@phren/agent 0.0.1

package/dist/permissions/checker.js

@@ -0,0 +1,111 @@
+import { checkShellSafety } from "./shell-safety.js";
+import { validatePath, checkSensitivePath } from "./sandbox.js";
+import { isAllowed } from "./allowlist.js";
+/** Tools that are safe in all modes — read-only, no side effects. */
+const ALWAYS_SAFE_TOOLS = new Set([
+    "phren_search",
+    "phren_get_tasks",
+]);
+/** Tools that access file paths and need sensitive-path checks. */
+const FILE_TOOLS = new Set([
+    "read_file",
+    "write_file",
+    "edit_file",
+    "glob",
+    "grep",
+]);
+/** Tools that auto-confirm mode allows without prompting. */
+const AUTO_CONFIRM_TOOLS = new Set([
+    "edit_file",
+    "phren_add_finding",
+    "phren_complete_task",
+]);
+/** Tools that are always denied regardless of mode. */
+const DENY_LIST_TOOLS = new Set([
+// Reserved for future use — e.g. "delete_project"
+]);
+/**
+ * Check whether a tool call should be allowed, asked about, or denied.
+ */
+export function checkPermission(config, toolName, input) {
+    // Deny-list always wins
+    if (DENY_LIST_TOOLS.has(toolName)) {
+        return { verdict: "deny", reason: `Tool "${toolName}" is on the deny list.` };
+    }
+    // Shell commands get extra scrutiny
+    if (toolName === "shell") {
+        const cmd = input.command || "";
+        const safety = checkShellSafety(cmd);
+        if (!safety.safe && safety.severity === "block") {
+            return { verdict: "deny", reason: safety.reason };
+        }
+        if (!safety.safe && safety.severity === "warn") {
+            // In full-auto, warn becomes ask. In other modes, it's already going to ask.
+            if (config.mode === "full-auto") {
+                return { verdict: "ask", reason: safety.reason };
+            }
+        }
+        // Check cwd for shell
+        const cwd = input.cwd || config.projectRoot;
+        const cwdResult = validatePath(cwd, config.projectRoot, config.allowedPaths);
+        if (!cwdResult.ok) {
+            if (config.mode === "full-auto") {
+                return { verdict: "ask", reason: `Shell cwd outside sandbox: ${cwdResult.error}` };
+            }
+            // suggest and auto-confirm will ask below anyway
+        }
+    }
+    // Path-based tools: validate sandbox + sensitive path
+    if (FILE_TOOLS.has(toolName)) {
+        const filePath = input.path || "";
+        if (filePath) {
+            // Sensitive path check applies in ALL modes
+            const sensitive = checkSensitivePath(filePath);
+            if (sensitive.sensitive) {
+                return { verdict: "deny", reason: `Sensitive path: ${sensitive.reason}` };
+            }
+            // Sandbox check: ask for out-of-sandbox paths in ALL modes (not just full-auto)
+            const pathResult = validatePath(filePath, config.projectRoot, config.allowedPaths);
+            if (!pathResult.ok) {
+                return { verdict: "ask", reason: `Path outside sandbox: ${pathResult.error}` };
+            }
+        }
+    }
+    // Always-safe tools pass in all modes
+    if (ALWAYS_SAFE_TOOLS.has(toolName)) {
+        return { verdict: "allow", reason: "Read-only tool, always allowed." };
+    }
+    // Session allowlist — user previously approved this tool+pattern via (a)llow-tool or (s)ession-allow.
+    // Placed after deny-list, shell-safety blocks, and sensitive-path denials so those are never bypassed.
+    if (isAllowed(toolName, input)) {
+        return { verdict: "allow", reason: "Session allowlist." };
+    }
+    // Mode-specific logic
+    switch (config.mode) {
+        case "suggest":
+            // Suggest mode: ask for everything except safe tools
+            return { verdict: "ask", reason: `Suggest mode requires confirmation for "${toolName}".` };
+        case "auto-confirm":
+            if (AUTO_CONFIRM_TOOLS.has(toolName)) {
+                // Auto-confirm tools are allowed if path is in sandbox
+                return { verdict: "allow", reason: `Auto-confirm mode allows "${toolName}".` };
+            }
+            if (toolName === "shell") {
+                const cwd = input.cwd || config.projectRoot;
+                const cwdResult = validatePath(cwd, config.projectRoot, config.allowedPaths);
+                if (cwdResult.ok) {
+                    const cmd = input.command || "";
+                    const safety = checkShellSafety(cmd);
+                    if (safety.safe) {
+                        return { verdict: "allow", reason: "Safe shell command within sandbox." };
+                    }
+                }
+            }
+            return { verdict: "ask", reason: `Auto-confirm mode requires confirmation for "${toolName}".` };
+        case "full-auto":
+            // Full-auto: allow everything not denied or warned
+            return { verdict: "allow", reason: "Full-auto mode." };
+        default:
+            return { verdict: "ask", reason: "Unknown permission mode." };
+    }
+}

package/dist/permissions/prompt.js

@@ -0,0 +1,190 @@
+/**
+ * Smart permission prompt — color-coded, full context, keyboard shortcuts.
+ *
+ * Responses:
+ *   y = allow once
+ *   n = deny
+ *   a = allow this tool for the rest of the session (any input)
+ *   s = allow this exact tool+pattern for the rest of the session
+ */
+import * as readline from "node:readline";
+import { addAllow } from "./allowlist.js";
+// ── ANSI colors ─────────────────────────────────────────────────────────
+const RESET = "\x1b[0m";
+const BOLD = "\x1b[1m";
+const DIM = "\x1b[2m";
+const GREEN = "\x1b[32m";
+const YELLOW = "\x1b[33m";
+const RED = "\x1b[31m";
+const CYAN = "\x1b[36m";
+const READ_TOOLS = new Set(["read_file", "glob", "grep", "git_status", "git_diff", "phren_search", "phren_get_tasks"]);
+const DANGEROUS_TOOLS = new Set(["shell"]);
+function classifyRisk(toolName) {
+    if (READ_TOOLS.has(toolName))
+        return "read";
+    if (DANGEROUS_TOOLS.has(toolName))
+        return "dangerous";
+    return "write";
+}
+function riskColor(risk) {
+    switch (risk) {
+        case "read": return GREEN;
+        case "write": return YELLOW;
+        case "dangerous": return RED;
+    }
+}
+function riskLabel(risk) {
+    switch (risk) {
+        case "read": return "READ";
+        case "write": return "WRITE";
+        case "dangerous": return "SHELL";
+    }
+}
+// ── Summary generation ──────────────────────────────────────────────────
+function summarizeCall(toolName, input) {
+    switch (toolName) {
+        case "read_file": {
+            const p = input.path || "?";
+            const offset = input.offset ? ` from line ${input.offset}` : "";
+            const limit = input.limit ? ` (${input.limit} lines)` : "";
+            return `Read ${p}${offset}${limit}`;
+        }
+        case "write_file": {
+            const p = input.path || "?";
+            const content = input.content || "";
+            const lines = content.split("\n").length;
+            return `Write ${lines} lines to ${p}`;
+        }
+        case "edit_file": {
+            const p = input.path || "?";
+            return `Edit ${p}`;
+        }
+        case "glob": {
+            const pattern = input.pattern || "?";
+            const dir = input.path || ".";
+            return `Glob "${pattern}" in ${dir}`;
+        }
+        case "grep": {
+            const pattern = input.pattern || "?";
+            const dir = input.path || ".";
+            return `Grep "${pattern}" in ${dir}`;
+        }
+        case "shell": {
+            const cmd = input.command || "?";
+            return cmd.length > 120 ? cmd.slice(0, 117) + "..." : cmd;
+        }
+        case "git_commit": {
+            const msg = input.message || "";
+            return `Commit: ${msg.slice(0, 80)}`;
+        }
+        case "phren_add_finding":
+            return `Save finding to phren`;
+        case "phren_complete_task":
+            return `Complete phren task`;
+        default: {
+            const keys = Object.keys(input);
+            return keys.length > 0 ? `${toolName}(${keys.join(", ")})` : toolName;
+        }
+    }
+}
+/**
+ * Ask the user on stderr whether to allow a tool call.
+ * Returns true if user approves (y, a, or s), false if denied (n).
+ *
+ * Side effect: "a" and "s" responses add to the session allowlist.
+ */
+export async function askUser(toolName, input, reason) {
+    const risk = classifyRisk(toolName);
+    const color = riskColor(risk);
+    const label = riskLabel(risk);
+    const summary = summarizeCall(toolName, input);
+    // Header
+    process.stderr.write(`\n${color}${BOLD}[${label}]${RESET} ${BOLD}${toolName}${RESET}\n`);
+    process.stderr.write(`${DIM}  ${reason}${RESET}\n`);
+    process.stderr.write(`${CYAN}  ${summary}${RESET}\n`);
+    // Show full input for shell commands or when details matter
+    if (toolName === "shell") {
+        const cmd = input.command || "";
+        if (cmd.length > 120) {
+            process.stderr.write(`${DIM}  Full command:${RESET}\n`);
+            process.stderr.write(`${DIM}  ${cmd}${RESET}\n`);
+        }
+    }
+    const result = await promptKey();
+    // Persist allowlist entries for session/tool scopes
+    if (result === "allow-session") {
+        addAllow(toolName, input, "session");
+    }
+    else if (result === "allow-tool") {
+        addAllow(toolName, input, "tool");
+    }
+    return result !== "deny";
+}
+/**
+ * Read a single keypress from stdin.
+ * Temporarily exits raw mode if the TUI has it enabled, restores after.
+ */
+async function promptKey() {
+    const hint = `${DIM}  [y]es  [n]o  [a]llow-tool  [s]ession-allow${RESET}  `;
+    process.stderr.write(hint);
+    const wasRaw = process.stdin.isTTY && process.stdin.isRaw;
+    return new Promise((resolve) => {
+        if (process.stdin.isTTY) {
+            // Single-keypress mode
+            if (!wasRaw) {
+                process.stdin.setRawMode(true);
+            }
+            process.stdin.resume();
+            const onData = (data) => {
+                process.stdin.removeListener("data", onData);
+                if (!wasRaw && process.stdin.isTTY) {
+                    process.stdin.setRawMode(false);
+                }
+                process.stdin.pause();
+                const key = data.toString().trim().toLowerCase();
+                process.stderr.write(key + "\n");
+                switch (key) {
+                    case "y":
+                        resolve("allow");
+                        break;
+                    case "a":
+                        resolve("allow-tool");
+                        break;
+                    case "s":
+                        resolve("allow-session");
+                        break;
+                    case "n":
+                        resolve("deny");
+                        break;
+                    case "\x03": // Ctrl+C
+                        process.stderr.write("\n");
+                        resolve("deny");
+                        break;
+                    default:
+                        resolve("deny"); // Unknown key = deny (safe default)
+                }
+            };
+            process.stdin.on("data", onData);
+        }
+        else {
+            // Non-TTY fallback: readline
+            const iface = readline.createInterface({ input: process.stdin, output: process.stderr });
+            iface.question("", (answer) => {
+                iface.close();
+                const key = answer.trim().toLowerCase();
+                switch (key) {
+                    case "y":
+                        resolve("allow");
+                        break;
+                    case "a":
+                        resolve("allow-tool");
+                        break;
+                    case "s":
+                        resolve("allow-session");
+                        break;
+                    default: resolve("deny");
+                }
+            });
+        }
+    });
+}

package/dist/permissions/sandbox.js

@@ -0,0 +1,95 @@
+import * as path from "path";
+import * as fs from "fs";
+import * as os from "os";
+/** Patterns that match sensitive files/directories. */
+const SENSITIVE_PATTERNS = [
+    "/.ssh/",
+    "/.aws/",
+    ".env",
+    "codex-token.json",
+    "id_rsa",
+    "id_ed25519",
+    "/etc/shadow",
+    "/etc/passwd",
+    "credentials.json",
+    "secrets.json",
+    "secrets.yaml",
+    ".npmrc",
+    ".netrc",
+    ".docker/config.json",
+    ".kube/config",
+    "/.gnupg/",
+    ".pypirc",
+];
+/** File extensions that are always sensitive. */
+const SENSITIVE_EXTENSIONS = [".pem", ".p12", ".pfx", ".key", ".keystore", ".jks"];
+/**
+ * Resolve and validate a file path against the sandbox boundary.
+ */
+export function validatePath(filePath, projectRoot, allowedPaths) {
+    // Resolve ~ to home directory
+    let resolved = filePath;
+    if (resolved.startsWith("~/") || resolved === "~") {
+        resolved = path.join(os.homedir(), resolved.slice(1));
+    }
+    // Resolve to absolute
+    if (!path.isAbsolute(resolved)) {
+        resolved = path.resolve(projectRoot, resolved);
+    }
+    // Normalize (remove .., trailing slashes, etc.)
+    resolved = path.normalize(resolved);
+    // Resolve symlinks if the path exists
+    try {
+        if (fs.existsSync(resolved)) {
+            resolved = fs.realpathSync(resolved);
+        }
+    }
+    catch {
+        // If we can't resolve, proceed with the normalized path
+    }
+    // Check sandbox boundaries
+    if (!isPathInSandbox(resolved, projectRoot, allowedPaths)) {
+        return {
+            ok: false,
+            error: `Path "${resolved}" is outside project root "${projectRoot}" and not in allowed paths.`,
+        };
+    }
+    return { ok: true, resolved };
+}
+/**
+ * Check if a resolved path is within the project root or any allowed path.
+ */
+export function isPathInSandbox(resolved, projectRoot, allowedPaths) {
+    const normalizedResolved = path.normalize(resolved) + path.sep;
+    const normalizedRoot = path.normalize(projectRoot) + path.sep;
+    if (normalizedResolved.startsWith(normalizedRoot) || resolved === projectRoot) {
+        return true;
+    }
+    for (const allowed of allowedPaths) {
+        let normalizedAllowed = allowed;
+        if (normalizedAllowed.startsWith("~/") || normalizedAllowed === "~") {
+            normalizedAllowed = path.join(os.homedir(), normalizedAllowed.slice(1));
+        }
+        normalizedAllowed = path.normalize(normalizedAllowed) + path.sep;
+        if (normalizedResolved.startsWith(normalizedAllowed) || resolved === path.normalize(allowed)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Check if a resolved path matches any known sensitive pattern.
+ */
+export function checkSensitivePath(resolved) {
+    const normalizedLower = resolved.toLowerCase();
+    const ext = path.extname(resolved).toLowerCase();
+    if (SENSITIVE_EXTENSIONS.includes(ext)) {
+        return { sensitive: true, reason: `Sensitive file extension: ${ext}` };
+    }
+    for (const pattern of SENSITIVE_PATTERNS) {
+        if (normalizedLower.includes(pattern.toLowerCase())) {
+            return { sensitive: true, reason: `Matches sensitive pattern: ${pattern}` };
+        }
+    }
+    return { sensitive: false };
+}

package/dist/permissions/shell-safety.js

@@ -0,0 +1,74 @@
+const DANGEROUS_PATTERNS = [
+    // Block: destructive/irreversible (no $ anchors — catch chained commands like `rm -rf /; echo done`)
+    { pattern: /rm\s+-[a-z]*r[a-z]*f?\s+\/\s*/i, reason: "Recursive delete of root filesystem", severity: "block" },
+    { pattern: /rm\s+-[a-z]*r[a-z]*f?\s+\/[^\/\s]*/i, reason: "Recursive delete of top-level directory", severity: "block" },
+    { pattern: /curl\s+.*\|\s*(?:ba)?sh/i, reason: "Piping remote script to shell", severity: "block" },
+    { pattern: /wget\s+.*\|\s*(?:ba)?sh/i, reason: "Piping remote script to shell", severity: "block" },
+    { pattern: /\bmkfs\b/i, reason: "Filesystem format command", severity: "block" },
+    { pattern: /\bdd\b.*\bof=\/dev\//i, reason: "Direct device write with dd", severity: "block" },
+    { pattern: />\s*\/dev\/[sh]d[a-z]/i, reason: "Direct write to block device", severity: "block" },
+    { pattern: /:(){ :\|:& };:/i, reason: "Fork bomb", severity: "block" },
+    { pattern: /\bnohup\b/i, reason: "Detached process may outlive session", severity: "block" },
+    { pattern: /\bdisown\b/i, reason: "Detached process may outlive session", severity: "block" },
+    { pattern: /\bsetsid\b/i, reason: "Detached process may outlive session", severity: "block" },
+    // Warn: potentially dangerous
+    { pattern: /\beval\b/i, reason: "Dynamic code execution via eval", severity: "warn" },
+    { pattern: /\$\(.*\)/, reason: "Command substitution", severity: "warn" },
+    { pattern: /`[^`]+`/, reason: "Command substitution via backticks", severity: "warn" },
+    { pattern: /\benv\b/i, reason: "May expose environment variables", severity: "warn" },
+    { pattern: /\bprintenv\b/i, reason: "May expose environment variables", severity: "warn" },
+    { pattern: /\bsudo\b/i, reason: "Elevated privileges requested", severity: "warn" },
+    { pattern: /\bgit\s+push\s+--force\b/i, reason: "Force push can rewrite remote history", severity: "warn" },
+    { pattern: /\bgit\s+push\s+-f\b/i, reason: "Force push can rewrite remote history", severity: "warn" },
+    { pattern: /\bgit\s+reset\s+--hard\b/i, reason: "Hard reset discards uncommitted changes", severity: "warn" },
+    { pattern: /\bchmod\s+777\b/, reason: "World-writable permissions", severity: "warn" },
+    { pattern: /\bchown\b.*\broot\b/i, reason: "Changing ownership to root", severity: "warn" },
+];
+/** API key env var patterns to scrub. */
+const KEY_PATTERNS = [
+    "ANTHROPIC_API_KEY",
+    "OPENAI_API_KEY",
+    "OPENROUTER_API_KEY",
+    "AWS_ACCESS_KEY_ID",
+    "AWS_SECRET_ACCESS_KEY",
+    "DATABASE_URL",
+    "KUBECONFIG",
+    "DOCKER_AUTH_CONFIG",
+];
+/** Suffix patterns that also match connection strings and auth configs. */
+const SECRET_SUFFIX_PATTERNS = ["_URI", "_DSN"];
+const SECRET_SUFFIXES = ["_SECRET", "_TOKEN", "_PASSWORD", "_KEY"];
+/**
+ * Check a shell command for dangerous patterns.
+ */
+export function checkShellSafety(command) {
+    for (const dp of DANGEROUS_PATTERNS) {
+        if (dp.pattern.test(command)) {
+            return { safe: false, reason: dp.reason, severity: dp.severity };
+        }
+    }
+    return { safe: true, reason: "", severity: "ok" };
+}
+/**
+ * Return a sanitized copy of process.env with API keys and secrets removed.
+ */
+export function scrubEnv() {
+    const env = { ...process.env };
+    for (const key of Object.keys(env)) {
+        // Known API key vars
+        if (KEY_PATTERNS.includes(key)) {
+            delete env[key];
+            continue;
+        }
+        // Anything ending with _SECRET, _TOKEN, _PASSWORD, _KEY, _URI, _DSN
+        const upper = key.toUpperCase();
+        if (SECRET_SUFFIXES.some((suffix) => upper.endsWith(suffix))) {
+            delete env[key];
+            continue;
+        }
+        if (SECRET_SUFFIX_PATTERNS.some((suffix) => upper.endsWith(suffix))) {
+            delete env[key];
+        }
+    }
+    return env;
+}

package/dist/permissions/types.js

@@ -0,0 +1,2 @@
+/** Permission system types. */
+export {};

package/dist/plan.js

@@ -0,0 +1,38 @@
+/** Plan mode — ask the LLM for a plan before allowing tool use. */
+import * as readline from "readline";
+const PLAN_SUFFIX = `
+
+## Plan mode
+
+Before executing any tools, first describe your plan:
+1. What you understand about the task
+2. What files you'll need to read or modify
+3. What approach you'll take
+4. Any risks or uncertainties
+
+Do NOT call any tools yet. Just describe your plan.`;
+/** Append plan instruction to the system prompt. */
+export function injectPlanPrompt(systemPrompt) {
+    return systemPrompt + PLAN_SUFFIX;
+}
+/** Ask the user to approve the plan. Returns true if approved. */
+export async function requestPlanApproval() {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+    return new Promise((resolve) => {
+        rl.question("\n\x1b[1mApprove this plan? [Y/n/edit] \x1b[0m", (answer) => {
+            rl.close();
+            const trimmed = answer.trim().toLowerCase();
+            if (trimmed === "n" || trimmed === "no") {
+                resolve({ approved: false });
+            }
+            else if (trimmed.startsWith("edit") || trimmed.length > 3) {
+                // Anything longer than "yes" is treated as feedback
+                const feedback = trimmed.startsWith("edit") ? trimmed.slice(4).trim() || "Please revise the plan." : trimmed;
+                resolve({ approved: false, feedback });
+            }
+            else {
+                resolve({ approved: true });
+            }
+        });
+    });
+}

package/dist/providers/anthropic.js

@@ -0,0 +1,170 @@
+export class AnthropicProvider {
+    name = "anthropic";
+    contextWindow = 200_000;
+    apiKey;
+    model;
+    constructor(apiKey, model) {
+        this.apiKey = apiKey;
+        this.model = model ?? "claude-sonnet-4-20250514";
+    }
+    async chat(system, messages, tools) {
+        const body = {
+            model: this.model,
+            system,
+            messages: messages.map((m) => ({
+                role: m.role,
+                content: m.content,
+            })),
+            max_tokens: 8192,
+        };
+        if (tools.length > 0) {
+            body.tools = tools.map((t) => ({
+                name: t.name,
+                description: t.description,
+                input_schema: t.input_schema,
+            }));
+        }
+        const res = await fetch("https://api.anthropic.com/v1/messages", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "x-api-key": this.apiKey,
+                "anthropic-version": "2023-06-01",
+            },
+            body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`Anthropic API error ${res.status}: ${text}`);
+        }
+        const data = await res.json();
+        const content = data.content ?? [];
+        const stop_reason = data.stop_reason === "tool_use" ? "tool_use"
+            : data.stop_reason === "max_tokens" ? "max_tokens"
+                : "end_turn";
+        const usage = data.usage;
+        return {
+            content,
+            stop_reason: stop_reason,
+            usage: usage ? { input_tokens: usage.input_tokens ?? 0, output_tokens: usage.output_tokens ?? 0 } : undefined,
+        };
+    }
+    async *chatStream(system, messages, tools) {
+        const body = {
+            model: this.model,
+            system,
+            messages: messages.map((m) => ({ role: m.role, content: m.content })),
+            max_tokens: 8192,
+            stream: true,
+        };
+        if (tools.length > 0) {
+            body.tools = tools.map((t) => ({
+                name: t.name,
+                description: t.description,
+                input_schema: t.input_schema,
+            }));
+        }
+        const res = await fetch("https://api.anthropic.com/v1/messages", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "x-api-key": this.apiKey,
+                "anthropic-version": "2023-06-01",
+            },
+            body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`Anthropic API error ${res.status}: ${text}`);
+        }
+        let stopReason = "end_turn";
+        let usage;
+        // Map block index to tool ID for consistent ID across start/delta/end
+        const indexToToolId = new Map();
+        for await (const event of parseSSE(res)) {
+            const type = event.event;
+            const data = event.data;
+            if (type === "content_block_start") {
+                const block = data.content_block;
+                if (block.type === "tool_use") {
+                    const index = data.index;
+                    const id = block.id;
+                    indexToToolId.set(index, id);
+                    yield { type: "tool_use_start", id, name: block.name };
+                }
+            }
+            else if (type === "content_block_delta") {
+                const delta = data.delta;
+                if (delta.type === "text_delta") {
+                    yield { type: "text_delta", text: delta.text };
+                }
+                else if (delta.type === "input_json_delta") {
+                    const index = data.index;
+                    const id = indexToToolId.get(index) ?? String(index);
+                    yield { type: "tool_use_delta", id, json: delta.partial_json };
+                }
+            }
+            else if (type === "content_block_stop") {
+                const index = data.index;
+                if (indexToToolId.has(index)) {
+                    yield { type: "tool_use_end", id: indexToToolId.get(index) };
+                }
+            }
+            else if (type === "message_delta") {
+                const delta = data.delta;
+                if (delta.stop_reason === "tool_use")
+                    stopReason = "tool_use";
+                else if (delta.stop_reason === "max_tokens")
+                    stopReason = "max_tokens";
+                const u = data.usage;
+                if (u) {
+                    usage = {
+                        input_tokens: u.input_tokens ?? 0,
+                        output_tokens: u.output_tokens ?? 0,
+                    };
+                }
+            }
+            else if (type === "message_start") {
+                const u = data.message?.usage;
+                if (u) {
+                    usage = {
+                        input_tokens: u.input_tokens ?? 0,
+                        output_tokens: u.output_tokens ?? 0,
+                    };
+                }
+            }
+        }
+        yield { type: "done", stop_reason: stopReason, usage };
+    }
+}
+/** Parse SSE stream from a fetch Response. */
+async function* parseSSE(res) {
+    if (!res.body)
+        throw new Error("Provider returned empty response body");
+    const reader = res.body.getReader();
+    const decoder = new TextDecoder();
+    let buf = "";
+    let currentEvent = "";
+    for (;;) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        buf += decoder.decode(value, { stream: true });
+        const lines = buf.split("\n");
+        buf = lines.pop();
+        for (const line of lines) {
+            if (line.startsWith("event: ")) {
+                currentEvent = line.slice(7).trim();
+            }
+            else if (line.startsWith("data: ")) {
+                const raw = line.slice(6);
+                if (raw === "[DONE]")
+                    return;
+                try {
+                    yield { event: currentEvent, data: JSON.parse(raw) };
+                }
+                catch { /* skip malformed JSON */ }
+            }
+        }
+    }
+}