Skip to content

feat: Antigravity OAuth fallback#128

Merged
robinebers merged 6 commits into
robinebers:mainfrom
validatedev:feat/ag-oauth
Feb 10, 2026
Merged

feat: Antigravity OAuth fallback#128
robinebers merged 6 commits into
robinebers:mainfrom
validatedev:feat/ag-oauth

Conversation

@validatedev

@validatedev validatedev commented Feb 8, 2026

Copy link
Copy Markdown
Collaborator

Description

This pull request significantly enhances the Antigravity plugin by adding robust support for authentication and quota discovery through both the local language server and Google's Cloud Code API. It introduces logic for reading and refreshing Google OAuth tokens from a local SQLite database, implements fallback strategies for model discovery, and improves error handling and deduplication of model quota data. The documentation is also updated to reflect these changes and provide detailed insight into the new authentication flow.

Authentication and Token Management:

  • Added logic to read API keys and Google OAuth tokens (including refresh tokens and expiry) from the local VS Code-compatible SQLite database (state.vscdb). Includes a minimal protobuf wire-format parser to extract tokens. [1] [2]
  • Implemented token refresh flow using Google's OAuth endpoint, with local caching of refreshed tokens for reuse.

Cloud Code API Fallback and Model Discovery:

  • Added fallback logic to use the Cloud Code API when the local language server is unavailable, trying multiple tokens and refreshing them if necessary. [1] [2] [3]
  • Implemented filtering and deduplication of models returned from Cloud Code, including blacklist and display name checks. [1] [2]

Language Server Improvements:

  • Updated LS probe logic to include the API key in metadata when available, and improved error handling to gracefully fall back to Cloud Code if the LS is not running. [1] [2] [3]

Documentation Updates:

  • Expanded documentation to describe the new authentication mechanisms, SQLite credential storage, Cloud Code fallback strategy, and token refresh flow. [1] [2] [3]

Refactoring and Code Quality:

  • Refactored model quota aggregation and sorting into a reusable function, and improved error handling throughout the plugin code. [1] [2]

These changes make the plugin more robust in a variety of user environments and ensure continued operation even if the local language server is unavailable or authentication tokens expire.

Note: I intentionally didn't modify the local database, unlike the implementation in Cursor. I used a file to hold the keys instead.

Type of Change

  • Bug fix
  • New feature

Testing

  • I ran bun run build and it succeeded
  • I ran bun run test and all tests pass
  • I tested the change locally with bun tauri dev

Screenshots

CleanShot 2026-02-09 at 00 28 37@2x

Checklist

  • I read CONTRIBUTING.md
  • My PR targets the main branch
  • I did not introduce new dependencies without justification

Summary by cubic

Adds an OAuth-backed fallback so Antigravity keeps showing model quotas when the language server isn’t running. Tokens are read from SQLite, refreshed and cached, with strict model filtering and expired proto tokens skipped.

  • New Features

    • Read API key and Google OAuth tokens from SQLite (protobuf decoded), refresh via Google OAuth, cache refreshed tokens; prefer proto/cached tokens before apiKey.
    • Cloud Code fallback for model/quota discovery when LS is unavailable; tries daily and prod endpoints; LS metadata includes apiKey.
    • Shared model parsing to deduplicate, sort, and format quota lines. Docs updated with DB schema, token flow, caching, and fallback strategy.
  • Bug Fixes

    • Filter non-user-facing Cloud Code models (isInternal, empty displayName, blacklist; includes Gemini 3 Pro Image).
    • Skip expired protobuf tokens before Cloud Code calls or refresh; tests added.
    • Graceful errors and timeouts; expanded tests cover LS-first, token ordering, refresh, caching, and filtering paths.

Written for commit b6008fc. Summary will update on new commits.

…avity

- Updated authentication to support API key retrieval from SQLite as a fallback.
- Improved the requirements for running the Antigravity IDE, allowing for signed-in credentials in SQLite.
- Added detailed documentation on local SQLite database structure and token management.
- Implemented a new strategy for fetching available models from the Cloud Code API when the language server is not running.
- Enhanced tests to cover new authentication flows and ensure proper handling of API keys.
- Updated the model fetching logic to filter out non-user-facing models based on the `isInternal` flag, empty `displayName`, and a blacklist of deprecated model IDs.
- Improved documentation to clarify the differences between Cloud Code and LS model sets.
- Added tests to ensure that models with the `isInternal` flag, empty display names, and blacklisted IDs are correctly excluded from the results.
- LS does not expose this model, so we are going to filter this too

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 3 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="plugins/antigravity/plugin.js">

<violation number="1" location="plugins/antigravity/plugin.js:11">
P1: Hard-coded OAuth client secret is embedded in client-side plugin code, exposing sensitive credentials in the distributed JS.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread plugins/antigravity/plugin.js

@robinebers robinebers left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work — this is solid. Auth flow, Cloud Code fallback, protobuf decoder, filtering, test coverage, docs all look great. Clean and safe to merge.

One small optimization you could make: loadProtoTokens already extracts expirySeconds but probe() never checks it. So if the proto token is expired, it still gets sent to Cloud Code, gets a 401, and then falls back. You could skip it upfront:

if (proto && proto.accessToken) {
  if (!proto.expirySeconds || proto.expirySeconds > Math.floor(Date.now() / 1000)) {
    tokens.push(proto.accessToken)
  }
}

Saves one unnecessary HTTP round-trip when the token is known-expired. Not blocking — just a free perf win.

@validatedev

Copy link
Copy Markdown
Collaborator Author

@robinebers thanks for the valuable feedback. Yes I missed that opportunity of that optimization. Fixing it!

- Updated the authentication logic to skip expired proto tokens based on their expiry time, ensuring that only valid tokens are used.
- Added a test case to verify that the system falls back to the next available token when the proto token is expired.
@validatedev

Copy link
Copy Markdown
Collaborator Author

All done!

@robinebers robinebers merged commit d067b1f into robinebers:main Feb 10, 2026
3 checks passed
@robinebers

Copy link
Copy Markdown
Owner

Thank you!

@validatedev validatedev deleted the feat/ag-oauth branch February 10, 2026 10:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants