
fix(core): prevent double server.close() and promise rejection in OAuth callback server#24120

Closed
cyphercodes wants to merge 1 commit into google-gemini:main from cyphercodes:fix/oauth-server-close-guard-24088

Conversation

@cyphercodes

Description

This PR fixes issue #24088 where multiple server.close() calls without guard in the OAuth callback server can throw ERR_SERVER_NOT_RUNNING errors.

Problem

In packages/core/src/utils/oauth-flow.ts, the startCallbackServer() function calls server.close() in multiple code paths without checking if the server has already been closed:

  1. When there's an OAuth error (line ~150)
  2. When state mismatch occurs (line ~164)
  3. In the success path (line ~181)
  4. In the catch block (line ~184)

Additionally, the server.on('error') handler calls both portReject(error) and reject(error), which can cause double promise rejection.

Solution

Added guard variables and helper functions:

  • serverClosed boolean to track if server has been closed
  • promiseSettled boolean to track if promise has been resolved/rejected
  • closeServer() helper that only closes if not already closed
  • safeResolve() helper that only resolves if not already settled
  • safeReject() helper that only rejects if not already settled

All code paths now use these safe helpers instead of calling server.close(), resolve(), or reject() directly.

Testing

  • All 45 existing tests pass
  • Added 3 new tests to verify the fix:
    • should handle multiple concurrent requests without double-closing server
    • should handle rapid error and success without double rejection
    • should not throw ERR_SERVER_NOT_RUNNING on state mismatch

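The close-once / settle-once guard this PR describes, as an added example rather than the PR's own code, written in TypeScript because oauth-flow.ts is TypeScript. FakeServer, guardCallbackFlow and runRapidErrorThenSuccess are constructed names: FakeServer stands in for Node's http.Server so the race can be replayed offline, and the helper names mirror the PR's closeServer, safeResolve and safeReject.

```typescript
// Constructed stand-in for the Node http.Server behind the callback server: a second close() throws ERR_SERVER_NOT_RUNNING.
class FakeServer {
  closeCalls = 0;
  private running = true;
  close(): void {
    this.closeCalls++;
    if (!this.running) throw Object.assign(new Error('Server is not running.'), { code: 'ERR_SERVER_NOT_RUNNING' });
    this.running = false;
  }
}
type Settler<T> = { resolve: (v: T) => void; reject: (e: Error) => void };
// The PR's guard pattern: one flag for the server, one for the promise. Each helper reports whether it acted.
function guardCallbackFlow<T>(server: FakeServer, settler: Settler<T>) {
  let serverClosed = false;
  let promiseSettled = false;
  const closeServer = (): boolean => {
    if (serverClosed) return false; // a second caller never reaches server.close()
    serverClosed = true;
    server.close();
    return true;
  };
  const safeResolve = (value: T): boolean => {
    if (promiseSettled) return false;
    promiseSettled = true;
    settler.resolve(value);
    return true;
  };
  const safeReject = (error: unknown): boolean => {
    if (promiseSettled) return false;
    promiseSettled = true;
    // wrap non-Error throwables: the commit's "error type conversion"
    settler.reject(error instanceof Error ? error : new Error(String(error)));
    return true;
  };
  return { closeServer, safeResolve, safeReject };
}
// Replays the "rapid error and success" race from the new tests: the error path settles and closes first, then a racing success path attempts the same.
function runRapidErrorThenSuccess() {
  const server = new FakeServer();
  let settler!: Settler<string>;
  new Promise<string>((res, rej) => { settler = { resolve: res, reject: rej }; }).catch(() => undefined);
  const flow = guardCallbackFlow(server, settler);
  const firstReject = flow.safeReject('access_denied'); // non-Error input gets wrapped
  const firstClose = flow.closeServer();
  const lateResolve = flow.safeResolve('auth-code'); // ignored: already settled
  const lateClose = flow.closeServer(); // ignored: already closed
  return { closeCalls: server.closeCalls, firstReject, firstClose, lateResolve, lateClose };
}
```

Without the guard, the second closeServer() in the replay would reach FakeServer.close() and raise ERR_SERVER_NOT_RUNNING, which is exactly the path the four unguarded server.close() calls listed above could hit.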

…th callback server

Add guards to prevent ERR_SERVER_NOT_RUNNING errors when server.close()
is called multiple times in the OAuth callback server. Also prevent
double promise rejection by tracking settlement state.

- Add serverClosed guard to ensure server.close() is only called once
- Add promiseSettled guard to ensure resolve/reject is only called once
- Update all code paths to use the new safe functions
- Add error type conversion for non-Error exceptions

Fixes google-gemini#24088
@cyphercodes cyphercodes requested review from a team as code owners March 28, 2026 20:50
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses stability issues in the OAuth callback server where improper handling of server lifecycle events led to runtime errors and promise rejection conflicts. By implementing safe wrappers for server closure and promise settlement, the changes ensure that the server handles concurrent requests and error states gracefully without crashing.

Highlights

  • OAuth Callback Server Stability: Introduced guard variables and helper functions (closeServer, safeResolve, safeReject) to prevent multiple server.close() calls and double promise rejections, effectively resolving issue #24088 ("Bug: Multiple server.close() calls without guard in OAuth callback server can throw ERR_SERVER_NOT_RUNNING").
  • Testing: Added three new test cases to verify concurrent request handling, rapid error/success scenarios, and state mismatch handling to ensure the server remains stable under load.
  • Dependency Updates: Updated @vitest/coverage-v8 and adjusted various dependency definitions in package-lock.json and package.json to improve build and test environment consistency.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request improves the reliability of the OAuth callback server by introducing state management to prevent double-closing the server or double-settling the authorization promise. It adds safe wrapper functions for resolving, rejecting, and closing the server, along with comprehensive tests for concurrent requests and error handling. Dependency updates for @vitest/coverage-v8 and modifications to the VS Code companion's license notices are also included. I have no feedback to provide.

@gemini-cli

gemini-cli Bot commented Apr 12, 2026

Hi there! Thank you for your interest in contributing to Gemini CLI.

To ensure we maintain high code quality and focus on our prioritized roadmap, we have updated our contribution policy (see Discussion #17383).

We only guarantee review and consideration of pull requests for issues that are explicitly labeled as 'help wanted'. All other community pull requests are subject to closure after 14 days if they do not align with our current focus areas. For this reason, we strongly recommend that contributors only submit pull requests against issues explicitly labeled as 'help-wanted'.

This pull request is being closed as it has been open for 14 days without a 'help wanted' designation. We encourage you to find and contribute to existing 'help wanted' issues in our backlog! Thank you for your understanding and for being part of our community!

@gemini-cli gemini-cli Bot closed this Apr 12, 2026

Labels

area/security Issues related to security
