klaude-code 2.7.0__py3-none-any.whl → 2.8.1__py3-none-any.whl

klaude_code/auth/antigravity/oauth.py

@@ -0,0 +1,320 @@
+"""OAuth PKCE flow for Antigravity authentication."""
+
+import base64
+import json
+import secrets
+import time
+import webbrowser
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from threading import Thread
+from typing import Any, cast
+from urllib.parse import parse_qs, urlencode, urlparse
+
+import httpx
+
+from klaude_code.auth.antigravity.exceptions import (
+    AntigravityNotLoggedInError,
+    AntigravityOAuthError,
+    AntigravityTokenExpiredError,
+)
+from klaude_code.auth.antigravity.pkce import generate_pkce
+from klaude_code.auth.antigravity.token_manager import AntigravityAuthState, AntigravityTokenManager
+
+# OAuth configuration (decoded from base64 for compatibility with pi implementation)
+CLIENT_ID = base64.b64decode(
+    "MTA3MTAwNjA2MDU5MS10bWhzc2luMmgyMWxjcmUyMzV2dG9sb2poNGc0MDNlcC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbQ=="
+).decode()
+CLIENT_SECRET = base64.b64decode("R09DU1BYLUs1OEZXUjQ4NkxkTEoxbUxCOHNYQzR6NnFEQWY=").decode()
+REDIRECT_URI = "http://localhost:51121/oauth-callback"
+REDIRECT_PORT = 51121
+
+# Google OAuth endpoints
+AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
+TOKEN_URL = "https://oauth2.googleapis.com/token"
+
+# Antigravity requires additional scopes
+SCOPES = [
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/userinfo.email",
+    "https://www.googleapis.com/auth/userinfo.profile",
+    "https://www.googleapis.com/auth/cclog",
+    "https://www.googleapis.com/auth/experimentsandconfigs",
+]
+
+# Fallback project ID when discovery fails
+DEFAULT_PROJECT_ID = "rising-fact-p41fc"
+
+# Cloud Code Assist endpoint
+CLOUDCODE_ENDPOINT = "https://cloudcode-pa.googleapis.com"
+
+
+class OAuthCallbackHandler(BaseHTTPRequestHandler):
+    """HTTP request handler for OAuth callback."""
+
+    code: str | None = None
+    state: str | None = None
+    error: str | None = None
+
+    def log_message(self, format: str, *args: Any) -> None:
+        """Suppress HTTP server logs."""
+        pass
+
+    def do_GET(self) -> None:
+        """Handle GET request from OAuth callback."""
+        parsed = urlparse(self.path)
+        params = parse_qs(parsed.query)
+
+        OAuthCallbackHandler.code = params.get("code", [None])[0]
+        OAuthCallbackHandler.state = params.get("state", [None])[0]
+        OAuthCallbackHandler.error = params.get("error", [None])[0]
+
+        self.send_response(200)
+        self.send_header("Content-Type", "text/html")
+        self.end_headers()
+
+        if OAuthCallbackHandler.error:
+            html = f"""
+            <html><body style="font-family: sans-serif; text-align: center; padding: 50px;">
+            <h1>Authentication Failed</h1>
+            <p>Error: {OAuthCallbackHandler.error}</p>
+            <p>Please close this window and try again.</p>
+            </body></html>
+            """
+        else:
+            html = """
+            <html><body style="font-family: sans-serif; text-align: center; padding: 50px;">
+            <h1>Authentication Successful!</h1>
+            <p>You can close this window now.</p>
+            <script>setTimeout(function() { window.close(); }, 2000);</script>
+            </body></html>
+            """
+        self.wfile.write(html.encode())
+
+
+def _discover_project(access_token: str) -> str:
+    """Discover or provision a project for the user."""
+    headers = {
+        "Authorization": f"Bearer {access_token}",
+        "Content-Type": "application/json",
+        "User-Agent": "google-api-nodejs-client/9.15.1",
+        "X-Goog-Api-Client": "google-cloud-sdk vscode_cloudshelleditor/0.1",
+        "Client-Metadata": json.dumps(
+            {
+                "ideType": "IDE_UNSPECIFIED",
+                "platform": "PLATFORM_UNSPECIFIED",
+                "pluginType": "GEMINI",
+            }
+        ),
+    }
+
+    try:
+        with httpx.Client() as client:
+            response = client.post(
+                f"{CLOUDCODE_ENDPOINT}/v1internal:loadCodeAssist",
+                headers=headers,
+                json={
+                    "metadata": {
+                        "ideType": "IDE_UNSPECIFIED",
+                        "platform": "PLATFORM_UNSPECIFIED",
+                        "pluginType": "GEMINI",
+                    },
+                },
+                timeout=30,
+            )
+
+            if response.status_code == 200:
+                data: dict[str, Any] = response.json()
+                project = data.get("cloudaicompanionProject")
+                if isinstance(project, str) and project:
+                    return project
+                if isinstance(project, dict):
+                    project_dict = cast(dict[str, Any], project)
+                    project_id = project_dict.get("id")
+                    if isinstance(project_id, str) and project_id:
+                        return project_id
+    except Exception:
+        pass
+
+    return DEFAULT_PROJECT_ID
+
+
+def _get_user_email(access_token: str) -> str | None:
+    """Get user email from the access token."""
+    try:
+        with httpx.Client() as client:
+            response = client.get(
+                "https://www.googleapis.com/oauth2/v1/userinfo?alt=json",
+                headers={"Authorization": f"Bearer {access_token}"},
+                timeout=10,
+            )
+            if response.status_code == 200:
+                data = response.json()
+                return data.get("email")
+    except Exception:
+        pass
+    return None
+
+
+class AntigravityOAuth:
+    """Handle OAuth PKCE flow for Antigravity authentication."""
+
+    def __init__(self, token_manager: AntigravityTokenManager | None = None):
+        self.token_manager = token_manager or AntigravityTokenManager()
+
+    def login(self) -> AntigravityAuthState:
+        """Run the complete OAuth login flow."""
+        verifier, challenge = generate_pkce()
+        state = secrets.token_urlsafe(32)
+
+        # Build authorization URL
+        auth_params = {
+            "client_id": CLIENT_ID,
+            "response_type": "code",
+            "redirect_uri": REDIRECT_URI,
+            "scope": " ".join(SCOPES),
+            "code_challenge": challenge,
+            "code_challenge_method": "S256",
+            "state": state,
+            "access_type": "offline",
+            "prompt": "consent",
+        }
+        auth_url = f"{AUTH_URL}?{urlencode(auth_params)}"
+
+        # Reset callback handler state
+        OAuthCallbackHandler.code = None
+        OAuthCallbackHandler.state = None
+        OAuthCallbackHandler.error = None
+
+        # Start callback server
+        server = HTTPServer(("localhost", REDIRECT_PORT), OAuthCallbackHandler)
+        server_thread = Thread(target=server.handle_request)
+        server_thread.start()
+
+        # Open browser for user to authenticate
+        webbrowser.open(auth_url)
+
+        # Wait for callback
+        server_thread.join(timeout=300)  # 5 minute timeout
+        server.server_close()
+
+        # Check for errors
+        if OAuthCallbackHandler.error:
+            raise AntigravityOAuthError(f"OAuth error: {OAuthCallbackHandler.error}")
+
+        if not OAuthCallbackHandler.code:
+            raise AntigravityOAuthError("No authorization code received")
+
+        if OAuthCallbackHandler.state is None or OAuthCallbackHandler.state != state:
+            raise AntigravityOAuthError("OAuth state mismatch")
+
+        # Exchange code for tokens
+        auth_state = self._exchange_code(OAuthCallbackHandler.code, verifier)
+
+        # Save tokens
+        self.token_manager.save(auth_state)
+
+        return auth_state
+
+    def _exchange_code(self, code: str, verifier: str) -> AntigravityAuthState:
+        """Exchange authorization code for tokens."""
+        data = {
+            "client_id": CLIENT_ID,
+            "client_secret": CLIENT_SECRET,
+            "code": code,
+            "grant_type": "authorization_code",
+            "redirect_uri": REDIRECT_URI,
+            "code_verifier": verifier,
+        }
+
+        with httpx.Client() as client:
+            response = client.post(TOKEN_URL, data=data, timeout=30)
+
+        if response.status_code != 200:
+            raise AntigravityOAuthError(f"Token exchange failed: {response.text}")
+
+        tokens = response.json()
+        access_token = tokens["access_token"]
+        refresh_token = tokens.get("refresh_token")
+        expires_in = tokens.get("expires_in", 3600)
+
+        if not refresh_token:
+            raise AntigravityOAuthError("No refresh token received. Please try again.")
+
+        # Get user email
+        email = _get_user_email(access_token)
+
+        # Discover project
+        project_id = _discover_project(access_token)
+
+        # Calculate expiry time with 5 minute buffer
+        expires_at = int(time.time()) + expires_in - 300
+
+        return AntigravityAuthState(
+            access_token=access_token,
+            refresh_token=refresh_token,
+            expires_at=expires_at,
+            project_id=project_id,
+            email=email,
+        )
+
+    def refresh(self) -> AntigravityAuthState:
+        """Refresh the access token using refresh token."""
+        state = self.token_manager.get_state()
+        if state is None:
+            raise AntigravityNotLoggedInError("Not logged in to Antigravity. Run 'klaude login antigravity' first.")
+
+        data = {
+            "client_id": CLIENT_ID,
+            "client_secret": CLIENT_SECRET,
+            "refresh_token": state.refresh_token,
+            "grant_type": "refresh_token",
+        }
+
+        with httpx.Client() as client:
+            response = client.post(TOKEN_URL, data=data, timeout=30)
+
+        if response.status_code != 200:
+            raise AntigravityTokenExpiredError(f"Token refresh failed: {response.text}")
+
+        tokens = response.json()
+        access_token = tokens["access_token"]
+        refresh_token = tokens.get("refresh_token", state.refresh_token)
+        expires_in = tokens.get("expires_in", 3600)
+
+        # Calculate expiry time with 5 minute buffer
+        expires_at = int(time.time()) + expires_in - 300
+
+        new_state = AntigravityAuthState(
+            access_token=access_token,
+            refresh_token=refresh_token,
+            expires_at=expires_at,
+            project_id=state.project_id,
+            email=state.email,
+        )
+
+        self.token_manager.save(new_state)
+        return new_state
+
+    def ensure_valid_token(self) -> tuple[str, str]:
+        """Ensure we have a valid access token, refreshing if needed.
+
+        Returns:
+            Tuple of (access_token, project_id).
+        """
+        state = self.token_manager.get_state()
+        if state is None:
+            raise AntigravityNotLoggedInError("Not logged in to Antigravity. Run 'klaude login antigravity' first.")
+
+        if state.is_expired():
+            state = self.refresh()
+
+        return state.access_token, state.project_id
+
+    def get_api_key_json(self) -> str:
+        """Get API key as JSON string for LLM client.
+
+        Returns:
+            JSON string with token and projectId.
+        """
+        access_token, project_id = self.ensure_valid_token()
+        return json.dumps({"token": access_token, "projectId": project_id})

klaude_code/auth/antigravity/pkce.py

@@ -0,0 +1,25 @@
+"""PKCE utilities for Antigravity OAuth."""
+
+import base64
+import hashlib
+import secrets
+
+
+def base64url_encode(data: bytes) -> str:
+    """Encode bytes as base64url string without padding."""
+    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
+
+
+def generate_pkce() -> tuple[str, str]:
+    """Generate PKCE code verifier and challenge.
+
+    Returns:
+        Tuple of (verifier, challenge).
+    """
+    verifier_bytes = secrets.token_bytes(32)
+    verifier = base64url_encode(verifier_bytes)
+
+    challenge_hash = hashlib.sha256(verifier.encode("ascii")).digest()
+    challenge = base64url_encode(challenge_hash)
+
+    return verifier, challenge

klaude_code/auth/antigravity/token_manager.py

@@ -0,0 +1,45 @@
+"""Token storage and management for Antigravity authentication."""
+
+from pathlib import Path
+from typing import Any
+
+from klaude_code.auth.base import BaseAuthState, BaseTokenManager
+
+
+class AntigravityAuthState(BaseAuthState):
+    """Stored authentication state for Antigravity."""
+
+    project_id: str
+    email: str | None = None
+
+
+class AntigravityTokenManager(BaseTokenManager[AntigravityAuthState]):
+    """Manage Antigravity OAuth tokens."""
+
+    def __init__(self, auth_file: Path | None = None):
+        super().__init__(auth_file)
+
+    @property
+    def storage_key(self) -> str:
+        return "antigravity"
+
+    def _create_state(self, data: dict[str, Any]) -> AntigravityAuthState:
+        return AntigravityAuthState.model_validate(data)
+
+    def get_access_token(self) -> str:
+        """Get access token, raising if not logged in."""
+        state = self.get_state()
+        if state is None:
+            from klaude_code.auth.antigravity.exceptions import AntigravityNotLoggedInError
+
+            raise AntigravityNotLoggedInError("Not logged in to Antigravity. Run 'klaude login antigravity' first.")
+        return state.access_token
+
+    def get_project_id(self) -> str:
+        """Get project ID, raising if not logged in."""
+        state = self.get_state()
+        if state is None:
+            from klaude_code.auth.antigravity.exceptions import AntigravityNotLoggedInError
+
+            raise AntigravityNotLoggedInError("Not logged in to Antigravity. Run 'klaude login antigravity' first.")
+        return state.project_id

klaude_code/auth/base.py

@@ -95,3 +95,7 @@ class BaseTokenManager[T: BaseAuthState](ABC):
         if self._state is None:
             self._state = self.load()
         return self._state
+
+    def clear_cached_state(self) -> None:
+        """Clear in-memory cached state to force reload from file on next access."""
+        self._state = None

klaude_code/auth/claude/oauth.py

@@ -125,25 +125,45 @@ class ClaudeOAuth:
             expires_at=int(time.time()) + int(expires_in),
         )
 
-    def refresh(self) -> ClaudeAuthState:
-        """Refresh the access token using refresh token."""
-        state = self.token_manager.get_state()
-        if state is None:
-            raise ClaudeNotLoggedInError("Not logged in to Claude. Run 'klaude login claude' first.")
-
+    def _do_refresh_request(self, refresh_token: str) -> httpx.Response:
+        """Send token refresh request to OAuth server."""
         payload = {
             "grant_type": "refresh_token",
             "client_id": CLIENT_ID,
-            "refresh_token": state.refresh_token,
+            "refresh_token": refresh_token,
         }
-
         with httpx.Client() as client:
-            response = client.post(
+            return client.post(
                 TOKEN_URL,
                 json=payload,
                 headers={"Content-Type": "application/json"},
             )
 
+    def refresh(self) -> ClaudeAuthState:
+        """Refresh the access token using refresh token.
+
+        Handles concurrent refresh race conditions by retrying with freshly loaded token
+        if the first attempt fails with invalid_grant error.
+        """
+        state = self.token_manager.get_state()
+        if state is None:
+            raise ClaudeNotLoggedInError("Not logged in to Claude. Run 'klaude login claude' first.")
+
+        response = self._do_refresh_request(state.refresh_token)
+
+        # Handle race condition: another process may have refreshed the token already
+        if response.status_code != 200 and "invalid_grant" in response.text:
+            # Reload token from file (another process may have updated it)
+            self.token_manager.clear_cached_state()
+            fresh_state = self.token_manager.load()
+            if fresh_state and fresh_state.refresh_token != state.refresh_token:
+                # Token was updated by another process
+                if not fresh_state.is_expired():
+                    # New token is still valid, use it directly
+                    return fresh_state
+                # New token expired, try refreshing with the new refresh_token
+                response = self._do_refresh_request(fresh_state.refresh_token)
+
         if response.status_code != 200:
             raise ClaudeAuthError(f"Token refresh failed: {response.text}")
 

klaude_code/auth/codex/exceptions.py

@@ -15,3 +15,7 @@ class CodexTokenExpiredError(CodexAuthError):
 
 class CodexOAuthError(CodexAuthError):
     """OAuth flow failed."""
+
+
+class CodexUnsupportedModelError(CodexAuthError):
+    """Model is not supported by codex_oauth protocol."""

klaude_code/cli/auth_cmd.py

@@ -24,6 +24,11 @@ def _select_provider() -> str | None:
             value="codex",
             search_text="codex",
         ),
+        SelectItem(
+            title=[("", "Google Antigravity "), ("ansibrightblack", "[OAuth]\n")],
+            value="antigravity",
+            search_text="antigravity",
+        ),
     ]
     # Add API key options
     for key_info in SUPPORTED_API_KEYS:
@@ -71,7 +76,7 @@ def _build_provider_help() -> str:
     from klaude_code.config.builtin_config import SUPPORTED_API_KEYS
 
     # Use first word of name for brevity (e.g., "google" instead of "google gemini")
-    names = ["codex", "claude"] + [k.name.split()[0].lower() for k in SUPPORTED_API_KEYS]
+    names = ["codex", "claude", "antigravity"] + [k.name.split()[0].lower() for k in SUPPORTED_API_KEYS]
     return f"Provider name ({', '.join(names)})"
 
 
@@ -149,6 +154,39 @@ def login_command(
             except Exception as e:
                 log((f"Login failed: {e}", "red"))
                 raise typer.Exit(1) from None
+        case "antigravity":
+            from klaude_code.auth.antigravity.oauth import AntigravityOAuth
+            from klaude_code.auth.antigravity.token_manager import AntigravityTokenManager
+
+            token_manager = AntigravityTokenManager()
+
+            if token_manager.is_logged_in():
+                state = token_manager.get_state()
+                if state and not state.is_expired():
+                    log(("You are already logged in to Antigravity.", "green"))
+                    if state.email:
+                        log(f"  Email: {state.email}")
+                    log(f"  Project ID: {state.project_id}")
+                    expires_dt = datetime.datetime.fromtimestamp(state.expires_at, tz=datetime.UTC)
+                    log(f"  Expires: {expires_dt.strftime('%Y-%m-%d %H:%M:%S UTC')}")
+                    if not typer.confirm("Do you want to re-login?"):
+                        return
+
+            log("Starting Antigravity OAuth login flow...")
+            log("A browser window will open for authentication.")
+
+            try:
+                oauth = AntigravityOAuth(token_manager)
+                state = oauth.login()
+                log(("Login successful!", "green"))
+                if state.email:
+                    log(f"  Email: {state.email}")
+                log(f"  Project ID: {state.project_id}")
+                expires_dt = datetime.datetime.fromtimestamp(state.expires_at, tz=datetime.UTC)
+                log(f"  Expires: {expires_dt.strftime('%Y-%m-%d %H:%M:%S UTC')}")
+            except Exception as e:
+                log((f"Login failed: {e}", "red"))
+                raise typer.Exit(1) from None
         case _:
             from klaude_code.config.builtin_config import SUPPORTED_API_KEYS
 
@@ -174,7 +212,7 @@ def login_command(
 
 
 def logout_command(
-    provider: str = typer.Argument("codex", help="Provider to logout (codex|claude)"),
+    provider: str = typer.Argument("codex", help="Provider to logout (codex|claude|antigravity)"),
 ) -> None:
     """Logout from a provider."""
     match provider.lower():
@@ -202,8 +240,20 @@ def logout_command(
             if typer.confirm("Are you sure you want to logout from Claude?"):
                 token_manager.delete()
                 log(("Logged out from Claude.", "green"))
+        case "antigravity":
+            from klaude_code.auth.antigravity.token_manager import AntigravityTokenManager
+
+            token_manager = AntigravityTokenManager()
+
+            if not token_manager.is_logged_in():
+                log("You are not logged in to Antigravity.")
+                return
+
+            if typer.confirm("Are you sure you want to logout from Antigravity?"):
+                token_manager.delete()
+                log(("Logged out from Antigravity.", "green"))
         case _:
-            log((f"Error: Unknown provider '{provider}'. Supported: codex, claude", "red"))
+            log((f"Error: Unknown provider '{provider}'. Supported: codex, claude, antigravity", "red"))
             raise typer.Exit(1)