feat: implement headless LS authentication via state sync

Reverse-engineered the UnifiedStateSyncUpdate protocol: - initial_state field is bytes (not string), contains serialized Topic proto - Map key for OAuth is 'oauthTokenInfoSentinelKey' - Row.value is base64-encoded OAuthTokenInfo protobuf - OAuthTokenInfo includes access_token, token_type, expiry (Timestamp) - Set far-future expiry (2099) to prevent token expiry errors Also fixed: - PushUnifiedStateSyncUpdate returns proper empty proto response - Stream keep-alive avoids sending empty envelopes (LS rejects nil updates) - uss-enterprisePreferences topic handled (empty initial state)
2026-02-15 21:40:35 -06:00
parent 4e4d8e9474
commit 6a07786c4e
6 changed files with 936 additions and 59 deletions
--- a/docs/standalone-ls-todo.md
+++ b/docs/standalone-ls-todo.md
@@ -1,16 +1,33 @@
 # Standalone LS for Proxy Isolation

-## Status: ✅ FULLY IMPLEMENTED (incl. MITM interception)
+## Status: ✅ FULLY IMPLEMENTED (incl. headless mode + MITM)

-The standalone LS is the default mode. Disable with `--no-standalone`.
-All cascade types (sync, streaming, multi-turn) and all endpoints work.
-MITM interception captures real token usage from Google's API.
+Two modes available:

-## Implementation
+- **Normal standalone** (default) — steals config from running Antigravity, optional UID isolation
+- **Headless** (`--headless`) — fully independent, no running Antigravity required

-**Module:** `src/standalone.rs`
+## Headless Mode

-The proxy spawns a standalone LS as a child process:
+Pass `--headless` to the proxy. This:
+
+1. Generates its own CSRF token (random UUID)
+2. Passes `-extension_server_port=0` to the LS (disables extension server callbacks)
+3. Passes `-standalone=true` to the LS binary (built-in standalone flag)
+4. Uses `HTTPS_PROXY` env var for MITM (no iptables/sudo required)
+5. No `/proc` scanning, no dependency on running Antigravity
+
+```bash
+# Headless (no Antigravity needed)
+RUST_LOG=info ./target/release/antigravity-proxy --headless
+
+# With MITM disabled
+./target/release/antigravity-proxy --headless --no-mitm
+```
+
+## Normal Standalone Mode
+
+The default mode (disable with `--no-standalone`):

 1. Discovers `extension_server_port` and `csrf_token` from the real LS (via `/proc/PID/cmdline`)
 2. Picks a random free port
@@ -31,26 +48,19 @@ When `scripts/mitm-redirect.sh install` has been run:
 5. A combined CA bundle (system CAs + MITM CA) is written to `/tmp/antigravity-mitm-combined-ca.pem`
 6. Only the standalone LS traffic is intercepted — no impact on other software

-## Usage
+## LS Binary Flags (Reference)

-```bash
-# Setup (one-time, requires sudo)
-sudo ./scripts/mitm-redirect.sh install
+From `language_server_linux_x64 --help`:

-# Run
-RUST_LOG=info ./target/release/antigravity-proxy
-
-# Check intercepted usage
-curl -s http://localhost:8741/v1/usage | jq .
-```
-
-## Root Cause of Original Failure
-
-The bash script (`scripts/standalone-ls.sh`) used `MODEL_PLACEHOLDER_M3` — an
-unassigned/invalid model enum. The LS silently drops cascades with unknown models.
-
-**Fix:** Use correct model enums (M18=Flash, M26=Opus4.6) via the proxy's
-byte-exact protobuf encoder.
+| Flag                     | Default | Description                           |
+| ------------------------ | ------- | ------------------------------------- |
+| `-standalone`            | `false` | Whether to run in standalone mode     |
+| `-extension_server_port` | `0`     | Extension server port. If 0, not used |
+| `-csrf_token`            | `""`    | CSRF token for RPC auth               |
+| `-server_port`           | `42100` | Port for LS ↔ extension               |
+| `-enable_lsp`            | `false` | Enable LSP protocol                   |
+| `-cloud_code_endpoint`   | `""`    | CCPA API URL                          |
+| `-parent_pipe_path`      | `""`    | Monitors parent process liveness      |

 ## Key Technical Details

@@ -58,7 +68,6 @@ byte-exact protobuf encoder.
 - Model IDs: M18=Flash, M8=Pro-High, M7=Pro-Low, M26=Opus4.6, M12=Opus4.5
 - LS binary: `/usr/share/antigravity/resources/app/extensions/antigravity/bin/language_server_linux_x64`
 - API endpoint: `daily-cloudcode-pa.googleapis.com/v1internal:streamGenerateContent?alt=sse`
- SSE response format: `{"response": {"usageMetadata": {"promptTokenCount", "candidatesTokenCount", "thoughtsTokenCount"}, "modelVersion": "..."}}`

 ## Test Results (2026-02-15)