@oscharko-dev/keiko-model-gateway 0.2.0

package/dist/http.js

@@ -0,0 +1,666 @@
+import { readFileSync } from "node:fs";
+import { request as httpRequest } from "node:http";
+import { request as httpsRequest } from "node:https";
+import { connect as netConnect, isIP } from "node:net";
+import * as tls from "node:tls";
+// Caps a single gateway response at 10 MB; real chat completions are far smaller.
+export const MAX_RESPONSE_BYTES = 10_000_000;
+export class OutboundHttpEgressError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = "OutboundHttpEgressError";
+        this.code = code;
+    }
+}
+const FORWARDED_CREDENTIAL_HEADERS = new Set([
+    "authorization",
+    "x-litellm-key",
+    "x-api-key",
+    "api-key",
+]);
+function headersFromNode(headers) {
+    const out = new Headers();
+    for (const [name, value] of Object.entries(headers)) {
+        if (Array.isArray(value)) {
+            for (const item of value)
+                out.append(name, item);
+        }
+        else if (value !== undefined) {
+            out.set(name, value);
+        }
+    }
+    return out;
+}
+function headersToRecord(headers) {
+    const out = {};
+    const normalized = new Headers(headers);
+    normalized.forEach((value, key) => {
+        out[key] = value;
+    });
+    return out;
+}
+function hasForwardedCredentialHeader(headers) {
+    return Object.keys(headers).some((name) => FORWARDED_CREDENTIAL_HEADERS.has(name.toLowerCase()));
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+export function isMissingIssuerError(error) {
+    const cause = isRecord(error) ? error.cause : undefined;
+    const candidates = [error, cause];
+    return candidates.some((item) => {
+        if (!isRecord(item))
+            return false;
+        return item.code === "UNABLE_TO_GET_ISSUER_CERT_LOCALLY";
+    });
+}
+const RECOVERABLE_TLS_TRUST_ERROR_CODES = new Set([
+    "DEPTH_ZERO_SELF_SIGNED_CERT",
+    "SELF_SIGNED_CERT_IN_CHAIN",
+    "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
+    "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
+]);
+export function isRecoverableTlsTrustError(error) {
+    const cause = isRecord(error) ? error.cause : undefined;
+    const candidates = [error, cause];
+    return candidates.some((item) => {
+        if (!isRecord(item) || typeof item.code !== "string")
+            return false;
+        return RECOVERABLE_TLS_TRUST_ERROR_CODES.has(item.code);
+    });
+}
+function usesHttps(url) {
+    try {
+        return new URL(url).protocol === "https:";
+    }
+    catch {
+        return false;
+    }
+}
+function readCertificateFile(path) {
+    try {
+        return [readFileSync(path, "utf8")];
+    }
+    catch {
+        return [];
+    }
+}
+// One-time set of paths we have already warned about so the warning fires once per path.
+const warnedCaBundlePaths = new Set();
+function extraCaCertificates(caBundlePath) {
+    const paths = [process.env.NODE_EXTRA_CA_CERTS, caBundlePath].filter((path) => path !== undefined && path.trim().length > 0);
+    return paths.flatMap((path) => {
+        const certs = readCertificateFile(path);
+        // Warn once when a configured path yields no certificates so the operator
+        // can tell the file is missing or unreadable without throwing at startup.
+        if (certs.length === 0 && !warnedCaBundlePaths.has(path)) {
+            warnedCaBundlePaths.add(path);
+            // eslint-disable-next-line no-console
+            console.warn(`[keiko-model-gateway] CA bundle at ${path} could not be read or is empty`);
+        }
+        return certs;
+    });
+}
+function nodeCaCertificates(source) {
+    const getter = tls.getCACertificates;
+    if (typeof getter !== "function") {
+        return [];
+    }
+    try {
+        return getter(source);
+    }
+    catch {
+        return [];
+    }
+}
+export function gatewayTrustedCaCertificates(caBundlePath) {
+    return Array.from(new Set([
+        ...nodeCaCertificates("default"),
+        ...tls.rootCertificates,
+        ...nodeCaCertificates("system"),
+        ...nodeCaCertificates("extra"),
+        ...extraCaCertificates(caBundlePath),
+    ]));
+}
+// Exposed for tests to reset the one-time warning set between runs.
+export function _resetWarnedCaBundlePaths() {
+    warnedCaBundlePaths.clear();
+}
+function bodyToString(body) {
+    if (body === undefined || body === null) {
+        return undefined;
+    }
+    if (typeof body === "string") {
+        return body;
+    }
+    if (body instanceof URLSearchParams) {
+        return body.toString();
+    }
+    throw new TypeError("gateway HTTP fallback supports string request bodies only");
+}
+// Converts a Node IncomingMessage into a streaming web Response, enforcing the
+// byte cap inline and destroying the request when the consumer cancels. Unlike a
+// Buffer.concat-on-end approach this delivers SSE chunks incrementally (#152), so
+// the CA-bundle fallback streams tokens instead of buffering the whole response.
+export function streamingResponseFromNode(res, onCancel, maxBytes = MAX_RESPONSE_BYTES) {
+    let total = 0;
+    let done = false;
+    const body = new ReadableStream({
+        start(controller) {
+            res.on("data", (chunk) => {
+                if (done)
+                    return;
+                total += chunk.length;
+                if (total > maxBytes) {
+                    done = true;
+                    controller.error(new Error("gateway response exceeded the size limit"));
+                    onCancel();
+                    return;
+                }
+                controller.enqueue(new Uint8Array(chunk));
+            });
+            res.on("end", () => {
+                if (done)
+                    return;
+                done = true;
+                controller.close();
+            });
+            res.on("error", (error) => {
+                if (done)
+                    return;
+                done = true;
+                controller.error(error);
+            });
+        },
+        cancel() {
+            done = true;
+            onCancel();
+        },
+    });
+    return new Response(body, {
+        status: res.statusCode ?? 500,
+        statusText: res.statusMessage ?? "",
+        headers: headersFromNode(res.headers),
+    });
+}
+// Composes a caller-supplied AbortSignal with an AbortSignal.timeout so both
+// cancellation and deadline are observed. Returns undefined when neither is set.
+function composeSignal(callerSignal, timeoutMs) {
+    const timeoutSignal = timeoutMs !== undefined ? AbortSignal.timeout(timeoutMs) : undefined;
+    if (callerSignal != null && timeoutSignal !== undefined) {
+        return AbortSignal.any([callerSignal, timeoutSignal]);
+    }
+    if (callerSignal != null)
+        return callerSignal;
+    return timeoutSignal;
+}
+function fetchWithCaBundle(url, init, egress, maxResponseBytes) {
+    const body = bodyToString(init.body);
+    const headers = headersToRecord(init.headers);
+    const cap = maxResponseBytes ?? MAX_RESPONSE_BYTES;
+    return new Promise((resolve, reject) => {
+        const req = httpsRequest(url, {
+            method: init.method ?? "GET",
+            headers,
+            ca: [...gatewayTrustedCaCertificates(egress?.caBundlePath)],
+            signal: init.signal ?? undefined,
+        }, (res) => {
+            resolve(streamingResponseFromNode(res, () => req.destroy(), cap));
+        });
+        req.on("error", reject);
+        req.end(body);
+    });
+}
+function normalizeHost(hostname) {
+    return hostname.toLowerCase().replace(/^\[/u, "").replace(/\]$/u, "");
+}
+function tlsServerName(hostname) {
+    const normalized = normalizeHost(hostname);
+    return isIP(normalized) === 0 ? normalized : undefined;
+}
+function defaultPort(protocol) {
+    return protocol === "https:" ? "443" : "80";
+}
+function targetPort(url) {
+    return url.port.length > 0 ? url.port : defaultPort(url.protocol);
+}
+// Returns the Host header value for a target URL: omit the port when it is the
+// default for the scheme (443 for https, 80 for http) so the value matches what
+// undici sends directly and satisfies SigV4 pre-signed S3 URLs behind a proxy.
+function hostHeader(url) {
+    const isDefaultPort = (url.protocol === "https:" && (url.port === "" || url.port === "443")) ||
+        (url.protocol === "http:" && (url.port === "" || url.port === "80"));
+    return isDefaultPort ? url.hostname : `${url.hostname}:${url.port}`;
+}
+function noProxyRuleMatches(rule, host, hostPort) {
+    if (rule.length === 0)
+        return false;
+    if (rule === "*")
+        return true;
+    if (rule.includes(":") && normalizeHost(rule) === hostPort)
+        return true;
+    const domain = rule.startsWith(".") ? rule.slice(1) : rule;
+    if (host === domain)
+        return true;
+    return host.endsWith(`.${domain}`);
+}
+function noProxyMatches(url, rules) {
+    if (rules === undefined || rules.length === 0)
+        return false;
+    const host = normalizeHost(url.hostname);
+    const hostPort = `${host}:${targetPort(url)}`;
+    for (const rawRule of rules) {
+        const rule = rawRule.trim().toLowerCase();
+        if (noProxyRuleMatches(rule, host, hostPort))
+            return true;
+    }
+    return false;
+}
+function parseProxyUrl(raw) {
+    let url;
+    try {
+        url = new URL(raw);
+    }
+    catch {
+        throw new OutboundHttpEgressError("PROXY_EGRESS_FAILED", "Configured proxy URL is invalid.");
+    }
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+        throw new OutboundHttpEgressError("PROXY_EGRESS_FAILED", "Configured proxy URL uses an unsupported scheme.");
+    }
+    if (url.username !== "" || url.password !== "") {
+        throw new OutboundHttpEgressError("PROXY_AUTH_REQUIRED", "Proxy credentials must not be embedded in the proxy URL.");
+    }
+    return url;
+}
+function proxyForTarget(target, egress) {
+    if (egress === undefined || noProxyMatches(target, egress.noProxy))
+        return undefined;
+    if (target.protocol === "https:")
+        return egress.httpsProxy ?? egress.httpProxy;
+    if (target.protocol === "http:")
+        return egress.httpProxy;
+    return undefined;
+}
+function proxyPort(proxy) {
+    if (proxy.port.length > 0)
+        return Number(proxy.port);
+    return proxy.protocol === "https:" ? 443 : 80;
+}
+const PROXY_UNREACHABLE_CODES = new Set([
+    "ECONNREFUSED",
+    "ENOTFOUND",
+    "EAI_AGAIN",
+    "ETIMEDOUT",
+    "EHOSTUNREACH",
+    "ENETUNREACH",
+]);
+const ABORT_ERROR_NAMES = new Set(["AbortError", "TimeoutError"]);
+function mapProxyError(error) {
+    if (error instanceof OutboundHttpEgressError)
+        return error;
+    if (isRecoverableTlsTrustError(error)) {
+        return tlsCaFailureError();
+    }
+    if (error instanceof Error) {
+        const code = isRecord(error) ? error.code : undefined;
+        if ((typeof code === "string" && PROXY_UNREACHABLE_CODES.has(code)) ||
+            ABORT_ERROR_NAMES.has(error.name)) {
+            return new OutboundHttpEgressError("PROXY_UNREACHABLE", "Configured proxy is unreachable.");
+        }
+        return error;
+    }
+    return new OutboundHttpEgressError("PROXY_EGRESS_FAILED", "Outbound egress failed.");
+}
+function tlsCaFailureError() {
+    return new OutboundHttpEgressError("TLS_CA_FAILURE", "TLS certificate verification failed for outbound egress.");
+}
+const PROXY_UNREACHABLE_ERROR = new OutboundHttpEgressError("PROXY_UNREACHABLE", "Configured proxy is unreachable.");
+function attachAbortGuard(signal, onAbort) {
+    if (signal.aborted) {
+        onAbort();
+        return () => undefined;
+    }
+    signal.addEventListener("abort", onAbort, { once: true });
+    return () => {
+        signal.removeEventListener("abort", onAbort);
+    };
+}
+function openProxySocket(proxy, ca, signal) {
+    const host = proxy.hostname;
+    const port = proxyPort(proxy);
+    return new Promise((resolve, reject) => {
+        let settled = false;
+        const settle = (fn) => {
+            if (settled)
+                return;
+            settled = true;
+            cleanup();
+            fn();
+        };
+        const onConnect = () => {
+            settle(() => {
+                resolve(socket);
+            });
+        };
+        const onError = (error) => {
+            settle(() => {
+                reject(mapProxyError(error));
+            });
+        };
+        const onAbort = () => {
+            socket.destroy();
+            settle(() => {
+                reject(PROXY_UNREACHABLE_ERROR);
+            });
+        };
+        let removeAbort = () => undefined;
+        const cleanup = () => {
+            socket.off("error", onError);
+            removeAbort();
+        };
+        const socket = proxy.protocol === "https:"
+            ? tls.connect({ host, port, servername: tlsServerName(host), ca: [...ca] }, onConnect)
+            : netConnect({ host, port }, onConnect);
+        socket.once("error", onError);
+        if (signal !== undefined) {
+            removeAbort = attachAbortGuard(signal, onAbort);
+        }
+    });
+}
+function readConnectHeader(socket, signal) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let settled = false;
+        let removeAbort = () => undefined;
+        const settle = (fn) => {
+            if (settled)
+                return;
+            settled = true;
+            socket.off("data", onData);
+            socket.off("error", onError);
+            removeAbort();
+            fn();
+        };
+        const onData = (chunk) => {
+            chunks.push(chunk);
+            const buffer = Buffer.concat(chunks);
+            const headerEnd = buffer.indexOf("\r\n\r\n");
+            if (headerEnd === -1)
+                return;
+            const rest = buffer.subarray(headerEnd + 4);
+            if (rest.length > 0)
+                socket.unshift(rest);
+            settle(() => {
+                resolve(buffer.subarray(0, headerEnd).toString("latin1"));
+            });
+        };
+        const onError = (error) => {
+            settle(() => {
+                reject(mapProxyError(error));
+            });
+        };
+        const onAbort = () => {
+            socket.destroy();
+            settle(() => {
+                reject(PROXY_UNREACHABLE_ERROR);
+            });
+        };
+        socket.on("data", onData);
+        socket.once("error", onError);
+        if (signal !== undefined) {
+            removeAbort = attachAbortGuard(signal, onAbort);
+        }
+    });
+}
+function connectStatus(header) {
+    const match = /^HTTP\/\d(?:\.\d)?\s+(\d{3})/iu.exec(header);
+    return match === null ? 0 : Number(match[1]);
+}
+function startTargetTls(target, socket, ca, signal) {
+    return new Promise((resolve, reject) => {
+        let settled = false;
+        const settle = (fn) => {
+            if (settled)
+                return;
+            settled = true;
+            cleanup();
+            fn();
+        };
+        const onError = (error) => {
+            settle(() => {
+                reject(mapProxyError(error));
+            });
+        };
+        const onAbort = () => {
+            tlsSocket.destroy();
+            settle(() => {
+                reject(new DOMException("The operation was aborted.", "AbortError"));
+            });
+        };
+        const cleanup = () => {
+            tlsSocket.off("error", onError);
+            signal?.removeEventListener("abort", onAbort);
+        };
+        const tlsSocket = tls.connect({ socket, servername: tlsServerName(target.hostname), ca: [...ca] }, () => {
+            settle(() => {
+                resolve(tlsSocket);
+            });
+        });
+        tlsSocket.once("error", onError);
+        tlsSocket.resume();
+        if (signal !== undefined) {
+            if (signal.aborted) {
+                onAbort();
+                return;
+            }
+            signal.addEventListener("abort", onAbort, { once: true });
+        }
+    });
+}
+async function createTlsTunnel(target, proxy, ca, signal) {
+    const socket = await openProxySocket(proxy, ca, signal);
+    const authority = `${target.hostname}:${targetPort(target)}`;
+    socket.write(`CONNECT ${authority} HTTP/1.1\r\nHost: ${authority}\r\n\r\n`);
+    const status = connectStatus(await readConnectHeader(socket, signal));
+    if (status === 407) {
+        socket.destroy();
+        throw new OutboundHttpEgressError("PROXY_AUTH_REQUIRED", "The configured proxy requires authentication.");
+    }
+    if (status < 200 || status >= 300) {
+        socket.destroy();
+        throw new OutboundHttpEgressError(status === 403 ? "PROXY_BLOCKED_BY_POLICY" : "PROXY_EGRESS_FAILED", "The configured proxy rejected outbound egress.");
+    }
+    socket.resume();
+    return startTargetTls(target, socket, ca, signal);
+}
+function responseFromClientRequest(start) {
+    return new Promise((resolve, reject) => {
+        start(resolve, reject);
+    });
+}
+function fetchHttpViaProxy(target, init, proxy, ca, maxResponseBytes) {
+    const body = bodyToString(init.body);
+    const headers = headersToRecord(init.headers);
+    if (hasForwardedCredentialHeader(headers)) {
+        throw new OutboundHttpEgressError("PROXY_BLOCKED_BY_POLICY", "Refusing to forward credential headers to a plaintext HTTP target through the configured proxy.");
+    }
+    // Ensure Host header omits the default port (fixes SigV4 pre-signed S3 URLs).
+    if (!Object.prototype.hasOwnProperty.call(headers, "host")) {
+        headers.host = hostHeader(target);
+    }
+    const request = proxy.protocol === "https:" ? httpsRequest : httpRequest;
+    const cap = maxResponseBytes ?? MAX_RESPONSE_BYTES;
+    return responseFromClientRequest((resolve, reject) => {
+        const req = request({
+            protocol: proxy.protocol,
+            hostname: proxy.hostname,
+            port: proxyPort(proxy),
+            method: init.method ?? "GET",
+            path: target.href,
+            headers,
+            ca: proxy.protocol === "https:" ? [...ca] : undefined,
+            signal: init.signal ?? undefined,
+        }, (res) => {
+            resolve(streamingResponseFromNode(res, () => {
+                req.destroy();
+            }, cap));
+        });
+        req.on("error", (error) => {
+            reject(mapProxyError(error));
+        });
+        req.end(body);
+    });
+}
+async function fetchHttpsViaProxy(target, init, proxy, ca, maxResponseBytes) {
+    const body = bodyToString(init.body);
+    const headers = headersToRecord(init.headers);
+    if (!Object.prototype.hasOwnProperty.call(headers, "connection")) {
+        headers.connection = "close";
+    }
+    // Ensure Host header omits :443 so it matches what undici sends directly and
+    // satisfies SigV4 pre-signed S3 URLs behind a proxy.
+    if (!Object.prototype.hasOwnProperty.call(headers, "host")) {
+        headers.host = hostHeader(target);
+    }
+    const socket = await createTlsTunnel(target, proxy, ca, init.signal ?? undefined);
+    const cap = maxResponseBytes ?? MAX_RESPONSE_BYTES;
+    return responseFromClientRequest((resolve, reject) => {
+        const req = httpRequest({
+            method: init.method ?? "GET",
+            hostname: target.hostname,
+            port: Number(targetPort(target)),
+            path: `${target.pathname}${target.search}`,
+            headers,
+            signal: init.signal ?? undefined,
+            createConnection: () => socket,
+        }, (res) => {
+            resolve(streamingResponseFromNode(res, () => {
+                req.destroy();
+            }, cap));
+        });
+        req.on("error", (error) => {
+            reject(mapProxyError(error));
+        });
+        req.end(body);
+    });
+}
+function fetchViaProxy(target, init, proxyRaw, egress, maxResponseBytes) {
+    const proxy = parseProxyUrl(proxyRaw);
+    const ca = gatewayTrustedCaCertificates(egress?.caBundlePath);
+    return target.protocol === "https:"
+        ? fetchHttpsViaProxy(target, init, proxy, ca, maxResponseBytes)
+        : fetchHttpViaProxy(target, init, proxy, ca, maxResponseBytes);
+}
+// Extracted from gatewayFetch to keep its cyclomatic complexity within the limit.
+async function fetchDirectWithCaFallback(url, init, doFetch, useCaFallback, egress, maxResponseBytes) {
+    try {
+        return await doFetch(url, init);
+    }
+    catch (error) {
+        if (useCaFallback && usesHttps(url) && isRecoverableTlsTrustError(error)) {
+            try {
+                return await fetchWithCaBundle(url, init, egress, maxResponseBytes);
+            }
+            catch (fallbackError) {
+                if (isRecoverableTlsTrustError(fallbackError)) {
+                    throw tlsCaFailureError();
+                }
+                throw fallbackError;
+            }
+        }
+        if (usesHttps(url) && isRecoverableTlsTrustError(error)) {
+            throw tlsCaFailureError();
+        }
+        throw error;
+    }
+}
+export async function gatewayFetch(url, options = {}) {
+    const { fetchImpl, useCaFallback = fetchImpl === undefined, egress, timeoutMs, maxResponseBytes, ...rest } = options;
+    // Compose caller signal + optional timeout into a single signal for all paths.
+    const composedSignal = composeSignal(rest.signal, timeoutMs);
+    const init = composedSignal !== undefined ? { ...rest, signal: composedSignal } : rest;
+    const doFetch = fetchImpl ?? globalThis.fetch;
+    const target = new URL(url);
+    const proxy = fetchImpl === undefined ? proxyForTarget(target, egress) : undefined;
+    if (proxy !== undefined) {
+        return fetchViaProxy(target, init, proxy, egress, maxResponseBytes);
+    }
+    return fetchDirectWithCaFallback(url, init, doFetch, useCaFallback, egress, maxResponseBytes);
+}
+export async function readJsonCapped(response, maxBytes = MAX_RESPONSE_BYTES) {
+    if (response.body === null) {
+        return response.json();
+    }
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    const parts = [];
+    let total = 0;
+    for (;;) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        total += value.byteLength;
+        if (total > maxBytes) {
+            await reader.cancel();
+            throw new Error("response body exceeded the size limit");
+        }
+        parts.push(decoder.decode(value, { stream: true }));
+    }
+    parts.push(decoder.decode());
+    return JSON.parse(parts.join(""));
+}
+// Splits an SSE buffer on newlines, keeping the trailing partial line (no newline yet)
+// for the next read. Returns the complete lines and the leftover remainder so a
+// `data: {...}` payload split across two reads is never parsed half-formed.
+function splitSseBuffer(buffer) {
+    const segments = buffer.split("\n");
+    const rest = segments.pop() ?? "";
+    return { lines: segments, rest };
+}
+function parseSseLine(rawLine) {
+    const line = rawLine.endsWith("\r") ? rawLine.slice(0, -1) : rawLine;
+    if (line.length === 0 || !line.startsWith("data:")) {
+        return { kind: "skip" };
+    }
+    const payload = line.slice("data:".length).trimStart();
+    if (payload === "[DONE]") {
+        return { kind: "done" };
+    }
+    return { kind: "value", value: JSON.parse(payload) };
+}
+// Reads a Server-Sent-Events response as a stream of parsed JSON `data:` payloads.
+// Incomplete lines are buffered across reads; `data: [DONE]` terminates; cumulative
+// bytes are capped exactly like readJsonCapped. A null body yields nothing.
+export async function* readSseStream(response, maxBytes = MAX_RESPONSE_BYTES) {
+    if (response.body === null) {
+        return;
+    }
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    let total = 0;
+    for (;;) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        total += value.byteLength;
+        if (total > maxBytes) {
+            await reader.cancel();
+            throw new Error("response body exceeded the size limit");
+        }
+        buffer += decoder.decode(value, { stream: true });
+        const { lines, rest } = splitSseBuffer(buffer);
+        buffer = rest;
+        for (const line of lines) {
+            const result = parseSseLine(line);
+            if (result.kind === "done")
+                return;
+            if (result.kind === "value")
+                yield result.value;
+        }
+    }
+    const tail = parseSseLine(buffer + decoder.decode());
+    if (tail.kind === "value")
+        yield tail.value;
+}

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+export { KEIKO_MODEL_GATEWAY_VERSION } from "./version.js";
+export type { CircuitBreakerConfig, CircuitBreakerStatus, CircuitState, ChatMessage, Clock, CostClass, FinishReason, GatewayConfig, GatewayRequest, GatewayStreamChunk, InfillingAlignment, LatencyClass, ModelCapability, CompletionInteractionMode, CompletionDegradeReason, CompletionModelSelection, ModelKind, ModelProviderConfig, NormalizedResponse, NormalizedToolCall, OutboundHttpEgressConfig, ProviderAdapter, ResponseFormat, StreamDelta, StreamEvent, ToolDefinition, UsageMetadata, } from "./types.js";
+export { CAPABILITY_REGISTRY, createDefaultChatCapability, explainConversationIneligibility, findCapability, INFILLING_ALIGNMENTS, isAlignedInfillingModel, isAsYouTypeCompletionModel, isConversationEligibleModel, listCapabilities, modelSupportsInfilling, resolveCostClass, selectCheapest, selectCompletionModelFromCapabilities, type CapabilityQuery, type CompletionSelectionOptions, type ConversationIneligibilityReason, } from "./capabilities.js";
+export { CAPABILITY_DATA } from "./capabilities.data.js";
+export { apiKeyHeaderValue, DEFAULT_API_KEY_HEADER_NAME, loadConfigFromFile, loadEgressConfigFromFile, normalizeApiKeyHeaderName, parseGatewayConfig, resolveOutboundHttpEgressConfig, toSafeObject, validateBaseUrl, type EnvSource, type SafeGatewayConfig, type SafeProviderConfig, } from "./config.js";
+export { Gateway, type GatewayDeps } from "./gateway.js";
+export { assertConfiguredModel, findConfiguredCapability, listConfiguredCapabilities, selectCompletionModel, selectConfiguredModel, type ConfiguredCapabilityProvider, type ConfiguredCapabilitySource, type ModelSelectionQuery, } from "./model-selection.js";
+export { assertCompatibleEmbeddingIdentity, verifyEmbeddingCapability, type EmbeddingCapabilityCheck, type EmbeddingFailureReason, type EmbeddingIdentityWarning, type EmbeddingProbeOptions, type OpenAIEmbeddingAdapter, } from "./embedding.js";
+export { requestOpenAIEmbedding, requestOpenAIEmbeddingBatch, type OpenAIEmbeddingBatchOutcome, type OpenAIEmbeddingBatchRequest, type OpenAIEmbeddingErrorKind, type OpenAIEmbeddingOutcome, type OpenAIEmbeddingRequest, type OpenAIEmbeddingSuccess, } from "./openai-embedding-adapter.js";
+export { redact } from "@oscharko-dev/keiko-security";
+export { AuthenticationError, CancelledError, CircuitOpenError, ConfigInvalidError, ContextOverflowError, ERROR_CODES, GatewayEgressError, GatewayError, MalformedToolCallError, ModelRefusalError, ProviderError, RateLimitError, TimeoutError, TransportError, UnknownModelError, type ErrorCode, type GatewayEgressErrorCode, } from "@oscharko-dev/keiko-security/errors/gateway";
+export * as QualityIntelligence from "./qualityIntelligence/index.js";
+export { QualityIntelligenceSafeErrorException, createInMemoryReplayCache, deriveReplayCacheKey, dispatchQualityIntelligenceRequest, isCacheable, type QualityIntelligenceBudgetState, type QualityIntelligenceCancellationHandle, type QualityIntelligenceReplayCachePort, type QualityIntelligenceSafeError, type QualityIntelligenceSafeErrorCode, } from "./qualityIntelligence/index.js";
+export type { QualityIntelligenceDispatcherArgs, QualityIntelligenceDispatcherResult, } from "./qualityIntelligence/dispatcher.js";
+export * as PromptEnhancer from "./promptEnhancer/index.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,2BAA2B,EAAE,MAAM,cAAc,CAAC;AAE3D,YAAY,EACV,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,EACZ,WAAW,EACX,KAAK,EACL,SAAS,EACT,YAAY,EACZ,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,kBAAkB,EAClB,YAAY,EACZ,eAAe,EACf,yBAAyB,EACzB,uBAAuB,EACvB,wBAAwB,EACxB,SAAS,EACT,mBAAmB,EACnB,kBAAkB,EAClB,kBAAkB,EAClB,wBAAwB,EACxB,eAAe,EACf,cAAc,EACd,WAAW,EACX,WAAW,EACX,cAAc,EACd,aAAa,GACd,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,mBAAmB,EACnB,2BAA2B,EAC3B,gCAAgC,EAChC,cAAc,EACd,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,2BAA2B,EAC3B,gBAAgB,EAChB,sBAAsB,EACtB,gBAAgB,EAChB,cAAc,EACd,qCAAqC,EACrC,KAAK,eAAe,EACpB,KAAK,0BAA0B,EAC/B,KAAK,+BAA+B,GACrC,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,EACL,iBAAiB,EACjB,2BAA2B,EAC3B,kBAAkB,EAClB,wBAAwB,EACxB,yBAAyB,EACzB,kBAAkB,EAClB,+BAA+B,EAC/B,YAAY,EACZ,eAAe,EACf,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,GACxB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,cAAc,CAAC;AAEzD,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,0BAA0B,EAC1B,qBAAqB,EACrB,qBAAqB,EACrB,KAAK,4BAA4B,EACjC,KAAK,0BAA0B,EAC/B,KAAK,mBAAmB,GACzB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,iCAAiC,EACjC,yBAAyB,EACzB,KAAK,wBAAwB,EAC7B,KAAK,sBAAsB,EAC3B,KAAK,wBAAwB,EAC7B,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,GAC5B,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,2BAA2B,EAC3B,KAAK,2BAA2B,EAChC,KAAK,2BAA2B,EAChC,KAAK,wBAAwB,EAC7B,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,GAC5B,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EAAE,MAAM,EAAE,MAAM,8BAA8B,CAAC;AAEtD,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,EACpB,WAAW,EACX,kBAAkB,EAClB,YAAY,EACZ,sBAAsB,EACtB,iBAAiB,EACjB,aAAa,EACb,cAAc,EACd,YAAY,EACZ,cAAc,EACd,iBAAiB,EACjB,KAAK,SAAS,EACd,KAAK,sBAAsB,GAC5B,MAAM,6CAA6C,CAAC;AAKrD,OAAO,KAAK,mBAAmB,MAAM,gCAAgC,CAAC;AAGtE,OAAO,EACL,qCAAqC,EACrC,yBAAyB,EACzB,oBAAoB,EACpB,kCAAkC,EAClC,WAAW,EACX,KAAK,8BAA8B,EACnC,KAAK,qCAAqC,EAC1C,KAAK,kCAAkC,EACvC,KAAK,4BAA4B,EACjC,KAAK,gCAAgC,GACtC,MAAM,gCAAgC,CAAC;AACxC,YAAY,EACV,iCAAiC,EACjC,mCAAmC,GACpC,MAAM,qCAAqC,CAAC;AAM7C,OAAO,KAAK,cAAc,MAAM,2BAA2B,CAAC"}