@oscharko-dev/keiko 0.1.2 → 0.1.4

package/README.md

@@ -1,8 +1,22 @@
 # Keiko
 
-Keiko is a local enterprise coding assistant for regulated engineering teams. It helps inspect a repository, chat with configured language models, generate reviewable unit tests, investigate bugs, run verification, and keep redacted evidence for human review.
+Keiko is a governed agentic workspace for knowledge work that learns from experience.
 
-Keiko is developer-controlled by design. It does not commit, push, open pull requests, merge code, or apply changes without an explicit local action. The manifest-producing surfaces emit redacted evidence for audit.
+The current npm release starts with local developer-assist workflows for regulated engineering teams. Keiko helps inspect a repository, chat with configured language models, generate reviewable unit tests, investigate bugs, run verification, and keep redacted evidence for human review.
+
+Keiko is human-controlled by design. It does not commit, push, open pull requests, merge code, or apply changes without an explicit local action. The manifest-producing surfaces emit redacted evidence for audit.
+
+## Vision
+
+Keiko's long-term direction is a governed workspace where people can delegate knowledge work to learning agents without giving up control, oversight, or accountability.
+
+- **Governed delegation:** agents start with a task, not standing rights.
+- **Harness-first control:** agent actions, tool calls, connector access, approvals, failures, and outcomes flow through one observable control layer.
+- **Keiko Twin:** a governed work representative that can build controlled memory about user preferences, project routines, accepted outcomes, and recurring corrections.
+- **Learning from experience:** Keiko should improve future tool selection, escalation, policy suggestions, and workflow quality from structured evidence and feedback.
+- **Enterprise boundaries:** learning can improve suggestions and routines, but it must never grant itself authority or bypass human and organizational policy.
+
+Software engineering is the first use case because repositories, tests, reviews, and tool calls create hard evidence. The product direction is broader: a controlled agentic workspace for enterprise knowledge work.
 
 ## Requirements
 
@@ -45,8 +59,12 @@ If no model gateway is configured, the UI asks for:
 
 - Base URL, for example `https://llm-gateway.example.com/v1`
 - API token
+- Optional API-key header, only when your gateway admin provides a custom header
+- Deployment names, only when the gateway cannot expose a reliable model list
+
+Keiko calls the gateway model list endpoint, tests discovered chat models with a small chat-completions request, and stores only callable chat models in the local runtime configuration. LiteLLM-compatible gateways can also provide model metadata that lets Keiko filter non-chat models before testing. Credentials stay on the local machine and are not returned to the browser.
 
-Keiko calls the gateway model list endpoint, tests discovered chat models with a small chat-completions request, and stores only callable chat models in the local runtime configuration. Credentials stay on the local machine and are not returned to the browser.
+For OpenAI-compatible gateways such as LiteLLM, usually leave deployment names empty. For Azure AI Foundry, paste the deployment names you want Keiko to offer in the UI.
 
 The UI runs on loopback only. The `--host` option can validate a loopback host value; the server always binds `127.0.0.1`.
 
@@ -89,7 +107,8 @@ The UI can create a local runtime config during first-run setup. For scripted us
     {
       "modelId": "example-chat-model",
       "baseUrl": "https://llm-gateway.example.com/v1",
-      "apiKey": "replace-me"
+      "apiKey": "replace-me",
+      "apiKeyHeaderName": "authorization"
     }
   ]
 }
@@ -97,14 +116,18 @@ The UI can create a local runtime config during first-run setup. For scripted us
 
 Environment variables can override file values:
 
-| Variable                    | Purpose                        |
-| --------------------------- | ------------------------------ |
-| `KEIKO_CONFIG_FILE`         | Path to a gateway config file. |
-| `KEIKO_DEFAULT_BASE_URL`    | Fallback gateway base URL.     |
-| `KEIKO_DEFAULT_API_KEY`     | Fallback gateway API token.    |
-| `KEIKO_MODEL_<ID>_BASE_URL` | Per-model base URL override.   |
-| `KEIKO_MODEL_<ID>_API_KEY`  | Per-model API token override.  |
-| `KEIKO_UI_PORT`             | Local UI port override.        |
+| Variable                               | Purpose                           |
+| -------------------------------------- | --------------------------------- |
+| `KEIKO_CONFIG_FILE`                    | Path to a gateway config file.    |
+| `KEIKO_DEFAULT_BASE_URL`               | Fallback gateway base URL.        |
+| `KEIKO_DEFAULT_API_KEY`                | Fallback gateway API token.       |
+| `KEIKO_DEFAULT_API_KEY_HEADER_NAME`    | Fallback credential header name.  |
+| `KEIKO_MODEL_<ID>_BASE_URL`            | Per-model base URL override.      |
+| `KEIKO_MODEL_<ID>_API_KEY`             | Per-model API token override.     |
+| `KEIKO_MODEL_<ID>_API_KEY_HEADER_NAME` | Per-model credential header name. |
+| `KEIKO_UI_PORT`                        | Local UI port override.           |
+
+Supported credential headers are `authorization`, `x-litellm-key`, `x-api-key`, and `api-key`.
 
 Do not commit gateway config files, API tokens, `.keiko/`, or evidence that contains project-specific review material unless your process explicitly requires it.
 
@@ -129,13 +152,14 @@ Known limits:
 
 ## Troubleshooting
 
-| Symptom               | Check                                                                                                   |
-| --------------------- | ------------------------------------------------------------------------------------------------------- |
-| UI does not open      | Run `npm run keiko:status`, then inspect `.keiko/ui.log`.                                               |
-| Port is busy          | Start with `KEIKO_UI_PORT=1984 npm run keiko:start` or stop the process using the port.                 |
-| No model appears      | Reopen Settings, verify the base URL and token, then run the credential test again.                     |
-| Credential test fails | Confirm the gateway accepts OpenAI-compatible chat-completions requests at the configured base URL.     |
-| Stale process state   | Run `npm run keiko:stop`, delete `.keiko/ui.pid` if the process is no longer running, then start again. |
+| Symptom                | Check                                                                                                    |
+| ---------------------- | -------------------------------------------------------------------------------------------------------- |
+| UI does not open       | Run `npm run keiko:status`, then inspect `.keiko/ui.log`.                                                |
+| Port is busy           | Start with `KEIKO_UI_PORT=1984 npm run keiko:start` or stop the process using the port.                  |
+| No model appears       | Reopen Settings, verify the base URL and token, then run the credential test again.                      |
+| Credential test fails  | Confirm the gateway accepts OpenAI-compatible chat-completions requests at the configured base URL.      |
+| Custom proxy key fails | Confirm whether your gateway expects `Authorization` or a custom API-key header such as `X-Litellm-Key`. |
+| Stale process state    | Run `npm run keiko:stop`, delete `.keiko/ui.pid` if the process is no longer running, then start again.  |
 
 ## Further Reading
 

package/dist/cli/lifecycle.js

@@ -204,7 +204,7 @@ async function cmdStart(options, io, env, deps, cwd) {
         return 1;
     }
     child.unref();
-    writeFileSync(pidFile(options), `${String(child.pid)}\n`, "utf8");
+    writeFileSync(pidFile(options), `${String(child.pid)}\n`, { encoding: "utf8", mode: 0o600 });
     io.out(`Starting Keiko UI on ${healthUrl(options).replace("/api/health", "")} ...\n`);
     const healthy = await waitForHealth(options, child.pid, deps);
     if (healthy) {

package/dist/gateway/config.d.ts

@@ -1,7 +1,10 @@
 import type { CircuitBreakerConfig, GatewayConfig, ModelCapability } from "./types.js";
+export declare const DEFAULT_API_KEY_HEADER_NAME = "authorization";
+export declare const SUPPORTED_API_KEY_HEADER_NAMES: readonly ["authorization", "x-litellm-key", "x-api-key", "api-key"];
 export type EnvSource = Readonly<Record<string, string | undefined>>;
 export interface SafeProviderConfig {
     readonly modelId: string;
+    readonly credentialHeaderName: string;
     readonly timeoutMs: number;
     readonly maxRetries: number;
     readonly retryBaseDelayMs: number;
@@ -11,6 +14,9 @@ export interface SafeGatewayConfig {
     readonly circuitBreaker: CircuitBreakerConfig;
     readonly capabilities?: readonly ModelCapability[] | undefined;
 }
+export declare function normalizeApiKeyHeaderName(value: unknown, path: string, fallback?: string): string;
+export declare function apiKeyHeaderValue(headerName: string, apiKey: string): string;
+export declare function validateBaseUrl(baseUrl: string, path: string): void;
 export declare function parseGatewayConfig(raw: unknown, env?: EnvSource): GatewayConfig;
 export declare function loadConfigFromFile(path: string, env?: EnvSource): GatewayConfig;
 export declare function toSafeObject(config: GatewayConfig): SafeGatewayConfig;

package/dist/gateway/config.js

@@ -3,6 +3,7 @@
 // API keys are sourced only from environment or the config file, never CLI flags,
 // and are excluded from every serialisation path.
 import { readFileSync } from "node:fs";
+import { isIP } from "node:net";
 import { ConfigInvalidError } from "./errors.js";
 const DEFAULT_TIMEOUT_MS = 30_000;
 const DEFAULT_MAX_RETRIES = 3;
@@ -10,6 +11,20 @@ const DEFAULT_RETRY_BASE_DELAY_MS = 500;
 const DEFAULT_FAILURE_THRESHOLD = 5;
 const DEFAULT_COOLDOWN_MS = 30_000;
 const DEFAULT_HALF_OPEN_PROBES = 2;
+export const DEFAULT_API_KEY_HEADER_NAME = "authorization";
+const MAX_API_KEY_HEADER_NAME_LENGTH = 64;
+const API_KEY_HEADER_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/u;
+export const SUPPORTED_API_KEY_HEADER_NAMES = [
+    DEFAULT_API_KEY_HEADER_NAME,
+    "x-litellm-key",
+    "x-api-key",
+    "api-key",
+];
+const SUPPORTED_API_KEY_HEADER_NAME_SET = new Set(SUPPORTED_API_KEY_HEADER_NAMES);
+const BEARER_API_KEY_HEADER_NAME_SET = new Set([
+    DEFAULT_API_KEY_HEADER_NAME,
+    "x-litellm-key",
+]);
 function isRecord(value) {
     return typeof value === "object" && value !== null && !Array.isArray(value);
 }
@@ -58,6 +73,33 @@ function optionalNonEmptyString(value, path, fallback) {
     }
     return requireNonEmptyString(value, path);
 }
+export function normalizeApiKeyHeaderName(value, path, fallback = DEFAULT_API_KEY_HEADER_NAME) {
+    if (value === undefined) {
+        return fallback;
+    }
+    if (typeof value !== "string") {
+        throw new ConfigInvalidError(`${path} must be a string`);
+    }
+    const headerName = value.trim().toLowerCase();
+    if (headerName.length === 0) {
+        return fallback;
+    }
+    if (headerName.length > MAX_API_KEY_HEADER_NAME_LENGTH ||
+        !API_KEY_HEADER_NAME_RE.test(headerName)) {
+        throw new ConfigInvalidError(`${path} must be a valid HTTP header name`);
+    }
+    if (!SUPPORTED_API_KEY_HEADER_NAME_SET.has(headerName)) {
+        throw new ConfigInvalidError(`${path} must be one of ${SUPPORTED_API_KEY_HEADER_NAMES.join(", ")}`);
+    }
+    return headerName;
+}
+export function apiKeyHeaderValue(headerName, apiKey) {
+    if (BEARER_API_KEY_HEADER_NAME_SET.has(headerName) &&
+        !apiKey.toLowerCase().startsWith("bearer ")) {
+        return `Bearer ${apiKey}`;
+    }
+    return apiKey;
+}
 function requireEnum(value, path, allowed) {
     if (typeof value !== "string" || !allowed.includes(value)) {
         throw new ConfigInvalidError(`${path} must be one of ${allowed.join(", ")}`);
@@ -79,17 +121,32 @@ function resolveSecret(modelId, fileValue, env, suffix) {
     const fallback = env[`KEIKO_DEFAULT_${suffix}`];
     return fallback ?? "";
 }
+function resolveApiKeyHeaderName(rawValue, path, modelId, env) {
+    const token = envModelToken(modelId);
+    const perModelName = `KEIKO_MODEL_${token}_API_KEY_HEADER_NAME`;
+    const perModel = env[perModelName];
+    if (perModel !== undefined && perModel.length > 0) {
+        return normalizeApiKeyHeaderName(perModel, perModelName);
+    }
+    if (rawValue !== undefined) {
+        return normalizeApiKeyHeaderName(rawValue, path);
+    }
+    return normalizeApiKeyHeaderName(env.KEIKO_DEFAULT_API_KEY_HEADER_NAME, "KEIKO_DEFAULT_API_KEY_HEADER_NAME");
+}
 // Validates a resolved baseUrl for scheme and credential hygiene. Host/IP is
 // intentionally NOT restricted: Keiko addresses private network endpoints
 // (private IPs are a valid, first-class target); this guard is scheme/credential
 // hygiene + defence-in-depth, not host filtering.
 function isLoopbackHost(hostname) {
-    return (hostname === "localhost" ||
-        hostname === "::1" ||
-        hostname === "[::1]" ||
-        hostname.startsWith("127."));
+    if (hostname === "localhost" || hostname === "::1" || hostname === "[::1]") {
+        return true;
+    }
+    // Real IPv4 loopback only. isIP === 4 guarantees a well-formed dotted-quad, so a "127." prefix
+    // here is the 127.0.0.0/8 block — never a domain such as "127.evil.com" or "127.0.0.1.evil.com".
+    // The WHATWG URL parser has already canonicalised IPv4 shorthand/hex into url.hostname.
+    return isIP(hostname) === 4 && hostname.startsWith("127.");
 }
-function validateBaseUrl(baseUrl, path) {
+export function validateBaseUrl(baseUrl, path) {
     let url;
     try {
         url = new URL(baseUrl);
@@ -100,6 +157,9 @@ function validateBaseUrl(baseUrl, path) {
     if (url.protocol !== "http:" && url.protocol !== "https:") {
         throw new ConfigInvalidError(`${path}.baseUrl must use the http or https scheme`);
     }
+    if (url.search !== "" || url.hash !== "") {
+        throw new ConfigInvalidError(`${path}.baseUrl must not contain a query string or fragment`);
+    }
     if (url.protocol === "http:" && !isLoopbackHost(url.hostname)) {
         throw new ConfigInvalidError(`${path}.baseUrl must use https unless it targets localhost or loopback`);
     }
@@ -161,6 +221,7 @@ function parseProviderConfig(raw, path, modelId, env) {
         modelId,
         baseUrl,
         apiKey,
+        apiKeyHeaderName: resolveApiKeyHeaderName(raw.apiKeyHeaderName, `${path}.apiKeyHeaderName`, modelId, env),
         timeoutMs: requirePositiveInt(raw.timeoutMs ?? DEFAULT_TIMEOUT_MS, `${path}.timeoutMs`),
         maxRetries: requireNonNegativeInt(raw.maxRetries ?? DEFAULT_MAX_RETRIES, `${path}.maxRetries`),
         retryBaseDelayMs: requirePositiveInt(raw.retryBaseDelayMs ?? DEFAULT_RETRY_BASE_DELAY_MS, `${path}.retryBaseDelayMs`),
@@ -233,6 +294,7 @@ export function toSafeObject(config) {
     return {
         providers: config.providers.map((provider) => ({
             modelId: provider.modelId,
+            credentialHeaderName: provider.apiKeyHeaderName ?? DEFAULT_API_KEY_HEADER_NAME,
             timeoutMs: provider.timeoutMs,
             maxRetries: provider.maxRetries,
             retryBaseDelayMs: provider.retryBaseDelayMs,

package/dist/gateway/http.d.ts

@@ -1,6 +1,8 @@
+export declare const MAX_RESPONSE_BYTES = 10000000;
 export interface GatewayFetchOptions extends RequestInit {
     readonly fetchImpl?: typeof fetch | undefined;
     readonly useCaFallback?: boolean | undefined;
 }
 export declare function isMissingIssuerError(error: unknown): boolean;
 export declare function gatewayFetch(url: string, options?: GatewayFetchOptions): Promise<Response>;
+export declare function readJsonCapped(response: Response, maxBytes?: number): Promise<unknown>;

package/dist/gateway/http.js

@@ -1,6 +1,8 @@
 import { readFileSync } from "node:fs";
 import { request as httpsRequest } from "node:https";
 import { rootCertificates } from "node:tls";
+// Caps a single gateway response at 10 MB; real chat completions are far smaller.
+export const MAX_RESPONSE_BYTES = 10_000_000;
 function headersFromNode(headers) {
     const out = new Headers();
     for (const [name, value] of Object.entries(headers)) {
@@ -80,7 +82,14 @@ function fetchWithCaBundle(url, init) {
             signal: init.signal ?? undefined,
         }, (res) => {
             const chunks = [];
+            let total = 0;
             res.on("data", (chunk) => {
+                total += chunk.length;
+                if (total > MAX_RESPONSE_BYTES) {
+                    req.destroy();
+                    reject(new Error("gateway response exceeded the size limit"));
+                    return;
+                }
                 chunks.push(chunk);
             });
             res.on("end", () => {
@@ -109,3 +118,25 @@ export async function gatewayFetch(url, options = {}) {
         throw error;
     }
 }
+export async function readJsonCapped(response, maxBytes = MAX_RESPONSE_BYTES) {
+    if (response.body === null) {
+        return response.json();
+    }
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    const parts = [];
+    let total = 0;
+    for (;;) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        total += value.byteLength;
+        if (total > maxBytes) {
+            await reader.cancel();
+            throw new Error("response body exceeded the size limit");
+        }
+        parts.push(decoder.decode(value, { stream: true }));
+    }
+    parts.push(decoder.decode());
+    return JSON.parse(parts.join(""));
+}

package/dist/gateway/index.d.ts

@@ -1,6 +1,6 @@
 export type { CircuitBreakerConfig, CircuitBreakerStatus, CircuitState, ChatMessage, Clock, CostClass, FinishReason, GatewayConfig, GatewayRequest, LatencyClass, ModelCapability, ModelKind, ModelProviderConfig, NormalizedResponse, NormalizedToolCall, ProviderAdapter, ResponseFormat, StreamDelta, StreamEvent, ToolDefinition, UsageMetadata, } from "./types.js";
 export { CAPABILITY_REGISTRY, createDefaultChatCapability, findCapability, listCapabilities, selectCheapest, type CapabilityQuery, } from "./capabilities.js";
-export { loadConfigFromFile, parseGatewayConfig, toSafeObject, type EnvSource, type SafeGatewayConfig, type SafeProviderConfig, } from "./config.js";
+export { apiKeyHeaderValue, DEFAULT_API_KEY_HEADER_NAME, loadConfigFromFile, normalizeApiKeyHeaderName, parseGatewayConfig, toSafeObject, validateBaseUrl, type EnvSource, type SafeGatewayConfig, type SafeProviderConfig, } from "./config.js";
 export { Gateway, type GatewayDeps } from "./gateway.js";
 export { OpenAiAdapter, type AdapterDeps } from "./openai-adapter.js";
 export { assertConfiguredModel, findConfiguredCapability, listConfiguredCapabilities, selectConfiguredModel, type ModelSelectionQuery, } from "./model-selection.js";

package/dist/gateway/index.js

@@ -1,7 +1,7 @@
 // Public barrel for the model gateway: all types, the Gateway orchestrator, the
 // capability registry helpers, config loaders, and the typed error taxonomy.
 export { CAPABILITY_REGISTRY, createDefaultChatCapability, findCapability, listCapabilities, selectCheapest, } from "./capabilities.js";
-export { loadConfigFromFile, parseGatewayConfig, toSafeObject, } from "./config.js";
+export { apiKeyHeaderValue, DEFAULT_API_KEY_HEADER_NAME, loadConfigFromFile, normalizeApiKeyHeaderName, parseGatewayConfig, toSafeObject, validateBaseUrl, } from "./config.js";
 export { Gateway } from "./gateway.js";
 export { OpenAiAdapter } from "./openai-adapter.js";
 export { assertConfiguredModel, findConfiguredCapability, listConfiguredCapabilities, selectConfiguredModel, } from "./model-selection.js";

package/dist/gateway/openai-adapter.js

@@ -3,7 +3,8 @@
 // with no network I/O and no real time. The raw provider body is never echoed into
 // an error; only a redacted, status-level summary is surfaced.
 import { AuthenticationError, CancelledError, ContextOverflowError, ModelRefusalError, ProviderError, RateLimitError, TimeoutError, TransportError, } from "./errors.js";
-import { gatewayFetch } from "./http.js";
+import { apiKeyHeaderValue, DEFAULT_API_KEY_HEADER_NAME } from "./config.js";
+import { gatewayFetch, readJsonCapped } from "./http.js";
 import { normalizeChatResponse } from "./normalize.js";
 import { redact } from "./redaction.js";
 function buildMessage(message) {
@@ -116,6 +117,10 @@ function mapHttpError(response, modelId, secrets, payload) {
     }
     throw new ProviderError(`provider returned HTTP ${String(response.status)} for '${modelId}'`, response.status, secrets);
 }
+function apiKeyHeaders(config) {
+    const headerName = config.apiKeyHeaderName ?? DEFAULT_API_KEY_HEADER_NAME;
+    return { [headerName]: apiKeyHeaderValue(headerName, config.apiKey) };
+}
 export class OpenAiAdapter {
     deps;
     now;
@@ -149,7 +154,7 @@ export class OpenAiAdapter {
         const body = JSON.stringify(buildBody(request));
         const headers = {
             "content-type": "application/json",
-            authorization: `Bearer ${config.apiKey}`,
+            ...apiKeyHeaders(config),
         };
         try {
             return await gatewayFetch(url, {
@@ -178,7 +183,7 @@ export class OpenAiAdapter {
     }
     async readBody(response, config, secrets) {
         try {
-            return await response.json();
+            return await readJsonCapped(response);
         }
         catch {
             throw new TransportError(`provider sent an unreadable body for '${config.modelId}'`, secrets);
@@ -186,7 +191,7 @@ export class OpenAiAdapter {
     }
     async readErrorBody(response) {
         try {
-            return await response.json();
+            return await readJsonCapped(response);
         }
         catch {
             return null;

package/dist/gateway/types.d.ts

@@ -19,6 +19,7 @@ export interface ModelProviderConfig {
     readonly modelId: string;
     readonly baseUrl: string;
     readonly apiKey: string;
+    readonly apiKeyHeaderName?: string | undefined;
     readonly timeoutMs: number;
     readonly maxRetries: number;
     readonly retryBaseDelayMs: number;

package/dist/harness/session.d.ts

@@ -1,7 +1,7 @@
 import type { Clock } from "../gateway/types.js";
 import type { EventSink, Fingerprinter, IdSource, ModelPort, ToolPort } from "./ports.js";
 import { type HarnessLimits, type RunResult, type TaskInput } from "./types.js";
-export declare const HARNESS_VERSION = "0.1.2";
+export declare const HARNESS_VERSION = "0.1.4";
 export interface AgentConfig {
     readonly model: string;
     readonly workingDirectory: string;

package/dist/harness/session.js

@@ -10,7 +10,7 @@ import { runLoop } from "./loop.js";
 import { MemoryEventSink } from "./sinks.js";
 import { resolveTaskPlan } from "./tasks/policy.js";
 import { DEFAULT_LIMITS, } from "./types.js";
-export const HARNESS_VERSION = "0.1.2";
+export const HARNESS_VERSION = "0.1.4";
 function resolveLimits(config) {
     return { ...DEFAULT_LIMITS, ...config.limits };
 }

package/dist/sdk/index.d.ts

@@ -1,4 +1,4 @@
-export declare const SDK_VERSION = "0.1.2";
+export declare const SDK_VERSION = "0.1.4";
 export { createSession, type AgentConfig, type AgentSession, type HarnessDeps, type RunResult, type TaskInput, type TaskType, } from "../harness/index.js";
 export { runAgent, type SdkAgentConfig, type SdkEvidenceOptions } from "./run-agent.js";
 export { buildWorkspaceSummary, detectWorkspace, summarizeForAudit, type AuditEntry, type AuditSummary, type ContextEntrySummary, type ContextPackSummary, type WorkspaceInfo, type WorkspaceSummary, } from "../workspace/index.js";

package/dist/sdk/index.js

@@ -1,5 +1,5 @@
 // Single-sourced package version; CLI and SDK both read this to avoid drift.
-export const SDK_VERSION = "0.1.2";
+export const SDK_VERSION = "0.1.4";
 // The typed agent surface. AgentConfig, the session factory, the run result, and the
 // session handle all live in the harness module (ADR-0004); the SDK re-exports them so
 // callers import the agent API from one place.

package/dist/tools/types.js

@@ -75,6 +75,21 @@ export const DEFAULT_COMMAND_RULES = Object.freeze([
             "--namespace",
             "--exec-path",
         ]),
+        // Deny git's code-execution / external-driver flags. `git -c diff.external=<cmd> diff` (and
+        // --config-env/--ext-diff/--textconv) make git spawn an arbitrary command via its OWN shell,
+        // defeating the Node spawn's shell:false; --exec-path redirects git to attacker-supplied sub-binaries.
+        // hasDeniedFlag runs BEFORE subcommand resolution and matches both `--flag value` and
+        // `--flag=value`. `-C`/--git-dir/--work-tree stay value-flags (location only, not execution).
+        denyFlags: Object.freeze([
+            "-c",
+            "--config-env",
+            "--exec-path",
+            "--ext-diff",
+            "--textconv",
+            "--no-index",
+            "--output",
+            "--contents",
+        ]),
     },
 ]);
 export const DEFAULT_PATCH_LIMITS = {

package/dist/ui/csp-hashes.json

@@ -1,17 +1,17 @@
 [
-  "'sha256-/XgSSpwWKLLBpmcNR5yfmhouC89Mx4saOeSdHGSlLwA='",
   "'sha256-6JBR+C4qigE40tMbninopqoSguR9H/AhsfWgllRr6y0='",
-  "'sha256-9YWu7RzXwUVkhu2CKTX5ddtKfcMNvJTmDtfvbtgQVgs='",
   "'sha256-FhLHRUQz4c4ntLU9VkfEesX7PnzNLENSe/16Hi523Kk='",
-  "'sha256-IvVUe6R8n3tqnjQ4DFKHkJcpkhct7eqEN1v2+2uU1kY='",
+  "'sha256-M+Hl3si599YRqfbrXwUJ7SE0nbdc4ewUl5kYEqTyPkY='",
   "'sha256-NMmsYxPlvKu6BMNDUuiUA/0HWXXhODWSkUJ3CrerHAI='",
   "'sha256-OBTN3RiyCV4Bq7dFqZ5a2pAXjnCcCYeTJMO2I/LYKeo='",
-  "'sha256-SyPf64vF7t1VW6A0fQWPUKI7QXw9/m+zX0if/2n+ibc='",
+  "'sha256-QNiMmKndkFV2DCDiccdY8YAY8jMbQzYQN++NcsQqdeI='",
+  "'sha256-RU8ypFPeRhJ9iyjWdA0gQuMIMNNMmDfpfTvZ8mGo34w='",
+  "'sha256-RgGBVXhSba32fqKyKK1LJ4hBlUyuzsh4X4Wz8X/2ViQ='",
   "'sha256-U9W+ZoRW19rf6ohEfUh2oSN8UmJ8mZjCoxp31AbEGYM='",
+  "'sha256-Zh9WKxSpBbdbuXpYaiD8KL+3eIzvCyeUVc9aNk+MlSs='",
   "'sha256-bg+CWjI8RppcgHYH6RuW4z4OnLAUEUPDXRoYUo9Tyok='",
   "'sha256-qBQ7RdQKJEJuW7Fj1MbGjDbF6lnRdfu+KV0V4A5MTRg='",
   "'sha256-qjuzziE6xLU3Cras89VlShlRYHgYZuOxceXUDmuvClo='",
   "'sha256-xLP5QIbvR88RAxDKoSWqs6CVxNIRu17hhr7S/Q6hlU0='",
-  "'sha256-xz80fPjhAczg/tByXnm3xfZrdAUWODPmQtD4solyj1c='",
-  "'sha256-ygPaPap9QVGIk2na6327APzhMLDCt5Hh0UV/LPlFWNc='"
+  "'sha256-xz80fPjhAczg/tByXnm3xfZrdAUWODPmQtD4solyj1c='"
 ]

package/dist/ui/deps.d.ts

@@ -28,7 +28,7 @@ export interface UiHandlerDeps {
     readonly browser?: BrowserSessionManager | undefined;
     readonly gatewayConfig?: RuntimeGatewayConfig | undefined;
     readonly gatewaySetupTester?: ((config: GatewayConfig, candidateModelIds: readonly string[]) => Promise<readonly string[]>) | undefined;
-    readonly gatewayModelDiscovery?: ((baseUrl: string, apiKey: string) => Promise<readonly string[]>) | undefined;
+    readonly gatewayModelDiscovery?: ((baseUrl: string, apiKey: string, apiKeyHeaderName?: string) => Promise<readonly string[]>) | undefined;
 }
 export interface BuildHandlerDepsOptions {
     readonly configPath: string | undefined;
@@ -39,7 +39,7 @@ export interface BuildHandlerDepsOptions {
     readonly uiDbPath?: string | undefined;
     readonly store?: UiStore | undefined;
     readonly gatewaySetupTester?: ((config: GatewayConfig, candidateModelIds: readonly string[]) => Promise<readonly string[]>) | undefined;
-    readonly gatewayModelDiscovery?: ((baseUrl: string, apiKey: string) => Promise<readonly string[]>) | undefined;
+    readonly gatewayModelDiscovery?: ((baseUrl: string, apiKey: string, apiKeyHeaderName?: string) => Promise<readonly string[]>) | undefined;
 }
 export declare function currentGatewayConfig(deps: UiHandlerDeps): GatewayConfig | undefined;
 export declare function currentGatewayConfigPresent(deps: UiHandlerDeps): boolean;