)jAdZddlmZddlZddlZddlZddlZddlZddl Z ddl m Z m Z ddl mZmZmZmZejeZdZddgZd Zd Zd Zd Zd ZdZdZdZGddeZ Gdde Z!ddd:dZ"d;dZ#edddd+Z'd?d-Z(ddd)d@d/Z)e Gd0d1Z*ddd)dAd3Z+e Gd4d5Z,dddd6dBd9Z-dS)CuUGoogle Code Assist API client — project discovery, onboarding, quota. The Code Assist API powers Google's official gemini-cli. It sits at ``cloudcode-pa.googleapis.com`` and provides: - Free tier access (generous daily quota) for personal Google accounts - Paid tier access via GCP projects with billing / Workspace / Standard / Enterprise This module handles the control-plane dance needed before inference: 1. ``load_code_assist()`` — probe the user's account to learn what tier they're on and whether a ``cloudaicompanionProject`` is already assigned. 2. ``onboard_user()`` — if the user hasn't been onboarded yet (new account, fresh free tier, etc.), call this with the chosen tier + project id. Supports LRO polling for slow provisioning. 3. ``retrieve_user_quota()`` — fetch the ``buckets[]`` array showing remaining quota per model, used by the ``/gquota`` slash command. VPC-SC handling: enterprise accounts under a VPC Service Controls perimeter will get ``SECURITY_POLICY_VIOLATED`` on ``load_code_assist``. We catch this and force the account to ``standard-tier`` so the call chain still succeeds. Derived from opencode-gemini-auth (MIT) and clawdbot/extensions/google. The request/response shapes are specific to Google's internal Code Assist API, documented nowhere public — we copy them from the reference implementations. ) annotationsN) dataclassfield)AnyDictListOptionalz#https://cloudcode-pa.googleapis.comz1https://daily-cloudcode-pa.sandbox.googleapis.comz4https://autopush-cloudcode-pa.sandbox.googleapis.comz free-tierz legacy-tierz standard-tierz&google-api-nodejs-client/9.15.1 (gzip)zgl-node/24.0.0g>@ g@c2eZdZdZdddddddfdZxZS)CodeAssistErroraException raised by the Code Assist (``cloudcode-pa``) integration. Carries HTTP status / response / retry-after metadata so the agent's ``error_classifier._extract_status_code`` and the main loop's Retry-After handling (which walks ``error.response.headers``) pick up the right signals. Without these, 429s from the OAuth path look like opaque ``RuntimeError`` and skip the rate-limit path. code_assist_errorN)code status_coderesponse retry_afterdetailsmessagestrrr Optional[int]rrrOptional[float]rOptional[Dict[str, Any]]returnNonect|||_||_||_||_|pi|_dS)N)super__init__rrrrr)selfrrrrrr __class__s ?/home/wildlama/.hermes/hermes-agent/agent/google_code_assist.pyrzCodeAssistError.__init__NsR !!! ' ! '}" )rrrrrrrrrrrrrr)__name__ __module__ __qualname____doc__r __classcell__rs@rr r Dsb(%)'+,0%%%%%%%%%%%%r r c"eZdZddfd ZxZS) ProjectIdRequiredError%GCP project id required for this tierrrrrcNt|ddS)Ncode_assist_project_id_requiredr)rr)rrrs rrzProjectIdRequiredError.__init__os' 'HIIIIIr )r))rrrr)r!r"r#rr%r&s@rr(r(nsMJJJJJJJJJJJr r(user_agent_model access_tokenrr/rDict[str, str]c t}|r|d|}ddd||tttjdS)Nz model/zapplication/jsonzBearer )z Content-TypeAccept Authorizationz User-AgentzX-Goog-Api-Clientzx-activity-request-id)_GEMINI_CLI_USER_AGENT_X_GOOG_API_CLIENTruuiduuid4)r0r/uas r_build_headersr:wsZ B. - -+ - -*$1<11/!$TZ\\!2!2   r cddddS)uLMatch Google's gemini-cli exactly — unrecognized metadata may be rejected.IDE_UNSPECIFIEDPLATFORM_UNSPECIFIEDGEMINI)ideTypeplatform pluginTyperBr r_client_metadatarCs%*  r )timeoutr/urlbodyDict[str, Any]rDfloatc Xtj|d}tj||dt ||} tj||5}| dd}|rtj |nicdddS#1swxYwYdS#tj j $r} d} |  dd} n#t$rYnwxYwt| rtd | d | td | jd | p| jd| j | d} ~ wtj j$r} td| d | d} ~ wwxYw)Nzutf-8POSTr.)datamethodheaders)rDreplace)errorsr-zVPC-SC policy violation: code_assist_vpc_scr,zCode Assist HTTP z: code_assist_http_zCode Assist request failed: code_assist_network_error)jsondumpsencodeurllibrequestRequestr:urlopenreaddecodeloadserror HTTPError Exception_is_vpc_sc_violationr rreasonURLError) rErFr0rDr/rKrWrrawexcdetails r _post_jsonrfsF :d   " "7 + +Dn$$ $v|>NOOO%G ^ # #GW # = = 2--//(((CCC&)14:c???r 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 < ! XXZZ&&wy&AAFF    D   ' ' !4F44)  B B BF,@cj B B/SX//     <  03 0 0,    sn!C`` for up to ``_ONBOARDING_POLL_ATTEMPTS`` × ``_ONBOARDING_POLL_INTERVAL_SECONDS`` (default: 12 × 5s = 1 min). zTier zQ requires a GCP project id. Set HERMES_GEMINI_PROJECT_ID or GOOGLE_CLOUD_PROJECT.)tierIdr}rz/v1internal:onboardUserr.donenamer-z /v1internal/z%Onboarding poll attempt %d failed: %sNz.Onboarding did not complete within %d attempts) FREE_TIER_IDLEGACY_TIER_IDr(rCrrfrnrange_ONBOARDING_POLL_ATTEMPTStimesleep!_ONBOARDING_POLL_INTERVAL_SECONDSr rr) r0rr{r/rFrrErop_nameattemptpoll_url poll_resprds r onboard_userrs ,7n#<#%?%?%F3GGquu[117R88         Nr cLeZdZUdZdZded<dZded<dZded<dZded<dS) ProjectContextz)Resolved state for a given OAuth session.r-rr{managed_project_idrsourceN) r!r"r#r$r{rzrrrrBr rrr~s]33J     GFr r)configured_project_idenv_project_idr/rrc|rt|tdS|rt|tdSt||}|j}|j}|stt |t d|}|dpi}t|tr&|p#t|dpd}t }d } nd } t||t kr|nd|| S) aRFigure out what project id + tier to use for requests. Priority: 1. If configured_project_id or env_project_id is set, use that directly and short-circuit (no discovery needed). 2. Otherwise call loadCodeAssist to see what Google says. 3. If no tier assigned yet, onboard the user (free tier default). config)r{rrenvr.r-)rr{r/rr onboarded discovered)r{rrr) rrrrvrurrrnrlrmr) r0rrr/reffective_projecttier onboard_resp response_bodyrs rresolve_project_contextrsC  ,$     %$     L;K L L LD5  D #  -    %((44: mT * * !K}(()BCCIrJJ  $04 0D0D,,"    r )r0rr/rrr1)rr1) rErrFrGr0rrDrHr/rrrG)rFrrrg)r0rr{rr/rrrt)rrGrrt) r0rrrr{rr/rrrG)r0rr{rr/rrr) r0rrrrrr/rrr).r$ __future__rrSloggingr urllib.errorrVurllib.requestr7 dataclassesrrtypingrrrr getLoggerr!rrrrrrr5r6_DEFAULT_REQUEST_TIMEOUTrr RuntimeErrorr r(r:rCrfr`rtrrrrrrrrBr rrs!6#"""""   ((((((((,,,,,,,,,,,,  8 $ $=8:  "B%$'!'%'%'%'%'%l'%'%'%TJJJJJ_JJJBD      . %%%%%%P----6 6666666 6 '#'#'#'#'#'#T8 111111p 6666666 6 B  "$ <<<<<<<<r