@kbediako/codex-orchestrator 0.1.38 → 0.2.1

package/dist/orchestrator/src/cli/utils/cloudPreflight.js

@@ -1,12 +1,33 @@
+import process from 'node:process';
 import { spawn } from 'node:child_process';
+import { fingerprintAuthProvenanceValue } from './authProvenanceFingerprint.js';
+import { resolveCodexCliBin } from './codexCli.js';
+function formatCommandSpawnError(error) {
+    if (error instanceof Error) {
+        const errno = error;
+        const code = typeof errno.code === 'string' ? errno.code : null;
+        if (code && !error.message.includes(code)) {
+            return `${code}: ${error.message}`;
+        }
+        return error.message;
+    }
+    return String(error);
+}
 function runCommand(command, args, options) {
     const timeoutMs = options.timeoutMs ?? 10_000;
     return new Promise((resolve) => {
-        const child = spawn(command, args, {
-            cwd: options.cwd,
-            env: options.env,
-            stdio: ['ignore', 'pipe', 'pipe']
-        });
+        let child;
+        try {
+            child = spawn(command, args, {
+                cwd: options.cwd,
+                env: options.env,
+                stdio: ['ignore', 'pipe', 'pipe']
+            });
+        }
+        catch (error) {
+            resolve({ exitCode: 1, stdout: '', stderr: formatCommandSpawnError(error) });
+            return;
+        }
         let stdout = '';
         let stderr = '';
         let settled = false;
@@ -36,7 +57,7 @@ function runCommand(command, args, options) {
             }
             settled = true;
             clearTimeout(timer);
-            resolve({ exitCode: 1, stdout, stderr: `${stderr}\n${error.message}`.trim() });
+            resolve({ exitCode: 1, stdout, stderr: `${stderr}\n${formatCommandSpawnError(error)}`.trim() });
         });
         child.once('close', (code) => {
             if (settled) {
@@ -55,6 +76,243 @@ function normalizeBranch(raw) {
     }
     return trimmed.replace(/^refs\/heads\//u, '');
 }
+function normalizeCloudPreflightRequestValue(raw) {
+    const trimmed = String(raw ?? '').trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function readCloudPreflightCommandOutput(result) {
+    const output = [result.stderr, result.stdout]
+        .map((value) => value.trim())
+        .filter((value) => value.length > 0)
+        .join(' ')
+        .replace(/\s+/gu, ' ')
+        .trim();
+    return output || 'no output';
+}
+function readCloudPreflightErrorOutput(result) {
+    const output = result.stderr.trim().replace(/\s+/gu, ' ');
+    return output || 'no output';
+}
+function compactCloudPreflightOutput(output) {
+    return output.length > 500 ? `${output.slice(0, 497)}...` : output;
+}
+function redactCloudPreflightOutput(output) {
+    return output
+        .replace(/\b(?:authorization|bearer)\s*[:=]\s*bearer\s+[^\s,;]+/giu, 'authorization: Bearer <redacted>')
+        .replace(/\bbearer\s+[A-Za-z0-9._~+/-]{10,}/giu, 'Bearer <redacted>')
+        .replace(/\b(?:sk|sess|eyJ)[A-Za-z0-9._~+/-]{12,}/gu, '<redacted-token>')
+        .replace(/\b(?:CODEX|OPENAI|CHATGPT|GITHUB|GH)_[A-Z0-9_]*(?:API_KEY|AUTH_TOKEN|ACCESS_TOKEN|REFRESH_TOKEN|TOKEN|SECRET|PASSWORD)\s*=\s*[^\s,;]+/gu, (match) => `${match.split('=')[0] ?? 'secret'}=<redacted>`)
+        .replace(/\b(?:api[_ -]?key|auth[_ -]?token|access[_ -]?token|refresh[_ -]?token|bearer[_ -]?token|password|secret|credential)\s*[:=]\s*[^\s,;]+/giu, (match) => `${match.split(/[:=]/u)[0]?.trim() ?? 'secret'}=<redacted>`)
+        .replace(/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/giu, '<redacted-email>');
+}
+function compactCloudPreflightCommandOutput(result) {
+    return compactCloudPreflightOutput(redactCloudPreflightOutput(readCloudPreflightCommandOutput(result)));
+}
+function escapeRegExpLiteral(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/gu, '\\$&');
+}
+function isEnvironmentNotFoundSignal(signal, environmentId) {
+    const normalized = signal.toLowerCase();
+    const normalizedEnvironmentId = environmentId.toLowerCase();
+    if (normalized.includes('environment_not_found')) {
+        return true;
+    }
+    const escapedEnvironmentId = escapeRegExpLiteral(normalizedEnvironmentId);
+    return new RegExp(`\\benvironment\\s+(?:(["'])${escapedEnvironmentId}\\1|${escapedEnvironmentId})\\s+not\\s+found\\b`, 'u').test(normalized);
+}
+function maskCloudPreflightEnvironmentIdentifierValues(signal) {
+    return signal
+        .toLowerCase()
+        .replace(/\benvironment\s+(?:['"][^'"]+['"]|[^\s'"]+)\s+not\s+found\b/gu, 'environment <env-id> not found')
+        .replace(/\bcodex_cloud_env_id\s+(?:['"][^'"]+['"]|[^\s'"]+)/gu, 'codex_cloud_env_id <env-id>')
+        .replace(/\bcodex cloud env id\s+(?:['"][^'"]+['"]|[^\s'"]+)/gu, 'codex cloud env id <env-id>');
+}
+function hasWrappedEnvironmentProbeUnavailableSignal(signal) {
+    const normalized = maskCloudPreflightEnvironmentIdentifierValues(signal);
+    return (/\b(?:missing[_ -]github[_ -]connector[_ -]link|github connection not found|github connector not found)\b/u.test(normalized) ||
+        /\b(?:cloud denial|cloud-denial|cloud_denial|cloud denied|not allowed in cloud|cloud access denied|cloud execution denied)\b/u.test(normalized) ||
+        /\b(?:forbidden|unauthorized|not logged in|login required|active account|active profile|account mismatch|profile mismatch|invalid token|expired token|token expired|missing token|token missing|api key|auth token|access token|refresh token|bearer token)\b/u.test(normalized) ||
+        /\b(?:rate limit|rate-limit|rate_limited|rate_limit_exceeded|quota|too many requests|usage limit|usage_limit_reached)\b/u.test(normalized) ||
+        /\b(?:enotfound|econn|network|timed out|timeout|502|503|504|bad gateway|service unavailable|gateway timeout)\b/u.test(normalized));
+}
+function buildEnvironmentProbeIssue(environmentId, result) {
+    const fullDetail = readCloudPreflightCommandOutput(result);
+    const detail = compactCloudPreflightCommandOutput(result);
+    if (isEnvironmentNotFoundSignal(fullDetail, environmentId) &&
+        !hasWrappedEnvironmentProbeUnavailableSignal(fullDetail)) {
+        return {
+            code: 'environment_not_found',
+            message: `Configured CODEX_CLOUD_ENV_ID '${environmentId}' is not visible to codex cloud before codex cloud exec: ${detail}`
+        };
+    }
+    return {
+        code: 'environment_unavailable',
+        message: `Configured CODEX_CLOUD_ENV_ID '${environmentId}' could not be verified by codex cloud before codex cloud exec: ${detail}`
+    };
+}
+function tryParseCloudListJson(stdout) {
+    const trimmed = stdout.trim();
+    if (!trimmed) {
+        return null;
+    }
+    try {
+        return JSON.parse(trimmed);
+    }
+    catch {
+        return null;
+    }
+}
+function readCloudListTasks(payload) {
+    if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
+        return null;
+    }
+    const record = payload;
+    return Array.isArray(record.tasks) ? record.tasks : null;
+}
+function readCloudListTaskEnvironmentIdentities(task) {
+    if (!task || typeof task !== 'object') {
+        return [];
+    }
+    const record = task;
+    const identities = [];
+    for (const key of ['environment_id', 'environmentId', 'cloud_environment_id', 'cloudEnvId']) {
+        const value = normalizeCloudPreflightRequestValue(record[key]);
+        if (value) {
+            identities.push(value);
+        }
+    }
+    for (const key of ['environment_label', 'environmentLabel']) {
+        const value = normalizeCloudPreflightRequestValue(record[key]);
+        if (value) {
+            identities.push(value);
+        }
+    }
+    const environment = record.environment;
+    if (environment && typeof environment === 'object') {
+        const environmentRecord = environment;
+        for (const key of ['id', 'environment_id', 'environmentId', 'cloud_environment_id', 'cloudEnvId']) {
+            const value = normalizeCloudPreflightRequestValue(environmentRecord[key]);
+            if (value) {
+                identities.push(value);
+            }
+        }
+        for (const key of ['label', 'environment_label', 'environmentLabel']) {
+            const value = normalizeCloudPreflightRequestValue(environmentRecord[key]);
+            if (value) {
+                identities.push(value);
+            }
+        }
+    }
+    return [...new Set(identities)];
+}
+function normalizeCloudEnvironmentIdentity(value) {
+    return value.trim().toLowerCase();
+}
+function buildEnvironmentProbePayloadIssue(environmentId, detail) {
+    const safeDetail = compactCloudPreflightOutput(redactCloudPreflightOutput(detail));
+    return {
+        code: 'environment_unavailable',
+        message: `Configured CODEX_CLOUD_ENV_ID '${environmentId}' could not be verified by codex cloud before codex cloud exec: ${safeDetail}`
+    };
+}
+function inspectSuccessfulEnvironmentProbe(environmentId, result) {
+    const stderrDetail = readCloudPreflightErrorOutput(result);
+    if (isEnvironmentNotFoundSignal(stderrDetail, environmentId)) {
+        return buildEnvironmentProbeIssue(environmentId, {
+            ...result,
+            stdout: ''
+        });
+    }
+    const payload = tryParseCloudListJson(result.stdout);
+    const tasks = readCloudListTasks(payload);
+    if (!tasks) {
+        return buildEnvironmentProbePayloadIssue(environmentId, `unexpected codex cloud list JSON payload: ${compactCloudPreflightOutput(result.stdout.trim() || 'no output')}`);
+    }
+    const taskEnvironmentIdentities = tasks.map((task) => readCloudListTaskEnvironmentIdentities(task));
+    const normalizedEnvironmentId = normalizeCloudEnvironmentIdentity(environmentId);
+    if (taskEnvironmentIdentities.some((identities) => identities.length === 0)) {
+        return buildEnvironmentProbePayloadIssue(environmentId, 'codex cloud list returned task rows without an environment identity');
+    }
+    const mismatchedEnvironmentIds = taskEnvironmentIdentities
+        .filter((identities) => !identities.some((identity) => normalizeCloudEnvironmentIdentity(identity) === normalizedEnvironmentId))
+        .flat();
+    if (mismatchedEnvironmentIds.length > 0) {
+        return buildEnvironmentProbePayloadIssue(environmentId, `codex cloud list returned task rows for a different environment identity: ${[
+            ...new Set(mismatchedEnvironmentIds)
+        ].join(', ')}`);
+    }
+    return null;
+}
+function readFirstCloudPreflightEnvValue(env, keys) {
+    if (!env) {
+        return null;
+    }
+    for (const key of keys) {
+        const value = normalizeCloudPreflightRequestValue(env[key]);
+        if (value) {
+            return value;
+        }
+    }
+    return null;
+}
+function readFirstCloudPreflightCredentialSource(env) {
+    if (!env) {
+        return null;
+    }
+    for (const key of [
+        'CODEX_API_KEY',
+        'OPENAI_API_KEY',
+        'CODEX_AUTH_TOKEN',
+        'OPENAI_AUTH_TOKEN',
+        'CHATGPT_AUTH_TOKEN'
+    ]) {
+        if (normalizeCloudPreflightRequestValue(env[key])) {
+            return `env:${key}`;
+        }
+    }
+    return null;
+}
+export function buildCloudPreflightAuthProvenance(params) {
+    const credentialSource = readFirstCloudPreflightCredentialSource(params.env);
+    const profile = readFirstCloudPreflightEnvValue(params.env, [
+        'CODEX_AUTH_PROFILE',
+        'CODEX_PROFILE',
+        'OPENAI_PROFILE',
+        'CHATGPT_AUTH_PROFILE',
+        'CHATGPT_PROFILE'
+    ]);
+    const account = readFirstCloudPreflightEnvValue(params.env, [
+        'CODEX_ACCOUNT_ID',
+        'CODEX_ACCOUNT',
+        'CODEX_ACCOUNT_EMAIL',
+        'OPENAI_ACCOUNT_ID',
+        'OPENAI_ORG_ID',
+        'CHATGPT_ACCOUNT_ID',
+        'CHATGPT_ACCOUNT',
+        'CHATGPT_ACCOUNT_EMAIL'
+    ]);
+    return {
+        providerKind: 'codex_cloud',
+        activeProfileFingerprint: fingerprintAuthProvenanceValue(profile, params.env),
+        activeAccountFingerprint: fingerprintAuthProvenanceValue(account, params.env),
+        cloudEnvId: params.environmentId,
+        cloudBranch: params.branch,
+        credentialSource,
+        authFreshness: credentialSource ? 'env_credential_present' : 'credential_source_unknown'
+    };
+}
+export function buildCloudPreflightRequest(params) {
+    const env = params.env ?? process.env;
+    const branch = normalizeCloudPreflightRequestValue(params.branch)
+        ?? normalizeCloudPreflightRequestValue(env.CODEX_CLOUD_BRANCH);
+    return {
+        repoRoot: params.repoRoot,
+        codexBin: resolveCodexCliBin(env),
+        environmentId: params.environmentId,
+        branch,
+        env
+    };
+}
 export async function runCloudPreflight(params) {
     const issues = [];
     const branch = normalizeBranch(params.branch);
@@ -74,6 +332,21 @@ export async function runCloudPreflight(params) {
             message: `Codex CLI is unavailable (${params.codexBin} --version failed).`
         });
     }
+    if (params.environmentId && codexCheck.exitCode === 0) {
+        const environmentCheck = await runCommand(params.codexBin, ['cloud', 'list', '--env', params.environmentId, '--limit', '1', '--json'], {
+            cwd: params.repoRoot,
+            env: params.env
+        });
+        if (environmentCheck.exitCode !== 0) {
+            issues.push(buildEnvironmentProbeIssue(params.environmentId, environmentCheck));
+        }
+        else {
+            const environmentProbeIssue = inspectSuccessfulEnvironmentProbe(params.environmentId, environmentCheck);
+            if (environmentProbeIssue) {
+                issues.push(environmentProbeIssue);
+            }
+        }
+    }
     if (branch) {
         const gitCheck = await runCommand('git', ['--version'], { cwd: params.repoRoot, env: params.env });
         if (gitCheck.exitCode !== 0) {
@@ -95,7 +368,12 @@ export async function runCloudPreflight(params) {
         details: {
             codexBin: params.codexBin,
             environmentId: params.environmentId,
-            branch
+            branch,
+            authProvenance: buildCloudPreflightAuthProvenance({
+                env: params.env,
+                environmentId: params.environmentId,
+                branch
+            })
         }
     };
 }

package/dist/orchestrator/src/cli/utils/codexFeatures.js

@@ -0,0 +1,60 @@
+import { spawnSync } from 'node:child_process';
+export function readCodexFeatureProbe(codexBin, env = process.env) {
+    const result = spawnSync(codexBin, ['features', 'list'], {
+        encoding: 'utf8',
+        env,
+        stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: 5000
+    });
+    const stderr = String(result.stderr ?? '');
+    if (result.error || result.status !== 0) {
+        return {
+            flags: null,
+            stderr,
+            error: result.error
+                ? result.error.message
+                : `codex features list exited with status ${result.status ?? '<unknown>'}`,
+            status: result.status
+        };
+    }
+    const stdout = String(result.stdout ?? '');
+    return {
+        flags: parseFeatureFlagsFromText(stdout),
+        stderr,
+        error: null,
+        status: result.status
+    };
+}
+export function codexFeatureProbeRejectsAgentMaxThreads(probe) {
+    const text = `${probe.error ?? ''}\n${probe.stderr}`.toLowerCase();
+    const mentionsMaxThreads = /\bagents\.max_threads\b/u.test(text) || /\bmax[_\s-]?threads\b/u.test(text);
+    return mentionsMaxThreads && /\bmulti_agent_v2\b/u.test(text);
+}
+export function codexFeatureProbeDisablesMultiAgentV2(probe) {
+    return probe.flags?.multi_agent_v2 === false;
+}
+function parseFeatureFlagsFromText(stdout) {
+    const flags = {};
+    for (const line of stdout.split(/\r?\n/u)) {
+        const trimmed = line.trim();
+        if (!trimmed) {
+            continue;
+        }
+        const tokens = trimmed.split(/\s+/u);
+        if (tokens.length < 2) {
+            continue;
+        }
+        const name = tokens[0] ?? '';
+        const enabledToken = tokens[tokens.length - 1] ?? '';
+        if (!name) {
+            continue;
+        }
+        if (enabledToken === 'true') {
+            flags[name] = true;
+        }
+        else if (enabledToken === 'false') {
+            flags[name] = false;
+        }
+    }
+    return flags;
+}

package/dist/orchestrator/src/cli/utils/delegationConfigParser.js

@@ -0,0 +1,250 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { hasMcpServerEntry } from './mcpServerEntry.js';
+export function readDelegationFallbackConfig(configPath) {
+    if (!existsSync(configPath)) {
+        return null;
+    }
+    try {
+        const raw = readFileSync(configPath, 'utf8');
+        if (!hasMcpServerEntry(raw, 'delegation')) {
+            return null;
+        }
+        return {
+            command: readDelegationCommandFromConfig(raw),
+            args: readDelegationArgsFromConfig(raw),
+            envVars: readDelegationEnvVarsFromConfig(raw)
+        };
+    }
+    catch {
+        return null;
+    }
+}
+function readDelegationCommandFromConfig(raw) {
+    const section = readSectionBody(raw, [
+        'mcp_servers.delegation',
+        'mcp_servers."delegation"',
+        "mcp_servers.'delegation'"
+    ]);
+    if (!section) {
+        const inlineEntry = readDelegationInlineEntry(raw);
+        return inlineEntry ? readInlineQuotedValue(inlineEntry, 'command') : null;
+    }
+    const commandMatch = section.match(/^\s*command\s*=\s*("(?:\\"|[^"])*"|'(?:\\'|[^'])*')\s*$/mu);
+    return commandMatch ? decodeQuotedTomlString(commandMatch[1] ?? '') : null;
+}
+function readDelegationArgsFromConfig(raw) {
+    const section = readSectionBody(raw, [
+        'mcp_servers.delegation',
+        'mcp_servers."delegation"',
+        "mcp_servers.'delegation'"
+    ]);
+    if (!section) {
+        const inlineEntry = readDelegationInlineEntry(raw);
+        return inlineEntry ? readQuotedTokens(readInlinePropertyContents(inlineEntry, 'args', '[', ']')) : [];
+    }
+    const argsMatch = section.match(/^\s*args\s*=\s*\[([\s\S]*?)\]/mu);
+    if (!argsMatch) {
+        return [];
+    }
+    return readQuotedTokens(argsMatch[1] ?? '');
+}
+function readDelegationEnvVarsFromConfig(raw) {
+    const envVars = {};
+    const section = readSectionBody(raw, [
+        'mcp_servers.delegation.env',
+        'mcp_servers."delegation".env',
+        "mcp_servers.'delegation'.env"
+    ]);
+    if (!section) {
+        const inlineEntry = readDelegationInlineEntry(raw);
+        return inlineEntry ? readInlineEnvVars(inlineEntry) : envVars;
+    }
+    const linePattern = /^\s*([A-Za-z0-9_.-]+)\s*=\s*("(?:\\"|[^"])*"|'(?:\\'|[^'])*')\s*$/gmu;
+    let match = linePattern.exec(section);
+    while (match) {
+        const key = match[1];
+        const rawValue = match[2];
+        const decoded = rawValue ? decodeQuotedTomlString(rawValue) : null;
+        if (key && decoded !== null) {
+            envVars[key] = decoded;
+        }
+        match = linePattern.exec(section);
+    }
+    return envVars;
+}
+function readDelegationInlineEntry(raw) {
+    let currentTable = null;
+    for (const line of raw.split('\n')) {
+        const trimmed = stripTomlComment(line).trim();
+        if (!trimmed) {
+            continue;
+        }
+        const tableMatch = trimmed.match(/^\[(.+)\]$/u);
+        if (tableMatch) {
+            currentTable = tableMatch[1]?.trim() ?? null;
+            continue;
+        }
+        const dottedMatch = trimmed.match(/^mcp_servers\.(?:"delegation"|'delegation'|delegation)\s*=\s*\{([\s\S]*)\}\s*$/u);
+        if (dottedMatch) {
+            return dottedMatch[1] ?? '';
+        }
+        if (currentTable === 'mcp_servers') {
+            const entryMatch = trimmed.match(/^(?:"delegation"|'delegation'|delegation)\s*=\s*\{([\s\S]*)\}\s*$/u);
+            if (entryMatch) {
+                return entryMatch[1] ?? '';
+            }
+        }
+    }
+    return null;
+}
+function readInlineEnvVars(raw) {
+    const envVars = {};
+    const envRaw = readInlinePropertyContents(raw, 'env', '{', '}');
+    if (!envRaw) {
+        return envVars;
+    }
+    const linePattern = /([A-Za-z0-9_.-]+)\s*=\s*("(?:\\"|[^"])*"|'(?:\\'|[^'])*')/gu;
+    let match = linePattern.exec(envRaw);
+    while (match) {
+        const key = match[1];
+        const rawValue = match[2];
+        const decoded = rawValue ? decodeQuotedTomlString(rawValue) : null;
+        if (key && decoded !== null) {
+            envVars[key] = decoded;
+        }
+        match = linePattern.exec(envRaw);
+    }
+    return envVars;
+}
+function readInlineQuotedValue(raw, propertyName) {
+    const propertyPattern = new RegExp(`\\b${escapeRegExp(propertyName)}\\s*=\\s*("(?:\\\\.|[^"])*"|'(?:\\\\.|[^'])*')`, 'u');
+    const propertyMatch = propertyPattern.exec(raw);
+    return propertyMatch ? decodeQuotedTomlString(propertyMatch[1] ?? '') : null;
+}
+function readSectionBody(raw, names) {
+    let currentTable = null;
+    let collecting = false;
+    const lines = [];
+    for (const line of raw.split('\n')) {
+        const trimmed = stripTomlComment(line).trim();
+        const tableMatch = trimmed.match(/^\[(.+)\]$/u);
+        if (tableMatch) {
+            const tableName = tableMatch[1]?.trim() ?? null;
+            if (collecting) {
+                break;
+            }
+            currentTable = tableName;
+            collecting = currentTable !== null && names.includes(currentTable);
+            continue;
+        }
+        if (collecting) {
+            lines.push(line);
+        }
+    }
+    return collecting || lines.length > 0 ? lines.join('\n') : null;
+}
+function readInlinePropertyContents(raw, propertyName, open, close) {
+    const propertyPattern = new RegExp(`\\b${escapeRegExp(propertyName)}\\s*=\\s*\\${open}`, 'u');
+    const propertyMatch = propertyPattern.exec(raw);
+    if (!propertyMatch) {
+        return '';
+    }
+    const openIndex = propertyMatch.index + propertyMatch[0].length - 1;
+    return readDelimitedContents(raw, openIndex, open, close);
+}
+function readDelimitedContents(raw, openIndex, open, close) {
+    let quote = null;
+    let escaped = false;
+    let depth = 0;
+    let start = -1;
+    for (let index = openIndex; index < raw.length; index += 1) {
+        const character = raw[index];
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        if (character === '\\' && quote) {
+            escaped = true;
+            continue;
+        }
+        if (character === '"' || character === '\'') {
+            quote = quote === character ? null : quote ?? character;
+            continue;
+        }
+        if (quote) {
+            continue;
+        }
+        if (character === open) {
+            depth += 1;
+            if (depth === 1) {
+                start = index + 1;
+            }
+            continue;
+        }
+        if (character === close) {
+            depth -= 1;
+            if (depth === 0 && start !== -1) {
+                return raw.slice(start, index);
+            }
+        }
+    }
+    return '';
+}
+function readQuotedTokens(raw) {
+    const tokens = [];
+    const tokenPattern = /("(?:\\.|[^"])*"|'(?:\\.|[^'])*')/gu;
+    let token = tokenPattern.exec(raw);
+    while (token) {
+        const decoded = decodeQuotedTomlString(token[1] ?? '');
+        if (decoded !== null) {
+            tokens.push(decoded);
+        }
+        token = tokenPattern.exec(raw);
+    }
+    return tokens;
+}
+function decodeQuotedTomlString(raw) {
+    if (!raw || raw.length < 2) {
+        return null;
+    }
+    if (raw.startsWith('"') && raw.endsWith('"')) {
+        try {
+            return JSON.parse(raw);
+        }
+        catch {
+            const unquoted = raw.slice(1, -1);
+            return unquoted
+                .replace(/\\\\/gu, '\\')
+                .replace(/\\"/gu, '"')
+                .replace(/\\'/gu, '\'');
+        }
+    }
+    const unquoted = raw.slice(1, -1);
+    return unquoted.replace(/\\'/gu, '\'');
+}
+function stripTomlComment(line) {
+    let quote = null;
+    let escaped = false;
+    for (let index = 0; index < line.length; index += 1) {
+        const character = line[index];
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        if (character === '\\' && quote) {
+            escaped = true;
+            continue;
+        }
+        if (character === '"' || character === '\'') {
+            quote = quote === character ? null : quote ?? character;
+            continue;
+        }
+        if (character === '#' && !quote) {
+            return line.slice(0, index);
+        }
+    }
+    return line;
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}