@bamboo-ai/core 0.1.0

package/dist/auth.d.ts

@@ -0,0 +1,47 @@
+export declare class AuthService {
+    /** new-api URL — used for LLM API calls via /v1 */
+    private apiBaseUrl;
+    /** Libra URL — used for login and API key generation */
+    private authUrl;
+    /**
+     * @param apiBaseUrl  new-api base URL (e.g. http://localhost:3010)
+     * @param authUrl     Libra base URL  (e.g. http://localhost:2999)
+     *                    Defaults to apiBaseUrl when not specified.
+     */
+    constructor(apiBaseUrl?: string, authUrl?: string);
+    /**
+     * Primary: Browser-based login via Libra → returns sk-xxx API key.
+     * Fallback: Terminal email/password login via Libra CLI API.
+     *
+     * Both paths end with a persistent API key stored in ~/.bamboo/credentials.
+     */
+    login(): Promise<string>;
+    /**
+     * 1. Start a local HTTP server on a random port
+     * 2. Open the browser to Libra's /api/auth/cli/authorize
+     * 3. Libra authenticates the user and creates/finds an sk-xxx API key
+     * 4. Libra redirects to our callback with ?api_key=sk-xxx
+     * 5. Save the API key to disk
+     */
+    private browserLogin;
+    /**
+     * Prompt email + password in the terminal, then call Libra's
+     * /api/auth/cli/login endpoint which returns an sk-xxx API key.
+     */
+    private terminalLogin;
+    private askPassword;
+    /**
+     * Read the stored API key (sk-xxx) from disk.
+     *
+     * Supports three formats for backward compatibility:
+     *  1. JSON  { "api_key": "sk-xxx" }          ← current
+     *  2. JSON  { "access_token": "..." }         ← old JWT format (ignored)
+     *  3. Plain text "sk-xxx"                     ← legacy
+     */
+    getToken(): Promise<string | null>;
+    private saveApiKey;
+    /**
+     * Clear stored credentials (logout).
+     */
+    logout(): Promise<void>;
+}

package/dist/auth.js

@@ -0,0 +1,341 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthService = void 0;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
+const http_1 = __importDefault(require("http"));
+const child_process_1 = require("child_process");
+const readline_1 = __importDefault(require("readline"));
+const axios_1 = __importDefault(require("axios"));
+const CREDENTIALS_DIR = path_1.default.join(os_1.default.homedir(), '.bamboo');
+const CREDENTIALS_FILE = path_1.default.join(CREDENTIALS_DIR, 'credentials');
+// ─── HTML Templates ──────────────────────────────────────────────────
+const SUCCESS_HTML = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>Bamboo CLI — Login Successful</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif;
+      display: flex; justify-content: center; align-items: center;
+      height: 100vh;
+      background: linear-gradient(135deg, #f0fdf4 0%, #ecfdf5 50%, #d1fae5 100%);
+    }
+    .card {
+      text-align: center; padding: 3rem 2.5rem;
+      background: white; border-radius: 1rem;
+      box-shadow: 0 4px 24px rgba(0,0,0,0.06);
+      max-width: 420px; width: 90%;
+    }
+    .icon { font-size: 3rem; margin-bottom: 1rem; }
+    h1 { color: #16a34a; font-size: 1.5rem; margin-bottom: 0.5rem; }
+    p { color: #6b7280; line-height: 1.6; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <div class="icon">🎋</div>
+    <h1>Login Successful!</h1>
+    <p>You can close this tab and return to your terminal.</p>
+  </div>
+</body>
+</html>`;
+function errorHtml(message) {
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>Bamboo CLI — Login Failed</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif;
+      display: flex; justify-content: center; align-items: center;
+      height: 100vh;
+      background: linear-gradient(135deg, #fef2f2 0%, #fecaca 100%);
+    }
+    .card {
+      text-align: center; padding: 3rem 2.5rem;
+      background: white; border-radius: 1rem;
+      box-shadow: 0 4px 24px rgba(0,0,0,0.06);
+      max-width: 420px; width: 90%;
+    }
+    .icon { font-size: 3rem; margin-bottom: 1rem; }
+    h1 { color: #dc2626; font-size: 1.5rem; margin-bottom: 0.5rem; }
+    p { color: #6b7280; line-height: 1.6; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <div class="icon">❌</div>
+    <h1>Login Failed</h1>
+    <p>${message}</p>
+    <p style="margin-top:1rem;">Please close this tab and try again in your terminal.</p>
+  </div>
+</body>
+</html>`;
+}
+// ─── AuthService ─────────────────────────────────────────────────────
+class AuthService {
+    /**
+     * @param apiBaseUrl  new-api base URL (e.g. http://localhost:3010)
+     * @param authUrl     Libra base URL  (e.g. http://localhost:2999)
+     *                    Defaults to apiBaseUrl when not specified.
+     */
+    constructor(apiBaseUrl = 'https://api.bamboonode.cn', authUrl) {
+        this.apiBaseUrl = apiBaseUrl;
+        this.authUrl = authUrl || apiBaseUrl;
+    }
+    // ─── Login (primary + fallback) ─────────────────────────────────
+    /**
+     * Primary: Browser-based login via Libra → returns sk-xxx API key.
+     * Fallback: Terminal email/password login via Libra CLI API.
+     *
+     * Both paths end with a persistent API key stored in ~/.bamboo/credentials.
+     */
+    async login() {
+        try {
+            return await this.browserLogin();
+        }
+        catch (err) {
+            console.error(`Bamboo: Browser login unavailable (${err.message}).`);
+            console.error('Bamboo: Falling back to terminal login...');
+            console.error('');
+            return await this.terminalLogin();
+        }
+    }
+    // ─── Browser Login ──────────────────────────────────────────────
+    /**
+     * 1. Start a local HTTP server on a random port
+     * 2. Open the browser to Libra's /api/auth/cli/authorize
+     * 3. Libra authenticates the user and creates/finds an sk-xxx API key
+     * 4. Libra redirects to our callback with ?api_key=sk-xxx
+     * 5. Save the API key to disk
+     */
+    browserLogin() {
+        return new Promise((resolve, reject) => {
+            const server = http_1.default.createServer();
+            let timeoutId;
+            server.listen(0, '127.0.0.1', () => {
+                const addr = server.address();
+                const port = addr.port;
+                const redirectUri = `http://localhost:${port}/callback`;
+                const authorizeUrl = `${this.authUrl}/api/auth/cli/authorize?redirect_uri=${encodeURIComponent(redirectUri)}`;
+                console.error('');
+                console.error('══════════════════════════════════════');
+                console.error('       🎋 Bamboo CLI Login');
+                console.error('══════════════════════════════════════');
+                console.error('');
+                console.error('  Opening browser for login...');
+                console.error(`  If the browser does not open, visit:`);
+                console.error(`  ${authorizeUrl}`);
+                console.error('');
+                console.error('  Waiting for authentication...');
+                openBrowser(authorizeUrl);
+                // 5-minute timeout
+                timeoutId = setTimeout(() => {
+                    server.close();
+                    reject(new Error('Login timed out (5 min). Please try again.'));
+                }, 5 * 60 * 1000);
+            });
+            server.on('request', async (req, res) => {
+                const reqUrl = new URL(req.url || '/', 'http://localhost');
+                if (reqUrl.pathname !== '/callback') {
+                    res.writeHead(404);
+                    res.end('Not Found');
+                    return;
+                }
+                const apiKey = reqUrl.searchParams.get('api_key');
+                const error = reqUrl.searchParams.get('error');
+                if (apiKey) {
+                    await this.saveApiKey(apiKey);
+                    res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+                    res.end(SUCCESS_HTML);
+                    clearTimeout(timeoutId);
+                    server.close();
+                    console.error('');
+                    console.error('  ✅ Login successful!');
+                    console.error(`  API key saved to: ${CREDENTIALS_FILE}`);
+                    console.error('');
+                    resolve(apiKey);
+                }
+                else {
+                    const errMsg = error || 'Unknown error';
+                    res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
+                    res.end(errorHtml(errMsg));
+                    clearTimeout(timeoutId);
+                    server.close();
+                    reject(new Error(`Login failed: ${errMsg}`));
+                }
+            });
+            server.on('error', (err) => {
+                clearTimeout(timeoutId);
+                reject(new Error(`Failed to start callback server: ${err.message}`));
+            });
+        });
+    }
+    // ─── Terminal Login (fallback) ──────────────────────────────────
+    /**
+     * Prompt email + password in the terminal, then call Libra's
+     * /api/auth/cli/login endpoint which returns an sk-xxx API key.
+     */
+    async terminalLogin() {
+        const rl = readline_1.default.createInterface({
+            input: process.stdin,
+            output: process.stderr,
+        });
+        const ask = (question) => new Promise((resolve) => rl.question(question, resolve));
+        try {
+            console.error('══════════════════════════════════════');
+            console.error('  🎋 Bamboo CLI Login (Terminal)');
+            console.error('══════════════════════════════════════');
+            console.error(`  Server: ${this.authUrl}`);
+            console.error('');
+            const email = await ask('  Email: ');
+            const password = await this.askPassword('  Password: ', rl);
+            console.error('');
+            if (!email || !password) {
+                throw new Error('Email and password are required.');
+            }
+            console.error('  Authenticating...');
+            const resp = await axios_1.default.post(`${this.authUrl}/api/auth/cli/login`, { email, password }, { headers: { 'Content-Type': 'application/json' } });
+            if (!resp.data?.success) {
+                throw new Error(resp.data?.message || 'Login failed');
+            }
+            const apiKey = resp.data.api_key;
+            if (!apiKey) {
+                throw new Error('Server did not return a valid API key.');
+            }
+            await this.saveApiKey(apiKey);
+            console.error('  ✅ Login successful!');
+            console.error(`  API key saved to: ${CREDENTIALS_FILE}`);
+            console.error('');
+            return apiKey;
+        }
+        finally {
+            rl.close();
+        }
+    }
+    // ─── Password Prompt (hidden input) ─────────────────────────────
+    askPassword(prompt, rl) {
+        return new Promise((resolve) => {
+            const stdin = process.stdin;
+            const stderr = process.stderr;
+            stderr.write(prompt);
+            if (stdin.isTTY) {
+                stdin.setRawMode(true);
+                stdin.resume();
+                stdin.setEncoding('utf8');
+                let password = '';
+                const onData = (char) => {
+                    const c = char.toString();
+                    if (c === '\n' || c === '\r' || c === '\u0004') {
+                        stdin.setRawMode(false);
+                        stdin.pause();
+                        stdin.removeListener('data', onData);
+                        stderr.write('\n');
+                        resolve(password);
+                    }
+                    else if (c === '\u0003') {
+                        stdin.setRawMode(false);
+                        process.exit(1);
+                    }
+                    else if (c === '\u007f' || c === '\b') {
+                        if (password.length > 0) {
+                            password = password.slice(0, -1);
+                            stderr.write('\b \b');
+                        }
+                    }
+                    else {
+                        password += c;
+                        stderr.write('*');
+                    }
+                };
+                stdin.on('data', onData);
+            }
+            else {
+                rl.question('', (answer) => resolve(answer));
+            }
+        });
+    }
+    // ─── Credential Storage ─────────────────────────────────────────
+    /**
+     * Read the stored API key (sk-xxx) from disk.
+     *
+     * Supports three formats for backward compatibility:
+     *  1. JSON  { "api_key": "sk-xxx" }          ← current
+     *  2. JSON  { "access_token": "..." }         ← old JWT format (ignored)
+     *  3. Plain text "sk-xxx"                     ← legacy
+     */
+    async getToken() {
+        try {
+            if (!fs_1.default.existsSync(CREDENTIALS_FILE))
+                return null;
+            const raw = fs_1.default.readFileSync(CREDENTIALS_FILE, 'utf-8').trim();
+            if (!raw)
+                return null;
+            // JSON format
+            if (raw.startsWith('{')) {
+                const parsed = JSON.parse(raw);
+                // Current format
+                if (parsed.api_key)
+                    return parsed.api_key;
+                // Old JWT format — can't use, need re-login
+                if (parsed.access_token)
+                    return null;
+                return null;
+            }
+            // Plain text — accept if it looks like an API key
+            if (raw.startsWith('sk-'))
+                return raw;
+            // Old plain-text JWT — can't use
+            return null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async saveApiKey(apiKey) {
+        if (!fs_1.default.existsSync(CREDENTIALS_DIR)) {
+            fs_1.default.mkdirSync(CREDENTIALS_DIR, { recursive: true });
+        }
+        const data = JSON.stringify({ api_key: apiKey }, null, 2);
+        fs_1.default.writeFileSync(CREDENTIALS_FILE, data, { mode: 0o600 });
+    }
+    /**
+     * Clear stored credentials (logout).
+     */
+    async logout() {
+        try {
+            if (fs_1.default.existsSync(CREDENTIALS_FILE)) {
+                fs_1.default.unlinkSync(CREDENTIALS_FILE);
+                console.error('Bamboo: Logged out. Credentials cleared.');
+            }
+        }
+        catch {
+            // ignore
+        }
+    }
+}
+exports.AuthService = AuthService;
+// ─── Utilities ───────────────────────────────────────────────────────
+/**
+ * Open a URL in the default browser (cross-platform, no external deps).
+ */
+function openBrowser(url) {
+    const escaped = url.replace(/"/g, '\\"');
+    const cmd = process.platform === 'darwin' ? `open "${escaped}"` :
+        process.platform === 'win32' ? `start "" "${escaped}"` :
+            `xdg-open "${escaped}"`;
+    (0, child_process_1.exec)(cmd, (err) => {
+        if (err) {
+            console.error(`Bamboo: Could not open browser automatically.`);
+        }
+    });
+}

package/dist/config.d.ts

@@ -0,0 +1,21 @@
+import { AuthService } from './auth';
+export interface ToolConfig {
+    apiKey: string;
+    baseUrl: string;
+}
+export declare class ConfigService {
+    private authService;
+    private apiBaseUrl;
+    constructor(authService: AuthService, apiBaseUrl?: string);
+    /**
+     * Get the runtime configuration for a specific tool.
+     *
+     * The API key (sk-xxx) is stored directly in ~/.bamboo/credentials
+     * and was generated during the login flow. No intermediate token needed.
+     *
+     * Base URL handling:
+     *   - Anthropic SDK adds /v1 internally, so ANTHROPIC_BASE_URL must NOT include /v1
+     *   - OpenAI SDK expects /v1 in the base URL, so OPENAI_BASE_URL must include /v1
+     */
+    getConfig(toolName: string): Promise<ToolConfig>;
+}

package/dist/config.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConfigService = void 0;
+class ConfigService {
+    constructor(authService, apiBaseUrl = 'https://api.bamboonode.cn') {
+        this.authService = authService;
+        this.apiBaseUrl = apiBaseUrl;
+    }
+    /**
+     * Get the runtime configuration for a specific tool.
+     *
+     * The API key (sk-xxx) is stored directly in ~/.bamboo/credentials
+     * and was generated during the login flow. No intermediate token needed.
+     *
+     * Base URL handling:
+     *   - Anthropic SDK adds /v1 internally, so ANTHROPIC_BASE_URL must NOT include /v1
+     *   - OpenAI SDK expects /v1 in the base URL, so OPENAI_BASE_URL must include /v1
+     */
+    async getConfig(toolName) {
+        const apiKey = await this.authService.getToken();
+        if (!apiKey) {
+            throw new Error('Not logged in. Please run the CLI to start the login flow.');
+        }
+        // Anthropic SDK appends /v1 itself; OpenAI SDK expects /v1 in the base URL
+        const baseUrl = toolName === 'claude'
+            ? this.apiBaseUrl
+            : `${this.apiBaseUrl}/v1`;
+        return { apiKey, baseUrl };
+    }
+}
+exports.ConfigService = ConfigService;

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export * from './auth';
+export * from './config';
+export * from './process';
+export * from './resolve-bin';

package/dist/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./auth"), exports);
+__exportStar(require("./config"), exports);
+__exportStar(require("./process"), exports);
+__exportStar(require("./resolve-bin"), exports);

package/dist/process.d.ts

@@ -0,0 +1,11 @@
+export declare class ProcessManager {
+    /**
+     * Spawns a child process with full stdio inheritance.
+     * Uses child_process.spawn directly — no need for execa dependency.
+     * Propagates the child's exit code to the parent.
+     *
+     * Cross-platform: on Windows, .cmd/.bat shims require `shell: true`
+     * for spawn to execute them correctly.
+     */
+    run(command: string, args: string[], env: NodeJS.ProcessEnv): Promise<void>;
+}

package/dist/process.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProcessManager = void 0;
+const child_process_1 = require("child_process");
+class ProcessManager {
+    /**
+     * Spawns a child process with full stdio inheritance.
+     * Uses child_process.spawn directly — no need for execa dependency.
+     * Propagates the child's exit code to the parent.
+     *
+     * Cross-platform: on Windows, .cmd/.bat shims require `shell: true`
+     * for spawn to execute them correctly.
+     */
+    async run(command, args, env) {
+        const finalEnv = { ...process.env, ...env };
+        // Windows .cmd/.bat shims need shell: true
+        const needsShell = process.platform === 'win32' && /\.(cmd|bat)$/i.test(command);
+        return new Promise((resolve, reject) => {
+            const child = (0, child_process_1.spawn)(command, args, {
+                env: finalEnv,
+                stdio: 'inherit',
+                shell: needsShell,
+            });
+            child.on('error', (err) => {
+                reject(new Error(`Failed to start process "${command}": ${err.message}`));
+            });
+            child.on('exit', (code, signal) => {
+                if (signal) {
+                    // Child was killed by a signal
+                    process.exit(1);
+                }
+                // Propagate child's exit code
+                process.exit(code ?? 0);
+            });
+        });
+    }
+}
+exports.ProcessManager = ProcessManager;

package/dist/resolve-bin.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Resolve a CLI binary from the system PATH.
+ *
+ * Strategy B: users install the underlying CLI tools globally themselves
+ * (e.g. `npm i -g @anthropic-ai/claude-code` or `npm i -g @openai/codex`).
+ * Bamboo locates the binary at runtime.
+ *
+ * Cross-platform: uses `where` on Windows, `which` on macOS/Linux.
+ *
+ * @param name       The binary name to look up (e.g. "claude", "codex")
+ * @param pkgHint    Human-readable install hint shown on failure
+ * @returns          Absolute path to the binary
+ */
+export declare function resolveBin(name: string, pkgHint: string): string;

package/dist/resolve-bin.js

@@ -0,0 +1,150 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveBin = resolveBin;
+const child_process_1 = require("child_process");
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const isWindows = process.platform === 'win32';
+/**
+ * Known binary → expected version output substring.
+ * Used to verify we found the correct binary, not a different package
+ * with the same name (e.g. "codex" static site generator vs OpenAI Codex).
+ */
+const VERSION_CHECKS = {
+    claude: 'Claude Code',
+    codex: 'codex-cli',
+};
+/**
+ * Resolve a CLI binary from the system PATH.
+ *
+ * Strategy B: users install the underlying CLI tools globally themselves
+ * (e.g. `npm i -g @anthropic-ai/claude-code` or `npm i -g @openai/codex`).
+ * Bamboo locates the binary at runtime.
+ *
+ * Cross-platform: uses `where` on Windows, `which` on macOS/Linux.
+ *
+ * @param name       The binary name to look up (e.g. "claude", "codex")
+ * @param pkgHint    Human-readable install hint shown on failure
+ * @returns          Absolute path to the binary
+ */
+function resolveBin(name, pkgHint) {
+    const candidates = [];
+    // 1. Lookup from system PATH (cross-platform)
+    const pathResults = lookupFromPath(name);
+    for (const p of pathResults) {
+        if (!candidates.includes(p))
+            candidates.push(p);
+    }
+    // 2. Try common global npm/pnpm paths
+    const globalDirs = getGlobalNodeModulesDirs();
+    for (const dir of globalDirs) {
+        // On Windows, npm creates .cmd shims in the parent of node_modules
+        const binDir = isWindows ? path_1.default.resolve(dir, '..') : path_1.default.join(dir, '.bin');
+        const extensions = isWindows ? ['.cmd', '.ps1', '.exe', ''] : [''];
+        for (const ext of extensions) {
+            const binPath = path_1.default.join(binDir, name + ext);
+            if (fs_1.default.existsSync(binPath) && !candidates.includes(binPath)) {
+                candidates.push(binPath);
+            }
+        }
+    }
+    // 3. Verify the binary is the one we expect
+    const expectedSubstring = VERSION_CHECKS[name];
+    for (const binPath of candidates) {
+        if (!expectedSubstring || verifyBinary(binPath, expectedSubstring)) {
+            return binPath;
+        }
+    }
+    if (candidates.length > 0) {
+        throw new Error(`Bamboo: Found "${name}" at ${candidates[0]}, but it is not the expected tool.\n` +
+            `Please install the correct version:\n\n` +
+            `  npm install -g ${pkgHint}\n`);
+    }
+    throw new Error(`Bamboo: Could not find "${name}" binary.\n` +
+        `Please install it globally first:\n\n` +
+        `  npm install -g ${pkgHint}\n`);
+}
+/**
+ * Use system command to find a binary in PATH.
+ *   - Windows: `where <name>` (may return multiple lines)
+ *   - macOS/Linux: `which <name>`
+ *
+ * Returns an array of resolved paths.
+ */
+function lookupFromPath(name) {
+    const results = [];
+    const cmd = isWindows ? `where ${name}` : `which ${name}`;
+    try {
+        const output = (0, child_process_1.execSync)(cmd, {
+            encoding: 'utf-8',
+            timeout: 5000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
+        if (!output)
+            return results;
+        // `where` on Windows can return multiple lines (one per match)
+        const lines = output.split(/\r?\n/).map(l => l.trim()).filter(Boolean);
+        for (const line of lines) {
+            if (fs_1.default.existsSync(line)) {
+                results.push(line);
+            }
+        }
+    }
+    catch {
+        // command not found or binary not in PATH
+    }
+    return results;
+}
+/**
+ * Run `<bin> --version` and check if the output contains the expected substring.
+ */
+function verifyBinary(binPath, expected) {
+    try {
+        // On Windows, .cmd/.ps1 shims need shell: true to execute
+        // On Windows, .cmd/.ps1 shims need shell mode to execute
+        const needsShell = isWindows && /\.(cmd|ps1)$/i.test(binPath);
+        const cmd = needsShell
+            ? `"${binPath}" --version`
+            : `"${binPath}" --version`;
+        const output = (0, child_process_1.execSync)(cmd, {
+            encoding: 'utf-8',
+            timeout: 5000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+            ...(needsShell ? { shell: 'cmd.exe' } : {}),
+        });
+        return output.includes(expected);
+    }
+    catch {
+        // --version failed; accept the binary anyway (some tools exit non-zero)
+        return true;
+    }
+}
+function getGlobalNodeModulesDirs() {
+    const dirs = [];
+    // npm global
+    try {
+        const npmRoot = (0, child_process_1.execSync)('npm root -g', {
+            encoding: 'utf-8',
+            timeout: 5000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
+        if (npmRoot)
+            dirs.push(npmRoot);
+    }
+    catch { /* ignore */ }
+    // pnpm global
+    try {
+        const pnpmRoot = (0, child_process_1.execSync)('pnpm root -g', {
+            encoding: 'utf-8',
+            timeout: 5000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
+        if (pnpmRoot)
+            dirs.push(pnpmRoot);
+    }
+    catch { /* ignore */ }
+    return dirs;
+}

package/package.json

@@ -0,0 +1,38 @@
+{
+    "name": "@bamboo-ai/core",
+    "version": "0.1.0",
+    "description": "Core logic for Bamboo CLI wrappers — SSO auth, config fetching, process management",
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "files": [
+        "dist"
+    ],
+    "license": "MIT",
+    "engines": {
+        "node": ">=20.0.0"
+    },
+    "keywords": [
+        "bamboo",
+        "claude-code",
+        "codex",
+        "ai",
+        "cli",
+        "auth"
+    ],
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/bamboo-ai/claude-code-router.git",
+        "directory": "packages/bamboo-core"
+    },
+    "scripts": {
+        "build": "tsc",
+        "clean": "rm -rf dist"
+    },
+    "dependencies": {
+        "axios": "^1.6.0"
+    },
+    "devDependencies": {
+        "@types/node": "^20.0.0",
+        "typescript": "^5.0.0"
+    }
+}