ivUdZddlmZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlZddlmZddlmZddlmZmZmZmZddlmZe jeZ dZ!d Z"d Z#d Z$d Z%e#d e$dZ&de%Z'ddl(Z)ddl*m+Z+e)j,dZ-e)j,dZ.e)j,dZ/e)j,dZ0dZ1dZ2dZ3dZ4dZ5dZ6dZ7dZ8dZ9dZ:dZ;d Z<Gd!d"e=Z>dsd%Z?dsd&Z@e jAZBejCe;fdtd)ZDiZEd*eFd+<dud-ZGdvd/ZHdwd1ZIdwd2ZJdwd3ZKdvd4ZLeGd5d6ZMeGd7d8ZNdxd:ZOdyd<ZPdzd>ZQd{dCZRdde9dDd|dKZSdde9dDd}dMZTe9fd~dOZUiZVdPeFdQ<e jWZXdRdSddVZYdddZZZGd[d\ej[j\Z]d]Z^d^Z_e5fddbZ`ddcZadRdde:dWdeddiZbddlZcddmZddWdnddpZeddqZfdwdrZgdS)uxGoogle OAuth PKCE flow for the Gemini (google-gemini-cli) inference provider. This module implements Authorization Code + PKCE (S256) OAuth against Google's accounts.google.com endpoints. The resulting access token is used by ``agent.gemini_cloudcode_adapter`` to talk to ``cloudcode-pa.googleapis.com`` (Google's Code Assist backend that powers the Gemini CLI's free and paid tiers). Synthesized from: - jenslys/opencode-gemini-auth (MIT) — overall flow shape, public OAuth creds, request format - clawdbot/extensions/google/ — refresh-token rotation, VPC-SC handling reference - PRs #10176 (@sliverp) and #10779 (@newarthur) — PKCE module structure, cross-process lock Storage (``~/.hermes/auth/google_oauth.json``, chmod 0o600): { "refresh": "refreshToken|projectId|managedProjectId", "access": "...", "expires": 1744848000000, // unix MILLIseconds "email": "user@example.com" } The ``refresh`` field packs the refresh_token together with the resolved GCP project IDs so subsequent sessions don't need to re-discover the project. This matches opencode-gemini-auth's storage contract exactly. The packed format stays parseable even if no project IDs are present — just a bare refresh_token is treated as "packed with empty IDs". Public client credentials ------------------------- The client_id and client_secret below are Google's PUBLIC desktop OAuth client for their own open-source gemini-cli. They are baked into every copy of the gemini-cli npm package and are NOT confidential — desktop OAuth clients have no secret-keeping requirement (PKCE provides the security). Shipping them here is consistent with opencode-gemini-auth and the official Google gemini-cli. Policy note: Google considers using this OAuth client with third-party software a policy violation. Users see an upfront warning with ``confirm(default=False)`` before authorization begins. ) annotationsN) dataclass)Path)AnyDictOptionalTupleget_hermes_homeHERMES_GEMINI_CLIENT_IDHERMES_GEMINI_CLIENT_SECRET 681255809395 oo8ft2oprdrnp9e3aqf6av3hmdib135jz4uHgMPm-1o7Sk-geV6Cu5clXFsxl-z.apps.googleusercontent.comzGOCSPX-)atomic_replacezPOAUTH_CLIENT_ID\s*=\s*['\"]([0-9]+-[a-z0-9]+\.apps\.googleusercontent\.com)['\"]z;OAUTH_CLIENT_SECRET\s*=\s*['\"](GOCSPX-[A-Za-z0-9_-]+)['\"]z7([0-9]{8,}-[a-z0-9]{20,}\.apps\.googleusercontent\.com)z(GOCSPX-[A-Za-z0-9_-]{20,})z,https://accounts.google.com/o/oauth2/v2/authz#https://oauth2.googleapis.com/tokenz-https://www.googleapis.com/oauth2/v1/userinfozhttps://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profileiz 127.0.0.1z/oauth2callback<g4@i,g>@)SSH_CONNECTION SSH_CLIENTSSH_TTYHERMES_HEADLESSc*eZdZdZddd fd ZxZS) GoogleOAuthErrorz0Raised for any failure in the Google OAuth flow.google_oauth_errorcodemessagestrrreturnNonecXt|||_dSN)super__init__r)selfrr __class__s 7/home/ubuntu/.hermes/hermes-agent/agent/google_oauth.pyr#zGoogleOAuthError.__init__s& !!! )rrrrrr)__name__ __module__ __qualname____doc__r# __classcell__)r%s@r&rrsP::4Hr'rrrc*tdz dz S)Nauthzgoogle_oauth.jsonr r'r&_credentials_pathr0s   v %(; ;;r'cDtdS)Nz .json.lock)r0 with_suffixr/r'r& _lock_pathr3s    * *< 8 88r'timeout_secondsfloatc#Kttdd}|dkrF|dzt_ dVtxjdzc_n#txjdzc_wxYwdSt}|jddt jt|t j t j zd}d} ddl }n#t$rd}YnwxYw|tjtd t!|z} |||j|jzd}nO#t($rAtj|krt+d |d tjd YnwxYwvn ddl}tjtd t!|z} |||jdd}nO#t4$rAtj|krt+d |d tjd YnwxYwon#t$rd}YnwxYwdt_dV |ru ddl }|||jnT#t$rG ddl} |||jdn#t4$rYnwxYwn#t$rYnwxYwYnwxYwt j|dt_dS#t j|dt_wxYw# |ru ddl }|||jnT#t$rG ddl} |||jdn#t4$rYnwxYwn#t$rYnwxYwYnwxYwt j|dt_n%#t j|dt_wxYwwxYw) zNCross-process lock around the credentials file (fcntl POSIX / msvcrt Windows).depthrNTparentsexist_okiFgz5Timed out acquiring Google OAuth credentials lock at .g?)getattr _lock_stater7r3parentmkdirosopenrO_CREATO_RDWRfcntl ImportErrortime monotonicmaxr5flockLOCK_EXLOCK_NBBlockingIOError TimeoutErrorsleepmsvcrtlockingLK_NBLCKOSErrorLOCK_UNLK_UNLCKclose)r4r7lock_file_pathfdacquiredrEdeadlinerPs r&_credentials_lockr[s K! , ,E qyy!AI  # EEE    "   K   "      \\Nt<<< ^$$bj29&++c#u_7M7M.N.NN ) )r6?A>>>#'")))>++x77". iXf i i i## 4((((( ) )       "   LLLKKEM2222"   % !"NN2vBBBB&!!! D!&  HRLLL !K    HRLLL !K  ! ! ! !% "   LLLKKEM2222"   % !"NN2vBBBB&!!! D!&  HRLLL !K   HRLLL !K  ! ! ! ! ! ! ! !sA A  CL C!L C!!7L%D?>L?AF L F  L6H6G&%H6&AH1.H60H11H65L6 ILILK2I<;K2< K J: J)(J:) J63J:5J66J:9K : KK KK  K2 K  K22"LON1L<;N1< N M: M)(M:) M6 3M:5M6 6M:9N : N N N N  N1 N  N1!O1"OODict[str, str]_scraped_creds_cacheOptional[Path]cddl}|d}|sdS t|}n#t$rYdSwxYwg}|j}t dD]b}|||dz r ||dz dz dz n|j|krn|j}c|D]}|s|dz d z d z d z |dz d z d z |d z d z d z g}|D]}|r|ccS | d D]} | ccSx#ttf$rYwxYwdS) aWalk the user's gemini binary install to find its oauth2.js. Returns None if gemini isn't installed. Supports both the npm install (``node_modules/@google/gemini-cli-core/dist/**/code_assist/oauth2.js``) and the Homebrew ``bundle/`` layout. rNgemini node_modulesz@googlezgemini-cli-coredistsrc code_assistz oauth2.js) shutilwhichrresolverSr?rangeappendexistsrglob ValueError) rfr`real search_dirscur_root candidatescpaths r&_locate_gemini_cli_oauth_jsrvsMMM \\( # #F tF||##%% tt!K +C 1XX3 . ( ( * *    s^3i?BSS T T T E :   Ej{{}}   6ME !M 1K ? 6MM )K 7 5L= (; 6   Axxzz    ;//    $    H  4s#!A AA)EEETuple[str, str]c:tdr6tddtddfSt}| dtd<dS |dd }n>#t$r1}t d ||dtd<Yd}~dSd}~wwxYwt|pt|}t|pt|}|r| d nd}|r| d nd}|td<|td<dtd<|rt d |||fS)zDExtract client_id + client_secret from the local gemini-cli install.resolved client_id client_secretN1r{r{utf-8replace)encodingerrorsz"Failed to read oauth2.js at %s: %sr8z#Scraped Gemini OAuth client from %s)r]getrv read_textrSloggerdebug_CLIENT_ID_PATTERNsearch_CLIENT_ID_SHAPE_CLIENT_SECRET_PATTERN_CLIENT_SECRET_SHAPEgroupinfo)oauth_jscontentexc cid_matchcs_matchrzr|s r&_scrape_client_credentialsr0s ++h#'' R88:N:R:RSbdf:g:ggg*,,H+.Z(v$$gi$HH  98SIII+.Z(vvvvv #))'22V6F6M6Mg6V6VI%,,W55]9M9T9TU\9]9]H&/7 """RI)19HNN1%%%rM(1%,9)'*$E 98DDD m ##s.B C&B<<Crctjtpd}|r|StrtSt \}}|SNr{)rAgetenv ENV_CLIENT_IDstrip_DEFAULT_CLIENT_IDr)env_valscrapedrqs r&_get_client_idrRsQy''-24466G"!!+--JGQ Nr'ctjtpd}|r|StrtSt \}}|Sr)rArENV_CLIENT_SECRETr_DEFAULT_CLIENT_SECRETr)rrqrs r&_get_client_secretr\sRy*++1r88::G&%%+--JAw Nr'cHt}|stdd|S)NaGoogle OAuth client ID is not available. Hermes looks for a locally installed gemini-cli to source the OAuth client. Either: 1. Install it: npm install -g @google/gemini-cli (or brew install gemini-cli) 2. Set HERMES_GEMINI_CLIENT_ID and HERMES_GEMINI_CLIENT_SECRET in ~/.hermes/.env Register a Desktop OAuth client at: https://console.cloud.google.com/apis/credentials (enable the Generative Language API on the project).google_oauth_client_id_missingr)rr)cids r&_require_client_idrfs>   C    C2     Jr'ctjd}tj|d}t j|d d}||fS)z1Generate a (verifier, challenge) pair using S256.@ascii=) secrets token_urlsafehashlibsha256encodedigestbase64urlsafe_b64encoderstripdecode)verifierr challenges r&_generate_pkce_pairr|sp$R((H ^HOOG44 5 5 < < > >F(0077==DDWMMI Y r'cVeZdZUded<dZded<dZded<ed d Zd d Zd S) RefreshPartsr refresh_tokenr{ project_idmanaged_project_idpackedr'RefreshParts'c|s |dS|dd}||dt|dkr|dndt|dkr|dndS)Nr{)r|rr8rrr)splitlen)clsrpartss r&parsezRefreshParts.parses )3R((( ( S!$$s(#&u::>>uQxxr+.u::>>uQxxr    r'cp|jsdS|js|js|jS|jd|jd|jS)Nr{rrr$s r&formatzRefreshParts.formatsS! 2 &t'> &% %$RRtRR9PRRRr'N)rrrrrr) r(r)r*__annotations__rr classmethodrrr/r'r&rrs}J        [ SSSSSSr'rceZdZUded<ded<ded<dZded<dZded<dZded <dd ZeddZ ddZ e fddZ dS)GoogleCredentialsr access_tokenrint expires_msr{emailrrrDict[str, Any]ct|j|j|j|jt |j|jdS)Nr)refreshaccessexpiresr) rrrrrrrrrrs r&to_dictzGoogleCredentials.to_dictsW#"0?#'#:fhh'4?++Z   r'data'GoogleCredentials'c t|ddpd}t|}|t|ddpd|jt |ddpdt|ddpd|j|jS)Nrr{rrrrrrrrrr)rrrrrrrr)rrrefresh_packedrs r& from_dictzGoogleCredentials.from_dictsTXXi44:;;"">22sTXXh339r::-488Iq116Q77dhhw++1r22'$7     r'r5c|jdz S)Ng@@)rrs r&expires_unix_secondsz&GoogleCredentials.expires_unix_secondss''r' skew_secondsboolc|jr|jsdStjtd|zdz|jkS)NTr)rrrGrI)r$rs r&access_token_expiredz&GoogleCredentials.access_token_expiredsB   4 c!\222d:doMMr'Nrr)rrrr)rr5)rrrr) r(r)r*rrrrrrrrREFRESH_SKEW_SECONDSrr/r'r&rrsOOOEOOOOJ              [  ((((8LNNNNNNNr'rOptional[GoogleCredentials]ct}|sdS t5|d}dddn #1swxYwYt j|}nF#tjttf$r'}t d||Yd}~dSd}~wwxYwt|tsdSt|}|jsdS|S)z?Load credentials from disk. Returns None if missing or corrupt.Nrrz1Failed to read Google OAuth credentials at %s: %s)r0rkr[rjsonloadsJSONDecodeErrorrSIOErrorrwarning isinstancedictrrr)rurawrrcredss r&load_credentialsrs9   D ;;==t   3 3..'.22C 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3z#  '7 3JDRUVVVttttt dD ! !t  ' ' - -E  t Ls:A7A A7AA7AA77B:B55B:rc t}|jddtj|dddz}t 5|dtj dtj d} t|d d 5}| ||tj|d d d n #1swxYwYtj|t$jt$jzt+|| |r|nO#t0$rYnCwxYw# |r|ww#t0$rYwwxYwxYwd d d n #1swxYwY|S) z6Atomically write creds to disk with 0o600 permissions.Tr9r)indent sort_keys z.tmp.r<wrrN)r0r?r@rdumpsrr[r2rAgetpidr token_hexrBwriteflushfsyncfilenochmodstatS_IRUSRS_IWUSRrrkunlinkrS)rrupayloadtmp_pathfhs r&save_credentialsr sS   DKdT222jdCCCdJG   ##$PBIKK$P$P':KA:N:N$P$PQQ hg666 &"!!! %%% & & & & & & & & & & & & & & & HXt|dl: ; ; ; 8T * * * ??$$&OO%%%     ??$$&OO%%%%&     Ks%?G%F7AD FD FD ?F(FG FGFGG(G>G G G G GGG#&G#rct}t5 |n>#t$rYn2t$r&}t d||Yd}~nd}~wwxYwddddS#1swxYwYdS)z"Remove the creds file. Idempotent.z3Failed to remove Google OAuth credentials at %s: %sN)r0r[rFileNotFoundErrorrSrr)rurs r&clear_credentialsr s   D   ]] ] KKMMMM     D ] ] ] NNPRVX[ \ \ \ \ \ \ \ \ ] ]]]]]]]]]]]]]]]]]]sBA?4A? A/A? A/ A*%A?*A//A??BBurlrtimeoutrc*tj|d}tj||dddd} tj||5}|dd }tj |cd d d S#1swxYwYd S#tj j $r}d } |dd }n#t$rYnwxYwd } d|vrd} td|jd|p|j| |d }~wtj j$r}td|d|d }~wwxYw)z;POST x-www-form-urlencoded and return parsed JSON response.rPOSTz!application/x-www-form-urlencodedzapplication/json) Content-TypeAccept)rmethodheadersrrrrNr{google_oauth_token_http_error invalid_grantgoogle_oauth_invalid_grantz*Google OAuth token endpoint returned HTTP z: rz#Google OAuth token request failed: google_oauth_token_network_error)urllibr urlencoderrequestRequesturlopenreadrrrerror HTTPError ExceptionlowerrrreasonURLError) r rrbodyrresponserrdetailrs r& _post_formr*s < ! !$ ' ' . .w 7 7Dn$$ ?(  %G ^ # #GW # = = #--//(((CCC:c?? # # # # # # # # # # # # # # # # # # < !    XXZZ&&wy&AAFF    D / fllnn , ,/D [ [ [VEYsz [ [     <  7# 7 73    sm!C;=C8 CC  C C  CF&E!))DE! D E!D  AE!!F8F  F)rzr|rrr redirect_urirz Optional[str]r|c||n t}||n t}d||||d}|r||d<tt||S)z8Exchange authorization code for access + refresh tokens.Nauthorization_code) grant_typer code_verifierrzr+r|)rrr*TOKEN_ENDPOINT) rrr+rzr|rrcsecretrs r& exchange_coder35sn!,)).2B2BC,8mm>P>R>RG*!$   D( '_ ndG 4 44r'rc|stdd||n t}||n t}d||d}|r||d<tt||S)zRefresh the access token.z;Cannot refresh: refresh_token is empty. Re-run OAuth login."google_oauth_refresh_token_missingrNr)r/rrzr|)rrrr*r1)rrzr|rrr2rs r&refresh_access_tokenr6Ms   I5    !,)).2B2BC,8mm>P>R>RG%&  D ( '_ ndG 4 44r'rc tjtdzdd|i}tj||5}|dd}d d d n #1swxYwYtj|}t| d d pd S#t$r&}t d |Yd }~d Sd }~wwxYw) zEBest-effort userinfo fetch for display. Failures return empty string.z ?alt=json AuthorizationzBearer )rrrrrNrr{z%Userinfo fetch failed (non-fatal): %s)rrrUSERINFO_ENDPOINTrr rrrrrr#rr)rrrr(rrrs r&_fetch_user_emailr:fsJ .((  +$&> &>&>?)  ^ # #GW # = = D--//(((CCC D D D D D D D D D D D D D D Dz#488GR((.B///  >DDFF]%J] ,227a88 ') c"j.A.A ATIJJ!  ' 0 0!%%b$/// 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 IIKKKK 5 ' 0 0!%%b$/// 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 IIKKKK st ?BBB-C=<J+= E AEE  D J+"J  J J + K>5K K>K! !K>$K! %K>r{rrclt}|dS|r||_|r||_t|dS)zFPersist resolved/discovered project IDs back into the credential file.N)rrrr )rrrs r&update_project_idsrQsK   E }&%6#5 Ur'c`eZdZUdZded<dZded<dZded<dZded <ddZddZ ddZ dS)_OAuthCallbackHandlerr{rexpected_stateNr, captured_codecaptured_errorzOptional[threading.Event]readyrargsrrrc0tjd|zg|RdS)NzOAuth callback: )rr)r$rrXs r& log_messagez!_OAuthCallbackHandler.log_messages& '&084888888r'ctj|j}|jtkr+|d|dStj|j}| dpdgd}| dpdgd}| dpdgd}|t|j krEdt|_ | dtd n |r|t|_ t!|d d d ddd}| dtd| nu|r0|t|_| dt&nCdt|_ | dtd t|j(t|jdSdS)Nistater{rr!rstate_mismatchiu'State mismatch — aborting for safety.)r&z&z>zAuthorization denied: no_codez(Callback received no authorization code.)rrurlparseru CALLBACK_PATH send_response end_headersparse_qsqueryrtyperTrV _respond_html _ERROR_PAGErrrrU _SUCCESS_PAGErWrG)r$parsedparamsr\r!rsafe_errs r&do_GETz_OAuthCallbackHandler.do_GETs4&&ty11 ;- ' '   s # # #       F&&v|44G$$,a0G$$,a0 6""*rdA. DJJ- - -(8DJJ %   sK$6$6?h$6$i$i j j j j  l(-DJJ %E g&&f%%f%%    sK$6$6?bX`?b?b$6$c$c d d d d  l'+DJJ $   sM 2 2 2 2(1DJJ %   sK$6$6?i$6$j$j k k k ::  ' JJ  " " " " " ( 'r'statusrr'cB|d}|||dd|dtt |||j|dS)Nrrztext/html; charset=utf-8zContent-Length)rre send_headerrrrfwfiler)r$rqr'rs r&rjz#_OAuthCallbackHandler._respond_htmls++g&& 6""" )CDDD )3s7||+<+<===  !!!!!r')rrrXrrrrr)rqrr'rrr) r(r)r*rTrrUrVrWrZrprjr/r'r&rSrSsN#'M''''$(N(((('+E++++9999!#!#!#!#F""""""r'rSuz Hermes — signed in

Signed in to Google.

You can close this tab and return to your terminal.

u Hermes — sign-in failed

Sign-in failed

{message}

Return to your terminal — Hermes will walk you through a manual paste fallback.

preferred_portr"Tuple[http.server.HTTPServer, int]c@ tjt|ft}||fS#t $r&}t d||Yd}~nd}~wwxYwtjtdft}||jdfS)NzLPreferred OAuth callback port %d unavailable (%s); requesting ephemeral portrr8) httpserver HTTPServer REDIRECT_HOSTrSrSrrserver_address)rvrzrs r&_bind_callback_serverr~#s ''(GI^__~%%     Z C         [ # #]A$68M N NF 6(+ ++s/2 A"AA"c>tdtDS)Nc3>K|]}tj|VdSr!)rAr).0ks r& z_is_headless..1s*88ry||888888r')any_HEADLESS_ENV_VARSr/r'r& _is_headlessr0s 88%7888 8 88r'T) force_relogin open_browsercallback_wait_secondsrrrrc "|s3t}|r#|jrtd|St }t }t \}}tjd} tr0|r.tdt||| |||Stt\} } dtd| t} | t_dt_dt_t'j} | t_|| dt,| |dd d d }t.d zt0j|zd z}t'j| jd}|t=t=dt=d|t=|rP ddl}| |ddn2#tB$r%}t"d|Yd}~nd}~wwxYwd} | #|r/tj}tj}|rtId|dn(tdtK} | &n#tB$rYnwxYw | 'n#tB$rYnwxYw|(dng# | &n#tB$rYnwxYw | 'n#tB$rYnwxYw|(dwxYw|stIddtS||| ||}tU||S) aRun the interactive browser OAuth flow and persist credentials. Args: force_relogin: If False and valid creds already exist, return them. open_browser: If False, skip webbrowser.open and print the URL only. callback_wait_seconds: Max seconds to wait for the browser callback. project_id: Initial GCP project ID to bake into the stored creds. Can be discovered/updated later via update_project_ids(). z9Google OAuth credentials already present; skipping login.z?Headless environment detected; using paste-mode OAuth fallback.http://:NrS256offlineconsent rzr+ response_typescoper\code_challengecode_challenge_method access_typeprompt?#hermesT)targetdaemonu,Opening your browser to sign in to Google…z,If it does not open automatically, visit: rr8)new autoraisezwebbrowser.open failed: %srzAuthorization failed: !google_oauth_authorization_failedru=Callback server timed out — offering manual paste fallback.g@z)No authorization code received. Aborting.google_oauth_no_coderzr|r)+rrrrrrrrrr_paste_mode_loginr~DEFAULT_REDIRECT_PORTr|rdrSrTrUrVrBrCrW OAUTH_SCOPES AUTH_ENDPOINTrrrThread serve_foreverstartprint webbrowserrBr#rrDr_prompt_paste_fallbackshutdown server_closejoinr3_persist_token_response)rrrrexistingrzr|rrr\rzportr+rWrnauth_url server_threadrrrr! token_resps r&start_oauth_flowr8s< #%%  -  KKS T T TO"$$I&((M-//Hi  !" % %E~~c,c UVVV 9eY Wabbb()>??LFDB]BBTB=BBL+0(*.'+/( O  E"'$#!'   Fs"V\%;%;F%C%CCiOH$F,@NNNM GGG 8999 D( D DEEE GGG< <     OOH!tO < < < < < < < LL5s ; ; ; ; ; ; ; ; <D( ::3: 4 4 ,(6D)8E &4U44<  KKW X X X)++D  OO        D      ! ! ! !    D 3''''  OO        D      ! ! ! !    D 3''''   7'     h =J #:* E E EEsG-- H7HH"A-K2J%% J21J26K KK2M4L M LMLML/.M/ L<9M;L<<Mrr\c dtdtt}||dt||dddd }tdzt j|zd z}ttd td |ttd td tt} | stddt| ||||} t| |S)z/Run OAuth flow without a local callback server.rrrrrrrrrz)Open this URL in a browser on any device:z zGAfter signing in, Google will redirect to localhost (which won't load).z7Copy the full URL from your browser and paste it below.zNo authorization code provided.rrrr) r|rrdrrrrrrrrr3r) rrr\rzr|rr+rnrrrs r&rrs'T]SS-BSMSSL$#!'   Fs"V\%;%;F%C%CCiOH GGG 5666 /x// GGG STTT CDDD GGG ! # #D _@G]^^^^ h =J #:* E E EEr'c\ttdtd}|sdS|ds|drctj|}tj|j}| dpdgdpdS|drGtj|d d}| dpdgdpdS|S) NzSPaste the full redirect URL Google showed you, OR just the 'code=' parameter value.zCallback URL or code: rzhttps://rr{rrr8) rinputr startswithrrrcrgrhr)rrmrns r&rrs GGG _``` ( ) ) / / 1 1C t ~~i  7CNN:$>$>7&&s++&&v|44 6""*rdA.6$6 ~~c7&&s122w// 6""*rdA.6$6 Jr'rrc jt|ddpd}t|ddpd}t|ddpd}|r|st ddt ||tt jtd |zd zt||d }t|t d t|S) Nrr{rr@rz 4 0 0 0E*,)&   r'cldD]0}tj|pd}|r|cS1dS)z9Return a GCP project ID from env vars, in priority order.)HERMES_GEMINI_PROJECT_IDGOOGLE_CLOUD_PROJECTGOOGLE_CLOUD_PROJECT_IDr{)rArr)varvals r&resolve_project_id_from_envrsN y~~#**,,  JJJ  2r')rr)r4r5)rr^)rrwr)rr)rrrrru)r rrr\rr5rr)rrrrr+rrzr,r|r,rr5rr) rrrzr,r|r,rr5rr)rrrr5rr)r<rrrr~)rrrrrr)rvrrrw)rr) rrrrrr5rrrr)rrrrr\rrzrr|rrrrr)rr,)rrrrrrr)hr+ __future__rr contextlibr http.serverryrloggingrArrrBrG urllib.errorr urllib.parseurllib.request dataclassesrpathlibrtypingrrrr hermes_constantsr getLoggerr(rrr_PUBLIC_CLIENT_ID_PROJECT_NUM_PUBLIC_CLIENT_ID_HASH_PUBLIC_CLIENT_SECRET_SUFFIXrrre_reutilsrcompilerrrrrr1r9rrr|rdrTOKEN_REQUEST_TIMEOUT_SECONDSCALLBACK_WAIT_SECONDSrEr RuntimeErrorrr0r3localr>contextmanagerr[r]rrvrrrrrrrrr r r*r3r6r:r;LockrArOrQrzBaseHTTPRequestHandlerrSrlrkr~rrrrrrrr/r'r&rs<'''R#"""""     !!!!!!------------,,,,,,  8 $ $"* 1 !/;=%""'="""B#?AA  S[W%B3;YZZ"s{#ABB? 6C7  !  $T|<<<<9999io  /CJ"J"J"J"J"b(*))))1111h$$$$D, SSSSSSS S8 'N'N'N'N'N'N'N 'N\(0 ] ] ] ] """"T $#'25555556 $#'2 5555552;X     (132222'))5:DDDDDDV      2"2"2"2"2"DK>2"2"2"j  1F , , , , ,9999 #8 iFiFiFiFiFiFX(F(F(F(FV(<          r'