npm - @f5xc-salesdemos/xcsh - Versions diffs - 17.1.3 → 17.1.4 - Mend

@f5xc-salesdemos/xcsh 17.1.3 → 17.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +7 -7
package/src/config/auto-config.ts +62 -11
package/src/config/model-registry.ts +15 -1
package/src/modes/components/welcome-checks.ts +5 -0

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@f5xc-salesdemos/xcsh",
-	"version": "17.1.3",
+	"version": "17.1.4",
 	"description": "Coding agent CLI with read, bash, edit, write tools and session management",
 	"homepage": "https://github.com/f5xc-salesdemos/xcsh",
 	"author": "Can Boluk",
@@ -46,12 +46,12 @@
 	"dependencies": {
 		"@agentclientprotocol/sdk": "0.16.1",
 		"@mozilla/readability": "^0.6",
-		"@f5xc-salesdemos/xcsh-stats": "17.1.3",
-		"@f5xc-salesdemos/pi-agent-core": "17.1.3",
-		"@f5xc-salesdemos/pi-ai": "17.1.3",
-		"@f5xc-salesdemos/pi-natives": "17.1.3",
-		"@f5xc-salesdemos/pi-tui": "17.1.3",
-		"@f5xc-salesdemos/pi-utils": "17.1.3",
+		"@f5xc-salesdemos/xcsh-stats": "17.1.4",
+		"@f5xc-salesdemos/pi-agent-core": "17.1.4",
+		"@f5xc-salesdemos/pi-ai": "17.1.4",
+		"@f5xc-salesdemos/pi-natives": "17.1.4",
+		"@f5xc-salesdemos/pi-tui": "17.1.4",
+		"@f5xc-salesdemos/pi-utils": "17.1.4",
 		"@sinclair/typebox": "^0.34",
 		"@xterm/headless": "^6.0",
 		"ajv": "^8.18",

package/src/config/auto-config.ts CHANGED Viewed

@@ -199,6 +199,35 @@ export function healConfigYmlModelRoles(configPath: string): void {
 // Backup
 // ---------------------------------------------------------------------------
+/**
+ * Extract a quoted literal API key from an existing models.yml file.
+ * Only looks within the anthropic or litellm provider blocks to avoid
+ * accidentally picking up keys from unrelated providers.
+ * Returns undefined if the file uses an env var reference (unquoted) or doesn't exist.
+ */
+export function readApiKeyLiteral(modelsPath: string): string | undefined {
+	try {
+		const content = fs.readFileSync(modelsPath, "utf-8");
+		const lines = content.split("\n");
+		let inTargetBlock = false;
+		for (const line of lines) {
+			if (/^\s{2}(?:anthropic|litellm)\s*:/.test(line)) {
+				inTargetBlock = true;
+				continue;
+			}
+			if (inTargetBlock && /^\s{2}\S/.test(line)) {
+				inTargetBlock = false;
+			}
+			if (inTargetBlock) {
+				const match = line.match(/^\s+apiKey:\s*"([^"]+)"/);
+				if (match) return match[1].replace(/\\"/g, '"').replace(/\\\\/g, "\\");
+			}
+		}
+	} catch {}
+	return undefined;
+}
 /** Create a .bak backup of a file if it exists. Returns true if backed up. */
 function backupIfExists(filePath: string): boolean {
 	try {
@@ -481,9 +510,18 @@ export function autoFixModelsConfig(modelsPath: string): FixResult {
 		return { fixed: false, changes: ["Cannot fix: LITELLM_BASE_URL is invalid"] };
 	}
+	const existingLiteralKey = readApiKeyLiteral(modelsPath);
 	backupIfExists(modelsPath);
-	if (!safeWrite(modelsPath, generateModelsYml(baseUrl))) {
+	if (
+		!safeWrite(
+			modelsPath,
+			generateModelsYml(baseUrl, {
+				...(existingLiteralKey ? { apiKeyLiteral: existingLiteralKey } : {}),
+			}),
+		)
+	) {
 		return { fixed: false, changes: [`Write failed: could not write to ${modelsPath}`] };
 	}
@@ -538,13 +576,13 @@ export function startupHealthCheck(
 		const expectedUrl = `${envBaseUrl}/anthropic`;
 		if (anthropicConfig.baseUrl !== expectedUrl) {
-			// Only auto-fix configs that were generated by xcsh (they contain the
-			// literal string "apiKey: LITELLM_API_KEY"). User-written configs with a
-			// custom proxy URL must never be silently overwritten.
+			// Only auto-fix configs that were generated by xcsh. User-written configs
+			// with a custom proxy URL must never be silently overwritten.
+			// Recognize both env-var-ref configs and literal-key configs as auto-generated.
 			let isAutoGenerated = false;
 			try {
 				const content = fs.readFileSync(modelsPath, "utf-8");
-				isAutoGenerated = content.includes("apiKey: LITELLM_API_KEY");
+				isAutoGenerated = content.includes("Auto-generated by xcsh") || content.includes("apiKey: LITELLM_API_KEY");
 			} catch {
 				// File unreadable — skip, don't block startup
 			}
@@ -608,10 +646,18 @@ export async function probeAndUpgradeLiteLLMConfig(
 	modelsPath: string,
 	options?: { fetch?: typeof globalThis.fetch },
 ): Promise<boolean> {
-	if (!hasLiteLLMEnv()) return false;
+	// Try env vars first; fall back to literal key stored in the config
+	let baseUrl = getLiteLLMBaseUrl();
+	let apiKey = $env.LITELLM_API_KEY?.trim();
+	if (!baseUrl || !apiKey) {
+		const existing = readLiteLLMConfig(modelsPath);
+		if (existing) {
+			baseUrl = baseUrl || existing.baseUrl;
+			apiKey = apiKey || existing.apiKey;
+		}
+	}
-	const baseUrl = getLiteLLMBaseUrl();
-	const apiKey = $env.LITELLM_API_KEY?.trim();
 	if (!baseUrl || !apiKey) return false;
 	let content: string;
@@ -624,7 +670,8 @@ export async function probeAndUpgradeLiteLLMConfig(
 	// Only upgrade configs that were auto-generated by xcsh. User-written configs
 	// with custom proxy URLs must never be silently overwritten by LiteLLM probing.
-	if (!content.includes("apiKey: LITELLM_API_KEY")) {
+	// Recognize both env-var-ref configs and literal-key configs as auto-generated.
+	if (!content.includes("Auto-generated by xcsh") && !content.includes("apiKey: LITELLM_API_KEY")) {
 		return false;
 	}
@@ -650,9 +697,13 @@ export async function probeAndUpgradeLiteLLMConfig(
 		return false; // Already correct
 	}
-	// Upgrade: backup and regenerate with correct base path
+	// Upgrade: backup and regenerate with correct base path, preserving literal keys
+	const existingLiteralKey = readApiKeyLiteral(modelsPath);
 	backupIfExists(modelsPath);
-	const newContent = generateModelsYml(baseUrl, { apiBasePath: probe.apiBasePath });
+	const newContent = generateModelsYml(baseUrl, {
+		apiBasePath: probe.apiBasePath,
+		...(existingLiteralKey ? { apiKeyLiteral: existingLiteralKey } : {}),
+	});
 	if (!safeWrite(modelsPath, newContent)) {
 		return false;
 	}

package/src/config/model-registry.ts CHANGED Viewed

@@ -461,12 +461,26 @@ type LlamaCppDiscoveredServerMetadata = {
  * Resolve an API key config value to an actual key.
  * Checks environment variable first, then treats as literal.
  */
-function resolveApiKeyConfig(keyConfig: string): string | undefined {
+export function resolveApiKeyConfig(keyConfig: string): string | undefined {
 	const envValue = Bun.env[keyConfig];
 	if (envValue) return envValue;
 	return keyConfig;
 }
+const ENV_VAR_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z][A-Z0-9]*)+$/;
+/**
+ * Resolve an API key that came from YAML config (models.yml).
+ * Unlike resolveApiKeyConfig, this returns undefined for unresolved env var
+ * names to prevent sending literal names like "LITELLM_API_KEY" as Bearer tokens.
+ */
+export function resolveYamlApiKeyConfig(keyConfig: string): string | undefined {
+	const envValue = Bun.env[keyConfig];
+	if (envValue) return envValue;
+	if (ENV_VAR_NAME_RE.test(keyConfig)) return undefined;
+	return keyConfig;
+}
 function toPositiveNumberOrUndefined(value: unknown): number | undefined {
 	if (typeof value === "number" && Number.isFinite(value) && value > 0) {
 		return value;

package/src/modes/components/welcome-checks.ts CHANGED Viewed

@@ -67,6 +67,11 @@ async function validateModelConnection(model: Model | undefined, authStorage: Au
 			return { state: "auth_error", provider };
 		}
+		// Detect unresolved env var names (e.g. "LITELLM_API_KEY" sent as literal)
+		if (/^[A-Z][A-Z0-9]*(?:_[A-Z][A-Z0-9]*)+$/.test(rawApiKey)) {
+			return { state: "auth_error", provider };
+		}
 		const baseUrl = model?.baseUrl;
 		if (!baseUrl) {
 			return { state: "auth_error", provider };