@bilalimamoglu/sift 0.1.0

package/dist/cli.js

@@ -0,0 +1,1346 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { createRequire } from "module";
+import { cac } from "cac";
+
+// src/config/load.ts
+import fs from "fs";
+import path2 from "path";
+import YAML from "yaml";
+
+// src/constants.ts
+import os from "os";
+import path from "path";
+var DEFAULT_CONFIG_FILENAME = "sift.config.yaml";
+var DEFAULT_CONFIG_SEARCH_PATHS = [
+  path.resolve(process.cwd(), "sift.config.yaml"),
+  path.resolve(process.cwd(), "sift.config.yml"),
+  path.join(os.homedir(), ".config", "sift", "config.yaml"),
+  path.join(os.homedir(), ".config", "sift", "config.yml")
+];
+var INSUFFICIENT_SIGNAL_TEXT = "Insufficient signal in the provided input.";
+var GENERIC_JSON_CONTRACT = '{"answer":string,"evidence":string[],"risks":string[]}';
+var CAPTURE_OMITTED_MARKER = "\n...[captured output omitted]...\n";
+
+// src/config/load.ts
+function findConfigPath(explicitPath) {
+  if (explicitPath) {
+    const resolved = path2.resolve(explicitPath);
+    if (!fs.existsSync(resolved)) {
+      throw new Error(`Config file not found: ${resolved}`);
+    }
+    return resolved;
+  }
+  for (const candidate of DEFAULT_CONFIG_SEARCH_PATHS) {
+    if (fs.existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  return null;
+}
+function loadRawConfig(explicitPath) {
+  const configPath = findConfigPath(explicitPath);
+  if (!configPath) {
+    return {};
+  }
+  const content = fs.readFileSync(configPath, "utf8");
+  return YAML.parse(content) ?? {};
+}
+
+// src/config/defaults.ts
+var defaultConfig = {
+  provider: {
+    provider: "openai-compatible",
+    model: "gpt-4.1-mini",
+    baseUrl: "https://api.openai.com/v1",
+    apiKey: "",
+    timeoutMs: 2e4,
+    temperature: 0.1,
+    maxOutputTokens: 220
+  },
+  input: {
+    stripAnsi: true,
+    redact: false,
+    redactStrict: false,
+    maxCaptureChars: 25e4,
+    maxInputChars: 2e4,
+    headChars: 6e3,
+    tailChars: 6e3
+  },
+  runtime: {
+    rawFallback: true,
+    verbose: false
+  },
+  presets: {
+    "test-status": {
+      question: "Did the tests pass? If not, list only the failing tests or suites.",
+      format: "bullets",
+      policy: "test-status"
+    },
+    "audit-critical": {
+      question: "Extract only high and critical vulnerabilities. Include package, severity, and a short remediation note.",
+      format: "json",
+      policy: "audit-critical",
+      outputContract: '{"status":"ok|insufficient","vulnerabilities":[{"package":string,"severity":"critical|high","remediation":string}],"summary":string}'
+    },
+    "diff-summary": {
+      question: "Summarize the code changes and mention any risky or high-impact areas.",
+      format: "json",
+      policy: "diff-summary",
+      outputContract: '{"status":"ok|insufficient","answer":string,"evidence":string[],"risks":string[]}'
+    },
+    "build-failure": {
+      question: "Identify the most likely root cause of the build failure and the first thing to fix.",
+      format: "brief",
+      policy: "build-failure"
+    },
+    "log-errors": {
+      question: "Extract only the most relevant errors or failure signals.",
+      format: "bullets",
+      policy: "log-errors"
+    },
+    "infra-risk": {
+      question: "Assess whether the infrastructure changes are risky and whether they look safe to apply.",
+      format: "verdict",
+      policy: "infra-risk"
+    }
+  }
+};
+
+// src/config/schema.ts
+import { z } from "zod";
+var providerNameSchema = z.enum(["openai-compatible"]);
+var outputFormatSchema = z.enum([
+  "brief",
+  "bullets",
+  "json",
+  "verdict"
+]);
+var responseModeSchema = z.enum(["text", "json"]);
+var promptPolicyNameSchema = z.enum([
+  "test-status",
+  "audit-critical",
+  "diff-summary",
+  "build-failure",
+  "log-errors",
+  "infra-risk"
+]);
+var providerConfigSchema = z.object({
+  provider: providerNameSchema,
+  model: z.string().min(1),
+  baseUrl: z.string().url(),
+  apiKey: z.string().optional(),
+  timeoutMs: z.number().int().positive(),
+  temperature: z.number().min(0).max(2),
+  maxOutputTokens: z.number().int().positive()
+});
+var inputConfigSchema = z.object({
+  stripAnsi: z.boolean(),
+  redact: z.boolean(),
+  redactStrict: z.boolean(),
+  maxCaptureChars: z.number().int().positive(),
+  maxInputChars: z.number().int().positive(),
+  headChars: z.number().int().positive(),
+  tailChars: z.number().int().positive()
+});
+var runtimeConfigSchema = z.object({
+  rawFallback: z.boolean(),
+  verbose: z.boolean()
+});
+var presetDefinitionSchema = z.object({
+  question: z.string().min(1),
+  format: outputFormatSchema,
+  policy: promptPolicyNameSchema.optional(),
+  outputContract: z.string().optional(),
+  fallbackJson: z.unknown().optional()
+});
+var siftConfigSchema = z.object({
+  provider: providerConfigSchema,
+  input: inputConfigSchema,
+  runtime: runtimeConfigSchema,
+  presets: z.record(presetDefinitionSchema)
+});
+
+// src/config/resolve.ts
+function isRecord(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function mergeDefined(base, override) {
+  if (!isRecord(override)) {
+    return base;
+  }
+  const result = isRecord(base) ? { ...base } : {};
+  for (const [key, value] of Object.entries(override)) {
+    if (value === void 0) {
+      continue;
+    }
+    const existing = result[key];
+    if (isRecord(existing) && isRecord(value)) {
+      result[key] = mergeDefined(existing, value);
+      continue;
+    }
+    result[key] = value;
+  }
+  return result;
+}
+function buildEnvOverrides(env) {
+  const overrides = {};
+  if (env.SIFT_PROVIDER || env.SIFT_MODEL || env.SIFT_BASE_URL || env.SIFT_API_KEY || env.SIFT_TIMEOUT_MS) {
+    overrides.provider = {
+      provider: env.SIFT_PROVIDER,
+      model: env.SIFT_MODEL,
+      baseUrl: env.SIFT_BASE_URL,
+      apiKey: env.SIFT_API_KEY,
+      timeoutMs: env.SIFT_TIMEOUT_MS ? Number(env.SIFT_TIMEOUT_MS) : void 0
+    };
+  }
+  if (env.SIFT_MAX_INPUT_CHARS || env.SIFT_MAX_CAPTURE_CHARS) {
+    overrides.input = {
+      maxCaptureChars: env.SIFT_MAX_CAPTURE_CHARS ? Number(env.SIFT_MAX_CAPTURE_CHARS) : void 0,
+      maxInputChars: env.SIFT_MAX_INPUT_CHARS ? Number(env.SIFT_MAX_INPUT_CHARS) : void 0
+    };
+  }
+  return overrides;
+}
+function resolveConfig(options = {}) {
+  const env = options.env ?? process.env;
+  const fileConfig = loadRawConfig(options.configPath);
+  const envConfig = buildEnvOverrides(env);
+  const merged = mergeDefined(
+    mergeDefined(mergeDefined(defaultConfig, fileConfig), envConfig),
+    options.cliOverrides ?? {}
+  );
+  return siftConfigSchema.parse(merged);
+}
+
+// src/config/write.ts
+import fs2 from "fs";
+import path3 from "path";
+import YAML2 from "yaml";
+function writeExampleConfig(targetPath) {
+  const resolved = path3.resolve(targetPath ?? DEFAULT_CONFIG_FILENAME);
+  if (fs2.existsSync(resolved)) {
+    throw new Error(`Config file already exists at ${resolved}`);
+  }
+  const yaml = YAML2.stringify(defaultConfig);
+  fs2.mkdirSync(path3.dirname(resolved), { recursive: true });
+  fs2.writeFileSync(resolved, yaml, "utf8");
+  return resolved;
+}
+
+// src/commands/config.ts
+var MASKED_SECRET = "***";
+function maskConfigSecrets(value) {
+  if (Array.isArray(value)) {
+    return value.map(maskConfigSecrets);
+  }
+  if (!value || typeof value !== "object") {
+    return value;
+  }
+  const output = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (key === "apiKey" && typeof entry === "string" && entry.length > 0) {
+      output[key] = MASKED_SECRET;
+      continue;
+    }
+    output[key] = maskConfigSecrets(entry);
+  }
+  return output;
+}
+function configInit(targetPath) {
+  const path4 = writeExampleConfig(targetPath);
+  process.stdout.write(`${path4}
+`);
+}
+function configShow(configPath, showSecrets = false) {
+  const config = resolveConfig({
+    configPath,
+    env: process.env
+  });
+  const printable = showSecrets ? config : maskConfigSecrets(config);
+  process.stdout.write(`${JSON.stringify(printable, null, 2)}
+`);
+}
+function configValidate(configPath) {
+  resolveConfig({
+    configPath,
+    env: process.env
+  });
+  const resolvedPath = findConfigPath(configPath);
+  process.stdout.write(
+    `Config is valid${resolvedPath ? ` (${resolvedPath})` : " (using defaults)"}.
+`
+  );
+}
+
+// src/commands/doctor.ts
+function runDoctor(config) {
+  const lines = [
+    "sift doctor",
+    `provider: ${config.provider.provider}`,
+    `model: ${config.provider.model}`,
+    `baseUrl: ${config.provider.baseUrl}`,
+    `apiKey: ${config.provider.apiKey ? "set" : "not set"}`,
+    `maxCaptureChars: ${config.input.maxCaptureChars}`,
+    `maxInputChars: ${config.input.maxInputChars}`,
+    `rawFallback: ${config.runtime.rawFallback}`
+  ];
+  process.stdout.write(`${lines.join("\n")}
+`);
+  const problems = [];
+  if (!config.provider.baseUrl) {
+    problems.push("Missing provider.baseUrl");
+  }
+  if (!config.provider.model) {
+    problems.push("Missing provider.model");
+  }
+  if (config.provider.provider === "openai-compatible" && !config.provider.apiKey) {
+    problems.push("Missing provider.apiKey");
+  }
+  if (problems.length > 0) {
+    process.stderr.write(`${problems.join("\n")}
+`);
+    return 1;
+  }
+  return 0;
+}
+
+// src/commands/presets.ts
+function listPresets(config) {
+  const names = Object.keys(config.presets).sort();
+  process.stdout.write(`${names.join("\n")}
+`);
+}
+function showPreset(config, name, includeInternal = false) {
+  const preset = config.presets[name];
+  if (!preset) {
+    throw new Error(`Unknown preset: ${name}`);
+  }
+  const output = includeInternal ? { name, ...preset } : {
+    name,
+    question: preset.question,
+    format: preset.format
+  };
+  process.stdout.write(`${JSON.stringify(output, null, 2)}
+`);
+}
+
+// src/core/exec.ts
+import { spawn } from "child_process";
+import { constants as osConstants } from "os";
+import pc2 from "picocolors";
+
+// src/core/run.ts
+import pc from "picocolors";
+
+// src/providers/openaiCompatible.ts
+function extractMessageText(payload) {
+  const content = payload?.choices?.[0]?.message?.content;
+  if (typeof content === "string") {
+    return content;
+  }
+  if (Array.isArray(content)) {
+    return content.map((item) => typeof item?.text === "string" ? item.text : "").join("").trim();
+  }
+  return "";
+}
+var OpenAICompatibleProvider = class {
+  name = "openai-compatible";
+  baseUrl;
+  apiKey;
+  constructor(options) {
+    this.baseUrl = options.baseUrl.replace(/\/$/, "");
+    this.apiKey = options.apiKey;
+  }
+  async generate(input) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), input.timeoutMs);
+    try {
+      const url = new URL("chat/completions", `${this.baseUrl}/`);
+      const response = await fetch(url, {
+        method: "POST",
+        signal: controller.signal,
+        headers: {
+          "content-type": "application/json",
+          ...this.apiKey ? { authorization: `Bearer ${this.apiKey}` } : {}
+        },
+        body: JSON.stringify({
+          model: input.model,
+          temperature: input.temperature,
+          max_tokens: input.maxOutputTokens,
+          messages: [
+            {
+              role: "system",
+              content: "You reduce noisy command output into compact answers for agents and automation."
+            },
+            {
+              role: "user",
+              content: input.prompt
+            }
+          ]
+        })
+      });
+      if (!response.ok) {
+        throw new Error(`Provider returned HTTP ${response.status}`);
+      }
+      const data = await response.json();
+      const text = extractMessageText(data);
+      if (!text.trim()) {
+        throw new Error("Provider returned an empty response");
+      }
+      return {
+        text,
+        usage: data?.usage ? {
+          inputTokens: data.usage.prompt_tokens,
+          outputTokens: data.usage.completion_tokens,
+          totalTokens: data.usage.total_tokens
+        } : void 0,
+        raw: data
+      };
+    } catch (error) {
+      if (error.name === "AbortError") {
+        throw new Error("Provider request timed out");
+      }
+      throw error;
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+};
+
+// src/providers/factory.ts
+function createProvider(config) {
+  if (config.provider.provider === "openai-compatible") {
+    return new OpenAICompatibleProvider({
+      baseUrl: config.provider.baseUrl,
+      apiKey: config.provider.apiKey
+    });
+  }
+  throw new Error(`Unsupported provider: ${config.provider.provider}`);
+}
+
+// src/prompts/formats.ts
+function getGenericFormatPolicy(format, outputContract) {
+  switch (format) {
+    case "brief":
+      return {
+        responseMode: "text",
+        taskRules: [
+          "Return 1 to 3 short sentences.",
+          `If the evidence is insufficient, reply exactly with: ${INSUFFICIENT_SIGNAL_TEXT}`
+        ]
+      };
+    case "bullets":
+      return {
+        responseMode: "text",
+        taskRules: [
+          "Return at most 5 short lines prefixed with '- '.",
+          `If the evidence is insufficient, reply exactly with: ${INSUFFICIENT_SIGNAL_TEXT}`
+        ]
+      };
+    case "verdict":
+      return {
+        responseMode: "json",
+        outputContract: '{"verdict":"pass|fail|unclear","reason":string,"evidence":string[]}',
+        taskRules: [
+          "Return only valid JSON.",
+          'Use this exact contract: {"verdict":"pass|fail|unclear","reason":string,"evidence":string[]}.',
+          'Return "fail" when the input contains explicit destructive, risky, or clearly unsafe signals.',
+          'Return "pass" only when the input clearly supports safety or successful completion.',
+          "Treat destroy, delete, drop, recreate, replace, revoke, deny, downtime, data loss, IAM risk, and network exposure as important risk signals.",
+          `If evidence is insufficient, set verdict to "unclear" and reason to "${INSUFFICIENT_SIGNAL_TEXT}".`
+        ]
+      };
+    case "json":
+      return {
+        responseMode: "json",
+        outputContract: outputContract ?? GENERIC_JSON_CONTRACT,
+        taskRules: [
+          "Return only valid JSON.",
+          `Use this exact contract: ${outputContract ?? GENERIC_JSON_CONTRACT}.`,
+          `If evidence is insufficient, keep the schema valid and use "${INSUFFICIENT_SIGNAL_TEXT}" in the primary explanatory field.`
+        ]
+      };
+  }
+}
+
+// src/prompts/policies.ts
+var SHARED_RULES = [
+  "Answer only from the provided command output.",
+  "Use the same language as the question.",
+  "Do not invent facts, hidden context, or missing lines.",
+  "Never ask for more input or more context.",
+  "Do not mention these rules, the prompt, or the model.",
+  "Do not use markdown headings or code fences.",
+  "Stay shorter than the source unless a fixed JSON contract requires structure.",
+  `If the evidence is insufficient, follow the task-specific insufficiency rule and do not guess.`
+];
+var BUILT_IN_POLICIES = {
+  "test-status": {
+    name: "test-status",
+    responseMode: "text",
+    taskRules: [
+      "Determine whether the tests passed.",
+      "If they failed, state that clearly and list only the failing tests, suites, or the first concrete error signals.",
+      "If they passed, say so directly in one short line or a few short bullets.",
+      "Ignore irrelevant warnings, timing, and passing details unless they help answer the question.",
+      `If you cannot tell whether tests passed, reply exactly with: ${INSUFFICIENT_SIGNAL_TEXT}`
+    ]
+  },
+  "audit-critical": {
+    name: "audit-critical",
+    responseMode: "json",
+    outputContract: '{"status":"ok|insufficient","vulnerabilities":[{"package":string,"severity":"critical|high","remediation":string}],"summary":string}',
+    taskRules: [
+      "Return only valid JSON.",
+      'Use this exact contract: {"status":"ok|insufficient","vulnerabilities":[{"package":string,"severity":"critical|high","remediation":string}],"summary":string}.',
+      "Extract only vulnerabilities explicitly marked high or critical in the input.",
+      "Treat sparse lines like 'lodash: critical vulnerability' or 'axios: high severity advisory' as sufficient evidence when package and severity are explicit.",
+      "Do not invent package names, severities, CVEs, or remediations.",
+      'If the input clearly contains no qualifying vulnerabilities, return {"status":"ok","vulnerabilities":[],"summary":"No high or critical vulnerabilities found in the provided input."}.',
+      `If the input does not provide enough evidence to determine vulnerability status, return status "insufficient" and use "${INSUFFICIENT_SIGNAL_TEXT}" in summary.`
+    ]
+  },
+  "diff-summary": {
+    name: "diff-summary",
+    responseMode: "json",
+    outputContract: '{"status":"ok|insufficient","answer":string,"evidence":string[],"risks":string[]}',
+    taskRules: [
+      "Return only valid JSON.",
+      'Use this exact contract: {"status":"ok|insufficient","answer":string,"evidence":string[],"risks":string[]}.',
+      "Summarize what changed at a high level, grounded only in the visible diff or output.",
+      "Evidence should cite the most important visible files, modules, resources, or actions.",
+      "Risks should include migrations, config changes, security changes, destructive actions, or unknown impact when visible.",
+      `If the change signal is incomplete, return status "insufficient" and use "${INSUFFICIENT_SIGNAL_TEXT}" in answer.`
+    ]
+  },
+  "build-failure": {
+    name: "build-failure",
+    responseMode: "text",
+    taskRules: [
+      "Identify the most likely root cause of the build failure.",
+      "Give the first concrete fix or next step in the same answer.",
+      "Keep the response to 1 or 2 short sentences.",
+      `If the root cause is not visible, reply exactly with: ${INSUFFICIENT_SIGNAL_TEXT}`
+    ]
+  },
+  "log-errors": {
+    name: "log-errors",
+    responseMode: "text",
+    taskRules: [
+      "Return at most 5 short bullet points.",
+      "Extract only the most relevant error or failure signals.",
+      "Prefer recurring or top-level errors over long stack traces.",
+      "Do not dump full traces unless a single trace line is the key signal.",
+      `If there is no clear error signal, reply exactly with: ${INSUFFICIENT_SIGNAL_TEXT}`
+    ]
+  },
+  "infra-risk": {
+    name: "infra-risk",
+    responseMode: "json",
+    outputContract: '{"verdict":"pass|fail|unclear","reason":string,"evidence":string[]}',
+    taskRules: [
+      "Return only valid JSON.",
+      'Use this exact contract: {"verdict":"pass|fail|unclear","reason":string,"evidence":string[]}.',
+      'Return "fail" when the input contains explicit destructive or clearly risky signals such as destroy, delete, drop, recreate, replace, revoke, deny, downtime, data loss, IAM risk, or network exposure.',
+      'Treat short plan summaries like "1 to destroy" or "resources to destroy" as enough evidence for "fail".',
+      'Return "pass" only when the input clearly shows no risky changes or explicitly safe behavior.',
+      'Return "unclear" when the input is incomplete, ambiguous, or does not show enough evidence to judge safety.',
+      "Evidence should contain the shortest concrete lines or phrases that justify the verdict."
+    ]
+  }
+};
+function resolvePromptPolicy(args) {
+  if (args.policyName) {
+    const policy = BUILT_IN_POLICIES[args.policyName];
+    return {
+      ...policy,
+      sharedRules: SHARED_RULES
+    };
+  }
+  const genericPolicy = getGenericFormatPolicy(args.format, args.outputContract);
+  return {
+    name: `generic-${args.format}`,
+    responseMode: genericPolicy.responseMode,
+    outputContract: genericPolicy.outputContract,
+    sharedRules: SHARED_RULES,
+    taskRules: genericPolicy.taskRules
+  };
+}
+
+// src/prompts/buildPrompt.ts
+function buildPrompt(args) {
+  const policy = resolvePromptPolicy({
+    format: args.format,
+    policyName: args.policyName,
+    outputContract: args.outputContract
+  });
+  const prompt = [
+    "You are Sift, a CLI output reduction assistant for downstream agents and automation.",
+    "Hard rules:",
+    ...policy.sharedRules.map((rule) => `- ${rule}`),
+    "",
+    `Task policy: ${policy.name}`,
+    ...policy.taskRules.map((rule) => `- ${rule}`),
+    ...policy.outputContract ? ["", `Output contract: ${policy.outputContract}`] : [],
+    "",
+    `Question: ${args.question}`,
+    "",
+    "Command output:",
+    '"""',
+    args.input,
+    '"""'
+  ].join("\n");
+  return {
+    prompt,
+    responseMode: policy.responseMode
+  };
+}
+
+// src/core/quality.ts
+var META_PATTERNS = [
+  /please provide/i,
+  /need more (?:input|context|information|details)/i,
+  /provided command output/i,
+  /based on the provided/i,
+  /as an ai/i,
+  /here(?:'s| is) (?:the )?(?:json|answer)/i,
+  /cannot determine without/i
+];
+function normalizeForComparison(input) {
+  return input.replace(/\r\n/g, "\n").replace(/\r/g, "\n").replace(/\s+/g, " ").trim();
+}
+function isRetriableReason(reason) {
+  return /timed out|http 408|http 409|http 425|http 429|http 5\d\d|network/i.test(
+    reason.toLowerCase()
+  );
+}
+function looksLikeRejectedModelOutput(args) {
+  const source = normalizeForComparison(args.source);
+  const candidate = normalizeForComparison(args.candidate);
+  if (!candidate) {
+    return true;
+  }
+  if (candidate === INSUFFICIENT_SIGNAL_TEXT) {
+    return false;
+  }
+  if (candidate.includes("```")) {
+    return true;
+  }
+  if (META_PATTERNS.some((pattern) => pattern.test(candidate))) {
+    return true;
+  }
+  if (args.responseMode === "json") {
+    const trimmed = args.candidate.trim();
+    if (!trimmed.startsWith("{") && !trimmed.startsWith("[")) {
+      return true;
+    }
+  }
+  if (source.length >= 800 && candidate.length > source.length * 0.8) {
+    return true;
+  }
+  if (source.length > 0 && source.length < 800 && candidate.length > source.length + 160) {
+    return true;
+  }
+  return false;
+}
+
+// src/core/fallback.ts
+var RAW_FALLBACK_SLICE = 1200;
+function buildStructuredError(reason) {
+  return {
+    status: "error",
+    reason,
+    retriable: isRetriableReason(reason)
+  };
+}
+function buildFallbackOutput(args) {
+  if (args.format === "verdict") {
+    return JSON.stringify(
+      {
+        ...buildStructuredError(args.reason),
+        verdict: "unclear",
+        reason: `Sift fallback: ${args.reason}`,
+        evidence: []
+      },
+      null,
+      2
+    );
+  }
+  if (args.format === "json") {
+    return JSON.stringify(buildStructuredError(args.reason), null, 2);
+  }
+  const prefix = `Sift fallback triggered (${args.reason}).`;
+  if (!args.rawFallback) {
+    return prefix;
+  }
+  return [prefix, "", args.rawInput.slice(-RAW_FALLBACK_SLICE)].join("\n");
+}
+
+// src/core/heuristics.ts
+var RISK_LINE_PATTERN = /(destroy|delete|drop|recreate|replace|revoke|deny|downtime|data loss|iam|network exposure)/i;
+var ZERO_DESTRUCTIVE_SUMMARY_PATTERN = /\b0\s+to\s+(destroy|delete|drop|recreate|replace|revoke)\b/i;
+var SAFE_LINE_PATTERN = /(no changes|up-to-date|up to date|no risky changes|safe to apply)/i;
+function collectEvidence(input, matcher, limit = 3) {
+  return input.split("\n").map((line) => line.trim()).filter((line) => line.length > 0 && matcher.test(line)).slice(0, limit);
+}
+function inferSeverity(token) {
+  return token.toLowerCase().includes("critical") ? "critical" : "high";
+}
+function inferPackage(line) {
+  const match = line.match(/^\s*([@a-z0-9._/-]+)\s*:/i);
+  return match?.[1] ?? null;
+}
+function inferRemediation(pkg2) {
+  return `Upgrade ${pkg2} to a patched version.`;
+}
+function auditCriticalHeuristic(input) {
+  const vulnerabilities = input.split("\n").map((line) => line.trim()).filter(Boolean).map((line) => {
+    if (!/\b(critical|high)\b/i.test(line)) {
+      return null;
+    }
+    const pkg2 = inferPackage(line);
+    if (!pkg2) {
+      return null;
+    }
+    return {
+      package: pkg2,
+      severity: inferSeverity(line),
+      remediation: inferRemediation(pkg2)
+    };
+  }).filter((item) => item !== null);
+  if (vulnerabilities.length === 0) {
+    return null;
+  }
+  const firstVulnerability = vulnerabilities[0];
+  return JSON.stringify(
+    {
+      status: "ok",
+      vulnerabilities,
+      summary: vulnerabilities.length === 1 ? `One ${firstVulnerability.severity} vulnerability found in ${firstVulnerability.package}.` : `${vulnerabilities.length} high or critical vulnerabilities found in the provided input.`
+    },
+    null,
+    2
+  );
+}
+function infraRiskHeuristic(input) {
+  const zeroDestructiveEvidence = input.split("\n").map((line) => line.trim()).filter((line) => line.length > 0 && ZERO_DESTRUCTIVE_SUMMARY_PATTERN.test(line)).slice(0, 3);
+  const riskEvidence = input.split("\n").map((line) => line.trim()).filter(
+    (line) => line.length > 0 && RISK_LINE_PATTERN.test(line) && !ZERO_DESTRUCTIVE_SUMMARY_PATTERN.test(line)
+  ).slice(0, 3);
+  if (riskEvidence.length > 0) {
+    return JSON.stringify(
+      {
+        verdict: "fail",
+        reason: "Destructive or clearly risky infrastructure change signals are present.",
+        evidence: riskEvidence
+      },
+      null,
+      2
+    );
+  }
+  if (zeroDestructiveEvidence.length > 0) {
+    return JSON.stringify(
+      {
+        verdict: "pass",
+        reason: "The provided input explicitly indicates zero destructive changes.",
+        evidence: zeroDestructiveEvidence
+      },
+      null,
+      2
+    );
+  }
+  const safeEvidence = collectEvidence(input, SAFE_LINE_PATTERN);
+  if (safeEvidence.length > 0) {
+    return JSON.stringify(
+      {
+        verdict: "pass",
+        reason: "The provided input explicitly indicates no risky infrastructure changes.",
+        evidence: safeEvidence
+      },
+      null,
+      2
+    );
+  }
+  return null;
+}
+function applyHeuristicPolicy(policyName, input) {
+  if (!policyName) {
+    return null;
+  }
+  if (policyName === "audit-critical") {
+    return auditCriticalHeuristic(input);
+  }
+  if (policyName === "infra-risk") {
+    return infraRiskHeuristic(input);
+  }
+  return null;
+}
+
+// src/core/redact.ts
+var BASE_PATTERNS = [
+  [/\bBearer\s+[A-Za-z0-9._-]+\b/gi, "Bearer ***"],
+  [/\bsk-[A-Za-z0-9_-]+\b/g, "sk-***"],
+  [/\b(api[_-]?key)\s*[:=]\s*([^\s]+)/gi, "$1=***"],
+  [/\b(token)\s*[:=]\s*([^\s]+)/gi, "$1=***"],
+  [/\b(password|passwd|pwd)\s*[:=]\s*([^\s]+)/gi, "$1=***"],
+  [/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi, "***@***"],
+  [/\beyJ[A-Za-z0-9._-]+\b/g, "***JWT***"]
+];
+var STRICT_PATTERNS = [
+  [/([?&](?:token|key|api_key|access_token)=)[^&\s]+/gi, "$1***"],
+  [/\b[0-9a-f]{32,}\b/gi, "***HEX***"]
+];
+function redactInput(input, options) {
+  let output = input;
+  for (const [pattern, replacement] of BASE_PATTERNS) {
+    output = output.replace(pattern, replacement);
+  }
+  if (options.strict) {
+    for (const [pattern, replacement] of STRICT_PATTERNS) {
+      output = output.replace(pattern, replacement);
+    }
+  }
+  return output;
+}
+
+// src/core/sanitize.ts
+import stripAnsi from "strip-ansi";
+function sanitizeInput(input, stripAnsiEnabled) {
+  let output = input;
+  if (stripAnsiEnabled) {
+    output = stripAnsi(output);
+  }
+  return output.replace(/\r\n/g, "\n").replace(/\r/g, "\n").replace(/\u0000/g, "").replace(/[ \t]+\n/g, "\n").replace(/\n{3,}/g, "\n\n").trim();
+}
+
+// src/core/truncate.ts
+var SIGNAL_PATTERN = /(error|fail|failed|exception|panic|fatal|critical|denied|timeout|traceback)/i;
+var OMITTED_MARKER = "\n...[middle content omitted]...\n";
+var SIGNAL_MARKER = "\n...[selected signal lines]...\n";
+function collectSignalLines(input) {
+  const deduped = /* @__PURE__ */ new Set();
+  for (const line of input.split("\n")) {
+    if (SIGNAL_PATTERN.test(line)) {
+      deduped.add(line.trimEnd());
+    }
+  }
+  return [...deduped].slice(0, 120);
+}
+function truncateInput(input, options) {
+  if (input.length <= options.maxInputChars) {
+    return { text: input, truncatedApplied: false };
+  }
+  let headLength = Math.min(options.headChars, input.length, options.maxInputChars);
+  let tailLength = Math.min(options.tailChars, input.length - headLength, options.maxInputChars);
+  const signalLines = collectSignalLines(input).join("\n");
+  while (headLength + tailLength + OMITTED_MARKER.length > options.maxInputChars) {
+    if (headLength >= tailLength && headLength > 0) {
+      headLength = Math.max(0, headLength - 250);
+    } else if (tailLength > 0) {
+      tailLength = Math.max(0, tailLength - 250);
+    } else {
+      break;
+    }
+  }
+  const head = input.slice(0, headLength);
+  const tail = input.slice(input.length - tailLength);
+  const signalBudget = options.maxInputChars - head.length - tail.length - OMITTED_MARKER.length - (signalLines ? SIGNAL_MARKER.length : 0);
+  const signalSnippet = signalBudget > 0 && signalLines ? signalLines.slice(0, signalBudget) : "";
+  const text = [head, OMITTED_MARKER, signalSnippet ? `${SIGNAL_MARKER}${signalSnippet}` : "", tail].join("").slice(0, options.maxInputChars);
+  return {
+    text,
+    truncatedApplied: true
+  };
+}
+
+// src/core/pipeline.ts
+function prepareInput(raw, config) {
+  const sanitized = sanitizeInput(raw, config.stripAnsi);
+  const redacted = config.redact || config.redactStrict ? redactInput(sanitized, { strict: config.redactStrict }) : sanitized;
+  const truncated = truncateInput(redacted, {
+    maxInputChars: config.maxInputChars,
+    headChars: config.headChars,
+    tailChars: config.tailChars
+  });
+  return {
+    raw,
+    sanitized,
+    redacted,
+    truncated: truncated.text,
+    meta: {
+      originalLength: raw.length,
+      finalLength: truncated.text.length,
+      redactionApplied: config.redact || config.redactStrict,
+      truncatedApplied: truncated.truncatedApplied
+    }
+  };
+}
+
+// src/core/run.ts
+function normalizeOutput(text, responseMode) {
+  if (responseMode !== "json") {
+    return text.trim();
+  }
+  try {
+    const parsed = JSON.parse(text);
+    return JSON.stringify(parsed, null, 2);
+  } catch {
+    throw new Error("Provider returned invalid JSON");
+  }
+}
+async function runSift(request) {
+  const prepared = prepareInput(request.stdin, request.config.input);
+  const { prompt, responseMode } = buildPrompt({
+    question: request.question,
+    format: request.format,
+    input: prepared.truncated,
+    policyName: request.policyName,
+    outputContract: request.outputContract
+  });
+  const provider = createProvider(request.config);
+  if (request.config.runtime.verbose) {
+    process.stderr.write(
+      `${pc.dim("sift")} provider=${provider.name} model=${request.config.provider.model} base_url=${request.config.provider.baseUrl} input_chars=${prepared.meta.finalLength}
+`
+    );
+  }
+  const heuristicOutput = applyHeuristicPolicy(
+    request.policyName,
+    prepared.truncated
+  );
+  if (heuristicOutput) {
+    if (request.config.runtime.verbose) {
+      process.stderr.write(`${pc.dim("sift")} heuristic=${request.policyName}
+`);
+    }
+    return heuristicOutput;
+  }
+  try {
+    const result = await provider.generate({
+      model: request.config.provider.model,
+      prompt,
+      temperature: request.config.provider.temperature,
+      maxOutputTokens: request.config.provider.maxOutputTokens,
+      timeoutMs: request.config.provider.timeoutMs,
+      responseMode
+    });
+    if (looksLikeRejectedModelOutput({
+      source: prepared.truncated,
+      candidate: result.text,
+      responseMode
+    })) {
+      throw new Error("Model output rejected by quality gate");
+    }
+    return normalizeOutput(result.text, responseMode);
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : "unknown_error";
+    return buildFallbackOutput({
+      format: request.format,
+      reason,
+      rawInput: prepared.truncated,
+      rawFallback: request.config.runtime.rawFallback,
+      jsonFallback: request.fallbackJson
+    });
+  }
+}
+
+// src/core/exec.ts
+var PROMPT_PATTERNS = [
+  /\[[^\]]*y\/n[^\]]*\]\s*$/i,
+  /\([^)]+y\/n[^)]*\)\s*$/i,
+  /continue\?\s*$/i,
+  /password:\s*$/i,
+  /passphrase:\s*$/i,
+  /otp:\s*$/i,
+  /enter choice:\s*$/i
+];
+var PROMPT_WINDOW_CHARS = 512;
+var BoundedCapture = class {
+  headBudget;
+  tailBudget;
+  maxChars;
+  full = "";
+  head = "";
+  tail = "";
+  overflowed = false;
+  totalChars = 0;
+  constructor(maxChars) {
+    this.maxChars = maxChars;
+    this.headBudget = Math.max(1, Math.floor(maxChars / 2));
+    this.tailBudget = Math.max(1, maxChars - this.headBudget);
+  }
+  push(chunk) {
+    this.totalChars += chunk.length;
+    if (!this.overflowed) {
+      this.full += chunk;
+      if (this.full.length <= this.maxChars) {
+        return;
+      }
+      this.overflowed = true;
+      this.head = this.full.slice(0, this.headBudget);
+      this.tail = this.full.slice(-this.tailBudget);
+      this.full = "";
+      return;
+    }
+    this.tail = `${this.tail}${chunk}`.slice(-this.tailBudget);
+  }
+  render() {
+    if (!this.overflowed) {
+      return this.full;
+    }
+    return `${this.head}${CAPTURE_OMITTED_MARKER}${this.tail}`;
+  }
+  getTotalChars() {
+    return this.totalChars;
+  }
+  wasTruncated() {
+    return this.overflowed;
+  }
+};
+function looksInteractivePrompt(windowText) {
+  return PROMPT_PATTERNS.some((pattern) => pattern.test(windowText));
+}
+function signalToExitCode(signal) {
+  if (!signal) {
+    return 1;
+  }
+  const signalNumber = osConstants.signals[signal];
+  if (typeof signalNumber !== "number") {
+    return 1;
+  }
+  return 128 + signalNumber;
+}
+function normalizeChildExitCode(status, signal) {
+  if (typeof status === "number") {
+    return status;
+  }
+  return signalToExitCode(signal);
+}
+function buildCommandPreview(request) {
+  if (request.shellCommand) {
+    return request.shellCommand;
+  }
+  return (request.command ?? []).join(" ");
+}
+async function runExec(request) {
+  const hasArgvCommand = Array.isArray(request.command) && request.command.length > 0;
+  const hasShellCommand = typeof request.shellCommand === "string";
+  if (hasArgvCommand === hasShellCommand) {
+    throw new Error("Provide either --shell <command> or -- <program> [args...].");
+  }
+  const shellPath = process.env.SHELL || "/bin/bash";
+  if (request.config.runtime.verbose) {
+    process.stderr.write(
+      `${pc2.dim("sift")} exec mode=${hasShellCommand ? "shell" : "argv"} command=${buildCommandPreview(request)}
+`
+    );
+  }
+  const capture = new BoundedCapture(request.config.input.maxCaptureChars);
+  let promptWindow = "";
+  let bypassed = false;
+  let childStatus = null;
+  let childSignal = null;
+  let childSpawnError = null;
+  const child = hasShellCommand ? spawn(shellPath, ["-lc", request.shellCommand], {
+    stdio: ["inherit", "pipe", "pipe"]
+  }) : spawn(request.command[0], request.command.slice(1), {
+    stdio: ["inherit", "pipe", "pipe"]
+  });
+  const handleChunk = (chunk) => {
+    const text = Buffer.isBuffer(chunk) ? chunk.toString("utf8") : String(chunk);
+    if (bypassed) {
+      process.stderr.write(text);
+      return;
+    }
+    capture.push(text);
+    promptWindow = `${promptWindow}${text}`.slice(-PROMPT_WINDOW_CHARS);
+    if (!looksInteractivePrompt(promptWindow)) {
+      return;
+    }
+    bypassed = true;
+    if (request.config.runtime.verbose) {
+      process.stderr.write(`${pc2.dim("sift")} bypass=interactive-prompt
+`);
+    }
+    process.stderr.write(capture.render());
+  };
+  child.stdout.on("data", handleChunk);
+  child.stderr.on("data", handleChunk);
+  await new Promise((resolve, reject) => {
+    child.on("error", (error) => {
+      childSpawnError = error;
+      reject(error);
+    });
+    child.on("close", (status, signal) => {
+      childStatus = status;
+      childSignal = signal;
+      resolve();
+    });
+  }).catch((error) => {
+    if (error instanceof Error) {
+      throw error;
+    }
+    throw new Error("Failed to start child process.");
+  });
+  if (childSpawnError) {
+    throw childSpawnError;
+  }
+  const exitCode = normalizeChildExitCode(childStatus, childSignal);
+  if (request.config.runtime.verbose) {
+    process.stderr.write(
+      `${pc2.dim("sift")} child_exit=${exitCode} captured_chars=${capture.getTotalChars()} capture_truncated=${capture.wasTruncated()}
+`
+    );
+  }
+  if (!bypassed) {
+    const output = await runSift({
+      ...request,
+      stdin: capture.render()
+    });
+    process.stdout.write(`${output}
+`);
+  }
+  return exitCode;
+}
+
+// src/core/stdin.ts
+async function readStdin() {
+  if (process.stdin.isTTY) {
+    throw new Error("No stdin detected. Pipe command output into sift.");
+  }
+  const chunks = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk)));
+  }
+  return Buffer.concat(chunks).toString("utf8");
+}
+
+// src/prompts/presets.ts
+function getPreset(config, name) {
+  const preset = config.presets[name];
+  if (!preset) {
+    throw new Error(`Unknown preset: ${name}`);
+  }
+  return preset;
+}
+
+// src/cli.ts
+var require2 = createRequire(import.meta.url);
+var pkg = require2("../package.json");
+var cli = cac("sift");
+function toNumber(value) {
+  if (value === void 0 || value === null || value === "") {
+    return void 0;
+  }
+  return Number(value);
+}
+function buildCliOverrides(options) {
+  const overrides = {};
+  if (options.provider !== void 0 || options.model !== void 0 || options.baseUrl !== void 0 || options.apiKey !== void 0 || options.timeoutMs !== void 0) {
+    overrides.provider = {
+      provider: options.provider,
+      model: options.model,
+      baseUrl: options.baseUrl,
+      apiKey: options.apiKey,
+      timeoutMs: toNumber(options.timeoutMs)
+    };
+  }
+  if (options.maxCaptureChars !== void 0 || options.maxInputChars !== void 0 || options.headChars !== void 0 || options.tailChars !== void 0 || options.redact !== void 0 || options.redactStrict !== void 0 || options.stripAnsi !== void 0) {
+    overrides.input = {
+      maxCaptureChars: toNumber(options.maxCaptureChars),
+      maxInputChars: toNumber(options.maxInputChars),
+      headChars: toNumber(options.headChars),
+      tailChars: toNumber(options.tailChars),
+      redact: options.redact,
+      redactStrict: options.redactStrict,
+      stripAnsi: options.stripAnsi
+    };
+  }
+  if (options.rawFallback !== void 0 || options.verbose !== void 0) {
+    overrides.runtime = {
+      rawFallback: options.rawFallback,
+      verbose: options.verbose
+    };
+  }
+  return overrides;
+}
+function applySharedOptions(command) {
+  return command.option("--provider <provider>", "Provider: openai-compatible").option("--model <model>", "Model name").option("--base-url <url>", "Provider base URL").option("--api-key <key>", "Provider API key").option("--timeout-ms <ms>", "Request timeout in milliseconds").option("--format <format>", "brief | bullets | json | verdict").option("--max-capture-chars <n>", "Maximum raw child output chars kept in memory").option("--max-input-chars <n>", "Maximum input chars sent to the model").option("--head-chars <n>", "Head chars to preserve during truncation").option("--tail-chars <n>", "Tail chars to preserve during truncation").option("--strip-ansi", "Force ANSI stripping").option("--redact", "Enable standard redaction").option("--redact-strict", "Enable strict redaction").option("--raw-fallback", "Enable raw fallback text output").option("--config <path>", "Path to config file").option("--verbose", "Enable verbose stderr logging");
+}
+async function executeRun(args) {
+  const config = resolveConfig({
+    configPath: args.options.config,
+    env: process.env,
+    cliOverrides: buildCliOverrides(args.options)
+  });
+  const stdin = await readStdin();
+  const output = await runSift({
+    question: args.question,
+    format: args.format,
+    stdin,
+    config,
+    policyName: args.policyName,
+    outputContract: args.outputContract,
+    fallbackJson: args.fallbackJson
+  });
+  process.stdout.write(`${output}
+`);
+}
+function extractExecCommand(options) {
+  const passthrough = Array.isArray(options["--"]) ? options["--"].map((value) => String(value)) : [];
+  const shellCommand = typeof options.shell === "string" && options.shell.trim().length > 0 ? options.shell : void 0;
+  if (shellCommand && passthrough.length > 0) {
+    throw new Error("Use either --shell <command> or -- <program> [args...], not both.");
+  }
+  if (!shellCommand && passthrough.length === 0) {
+    throw new Error("Missing command to execute.");
+  }
+  return {
+    command: passthrough.length > 0 ? passthrough : void 0,
+    shellCommand
+  };
+}
+async function executeExec(args) {
+  const config = resolveConfig({
+    configPath: args.options.config,
+    env: process.env,
+    cliOverrides: buildCliOverrides(args.options)
+  });
+  const command = extractExecCommand(args.options);
+  process.exitCode = await runExec({
+    question: args.question,
+    format: args.format,
+    config,
+    policyName: args.policyName,
+    outputContract: args.outputContract,
+    fallbackJson: args.fallbackJson,
+    ...command
+  });
+}
+applySharedOptions(
+  cli.command("preset <name>", "Run a named preset against piped CLI output")
+).action(async (name, options) => {
+  const config = resolveConfig({
+    configPath: options.config,
+    env: process.env,
+    cliOverrides: buildCliOverrides(options)
+  });
+  const preset = getPreset(config, name);
+  await executeRun({
+    question: preset.question,
+    format: options.format ?? preset.format,
+    policyName: options.format === void 0 || options.format === preset.format ? preset.policy : void 0,
+    options,
+    outputContract: preset.outputContract,
+    fallbackJson: preset.fallbackJson
+  });
+});
+applySharedOptions(
+  cli.command("exec [question]", "Run a command and reduce its output").allowUnknownOptions()
+).option("--shell <command>", "Execute a shell command string instead of argv mode").option("--preset <name>", "Run a named preset in exec mode").action(async (question, options) => {
+  if (question === "preset") {
+    throw new Error("Use 'sift exec --preset <name> -- <program> ...' instead.");
+  }
+  const presetName = typeof options.preset === "string" && options.preset.length > 0 ? options.preset : void 0;
+  if (presetName) {
+    if (question) {
+      throw new Error("Use either a freeform question or --preset <name>, not both.");
+    }
+    const preset = getPreset(
+      resolveConfig({
+        configPath: options.config,
+        env: process.env,
+        cliOverrides: buildCliOverrides(options)
+      }),
+      presetName
+    );
+    await executeExec({
+      question: preset.question,
+      format: options.format ?? preset.format,
+      policyName: options.format === void 0 || options.format === preset.format ? preset.policy : void 0,
+      options,
+      outputContract: preset.outputContract,
+      fallbackJson: preset.fallbackJson
+    });
+    return;
+  }
+  if (!question) {
+    throw new Error("Missing question or preset.");
+  }
+  const format = options.format ?? "brief";
+  await executeExec({
+    question,
+    format,
+    options
+  });
+});
+cli.command("config <action>", "Config commands: init | show | validate").option("--path <path>", "Target config path for init").option("--config <path>", "Path to config file").option("--show-secrets", "Show secret values in config show").action((action, options) => {
+  if (action === "init") {
+    configInit(options.path);
+    return;
+  }
+  if (action === "show") {
+    configShow(
+      options.config,
+      Boolean(options.showSecrets)
+    );
+    return;
+  }
+  if (action === "validate") {
+    configValidate(options.config);
+    return;
+  }
+  throw new Error(`Unknown config action: ${action}`);
+});
+cli.command("doctor", "Validate runtime configuration").option("--config <path>", "Path to config file").action((options) => {
+  const config = resolveConfig({
+    configPath: options.config,
+    env: process.env
+  });
+  process.exitCode = runDoctor(config);
+});
+cli.command("presets <action> [name]", "Preset commands: list | show").option("--config <path>", "Path to config file").option("--internal", "Show internal preset fields in presets show").action((action, name, options) => {
+  const config = resolveConfig({
+    configPath: options.config,
+    env: process.env
+  });
+  if (action === "list") {
+    listPresets(config);
+    return;
+  }
+  if (action === "show") {
+    if (!name) {
+      throw new Error("Missing preset name.");
+    }
+    showPreset(config, name, Boolean(options.internal));
+    return;
+  }
+  throw new Error(`Unknown presets action: ${action}`);
+});
+applySharedOptions(
+  cli.command("[question]", "Ask a freeform question about piped CLI output")
+).action(async (question, options) => {
+  if (!question) {
+    throw new Error("Missing question.");
+  }
+  const format = options.format ?? "brief";
+  await executeRun({
+    question,
+    format,
+    options
+  });
+});
+cli.help();
+cli.version(pkg.version);
+async function main() {
+  cli.parse(process.argv, { run: false });
+  await cli.runMatchedCommand();
+}
+main().catch((error) => {
+  const message = error instanceof Error ? error.message : "Unexpected error.";
+  process.stderr.write(`${message}
+`);
+  process.exitCode = 1;
+});