KooshaPari · KooshaPari · Apr 25, 2026 · Apr 25, 2026 · gemini-code-assist · Apr 25, 2026
@@ -0,0 +1,164 @@
+package kiro
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+
+	"github.com/google/uuid"
+)
+
+// Constants used across the kiro auth package for AWS CodeWhisperer
+// runtime endpoint construction.
+const (
+	DefaultKiroRegion       = "us-east-1"
+	pathGetUsageLimits      = "getUsageLimits"
+	pathListAvailableModels = "listAvailableModels"
+)
+
+// ProfileARN is a parsed representation of an AWS CodeWhisperer profile ARN.
+type ProfileARN struct {
+	Raw          string
+	Partition    string
+	Service      string
+	Region       string
+	AccountID    string
+	ResourceType string
+	ResourceID   string
+}
+
+// ParseProfileARN parses a profile ARN of the form:
+//
+//	arn:<partition>:codewhisperer:<region>:<account-id>:<resourceType>/<resourceID>
+//
+// Returns nil if the ARN is malformed or not for CodeWhisperer.
+func ParseProfileARN(arn string) *ProfileARN {
+	if arn == "" {
+		return nil
+	}
+	parts := strings.Split(arn, ":")
+	if len(parts) < 6 || parts[0] != "arn" || parts[1] == "" || parts[2] != "codewhisperer" {
+		return nil
+	}
+	region := strings.TrimSpace(parts[3])
+	if region == "" || !strings.Contains(region, "-") {
+		return nil
+	}
+	resource := strings.Join(parts[5:], ":")
+	resourceType := resource
+	resourceID := ""
+	if idx := strings.Index(resource, "/"); idx > 0 {
+		resourceType = resource[:idx]
+		resourceID = resource[idx+1:]
+	}
+	return &ProfileARN{
+		Raw:          arn,
+		Partition:    parts[1],
+		Service:      parts[2],
+		Region:       region,
+		AccountID:    parts[4],
+		ResourceType: resourceType,
+		ResourceID:   resourceID,
+	}
+}
+
+// ExtractRegionFromProfileArn returns the region embedded in a CodeWhisperer
+// profile ARN, or "" if the ARN is unparseable.
+func ExtractRegionFromProfileArn(profileArn string) string {
+	parsed := ParseProfileARN(profileArn)
+	if parsed == nil {
+		return ""
+	}
+	return parsed.Region
+}
+
+// GetKiroAPIEndpoint returns the Q runtime endpoint for the given AWS region,
+// falling back to DefaultKiroRegion when region is empty.
+func GetKiroAPIEndpoint(region string) string {
+	if region == "" {
+		region = DefaultKiroRegion
+	}
+	return "https://q." + region + ".amazonaws.com"
+}
+
+// buildURL composes a runtime URL from endpoint, path, and optional query
+// parameters. Empty parameter values are skipped.
+func buildURL(endpoint, path string, queryParams map[string]string) string {
+	fullURL := fmt.Sprintf("%s/%s", endpoint, path)
+	if len(queryParams) == 0 {
+		return fullURL
+	}
+	values := url.Values{}
+	for key, value := range queryParams {
+		if strings.TrimSpace(value) == "" {
+			continue
+		}
+		values.Set(key, value)
+	}
+	if encoded := values.Encode(); encoded != "" {
+		fullURL += "?" + encoded
+	}
+	return fullURL
+}
+
+// GenerateAccountKey derives a stable short hash from a seed string,
+// suitable for use as a per-account cache key.
+func GenerateAccountKey(seed string) string {
+	hash := sha256.Sum256([]byte(seed))
+	return hex.EncodeToString(hash[:8])
+}
+
+// GetAccountKey produces a stable account key derived from clientID
+// (preferred) or refreshToken; falls back to a UUID if both are empty.
+func GetAccountKey(clientID, refreshToken string) string {
+	if clientID != "" {
+		return GenerateAccountKey(clientID)
+	}
+	if refreshToken != "" {
+		return GenerateAccountKey(refreshToken)
+	}
+	return GenerateAccountKey(uuid.New().String())
+}
+
+// Process-wide FingerprintManager singleton. Created on first use.
+var (
+	globalFingerprintManager     *FingerprintManager
+	globalFingerprintManagerOnce sync.Once
+)
+
+// GetGlobalFingerprintManager returns the process-wide FingerprintManager,
+// initializing it on first call.
+func GetGlobalFingerprintManager() *FingerprintManager {
+	globalFingerprintManagerOnce.Do(func() {
+		globalFingerprintManager = NewFingerprintManager()
+	})
+	return globalFingerprintManager
+}
+
+// setRuntimeHeaders applies the Authorization, user-agent, and AWS SDK
+// invocation headers to req using the per-account fingerprint.
+func setRuntimeHeaders(req *http.Request, accessToken string, accountKey string) {
+	fp := GetGlobalFingerprintManager().GetFingerprint(accountKey)
+	req.Header.Set("Authorization", "Bearer "+accessToken)
+	req.Header.Set("x-amz-user-agent", fp.BuildAmzUserAgent())
+	req.Header.Set("User-Agent", fp.BuildUserAgent())
+	req.Header.Set("amz-sdk-invocation-id", uuid.New().String())
+	req.Header.Set("amz-sdk-request", "attempt=1; max=1")
+}
+
+// FetchProfileArn is the exported wrapper around the internal sso_oidc.go
+// fetchProfileArn helper. It delegates to the unexported method so callers
+// outside this file (such as oauth_web.go) can resolve a profile ARN
+// without exposing transport details. clientID and refreshToken are
+// accepted for forward compatibility (per-account fingerprinting) but
+// the underlying API call only requires the access token.
+func (c *SSOOIDCClient) FetchProfileArn(ctx context.Context, accessToken, clientID, refreshToken string) string {
+	_ = clientID
+	_ = refreshToken
+	return c.fetchProfileArn(ctx, accessToken)
+}
@@ -200,6 +200,9 @@ type RemoteManagement struct {
 	SecretKey string `yaml:"secret-key"`
 	// DisableControlPanel skips serving and syncing the bundled management UI when true.
 	DisableControlPanel bool `yaml:"disable-control-panel"`
+	// DisableAutoUpdatePanel skips the periodic auto-update of the bundled
+	// management UI asset while still serving the control panel itself.
+	DisableAutoUpdatePanel bool `yaml:"disable-auto-update-panel"`
 	// PanelGitHubRepository overrides the GitHub repository used to fetch the management panel asset.
 	// Accepts either a repository URL (https://github.com/org/repo) or an API releases endpoint.
 	PanelGitHubRepository string `yaml:"panel-github-repository"`

@@ -13,11 +13,12 @@ import (
 	"time"
 
 	"github.com/go-git/go-git/v6"
+	gitclient "github.com/go-git/go-git/v6/plumbing/client"
 	"github.com/go-git/go-git/v6/config"
 	"github.com/go-git/go-git/v6/plumbing"
 	"github.com/go-git/go-git/v6/plumbing/object"
 	"github.com/go-git/go-git/v6/plumbing/transport"
-	"github.com/go-git/go-git/v6/plumbing/transport/http"
+	githttp "github.com/go-git/go-git/v6/plumbing/transport/http"
 	cliproxyauth "github.com/kooshapari/CLIProxyAPI/v7/sdk/cliproxy/auth"
 )
 
@@ -120,7 +121,7 @@ func (s *GitTokenStore) EnsureRepository() error {
 			s.dirLock.Unlock()
 			return fmt.Errorf("git token store: create repo dir: %w", errMk)
 		}
-		if _, errClone := git.PlainClone(repoDir, &git.CloneOptions{Auth: authMethod, URL: s.remote}); errClone != nil {
+		if _, errClone := git.PlainClone(repoDir, &git.CloneOptions{ClientOptions: authMethod, URL: s.remote}); errClone != nil {
 			if errors.Is(errClone, transport.ErrEmptyRemoteRepository) {
 				_ = os.RemoveAll(gitDir)
 				repo, errInit := git.PlainInit(repoDir, false)
@@ -176,7 +177,7 @@ func (s *GitTokenStore) EnsureRepository() error {
 			s.dirLock.Unlock()
 			return fmt.Errorf("git token store: worktree: %w", errWorktree)
 		}
-		if errPull := worktree.Pull(&git.PullOptions{Auth: authMethod, RemoteName: "origin"}); errPull != nil {
+		if errPull := worktree.Pull(&git.PullOptions{ClientOptions: authMethod, RemoteName: "origin"}); errPull != nil {
 			switch {
 			case errors.Is(errPull, git.NoErrAlreadyUpToDate),
 				errors.Is(errPull, git.ErrUnstagedChanges),
@@ -538,15 +539,19 @@ func (s *GitTokenStore) repoDirSnapshot() string {
 	return s.repoDir
 }
 
-func (s *GitTokenStore) gitAuth() transport.AuthMethod {
+// gitAuth returns transport client options carrying HTTP basic auth derived
+// from the configured username/password, or nil when no credentials are set.
+func (s *GitTokenStore) gitAuth() []gitclient.Option {
 	if s.username == "" && s.password == "" {
 		return nil
 	}
 	user := s.username
 	if user == "" {
 		user = "git"
 	}
-	return &http.BasicAuth{Username: user, Password: s.password}
+	return []gitclient.Option{
+		gitclient.WithHTTPAuth(&githttp.BasicAuth{Username: user, Password: s.password}),
+	}
 }
 
 func (s *GitTokenStore) relativeToRepo(path string) (string, error) {
@@ -637,7 +642,7 @@ func (s *GitTokenStore) commitAndPushLocked(message string, relPaths ...string)
 		return errRewrite
 	}
 	s.maybeRunGC(repo)
-	if err = repo.Push(&git.PushOptions{Auth: s.gitAuth(), Force: true}); err != nil {
+	if err = repo.Push(&git.PushOptions{ClientOptions: s.gitAuth(), Force: true}); err != nil {
 		if errors.Is(err, git.NoErrAlreadyUpToDate) {
 			return nil
 		}

@@ -7,8 +7,6 @@
 package codex
 
 import (
-	"strings"
-
 	"github.com/kooshapari/CLIProxyAPI/v7/pkg/llmproxy/registry"
 	"github.com/kooshapari/CLIProxyAPI/v7/pkg/llmproxy/thinking"
 	"github.com/tidwall/gjson"

@@ -56,7 +56,7 @@ func ConvertClaudeRequestToAntigravity(modelName string, inputRawJSON []byte, _
 					continue
 				}
 				partJSON := `{}`
-				partJSON, _ = sjson.SetBytesM(partJSON, "text", systemPrompt)
+				partJSON, _ = sjson.SetBytes(partJSON, "text", systemPrompt)
-				partJSON, _ = sjson.SetBytes(partJSON, "text", systemPrompt)
+				partJSON, _ = sjson.Set(partJSON, "text", systemPrompt)
-				partJSON, _ = sjson.SetBytes(partJSON, "text", systemPrompt)
+				partJSON, _ = sjson.Set(partJSON, "text", systemPrompt)
 				systemInstructionJSON, _ = sjson.SetRaw(systemInstructionJSON, "parts.-1", partJSON)
 				hasSystemInstruction = true
 			}
@@ -65,7 +65,7 @@ func ConvertClaudeRequestToAntigravity(modelName string, inputRawJSON []byte, _
 		systemPrompt := strings.TrimSpace(systemResult.String())
 		if systemPrompt != "" {
 			systemInstructionJSON = `{"role":"user","parts":[{"text":""}]}`
-			systemInstructionJSON, _ = sjson.SetBytesM(systemInstructionJSON, "parts.0.text", systemPrompt)
+			systemInstructionJSON, _ = sjson.SetBytes(systemInstructionJSON, "parts.0.text", systemPrompt)
 			hasSystemInstruction = true
 		}
 	}
@@ -380,7 +380,7 @@ func ConvertClaudeRequestToAntigravity(modelName string, inputRawJSON []byte, _
 					continue
 				}
 				partJSON := `{}`
-				partJSON, _ = sjson.SetBytesM(partJSON, "text", prompt)
+				partJSON, _ = sjson.SetBytes(partJSON, "text", prompt)
 				clientContentJSON, _ = sjson.SetRaw(clientContentJSON, "parts.-1", partJSON)
 				contentsJSON, _ = sjson.SetRaw(contentsJSON, "-1", clientContentJSON)
 				hasContents = true
@@ -526,7 +526,7 @@ func ConvertClaudeRequestToAntigravity(modelName string, inputRawJSON []byte, _
 				maxTokens = limit
 			}
 		}
-		out, _ = sjson.SetBytesM(out, "request.generationConfig.maxOutputTokens", maxTokens)
+		out, _ = sjson.SetBytes(out, "request.generationConfig.maxOutputTokens", maxTokens)
 	}
 
 	out = common.AttachDefaultSafetySettings(out, "request.safetySettings")

@@ -103,7 +103,7 @@ func ConvertAntigravityResponseToOpenAI(_ context.Context, _ string, originalReq
 		}
 		promptTokenCount := usageResult.Get("promptTokenCount").Int() - cachedTokenCount
 		thoughtsTokenCount := usageResult.Get("thoughtsTokenCount").Int()
-		template, _ = sjson.SetBytesM(template, "usage.prompt_tokens", promptTokenCount+thoughtsTokenCount)
+		template, _ = sjson.SetBytes(template, "usage.prompt_tokens", promptTokenCount+thoughtsTokenCount)
 		if thoughtsTokenCount > 0 {
 			template, _ = sjson.SetBytes(template, "usage.completion_tokens_details.reasoning_tokens", thoughtsTokenCount)
 		}

@@ -14,6 +14,7 @@ import (
 	"strings"
 
 	"github.com/google/uuid"
+	"github.com/kooshapari/CLIProxyAPI/v7/pkg/llmproxy/registry"
 	"github.com/kooshapari/CLIProxyAPI/v7/pkg/llmproxy/thinking"
 	"github.com/kooshapari/CLIProxyAPI/v7/pkg/llmproxy/util"
 	"github.com/tidwall/gjson"