@kyo-so/cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (58)
  1. package/.agents/skills/kyoso-review/SKILL.md +38 -0
  2. package/.agents/skills/kyoso-review/agents/openai.yaml +14 -0
  3. package/LICENSE +677 -0
  4. package/README.md +202 -0
  5. package/dist/acp/AcpAgentManager.d.ts +9 -0
  6. package/dist/acp/AcpAgentProcess.d.ts +9 -0
  7. package/dist/acp/FakeAgentManager.d.ts +9 -0
  8. package/dist/acp/normalize.d.ts +3 -0
  9. package/dist/acp/prompts.d.ts +2 -0
  10. package/dist/aggregate/aggregateFindings.d.ts +15 -0
  11. package/dist/aggregate/severity.d.ts +3 -0
  12. package/dist/audit/sanitize.d.ts +3 -0
  13. package/dist/audit/trace.d.ts +12 -0
  14. package/dist/bin/kyoso.js +199606 -0
  15. package/dist/cli/args.d.ts +8 -0
  16. package/dist/cli/doctor.d.ts +9 -0
  17. package/dist/cli/init.d.ts +4 -0
  18. package/dist/cli/io.d.ts +7 -0
  19. package/dist/cli/main.d.ts +1 -0
  20. package/dist/config/defaultConfig.d.ts +2 -0
  21. package/dist/config/defineConfig.d.ts +2 -0
  22. package/dist/config/loadConfig.d.ts +22 -0
  23. package/dist/config/schema.d.ts +117 -0
  24. package/dist/config/trustedConfig.d.ts +5 -0
  25. package/dist/config/tsConfigLoader.d.ts +7 -0
  26. package/dist/context/buildContext.d.ts +11 -0
  27. package/dist/context/pathPolicy.d.ts +3 -0
  28. package/dist/context/truncate.d.ts +6 -0
  29. package/dist/core/constants.d.ts +7 -0
  30. package/dist/core/errors.d.ts +4 -0
  31. package/dist/core/runReview.d.ts +12 -0
  32. package/dist/core/types.d.ts +154 -0
  33. package/dist/core/validateRequest.d.ts +2 -0
  34. package/dist/index.d.ts +3 -0
  35. package/dist/index.js +189728 -0
  36. package/dist/judge/anthropic.d.ts +2 -0
  37. package/dist/judge/deterministicFallback.d.ts +3 -0
  38. package/dist/judge/openai.d.ts +2 -0
  39. package/dist/judge/prompt.d.ts +9 -0
  40. package/dist/judge/provider.d.ts +26 -0
  41. package/dist/mcp/formatMcpResponse.d.ts +7 -0
  42. package/dist/mcp/schemas.d.ts +38 -0
  43. package/dist/mcp/server.d.ts +6 -0
  44. package/dist/output/markdown.d.ts +7 -0
  45. package/dist/security/cisaGate.d.ts +2 -0
  46. package/dist/security/decision.d.ts +10 -0
  47. package/dist/security/recursionGuard.d.ts +1 -0
  48. package/dist/security/redact.d.ts +5 -0
  49. package/dist/security/sanitizeText.d.ts +3 -0
  50. package/dist/security/secretScan.d.ts +2 -0
  51. package/dist/utils/env.d.ts +5 -0
  52. package/dist/utils/ids.d.ts +1 -0
  53. package/dist/workspace/cleanup.d.ts +1 -0
  54. package/dist/workspace/createSnapshot.d.ts +11 -0
  55. package/examples/claude-code-mcp.json +13 -0
  56. package/examples/codex-config.toml +11 -0
  57. package/examples/kyoso.config.ts +22 -0
  58. package/package.json +50 -0
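--- /dev/null
+++ b/package/dist/cli/args.d.ts
@@ -0,0 +1,8 @@
+export type ParsedArgs = {
+command: string;
+flags: Record<string, string | boolean | string[]>;
+};
+export declare function parseArgs(argv: string[]): ParsedArgs;
+export declare function stringFlag(flags: ParsedArgs["flags"], key: string): string | undefined;
+export declare function booleanFlag(flags: ParsedArgs["flags"], key: string): boolean;
+export declare function stringArrayFlag(flags: ParsedArgs["flags"], key: string): string[];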
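--- /dev/null
+++ b/package/dist/cli/doctor.d.ts
@@ -0,0 +1,9 @@
+export declare function runDoctor(options: {
+cwd: string;
+configPath?: string;
+ignoreConfig?: boolean;
+trustConfig?: boolean;
+promptForTrust?: boolean;
+trustStorePath?: string;
+env?: NodeJS.ProcessEnv;
+}): Promise<string>;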
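--- /dev/null
+++ b/package/dist/cli/init.d.ts
@@ -0,0 +1,4 @@
+export declare function runInit(options: {
+cwd: string;
+force: boolean;
+}): Promise<string>;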
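--- /dev/null
+++ b/package/dist/cli/io.d.ts
@@ -0,0 +1,7 @@
+export declare function readPathOrText(value: string | undefined): Promise<string | undefined>;
+export declare function readSelectedFiles(paths: string[]): Promise<Array<{
+path: string;
+language?: string;
+content: string;
+}>>;
+export declare function writeFileWithOverwritePrompt(path: string, content: string, force: boolean): Promise<"created" | "skipped">;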
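Review bot: `readPathOrText(value)` has no documented rule for deciding whether `value` is a filesystem path or literal text, and the two cases behave very differently (one reads from disk, the other does not); a caller passing free text that happens to name an existing file would presumably get that file's contents instead. The emitted declaration should carry TSDoc from the source stating the disambiguation, for example `/** Returns the contents of `value` when it names a readable file, otherwise returns `value` itself; `undefined` passes through unchanged. */`, adjusted to whatever the implementation actually does. If the check is "exists on disk", saying so explicitly lets integrators avoid ambiguous inputs.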
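--- /dev/null
+++ b/package/dist/cli/main.d.ts
@@ -0,0 +1 @@
+export {};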
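--- /dev/null
+++ b/package/dist/config/defaultConfig.d.ts
@@ -0,0 +1,2 @@
+import type { KyosoConfigInput } from "./schema.js";
+export declare const defaultConfig: KyosoConfigInput;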
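--- /dev/null
+++ b/package/dist/config/defineConfig.d.ts
@@ -0,0 +1,2 @@
+import type { KyosoConfigInput } from "./schema.js";
+export declare function defineConfig(config: KyosoConfigInput): KyosoConfigInput;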
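--- /dev/null
+++ b/package/dist/config/loadConfig.d.ts
@@ -0,0 +1,22 @@
+import { type KyosoConfig } from "./schema.js";
+import { type ConfigTrustStatus } from "./trustedConfig.js";
+export type LoadConfigOptions = {
+cwd?: string;
+configPath?: string;
+ignoreConfig?: boolean;
+trustConfig?: boolean;
+promptForTrust?: boolean;
+trustStorePath?: string;
+trustPrompt?: (config: {
+configPath: string;
+configHash: string;
+}) => Promise<boolean>;
+};
+export type LoadedConfig = {
+config: KyosoConfig;
+configPath?: string;
+configHash?: string;
+configTrustStatus: ConfigTrustStatus;
+warnings: string[];
+};
+export declare function loadConfig(options?: LoadConfigOptions): Promise<LoadedConfig>;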
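--- /dev/null
+++ b/package/dist/config/schema.d.ts
@@ -0,0 +1,117 @@
+import { z } from "zod";
+type PartialDeep<T> = {
+[K in keyof T]?: T[K] extends Record<string, unknown> ? PartialDeep<T[K]> : T[K];
+};
+export declare const kyosoConfigSchema: z.ZodObject<{
+entrypoints: z.ZodObject<{
+mcp: z.ZodBoolean;
+cli: z.ZodBoolean;
+}, z.core.$strip>;
+firstClassClient: z.ZodString;
+tools: z.ZodObject<{
+planReview: z.ZodBoolean;
+securityReview: z.ZodBoolean;
+diffReview: z.ZodBoolean;
+}, z.core.$strip>;
+agents: z.ZodObject<{
+codex: z.ZodObject<{
+enabled: z.ZodDefault<z.ZodBoolean>;
+type: z.ZodDefault<z.ZodLiteral<"acp">>;
+command: z.ZodString;
+args: z.ZodDefault<z.ZodArray<z.ZodString>>;
+model: z.ZodOptional<z.ZodString>;
+role: z.ZodEnum<{
+implementation_reviewer: "implementation_reviewer";
+architecture_security_reviewer: "architecture_security_reviewer";
+}>;
+timeoutMs: z.ZodDefault<z.ZodNumber>;
+env: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodString>>;
+auth: z.ZodObject<{
+mode: z.ZodDefault<z.ZodLiteral<"passthrough">>;
+preferExistingLogin: z.ZodDefault<z.ZodBoolean>;
+preferApiKey: z.ZodDefault<z.ZodBoolean>;
+recommendedEnv: z.ZodArray<z.ZodString>;
+envWhitelist: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+}, z.core.$strip>;
+claude: z.ZodObject<{
+enabled: z.ZodDefault<z.ZodBoolean>;
+type: z.ZodDefault<z.ZodLiteral<"acp">>;
+command: z.ZodString;
+args: z.ZodDefault<z.ZodArray<z.ZodString>>;
+model: z.ZodOptional<z.ZodString>;
+role: z.ZodEnum<{
+implementation_reviewer: "implementation_reviewer";
+architecture_security_reviewer: "architecture_security_reviewer";
+}>;
+timeoutMs: z.ZodDefault<z.ZodNumber>;
+env: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodString>>;
+auth: z.ZodObject<{
+mode: z.ZodDefault<z.ZodLiteral<"passthrough">>;
+preferExistingLogin: z.ZodDefault<z.ZodBoolean>;
+preferApiKey: z.ZodDefault<z.ZodBoolean>;
+recommendedEnv: z.ZodArray<z.ZodString>;
+envWhitelist: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+}, z.core.$strip>;
+}, z.core.$strip>;
+workspace: z.ZodObject<{
+mode: z.ZodLiteral<"temp_snapshot">;
+root: z.ZodString;
+readOnly: z.ZodBoolean;
+maxContextBytes: z.ZodNumber;
+maxDiffBytes: z.ZodNumber;
+deny: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+secrets: z.ZodObject<{
+mode: z.ZodLiteral<"redact_and_block">;
+blockOnDetectedSecret: z.ZodBoolean;
+allowOverride: z.ZodBoolean;
+}, z.core.$strip>;
+network: z.ZodObject<{
+defaultMode: z.ZodEnum<{
+model_only: "model_only";
+unrestricted: "unrestricted";
+}>;
+allowUnrestricted: z.ZodBoolean;
+warnOnUnrestricted: z.ZodBoolean;
+mediatedWeb: z.ZodObject<{
+enabled: z.ZodBoolean;
+}, z.core.$strip>;
+}, z.core.$strip>;
+securityReview: z.ZodObject<{
+cisaSecureByDesign: z.ZodObject<{
+enabled: z.ZodBoolean;
+gate: z.ZodBoolean;
+dimensions: z.ZodObject<{
+customerSecurityOutcomes: z.ZodBoolean;
+secureByDefault: z.ZodBoolean;
+transparencyAndAccountability: z.ZodBoolean;
+governance: z.ZodBoolean;
+}, z.core.$strip>;
+}, z.core.$strip>;
+}, z.core.$strip>;
+judge: z.ZodObject<{
+mode: z.ZodEnum<{
+deterministic_plus_llm: "deterministic_plus_llm";
+deterministic_only: "deterministic_only";
+}>;
+provider: z.ZodEnum<{
+auto: "auto";
+openai: "openai";
+anthropic: "anthropic";
+none: "none";
+}>;
+timeoutMs: z.ZodNumber;
+}, z.core.$strip>;
+audit: z.ZodObject<{
+enabled: z.ZodBoolean;
+format: z.ZodLiteral<"jsonl">;
+directory: z.ZodString;
+includeRawAgentOutput: z.ZodBoolean;
+includeFileContents: z.ZodBoolean;
+}, z.core.$strip>;
+}, z.core.$strip>;
+export type KyosoConfig = z.infer<typeof kyosoConfigSchema>;
+export type KyosoConfigInput = PartialDeep<KyosoConfig>;
+export {};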
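Review bot: Every object level of `kyosoConfigSchema` is emitted as `z.core.$strip`, so an unrecognised key is silently dropped rather than rejected; for a policy schema whose knobs include `network.allowUnrestricted`, `secrets.allowOverride`, `workspace.deny` and `agents.*.auth.envWhitelist`, a misspelled key would quietly leave the default in force with no signal to the operator. Consider `.strict()` on the source schema (emitted as `$strict`) at least for the `network`, `secrets`, `workspace` and `auth` objects, or surface unknown keys through the `warnings` array that `LoadedConfig` already exposes. Separately, the `codex` and `claude` object schemas (gutter 17–36 and 37–56) are byte-identical; a shared `agentSchema` constant in the source, `agents: z.object({ codex: agentSchema, claude: agentSchema })`, would keep the two from drifting. None of the security-relevant fields carry `.describe()` text, so the declaration gives integrators no contract for what `env` is forwarded to or how `envWhitelist` relates to `recommendedEnv`; adding descriptions at the source would make the generated types and any derived JSON schema self-documenting.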
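--- /dev/null
+++ b/package/dist/config/trustedConfig.d.ts
@@ -0,0 +1,5 @@
+export type ConfigTrustStatus = "ignored" | "not_found" | "trusted" | "trusted_by_flag" | "trusted_interactively" | "untrusted_skipped";
+export declare function hashConfigSource(source: string): string;
+export declare function defaultTrustedConfigStorePath(env?: NodeJS.ProcessEnv): string;
+export declare function isTrustedConfig(storePath: string, configPath: string, configHash: string): Promise<boolean>;
+export declare function trustConfig(storePath: string, configPath: string, configHash: string): Promise<void>;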
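Review bot: `hashConfigSource(source)` and the `(storePath, configPath, configHash)` trust triple carry no documentation of what the hash is or what `configPath` must look like, yet both decide whether a config file is allowed to execute. The source should state the algorithm and encoding in TSDoc, for example `/** Content hash of the config source text; trust is keyed on this so any edit to the file invalidates it. Algorithm: <fill in from implementation>. */`, so that a stored trust record can be reasoned about and re-derived. It should also say whether `configPath` is expected to be an absolute, resolved path; if callers may pass relative or symlinked paths, the same file can presumably acquire several trust records, and documenting the canonicalisation requirement on `isTrustedConfig`/`trustConfig` removes that ambiguity. The meaning of each `ConfigTrustStatus` member, in particular the difference between `trusted` and `trusted_by_flag`, would also benefit from a one-line comment per member.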
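--- /dev/null
+++ b/package/dist/config/tsConfigLoader.d.ts
@@ -0,0 +1,7 @@
+type ConfigModule = {
+default?: unknown;
+config?: unknown;
+[key: string]: unknown;
+};
+export declare function loadConfigModule(filePath: string, source: string): Promise<ConfigModule>;
+export {};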
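Review bot: `loadConfigModule(filePath, source)` appears to evaluate the config file's code to obtain its `default`/`config` export, which makes it the point where an untrusted `kyoso.config.ts` would execute, yet the declaration states no precondition. The source should carry TSDoc making the contract explicit, along the lines of `/** Evaluates `source` as an ES module and returns its exports. This runs the file's code: callers must have established trust via trustedConfig (see ConfigTrustStatus) before invoking. */`, so that no future caller bypasses `loadConfig`'s trust gate by calling this directly. The `ConfigModule` type's `default?`/`config?` members are already covered by the `[key: string]: unknown` index signature; keeping them is fine for readability, but a comment noting that the named members are the ones the loader consults would clarify intent.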
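--- /dev/null
+++ b/package/dist/context/buildContext.d.ts
@@ -0,0 +1,11 @@
+import type { KyosoReviewRequest } from "../core/types.js";
+export type BuiltContext = {
+request: KyosoReviewRequest;
+warnings: string[];
+};
+export declare function buildContext(request: KyosoReviewRequest, options: {
+maxContextBytes: number;
+maxDiffBytes: number;
+denyPatterns: string[];
+allowPatterns?: string[];
+}): BuiltContext;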
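--- /dev/null
+++ b/package/dist/context/pathPolicy.d.ts
@@ -0,0 +1,3 @@
+export declare function normalizeRelativePath(path: string): string;
+export declare function isDeniedPath(path: string, denyPatterns: string[]): boolean;
+export declare function isAllowedPath(path: string, allowPatterns: string[]): boolean;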
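Review bot: The relationship between `normalizeRelativePath` and the two predicates is undocumented: nothing in the declaration says whether `isDeniedPath`/`isAllowedPath` normalise internally or expect an already-normalised input. If they match the raw string, a path spelled with `..` segments, a leading `/`, or backslash separators may not match a deny pattern that the normalised form would, so the contract needs to be explicit in the source's TSDoc, e.g. `/** Tests `path` against `denyPatterns`. `path` must be the output of normalizeRelativePath; un-normalised input is not matched reliably. */`, or the predicates should call `normalizeRelativePath` themselves and say so. It would also help to state the pattern syntax (glob, prefix, regex) and whether matching is case-sensitive, since `workspace.deny` in the config schema is user-supplied.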
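--- /dev/null
+++ b/package/dist/context/truncate.d.ts
@@ -0,0 +1,6 @@
+export type TruncationResult = {
+content: string;
+truncated: boolean;
+bytes: number;
+};
+export declare function truncateUtf8(input: string, maxBytes: number): TruncationResult;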
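--- /dev/null
+++ b/package/dist/core/constants.d.ts
@@ -0,0 +1,7 @@
+export declare const DEFAULT_AGENT_TIMEOUT_MS = 120000;
+export declare const DEFAULT_MAX_CONTEXT_BYTES = 500000;
+export declare const DEFAULT_MAX_DIFF_BYTES = 300000;
+export declare const RAW_OUTPUT_MAX_CHARS = 16384;
+export declare const TRACE_DIR = ".kyoso/traces";
+export declare const KYOSO_CHILD_AGENT = "KYOSO_CHILD_AGENT";
+export declare const KYOSO_VERSION = "0.1.0";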
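Review bot: `KYOSO_VERSION = "0.1.0"` duplicates the package version shown at the top of this page, so the two will drift on the next release unless something enforces equality; a build step that derives the constant from `package.json`, or a unit test asserting `KYOSO_VERSION === pkg.version`, would close that gap. The other constants would benefit from a one-line comment each in the source, in particular `KYOSO_CHILD_AGENT`, whose name suggests it is the environment variable consulted by the recursion guard, and `TRACE_DIR`, which is a relative path and so depends on the process working directory at the time traces are written.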
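--- /dev/null
+++ b/package/dist/core/errors.d.ts
@@ -0,0 +1,4 @@
+export declare class KyosoRequestError extends Error {
+readonly code: string;
+constructor(message: string, code: string);
+}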
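--- /dev/null
+++ b/package/dist/core/runReview.d.ts
@@ -0,0 +1,12 @@
+import { type KyosoConfig } from "../config/schema.js";
+import { type LoadConfigOptions } from "../config/loadConfig.js";
+import type { AcpAgentManager } from "../acp/AcpAgentManager.js";
+import type { KyosoResult, KyosoReviewRequest, NetworkMode, ReviewTool } from "./types.js";
+export type RunReviewOptions = LoadConfigOptions & {
+config?: KyosoConfig;
+configHash?: string;
+agentManager?: AcpAgentManager;
+env?: NodeJS.ProcessEnv;
+mcpNetworkMode?: NetworkMode;
+};
+export declare function runReview(tool: ReviewTool, request: KyosoReviewRequest, options?: RunReviewOptions): Promise<KyosoResult>;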
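Review bot: `RunReviewOptions` intersects `LoadConfigOptions` with a pre-built `config?: KyosoConfig`, but the declaration does not say what happens when both `config` and `configPath`/`trustConfig` are supplied, or whether a caller-provided `config` is subject to the trust gate at all. The source should document the precedence in TSDoc on the type, for example `/** When `config` is given it is used as-is and no config file is loaded or trust-checked; `configHash` is then recorded in the result's audit block only. */`, adjusted to the real behaviour. Since `configHash` is caller-asserted in that path, it is worth stating that it is informational for `audit.configHash` and is not verified against `config`.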
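--- /dev/null
+++ b/package/dist/core/types.d.ts
@@ -0,0 +1,154 @@
+export type ReviewTool = "plan_review" | "security_review" | "diff_review";
+export type KyosoDecision = "approve" | "approve_with_changes" | "block";
+export type GateStatus = "pass" | "warn" | "fail" | "not_applicable";
+export type NetworkMode = "model_only" | "unrestricted";
+export type JudgeProvider = "auto" | "openai" | "anthropic" | "none";
+export type Severity = "critical" | "high" | "medium" | "low" | "info";
+export type FindingCategory = "architecture" | "authn" | "authz" | "csrf" | "xss" | "ssrf" | "injection" | "secret" | "supply_chain" | "privacy" | "data_loss" | "test" | "maintainability" | "cisa_secure_by_design" | "other";
+export type CisaDimension = "customer_security_outcomes" | "secure_by_default" | "transparency_and_accountability" | "governance";
+export type KyosoReviewRequest = {
+goal: string;
+repoSummary?: string;
+currentPlan?: string;
+selectedFiles?: Array<{
+path: string;
+language?: string;
+content: string;
+truncated?: boolean;
+}>;
+diff?: {
+baseRef?: string;
+headRef?: string;
+unifiedDiff: string;
+};
+constraints?: string[];
+workspace?: {
+root?: string;
+allowRead?: string[];
+denyRead?: string[];
+};
+options?: {
+network?: NetworkMode;
+maxAgentTimeoutMs?: number;
+includeAgentRawOutputs?: boolean;
+judgeProvider?: JudgeProvider;
+allowSecretRedaction?: boolean;
+};
+};
+export type KyosoFinding = {
+id: string;
+severity: Severity;
+category: FindingCategory;
+title: string;
+evidence: string;
+recommendation: string;
+files?: Array<{
+path: string;
+lineStart?: number;
+lineEnd?: number;
+}>;
+sourceAgents: Array<AgentName | "judge" | "kyoso_policy">;
+confidence: "high" | "medium" | "low";
+cisaMapping?: CisaDimension[];
+};
+export type CisaSecureByDesignResult = {
+customerSecurityOutcomes: GateStatus;
+secureByDefault: GateStatus;
+transparencyAndAccountability: GateStatus;
+governance: GateStatus;
+notes: string[];
+};
+export type AgentName = "codex" | "claude";
+export type AgentRole = "implementation_reviewer" | "architecture_security_reviewer";
+export type NormalizedAgentOpinion = {
+agent: AgentName;
+role: string;
+summary: string;
+findings: Array<{
+severity: Severity;
+category: FindingCategory | string;
+title: string;
+evidence: string;
+recommendation: string;
+files?: Array<{
+path: string;
+lineStart?: number;
+lineEnd?: number;
+}>;
+confidence: "high" | "medium" | "low";
+cisaMapping?: string[];
+}>;
+testsToAdd: string[];
+residualRisks: string[];
+openQuestions: string[];
+cisaSecureByDesign?: Partial<CisaSecureByDesignResult>;
+};
+export type AgentRunInput = {
+traceId: string;
+agent: AgentName;
+role: AgentRole;
+tool: ReviewTool;
+prompt: string;
+workspaceDir: string;
+timeoutMs: number;
+networkMode: NetworkMode;
+};
+export type AgentRunResult = {
+agent: AgentName;
+role: AgentRole;
+status: "completed" | "failed" | "timeout" | "skipped";
+rawText?: string;
+normalized?: NormalizedAgentOpinion;
+error?: {
+code: string;
+message: string;
+detail?: string;
+};
+startedAt: string;
+completedAt?: string;
+};
+export type KyosoResult = {
+decision: KyosoDecision;
+degraded: boolean;
+summaryMarkdown: string;
+findings: KyosoFinding[];
+cisaSecureByDesign?: CisaSecureByDesignResult;
+disagreements: Array<{
+topic: string;
+positions: Array<{
+agent: AgentName;
+opinion: string;
+}>;
+judgeComment: string;
+}>;
+testsToAdd: string[];
+residualRisks: string[];
+agentOpinions: Array<{
+agent: AgentName;
+role: string;
+summary: string;
+status: "completed" | "failed" | "timeout" | "skipped";
+errorCode?: string;
+rawText?: string;
+}>;
+audit: {
+traceId: string;
+startedAt: string;
+completedAt: string;
+agentsUsed: string[];
+redactionsApplied: number;
+networkMode: NetworkMode;
+workspaceMode: "temp_snapshot";
+configHash?: string;
+warnings?: string[];
+};
+};
+export type SecretScanResult = {
+detected: boolean;
+redactions: number;
+matches: Array<{
+kind: string;
+location: string;
+}>;
+redactedRequest: KyosoReviewRequest;
+};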
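Review bot: `category: FindingCategory | string` in `NormalizedAgentOpinion.findings` (gutter 69) collapses to plain `string`, so the literal members contribute nothing to checking or completion and a consumer cannot tell that the value is normally one of `FindingCategory`; the same loss happens with `role: string` (65 and 128) next to `AgentRole`, and `cisaMapping?: string[]` (79) next to `CisaDimension[]` (52). If the intent is "known categories plus free text from the agent", spell that as `FindingCategory | (string & {})`, or keep the agent's raw value as `string` and map it onto `FindingCategory` during aggregation so that `KyosoFinding` is the only place the closed set matters. The `files` element shape `{ path; lineStart?; lineEnd? }` and the status union `"completed" | "failed" | "timeout" | "skipped"` each appear twice; a named `FileRef` and `AgentRunStatus` alias would keep them from drifting. These declaration-only types also lack any TSDoc on the security-relevant members (`allowSecretRedaction`, `degraded`, `redactionsApplied`), which the source should supply since they surface in the public API.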
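--- /dev/null
+++ b/package/dist/core/validateRequest.d.ts
@@ -0,0 +1,2 @@
+import type { KyosoReviewRequest, ReviewTool } from "./types.js";
+export declare function validateReviewRequest(tool: ReviewTool, request: KyosoReviewRequest): void;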
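--- /dev/null
+++ b/package/dist/index.d.ts
@@ -0,0 +1,3 @@
+export { defineConfig } from "./config/defineConfig.js";
+export { runReview } from "./core/runReview.js";
+export type { CisaSecureByDesignResult, GateStatus, KyosoDecision, KyosoFinding, KyosoResult, KyosoReviewRequest, NetworkMode, ReviewTool, } from "./core/types.js";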