@delegance/claude-autopilot 5.2.1 → 5.5.2

package/dist/src/adapters/deploy/vercel.d.ts

@@ -0,0 +1,127 @@
+import type { DeployAdapter, DeployInput, DeployLogLine, DeployResult, DeployRollbackInput, DeployStatusInput, DeployStatusResult, DeployStreamLogsInput } from './types.ts';
+/** Vercel deployment states. The first three are terminal; the rest are interim. */
+type VercelState = 'READY' | 'ERROR' | 'CANCELED' | 'BUILDING' | 'INITIALIZING' | 'QUEUED' | 'DEPLOYING' | 'ANALYZING';
+/**
+ * Single entry from `GET /v6/deployments`. Vercel's list response wraps
+ * these under `{ deployments: [...] }`. We only surface the fields the
+ * rollback + status flows need; callers MUST treat all fields beyond `id`
+ * as best-effort (older deployments occasionally omit `createdAt` and
+ * `state` is not always populated for super-recent in-flight builds).
+ */
+export interface VercelDeployListItem {
+    id: string;
+    url?: string;
+    state?: VercelState;
+    /** Milliseconds since epoch — Vercel returns this as a number. */
+    createdAt?: number;
+}
+export interface VercelDeployAdapterOptions {
+    /** Personal access token. Falls back to `process.env.VERCEL_TOKEN`. */
+    token?: string;
+    /** Vercel project ID or slug. Required. */
+    project: string;
+    /** Vercel team ID. Optional — required only for team accounts. */
+    team?: string;
+    /** Deploy target. Default: `production`. */
+    target?: 'production' | 'preview';
+    /** Polling interval (ms) when waiting for the build to reach a terminal state. Default: 2000. */
+    pollIntervalMs?: number;
+    /** Maximum total time to poll before returning `in-progress`. Default: 15 minutes. */
+    maxPollMs?: number;
+    /** Injected fetch implementation — defaults to `globalThis.fetch`. Tests pass a mock. */
+    fetchImpl?: typeof fetch;
+    /** Injected sleep implementation — tests pass a no-op so they don't actually wait. */
+    sleepImpl?: (ms: number) => Promise<void>;
+    /** Wall-clock source — tests pass a controllable counter. */
+    nowImpl?: () => number;
+}
+/**
+ * Vercel deploy adapter.
+ *
+ * Construct once per pipeline run. The adapter is stateless across calls — all
+ * configuration (token, project, team) is captured at construction time.
+ */
+export declare class VercelDeployAdapter implements DeployAdapter {
+    readonly name = "vercel";
+    private readonly token;
+    private readonly project;
+    private readonly team;
+    private readonly target;
+    private readonly pollIntervalMs;
+    private readonly maxPollMs;
+    private readonly fetchImpl;
+    private readonly sleep;
+    private readonly now;
+    constructor(opts: VercelDeployAdapterOptions);
+    deploy(input: DeployInput): Promise<DeployResult>;
+    status(input: DeployStatusInput): Promise<DeployStatusResult>;
+    /**
+     * Phase 2 — subscribe to real-time build logs for a deployment.
+     *
+     * Streams `GET /v2/deployments/<id>/events?builds=1&follow=1` and yields a
+     * `DeployLogLine` for each `stdout` / `stderr` event. Lifecycle events
+     * (`state`, `complete`) are filtered out — the polling loop in `deploy()`
+     * already handles them. Malformed JSON lines are skipped silently rather
+     * than crashing a long-running stream.
+     *
+     * Cancellation: pass `input.signal`. Once aborted, the underlying fetch
+     * is torn down and the iterator returns.
+     */
+    streamLogs(input: DeployStreamLogsInput): AsyncGenerator<DeployLogLine>;
+    /**
+     * Phase 3 — promote a previously-built deployment to production.
+     *
+     * Two modes:
+     * - `input.to` set → promote that deploy ID directly. Cheapest path.
+     * - `input.to` omitted → look up the previous prod deploy via
+     *   `listDeployments(5)` and promote it. Throws `no_previous_deploy`
+     *   when there's nothing to roll back to (project with one deploy,
+     *   or every prior deploy is in ERROR/CANCELED state).
+     *
+     * Always-query is intentional: we never cache deploy IDs locally, so a
+     * promote performed from the Vercel dashboard between our deploy and
+     * our rollback is still observable.
+     */
+    rollback(input: DeployRollbackInput): Promise<DeployResult>;
+    /**
+     * Phase 3 — list recent production deployments for the configured
+     * project. Used by the `deploy status` CLI subcommand and by the
+     * `findPreviousProdDeployment()` helper backing `rollback()`.
+     *
+     * The list endpoint is `/v6/deployments` (v13 is for individual
+     * deployments). `target=production` filters out preview builds; `limit`
+     * caps the result set — Vercel returns newest-first so a small limit
+     * is sufficient for both rollback target detection and the CLI status
+     * display (defaults to 5).
+     */
+    listDeployments(limit?: number, signal?: AbortSignal): Promise<VercelDeployListItem[]>;
+    /**
+     * Returns the deployment immediately preceding the current production
+     * deployment, or `null` if no rollback target exists.
+     *
+     * "Preceding" means: among deployments with `state === 'READY'` (so we
+     * never roll back to a known-broken build), sorted newest-first by
+     * `createdAt`, the second entry. The first entry is the current prod
+     * deploy and we drop it.
+     */
+    private findPreviousProdDeployment;
+    private pollUntilTerminal;
+    private shapeResult;
+    private headers;
+    private urlWithTeam;
+    private buildLogsUrl;
+    private assertOkOrThrow;
+    private fetchWithRetry;
+    /**
+     * Like `fetchWithRetry` but tuned for the events endpoint:
+     * - 404 right after a deploy POST is a known race (the deploy hasn't yet
+     *   propagated to the events service). Retry up to N times with backoff.
+     * - 5xx behaves the same as `fetchWithRetry`.
+     * - Cancels cleanly on AbortError.
+     * - Returns the last `Response` so the caller can `assertOkOrThrow` on a
+     *   final non-OK status (e.g. 401 still bubbles immediately on attempt 1).
+     */
+    private fetchEventsWithRetry;
+}
+export {};
+//# sourceMappingURL=vercel.d.ts.map

package/dist/src/adapters/deploy/vercel.js

@@ -0,0 +1,446 @@
+// src/adapters/deploy/vercel.ts
+//
+// First-class Vercel deploy adapter. Phase 1 of the v5.4 spec.
+//
+// Implements `deploy()` (POST + poll until terminal) and `status()` (one-shot
+// GET). Log streaming is Phase 2; rollback is Phase 3.
+//
+// All HTTP calls go through an injectable `fetchImpl` so unit tests never hit
+// the real Vercel API.
+//
+// Spec: docs/specs/v5.4-vercel-adapter.md
+import { GuardrailError } from "../../core/errors.js";
+const VERCEL_API_BASE = 'https://api.vercel.com';
+/**
+ * Vercel deploy adapter.
+ *
+ * Construct once per pipeline run. The adapter is stateless across calls — all
+ * configuration (token, project, team) is captured at construction time.
+ */
+export class VercelDeployAdapter {
+    name = 'vercel';
+    token;
+    project;
+    team;
+    target;
+    pollIntervalMs;
+    maxPollMs;
+    fetchImpl;
+    sleep;
+    now;
+    constructor(opts) {
+        const token = opts.token ?? process.env.VERCEL_TOKEN;
+        if (!token) {
+            throw new GuardrailError('Vercel deploy adapter requires VERCEL_TOKEN. Create one at https://vercel.com/account/tokens', { code: 'auth', provider: 'vercel' });
+        }
+        if (!opts.project) {
+            throw new GuardrailError('Vercel deploy adapter requires `project` (project ID or slug)', { code: 'invalid_config', provider: 'vercel' });
+        }
+        this.token = token;
+        this.project = opts.project;
+        this.team = opts.team;
+        this.target = opts.target ?? 'production';
+        this.pollIntervalMs = opts.pollIntervalMs ?? 2000;
+        this.maxPollMs = opts.maxPollMs ?? 15 * 60 * 1000;
+        this.fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+        this.sleep = opts.sleepImpl ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+        this.now = opts.nowImpl ?? Date.now;
+    }
+    async deploy(input) {
+        const start = this.now();
+        const url = this.urlWithTeam(`${VERCEL_API_BASE}/v13/deployments`);
+        const body = {
+            name: this.project,
+            target: this.target,
+            meta: input.meta,
+        };
+        // Only include gitSource when we have a commitSha — Vercel requires the
+        // full {type, repoId, ref} contract for git deploys, which we can't
+        // synthesize from a SHA alone in Phase 1. Callers using `commitSha` should
+        // also have `VERCEL_PROJECT_ID` linked via `vc link` so Vercel resolves
+        // the repo from the linked project.
+        if (input.commitSha) {
+            body.gitSource = { type: 'github', sha: input.commitSha, ref: input.ref };
+        }
+        else if (input.ref) {
+            body.gitSource = { type: 'github', ref: input.ref };
+        }
+        const res = await this.fetchWithRetry(url, {
+            method: 'POST',
+            headers: this.headers(),
+            body: JSON.stringify(body),
+            signal: input.signal,
+        });
+        await this.assertOkOrThrow(res, 'create deployment');
+        const created = (await res.json());
+        if (!created.id) {
+            throw new GuardrailError(`Vercel returned no deployment id (got: ${JSON.stringify(created).slice(0, 200)})`, { code: 'adapter_bug', provider: 'vercel' });
+        }
+        // Phase 2: fire onDeployStart so callers (e.g. --watch) can subscribe
+        // to logs in parallel with polling. Wrap in try/catch — a buggy callback
+        // must not crash the deploy.
+        try {
+            input.onDeployStart?.(created.id);
+        }
+        catch {
+            /* swallow — observability concern only */
+        }
+        return this.pollUntilTerminal(created.id, start, input.signal);
+    }
+    async status(input) {
+        const start = this.now();
+        const url = this.urlWithTeam(`${VERCEL_API_BASE}/v13/deployments/${encodeURIComponent(input.deployId)}`);
+        const res = await this.fetchWithRetry(url, {
+            method: 'GET',
+            headers: this.headers(),
+            signal: input.signal,
+        });
+        await this.assertOkOrThrow(res, 'get deployment');
+        const data = (await res.json());
+        const state = data.readyState ?? data.state;
+        const result = this.shapeResult(input.deployId, data, state, this.now() - start);
+        return { ...result, deployId: input.deployId };
+    }
+    /**
+     * Phase 2 — subscribe to real-time build logs for a deployment.
+     *
+     * Streams `GET /v2/deployments/<id>/events?builds=1&follow=1` and yields a
+     * `DeployLogLine` for each `stdout` / `stderr` event. Lifecycle events
+     * (`state`, `complete`) are filtered out — the polling loop in `deploy()`
+     * already handles them. Malformed JSON lines are skipped silently rather
+     * than crashing a long-running stream.
+     *
+     * Cancellation: pass `input.signal`. Once aborted, the underlying fetch
+     * is torn down and the iterator returns.
+     */
+    async *streamLogs(input) {
+        const url = this.urlWithTeam(`${VERCEL_API_BASE}/v2/deployments/${encodeURIComponent(input.deployId)}/events?builds=1&follow=1`);
+        const res = await this.fetchEventsWithRetry(url, input.signal);
+        await this.assertOkOrThrow(res, 'stream logs');
+        if (!res.body) {
+            throw new GuardrailError(`Vercel events response had no body for ${input.deployId}`, { code: 'adapter_bug', provider: 'vercel' });
+        }
+        const reader = res.body.getReader();
+        const decoder = new TextDecoder('utf-8');
+        let buf = '';
+        try {
+            while (true) {
+                if (input.signal?.aborted)
+                    return;
+                const { done, value } = await reader.read();
+                if (done) {
+                    // Flush a trailing partial line if present.
+                    if (buf.length > 0) {
+                        const line = parseEventLine(buf);
+                        if (line)
+                            yield line;
+                    }
+                    return;
+                }
+                buf += decoder.decode(value, { stream: true });
+                let nl = buf.indexOf('\n');
+                while (nl !== -1) {
+                    const raw = buf.slice(0, nl);
+                    buf = buf.slice(nl + 1);
+                    const line = parseEventLine(raw);
+                    if (line)
+                        yield line;
+                    nl = buf.indexOf('\n');
+                }
+            }
+        }
+        finally {
+            try {
+                reader.releaseLock();
+            }
+            catch { /* ignore */ }
+        }
+    }
+    /**
+     * Phase 3 — promote a previously-built deployment to production.
+     *
+     * Two modes:
+     * - `input.to` set → promote that deploy ID directly. Cheapest path.
+     * - `input.to` omitted → look up the previous prod deploy via
+     *   `listDeployments(5)` and promote it. Throws `no_previous_deploy`
+     *   when there's nothing to roll back to (project with one deploy,
+     *   or every prior deploy is in ERROR/CANCELED state).
+     *
+     * Always-query is intentional: we never cache deploy IDs locally, so a
+     * promote performed from the Vercel dashboard between our deploy and
+     * our rollback is still observable.
+     */
+    async rollback(input) {
+        const start = this.now();
+        let targetId = input.to;
+        if (!targetId) {
+            const prev = await this.findPreviousProdDeployment(input.signal);
+            if (!prev) {
+                throw new GuardrailError(`No previous production deployment found for project "${this.project}" to roll back to`, { code: 'no_previous_deploy', provider: 'vercel' });
+            }
+            targetId = prev.id;
+        }
+        const url = this.urlWithTeam(`${VERCEL_API_BASE}/v13/deployments/${encodeURIComponent(targetId)}/promote`);
+        const res = await this.fetchWithRetry(url, {
+            method: 'POST',
+            headers: this.headers(),
+            body: '{}',
+            signal: input.signal,
+        });
+        await this.assertOkOrThrow(res, 'promote deployment');
+        // Promote responses are typically empty (204) or echo the deployment.
+        // Be defensive — parse if there's a body, otherwise carry on with the
+        // ID alone.
+        let data;
+        try {
+            data = (await res.json());
+        }
+        catch {
+            data = undefined;
+        }
+        return {
+            status: 'pass',
+            deployId: targetId,
+            rolledBackTo: targetId,
+            deployUrl: data?.url ? `https://${data.url}` : undefined,
+            buildLogsUrl: this.buildLogsUrl(targetId),
+            durationMs: this.now() - start,
+            output: `Vercel deployment ${targetId} promoted to production`,
+        };
+    }
+    /**
+     * Phase 3 — list recent production deployments for the configured
+     * project. Used by the `deploy status` CLI subcommand and by the
+     * `findPreviousProdDeployment()` helper backing `rollback()`.
+     *
+     * The list endpoint is `/v6/deployments` (v13 is for individual
+     * deployments). `target=production` filters out preview builds; `limit`
+     * caps the result set — Vercel returns newest-first so a small limit
+     * is sufficient for both rollback target detection and the CLI status
+     * display (defaults to 5).
+     */
+    async listDeployments(limit = 5, signal) {
+        const url = this.urlWithTeam(`${VERCEL_API_BASE}/v6/deployments` +
+            `?projectId=${encodeURIComponent(this.project)}` +
+            `&limit=${encodeURIComponent(String(limit))}` +
+            `&target=production`);
+        const res = await this.fetchWithRetry(url, {
+            method: 'GET',
+            headers: this.headers(),
+            signal,
+        });
+        await this.assertOkOrThrow(res, 'list deployments');
+        const data = (await res.json());
+        return Array.isArray(data.deployments) ? data.deployments : [];
+    }
+    // ─────────────────────────────────────────────────────────────────────────────
+    // private helpers
+    // ─────────────────────────────────────────────────────────────────────────────
+    /**
+     * Returns the deployment immediately preceding the current production
+     * deployment, or `null` if no rollback target exists.
+     *
+     * "Preceding" means: among deployments with `state === 'READY'` (so we
+     * never roll back to a known-broken build), sorted newest-first by
+     * `createdAt`, the second entry. The first entry is the current prod
+     * deploy and we drop it.
+     */
+    async findPreviousProdDeployment(signal) {
+        const items = await this.listDeployments(5, signal);
+        const ready = items.filter((d) => d.state === 'READY');
+        ready.sort((a, b) => (b.createdAt ?? 0) - (a.createdAt ?? 0));
+        if (ready.length < 2)
+            return null;
+        return ready[1] ?? null;
+    }
+    async pollUntilTerminal(deployId, start, signal) {
+        const url = this.urlWithTeam(`${VERCEL_API_BASE}/v13/deployments/${encodeURIComponent(deployId)}`);
+        while (true) {
+            if (signal?.aborted) {
+                return { status: 'in-progress', deployId, durationMs: this.now() - start };
+            }
+            if (this.now() - start > this.maxPollMs) {
+                return {
+                    status: 'in-progress',
+                    deployId,
+                    durationMs: this.now() - start,
+                    buildLogsUrl: this.buildLogsUrl(deployId),
+                    output: `Deployment still in progress after ${this.maxPollMs}ms — check ${this.buildLogsUrl(deployId)}`,
+                };
+            }
+            const res = await this.fetchWithRetry(url, {
+                method: 'GET',
+                headers: this.headers(),
+                signal,
+            });
+            await this.assertOkOrThrow(res, 'poll deployment');
+            const data = (await res.json());
+            const state = data.readyState ?? data.state;
+            if (state === 'READY' || state === 'ERROR' || state === 'CANCELED') {
+                return this.shapeResult(deployId, data, state, this.now() - start);
+            }
+            await this.sleep(this.pollIntervalMs);
+        }
+    }
+    shapeResult(deployId, data, state, durationMs) {
+        const status = state === 'READY' ? 'pass' : state === 'ERROR' || state === 'CANCELED' ? 'fail' : 'in-progress';
+        return {
+            status,
+            deployId,
+            deployUrl: data.url ? `https://${data.url}` : undefined,
+            buildLogsUrl: this.buildLogsUrl(deployId),
+            durationMs,
+            output: state ? `Vercel deployment ${deployId}: state=${state}` : undefined,
+        };
+    }
+    headers() {
+        return {
+            Authorization: `Bearer ${this.token}`,
+            'Content-Type': 'application/json',
+        };
+    }
+    urlWithTeam(base) {
+        if (!this.team)
+            return base;
+        const sep = base.includes('?') ? '&' : '?';
+        return `${base}${sep}teamId=${encodeURIComponent(this.team)}`;
+    }
+    buildLogsUrl(deployId) {
+        const teamSlug = this.team ?? 'me';
+        return `https://vercel.com/${encodeURIComponent(teamSlug)}/${encodeURIComponent(this.project)}/${encodeURIComponent(deployId)}`;
+    }
+    async assertOkOrThrow(res, step) {
+        if (res.ok)
+            return;
+        const bodyText = await safeReadBody(res);
+        if (res.status === 401 || res.status === 403) {
+            throw new GuardrailError(`Vercel auth failed (${res.status}) on ${step} — check VERCEL_TOKEN scope for project "${this.project}"${this.team ? ` (team ${this.team})` : ''}: ${bodyText}`, { code: 'auth', provider: 'vercel', step, details: { status: res.status } });
+        }
+        if (res.status === 404) {
+            throw new GuardrailError(`Vercel project "${this.project}" not found (${res.status}) on ${step}: ${bodyText}`, { code: 'invalid_config', provider: 'vercel', step, details: { status: res.status } });
+        }
+        throw new GuardrailError(`Vercel API error (${res.status}) on ${step}: ${bodyText}`, { code: 'adapter_bug', provider: 'vercel', step, details: { status: res.status } });
+    }
+    async fetchWithRetry(url, init, attempts = 3, baseMs = 500) {
+        let lastErr;
+        for (let i = 0; i < attempts; i++) {
+            try {
+                const res = await this.fetchImpl(url, init);
+                // 5xx is transient — retry. 4xx is the caller's problem — fail fast.
+                if (res.status >= 500 && res.status < 600 && i < attempts - 1) {
+                    lastErr = new Error(`HTTP ${res.status}`);
+                    await this.sleep(baseMs * 2 ** i);
+                    continue;
+                }
+                return res;
+            }
+            catch (err) {
+                lastErr = err;
+                // AbortError is intentional cancellation — surface it directly without retry.
+                if (err instanceof Error && err.name === 'AbortError')
+                    throw err;
+                if (i < attempts - 1) {
+                    await this.sleep(baseMs * 2 ** i);
+                    continue;
+                }
+            }
+        }
+        throw new GuardrailError(`Vercel API unreachable after ${attempts} attempts: ${lastErr?.message ?? String(lastErr)}`, { code: 'transient_network', provider: 'vercel' });
+    }
+    /**
+     * Like `fetchWithRetry` but tuned for the events endpoint:
+     * - 404 right after a deploy POST is a known race (the deploy hasn't yet
+     *   propagated to the events service). Retry up to N times with backoff.
+     * - 5xx behaves the same as `fetchWithRetry`.
+     * - Cancels cleanly on AbortError.
+     * - Returns the last `Response` so the caller can `assertOkOrThrow` on a
+     *   final non-OK status (e.g. 401 still bubbles immediately on attempt 1).
+     */
+    async fetchEventsWithRetry(url, signal, attempts = 3, baseMs = 500) {
+        let lastRes;
+        for (let i = 0; i < attempts; i++) {
+            let res;
+            try {
+                res = await this.fetchImpl(url, {
+                    method: 'GET',
+                    headers: { ...this.headers(), Accept: 'text/event-stream' },
+                    signal,
+                });
+            }
+            catch (err) {
+                if (err instanceof Error && err.name === 'AbortError')
+                    throw err;
+                if (i < attempts - 1) {
+                    await this.sleep(baseMs * 2 ** i);
+                    continue;
+                }
+                throw new GuardrailError(`Vercel events endpoint unreachable after ${attempts} attempts: ${err?.message ?? String(err)}`, { code: 'transient_network', provider: 'vercel' });
+            }
+            lastRes = res;
+            // 404 after create-deployment is the known race — retry.
+            if (res.status === 404 && i < attempts - 1) {
+                await this.sleep(baseMs * 2 ** i);
+                continue;
+            }
+            // 5xx is transient — retry.
+            if (res.status >= 500 && res.status < 600 && i < attempts - 1) {
+                await this.sleep(baseMs * 2 ** i);
+                continue;
+            }
+            return res;
+        }
+        return lastRes;
+    }
+}
+async function safeReadBody(res) {
+    try {
+        return (await res.text()).slice(0, 500);
+    }
+    catch {
+        return '<no body>';
+    }
+}
+/**
+ * Parse a single line from Vercel's events endpoint into a `DeployLogLine`.
+ *
+ * Accepts both raw NDJSON and classic SSE `data: {...}` lines. Returns
+ * `null` for events we don't surface (state changes, completes, heartbeats,
+ * and any line that fails to JSON-parse) — silently skipping a malformed
+ * event is preferable to crashing a long-running stream.
+ */
+function parseEventLine(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed)
+        return null;
+    // SSE comment / heartbeat lines start with ':'
+    if (trimmed.startsWith(':'))
+        return null;
+    // SSE event/id/retry lines — not data, skip
+    if (trimmed.startsWith('event:') || trimmed.startsWith('id:') || trimmed.startsWith('retry:'))
+        return null;
+    // Strip 'data: ' prefix if present (classic SSE)
+    const jsonPart = trimmed.startsWith('data:') ? trimmed.slice(5).trim() : trimmed;
+    if (!jsonPart)
+        return null;
+    let parsed;
+    try {
+        parsed = JSON.parse(jsonPart);
+    }
+    catch {
+        return null;
+    }
+    if (typeof parsed !== 'object' || parsed === null)
+        return null;
+    const ev = parsed;
+    // Only surface log-bearing event types. Vercel emits 'stdout'/'stderr' for
+    // build output; 'state'/'complete'/etc. are deploy lifecycle events that
+    // the polling loop already handles.
+    if (ev.type !== 'stdout' && ev.type !== 'stderr')
+        return null;
+    const text = typeof ev.payload?.text === 'string' ? ev.payload.text : '';
+    if (!text)
+        return null;
+    const ts = typeof ev.created === 'number' ? ev.created : typeof ev.date === 'number' ? ev.date : Date.now();
+    return { timestamp: ts, level: ev.type, text };
+}
+//# sourceMappingURL=vercel.js.map

package/dist/src/adapters/review-engine/claude.js

@@ -1,7 +1,7 @@
-import Anthropic from '@anthropic-ai/sdk';
 import { GuardrailError } from "../../core/errors.js";
 import { parseReviewOutput } from "./parse-output.js";
 import { buildSystemPrompt, classifyError } from "./prompt-builder.js";
+import { loadAnthropic } from "../sdk-loader.js";
 const DEFAULT_MODEL = 'claude-opus-4-7';
 const MAX_OUTPUT_TOKENS = 4096;
 // Cost per million tokens (USD) — opus-4-7 pricing
@@ -47,6 +47,7 @@ export const claudeAdapter = {
         }
         const model = input.context?.['model'] ?? DEFAULT_MODEL;
         const systemPrompt = buildSystemPrompt(input, SYSTEM_PROMPT_TEMPLATE);
+        const Anthropic = await loadAnthropic();
         const client = new Anthropic({ apiKey });
         let response;
         try {

package/dist/src/adapters/review-engine/codex.js

@@ -1,7 +1,7 @@
-import OpenAI from 'openai';
 import { parseReviewOutput } from "./parse-output.js";
 import { GuardrailError } from "../../core/errors.js";
 import { buildSystemPrompt, classifyError } from "./prompt-builder.js";
+import { loadOpenAI } from "../sdk-loader.js";
 const DEFAULT_MODEL = process.env.CODEX_MODEL ?? 'gpt-5.3-codex';
 const MAX_OUTPUT_TOKENS = 4096;
 // Per-million-token rates for gpt-5.3-codex (override via env for other models).
@@ -48,6 +48,7 @@ export const codexAdapter = {
             throw new GuardrailError('OPENAI_API_KEY not set', { code: 'auth', provider: 'codex' });
         }
         const systemPrompt = buildSystemPrompt(input, SYSTEM_PROMPT_TEMPLATE);
+        const OpenAI = await loadOpenAI();
         const client = new OpenAI({ apiKey });
         let response;
         try {

package/dist/src/adapters/review-engine/gemini.js

@@ -1,7 +1,7 @@
-import { GoogleGenerativeAI } from '@google/generative-ai';
 import { parseReviewOutput } from "./parse-output.js";
 import { GuardrailError } from "../../core/errors.js";
 import { buildSystemPrompt, classifyError } from "./prompt-builder.js";
+import { loadGoogleGenerativeAI } from "../sdk-loader.js";
 const DEFAULT_MODEL = 'gemini-2.5-pro-preview-05-06';
 const MAX_OUTPUT_TOKENS = 4096;
 // Cost per million tokens (USD) — gemini-2.5-pro pricing (<200k context)
@@ -55,6 +55,7 @@ export const geminiAdapter = {
         }
         const model = input.context?.['model'] ?? DEFAULT_MODEL;
         const prompt = buildSystemPrompt(input, PROMPT_TEMPLATE).replace('{CONTENT}', input.content);
+        const GoogleGenerativeAI = await loadGoogleGenerativeAI();
         const genAI = new GoogleGenerativeAI(apiKey);
         const genModel = genAI.getGenerativeModel({
             model,

package/dist/src/adapters/review-engine/openai-compatible.js

@@ -1,7 +1,7 @@
-import OpenAI from 'openai';
 import { parseReviewOutput } from "./parse-output.js";
 import { GuardrailError } from "../../core/errors.js";
 import { buildSystemPrompt, classifyError } from "./prompt-builder.js";
+import { loadOpenAI } from "../sdk-loader.js";
 const MAX_OUTPUT_TOKENS = 4096;
 const SYSTEM_PROMPT_TEMPLATE = `You are a senior software architect reviewing code changes for quality, security, and correctness.
 
@@ -49,6 +49,7 @@ export const openaiCompatibleAdapter = {
             throw new GuardrailError('openai-compatible adapter requires options.model to be set in guardrail.config.yaml', { code: 'invalid_config', provider: 'openai-compatible' });
         }
         const systemPrompt = buildSystemPrompt(input, SYSTEM_PROMPT_TEMPLATE);
+        const OpenAI = await loadOpenAI();
         const client = new OpenAI({ apiKey, ...(baseURL ? { baseURL } : {}) });
         let response;
         try {

package/dist/src/adapters/sdk-loader.d.ts

@@ -0,0 +1,15 @@
+import type AnthropicNS from '@anthropic-ai/sdk';
+import type OpenAINS from 'openai';
+import type { GoogleGenerativeAI as GoogleGenAINS } from '@google/generative-ai';
+type AnthropicCtor = typeof AnthropicNS;
+type OpenAICtor = typeof OpenAINS;
+type GoogleGenerativeAICtor = typeof GoogleGenAINS;
+export declare function loadAnthropic(): Promise<AnthropicCtor>;
+export declare function loadOpenAI(): Promise<OpenAICtor>;
+export declare function loadGoogleGenerativeAI(): Promise<GoogleGenerativeAICtor>;
+/**
+ * Quick non-throwing check — used by `doctor` to report install state.
+ */
+export declare function isSdkInstalled(pkg: string): Promise<boolean>;
+export {};
+//# sourceMappingURL=sdk-loader.d.ts.map