@f5xc-salesdemos/xcsh 17.1.3 → 17.2.0

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@f5xc-salesdemos/xcsh",
-	"version": "17.1.3",
+	"version": "17.2.0",
 	"description": "Coding agent CLI with read, bash, edit, write tools and session management",
 	"homepage": "https://github.com/f5xc-salesdemos/xcsh",
 	"author": "Can Boluk",
@@ -46,12 +46,12 @@
 	"dependencies": {
 		"@agentclientprotocol/sdk": "0.16.1",
 		"@mozilla/readability": "^0.6",
-		"@f5xc-salesdemos/xcsh-stats": "17.1.3",
-		"@f5xc-salesdemos/pi-agent-core": "17.1.3",
-		"@f5xc-salesdemos/pi-ai": "17.1.3",
-		"@f5xc-salesdemos/pi-natives": "17.1.3",
-		"@f5xc-salesdemos/pi-tui": "17.1.3",
-		"@f5xc-salesdemos/pi-utils": "17.1.3",
+		"@f5xc-salesdemos/xcsh-stats": "17.2.0",
+		"@f5xc-salesdemos/pi-agent-core": "17.2.0",
+		"@f5xc-salesdemos/pi-ai": "17.2.0",
+		"@f5xc-salesdemos/pi-natives": "17.2.0",
+		"@f5xc-salesdemos/pi-tui": "17.2.0",
+		"@f5xc-salesdemos/pi-utils": "17.2.0",
 		"@sinclair/typebox": "^0.34",
 		"@xterm/headless": "^6.0",
 		"ajv": "^8.18",

package/src/config/auto-config.ts

@@ -199,6 +199,35 @@ export function healConfigYmlModelRoles(configPath: string): void {
 // Backup
 // ---------------------------------------------------------------------------
 
+/**
+ * Extract a quoted literal API key from an existing models.yml file.
+ * Only looks within the anthropic or litellm provider blocks to avoid
+ * accidentally picking up keys from unrelated providers.
+ * Returns undefined if the file uses an env var reference (unquoted) or doesn't exist.
+ */
+export function readApiKeyLiteral(modelsPath: string): string | undefined {
+	try {
+		const content = fs.readFileSync(modelsPath, "utf-8");
+		const lines = content.split("\n");
+		let inTargetBlock = false;
+
+		for (const line of lines) {
+			if (/^\s{2}(?:anthropic|litellm)\s*:/.test(line)) {
+				inTargetBlock = true;
+				continue;
+			}
+			if (inTargetBlock && /^\s{2}\S/.test(line)) {
+				inTargetBlock = false;
+			}
+			if (inTargetBlock) {
+				const match = line.match(/^\s+apiKey:\s*"([^"]+)"/);
+				if (match) return match[1].replace(/\\"/g, '"').replace(/\\\\/g, "\\");
+			}
+		}
+	} catch {}
+	return undefined;
+}
+
 /** Create a .bak backup of a file if it exists. Returns true if backed up. */
 function backupIfExists(filePath: string): boolean {
 	try {
@@ -481,9 +510,18 @@ export function autoFixModelsConfig(modelsPath: string): FixResult {
 		return { fixed: false, changes: ["Cannot fix: LITELLM_BASE_URL is invalid"] };
 	}
 
+	const existingLiteralKey = readApiKeyLiteral(modelsPath);
+
 	backupIfExists(modelsPath);
 
-	if (!safeWrite(modelsPath, generateModelsYml(baseUrl))) {
+	if (
+		!safeWrite(
+			modelsPath,
+			generateModelsYml(baseUrl, {
+				...(existingLiteralKey ? { apiKeyLiteral: existingLiteralKey } : {}),
+			}),
+		)
+	) {
 		return { fixed: false, changes: [`Write failed: could not write to ${modelsPath}`] };
 	}
 
@@ -538,13 +576,13 @@ export function startupHealthCheck(
 
 		const expectedUrl = `${envBaseUrl}/anthropic`;
 		if (anthropicConfig.baseUrl !== expectedUrl) {
-			// Only auto-fix configs that were generated by xcsh (they contain the
-			// literal string "apiKey: LITELLM_API_KEY"). User-written configs with a
-			// custom proxy URL must never be silently overwritten.
+			// Only auto-fix configs that were generated by xcsh. User-written configs
+			// with a custom proxy URL must never be silently overwritten.
+			// Recognize both env-var-ref configs and literal-key configs as auto-generated.
 			let isAutoGenerated = false;
 			try {
 				const content = fs.readFileSync(modelsPath, "utf-8");
-				isAutoGenerated = content.includes("apiKey: LITELLM_API_KEY");
+				isAutoGenerated = content.includes("Auto-generated by xcsh") || content.includes("apiKey: LITELLM_API_KEY");
 			} catch {
 				// File unreadable — skip, don't block startup
 			}
@@ -608,10 +646,18 @@ export async function probeAndUpgradeLiteLLMConfig(
 	modelsPath: string,
 	options?: { fetch?: typeof globalThis.fetch },
 ): Promise<boolean> {
-	if (!hasLiteLLMEnv()) return false;
+	// Try env vars first; fall back to literal key stored in the config
+	let baseUrl = getLiteLLMBaseUrl();
+	let apiKey = $env.LITELLM_API_KEY?.trim();
+
+	if (!baseUrl || !apiKey) {
+		const existing = readLiteLLMConfig(modelsPath);
+		if (existing) {
+			baseUrl = baseUrl || existing.baseUrl;
+			apiKey = apiKey || existing.apiKey;
+		}
+	}
 
-	const baseUrl = getLiteLLMBaseUrl();
-	const apiKey = $env.LITELLM_API_KEY?.trim();
 	if (!baseUrl || !apiKey) return false;
 
 	let content: string;
@@ -624,7 +670,8 @@ export async function probeAndUpgradeLiteLLMConfig(
 
 	// Only upgrade configs that were auto-generated by xcsh. User-written configs
 	// with custom proxy URLs must never be silently overwritten by LiteLLM probing.
-	if (!content.includes("apiKey: LITELLM_API_KEY")) {
+	// Recognize both env-var-ref configs and literal-key configs as auto-generated.
+	if (!content.includes("Auto-generated by xcsh") && !content.includes("apiKey: LITELLM_API_KEY")) {
 		return false;
 	}
 
@@ -650,9 +697,13 @@ export async function probeAndUpgradeLiteLLMConfig(
 		return false; // Already correct
 	}
 
-	// Upgrade: backup and regenerate with correct base path
+	// Upgrade: backup and regenerate with correct base path, preserving literal keys
+	const existingLiteralKey = readApiKeyLiteral(modelsPath);
 	backupIfExists(modelsPath);
-	const newContent = generateModelsYml(baseUrl, { apiBasePath: probe.apiBasePath });
+	const newContent = generateModelsYml(baseUrl, {
+		apiBasePath: probe.apiBasePath,
+		...(existingLiteralKey ? { apiKeyLiteral: existingLiteralKey } : {}),
+	});
 	if (!safeWrite(modelsPath, newContent)) {
 		return false;
 	}

package/src/config/model-registry.ts

@@ -461,12 +461,26 @@ type LlamaCppDiscoveredServerMetadata = {
  * Resolve an API key config value to an actual key.
  * Checks environment variable first, then treats as literal.
  */
-function resolveApiKeyConfig(keyConfig: string): string | undefined {
+export function resolveApiKeyConfig(keyConfig: string): string | undefined {
 	const envValue = Bun.env[keyConfig];
 	if (envValue) return envValue;
 	return keyConfig;
 }
 
+const ENV_VAR_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z][A-Z0-9]*)+$/;
+
+/**
+ * Resolve an API key that came from YAML config (models.yml).
+ * Unlike resolveApiKeyConfig, this returns undefined for unresolved env var
+ * names to prevent sending literal names like "LITELLM_API_KEY" as Bearer tokens.
+ */
+export function resolveYamlApiKeyConfig(keyConfig: string): string | undefined {
+	const envValue = Bun.env[keyConfig];
+	if (envValue) return envValue;
+	if (ENV_VAR_NAME_RE.test(keyConfig)) return undefined;
+	return keyConfig;
+}
+
 function toPositiveNumberOrUndefined(value: unknown): number | undefined {
 	if (typeof value === "number" && Number.isFinite(value) && value > 0) {
 		return value;

package/src/modes/components/welcome-checks.ts

@@ -67,6 +67,11 @@ async function validateModelConnection(model: Model | undefined, authStorage: Au
 			return { state: "auth_error", provider };
 		}
 
+		// Detect unresolved env var names (e.g. "LITELLM_API_KEY" sent as literal)
+		if (/^[A-Z][A-Z0-9]*(?:_[A-Z][A-Z0-9]*)+$/.test(rawApiKey)) {
+			return { state: "auth_error", provider };
+		}
+
 		const baseUrl = model?.baseUrl;
 		if (!baseUrl) {
 			return { state: "auth_error", provider };

package/src/prompts/system/system-prompt.md

@@ -114,7 +114,7 @@ happens under load, in a degraded state, or with an adversarial payload?"
 
 <stakes>
 The operator works in live infrastructure. Routing changes, firewall rules, TLS configurations,
-API deployments, traffic policies... Misconfigurations → outages, security exposures, or
+API deployments, traffic policies… Misconfigurations → outages, security exposures, or
 systems that fail under adversarial conditions.
 - You **MUST NOT** yield incomplete or unvalidated configurations.
 - You **MUST** only recommend operations and configurations you can defend.
@@ -322,7 +322,6 @@ These are inviolable. Violation is system failure.
 
 Configuration integrity means infrastructure tells the truth about what is actually deployed.
 Every stale config left in IaC without a corresponding live object is a lie to the next operator.
-
 - **The unit of change is the infrastructure decision, not the ticket.** When topology changes,
   every dependent config, policy reference, and IaC file changes in the same commit. Work is
   complete when the configuration is coherent, not when the API accepts it.

package/src/web/search/index.ts

@@ -38,6 +38,21 @@ export const webSearchSchema = Type.Object({
 	max_tokens: Type.Optional(Type.Number({ description: "Maximum output tokens" })),
 	temperature: Type.Optional(Type.Number({ description: "Sampling temperature" })),
 	num_search_results: Type.Optional(Type.Number({ description: "Number of search results to retrieve" })),
+	allowed_domains: Type.Optional(Type.Array(Type.String(), { description: "Only return results from these domains" })),
+	blocked_domains: Type.Optional(Type.Array(Type.String(), { description: "Exclude results from these domains" })),
+	max_uses: Type.Optional(Type.Number({ description: "Maximum number of web searches per request" })),
+	user_location: Type.Optional(
+		Type.Object(
+			{
+				type: Type.Literal("approximate"),
+				city: Type.Optional(Type.String()),
+				region: Type.Optional(Type.String()),
+				country: Type.Optional(Type.String()),
+				timezone: Type.Optional(Type.String()),
+			},
+			{ description: "Approximate user location for localized results" },
+		),
+	),
 });
 
 export type SearchToolParams = {
@@ -50,6 +65,16 @@ export type SearchToolParams = {
 	temperature?: number;
 	/** Number of search results to retrieve. Defaults to 10. */
 	num_search_results?: number;
+	allowed_domains?: string[];
+	blocked_domains?: string[];
+	max_uses?: number;
+	user_location?: {
+		type: "approximate";
+		city?: string;
+		region?: string;
+		country?: string;
+		timezone?: string;
+	};
 };
 
 export interface SearchQueryParams extends SearchToolParams {
@@ -143,10 +168,13 @@ async function executeSearch(
 	_toolCallId: string,
 	params: SearchQueryParams,
 ): Promise<{ content: Array<{ type: "text"; text: string }>; details: SearchRenderDetails }> {
+	const hasDomainFilter = params.allowed_domains?.length || params.blocked_domains?.length;
+	const effectiveProvider =
+		hasDomainFilter && (!params.provider || params.provider === "auto") ? "anthropic" : params.provider;
 	const providers =
-		params.provider && params.provider !== "auto"
-			? (await getSearchProvider(params.provider).isAvailable())
-				? [getSearchProvider(params.provider)]
+		effectiveProvider && effectiveProvider !== "auto"
+			? (await getSearchProvider(effectiveProvider).isAvailable())
+				? [getSearchProvider(effectiveProvider)]
 				: await resolveProviderChain("auto")
 			: await resolveProviderChain();
 	if (providers.length === 0) {
@@ -171,6 +199,10 @@ async function executeSearch(
 				maxOutputTokens: params.max_tokens,
 				numSearchResults: params.num_search_results,
 				temperature: params.temperature,
+				allowedDomains: params.allowed_domains,
+				blockedDomains: params.blocked_domains,
+				maxUses: params.max_uses,
+				userLocation: params.user_location,
 			});
 
 			const text = formatForLLM(response);

package/src/web/search/providers/anthropic.ts

@@ -30,6 +30,14 @@ const DEFAULT_MAX_TOKENS = 4096;
 const WEB_SEARCH_TOOL_NAME = "web_search";
 const WEB_SEARCH_TOOL_TYPE = "web_search_20250305";
 
+export interface AnthropicUserLocation {
+	type: "approximate";
+	city?: string;
+	region?: string;
+	country?: string;
+	timezone?: string;
+}
+
 export interface AnthropicSearchParams {
 	query: string;
 	system_prompt?: string;
@@ -38,6 +46,31 @@ export interface AnthropicSearchParams {
 	max_tokens?: number;
 	/** Sampling temperature (0–1). Lower = more focused/factual. */
 	temperature?: number;
+	allowed_domains?: string[];
+	blocked_domains?: string[];
+	max_uses?: number;
+	user_location?: AnthropicUserLocation;
+}
+
+interface WebSearchToolConfig {
+	allowed_domains?: string[];
+	blocked_domains?: string[];
+	max_uses?: number;
+	user_location?: AnthropicUserLocation;
+}
+
+export function extractSiteOperators(query: string): { cleanQuery: string; domains: string[] } {
+	const sitePattern = /\bsite:(\S+)/gi;
+	const domains: string[] = [];
+	const cleanQuery = query
+		.replace(sitePattern, (_, domain) => {
+			domains.push(domain);
+			return "";
+		})
+		.replace(/\s{2,}/g, " ")
+		.trim();
+	const fallback = domains.length > 0 ? domains.join(" ") : query;
+	return { cleanQuery: cleanQuery || fallback, domains };
 }
 
 /**
@@ -86,22 +119,27 @@ async function callSearch(
 	systemPrompt?: string,
 	maxTokens?: number,
 	temperature?: number,
+	toolConfig?: WebSearchToolConfig,
 ): Promise<AnthropicApiResponse> {
 	const url = buildAnthropicUrl(auth);
 	const headers = buildAnthropicSearchHeaders(auth);
 
 	const systemBlocks = buildSystemBlocks(auth, model, systemPrompt);
 
+	const tool: Record<string, unknown> = {
+		type: WEB_SEARCH_TOOL_TYPE,
+		name: WEB_SEARCH_TOOL_NAME,
+	};
+	if (toolConfig?.allowed_domains?.length) tool.allowed_domains = toolConfig.allowed_domains;
+	if (toolConfig?.blocked_domains?.length) tool.blocked_domains = toolConfig.blocked_domains;
+	if (toolConfig?.max_uses) tool.max_uses = toolConfig.max_uses;
+	if (toolConfig?.user_location) tool.user_location = toolConfig.user_location;
+
 	const body: Record<string, unknown> = {
 		model,
 		max_tokens: maxTokens ?? DEFAULT_MAX_TOKENS,
 		messages: [{ role: "user", content: query }],
-		tools: [
-			{
-				type: WEB_SEARCH_TOOL_TYPE,
-				name: WEB_SEARCH_TOOL_NAME,
-			},
-		],
+		tools: [tool],
 	};
 
 	if (temperature !== undefined) {
@@ -246,13 +284,23 @@ export async function searchAnthropic(params: AnthropicSearchParams): Promise<Se
 	}
 
 	const model = getModel();
+
+	const { cleanQuery, domains: siteDomains } = extractSiteOperators(params.query);
+	const allAllowedDomains = [...(params.allowed_domains ?? []), ...siteDomains];
+
 	const response = await callSearch(
 		auth,
 		model,
-		params.query,
+		cleanQuery,
 		params.system_prompt,
 		params.max_tokens,
 		params.temperature,
+		{
+			allowed_domains: allAllowedDomains.length > 0 ? allAllowedDomains : undefined,
+			blocked_domains: params.blocked_domains,
+			max_uses: params.max_uses,
+			user_location: params.user_location,
+		},
 	);
 
 	const result = parseResponse(response);
@@ -281,6 +329,10 @@ export class AnthropicProvider extends SearchProvider {
 			num_results: params.numSearchResults ?? params.limit,
 			max_tokens: params.maxOutputTokens,
 			temperature: params.temperature,
+			allowed_domains: params.allowedDomains,
+			blocked_domains: params.blockedDomains,
+			max_uses: params.maxUses,
+			user_location: params.userLocation,
 		});
 	}
 }

package/src/web/search/providers/base.ts

@@ -10,6 +10,16 @@ export interface SearchParams {
 	maxOutputTokens?: number;
 	numSearchResults?: number;
 	temperature?: number;
+	allowedDomains?: string[];
+	blockedDomains?: string[];
+	maxUses?: number;
+	userLocation?: {
+		type: "approximate";
+		city?: string;
+		region?: string;
+		country?: string;
+		timezone?: string;
+	};
 	googleSearch?: Record<string, unknown>;
 	codeExecution?: Record<string, unknown>;
 	urlContext?: Record<string, unknown>;