npm - opencode-studio-server - Versions diffs - 1.2.1 → 1.3.0 - Mend

opencode-studio-server 1.2.1 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.env ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ GEMINI_CLIENT_ID=681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com
2	+ GEMINI_CLIENT_SECRET=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

package/.env.example ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ GEMINI_CLIENT_ID=your_client_id_here
2	+ GEMINI_CLIENT_SECRET=your_client_secret_here

package/AGENTS.md ADDED Viewed

@@ -0,0 +1,37 @@
+# SERVER LAYER
+Express API backend (port 3001). Single-file architecture.
+## STRUCTURE
+| File | Purpose |
+|------|---------|
+| `index.js` | All routes, config IO, auth, skills, plugins, usage stats |
+| `cli.js` | npm bin entry, protocol URL parser, pending action queue |
+| `register-protocol.js` | OS-specific `opencodestudio://` handler registration |
+## WHERE TO LOOK
+| Task | Location |
+|------|----------|
+| Add API endpoint | `index.js` - add `app.get/post/delete` |
+| Config path detection | `index.js:getPaths()` - `CANDIDATE_PATHS` logic |
+| Auth profile management | `index.js:440-620` - profiles CRUD |
+| Google plugin switching | `index.js:803-860` - gemini/antigravity toggle |
+| Usage stats aggregation | `index.js:687-800` - reads message storage |
+| Protocol actions | `cli.js:34-84` - switch on action type |
+| Windows registry | `register-protocol.js:8-55` |
+## CONVENTIONS
+- All routes in single file (no route modules)
+- Studio prefs in `~/.config/opencode-studio/studio.json`, separate from opencode config
+- Auth profiles namespaced: `google.gemini`, `google.antigravity`
+- 30min idle timeout auto-shutdown
+## ANTI-PATTERNS
+- Hardcoding `~/.config/opencode` - use `getPaths().current`
+- Importing from `client-next/` - separate processes
+- Adding Next.js API routes - all API here
+- Modifying opencode.json structure without updating `client-next/src/types/`

package/cli.js CHANGED Viewed

@@ -40,16 +40,17 @@ if (protocolArg) {
                 break;
             case 'install-mcp':
-                // Queue MCP server installation
-                if (params.cmd || params.name) {
+                // Security: Do NOT accept 'cmd' or 'env' from deep links to prevent RCE.
+                // Only allow the name to be passed, user must configure the rest manually.
+                if (params.name) {
                     pendingAction = {
                         type: 'install-mcp',
-                        name: params.name || 'MCP Server',
-                        command: params.cmd ? decodeURIComponent(params.cmd) : null,
-                        env: params.env ? JSON.parse(decodeURIComponent(params.env)) : null,
+                        name: params.name,
+                        // command: params.cmd ? decodeURIComponent(params.cmd) : null, // DISABLED FOR SECURITY
+                        // env: params.env ? JSON.parse(decodeURIComponent(params.env)) : null, // DISABLED FOR SECURITY
                         timestamp: Date.now(),
                     };
-                    console.log(`Queued MCP install: ${pendingAction.name}`);
+                    console.log(`Queued MCP install (name only): ${pendingAction.name}`);
                 }
                 break;

package/index.js CHANGED Viewed

@@ -4,8 +4,24 @@ const bodyParser = require('body-parser');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const crypto = require('crypto');
 const { spawn, exec } = require('child_process');
+// Atomic file write: write to temp file then rename to prevent corruption
+const atomicWriteFileSync = (filePath, data, options = 'utf8') => {
+    const dir = path.dirname(filePath);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    const tempPath = path.join(dir, `.${path.basename(filePath)}.${crypto.randomBytes(6).toString('hex')}.tmp`);
+    try {
+        fs.writeFileSync(tempPath, data, options);
+        fs.renameSync(tempPath, filePath);
+    } catch (err) {
+        // Clean up temp file if rename fails
+        try { fs.unlinkSync(tempPath); } catch {}
+        throw err;
+    }
+};
 const app = express();
 const PORT = 3001;
 const IDLE_TIMEOUT_MS = 30 * 60 * 1000;
@@ -63,6 +79,7 @@ function loadStudioConfig() {
         activeProfiles: {},
         activeGooglePlugin: 'gemini',
         availableGooglePlugins: [],
+        presets: [],
         pluginModels: {
             gemini: {
                 "gemini-3-pro-preview": {
@@ -204,9 +221,7 @@ function loadStudioConfig() {
 function saveStudioConfig(config) {
     try {
-        const dir = path.dirname(STUDIO_CONFIG_PATH);
-        if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-        fs.writeFileSync(STUDIO_CONFIG_PATH, JSON.stringify(config, null, 2), 'utf8');
+        atomicWriteFileSync(STUDIO_CONFIG_PATH, JSON.stringify(config, null, 2));
         return true;
     } catch (err) {
         console.error('Failed to save studio config:', err);
@@ -265,9 +280,7 @@ const loadConfig = () => {
 const saveConfig = (config) => {
     const configPath = getConfigPath();
     if (!configPath) throw new Error('No config path found');
-    const dir = path.dirname(configPath);
-    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-    fs.writeFileSync(configPath, JSON.stringify(config, null, 2), 'utf8');
+    atomicWriteFileSync(configPath, JSON.stringify(config, null, 2));
 };
 app.get('/api/health', (req, res) => res.json({ status: 'ok' }));
@@ -317,6 +330,9 @@ app.get('/api/skills', (req, res) => {
 });
 app.get('/api/skills/:name', (req, res) => {
+    if (!/^[a-zA-Z0-9_\-\s]+$/.test(req.params.name)) {
+        return res.status(400).json({ error: 'Invalid skill name' });
+    }
     const sd = getSkillDir();
     const p = sd ? path.join(sd, req.params.name, 'SKILL.md') : null;
     if (!p || !fs.existsSync(p)) return res.status(404).json({ error: 'Not found' });
@@ -324,6 +340,9 @@ app.get('/api/skills/:name', (req, res) => {
 });
 app.post('/api/skills/:name', (req, res) => {
+    if (!/^[a-zA-Z0-9_\-\s]+$/.test(req.params.name)) {
+        return res.status(400).json({ error: 'Invalid skill name' });
+    }
     const sd = getSkillDir();
     if (!sd) return res.status(404).json({ error: 'No config' });
     const dp = path.join(sd, req.params.name);
@@ -333,12 +352,30 @@ app.post('/api/skills/:name', (req, res) => {
 });
 app.delete('/api/skills/:name', (req, res) => {
+    if (!/^[a-zA-Z0-9_\-\s]+$/.test(req.params.name)) {
+        return res.status(400).json({ error: 'Invalid skill name' });
+    }
     const sd = getSkillDir();
     const dp = sd ? path.join(sd, req.params.name) : null;
     if (dp && fs.existsSync(dp)) fs.rmSync(dp, { recursive: true, force: true });
     res.json({ success: true });
 });
+app.post('/api/skills/:name/toggle', (req, res) => {
+    const { name } = req.params;
+    const studio = loadStudioConfig();
+    studio.disabledSkills = studio.disabledSkills || [];
+    if (studio.disabledSkills.includes(name)) {
+        studio.disabledSkills = studio.disabledSkills.filter(s => s !== name);
+    } else {
+        studio.disabledSkills.push(name);
+    }
+    saveStudioConfig(studio);
+    res.json({ success: true, enabled: !studio.disabledSkills.includes(name) });
+});
 const getPluginDir = () => {
     const cp = getConfigPath();
     return cp ? path.join(path.dirname(cp), 'plugin') : null;
@@ -382,6 +419,79 @@ app.get('/api/plugins', (req, res) => {
     res.json(plugins);
 });
+app.get('/api/plugins/:name', (req, res) => {
+    const { name } = req.params;
+    const pd = getPluginDir();
+    const possiblePaths = [
+        path.join(pd, name + '.js'),
+        path.join(pd, name + '.ts'),
+        path.join(pd, name, 'index.js'),
+        path.join(pd, name, 'index.ts')
+    ];
+    for (const p of possiblePaths) {
+        if (fs.existsSync(p)) {
+            const content = fs.readFileSync(p, 'utf8');
+            return res.json({ name, content });
+        }
+    }
+    res.status(404).json({ error: 'Plugin not found' });
+});
+app.post('/api/plugins/:name', (req, res) => {
+    const { name } = req.params;
+    const { content } = req.body;
+    const pd = getPluginDir();
+    if (!fs.existsSync(pd)) fs.mkdirSync(pd, { recursive: true });
+    // Default to .js if new
+    const filePath = path.join(pd, name.endsWith('.js') || name.endsWith('.ts') ? name : name + '.js');
+    atomicWriteFileSync(filePath, content);
+    res.json({ success: true });
+});
+app.delete('/api/plugins/:name', (req, res) => {
+    const { name } = req.params;
+    const pd = getPluginDir();
+    const possiblePaths = [
+        path.join(pd, name),
+        path.join(pd, name + '.js'),
+        path.join(pd, name + '.ts')
+    ];
+    let deleted = false;
+    for (const p of possiblePaths) {
+        if (fs.existsSync(p)) {
+            if (fs.statSync(p).isDirectory()) {
+                fs.rmSync(p, { recursive: true, force: true });
+            } else {
+                fs.unlinkSync(p);
+            }
+            deleted = true;
+        }
+    }
+    if (deleted) res.json({ success: true });
+    else res.status(404).json({ error: 'Plugin not found' });
+});
+app.post('/api/plugins/:name/toggle', (req, res) => {
+    const { name } = req.params;
+    const studio = loadStudioConfig();
+    studio.disabledPlugins = studio.disabledPlugins || [];
+    if (studio.disabledPlugins.includes(name)) {
+        studio.disabledPlugins = studio.disabledPlugins.filter(p => p !== name);
+    } else {
+        studio.disabledPlugins.push(name);
+    }
+    saveStudioConfig(studio);
+    res.json({ success: true, enabled: !studio.disabledPlugins.includes(name) });
+});
 const getActiveGooglePlugin = () => {
     const studio = loadStudioConfig();
     return studio.activeGooglePlugin || null;
@@ -572,7 +682,7 @@ app.post('/api/auth/profiles/:provider', (req, res) => {
     if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
     const profilePath = path.join(dir, `${name || Date.now()}.json`);
-    fs.writeFileSync(profilePath, JSON.stringify(auth[provider], null, 2), 'utf8');
+    atomicWriteFileSync(profilePath, JSON.stringify(auth[provider], null, 2));
     res.json({ success: true, name: path.basename(profilePath, '.json') });
 });
@@ -603,7 +713,7 @@ app.post('/api/auth/profiles/:provider/:name/activate', (req, res) => {
     const cp = getConfigPath();
     const ap = path.join(path.dirname(cp), 'auth.json');
-    fs.writeFileSync(ap, JSON.stringify(authCfg, null, 2), 'utf8');
+    atomicWriteFileSync(ap, JSON.stringify(authCfg, null, 2));
     res.json({ success: true });
 });
@@ -643,30 +753,79 @@ app.put('/api/auth/profiles/:provider/:name', (req, res) => {
 app.post('/api/auth/login', (req, res) => {
     let { provider } = req.body;
+    // Security: Validate provider against allowlist to prevent command injection
+    const ALLOWED_PROVIDERS = [
+        "", "google", "anthropic", "openai", "xai",
+        "openrouter", "github-copilot", "gemini",
+        "together", "mistral", "deepseek", "amazon-bedrock", "azure"
+    ];
+    if (provider && !ALLOWED_PROVIDERS.includes(provider)) {
+        return res.status(400).json({ error: 'Invalid provider' });
+    }
     if (typeof provider !== 'string') provider = "";
     let cmd = 'opencode auth login';
     if (provider) cmd += ` ${provider}`;
     const platform = process.platform;
-    let terminalCmd;
     if (platform === 'win32') {
-        terminalCmd = `start "" cmd /c "call ${cmd} || pause"`;
+        const terminalCmd = `start "" cmd /c "call ${cmd} || pause"`;
+        console.log('Executing terminal command:', terminalCmd);
+        exec(terminalCmd, (err) => {
+            if (err) {
+                console.error('Failed to open terminal:', err);
+                return res.status(500).json({ error: 'Failed to open terminal', details: err.message });
+            }
+            res.json({ success: true, message: 'Terminal opened', note: 'Complete login in the terminal window' });
+        });
     } else if (platform === 'darwin') {
-        terminalCmd = `osascript -e 'tell application "Terminal" to do script "${cmd}"'`;
+        const terminalCmd = `osascript -e 'tell application "Terminal" to do script "${cmd}"'`;
+        console.log('Executing terminal command:', terminalCmd);
+        exec(terminalCmd, (err) => {
+            if (err) {
+                console.error('Failed to open terminal:', err);
+                return res.status(500).json({ error: 'Failed to open terminal', details: err.message });
+            }
+            res.json({ success: true, message: 'Terminal opened', note: 'Complete login in the terminal window' });
+        });
     } else {
-        terminalCmd = `x-terminal-emulator -e "${cmd}"`;
+        const linuxTerminals = [
+            { name: 'x-terminal-emulator', cmd: `x-terminal-emulator -e "${cmd}"` },
+            { name: 'gnome-terminal', cmd: `gnome-terminal -- bash -c "${cmd}; read -p 'Press Enter to close...'"` },
+            { name: 'konsole', cmd: `konsole -e bash -c "${cmd}; read -p 'Press Enter to close...'"` },
+            { name: 'xfce4-terminal', cmd: `xfce4-terminal -e "bash -c \\"${cmd}; read -p 'Press Enter to close...'\\"" ` },
+            { name: 'xterm', cmd: `xterm -e "bash -c '${cmd}; read -p Press_Enter_to_close...'"` }
+        ];
+        const tryTerminal = (index) => {
+            if (index >= linuxTerminals.length) {
+                const fallbackCmd = cmd;
+                return res.json({
+                    success: false,
+                    message: 'No terminal emulator found',
+                    note: 'Run this command manually in your terminal',
+                    command: fallbackCmd
+                });
+            }
+            const terminal = linuxTerminals[index];
+            console.log(`Trying terminal: ${terminal.name}`);
+            exec(terminal.cmd, (err) => {
+                if (err) {
+                    console.log(`${terminal.name} failed, trying next...`);
+                    tryTerminal(index + 1);
+                } else {
+                    res.json({ success: true, message: 'Terminal opened', note: 'Complete login in the terminal window' });
+                }
+            });
+        };
+        tryTerminal(0);
     }
-    console.log('Executing terminal command:', terminalCmd);
-    exec(terminalCmd, (err) => {
-        if (err) {
-            console.error('Failed to open terminal:', err);
-            return res.status(500).json({ error: 'Failed to open terminal', details: err.message });
-        }
-        res.json({ success: true, message: 'Terminal opened', note: 'Complete login in the terminal window' });
-    });
 });
 app.delete('/api/auth/:provider', (req, res) => {
@@ -675,7 +834,7 @@ app.delete('/api/auth/:provider', (req, res) => {
     delete authCfg[provider];
     const cp = getConfigPath();
     const ap = path.join(path.dirname(cp), 'auth.json');
-    fs.writeFileSync(ap, JSON.stringify(authCfg, null, 2), 'utf8');
+    atomicWriteFileSync(ap, JSON.stringify(authCfg, null, 2));
     const studio = loadStudioConfig();
     if (studio.activeProfiles) delete studio.activeProfiles[provider];
@@ -684,6 +843,332 @@ app.delete('/api/auth/:provider', (req, res) => {
     res.json({ success: true });
 });
+// ============================================
+// ACCOUNT POOL MANAGEMENT (Antigravity-style)
+// ============================================
+const POOL_METADATA_FILE = path.join(HOME_DIR, '.config', 'opencode-studio', 'pool-metadata.json');
+function loadPoolMetadata() {
+    if (!fs.existsSync(POOL_METADATA_FILE)) return {};
+    try {
+        return JSON.parse(fs.readFileSync(POOL_METADATA_FILE, 'utf8'));
+    } catch {
+        return {};
+    }
+}
+function savePoolMetadata(metadata) {
+    const dir = path.dirname(POOL_METADATA_FILE);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    atomicWriteFileSync(POOL_METADATA_FILE, JSON.stringify(metadata, null, 2));
+}
+function getAccountStatus(meta, now) {
+    if (!meta) return 'ready';
+    if (meta.cooldownUntil && meta.cooldownUntil > now) return 'cooldown';
+    if (meta.expired) return 'expired';
+    return 'ready';
+}
+function buildAccountPool(provider) {
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    const profileDir = path.join(AUTH_PROFILES_DIR, namespace);
+    const profiles = [];
+    const now = Date.now();
+    const metadata = loadPoolMetadata();
+    const providerMeta = metadata[namespace] || {};
+    // Get current active profile from studio config
+    const studio = loadStudioConfig();
+    const activeProfile = studio.activeProfiles?.[provider] || null;
+    if (fs.existsSync(profileDir)) {
+        const files = fs.readdirSync(profileDir).filter(f => f.endsWith('.json'));
+        files.forEach(file => {
+            const name = file.replace('.json', '');
+            const meta = providerMeta[name] || {};
+            const status = name === activeProfile ? 'active' : getAccountStatus(meta, now);
+            profiles.push({
+                name,
+                email: meta.email || null,
+                status,
+                lastUsed: meta.lastUsed || 0,
+                usageCount: meta.usageCount || 0,
+                cooldownUntil: meta.cooldownUntil || null,
+                createdAt: meta.createdAt || 0
+            });
+        });
+    }
+    // Sort: active first, then by lastUsed (LRU)
+    profiles.sort((a, b) => {
+        if (a.status === 'active') return -1;
+        if (b.status === 'active') return 1;
+        return a.lastUsed - b.lastUsed;
+    });
+    const available = profiles.filter(p => p.status === 'active' || p.status === 'ready').length;
+    const cooldown = profiles.filter(p => p.status === 'cooldown').length;
+    return {
+        provider,
+        namespace,
+        accounts: profiles,
+        activeAccount: activeProfile,
+        totalAccounts: profiles.length,
+        availableAccounts: available,
+        cooldownAccounts: cooldown
+    };
+}
+// GET /api/auth/pool - Get account pool for Google (or specified provider)
+app.get('/api/auth/pool', (req, res) => {
+    const provider = req.query.provider || 'google';
+    const pool = buildAccountPool(provider);
+    // Also include quota estimate (local tracking)
+    const metadata = loadPoolMetadata();
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    const quotaMeta = metadata._quota?.[namespace] || {};
+    const today = new Date().toISOString().split('T')[0];
+    const todayUsage = quotaMeta[today] || 0;
+    // Estimate: 1000 requests/day limit (configurable)
+    const dailyLimit = quotaMeta.dailyLimit || 1000;
+    const remaining = Math.max(0, dailyLimit - todayUsage);
+    const percentage = Math.round((remaining / dailyLimit) * 100);
+    const quota = {
+        dailyLimit,
+        remaining,
+        used: todayUsage,
+        percentage,
+        resetAt: new Date(new Date().setHours(24, 0, 0, 0)).toISOString(),
+        byAccount: pool.accounts.map(acc => ({
+            name: acc.name,
+            email: acc.email,
+            used: acc.usageCount,
+            limit: Math.floor(dailyLimit / Math.max(1, pool.totalAccounts))
+        }))
+    };
+    res.json({ pool, quota });
+});
+// POST /api/auth/pool/rotate - Rotate to next available account
+app.post('/api/auth/pool/rotate', (req, res) => {
+    const provider = req.body.provider || 'google';
+    const pool = buildAccountPool(provider);
+    if (pool.accounts.length === 0) {
+        return res.status(400).json({ error: 'No accounts in pool' });
+    }
+    const now = Date.now();
+    const available = pool.accounts.filter(acc =>
+        acc.status === 'ready' || (acc.status === 'cooldown' && acc.cooldownUntil && acc.cooldownUntil < now)
+    );
+    if (available.length === 0) {
+        return res.status(400).json({ error: 'No available accounts (all in cooldown or expired)' });
+    }
+    // Pick least recently used
+    const next = available.sort((a, b) => a.lastUsed - b.lastUsed)[0];
+    const previousActive = pool.activeAccount;
+    // Activate the new account
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    const profilePath = path.join(AUTH_PROFILES_DIR, namespace, `${next.name}.json`);
+    if (!fs.existsSync(profilePath)) {
+        return res.status(404).json({ error: 'Profile file not found' });
+    }
+    const profileData = JSON.parse(fs.readFileSync(profilePath, 'utf8'));
+    // Update auth.json
+    const authCfg = loadAuthConfig() || {};
+    authCfg[provider] = profileData;
+    if (provider === 'google') {
+        authCfg[namespace] = profileData;
+    }
+    const cp = getConfigPath();
+    const ap = path.join(path.dirname(cp), 'auth.json');
+    atomicWriteFileSync(ap, JSON.stringify(authCfg, null, 2));
+    // Update studio config
+    const studio = loadStudioConfig();
+    if (!studio.activeProfiles) studio.activeProfiles = {};
+    studio.activeProfiles[provider] = next.name;
+    saveStudioConfig(studio);
+    // Update metadata
+    const metadata = loadPoolMetadata();
+    if (!metadata[namespace]) metadata[namespace] = {};
+    metadata[namespace][next.name] = {
+        ...metadata[namespace][next.name],
+        lastUsed: now
+    };
+    savePoolMetadata(metadata);
+    res.json({
+        success: true,
+        previousAccount: previousActive,
+        newAccount: next.name,
+        reason: 'manual_rotation'
+    });
+});
+// PUT /api/auth/pool/:name/cooldown - Mark account as in cooldown
+app.put('/api/auth/pool/:name/cooldown', (req, res) => {
+    const { name } = req.params;
+    const { duration = 3600000, provider = 'google' } = req.body; // default 1 hour
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    const metadata = loadPoolMetadata();
+    if (!metadata[namespace]) metadata[namespace] = {};
+    metadata[namespace][name] = {
+        ...metadata[namespace][name],
+        cooldownUntil: Date.now() + duration,
+        lastCooldownReason: req.body.reason || 'rate_limit'
+    };
+    savePoolMetadata(metadata);
+    res.json({ success: true, cooldownUntil: metadata[namespace][name].cooldownUntil });
+});
+// DELETE /api/auth/pool/:name/cooldown - Clear cooldown for account
+app.delete('/api/auth/pool/:name/cooldown', (req, res) => {
+    const { name } = req.params;
+    const provider = req.query.provider || 'google';
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    const metadata = loadPoolMetadata();
+    if (metadata[namespace]?.[name]) {
+        delete metadata[namespace][name].cooldownUntil;
+        savePoolMetadata(metadata);
+    }
+    res.json({ success: true });
+});
+// POST /api/auth/pool/:name/usage - Increment usage counter (for tracking)
+app.post('/api/auth/pool/:name/usage', (req, res) => {
+    const { name } = req.params;
+    const { provider = 'google' } = req.body;
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    const metadata = loadPoolMetadata();
+    if (!metadata[namespace]) metadata[namespace] = {};
+    if (!metadata[namespace][name]) metadata[namespace][name] = { usageCount: 0 };
+    metadata[namespace][name].usageCount = (metadata[namespace][name].usageCount || 0) + 1;
+    metadata[namespace][name].lastUsed = Date.now();
+    // Track daily quota
+    if (!metadata._quota) metadata._quota = {};
+    if (!metadata._quota[namespace]) metadata._quota[namespace] = {};
+    const today = new Date().toISOString().split('T')[0];
+    metadata._quota[namespace][today] = (metadata._quota[namespace][today] || 0) + 1;
+    savePoolMetadata(metadata);
+    res.json({ success: true, usageCount: metadata[namespace][name].usageCount });
+});
+// PUT /api/auth/pool/:name/metadata - Update account metadata (email, etc.)
+app.put('/api/auth/pool/:name/metadata', (req, res) => {
+    const { name } = req.params;
+    const { provider = 'google', email, createdAt } = req.body;
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    const metadata = loadPoolMetadata();
+    if (!metadata[namespace]) metadata[namespace] = {};
+    if (!metadata[namespace][name]) metadata[namespace][name] = {};
+    if (email !== undefined) metadata[namespace][name].email = email;
+    if (createdAt !== undefined) metadata[namespace][name].createdAt = createdAt;
+    savePoolMetadata(metadata);
+    res.json({ success: true });
+});
+// GET /api/auth/pool/quota - Get quota info
+app.get('/api/auth/pool/quota', (req, res) => {
+    const provider = req.query.provider || 'google';
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    const metadata = loadPoolMetadata();
+    const quotaMeta = metadata._quota?.[namespace] || {};
+    const today = new Date().toISOString().split('T')[0];
+    const todayUsage = quotaMeta[today] || 0;
+    const dailyLimit = quotaMeta.dailyLimit || 1000;
+    res.json({
+        dailyLimit,
+        remaining: Math.max(0, dailyLimit - todayUsage),
+        used: todayUsage,
+        percentage: Math.round(((dailyLimit - todayUsage) / dailyLimit) * 100),
+        resetAt: new Date(new Date().setHours(24, 0, 0, 0)).toISOString(),
+        byAccount: []
+    });
+});
+// POST /api/auth/pool/quota/limit - Set daily quota limit
+app.post('/api/auth/pool/quota/limit', (req, res) => {
+    const { provider = 'google', limit } = req.body;
+    const activePlugin = getActiveGooglePlugin();
+    const namespace = provider === 'google'
+        ? (activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini')
+        : provider;
+    const metadata = loadPoolMetadata();
+    if (!metadata._quota) metadata._quota = {};
+    if (!metadata._quota[namespace]) metadata._quota[namespace] = {};
+    metadata._quota[namespace].dailyLimit = limit;
+    savePoolMetadata(metadata);
+    res.json({ success: true, dailyLimit: limit });
+});
+// ============================================
+// END ACCOUNT POOL MANAGEMENT
+// ============================================
 app.get('/api/usage', async (req, res) => {
     try {
         const {projectId: fid, granularity = 'daily', range = '30d'} = req.query;
@@ -714,22 +1199,29 @@ app.get('/api/usage', async (req, res) => {
         if (!md) return res.json({ totalCost: 0, totalTokens: 0, byModel: [], byDay: [], byProject: [] });
         const pmap = new Map();
         if (fs.existsSync(sd)) {
-            fs.readdirSync(sd).forEach(d => {
+            const sessionDirs = await fs.promises.readdir(sd);
+            await Promise.all(sessionDirs.map(async d => {
                 const fp = path.join(sd, d);
-                if (fs.statSync(fp).isDirectory()) {
-                    fs.readdirSync(fp).forEach(f => {
-                        if (f.startsWith('ses_') && f.endsWith('.json')) {
-                            try {
-                                const m = JSON.parse(fs.readFileSync(path.join(fp, f), 'utf8'));
-                                pmap.set(f.replace('.json', ''), { name: m.directory ? path.basename(m.directory) : (m.projectID ? m.projectID.substring(0, 8) : 'Unknown'), id: m.projectID || d });
-                            } catch {}
-                        }
-                    });
-                }
-            });
+                try {
+                    const stats = await fs.promises.stat(fp);
+                    if (stats.isDirectory()) {
+                        const files = await fs.promises.readdir(fp);
+                        await Promise.all(files.map(async f => {
+                            if (f.startsWith('ses_') && f.endsWith('.json')) {
+                                try {
+                                    const m = JSON.parse(await fs.promises.readFile(path.join(fp, f), 'utf8'));
+                                    pmap.set(f.replace('.json', ''), {
+                                        name: m.directory ? path.basename(m.directory) : (m.projectID ? m.projectID.substring(0, 8) : 'Unknown'),
+                                        id: m.projectID || d
+                                    });
+                                } catch {}
+                            }
+                        }));
+                    }
+                } catch {}
+            }));
         }
         const stats = { totalCost: 0, totalTokens: 0, byModel: {}, byTime: {}, byProject: {} };
@@ -741,52 +1233,61 @@ app.get('/api/usage', async (req, res) => {
         else if (range === '30d') min = now - 2592000000;
         else if (range === '1y') min = now - 31536000000;
-        fs.readdirSync(md).forEach(s => {
+        const sessionDirs = await fs.promises.readdir(md);
+        await Promise.all(sessionDirs.map(async s => {
             if (!s.startsWith('ses_')) return;
             const sp = path.join(md, s);
-            if (fs.statSync(sp).isDirectory()) {
-                fs.readdirSync(sp).forEach(f => {
-                    if (!f.endsWith('.json') || seen.has(path.join(sp, f))) return;
-                    seen.add(path.join(sp, f));
-                    try {
-                        const msg = JSON.parse(fs.readFileSync(path.join(sp, f), 'utf8'));
-                        const pid = pmap.get(s)?.id || 'unknown';
-                        if (fid && fid !== 'all' && pid !== fid) return;
-                        if (min > 0 && msg.time.created < min) return;
-                        if (msg.role === 'assistant' && msg.tokens) {
-                            const c = msg.cost || 0, it = msg.tokens.input || 0, ot = msg.tokens.output || 0, t = it + ot;
-                            const d = new Date(msg.time.created);
-                            let tk;
-                            if (granularity === 'hourly') tk = d.toISOString().substring(0, 13) + ':00:00Z';
-                            else if (granularity === 'weekly') {
-                                const day = d.getDay(), diff = d.getDate() - day + (day === 0 ? -6 : 1);
-                                tk = new Date(d.setDate(diff)).toISOString().split('T')[0];
-                            } else if (granularity === 'monthly') tk = d.toISOString().substring(0, 7) + '-01';
-                            else tk = d.toISOString().split('T')[0];
-                            const mid = msg.modelID || (msg.model && (msg.model.modelID || msg.model.id)) || 'unknown';
-                            stats.totalCost += c; stats.totalTokens += t;
-                            [stats.byModel, stats.byProject].forEach((obj, i) => {
-                                const key = i === 0 ? mid : pid;
-                                if (!obj[key]) obj[key] = { name: key, id: key, cost: 0, tokens: 0, inputTokens: 0, outputTokens: 0 };
-                                if (i === 1) obj[key].name = pmap.get(s)?.name || 'Unassigned';
-                                obj[key].cost += c; obj[key].tokens += t; obj[key].inputTokens += it; obj[key].outputTokens += ot;
-                            });
-                            if (!stats.byTime[tk]) stats.byTime[tk] = { date: tk, name: tk, id: tk, cost: 0, tokens: 0, inputTokens: 0, outputTokens: 0 };
-                            const te = stats.byTime[tk];
-                            te.cost += c; te.tokens += t; te.inputTokens += it; te.outputTokens += ot;
-                            if (!te[mid]) te[mid] = 0;
-                            te[mid] += c;
+            try {
+                const spStats = await fs.promises.stat(sp);
+                if (spStats.isDirectory()) {
+                    const files = await fs.promises.readdir(sp);
+                    for (const f of files) {
+                        if (!f.endsWith('.json')) continue;
+                        const fullPath = path.join(sp, f);
+                        if (seen.has(fullPath)) continue;
+                        seen.add(fullPath);
+                        try {
+                            const msg = JSON.parse(await fs.promises.readFile(fullPath, 'utf8'));
+                            const pid = pmap.get(s)?.id || 'unknown';
+                            if (fid && fid !== 'all' && pid !== fid) continue;
+                            if (min > 0 && msg.time.created < min) continue;
-                            const kIn = `${mid}_input`, kOut = `${mid}_output`;
-                            te[kIn] = (te[kIn] || 0) + it;
-                            te[kOut] = (te[kOut] || 0) + ot;
-                        }
-                    } catch {}
-                });
-            }
-        });
+                            if (msg.role === 'assistant' && msg.tokens) {
+                                const c = msg.cost || 0, it = msg.tokens.input || 0, ot = msg.tokens.output || 0, t = it + ot;
+                                const d = new Date(msg.time.created);
+                                let tk;
+                                if (granularity === 'hourly') tk = d.toISOString().substring(0, 13) + ':00:00Z';
+                                else if (granularity === 'weekly') {
+                                    const day = d.getDay(), diff = d.getDate() - day + (day === 0 ? -6 : 1);
+                                    tk = new Date(d.setDate(diff)).toISOString().split('T')[0];
+                                } else if (granularity === 'monthly') tk = d.toISOString().substring(0, 7) + '-01';
+                                else tk = d.toISOString().split('T')[0];
+                                const mid = msg.modelID || (msg.model && (msg.model.modelID || msg.model.id)) || 'unknown';
+                                stats.totalCost += c; stats.totalTokens += t;
+                                if (!stats.byModel[mid]) stats.byModel[mid] = { name: mid, id: mid, cost: 0, tokens: 0, inputTokens: 0, outputTokens: 0 };
+                                stats.byModel[mid].cost += c; stats.byModel[mid].tokens += t; stats.byModel[mid].inputTokens += it; stats.byModel[mid].outputTokens += ot;
+                                if (!stats.byProject[pid]) stats.byProject[pid] = { name: pmap.get(s)?.name || 'Unassigned', id: pid, cost: 0, tokens: 0, inputTokens: 0, outputTokens: 0 };
+                                stats.byProject[pid].cost += c; stats.byProject[pid].tokens += t; stats.byProject[pid].inputTokens += it; stats.byProject[pid].outputTokens += ot;
+                                if (!stats.byTime[tk]) stats.byTime[tk] = { date: tk, name: tk, id: tk, cost: 0, tokens: 0, inputTokens: 0, outputTokens: 0 };
+                                const te = stats.byTime[tk];
+                                te.cost += c; te.tokens += t; te.inputTokens += it; te.outputTokens += ot;
+                                if (!te[mid]) te[mid] = 0;
+                                te[mid] += c;
+                                const kIn = `${mid}_input`, kOut = `${mid}_output`;
+                                te[kIn] = (te[kIn] || 0) + it;
+                                te[kOut] = (te[kOut] || 0) + ot;
+                            }
+                        } catch {}
+                    }
+                }
+            } catch {}
+        }));
         res.json({
             totalCost: stats.totalCost,
@@ -796,7 +1297,8 @@ app.get('/api/usage', async (req, res) => {
             byProject: Object.values(stats.byProject).sort((a, b) => b.cost - a.cost)
         });
     } catch (error) {
-        res.status(500).json({ error: 'Failed' });
+        console.error('Usage API error:', error);
+        res.status(500).json({ error: 'Failed to fetch usage statistics' });
     }
 });
@@ -809,11 +1311,14 @@ app.post('/api/auth/google/plugin', (req, res) => {
     try {
         const opencode = loadConfig();
         if (opencode) {
-            if (opencode.provider?.google) {
-                const models = studio.pluginModels[plugin];
-                if (models) {
-                    opencode.provider.google.models = models;
-                }
+            if (!opencode.provider) opencode.provider = {};
+            if (!opencode.provider.google) {
+                opencode.provider.google = { models: {} };
+            }
+            const models = studio.pluginModels[plugin];
+            if (models) {
+                opencode.provider.google.models = models;
             }
             if (!opencode.plugin) opencode.plugin = [];
@@ -844,7 +1349,7 @@ app.post('/api/auth/google/plugin', (req, res) => {
                 } else if (plugin === 'gemini' && authCfg['google.gemini']) {
                     authCfg.google = { ...authCfg['google.gemini'] };
                 }
-                fs.writeFileSync(ap, JSON.stringify(authCfg, null, 2), 'utf8');
+                atomicWriteFileSync(ap, JSON.stringify(authCfg, null, 2));
             }
         }
     } catch (err) {
@@ -859,6 +1364,202 @@ app.get('/api/auth/google/plugin', (req, res) => {
     res.json({ activePlugin: studio.activeGooglePlugin || null });
 });
+const GEMINI_CLIENT_ID = process.env.GEMINI_CLIENT_ID || "";
+const GEMINI_CLIENT_SECRET = process.env.GEMINI_CLIENT_SECRET || "";
+const GEMINI_SCOPES = [
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/userinfo.email",
+    "https://www.googleapis.com/auth/userinfo.profile"
+];
+const OAUTH_CALLBACK_PORT = 8085;
+const GEMINI_REDIRECT_URI = `http://localhost:${OAUTH_CALLBACK_PORT}/oauth2callback`;
+let pendingOAuthState = null;
+let oauthCallbackServer = null;
+function generatePKCE() {
+    const verifier = crypto.randomBytes(32).toString('base64url');
+    const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
+    return { verifier, challenge };
+}
+function encodeOAuthState(payload) {
+    return Buffer.from(JSON.stringify(payload), 'utf8').toString('base64url');
+}
+app.post('/api/auth/google/start', async (req, res) => {
+    if (oauthCallbackServer) {
+        return res.status(400).json({ error: 'OAuth flow already in progress' });
+    }
+    const { verifier, challenge } = generatePKCE();
+    const state = encodeOAuthState({ verifier });
+    pendingOAuthState = { verifier, status: 'pending', startedAt: Date.now() };
+    const authUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');
+    authUrl.searchParams.set('client_id', GEMINI_CLIENT_ID);
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set('redirect_uri', GEMINI_REDIRECT_URI);
+    authUrl.searchParams.set('scope', GEMINI_SCOPES.join(' '));
+    authUrl.searchParams.set('code_challenge', challenge);
+    authUrl.searchParams.set('code_challenge_method', 'S256');
+    authUrl.searchParams.set('state', state);
+    authUrl.searchParams.set('access_type', 'offline');
+    authUrl.searchParams.set('prompt', 'consent');
+    const callbackApp = express();
+    callbackApp.get('/oauth2callback', async (callbackReq, callbackRes) => {
+        const { code, state: returnedState, error } = callbackReq.query;
+        if (error) {
+            pendingOAuthState = { ...pendingOAuthState, status: 'error', error };
+            callbackRes.send('<html><body><h2>Login Failed</h2><p>Error: ' + error + '</p><script>window.close()</script></body></html>');
+            shutdownCallbackServer();
+            return;
+        }
+        if (!code) {
+            pendingOAuthState = { ...pendingOAuthState, status: 'error', error: 'No authorization code received' };
+            callbackRes.send('<html><body><h2>Login Failed</h2><p>No code received</p><script>window.close()</script></body></html>');
+            shutdownCallbackServer();
+            return;
+        }
+        try {
+            const tokenResponse = await fetch('https://oauth2.googleapis.com/token', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: new URLSearchParams({
+                    client_id: GEMINI_CLIENT_ID,
+                    client_secret: GEMINI_CLIENT_SECRET,
+                    code,
+                    grant_type: 'authorization_code',
+                    redirect_uri: GEMINI_REDIRECT_URI,
+                    code_verifier: pendingOAuthState.verifier
+                })
+            });
+            if (!tokenResponse.ok) {
+                const errText = await tokenResponse.text();
+                throw new Error(errText);
+            }
+            const tokens = await tokenResponse.json();
+            let email = null;
+            try {
+                const userInfoRes = await fetch('https://www.googleapis.com/oauth2/v1/userinfo?alt=json', {
+                    headers: { 'Authorization': `Bearer ${tokens.access_token}` }
+                });
+                if (userInfoRes.ok) {
+                    const userInfo = await userInfoRes.json();
+                    email = userInfo.email;
+                }
+            } catch {}
+            const cp = getConfigPath();
+            const ap = path.join(path.dirname(cp), 'auth.json');
+            const authCfg = fs.existsSync(ap) ? JSON.parse(fs.readFileSync(ap, 'utf8')) : {};
+            const studio = loadStudioConfig();
+            const activePlugin = studio.activeGooglePlugin || 'gemini';
+            const namespace = activePlugin === 'antigravity' ? 'google.antigravity' : 'google.gemini';
+            const credentials = {
+                refresh_token: tokens.refresh_token,
+                access_token: tokens.access_token,
+                expiry: Date.now() + (tokens.expires_in * 1000),
+                email
+            };
+            authCfg.google = credentials;
+            authCfg[namespace] = credentials;
+            atomicWriteFileSync(ap, JSON.stringify(authCfg, null, 2));
+            pendingOAuthState = { ...pendingOAuthState, status: 'success', email };
+            callbackRes.send(`
+                <html>
+                <head><style>body{font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;background:#f0fdf4}
+                .card{background:white;padding:2rem;border-radius:12px;box-shadow:0 4px 12px rgba(0,0,0,0.1);text-align:center}
+                h2{color:#16a34a;margin:0 0 0.5rem}</style></head>
+                <body><div class="card"><h2>✓ Login Successful!</h2><p>Logged in as ${email || 'Google User'}</p><p style="color:#666;font-size:0.875rem">You can close this window.</p></div>
+                <script>setTimeout(()=>window.close(),2000)</script></body></html>
+            `);
+        } catch (err) {
+            pendingOAuthState = { ...pendingOAuthState, status: 'error', error: err.message };
+            callbackRes.send('<html><body><h2>Login Failed</h2><p>' + err.message + '</p><script>window.close()</script></body></html>');
+        }
+        shutdownCallbackServer();
+    });
+    function shutdownCallbackServer() {
+        if (oauthCallbackServer) {
+            oauthCallbackServer.close();
+            oauthCallbackServer = null;
+        }
+    }
+    try {
+        oauthCallbackServer = callbackApp.listen(OAUTH_CALLBACK_PORT, () => {
+            console.log(`OAuth callback server listening on port ${OAUTH_CALLBACK_PORT}`);
+        });
+        oauthCallbackServer.on('error', (err) => {
+            console.error('Failed to start OAuth callback server:', err);
+            pendingOAuthState = { status: 'error', error: `Port ${OAUTH_CALLBACK_PORT} in use` };
+            oauthCallbackServer = null;
+        });
+        setTimeout(() => {
+            if (oauthCallbackServer && pendingOAuthState?.status === 'pending') {
+                pendingOAuthState = { ...pendingOAuthState, status: 'error', error: 'OAuth timeout (2 minutes)' };
+                shutdownCallbackServer();
+            }
+        }, 120000);
+        const platform = process.platform;
+        let openCmd;
+        if (platform === 'win32') {
+            openCmd = `start "" "${authUrl.toString()}"`;
+        } else if (platform === 'darwin') {
+            openCmd = `open "${authUrl.toString()}"`;
+        } else {
+            openCmd = `xdg-open "${authUrl.toString()}"`;
+        }
+        exec(openCmd, (err) => {
+            if (err) console.error('Failed to open browser:', err);
+        });
+        res.json({ success: true, authUrl: authUrl.toString(), message: 'Browser opened for Google login' });
+    } catch (err) {
+        pendingOAuthState = null;
+        res.status(500).json({ error: err.message });
+    }
+});
+app.get('/api/auth/google/status', (req, res) => {
+    if (!pendingOAuthState) {
+        return res.json({ status: 'idle' });
+    }
+    res.json(pendingOAuthState);
+});
+app.post('/api/auth/google/cancel', (req, res) => {
+    if (oauthCallbackServer) {
+        oauthCallbackServer.close();
+        oauthCallbackServer = null;
+    }
+    pendingOAuthState = null;
+    res.json({ success: true });
+});
 app.get('/api/pending-action', (req, res) => {
     if (pendingActionMemory) return res.json({ action: pendingActionMemory });
     if (fs.existsSync(PENDING_ACTION_PATH)) {
@@ -908,4 +1609,113 @@ app.post('/api/plugins/config/add', (req, res) => {
     res.json({ added, skipped });
 });
+// Presets
+app.get('/api/presets', (req, res) => {
+    const studio = loadStudioConfig();
+    res.json(studio.presets || []);
+});
+app.post('/api/presets', (req, res) => {
+    const { name, description, config } = req.body;
+    const studio = loadStudioConfig();
+    const id = crypto.randomUUID();
+    const preset = { id, name, description, config };
+    studio.presets = studio.presets || [];
+    studio.presets.push(preset);
+    saveStudioConfig(studio);
+    res.json(preset);
+});
+app.put('/api/presets/:id', (req, res) => {
+    const { id } = req.params;
+    const { name, description, config } = req.body;
+    const studio = loadStudioConfig();
+    const index = (studio.presets || []).findIndex(p => p.id === id);
+    if (index === -1) return res.status(404).json({ error: 'Preset not found' });
+    studio.presets[index] = { ...studio.presets[index], name, description, config };
+    saveStudioConfig(studio);
+    res.json(studio.presets[index]);
+});
+app.delete('/api/presets/:id', (req, res) => {
+    const { id } = req.params;
+    const studio = loadStudioConfig();
+    studio.presets = (studio.presets || []).filter(p => p.id !== id);
+    saveStudioConfig(studio);
+    res.json({ success: true });
+});
+app.post('/api/presets/:id/apply', (req, res) => {
+    const { id } = req.params;
+    const { mode } = req.body; // 'exclusive', 'additive'
+    const studio = loadStudioConfig();
+    const preset = (studio.presets || []).find(p => p.id === id);
+    if (!preset) return res.status(404).json({ error: 'Preset not found' });
+    const config = loadConfig() || {};
+    const cp = getConfigPath();
+    const configDir = path.dirname(cp);
+    const skillDir = path.join(configDir, 'skill');
+    const pluginDir = path.join(configDir, 'plugin');
+    // Skills
+    if (preset.config.skills !== undefined && preset.config.skills !== null) {
+        const targetSkills = new Set(preset.config.skills);
+        if (mode === 'exclusive') {
+            const allSkills = [];
+            if (fs.existsSync(skillDir)) {
+                const dirents = fs.readdirSync(skillDir, { withFileTypes: true });
+                for (const dirent of dirents) {
+                    if (dirent.isDirectory()) {
+                        if (fs.existsSync(path.join(skillDir, dirent.name, 'SKILL.md'))) {
+                            allSkills.push(dirent.name);
+                        }
+                    } else if (dirent.name.endsWith('.md')) {
+                        allSkills.push(dirent.name.replace('.md', ''));
+                    }
+                }
+            }
+            studio.disabledSkills = allSkills.filter(s => !targetSkills.has(s));
+        } else { // additive
+            studio.disabledSkills = (studio.disabledSkills || []).filter(s => !targetSkills.has(s));
+        }
+    }
+    // Plugins
+    if (preset.config.plugins !== undefined && preset.config.plugins !== null) {
+        const targetPlugins = new Set(preset.config.plugins);
+        if (mode === 'exclusive') {
+            const allPlugins = [...(config.plugin || [])];
+            if (fs.existsSync(pluginDir)) {
+                const files = fs.readdirSync(pluginDir).filter(f => f.endsWith('.js') || f.endsWith('.ts'));
+                allPlugins.push(...files.map(f => f.replace(/\.[^/.]+$/, "")));
+            }
+            const uniquePlugins = [...new Set(allPlugins)];
+            studio.disabledPlugins = uniquePlugins.filter(p => !targetPlugins.has(p));
+        } else { // additive
+            studio.disabledPlugins = (studio.disabledPlugins || []).filter(p => !targetPlugins.has(p));
+        }
+    }
+    // MCPs
+    if (preset.config.mcps !== undefined && preset.config.mcps !== null) {
+        const targetMcps = new Set(preset.config.mcps);
+        if (config.mcp) {
+            for (const key in config.mcp) {
+                if (mode === 'exclusive') {
+                    config.mcp[key].enabled = targetMcps.has(key);
+                } else { // additive
+                    if (targetMcps.has(key)) config.mcp[key].enabled = true;
+                }
+            }
+        }
+    }
+    saveStudioConfig(studio);
+    saveConfig(config);
+    res.json({ success: true });
+});
 app.listen(PORT, () => console.log(`Server running at http://localhost:${PORT}`));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-studio-server",
-  "version": "1.2.1",
+  "version": "1.3.0",
   "description": "Backend server for OpenCode Studio - manages opencode configurations",
   "main": "index.js",
   "bin": {