feat: add TypeScript types and modularize translator registry

- Add type annotations to all providerModels helper functions
- Introduce LegacyProvider interface in providerRegistry
- Refactor translator system to use self-registering module pattern
  with bootstrapTranslatorRegistry() and per-file imports
- Simplify translator/index.ts by delegating to modular translators
- Remove hardcoded Gemini OAuth client secret for security

Author: diegosouzapw

open-sse/config/providerModels.ts

@@ -1,4 +1,4 @@
-import { generateModels, generateAliasMap } from "./providerRegistry.ts";
+import { generateModels, generateAliasMap, type RegistryModel } from "./providerRegistry.ts";
 
 // Provider models - Generated from providerRegistry.js (single source of truth)
 export const PROVIDER_MODELS = generateModels();
@@ -7,37 +7,41 @@ export const PROVIDER_MODELS = generateModels();
 export const PROVIDER_ID_TO_ALIAS = generateAliasMap();
 
 // Helper functions
-export function getProviderModels(aliasOrId) {
+export function getProviderModels(aliasOrId: string): RegistryModel[] {
   return PROVIDER_MODELS[aliasOrId] || [];
 }
 
-export function getDefaultModel(aliasOrId) {
+export function getDefaultModel(aliasOrId: string): string | null {
   const models = PROVIDER_MODELS[aliasOrId];
   return models?.[0]?.id || null;
 }
 
-export function isValidModel(aliasOrId, modelId, passthroughProviders = new Set()) {
+export function isValidModel(
+  aliasOrId: string,
+  modelId: string,
+  passthroughProviders = new Set<string>()
+): boolean {
   if (passthroughProviders.has(aliasOrId)) return true;
   const models = PROVIDER_MODELS[aliasOrId];
   if (!models) return false;
   return models.some((m) => m.id === modelId);
 }
 
-export function findModelName(aliasOrId, modelId) {
+export function findModelName(aliasOrId: string, modelId: string): string {
   const models = PROVIDER_MODELS[aliasOrId];
   if (!models) return modelId;
   const found = models.find((m) => m.id === modelId);
   return found?.name || modelId;
 }
 
-export function getModelTargetFormat(aliasOrId, modelId) {
+export function getModelTargetFormat(aliasOrId: string, modelId: string): string | null {
   const models = PROVIDER_MODELS[aliasOrId];
   if (!models) return null;
   const found = models.find((m) => m.id === modelId);
   return found?.targetFormat || null;
 }
 
-export function getModelsByProviderId(providerId) {
+export function getModelsByProviderId(providerId: string): RegistryModel[] {
   const alias = PROVIDER_ID_TO_ALIAS[providerId] || providerId;
   return PROVIDER_MODELS[alias] || [];
 }

open-sse/config/providerRegistry.ts

@@ -49,6 +49,21 @@ export interface RegistryEntry {
   passthroughModels?: boolean;
 }
 
+interface LegacyProvider {
+  format: string;
+  baseUrl?: string;
+  baseUrls?: string[];
+  responsesBaseUrl?: string;
+  headers?: Record<string, string>;
+  clientId?: string;
+  clientSecret?: string;
+  tokenUrl?: string;
+  refreshUrl?: string;
+  authUrl?: string;
+  chatPath?: string;
+  clientVersion?: string;
+}
+
 // ── Registry ──────────────────────────────────────────────────────────────
 
 export const REGISTRY: Record<string, RegistryEntry> = {
@@ -108,7 +123,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
       clientIdEnv: "GEMINI_OAUTH_CLIENT_ID",
       clientIdDefault: "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com",
       clientSecretEnv: "GEMINI_OAUTH_CLIENT_SECRET",
-      clientSecretDefault: "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",
+      clientSecretDefault: "",
     },
     models: [
       { id: "gemini-3.1-pro", name: "Gemini 3.1 Pro" },
@@ -137,7 +152,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
       clientIdEnv: "GEMINI_CLI_OAUTH_CLIENT_ID",
       clientIdDefault: "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com",
       clientSecretEnv: "GEMINI_CLI_OAUTH_CLIENT_SECRET",
-      clientSecretDefault: "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",
+      clientSecretDefault: "",
     },
     models: [
       { id: "gemini-3.1-pro", name: "Gemini 3.1 Pro" },
@@ -228,7 +243,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
       clientIdEnv: "IFLOW_OAUTH_CLIENT_ID",
       clientIdDefault: "10009311001",
       clientSecretEnv: "IFLOW_OAUTH_CLIENT_SECRET",
-      clientSecretDefault: "4Z3YjXycVsQvyGF1etiNlIBB4RsqSDtW",
+      clientSecretDefault: "",
       tokenUrl: "https://iflow.cn/oauth/token",
       authUrl: "https://iflow.cn/oauth",
     },
@@ -266,7 +281,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
       clientIdEnv: "ANTIGRAVITY_OAUTH_CLIENT_ID",
       clientIdDefault: "1071006060591-tmhssin2h21lcre235vtolojh4g403ep.apps.googleusercontent.com",
       clientSecretEnv: "ANTIGRAVITY_OAUTH_CLIENT_SECRET",
-      clientSecretDefault: "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",
+      clientSecretDefault: "",
     },
     models: [
       { id: "claude-opus-4-6-thinking", name: "Claude Opus 4.6 Thinking" },
@@ -844,10 +859,10 @@ export const REGISTRY: Record<string, RegistryEntry> = {
 // ── Generator Functions ───────────────────────────────────────────────────
 
 /** Generate legacy PROVIDERS object shape for constants.js backward compatibility */
-export function generateLegacyProviders(): Record<string, any> {
-  const providers: Record<string, any> = {};
+export function generateLegacyProviders(): Record<string, LegacyProvider> {
+  const providers: Record<string, LegacyProvider> = {};
   for (const [id, entry] of Object.entries(REGISTRY)) {
-    const p: Record<string, any> = { format: entry.format };
+    const p: LegacyProvider = { format: entry.format };
 
     // URL(s)
     if (entry.baseUrls) {
@@ -917,7 +932,7 @@ export function generateAliasMap(): Record<string, string> {
 
 // ── Registry Lookup Helpers ───────────────────────────────────────────────
 
-const _byAlias = new Map();
+const _byAlias = new Map<string, RegistryEntry>();
 for (const entry of Object.values(REGISTRY)) {
   if (entry.alias && entry.alias !== entry.id) {
     _byAlias.set(entry.alias, entry);

open-sse/handlers/chatCore.ts

@@ -283,6 +283,7 @@ export async function handleChatCore({
       comboName,
       apiKeyId: apiKeyInfo?.id || null,
       apiKeyName: apiKeyInfo?.name || null,
+      noLog: apiKeyInfo?.noLog === true,
     }).catch(() => {});
     if (error.name === "AbortError") {
       streamController.handleError(error);
@@ -298,11 +299,14 @@ export async function handleChatCore({
     providerResponse.status === HTTP_STATUS.UNAUTHORIZED ||
     providerResponse.status === HTTP_STATUS.FORBIDDEN
   ) {
-    const newCredentials = await refreshWithRetry(
+    const newCredentials = (await refreshWithRetry(
       () => executor.refreshCredentials(credentials, log),
       3,
       log
-    );
+    )) as null | {
+      accessToken?: string;
+      copilotToken?: string;
+    };
 
     if (newCredentials?.accessToken || newCredentials?.copilotToken) {
       log?.info?.("TOKEN", `${provider.toUpperCase()} | refreshed`);
@@ -363,6 +367,7 @@ export async function handleChatCore({
       comboName,
       apiKeyId: apiKeyInfo?.id || null,
       apiKeyName: apiKeyInfo?.name || null,
+      noLog: apiKeyInfo?.noLog === true,
     }).catch(() => {});
     const errMsg = formatProviderError(new Error(message), provider, model, statusCode);
     console.log(`${COLORS.red}[ERROR] ${errMsg}${COLORS.reset}`);
@@ -454,6 +459,7 @@ export async function handleChatCore({
       comboName,
       apiKeyId: apiKeyInfo?.id || null,
       apiKeyName: apiKeyInfo?.name || null,
+      noLog: apiKeyInfo?.noLog === true,
     }).catch(() => {});
     if (usage && typeof usage === "object") {
       const msg = `[${new Date().toLocaleTimeString("en-US", { hour12: false, hour: "2-digit", minute: "2-digit" })}] 📊 [USAGE] ${provider.toUpperCase()} | in=${usage?.prompt_tokens || 0} | out=${usage?.completion_tokens || 0}${connectionId ? ` | account=${connectionId.slice(0, 8)}...` : ""}`;
@@ -556,6 +562,7 @@ export async function handleChatCore({
       comboName,
       apiKeyId: apiKeyInfo?.id || null,
       apiKeyName: apiKeyInfo?.name || null,
+      noLog: apiKeyInfo?.noLog === true,
     }).catch(() => {});
   };
 

open-sse/mcp-server/scopeEnforcement.ts

@@ -0,0 +1,133 @@
+import { MCP_TOOL_MAP } from "./schemas/tools.ts";
+
+type AuthInfoLike = {
+  clientId?: string;
+  scopes?: string[];
+};
+
+export type McpToolExtraLike = {
+  authInfo?: AuthInfoLike;
+  sessionId?: string;
+  _meta?: unknown;
+};
+
+export type ScopeSource = "authInfo" | "meta" | "env" | "none";
+
+export interface CallerScopeContext {
+  callerId: string;
+  scopes: string[];
+  source: ScopeSource;
+}
+
+export interface ScopeCheckResult {
+  allowed: boolean;
+  required: string[];
+  provided: string[];
+  missing: string[];
+  reason?: string;
+}
+
+function normalizeScopeList(raw: unknown): string[] {
+  if (!Array.isArray(raw)) return [];
+  const normalized = raw
+    .filter((value) => typeof value === "string")
+    .map((value) => value.trim())
+    .filter(Boolean);
+  return Array.from(new Set(normalized));
+}
+
+function extractMetaScopeList(meta: unknown): string[] {
+  if (!meta || typeof meta !== "object") return [];
+  const metaRecord = meta as Record<string, unknown>;
+
+  const direct = normalizeScopeList(metaRecord.scopes);
+  if (direct.length > 0) return direct;
+
+  const auth = metaRecord.auth;
+  if (auth && typeof auth === "object") {
+    const authScopes = normalizeScopeList((auth as Record<string, unknown>).scopes);
+    if (authScopes.length > 0) return authScopes;
+  }
+
+  const omni = metaRecord.omniroute;
+  if (omni && typeof omni === "object") {
+    const omniScopes = normalizeScopeList((omni as Record<string, unknown>).scopes);
+    if (omniScopes.length > 0) return omniScopes;
+  }
+
+  return [];
+}
+
+function scopeMatches(grantedScope: string, requiredScope: string): boolean {
+  if (grantedScope === "*" || grantedScope === requiredScope) {
+    return true;
+  }
+  if (grantedScope.endsWith("*")) {
+    const prefix = grantedScope.slice(0, -1);
+    return requiredScope.startsWith(prefix);
+  }
+  return false;
+}
+
+export function resolveCallerScopeContext(
+  extra: McpToolExtraLike | undefined,
+  fallbackScopes: readonly string[] = []
+): CallerScopeContext {
+  const callerId =
+    (typeof extra?.authInfo?.clientId === "string" && extra.authInfo.clientId.trim()) ||
+    (typeof extra?.sessionId === "string" && extra.sessionId.trim()) ||
+    "anonymous";
+
+  const authScopes = normalizeScopeList(extra?.authInfo?.scopes);
+  if (authScopes.length > 0) {
+    return { callerId, scopes: authScopes, source: "authInfo" };
+  }
+
+  const metaScopes = extractMetaScopeList(extra?._meta);
+  if (metaScopes.length > 0) {
+    return { callerId, scopes: metaScopes, source: "meta" };
+  }
+
+  const fallback = normalizeScopeList(fallbackScopes);
+  if (fallback.length > 0) {
+    return { callerId, scopes: fallback, source: "env" };
+  }
+
+  return { callerId, scopes: [], source: "none" };
+}
+
+export function evaluateToolScopes(
+  toolName: string,
+  callerScopes: readonly string[],
+  enforceScopes: boolean
+): ScopeCheckResult {
+  const toolDef = MCP_TOOL_MAP[toolName];
+  if (!toolDef) {
+    return {
+      allowed: false,
+      required: [],
+      provided: Array.from(callerScopes),
+      missing: [],
+      reason: "tool_definition_missing",
+    };
+  }
+
+  const required = Array.isArray(toolDef.scopes) ? Array.from(toolDef.scopes) : [];
+  const provided = normalizeScopeList(callerScopes);
+
+  if (!enforceScopes || required.length === 0) {
+    return { allowed: true, required, provided, missing: [] };
+  }
+
+  const missing = required.filter(
+    (requiredScope) => !provided.some((grantedScope) => scopeMatches(grantedScope, requiredScope))
+  );
+
+  return {
+    allowed: missing.length === 0,
+    required,
+    provided,
+    missing,
+    reason: missing.length > 0 ? "missing_scopes" : undefined,
+  };
+}