diff --git a/CHANGELOG.md b/CHANGELOG.md index ac86fa449..b14aa5d53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ Docs: https://docs.clawd.bot - **BREAKING:** `clawdbot plugins install ` now copies into `~/.clawdbot/extensions` (use `--link` to keep path-based loading). ### Changes +- Plugins: ship bundled plugins disabled by default, allow overrides by installed versions, and add bundled Antigravity + Gemini CLI OAuth + Copilot Proxy provider plugins. (#1066) — thanks @ItzR3NO. - Tools: improve `web_fetch` extraction using Readability (with fallback). - Tools: add Firecrawl fallback for `web_fetch` when configured. - Tools: send Chrome-like headers by default for `web_fetch` to improve extraction on bot-sensitive sites. diff --git a/docs/cli/index.md b/docs/cli/index.md index 9e9b5ee54..4d4c6d261 100644 --- a/docs/cli/index.md +++ b/docs/cli/index.md @@ -292,7 +292,7 @@ Options: - `--non-interactive` - `--mode ` - `--flow ` -- `--auth-choice ` +- `--auth-choice ` - `--token-provider ` (non-interactive; used with `--auth-choice token`) - `--token ` (non-interactive; used with `--auth-choice token`) - `--token-profile-id ` (non-interactive; default: `:manual`) @@ -527,7 +527,7 @@ Surfaces: Notes: - Data comes directly from provider usage endpoints (no estimates). -- Providers: Anthropic, GitHub Copilot, Gemini CLI, Antigravity, OpenAI Codex OAuth, plus z.ai when an API key is configured. +- Providers: Anthropic, GitHub Copilot, OpenAI Codex OAuth, plus Gemini CLI/Antigravity when those provider plugins are enabled. - If no matching credentials exist, usage is hidden. - Details: see [Usage tracking](/concepts/usage-tracking). diff --git a/docs/cli/plugins.md b/docs/cli/plugins.md index 09fdf5e79..593996984 100644 --- a/docs/cli/plugins.md +++ b/docs/cli/plugins.md @@ -25,6 +25,9 @@ clawdbot plugins update clawdbot plugins update --all ``` +Bundled plugins ship with Clawdbot but start disabled. Use `plugins enable` to +activate them. + ### Install ```bash diff --git a/docs/concepts/model-providers.md b/docs/concepts/model-providers.md index 12834317f..6c94d379e 100644 --- a/docs/concepts/model-providers.md +++ b/docs/concepts/model-providers.md @@ -83,7 +83,12 @@ Clawdbot ships with the pi‑ai catalog. These providers require **no** - Providers: `google-vertex`, `google-antigravity`, `google-gemini-cli` - Auth: Vertex uses gcloud ADC; Antigravity/Gemini CLI use their respective auth flows -- CLI: `clawdbot onboard --auth-choice antigravity` (others via interactive wizard) +- Antigravity OAuth is shipped as a bundled plugin (`google-antigravity-auth`, disabled by default). + - Enable: `clawdbot plugins enable google-antigravity-auth` + - Login: `clawdbot models auth login --provider google-antigravity --set-default` +- Gemini CLI OAuth is shipped as a bundled plugin (`google-gemini-cli-auth`, disabled by default). + - Enable: `clawdbot plugins enable google-gemini-cli-auth` + - Login: `clawdbot models auth login --provider google-gemini-cli --set-default` ### Z.AI (GLM) diff --git a/docs/plugin.md b/docs/plugin.md index facd7c2c8..78132db99 100644 --- a/docs/plugin.md +++ b/docs/plugin.md @@ -41,6 +41,9 @@ See [Voice Call](/plugins/voice-call) for a concrete example plugin. - [Matrix](/channels/matrix) — `@clawdbot/matrix` - [Zalo](/channels/zalo) — `@clawdbot/zalo` - [Microsoft Teams](/channels/msteams) — `@clawdbot/msteams` +- Google Antigravity OAuth (provider auth) — bundled as `google-antigravity-auth` (disabled by default) +- Gemini CLI OAuth (provider auth) — bundled as `google-gemini-cli-auth` (disabled by default) +- Copilot Proxy (provider auth) — bundled as `copilot-proxy` (disabled by default) Clawdbot plugins are **TypeScript modules** loaded at runtime via jiti. They can register: @@ -58,16 +61,26 @@ Plugins run **in‑process** with the Gateway, so treat them as trusted code. Clawdbot scans, in order: -1) Global extensions -- `~/.clawdbot/extensions/*.ts` -- `~/.clawdbot/extensions/*/index.ts` +1) Config paths +- `plugins.load.paths` (file or directory) 2) Workspace extensions - `/.clawdbot/extensions/*.ts` - `/.clawdbot/extensions/*/index.ts` -3) Config paths -- `plugins.load.paths` (file or directory) +3) Global extensions +- `~/.clawdbot/extensions/*.ts` +- `~/.clawdbot/extensions/*/index.ts` + +4) Bundled extensions (shipped with Clawdbot, **disabled by default**) +- `/extensions/*` + +Bundled plugins must be enabled explicitly via `plugins.entries..enabled` +or `clawdbot plugins enable `. Installed plugins are enabled by default, +but can be disabled the same way. + +If multiple plugins resolve to the same id, the first match in the order above +wins and lower-precedence copies are ignored. ### Package packs diff --git a/extensions/copilot-proxy/README.md b/extensions/copilot-proxy/README.md new file mode 100644 index 000000000..bf1261659 --- /dev/null +++ b/extensions/copilot-proxy/README.md @@ -0,0 +1,24 @@ +# Copilot Proxy (Clawdbot plugin) + +Provider plugin for the **Copilot Proxy** VS Code extension. + +## Enable + +Bundled plugins are disabled by default. Enable this one: + +```bash +clawdbot plugins enable copilot-proxy +``` + +Restart the Gateway after enabling. + +## Authenticate + +```bash +clawdbot models auth login --provider copilot-proxy --set-default +``` + +## Notes + +- Copilot Proxy must be running in VS Code. +- Base URL must include `/v1`. diff --git a/extensions/copilot-proxy/index.ts b/extensions/copilot-proxy/index.ts new file mode 100644 index 000000000..16fa6910e --- /dev/null +++ b/extensions/copilot-proxy/index.ts @@ -0,0 +1,139 @@ +const DEFAULT_BASE_URL = "http://localhost:3000/v1"; +const DEFAULT_API_KEY = "n/a"; +const DEFAULT_CONTEXT_WINDOW = 128_000; +const DEFAULT_MAX_TOKENS = 8192; +const DEFAULT_MODEL_IDS = [ + "gpt-5.2", + "gpt-5.2-codex", + "gpt-5.1", + "gpt-5.1-codex", + "gpt-5.1-codex-max", + "gpt-5-mini", + "claude-opus-4.5", + "claude-sonnet-4.5", + "claude-haiku-4.5", + "gemini-3-pro", + "gemini-3-flash", + "grok-code-fast-1", +] as const; + +function normalizeBaseUrl(value: string): string { + const trimmed = value.trim(); + if (!trimmed) return DEFAULT_BASE_URL; + let normalized = trimmed; + while (normalized.endsWith("/")) normalized = normalized.slice(0, -1); + if (!normalized.endsWith("/v1")) normalized = `${normalized}/v1`; + return normalized; +} + +function validateBaseUrl(value: string): string | undefined { + const normalized = normalizeBaseUrl(value); + try { + new URL(normalized); + } catch { + return "Enter a valid URL"; + } + return undefined; +} + +function parseModelIds(input: string): string[] { + const parsed = input + .split(/[\n,]/) + .map((model) => model.trim()) + .filter(Boolean); + return Array.from(new Set(parsed)); +} + +function buildModelDefinition(modelId: string) { + return { + id: modelId, + name: modelId, + api: "openai-completions", + reasoning: false, + input: ["text", "image"], + cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 }, + contextWindow: DEFAULT_CONTEXT_WINDOW, + maxTokens: DEFAULT_MAX_TOKENS, + }; +} + +const copilotProxyPlugin = { + id: "copilot-proxy", + name: "Copilot Proxy", + description: "Local Copilot Proxy (VS Code LM) provider plugin", + register(api) { + api.registerProvider({ + id: "copilot-proxy", + label: "Copilot Proxy", + docsPath: "/providers/models", + auth: [ + { + id: "local", + label: "Local proxy", + hint: "Configure base URL + models for the Copilot Proxy server", + kind: "custom", + run: async (ctx) => { + const baseUrlInput = await ctx.prompter.text({ + message: "Copilot Proxy base URL", + initialValue: DEFAULT_BASE_URL, + validate: validateBaseUrl, + }); + + const modelInput = await ctx.prompter.text({ + message: "Model IDs (comma-separated)", + initialValue: DEFAULT_MODEL_IDS.join(", "), + validate: (value) => + parseModelIds(value).length > 0 ? undefined : "Enter at least one model id", + }); + + const baseUrl = normalizeBaseUrl(baseUrlInput); + const modelIds = parseModelIds(modelInput); + const defaultModelId = modelIds[0] ?? DEFAULT_MODEL_IDS[0]; + const defaultModelRef = `copilot-proxy/${defaultModelId}`; + + return { + profiles: [ + { + profileId: "copilot-proxy:local", + credential: { + type: "token", + provider: "copilot-proxy", + token: DEFAULT_API_KEY, + }, + }, + ], + configPatch: { + models: { + providers: { + "copilot-proxy": { + baseUrl, + apiKey: DEFAULT_API_KEY, + api: "openai-completions", + authHeader: false, + models: modelIds.map((modelId) => buildModelDefinition(modelId)), + }, + }, + }, + agents: { + defaults: { + models: Object.fromEntries( + modelIds.map((modelId) => [`copilot-proxy/${modelId}`, {}]), + ), + }, + }, + }, + defaultModel: defaultModelRef, + notes: [ + "Start the Copilot Proxy VS Code extension before using these models.", + "Copilot Proxy serves /v1/chat/completions; base URL must include /v1.", + "Model availability depends on your Copilot plan; edit models.providers.copilot-proxy if needed.", + ], + }; + }, + }, + ], + }); + }, +}; + +export default copilotProxyPlugin; diff --git a/extensions/copilot-proxy/package.json b/extensions/copilot-proxy/package.json new file mode 100644 index 000000000..40f24a829 --- /dev/null +++ b/extensions/copilot-proxy/package.json @@ -0,0 +1,9 @@ +{ + "name": "@clawdbot/copilot-proxy", + "version": "2026.1.15", + "type": "module", + "description": "Clawdbot Copilot Proxy provider plugin", + "clawdbot": { + "extensions": ["./index.ts"] + } +} diff --git a/extensions/google-antigravity-auth/README.md b/extensions/google-antigravity-auth/README.md new file mode 100644 index 000000000..2d33c03dd --- /dev/null +++ b/extensions/google-antigravity-auth/README.md @@ -0,0 +1,24 @@ +# Google Antigravity Auth (Clawdbot plugin) + +OAuth provider plugin for **Google Antigravity** (Cloud Code Assist). + +## Enable + +Bundled plugins are disabled by default. Enable this one: + +```bash +clawdbot plugins enable google-antigravity-auth +``` + +Restart the Gateway after enabling. + +## Authenticate + +```bash +clawdbot models auth login --provider google-antigravity --set-default +``` + +## Notes + +- Antigravity uses Google Cloud project quotas. +- If requests fail, ensure Gemini for Google Cloud is enabled. diff --git a/extensions/google-antigravity-auth/index.ts b/extensions/google-antigravity-auth/index.ts new file mode 100644 index 000000000..e4050d24e --- /dev/null +++ b/extensions/google-antigravity-auth/index.ts @@ -0,0 +1,428 @@ +import { createHash, randomBytes } from "node:crypto"; +import { readFileSync } from "node:fs"; +import { createServer } from "node:http"; + +// OAuth constants - decoded from pi-ai's base64 encoded values to stay in sync +const decode = (s: string) => Buffer.from(s, "base64").toString(); +const CLIENT_ID = decode( + "MTA3MTAwNjA2MDU5MS10bWhzc2luMmgyMWxjcmUyMzV2dG9sb2poNGc0MDNlcC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbQ==", +); +const CLIENT_SECRET = decode("R09DU1BYLUs1OEZXUjQ4NkxkTEoxbUxCOHNYQzR6NnFEQWY="); +const REDIRECT_URI = "http://localhost:51121/oauth-callback"; +const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"; +const TOKEN_URL = "https://oauth2.googleapis.com/token"; +const DEFAULT_PROJECT_ID = "rising-fact-p41fc"; +const DEFAULT_MODEL = "google-antigravity/claude-opus-4-5-thinking"; + +const SCOPES = [ + "https://www.googleapis.com/auth/cloud-platform", + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/userinfo.profile", + "https://www.googleapis.com/auth/cclog", + "https://www.googleapis.com/auth/experimentsandconfigs", +]; + +const CODE_ASSIST_ENDPOINTS = [ + "https://cloudcode-pa.googleapis.com", + "https://daily-cloudcode-pa.sandbox.googleapis.com", +]; + +const RESPONSE_PAGE = ` + + + + Clawdbot Antigravity OAuth + + +
+

Authentication complete

+

You can return to the terminal.

+
+ +`; + +function generatePkce(): { verifier: string; challenge: string } { + const verifier = randomBytes(32).toString("hex"); + const challenge = createHash("sha256").update(verifier).digest("base64url"); + return { verifier, challenge }; +} + +function isWSL(): boolean { + if (process.platform !== "linux") return false; + try { + const release = readFileSync("/proc/version", "utf8").toLowerCase(); + return release.includes("microsoft") || release.includes("wsl"); + } catch { + return false; + } +} + +function isWSL2(): boolean { + if (!isWSL()) return false; + try { + const version = readFileSync("/proc/version", "utf8").toLowerCase(); + return version.includes("wsl2") || version.includes("microsoft-standard"); + } catch { + return false; + } +} + +function shouldUseManualOAuthFlow(isRemote: boolean): boolean { + return isRemote || isWSL2(); +} + +function buildAuthUrl(params: { challenge: string; state: string }): string { + const url = new URL(AUTH_URL); + url.searchParams.set("client_id", CLIENT_ID); + url.searchParams.set("response_type", "code"); + url.searchParams.set("redirect_uri", REDIRECT_URI); + url.searchParams.set("scope", SCOPES.join(" ")); + url.searchParams.set("code_challenge", params.challenge); + url.searchParams.set("code_challenge_method", "S256"); + url.searchParams.set("state", params.state); + url.searchParams.set("access_type", "offline"); + url.searchParams.set("prompt", "consent"); + return url.toString(); +} + +function parseCallbackInput( + input: string, +): { code: string; state: string } | { error: string } { + const trimmed = input.trim(); + if (!trimmed) return { error: "No input provided" }; + + try { + const url = new URL(trimmed); + const code = url.searchParams.get("code"); + const state = url.searchParams.get("state"); + if (!code) return { error: "Missing 'code' parameter in URL" }; + if (!state) return { error: "Missing 'state' parameter in URL" }; + return { code, state }; + } catch { + return { error: "Paste the full redirect URL (not just the code)." }; + } +} + +async function startCallbackServer(params: { timeoutMs: number }) { + const redirect = new URL(REDIRECT_URI); + const port = redirect.port ? Number(redirect.port) : 51121; + + let settled = false; + let resolveCallback: (url: URL) => void; + let rejectCallback: (err: Error) => void; + + const callbackPromise = new Promise((resolve, reject) => { + resolveCallback = (url) => { + if (settled) return; + settled = true; + resolve(url); + }; + rejectCallback = (err) => { + if (settled) return; + settled = true; + reject(err); + }; + }); + + const timeout = setTimeout(() => { + rejectCallback(new Error("Timed out waiting for OAuth callback")); + }, params.timeoutMs); + timeout.unref?.(); + + const server = createServer((request, response) => { + if (!request.url) { + response.writeHead(400, { "Content-Type": "text/plain" }); + response.end("Missing URL"); + return; + } + + const url = new URL(request.url, `${redirect.protocol}//${redirect.host}`); + if (url.pathname !== redirect.pathname) { + response.writeHead(404, { "Content-Type": "text/plain" }); + response.end("Not found"); + return; + } + + response.writeHead(200, { "Content-Type": "text/html; charset=utf-8" }); + response.end(RESPONSE_PAGE); + resolveCallback(url); + + setImmediate(() => { + server.close(); + }); + }); + + await new Promise((resolve, reject) => { + const onError = (err: Error) => { + server.off("error", onError); + reject(err); + }; + server.once("error", onError); + server.listen(port, "127.0.0.1", () => { + server.off("error", onError); + resolve(); + }); + }); + + return { + waitForCallback: () => callbackPromise, + close: () => + new Promise((resolve) => { + server.close(() => resolve()); + }), + }; +} + +async function exchangeCode(params: { + code: string; + verifier: string; +}): Promise<{ access: string; refresh: string; expires: number }> { + const response = await fetch(TOKEN_URL, { + method: "POST", + headers: { "Content-Type": "application/x-www-form-urlencoded" }, + body: new URLSearchParams({ + client_id: CLIENT_ID, + client_secret: CLIENT_SECRET, + code: params.code, + grant_type: "authorization_code", + redirect_uri: REDIRECT_URI, + code_verifier: params.verifier, + }), + }); + + if (!response.ok) { + const text = await response.text(); + throw new Error(`Token exchange failed: ${text}`); + } + + const data = (await response.json()) as { + access_token?: string; + refresh_token?: string; + expires_in?: number; + }; + + const access = data.access_token?.trim(); + const refresh = data.refresh_token?.trim(); + const expiresIn = data.expires_in ?? 0; + + if (!access) throw new Error("Token exchange returned no access_token"); + if (!refresh) throw new Error("Token exchange returned no refresh_token"); + + const expires = Date.now() + expiresIn * 1000 - 5 * 60 * 1000; + return { access, refresh, expires }; +} + +async function fetchUserEmail(accessToken: string): Promise { + try { + const response = await fetch("https://www.googleapis.com/oauth2/v1/userinfo?alt=json", { + headers: { Authorization: `Bearer ${accessToken}` }, + }); + if (!response.ok) return undefined; + const data = (await response.json()) as { email?: string }; + return data.email; + } catch { + return undefined; + } +} + +async function fetchProjectId(accessToken: string): Promise { + const headers = { + Authorization: `Bearer ${accessToken}`, + "Content-Type": "application/json", + "User-Agent": "google-api-nodejs-client/9.15.1", + "X-Goog-Api-Client": "google-cloud-sdk vscode_cloudshelleditor/0.1", + "Client-Metadata": JSON.stringify({ + ideType: "IDE_UNSPECIFIED", + platform: "PLATFORM_UNSPECIFIED", + pluginType: "GEMINI", + }), + }; + + for (const endpoint of CODE_ASSIST_ENDPOINTS) { + try { + const response = await fetch(`${endpoint}/v1internal:loadCodeAssist`, { + method: "POST", + headers, + body: JSON.stringify({ + metadata: { + ideType: "IDE_UNSPECIFIED", + platform: "PLATFORM_UNSPECIFIED", + pluginType: "GEMINI", + }, + }), + }); + + if (!response.ok) continue; + const data = (await response.json()) as { + cloudaicompanionProject?: string | { id?: string }; + }; + + if (typeof data.cloudaicompanionProject === "string") { + return data.cloudaicompanionProject; + } + if ( + data.cloudaicompanionProject && + typeof data.cloudaicompanionProject === "object" && + data.cloudaicompanionProject.id + ) { + return data.cloudaicompanionProject.id; + } + } catch { + // ignore + } + } + + return DEFAULT_PROJECT_ID; +} + +async function loginAntigravity(params: { + isRemote: boolean; + openUrl: (url: string) => Promise; + prompt: (message: string) => Promise; + note: (message: string, title?: string) => Promise; + progress: { update: (msg: string) => void; stop: (msg?: string) => void }; +}): Promise<{ + access: string; + refresh: string; + expires: number; + email?: string; + projectId: string; +}> { + const { verifier, challenge } = generatePkce(); + const state = randomBytes(16).toString("hex"); + const authUrl = buildAuthUrl({ challenge, state }); + + let callbackServer: Awaited> | null = null; + const needsManual = shouldUseManualOAuthFlow(params.isRemote); + if (!needsManual) { + try { + callbackServer = await startCallbackServer({ timeoutMs: 5 * 60 * 1000 }); + } catch { + callbackServer = null; + } + } + + if (!callbackServer) { + await params.note( + [ + "Open the URL in your local browser.", + "After signing in, copy the full redirect URL and paste it back here.", + "", + `Auth URL: ${authUrl}`, + `Redirect URI: ${REDIRECT_URI}`, + ].join("\n"), + "Google Antigravity OAuth", + ); + } + + if (!needsManual) { + params.progress.update("Opening Google sign-in…"); + try { + await params.openUrl(authUrl); + } catch { + // ignore + } + } + + let code = ""; + let returnedState = ""; + + if (callbackServer) { + params.progress.update("Waiting for OAuth callback…"); + const callback = await callbackServer.waitForCallback(); + code = callback.searchParams.get("code") ?? ""; + returnedState = callback.searchParams.get("state") ?? ""; + await callbackServer.close(); + } else { + params.progress.update("Waiting for redirect URL…"); + const input = await params.prompt("Paste the redirect URL: "); + const parsed = parseCallbackInput(input); + if ("error" in parsed) throw new Error(parsed.error); + code = parsed.code; + returnedState = parsed.state; + } + + if (!code) throw new Error("Missing OAuth code"); + if (returnedState !== state) { + throw new Error("OAuth state mismatch. Please try again."); + } + + params.progress.update("Exchanging code for tokens…"); + const tokens = await exchangeCode({ code, verifier }); + const email = await fetchUserEmail(tokens.access); + const projectId = await fetchProjectId(tokens.access); + + params.progress.stop("Antigravity OAuth complete"); + return { ...tokens, email, projectId }; +} + +const antigravityPlugin = { + id: "google-antigravity-auth", + name: "Google Antigravity Auth", + description: "OAuth flow for Google Antigravity (Cloud Code Assist)", + register(api) { + api.registerProvider({ + id: "google-antigravity", + label: "Google Antigravity", + docsPath: "/providers/models", + aliases: ["antigravity"], + auth: [ + { + id: "oauth", + label: "Google OAuth", + hint: "PKCE + localhost callback", + kind: "oauth", + run: async (ctx) => { + const spin = ctx.prompter.progress("Starting Antigravity OAuth…"); + try { + const result = await loginAntigravity({ + isRemote: ctx.isRemote, + openUrl: ctx.openUrl, + prompt: async (message) => String(await ctx.prompter.text({ message })), + note: ctx.prompter.note, + progress: spin, + }); + + const profileId = `google-antigravity:${result.email ?? "default"}`; + return { + profiles: [ + { + profileId, + credential: { + type: "oauth", + provider: "google-antigravity", + access: result.access, + refresh: result.refresh, + expires: result.expires, + email: result.email, + projectId: result.projectId, + }, + }, + ], + configPatch: { + agents: { + defaults: { + models: { + [DEFAULT_MODEL]: {}, + }, + }, + }, + }, + defaultModel: DEFAULT_MODEL, + notes: [ + "Antigravity uses Google Cloud project quotas.", + "Enable Gemini for Google Cloud on your project if requests fail.", + ], + }; + } catch (err) { + spin.stop("Antigravity OAuth failed"); + throw err; + } + }, + }, + ], + }); + }, +}; + +export default antigravityPlugin; diff --git a/extensions/google-antigravity-auth/package.json b/extensions/google-antigravity-auth/package.json new file mode 100644 index 000000000..a80c91d98 --- /dev/null +++ b/extensions/google-antigravity-auth/package.json @@ -0,0 +1,9 @@ +{ + "name": "@clawdbot/google-antigravity-auth", + "version": "2026.1.15", + "type": "module", + "description": "Clawdbot Google Antigravity OAuth provider plugin", + "clawdbot": { + "extensions": ["./index.ts"] + } +} diff --git a/extensions/google-gemini-cli-auth/README.md b/extensions/google-gemini-cli-auth/README.md new file mode 100644 index 000000000..6e4bdbd2b --- /dev/null +++ b/extensions/google-gemini-cli-auth/README.md @@ -0,0 +1,24 @@ +# Google Gemini CLI Auth (Clawdbot plugin) + +OAuth provider plugin for **Gemini CLI** (Google Code Assist). + +## Enable + +Bundled plugins are disabled by default. Enable this one: + +```bash +clawdbot plugins enable google-gemini-cli-auth +``` + +Restart the Gateway after enabling. + +## Authenticate + +```bash +clawdbot models auth login --provider google-gemini-cli --set-default +``` + +## Env vars + +- `CLAWDBOT_GEMINI_OAUTH_CLIENT_ID` / `GEMINI_CLI_OAUTH_CLIENT_ID` +- `CLAWDBOT_GEMINI_OAUTH_CLIENT_SECRET` / `GEMINI_CLI_OAUTH_CLIENT_SECRET` diff --git a/extensions/google-gemini-cli-auth/index.ts b/extensions/google-gemini-cli-auth/index.ts new file mode 100644 index 000000000..b4ccf585b --- /dev/null +++ b/extensions/google-gemini-cli-auth/index.ts @@ -0,0 +1,88 @@ +import { loginGeminiCliOAuth } from "./oauth.js"; + +const PROVIDER_ID = "google-gemini-cli"; +const PROVIDER_LABEL = "Gemini CLI OAuth"; +const DEFAULT_MODEL = "google-gemini-cli/gemini-3-pro-preview"; +const ENV_VARS = [ + "CLAWDBOT_GEMINI_OAUTH_CLIENT_ID", + "CLAWDBOT_GEMINI_OAUTH_CLIENT_SECRET", + "GEMINI_CLI_OAUTH_CLIENT_ID", + "GEMINI_CLI_OAUTH_CLIENT_SECRET", +]; + +const geminiCliPlugin = { + id: "google-gemini-cli-auth", + name: "Google Gemini CLI Auth", + description: "OAuth flow for Gemini CLI (Google Code Assist)", + register(api) { + api.registerProvider({ + id: PROVIDER_ID, + label: PROVIDER_LABEL, + docsPath: "/providers/models", + aliases: ["gemini-cli"], + envVars: ENV_VARS, + auth: [ + { + id: "oauth", + label: "Google OAuth", + hint: "PKCE + localhost callback", + kind: "oauth", + run: async (ctx) => { + const spin = ctx.prompter.progress("Starting Gemini CLI OAuth…"); + try { + const result = await loginGeminiCliOAuth({ + isRemote: ctx.isRemote, + openUrl: ctx.openUrl, + log: (msg) => ctx.runtime.log(msg), + note: ctx.prompter.note, + prompt: async (message) => String(await ctx.prompter.text({ message })), + progress: spin, + }); + + spin.stop("Gemini CLI OAuth complete"); + const profileId = `google-gemini-cli:${result.email ?? "default"}`; + return { + profiles: [ + { + profileId, + credential: { + type: "oauth", + provider: PROVIDER_ID, + access: result.access, + refresh: result.refresh, + expires: result.expires, + email: result.email, + projectId: result.projectId, + }, + }, + ], + configPatch: { + agents: { + defaults: { + models: { + [DEFAULT_MODEL]: {}, + }, + }, + }, + }, + defaultModel: DEFAULT_MODEL, + notes: [ + "If requests fail, set GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID.", + ], + }; + } catch (err) { + spin.stop("Gemini CLI OAuth failed"); + await ctx.prompter.note( + "Trouble with OAuth? Ensure your Google account has Gemini CLI access.", + "OAuth help", + ); + throw err; + } + }, + }, + ], + }); + }, +}; + +export default geminiCliPlugin; diff --git a/extensions/google-gemini-cli-auth/oauth.ts b/extensions/google-gemini-cli-auth/oauth.ts new file mode 100644 index 000000000..0fc68aa5a --- /dev/null +++ b/extensions/google-gemini-cli-auth/oauth.ts @@ -0,0 +1,496 @@ +import { createHash, randomBytes } from "node:crypto"; +import { readFileSync } from "node:fs"; +import { createServer } from "node:http"; + +const CLIENT_ID_KEYS = ["CLAWDBOT_GEMINI_OAUTH_CLIENT_ID", "GEMINI_CLI_OAUTH_CLIENT_ID"]; +const CLIENT_SECRET_KEYS = [ + "CLAWDBOT_GEMINI_OAUTH_CLIENT_SECRET", + "GEMINI_CLI_OAUTH_CLIENT_SECRET", +]; +const REDIRECT_URI = "http://localhost:8085/oauth2callback"; +const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"; +const TOKEN_URL = "https://oauth2.googleapis.com/token"; +const USERINFO_URL = "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"; +const CODE_ASSIST_ENDPOINT = "https://cloudcode-pa.googleapis.com"; +const SCOPES = [ + "https://www.googleapis.com/auth/cloud-platform", + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/userinfo.profile", +]; + +const TIER_FREE = "free-tier"; +const TIER_LEGACY = "legacy-tier"; +const TIER_STANDARD = "standard-tier"; + +export type GeminiCliOAuthCredentials = { + access: string; + refresh: string; + expires: number; + email?: string; + projectId: string; +}; + +export type GeminiCliOAuthContext = { + isRemote: boolean; + openUrl: (url: string) => Promise; + log: (msg: string) => void; + note: (message: string, title?: string) => Promise; + prompt: (message: string) => Promise; + progress: { update: (msg: string) => void; stop: (msg?: string) => void }; +}; + +function resolveEnv(keys: string[]): string | undefined { + for (const key of keys) { + const value = process.env[key]?.trim(); + if (value) return value; + } + return undefined; +} + +function resolveOAuthClientConfig(): { clientId: string; clientSecret?: string } { + const clientId = resolveEnv(CLIENT_ID_KEYS); + if (!clientId) { + throw new Error( + "Missing Gemini OAuth client ID. Set CLAWDBOT_GEMINI_OAUTH_CLIENT_ID (or GEMINI_CLI_OAUTH_CLIENT_ID).", + ); + } + const clientSecret = resolveEnv(CLIENT_SECRET_KEYS); + return { clientId, clientSecret }; +} + +function isWSL(): boolean { + if (process.platform !== "linux") return false; + try { + const release = readFileSync("/proc/version", "utf8").toLowerCase(); + return release.includes("microsoft") || release.includes("wsl"); + } catch { + return false; + } +} + +function isWSL2(): boolean { + if (!isWSL()) return false; + try { + const version = readFileSync("/proc/version", "utf8").toLowerCase(); + return version.includes("wsl2") || version.includes("microsoft-standard"); + } catch { + return false; + } +} + +function shouldUseManualOAuthFlow(isRemote: boolean): boolean { + return isRemote || isWSL2(); +} + +function generatePkce(): { verifier: string; challenge: string } { + const verifier = randomBytes(32).toString("hex"); + const challenge = createHash("sha256").update(verifier).digest("base64url"); + return { verifier, challenge }; +} + +function buildAuthUrl(challenge: string, verifier: string): string { + const { clientId } = resolveOAuthClientConfig(); + const params = new URLSearchParams({ + client_id: clientId, + response_type: "code", + redirect_uri: REDIRECT_URI, + scope: SCOPES.join(" "), + code_challenge: challenge, + code_challenge_method: "S256", + state: verifier, + access_type: "offline", + prompt: "consent", + }); + return `${AUTH_URL}?${params.toString()}`; +} + +function parseCallbackInput( + input: string, + expectedState: string, +): { code: string; state: string } | { error: string } { + const trimmed = input.trim(); + if (!trimmed) return { error: "No input provided" }; + + try { + const url = new URL(trimmed); + const code = url.searchParams.get("code"); + const state = url.searchParams.get("state") ?? expectedState; + if (!code) return { error: "Missing 'code' parameter in URL" }; + if (!state) return { error: "Missing 'state' parameter. Paste the full URL." }; + return { code, state }; + } catch { + if (!expectedState) return { error: "Paste the full redirect URL, not just the code." }; + return { code: trimmed, state: expectedState }; + } +} + +async function waitForLocalCallback(params: { + expectedState: string; + timeoutMs: number; + onProgress?: (message: string) => void; +}): Promise<{ code: string; state: string }> { + const port = 8085; + const hostname = "localhost"; + const expectedPath = "/oauth2callback"; + + return new Promise<{ code: string; state: string }>((resolve, reject) => { + let timeout: NodeJS.Timeout | null = null; + const server = createServer((req, res) => { + try { + const requestUrl = new URL(req.url ?? "/", `http://${hostname}:${port}`); + if (requestUrl.pathname !== expectedPath) { + res.statusCode = 404; + res.setHeader("Content-Type", "text/plain"); + res.end("Not found"); + return; + } + + const error = requestUrl.searchParams.get("error"); + const code = requestUrl.searchParams.get("code")?.trim(); + const state = requestUrl.searchParams.get("state")?.trim(); + + if (error) { + res.statusCode = 400; + res.setHeader("Content-Type", "text/plain"); + res.end(`Authentication failed: ${error}`); + finish(new Error(`OAuth error: ${error}`)); + return; + } + + if (!code || !state) { + res.statusCode = 400; + res.setHeader("Content-Type", "text/plain"); + res.end("Missing code or state"); + finish(new Error("Missing OAuth code or state")); + return; + } + + if (state !== params.expectedState) { + res.statusCode = 400; + res.setHeader("Content-Type", "text/plain"); + res.end("Invalid state"); + finish(new Error("OAuth state mismatch")); + return; + } + + res.statusCode = 200; + res.setHeader("Content-Type", "text/html; charset=utf-8"); + res.end( + "" + + "

Gemini CLI OAuth complete

" + + "

You can close this window and return to Clawdbot.

", + ); + + finish(undefined, { code, state }); + } catch (err) { + finish(err instanceof Error ? err : new Error("OAuth callback failed")); + } + }); + + const finish = (err?: Error, result?: { code: string; state: string }) => { + if (timeout) clearTimeout(timeout); + try { + server.close(); + } catch { + // ignore close errors + } + if (err) { + reject(err); + } else if (result) { + resolve(result); + } + }; + + server.once("error", (err) => { + finish(err instanceof Error ? err : new Error("OAuth callback server error")); + }); + + server.listen(port, hostname, () => { + params.onProgress?.(`Waiting for OAuth callback on ${REDIRECT_URI}…`); + }); + + timeout = setTimeout(() => { + finish(new Error("OAuth callback timeout")); + }, params.timeoutMs); + }); +} + +async function exchangeCodeForTokens(code: string, verifier: string): Promise { + const { clientId, clientSecret } = resolveOAuthClientConfig(); + const body = new URLSearchParams({ + client_id: clientId, + code, + grant_type: "authorization_code", + redirect_uri: REDIRECT_URI, + code_verifier: verifier, + }); + if (clientSecret) { + body.set("client_secret", clientSecret); + } + + const response = await fetch(TOKEN_URL, { + method: "POST", + headers: { "Content-Type": "application/x-www-form-urlencoded" }, + body, + }); + + if (!response.ok) { + const errorText = await response.text(); + throw new Error(`Token exchange failed: ${errorText}`); + } + + const data = (await response.json()) as { + access_token: string; + refresh_token: string; + expires_in: number; + }; + + if (!data.refresh_token) { + throw new Error("No refresh token received. Please try again."); + } + + const email = await getUserEmail(data.access_token); + const projectId = await discoverProject(data.access_token); + const expiresAt = Date.now() + data.expires_in * 1000 - 5 * 60 * 1000; + + return { + refresh: data.refresh_token, + access: data.access_token, + expires: expiresAt, + projectId, + email, + }; +} + +async function getUserEmail(accessToken: string): Promise { + try { + const response = await fetch(USERINFO_URL, { + headers: { Authorization: `Bearer ${accessToken}` }, + }); + if (response.ok) { + const data = (await response.json()) as { email?: string }; + return data.email; + } + } catch { + // ignore + } + return undefined; +} + +async function discoverProject(accessToken: string): Promise { + const envProject = process.env.GOOGLE_CLOUD_PROJECT || process.env.GOOGLE_CLOUD_PROJECT_ID; + const headers = { + Authorization: `Bearer ${accessToken}`, + "Content-Type": "application/json", + "User-Agent": "google-api-nodejs-client/9.15.1", + "X-Goog-Api-Client": "gl-node/clawdbot", + }; + + const loadBody = { + cloudaicompanionProject: envProject, + metadata: { + ideType: "IDE_UNSPECIFIED", + platform: "PLATFORM_UNSPECIFIED", + pluginType: "GEMINI", + duetProject: envProject, + }, + }; + + let data: { + currentTier?: { id?: string }; + cloudaicompanionProject?: string | { id?: string }; + allowedTiers?: Array<{ id?: string; isDefault?: boolean }>; + } = {}; + + try { + const response = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:loadCodeAssist`, { + method: "POST", + headers, + body: JSON.stringify(loadBody), + }); + + if (!response.ok) { + const errorPayload = await response.json().catch(() => null); + if (isVpcScAffected(errorPayload)) { + data = { currentTier: { id: TIER_STANDARD } }; + } else { + throw new Error(`loadCodeAssist failed: ${response.status} ${response.statusText}`); + } + } else { + data = (await response.json()) as typeof data; + } + } catch (err) { + if (err instanceof Error) { + throw err; + } + throw new Error("loadCodeAssist failed"); + } + + if (data.currentTier) { + const project = data.cloudaicompanionProject; + if (typeof project === "string" && project) return project; + if (typeof project === "object" && project?.id) return project.id; + if (envProject) return envProject; + throw new Error( + "This account requires GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID to be set.", + ); + } + + const tier = getDefaultTier(data.allowedTiers); + const tierId = tier?.id || TIER_FREE; + if (tierId !== TIER_FREE && !envProject) { + throw new Error( + "This account requires GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID to be set.", + ); + } + + const onboardBody: Record = { + tierId, + metadata: { + ideType: "IDE_UNSPECIFIED", + platform: "PLATFORM_UNSPECIFIED", + pluginType: "GEMINI", + }, + }; + if (tierId !== TIER_FREE && envProject) { + onboardBody.cloudaicompanionProject = envProject; + (onboardBody.metadata as Record).duetProject = envProject; + } + + const onboardResponse = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:onboardUser`, { + method: "POST", + headers, + body: JSON.stringify(onboardBody), + }); + + if (!onboardResponse.ok) { + throw new Error(`onboardUser failed: ${onboardResponse.status} ${onboardResponse.statusText}`); + } + + let lro = (await onboardResponse.json()) as { + done?: boolean; + name?: string; + response?: { cloudaicompanionProject?: { id?: string } }; + }; + + if (!lro.done && lro.name) { + lro = await pollOperation(lro.name, headers); + } + + const projectId = lro.response?.cloudaicompanionProject?.id; + if (projectId) return projectId; + if (envProject) return envProject; + + throw new Error( + "Could not discover or provision a Google Cloud project. Set GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID.", + ); +} + +function isVpcScAffected(payload: unknown): boolean { + if (!payload || typeof payload !== "object") return false; + const error = (payload as { error?: unknown }).error; + if (!error || typeof error !== "object") return false; + const details = (error as { details?: unknown[] }).details; + if (!Array.isArray(details)) return false; + return details.some( + (item) => + typeof item === "object" && item && (item as { reason?: string }).reason === "SECURITY_POLICY_VIOLATED", + ); +} + +function getDefaultTier( + allowedTiers?: Array<{ id?: string; isDefault?: boolean }>, +): { id?: string } | undefined { + if (!allowedTiers?.length) return { id: TIER_LEGACY }; + return allowedTiers.find((tier) => tier.isDefault) ?? { id: TIER_LEGACY }; +} + +async function pollOperation( + operationName: string, + headers: Record, +): Promise<{ done?: boolean; response?: { cloudaicompanionProject?: { id?: string } } }> { + for (let attempt = 0; attempt < 24; attempt += 1) { + await new Promise((resolve) => setTimeout(resolve, 5000)); + const response = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal/${operationName}`, { + headers, + }); + if (!response.ok) continue; + const data = (await response.json()) as { + done?: boolean; + response?: { cloudaicompanionProject?: { id?: string } }; + }; + if (data.done) return data; + } + throw new Error("Operation polling timeout"); +} + +export async function loginGeminiCliOAuth(ctx: GeminiCliOAuthContext): Promise { + const needsManual = shouldUseManualOAuthFlow(ctx.isRemote); + await ctx.note( + needsManual + ? [ + "You are running in a remote/VPS environment.", + "A URL will be shown for you to open in your LOCAL browser.", + "After signing in, copy the redirect URL and paste it back here.", + ].join("\n") + : [ + "Browser will open for Google authentication.", + "Sign in with your Google account for Gemini CLI access.", + "The callback will be captured automatically on localhost:8085.", + ].join("\n"), + "Gemini CLI OAuth", + ); + + const { verifier, challenge } = generatePkce(); + const authUrl = buildAuthUrl(challenge, verifier); + + if (needsManual) { + ctx.progress.update("OAuth URL ready"); + ctx.log(`\nOpen this URL in your LOCAL browser:\n\n${authUrl}\n`); + ctx.progress.update("Waiting for you to paste the callback URL..."); + const callbackInput = await ctx.prompt("Paste the redirect URL here: "); + const parsed = parseCallbackInput(callbackInput, verifier); + if ("error" in parsed) throw new Error(parsed.error); + if (parsed.state !== verifier) { + throw new Error("OAuth state mismatch - please try again"); + } + ctx.progress.update("Exchanging authorization code for tokens..."); + return exchangeCodeForTokens(parsed.code, verifier); + } + + ctx.progress.update("Complete sign-in in browser..."); + try { + await ctx.openUrl(authUrl); + } catch { + ctx.log(`\nOpen this URL in your browser:\n\n${authUrl}\n`); + } + + try { + const { code } = await waitForLocalCallback({ + expectedState: verifier, + timeoutMs: 5 * 60 * 1000, + onProgress: (msg) => ctx.progress.update(msg), + }); + ctx.progress.update("Exchanging authorization code for tokens..."); + return await exchangeCodeForTokens(code, verifier); + } catch (err) { + if ( + err instanceof Error && + (err.message.includes("EADDRINUSE") || + err.message.includes("port") || + err.message.includes("listen")) + ) { + ctx.progress.update("Local callback server failed. Switching to manual mode..."); + ctx.log(`\nOpen this URL in your LOCAL browser:\n\n${authUrl}\n`); + const callbackInput = await ctx.prompt("Paste the redirect URL here: "); + const parsed = parseCallbackInput(callbackInput, verifier); + if ("error" in parsed) throw new Error(parsed.error); + if (parsed.state !== verifier) { + throw new Error("OAuth state mismatch - please try again"); + } + ctx.progress.update("Exchanging authorization code for tokens..."); + return exchangeCodeForTokens(parsed.code, verifier); + } + throw err; + } +} diff --git a/extensions/google-gemini-cli-auth/package.json b/extensions/google-gemini-cli-auth/package.json new file mode 100644 index 000000000..7cc273536 --- /dev/null +++ b/extensions/google-gemini-cli-auth/package.json @@ -0,0 +1,9 @@ +{ + "name": "@clawdbot/google-gemini-cli-auth", + "version": "2026.1.15", + "type": "module", + "description": "Clawdbot Gemini CLI OAuth provider plugin", + "clawdbot": { + "extensions": ["./index.ts"] + } +} diff --git a/src/cli/program/register.onboard.ts b/src/cli/program/register.onboard.ts index 97cc86c48..9294e152f 100644 --- a/src/cli/program/register.onboard.ts +++ b/src/cli/program/register.onboard.ts @@ -51,7 +51,7 @@ export function registerOnboardCommand(program: Command) { .option("--mode ", "Wizard mode: local|remote") .option( "--auth-choice ", - "Auth: setup-token|claude-cli|token|chutes|openai-codex|openai-api-key|openrouter-api-key|ai-gateway-api-key|moonshot-api-key|synthetic-api-key|codex-cli|antigravity|gemini-api-key|zai-api-key|apiKey|minimax-api|minimax-api-lightning|opencode-zen|skip", + "Auth: setup-token|claude-cli|token|chutes|openai-codex|openai-api-key|openrouter-api-key|ai-gateway-api-key|moonshot-api-key|synthetic-api-key|codex-cli|gemini-api-key|zai-api-key|apiKey|minimax-api|minimax-api-lightning|opencode-zen|skip", ) .option( "--token-provider ", diff --git a/src/commands/antigravity-oauth.ts b/src/commands/antigravity-oauth.ts deleted file mode 100644 index f879846cd..000000000 --- a/src/commands/antigravity-oauth.ts +++ /dev/null @@ -1,384 +0,0 @@ -/** - * VPS-aware Antigravity OAuth flow. - * - * On local machines: Uses the standard pi-ai loginAntigravity with local server callback. - * On VPS/SSH/headless: Shows URL and prompts user to paste the callback URL manually. - */ - -import { createHash, randomBytes } from "node:crypto"; -import { readFileSync } from "node:fs"; -import { stdin, stdout } from "node:process"; -import { createInterface } from "node:readline/promises"; -import { loginAntigravity, type OAuthCredentials } from "@mariozechner/pi-ai"; - -// OAuth constants - decoded from pi-ai's base64 encoded values to stay in sync -const decode = (s: string) => Buffer.from(s, "base64").toString(); -const CLIENT_ID = decode( - "MTA3MTAwNjA2MDU5MS10bWhzc2luMmgyMWxjcmUyMzV2dG9sb2poNGc0MDNlcC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbQ==", -); -const CLIENT_SECRET = decode("R09DU1BYLUs1OEZXUjQ4NkxkTEoxbUxCOHNYQzR6NnFEQWY="); -const REDIRECT_URI = "http://localhost:51121/oauth-callback"; -const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"; -const TOKEN_URL = "https://oauth2.googleapis.com/token"; -// Antigravity requires these additional scopes -const SCOPES = [ - "https://www.googleapis.com/auth/cloud-platform", - "https://www.googleapis.com/auth/userinfo.email", - "https://www.googleapis.com/auth/userinfo.profile", - "https://www.googleapis.com/auth/cclog", - "https://www.googleapis.com/auth/experimentsandconfigs", -]; -// Fallback project ID when discovery fails (same as pi-ai) -const DEFAULT_PROJECT_ID = "rising-fact-p41fc"; - -/** - * Detect if running in WSL (Windows Subsystem for Linux). - */ -function isWSL(): boolean { - if (process.platform !== "linux") return false; - try { - const release = readFileSync("/proc/version", "utf8").toLowerCase(); - return release.includes("microsoft") || release.includes("wsl"); - } catch { - return false; - } -} - -/** - * Detect if running in WSL2 specifically. - */ -function isWSL2(): boolean { - if (!isWSL()) return false; - try { - const version = readFileSync("/proc/version", "utf8").toLowerCase(); - return version.includes("wsl2") || version.includes("microsoft-standard"); - } catch { - return false; - } -} - -/** - * Detect if running in a remote/headless environment where localhost callback won't work. - */ -export function isRemoteEnvironment(): boolean { - // SSH session indicators - if (process.env.SSH_CLIENT || process.env.SSH_TTY || process.env.SSH_CONNECTION) { - return true; - } - - // Container/cloud environments - if (process.env.REMOTE_CONTAINERS || process.env.CODESPACES) { - return true; - } - - // Linux without display (and not WSL which can use wslview) - if ( - process.platform === "linux" && - !process.env.DISPLAY && - !process.env.WAYLAND_DISPLAY && - !isWSL() - ) { - return true; - } - - return false; -} - -/** - * Whether to skip the local OAuth callback server. - */ -export function shouldUseManualOAuthFlow(): boolean { - return isWSL2() || isRemoteEnvironment(); -} - -/** - * Generate PKCE verifier and challenge using Node.js crypto. - */ -function generatePKCESync(): { verifier: string; challenge: string } { - const verifier = randomBytes(32).toString("hex"); - const challenge = createHash("sha256").update(verifier).digest("base64url"); - return { verifier, challenge }; -} - -/** - * Build the Antigravity OAuth authorization URL. - */ -function buildAuthUrl(challenge: string, verifier: string): string { - const params = new URLSearchParams({ - client_id: CLIENT_ID, - response_type: "code", - redirect_uri: REDIRECT_URI, - scope: SCOPES.join(" "), - code_challenge: challenge, - code_challenge_method: "S256", - state: verifier, - access_type: "offline", - prompt: "consent", - }); - return `${AUTH_URL}?${params.toString()}`; -} - -/** - * Parse the OAuth callback URL or code input. - */ -function parseCallbackInput( - input: string, - expectedState: string, -): { code: string; state: string } | { error: string } { - const trimmed = input.trim(); - if (!trimmed) { - return { error: "No input provided" }; - } - - try { - // Try parsing as full URL - const url = new URL(trimmed); - const code = url.searchParams.get("code"); - const state = url.searchParams.get("state") ?? expectedState; - - if (!code) { - return { error: "Missing 'code' parameter in URL" }; - } - if (!state) { - return { error: "Missing 'state' parameter. Paste the full URL." }; - } - - return { code, state }; - } catch { - // Not a URL - treat as raw code (need state from original request) - if (!expectedState) { - return { error: "Paste the full redirect URL, not just the code." }; - } - return { code: trimmed, state: expectedState }; - } -} - -/** - * Exchange authorization code for tokens. - */ -async function exchangeCodeForTokens(code: string, verifier: string): Promise { - const response = await fetch(TOKEN_URL, { - method: "POST", - headers: { - "Content-Type": "application/x-www-form-urlencoded", - }, - body: new URLSearchParams({ - client_id: CLIENT_ID, - client_secret: CLIENT_SECRET, - code, - grant_type: "authorization_code", - redirect_uri: REDIRECT_URI, - code_verifier: verifier, - }), - }); - - if (!response.ok) { - const errorText = await response.text(); - throw new Error(`Token exchange failed: ${errorText}`); - } - - const data = (await response.json()) as { - access_token: string; - refresh_token: string; - expires_in: number; - }; - - if (!data.refresh_token) { - throw new Error("No refresh token received. Please try again."); - } - - // Fetch user email - const email = await getUserEmail(data.access_token); - - // Fetch project ID - const projectId = await fetchProjectId(data.access_token); - - // Calculate expiry time (same as pi-ai: current time + expires_in - 5 min buffer) - const expiresAt = Date.now() + data.expires_in * 1000 - 5 * 60 * 1000; - - return { - refresh: data.refresh_token, - access: data.access_token, - expires: expiresAt, - projectId, - email, - }; -} - -/** - * Get user email from access token. - */ -async function getUserEmail(accessToken: string): Promise { - try { - const response = await fetch("https://www.googleapis.com/oauth2/v1/userinfo?alt=json", { - headers: { - Authorization: `Bearer ${accessToken}`, - }, - }); - if (response.ok) { - const data = (await response.json()) as { email?: string }; - return data.email; - } - } catch { - // Ignore errors, email is optional - } - return undefined; -} - -/** - * Fetch the Antigravity project ID using the access token. - */ -async function fetchProjectId(accessToken: string): Promise { - const headers = { - Authorization: `Bearer ${accessToken}`, - "Content-Type": "application/json", - "User-Agent": "google-api-nodejs-client/9.15.1", - "X-Goog-Api-Client": "google-cloud-sdk vscode_cloudshelleditor/0.1", - "Client-Metadata": JSON.stringify({ - ideType: "IDE_UNSPECIFIED", - platform: "PLATFORM_UNSPECIFIED", - pluginType: "GEMINI", - }), - }; - - // Try endpoints in order: prod first, then sandbox - const endpoints = [ - "https://cloudcode-pa.googleapis.com", - "https://daily-cloudcode-pa.sandbox.googleapis.com", - ]; - - for (const endpoint of endpoints) { - try { - const response = await fetch(`${endpoint}/v1internal:loadCodeAssist`, { - method: "POST", - headers, - body: JSON.stringify({ - metadata: { - ideType: "IDE_UNSPECIFIED", - platform: "PLATFORM_UNSPECIFIED", - pluginType: "GEMINI", - }, - }), - }); - - if (!response.ok) continue; - - const data = (await response.json()) as { - cloudaicompanionProject?: string | { id?: string }; - }; - - if (typeof data.cloudaicompanionProject === "string") { - return data.cloudaicompanionProject; - } - if ( - data.cloudaicompanionProject && - typeof data.cloudaicompanionProject === "object" && - data.cloudaicompanionProject.id - ) { - return data.cloudaicompanionProject.id; - } - } catch { - // ignore failed endpoint, try next - } - } - - // Use fallback project ID - return DEFAULT_PROJECT_ID; -} - -/** - * Prompt user for input via readline. - */ -async function promptInput(message: string): Promise { - const rl = createInterface({ input: stdin, output: stdout }); - try { - return (await rl.question(message)).trim(); - } finally { - rl.close(); - } -} - -/** - * VPS-aware Antigravity OAuth login. - * - * On local machines: Uses the standard pi-ai flow with automatic localhost callback. - * On VPS/SSH: Shows URL and prompts user to paste the callback URL manually. - */ -export async function loginAntigravityVpsAware( - onUrl: (url: string) => void | Promise, - onProgress?: (message: string) => void, -): Promise { - // Check if we're in a remote environment - if (shouldUseManualOAuthFlow()) { - return loginAntigravityManual(onUrl, onProgress); - } - - // Use the standard pi-ai flow for local environments - try { - return await loginAntigravity( - async ({ url, instructions }) => { - await onUrl(url); - onProgress?.(instructions ?? "Complete sign-in in browser..."); - }, - (msg) => onProgress?.(msg), - ); - } catch (err) { - // If the local server fails (e.g., port in use), fall back to manual - if ( - err instanceof Error && - (err.message.includes("EADDRINUSE") || - err.message.includes("port") || - err.message.includes("listen")) - ) { - onProgress?.("Local callback server failed. Switching to manual mode..."); - return loginAntigravityManual(onUrl, onProgress); - } - throw err; - } -} - -/** - * Manual Antigravity OAuth login for VPS/headless environments. - * - * Shows the OAuth URL and prompts user to paste the callback URL. - */ -export async function loginAntigravityManual( - onUrl: (url: string) => void | Promise, - onProgress?: (message: string) => void, -): Promise { - const { verifier, challenge } = generatePKCESync(); - const authUrl = buildAuthUrl(challenge, verifier); - - // Show the URL to the user - await onUrl(authUrl); - - onProgress?.("Waiting for you to paste the callback URL..."); - - console.log("\n"); - console.log("=".repeat(60)); - console.log("VPS/Remote Mode - Manual OAuth"); - console.log("=".repeat(60)); - console.log("\n1. Open the URL above in your LOCAL browser"); - console.log("2. Complete the Google sign-in"); - console.log("3. Your browser will redirect to a localhost URL that won't load"); - console.log("4. Copy the ENTIRE URL from your browser's address bar"); - console.log("5. Paste it below\n"); - console.log("The URL will look like:"); - console.log("http://localhost:51121/oauth-callback?code=xxx&state=yyy\n"); - - const callbackInput = await promptInput("Paste the redirect URL here: "); - - const parsed = parseCallbackInput(callbackInput, verifier); - if ("error" in parsed) { - throw new Error(parsed.error); - } - - // Verify state matches - if (parsed.state !== verifier) { - throw new Error("OAuth state mismatch - please try again"); - } - - onProgress?.("Exchanging authorization code for tokens..."); - - return exchangeCodeForTokens(parsed.code, verifier); -} diff --git a/src/commands/auth-choice-options.ts b/src/commands/auth-choice-options.ts index 3f83b8aa0..40cb1a110 100644 --- a/src/commands/auth-choice-options.ts +++ b/src/commands/auth-choice-options.ts @@ -61,8 +61,8 @@ const AUTH_CHOICE_GROUP_DEFS: { { value: "google", label: "Google", - hint: "Antigravity + Gemini API key", - choices: ["antigravity", "gemini-api-key"], + hint: "Gemini API key", + choices: ["gemini-api-key"], }, { value: "openrouter", @@ -181,10 +181,6 @@ export function buildAuthChoiceOptions(params: { }); options.push({ value: "moonshot-api-key", label: "Moonshot AI API key" }); options.push({ value: "synthetic-api-key", label: "Synthetic API key" }); - options.push({ - value: "antigravity", - label: "Google Antigravity (Claude Opus 4.5, Gemini 3, etc.)", - }); options.push({ value: "github-copilot", label: "GitHub Copilot (GitHub device login)", diff --git a/src/commands/auth-choice.apply.oauth.ts b/src/commands/auth-choice.apply.oauth.ts index ea4ea7e42..9e618e4c5 100644 --- a/src/commands/auth-choice.apply.oauth.ts +++ b/src/commands/auth-choice.apply.oauth.ts @@ -1,5 +1,4 @@ -import type { OAuthCredentials } from "@mariozechner/pi-ai"; -import { isRemoteEnvironment, loginAntigravityVpsAware } from "./antigravity-oauth.js"; +import { isRemoteEnvironment } from "./oauth-env.js"; import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js"; import { loginChutes } from "./chutes-oauth.js"; import { createVpsAwareOAuthHandlers } from "./oauth-flow.js"; @@ -94,105 +93,5 @@ export async function applyAuthChoiceOAuth( return { config: nextConfig }; } - if (params.authChoice === "antigravity") { - let nextConfig = params.config; - let agentModelOverride: string | undefined; - const noteAgentModel = async (model: string) => { - if (!params.agentId) return; - await params.prompter.note( - `Default model set to ${model} for agent "${params.agentId}".`, - "Model configured", - ); - }; - - const isRemote = isRemoteEnvironment(); - await params.prompter.note( - isRemote - ? [ - "You are running in a remote/VPS environment.", - "A URL will be shown for you to open in your LOCAL browser.", - "After signing in, copy the redirect URL and paste it back here.", - ].join("\n") - : [ - "Browser will open for Google authentication.", - "Sign in with your Google account that has Antigravity access.", - "The callback will be captured automatically on localhost:51121.", - ].join("\n"), - "Google Antigravity OAuth", - ); - const spin = params.prompter.progress("Starting OAuth flow…"); - let oauthCreds: OAuthCredentials | null = null; - try { - oauthCreds = await loginAntigravityVpsAware( - async (url) => { - if (isRemote) { - spin.stop("OAuth URL ready"); - params.runtime.log(`\nOpen this URL in your LOCAL browser:\n\n${url}\n`); - } else { - spin.update("Complete sign-in in browser…"); - await openUrl(url); - params.runtime.log(`Open: ${url}`); - } - }, - (msg) => spin.update(msg), - ); - spin.stop("Antigravity OAuth complete"); - if (oauthCreds) { - await writeOAuthCredentials("google-antigravity", oauthCreds, params.agentDir); - nextConfig = applyAuthProfileConfig(nextConfig, { - profileId: `google-antigravity:${oauthCreds.email ?? "default"}`, - provider: "google-antigravity", - mode: "oauth", - }); - const modelKey = "google-antigravity/claude-opus-4-5-thinking"; - nextConfig = { - ...nextConfig, - agents: { - ...nextConfig.agents, - defaults: { - ...nextConfig.agents?.defaults, - models: { - ...nextConfig.agents?.defaults?.models, - [modelKey]: nextConfig.agents?.defaults?.models?.[modelKey] ?? {}, - }, - }, - }, - }; - if (params.setDefaultModel) { - const existingModel = nextConfig.agents?.defaults?.model; - nextConfig = { - ...nextConfig, - agents: { - ...nextConfig.agents, - defaults: { - ...nextConfig.agents?.defaults, - model: { - ...(existingModel && "fallbacks" in (existingModel as Record) - ? { - fallbacks: (existingModel as { fallbacks?: string[] }).fallbacks, - } - : undefined), - primary: modelKey, - }, - }, - }, - }; - await params.prompter.note(`Default model set to ${modelKey}`, "Model configured"); - } else { - agentModelOverride = modelKey; - await noteAgentModel(modelKey); - } - } - } catch (err) { - spin.stop("Antigravity OAuth failed"); - params.runtime.error(String(err)); - await params.prompter.note( - "Trouble with OAuth? See https://docs.clawd.bot/start/faq", - "OAuth help", - ); - } - return { config: nextConfig, agentModelOverride }; - } - return null; } diff --git a/src/commands/auth-choice.apply.openai.ts b/src/commands/auth-choice.apply.openai.ts index 542113c57..4be7762bd 100644 --- a/src/commands/auth-choice.apply.openai.ts +++ b/src/commands/auth-choice.apply.openai.ts @@ -2,7 +2,7 @@ import { loginOpenAICodex } from "@mariozechner/pi-ai"; import { CODEX_CLI_PROFILE_ID, ensureAuthProfileStore } from "../agents/auth-profiles.js"; import { resolveEnvApiKey } from "../agents/model-auth.js"; import { upsertSharedEnvVar } from "../infra/env-file.js"; -import { isRemoteEnvironment } from "./antigravity-oauth.js"; +import { isRemoteEnvironment } from "./oauth-env.js"; import { formatApiKeyPreview, normalizeApiKeyInput, diff --git a/src/commands/auth-choice.preferred-provider.ts b/src/commands/auth-choice.preferred-provider.ts index 82d6ca2fe..9d2d8e273 100644 --- a/src/commands/auth-choice.preferred-provider.ts +++ b/src/commands/auth-choice.preferred-provider.ts @@ -15,7 +15,6 @@ const PREFERRED_PROVIDER_BY_AUTH_CHOICE: Partial> = { "moonshot-api-key": "moonshot", "gemini-api-key": "google", "zai-api-key": "zai", - antigravity: "google-antigravity", "synthetic-api-key": "synthetic", "github-copilot": "github-copilot", "minimax-cloud": "minimax", diff --git a/src/commands/models/auth.ts b/src/commands/models/auth.ts index b6f04760c..1ff30cd5f 100644 --- a/src/commands/models/auth.ts +++ b/src/commands/models/auth.ts @@ -23,7 +23,7 @@ import { import type { RuntimeEnv } from "../../runtime.js"; import { stylePromptHint, stylePromptMessage } from "../../terminal/prompt-style.js"; import { applyAuthProfileConfig } from "../onboard-auth.js"; -import { isRemoteEnvironment } from "../antigravity-oauth.js"; +import { isRemoteEnvironment } from "../oauth-env.js"; import { openUrl } from "../onboard-helpers.js"; import { createVpsAwareOAuthHandlers } from "../oauth-flow.js"; import { updateConfig } from "./shared.js"; diff --git a/src/commands/oauth-env.ts b/src/commands/oauth-env.ts new file mode 100644 index 000000000..1f2967f8b --- /dev/null +++ b/src/commands/oauth-env.ts @@ -0,0 +1,32 @@ +import { readFileSync } from "node:fs"; + +function isWSL(): boolean { + if (process.platform !== "linux") return false; + try { + const release = readFileSync("/proc/version", "utf8").toLowerCase(); + return release.includes("microsoft") || release.includes("wsl"); + } catch { + return false; + } +} + +export function isRemoteEnvironment(): boolean { + if (process.env.SSH_CLIENT || process.env.SSH_TTY || process.env.SSH_CONNECTION) { + return true; + } + + if (process.env.REMOTE_CONTAINERS || process.env.CODESPACES) { + return true; + } + + if ( + process.platform === "linux" && + !process.env.DISPLAY && + !process.env.WAYLAND_DISPLAY && + !isWSL() + ) { + return true; + } + + return false; +} diff --git a/src/commands/onboard-non-interactive/local/auth-choice.ts b/src/commands/onboard-non-interactive/local/auth-choice.ts index 7351614dd..bfc51ea80 100644 --- a/src/commands/onboard-non-interactive/local/auth-choice.ts +++ b/src/commands/onboard-non-interactive/local/auth-choice.ts @@ -334,11 +334,9 @@ export async function applyNonInteractiveAuthChoice(params: { if ( authChoice === "oauth" || authChoice === "chutes" || - authChoice === "openai-codex" || - authChoice === "antigravity" + authChoice === "openai-codex" ) { - const label = authChoice === "antigravity" ? "Antigravity" : "OAuth"; - runtime.error(`${label} requires interactive mode.`); + runtime.error("OAuth requires interactive mode."); runtime.exit(1); return null; } diff --git a/src/commands/onboard-types.ts b/src/commands/onboard-types.ts index 891c16402..5dd610777 100644 --- a/src/commands/onboard-types.ts +++ b/src/commands/onboard-types.ts @@ -16,7 +16,6 @@ export type AuthChoice = | "moonshot-api-key" | "synthetic-api-key" | "codex-cli" - | "antigravity" | "apiKey" | "gemini-api-key" | "zai-api-key" diff --git a/src/plugins/bundled-dir.ts b/src/plugins/bundled-dir.ts new file mode 100644 index 000000000..33524c36f --- /dev/null +++ b/src/plugins/bundled-dir.ts @@ -0,0 +1,33 @@ +import fs from "node:fs"; +import path from "node:path"; +import { fileURLToPath } from "node:url"; + +export function resolveBundledPluginsDir(): string | undefined { + const override = process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR?.trim(); + if (override) return override; + + // bun --compile: ship a sibling `extensions/` next to the executable. + try { + const execDir = path.dirname(process.execPath); + const sibling = path.join(execDir, "extensions"); + if (fs.existsSync(sibling)) return sibling; + } catch { + // ignore + } + + // npm/dev: walk up from this module to find `extensions/` at the package root. + try { + let cursor = path.dirname(fileURLToPath(import.meta.url)); + for (let i = 0; i < 6; i += 1) { + const candidate = path.join(cursor, "extensions"); + if (fs.existsSync(candidate)) return candidate; + const parent = path.dirname(cursor); + if (parent === cursor) break; + cursor = parent; + } + } catch { + // ignore + } + + return undefined; +} diff --git a/src/plugins/discovery.test.ts b/src/plugins/discovery.test.ts index c70133826..77c2584fe 100644 --- a/src/plugins/discovery.test.ts +++ b/src/plugins/discovery.test.ts @@ -15,7 +15,9 @@ function makeTempDir() { async function withStateDir(stateDir: string, fn: () => Promise) { const prev = process.env.CLAWDBOT_STATE_DIR; + const prevBundled = process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR; process.env.CLAWDBOT_STATE_DIR = stateDir; + process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins"; vi.resetModules(); try { return await fn(); @@ -25,6 +27,11 @@ async function withStateDir(stateDir: string, fn: () => Promise) { } else { process.env.CLAWDBOT_STATE_DIR = prev; } + if (prevBundled === undefined) { + delete process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR; + } else { + process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = prevBundled; + } vi.resetModules(); } } diff --git a/src/plugins/discovery.ts b/src/plugins/discovery.ts index c49e9a379..06d93e40d 100644 --- a/src/plugins/discovery.ts +++ b/src/plugins/discovery.ts @@ -2,6 +2,7 @@ import fs from "node:fs"; import path from "node:path"; import { CONFIG_DIR, resolveUserPath } from "../utils.js"; +import { resolveBundledPluginsDir } from "./bundled-dir.js"; import type { PluginDiagnostic, PluginOrigin } from "./types.js"; const EXTENSION_EXTS = new Set([".ts", ".js", ".mts", ".cts", ".mjs", ".cjs"]); @@ -271,29 +272,7 @@ export function discoverClawdbotPlugins(params: { const candidates: PluginCandidate[] = []; const diagnostics: PluginDiagnostic[] = []; const seen = new Set(); - - const globalDir = path.join(CONFIG_DIR, "extensions"); - discoverInDirectory({ - dir: globalDir, - origin: "global", - candidates, - diagnostics, - seen, - }); - const workspaceDir = params.workspaceDir?.trim(); - if (workspaceDir) { - const workspaceRoot = resolveUserPath(workspaceDir); - const workspaceExt = path.join(workspaceRoot, ".clawdbot", "extensions"); - discoverInDirectory({ - dir: workspaceExt, - origin: "workspace", - workspaceDir: workspaceRoot, - candidates, - diagnostics, - seen, - }); - } const extra = params.extraPaths ?? []; for (const extraPath of extra) { @@ -309,6 +288,38 @@ export function discoverClawdbotPlugins(params: { seen, }); } + if (workspaceDir) { + const workspaceRoot = resolveUserPath(workspaceDir); + const workspaceExt = path.join(workspaceRoot, ".clawdbot", "extensions"); + discoverInDirectory({ + dir: workspaceExt, + origin: "workspace", + workspaceDir: workspaceRoot, + candidates, + diagnostics, + seen, + }); + } + + const globalDir = path.join(CONFIG_DIR, "extensions"); + discoverInDirectory({ + dir: globalDir, + origin: "global", + candidates, + diagnostics, + seen, + }); + + const bundledDir = resolveBundledPluginsDir(); + if (bundledDir) { + discoverInDirectory({ + dir: bundledDir, + origin: "bundled", + candidates, + diagnostics, + seen, + }); + } return { candidates, diagnostics }; } diff --git a/src/plugins/loader.test.ts b/src/plugins/loader.test.ts index f48581c0f..223a1bde8 100644 --- a/src/plugins/loader.test.ts +++ b/src/plugins/loader.test.ts @@ -9,6 +9,7 @@ import { loadClawdbotPlugins } from "./loader.js"; type TempPlugin = { dir: string; file: string; id: string }; const tempDirs: string[] = []; +const prevBundledDir = process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR; function makeTempDir() { const dir = path.join(os.tmpdir(), `clawdbot-plugin-${randomUUID()}`); @@ -32,10 +33,49 @@ afterEach(() => { // ignore cleanup failures } } + if (prevBundledDir === undefined) { + delete process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR; + } else { + process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = prevBundledDir; + } }); describe("loadClawdbotPlugins", () => { + it("disables bundled plugins by default", () => { + const bundledDir = makeTempDir(); + const bundledPath = path.join(bundledDir, "bundled.ts"); + fs.writeFileSync(bundledPath, "export default function () {}", "utf-8"); + process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = bundledDir; + + const registry = loadClawdbotPlugins({ + cache: false, + config: { + plugins: { + allow: ["bundled"], + }, + }, + }); + + const bundled = registry.plugins.find((entry) => entry.id === "bundled"); + expect(bundled?.status).toBe("disabled"); + + const enabledRegistry = loadClawdbotPlugins({ + cache: false, + config: { + plugins: { + allow: ["bundled"], + entries: { + bundled: { enabled: true }, + }, + }, + }, + }); + + const enabled = enabledRegistry.plugins.find((entry) => entry.id === "bundled"); + expect(enabled?.status).toBe("loaded"); + }); it("loads plugins from config paths", () => { + process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins"; const plugin = writePlugin({ id: "allowed", body: `export default function (api) { api.registerGatewayMethod("allowed.ping", ({ respond }) => respond(true, { ok: true })); }`, @@ -52,12 +92,13 @@ describe("loadClawdbotPlugins", () => { }, }); - expect(registry.plugins.length).toBe(1); - expect(registry.plugins[0]?.status).toBe("loaded"); + const loaded = registry.plugins.find((entry) => entry.id === "allowed"); + expect(loaded?.status).toBe("loaded"); expect(Object.keys(registry.gatewayHandlers)).toContain("allowed.ping"); }); it("denylist disables plugins even if allowed", () => { + process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins"; const plugin = writePlugin({ id: "blocked", body: `export default function () {}`, @@ -75,10 +116,12 @@ describe("loadClawdbotPlugins", () => { }, }); - expect(registry.plugins[0]?.status).toBe("disabled"); + const blocked = registry.plugins.find((entry) => entry.id === "blocked"); + expect(blocked?.status).toBe("disabled"); }); it("fails fast on invalid plugin config", () => { + process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins"; const plugin = writePlugin({ id: "configurable", body: `export default {\n id: "configurable",\n configSchema: {\n parse(value) {\n if (!value || typeof value !== "object" || Array.isArray(value)) {\n throw new Error("bad config");\n }\n return value;\n }\n },\n register() {}\n};`, @@ -99,11 +142,13 @@ describe("loadClawdbotPlugins", () => { }, }); - expect(registry.plugins[0]?.status).toBe("error"); + const configurable = registry.plugins.find((entry) => entry.id === "configurable"); + expect(configurable?.status).toBe("error"); expect(registry.diagnostics.some((d) => d.level === "error")).toBe(true); }); it("registers channel plugins", () => { + process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins"; const plugin = writePlugin({ id: "channel-demo", body: `export default function (api) { @@ -139,11 +184,12 @@ describe("loadClawdbotPlugins", () => { }, }); - expect(registry.channels.length).toBe(1); - expect(registry.channels[0]?.plugin.id).toBe("demo"); + const channel = registry.channels.find((entry) => entry.plugin.id === "demo"); + expect(channel).toBeDefined(); }); it("registers http handlers", () => { + process.env.CLAWDBOT_BUNDLED_PLUGINS_DIR = "/nonexistent/bundled/plugins"; const plugin = writePlugin({ id: "http-demo", body: `export default function (api) { @@ -162,8 +208,9 @@ describe("loadClawdbotPlugins", () => { }, }); - expect(registry.httpHandlers.length).toBe(1); - expect(registry.httpHandlers[0]?.pluginId).toBe("http-demo"); - expect(registry.plugins[0]?.httpHandlers).toBe(1); + const handler = registry.httpHandlers.find((entry) => entry.pluginId === "http-demo"); + expect(handler).toBeDefined(); + const httpPlugin = registry.plugins.find((entry) => entry.id === "http-demo"); + expect(httpPlugin?.httpHandlers).toBe(1); }); }); diff --git a/src/plugins/loader.ts b/src/plugins/loader.ts index c8d0842ec..40b33a418 100644 --- a/src/plugins/loader.ts +++ b/src/plugins/loader.ts @@ -86,6 +86,7 @@ function buildCacheKey(params: { function resolveEnableState( id: string, + origin: PluginRecord["origin"], config: NormalizedPluginsConfig, ): { enabled: boolean; reason?: string } { if (!config.enabled) { @@ -98,9 +99,15 @@ function resolveEnableState( return { enabled: false, reason: "not in allowlist" }; } const entry = config.entries[id]; + if (entry?.enabled === true) { + return { enabled: true }; + } if (entry?.enabled === false) { return { enabled: false, reason: "disabled in config" }; } + if (origin === "bundled") { + return { enabled: false, reason: "bundled (disabled by default)" }; + } return { enabled: true }; } @@ -237,8 +244,29 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi interopDefault: true, }); + const seenIds = new Map(); + for (const candidate of discovery.candidates) { - const enableState = resolveEnableState(candidate.idHint, normalized); + const existingOrigin = seenIds.get(candidate.idHint); + if (existingOrigin) { + const record = createPluginRecord({ + id: candidate.idHint, + name: candidate.packageName ?? candidate.idHint, + description: candidate.packageDescription, + version: candidate.packageVersion, + source: candidate.source, + origin: candidate.origin, + workspaceDir: candidate.workspaceDir, + enabled: false, + configSchema: false, + }); + record.status = "disabled"; + record.error = `overridden by ${existingOrigin} plugin`; + registry.plugins.push(record); + continue; + } + + const enableState = resolveEnableState(candidate.idHint, candidate.origin, normalized); const entry = normalized.entries[candidate.idHint]; const record = createPluginRecord({ id: candidate.idHint, @@ -256,6 +284,7 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi record.status = "disabled"; record.error = enableState.reason; registry.plugins.push(record); + seenIds.set(candidate.idHint, candidate.origin); continue; } @@ -266,6 +295,7 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi record.status = "error"; record.error = String(err); registry.plugins.push(record); + seenIds.set(candidate.idHint, candidate.origin); registry.diagnostics.push({ level: "error", pluginId: record.id, @@ -324,6 +354,7 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi record.status = "error"; record.error = `invalid config: ${validatedConfig.errors?.join(", ")}`; registry.plugins.push(record); + seenIds.set(candidate.idHint, candidate.origin); registry.diagnostics.push({ level: "error", pluginId: record.id, @@ -337,6 +368,7 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi record.status = "error"; record.error = "plugin export missing register/activate"; registry.plugins.push(record); + seenIds.set(candidate.idHint, candidate.origin); registry.diagnostics.push({ level: "error", pluginId: record.id, @@ -362,10 +394,12 @@ export function loadClawdbotPlugins(options: PluginLoadOptions = {}): PluginRegi }); } registry.plugins.push(record); + seenIds.set(candidate.idHint, candidate.origin); } catch (err) { record.status = "error"; record.error = String(err); registry.plugins.push(record); + seenIds.set(candidate.idHint, candidate.origin); registry.diagnostics.push({ level: "error", pluginId: record.id, diff --git a/src/plugins/types.ts b/src/plugins/types.ts index fc4cc9ec5..709700bed 100644 --- a/src/plugins/types.ts +++ b/src/plugins/types.ts @@ -175,7 +175,7 @@ export type ClawdbotPluginApi = { resolvePath: (input: string) => string; }; -export type PluginOrigin = "global" | "workspace" | "config"; +export type PluginOrigin = "bundled" | "global" | "workspace" | "config"; export type PluginDiagnostic = { level: "warn" | "error";