@nanhara/hara 0.0.2 → 0.48.0

package/dist/plugins/plugins.js

@@ -0,0 +1,124 @@
+// Plugins — a distribution unit that drops skills / roles / MCP servers onto disk; it owns nothing at
+// runtime. The existing loaders pick the contents up (skillsDirs/loadRoles append the resolvers below;
+// index.ts merges pluginMcpServers into the MCP set). Manifest is Claude-Code-compatible: we read
+// .claude-plugin/plugin.json, .hara-plugin/plugin.json, or a bare plugin.json at the plugin root.
+import { readFileSync, writeFileSync, existsSync, mkdirSync, readdirSync, rmSync, cpSync } from "node:fs";
+import { join, resolve, isAbsolute } from "node:path";
+import { homedir } from "node:os";
+import { execFileSync } from "node:child_process";
+import { readRawConfig } from "../config.js";
+export function pluginsDir() {
+    return join(homedir(), ".hara", "plugins");
+}
+const MANIFEST_PATHS = [".claude-plugin/plugin.json", ".hara-plugin/plugin.json", "plugin.json"];
+function readManifest(root) {
+    for (const rel of MANIFEST_PATHS) {
+        const p = join(root, rel);
+        if (!existsSync(p))
+            continue;
+        try {
+            return JSON.parse(readFileSync(p, "utf8"));
+        }
+        catch {
+            return null;
+        }
+    }
+    return null;
+}
+/** Every installed plugin under ~/.hara/plugins (regardless of enabled state). */
+export function listInstalled() {
+    const dir = pluginsDir();
+    if (!existsSync(dir))
+        return [];
+    const out = [];
+    for (const entry of readdirSync(dir)) {
+        const root = join(dir, entry);
+        const manifest = readManifest(root);
+        if (!manifest)
+            continue;
+        out.push({ name: manifest.name || entry, version: manifest.version || "0.0.0", root, manifest });
+    }
+    return out;
+}
+/** A plugin is active unless explicitly disabled in config (`plugins.enabled[name] === false`). */
+export function enabledPlugins() {
+    const enabled = (readRawConfig().plugins?.enabled ?? {});
+    return listInstalled().filter((p) => enabled[p.name] !== false);
+}
+function resolveDirs(p, entries) {
+    return (entries ?? [])
+        .map((e) => (isAbsolute(e) ? e : resolve(p.root, e)))
+        .filter((d) => existsSync(d));
+}
+// --- Contribution resolvers (consumed by the existing loaders; lowest precedence) ---
+/** Skill search dirs from enabled plugins (each holds <name>/SKILL.md subdirs). */
+export function pluginSkillDirs() {
+    return enabledPlugins().flatMap((p) => resolveDirs(p, p.manifest.skills));
+}
+/** Role/subagent dirs from enabled plugins. */
+export function pluginRoleDirs() {
+    return enabledPlugins().flatMap((p) => resolveDirs(p, p.manifest.agents));
+}
+/** MCP servers contributed by enabled plugins (merged under user config, which wins). */
+export function pluginMcpServers() {
+    const out = {};
+    for (const p of enabledPlugins())
+        Object.assign(out, p.manifest.mcpServers ?? {});
+    return out;
+}
+/** Install a plugin from `file:<path>`, `github:<owner/repo>`, or `git:<url>` into ~/.hara/plugins/<name>. */
+export function installPlugin(source) {
+    mkdirSync(pluginsDir(), { recursive: true });
+    const tmpName = `_install-${process.pid}-${Date.now()}`;
+    const tmp = join(pluginsDir(), tmpName);
+    rmSync(tmp, { recursive: true, force: true });
+    try {
+        if (source.startsWith("file:")) {
+            const src = resolve(source.slice("file:".length));
+            if (!existsSync(src))
+                throw new Error(`no such path: ${src}`);
+            cpSync(src, tmp, { recursive: true });
+        }
+        else if (source.startsWith("github:")) {
+            execFileSync("git", ["clone", "--depth", "1", `https://github.com/${source.slice("github:".length)}.git`, tmp], { stdio: "ignore" });
+        }
+        else if (source.startsWith("git:")) {
+            execFileSync("git", ["clone", "--depth", "1", source.slice("git:".length), tmp], { stdio: "ignore" });
+        }
+        else {
+            throw new Error("source must be file:<path>, github:<owner/repo>, or git:<url>");
+        }
+        const manifest = readManifest(tmp);
+        if (!manifest || !manifest.name) {
+            rmSync(tmp, { recursive: true, force: true });
+            throw new Error("no valid plugin.json (need at least a name) at the source root");
+        }
+        const dest = join(pluginsDir(), manifest.name);
+        rmSync(dest, { recursive: true, force: true });
+        // move tmp → dest (rename within the same dir)
+        cpSync(tmp, dest, { recursive: true });
+        rmSync(tmp, { recursive: true, force: true });
+        return { name: manifest.name, version: manifest.version || "0.0.0", root: dest, manifest };
+    }
+    catch (e) {
+        rmSync(tmp, { recursive: true, force: true });
+        throw e;
+    }
+}
+export function uninstallPlugin(name) {
+    const dest = join(pluginsDir(), name);
+    if (!existsSync(dest))
+        return false;
+    rmSync(dest, { recursive: true, force: true });
+    return true;
+}
+/** Persist a plugin's enabled flag in ~/.hara/config.json (`plugins.enabled[name]`). */
+export function setPluginEnabled(name, on) {
+    const p = join(homedir(), ".hara", "config.json");
+    const cfg = readRawConfig();
+    const plugins = (cfg.plugins && typeof cfg.plugins === "object" ? cfg.plugins : {});
+    plugins.enabled = { ...(plugins.enabled ?? {}), [name]: on };
+    cfg.plugins = plugins;
+    mkdirSync(join(homedir(), ".hara"), { recursive: true });
+    writeFileSync(p, JSON.stringify(cfg, null, 2) + "\n", "utf8");
+}

package/dist/providers/anthropic.js

@@ -0,0 +1,83 @@
+import Anthropic from "@anthropic-ai/sdk";
+import { imageToBase64 } from "../images.js";
+export function toAnthropic(history) {
+    const msgs = [];
+    for (const m of history) {
+        if (m.role === "user") {
+            if (m.images?.length) {
+                const blocks = [];
+                if (m.content)
+                    blocks.push({ type: "text", text: m.content });
+                for (const img of m.images) {
+                    const data = imageToBase64(img.path);
+                    if (data)
+                        blocks.push({ type: "image", source: { type: "base64", media_type: img.mediaType, data } });
+                }
+                msgs.push({ role: "user", content: blocks.length ? blocks : m.content });
+            }
+            else {
+                msgs.push({ role: "user", content: m.content });
+            }
+        }
+        else if (m.role === "assistant") {
+            const content = [];
+            if (m.text)
+                content.push({ type: "text", text: m.text });
+            for (const tu of m.toolUses)
+                content.push({ type: "tool_use", id: tu.id, name: tu.name, input: tu.input });
+            msgs.push({ role: "assistant", content: content.length ? content : [{ type: "text", text: "(no output)" }] });
+        }
+        else {
+            msgs.push({
+                role: "user",
+                content: m.results.map((r) => ({
+                    type: "tool_result",
+                    tool_use_id: r.id,
+                    content: r.content,
+                    is_error: r.isError,
+                })),
+            });
+        }
+    }
+    return msgs;
+}
+export function createAnthropicProvider(opts) {
+    const client = new Anthropic({ apiKey: opts.apiKey, maxRetries: 4, ...(opts.baseURL ? { baseURL: opts.baseURL } : {}) });
+    return {
+        id: "anthropic",
+        model: opts.model,
+        async turn({ system, history, tools, onText, onReasoning, signal }) {
+            const stream = client.messages.stream({
+                model: opts.model,
+                max_tokens: 32000,
+                thinking: { type: "adaptive" },
+                system,
+                tools: tools,
+                messages: toAnthropic(history),
+            }, { signal });
+            stream.on("text", onText);
+            if (onReasoning)
+                stream.on("thinking", onReasoning); // thinking deltas (if emitted)
+            let msg;
+            try {
+                msg = await stream.finalMessage();
+            }
+            catch (e) {
+                if (signal?.aborted)
+                    return { text: "", toolUses: [], stop: "error", errorMsg: "interrupted" };
+                const errorMsg = e instanceof Anthropic.APIError ? `${e.status ?? ""} ${e.message}` : String(e);
+                return { text: "", toolUses: [], stop: "error", errorMsg };
+            }
+            const text = msg.content
+                .filter((b) => b.type === "text")
+                .map((b) => b.text)
+                .join("");
+            const toolUses = msg.content
+                .filter((b) => b.type === "tool_use")
+                .map((b) => ({ id: b.id, name: b.name, input: b.input }));
+            const stop = msg.stop_reason === "tool_use" ? "tool_use" : "end";
+            const usage = { input: msg.usage?.input_tokens ?? 0, output: msg.usage?.output_tokens ?? 0 };
+            return { text, toolUses, stop, usage };
+        },
+    };
+}

package/dist/providers/openai.js

@@ -0,0 +1,125 @@
+import OpenAI from "openai";
+import { imageToBase64 } from "../images.js";
+/** Build OpenAI chat-completions messages from neutral history. */
+export function toOpenAI(system, history) {
+    const msgs = [{ role: "system", content: system }];
+    for (const m of history) {
+        if (m.role === "user") {
+            if (m.images?.length) {
+                // multimodal content parts: text + image_url data URLs (Qwen-VL / GLM-4V / OpenAI vision)
+                const parts = [];
+                if (m.content)
+                    parts.push({ type: "text", text: m.content });
+                for (const img of m.images) {
+                    const data = imageToBase64(img.path);
+                    if (data)
+                        parts.push({ type: "image_url", image_url: { url: `data:${img.mediaType};base64,${data}` } });
+                }
+                msgs.push({ role: "user", content: parts.length ? parts : m.content });
+            }
+            else {
+                msgs.push({ role: "user", content: m.content });
+            }
+        }
+        else if (m.role === "assistant") {
+            const tool_calls = m.toolUses.map((tu) => ({
+                id: tu.id,
+                type: "function",
+                function: { name: tu.name, arguments: JSON.stringify(tu.input ?? {}) },
+            }));
+            msgs.push({
+                role: "assistant",
+                content: m.text || null,
+                ...(tool_calls.length ? { tool_calls } : {}),
+            });
+        }
+        else {
+            for (const r of m.results) {
+                msgs.push({
+                    role: "tool",
+                    tool_call_id: r.id,
+                    content: r.isError ? `ERROR: ${r.content}` : r.content,
+                });
+            }
+        }
+    }
+    return msgs;
+}
+/** OpenAI-compatible provider (works with OpenAI, Qwen/DashScope, GLM, Kimi, …). */
+export function createOpenAIProvider(opts) {
+    const client = new OpenAI({ apiKey: opts.apiKey, maxRetries: 4, ...(opts.baseURL ? { baseURL: opts.baseURL } : {}) });
+    return {
+        id: opts.label ?? "openai",
+        model: opts.model,
+        async turn({ system, history, tools, onText, onReasoning, signal }) {
+            const oaiTools = tools.map((t) => ({
+                type: "function",
+                function: { name: t.name, description: t.description, parameters: t.input_schema },
+            }));
+            const params = {
+                model: opts.model,
+                messages: toOpenAI(system, history),
+                max_tokens: 8192,
+                stream: true,
+                stream_options: { include_usage: true },
+            };
+            if (oaiTools.length)
+                params.tools = oaiTools;
+            // Stream: emit text deltas live; accumulate tool-call args by index; grab usage from the tail chunk.
+            let text = "";
+            const acc = new Map();
+            let finish;
+            let usage = { input: 0, output: 0 };
+            try {
+                const stream = await client.chat.completions.create(params, { signal });
+                for await (const chunk of stream) {
+                    const choice = chunk.choices?.[0];
+                    const delta = choice?.delta;
+                    if (delta?.content) {
+                        text += delta.content;
+                        onText(delta.content);
+                    }
+                    const rc = delta?.reasoning_content ?? delta?.reasoning; // GLM-5 / DeepSeek
+                    if (rc)
+                        onReasoning?.(rc);
+                    if (delta?.tool_calls) {
+                        for (const tc of delta.tool_calls) {
+                            const idx = tc.index ?? 0;
+                            const cur = acc.get(idx) ?? { id: "", name: "", args: "" };
+                            if (tc.id)
+                                cur.id = tc.id;
+                            if (tc.function?.name)
+                                cur.name = tc.function.name;
+                            if (tc.function?.arguments)
+                                cur.args += tc.function.arguments;
+                            acc.set(idx, cur);
+                        }
+                    }
+                    if (choice?.finish_reason)
+                        finish = choice.finish_reason;
+                    if (chunk.usage)
+                        usage = { input: chunk.usage.prompt_tokens ?? 0, output: chunk.usage.completion_tokens ?? 0 };
+                }
+            }
+            catch (e) {
+                if (signal?.aborted)
+                    return { text: "", toolUses: [], stop: "error", errorMsg: "interrupted" };
+                return { text: "", toolUses: [], stop: "error", errorMsg: `${e?.status ?? ""} ${e?.message ?? e}` };
+            }
+            const toolUses = [...acc.values()]
+                .filter((t) => t.id && t.name)
+                .map((t) => {
+                let input = {};
+                try {
+                    input = JSON.parse(t.args || "{}");
+                }
+                catch {
+                    input = {};
+                }
+                return { id: t.id, name: t.name, input };
+            });
+            const stop = finish === "tool_calls" || toolUses.length ? "tool_use" : "end";
+            return { text, toolUses, stop, usage };
+        },
+    };
+}

package/dist/providers/qwen-oauth.js

@@ -0,0 +1,139 @@
+// Qwen "Qwen Code" free-tier OAuth (device-code + PKCE), ported from OpenClaw's qwen-portal-auth.
+// Token (access/refresh/resource_url) is stored in ~/.hara/qwen-oauth.json and auto-refreshed.
+import { createHash, randomBytes } from "node:crypto";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+const BASE = "https://chat.qwen.ai";
+const DEVICE_CODE_URL = `${BASE}/api/v1/oauth2/device/code`;
+const TOKEN_URL = `${BASE}/api/v1/oauth2/token`;
+const CLIENT_ID = "f0304373b74a44d2b584a3fb70ca9e56";
+const SCOPE = "openid profile email model.completion";
+const DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code";
+const DEFAULT_BASE_URL = "https://portal.qwen.ai/v1";
+function tokenPath() {
+    return join(homedir(), ".hara", "qwen-oauth.json");
+}
+export function loadQwenToken() {
+    const p = tokenPath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf8"));
+    }
+    catch {
+        return null;
+    }
+}
+function saveQwenToken(t) {
+    const p = tokenPath();
+    mkdirSync(join(homedir(), ".hara"), { recursive: true });
+    writeFileSync(p, JSON.stringify(t, null, 2) + "\n", "utf8");
+}
+const b64url = (b) => b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+function pkce() {
+    const verifier = b64url(randomBytes(32));
+    const challenge = b64url(createHash("sha256").update(verifier).digest());
+    return { verifier, challenge };
+}
+/** resource_url → a clean https base ending in /v1 (default portal.qwen.ai). */
+export function normalizeBaseUrl(v) {
+    const raw = (v && v.trim()) || DEFAULT_BASE_URL;
+    const withProto = raw.startsWith("http") ? raw : `https://${raw}`;
+    return withProto.endsWith("/v1") ? withProto : `${withProto.replace(/\/+$/, "")}/v1`;
+}
+/** Device-code login. Prints the verification URL via `log`, polls until approved. */
+export async function qwenDeviceLogin(log) {
+    const { verifier, challenge } = pkce();
+    const dc = await fetch(DEVICE_CODE_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
+        body: new URLSearchParams({
+            client_id: CLIENT_ID,
+            scope: SCOPE,
+            code_challenge: challenge,
+            code_challenge_method: "S256",
+        }),
+    });
+    if (!dc.ok)
+        throw new Error(`device-code request failed: ${dc.status} ${await dc.text()}`);
+    const dev = (await dc.json());
+    if (!dev.device_code || !dev.verification_uri)
+        throw new Error("incomplete device authorization payload");
+    const url = dev.verification_uri_complete || dev.verification_uri;
+    log(`Open this URL in your browser and approve access:\n\n    ${url}\n\n  (if prompted, enter code: ${dev.user_code})\n\nWaiting for approval…`);
+    let wait = (dev.interval || 2) * 1000;
+    const deadline = Date.now() + (dev.expires_in || 300) * 1000;
+    while (Date.now() < deadline) {
+        await new Promise((r) => setTimeout(r, wait));
+        const tr = await fetch(TOKEN_URL, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
+            body: new URLSearchParams({
+                grant_type: DEVICE_GRANT,
+                client_id: CLIENT_ID,
+                device_code: dev.device_code,
+                code_verifier: verifier,
+            }),
+        });
+        if (tr.ok) {
+            const t = (await tr.json());
+            if (t.access_token && t.refresh_token) {
+                const tok = {
+                    access: t.access_token,
+                    refresh: t.refresh_token,
+                    expires: Date.now() + (t.expires_in || 3600) * 1000,
+                    resourceUrl: t.resource_url,
+                };
+                saveQwenToken(tok);
+                return tok;
+            }
+        }
+        else {
+            let err = {};
+            try {
+                err = await tr.json();
+            }
+            catch {
+                /* ignore */
+            }
+            if (err.error === "authorization_pending")
+                continue;
+            if (err.error === "slow_down") {
+                wait = Math.min(wait * 1.5, 10000);
+                continue;
+            }
+            throw new Error(`token poll failed: ${err.error_description || err.error || tr.status}`);
+        }
+    }
+    throw new Error("Qwen OAuth timed out waiting for approval.");
+}
+async function refreshToken(tok) {
+    const r = await fetch(TOKEN_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
+        body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: tok.refresh, client_id: CLIENT_ID }),
+    });
+    if (!r.ok)
+        throw new Error(`Qwen token refresh failed (${r.status}) — re-run \`hara login qwen\`.`);
+    const t = (await r.json());
+    if (!t.access_token)
+        throw new Error("refresh response missing access_token");
+    const next = {
+        access: t.access_token,
+        refresh: t.refresh_token || tok.refresh,
+        expires: Date.now() + (t.expires_in || 3600) * 1000,
+        resourceUrl: tok.resourceUrl,
+    };
+    saveQwenToken(next);
+    return next;
+}
+/** Valid access token + baseURL, refreshing if within 60s of expiry. null if not logged in. */
+export async function getValidQwenAuth() {
+    let tok = loadQwenToken();
+    if (!tok)
+        return null;
+    if (Date.now() > tok.expires - 60_000)
+        tok = await refreshToken(tok);
+    return { accessToken: tok.access, baseURL: normalizeBaseUrl(tok.resourceUrl) };
+}

package/dist/providers/types.js

@@ -0,0 +1,2 @@
+/** Provider-neutral conversation + provider interface (multi-provider core). */
+export {};

package/dist/recall.js

@@ -0,0 +1,76 @@
+// Code-asset recall — a personal, git-versionable library of snippets/playbooks the agent can
+// reference. Lexical search over `~/.hara/code-assets/**/*.md` (override with HARA_ASSETS).
+// Phase-C v0: lexical-first (no embeddings); reuses the shared filesystem walker.
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { readFileSync, mkdirSync, writeFileSync, existsSync } from "node:fs";
+import { walkFiles } from "./fs-walk.js";
+import { skillsDirs } from "./skills/skills.js";
+export function assetsDir() {
+    return process.env.HARA_ASSETS || join(homedir(), ".hara", "code-assets");
+}
+/** Every lexical-search root for "assets": the skills (project + global + plugin) and the code-asset
+ *  library — one corpus so `recall` and dedup-before-save see the same things. */
+export function assetSearchRoots(cwd) {
+    return [...skillsDirs(cwd), assetsDir()];
+}
+export function titleOf(text, path) {
+    const fm = /^---\n([\s\S]*?)\n---/.exec(text);
+    if (fm) {
+        const t = /(?:^|\n)title:\s*(.+)/i.exec(fm[1]);
+        if (t)
+            return t[1].trim();
+    }
+    const h = /^#\s+(.+)$/m.exec(text);
+    return h ? h[1].trim() : (path.split("/").pop() ?? path);
+}
+/**
+ * Lexical search: rank .md files by how many query words appear in path+content.
+ * Default searches the code-asset library (relative paths). Pass `roots` to search other dirs
+ * (e.g. the memory store) — then paths come back absolute so callers can read them directly.
+ */
+export function searchAssets(query, limit = 5, roots) {
+    const dirs = roots ?? [assetsDir()];
+    const abs = roots !== undefined;
+    const words = query.toLowerCase().split(/\s+/).filter(Boolean);
+    if (!words.length)
+        return [];
+    const hits = [];
+    for (const dir of dirs) {
+        if (!existsSync(dir))
+            continue;
+        for (const rel of walkFiles(dir).filter((f) => f.endsWith(".md"))) {
+            let text;
+            try {
+                text = readFileSync(join(dir, rel), "utf8");
+            }
+            catch {
+                continue;
+            }
+            const hay = (rel + "\n" + text).toLowerCase();
+            const score = words.filter((w) => hay.includes(w)).length;
+            if (!score)
+                continue;
+            hits.push({ path: abs ? join(dir, rel) : rel, title: titleOf(text, rel), snippet: text.slice(0, 800), score });
+        }
+    }
+    hits.sort((a, b) => b.score - a.score || a.path.length - b.path.length);
+    return hits.slice(0, limit);
+}
+/** Create the assets dir with an example snippet + README. Returns files written. */
+export function scaffoldAssets() {
+    const dir = assetsDir();
+    mkdirSync(join(dir, "snippets"), { recursive: true });
+    const written = [];
+    const ex = join(dir, "snippets", "example.md");
+    if (!existsSync(ex)) {
+        writeFileSync(ex, "---\ntitle: Example snippet\ntags: [example]\nlang: ts\n---\n\n# Example snippet\n\nDescribe a reusable pattern, then the code:\n\n```ts\nexport const example = 1;\n```\n");
+        written.push("snippets/example.md");
+    }
+    const rd = join(dir, "README.md");
+    if (!existsSync(rd)) {
+        writeFileSync(rd, '# hara code-assets\n\nDrop `*.md` files here (snippets, playbooks). `hara recall "<query>"` searches them;\nin the REPL, `/recall <query>` pulls the best matches into your next message. A personal,\ngit-versionable library of code/patterns you want to reuse.\n');
+        written.push("README.md");
+    }
+    return written;
+}

package/dist/sandbox.js

@@ -0,0 +1,78 @@
+// OS sandboxing for the bash tool. macOS = Seatbelt (sandbox-exec); other platforms run unsandboxed
+// (the approval gate + cwd-scoped file tools still apply). Only the `bash` shell is sandboxed —
+// hara's own file tools (write_file/edit_file) are in-process, explicit, and gated.
+import { spawn } from "node:child_process";
+import { writeFileSync, mkdtempSync } from "node:fs";
+import { tmpdir, platform } from "node:os";
+import { join } from "node:path";
+const sbQuote = (s) => '"' + s.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
+function seatbeltProfile(cwd, mode) {
+    const writable = [
+        '(literal "/dev/null")',
+        '(literal "/dev/stdout")',
+        '(literal "/dev/stderr")',
+        '(literal "/dev/dtracehelper")',
+        '(literal "/dev/tty")',
+        '(subpath "/private/tmp")',
+        '(subpath "/private/var/folders")',
+    ];
+    if (mode === "workspace-write")
+        writable.push(`(subpath ${sbQuote(cwd)})`);
+    return `(version 1)\n(allow default)\n(deny file-write*)\n(allow file-write*\n  ${writable.join("\n  ")})\n`;
+}
+export function sandboxSupported() {
+    return platform() === "darwin";
+}
+/**
+ * Run a shell command, sandboxed when mode != off and the platform supports it.
+ * Streams output via `opts.onData` while capturing it for the resolved value.
+ * Resolves on exit 0; rejects (with `.stdout`/`.stderr`/`.code`) on nonzero exit or timeout.
+ */
+export function runShell(command, cwd, mode, opts) {
+    let cmd;
+    let args;
+    if (mode !== "off" && platform() === "darwin") {
+        const dir = mkdtempSync(join(tmpdir(), "hara-sb-"));
+        const profileFile = join(dir, "policy.sb");
+        writeFileSync(profileFile, seatbeltProfile(cwd, mode));
+        cmd = "sandbox-exec";
+        args = ["-f", profileFile, "/bin/bash", "-lc", command];
+    }
+    else {
+        cmd = "/bin/sh";
+        args = ["-c", command];
+    }
+    return new Promise((resolve, reject) => {
+        const child = spawn(cmd, args, { cwd });
+        let stdout = "";
+        let stderr = "";
+        let timedOut = false;
+        const grow = (cur, add) => (cur.length < opts.maxBuffer ? cur + add : cur);
+        const timer = setTimeout(() => {
+            timedOut = true;
+            child.kill("SIGKILL");
+        }, opts.timeout);
+        child.stdout.on("data", (d) => {
+            const s = d.toString();
+            stdout = grow(stdout, s);
+            opts.onData?.(s);
+        });
+        child.stderr.on("data", (d) => {
+            const s = d.toString();
+            stderr = grow(stderr, s);
+            opts.onData?.(s);
+        });
+        child.on("error", (e) => {
+            clearTimeout(timer);
+            reject(Object.assign(e, { stdout, stderr }));
+        });
+        child.on("close", (code) => {
+            clearTimeout(timer);
+            if (timedOut)
+                return reject(Object.assign(new Error(`timed out after ${opts.timeout}ms`), { stdout, stderr }));
+            if (code !== 0)
+                return reject(Object.assign(new Error(`exit code ${code}`), { stdout, stderr, code }));
+            resolve({ stdout, stderr });
+        });
+    });
+}

package/dist/search/embed.js

@@ -0,0 +1,42 @@
+const DEFAULT_MODEL = {
+    ollama: "nomic-embed-text",
+    qwen: "text-embedding-v3",
+    openai: "text-embedding-3-small",
+};
+/** Build an Embedder from config, or null if embeddings are off/unconfigured (→ lexical fallback). */
+export function getEmbedder(cfg) {
+    const provider = cfg.embedProvider;
+    if (!provider || provider === "off")
+        return null;
+    const model = cfg.embedModel || DEFAULT_MODEL[provider] || "embed";
+    if (provider === "ollama") {
+        const base = (cfg.embedBaseURL || "http://localhost:11434").replace(/\/$/, "");
+        return async (texts) => {
+            const out = [];
+            for (const input of texts) {
+                const r = await fetch(`${base}/api/embeddings`, {
+                    method: "POST",
+                    headers: { "content-type": "application/json" },
+                    body: JSON.stringify({ model, prompt: input }),
+                });
+                if (!r.ok)
+                    throw new Error(`ollama embeddings ${r.status}`);
+                out.push((await r.json()).embedding);
+            }
+            return out;
+        };
+    }
+    // qwen (DashScope compatible-mode) + any OpenAI-compatible endpoint: POST /embeddings { model, input[] }
+    const base = (cfg.embedBaseURL || (provider === "qwen" ? "https://dashscope.aliyuncs.com/compatible-mode/v1" : cfg.baseURL || "https://api.openai.com/v1")).replace(/\/$/, "");
+    const key = cfg.embedApiKey || cfg.apiKey || "";
+    return async (texts) => {
+        const r = await fetch(`${base}/embeddings`, {
+            method: "POST",
+            headers: { "content-type": "application/json", authorization: `Bearer ${key}` },
+            body: JSON.stringify({ model, input: texts }),
+        });
+        if (!r.ok)
+            throw new Error(`embeddings ${r.status}`);
+        return ((await r.json()).data || []).map((d) => d.embedding);
+    };
+}