stravinsky 0.1.2__py3-none-any.whl → 0.2.38__py3-none-any.whl

mcp_bridge/__init__.py

@@ -1,5 +1 @@
-# Stravinsky MCP Bridge
-# Provides MCP tools for OAuth-authenticated access to Gemini and OpenAI models
-
-__version__ = "0.1.0"
-__author__ = "David Andrews"
+__version__ = "0.2.32"

mcp_bridge/auth/cli.py

@@ -1,7 +1,16 @@
 """
-Authentication CLI for Claude Superagent MCP Bridge
+Stravinsky Authentication CLI (stravinsky-auth)
 
-Handles OAuth authentication for Gemini and OpenAI.
+OAuth authentication for Gemini (Google) and OpenAI (ChatGPT Plus/Pro).
+No API keys required - uses browser-based OAuth flows.
+
+Usage:
+    stravinsky-auth login gemini    # Authenticate with Google (Gemini)
+    stravinsky-auth login openai    # Authenticate with OpenAI (ChatGPT Plus/Pro)
+    stravinsky-auth status          # Check authentication status
+    stravinsky-auth logout gemini   # Remove stored credentials
+    stravinsky-auth refresh gemini  # Manually refresh access token
+    stravinsky-auth init            # Bootstrap current repository
 """
 
 import argparse
@@ -9,6 +18,7 @@ import sys
 import time
 
 from .token_store import TokenStore
+from ..tools.init import bootstrap_repo
 from .oauth import perform_oauth_flow as gemini_oauth, refresh_access_token as gemini_refresh
 from .openai_oauth import (
     perform_oauth_flow as openai_oauth,
@@ -19,53 +29,53 @@ from .openai_oauth import (
 def cmd_login(provider: str, token_store: TokenStore) -> int:
     """
     Perform OAuth login for a provider.
-    
+
     For Gemini: Uses Google OAuth with Antigravity credentials
     For OpenAI: Uses OpenAI OAuth (ChatGPT Plus/Pro subscription)
     """
     if provider == "gemini":
         print(f"Starting Google OAuth for Gemini...")
-        
+
         try:
             result = gemini_oauth()
-            
+
             expires_at = int(time.time()) + result.tokens.expires_in
-            
+
             token_store.set_token(
                 provider="gemini",
                 access_token=result.tokens.access_token,
                 refresh_token=result.tokens.refresh_token,
                 expires_at=expires_at,
             )
-            
+
             print(f"\n✓ Successfully authenticated as: {result.user_info.email}")
             print(f"  Token expires in: {result.tokens.expires_in // 60} minutes")
             return 0
-            
+
         except Exception as e:
             print(f"\n✗ OAuth failed: {e}", file=sys.stderr)
             return 1
-            
+
     elif provider == "openai":
         print(f"Starting OpenAI OAuth for ChatGPT Plus/Pro...")
         print("Note: Requires ChatGPT Plus/Pro subscription and port 1455 available")
-        
+
         try:
             result = openai_oauth()
-            
+
             expires_at = int(time.time()) + result.expires_in
-            
+
             token_store.set_token(
                 provider="openai",
                 access_token=result.access_token,
                 refresh_token=result.refresh_token,
                 expires_at=expires_at,
             )
-            
+
             print(f"\n✓ Successfully authenticated with OpenAI")
             print(f"  Token expires in: {result.expires_in // 60} minutes")
             return 0
-            
+
         except Exception as e:
             print(f"\n✗ OAuth failed: {e}", file=sys.stderr)
             print("\nTroubleshooting:")
@@ -73,7 +83,7 @@ def cmd_login(provider: str, token_store: TokenStore) -> int:
             print("  - Stop Codex CLI if running: killall codex")
             print("  - Or use Codex CLI directly: codex login")
             return 1
-        
+
     else:
         print(f"Unknown provider: {provider}", file=sys.stderr)
         print("Supported providers: gemini, openai")
@@ -90,12 +100,12 @@ def cmd_logout(provider: str, token_store: TokenStore) -> int:
 def cmd_status(token_store: TokenStore) -> int:
     """Show authentication status for all providers."""
     print("Authentication Status:\n")
-    
+
     for provider in ["gemini", "openai"]:
         has_token = token_store.has_valid_token(provider)
         status = "✓ Authenticated" if has_token else "✗ Not authenticated"
         print(f"  {provider.capitalize()}: {status}")
-        
+
         if has_token:
             token = token_store.get_token(provider)
             if token and token.get("expires_at"):
@@ -107,7 +117,7 @@ def cmd_status(token_store: TokenStore) -> int:
                     print(f"    Expires in: {hours}h {minutes}m")
                 else:
                     print(f"    Token expired")
-    
+
     print()
     return 0
 
@@ -119,10 +129,10 @@ def cmd_refresh(provider: str, token_store: TokenStore) -> int:
         print(f"No refresh token found for {provider}")
         print(f"Please run: python -m mcp_bridge.auth.cli login {provider}")
         return 1
-    
+
     try:
         print(f"Refreshing {provider} token...")
-        
+
         if provider == "gemini":
             result = gemini_refresh(token["refresh_token"])
         elif provider == "openai":
@@ -130,19 +140,19 @@ def cmd_refresh(provider: str, token_store: TokenStore) -> int:
         else:
             print(f"Refresh not supported for {provider}")
             return 1
-        
+
         expires_at = int(time.time()) + result.expires_in
-        
+
         token_store.set_token(
             provider=provider,
             access_token=result.access_token,
             refresh_token=result.refresh_token or token["refresh_token"],
             expires_at=expires_at,
         )
-        
+
         print(f"✓ Token refreshed, expires in {result.expires_in // 60} minutes")
         return 0
-        
+
     except Exception as e:
         print(f"✗ Refresh failed: {e}", file=sys.stderr)
         return 1
@@ -151,47 +161,79 @@ def cmd_refresh(provider: str, token_store: TokenStore) -> int:
 def main():
     """CLI entry point."""
     parser = argparse.ArgumentParser(
-        description="Stravinsky Authentication CLI",
-        prog="python -m mcp_bridge.auth.cli",
+        description="Stravinsky OAuth authentication for Gemini and OpenAI. "
+        "Authenticate via browser-based OAuth flows (no API keys).",
+        prog="stravinsky-auth",
+        epilog="Examples:\n"
+        "  stravinsky-auth login gemini     # Login to Google (Gemini)\n"
+        "  stravinsky-auth login openai     # Login to OpenAI (ChatGPT Plus/Pro)\n"
+        "  stravinsky-auth status           # Check all provider status\n",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
     )
-    
-    subparsers = parser.add_subparsers(dest="command", help="Available commands")
-    
+
+    subparsers = parser.add_subparsers(dest="command", help="Available commands", metavar="COMMAND")
+
     # login command
-    login_parser = subparsers.add_parser("login", help="Authenticate with a provider")
+    login_parser = subparsers.add_parser(
+        "login",
+        help="Authenticate with a provider via browser OAuth",
+        description="Opens browser for OAuth authentication. Tokens are stored securely in system keyring.",
+    )
     login_parser.add_argument(
         "provider",
         choices=["gemini", "openai"],
-        help="Provider to authenticate with",
+        metavar="PROVIDER",
+        help="Provider to authenticate with: gemini (Google) or openai (ChatGPT Plus/Pro)",
     )
-    
+
     # logout command
-    logout_parser = subparsers.add_parser("logout", help="Remove stored credentials")
+    logout_parser = subparsers.add_parser(
+        "logout",
+        help="Remove stored OAuth credentials",
+        description="Deletes stored access and refresh tokens for the specified provider.",
+    )
     logout_parser.add_argument(
         "provider",
         choices=["gemini", "openai"],
-        help="Provider to logout from",
+        metavar="PROVIDER",
+        help="Provider to logout from: gemini or openai",
     )
-    
+
     # status command
-    subparsers.add_parser("status", help="Show authentication status")
-    
+    subparsers.add_parser(
+        "status",
+        help="Show authentication status for all providers",
+        description="Displays authentication status and token expiration for Gemini and OpenAI.",
+    )
+
     # refresh command
-    refresh_parser = subparsers.add_parser("refresh", help="Refresh access token")
+    refresh_parser = subparsers.add_parser(
+        "refresh",
+        help="Manually refresh access token",
+        description="Force-refresh the access token using the stored refresh token.",
+    )
     refresh_parser.add_argument(
         "provider",
         choices=["gemini", "openai"],
-        help="Provider to refresh token for",
+        metavar="PROVIDER",
+        help="Provider to refresh token for: gemini or openai",
     )
-    
+
+    # init command
+    subparsers.add_parser(
+        "init",
+        help="Bootstrap current repository for Stravinsky",
+        description="Creates .stravinsky/ directory structure and copies default configuration files.",
+    )
+
     args = parser.parse_args()
-    
+
     if not args.command:
         parser.print_help()
         return 1
-    
+
     token_store = TokenStore()
-    
+
     if args.command == "login":
         return cmd_login(args.provider, token_store)
     elif args.command == "logout":
@@ -200,7 +242,10 @@ def main():
         return cmd_status(token_store)
     elif args.command == "refresh":
         return cmd_refresh(args.provider, token_store)
-    
+    elif args.command == "init":
+        print(bootstrap_repo())
+        return 0
+
     return 0
 
 

mcp_bridge/auth/oauth.py

@@ -37,12 +37,26 @@ ANTIGRAVITY_SCOPES = [
 ]
 
 # API Endpoints
+# NOTE: Prefer production; sandbox endpoints may require special access.
+ANTIGRAVITY_ENDPOINT_PROD = "https://cloudcode-pa.googleapis.com"
+ANTIGRAVITY_ENDPOINT_DAILY = "https://daily-cloudcode-pa.sandbox.googleapis.com"
+ANTIGRAVITY_ENDPOINT_AUTOPUSH = "https://autopush-cloudcode-pa.sandbox.googleapis.com"
+
+# Default to production only.
+# Set STRAVINSKY_ANTIGRAVITY_ENABLE_SANDBOX_ENDPOINTS=1 to also try sandbox endpoints.
 ANTIGRAVITY_ENDPOINTS = [
-    "https://daily-cloudcode-pa.sandbox.googleapis.com",  # dev
-    "https://autopush-cloudcode-pa.sandbox.googleapis.com",  # staging
-    "https://cloudcode-pa.googleapis.com",  # prod
+    ANTIGRAVITY_ENDPOINT_PROD,
 ]
 
+if os.getenv("STRAVINSKY_ANTIGRAVITY_ENABLE_SANDBOX_ENDPOINTS") in {"1", "true", "True"}:
+    ANTIGRAVITY_ENDPOINTS.extend(
+        [
+            ANTIGRAVITY_ENDPOINT_DAILY,
+            ANTIGRAVITY_ENDPOINT_AUTOPUSH,
+        ]
+    )
+
+
 # Default Project ID
 ANTIGRAVITY_DEFAULT_PROJECT_ID = "rising-fact-p41fc"
 
@@ -50,14 +64,18 @@ ANTIGRAVITY_DEFAULT_PROJECT_ID = "rising-fact-p41fc"
 ANTIGRAVITY_API_VERSION = "v1internal"
 
 # Request Headers
+# Per API spec: User-Agent should be "antigravity/{version} {platform}/{arch}"
 ANTIGRAVITY_HEADERS = {
-    "User-Agent": "google-api-nodejs-client/9.15.1",
+    "User-Agent": "antigravity/1.11.5 windows/amd64",
     "X-Goog-Api-Client": "google-cloud-sdk vscode_cloudshelleditor/0.1",
-    "Client-Metadata": json.dumps({
-        "ideType": "IDE_UNSPECIFIED",
-        "platform": "PLATFORM_UNSPECIFIED",
-        "pluginType": "GEMINI",
-    }),
+    "Client-Metadata": json.dumps(
+        {
+            "ideType": "IDE_UNSPECIFIED",
+            "platform": "PLATFORM_UNSPECIFIED",
+            "pluginType": "GEMINI",
+        },
+        separators=(",", ":"),
+    ),
 }
 
 # Google OAuth endpoints
@@ -72,6 +90,7 @@ TOKEN_REFRESH_BUFFER_MS = 60_000
 @dataclass
 class PKCEPair:
     """PKCE verifier and challenge pair."""
+
     verifier: str
     challenge: str
     method: str = "S256"
@@ -80,6 +99,7 @@ class PKCEPair:
 @dataclass
 class TokenResult:
     """OAuth token exchange result."""
+
     access_token: str
     refresh_token: str
     expires_in: int
@@ -89,6 +109,7 @@ class TokenResult:
 @dataclass
 class UserInfo:
     """User info from Google."""
+
     email: str
     name: str | None = None
     picture: str | None = None
@@ -97,6 +118,7 @@ class UserInfo:
 @dataclass
 class OAuthResult:
     """Complete OAuth flow result."""
+
     tokens: TokenResult
     user_info: UserInfo
     verifier: str
@@ -105,17 +127,17 @@ class OAuthResult:
 def generate_pkce_pair() -> PKCEPair:
     """
     Generate PKCE verifier and challenge pair.
-    
+
     Uses SHA-256 for the challenge (S256 method).
     """
     # Generate 32-byte random verifier
     verifier_bytes = secrets.token_bytes(32)
     verifier = base64.urlsafe_b64encode(verifier_bytes).rstrip(b"=").decode("ascii")
-    
+
     # Generate challenge from verifier using SHA-256
     challenge_bytes = hashlib.sha256(verifier.encode("ascii")).digest()
     challenge = base64.urlsafe_b64encode(challenge_bytes).rstrip(b"=").decode("ascii")
-    
+
     return PKCEPair(verifier=verifier, challenge=challenge, method="S256")
 
 
@@ -135,7 +157,7 @@ def decode_state(encoded: str) -> dict[str, Any]:
     padding = 4 - len(encoded) % 4
     if padding != 4:
         encoded += "=" * padding
-    
+
     try:
         decoded = base64.b64decode(encoded).decode("utf-8")
         return json.loads(decoded)
@@ -150,15 +172,15 @@ def build_auth_url(
 ) -> tuple[str, str]:
     """
     Build Google OAuth authorization URL with PKCE.
-    
+
     Returns:
         Tuple of (auth_url, pkce_verifier)
     """
     pkce = generate_pkce_pair()
-    
+
     redirect_uri = f"http://localhost:{port}/oauth-callback"
     state = encode_state(pkce.verifier, project_id)
-    
+
     params = {
         "client_id": client_id,
         "redirect_uri": redirect_uri,
@@ -170,7 +192,7 @@ def build_auth_url(
         "access_type": "offline",
         "prompt": "consent",
     }
-    
+
     url = f"{GOOGLE_AUTH_URL}?{urlencode(params)}"
     return url, pkce.verifier
 
@@ -184,17 +206,17 @@ def exchange_code(
 ) -> TokenResult:
     """
     Exchange authorization code for tokens.
-    
+
     Args:
         code: Authorization code from OAuth callback
         verifier: PKCE verifier from initial auth request
         port: Callback server port
-        
+
     Returns:
         Token exchange result with access and refresh tokens.
     """
     redirect_uri = f"http://localhost:{port}/oauth-callback"
-    
+
     data = {
         "client_id": client_id,
         "client_secret": client_secret,
@@ -203,19 +225,19 @@ def exchange_code(
         "redirect_uri": redirect_uri,
         "code_verifier": verifier,
     }
-    
+
     with httpx.Client() as client:
         response = client.post(
             GOOGLE_TOKEN_URL,
             data=data,
             headers={"Content-Type": "application/x-www-form-urlencoded"},
         )
-        
+
         if response.status_code != 200:
             raise Exception(f"Token exchange failed: {response.status_code} - {response.text}")
-        
+
         result = response.json()
-        
+
         return TokenResult(
             access_token=result["access_token"],
             refresh_token=result.get("refresh_token", ""),
@@ -231,10 +253,10 @@ def refresh_access_token(
 ) -> TokenResult:
     """
     Refresh an access token using a refresh token.
-    
+
     Args:
         refresh_token: Valid refresh token
-        
+
     Returns:
         New token result.
     """
@@ -244,19 +266,19 @@ def refresh_access_token(
         "refresh_token": refresh_token,
         "grant_type": "refresh_token",
     }
-    
+
     with httpx.Client() as client:
         response = client.post(
             GOOGLE_TOKEN_URL,
             data=data,
             headers={"Content-Type": "application/x-www-form-urlencoded"},
         )
-        
+
         if response.status_code != 200:
             raise Exception(f"Token refresh failed: {response.status_code} - {response.text}")
-        
+
         result = response.json()
-        
+
         return TokenResult(
             access_token=result["access_token"],
             refresh_token=refresh_token,  # Keep original refresh token
@@ -268,10 +290,10 @@ def refresh_access_token(
 def fetch_user_info(access_token: str) -> UserInfo:
     """
     Fetch user info from Google's userinfo API.
-    
+
     Args:
         access_token: Valid access token
-        
+
     Returns:
         User info with email, name, and picture.
     """
@@ -280,12 +302,12 @@ def fetch_user_info(access_token: str) -> UserInfo:
             f"{GOOGLE_USERINFO_URL}?alt=json",
             headers={"Authorization": f"Bearer {access_token}"},
         )
-        
+
         if response.status_code != 200:
             raise Exception(f"Failed to fetch user info: {response.status_code}")
-        
+
         data = response.json()
-        
+
         return UserInfo(
             email=data.get("email", ""),
             name=data.get("name"),
@@ -295,38 +317,41 @@ def fetch_user_info(access_token: str) -> UserInfo:
 
 class OAuthCallbackHandler(BaseHTTPRequestHandler):
     """HTTP request handler for OAuth callback."""
-    
+
     callback_result: dict[str, Any] = {}
     server_ready = threading.Event()
-    
+
     def log_message(self, format, *args):
         """Suppress HTTP server logs."""
         pass
-    
+
     def do_GET(self):
         """Handle OAuth callback GET request."""
         parsed = urlparse(self.path)
-        
+
         if parsed.path == "/oauth-callback":
             params = parse_qs(parsed.query)
-            
+
             OAuthCallbackHandler.callback_result = {
                 "code": params.get("code", [""])[0],
                 "state": params.get("state", [""])[0],
                 "error": params.get("error", [None])[0],
             }
-            
-            if OAuthCallbackHandler.callback_result["code"] and not OAuthCallbackHandler.callback_result["error"]:
+
+            if (
+                OAuthCallbackHandler.callback_result["code"]
+                and not OAuthCallbackHandler.callback_result["error"]
+            ):
                 body = b"<html><body><h1>Login successful!</h1><p>You can close this window.</p></body></html>"
             else:
                 body = b"<html><body><h1>Login failed</h1><p>Please check the CLI output.</p></body></html>"
-            
+
             self.send_response(200)
             self.send_header("Content-Type", "text/html")
             self.send_header("Content-Length", str(len(body)))
             self.end_headers()
             self.wfile.write(body)
-            
+
             # Signal completion
             OAuthCallbackHandler.server_ready.set()
         else:
@@ -340,68 +365,68 @@ def perform_oauth_flow(
 ) -> OAuthResult:
     """
     Perform full OAuth flow with browser-based authentication.
-    
+
     1. Start local callback server
     2. Open browser for Google auth
     3. Wait for callback
     4. Exchange code for tokens
     5. Fetch user info
-    
+
     Args:
         project_id: Optional project ID for state
         timeout: Timeout in seconds (default 5 minutes)
-        
+
     Returns:
         Complete OAuth result with tokens and user info.
     """
     # Reset callback state
     OAuthCallbackHandler.callback_result = {}
     OAuthCallbackHandler.server_ready.clear()
-    
+
     # Start callback server
     server = HTTPServer(("localhost", 0), OAuthCallbackHandler)
     port = server.server_address[1]
-    
+
     server_thread = threading.Thread(target=lambda: server.handle_request())
     server_thread.daemon = True
     server_thread.start()
-    
+
     try:
         # Build auth URL and open browser
         auth_url, verifier = build_auth_url(port, project_id)
-        
-        print(f"\nOpening browser for Google authentication...")
+
+        print("\nOpening browser for Google authentication...")
         print(f"If browser doesn't open, visit:\n{auth_url}\n")
-        
+
         webbrowser.open(auth_url)
-        
+
         # Wait for callback
         if not OAuthCallbackHandler.server_ready.wait(timeout):
             raise Exception("OAuth callback timeout")
-        
+
         result = OAuthCallbackHandler.callback_result
-        
+
         if result.get("error"):
             raise Exception(f"OAuth error: {result['error']}")
-        
+
         if not result.get("code"):
             raise Exception("No authorization code received")
-        
+
         # Verify state
         state = decode_state(result["state"])
         if state.get("verifier") != verifier:
             raise Exception("PKCE verifier mismatch - possible security issue")
-        
+
         # Exchange code for tokens
         tokens = exchange_code(result["code"], verifier, port)
-        
+
         # Fetch user info
         user_info = fetch_user_info(tokens.access_token)
-        
+
         print(f"✓ Authenticated as: {user_info.email}")
-        
+
         return OAuthResult(tokens=tokens, user_info=user_info, verifier=verifier)
-        
+
     finally:
         server.server_close()