@fro.bot/systematic 2.10.0 → 2.12.0

package/dist/index.js

@@ -1,18 +1,19 @@
 // @bun
 import {
+  AgentOverlaySchema,
+  CategoryOverlaySchema,
+  assertSourceCategoryModelDefaults,
   convertFileWithCache,
   extractAgentFrontmatter,
   extractCommandFrontmatter,
   findAgentsInDir,
   findCommandsInDir,
   findSkillsInDir,
-  isAgentMode,
-  isPermissionSetting,
   isRecord,
   loadConfig,
   loadConfigWithSources,
   parseFrontmatter
-} from "./index-mfy9dbdx.js";
+} from "./index-g602hys2.js";
 
 // src/index.ts
 import fs4 from "fs";
@@ -78,28 +79,16 @@ ${toolMapping}
 
 // src/lib/agent-overlays.ts
 import fs2 from "fs";
+import os2 from "os";
 import path2 from "path";
 var SOURCE_CATEGORY_MODEL_DEFAULTS = {
-  design: "openai/gpt-5.5",
-  docs: "openai/gpt-5.4-mini",
-  "document-review": "anthropic/claude-opus-4.7",
-  research: "openai/gpt-5.5",
-  review: "anthropic/claude-opus-4.7",
-  workflow: "openai/gpt-5.4-mini"
+  design: ["openai/gpt-5.5", "anthropic/claude-opus-4.7"],
+  docs: ["openai/gpt-5.4-mini", "anthropic/claude-haiku-4-5"],
+  "document-review": ["anthropic/claude-opus-4.7", "openai/gpt-5.5"],
+  research: ["openai/gpt-5.5", "anthropic/claude-opus-4.7"],
+  review: ["anthropic/claude-opus-4.7", "openai/gpt-5.5"],
+  workflow: ["openai/gpt-5.4-mini", "anthropic/claude-haiku-4-5"]
 };
-var ALLOWED_OVERLAY_FIELDS = new Set([
-  "model",
-  "variant",
-  "temperature",
-  "top_p",
-  "permission",
-  "mode",
-  "color",
-  "steps",
-  "hidden",
-  "disable",
-  "skills"
-]);
 function buildBundledAgentInventory(agentsDir, disabledAgents) {
   const categories = readCategoryDirs(agentsDir);
   const agentsByQualifiedId = {};
@@ -166,10 +155,51 @@ function inferBuiltInTemperature(name, description) {
   }
   return 0.3;
 }
-function getSourceCategoryModel(category) {
+function getAuthenticatedProviders(rootDirOverride) {
+  const xdgDataHome = process.env.XDG_DATA_HOME?.trim();
+  const rootDir = rootDirOverride || (xdgDataHome && path2.isAbsolute(xdgDataHome) ? xdgDataHome : path2.join(os2.homedir(), ".local/share"));
+  const authPath = path2.join(rootDir, "opencode", "auth.json");
+  let raw;
+  try {
+    raw = fs2.readFileSync(authPath, "utf8");
+  } catch (err) {
+    if (isSystemError(err) && err.code === "ENOENT") {
+      return new Set;
+    }
+    console.warn(`[systematic] auth.json unreadable at ${authPath}; ignoring`);
+    return new Set;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    console.warn(`[systematic] auth.json malformed at ${authPath}; ignoring`);
+    return new Set;
+  }
+  if (!isRecord(parsed)) {
+    console.warn(`[systematic] auth.json malformed at ${authPath}; ignoring`);
+    return new Set;
+  }
+  return new Set(Object.keys(parsed));
+}
+function getSourceCategoryModel(category, authedProviders) {
   if (!category)
     return;
-  return SOURCE_CATEGORY_MODEL_DEFAULTS[category];
+  const candidates = SOURCE_CATEGORY_MODEL_DEFAULTS[category];
+  if (!candidates || candidates.length === 0)
+    return;
+  if (!authedProviders || authedProviders.size === 0)
+    return candidates[0];
+  for (const entry of candidates) {
+    const slashIndex = entry.indexOf("/");
+    if (slashIndex <= 0)
+      continue;
+    const providerId = entry.slice(0, slashIndex);
+    if (authedProviders.has(providerId)) {
+      return entry;
+    }
+  }
+  return candidates[0];
 }
 function assertSourceCategoryModelCoverage(categories) {
   validateSourceCategoryModelDefaults();
@@ -179,9 +209,7 @@ function assertSourceCategoryModelCoverage(categories) {
   }
 }
 function validateSourceCategoryModelDefaults(defaults = SOURCE_CATEGORY_MODEL_DEFAULTS) {
-  for (const [category, model] of Object.entries(defaults)) {
-    validateModel("source category model defaults", `source category model defaults.${category}`, model);
-  }
+  assertSourceCategoryModelDefaults(defaults);
 }
 function validateExactAgentOverlays(inventory, overlays, nativeAgents, enabledSkills) {
   const result = [];
@@ -231,150 +259,35 @@ function validateCategoryOverlays(inventory, overlays, enabledSkills) {
   }
   return result;
 }
-function validateOverlayFields(overlay, targetType, enabledSkills) {
-  if (Object.hasOwn(overlay.value, "skills") && hasPermissionSkill(overlay.value.permission)) {
-    throwConfigError(overlay.sourcePath, overlay.keyPath, "cannot set both skills and permission.skill in the same overlay object");
-  }
-  for (const [field, value] of Object.entries(overlay.value)) {
-    const keyPath = `${overlay.keyPath}.${field}`;
-    if (!ALLOWED_OVERLAY_FIELDS.has(field)) {
-      throwConfigError(overlay.sourcePath, keyPath, `unsupported agent overlay field "${field}"`);
-    }
-    if (targetType === "category" && field === "disable") {
-      throwConfigError(overlay.sourcePath, keyPath, "disable is only valid for exact agent overlays");
-    }
-    validateOverlayFieldValue(overlay.sourcePath, keyPath, field, value, enabledSkills);
-  }
-}
 function hasPermissionSkill(permission) {
   return isRecord(permission) && Object.hasOwn(permission, "skill");
 }
-function validateOverlayFieldValue(sourcePath, keyPath, field, value, enabledSkills) {
-  switch (field) {
-    case "model":
-      if (value === null)
-        return;
-      validateModel(sourcePath, keyPath, value);
-      return;
-    case "variant":
-      validateNonEmptyString(sourcePath, keyPath, value);
-      return;
-    case "temperature":
-      validateTemperature(sourcePath, keyPath, value);
-      return;
-    case "top_p":
-      validateTopP(sourcePath, keyPath, value);
-      return;
-    case "permission":
-      validatePermission(sourcePath, keyPath, value);
-      return;
-    case "mode":
-      validateMode(sourcePath, keyPath, value);
-      return;
-    case "color":
-      validateColor(sourcePath, keyPath, value);
-      return;
-    case "steps":
-      validatePositiveInteger(sourcePath, keyPath, value);
-      return;
-    case "hidden":
-    case "disable":
-      validateBoolean(sourcePath, keyPath, value);
-      return;
-    case "skills":
-      validateSkills(sourcePath, keyPath, value, enabledSkills);
-      return;
-  }
-}
-function validateModel(sourcePath, keyPath, value) {
-  if (typeof value !== "string") {
-    throwConfigError(sourcePath, keyPath, "must be a provider/model string");
-  }
-  if (value !== value.trim() || /\s/.test(value)) {
-    throwConfigError(sourcePath, keyPath, "must be a provider/model string");
-  }
-  const slashIndex = value.indexOf("/");
-  if (value === "" || slashIndex <= 0 || slashIndex === value.length - 1) {
-    throwConfigError(sourcePath, keyPath, "must be a provider/model string");
-  }
-}
-function validateNonEmptyString(sourcePath, keyPath, value) {
-  if (typeof value !== "string" || value === "" || value !== value.trim()) {
-    throwConfigError(sourcePath, keyPath, "must be a non-empty string");
-  }
-}
-function validateTemperature(sourcePath, keyPath, value) {
-  if (typeof value !== "number" || !Number.isFinite(value) || value < 0) {
-    throwConfigError(sourcePath, keyPath, "must be a non-negative finite number");
-  }
-}
-function validateTopP(sourcePath, keyPath, value) {
-  if (typeof value !== "number" || !Number.isFinite(value) || value < 0 || value > 1) {
-    throwConfigError(sourcePath, keyPath, "must be a number from 0 to 1");
-  }
-}
-function validatePositiveInteger(sourcePath, keyPath, value) {
-  if (typeof value !== "number" || !Number.isInteger(value) || value < 1) {
-    throwConfigError(sourcePath, keyPath, "must be a positive integer");
-  }
-}
-function validateBoolean(sourcePath, keyPath, value) {
-  if (typeof value !== "boolean") {
-    throwConfigError(sourcePath, keyPath, "must be a boolean");
-  }
-}
-function validateMode(sourcePath, keyPath, value) {
-  if (!isAgentMode(value)) {
-    throwConfigError(sourcePath, keyPath, "must be one of: subagent, primary, all");
+function validateOverlayFields(overlay, targetType, enabledSkills) {
+  if (Object.hasOwn(overlay.value, "skills") && hasPermissionSkill(overlay.value.permission)) {
+    throwConfigError(overlay.sourcePath, overlay.keyPath, "cannot set both skills and permission.skill in the same overlay object");
   }
+  const result = parseOverlayShape(overlay, targetType);
+  validateOverlaySkills(overlay, result.skills, enabledSkills);
 }
-function validateColor(sourcePath, keyPath, value) {
-  if (typeof value !== "string" || value !== value.trim() || !isOpenCodeColor(value)) {
-    throwConfigError(sourcePath, keyPath, "must be an OpenCode-compatible color string");
+function parseOverlayShape(overlay, targetType) {
+  const schema = targetType === "agent" ? AgentOverlaySchema : CategoryOverlaySchema;
+  const result = schema.safeParse(overlay.value);
+  if (!result.success) {
+    throwOverlaySchemaError(overlay, result.error.issues[0]);
   }
+  return { skills: result.data.skills };
 }
-function isOpenCodeColor(value) {
-  if (value === "")
-    return false;
-  if (/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/.test(value))
-    return true;
-  return /^[a-zA-Z][a-zA-Z0-9-]*$/.test(value);
+function throwOverlaySchemaError(overlay, issue) {
+  const zodPath = issue.code === "unrecognized_keys" ? issue.message.match(/"([^"]+)"/)?.[1] ?? issue.path.join(".") : issue.path.join(".");
+  const fullPath = zodPath ? `${overlay.keyPath}.${zodPath}` : overlay.keyPath;
+  throwConfigError(overlay.sourcePath, fullPath, issue.message);
 }
-function validateSkills(sourcePath, keyPath, value, enabledSkills) {
-  if (!Array.isArray(value) || !value.every((skill) => typeof skill === "string" && skill !== "" && skill === skill.trim())) {
-    throwConfigError(sourcePath, keyPath, "must be an array of non-empty strings");
-  }
-  if (!enabledSkills)
+function validateOverlaySkills(overlay, skills, enabledSkills) {
+  if (!enabledSkills || !skills)
     return;
-  for (const skill of value) {
+  for (const skill of skills) {
     if (!enabledSkills.has(skill)) {
-      throwConfigError(sourcePath, keyPath, `unknown or disabled skill "${skill}"`);
-    }
-  }
-}
-function validatePermission(sourcePath, keyPath, value) {
-  if (!isRecord(value)) {
-    throwConfigError(sourcePath, keyPath, "must be an object");
-  }
-  for (const [toolKey, rule] of Object.entries(value)) {
-    if (toolKey.trim() === "") {
-      throwConfigError(sourcePath, `${keyPath}.${toolKey}`, "must use a non-empty tool key");
-    }
-    validatePermissionRule(sourcePath, `${keyPath}.${toolKey}`, rule);
-  }
-}
-function validatePermissionRule(sourcePath, keyPath, value) {
-  if (isPermissionSetting(value))
-    return;
-  if (!isRecord(value)) {
-    throwConfigError(sourcePath, keyPath, "must be ask, allow, deny, or an object of pattern rules");
-  }
-  for (const [pattern, setting] of Object.entries(value)) {
-    if (pattern.trim() === "") {
-      throwConfigError(sourcePath, `${keyPath}.${pattern}`, "must use a non-empty permission pattern");
-    }
-    if (!isPermissionSetting(setting)) {
-      throwConfigError(sourcePath, `${keyPath}.${pattern}`, "must be ask, allow, or deny");
+      throwConfigError(overlay.sourcePath, `${overlay.keyPath}.skills`, `unknown or disabled skill "${skill}"`);
     }
   }
 }
@@ -398,6 +311,9 @@ function validAgentKeys(inventory) {
 function throwConfigError(sourcePath, keyPath, message) {
   throw new Error(`Invalid Systematic config in ${sourcePath}: ${keyPath} ${message}`);
 }
+function isSystemError(err) {
+  return typeof err === "object" && err !== null && "code" in err && typeof err.code === "string";
+}
 
 // src/lib/skill-loader.ts
 import path3 from "path";
@@ -567,7 +483,7 @@ function loadSkillAsCommand(loaded) {
     config.subtask = loaded.subtask;
   return config;
 }
-function collectAgents(dir, disabledAgents, nativeAgents, overlays) {
+function collectAgents(dir, disabledAgents, nativeAgents, overlays, authedProviders) {
   const agents = {};
   const agentList = findAgentsInDir(dir);
   const disabledSet = new Set(disabledAgents);
@@ -582,12 +498,12 @@ function collectAgents(dir, disabledAgents, nativeAgents, overlays) {
       continue;
     const config = loadAgentAsConfig(agentInfo);
     if (config) {
-      agents[agentInfo.name] = applyAgentOverlays(config, agentInfo, overlays);
+      agents[agentInfo.name] = applyAgentOverlays(config, agentInfo, overlays, authedProviders);
     }
   }
   return agents;
 }
-function applyAgentOverlays(config, agentInfo, overlays) {
+function applyAgentOverlays(config, agentInfo, overlays, authedProviders) {
   const id = agentInfo.category ? `${agentInfo.category}/${agentInfo.name}` : agentInfo.name;
   const categoryOverlay = agentInfo.category ? overlays.categoriesByKey.get(agentInfo.category) : undefined;
   const exactOverlay = overlays.agentsByTargetId.get(id);
@@ -599,7 +515,7 @@ function applyAgentOverlays(config, agentInfo, overlays) {
   }
   result.temperature = inferBuiltInTemperature(agentInfo.name, result.description);
   if (agentInfo.category) {
-    const sourceModel = getSourceCategoryModel(agentInfo.category);
+    const sourceModel = getSourceCategoryModel(agentInfo.category, authedProviders);
     if (sourceModel) {
       result.model = sourceModel;
     }
@@ -729,6 +645,7 @@ function collectEnabledSkillNames(dir, disabledSkills) {
 }
 function createConfigHandler(deps) {
   const { directory, bundledSkillsDir, bundledAgentsDir, bundledCommandsDir } = deps;
+  const readAuthProviders = deps.getAuthenticatedProviders ?? getAuthenticatedProviders;
   return async (config) => {
     const { config: systematicConfig, overlays } = loadConfigWithSources(directory);
     const existingAgents = { ...config.agent ?? {} };
@@ -744,7 +661,8 @@ function createConfigHandler(deps) {
       enabledSkills: enabledSkillNames
     });
     const resolvedOverlays = resolveAgentOverlaySet(validatedOverlays);
-    const bundledAgents = collectAgents(bundledAgentsDir, systematicConfig.disabled_agents, existingAgents, resolvedOverlays);
+    const authedProviders = readAuthProviders();
+    const bundledAgents = collectAgents(bundledAgentsDir, systematicConfig.disabled_agents, existingAgents, resolvedOverlays, authedProviders);
     const bundledCommands = collectCommands(bundledCommandsDir, systematicConfig.disabled_commands);
     config.agent = {
       ...bundledAgents,

package/dist/lib/agent-colors.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Canonical OpenCode-accepted agent color tokens.
+ *
+ * These values are validated by OpenCode's `/config` HttpApi schema;
+ * any other value is rejected and surfaces to the user as
+ * `400: (empty response body)` on TUI launch.
+ *
+ * See anomalyco/opencode commits 2793502db / 96a534d8c for the
+ * server-side schema (PR #346 / v2.9.2 history).
+ */
+export declare const OPENCODE_AGENT_COLOR_TOKENS: readonly ["primary", "secondary", "accent", "success", "warning", "error", "info"];
+/**
+ * Check whether a value is a valid agent color — either a hex literal
+ * (`#RRGGBB`) or a named token from `OPENCODE_AGENT_COLOR_TOKENS`.
+ */
+export declare function isValidAgentColor(value: string): boolean;

package/dist/lib/agent-overlays.d.ts

@@ -42,6 +42,27 @@ export declare function buildBundledAgentInventory(agentsDir: string, disabledAg
 export declare function validateAgentOverlays({ inventory, overlays, nativeAgents, enabledSkills, }: ValidateAgentOverlaysOptions): ValidatedAgentOverlays;
 export declare function resolveAgentOverlaySet(overlays: ValidatedAgentOverlays): ResolvedAgentOverlaySet;
 export declare function inferBuiltInTemperature(name: string, description?: string): number;
-export declare function getSourceCategoryModel(category: string | undefined): string | undefined;
+/**
+ * Read which providers are authenticated from OpenCode's auth.json.
+ *
+ * Reads only top-level keys (provider IDs). Nested values are NEVER
+ * inspected, logged, persisted, or transmitted. This is a hard contract:
+ * the auth file holds API keys and OAuth tokens, and Systematic must
+ * never expose them via stderr, telemetry, or any other channel.
+ *
+ * Intended for one invocation per plugin config(cfg) cycle. Repeated
+ * calls trigger repeated file reads and, on malformed input, repeated
+ * stderr diagnostics.
+ *
+ * @param rootDirOverride - Optional path override for tests. When
+ *   non-empty, the auth file is resolved as
+ *   `path.join(rootDirOverride, 'opencode', 'auth.json')`. When
+ *   omitted, resolution follows XDG_DATA_HOME -> ~/.local/share
+ *   convention.
+ * @returns A readonly set of authenticated provider IDs (empty set on
+ *   any failure).
+ */
+export declare function getAuthenticatedProviders(rootDirOverride?: string): ReadonlySet<string>;
+export declare function getSourceCategoryModel(category: string | undefined, authedProviders?: ReadonlySet<string>): string | undefined;
 export declare function assertSourceCategoryModelCoverage(categories: string[]): void;
 export declare function validateSourceCategoryModelDefaults(defaults?: Record<string, unknown>): void;

package/dist/lib/config-handler.d.ts

@@ -4,6 +4,8 @@ export interface ConfigHandlerDeps {
     bundledSkillsDir: string;
     bundledAgentsDir: string;
     bundledCommandsDir: string;
+    /** Override for authenticated provider reader; for testing. */
+    getAuthenticatedProviders?: (rootDirOverride?: string) => ReadonlySet<string>;
 }
 export declare function toTitleCase(name: string): string;
 export declare function formatAgentDescription(name: string, description: string | undefined): string;

package/dist/lib/config-schema.d.ts

@@ -0,0 +1,179 @@
+/**
+ * Zod schema for the user-facing `systematic.json` / `systematic.jsonc` config.
+ *
+ * ## Zod 4 API notes (verified against zod@4.4.3 during implementation)
+ *
+ * - `z.toJSONSchema(schema, { target: 'draft-7' })` produces draft-07 JSON Schema.
+ * - `.default(value)` DOES round-trip into JSON Schema `default`.
+ * - `.meta({ description, examples })` attaches documentation metadata visible in
+ *   JSON Schema output and via `schema.description`.
+ * - `z.object().strict()` rejects unknown keys with `unrecognized_keys` issues that
+ *   include the offending key names and the path to the containing object.
+ * - `z.record(keySchema, valueSchema)` is the canonical 2-arg form (Zod 4 types
+ *   require both key and value schemas). A single-arg overload works at runtime
+ *   but is not reflected in the type declarations for this Zod 4 minor.
+ */
+import { z } from 'zod';
+export declare const AgentOverlaySchema: z.ZodObject<{
+    model: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    variant: z.ZodOptional<z.ZodString>;
+    temperature: z.ZodOptional<z.ZodNumber>;
+    top_p: z.ZodOptional<z.ZodNumber>;
+    mode: z.ZodOptional<z.ZodEnum<{
+        subagent: "subagent";
+        primary: "primary";
+        all: "all";
+    }>>;
+    color: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+        primary: "primary";
+        secondary: "secondary";
+        accent: "accent";
+        success: "success";
+        warning: "warning";
+        error: "error";
+        info: "info";
+    }>, z.ZodString]>>;
+    steps: z.ZodOptional<z.ZodNumber>;
+    hidden: z.ZodOptional<z.ZodBoolean>;
+    disable: z.ZodOptional<z.ZodBoolean>;
+    skills: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    permission: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodEnum<{
+        ask: "ask";
+        allow: "allow";
+        deny: "deny";
+    }>, z.ZodRecord<z.ZodString, z.ZodEnum<{
+        ask: "ask";
+        allow: "allow";
+        deny: "deny";
+    }>>]>>>;
+}, z.core.$strict>;
+export declare const CategoryOverlaySchema: z.ZodObject<{
+    model: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    variant: z.ZodOptional<z.ZodString>;
+    temperature: z.ZodOptional<z.ZodNumber>;
+    top_p: z.ZodOptional<z.ZodNumber>;
+    mode: z.ZodOptional<z.ZodEnum<{
+        subagent: "subagent";
+        primary: "primary";
+        all: "all";
+    }>>;
+    color: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+        primary: "primary";
+        secondary: "secondary";
+        accent: "accent";
+        success: "success";
+        warning: "warning";
+        error: "error";
+        info: "info";
+    }>, z.ZodString]>>;
+    steps: z.ZodOptional<z.ZodNumber>;
+    hidden: z.ZodOptional<z.ZodBoolean>;
+    skills: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    permission: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodEnum<{
+        ask: "ask";
+        allow: "allow";
+        deny: "deny";
+    }>, z.ZodRecord<z.ZodString, z.ZodEnum<{
+        ask: "ask";
+        allow: "allow";
+        deny: "deny";
+    }>>]>>>;
+}, z.core.$strict>;
+export declare const BootstrapSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    file: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export declare const SystematicConfigSchema: z.ZodObject<{
+    $schema: z.ZodOptional<z.ZodString>;
+    agents: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
+        model: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        variant: z.ZodOptional<z.ZodString>;
+        temperature: z.ZodOptional<z.ZodNumber>;
+        top_p: z.ZodOptional<z.ZodNumber>;
+        mode: z.ZodOptional<z.ZodEnum<{
+            subagent: "subagent";
+            primary: "primary";
+            all: "all";
+        }>>;
+        color: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+            primary: "primary";
+            secondary: "secondary";
+            accent: "accent";
+            success: "success";
+            warning: "warning";
+            error: "error";
+            info: "info";
+        }>, z.ZodString]>>;
+        steps: z.ZodOptional<z.ZodNumber>;
+        hidden: z.ZodOptional<z.ZodBoolean>;
+        disable: z.ZodOptional<z.ZodBoolean>;
+        skills: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        permission: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodEnum<{
+            ask: "ask";
+            allow: "allow";
+            deny: "deny";
+        }>, z.ZodRecord<z.ZodString, z.ZodEnum<{
+            ask: "ask";
+            allow: "allow";
+            deny: "deny";
+        }>>]>>>;
+    }, z.core.$strict>>>;
+    categories: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
+        model: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        variant: z.ZodOptional<z.ZodString>;
+        temperature: z.ZodOptional<z.ZodNumber>;
+        top_p: z.ZodOptional<z.ZodNumber>;
+        mode: z.ZodOptional<z.ZodEnum<{
+            subagent: "subagent";
+            primary: "primary";
+            all: "all";
+        }>>;
+        color: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+            primary: "primary";
+            secondary: "secondary";
+            accent: "accent";
+            success: "success";
+            warning: "warning";
+            error: "error";
+            info: "info";
+        }>, z.ZodString]>>;
+        steps: z.ZodOptional<z.ZodNumber>;
+        hidden: z.ZodOptional<z.ZodBoolean>;
+        skills: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        permission: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodEnum<{
+            ask: "ask";
+            allow: "allow";
+            deny: "deny";
+        }>, z.ZodRecord<z.ZodString, z.ZodEnum<{
+            ask: "ask";
+            allow: "allow";
+            deny: "deny";
+        }>>]>>>;
+    }, z.core.$strict>>>;
+    disabled_skills: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    disabled_agents: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    disabled_commands: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    bootstrap: z.ZodDefault<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        file: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export interface ValidationResult {
+    success: boolean;
+    data?: z.infer<typeof SystematicConfigSchema>;
+    errors?: readonly z.ZodIssue[];
+}
+export declare function validateConfig(input: unknown): ValidationResult;
+export declare function assertSourceCategoryModelDefaults(defaults: Record<string, unknown>): void;
+/**
+ * Overlay fields that require a project-or-higher trust source.
+ *
+ * This list is co-located with the schema definitions above so that any
+ * future field additions that need trust protection are added here at the
+ * same time. The regression tests in tests/unit/config-schema.test.ts
+ * assert that this list agrees with every field tagged `.meta({ trust:
+ * 'project-or-higher' })` in AgentOverlaySchema — preventing silent drift.
+ *
+ * Matches the hand-coded `SECURITY_OVERLAY_FIELDS` set in `src/lib/config.ts`.
+ */
+export declare const SECURITY_OVERLAY_FIELDS: readonly string[];

package/dist/lib/config.d.ts

@@ -1,3 +1,4 @@
+import type { z } from 'zod';
 export interface BootstrapConfig {
     enabled: boolean;
     file?: string;
@@ -26,6 +27,26 @@ export interface SystematicConfig {
     categories?: OverlayConfigMap;
 }
 export declare const DEFAULT_CONFIG: SystematicConfig;
+interface RawSystematicConfig extends Omit<Partial<SystematicConfig>, 'agents' | 'categories'> {
+    agents?: unknown;
+    categories?: unknown;
+}
+interface ConfigSource {
+    path: string;
+    config: RawSystematicConfig;
+    trust: 'user' | 'project' | 'custom';
+}
+/**
+ * Type guard for errors thrown by the top-level config schema validator.
+ * Use this to distinguish schema validation failures from JSONC parse errors
+ * or file read errors.
+ */
+export declare function isConfigSchemaError(err: unknown): err is Error & {
+    _tag: 'ConfigSchemaError';
+    filePath: string;
+    trust: ConfigSource['trust'];
+    issues: readonly z.core.$ZodIssue[];
+};
 export declare function loadConfig(projectDir: string): SystematicConfig;
 export declare function loadConfigWithSources(projectDir: string): SourceAwareConfigResult;
 export declare function getConfigPaths(projectDir: string): {
@@ -36,3 +57,4 @@ export declare function getConfigPaths(projectDir: string): {
     userDir: string;
     projectDir: string;
 };
+export {};