@compilr-dev/sdk 0.10.40 → 0.11.0

package/dist/host/device-flow.js

@@ -0,0 +1,111 @@
+/**
+ * runDeviceFlow — browser-based (OAuth device flow) login state machine.
+ *
+ * Ported from the CLI's AuthManager.loginWithDeviceFlow so CLI and Desktop share
+ * one implementation. Desktop previously drove the poll loop from the renderer
+ * one fetch at a time and therefore lacked the `slow_down` backoff this owns.
+ *
+ * On success the tokens are persisted to `~/.compilr-dev/auth.json`. Fetching the
+ * user profile (account type, etc.) is left to the host — call `getProfile`
+ * afterward if needed.
+ */
+import { requestDeviceCode, pollDeviceToken, getAuthorizationUrl } from './auth-api.js';
+import { saveAuthData } from './auth-store.js';
+const NETWORK_RETRY_MS = 2000;
+const MAX_POLL_INTERVAL_MS = 30_000;
+const SLOW_DOWN_STEP_MS = 5000;
+/**
+ * Next poll interval after a `slow_down` response: +5s, capped at 30s.
+ * Exported for unit testing the backoff that Desktop was missing.
+ */
+export function nextPollInterval(currentMs) {
+    return Math.min(currentMs + SLOW_DOWN_STEP_MS, MAX_POLL_INTERVAL_MS);
+}
+/** Wait `ms`, resolving early (true) if the signal aborts. */
+function waitOrAbort(ms, signal) {
+    return new Promise((resolve) => {
+        const timeout = setTimeout(() => {
+            signal?.removeEventListener('abort', onAbort);
+            resolve(false);
+        }, ms);
+        const onAbort = () => {
+            clearTimeout(timeout);
+            resolve(true);
+        };
+        signal?.addEventListener('abort', onAbort, { once: true });
+    });
+}
+/**
+ * Run the full device-flow login: request a code, surface it via `onCodeReady`,
+ * then poll until authorized, denied, expired, or aborted. Persists tokens on
+ * success.
+ */
+export async function runDeviceFlow(callbacks, signal, opts) {
+    // Step 1: request a device code.
+    const codeResult = await requestDeviceCode(opts?.endpoints);
+    if (!codeResult.success || !codeResult.data) {
+        return { success: false, error: codeResult.error ?? 'Failed to get device code' };
+    }
+    const { device_code, user_code, expires_in, interval } = codeResult.data;
+    // Step 2: surface the code + URL (the host shows it and/or opens the browser).
+    callbacks.onCodeReady(user_code, getAuthorizationUrl(user_code, opts?.endpoints));
+    // Step 3: poll until a terminal outcome.
+    const expiresAtMs = Date.now() + expires_in * 1000;
+    let pollIntervalMs = interval * 1000;
+    while (Date.now() < expiresAtMs) {
+        if (signal?.aborted)
+            return { success: false, error: 'Login cancelled' };
+        const aborted = await waitOrAbort(pollIntervalMs, signal);
+        if (aborted || signal?.aborted)
+            return { success: false, error: 'Login cancelled' };
+        callbacks.onStatusUpdate?.('polling');
+        const tokenResult = await pollDeviceToken(device_code, opts?.endpoints);
+        if (tokenResult.success && tokenResult.data) {
+            callbacks.onStatusUpdate?.('authorized');
+            const { access_token, refresh_token, api_token, expires_in: tokenExpiresIn, user, } = tokenResult.data;
+            const authData = {
+                version: 1,
+                user: {
+                    id: user.id,
+                    email: user.email,
+                    // Device flow doesn't return account creation time.
+                    createdAt: new Date().toISOString(),
+                },
+                session: {
+                    accessToken: access_token,
+                    refreshToken: refresh_token,
+                    expiresAt: new Date(Date.now() + tokenExpiresIn * 1000).toISOString(),
+                    apiToken: api_token,
+                },
+            };
+            saveAuthData(authData, opts?.dir);
+            return { success: true, user: { id: user.id, email: user.email } };
+        }
+        if (tokenResult.error) {
+            switch (tokenResult.error.error) {
+                case 'authorization_pending':
+                    continue;
+                case 'slow_down':
+                    pollIntervalMs = nextPollInterval(pollIntervalMs);
+                    continue;
+                case 'expired_token':
+                    callbacks.onStatusUpdate?.('expired');
+                    return { success: false, error: 'Authorization expired. Please try again.' };
+                case 'access_denied':
+                    callbacks.onStatusUpdate?.('denied');
+                    return { success: false, error: 'Authorization denied.' };
+                default:
+                    return { success: false, error: tokenResult.error.error_description };
+            }
+        }
+        // Transient network error — wait a little longer and retry.
+        if (tokenResult.networkError) {
+            const cancelled = await waitOrAbort(NETWORK_RETRY_MS, signal);
+            if (cancelled)
+                return { success: false, error: 'Login cancelled' };
+            continue;
+        }
+    }
+    callbacks.onStatusUpdate?.('expired');
+    return { success: false, error: 'Authorization timed out. Please try again.' };
+}

package/dist/host/index.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Host integration layer — shared schema and helpers for the things CLI and
+ * Desktop both persist under `~/.compilr-dev/` (settings today; auth/token and
+ * device flow to follow in Phase 2). Pure data + transforms; no fs/electron.
+ */
+export { type HostSettings, type SettingsProviderType, type TextSize, type NotificationMode, type Verbosity, type CompactMode, type ProjectSessionMode, type MascotSetting, type StartupMode, type ProjectStartupMode, type StartupBehavior, type DefaultLeftPanel, type TipsProficiency, SHARED_DEFAULTS, migrateRawSettings, } from './settings-schema.js';
+export type { AccountType, AuthUser, AuthSession, AuthData, RefreshTokenResponse, ProfileData, HeartbeatData, DeviceCodeResponse, DeviceTokenResponse, DeviceTokenError, AuthEndpoints, } from './auth-types.js';
+export { refreshToken, sendHeartbeat, getProfile, updateProfile, requestDeviceCode, pollDeviceToken, getAuthorizationUrl, } from './auth-api.js';
+export { loadAuthData, saveAuthData, clearAuthData, updateSession, hasAuthData, checkAuthFilePermissions, readAuthFile, writeAuthFile, } from './auth-store.js';
+export { ensureFreshToken } from './token.js';
+export type { EnsureFreshTokenOptions, FreshToken } from './token.js';
+export { runDeviceFlow, nextPollInterval } from './device-flow.js';
+export type { DeviceFlowStatus, DeviceFlowCallbacks, LoginResult, RunDeviceFlowOptions, } from './device-flow.js';

package/dist/host/index.js

@@ -0,0 +1,10 @@
+/**
+ * Host integration layer — shared schema and helpers for the things CLI and
+ * Desktop both persist under `~/.compilr-dev/` (settings today; auth/token and
+ * device flow to follow in Phase 2). Pure data + transforms; no fs/electron.
+ */
+export { SHARED_DEFAULTS, migrateRawSettings, } from './settings-schema.js';
+export { refreshToken, sendHeartbeat, getProfile, updateProfile, requestDeviceCode, pollDeviceToken, getAuthorizationUrl, } from './auth-api.js';
+export { loadAuthData, saveAuthData, clearAuthData, updateSession, hasAuthData, checkAuthFilePermissions, readAuthFile, writeAuthFile, } from './auth-store.js';
+export { ensureFreshToken } from './token.js';
+export { runDeviceFlow, nextPollInterval } from './device-flow.js';

package/dist/host/settings-schema.d.ts

@@ -0,0 +1,148 @@
+/**
+ * Shared host settings schema, defaults, and migrations.
+ *
+ * CLI and Desktop both persist a `settings.json` under `~/.compilr-dev/`. They
+ * historically described it with two independent TypeScript interfaces and only
+ * the CLI ran value migrations — so a value the CLI would migrate was consumed
+ * raw by Desktop, and fields one app didn't know about survived only by luck.
+ *
+ * This module is the single source of truth for:
+ *  - the union shape of the file (`HostSettings`),
+ *  - the value-level migrations (`migrateRawSettings`), and
+ *  - the defaults whose semantics are identical across hosts (`SHARED_DEFAULTS`).
+ *
+ * File I/O, caching, per-host defaults, and the encryption master key stay in
+ * each host (see host-drift-remediation-spec.md §4.5). This module is pure:
+ * no `fs`, no `electron`, no process globals — it only transforms plain objects.
+ */
+import { type PermissionRule, type PermissionMode } from '../permissions.js';
+import type { ProviderType } from '../config.js';
+/**
+ * Provider identifier as stored in settings. Superset of the agent-config
+ * `ProviderType`: it adds `'auto'`, meaning "resolve from the environment" via
+ * `detectProviderFromEnv()`. Hosts without auto-detection should treat `'auto'`
+ * as a request to pick a concrete provider, never as invalid.
+ */
+export type SettingsProviderType = ProviderType | 'auto';
+export type TextSize = 'small' | 'medium' | 'large';
+export type NotificationMode = 'auto' | 'bell' | 'disabled';
+export type Verbosity = 'normal' | 'focused' | 'verbose';
+export type CompactMode = 'active' | 'all' | 'auto';
+export type ProjectSessionMode = 'auto' | 'ask' | 'fresh';
+export type MascotSetting = 'none' | 'random' | 'neutral' | 'thinking' | 'looking_left' | 'looking_right' | 'sleeping' | 'alert' | 'error' | 'success' | 'success_minimal' | 'searching' | 'skeptical';
+/** CLI: how the CLI starts up (interactive menu vs straight into the REPL). */
+export type StartupMode = 'menu' | 'repl';
+/** CLI: whether to auto-load the last project on startup. */
+export type ProjectStartupMode = 'last' | 'off';
+/** Desktop: resume the last project or land on the dashboard. */
+export type StartupBehavior = 'last-project' | 'dashboard';
+/** Desktop: which side panel opens by default ('none' = collapsed). */
+export type DefaultLeftPanel = 'none' | 'project' | 'conversations' | 'agents' | 'backlog' | 'docs';
+/** Desktop: status-bar tips proficiency ('auto' derives from usage). */
+export type TipsProficiency = 'auto' | 'beginner' | 'intermediate' | 'pro';
+/**
+ * The full shape of `~/.compilr-dev/settings.json`.
+ *
+ * Every field is optional at the type level; required-ness is produced by
+ * merging defaults at load time (`{ ...SHARED_DEFAULTS, ...HOST_DEFAULTS,
+ * ...migrated }`). Sections are grouped as shared / CLI-only / Desktop-only,
+ * but the file is flat and either host may carry the other's keys (preserved
+ * on save — see `migrateRawSettings`).
+ */
+export interface HostSettings {
+    theme?: string;
+    firstRunComplete?: boolean;
+    /** Opt-out telemetry (default on). */
+    telemetryEnabled?: boolean;
+    defaultProvider?: SettingsProviderType;
+    /** null = use the provider's default model. */
+    defaultModel?: string | null;
+    ollamaBaseUrl?: string;
+    checkUpdates?: boolean;
+    /**
+     * Startup default mode. Session-level changes do NOT persist here.
+     * Authoritative for Desktop. See §4.2 of the host-drift spec.
+     */
+    defaultPermissionMode?: PermissionMode;
+    /**
+     * Last active mode, restored at startup for continuity. Authoritative for
+     * the CLI. Distinct from `defaultPermissionMode` by design — both are kept.
+     */
+    permissionMode?: PermissionMode;
+    permissionRules?: PermissionRule[];
+    autoCompact?: boolean;
+    showTips?: boolean;
+    reviseCode?: boolean;
+    /** @deprecated superseded by `verbosity`; migrated forward. */
+    verbose?: boolean;
+    verbosity?: Verbosity;
+    progressBar?: boolean;
+    lastUpdateCheck?: number | null;
+    notifications?: NotificationMode;
+    startupMode?: StartupMode;
+    projectStartup?: ProjectStartupMode;
+    lastProjectId?: number | null;
+    mascot?: MascotSetting;
+    projectSessionMode?: ProjectSessionMode;
+    sessionRetentionDays?: number;
+    compactMode?: CompactMode;
+    /** Tool-result auto-delegation (summarize large results). */
+    delegation?: boolean;
+    vsDiffExtension?: boolean;
+    lastSeenVersion?: string;
+    modelTiers?: Partial<Record<SettingsProviderType, Partial<Record<'fast' | 'balanced' | 'powerful', string>>>>;
+    roleTierDefaults?: Record<string, 'fast' | 'balanced' | 'powerful'>;
+    textSize?: TextSize;
+    workspacePath?: string;
+    projectsPath?: string;
+    dataPath?: string;
+    deleteProtection?: boolean;
+    requireProjectMatch?: boolean;
+    /** Extended context window (1M for Claude); long-context pricing above 200K. */
+    extendedContext?: boolean;
+    startupBehavior?: StartupBehavior;
+    tourCompleted?: boolean;
+    defaultLeftPanel?: DefaultLeftPanel;
+    activityBarTooltipsEnabled?: boolean;
+    dudeEnabled?: boolean;
+    dudeAutoOpenOnFirstProject?: boolean;
+    dudeWelcomeShown?: boolean;
+    dudeModel?: string;
+    tipsEnabled?: boolean;
+    tipsProficiency?: TipsProficiency;
+    /**
+     * Encryption master key for the API-key keystore. Managed by each host's
+     * key storage; declared here so migrations preserve it. Never read by this
+     * module.
+     */
+    mk?: string;
+}
+/**
+ * Defaults for fields that mean the same thing in CLI and Desktop. Per-host
+ * defaults (e.g. CLI `defaultProvider: 'auto'` vs Desktop `'claude'`, plus each
+ * host's exclusive fields) are layered on top by the host:
+ *
+ *   const merged = { ...SHARED_DEFAULTS, ...HOST_DEFAULTS, ...migrated };
+ */
+export declare const SHARED_DEFAULTS: Partial<HostSettings>;
+/**
+ * Apply all value-level migrations to a raw settings object read from disk.
+ *
+ * Pure and idempotent: `migrateRawSettings(migrateRawSettings(x).settings)`
+ * yields the same settings with `changed: false`. **Unknown keys are preserved**
+ * (the input is spread first) — this is the contract that lets an old and a new
+ * app version share the same file without dropping each other's fields.
+ *
+ * Hosts call this on load and persist the result when `changed` is true.
+ *
+ * Migrations (seeded from the CLI's historical set + one cross-host addition):
+ *  1. `verbose: true` and no `verbosity` → `verbosity: 'verbose'`
+ *  2. `projectStartup: 'cwd'` → `'off'`
+ *  3. `permissionMode` / `defaultPermissionMode` legacy values normalized
+ *  4. `defaultPermissionMode` absent but `permissionMode` present → seed it
+ *     (gives Desktop a sane startup default on CLI-authored files)
+ */
+export declare function migrateRawSettings(raw: Record<string, unknown>): {
+    settings: Record<string, unknown>;
+    changed: boolean;
+};

package/dist/host/settings-schema.js

@@ -0,0 +1,107 @@
+/**
+ * Shared host settings schema, defaults, and migrations.
+ *
+ * CLI and Desktop both persist a `settings.json` under `~/.compilr-dev/`. They
+ * historically described it with two independent TypeScript interfaces and only
+ * the CLI ran value migrations — so a value the CLI would migrate was consumed
+ * raw by Desktop, and fields one app didn't know about survived only by luck.
+ *
+ * This module is the single source of truth for:
+ *  - the union shape of the file (`HostSettings`),
+ *  - the value-level migrations (`migrateRawSettings`), and
+ *  - the defaults whose semantics are identical across hosts (`SHARED_DEFAULTS`).
+ *
+ * File I/O, caching, per-host defaults, and the encryption master key stay in
+ * each host (see host-drift-remediation-spec.md §4.5). This module is pure:
+ * no `fs`, no `electron`, no process globals — it only transforms plain objects.
+ */
+import { DEFAULT_PERMISSION_RULES, } from '../permissions.js';
+// =============================================================================
+// Shared defaults (identical semantics across hosts only)
+// =============================================================================
+/**
+ * Defaults for fields that mean the same thing in CLI and Desktop. Per-host
+ * defaults (e.g. CLI `defaultProvider: 'auto'` vs Desktop `'claude'`, plus each
+ * host's exclusive fields) are layered on top by the host:
+ *
+ *   const merged = { ...SHARED_DEFAULTS, ...HOST_DEFAULTS, ...migrated };
+ */
+export const SHARED_DEFAULTS = {
+    theme: 'compilr-dark',
+    firstRunComplete: false,
+    telemetryEnabled: true,
+    checkUpdates: true,
+    defaultModel: null,
+    defaultPermissionMode: 'normal',
+    permissionRules: [...DEFAULT_PERMISSION_RULES],
+};
+// =============================================================================
+// Migrations
+// =============================================================================
+/** Normalize a legacy permission-mode value to the current vocabulary. */
+function migratePermissionModeValue(value) {
+    switch (value) {
+        case 'default':
+        case 'accept-edits':
+            return 'normal';
+        case 'dont-ask':
+            return 'auto-accept';
+        case 'normal':
+        case 'plan':
+        case 'auto-accept':
+            return value;
+        default:
+            return undefined;
+    }
+}
+/**
+ * Apply all value-level migrations to a raw settings object read from disk.
+ *
+ * Pure and idempotent: `migrateRawSettings(migrateRawSettings(x).settings)`
+ * yields the same settings with `changed: false`. **Unknown keys are preserved**
+ * (the input is spread first) — this is the contract that lets an old and a new
+ * app version share the same file without dropping each other's fields.
+ *
+ * Hosts call this on load and persist the result when `changed` is true.
+ *
+ * Migrations (seeded from the CLI's historical set + one cross-host addition):
+ *  1. `verbose: true` and no `verbosity` → `verbosity: 'verbose'`
+ *  2. `projectStartup: 'cwd'` → `'off'`
+ *  3. `permissionMode` / `defaultPermissionMode` legacy values normalized
+ *  4. `defaultPermissionMode` absent but `permissionMode` present → seed it
+ *     (gives Desktop a sane startup default on CLI-authored files)
+ */
+export function migrateRawSettings(raw) {
+    const out = { ...raw };
+    let changed = false;
+    // 1. verbose → verbosity
+    if (!('verbosity' in out) && out['verbose'] === true) {
+        out['verbosity'] = 'verbose';
+        changed = true;
+    }
+    // 2. projectStartup 'cwd' → 'off'
+    if (out['projectStartup'] === 'cwd') {
+        out['projectStartup'] = 'off';
+        changed = true;
+    }
+    // 3. Normalize legacy permission-mode values on both fields.
+    for (const key of ['permissionMode', 'defaultPermissionMode']) {
+        if (key in out) {
+            const normalized = migratePermissionModeValue(out[key]);
+            if (normalized !== undefined && normalized !== out[key]) {
+                out[key] = normalized;
+                changed = true;
+            }
+        }
+    }
+    // 4. Seed defaultPermissionMode from permissionMode when absent.
+    if ((out['defaultPermissionMode'] === undefined || !('defaultPermissionMode' in out)) &&
+        typeof out['permissionMode'] === 'string') {
+        const seeded = migratePermissionModeValue(out['permissionMode']);
+        if (seeded !== undefined) {
+            out['defaultPermissionMode'] = seeded;
+            changed = true;
+        }
+    }
+    return { settings: out, changed };
+}

package/dist/host/token.d.ts

@@ -0,0 +1,34 @@
+/**
+ * ensureFreshToken — return a usable bearer token, refreshing the JWT if needed.
+ *
+ * This is the fix for the Desktop JWT-lockout bug: Desktop read `auth.json` but
+ * had no refresh path, so once the JWT expired (and no long-lived `apiToken` was
+ * present) every backend call failed until the user logged in again. Both hosts
+ * now route token access through here.
+ *
+ * State machine (ported from the CLI's AuthManager.isAuthenticated/getAccessToken):
+ *  - `apiToken` present  → return it (server validates per-request; no expiry)
+ *  - JWT with > threshold remaining → return the access token as-is
+ *  - otherwise → refresh via the backend, persist the new session, return it
+ *  - refresh failure → return null, but DO NOT delete auth.json (the refresh
+ *    token may still be valid after a transient/network error; only explicit
+ *    logout clears credentials)
+ */
+import type { AuthEndpoints } from './auth-types.js';
+export interface EnsureFreshTokenOptions {
+    /** Refresh the JWT when it has less than this many ms left. Default 5 min. */
+    thresholdMs?: number;
+    /** Override the `.compilr-dev` directory (tests / non-standard homes). */
+    dir?: string;
+    /** Override backend endpoints (tests / branch previews). */
+    endpoints?: AuthEndpoints;
+}
+export interface FreshToken {
+    token: string;
+    source: 'api-token' | 'jwt' | 'refreshed';
+}
+/**
+ * Resolve the best available token, refreshing if the JWT is near expiry.
+ * Returns null when there are no credentials or a needed refresh failed.
+ */
+export declare function ensureFreshToken(opts?: EnsureFreshTokenOptions): Promise<FreshToken | null>;

package/dist/host/token.js

@@ -0,0 +1,56 @@
+/**
+ * ensureFreshToken — return a usable bearer token, refreshing the JWT if needed.
+ *
+ * This is the fix for the Desktop JWT-lockout bug: Desktop read `auth.json` but
+ * had no refresh path, so once the JWT expired (and no long-lived `apiToken` was
+ * present) every backend call failed until the user logged in again. Both hosts
+ * now route token access through here.
+ *
+ * State machine (ported from the CLI's AuthManager.isAuthenticated/getAccessToken):
+ *  - `apiToken` present  → return it (server validates per-request; no expiry)
+ *  - JWT with > threshold remaining → return the access token as-is
+ *  - otherwise → refresh via the backend, persist the new session, return it
+ *  - refresh failure → return null, but DO NOT delete auth.json (the refresh
+ *    token may still be valid after a transient/network error; only explicit
+ *    logout clears credentials)
+ */
+import { refreshToken as apiRefreshToken } from './auth-api.js';
+import { loadAuthData, updateSession } from './auth-store.js';
+const DEFAULT_THRESHOLD_MS = 5 * 60 * 1000; // refresh when < 5 min remaining
+const DEFAULT_EXPIRES_IN_S = 3600; // assume 1h if the server omits expires_in
+/**
+ * Resolve the best available token, refreshing if the JWT is near expiry.
+ * Returns null when there are no credentials or a needed refresh failed.
+ */
+export async function ensureFreshToken(opts) {
+    const auth = loadAuthData(opts?.dir);
+    if (!auth)
+        return null;
+    // Long-lived API token never expires locally.
+    if (auth.session.apiToken) {
+        return { token: auth.session.apiToken, source: 'api-token' };
+    }
+    const thresholdMs = opts?.thresholdMs ?? DEFAULT_THRESHOLD_MS;
+    const expiresAt = new Date(auth.session.expiresAt).getTime();
+    const remaining = expiresAt - Date.now();
+    // JWT still comfortably valid.
+    if (Number.isFinite(expiresAt) && remaining >= thresholdMs) {
+        return { token: auth.session.accessToken, source: 'jwt' };
+    }
+    // Needs a refresh.
+    if (!auth.session.refreshToken)
+        return null;
+    const result = await apiRefreshToken(auth.session.refreshToken, opts?.endpoints);
+    if (!result.success || !result.access_token || !result.refresh_token) {
+        // Preserve auth.json on disk — the refresh token may still be valid.
+        return null;
+    }
+    const expiresIn = result.expires_in ?? DEFAULT_EXPIRES_IN_S;
+    const newSession = {
+        accessToken: result.access_token,
+        refreshToken: result.refresh_token,
+        expiresAt: new Date(Date.now() + expiresIn * 1000).toISOString(),
+    };
+    updateSession(newSession, opts?.dir);
+    return { token: result.access_token, source: 'refreshed' };
+}

package/dist/index.d.ts

@@ -58,7 +58,7 @@ export { createSQLiteRepositories, SQLiteProjectRepository, SQLiteWorkItemReposi
 export type { SQLiteRepositories, CreateSQLiteRepositoriesOptions, ProjectDeleteHooks, ProjectRecord, WorkItemRecord, ProjectDocumentRecord, WorkItemCommentRecord, } from './platform/index.js';
 export { createAskUserTool, createAskUserSimpleTool, createProposeAlternativesTool, createInteractiveFlowTool, validateFlow, INTERACTIVE_FLOW_INPUT_SCHEMA, } from './tools/index.js';
 export type { AskUserQuestion, AskUserInput, AskUserResult, AskUserHandler, AskUserSimpleInput, AskUserSimpleResult, AskUserSimpleHandler, Alternative, ProposeAlternativesInput, ProposeAlternativesResult, ProposeAlternativesHandler, Flow, FlowTone, FlowNode, QuestionNode, InfoNode, BranchNode, SummaryNode, QuestionInput, Choice, Proposal, NextRef, BranchRoute, BranchCondition, NodeId, IconName, Tint, RenderVariant, AnswerValue, AbortReason, InteractiveFlowInput, InteractiveFlowResult, InteractiveFlowHandler, FlowValidationResult, FlowValidationError, FlowErrorCode, } from './tools/index.js';
-export { EntitlementCache, UNLIMITED, OFFLINE_FALLBACK_LIMITS, DailyCounter, formatLimitMessage, formatTimeUntilReset, formatUpgradeHint, } from './entitlements/index.js';
+export { EntitlementCache, UNLIMITED, OFFLINE_FALLBACK_LIMITS, DailyCounter, formatLimitMessage, formatTimeUntilReset, formatUpgradeHint, fetchEntitlements, } from './entitlements/index.js';
 export type { TierLimits, EntitlementResponse, LimitCheckResult, IEntitlementStore, EntitlementCacheConfig, } from './entitlements/index.js';
 export { detectProject, suggestProjectType, detectCommon } from './detection/index.js';
 export type { DetectProjectOptions, DetectionResult, ContentSummary } from './detection/index.js';
@@ -79,8 +79,12 @@ export type { ActionMeta, SkillMeta } from './project-types/index.js';
 export type { ProjectTypeConfig, ProjectPhase, SuggestedAgent, DocumentTemplate, } from './project-types/index.js';
 export { defineTool, createSuccessResult, createErrorResult, mergeHooks, createLoggingHooks, createClaudeProvider, createOpenAIProvider, createGeminiNativeProvider, createOllamaProvider, createTogetherProvider, createGroqProvider, createFireworksProvider, createPerplexityProvider, createOpenRouterProvider, createMockProvider, MockProvider, Agent, ContextManager, DEFAULT_CONTEXT_CONFIG, createTaskTool, createSuggestTool, defaultAgentTypes, TOOL_SETS, BUILTIN_GUARDRAILS, TOOL_NAMES, getDefaultShellManager, builtinSkills, AnchorManager, MCPManager, AgentError, ProviderError, ToolError, ToolTimeoutError, MaxIterationsError, AbortError, } from '@compilr-dev/agents';
 export type { Tool, HooksConfig, AgentEvent, Message, LLMProvider, AnchorInput, ToolExecutionResult, AgentRunResult, PermissionHandler, PermissionHandlerResponse, ToolPermission, AgentTypeConfig, GuardrailTriggeredHandler, BeforeLLMHookResult, BeforeToolHook, BeforeToolHookResult, AfterToolHook, AgentState, AgentConfig, SessionInfo, Anchor, AnchorScope, AnchorClearOptions, AnchorPriority, AnchorQueryOptions, FileAccessType, FileAccess, GuardrailResult, GuardrailContext, MCPClient, MCPToolDefinition, } from '@compilr-dev/agents';
-export { DEFAULT_PERMISSION_RULES, findMatchingRule, permissionModeLabel, permissionLevelLabel, } from './permissions.js';
+export { DEFAULT_PERMISSION_RULES, WRITE_TOOLS, findMatchingRule, permissionModeLabel, permissionLevelLabel, } from './permissions.js';
 export type { PermissionRule, PermissionMode, PermissionLevel } from './permissions.js';
+export { SHARED_DEFAULTS, migrateRawSettings } from './host/index.js';
+export type { HostSettings, SettingsProviderType, TextSize, NotificationMode, Verbosity, CompactMode, ProjectSessionMode, MascotSetting, StartupMode, ProjectStartupMode, StartupBehavior, DefaultLeftPanel, TipsProficiency, } from './host/index.js';
+export { refreshToken, sendHeartbeat, getProfile, updateProfile, requestDeviceCode, pollDeviceToken, getAuthorizationUrl, loadAuthData, saveAuthData, clearAuthData, updateSession, hasAuthData, checkAuthFilePermissions, readAuthFile, writeAuthFile, ensureFreshToken, runDeviceFlow, nextPollInterval, } from './host/index.js';
+export type { AccountType, AuthUser, AuthSession, AuthData, RefreshTokenResponse, ProfileData, HeartbeatData, DeviceCodeResponse, DeviceTokenResponse, DeviceTokenError, AuthEndpoints, EnsureFreshTokenOptions, FreshToken, DeviceFlowStatus, DeviceFlowCallbacks, LoginResult, RunDeviceFlowOptions, } from './host/index.js';
 export { DEFAULT_DELEGATION_CONFIG } from './delegation.js';
 export { FileEpisodeStore, EpisodeRecorder, isSignificantWork, extractAffectedFiles, extractLinesChanged, queryWorkAtRisk, buildWorkSummaryContent, updateWorkSummaryAnchor, } from './episodes/index.js';
 export type { FileEpisodeStoreOptions, EpisodeRecorderConfig, WorkSummaryAnchorConfig, PendingToolSignal, EpisodeFile, } from './episodes/index.js';

package/dist/index.js

@@ -135,7 +135,7 @@ export { createAskUserTool, createAskUserSimpleTool, createProposeAlternativesTo
 // =============================================================================
 // Entitlements (server-driven tier management)
 // =============================================================================
-export { EntitlementCache, UNLIMITED, OFFLINE_FALLBACK_LIMITS, DailyCounter, formatLimitMessage, formatTimeUntilReset, formatUpgradeHint, } from './entitlements/index.js';
+export { EntitlementCache, UNLIMITED, OFFLINE_FALLBACK_LIMITS, DailyCounter, formatLimitMessage, formatTimeUntilReset, formatUpgradeHint, fetchEntitlements, } from './entitlements/index.js';
 // =============================================================================
 // Project Detection (universal project content detection)
 // =============================================================================
@@ -196,7 +196,13 @@ AgentError, ProviderError, ToolError, ToolTimeoutError, MaxIterationsError, Abor
 // =============================================================================
 // Shared Permission Defaults & Utilities
 // =============================================================================
-export { DEFAULT_PERMISSION_RULES, findMatchingRule, permissionModeLabel, permissionLevelLabel, } from './permissions.js';
+export { DEFAULT_PERMISSION_RULES, WRITE_TOOLS, findMatchingRule, permissionModeLabel, permissionLevelLabel, } from './permissions.js';
+// =============================================================================
+// Host Integration Layer (shared settings schema + migrations)
+// =============================================================================
+export { SHARED_DEFAULTS, migrateRawSettings } from './host/index.js';
+// Auth: shared backend client, credential store, token refresh, device flow.
+export { refreshToken, sendHeartbeat, getProfile, updateProfile, requestDeviceCode, pollDeviceToken, getAuthorizationUrl, loadAuthData, saveAuthData, clearAuthData, updateSession, hasAuthData, checkAuthFilePermissions, readAuthFile, writeAuthFile, ensureFreshToken, runDeviceFlow, nextPollInterval, } from './host/index.js';
 // =============================================================================
 // Shared Delegation Config Defaults
 // =============================================================================

package/dist/permissions.d.ts

@@ -36,6 +36,14 @@ export type PermissionMode = 'normal' | 'plan' | 'auto-accept';
  * - Runner tools (run_tests, run_lint) → ask once
  */
 export declare const DEFAULT_PERMISSION_RULES: PermissionRule[];
+/**
+ * Tools that mutate the workspace (filesystem or shell). Desktop's workspace-trust
+ * "restricted mode" blocks exactly these in untrusted projects; previously it
+ * hand-maintained a parallel list that could silently drift from the SDK. This is
+ * the single source of truth — a subset of `PLAN_MODE_BLOCKED_TOOLS` (which also
+ * blocks git/runner tools), enforced by a test so the two can't diverge.
+ */
+export declare const WRITE_TOOLS: ReadonlySet<string>;
 /**
  * Find the matching permission rule for a tool name.
  * Checks exact match first, then wildcard patterns (e.g., git_* matches git_commit).

package/dist/permissions.js

@@ -34,6 +34,25 @@ export const DEFAULT_PERMISSION_RULES = [
     { toolName: 'grep', level: 'always', description: 'Search file contents', isDefault: true },
 ];
 // =============================================================================
+// Write-tool set (workspace trust / restricted mode)
+// =============================================================================
+/**
+ * Tools that mutate the workspace (filesystem or shell). Desktop's workspace-trust
+ * "restricted mode" blocks exactly these in untrusted projects; previously it
+ * hand-maintained a parallel list that could silently drift from the SDK. This is
+ * the single source of truth — a subset of `PLAN_MODE_BLOCKED_TOOLS` (which also
+ * blocks git/runner tools), enforced by a test so the two can't diverge.
+ */
+export const WRITE_TOOLS = new Set([
+    'bash',
+    'edit',
+    'write_file',
+    'create_file',
+    'delete_file',
+    'rename_file',
+    'move_file',
+]);
+// =============================================================================
 // Utilities
 // =============================================================================
 /**