coding-proxy 0.1.0__py3-none-any.whl

coding/proxy/__init__.py

@@ -0,0 +1,3 @@
+"""coding-proxy: Claude Code 多后端智能代理."""
+
+__version__ = "0.1.0"

coding/proxy/__main__.py

@@ -0,0 +1,5 @@
+"""入口: uv run coding-proxy."""
+
+from coding.proxy.cli import app
+
+app()

coding/proxy/auth/__init__.py

@@ -0,0 +1,13 @@
+"""OAuth 认证管理模块."""
+
+from .providers.base import OAuthProvider
+from .providers.github import GitHubDeviceFlowProvider
+from .providers.google import GoogleOAuthProvider
+from .runtime import ReauthState, RuntimeReauthCoordinator
+from .store import ProviderTokens, TokenStoreManager
+
+__all__ = [
+    "OAuthProvider", "GitHubDeviceFlowProvider", "GoogleOAuthProvider",
+    "RuntimeReauthCoordinator", "ReauthState",
+    "ProviderTokens", "TokenStoreManager",
+]

coding/proxy/auth/providers/__init__.py

@@ -0,0 +1,6 @@
+"""OAuth Provider 实现."""
+
+from .github import GitHubDeviceFlowProvider
+from .google import GoogleOAuthProvider
+
+__all__ = ["GitHubDeviceFlowProvider", "GoogleOAuthProvider"]

coding/proxy/auth/providers/base.py

@@ -0,0 +1,35 @@
+"""OAuth Provider 抽象基类."""
+
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+
+from ..store import ProviderTokens
+
+
+class OAuthProvider(ABC):
+    """OAuth 登录提供者抽象基类."""
+
+    @abstractmethod
+    def get_name(self) -> str:
+        """返回 Provider 唯一标识（用于 Token Store 的 key）."""
+
+    @abstractmethod
+    async def login(self) -> ProviderTokens:
+        """执行 OAuth 登录流程，返回获取到的 Token."""
+
+    @abstractmethod
+    async def refresh(self, tokens: ProviderTokens) -> ProviderTokens:
+        """使用 refresh_token 刷新 access_token."""
+
+    @abstractmethod
+    async def validate(self, tokens: ProviderTokens) -> bool:
+        """验证当前 Token 是否仍然有效."""
+
+    def needs_login(self, tokens: ProviderTokens) -> bool:
+        """判断是否需要重新登录（默认：无凭证或已过期且无 refresh_token）."""
+        if not tokens.has_credentials:
+            return True
+        if tokens.is_expired and not tokens.refresh_token:
+            return True
+        return False

coding/proxy/auth/providers/github.py

@@ -0,0 +1,133 @@
+"""GitHub Device Authorization Flow — 浏览器免回调的 OAuth 登录."""
+
+from __future__ import annotations
+
+import asyncio
+import logging
+import time
+from typing import Any
+
+import webbrowser
+
+import httpx
+
+from ..store import ProviderTokens
+from .base import OAuthProvider
+
+logger = logging.getLogger(__name__)
+
+# GitHub Copilot VS Code 扩展的公开 client_id
+# SOT（权威源）: coding.proxy.config.schema.AuthConfig.github_client_id
+# 此处默认值仅作 fallback，生产环境应通过 config.yaml 的 auth 段覆盖
+_COPILOT_CLIENT_ID = "Iv1.b507a08c87ecfe98"
+
+_DEVICE_CODE_URL = "https://github.com/login/device/code"
+_ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token"
+_POLL_INTERVAL = 5  # seconds
+_MAX_POLL_ATTEMPTS = 60  # 5 minutes total
+_COPILOT_PERMISSIVE_SCOPES = "read:user user:email repo workflow"
+
+
+class GitHubDeviceFlowProvider(OAuthProvider):
+    """GitHub Device Authorization Flow 实现.
+
+    无需本地 HTTP 服务器，用户在浏览器中输入 user_code 即可完成授权。
+    获取的 GitHub OAuth token 可用于 Copilot token 交换。
+    """
+
+    def __init__(self, client_id: str = _COPILOT_CLIENT_ID) -> None:
+        self._client_id = client_id
+        self._http = httpx.AsyncClient(timeout=httpx.Timeout(30.0))
+
+    def get_name(self) -> str:
+        return "github"
+
+    async def login(self) -> ProviderTokens:
+        """执行 GitHub Device Flow，返回 OAuth token."""
+        # Step 1: 请求 device code
+        resp = await self._http.post(
+            _DEVICE_CODE_URL,
+            data={"client_id": self._client_id, "scope": _COPILOT_PERMISSIVE_SCOPES},
+            headers={"accept": "application/json"},
+        )
+        resp.raise_for_status()
+        device_data: dict[str, Any] = resp.json()
+
+        user_code = device_data["user_code"]
+        verification_uri = device_data["verification_uri"]
+        device_code = device_data["device_code"]
+        interval = device_data.get("interval", _POLL_INTERVAL)
+
+        # 优先使用预填充 user_code 的完整链接
+        verification_url = device_data.get(
+            "verification_uri_complete", verification_uri
+        )
+
+        # Step 2: 引导用户在浏览器中授权
+        logger.info("请在浏览器中访问 %s 并输入代码: %s", verification_uri, user_code)
+        print(f"\n  🔗 请在浏览器中访问: {verification_uri}")
+        print(f"  📋 并输入代码: {user_code}\n")
+
+        webbrowser.open(verification_url)
+
+        # Step 3: 轮询等待用户完成授权
+        for attempt in range(_MAX_POLL_ATTEMPTS):
+            await asyncio.sleep(interval)
+
+            token_resp = await self._http.post(
+                _ACCESS_TOKEN_URL,
+                data={
+                    "client_id": self._client_id,
+                    "device_code": device_code,
+                    "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
+                },
+                headers={"accept": "application/json"},
+            )
+            token_data = token_resp.json()
+
+            if "access_token" in token_data:
+                logger.info("GitHub OAuth 授权成功")
+                return ProviderTokens(
+                    access_token=token_data["access_token"],
+                    token_type=token_data.get("token_type", "bearer"),
+                    scope=token_data.get("scope", ""),
+                )
+
+            error = token_data.get("error", "")
+            if error == "authorization_pending":
+                continue
+            elif error == "slow_down":
+                interval += 5
+                continue
+            elif error == "expired_token":
+                raise RuntimeError("Device code 已过期，请重新登录")
+            elif error == "access_denied":
+                raise RuntimeError("用户拒绝了授权")
+            else:
+                raise RuntimeError(f"GitHub OAuth 错误: {error}")
+
+        raise RuntimeError("GitHub Device Flow 超时，请重试")
+
+    async def refresh(self, tokens: ProviderTokens) -> ProviderTokens:
+        """GitHub Device Flow 不支持 refresh_token，需要重新登录."""
+        return await self.login()
+
+    async def validate(self, tokens: ProviderTokens) -> bool:
+        """验证 GitHub token 是否有效."""
+        if not tokens.access_token:
+            return False
+        try:
+            resp = await self._http.get(
+                "https://api.github.com/user",
+                headers={
+                    "authorization": f"token {tokens.access_token}",
+                    "accept": "application/json",
+                },
+            )
+            return resp.status_code == 200
+        except httpx.HTTPError:
+            return False
+
+    async def close(self) -> None:
+        if not self._http.is_closed:
+            await self._http.aclose()

coding/proxy/auth/providers/google.py

@@ -0,0 +1,237 @@
+"""Google OAuth2 Authorization Code Flow — 本地回调服务器."""
+
+from __future__ import annotations
+
+import asyncio
+import logging
+import secrets
+import time
+from http.server import HTTPServer, BaseHTTPRequestHandler
+from typing import Any
+from urllib.parse import parse_qs, urlencode, urlparse
+
+import httpx
+
+from ..store import ProviderTokens
+from .base import OAuthProvider
+
+logger = logging.getLogger(__name__)
+
+# Antigravity Enterprise 公开 OAuth 凭据
+# SOT（权威源）: coding.proxy.config.schema.AuthConfig
+# 此处默认值仅作 fallback，生产环境应通过 config.yaml 的 auth 段覆盖
+_DEFAULT_CLIENT_ID = (
+    "1071006060591-tmhssin2h21lcre235vtolojh4g403ep"
+    ".apps.googleusercontent.com"
+)
+_DEFAULT_CLIENT_SECRET = "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"
+
+_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
+_TOKEN_URL = "https://oauth2.googleapis.com/token"
+_SCOPES = [
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/userinfo.email",
+    "https://www.googleapis.com/auth/userinfo.profile",
+    "https://www.googleapis.com/auth/cclog",
+    "https://www.googleapis.com/auth/experimentsandconfigs",
+]
+_REQUIRED_SCOPE_SET = frozenset(_SCOPES)
+
+
+class _CallbackHandler(BaseHTTPRequestHandler):
+    """OAuth 回调 HTTP 处理器.
+
+    使用实例级 result dict 避免类属性在并发场景下的交叉污染.
+    """
+
+    def __init__(self, *args: Any, result: dict[str, str | None], **kwargs: Any) -> None:
+        self._result = result
+        super().__init__(*args, **kwargs)
+
+    def do_GET(self) -> None:
+        parsed = urlparse(self.path)
+        params = parse_qs(parsed.query)
+
+        if parsed.path == "/callback":
+            if "error" in params:
+                self._result["error"] = params["error"][0]
+                self._respond("授权失败，请关闭此页面返回终端。")
+            elif "code" in params and "state" in params:
+                self._result["auth_code"] = params["code"][0]
+                self._result["state"] = params["state"][0]
+                self._respond("授权成功！请关闭此页面返回终端。")
+            else:
+                self._respond("无效的回调参数。")
+        else:
+            self.send_response(404)
+            self.end_headers()
+
+    def _respond(self, message: str) -> None:
+        self.send_response(200)
+        self.send_header("content-type", "text/html; charset=utf-8")
+        self.end_headers()
+        self.wfile.write(f"<html><body><h2>{message}</h2></body></html>".encode())
+
+    def log_message(self, format: str, *args: Any) -> None:
+        pass  # 静默 HTTP 日志
+
+
+class GoogleOAuthProvider(OAuthProvider):
+    """Google OAuth2 Authorization Code Flow 实现.
+
+    启动本地 HTTP 回调服务器捕获 authorization code，
+    交换为 access_token + refresh_token。
+    """
+
+    def __init__(
+        self,
+        client_id: str = _DEFAULT_CLIENT_ID,
+        client_secret: str = _DEFAULT_CLIENT_SECRET,
+    ) -> None:
+        self._client_id = client_id
+        self._client_secret = client_secret
+        self._http = httpx.AsyncClient(timeout=httpx.Timeout(30.0))
+
+    def get_name(self) -> str:
+        return "google"
+
+    @staticmethod
+    def has_required_scopes(scope: str) -> bool:
+        granted = {item for item in scope.split() if item}
+        return _REQUIRED_SCOPE_SET.issubset(granted)
+
+    async def login(self) -> ProviderTokens:
+        """执行 Google OAuth2 Code Flow，返回 Token."""
+        state = secrets.token_urlsafe(32)
+        result: dict[str, str | None] = {"auth_code": None, "state": None, "error": None}
+
+        def _make_handler(*args: Any, **kwargs: Any) -> _CallbackHandler:
+            return _CallbackHandler(*args, result=result, **kwargs)
+
+        # 绑定到 port 0，由 OS 分配可用端口，避免 TOCTOU 竞态
+        server = HTTPServer(("127.0.0.1", 0), _make_handler)
+        redirect_port = server.server_address[1]
+        redirect_uri = f"http://127.0.0.1:{redirect_port}/callback"
+
+        params = urlencode({
+            "client_id": self._client_id,
+            "redirect_uri": redirect_uri,
+            "response_type": "code",
+            "scope": " ".join(_SCOPES),
+            "state": state,
+            "access_type": "offline",
+            "prompt": "consent",
+        })
+        auth_url = f"{_AUTH_URL}?{params}"
+
+        logger.info("请在浏览器中完成 Google 授权")
+        print(f"\n  🔗 请在浏览器中访问以下链接完成授权:\n")
+        print(f"  {auth_url}\n")
+
+        # 打开浏览器
+        import webbrowser
+        webbrowser.open(auth_url)
+
+        # 等待回调
+        for _ in range(120):  # 最多等 2 分钟
+            server.handle_request()
+            if result["auth_code"] or result["error"]:
+                break
+            await asyncio.sleep(1)
+
+        server.server_close()
+
+        if result["error"]:
+            raise RuntimeError(f"Google OAuth 错误: {result['error']}")
+
+        if not result["auth_code"]:
+            raise RuntimeError("Google OAuth 超时，请重试")
+
+        if result["state"] != state:
+            raise RuntimeError("OAuth state 不匹配，可能遭受 CSRF 攻击")
+
+        # 交换 code → token
+        return await self._exchange_code(result["auth_code"], redirect_uri)
+
+    async def _exchange_code(
+        self, code: str, redirect_uri: str
+    ) -> ProviderTokens:
+        """将 authorization code 交换为 access_token + refresh_token."""
+        resp = await self._http.post(
+            _TOKEN_URL,
+            data={
+                "client_id": self._client_id,
+                "client_secret": self._client_secret,
+                "code": code,
+                "redirect_uri": redirect_uri,
+                "grant_type": "authorization_code",
+            },
+            headers={"content-type": "application/x-www-form-urlencoded"},
+        )
+        resp.raise_for_status()
+        data = resp.json()
+
+        expires_at = 0.0
+        if "expires_in" in data:
+            expires_at = time.time() + data["expires_in"]
+
+        return ProviderTokens(
+            access_token=data.get("access_token", ""),
+            refresh_token=data.get("refresh_token", ""),
+            expires_at=expires_at,
+            scope=data.get("scope", ""),
+            token_type=data.get("token_type", "bearer"),
+        )
+
+    async def refresh(self, tokens: ProviderTokens) -> ProviderTokens:
+        """使用 refresh_token 刷新 access_token."""
+        if not tokens.refresh_token:
+            return await self.login()
+
+        resp = await self._http.post(
+            _TOKEN_URL,
+            data={
+                "client_id": self._client_id,
+                "client_secret": self._client_secret,
+                "refresh_token": tokens.refresh_token,
+                "grant_type": "refresh_token",
+            },
+            headers={"content-type": "application/x-www-form-urlencoded"},
+        )
+
+        if resp.status_code >= 400:
+            logger.warning("Google token refresh 失败，需要重新登录")
+            return await self.login()
+
+        data = resp.json()
+        expires_at = 0.0
+        if "expires_in" in data:
+            expires_at = time.time() + data["expires_in"]
+
+        return ProviderTokens(
+            access_token=data.get("access_token", ""),
+            refresh_token=tokens.refresh_token,  # refresh_token 通常不变
+            expires_at=expires_at,
+            scope=data.get("scope", tokens.scope),
+            token_type=data.get("token_type", "bearer"),
+        )
+
+    async def validate(self, tokens: ProviderTokens) -> bool:
+        """验证 Google token 是否有效."""
+        if not tokens.access_token:
+            return False
+        try:
+            resp = await self._http.get(
+                "https://www.googleapis.com/oauth2/v1/tokeninfo",
+                params={"access_token": tokens.access_token},
+            )
+            if resp.status_code != 200:
+                return False
+            data = resp.json()
+            return self.has_required_scopes(data.get("scope", tokens.scope))
+        except httpx.HTTPError:
+            return False
+
+    async def close(self) -> None:
+        if not self._http.is_closed:
+            await self._http.aclose()

coding/proxy/auth/runtime.py

@@ -0,0 +1,122 @@
+"""运行时 OAuth 重认证协调器 — 后台触发浏览器登录并热更新凭证."""
+
+from __future__ import annotations
+
+import asyncio
+import enum
+import logging
+import time
+from typing import Callable
+
+from .providers.base import OAuthProvider
+from .store import TokenStoreManager
+
+logger = logging.getLogger(__name__)
+
+
+class ReauthState(enum.Enum):
+    """重认证状态."""
+
+    IDLE = "idle"
+    PENDING = "pending"
+    COMPLETED = "completed"
+    FAILED = "failed"
+
+
+class RuntimeReauthCoordinator:
+    """运行时 OAuth 重认证协调器.
+
+    当 TokenManager 报告 needs_reauth=True 时，Router 调用
+    ``request_reauth()`` 在后台触发浏览器登录流程。
+
+    与熔断器的协同:
+    - 重认证期间 TokenManager 持续抛 TokenAcquireError
+    - Router 触发 failover → 熔断器 OPEN → 请求路由到下一层级
+    - 重认证完成后 TokenManager 获得新凭证 → 熔断器恢复 → 后端可用
+    """
+
+    def __init__(
+        self,
+        token_store: TokenStoreManager,
+        providers: dict[str, OAuthProvider],
+        token_updaters: dict[str, Callable[[str], None]],
+    ) -> None:
+        """
+        Args:
+            token_store: Token 持久化管理器
+            providers: provider_name → OAuthProvider 实例
+            token_updaters: provider_name → 更新 TokenManager 凭证的回调
+        """
+        self._token_store = token_store
+        self._providers = providers
+        self._token_updaters = token_updaters
+        self._states: dict[str, ReauthState] = {
+            name: ReauthState.IDLE for name in providers
+        }
+        self._locks: dict[str, asyncio.Lock] = {
+            name: asyncio.Lock() for name in providers
+        }
+        self._last_error: dict[str, str] = {}
+        self._last_completed: dict[str, float] = {}
+
+    async def request_reauth(self, provider_name: str) -> None:
+        """请求对指定 provider 进行重认证（幂等，后台执行）.
+
+        若已在进行中，直接返回不重复触发。
+        """
+        if provider_name not in self._providers:
+            logger.warning("未知 provider: %s", provider_name)
+            return
+
+        if self._states.get(provider_name) == ReauthState.PENDING:
+            return  # 已在进行中
+
+        asyncio.create_task(self._do_reauth(provider_name))
+
+    async def _do_reauth(self, provider_name: str) -> None:
+        """执行重认证流程（带锁保护的幂等实现）."""
+        lock = self._locks[provider_name]
+        if lock.locked():
+            return  # 另一个任务正在执行
+
+        async with lock:
+            self._states[provider_name] = ReauthState.PENDING
+            logger.info("开始 %s 重认证...", provider_name)
+
+            try:
+                provider = self._providers[provider_name]
+                tokens = await provider.login()
+                self._token_store.set(provider_name, tokens)
+
+                # 调用热更新回调
+                updater = self._token_updaters.get(provider_name)
+                if updater:
+                    # GitHub → access_token, Google → refresh_token
+                    if provider_name == "github":
+                        updater(tokens.access_token)
+                    elif provider_name == "google":
+                        updater(tokens.refresh_token)
+
+                self._states[provider_name] = ReauthState.COMPLETED
+                self._last_completed[provider_name] = time.monotonic()
+                self._last_error.pop(provider_name, None)
+                logger.info("%s 重认证成功", provider_name)
+
+            except Exception as exc:
+                self._states[provider_name] = ReauthState.FAILED
+                self._last_error[provider_name] = str(exc)
+                logger.error("%s 重认证失败: %s", provider_name, exc)
+
+    def get_status(self) -> dict[str, dict[str, str]]:
+        """返回所有 provider 的重认证状态."""
+        result = {}
+        for name in self._providers:
+            info: dict[str, str] = {"state": self._states[name].value}
+            if name in self._last_error:
+                info["error"] = self._last_error[name]
+            if name in self._last_completed:
+                info["completed_ago_seconds"] = str(
+                    int(time.monotonic() - self._last_completed[name])
+                )
+            result[name] = info
+        return result

coding/proxy/auth/store.py

@@ -0,0 +1,74 @@
+"""Token 持久化存储 — ~/.coding-proxy/tokens.json.
+
+``ProviderTokens`` 数据模型已迁移至 :mod:`coding.proxy.model.auth`。
+本文件保留 ``TokenStoreManager`` 持久化管理器，类型通过 re-export 提供。
+
+.. deprecated::
+    未来版本将移除类型 re-export，请直接从 :mod:`coding.proxy.model.auth` 导入。
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+import time
+from pathlib import Path
+from typing import Any
+
+# noqa: F401
+from ..model.auth import ProviderTokens
+
+logger = logging.getLogger(__name__)
+
+_DEFAULT_STORE_PATH = Path("~/.coding-proxy/tokens.json")
+
+
+class TokenStoreManager:
+    """管理所有 Provider 的 Token 持久化."""
+
+    def __init__(self, store_path: Path | None = None) -> None:
+        self._path = (store_path or _DEFAULT_STORE_PATH).expanduser()
+        self._data: dict[str, dict[str, Any]] = {}
+
+    def load(self) -> None:
+        """从磁盘加载 Token 存储."""
+        if self._path.exists():
+            try:
+                with open(self._path) as f:
+                    self._data = json.load(f)
+                logger.debug("Token store loaded from %s", self._path)
+            except (json.JSONDecodeError, OSError) as exc:
+                logger.warning("Failed to load token store: %s", exc)
+                self._data = {}
+        else:
+            self._data = {}
+
+    def save(self) -> None:
+        """持久化 Token 到磁盘."""
+        self._path.parent.mkdir(parents=True, exist_ok=True)
+        with open(self._path, "w") as f:
+            json.dump(self._data, f, indent=2, ensure_ascii=False)
+        # 限制文件权限为仅 owner 可读写
+        self._path.chmod(0o600)
+        logger.debug("Token store saved to %s", self._path)
+
+    def get(self, provider: str) -> ProviderTokens:
+        """获取指定 Provider 的 Token."""
+        raw = self._data.get(provider, {})
+        return ProviderTokens(**raw) if raw else ProviderTokens()
+
+    def set(self, provider: str, tokens: ProviderTokens) -> None:
+        """设置指定 Provider 的 Token 并持久化."""
+        self._data[provider] = tokens.model_dump()
+        self.save()
+        logger.info("Token updated for provider: %s", provider)
+
+    def remove(self, provider: str) -> None:
+        """移除指定 Provider 的 Token."""
+        if provider in self._data:
+            del self._data[provider]
+            self.save()
+
+    def list_providers(self) -> list[str]:
+        """列出所有已存储 Token 的 Provider."""
+        return list(self._data.keys())