@mohanscodex/spectra-code 0.4.5

package/dist/src/security/read-tracker.d.ts

@@ -0,0 +1,20 @@
+import type { WriteGuardResult } from "./types.js";
+type WriteGuardMode = "soft" | "strict" | "off";
+export declare class ReadTracker {
+    private readPaths;
+    private writtenPaths;
+    private warnedPaths;
+    private mode;
+    private exclude;
+    constructor(config?: {
+        mode?: WriteGuardMode;
+        exclude?: string[];
+    });
+    recordRead(filePath: string, cwd?: string): void;
+    recordWrite(filePath: string, cwd?: string): void;
+    checkWrite(filePath: string, cwd?: string, toolName?: string): WriteGuardResult;
+    isTracked(filePath: string, cwd?: string): boolean;
+    reset(): void;
+}
+export {};
+//# sourceMappingURL=read-tracker.d.ts.map

package/dist/src/security/read-tracker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"read-tracker.d.ts","sourceRoot":"","sources":["../../../src/security/read-tracker.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAGlD,KAAK,cAAc,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAA;AAE/C,qBAAa,WAAW;IACtB,OAAO,CAAC,SAAS,CAAoB;IACrC,OAAO,CAAC,YAAY,CAAoB;IACxC,OAAO,CAAC,WAAW,CAAoB;IACvC,OAAO,CAAC,IAAI,CAAgB;IAC5B,OAAO,CAAC,OAAO,CAAa;gBAEhB,MAAM,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,cAAc,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE;IAKlE,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,GAAE,MAAsB,GAAG,IAAI;IAO/D,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,GAAE,MAAsB,GAAG,IAAI;IAOhE,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,GAAE,MAAsB,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,gBAAgB;IAoC9F,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,GAAE,MAAsB,GAAG,OAAO;IAIjE,KAAK,IAAI,IAAI;CAKd"}

package/dist/src/security/read-tracker.js

@@ -0,0 +1,73 @@
+import { existsSync } from "fs";
+import { canonicalPath } from "./wildcard.js";
+export class ReadTracker {
+    readPaths = new Set();
+    writtenPaths = new Set();
+    warnedPaths = new Set();
+    mode;
+    exclude;
+    constructor(config) {
+        this.mode = config?.mode ?? "soft";
+        this.exclude = new Set(config?.exclude ?? []);
+    }
+    recordRead(filePath, cwd = process.cwd()) {
+        if (this.mode === "off")
+            return;
+        const c = canonicalPath(filePath, cwd);
+        this.readPaths.add(c);
+        this.warnedPaths.delete(c);
+    }
+    recordWrite(filePath, cwd = process.cwd()) {
+        if (this.mode === "off")
+            return;
+        const c = canonicalPath(filePath, cwd);
+        this.writtenPaths.add(c);
+        this.readPaths.add(c);
+    }
+    checkWrite(filePath, cwd = process.cwd(), toolName) {
+        if (this.mode === "off")
+            return { ok: true };
+        if (toolName && this.exclude.has(toolName))
+            return { ok: true };
+        const c = canonicalPath(filePath, cwd);
+        if (!existsSync(c))
+            return { ok: true };
+        if (this.readPaths.has(c) || this.writtenPaths.has(c))
+            return { ok: true };
+        const displayPath = (() => {
+            const rel = (() => { try {
+                return require("path").relative(cwd, c);
+            }
+            catch {
+                return c;
+            } })();
+            return rel || c;
+        })();
+        if (this.mode === "strict") {
+            return {
+                ok: false,
+                blocked: true,
+                reason: `Refused: write to existing file '${displayPath}' without prior read. Read the file first.`,
+            };
+        }
+        if (this.warnedPaths.has(c)) {
+            this.recordWrite(filePath, cwd);
+            return { ok: true };
+        }
+        this.warnedPaths.add(c);
+        return {
+            ok: false,
+            warning: true,
+            reason: `Refused: write would overwrite existing '${displayPath}' you haven't read. Call read first, or retry — second attempt is allowed.`,
+        };
+    }
+    isTracked(filePath, cwd = process.cwd()) {
+        return this.readPaths.has(canonicalPath(filePath, cwd));
+    }
+    reset() {
+        this.readPaths.clear();
+        this.writtenPaths.clear();
+        this.warnedPaths.clear();
+    }
+}
+//# sourceMappingURL=read-tracker.js.map

package/dist/src/security/read-tracker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"read-tracker.js","sourceRoot":"","sources":["../../../src/security/read-tracker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,IAAI,CAAA;AAG/B,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAI7C,MAAM,OAAO,WAAW;IACd,SAAS,GAAG,IAAI,GAAG,EAAU,CAAA;IAC7B,YAAY,GAAG,IAAI,GAAG,EAAU,CAAA;IAChC,WAAW,GAAG,IAAI,GAAG,EAAU,CAAA;IAC/B,IAAI,CAAgB;IACpB,OAAO,CAAa;IAE5B,YAAY,MAAsD;QAChE,IAAI,CAAC,IAAI,GAAG,MAAM,EAAE,IAAI,IAAI,MAAM,CAAA;QAClC,IAAI,CAAC,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,OAAO,IAAI,EAAE,CAAC,CAAA;IAC/C,CAAC;IAED,UAAU,CAAC,QAAgB,EAAE,MAAc,OAAO,CAAC,GAAG,EAAE;QACtD,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK;YAAE,OAAM;QAC/B,MAAM,CAAC,GAAG,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QACtC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;IAC5B,CAAC;IAED,WAAW,CAAC,QAAgB,EAAE,MAAc,OAAO,CAAC,GAAG,EAAE;QACvD,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK;YAAE,OAAM;QAC/B,MAAM,CAAC,GAAG,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QACtC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;QACxB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;IACvB,CAAC;IAED,UAAU,CAAC,QAAgB,EAAE,MAAc,OAAO,CAAC,GAAG,EAAE,EAAE,QAAiB;QACzE,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK;YAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;QAC5C,IAAI,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;QAE/D,MAAM,CAAC,GAAG,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QAEtC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;YAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;QAEvC,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;QAE1E,MAAM,WAAW,GAAG,CAAC,GAAG,EAAE;YACxB,MAAM,GAAG,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;gBAAC,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;YAAC,CAAC;YAAC,MAAM,CAAC;gBAAC,OAAO,CAAC,CAAA;YAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YAC5F,OAAO,GAAG,IAAI,CAAC,CAAA;QACjB,CAAC,CAAC,EAAE,CAAA;QAEJ,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC3B,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,oCAAoC,WAAW,4CAA4C;aACpG,CAAA;QACH,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;YAC/B,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;QACrB,CAAC;QAED,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;QACvB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,4CAA4C,WAAW,4EAA4E;SAC5I,CAAA;IACH,CAAC;IAED,SAAS,CAAC,QAAgB,EAAE,MAAc,OAAO,CAAC,GAAG,EAAE;QACrD,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAA;IACzD,CAAC;IAED,KAAK;QACH,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;QACtB,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAA;QACzB,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAA;IAC1B,CAAC;CACF"}

package/dist/src/security/ssrf-guard.d.ts

@@ -0,0 +1,19 @@
+import type { SsrfResult } from "./types.js";
+interface SsrfConfig {
+    blockPrivate?: boolean;
+    blockLoopback?: boolean;
+    allowedHosts?: string[];
+    followRedirects?: boolean;
+}
+export declare class SsrfGuard {
+    private blockPrivate;
+    private blockLoopback;
+    private allowedHosts;
+    followRedirects: boolean;
+    constructor(config?: SsrfConfig);
+    check(rawUrl: string): SsrfResult;
+    private isLoopback;
+    private isPrivate;
+}
+export {};
+//# sourceMappingURL=ssrf-guard.d.ts.map

package/dist/src/security/ssrf-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-guard.d.ts","sourceRoot":"","sources":["../../../src/security/ssrf-guard.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAA;AAI5C,UAAU,UAAU;IAClB,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,aAAa,CAAC,EAAE,OAAO,CAAA;IACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,qBAAa,SAAS;IACpB,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,YAAY,CAAa;IACjC,eAAe,EAAE,OAAO,CAAA;gBAEZ,MAAM,CAAC,EAAE,UAAU;IAO/B,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU;IAiCjC,OAAO,CAAC,UAAU;IAgBlB,OAAO,CAAC,SAAS;CAuBlB"}

package/dist/src/security/ssrf-guard.js

@@ -0,0 +1,98 @@
+import { isIP } from "net";
+import { URL } from "url";
+export class SsrfGuard {
+    blockPrivate;
+    blockLoopback;
+    allowedHosts;
+    followRedirects;
+    constructor(config) {
+        this.blockPrivate = config?.blockPrivate ?? true;
+        this.blockLoopback = config?.blockLoopback ?? true;
+        this.allowedHosts = new Set(config?.allowedHosts ?? []);
+        this.followRedirects = config?.followRedirects ?? false;
+    }
+    check(rawUrl) {
+        let hostname;
+        let port;
+        try {
+            const url = new URL(rawUrl);
+            hostname = url.hostname;
+            port = parseInt(url.port) || (url.protocol === "https:" ? 443 : 80);
+        }
+        catch {
+            return { ok: false, reason: `Invalid URL: ${rawUrl}` };
+        }
+        if (this.allowedHosts.has(hostname)) {
+            return { ok: true };
+        }
+        if (this.isLoopback(hostname)) {
+            return {
+                ok: false,
+                reason: `SSRF blocked: loopback address (${hostname}). Use security.ssrf.allowedHosts to override.`,
+            };
+        }
+        if (this.blockPrivate && this.isPrivate(hostname)) {
+            return {
+                ok: false,
+                reason: `SSRF blocked: private/restricted address (${hostname}). Use security.ssrf.allowedHosts to override.`,
+            };
+        }
+        return { ok: true };
+    }
+    isLoopback(hostname) {
+        if (!this.blockLoopback)
+            return false;
+        if (hostname === "localhost" || hostname === "localhost.localdomain")
+            return true;
+        if (hostname === "::1" || hostname === "::")
+            return true;
+        if (hostname.startsWith("127.")) {
+            try {
+                const type = isIP(hostname);
+                if (type === 4) {
+                    const octets = hostname.split(".").map(Number);
+                    return octets.length === 4 && octets[0] === 127;
+                }
+            }
+            catch {
+                return false;
+            }
+        }
+        return false;
+    }
+    isPrivate(hostname) {
+        try {
+            const type = isIP(hostname);
+            if (type === 4) {
+                const octets = hostname.split(".").map(Number);
+                if (octets.length !== 4)
+                    return false;
+                if (octets[0] === 10)
+                    return true;
+                if (octets[0] === 172 && octets[1] >= 16 && octets[1] <= 31)
+                    return true;
+                if (octets[0] === 192 && octets[1] === 168)
+                    return true;
+                if (octets[0] === 169 && octets[1] === 254)
+                    return true;
+                if (octets[0] === 0)
+                    return true;
+                if (octets[0] >= 224)
+                    return true;
+                return false;
+            }
+            if (type === 6) {
+                if (hostname === "::1" || hostname === "::")
+                    return true;
+                if (hostname.startsWith("fe80:"))
+                    return true;
+                if (hostname.startsWith("fc") || hostname.startsWith("fd"))
+                    return true;
+                return false;
+            }
+        }
+        catch { }
+        return false;
+    }
+}
+//# sourceMappingURL=ssrf-guard.js.map

package/dist/src/security/ssrf-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-guard.js","sourceRoot":"","sources":["../../../src/security/ssrf-guard.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,KAAK,CAAA;AAC1B,OAAO,EAAE,GAAG,EAAE,MAAM,KAAK,CAAA;AASzB,MAAM,OAAO,SAAS;IACZ,YAAY,CAAS;IACrB,aAAa,CAAS;IACtB,YAAY,CAAa;IACjC,eAAe,CAAS;IAExB,YAAY,MAAmB;QAC7B,IAAI,CAAC,YAAY,GAAG,MAAM,EAAE,YAAY,IAAI,IAAI,CAAA;QAChD,IAAI,CAAC,aAAa,GAAG,MAAM,EAAE,aAAa,IAAI,IAAI,CAAA;QAClD,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,YAAY,IAAI,EAAE,CAAC,CAAA;QACvD,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,eAAe,IAAI,KAAK,CAAA;IACzD,CAAC;IAED,KAAK,CAAC,MAAc;QAClB,IAAI,QAAgB,CAAA;QACpB,IAAI,IAAY,CAAA;QAEhB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAA;YAC3B,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAA;YACvB,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;QACrE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,MAAM,EAAE,EAAE,CAAA;QACxD,CAAC;QAED,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;QACrB,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,mCAAmC,QAAQ,gDAAgD;aACpG,CAAA;QACH,CAAC;QAED,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClD,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,6CAA6C,QAAQ,gDAAgD;aAC9G,CAAA;QACH,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;IACrB,CAAC;IAEO,UAAU,CAAC,QAAgB;QACjC,IAAI,CAAC,IAAI,CAAC,aAAa;YAAE,OAAO,KAAK,CAAA;QACrC,IAAI,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,uBAAuB;YAAE,OAAO,IAAI,CAAA;QACjF,IAAI,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,IAAI;YAAE,OAAO,IAAI,CAAA;QACxD,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAA;gBAC3B,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBACf,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;oBAC9C,OAAO,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,CAAA;gBACjD,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBAAC,OAAO,KAAK,CAAA;YAAC,CAAC;QAC1B,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEO,SAAS,CAAC,QAAgB;QAChC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAA;YAC3B,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACf,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;gBAC9C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO,KAAK,CAAA;gBACrC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,EAAE;oBAAE,OAAO,IAAI,CAAA;gBACjC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE;oBAAE,OAAO,IAAI,CAAA;gBACxE,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG;oBAAE,OAAO,IAAI,CAAA;gBACvD,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG;oBAAE,OAAO,IAAI,CAAA;gBACvD,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;oBAAE,OAAO,IAAI,CAAA;gBAChC,IAAI,MAAM,CAAC,CAAC,CAAC,IAAI,GAAG;oBAAE,OAAO,IAAI,CAAA;gBACjC,OAAO,KAAK,CAAA;YACd,CAAC;YACD,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACf,IAAI,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,IAAI;oBAAE,OAAO,IAAI,CAAA;gBACxD,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;oBAAE,OAAO,IAAI,CAAA;gBAC7C,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC;oBAAE,OAAO,IAAI,CAAA;gBACvE,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,CAAC;QACX,OAAO,KAAK,CAAA;IACd,CAAC;CACF"}

package/dist/src/security/types.d.ts

@@ -0,0 +1,70 @@
+export type PermissionAction = "allow" | "ask" | "deny";
+export interface Rule {
+    permission: string;
+    pattern: string;
+    action: PermissionAction;
+}
+export type Ruleset = Rule[];
+export interface PermissionRequest {
+    id: string;
+    permission: string;
+    pattern: string;
+    tool?: string;
+    details?: string;
+    always?: string[];
+}
+export interface PermissionResponse {
+    action: "once" | "always" | "deny";
+}
+export type WriteGuardResult = {
+    ok: true;
+} | {
+    ok: false;
+    reason: string;
+    warning?: boolean;
+    blocked?: boolean;
+};
+export type DoomLoopResult = {
+    ok: true;
+} | {
+    ok: false;
+    action: "warn" | "stop";
+    message: string;
+};
+export type PathSafetyResult = {
+    ok: true;
+    resolvedPath: string;
+    displayPath: string;
+} | {
+    ok: false;
+    reason: string;
+};
+export type SsrfResult = {
+    ok: true;
+} | {
+    ok: false;
+    reason: string;
+};
+export interface ToolCapabilities {
+    reads: boolean;
+    writes: boolean;
+}
+export interface SecurityConfig {
+    writeGuard?: "soft" | "strict" | "off";
+    writeGuardExclude?: string[];
+    blockedPaths?: string[];
+    allowedPaths?: string[];
+    ssrf?: {
+        blockPrivate?: boolean;
+        blockLoopback?: boolean;
+        allowedHosts?: string[];
+        followRedirects?: boolean;
+    };
+    doomLoop?: {
+        writeRepeatThreshold?: number;
+        readOnlyRepeatThreshold?: number;
+        patchSpiralThreshold?: number;
+    };
+}
+export type PermissionConfig = Record<string, string | Record<string, PermissionAction>>;
+//# sourceMappingURL=types.d.ts.map

package/dist/src/security/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/security/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,OAAO,GAAG,KAAK,GAAG,MAAM,CAAA;AAEvD,MAAM,WAAW,IAAI;IACnB,UAAU,EAAE,MAAM,CAAA;IAClB,OAAO,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,gBAAgB,CAAA;CACzB;AAED,MAAM,MAAM,OAAO,GAAG,IAAI,EAAE,CAAA;AAE5B,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAA;IACV,UAAU,EAAE,MAAM,CAAA;IAClB,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAA;CACnC;AAED,MAAM,MAAM,gBAAgB,GACxB;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAA;AAEvE,MAAM,MAAM,cAAc,GACtB;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAA;AAE3D,MAAM,MAAM,gBAAgB,GACxB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACvD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAA;AAEjC,MAAM,MAAM,UAAU,GAClB;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAA;AAEjC,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAA;IACd,MAAM,EAAE,OAAO,CAAA;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,CAAC,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAA;IACtC,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC5B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,IAAI,CAAC,EAAE;QACL,YAAY,CAAC,EAAE,OAAO,CAAA;QACtB,aAAa,CAAC,EAAE,OAAO,CAAA;QACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;QACvB,eAAe,CAAC,EAAE,OAAO,CAAA;KAC1B,CAAA;IACD,QAAQ,CAAC,EAAE;QACT,oBAAoB,CAAC,EAAE,MAAM,CAAA;QAC7B,uBAAuB,CAAC,EAAE,MAAM,CAAA;QAChC,oBAAoB,CAAC,EAAE,MAAM,CAAA;KAC9B,CAAA;CACF;AAED,MAAM,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC,CAAA"}

package/dist/src/security/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/src/security/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/security/types.ts"],"names":[],"mappings":""}

package/dist/src/security/wildcard.d.ts

@@ -0,0 +1,5 @@
+export declare function matchWildcard(pattern: string, value: string): boolean;
+export declare function isInsideWorkingDir(targetPath: string, cwd: string): boolean;
+export declare function canonicalPath(raw: string, cwd: string): string;
+export declare function ensureDirGlob(rawPath: string): string;
+//# sourceMappingURL=wildcard.d.ts.map

package/dist/src/security/wildcard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wildcard.d.ts","sourceRoot":"","sources":["../../../src/security/wildcard.ts"],"names":[],"mappings":"AAOA,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAuBrE;AAED,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAc3E;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAErD"}

package/dist/src/security/wildcard.js

@@ -0,0 +1,50 @@
+import { homedir } from "os";
+import { resolve, relative, normalize, sep } from "path";
+function escapeRegex(pattern) {
+    return pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+}
+export function matchWildcard(pattern, value) {
+    let pat = pattern.replace(/^~\//, homedir());
+    const parts = pat.split(/(\*|\?)/g);
+    let regex = "";
+    for (const part of parts) {
+        if (part === "*") {
+            regex += ".*";
+        }
+        else if (part === "?") {
+            regex += ".";
+        }
+        else {
+            regex += escapeRegex(part);
+        }
+    }
+    regex = "^" + regex + "$";
+    try {
+        const re = new RegExp(regex, process.platform === "win32" ? "i" : "");
+        return re.test(value);
+    }
+    catch {
+        return false;
+    }
+}
+export function isInsideWorkingDir(targetPath, cwd) {
+    const abs = resolve(cwd, targetPath);
+    const rel = relative(cwd, abs);
+    if (rel.startsWith(".."))
+        return false;
+    if (process.platform === "win32") {
+        const absLower = abs.toLowerCase();
+        const cwdLower = resolve(cwd).toLowerCase();
+        return (absLower.startsWith(cwdLower + "\\") ||
+            absLower.startsWith(cwdLower + "/") ||
+            absLower === cwdLower);
+    }
+    return true;
+}
+export function canonicalPath(raw, cwd) {
+    return normalize(resolve(cwd, raw));
+}
+export function ensureDirGlob(rawPath) {
+    return rawPath + sep + "**";
+}
+//# sourceMappingURL=wildcard.js.map

package/dist/src/security/wildcard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wildcard.js","sourceRoot":"","sources":["../../../src/security/wildcard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAA;AAC5B,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,MAAM,CAAA;AAExD,SAAS,WAAW,CAAC,OAAe;IAClC,OAAO,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAA;AACrD,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,OAAe,EAAE,KAAa;IAC1D,IAAI,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAA;IAE5C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IACnC,IAAI,KAAK,GAAG,EAAE,CAAA;IACd,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACjB,KAAK,IAAI,IAAI,CAAA;QACf,CAAC;aAAM,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACxB,KAAK,IAAI,GAAG,CAAA;QACd,CAAC;aAAM,CAAC;YACN,KAAK,IAAI,WAAW,CAAC,IAAI,CAAC,CAAA;QAC5B,CAAC;IACH,CAAC;IAED,KAAK,GAAG,GAAG,GAAG,KAAK,GAAG,GAAG,CAAA;IAEzB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;QACrE,OAAO,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,UAAkB,EAAE,GAAW;IAChE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,UAAU,CAAC,CAAA;IACpC,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;IAC9B,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAA;IACtC,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;QAClC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAA;QAC3C,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,QAAQ,GAAG,IAAI,CAAC;YACpC,QAAQ,CAAC,UAAU,CAAC,QAAQ,GAAG,GAAG,CAAC;YACnC,QAAQ,KAAK,QAAQ,CACtB,CAAA;IACH,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,GAAW,EAAE,GAAW;IACpD,OAAO,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAA;AACrC,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,OAAe;IAC3C,OAAO,OAAO,GAAG,GAAG,GAAG,IAAI,CAAA;AAC7B,CAAC"}

package/dist/src/services/auth-store.d.ts

@@ -0,0 +1,25 @@
+export interface ApiCredential {
+    type: "api";
+    key: string;
+    metadata?: Record<string, string>;
+}
+export interface OauthCredential {
+    type: "oauth";
+    refresh: string;
+    access: string;
+    expires: number;
+    accountId?: string;
+    enterpriseUrl?: string;
+}
+export interface WellKnownCredential {
+    type: "wellknown";
+    key: string;
+    token: string;
+}
+export type Credential = ApiCredential | OauthCredential | WellKnownCredential;
+export declare function readAll(): Record<string, Credential>;
+export declare function read(providerId: string): Credential | undefined;
+export declare function write(providerId: string, credential: Credential): void;
+export declare function remove(providerId: string): void;
+export declare function listConnected(): string[];
+//# sourceMappingURL=auth-store.d.ts.map

package/dist/src/services/auth-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-store.d.ts","sourceRoot":"","sources":["../../../src/services/auth-store.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,KAAK,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,OAAO,CAAA;IACb,OAAO,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,WAAW,CAAA;IACjB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;CACd;AAED,MAAM,MAAM,UAAU,GAAG,aAAa,GAAG,eAAe,GAAG,mBAAmB,CAAA;AAW9E,wBAAgB,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAOpD;AAED,wBAAgB,IAAI,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS,CAE/D;AAED,wBAAgB,KAAK,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG,IAAI,CAMtE;AAED,wBAAgB,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAK/C;AAED,wBAAgB,aAAa,IAAI,MAAM,EAAE,CAExC"}

package/dist/src/services/auth-store.js

@@ -0,0 +1,40 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+import { getGlobalDataDir } from "../utils/paths.js";
+function authFilePath() {
+    return join(getGlobalDataDir(), "auth.json");
+}
+function ensureDataDir() {
+    const dir = getGlobalDataDir();
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+}
+export function readAll() {
+    const file = authFilePath();
+    try {
+        return JSON.parse(readFileSync(file, "utf-8"));
+    }
+    catch {
+        return {};
+    }
+}
+export function read(providerId) {
+    return readAll()[providerId];
+}
+export function write(providerId, credential) {
+    ensureDataDir();
+    const file = authFilePath();
+    const data = readAll();
+    data[providerId] = credential;
+    writeFileSync(file, JSON.stringify(data, null, 2), { mode: 0o600, encoding: "utf-8" });
+}
+export function remove(providerId) {
+    const file = authFilePath();
+    const data = readAll();
+    delete data[providerId];
+    writeFileSync(file, JSON.stringify(data, null, 2), { mode: 0o600, encoding: "utf-8" });
+}
+export function listConnected() {
+    return Object.keys(readAll());
+}
+//# sourceMappingURL=auth-store.js.map

package/dist/src/services/auth-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-store.js","sourceRoot":"","sources":["../../../src/services/auth-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,IAAI,CAAA;AACvE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC3B,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAA;AA4BpD,SAAS,YAAY;IACnB,OAAO,IAAI,CAAC,gBAAgB,EAAE,EAAE,WAAW,CAAC,CAAA;AAC9C,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAA;IAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;AAC3D,CAAC;AAED,MAAM,UAAU,OAAO;IACrB,MAAM,IAAI,GAAG,YAAY,EAAE,CAAA;IAC3B,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAA;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAA;IACX,CAAC;AACH,CAAC;AAED,MAAM,UAAU,IAAI,CAAC,UAAkB;IACrC,OAAO,OAAO,EAAE,CAAC,UAAU,CAAC,CAAA;AAC9B,CAAC;AAED,MAAM,UAAU,KAAK,CAAC,UAAkB,EAAE,UAAsB;IAC9D,aAAa,EAAE,CAAA;IACf,MAAM,IAAI,GAAG,YAAY,EAAE,CAAA;IAC3B,MAAM,IAAI,GAAG,OAAO,EAAE,CAAA;IACtB,IAAI,CAAC,UAAU,CAAC,GAAG,UAAU,CAAA;IAC7B,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAA;AACxF,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,UAAkB;IACvC,MAAM,IAAI,GAAG,YAAY,EAAE,CAAA;IAC3B,MAAM,IAAI,GAAG,OAAO,EAAE,CAAA;IACtB,OAAO,IAAI,CAAC,UAAU,CAAC,CAAA;IACvB,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAA;AACxF,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAA;AAC/B,CAAC"}

package/dist/src/services/config.d.ts

@@ -0,0 +1,66 @@
+export interface CustomProviderConfig {
+    name: string;
+    baseUrl: string;
+    apiKey?: string;
+    headers?: Record<string, string>;
+    models?: Record<string, {
+        name?: string;
+        contextWindow?: number;
+        maxOutput?: number;
+    }>;
+    enabled?: boolean;
+}
+import type { PermissionConfig, SecurityConfig } from "../security/types.js";
+export interface SpectraConfig {
+    model?: string;
+    smallModel?: string;
+    provider?: string;
+    apiKey?: string;
+    agent?: string;
+    agents?: Record<string, AgentConfig>;
+    theme?: "dark" | "light";
+    mcp?: McpConfig[];
+    plugins?: PluginConfig[];
+    permission?: PermissionConfig;
+    security?: SecurityConfig;
+    permissions?: PermissionRule[];
+    shell?: string;
+    logLevel?: "debug" | "info" | "warn" | "error";
+    providers?: Record<string, CustomProviderConfig>;
+}
+export interface AgentConfig {
+    name: string;
+    description: string;
+    model?: string;
+    systemPrompt?: string;
+    hidden?: boolean;
+    color?: string;
+    tools?: string[];
+    maxTurns?: number;
+}
+export interface McpConfig {
+    name: string;
+    command?: string;
+    args?: string[];
+    url?: string;
+    env?: Record<string, string>;
+    headers?: Record<string, string>;
+    enabled?: boolean;
+    timeout?: number;
+}
+export interface PluginConfig {
+    name: string;
+    path?: string;
+    enabled?: boolean;
+}
+export interface PermissionRule {
+    name: string;
+    pattern: string;
+    allow?: boolean;
+    timeout?: number;
+}
+export declare function loadConfig(cwd?: string): SpectraConfig;
+export declare function saveConfig(cfg: SpectraConfig, filePath?: string): void;
+export declare function getEffectiveModel(cfg: SpectraConfig): string;
+export declare function getEffectiveProvider(cfg: SpectraConfig): string;
+//# sourceMappingURL=config.d.ts.map

package/dist/src/services/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/services/config.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACvF,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,OAAO,KAAK,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE7E,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACrC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;IACzB,GAAG,CAAC,EAAE,SAAS,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,WAAW,CAAC,EAAE,cAAc,EAAE,CAAC;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC/C,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;CAClD;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAUD,wBAAgB,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,aAAa,CAkDtD;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,aAAa,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAStE;AAGD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAE5D;AAED,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAE/D"}

package/dist/src/services/config.js

@@ -0,0 +1,83 @@
+import { existsSync, readFileSync, mkdirSync, writeFileSync } from "fs";
+import { join } from "path";
+import { getGlobalConfigDir, discoverConfigDirs } from "../utils/paths.js";
+const configFiles = [
+    "spectra.json",
+    "spectra.jsonc",
+    "config.json",
+    "opencode.json",
+    "opencode.jsonc",
+];
+export function loadConfig(cwd) {
+    const cfg = {};
+    const envConfig = process.env.SPECTRA_CONFIG;
+    if (envConfig) {
+        try {
+            const parsed = JSON.parse(envConfig);
+            Object.assign(cfg, parsed);
+        }
+        catch { }
+    }
+    const projectDir = cwd || process.cwd();
+    const dirs = discoverConfigDirs(projectDir);
+    for (const { path: dirPath } of dirs) {
+        for (const name of configFiles) {
+            const filePath = join(dirPath, name);
+            if (existsSync(filePath)) {
+                try {
+                    const content = readFileSync(filePath, "utf-8");
+                    const parsed = JSON.parse(stripJsonc(content));
+                    Object.assign(cfg, parsed);
+                }
+                catch { }
+            }
+        }
+    }
+    const globalDir = getGlobalConfigDir();
+    if (!dirs.some(d => d.path === globalDir)) {
+        for (const name of configFiles) {
+            const filePath = join(globalDir, name);
+            if (existsSync(filePath)) {
+                try {
+                    const content = readFileSync(filePath, "utf-8");
+                    const parsed = JSON.parse(stripJsonc(content));
+                    Object.assign(cfg, parsed);
+                }
+                catch { }
+            }
+        }
+    }
+    const envProvider = process.env.SPECTRA_PROVIDER;
+    const envModel = process.env.SPECTRA_MODEL;
+    const envKey = process.env.SPECTRA_API_KEY || process.env.ANTHROPIC_API_KEY || process.env.OPENAI_API_KEY;
+    if (envProvider && !cfg.provider)
+        cfg.provider = envProvider;
+    if (envModel && !cfg.model)
+        cfg.model = envModel;
+    if (envKey && !cfg.apiKey)
+        cfg.apiKey = envKey;
+    return cfg;
+}
+export function saveConfig(cfg, filePath) {
+    const target = filePath || join(getGlobalConfigDir(), "spectra.json");
+    const dir = target.substring(0, target.lastIndexOf("/") > 0
+        ? Math.max(target.lastIndexOf("/"), target.lastIndexOf("\\"))
+        : target.lastIndexOf("\\") > 0 ? target.lastIndexOf("\\") : 0);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+    }
+    writeFileSync(target, JSON.stringify(cfg, null, 2));
+}
+export function getEffectiveModel(cfg) {
+    return cfg.model || "anthropic/claude-sonnet-4-20250514";
+}
+export function getEffectiveProvider(cfg) {
+    return cfg.provider || cfg.model?.split("/")[0] || "anthropic";
+}
+function stripJsonc(text) {
+    return text
+        .replace(/\/\/.*$/gm, "")
+        .replace(/\/\*[\s\S]*?\*\//g, "")
+        .trim();
+}
+//# sourceMappingURL=config.js.map

package/dist/src/services/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/services/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAsB,MAAM,mBAAmB,CAAC;AAmE/F,MAAM,WAAW,GAAG;IAClB,cAAc;IACd,eAAe;IACf,aAAa;IACb,eAAe;IACf,gBAAgB;CACjB,CAAC;AAEF,MAAM,UAAU,UAAU,CAAC,GAAY;IACrC,MAAM,GAAG,GAAkB,EAAE,CAAC;IAE9B,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAC7C,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACrC,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC,CAAC,CAAC;IACb,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACxC,MAAM,IAAI,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAE5C,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC;QACrC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YACrC,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACzB,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;oBAC/C,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBAC7B,CAAC;gBAAC,MAAM,CAAC,CAAC,CAAC;YACb,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,SAAS,GAAG,kBAAkB,EAAE,CAAC;IACvC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,CAAC;QAC1C,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YACvC,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACzB,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;oBAC/C,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBAC7B,CAAC;gBAAC,MAAM,CAAC,CAAC,CAAC;YACb,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IACjD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IAC3C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAE1G,IAAI,WAAW,IAAI,CAAC,GAAG,CAAC,QAAQ;QAAE,GAAG,CAAC,QAAQ,GAAG,WAAW,CAAC;IAC7D,IAAI,QAAQ,IAAI,CAAC,GAAG,CAAC,KAAK;QAAE,GAAG,CAAC,KAAK,GAAG,QAAQ,CAAC;IACjD,IAAI,MAAM,IAAI,CAAC,GAAG,CAAC,MAAM;QAAE,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC;IAE/C,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,GAAkB,EAAE,QAAiB;IAC9D,MAAM,MAAM,GAAG,QAAQ,IAAI,IAAI,CAAC,kBAAkB,EAAE,EAAE,cAAc,CAAC,CAAC;IACtE,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC;QACzD,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QAC7D,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACjE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;IACD,aAAa,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AACtD,CAAC;AAGD,MAAM,UAAU,iBAAiB,CAAC,GAAkB;IAClD,OAAO,GAAG,CAAC,KAAK,IAAI,oCAAoC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,GAAkB;IACrD,OAAO,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,WAAW,CAAC;AACjE,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,IAAI;SACR,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;SACxB,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC;SAChC,IAAI,EAAE,CAAC;AACZ,CAAC"}

package/dist/src/services/context.d.ts

@@ -0,0 +1,7 @@
+export interface ContextResult {
+    systemPrompt: string;
+    instructions: string[];
+    files: string[];
+}
+export declare function loadContext(cwd?: string): ContextResult;
+//# sourceMappingURL=context.d.ts.map

package/dist/src/services/context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../../../src/services/context.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,wBAAgB,WAAW,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,aAAa,CAqBvD"}