WIP: Remove global state from pi-ai OAuth/API key handling

- Remove setApiKey, resolveApiKey, and global apiKeys Map from stream.ts - Rename getApiKey to getApiKeyFromEnv (only checks env vars) - Remove OAuth storage layer (storage.ts deleted) - OAuth login/refresh functions now return credentials instead of saving - getOAuthApiKey/refreshOAuthToken now take credentials as params - Add test/oauth.ts helper for ai package tests - Simplify root npm run check (single biome + tsgo pass) - Remove redundant check scripts from most packages - Add web-ui and coding-agent examples to biome/tsgo includes coding-agent still has compile errors - needs refactoring for new API
2026-04-22 03:03:42 +00:00 · 2025-12-25 01:01:03 +01:00 · 2025-12-25 01:01:03 +01:00 · 030788140a
commit 030788140a
parent d93cbf8c32
51 changed files with 646 additions and 570 deletions
--- a/packages/ai/test/oauth.ts
+++ b/packages/ai/test/oauth.ts
@ -0,0 +1,89 @@
+/**
+ * Test helper for resolving API keys from ~/.pi/agent/auth.json
+ *
+ * Supports both API key and OAuth credentials.
+ * OAuth tokens are automatically refreshed if expired and saved back to auth.json.
+ */
+
+import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { homedir } from "os";
+import { dirname, join } from "path";
+import { getOAuthApiKey } from "../src/utils/oauth/index.js";
+import type { OAuthCredentials, OAuthProvider } from "../src/utils/oauth/types.js";
+
+const AUTH_PATH = join(homedir(), ".pi", "agent", "auth.json");
+
+type ApiKeyCredential = {
+	type: "api_key";
+	key: string;
+};
+
+type OAuthCredentialEntry = {
+	type: "oauth";
+} & OAuthCredentials;
+
+type AuthCredential = ApiKeyCredential | OAuthCredentialEntry;
+
+type AuthStorage = Record<string, AuthCredential>;
+
+function loadAuthStorage(): AuthStorage {
+	if (!existsSync(AUTH_PATH)) {
+		return {};
+	}
+	try {
+		const content = readFileSync(AUTH_PATH, "utf-8");
+		return JSON.parse(content);
+	} catch {
+		return {};
+	}
+}
+
+function saveAuthStorage(storage: AuthStorage): void {
+	const configDir = dirname(AUTH_PATH);
+	if (!existsSync(configDir)) {
+		mkdirSync(configDir, { recursive: true, mode: 0o700 });
+	}
+	writeFileSync(AUTH_PATH, JSON.stringify(storage, null, 2), "utf-8");
+	chmodSync(AUTH_PATH, 0o600);
+}
+
+/**
+ * Resolve API key for a provider from ~/.pi/agent/auth.json
+ *
+ * For API key credentials, returns the key directly.
+ * For OAuth credentials, returns the access token (refreshing if expired and saving back).
+ *
+ * For google-gemini-cli and google-antigravity, returns JSON-encoded { token, projectId }
+ */
+export async function resolveApiKey(provider: string): Promise<string | undefined> {
+	const storage = loadAuthStorage();
+	const entry = storage[provider];
+
+	if (!entry) return undefined;
+
+	if (entry.type === "api_key") {
+		return entry.key;
+	}
+
+	if (entry.type === "oauth") {
+		// Build OAuthCredentials record for getOAuthApiKey
+		const oauthCredentials: Record<string, OAuthCredentials> = {};
+		for (const [key, value] of Object.entries(storage)) {
+			if (value.type === "oauth") {
+				const { type: _, ...creds } = value;
+				oauthCredentials[key] = creds;
+			}
+		}
+
+		const result = await getOAuthApiKey(provider as OAuthProvider, oauthCredentials);
+		if (!result) return undefined;
+
+		// Save refreshed credentials back to auth.json
+		storage[provider] = { type: "oauth", ...result.newCredentials };
+		saveAuthStorage(storage);
+
+		return result.apiKey;
+	}
+
+	return undefined;
+}