@oscharko-dev/keiko-cli 0.2.0

package/dist/memory.js

@@ -0,0 +1,290 @@
+// `keiko memory` — operator surface for the governed memory vault (Epic #204).
+//
+//   maintain   Run one bounded maintenance pass IN-PROCESS (consolidate + decay + reinforce +
+//              forget) against the local vault and print the applied counts. Reuses the exact same
+//              `runMemoryMaintenance` core the BFF route uses, so the CLI and UI never drift.
+//   stats      Print memory counts by status, by scope kind, and the total.
+//   diagnostics
+//              Print a redacted body-free diagnostics snapshot for local support.
+//
+// The vault is opened at the resolved memory dir (default $KEIKO_MEMORY_DIR or the platform state
+// dir; override with --memory-dir). Tests inject a vault via deps so no disk is touched. Exit 0 on
+// success, 1 on a runtime error (vault open / maintenance fault), 2 on usage (unknown/missing
+// subcommand).
+import { createMemoryVault } from "@oscharko-dev/keiko-memory-vault";
+import { createMemoryEmbedder, exportMemoryDiagnostics, runMemoryMaintenance, } from "@oscharko-dev/keiko-server";
+import { createAuditRedactor, createNodeEvidenceStore, resolveEvidenceDir, } from "@oscharko-dev/keiko-evidence";
+import { requestOpenAIEmbedding, GatewayError, } from "@oscharko-dev/keiko-model-gateway";
+import { loadGatewayConfigFromFile } from "./gateway-config.js";
+const USAGE = `Usage:
+  keiko memory maintain [--memory-dir PATH] [--evidence-dir PATH]
+                                              Run a bounded consolidate + archive + forget pass.
+  keiko memory stats [--memory-dir PATH]      Print memory counts by status and scope.
+  keiko memory diagnostics [--memory-dir PATH] [--evidence-dir PATH] [--last N]
+                                              Print redacted local diagnostics JSON.
+  keiko memory reembed [--memory-dir PATH] [--limit N] [--config PATH]
+                                              Backfill embeddings for accepted memories lacking one.
+
+Opens the local memory vault (default $KEIKO_MEMORY_DIR or the platform state dir; override with
+--memory-dir). \`maintain\` promotes strong proposals, archives faded memories, forgets
+expired/very-faint ones, and reports unresolved consolidation review items (memory strength itself
+is derived live at retrieval; this pass never rewrites confidence). \`diagnostics\`
+prints schema version, generated time, scope/status counts, redacted storage path, and a bounded
+audit tail without memory body or payload content. \`reembed\` computes the embedding for each
+accepted memory that has none (bounded by --limit, default 200), so pre-existing memories become
+semantically retrievable; it is gated on an embedding model being configured (via --config /
+$KEIKO_CONFIG_FILE) and is best-effort.
+`;
+const DEFAULT_REEMBED_LIMIT = 200;
+function flagValue(args, name) {
+    const i = args.indexOf(name);
+    if (i === -1)
+        return undefined;
+    const value = args[i + 1];
+    return value === undefined || value.startsWith("--") ? undefined : value;
+}
+function resolveVault(args, env, deps) {
+    if (deps.vault !== undefined)
+        return deps.vault;
+    const memoryDir = flagValue(args, "--memory-dir");
+    if (deps.openVault !== undefined)
+        return deps.openVault(memoryDir, env);
+    return createMemoryVault({
+        ...(memoryDir !== undefined ? { memoryDir } : {}),
+        env,
+    });
+}
+function scopeKindOf(scope) {
+    return scope.kind;
+}
+function scopeKey(scope) {
+    switch (scope.kind) {
+        case "user":
+            return `user:${scope.userId}`;
+        case "workspace":
+            return `workspace:${scope.workspaceId}`;
+        case "project":
+            return `project:${scope.projectId}`;
+        case "workflow":
+            return `workflow:${scope.workflowDefinitionId}`;
+        case "global":
+            return "global";
+        default: {
+            const never = scope;
+            return never;
+        }
+    }
+}
+function uniqueRecordScopes(records) {
+    const scopes = new Map();
+    for (const record of records) {
+        scopes.set(scopeKey(record.scope), record.scope);
+    }
+    return scopes.size === 0 ? [{ kind: "global" }] : [...scopes.values()];
+}
+function tallyBy(records, keyOf) {
+    const counts = new Map();
+    for (const record of records) {
+        const key = keyOf(record);
+        counts.set(key, (counts.get(key) ?? 0) + 1);
+    }
+    return counts;
+}
+function renderTally(title, counts) {
+    const rows = [...counts.entries()].sort((a, b) => a[0].localeCompare(b[0]));
+    if (rows.length === 0)
+        return `${title}:\n  (none)\n`;
+    const body = rows.map(([key, n]) => `  ${key}: ${String(n)}`).join("\n");
+    return `${title}:\n${body}\n`;
+}
+function renderStats(records) {
+    const byStatus = tallyBy(records, (record) => record.status);
+    const byScope = tallyBy(records, (record) => scopeKindOf(record.scope));
+    return (renderTally("By status", byStatus) +
+        renderTally("By scope", byScope) +
+        `Total: ${String(records.length)}\n`);
+}
+function renderMaintenanceReport(counts) {
+    return [
+        "Memory maintenance complete.",
+        `  promoted:          ${String(counts.promoted)}`,
+        `  archived:          ${String(counts.archived)}`,
+        `  forgotten:         ${String(counts.forgotten)}`,
+        `  superseded:        ${String(counts.superseded)}`,
+        `  edgesCreated:      ${String(counts.edgesCreated)}`,
+        `  clustersInspected: ${String(counts.clustersInspected)}`,
+        `  reviewItems:       ${String(counts.reviewItemsCreated)}`,
+        "",
+    ].join("\n");
+}
+function runStats(args, io, env, deps) {
+    const vault = resolveVault(args, env, deps);
+    try {
+        const records = vault.listMemories({ includeExpired: true });
+        io.out(renderStats(records));
+        return 0;
+    }
+    finally {
+        if (deps.vault === undefined)
+            vault.close();
+    }
+}
+function parseLastAuditEvents(args) {
+    const raw = flagValue(args, "--last");
+    if (raw === undefined)
+        return undefined;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isInteger(parsed) && parsed > 0 ? parsed : undefined;
+}
+function runDiagnostics(args, io, env, deps) {
+    const vault = resolveVault(args, env, deps);
+    const evidenceDir = resolveEvidenceDir(flagValue(args, "--evidence-dir"), env);
+    const evidenceStore = deps.evidenceStore ?? createNodeEvidenceStore(evidenceDir);
+    const redactString = deps.redactString ?? createAuditRedactor({}, env);
+    try {
+        const records = vault.listMemories({ includeExpired: true });
+        const lastNAuditEvents = parseLastAuditEvents(args);
+        const diagnostics = exportMemoryDiagnostics({
+            vault,
+            scopes: uniqueRecordScopes(records),
+            evidenceStore,
+            redactString,
+            evidenceDir,
+            ...(lastNAuditEvents === undefined ? {} : { lastNAuditEvents }),
+        });
+        io.out(`${JSON.stringify(diagnostics, null, 2)}\n`);
+        return 0;
+    }
+    finally {
+        if (deps.vault === undefined)
+            vault.close();
+    }
+}
+function runMaintain(args, io, env, deps) {
+    const vault = resolveVault(args, env, deps);
+    const evidenceDir = resolveEvidenceDir(flagValue(args, "--evidence-dir"), env);
+    const evidenceStore = deps.evidenceStore ?? createNodeEvidenceStore(evidenceDir);
+    try {
+        const counts = runMemoryMaintenance(vault, evidenceStore);
+        io.out(renderMaintenanceReport(counts));
+        return 0;
+    }
+    finally {
+        if (deps.vault === undefined)
+            vault.close();
+    }
+}
+// Resolves the production embedder from the gateway config (--config / $KEIKO_CONFIG_FILE), or
+// null when no config source is available, the config cannot be loaded, or no embedding-capable
+// model is configured. The test seam (deps.embedText) short-circuits this entirely. A GatewayError
+// is treated as "no model" (best-effort backfill never hard-fails on a config problem).
+function resolveEmbedder(args, env, deps) {
+    if (deps.embedText !== undefined)
+        return deps.embedText;
+    const configPath = flagValue(args, "--config") ?? env.KEIKO_CONFIG_FILE;
+    if (configPath === undefined)
+        return null;
+    try {
+        return createMemoryEmbedder(loadGatewayConfigFromFile(configPath, env), requestOpenAIEmbedding);
+    }
+    catch (error) {
+        if (error instanceof GatewayError)
+            return null;
+        throw error;
+    }
+}
+function parseLimit(args) {
+    const raw = flagValue(args, "--limit");
+    if (raw === undefined)
+        return DEFAULT_REEMBED_LIMIT;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isInteger(parsed) && parsed > 0 ? parsed : DEFAULT_REEMBED_LIMIT;
+}
+async function backfillEmbeddings(vault, embed, limit) {
+    const accepted = vault.listMemories({ status: ["accepted"], includeExpired: true, limit });
+    const counts = { embedded: 0, skipped: 0, failed: 0 };
+    for (const record of accepted) {
+        if (vault.getEmbedding(record.id) !== undefined) {
+            counts.skipped += 1;
+            continue;
+        }
+        const input = await embed(record.body);
+        if (input === null) {
+            counts.failed += 1;
+            continue;
+        }
+        try {
+            vault.upsertEmbedding(record.id, input);
+            counts.embedded += 1;
+        }
+        catch {
+            counts.failed += 1;
+        }
+    }
+    return counts;
+}
+function renderReembedReport(counts) {
+    return [
+        "Memory re-embedding complete.",
+        `  embedded: ${String(counts.embedded)}`,
+        `  skipped:  ${String(counts.skipped)}`,
+        `  failed:   ${String(counts.failed)}`,
+        "",
+    ].join("\n");
+}
+async function reembed(args, io, env, deps) {
+    const embed = resolveEmbedder(args, env, deps);
+    if (embed === null) {
+        io.out("No embedding model is configured — skipping re-embedding. " +
+            "Provide a gateway config with --config PATH or $KEIKO_CONFIG_FILE.\n");
+        return 0;
+    }
+    const vault = resolveVault(args, env, deps);
+    try {
+        const counts = await backfillEmbeddings(vault, embed, parseLimit(args));
+        io.out(renderReembedReport(counts));
+        return 0;
+    }
+    finally {
+        if (deps.vault === undefined)
+            vault.close();
+    }
+}
+// async wrapper so a sync-or-async failure surfaces as exit 1 (the sync subcommands rely on
+// dispatchSubcommand's try/catch, which cannot catch a rejected Promise).
+async function runReembed(args, io, env, deps) {
+    try {
+        return await reembed(args, io, env, deps);
+    }
+    catch (error) {
+        io.err(`keiko memory: ${error instanceof Error ? error.message : String(error)}\n`);
+        return 1;
+    }
+}
+function dispatchSubcommand(sub, args, io, env, deps) {
+    try {
+        if (sub === "maintain")
+            return runMaintain(args, io, env, deps);
+        if (sub === "stats")
+            return runStats(args, io, env, deps);
+        if (sub === "diagnostics")
+            return runDiagnostics(args, io, env, deps);
+        if (sub === "reembed")
+            return runReembed(args, io, env, deps);
+    }
+    catch (error) {
+        io.err(`keiko memory: ${error instanceof Error ? error.message : String(error)}\n`);
+        return 1;
+    }
+    io.err(`keiko memory: unknown subcommand: ${sub}\n`);
+    io.err(USAGE);
+    return 2;
+}
+export function runMemoryCli(rest, io, env = {}, deps = {}) {
+    const sub = rest[0];
+    if (sub === undefined || sub === "--help" || sub === "-h") {
+        io.out(USAGE);
+        return sub === undefined ? 2 : 0;
+    }
+    return dispatchSubcommand(sub, rest.slice(1), io, env, deps);
+}

package/dist/models.d.ts

@@ -0,0 +1,4 @@
+import { type EnvSource } from "@oscharko-dev/keiko-model-gateway";
+import type { CliIo } from "./runner.js";
+export declare function runModelsCli(args: readonly string[], io: CliIo, env: EnvSource): number;
+//# sourceMappingURL=models.d.ts.map

package/dist/models.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"models.d.ts","sourceRoot":"","sources":["../src/models.ts"],"names":[],"mappings":"AAMA,OAAO,EAEL,KAAK,SAAS,EAEf,MAAM,mCAAmC,CAAC;AAE3C,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAkDzC,wBAAgB,YAAY,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,GAAG,MAAM,CAevF"}

package/dist/models.js

@@ -0,0 +1,62 @@
+// `keiko models` CLI handler. Synchronous by design: `list` reads built-in
+// capability metadata; `validate` reads a config file with readFileSync and runs
+// the hand-rolled validator. Neither path needs a live async Gateway, so the
+// existing `process.exit(runCli(...))` shim stays synchronous. No credential value
+// is ever written to stdout or stderr.
+import { listCapabilities, GatewayError, } from "@oscharko-dev/keiko-model-gateway";
+import { loadGatewayConfigFromFile, resolveConfigPathFromArgs } from "./gateway-config.js";
+const USAGE = `Usage:
+  keiko models list                      List registered model capabilities.
+  keiko models validate [--config PATH]  Validate gateway configuration.
+`;
+function formatUseCases(useCases) {
+    return useCases.map((useCase) => useCase.toLowerCase().replace(/\s+/g, "-")).join(",");
+}
+function listModels(io) {
+    io.out("ID\tKIND\tCOST\tLATENCY\tTOOLS\tSTRUCT\tUSE-CASES\n");
+    for (const cap of listCapabilities()) {
+        const tools = cap.toolCalling ? "yes" : "no";
+        const struct = cap.structuredOutput ? "yes" : "no";
+        io.out(`${cap.id}\t${cap.kind}\t${cap.costClass}\t${cap.latencyClass}\t${tools}\t${struct}\t${formatUseCases(cap.preferredUseCases)}\n`);
+    }
+    return 0;
+}
+function validateConfig(args, io, env) {
+    const resolution = resolveConfigPathFromArgs(args, env);
+    if (resolution.kind === "missing-value") {
+        io.err("Error: --config requires a path argument.\n");
+        return 2;
+    }
+    if (resolution.kind === "not-configured") {
+        io.err("Error [GATEWAY_CONFIG_INVALID]: no config source; pass --config PATH or set KEIKO_CONFIG_FILE.\n");
+        return 1;
+    }
+    try {
+        const config = loadGatewayConfigFromFile(resolution.path, env);
+        io.out(`Gateway config valid. ${String(config.providers.length)} model providers configured.\n`);
+        return 0;
+    }
+    catch (error) {
+        if (error instanceof GatewayError) {
+            io.err(`Error [${error.code}]: ${error.message}\n`);
+            return 1;
+        }
+        throw error;
+    }
+}
+export function runModelsCli(args, io, env) {
+    const sub = args[0];
+    if (sub === "list") {
+        return listModels(io);
+    }
+    if (sub === "validate") {
+        return validateConfig(args.slice(1), io, env);
+    }
+    if (sub === undefined) {
+        io.err(USAGE);
+        return 2;
+    }
+    io.err(`keiko models: unknown sub-command: ${sub}\n`);
+    io.err(USAGE);
+    return 2;
+}

package/dist/prompt-enhancer.d.ts

@@ -0,0 +1,13 @@
+import { type EnvSource, type GatewayConfig } from "@oscharko-dev/keiko-model-gateway";
+import { runPromptEnhancement } from "@oscharko-dev/keiko-workflows";
+import type { CliIo } from "./runner.js";
+export interface PromptEnhancerCliDeps {
+    readonly run?: typeof runPromptEnhancement;
+    readonly loadConfig?: (path: string, env: EnvSource) => GatewayConfig;
+}
+/**
+ * `keiko prompt-enhancer` entrypoint. Returns 0 on success, 1 on a runtime/config error, 2 on usage
+ * error. Pure apart from optional config-file reads; never dispatches a model.
+ */
+export declare function runPromptEnhancerCli(args: readonly string[], io: CliIo, env: EnvSource, deps?: PromptEnhancerCliDeps): number;
+//# sourceMappingURL=prompt-enhancer.d.ts.map

package/dist/prompt-enhancer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-enhancer.d.ts","sourceRoot":"","sources":["../src/prompt-enhancer.ts"],"names":[],"mappings":"AAQA,OAAO,EAKL,KAAK,SAAS,EACd,KAAK,aAAa,EACnB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAIL,oBAAoB,EACrB,MAAM,+BAA+B,CAAC;AAYvC,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAIzC,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,GAAG,CAAC,EAAE,OAAO,oBAAoB,CAAC;IAC3C,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,KAAK,aAAa,CAAC;CACvE;AA4PD;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,EAAE,EAAE,KAAK,EACT,GAAG,EAAE,SAAS,EACd,IAAI,GAAE,qBAA0B,GAC/B,MAAM,CAyCR"}

package/dist/prompt-enhancer.js

@@ -0,0 +1,261 @@
+// `keiko prompt-enhancer` — the developer-facing surface for the Prompt Enhancer (Epic #1307, Issue
+// #1314; ADR-0044 §1 "CLI command"). It drives the EXACT SAME deterministic workflow as the BFF
+// route (`runPromptEnhancement` from keiko-workflows), so the product and developer surfaces produce
+// byte-identical enhancements (AC1). The command never dispatches a model: enhancement is deterministic
+// and provider-neutral; an optional `--model` only resolves dispatch readiness through the Model
+// Gateway (AC3). All printed output is redacted (AC4); `--evidence` emits a redact-by-construction
+// audit manifest reusing the #1313 keiko-evidence promptEnhancement store.
+import { ConfigInvalidError, GatewayError, loadConfigFromFile, redact, } from "@oscharko-dev/keiko-model-gateway";
+import { PromptEnhancementInputError, buildPromptEnhancementRecordInput, promptEnhancementGatewayRoutingConfig, runPromptEnhancement, } from "@oscharko-dev/keiko-workflows";
+import { validatePromptEnhancementWireRequest, } from "@oscharko-dev/keiko-contracts";
+import { buildPromptEnhancementEvidenceManifest, createAuditRedactor, deepRedactStrings, } from "@oscharko-dev/keiko-evidence";
+import { keikoApiKeySecretValues } from "@oscharko-dev/keiko-security";
+const USAGE = `Usage: keiko prompt-enhancer --input "<raw prompt>" [OPTIONS]
+
+Generate a governed, reviewable Enhanced Prompt from a raw draft. Deterministic and provider-neutral;
+the result is data for review, never executed.
+
+Options:
+  --input TEXT       The raw prompt draft to enhance (required).
+  --profile ID       Preferred profile: fast | precise | research | creative | technical |
+                     safety-critical | agentic. Safety criticality may still escalate it.
+  --strategy MODE    How to handle missing information: clarify (default) | assume.
+  --candidates N     Number of candidate variants to score (1-7).
+  --model ID         Resolve dispatch readiness for this model through the Model Gateway. Requires a
+                     gateway config (--config PATH or KEIKO_CONFIG_FILE).
+  --config PATH      Gateway config file (also honored via KEIKO_CONFIG_FILE).
+  --evidence         Also print a redacted, content-light audit evidence manifest.
+  --json             Print the full enhancement result as redacted JSON.
+`;
+const VALUE_FLAGS = [
+    "--input",
+    "--profile",
+    "--strategy",
+    "--candidates",
+    "--model",
+    "--config",
+];
+const BOOLEAN_FLAG_KEYS = {
+    "--json": "json",
+    "--evidence": "evidence",
+    "--help": "help",
+    "-h": "help",
+};
+const isValueFlag = (value) => VALUE_FLAGS.includes(value);
+function parseArgs(args) {
+    const values = {};
+    const bools = { json: false, evidence: false, help: false };
+    for (let i = 0; i < args.length; i += 1) {
+        const arg = args[i];
+        if (arg === undefined)
+            continue;
+        if (isValueFlag(arg)) {
+            const value = args[i + 1];
+            if (value === undefined || (arg !== "--input" && value.startsWith("--"))) {
+                return { ok: false, error: `missing value for ${arg}` };
+            }
+            values[arg] = value;
+            i += 1;
+            continue;
+        }
+        const boolKey = BOOLEAN_FLAG_KEYS[arg];
+        if (boolKey !== undefined) {
+            bools[boolKey] = true;
+            continue;
+        }
+        return {
+            ok: false,
+            error: arg.startsWith("--") ? `unknown flag ${arg}` : `unexpected argument ${arg}`,
+        };
+    }
+    return { ok: true, flags: { values, ...bools } };
+}
+// Build the wire request from flags and validate it with the same validator the BFF route uses, so the
+// CLI and API reject identical malformed inputs. Numeric/enumerated flags are coerced before validation.
+function buildWireRequest(flags) {
+    const candidate = { text: flags.values["--input"] };
+    if (flags.values["--profile"] !== undefined)
+        candidate.profilePreference = flags.values["--profile"];
+    if (flags.values["--strategy"] !== undefined) {
+        candidate.missingInformationStrategy = flags.values["--strategy"];
+    }
+    if (flags.values["--model"] !== undefined)
+        candidate.modelId = flags.values["--model"];
+    if (flags.values["--candidates"] !== undefined) {
+        const parsed = Number(flags.values["--candidates"]);
+        candidate.candidateCount = Number.isNaN(parsed) ? flags.values["--candidates"] : parsed;
+    }
+    const validation = validatePromptEnhancementWireRequest(candidate);
+    if (!validation.ok) {
+        return { ok: false, errors: validation.errors };
+    }
+    return { ok: true, request: validation.value };
+}
+function resolveGatewayConfig(flags, env, io, deps) {
+    // A model is only checked for downstream-dispatch readiness when --model is given. Without it,
+    // enhancement is fully deterministic and needs no config.
+    if (flags.values["--model"] === undefined) {
+        return { ok: true, config: undefined };
+    }
+    const path = flags.values["--config"] ?? env.KEIKO_CONFIG_FILE;
+    if (path === undefined) {
+        io.err("Error: --model requires a gateway config to resolve readiness; pass --config PATH or set KEIKO_CONFIG_FILE.\n");
+        return { ok: false, code: 1 };
+    }
+    try {
+        const load = deps.loadConfig ?? loadConfigFromFile;
+        return { ok: true, config: load(path, env) };
+    }
+    catch (error) {
+        if (error instanceof GatewayError || error instanceof ConfigInvalidError) {
+            io.err(`Error: model gateway configuration problem — ${redact(error.message)}\n` +
+                "Provide a valid gateway config with --config PATH or KEIKO_CONFIG_FILE.\n");
+            return { ok: false, code: 1 };
+        }
+        throw error;
+    }
+}
+function buildEvidenceManifest(rawInput, result, env, config) {
+    const record = buildPromptEnhancementRecordInput({
+        rawInput,
+        result,
+        recordedAt: new Date().toISOString(),
+    });
+    // The builder fingerprints + redacts by construction, so the returned manifest carries no raw secret.
+    // Topology values are literal-redacted; configured credentials only trigger full string redaction so
+    // the raw credential values never approach the evidence hashing boundary.
+    return buildPromptEnhancementEvidenceManifest(record, {
+        additionalSecrets: promptEnhancerTopologyRedactionSecrets(config),
+        redactAllStrings: promptEnhancerHasOpaqueRedactionSecret(env, config),
+    }).manifest;
+}
+function egressSecretValues(egress) {
+    if (egress === undefined)
+        return [];
+    return [egress.httpProxy, egress.httpsProxy, egress.caBundlePath].filter((value) => value !== undefined && value.length > 0);
+}
+function configTopologyValues(config) {
+    if (config === undefined)
+        return [];
+    const out = [...egressSecretValues(config.egress)];
+    for (const provider of config.providers) {
+        out.push(provider.baseUrl, ...egressSecretValues(provider.egress));
+    }
+    return out;
+}
+function configOpaqueSecretValues(config) {
+    if (config === undefined)
+        return [];
+    const out = [];
+    if (config.figma?.accessToken !== undefined) {
+        out.push(config.figma.accessToken);
+    }
+    for (const provider of config.providers) {
+        out.push(provider.apiKey);
+    }
+    return out;
+}
+function figmaEnvSecretValues(env) {
+    const token = env.FIGMA_ACCESS_TOKEN;
+    return token !== undefined && token.length > 0 ? [token] : [];
+}
+function promptEnhancerRedactionSecrets(env, config) {
+    return Array.from(new Set([
+        ...keikoApiKeySecretValues(env),
+        ...figmaEnvSecretValues(env),
+        ...configTopologyValues(config),
+        ...configOpaqueSecretValues(config),
+    ]));
+}
+function promptEnhancerTopologyRedactionSecrets(config) {
+    return Array.from(new Set(configTopologyValues(config)));
+}
+function promptEnhancerHasOpaqueRedactionSecret(env, config) {
+    return (keikoApiKeySecretValues(env).length > 0 ||
+        figmaEnvSecretValues(env).length > 0 ||
+        configOpaqueSecretValues(config).length > 0);
+}
+function renderHuman(result, io) {
+    const winner = result.candidates.scorecards.find((scorecard) => scorecard.candidateId === result.candidates.winnerCandidateId);
+    io.out(`Enhanced prompt (profile: ${winner?.profile ?? "n/a"}, id: ${result.promptId})\n`);
+    io.out(`Task class: ${result.analysis.taskClass} · domain: ${result.analysis.domain} · criticality: ${result.analysis.criticality}\n`);
+    io.out(`Model routing: ${result.modelRouting.availability} (${result.modelRouting.reason})` +
+        (result.modelRouting.resolvedModelId === undefined
+            ? "\n"
+            : ` → ${result.modelRouting.resolvedModelId}\n`));
+    io.out(`Safety: ${result.safety.decision} · verification: ${result.safety.verificationStatus}` +
+        ` · human review: ${result.safety.requiresHumanReview ? "required" : "not required"}\n`);
+    if (result.safety.findings.length > 0) {
+        io.out(`Safety findings: ${result.safety.findings.map((f) => f.code).join(", ")}\n`);
+    }
+    io.out("\nCandidate scorecards (winner first):\n");
+    for (const scorecard of result.candidates.scorecards) {
+        const marker = scorecard.candidateId === result.candidates.winnerCandidateId ? "*" : " ";
+        io.out(`  ${marker} ${scorecard.profile.padEnd(16)} score ${scorecard.aggregateScore.toFixed(3)} · ~${String(scorecard.estimatedTokens)} tokens\n`);
+    }
+    io.out("\n--- Enhanced prompt (review before any downstream use) ---\n");
+    io.out(`${result.renderedPrompt}\n`);
+}
+/**
+ * `keiko prompt-enhancer` entrypoint. Returns 0 on success, 1 on a runtime/config error, 2 on usage
+ * error. Pure apart from optional config-file reads; never dispatches a model.
+ */
+export function runPromptEnhancerCli(args, io, env, deps = {}) {
+    const parsed = parseArgs(args);
+    if (!parsed.ok) {
+        io.err(`Error: ${parsed.error}\n\n${USAGE}`);
+        return 2;
+    }
+    if (parsed.flags.help) {
+        io.out(USAGE);
+        return 0;
+    }
+    const rawInput = parsed.flags.values["--input"];
+    if (rawInput === undefined) {
+        io.err(`Error: --input is required.\n\n${USAGE}`);
+        return 2;
+    }
+    const wire = buildWireRequest(parsed.flags);
+    if (!wire.ok) {
+        io.err(`Error: invalid request:\n  - ${wire.errors.join("\n  - ")}\n`);
+        return 2;
+    }
+    const config = resolveGatewayConfig(parsed.flags, env, io, deps);
+    if (!config.ok) {
+        return config.code;
+    }
+    const run = deps.run ?? runPromptEnhancement;
+    let result;
+    try {
+        result = run(wire.request, {
+            gatewayRoutingConfig: promptEnhancementGatewayRoutingConfig(config.config),
+        });
+    }
+    catch (error) {
+        if (error instanceof PromptEnhancementInputError) {
+            io.err(`Error: enhancement rejected the request:\n  - ${error.errors.join("\n  - ")}\n`);
+            return 1;
+        }
+        throw error;
+    }
+    emitResult(parsed.flags, result, rawInput, env, config.config, io);
+    return 0;
+}
+// Redact and print the enhancement result. AC4: deep-redact every string leaf before printing so a
+// secret-shaped substring a user pasted into their own draft is scrubbed from the echoed input /
+// rendered prompt. The evidence manifest is built from the ORIGINAL result (the evidence store redacts
+// by construction) and is always integrity-hashed and content-light.
+function emitResult(flags, result, rawInput, env, config, io) {
+    const redactFn = createAuditRedactor({ additionalSecrets: promptEnhancerRedactionSecrets(env, config) }, env);
+    const redactedResult = deepRedactStrings(result, redactFn);
+    if (flags.json) {
+        io.out(`${JSON.stringify(redactedResult, null, 2)}\n`);
+    }
+    else {
+        renderHuman(redactedResult, io);
+    }
+    if (flags.evidence) {
+        const manifest = buildEvidenceManifest(rawInput, result, env, config);
+        io.out(`\n--- Redacted evidence manifest ---\n${JSON.stringify(manifest, null, 2)}\n`);
+    }
+}

package/dist/repair.d.ts

@@ -0,0 +1,10 @@
+import type { EnvSource } from "@oscharko-dev/keiko-model-gateway";
+import type { CliIo } from "./runner.js";
+export interface RepairCliDeps {
+    readonly cwd?: string | undefined;
+    readonly argv?: readonly string[] | undefined;
+    readonly homedir?: () => string;
+    readonly isProcessAlive?: (pid: number) => boolean;
+}
+export declare function runRepairCli(args: readonly string[], io: CliIo, env: EnvSource, deps?: RepairCliDeps): number;
+//# sourceMappingURL=repair.d.ts.map

package/dist/repair.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"repair.d.ts","sourceRoot":"","sources":["../src/repair.ts"],"names":[],"mappings":"AAoBA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AA8EzC,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,MAAM,EAAE,GAAG,SAAS,CAAC;IAC9C,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,MAAM,CAAC;IAChC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;CACpD;AA0XD,wBAAgB,YAAY,CAC1B,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,EAAE,EAAE,KAAK,EACT,GAAG,EAAE,SAAS,EACd,IAAI,GAAE,aAAkB,GACvB,MAAM,CAmCR"}