opencode-studio-server 1.2.1 → 1.2.2

package/.env

@@ -0,0 +1,2 @@
+GEMINI_CLIENT_ID=681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com
+GEMINI_CLIENT_SECRET=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

package/.env.example

@@ -0,0 +1,2 @@
+GEMINI_CLIENT_ID=your_client_id_here
+GEMINI_CLIENT_SECRET=your_client_secret_here

package/AGENTS.md

@@ -0,0 +1,37 @@
+# SERVER LAYER
+
+Express API backend (port 3001). Single-file architecture.
+
+## STRUCTURE
+
+| File | Purpose |
+|------|---------|
+| `index.js` | All routes, config IO, auth, skills, plugins, usage stats |
+| `cli.js` | npm bin entry, protocol URL parser, pending action queue |
+| `register-protocol.js` | OS-specific `opencodestudio://` handler registration |
+
+## WHERE TO LOOK
+
+| Task | Location |
+|------|----------|
+| Add API endpoint | `index.js` - add `app.get/post/delete` |
+| Config path detection | `index.js:getPaths()` - `CANDIDATE_PATHS` logic |
+| Auth profile management | `index.js:440-620` - profiles CRUD |
+| Google plugin switching | `index.js:803-860` - gemini/antigravity toggle |
+| Usage stats aggregation | `index.js:687-800` - reads message storage |
+| Protocol actions | `cli.js:34-84` - switch on action type |
+| Windows registry | `register-protocol.js:8-55` |
+
+## CONVENTIONS
+
+- All routes in single file (no route modules)
+- Studio prefs in `~/.config/opencode-studio/studio.json`, separate from opencode config
+- Auth profiles namespaced: `google.gemini`, `google.antigravity`
+- 30min idle timeout auto-shutdown
+
+## ANTI-PATTERNS
+
+- Hardcoding `~/.config/opencode` - use `getPaths().current`
+- Importing from `client-next/` - separate processes
+- Adding Next.js API routes - all API here
+- Modifying opencode.json structure without updating `client-next/src/types/`

package/cli.js

@@ -40,16 +40,17 @@ if (protocolArg) {
                 break;
 
             case 'install-mcp':
-                // Queue MCP server installation
-                if (params.cmd || params.name) {
+                // Security: Do NOT accept 'cmd' or 'env' from deep links to prevent RCE.
+                // Only allow the name to be passed, user must configure the rest manually.
+                if (params.name) {
                     pendingAction = {
                         type: 'install-mcp',
-                        name: params.name || 'MCP Server',
-                        command: params.cmd ? decodeURIComponent(params.cmd) : null,
-                        env: params.env ? JSON.parse(decodeURIComponent(params.env)) : null,
+                        name: params.name,
+                        // command: params.cmd ? decodeURIComponent(params.cmd) : null, // DISABLED FOR SECURITY
+                        // env: params.env ? JSON.parse(decodeURIComponent(params.env)) : null, // DISABLED FOR SECURITY
                         timestamp: Date.now(),
                     };
-                    console.log(`Queued MCP install: ${pendingAction.name}`);
+                    console.log(`Queued MCP install (name only): ${pendingAction.name}`);
                 }
                 break;
 

package/index.js

@@ -4,8 +4,24 @@ const bodyParser = require('body-parser');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const crypto = require('crypto');
 const { spawn, exec } = require('child_process');
 
+// Atomic file write: write to temp file then rename to prevent corruption
+const atomicWriteFileSync = (filePath, data, options = 'utf8') => {
+    const dir = path.dirname(filePath);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    const tempPath = path.join(dir, `.${path.basename(filePath)}.${crypto.randomBytes(6).toString('hex')}.tmp`);
+    try {
+        fs.writeFileSync(tempPath, data, options);
+        fs.renameSync(tempPath, filePath);
+    } catch (err) {
+        // Clean up temp file if rename fails
+        try { fs.unlinkSync(tempPath); } catch {}
+        throw err;
+    }
+};
+
 const app = express();
 const PORT = 3001;
 const IDLE_TIMEOUT_MS = 30 * 60 * 1000; 
@@ -204,9 +220,7 @@ function loadStudioConfig() {
 
 function saveStudioConfig(config) {
     try {
-        const dir = path.dirname(STUDIO_CONFIG_PATH);
-        if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-        fs.writeFileSync(STUDIO_CONFIG_PATH, JSON.stringify(config, null, 2), 'utf8');
+        atomicWriteFileSync(STUDIO_CONFIG_PATH, JSON.stringify(config, null, 2));
         return true;
     } catch (err) {
         console.error('Failed to save studio config:', err);
@@ -265,9 +279,7 @@ const loadConfig = () => {
 const saveConfig = (config) => {
     const configPath = getConfigPath();
     if (!configPath) throw new Error('No config path found');
-    const dir = path.dirname(configPath);
-    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-    fs.writeFileSync(configPath, JSON.stringify(config, null, 2), 'utf8');
+    atomicWriteFileSync(configPath, JSON.stringify(config, null, 2));
 };
 
 app.get('/api/health', (req, res) => res.json({ status: 'ok' }));
@@ -317,6 +329,9 @@ app.get('/api/skills', (req, res) => {
 });
 
 app.get('/api/skills/:name', (req, res) => {
+    if (!/^[a-zA-Z0-9_\-\s]+$/.test(req.params.name)) {
+        return res.status(400).json({ error: 'Invalid skill name' });
+    }
     const sd = getSkillDir();
     const p = sd ? path.join(sd, req.params.name, 'SKILL.md') : null;
     if (!p || !fs.existsSync(p)) return res.status(404).json({ error: 'Not found' });
@@ -324,6 +339,9 @@ app.get('/api/skills/:name', (req, res) => {
 });
 
 app.post('/api/skills/:name', (req, res) => {
+    if (!/^[a-zA-Z0-9_\-\s]+$/.test(req.params.name)) {
+        return res.status(400).json({ error: 'Invalid skill name' });
+    }
     const sd = getSkillDir();
     if (!sd) return res.status(404).json({ error: 'No config' });
     const dp = path.join(sd, req.params.name);
@@ -333,6 +351,9 @@ app.post('/api/skills/:name', (req, res) => {
 });
 
 app.delete('/api/skills/:name', (req, res) => {
+    if (!/^[a-zA-Z0-9_\-\s]+$/.test(req.params.name)) {
+        return res.status(400).json({ error: 'Invalid skill name' });
+    }
     const sd = getSkillDir();
     const dp = sd ? path.join(sd, req.params.name) : null;
     if (dp && fs.existsSync(dp)) fs.rmSync(dp, { recursive: true, force: true });
@@ -572,7 +593,7 @@ app.post('/api/auth/profiles/:provider', (req, res) => {
     if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
     
     const profilePath = path.join(dir, `${name || Date.now()}.json`);
-    fs.writeFileSync(profilePath, JSON.stringify(auth[provider], null, 2), 'utf8');
+    atomicWriteFileSync(profilePath, JSON.stringify(auth[provider], null, 2));
     res.json({ success: true, name: path.basename(profilePath, '.json') });
 });
 
@@ -603,7 +624,7 @@ app.post('/api/auth/profiles/:provider/:name/activate', (req, res) => {
     
     const cp = getConfigPath();
     const ap = path.join(path.dirname(cp), 'auth.json');
-    fs.writeFileSync(ap, JSON.stringify(authCfg, null, 2), 'utf8');
+    atomicWriteFileSync(ap, JSON.stringify(authCfg, null, 2));
     res.json({ success: true });
 });
 
@@ -643,30 +664,79 @@ app.put('/api/auth/profiles/:provider/:name', (req, res) => {
 
 app.post('/api/auth/login', (req, res) => {
     let { provider } = req.body;
+    
+    // Security: Validate provider against allowlist to prevent command injection
+    const ALLOWED_PROVIDERS = [
+        "", "google", "anthropic", "openai", "xai", 
+        "openrouter", "github-copilot", "gemini",
+        "together", "mistral", "deepseek", "amazon-bedrock", "azure"
+    ];
+
+    if (provider && !ALLOWED_PROVIDERS.includes(provider)) {
+        return res.status(400).json({ error: 'Invalid provider' });
+    }
+
     if (typeof provider !== 'string') provider = "";
     
     let cmd = 'opencode auth login';
     if (provider) cmd += ` ${provider}`;
     
     const platform = process.platform;
-    let terminalCmd;
+    
     if (platform === 'win32') {
-        terminalCmd = `start "" cmd /c "call ${cmd} || pause"`;
+        const terminalCmd = `start "" cmd /c "call ${cmd} || pause"`;
+        console.log('Executing terminal command:', terminalCmd);
+        exec(terminalCmd, (err) => {
+            if (err) {
+                console.error('Failed to open terminal:', err);
+                return res.status(500).json({ error: 'Failed to open terminal', details: err.message });
+            }
+            res.json({ success: true, message: 'Terminal opened', note: 'Complete login in the terminal window' });
+        });
     } else if (platform === 'darwin') {
-        terminalCmd = `osascript -e 'tell application "Terminal" to do script "${cmd}"'`;
+        const terminalCmd = `osascript -e 'tell application "Terminal" to do script "${cmd}"'`;
+        console.log('Executing terminal command:', terminalCmd);
+        exec(terminalCmd, (err) => {
+            if (err) {
+                console.error('Failed to open terminal:', err);
+                return res.status(500).json({ error: 'Failed to open terminal', details: err.message });
+            }
+            res.json({ success: true, message: 'Terminal opened', note: 'Complete login in the terminal window' });
+        });
     } else {
-        terminalCmd = `x-terminal-emulator -e "${cmd}"`;
+        const linuxTerminals = [
+            { name: 'x-terminal-emulator', cmd: `x-terminal-emulator -e "${cmd}"` },
+            { name: 'gnome-terminal', cmd: `gnome-terminal -- bash -c "${cmd}; read -p 'Press Enter to close...'"` },
+            { name: 'konsole', cmd: `konsole -e bash -c "${cmd}; read -p 'Press Enter to close...'"` },
+            { name: 'xfce4-terminal', cmd: `xfce4-terminal -e "bash -c \\"${cmd}; read -p 'Press Enter to close...'\\"" ` },
+            { name: 'xterm', cmd: `xterm -e "bash -c '${cmd}; read -p Press_Enter_to_close...'"` }
+        ];
+        
+        const tryTerminal = (index) => {
+            if (index >= linuxTerminals.length) {
+                const fallbackCmd = cmd;
+                return res.json({ 
+                    success: false, 
+                    message: 'No terminal emulator found', 
+                    note: 'Run this command manually in your terminal',
+                    command: fallbackCmd
+                });
+            }
+            
+            const terminal = linuxTerminals[index];
+            console.log(`Trying terminal: ${terminal.name}`);
+            exec(terminal.cmd, (err) => {
+                if (err) {
+                    console.log(`${terminal.name} failed, trying next...`);
+                    tryTerminal(index + 1);
+                } else {
+                    res.json({ success: true, message: 'Terminal opened', note: 'Complete login in the terminal window' });
+                }
+            });
+        };
+        
+        tryTerminal(0);
     }
-    
-    console.log('Executing terminal command:', terminalCmd);
-    
-    exec(terminalCmd, (err) => {
-        if (err) {
-            console.error('Failed to open terminal:', err);
-            return res.status(500).json({ error: 'Failed to open terminal', details: err.message });
-        }
-        res.json({ success: true, message: 'Terminal opened', note: 'Complete login in the terminal window' });
-    });
 });
 
 app.delete('/api/auth/:provider', (req, res) => {
@@ -675,7 +745,7 @@ app.delete('/api/auth/:provider', (req, res) => {
     delete authCfg[provider];
     const cp = getConfigPath();
     const ap = path.join(path.dirname(cp), 'auth.json');
-    fs.writeFileSync(ap, JSON.stringify(authCfg, null, 2), 'utf8');
+    atomicWriteFileSync(ap, JSON.stringify(authCfg, null, 2));
     
     const studio = loadStudioConfig();
     if (studio.activeProfiles) delete studio.activeProfiles[provider];
@@ -684,6 +754,332 @@ app.delete('/api/auth/:provider', (req, res) => {
     res.json({ success: true });
 });
 
+// ============================================
+// ACCOUNT POOL MANAGEMENT (Antigravity-style)
+// ============================================
+
+const POOL_METADATA_FILE = path.join(HOME_DIR, '.config', 'opencode-studio', 'pool-metadata.json');
+
+function loadPoolMetadata() {
+    if (!fs.existsSync(POOL_METADATA_FILE)) return {};
+    try {
+        return JSON.parse(fs.readFileSync(POOL_METADATA_FILE, 'utf8'));
+    } catch {
+        return {};
+    }
+}
+
+function savePoolMetadata(metadata) {
+    const dir = path.dirname(POOL_METADATA_FILE);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    atomicWriteFileSync(POOL_METADATA_FILE, JSON.stringify(metadata, null, 2));
+}
+
+function getAccountStatus(meta, now) {
+    if (!meta) return 'ready';
+    if (meta.cooldownUntil && meta.cooldownUntil > now) return 'cooldown';
+    if (meta.expired) return 'expired';
+    return 'ready';
+}
+
+function buildAccountPool(provider) {
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    
+    const profileDir = path.join(AUTH_PROFILES_DIR, namespace);
+    const profiles = [];
+    const now = Date.now();
+    const metadata = loadPoolMetadata();
+    const providerMeta = metadata[namespace] || {};
+    
+    // Get current active profile from studio config
+    const studio = loadStudioConfig();
+    const activeProfile = studio.activeProfiles?.[provider] || null;
+    
+    if (fs.existsSync(profileDir)) {
+        const files = fs.readdirSync(profileDir).filter(f => f.endsWith('.json'));
+        files.forEach(file => {
+            const name = file.replace('.json', '');
+            const meta = providerMeta[name] || {};
+            const status = name === activeProfile ? 'active' : getAccountStatus(meta, now);
+            
+            profiles.push({
+                name,
+                email: meta.email || null,
+                status,
+                lastUsed: meta.lastUsed || 0,
+                usageCount: meta.usageCount || 0,
+                cooldownUntil: meta.cooldownUntil || null,
+                createdAt: meta.createdAt || 0
+            });
+        });
+    }
+    
+    // Sort: active first, then by lastUsed (LRU)
+    profiles.sort((a, b) => {
+        if (a.status === 'active') return -1;
+        if (b.status === 'active') return 1;
+        return a.lastUsed - b.lastUsed;
+    });
+    
+    const available = profiles.filter(p => p.status === 'active' || p.status === 'ready').length;
+    const cooldown = profiles.filter(p => p.status === 'cooldown').length;
+    
+    return {
+        provider,
+        namespace,
+        accounts: profiles,
+        activeAccount: activeProfile,
+        totalAccounts: profiles.length,
+        availableAccounts: available,
+        cooldownAccounts: cooldown
+    };
+}
+
+// GET /api/auth/pool - Get account pool for Google (or specified provider)
+app.get('/api/auth/pool', (req, res) => {
+    const provider = req.query.provider || 'google';
+    const pool = buildAccountPool(provider);
+    
+    // Also include quota estimate (local tracking)
+    const metadata = loadPoolMetadata();
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    
+    const quotaMeta = metadata._quota?.[namespace] || {};
+    const today = new Date().toISOString().split('T')[0];
+    const todayUsage = quotaMeta[today] || 0;
+    
+    // Estimate: 1000 requests/day limit (configurable)
+    const dailyLimit = quotaMeta.dailyLimit || 1000;
+    const remaining = Math.max(0, dailyLimit - todayUsage);
+    const percentage = Math.round((remaining / dailyLimit) * 100);
+    
+    const quota = {
+        dailyLimit,
+        remaining,
+        used: todayUsage,
+        percentage,
+        resetAt: new Date(new Date().setHours(24, 0, 0, 0)).toISOString(),
+        byAccount: pool.accounts.map(acc => ({
+            name: acc.name,
+            email: acc.email,
+            used: acc.usageCount,
+            limit: Math.floor(dailyLimit / Math.max(1, pool.totalAccounts))
+        }))
+    };
+    
+    res.json({ pool, quota });
+});
+
+// POST /api/auth/pool/rotate - Rotate to next available account
+app.post('/api/auth/pool/rotate', (req, res) => {
+    const provider = req.body.provider || 'google';
+    const pool = buildAccountPool(provider);
+    
+    if (pool.accounts.length === 0) {
+        return res.status(400).json({ error: 'No accounts in pool' });
+    }
+    
+    const now = Date.now();
+    const available = pool.accounts.filter(acc => 
+        acc.status === 'ready' || (acc.status === 'cooldown' && acc.cooldownUntil && acc.cooldownUntil < now)
+    );
+    
+    if (available.length === 0) {
+        return res.status(400).json({ error: 'No available accounts (all in cooldown or expired)' });
+    }
+    
+    // Pick least recently used
+    const next = available.sort((a, b) => a.lastUsed - b.lastUsed)[0];
+    const previousActive = pool.activeAccount;
+    
+    // Activate the new account
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    
+    const profilePath = path.join(AUTH_PROFILES_DIR, namespace, `${next.name}.json`);
+    if (!fs.existsSync(profilePath)) {
+        return res.status(404).json({ error: 'Profile file not found' });
+    }
+    
+    const profileData = JSON.parse(fs.readFileSync(profilePath, 'utf8'));
+    
+    // Update auth.json
+    const authCfg = loadAuthConfig() || {};
+    authCfg[provider] = profileData;
+    if (provider === 'google') {
+        authCfg[namespace] = profileData;
+    }
+    
+    const cp = getConfigPath();
+    const ap = path.join(path.dirname(cp), 'auth.json');
+    atomicWriteFileSync(ap, JSON.stringify(authCfg, null, 2));
+    
+    // Update studio config
+    const studio = loadStudioConfig();
+    if (!studio.activeProfiles) studio.activeProfiles = {};
+    studio.activeProfiles[provider] = next.name;
+    saveStudioConfig(studio);
+    
+    // Update metadata
+    const metadata = loadPoolMetadata();
+    if (!metadata[namespace]) metadata[namespace] = {};
+    metadata[namespace][next.name] = {
+        ...metadata[namespace][next.name],
+        lastUsed: now
+    };
+    savePoolMetadata(metadata);
+    
+    res.json({
+        success: true,
+        previousAccount: previousActive,
+        newAccount: next.name,
+        reason: 'manual_rotation'
+    });
+});
+
+// PUT /api/auth/pool/:name/cooldown - Mark account as in cooldown
+app.put('/api/auth/pool/:name/cooldown', (req, res) => {
+    const { name } = req.params;
+    const { duration = 3600000, provider = 'google' } = req.body; // default 1 hour
+    
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    
+    const metadata = loadPoolMetadata();
+    if (!metadata[namespace]) metadata[namespace] = {};
+    
+    metadata[namespace][name] = {
+        ...metadata[namespace][name],
+        cooldownUntil: Date.now() + duration,
+        lastCooldownReason: req.body.reason || 'rate_limit'
+    };
+    
+    savePoolMetadata(metadata);
+    res.json({ success: true, cooldownUntil: metadata[namespace][name].cooldownUntil });
+});
+
+// DELETE /api/auth/pool/:name/cooldown - Clear cooldown for account
+app.delete('/api/auth/pool/:name/cooldown', (req, res) => {
+    const { name } = req.params;
+    const provider = req.query.provider || 'google';
+    
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    
+    const metadata = loadPoolMetadata();
+    if (metadata[namespace]?.[name]) {
+        delete metadata[namespace][name].cooldownUntil;
+        savePoolMetadata(metadata);
+    }
+    
+    res.json({ success: true });
+});
+
+// POST /api/auth/pool/:name/usage - Increment usage counter (for tracking)
+app.post('/api/auth/pool/:name/usage', (req, res) => {
+    const { name } = req.params;
+    const { provider = 'google' } = req.body;
+    
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    
+    const metadata = loadPoolMetadata();
+    if (!metadata[namespace]) metadata[namespace] = {};
+    if (!metadata[namespace][name]) metadata[namespace][name] = { usageCount: 0 };
+    
+    metadata[namespace][name].usageCount = (metadata[namespace][name].usageCount || 0) + 1;
+    metadata[namespace][name].lastUsed = Date.now();
+    
+    // Track daily quota
+    if (!metadata._quota) metadata._quota = {};
+    if (!metadata._quota[namespace]) metadata._quota[namespace] = {};
+    const today = new Date().toISOString().split('T')[0];
+    metadata._quota[namespace][today] = (metadata._quota[namespace][today] || 0) + 1;
+    
+    savePoolMetadata(metadata);
+    res.json({ success: true, usageCount: metadata[namespace][name].usageCount });
+});
+
+// PUT /api/auth/pool/:name/metadata - Update account metadata (email, etc.)
+app.put('/api/auth/pool/:name/metadata', (req, res) => {
+    const { name } = req.params;
+    const { provider = 'google', email, createdAt } = req.body;
+    
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    
+    const metadata = loadPoolMetadata();
+    if (!metadata[namespace]) metadata[namespace] = {};
+    if (!metadata[namespace][name]) metadata[namespace][name] = {};
+    
+    if (email !== undefined) metadata[namespace][name].email = email;
+    if (createdAt !== undefined) metadata[namespace][name].createdAt = createdAt;
+    
+    savePoolMetadata(metadata);
+    res.json({ success: true });
+});
+
+// GET /api/auth/pool/quota - Get quota info
+app.get('/api/auth/pool/quota', (req, res) => {
+    const provider = req.query.provider || 'google';
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    
+    const metadata = loadPoolMetadata();
+    const quotaMeta = metadata._quota?.[namespace] || {};
+    const today = new Date().toISOString().split('T')[0];
+    const todayUsage = quotaMeta[today] || 0;
+    const dailyLimit = quotaMeta.dailyLimit || 1000;
+    
+    res.json({
+        dailyLimit,
+        remaining: Math.max(0, dailyLimit - todayUsage),
+        used: todayUsage,
+        percentage: Math.round(((dailyLimit - todayUsage) / dailyLimit) * 100),
+        resetAt: new Date(new Date().setHours(24, 0, 0, 0)).toISOString(),
+        byAccount: []
+    });
+});
+
+// POST /api/auth/pool/quota/limit - Set daily quota limit
+app.post('/api/auth/pool/quota/limit', (req, res) => {
+    const { provider = 'google', limit } = req.body;
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    
+    const metadata = loadPoolMetadata();
+    if (!metadata._quota) metadata._quota = {};
+    if (!metadata._quota[namespace]) metadata._quota[namespace] = {};
+    metadata._quota[namespace].dailyLimit = limit;
+    
+    savePoolMetadata(metadata);
+    res.json({ success: true, dailyLimit: limit });
+});
+
+// ============================================
+// END ACCOUNT POOL MANAGEMENT
+// ============================================
+
 app.get('/api/usage', async (req, res) => {
     try {
         const {projectId: fid, granularity = 'daily', range = '30d'} = req.query;
@@ -714,22 +1110,29 @@ app.get('/api/usage', async (req, res) => {
 
         if (!md) return res.json({ totalCost: 0, totalTokens: 0, byModel: [], byDay: [], byProject: [] });
 
-
         const pmap = new Map();
         if (fs.existsSync(sd)) {
-            fs.readdirSync(sd).forEach(d => {
+            const sessionDirs = await fs.promises.readdir(sd);
+            await Promise.all(sessionDirs.map(async d => {
                 const fp = path.join(sd, d);
-                if (fs.statSync(fp).isDirectory()) {
-                    fs.readdirSync(fp).forEach(f => {
-                        if (f.startsWith('ses_') && f.endsWith('.json')) {
-                            try {
-                                const m = JSON.parse(fs.readFileSync(path.join(fp, f), 'utf8'));
-                                pmap.set(f.replace('.json', ''), { name: m.directory ? path.basename(m.directory) : (m.projectID ? m.projectID.substring(0, 8) : 'Unknown'), id: m.projectID || d });
-                            } catch {}
-                        }
-                    });
-                }
-            });
+                try {
+                    const stats = await fs.promises.stat(fp);
+                    if (stats.isDirectory()) {
+                        const files = await fs.promises.readdir(fp);
+                        await Promise.all(files.map(async f => {
+                            if (f.startsWith('ses_') && f.endsWith('.json')) {
+                                try {
+                                    const m = JSON.parse(await fs.promises.readFile(path.join(fp, f), 'utf8'));
+                                    pmap.set(f.replace('.json', ''), { 
+                                        name: m.directory ? path.basename(m.directory) : (m.projectID ? m.projectID.substring(0, 8) : 'Unknown'), 
+                                        id: m.projectID || d 
+                                    });
+                                } catch {}
+                            }
+                        }));
+                    }
+                } catch {}
+            }));
         }
 
         const stats = { totalCost: 0, totalTokens: 0, byModel: {}, byTime: {}, byProject: {} };
@@ -741,52 +1144,61 @@ app.get('/api/usage', async (req, res) => {
         else if (range === '30d') min = now - 2592000000;
         else if (range === '1y') min = now - 31536000000;
 
-        fs.readdirSync(md).forEach(s => {
+        const sessionDirs = await fs.promises.readdir(md);
+        await Promise.all(sessionDirs.map(async s => {
             if (!s.startsWith('ses_')) return;
             const sp = path.join(md, s);
-            if (fs.statSync(sp).isDirectory()) {
-                fs.readdirSync(sp).forEach(f => {
-                    if (!f.endsWith('.json') || seen.has(path.join(sp, f))) return;
-                    seen.add(path.join(sp, f));
-                    try {
-                        const msg = JSON.parse(fs.readFileSync(path.join(sp, f), 'utf8'));
-                        const pid = pmap.get(s)?.id || 'unknown';
-                        if (fid && fid !== 'all' && pid !== fid) return;
-                        if (min > 0 && msg.time.created < min) return;
-                        if (msg.role === 'assistant' && msg.tokens) {
-                            const c = msg.cost || 0, it = msg.tokens.input || 0, ot = msg.tokens.output || 0, t = it + ot;
-                            const d = new Date(msg.time.created);
-                            let tk;
-                            if (granularity === 'hourly') tk = d.toISOString().substring(0, 13) + ':00:00Z';
-                            else if (granularity === 'weekly') {
-                                const day = d.getDay(), diff = d.getDate() - day + (day === 0 ? -6 : 1);
-                                tk = new Date(d.setDate(diff)).toISOString().split('T')[0];
-                            } else if (granularity === 'monthly') tk = d.toISOString().substring(0, 7) + '-01';
-                            else tk = d.toISOString().split('T')[0];
-
-                            const mid = msg.modelID || (msg.model && (msg.model.modelID || msg.model.id)) || 'unknown';
-                            stats.totalCost += c; stats.totalTokens += t;
-                            [stats.byModel, stats.byProject].forEach((obj, i) => {
-                                const key = i === 0 ? mid : pid;
-                                if (!obj[key]) obj[key] = { name: key, id: key, cost: 0, tokens: 0, inputTokens: 0, outputTokens: 0 };
-                                if (i === 1) obj[key].name = pmap.get(s)?.name || 'Unassigned';
-                                obj[key].cost += c; obj[key].tokens += t; obj[key].inputTokens += it; obj[key].outputTokens += ot;
-                            });
-
-                            if (!stats.byTime[tk]) stats.byTime[tk] = { date: tk, name: tk, id: tk, cost: 0, tokens: 0, inputTokens: 0, outputTokens: 0 };
-                            const te = stats.byTime[tk];
-                            te.cost += c; te.tokens += t; te.inputTokens += it; te.outputTokens += ot;
-                            if (!te[mid]) te[mid] = 0;
-                            te[mid] += c;
+            try {
+                const spStats = await fs.promises.stat(sp);
+                if (spStats.isDirectory()) {
+                    const files = await fs.promises.readdir(sp);
+                    for (const f of files) {
+                        if (!f.endsWith('.json')) continue;
+                        const fullPath = path.join(sp, f);
+                        if (seen.has(fullPath)) continue;
+                        seen.add(fullPath);
+                        
+                        try {
+                            const msg = JSON.parse(await fs.promises.readFile(fullPath, 'utf8'));
+                            const pid = pmap.get(s)?.id || 'unknown';
+                            if (fid && fid !== 'all' && pid !== fid) continue;
+                            if (min > 0 && msg.time.created < min) continue;
                             
-                            const kIn = `${mid}_input`, kOut = `${mid}_output`;
-                            te[kIn] = (te[kIn] || 0) + it;
-                            te[kOut] = (te[kOut] || 0) + ot;
-                        }
-                    } catch {}
-                });
-            }
-        });
+                            if (msg.role === 'assistant' && msg.tokens) {
+                                const c = msg.cost || 0, it = msg.tokens.input || 0, ot = msg.tokens.output || 0, t = it + ot;
+                                const d = new Date(msg.time.created);
+                                let tk;
+                                if (granularity === 'hourly') tk = d.toISOString().substring(0, 13) + ':00:00Z';
+                                else if (granularity === 'weekly') {
+                                    const day = d.getDay(), diff = d.getDate() - day + (day === 0 ? -6 : 1);
+                                    tk = new Date(d.setDate(diff)).toISOString().split('T')[0];
+                                } else if (granularity === 'monthly') tk = d.toISOString().substring(0, 7) + '-01';
+                                else tk = d.toISOString().split('T')[0];
+
+                                const mid = msg.modelID || (msg.model && (msg.model.modelID || msg.model.id)) || 'unknown';
+                                stats.totalCost += c; stats.totalTokens += t;
+                                
+                                if (!stats.byModel[mid]) stats.byModel[mid] = { name: mid, id: mid, cost: 0, tokens: 0, inputTokens: 0, outputTokens: 0 };
+                                stats.byModel[mid].cost += c; stats.byModel[mid].tokens += t; stats.byModel[mid].inputTokens += it; stats.byModel[mid].outputTokens += ot;
+
+                                if (!stats.byProject[pid]) stats.byProject[pid] = { name: pmap.get(s)?.name || 'Unassigned', id: pid, cost: 0, tokens: 0, inputTokens: 0, outputTokens: 0 };
+                                stats.byProject[pid].cost += c; stats.byProject[pid].tokens += t; stats.byProject[pid].inputTokens += it; stats.byProject[pid].outputTokens += ot;
+
+                                if (!stats.byTime[tk]) stats.byTime[tk] = { date: tk, name: tk, id: tk, cost: 0, tokens: 0, inputTokens: 0, outputTokens: 0 };
+                                const te = stats.byTime[tk];
+                                te.cost += c; te.tokens += t; te.inputTokens += it; te.outputTokens += ot;
+                                if (!te[mid]) te[mid] = 0;
+                                te[mid] += c;
+                                
+                                const kIn = `${mid}_input`, kOut = `${mid}_output`;
+                                te[kIn] = (te[kIn] || 0) + it;
+                                te[kOut] = (te[kOut] || 0) + ot;
+                            }
+                        } catch {}
+                    }
+                }
+            } catch {}
+        }));
 
         res.json({
             totalCost: stats.totalCost,
@@ -796,7 +1208,8 @@ app.get('/api/usage', async (req, res) => {
             byProject: Object.values(stats.byProject).sort((a, b) => b.cost - a.cost)
         });
     } catch (error) {
-        res.status(500).json({ error: 'Failed' });
+        console.error('Usage API error:', error);
+        res.status(500).json({ error: 'Failed to fetch usage statistics' });
     }
 });
 
@@ -809,11 +1222,14 @@ app.post('/api/auth/google/plugin', (req, res) => {
     try {
         const opencode = loadConfig();
         if (opencode) {
-            if (opencode.provider?.google) {
-                const models = studio.pluginModels[plugin];
-                if (models) {
-                    opencode.provider.google.models = models;
-                }
+            if (!opencode.provider) opencode.provider = {};
+            if (!opencode.provider.google) {
+                opencode.provider.google = { models: {} };
+            }
+            
+            const models = studio.pluginModels[plugin];
+            if (models) {
+                opencode.provider.google.models = models;
             }
 
             if (!opencode.plugin) opencode.plugin = [];
@@ -844,7 +1260,7 @@ app.post('/api/auth/google/plugin', (req, res) => {
                 } else if (plugin === 'gemini' && authCfg['google.gemini']) {
                     authCfg.google = { ...authCfg['google.gemini'] };
                 }
-                fs.writeFileSync(ap, JSON.stringify(authCfg, null, 2), 'utf8');
+                atomicWriteFileSync(ap, JSON.stringify(authCfg, null, 2));
             }
         }
     } catch (err) {
@@ -859,6 +1275,202 @@ app.get('/api/auth/google/plugin', (req, res) => {
     res.json({ activePlugin: studio.activeGooglePlugin || null });
 });
 
+const GEMINI_CLIENT_ID = process.env.GEMINI_CLIENT_ID || "";
+const GEMINI_CLIENT_SECRET = process.env.GEMINI_CLIENT_SECRET || "";
+const GEMINI_SCOPES = [
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/userinfo.email",
+    "https://www.googleapis.com/auth/userinfo.profile"
+];
+const OAUTH_CALLBACK_PORT = 8085;
+const GEMINI_REDIRECT_URI = `http://localhost:${OAUTH_CALLBACK_PORT}/oauth2callback`;
+
+let pendingOAuthState = null;
+let oauthCallbackServer = null;
+
+function generatePKCE() {
+    const verifier = crypto.randomBytes(32).toString('base64url');
+    const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
+    return { verifier, challenge };
+}
+
+function encodeOAuthState(payload) {
+    return Buffer.from(JSON.stringify(payload), 'utf8').toString('base64url');
+}
+
+app.post('/api/auth/google/start', async (req, res) => {
+    if (oauthCallbackServer) {
+        return res.status(400).json({ error: 'OAuth flow already in progress' });
+    }
+    
+    const { verifier, challenge } = generatePKCE();
+    const state = encodeOAuthState({ verifier });
+    
+    pendingOAuthState = { verifier, status: 'pending', startedAt: Date.now() };
+    
+    const authUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');
+    authUrl.searchParams.set('client_id', GEMINI_CLIENT_ID);
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set('redirect_uri', GEMINI_REDIRECT_URI);
+    authUrl.searchParams.set('scope', GEMINI_SCOPES.join(' '));
+    authUrl.searchParams.set('code_challenge', challenge);
+    authUrl.searchParams.set('code_challenge_method', 'S256');
+    authUrl.searchParams.set('state', state);
+    authUrl.searchParams.set('access_type', 'offline');
+    authUrl.searchParams.set('prompt', 'consent');
+    
+    const callbackApp = express();
+    
+    callbackApp.get('/oauth2callback', async (callbackReq, callbackRes) => {
+        const { code, state: returnedState, error } = callbackReq.query;
+        
+        if (error) {
+            pendingOAuthState = { ...pendingOAuthState, status: 'error', error };
+            callbackRes.send('<html><body><h2>Login Failed</h2><p>Error: ' + error + '</p><script>window.close()</script></body></html>');
+            shutdownCallbackServer();
+            return;
+        }
+        
+        if (!code) {
+            pendingOAuthState = { ...pendingOAuthState, status: 'error', error: 'No authorization code received' };
+            callbackRes.send('<html><body><h2>Login Failed</h2><p>No code received</p><script>window.close()</script></body></html>');
+            shutdownCallbackServer();
+            return;
+        }
+        
+        try {
+            const tokenResponse = await fetch('https://oauth2.googleapis.com/token', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: new URLSearchParams({
+                    client_id: GEMINI_CLIENT_ID,
+                    client_secret: GEMINI_CLIENT_SECRET,
+                    code,
+                    grant_type: 'authorization_code',
+                    redirect_uri: GEMINI_REDIRECT_URI,
+                    code_verifier: pendingOAuthState.verifier
+                })
+            });
+            
+            if (!tokenResponse.ok) {
+                const errText = await tokenResponse.text();
+                throw new Error(errText);
+            }
+            
+            const tokens = await tokenResponse.json();
+            
+            let email = null;
+            try {
+                const userInfoRes = await fetch('https://www.googleapis.com/oauth2/v1/userinfo?alt=json', {
+                    headers: { 'Authorization': `Bearer ${tokens.access_token}` }
+                });
+                if (userInfoRes.ok) {
+                    const userInfo = await userInfoRes.json();
+                    email = userInfo.email;
+                }
+            } catch {}
+            
+            const cp = getConfigPath();
+            const ap = path.join(path.dirname(cp), 'auth.json');
+            const authCfg = fs.existsSync(ap) ? JSON.parse(fs.readFileSync(ap, 'utf8')) : {};
+            
+            const studio = loadStudioConfig();
+            const activePlugin = studio.activeGooglePlugin || 'gemini';
+            const namespace = activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini';
+            
+            const credentials = {
+                refresh_token: tokens.refresh_token,
+                access_token: tokens.access_token,
+                expiry: Date.now() + (tokens.expires_in * 1000),
+                email
+            };
+            
+            authCfg.google = credentials;
+            authCfg[namespace] = credentials;
+            
+            atomicWriteFileSync(ap, JSON.stringify(authCfg, null, 2));
+            
+            pendingOAuthState = { ...pendingOAuthState, status: 'success', email };
+            
+            callbackRes.send(`
+                <html>
+                <head><style>body{font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;background:#f0fdf4}
+                .card{background:white;padding:2rem;border-radius:12px;box-shadow:0 4px 12px rgba(0,0,0,0.1);text-align:center}
+                h2{color:#16a34a;margin:0 0 0.5rem}</style></head>
+                <body><div class="card"><h2>✓ Login Successful!</h2><p>Logged in as ${email || 'Google User'}</p><p style="color:#666;font-size:0.875rem">You can close this window.</p></div>
+                <script>setTimeout(()=>window.close(),2000)</script></body></html>
+            `);
+        } catch (err) {
+            pendingOAuthState = { ...pendingOAuthState, status: 'error', error: err.message };
+            callbackRes.send('<html><body><h2>Login Failed</h2><p>' + err.message + '</p><script>window.close()</script></body></html>');
+        }
+        
+        shutdownCallbackServer();
+    });
+    
+    function shutdownCallbackServer() {
+        if (oauthCallbackServer) {
+            oauthCallbackServer.close();
+            oauthCallbackServer = null;
+        }
+    }
+    
+    try {
+        oauthCallbackServer = callbackApp.listen(OAUTH_CALLBACK_PORT, () => {
+            console.log(`OAuth callback server listening on port ${OAUTH_CALLBACK_PORT}`);
+        });
+        
+        oauthCallbackServer.on('error', (err) => {
+            console.error('Failed to start OAuth callback server:', err);
+            pendingOAuthState = { status: 'error', error: `Port ${OAUTH_CALLBACK_PORT} in use` };
+            oauthCallbackServer = null;
+        });
+        
+        setTimeout(() => {
+            if (oauthCallbackServer && pendingOAuthState?.status === 'pending') {
+                pendingOAuthState = { ...pendingOAuthState, status: 'error', error: 'OAuth timeout (2 minutes)' };
+                shutdownCallbackServer();
+            }
+        }, 120000);
+        
+        const platform = process.platform;
+        let openCmd;
+        if (platform === 'win32') {
+            openCmd = `start "" "${authUrl.toString()}"`;
+        } else if (platform === 'darwin') {
+            openCmd = `open "${authUrl.toString()}"`;
+        } else {
+            openCmd = `xdg-open "${authUrl.toString()}"`;
+        }
+        
+        exec(openCmd, (err) => {
+            if (err) console.error('Failed to open browser:', err);
+        });
+        
+        res.json({ success: true, authUrl: authUrl.toString(), message: 'Browser opened for Google login' });
+        
+    } catch (err) {
+        pendingOAuthState = null;
+        res.status(500).json({ error: err.message });
+    }
+});
+
+app.get('/api/auth/google/status', (req, res) => {
+    if (!pendingOAuthState) {
+        return res.json({ status: 'idle' });
+    }
+    res.json(pendingOAuthState);
+});
+
+app.post('/api/auth/google/cancel', (req, res) => {
+    if (oauthCallbackServer) {
+        oauthCallbackServer.close();
+        oauthCallbackServer = null;
+    }
+    pendingOAuthState = null;
+    res.json({ success: true });
+});
+
 app.get('/api/pending-action', (req, res) => {
     if (pendingActionMemory) return res.json({ action: pendingActionMemory });
     if (fs.existsSync(PENDING_ACTION_PATH)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-studio-server",
-  "version": "1.2.1",
+  "version": "1.2.2",
   "description": "Backend server for OpenCode Studio - manages opencode configurations",
   "main": "index.js",
   "bin": {