return new Response(
+          JSON.stringify({
+            allowedTiers: [{ id: "standard-tier", isDefault: true }],
+            ineligibleTiers: [
+              {
+                reasonCode: "INELIGIBLE_ACCOUNT",
+                reasonMessage: "Not eligible for free tier",
+                tierId: "free-tier",
+              },
+            ],
+          }),
+          { status: 200 },
+        );
+      }
+      if (url.includes(":onboardUser")) {
+        const rawBody = typeof init?.body === "string" ? init.body : "{}";
+        onboardBody = JSON.parse(rawBody) as Record<string, unknown>;
+        return new Response(
+          JSON.stringify({
+            done: true,
+            response: { cloudaicompanionProject: { id: "configured-project" } },
+          }),
+          { status: 200 },
+        );
+      }
+      throw new Error(`Unexpected fetch to ${url}`);
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    const result = await resolveProjectContextFromAccessToken(
+      baseAuth,
+      baseAuth.access ?? "",
+      "configured-project",
+    );
+
+    expect(result.effectiveProjectId).toBe("configured-project");
+    expect(onboardBody?.cloudaicompanionProject).toBe("configured-project");
+  });
+
+  it("throws validation-required errors before tier onboarding even when allowed tiers exist", async () => {
+    const fetchMock = mock(async (input: RequestInfo) => {
+      const url = toUrlString(input);
+      if (url.includes(":loadCodeAssist")) {
+        return new Response(
+          JSON.stringify({
+            allowedTiers: [{ id: "standard-tier", isDefault: true }],
+            ineligibleTiers: [
+              {
+                reasonCode: "VALIDATION_REQUIRED",
+                reasonMessage: "Verify your account to continue.",
+                validationUrl: "https://example.com/verify",
+                validationLearnMoreUrl: "https://example.com/help",
+              },
+            ],
+          }),
+          { status: 200 },
+        );
+      }
+      throw new Error(`Unexpected fetch to ${url}`);
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    await expect(
+      resolveProjectContextFromAccessToken(baseAuth, baseAuth.access ?? "", "configured-project"),
+    ).rejects.toThrow("Complete validation: https://example.com/verify");
+  });
+
+  it("prefers a configured project id over a persisted managed project id", async () => {
+    const authWithManagedProject: OAuthAuthDetails = {
+      ...baseAuth,
+      refresh: formatRefreshParts({
+        refreshToken: "refresh-token",
+        managedProjectId: "managed-project",
+      }),
+    };
+
+    let loadBody: Record<string, unknown> | undefined;
+    const fetchMock = mock(async (input: RequestInfo, init?: RequestInit) => {
+      const url = toUrlString(input);
+      if (url.includes(":loadCodeAssist")) {
+        const rawBody = typeof init?.body === "string" ? init.body : "{}";
+        loadBody = JSON.parse(rawBody) as Record<string, unknown>;
+        return new Response(
+          JSON.stringify({
+            currentTier: { id: "standard-tier" },
+          }),
+          { status: 200 },
+        );
+      }
+      throw new Error(`Unexpected fetch to ${url}`);
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    const result = await resolveProjectContextFromAccessToken(
+      authWithManagedProject,
+      authWithManagedProject.access ?? "",
+      "configured-project",
+    );
+
+    expect(result.effectiveProjectId).toBe("configured-project");
+    expect(loadBody?.cloudaicompanionProject).toBe("configured-project");
+  });
 });

package/src/plugin/provider.test.ts

@@ -0,0 +1,83 @@
+import { describe, expect, it } from "bun:test";
+import type { Config } from "@opencode-ai/sdk";
+
+import {
+  resolveConfiguredProjectId,
+  resolveConfiguredProjectIdFromClient,
+  resolveConfiguredProjectIdFromConfig,
+} from "./provider";
+import type { PluginClient, Provider } from "./types";
+
+describe("resolveConfiguredProjectId", () => {
+  it("reads project id from provider options", () => {
+    const provider = {
+      id: "google",
+      name: "Google",
+      source: "config",
+      env: [],
+      options: {
+        projectId: "  provider-project  ",
+      },
+      models: {},
+    } satisfies Provider;
+
+    expect(
+      resolveConfiguredProjectId({
+        provider,
+        env: {},
+      }),
+    ).toBe("provider-project");
+  });
+
+  it("falls back to the top-level config project id when provider options are unavailable", () => {
+    const config = {
+      provider: {
+        google: {
+          options: {
+            projectId: "config-project",
+          },
+        },
+      },
+    } satisfies Config;
+
+    expect(resolveConfiguredProjectIdFromConfig(config)).toBe("config-project");
+    expect(
+      resolveConfiguredProjectId({
+        config,
+        env: {},
+      }),
+    ).toBe("config-project");
+  });
+
+  it("prefers OPENCODE_GEMINI_PROJECT_ID over config and google cloud env vars", () => {
+    expect(
+      resolveConfiguredProjectId({
+        configProjectId: "config-project",
+        env: {
+          OPENCODE_GEMINI_PROJECT_ID: "opencode-project",
+          GOOGLE_CLOUD_PROJECT: "google-project",
+        },
+      }),
+    ).toBe("opencode-project");
+  });
+
+  it("reads the current project id from the Opencode config API when available", async () => {
+    const client = {
+      config: {
+        get: async () => ({
+          data: {
+            provider: {
+              google: {
+                options: {
+                  projectId: "live-config-project",
+                },
+              },
+            },
+          } satisfies Config,
+        }),
+      },
+    } satisfies PluginClient;
+
+    await expect(resolveConfiguredProjectIdFromClient(client)).resolves.toBe("live-config-project");
+  });
+});

package/src/plugin/provider.ts

@@ -0,0 +1,70 @@
+import type { Config } from "@opencode-ai/sdk";
+
+import { GEMINI_PROVIDER_ID } from "../constants";
+import type { PluginClient, Provider } from "./types";
+
+interface ResolveConfiguredProjectIdInput {
+  provider?: Provider | null;
+  config?: Config | null;
+  configProjectId?: string;
+  env?: NodeJS.ProcessEnv;
+}
+
+export function resolveConfiguredProjectId(
+  input: ResolveConfiguredProjectIdInput = {},
+): string | undefined {
+  const env = input.env ?? process.env;
+
+  return (
+    normalizeProjectId(env.OPENCODE_GEMINI_PROJECT_ID) ??
+    resolveConfiguredProjectIdFromProvider(input.provider) ??
+    normalizeProjectId(input.configProjectId) ??
+    resolveConfiguredProjectIdFromConfig(input.config) ??
+    normalizeProjectId(env.GOOGLE_CLOUD_PROJECT) ??
+    normalizeProjectId(env.GOOGLE_CLOUD_PROJECT_ID)
+  );
+}
+
+export function resolveConfiguredProjectIdFromProvider(
+  provider: Provider | null | undefined,
+): string | undefined {
+  if (!provider || typeof provider !== "object") {
+    return undefined;
+  }
+  return normalizeProjectId(provider.options?.projectId);
+}
+
+export function resolveConfiguredProjectIdFromConfig(
+  config: Config | null | undefined,
+): string | undefined {
+  if (!config?.provider || typeof config.provider !== "object") {
+    return undefined;
+  }
+
+  const providerConfig = config.provider[GEMINI_PROVIDER_ID];
+  return normalizeProjectId(providerConfig?.options?.projectId);
+}
+
+export async function resolveConfiguredProjectIdFromClient(
+  client: PluginClient | null | undefined,
+): Promise<string | undefined> {
+  if (!client?.config?.get) {
+    return undefined;
+  }
+
+  try {
+    const result = await client.config.get();
+    return resolveConfiguredProjectIdFromConfig(result?.data);
+  } catch {
+    return undefined;
+  }
+}
+
+function normalizeProjectId(value: unknown): string | undefined {
+  if (typeof value !== "string") {
+    return undefined;
+  }
+
+  const trimmed = value.trim();
+  return trimmed || undefined;
+}

package/src/plugin/server.ts

@@ -37,23 +37,12 @@ export async function startOAuthListener(
     : 80;
   const origin = `${redirectUri.protocol}//${redirectUri.host}`;
 
-  let settled = false;
-  let resolveCallback: (url: URL) => void;
-  let rejectCallback: (error: Error) => void;
-  const callbackPromise = new Promise<URL>((resolve, reject) => {
-    resolveCallback = (url: URL) => {
-      if (settled) return;
-      settled = true;
-      if (timeoutHandle) clearTimeout(timeoutHandle);
-      resolve(url);
-    };
-    rejectCallback = (error: Error) => {
-      if (settled) return;
-      settled = true;
-      if (timeoutHandle) clearTimeout(timeoutHandle);
-      reject(error);
-    };
-  });
+  const callbackQueue: URL[] = [];
+  const callbackWaiters: Array<{
+    resolve: (url: URL) => void;
+    reject: (error: Error) => void;
+  }> = [];
+  let terminalError: Error | undefined;
 
 const successResponse = `<!DOCTYPE html>
 <html lang="en">
@@ -182,8 +171,27 @@ const successResponse = `<!DOCTYPE html>
   </body>
 </html>`;
 
+  const deliverCallback = (url: URL) => {
+    const waiter = callbackWaiters.shift();
+    if (waiter) {
+      waiter.resolve(url);
+      return;
+    }
+    callbackQueue.push(url);
+  };
+
+  const failPendingWaiters = (error: Error) => {
+    if (terminalError) {
+      return;
+    }
+    terminalError = error;
+    while (callbackWaiters.length > 0) {
+      callbackWaiters.shift()?.reject(error);
+    }
+  };
+
   const timeoutHandle = setTimeout(() => {
-    rejectCallback(new Error("Timed out waiting for OAuth callback"));
+    failPendingWaiters(new Error("Timed out waiting for OAuth callback"));
   }, timeoutMs);
   timeoutHandle.unref?.();
 
@@ -201,14 +209,18 @@ const successResponse = `<!DOCTYPE html>
       return;
     }
 
+    const hasCode = !!url.searchParams.get("code");
+    const hasState = !!url.searchParams.get("state");
+    const hasError = !!url.searchParams.get("error");
+    if (!hasError && (!hasCode || !hasState)) {
+      response.writeHead(400, { "Content-Type": "text/plain; charset=utf-8" });
+      response.end("Ignoring incomplete OAuth callback. Return to the Google sign-in flow.");
+      return;
+    }
+
     response.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
     response.end(successResponse);
-
-    resolveCallback(url);
-
-    setImmediate(() => {
-      server.close();
-    });
+    deliverCallback(url);
   });
 
   await new Promise<void>((resolve, reject) => {
@@ -224,11 +236,21 @@ const successResponse = `<!DOCTYPE html>
   });
 
   server.on("error", (error) => {
-    rejectCallback(error instanceof Error ? error : new Error(String(error)));
+    failPendingWaiters(error instanceof Error ? error : new Error(String(error)));
   });
 
   return {
-    waitForCallback: () => callbackPromise,
+    waitForCallback: async () => {
+      if (callbackQueue.length > 0) {
+        return callbackQueue.shift() as URL;
+      }
+      if (terminalError) {
+        throw terminalError;
+      }
+      return await new Promise<URL>((resolve, reject) => {
+        callbackWaiters.push({ resolve, reject });
+      });
+    },
     close: () =>
       new Promise<void>((resolve, reject) => {
         server.close((error) => {
@@ -236,9 +258,10 @@ const successResponse = `<!DOCTYPE html>
             reject(error);
             return;
           }
-          if (!settled) {
-            rejectCallback(new Error("OAuth listener closed before callback"));
+          if (timeoutHandle) {
+            clearTimeout(timeoutHandle);
           }
+          failPendingWaiters(new Error("OAuth listener closed before callback"));
           resolve();
         });
       }),

package/src/plugin/types.ts

@@ -52,6 +52,11 @@ export interface PluginClient {
   auth: {
     set(input: { path: { id: string }; body: OAuthAuthDetails }): Promise<void>;
   };
+  config?: {
+    get(options?: unknown): Promise<{
+      data?: Config;
+    } | undefined>;
+  };
   tui?: {
     showToast(input: {
       body: {

package/src/plugin.ts

@@ -9,6 +9,11 @@ import {
 } from "./plugin/quota";
 import { isGeminiDebugEnabled, logGeminiDebugMessage, startGeminiDebugRequest } from "./plugin/debug";
 import { maybeShowGeminiCapacityToast, maybeShowGeminiTestToast } from "./plugin/notify";
+import {
+  resolveConfiguredProjectId,
+  resolveConfiguredProjectIdFromClient,
+  resolveConfiguredProjectIdFromConfig,
+} from "./plugin/provider";
 import {
   isGenerativeLanguageRequest,
   prepareGeminiRequest,
@@ -42,143 +47,141 @@ let latestGeminiConfiguredProjectId: string | undefined;
  */
 export const GeminiCLIOAuthPlugin = async (
   { client }: PluginContext,
-): Promise<PluginResult> => ({
-  config: async (config) => {
-    config.command = config.command || {};
-    config.command[GEMINI_QUOTA_COMMAND] = {
-      description: "Show Gemini Code Assist quota usage",
-      template: GEMINI_QUOTA_COMMAND_TEMPLATE,
-    };
-  },
-  tool: {
-    [GEMINI_QUOTA_TOOL_NAME]: createGeminiQuotaTool({
-      client,
-      getAuthResolver: () => latestGeminiAuthResolver,
-      getConfiguredProjectId: () => latestGeminiConfiguredProjectId,
-    }),
-  },
-  auth: {
-    provider: GEMINI_PROVIDER_ID,
-    loader: async (getAuth: GetAuth, provider: Provider): Promise<LoaderResult | null> => {
-      latestGeminiAuthResolver = getAuth;
-      const auth = await getAuth();
-      if (!isOAuthAuth(auth)) {
-        return null;
-      }
+): Promise<PluginResult> => {
+  const resolveLatestConfiguredProjectId = async (provider?: Provider): Promise<string | undefined> => {
+    const configProjectId =
+      (await resolveConfiguredProjectIdFromClient(client)) ?? latestGeminiConfiguredProjectId;
+    const resolvedProjectId = resolveConfiguredProjectId({
+      provider,
+      configProjectId,
+    });
+    latestGeminiConfiguredProjectId = resolvedProjectId;
+    return resolvedProjectId;
+  };
 
-      const configuredProjectId = resolveConfiguredProjectId(provider);
-      latestGeminiConfiguredProjectId = configuredProjectId;
-      normalizeProviderModelCosts(provider);
-      const thinkingConfigDefaults = resolveThinkingConfigDefaults(provider);
+  return {
+    config: async (config) => {
+      latestGeminiConfiguredProjectId = resolveConfiguredProjectIdFromConfig(config);
+      config.command = config.command || {};
+      config.command[GEMINI_QUOTA_COMMAND] = {
+        description: "Show Gemini Code Assist quota usage",
+        template: GEMINI_QUOTA_COMMAND_TEMPLATE,
+      };
+    },
+    tool: {
+      [GEMINI_QUOTA_TOOL_NAME]: createGeminiQuotaTool({
+        client,
+        getAuthResolver: () => latestGeminiAuthResolver,
+        getConfiguredProjectId: () => latestGeminiConfiguredProjectId,
+      }),
+    },
+    auth: {
+      provider: GEMINI_PROVIDER_ID,
+      loader: async (getAuth: GetAuth, provider: Provider): Promise<LoaderResult | null> => {
+        latestGeminiAuthResolver = getAuth;
+        const auth = await getAuth();
+        if (!isOAuthAuth(auth)) {
+          return null;
+        }
 
-      return {
-        apiKey: "",
-        async fetch(input, init) {
-          if (!isGenerativeLanguageRequest(input)) {
-            return fetch(input, init);
-          }
+        await resolveLatestConfiguredProjectId(provider);
+        normalizeProviderModelCosts(provider);
+        const thinkingConfigDefaults = resolveThinkingConfigDefaults(provider);
 
-          const latestAuth = await getAuth();
-          if (!isOAuthAuth(latestAuth)) {
-            return fetch(input, init);
-          }
+        return {
+          apiKey: "",
+          async fetch(input, init) {
+            if (!isGenerativeLanguageRequest(input)) {
+              return fetch(input, init);
+            }
 
-          let authRecord = resolveCachedAuth(latestAuth);
-          if (accessTokenExpired(authRecord)) {
-            const refreshed = await refreshAccessToken(authRecord, client);
-            if (!refreshed) {
+            const latestAuth = await getAuth();
+            if (!isOAuthAuth(latestAuth)) {
               return fetch(input, init);
             }
-            authRecord = refreshed;
-          }
 
-          if (!authRecord.access) {
-            return fetch(input, init);
-          }
+            let authRecord = resolveCachedAuth(latestAuth);
+            if (accessTokenExpired(authRecord)) {
+              const refreshed = await refreshAccessToken(authRecord, client);
+              if (!refreshed) {
+                return fetch(input, init);
+              }
+              authRecord = refreshed;
+            }
+
+            if (!authRecord.access) {
+              return fetch(input, init);
+            }
 
-          const projectContext = await ensureProjectContextOrThrow(
-            authRecord,
-            client,
-            configuredProjectId,
-          );
-          await maybeShowGeminiTestToast(client, projectContext.effectiveProjectId);
-          await maybeLogAvailableQuotaModels(
-            authRecord.access,
-            projectContext.effectiveProjectId,
-          );
-          const transformed = prepareGeminiRequest(
-            input,
-            init,
-            authRecord.access,
-            projectContext.effectiveProjectId,
-            thinkingConfigDefaults,
-          );
-          const debugContext = startGeminiDebugRequest({
-            originalUrl: toUrlString(input),
-            resolvedUrl: toUrlString(transformed.request),
-            method: transformed.init.method,
-            headers: transformed.init.headers,
-            body: transformed.init.body,
-            streaming: transformed.streaming,
-            projectId: projectContext.effectiveProjectId,
-          });
+            const configuredProjectId = await resolveLatestConfiguredProjectId(provider);
+            const projectContext = await ensureProjectContextOrThrow(
+              authRecord,
+              client,
+              configuredProjectId,
+            );
+            await maybeShowGeminiTestToast(client, projectContext.effectiveProjectId);
+            await maybeLogAvailableQuotaModels(
+              authRecord.access,
+              projectContext.effectiveProjectId,
+            );
+            const transformed = prepareGeminiRequest(
+              input,
+              init,
+              authRecord.access,
+              projectContext.effectiveProjectId,
+              thinkingConfigDefaults,
+            );
+            const debugContext = startGeminiDebugRequest({
+              originalUrl: toUrlString(input),
+              resolvedUrl: toUrlString(transformed.request),
+              method: transformed.init.method,
+              headers: transformed.init.headers,
+              body: transformed.init.body,
+              streaming: transformed.streaming,
+              projectId: projectContext.effectiveProjectId,
+            });
 
-          /**
-           * Retry transport/429 failures while preserving the requested model.
-           * We intentionally do not auto-downgrade model tiers to avoid misleading users.
-           */
-          const response = await fetchWithRetry(transformed.request, transformed.init);
-          await maybeShowGeminiCapacityToast(
-            client,
-            response,
-            projectContext.effectiveProjectId,
-            transformed.requestedModel,
-          );
-          return transformGeminiResponse(
-            response,
-            transformed.streaming,
-            debugContext,
-            transformed.requestedModel,
-          );
+            /**
+             * Retry transport/429 failures while preserving the requested model.
+             * We intentionally do not auto-downgrade model tiers to avoid misleading users.
+             */
+            const response = await fetchWithRetry(transformed.request, transformed.init);
+            await maybeShowGeminiCapacityToast(
+              client,
+              response,
+              projectContext.effectiveProjectId,
+              transformed.requestedModel,
+            );
+            return transformGeminiResponse(
+              response,
+              transformed.streaming,
+              debugContext,
+              transformed.requestedModel,
+            );
+          },
+        };
+      },
+      methods: [
+        {
+          label: "OAuth with Google (Gemini CLI)",
+          type: "oauth",
+          authorize: createOAuthAuthorizeMethod({
+            getConfiguredProjectId: () => resolveLatestConfiguredProjectId(),
+          }),
         },
-      };
+        {
+          provider: GEMINI_PROVIDER_ID,
+          label: "Manually enter API Key",
+          type: "api",
+        },
+      ],
     },
-    methods: [
-      {
-        label: "OAuth with Google (Gemini CLI)",
-        type: "oauth",
-        authorize: createOAuthAuthorizeMethod(),
-      },
-      {
-        provider: GEMINI_PROVIDER_ID,
-        label: "Manually enter API Key",
-        type: "api",
-      },
-    ],
-  },
-});
+  };
+};
 
 export const GoogleOAuthPlugin = GeminiCLIOAuthPlugin;
 const loggedQuotaModelsByProject = new Set<string>();
 
-function resolveConfiguredProjectId(provider: Provider): string | undefined {
-  const providerOptions =
-    provider && typeof provider === "object"
-      ? ((provider as { options?: Record<string, unknown> }).options ?? undefined)
-      : undefined;
-  const projectIdFromConfig =
-    providerOptions && typeof providerOptions.projectId === "string"
-      ? providerOptions.projectId.trim()
-      : "";
-  const projectIdFromEnv = process.env.OPENCODE_GEMINI_PROJECT_ID?.trim() ?? "";
-  const googleProjectIdFromEnv =
-    process.env.GOOGLE_CLOUD_PROJECT?.trim() ??
-    process.env.GOOGLE_CLOUD_PROJECT_ID?.trim() ??
-    "";
-
-  return projectIdFromEnv || projectIdFromConfig || googleProjectIdFromEnv || undefined;
-}
-
 function normalizeProviderModelCosts(provider: Provider): void {
   if (!provider.models) {
     return;