Add GitLab Duo provider (subscription-backed coding model)

[quangdang46]

Add GitLab Duo provider (subscription-backed coding model)

Summary

Add a native GitLab Duo provider mirroring pi_agent_rust's implementation. Lets users with a GitLab Duo subscription use it inside jcode the same way they use Copilot or Claude Max today.

Reference: pi_agent_rust provider list referring to "GitLab Duo" — see Architecture ("10 native provider implementation modules in src/providers/: Anthropic, OpenAI Chat, OpenAI Responses/Codex Responses, Gemini, Cohere, Azure OpenAI, Bedrock, Vertex AI, GitHub Copilot, and GitLab Duo").

Why

• jcode already supports Copilot via OAuth; GitLab Duo is the equivalent subscription-backed coding model for the GitLab ecosystem.
• Many enterprises pay for GitLab Duo and would adopt jcode if it could ride that subscription instead of asking for a separate API key.

Current state in jcode

• No gitlab or duo references in src/provider/. CLI --provider doc string doesn't include it. No auth.json schema entry.

Implementation checklist

1. Auth

• GitLab Duo uses GitLab OAuth (PKCE). Implement an OAuth flow jcode login --provider gitlab-duo:
  • Device/PKCE flow with --no-browser fallback (jcode already supports this pattern for Claude/Copilot).
  • Persist tokens (access + refresh) in ~/.jcode/gitlab-duo-auth.json.
  • Refresh tokens automatically when expired.
• Support hosted GitLab.com and self-hosted GitLab instances. CLI flag --gitlab-host https://gitlab.example.com. Stored alongside the token.

2. Provider implementation

• src/provider/gitlab_duo.rs implements the Provider trait. Endpoint pattern (TBD against Duo API docs at integration time): https://<gitlab-host>/api/v4/code-suggestions/... or the chat-completion equivalent.
• Streaming, tool-call mapping, thinking blocks (where supported).
• Document any quotas / rate limits jcode should respect.

3. Models

• Register the canonical Duo model identifiers. Document in src/provider_catalog.rs and docs/providers.md.

4. CLI surface

• --provider gitlab-duo accepted.
• Update --provider doc string in src/cli/args.rs.
• Add to auth-test --all-configured coverage.
• jcode usage shows Duo subscription quota when the API exposes it.

5. Telemetry + errors

• Reuse provider telemetry hooks.
• Map 401 to a clear "please re-login" message that also clears the cached refresh token if it is invalid.

Testing

Unit

• OAuth flow state machine (challenge → callback → token store → refresh).
• Streaming parser tests against fixture responses.

Live (gated)

• JCODE_LIVE=1 cargo test gitlab_duo against a real Duo subscription (skipped by default).

Manual

• jcode login --provider gitlab-duo --gitlab-host https://gitlab.com then jcode -p "Hello".
• Self-hosted: same flow with --gitlab-host https://gitlab.example.com.

Acceptance criteria

• OAuth works against both gitlab.com and a self-hosted instance.
• Refresh-on-401 is automatic and only re-prompts if refresh genuinely fails.
• Streaming + tool calls + usage tracking work end to end.
• jcode auth-test --provider gitlab-duo returns OK after login.

References

• pi_agent_rust: Architecture — provider list.
• GitLab Duo API docs at integration time.

---

Implementation notes addendum (Devin gap-analysis pass, 2026-05-21)

Verified jcode code paths

• Add new file src/provider/gitlab_duo.rs patterned on src/provider/copilot.rs (subscription-backed providers share OAuth + per-request bearer-token rotation).
• Auth integration: src/auth/, login flow in src/cli/login/, picker in src/tui/login_picker.rs.

GitLab Duo specifics

• Auth: GitLab OAuth (PKCE) against https://gitlab.com/oauth/authorize. After exchange, store refresh token in the existing keychain wrapper.
• API: GitLab Duo Code Suggestions / Chat. Endpoint pattern: https://gitlab.com/api/v4/code_suggestions/completions (completion-style) and https://gitlab.com/api/v4/chat/completions (chat). Confirm against the upstream API before coding.
• Models: treat the active subscription model as a single virtual model (gitlab-duo-chat) at launch; gate any future model selection on the API actually exposing one.
• Self-hosted: allow GITLAB_URL env to point at a self-managed GitLab; the login flow uses that base URL.

Acceptance criteria

• jcode /login gitlab-duo walks PKCE flow.
• jcode --provider gitlab-duo "..." works.
• Self-hosted endpoint configurable.
• Token refresh handled invisibly (no re-login mid-session).
• jcode --list-providers includes GitLab Duo.

Cross-references

• Add Cohere provider (native streaming + tool use) #18 Cohere — sibling provider issue.

Reference

• pi_agent_rust: GitLab Duo is listed in Provider Layer.
• GitLab docs: https://docs.gitlab.com/ee/user/gitlab_duo/