@bilalimamoglu/sift 0.2.0 → 0.2.1

package/README.md

@@ -1,38 +1,18 @@
 # sift
 
-`sift` is a small wrapper for agent workflows.
+`sift` is a small command-output reducer for agent workflows.
 
-Instead of giving a model the full output of `pytest`, `git diff`, `npm audit`, or `terraform plan`, you run the command through `sift`. `sift` captures the output, trims the noise, and returns a much smaller answer.
+Instead of feeding a model the full output of `pytest`, `git diff`, `npm audit`, `tsc --noEmit`, `eslint .`, or `terraform plan`, you run the command through `sift`. It captures the output, trims the noise, and returns a much smaller answer.
 
-That answer can be short text or structured JSON.
+Best fit:
+- non-interactive shell commands
+- agents that need short answers instead of full logs
+- CI checks where a command may succeed but still produce a blocking result
 
-## What it is
-
-- a command-output reducer for agents
-- best used with `sift exec ... -- <command>`
-- designed for non-interactive shell commands
-- compatible with OpenAI-style APIs
-
-## What it is not
-
-- not a native Codex tool
-- not an MCP server
-- not a replacement for raw shell output when exact logs matter
-- not meant for TUI or interactive password/confirmation flows
-
-## Why use it
-
-Large shell output is expensive and noisy.
-
-If an agent only needs to know:
-- did tests pass
-- what changed
-- are there critical vulnerabilities
-- is this infra plan risky
-
-then sending the full raw output to a large model is wasteful.
-
-`sift` keeps the shell command, but shrinks what the model has to read.
+Not a fit:
+- exact raw log inspection
+- TUI tools
+- password/confirmation prompts
 
 ## Installation
 
@@ -44,86 +24,84 @@ npm install -g @bilalimamoglu/sift
 
 ## One-time setup
 
-Set credentials once in your shell:
+For OpenAI-hosted models:
 
 ```bash
+export SIFT_PROVIDER=openai
 export SIFT_BASE_URL=https://api.openai.com/v1
-export SIFT_MODEL=gpt-4.1-mini
+export SIFT_MODEL=gpt-5-nano
 export OPENAI_API_KEY=your_openai_api_key
 ```
 
-Or write them to a config file:
+Or generate a config file:
 
 ```bash
 sift config init
 ```
 
-For the default OpenAI-compatible setup, `OPENAI_API_KEY` works directly. If you point `SIFT_BASE_URL` at a different compatible endpoint, use that provider's native key when `sift` recognizes the endpoint, or set the generic fallback env:
+If you use a different OpenAI-compatible endpoint, switch to `provider: openai-compatible` and use either the endpoint's native API key env var or the generic fallback:
 
 ```bash
 export SIFT_PROVIDER_API_KEY=your_provider_api_key
 ```
 
-`SIFT_PROVIDER_API_KEY` is the generic wrapper env for custom or self-hosted compatible endpoints. Today's `openai-compatible` mode stays generic and does not imply OpenAI ownership.
-
-Known native env fallbacks for recognized compatible endpoints:
-
-- `OPENAI_API_KEY` for `https://api.openai.com/v1`
-- `OPENROUTER_API_KEY` for `https://openrouter.ai/api/v1`
-- `TOGETHER_API_KEY` for `https://api.together.xyz/v1`
-- `GROQ_API_KEY` for `https://api.groq.com/openai/v1`
+Common compatible env fallbacks:
+- `OPENROUTER_API_KEY`
+- `TOGETHER_API_KEY`
+- `GROQ_API_KEY`
 
 ## Quick start
 
 ```bash
 sift exec "what changed?" -- git diff
 sift exec --preset test-status -- pytest
+sift exec --preset typecheck-summary -- tsc --noEmit
+sift exec --preset lint-failures -- eslint .
 sift exec --preset audit-critical -- npm audit
 sift exec --preset infra-risk -- terraform plan
+sift exec --preset audit-critical --fail-on -- npm audit
+sift exec --preset infra-risk --fail-on -- terraform plan
 ```
 
 ## Main workflow
 
-`sift exec` is the main path:
+`sift exec` is the default path:
 
 ```bash
 sift exec "did tests pass?" -- pytest
-sift exec "what changed?" -- git diff
-sift exec --preset infra-risk -- terraform plan
 sift exec --dry-run "what changed?" -- git diff
 ```
 
-What happens:
-
-1. `sift` runs the command.
-2. It captures `stdout` and `stderr`.
-3. It sanitizes, optionally redacts, and truncates the result.
-4. It sends the reduced input to a smaller model.
-5. It prints a short answer or JSON.
-6. It preserves the wrapped command's exit code.
+What it does:
+1. runs the command
+2. captures `stdout` and `stderr`
+3. sanitizes, optionally redacts, and truncates the output
+4. sends the reduced input to a smaller model
+5. prints a short answer or JSON
+6. preserves the wrapped command's exit code
 
 Use `--dry-run` to inspect the reduced input and prompt without calling the provider.
 
-## Pipe mode
+Use `--fail-on` when a built-in semantic preset should turn a technically successful command into a CI failure. Supported presets:
+- `infra-risk`
+- `audit-critical`
 
-If the output already exists in a pipeline, pipe mode still works:
+Pipe mode still works when output already exists:
 
 ```bash
 git diff 2>&1 | sift "what changed?"
 ```
 
-Use pipe mode when the command is already being produced elsewhere.
+## Built-in presets
 
-## Presets
-
-Built-in presets:
-
-- `test-status`
-- `audit-critical`
-- `diff-summary`
-- `build-failure`
-- `log-errors`
-- `infra-risk`
+- `test-status`: summarize test results
+- `typecheck-summary`: group blocking type errors by root cause
+- `lint-failures`: group repeated lint violations and highlight the files or rules that matter
+- `audit-critical`: extract only high and critical vulnerabilities
+- `infra-risk`: return a safety verdict for infra changes
+- `diff-summary`: summarize code changes and risks
+- `build-failure`: explain the most likely build failure
+- `log-errors`: extract the most relevant error signals
 
 Inspect them with:
 
@@ -134,182 +112,89 @@ sift presets show audit-critical
 
 ## Output modes
 
-- `brief`: short plain-text answer
-- `bullets`: short bullet list
-- `json`: structured JSON
-- `verdict`: `{ verdict, reason, evidence }`
-
-Some built-in presets also use local heuristics before calling a model. For example, `infra-risk` can mark obvious destructive plans as `fail` without sending the whole decision to the model.
-
-## JSON response format
-
-When `format` resolves to JSON, `sift` can ask the provider for native JSON output.
+- `brief`
+- `bullets`
+- `json`
+- `verdict`
 
-- `auto`: enable native JSON mode only for known-safe endpoints such as `https://api.openai.com/v1`
-- `on`: always send the native JSON response format request
-- `off`: never send it
-
-Example:
-
-```bash
-sift exec --format json --json-response-format on "summarize this" -- some-command
-```
+Built-in JSON and verdict flows return strict error objects on provider or model failure.
 
 ## Config
 
-Generate an example config:
+Useful commands:
 
 ```bash
 sift config init
+sift config show
+sift config validate
+sift doctor
 ```
 
-`sift config show` masks secret values by default. Use `sift config show --show-secrets` only when you explicitly need the raw values.
+`sift config show` masks secrets by default. Use `--show-secrets` only when you explicitly need raw values.
 
 Resolution order:
-
 1. CLI flags
 2. environment variables
 3. `sift.config.yaml` or `sift.config.yml`
 4. `~/.config/sift/config.yaml` or `~/.config/sift/config.yml`
 5. built-in defaults
 
-If you pass `--config <path>`, that path is treated strictly. Missing explicit config paths are errors; `sift` does not silently fall back to defaults in that case.
-
-Supported environment variables:
+If you pass `--config <path>`, that path is strict. Missing explicit config paths are errors.
 
-- `SIFT_PROVIDER`
-- `SIFT_MODEL`
-- `SIFT_BASE_URL`
-- `SIFT_PROVIDER_API_KEY`
-- `OPENAI_API_KEY` for `https://api.openai.com/v1`
-- `OPENROUTER_API_KEY` for `https://openrouter.ai/api/v1`
-- `TOGETHER_API_KEY` for `https://api.together.xyz/v1`
-- `GROQ_API_KEY` for `https://api.groq.com/openai/v1`
-- `SIFT_MAX_CAPTURE_CHARS`
-- `SIFT_TIMEOUT_MS`
-- `SIFT_MAX_INPUT_CHARS`
-
-Example config:
+Minimal example:
 
 ```yaml
 provider:
-  provider: openai-compatible
-  model: gpt-4.1-mini
+  provider: openai
+  model: gpt-5-nano
   baseUrl: https://api.openai.com/v1
   apiKey: YOUR_API_KEY
-  timeoutMs: 20000
-  temperature: 0.1
-  maxOutputTokens: 220
 
 input:
   stripAnsi: true
-  redact: true
-  redactStrict: false
-  maxCaptureChars: 250000
-  maxInputChars: 20000
-  headChars: 6000
-  tailChars: 6000
+  redact: false
+  maxCaptureChars: 400000
+  maxInputChars: 60000
 
 runtime:
   rawFallback: true
-  verbose: false
 ```
 
-## Commands
-
-```bash
-sift [question]
-sift preset <name>
-sift exec [question] -- <program> [args...]
-sift exec --preset <name> -- <program> [args...]
-sift exec [question] --shell "<command string>"
-sift exec --preset <name> --shell "<command string>"
-sift config init
-sift config show
-sift config validate
-sift doctor
-sift presets list
-sift presets show <name>
-```
-
-## Releasing
-
-`sift` uses a manual GitHub Actions release workflow with npm trusted publishing.
-
-Before the first release:
+## Agent usage
 
-1. configure npm trusted publishing for `@bilalimamoglu/sift`
-2. point it at `bilalimamoglu/sift`
-3. use the workflow filename `release.yml`
-4. set the GitHub Actions environment name to `release`
+For Claude Code, add a short rule to `CLAUDE.md`.
 
-For each release:
+For Codex, add the same rule to `~/.codex/AGENTS.md`.
 
-1. update `package.json` to the target version
-2. merge the final release commit to `main`
-3. open GitHub Actions and run the `release` workflow manually
-
-The workflow will:
-
-1. install dependencies
-2. typecheck, test, and build
-3. pack and smoke-test the tarball
-4. publish to npm
-5. create and push the `vX.Y.Z` tag
-6. create a GitHub Release
-
-`release.yml` uses OIDC trusted publishing, so it does not require an `NPM_TOKEN`.
-
-## Using it with Codex
-
-`sift` does not install itself into Codex. The normal setup is:
-
-1. put credentials in your shell environment or `sift.config.yaml`
-2. add a short rule to `~/.codex/AGENTS.md`
-
-That way Codex inherits credentials safely. It should not pass API keys inline on every command.
-
-Example:
-
-```md
-Prefer `sift exec` for non-interactive shell commands whose output will be read or summarized.
-Use pipe mode only when the output already exists from another pipeline.
-Do not use `sift` when exact raw output is required.
-Do not use `sift` for interactive or TUI workflows.
-```
-
-That gives the agent a simple habit:
-
-- run command through `sift exec` when a summary is enough
-- skip `sift` when exact output matters
+The important part is simple:
+- prefer `sift exec` for noisy shell commands
+- skip `sift` when exact raw output matters
+- keep credentials in your shell env or `sift.config.yaml`, never inline in prompts or agent instructions
 
 ## Safety and limits
 
-- Redaction is optional and regex-based.
-- Redaction is off by default. If command output may contain secrets, enable `--redact` or set it in config before sending output to a provider.
-- Built-in JSON and verdict flows return strict error objects on provider/model failure.
-- Retriable provider failures such as `429`, timeouts, and `5xx` responses are retried once before falling back.
-- `sift exec` detects simple prompt-like output such as `[y/N]` or `password:` and skips reduction instead of guessing.
-- Pipe mode does not preserve upstream shell pipeline failures; use `set -o pipefail` if you need that behavior.
-- `sift exec` mirrors the wrapped command's exit code.
-- `sift doctor` is a conservative local config check. For the default OpenAI-compatible path it requires `baseUrl`, `model`, and `apiKey`.
+- redaction is optional and regex-based
+- retriable provider failures such as `429`, timeouts, and `5xx` are retried once
+- `sift exec` detects simple prompt-like output such as `[y/N]` or `password:` and skips reduction
+- pipe mode does not preserve upstream shell pipeline failures; use `set -o pipefail` if you need that behavior
 
-## Current scope
+## Releasing
 
-`sift` is intentionally small.
+This repo uses a manual GitHub Actions release workflow with npm trusted publishing.
 
-Today it supports:
-- OpenAI-compatible providers
-- agent-first `exec` mode
-- pipe mode
-- presets
-- local redaction and truncation
-- strict JSON/verdict fallbacks
+Release flow:
+1. bump `package.json`
+2. merge to `main`
+3. run the `release` workflow manually
 
-It does not try to be a full agent platform.
+The workflow:
+1. installs dependencies
+2. runs typecheck, tests, and build
+3. packs and smoke-tests the tarball
+4. publishes to npm
+5. creates and pushes the `vX.Y.Z` tag
+6. creates a GitHub Release
 
 ## License
 
 MIT
-
-The top-level MIT license is the licensing surface for this repo. Per-file license headers are not required unless code is copied or adapted from another source that needs separate notice or attribution.

package/dist/cli.js

@@ -51,23 +51,23 @@ function loadRawConfig(explicitPath) {
 // src/config/defaults.ts
 var defaultConfig = {
   provider: {
-    provider: "openai-compatible",
-    model: "gpt-4.1-mini",
+    provider: "openai",
+    model: "gpt-5-nano",
     baseUrl: "https://api.openai.com/v1",
     apiKey: "",
     jsonResponseFormat: "auto",
     timeoutMs: 2e4,
     temperature: 0.1,
-    maxOutputTokens: 220
+    maxOutputTokens: 400
   },
   input: {
     stripAnsi: true,
     redact: false,
     redactStrict: false,
-    maxCaptureChars: 25e4,
-    maxInputChars: 2e4,
-    headChars: 6e3,
-    tailChars: 6e3
+    maxCaptureChars: 4e5,
+    maxInputChars: 6e4,
+    headChars: 2e4,
+    tailChars: 2e4
   },
   runtime: {
     rawFallback: true,
@@ -101,6 +101,16 @@ var defaultConfig = {
       format: "bullets",
       policy: "log-errors"
     },
+    "typecheck-summary": {
+      question: "Summarize the blocking typecheck failures. Group repeated errors by root cause and point to the first files or symbols to fix.",
+      format: "bullets",
+      policy: "typecheck-summary"
+    },
+    "lint-failures": {
+      question: "Summarize the blocking lint failures. Group repeated rules, highlight the top offending files, and call out only failures that matter for fixing the run.",
+      format: "bullets",
+      policy: "lint-failures"
+    },
     "infra-risk": {
       question: "Assess whether the infrastructure changes are risky and whether they look safe to apply.",
       format: "verdict",
@@ -141,18 +151,21 @@ function resolveCompatibleEnvName(baseUrl) {
   return match?.envName;
 }
 function resolveProviderApiKey(provider, baseUrl, env) {
-  if (env.SIFT_PROVIDER_API_KEY) {
-    return env.SIFT_PROVIDER_API_KEY;
-  }
   if (provider === "openai-compatible") {
+    if (env.SIFT_PROVIDER_API_KEY) {
+      return env.SIFT_PROVIDER_API_KEY;
+    }
     const envName2 = resolveCompatibleEnvName(baseUrl);
     return envName2 ? env[envName2] : void 0;
   }
   if (!provider) {
-    return void 0;
+    return env.SIFT_PROVIDER_API_KEY;
   }
   const envName = PROVIDER_API_KEY_ENV[provider];
-  return envName ? env[envName] : void 0;
+  if (envName && env[envName]) {
+    return env[envName];
+  }
+  return env.SIFT_PROVIDER_API_KEY;
 }
 function getProviderApiKeyEnvNames(provider, baseUrl) {
   const envNames = ["SIFT_PROVIDER_API_KEY"];
@@ -168,14 +181,14 @@ function getProviderApiKeyEnvNames(provider, baseUrl) {
   }
   const envName = PROVIDER_API_KEY_ENV[provider];
   if (envName) {
-    envNames.push(envName);
+    return [envName, ...envNames];
   }
   return envNames;
 }
 
 // src/config/schema.ts
 import { z } from "zod";
-var providerNameSchema = z.enum(["openai-compatible"]);
+var providerNameSchema = z.enum(["openai", "openai-compatible"]);
 var outputFormatSchema = z.enum([
   "brief",
   "bullets",
@@ -190,7 +203,9 @@ var promptPolicyNameSchema = z.enum([
   "diff-summary",
   "build-failure",
   "log-errors",
-  "infra-risk"
+  "infra-risk",
+  "typecheck-summary",
+  "lint-failures"
 ]);
 var providerConfigSchema = z.object({
   provider: providerNameSchema,
@@ -402,7 +417,7 @@ function runDoctor(config) {
   if (!config.provider.model) {
     problems.push("Missing provider.model");
   }
-  if (config.provider.provider === "openai-compatible" && !config.provider.apiKey) {
+  if ((config.provider.provider === "openai" || config.provider.provider === "openai-compatible") && !config.provider.apiKey) {
     problems.push("Missing provider.apiKey");
     problems.push(
       `Set one of: ${getProviderApiKeyEnvNames(
@@ -444,9 +459,150 @@ import { spawn } from "child_process";
 import { constants as osConstants } from "os";
 import pc2 from "picocolors";
 
+// src/core/gate.ts
+var FAIL_ON_SUPPORTED_PRESETS = /* @__PURE__ */ new Set(["infra-risk", "audit-critical"]);
+function parseJson(output) {
+  try {
+    return JSON.parse(output);
+  } catch {
+    return null;
+  }
+}
+function supportsFailOnPreset(presetName) {
+  return typeof presetName === "string" && FAIL_ON_SUPPORTED_PRESETS.has(presetName);
+}
+function assertSupportedFailOnPreset(presetName) {
+  if (!supportsFailOnPreset(presetName)) {
+    throw new Error(
+      "--fail-on is supported only for built-in presets: infra-risk, audit-critical."
+    );
+  }
+}
+function assertSupportedFailOnFormat(args) {
+  const expectedFormat = args.presetName === "infra-risk" ? "verdict" : "json";
+  if (args.format !== expectedFormat) {
+    throw new Error(
+      `--fail-on requires the default ${expectedFormat} format for preset ${args.presetName}.`
+    );
+  }
+}
+function evaluateGate(args) {
+  const parsed = parseJson(args.output);
+  if (!parsed || typeof parsed !== "object") {
+    return { shouldFail: false };
+  }
+  if (args.presetName === "infra-risk") {
+    return {
+      shouldFail: parsed["verdict"] === "fail"
+    };
+  }
+  if (args.presetName === "audit-critical") {
+    const status = parsed["status"];
+    const vulnerabilities = parsed["vulnerabilities"];
+    return {
+      shouldFail: status === "ok" && Array.isArray(vulnerabilities) && vulnerabilities.length > 0
+    };
+  }
+  return { shouldFail: false };
+}
+
 // src/core/run.ts
 import pc from "picocolors";
 
+// src/providers/systemInstruction.ts
+var REDUCTION_SYSTEM_INSTRUCTION = "You reduce noisy command output into compact answers for agents and automation.";
+
+// src/providers/openai.ts
+function usesNativeJsonResponseFormat(mode) {
+  return mode !== "off";
+}
+function extractResponseText(payload) {
+  if (typeof payload?.output_text === "string") {
+    return payload.output_text.trim();
+  }
+  if (!Array.isArray(payload?.output)) {
+    return "";
+  }
+  return payload.output.flatMap((item) => Array.isArray(item?.content) ? item.content : []).map((item) => item?.type === "output_text" ? item.text : "").filter((text) => typeof text === "string" && text.trim().length > 0).join("").trim();
+}
+async function buildOpenAIError(response) {
+  let detail = `Provider returned HTTP ${response.status}`;
+  try {
+    const data = await response.json();
+    const message = data?.error?.message;
+    if (typeof message === "string" && message.trim().length > 0) {
+      detail = `${detail}: ${message.trim()}`;
+    }
+  } catch {
+  }
+  return new Error(detail);
+}
+var OpenAIProvider = class {
+  name = "openai";
+  baseUrl;
+  apiKey;
+  constructor(options) {
+    this.baseUrl = options.baseUrl.replace(/\/$/, "");
+    this.apiKey = options.apiKey;
+  }
+  async generate(input) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), input.timeoutMs);
+    try {
+      const url = new URL("responses", `${this.baseUrl}/`);
+      const response = await fetch(url, {
+        method: "POST",
+        signal: controller.signal,
+        headers: {
+          "content-type": "application/json",
+          ...this.apiKey ? { authorization: `Bearer ${this.apiKey}` } : {}
+        },
+        body: JSON.stringify({
+          model: input.model,
+          instructions: REDUCTION_SYSTEM_INSTRUCTION,
+          input: input.prompt,
+          reasoning: {
+            effort: "minimal"
+          },
+          text: {
+            verbosity: "low",
+            ...input.responseMode === "json" && usesNativeJsonResponseFormat(input.jsonResponseFormat) ? {
+              format: {
+                type: "json_object"
+              }
+            } : {}
+          },
+          max_output_tokens: input.maxOutputTokens
+        })
+      });
+      if (!response.ok) {
+        throw await buildOpenAIError(response);
+      }
+      const data = await response.json();
+      const text = extractResponseText(data);
+      if (!text) {
+        throw new Error("Provider returned an empty response");
+      }
+      return {
+        text,
+        usage: data?.usage ? {
+          inputTokens: data.usage.input_tokens,
+          outputTokens: data.usage.output_tokens,
+          totalTokens: data.usage.total_tokens
+        } : void 0,
+        raw: data
+      };
+    } catch (error) {
+      if (error.name === "AbortError") {
+        throw new Error("Provider request timed out");
+      }
+      throw error;
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+};
+
 // src/providers/openaiCompatible.ts
 function supportsNativeJsonResponseFormat(baseUrl, mode) {
   if (mode === "off") {
@@ -467,6 +623,18 @@ function extractMessageText(payload) {
   }
   return "";
 }
+async function buildOpenAICompatibleError(response) {
+  let detail = `Provider returned HTTP ${response.status}`;
+  try {
+    const data = await response.json();
+    const message = data?.error?.message;
+    if (typeof message === "string" && message.trim().length > 0) {
+      detail = `${detail}: ${message.trim()}`;
+    }
+  } catch {
+  }
+  return new Error(detail);
+}
 var OpenAICompatibleProvider = class {
   name = "openai-compatible";
   baseUrl;
@@ -495,7 +663,7 @@ var OpenAICompatibleProvider = class {
           messages: [
             {
               role: "system",
-              content: "You reduce noisy command output into compact answers for agents and automation."
+              content: REDUCTION_SYSTEM_INSTRUCTION
             },
             {
               role: "user",
@@ -505,7 +673,7 @@ var OpenAICompatibleProvider = class {
         })
       });
       if (!response.ok) {
-        throw new Error(`Provider returned HTTP ${response.status}`);
+        throw await buildOpenAICompatibleError(response);
       }
       const data = await response.json();
       const text = extractMessageText(data);
@@ -534,6 +702,12 @@ var OpenAICompatibleProvider = class {
 
 // src/providers/factory.ts
 function createProvider(config) {
+  if (config.provider.provider === "openai") {
+    return new OpenAIProvider({
+      baseUrl: config.provider.baseUrl,
+      apiKey: config.provider.apiKey
+    });
+  }
   if (config.provider.provider === "openai-compatible") {
     return new OpenAICompatibleProvider({
       baseUrl: config.provider.baseUrl,
@@ -659,6 +833,33 @@ var BUILT_IN_POLICIES = {
       `If there is no clear error signal, reply exactly with: ${INSUFFICIENT_SIGNAL_TEXT}`
     ]
   },
+  "typecheck-summary": {
+    name: "typecheck-summary",
+    responseMode: "text",
+    taskRules: [
+      "Return at most 5 short bullet points.",
+      "Determine whether the typecheck failed or passed.",
+      "Group repeated diagnostics into root-cause buckets instead of echoing many duplicate lines.",
+      "Mention the first concrete files, symbols, or error categories to fix when they are visible.",
+      "Prefer compiler or type-system errors over timing, progress, or summary noise.",
+      "If the output clearly indicates success, say that briefly and do not add extra bullets.",
+      `If you cannot tell whether the typecheck failed, reply exactly with: ${INSUFFICIENT_SIGNAL_TEXT}`
+    ]
+  },
+  "lint-failures": {
+    name: "lint-failures",
+    responseMode: "text",
+    taskRules: [
+      "Return at most 5 short bullet points.",
+      "Determine whether lint failed or whether there are no blocking lint failures.",
+      "Group repeated rule violations instead of listing the same rule many times.",
+      "Mention the top offending files and rule names when they are visible.",
+      "Distinguish blocking failures from warnings only when that distinction is clearly visible in the input.",
+      "Do not invent autofixability; only mention autofix or --fix support when the tool output explicitly says so.",
+      "If the output clearly indicates success or no blocking failures, say that briefly and stop.",
+      `If there is not enough evidence to determine the lint result, reply exactly with: ${INSUFFICIENT_SIGNAL_TEXT}`
+    ]
+  },
   "infra-risk": {
     name: "infra-risk",
     responseMode: "json",
@@ -1305,6 +1506,12 @@ async function runExec(request) {
     });
     process.stdout.write(`${output}
 `);
+    if (request.failOn && !request.dryRun && exitCode === 0 && supportsFailOnPreset(request.presetName) && evaluateGate({
+      presetName: request.presetName,
+      output
+    }).shouldFail) {
+      return 1;
+    }
   }
   return exitCode;
 }
@@ -1372,15 +1579,25 @@ function buildCliOverrides(options) {
   return overrides;
 }
 function applySharedOptions(command) {
-  return command.option("--provider <provider>", "Provider: openai-compatible").option("--model <model>", "Model name").option("--base-url <url>", "Provider base URL").option(
+  return command.option("--provider <provider>", "Provider: openai | openai-compatible").option("--model <model>", "Model name").option("--base-url <url>", "Provider base URL").option(
     "--api-key <key>",
-    "Provider API key (or set SIFT_PROVIDER_API_KEY; OPENAI_API_KEY also works for api.openai.com)"
+    "Provider API key (or set OPENAI_API_KEY for provider=openai; use SIFT_PROVIDER_API_KEY or endpoint-native envs for openai-compatible)"
   ).option(
     "--json-response-format <mode>",
     "JSON response format mode: auto | on | off"
-  ).option("--timeout-ms <ms>", "Request timeout in milliseconds").option("--format <format>", "brief | bullets | json | verdict").option("--max-capture-chars <n>", "Maximum raw child output chars kept in memory").option("--max-input-chars <n>", "Maximum input chars sent to the model").option("--head-chars <n>", "Head chars to preserve during truncation").option("--tail-chars <n>", "Tail chars to preserve during truncation").option("--strip-ansi", "Force ANSI stripping").option("--redact", "Enable standard redaction").option("--redact-strict", "Enable strict redaction").option("--raw-fallback", "Enable raw fallback text output").option("--dry-run", "Show the reduced input and prompt without calling the provider").option("--config <path>", "Path to config file").option("--verbose", "Enable verbose stderr logging");
+  ).option("--timeout-ms <ms>", "Request timeout in milliseconds").option("--format <format>", "brief | bullets | json | verdict").option("--max-capture-chars <n>", "Maximum raw child output chars kept in memory").option("--max-input-chars <n>", "Maximum input chars sent to the model").option("--head-chars <n>", "Head chars to preserve during truncation").option("--tail-chars <n>", "Tail chars to preserve during truncation").option("--strip-ansi", "Force ANSI stripping").option("--redact", "Enable standard redaction").option("--redact-strict", "Enable strict redaction").option("--raw-fallback", "Enable raw fallback text output").option("--dry-run", "Show the reduced input and prompt without calling the provider").option(
+    "--fail-on",
+    "Fail with exit code 1 when a supported built-in preset produces a blocking result"
+  ).option("--config <path>", "Path to config file").option("--verbose", "Enable verbose stderr logging");
 }
 async function executeRun(args) {
+  if (Boolean(args.options.failOn)) {
+    assertSupportedFailOnPreset(args.presetName);
+    assertSupportedFailOnFormat({
+      presetName: args.presetName,
+      format: args.format
+    });
+  }
   const config = resolveConfig({
     configPath: args.options.config,
     env: process.env,
@@ -1393,12 +1610,19 @@ async function executeRun(args) {
     stdin,
     config,
     dryRun: Boolean(args.options.dryRun),
+    presetName: args.presetName,
     policyName: args.policyName,
     outputContract: args.outputContract,
     fallbackJson: args.fallbackJson
   });
   process.stdout.write(`${output}
 `);
+  if (Boolean(args.options.failOn) && !Boolean(args.options.dryRun) && args.presetName && evaluateGate({
+    presetName: args.presetName,
+    output
+  }).shouldFail) {
+    process.exitCode = 1;
+  }
 }
 function extractExecCommand(options) {
   const passthrough = Array.isArray(options["--"]) ? options["--"].map((value) => String(value)) : [];
@@ -1415,6 +1639,13 @@ function extractExecCommand(options) {
   };
 }
 async function executeExec(args) {
+  if (Boolean(args.options.failOn)) {
+    assertSupportedFailOnPreset(args.presetName);
+    assertSupportedFailOnFormat({
+      presetName: args.presetName,
+      format: args.format
+    });
+  }
   const config = resolveConfig({
     configPath: args.options.config,
     env: process.env,
@@ -1426,6 +1657,8 @@ async function executeExec(args) {
     format: args.format,
     config,
     dryRun: Boolean(args.options.dryRun),
+    failOn: Boolean(args.options.failOn),
+    presetName: args.presetName,
     policyName: args.policyName,
     outputContract: args.outputContract,
     fallbackJson: args.fallbackJson,
@@ -1444,6 +1677,7 @@ applySharedOptions(
   await executeRun({
     question: preset.question,
     format: options.format ?? preset.format,
+    presetName: name,
     policyName: options.format === void 0 || options.format === preset.format ? preset.policy : void 0,
     options,
     outputContract: preset.outputContract,
@@ -1472,6 +1706,7 @@ applySharedOptions(
     await executeExec({
       question: preset.question,
       format: options.format ?? preset.format,
+      presetName,
       policyName: options.format === void 0 || options.format === preset.format ? preset.policy : void 0,
       options,
       outputContract: preset.outputContract,

package/dist/index.d.ts

@@ -1,8 +1,8 @@
-type ProviderName = "openai-compatible";
+type ProviderName = "openai" | "openai-compatible";
 type OutputFormat = "brief" | "bullets" | "json" | "verdict";
 type ResponseMode = "text" | "json";
 type JsonResponseFormatMode = "auto" | "on" | "off";
-type PromptPolicyName = "test-status" | "audit-critical" | "diff-summary" | "build-failure" | "log-errors" | "infra-risk";
+type PromptPolicyName = "test-status" | "audit-critical" | "diff-summary" | "build-failure" | "log-errors" | "infra-risk" | "typecheck-summary" | "lint-failures";
 interface ProviderConfig {
     provider: ProviderName;
     model: string;
@@ -70,6 +70,7 @@ interface RunRequest {
     stdin: string;
     config: SiftConfig;
     dryRun?: boolean;
+    presetName?: string;
     policyName?: PromptPolicyName;
     outputContract?: string;
     fallbackJson?: unknown;
@@ -89,6 +90,7 @@ interface PreparedInput {
 
 interface ExecRequest extends Omit<RunRequest, "stdin"> {
     command?: string[];
+    failOn?: boolean;
     shellCommand?: string;
 }
 declare function runExec(request: ExecRequest): Promise<number>;

package/dist/index.js

@@ -16,9 +16,135 @@ var INSUFFICIENT_SIGNAL_TEXT = "Insufficient signal in the provided input.";
 var GENERIC_JSON_CONTRACT = '{"answer":string,"evidence":string[],"risks":string[]}';
 var CAPTURE_OMITTED_MARKER = "\n...[captured output omitted]...\n";
 
+// src/core/gate.ts
+var FAIL_ON_SUPPORTED_PRESETS = /* @__PURE__ */ new Set(["infra-risk", "audit-critical"]);
+function parseJson(output) {
+  try {
+    return JSON.parse(output);
+  } catch {
+    return null;
+  }
+}
+function supportsFailOnPreset(presetName) {
+  return typeof presetName === "string" && FAIL_ON_SUPPORTED_PRESETS.has(presetName);
+}
+function evaluateGate(args) {
+  const parsed = parseJson(args.output);
+  if (!parsed || typeof parsed !== "object") {
+    return { shouldFail: false };
+  }
+  if (args.presetName === "infra-risk") {
+    return {
+      shouldFail: parsed["verdict"] === "fail"
+    };
+  }
+  if (args.presetName === "audit-critical") {
+    const status = parsed["status"];
+    const vulnerabilities = parsed["vulnerabilities"];
+    return {
+      shouldFail: status === "ok" && Array.isArray(vulnerabilities) && vulnerabilities.length > 0
+    };
+  }
+  return { shouldFail: false };
+}
+
 // src/core/run.ts
 import pc from "picocolors";
 
+// src/providers/systemInstruction.ts
+var REDUCTION_SYSTEM_INSTRUCTION = "You reduce noisy command output into compact answers for agents and automation.";
+
+// src/providers/openai.ts
+function usesNativeJsonResponseFormat(mode) {
+  return mode !== "off";
+}
+function extractResponseText(payload) {
+  if (typeof payload?.output_text === "string") {
+    return payload.output_text.trim();
+  }
+  if (!Array.isArray(payload?.output)) {
+    return "";
+  }
+  return payload.output.flatMap((item) => Array.isArray(item?.content) ? item.content : []).map((item) => item?.type === "output_text" ? item.text : "").filter((text) => typeof text === "string" && text.trim().length > 0).join("").trim();
+}
+async function buildOpenAIError(response) {
+  let detail = `Provider returned HTTP ${response.status}`;
+  try {
+    const data = await response.json();
+    const message = data?.error?.message;
+    if (typeof message === "string" && message.trim().length > 0) {
+      detail = `${detail}: ${message.trim()}`;
+    }
+  } catch {
+  }
+  return new Error(detail);
+}
+var OpenAIProvider = class {
+  name = "openai";
+  baseUrl;
+  apiKey;
+  constructor(options) {
+    this.baseUrl = options.baseUrl.replace(/\/$/, "");
+    this.apiKey = options.apiKey;
+  }
+  async generate(input) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), input.timeoutMs);
+    try {
+      const url = new URL("responses", `${this.baseUrl}/`);
+      const response = await fetch(url, {
+        method: "POST",
+        signal: controller.signal,
+        headers: {
+          "content-type": "application/json",
+          ...this.apiKey ? { authorization: `Bearer ${this.apiKey}` } : {}
+        },
+        body: JSON.stringify({
+          model: input.model,
+          instructions: REDUCTION_SYSTEM_INSTRUCTION,
+          input: input.prompt,
+          reasoning: {
+            effort: "minimal"
+          },
+          text: {
+            verbosity: "low",
+            ...input.responseMode === "json" && usesNativeJsonResponseFormat(input.jsonResponseFormat) ? {
+              format: {
+                type: "json_object"
+              }
+            } : {}
+          },
+          max_output_tokens: input.maxOutputTokens
+        })
+      });
+      if (!response.ok) {
+        throw await buildOpenAIError(response);
+      }
+      const data = await response.json();
+      const text = extractResponseText(data);
+      if (!text) {
+        throw new Error("Provider returned an empty response");
+      }
+      return {
+        text,
+        usage: data?.usage ? {
+          inputTokens: data.usage.input_tokens,
+          outputTokens: data.usage.output_tokens,
+          totalTokens: data.usage.total_tokens
+        } : void 0,
+        raw: data
+      };
+    } catch (error) {
+      if (error.name === "AbortError") {
+        throw new Error("Provider request timed out");
+      }
+      throw error;
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+};
+
 // src/providers/openaiCompatible.ts
 function supportsNativeJsonResponseFormat(baseUrl, mode) {
   if (mode === "off") {
@@ -39,6 +165,18 @@ function extractMessageText(payload) {
   }
   return "";
 }
+async function buildOpenAICompatibleError(response) {
+  let detail = `Provider returned HTTP ${response.status}`;
+  try {
+    const data = await response.json();
+    const message = data?.error?.message;
+    if (typeof message === "string" && message.trim().length > 0) {
+      detail = `${detail}: ${message.trim()}`;
+    }
+  } catch {
+  }
+  return new Error(detail);
+}
 var OpenAICompatibleProvider = class {
   name = "openai-compatible";
   baseUrl;
@@ -67,7 +205,7 @@ var OpenAICompatibleProvider = class {
           messages: [
             {
               role: "system",
-              content: "You reduce noisy command output into compact answers for agents and automation."
+              content: REDUCTION_SYSTEM_INSTRUCTION
             },
             {
               role: "user",
@@ -77,7 +215,7 @@ var OpenAICompatibleProvider = class {
         })
       });
       if (!response.ok) {
-        throw new Error(`Provider returned HTTP ${response.status}`);
+        throw await buildOpenAICompatibleError(response);
       }
       const data = await response.json();
       const text = extractMessageText(data);
@@ -106,6 +244,12 @@ var OpenAICompatibleProvider = class {
 
 // src/providers/factory.ts
 function createProvider(config) {
+  if (config.provider.provider === "openai") {
+    return new OpenAIProvider({
+      baseUrl: config.provider.baseUrl,
+      apiKey: config.provider.apiKey
+    });
+  }
   if (config.provider.provider === "openai-compatible") {
     return new OpenAICompatibleProvider({
       baseUrl: config.provider.baseUrl,
@@ -231,6 +375,33 @@ var BUILT_IN_POLICIES = {
       `If there is no clear error signal, reply exactly with: ${INSUFFICIENT_SIGNAL_TEXT}`
     ]
   },
+  "typecheck-summary": {
+    name: "typecheck-summary",
+    responseMode: "text",
+    taskRules: [
+      "Return at most 5 short bullet points.",
+      "Determine whether the typecheck failed or passed.",
+      "Group repeated diagnostics into root-cause buckets instead of echoing many duplicate lines.",
+      "Mention the first concrete files, symbols, or error categories to fix when they are visible.",
+      "Prefer compiler or type-system errors over timing, progress, or summary noise.",
+      "If the output clearly indicates success, say that briefly and do not add extra bullets.",
+      `If you cannot tell whether the typecheck failed, reply exactly with: ${INSUFFICIENT_SIGNAL_TEXT}`
+    ]
+  },
+  "lint-failures": {
+    name: "lint-failures",
+    responseMode: "text",
+    taskRules: [
+      "Return at most 5 short bullet points.",
+      "Determine whether lint failed or whether there are no blocking lint failures.",
+      "Group repeated rule violations instead of listing the same rule many times.",
+      "Mention the top offending files and rule names when they are visible.",
+      "Distinguish blocking failures from warnings only when that distinction is clearly visible in the input.",
+      "Do not invent autofixability; only mention autofix or --fix support when the tool output explicitly says so.",
+      "If the output clearly indicates success or no blocking failures, say that briefly and stop.",
+      `If there is not enough evidence to determine the lint result, reply exactly with: ${INSUFFICIENT_SIGNAL_TEXT}`
+    ]
+  },
   "infra-risk": {
     name: "infra-risk",
     responseMode: "json",
@@ -877,6 +1048,12 @@ async function runExec(request) {
     });
     process.stdout.write(`${output}
 `);
+    if (request.failOn && !request.dryRun && exitCode === 0 && supportsFailOnPreset(request.presetName) && evaluateGate({
+      presetName: request.presetName,
+      output
+    }).shouldFail) {
+      return 1;
+    }
   }
   return exitCode;
 }
@@ -884,23 +1061,23 @@ async function runExec(request) {
 // src/config/defaults.ts
 var defaultConfig = {
   provider: {
-    provider: "openai-compatible",
-    model: "gpt-4.1-mini",
+    provider: "openai",
+    model: "gpt-5-nano",
     baseUrl: "https://api.openai.com/v1",
     apiKey: "",
     jsonResponseFormat: "auto",
     timeoutMs: 2e4,
     temperature: 0.1,
-    maxOutputTokens: 220
+    maxOutputTokens: 400
   },
   input: {
     stripAnsi: true,
     redact: false,
     redactStrict: false,
-    maxCaptureChars: 25e4,
-    maxInputChars: 2e4,
-    headChars: 6e3,
-    tailChars: 6e3
+    maxCaptureChars: 4e5,
+    maxInputChars: 6e4,
+    headChars: 2e4,
+    tailChars: 2e4
   },
   runtime: {
     rawFallback: true,
@@ -934,6 +1111,16 @@ var defaultConfig = {
       format: "bullets",
       policy: "log-errors"
     },
+    "typecheck-summary": {
+      question: "Summarize the blocking typecheck failures. Group repeated errors by root cause and point to the first files or symbols to fix.",
+      format: "bullets",
+      policy: "typecheck-summary"
+    },
+    "lint-failures": {
+      question: "Summarize the blocking lint failures. Group repeated rules, highlight the top offending files, and call out only failures that matter for fixing the run.",
+      format: "bullets",
+      policy: "lint-failures"
+    },
     "infra-risk": {
       question: "Assess whether the infrastructure changes are risky and whether they look safe to apply.",
       format: "verdict",
@@ -1002,23 +1189,26 @@ function resolveCompatibleEnvName(baseUrl) {
   return match?.envName;
 }
 function resolveProviderApiKey(provider, baseUrl, env) {
-  if (env.SIFT_PROVIDER_API_KEY) {
-    return env.SIFT_PROVIDER_API_KEY;
-  }
   if (provider === "openai-compatible") {
+    if (env.SIFT_PROVIDER_API_KEY) {
+      return env.SIFT_PROVIDER_API_KEY;
+    }
     const envName2 = resolveCompatibleEnvName(baseUrl);
     return envName2 ? env[envName2] : void 0;
   }
   if (!provider) {
-    return void 0;
+    return env.SIFT_PROVIDER_API_KEY;
   }
   const envName = PROVIDER_API_KEY_ENV[provider];
-  return envName ? env[envName] : void 0;
+  if (envName && env[envName]) {
+    return env[envName];
+  }
+  return env.SIFT_PROVIDER_API_KEY;
 }
 
 // src/config/schema.ts
 import { z } from "zod";
-var providerNameSchema = z.enum(["openai-compatible"]);
+var providerNameSchema = z.enum(["openai", "openai-compatible"]);
 var outputFormatSchema = z.enum([
   "brief",
   "bullets",
@@ -1033,7 +1223,9 @@ var promptPolicyNameSchema = z.enum([
   "diff-summary",
   "build-failure",
   "log-errors",
-  "infra-risk"
+  "infra-risk",
+  "typecheck-summary",
+  "lint-failures"
 ]);
 var providerConfigSchema = z.object({
   provider: providerNameSchema,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bilalimamoglu/sift",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Agent-first command-output reduction layer for agents, CI, and automation.",
   "type": "module",
   "bin": {