opencode-provider-litellm 0.3.1 → 0.5.0

package/README.md

@@ -1,6 +1,6 @@
 # opencode-provider-litellm
 
-OpenCode plugin that auto-discovers models from any [LiteLLM](https://github.com/BerriAI/litellm) proxy — complete with costs, context limits, capabilities, and auth. Zero config, zero hand-maintained model lists.
+OpenCode plugin for any [LiteLLM](https://github.com/BerriAI/litellm) proxy — auto-discovers models, MCP tools, and auth. Zero config, zero hand-maintained model lists.
 
 ## Quick start
 
@@ -15,7 +15,7 @@ opencode plugin opencode-provider-litellm
 # 3. Restart OpenCode
 ```
 
-All models from your LiteLLM proxy appear in OpenCode's model picker automatically.
+All models and MCP tools from your LiteLLM proxy appear in OpenCode automatically.
 
 ## Configuration
 
@@ -26,6 +26,8 @@ All models from your LiteLLM proxy appear in OpenCode's model picker automatical
 | `LITELLM_URL` | Your LiteLLM proxy base URL |
 | `LITELLM_KEY` | API key for the proxy |
 | `LITELLM_PROVIDER_ID` | Provider ID in OpenCode (defaults to `LiteLLM`) |
+| `LITELLM_GCLOUD_TOKEN_AUTH` | Set to `1` to use Google ADC for auth (makes `LITELLM_KEY` optional) |
+| `GOOGLE_APPLICATION_CREDENTIALS` | Path to a Google ADC JSON file (used when `LITELLM_GCLOUD_TOKEN_AUTH=1`) |
 
 ### Inline config
 
@@ -42,9 +44,29 @@ Alternatively, provide `url` and `apiKey` directly in your `opencode.json`:
 }
 ```
 
-:::tip
-Environment variables take precedence over inline config. Use env vars to keep secrets out of checked-in files.
-:::
+> **Tip:** Environment variables take precedence over inline config. Use env vars to keep secrets out of checked-in files.
+
+### Google Vertex AI (gcloud token auth)
+
+When your LiteLLM proxy is backed by Google Vertex AI, you can skip `LITELLM_KEY` and let the plugin automatically fetch a gcloud OAuth token:
+
+```bash
+# 1. Authenticate with gcloud (creates an ADC JSON file)
+gcloud auth application-default login
+
+# 2. Set env vars (LITELLM_KEY is optional)
+export LITELLM_URL="https://your-litellm-proxy.example.com"
+export LITELLM_GCLOUD_TOKEN_AUTH=1
+
+# 3. Install and restart OpenCode
+opencode plugin opencode-provider-litellm
+```
+
+The plugin reads your [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials) JSON file and exchanges the refresh token for an access token before every LLM request. Tokens are cached for 50 minutes.
+
+To use a custom credentials file, set `GOOGLE_APPLICATION_CREDENTIALS` to its path.
+
+> **Note:** Only `authorized_user` credentials (from `gcloud auth application-default login`) are supported. Service account keys are not yet supported.
 
 ### /connect flow
 
@@ -56,21 +78,45 @@ You can also authenticate interactively via the OpenCode TUI:
 
 The key is stored in OpenCode's auth store.
 
+## Features
+
+### Model discovery
+
+Queries LiteLLM on startup and injects all models with rich metadata into OpenCode:
+
+- `/health` — model list with internal UUIDs
+- `/model/info?litellm_model_id={uuid}` — costs, context limits, vision, tool calling, reasoning, etc.
+
+Custom `model_info` updates via `/model/update` are respected — no hardcoded fallbacks.
+
+### MCP tools
+
+Discovers tools registered on LiteLLM's MCP servers at startup and exposes them as native OpenCode tools. Each tool keeps its original description and parameter schema.
+
+### Skills
+
+Skills registered in LiteLLM's [Skills Gateway](https://docs.litellm.ai/docs/skills_gateway) are made available to OpenCode via the [proxy-sidecar](../llm-server/proxy-sidecar/), which serves skills in OpenCode's native format. Add the sidecar URL to your config:
+
+```jsonc
+{
+  "skills": {
+    "urls": ["https://your-litellm-proxy.example.com/opencode/skills"]
+  }
+}
+```
+
+Skills appear in OpenCode's `/skills` menu and are loaded natively by the agent.
+
 ## How it works
 
-The plugin uses two OpenCode hooks:
+The plugin uses three OpenCode hooks:
 
 | Hook | Purpose |
 |------|---------|
-| `config` | Queries `/health` + `/model/info` on startup, discovers models with rich metadata (costs, limits, capabilities), and injects them into OpenCode |
+| `config` | Discovers models from LiteLLM and injects them into OpenCode |
 | `auth` | Provides a `/connect` entry point for pasting an API key |
-
-Model metadata is fetched from LiteLLM's admin API:
-
-- `/health` — model list with internal UUIDs
-- `/model/info?litellm_model_id={uuid}` — rich metadata per model (costs, context limits, vision, tool calling, reasoning, etc.)
-
-Custom model_info updates via `/model/update` are respected — no hardcoded fallbacks.
+| `tool` | Exposes discovered MCP tools as native OpenCode tools |
+| `chat.headers` | Injects `Authorization: Bearer <token>` when `LITELLM_GCLOUD_TOKEN_AUTH=1` |
 
 ## Troubleshooting
 
@@ -79,6 +125,7 @@ Custom model_info updates via `/model/update` are respected — no hardcoded fal
 | "Plugin config error" | Set `LITELLM_URL` and `LITELLM_KEY`, or add `url`/`apiKey` to plugin options |
 | "Access denied" (403) | Verify the API key has access to the LiteLLM proxy |
 | "No models discovered" | Check that the proxy is reachable and the `/health` endpoint responds |
+| Skills not showing | Verify the proxy-sidecar is running and the skills URL is in `opencode.json` |
 
 ## Development
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-provider-litellm",
-  "version": "0.3.1",
+  "version": "0.5.0",
   "description": "OpenCode plugin for any LiteLLM proxy — auto-discovers models, auth, and capabilities",
   "type": "module",
   "exports": {

package/src/gcloud-token.test.ts

@@ -0,0 +1,255 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
+import { getGcloudToken, resetTokenCache, CACHE_TTL } from './gcloud-token.js'
+
+const mockReadFileSync = vi.hoisted(() => vi.fn())
+const mockExistsSync = vi.hoisted(() => vi.fn())
+const mockFetch = vi.hoisted(() => vi.fn())
+
+vi.mock('fs', () => ({
+  get readFileSync() { return mockReadFileSync },
+  get existsSync() { return mockExistsSync },
+}))
+
+// Mock global fetch
+beforeEach(() => {
+  vi.stubGlobal('fetch', mockFetch)
+})
+
+afterEach(() => {
+  vi.unstubAllGlobals()
+  vi.unstubAllEnvs()
+})
+
+const authorizedUserCredentials = {
+  type: 'authorized_user',
+  client_id: 'test-client-id.apps.googleusercontent.com',
+  client_secret: 'test-client-secret',
+  refresh_token: 'test-refresh-token',
+  account: 'test@example.com',
+}
+
+const serviceAccountCredentials = {
+  type: 'service_account',
+  private_key_id: 'key123',
+  private_key: '-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n',
+  client_email: 'test@project.iam.gserviceaccount.com',
+  client_id: '123456789',
+  auth_uri: 'https://accounts.google.com/o/oauth2/auth',
+  token_uri: 'https://oauth2.googleapis.com/token',
+}
+
+describe('getGcloudToken', () => {
+  afterEach(() => {
+    vi.clearAllMocks()
+    vi.unstubAllEnvs()
+    resetTokenCache()
+  })
+
+  it('returns token from authorized_user credentials', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({ access_token: 'exchanged-access-token' }),
+    })
+
+    const token = await getGcloudToken()
+    expect(token).toBe('exchanged-access-token')
+
+    expect(mockFetch).toHaveBeenCalledWith(
+      'https://oauth2.googleapis.com/token',
+      expect.objectContaining({
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      }),
+    )
+  })
+
+  it('caches token within TTL', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({ access_token: 'cached-token' }),
+    })
+
+    await getGcloudToken()
+    const cached = await getGcloudToken()
+    expect(cached).toBe('cached-token')
+    expect(mockFetch).toHaveBeenCalledTimes(1)
+  })
+
+  it('returns null when ADC file not found (no env, no default)', async () => {
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', undefined)
+    vi.stubEnv('HOME', undefined)
+    vi.stubEnv('USERPROFILE', undefined)
+    vi.stubEnv('APPDATA', undefined)
+
+    const token = await getGcloudToken()
+    expect(token).toBeNull()
+    expect(warnSpy).toHaveBeenCalled()
+
+    warnSpy.mockRestore()
+  })
+
+  it('returns null when ADC file is invalid JSON', async () => {
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue('not valid json{{{')
+
+    const token = await getGcloudToken()
+    expect(token).toBeNull()
+    expect(warnSpy).toHaveBeenCalled()
+
+    warnSpy.mockRestore()
+  })
+
+  it('returns null and warns for service_account type', async () => {
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(serviceAccountCredentials))
+
+    const token = await getGcloudToken()
+    expect(token).toBeNull()
+    expect(warnSpy).toHaveBeenCalledWith(
+      '[opencode-provider-litellm] Service account credentials are not yet supported. Use an authorized_user credential or set GOOGLE_APPLICATION_CREDENTIALS to an authorized_user JSON file.',
+    )
+
+    warnSpy.mockRestore()
+  })
+
+  it('returns null on token exchange failure', async () => {
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockResolvedValue({
+      ok: false,
+      status: 400,
+      text: async () => '{"error":"invalid_grant"}',
+    })
+
+    const token = await getGcloudToken()
+    expect(token).toBeNull()
+    expect(warnSpy).toHaveBeenCalled()
+
+    warnSpy.mockRestore()
+  })
+
+  it('returns null on token exchange network error', async () => {
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockRejectedValue(new Error('network error'))
+
+    const token = await getGcloudToken()
+    expect(token).toBeNull()
+    expect(warnSpy).toHaveBeenCalled()
+
+    warnSpy.mockRestore()
+  })
+
+  it('reads default ADC location when GOOGLE_APPLICATION_CREDENTIALS is not set', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', undefined)
+    vi.stubEnv('HOME', '/home/test')
+    vi.stubEnv('APPDATA', undefined)
+
+    mockExistsSync.mockReturnValue(true)
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({ access_token: 'default-loc-token' }),
+    })
+
+    const token = await getGcloudToken()
+    expect(token).toBe('default-loc-token')
+    expect(mockReadFileSync).toHaveBeenCalledWith(
+      expect.stringContaining('application_default_credentials.json'),
+      'utf-8',
+    )
+  })
+
+  it('reads Windows APPDATA ADC location', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', undefined)
+    vi.stubEnv('HOME', undefined)
+    vi.stubEnv('APPDATA', 'C:\\Users\\test\\AppData\\Roaming')
+
+    mockExistsSync.mockImplementation((path: string) => {
+      return typeof path === 'string' && path.includes('AppData') && path.includes('gcloud')
+    })
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({ access_token: 'windows-token' }),
+    })
+
+    const token = await getGcloudToken()
+    expect(token).toBe('windows-token')
+    // On Linux, path.join mixes slashes; just check it contains the key parts
+    expect(mockReadFileSync).toHaveBeenCalledWith(
+      expect.stringContaining('gcloud'),
+      'utf-8',
+    )
+  })
+
+  it('respects GOOGLE_APPLICATION_CREDENTIALS path over default', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/custom/path/creds.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({ access_token: 'custom-path-token' }),
+    })
+
+    const token = await getGcloudToken()
+    expect(token).toBe('custom-path-token')
+    expect(mockReadFileSync).toHaveBeenCalledWith('/custom/path/creds.json', 'utf-8')
+  })
+
+  it('stale cache triggers new token fetch', async () => {
+    vi.stubEnv('GOOGLE_APPLICATION_CREDENTIALS', '/tmp/adc.json')
+    vi.stubEnv('HOME', '/home/test')
+
+    mockReadFileSync.mockReturnValue(JSON.stringify(authorizedUserCredentials))
+    mockFetch
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ access_token: 'token-v1' }),
+      })
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ access_token: 'token-v2' }),
+      })
+
+    const first = await getGcloudToken()
+    expect(first).toBe('token-v1')
+
+    // Stub the cache to be stale
+    vi.spyOn(Date, 'now').mockReturnValue(Date.now() + CACHE_TTL + 1000)
+
+    const second = await getGcloudToken()
+    expect(second).toBe('token-v2')
+    expect(mockFetch).toHaveBeenCalledTimes(2)
+
+    vi.restoreAllMocks()
+  })
+})

package/src/gcloud-token.ts

@@ -0,0 +1,145 @@
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+
+let cachedToken: string | null = null
+let cachedAt: number = 0
+export const CACHE_TTL = 50 * 60 * 1000 // 50 minutes in ms
+
+interface AuthorizedUserCredentials {
+  type: 'authorized_user'
+  client_id: string
+  client_secret: string
+  refresh_token: string
+  account?: string
+  universe_domain?: string
+}
+
+interface ServiceAccountCredentials {
+  type: 'service_account'
+}
+
+type GoogleCredentials = AuthorizedUserCredentials | ServiceAccountCredentials
+
+const ADC_FILENAME = 'application_default_credentials.json'
+
+function getAdcPath(): string | null {
+  // 1. GOOGLE_APPLICATION_CREDENTIALS env var (all platforms)
+  const envPath = typeof process !== 'undefined' ? process.env.GOOGLE_APPLICATION_CREDENTIALS : undefined
+  if (envPath) {
+    return envPath
+  }
+
+  // 2. Default ADC locations (Google's official search order)
+  const candidates: string[] = []
+
+  // Linux / macOS: ~/.config/gcloud/
+  const home = typeof process !== 'undefined' ? process.env.HOME : undefined
+  if (home) {
+    candidates.push(join(home, '.config', 'gcloud', ADC_FILENAME))
+  }
+
+  // Windows: %APPDATA%/gcloud/
+  const appData = typeof process !== 'undefined' ? process.env.APPDATA : undefined
+  if (appData) {
+    candidates.push(join(appData, 'gcloud', ADC_FILENAME))
+  }
+
+  for (const path of candidates) {
+    if (existsSync(path)) {
+      return path
+    }
+  }
+
+  return null
+}
+
+function readCredentials(path: string): GoogleCredentials | null {
+  try {
+    const content = readFileSync(path, 'utf-8')
+    return JSON.parse(content) as GoogleCredentials
+  } catch {
+    return null
+  }
+}
+
+async function exchangeRefreshToken(credentials: AuthorizedUserCredentials): Promise<string | null> {
+  const body = new URLSearchParams({
+    grant_type: 'refresh_token',
+    client_id: credentials.client_id,
+    client_secret: credentials.client_secret,
+    refresh_token: credentials.refresh_token,
+  }).toString()
+
+  try {
+    const response = await fetch('https://oauth2.googleapis.com/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body,
+      signal: AbortSignal.timeout(10_000),
+    })
+
+    if (!response.ok) {
+      const text = await response.text()
+      console.warn(`[opencode-provider-litellm] Token exchange failed (${response.status}): ${text}`)
+      return null
+    }
+
+    const data = await response.json()
+    return data.access_token || null
+  } catch (error) {
+    console.warn(`[opencode-provider-litellm] Token exchange failed: ${error}`)
+    return null
+  }
+}
+
+/**
+ * Gets a Google OAuth access token from the ADC JSON file, cached with a 50-minute TTL.
+ * Returns null if credentials are not available or the token cannot be fetched.
+ * Logs a warning on failure.
+ */
+export async function getGcloudToken(): Promise<string | null> {
+  // Return cached token if still valid
+  if (cachedToken && (Date.now() - cachedAt) < CACHE_TTL) {
+    return cachedToken
+  }
+
+  const adcPath = getAdcPath()
+  if (!adcPath) {
+    console.warn(
+      '[opencode-provider-litellm] No Google ADC file found. Set GOOGLE_APPLICATION_CREDENTIALS or run `gcloud auth application-default login`.',
+    )
+    return null
+  }
+
+  const credentials = readCredentials(adcPath)
+  if (!credentials) {
+    console.warn(`[opencode-provider-litellm] Failed to read ADC file: ${adcPath}`)
+    return null
+  }
+
+  if (credentials.type === 'authorized_user') {
+    const token = await exchangeRefreshToken(credentials)
+    if (token) {
+      cachedToken = token
+      cachedAt = Date.now()
+    }
+    return token
+  }
+
+  if (credentials.type === 'service_account') {
+    console.warn('[opencode-provider-litellm] Service account credentials are not yet supported. Use an authorized_user credential or set GOOGLE_APPLICATION_CREDENTIALS to an authorized_user JSON file.')
+    return null
+  }
+
+  // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
+  console.warn(`[opencode-provider-litellm] Unknown credential type: ${(credentials as { type: string }).type}`)
+  return null
+}
+
+/**
+ * Resets the token cache. Exported for testing purposes.
+ */
+export function resetTokenCache(): void {
+  cachedToken = null
+  cachedAt = 0
+}