@team-agent/installer 0.1.0

package/README.md

@@ -0,0 +1,201 @@
+# TeamSpec Agent Mode
+
+Document-driven CLI runtime for launching and coordinating Codex CLI workers from a leader conversation.
+
+The product and engineering boundary is defined in [`docs/team-agent-foundation-and-boundaries.md`](docs/team-agent-foundation-and-boundaries.md). Agents express semantic intent; the runtime owns team startup, delivery, state, diagnostics, secret safety, and the coordinator daemon.
+
+## Install
+
+For normal users:
+
+```bash
+npx @team-agent/installer@latest install
+```
+
+The installer probes `TEAM_AGENT_PYTHON`, `python3`, then `python`, copies the runtime to
+`~/.team-agent/runtime/<version>/`, writes wrappers under `~/.local/bin/`, runs
+`team-agent install-skill --target all`, and then runs `team-agent doctor`.
+
+Source checkout install, for development:
+
+```bash
+python3 scripts/install.py --prefix "$HOME/.local"
+export PATH="$HOME/.local/bin:$PATH"
+team-agent doctor
+team-agent install-skill --target all
+```
+
+Runtime dependencies:
+
+- `tmux` 3.3+
+- Codex CLI command: `codex`
+- Provider auth owned by the provider CLI
+
+## Quick Start
+
+Start the user-facing leader from a tmux-managed pane before starting a real team. The short
+entry points are:
+
+```bash
+team-agent codex
+team-agent claude
+```
+
+Arguments after the provider name pass through to the provider CLI:
+
+```bash
+team-agent codex --dangerously-bypass-approvals-and-sandbox
+team-agent claude --dangerously-skip-permissions
+```
+
+If these commands run outside tmux, they create or attach a tmux leader session in the current
+directory. If they run inside tmux, they exec the provider in the current pane. Existing tmux
+layouts, including Finder/Ghostty right-click launchers, are also supported: the requirement is
+that `team-agent quick-start` runs from the leader's current tmux pane so worker-to-leader
+messages have a concrete, verifiable target.
+
+Create a directory containing role docs, then run:
+
+```bash
+team-agent quick-start <agents_dir>
+```
+
+The command prepares the current workspace team, starts workers, waits for readiness, and starts the per-workspace `team-agent-coordinator` daemon. When it prints `ready:` and `ready_signal`, startup is complete; do not add sleep/status polling unless diagnosing a failure. Detailed logs stay under the workspace team files.
+
+By default, loose role docs are copied into `.team/current/`. To keep multiple teams in one workspace, give each generated team an explicit id, or pass an existing team directory directly:
+
+```bash
+team-agent quick-start ./roles-alpha --team-id alpha
+team-agent quick-start .team/research
+```
+
+`quick-start` is the fresh startup path. If Team Agent finds stored worker context for the same runtime session, it stops before launching blank workers and tells you to either resume with `restart` or explicitly accept a fresh start with `--fresh`:
+
+```bash
+team-agent restart . --team team-alpha
+team-agent quick-start .team/alpha --fresh
+```
+
+Role docs can omit `model` for subscription workers. Team Agent fills defaults from `TEAM.md` `provider_models`, then built-in defaults (`codex: gpt-5.5`, `claude/claude_code: claude-sonnet-4-6`). Put a role-level `model` only when that worker intentionally uses a different model.
+
+Send work and inspect state:
+
+```bash
+team-agent send <agent_id> "<message>"
+team-agent send --watch-result <agent_id> "<message>"
+team-agent status
+team-agent status <agent_id>
+team-agent approvals
+team-agent inbox <agent_id>
+team-agent shutdown --keep-logs
+team-agent restart .
+team-agent restart . --team <session_name_or_team_name>
+team-agent start-agent <agent_id> --workspace .
+```
+
+`team-agent send` waits for `visible` delivery by default and exits non-zero if the target terminal does not show the unique token before timeout. Use `--no-wait` only when deliberately accepting injected-but-unverified delivery.
+Use `team-agent send --watch-result ...` for normal task dispatch: the command returns after verified delivery, registers a result watcher, and the coordinator collects the eventual result and notifies the leader.
+
+`team-agent status` includes result-store counts plus each worker's `session_id`, capture method, and attribution confidence when available. `team-agent shutdown` makes a final session capture attempt before killing tmux. `team-agent restart <workspace>` resumes workers with stored provider-native session ids; if the workspace has more than one restartable team, it fails closed and lists candidates until you pass `--team`. Workers with missing `session_id` are started fresh and logged as `restart.fresh_spawn`. `team-agent start-agent <agent_id> --workspace .` is the narrow repair path for one missing worker window; it resumes that worker when possible, starts it fresh otherwise, and leaves other workers running.
+
+Use `team-agent approvals [agent_id]` to inspect pending provider/MCP approval prompts without copying worker terminal pages into the leader context.
+
+## Role Docs
+
+Role docs are Markdown files with YAML front matter:
+
+```yaml
+---
+name: implementer
+role: Implementation Engineer
+provider: codex
+model: gpt-5.5
+auth_mode: subscription
+profile: codex-default
+tools:
+  - fs_read
+  - fs_write
+  - execute_bash
+  - mcp_team
+---
+```
+
+For quick-start teams, put role docs under `agents/` and keep `TEAM.md` at the team root. A root `TEAM.md` is team configuration, not a worker role, and does not create a leader pane. Quick-start generated files stay under the selected team directory, such as `.team/current/` or `.team/alpha/` (`team.spec.yaml`, `team_state.md`), instead of the workspace root.
+
+Team-level switches live in `TEAM.md` front matter:
+
+```yaml
+---
+name: demo-team
+dangerous_auto_approve: false
+display_backend: ghostty_window
+fast: false
+tick_interval_sec: 2
+push_min_interval_sec: 60
+stuck_timeout_sec: 300
+worker_to_worker: true
+---
+```
+
+If `display_backend` is omitted, quick-start defaults to `ghostty_window`. Use `display_backend: none` only for headless or CI runs.
+Ghostty display windows use one linked tmux session per worker, so each visible window keeps an independent active tmux window while runtime injection still targets the base worker window.
+When the leader Codex/Claude process itself was started with `--dangerously-bypass-approvals-and-sandbox` or `--dangerously-skip-permissions`, Team Agent treats worker launch, restart, and single-agent repair as already authorized and passes the matching dangerous permission mode through.
+
+Secrets must stay in profile files ignored by git. Role docs and manifests carry profile references only. Agents must not read raw profile env files into context; use `team-agent profile show <name> --workspace . --json` or `team-agent profile doctor <name> --workspace . --json` for redacted diagnostics.
+
+For third-party compatible APIs, the leader should generate a local fillable profile instead of asking for secrets in chat:
+
+```bash
+team-agent profile init deepseek --auth-mode compatible_api --workspace .
+```
+
+This creates `.team/current/profiles/deepseek.env` and `.team/current/profiles/deepseek.example.env` with blank values:
+
+```env
+AUTH_MODE=compatible_api
+PROFILE_NAME=deepseek
+BASE_URL=
+API_KEY=
+MODEL=
+```
+
+Fill the `.env` file locally, then reference only the profile name from role docs:
+
+```yaml
+provider: claude_code
+auth_mode: compatible_api
+profile: deepseek
+```
+
+For `compatible_api`, `MODEL=` in the profile is a valid model source. If both the role doc and profile define a model, they must match exactly; otherwise preflight fails before startup. Team Agent loads that profile during quick-start, launch, restart, and start-agent. Secret values are written only to per-worker runtime env files under `.team/runtime/provider-env/` and are not printed in CLI output, event logs, role docs, or compiled specs. Compatible API workers inherit the current shell proxy/CA environment by default, because some teams intentionally route third-party APIs through a proxy. Claude compatible API workers use a Team Agent managed `CLAUDE_CONFIG_DIR`, so user-level Claude subscription settings cannot re-inject Anthropic proxy variables into third-party API sessions. That managed config is pre-seeded with non-secret onboarding, theme, and workspace trust state so a fresh isolated Claude worker does not stop at first-run setup. Startup smoke checks expose whether the profile used an ambient proxy or a profile proxy; if the proxy cannot reach `BASE_URL`, quick-start returns a redacted blocker and lets the user choose whether to fix the proxy, set `HTTPS_PROXY=`/`HTTP_PROXY=` in that profile, or set `PROXY_MODE=direct` in that profile to bypass proxy only for that worker. Subscription workers keep the native provider settings and environment.
+When diagnosing profile state, run `team-agent profile show deepseek --workspace . --json`; it reports non-secret values and secret-key presence without printing secret values. Do not inspect `.team/current/profiles/*.env` or `.team/runtime/provider-env/*.env` through an Agent.
+
+## Runtime
+
+Worker-to-leader messages are stored in SQLite, rendered as human-readable text, and pushed into the attached leader pane by the runtime/coordinator path. Delivery states distinguish `accepted`, `target_resolved`, `injected`, `visible`, `submitted`, `failed`, and `ambiguous`. Direct leader delivery only reports `submitted` after the rendered token is observed in the pane and the runtime sends `Enter`; `visible` alone is only a pre-submit observation.
+
+Agent-facing MCP tools keep context thin: `send_message` takes only `to` and `content`, and `report_result` takes `summary` plus optional status/details. Sender, task id, ack policy, result schema fields, delivery ids, and verification metadata are filled or stored by the runtime. If a provider fails to pass `TEAM_AGENT_ID`, MCP infers the worker from the active task/message state and falls back to an explicit `unknown` sender rather than misrouting the message as leader. Message targets are team-scoped: use `leader`, a teammate agent id, or `*` for all other team members.
+
+Final results are stored through `report_result`; that call also attempts an immediate leader notification through the same verified/fallback delivery path. `team-agent collect` remains the authoritative state-update path, and `team-agent inbox` is message history only, not a final-result intake. `team-agent status --json` exposes `results.total`, `results.uncollected`, `results.collected`, `results.invalid`, and `results.by_status`.
+
+The coordinator automatically clears known Team Agent control-plane MCP prompts such as `team_orchestrator.report_result` and `team_orchestrator.send_message`. It uses session-scoped approval, verifies the prompt disappeared after submission, retries boundedly when Enter/selection does not take, and records the result in the event log. Non-allowlisted tools stay visible through `team-agent approvals`.
+
+Raw worker terminal inspection is blocked in the ordinary black-box workflow. The hidden `team-agent peek` diagnostic refuses to run unless the caller provides `--allow-raw-screen` after explicit user authorization, and still requires exactly one bounded selector: `--head N`, `--tail N`, or `--search TEXT`.
+
+Worker-to-worker messages are allowed within the current team. The runtime resolves recipients only from the current leader plus agents in the team spec/runtime state; `*` broadcasts to that set and excludes the sender.
+
+The main help intentionally shows only the black-box surface. Low-level commands remain available through:
+
+```bash
+team-agent advanced --help
+```
+
+## Acceptance
+
+```bash
+PYTHONPATH=src python3 scripts/run_regression_tests.py --iterations 3
+PYTHONPATH=src python3 tests/run_tests.py
+cargo test --manifest-path crates/team-agent-core/Cargo.toml
+```
+
+Real provider smoke requires installed and authenticated provider CLIs. A skipped real provider smoke is not production acceptance.

package/crates/team-agent-core/Cargo.toml

@@ -0,0 +1,12 @@
+[package]
+name = "team-agent-core"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+name = "team_agent_core"
+path = "src/lib.rs"
+
+[[bin]]
+name = "team-agent-core"
+path = "src/main.rs"

package/crates/team-agent-core/src/lib.rs

@@ -0,0 +1,287 @@
+use std::process::Command;
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct Target {
+    pub pane_id: String,
+    pub session_name: String,
+    pub window_index: String,
+    pub window_name: String,
+    pub pane_index: String,
+    pub pane_tty: String,
+    pub pane_current_command: String,
+    pub pane_active: bool,
+}
+
+impl Target {
+    pub fn fingerprint(&self) -> String {
+        format!(
+            "{}|{}|{}|{}",
+            self.session_name, self.window_index, self.pane_index, self.pane_tty
+        )
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum TargetResolution {
+    Resolved(Target),
+    Ambiguous(Vec<Target>),
+    Missing,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum DeliveryStatus {
+    Accepted,
+    TargetResolved,
+    Injected,
+    Visible,
+    Failed,
+    Ambiguous,
+}
+
+impl DeliveryStatus {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            DeliveryStatus::Accepted => "accepted",
+            DeliveryStatus::TargetResolved => "target_resolved",
+            DeliveryStatus::Injected => "injected",
+            DeliveryStatus::Visible => "visible",
+            DeliveryStatus::Failed => "failed",
+            DeliveryStatus::Ambiguous => "ambiguous",
+        }
+    }
+
+    pub fn can_transition_to(&self, next: &DeliveryStatus) -> bool {
+        matches!(
+            (self, next),
+            (DeliveryStatus::Accepted, DeliveryStatus::TargetResolved)
+                | (DeliveryStatus::Accepted, DeliveryStatus::Failed)
+                | (DeliveryStatus::Accepted, DeliveryStatus::Ambiguous)
+                | (DeliveryStatus::TargetResolved, DeliveryStatus::Injected)
+                | (DeliveryStatus::TargetResolved, DeliveryStatus::Failed)
+                | (DeliveryStatus::TargetResolved, DeliveryStatus::Ambiguous)
+                | (DeliveryStatus::Injected, DeliveryStatus::Visible)
+                | (DeliveryStatus::Injected, DeliveryStatus::Failed)
+                | (DeliveryStatus::Visible, DeliveryStatus::Failed)
+        )
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct DeliveryError {
+    pub code: String,
+    pub message: String,
+}
+
+pub fn list_tmux_targets() -> Result<Vec<Target>, String> {
+    let format = "#{pane_id}\t#{session_name}\t#{window_index}\t#{window_name}\t#{pane_index}\t#{pane_tty}\t#{pane_current_command}\t#{pane_active}";
+    let output = Command::new("tmux")
+        .args(["list-panes", "-a", "-F", format])
+        .output()
+        .map_err(|err| format!("tmux list-panes failed: {err}"))?;
+    if !output.status.success() {
+        return Err(String::from_utf8_lossy(&output.stderr).trim().to_string());
+    }
+    Ok(String::from_utf8_lossy(&output.stdout)
+        .lines()
+        .filter_map(parse_target_line)
+        .collect())
+}
+
+pub fn parse_target_line(line: &str) -> Option<Target> {
+    let parts: Vec<&str> = line.split('\t').collect();
+    if parts.len() != 8 {
+        return None;
+    }
+    Some(Target {
+        pane_id: parts[0].to_string(),
+        session_name: parts[1].to_string(),
+        window_index: parts[2].to_string(),
+        window_name: parts[3].to_string(),
+        pane_index: parts[4].to_string(),
+        pane_tty: parts[5].to_string(),
+        pane_current_command: parts[6].to_string(),
+        pane_active: parts[7] == "1",
+    })
+}
+
+pub fn resolve_target(candidates: Vec<Target>, expected_fingerprint: Option<&str>) -> TargetResolution {
+    if let Some(fingerprint) = expected_fingerprint {
+        let matched: Vec<Target> = candidates
+            .iter()
+            .cloned()
+            .filter(|target| target.fingerprint() == fingerprint)
+            .collect();
+        if matched.len() == 1 {
+            return TargetResolution::Resolved(matched[0].clone());
+        }
+        if matched.len() > 1 {
+            return TargetResolution::Ambiguous(matched);
+        }
+    }
+    let usable: Vec<Target> = candidates
+        .into_iter()
+        .filter(|target| {
+            let cmd = target
+                .pane_current_command
+                .rsplit('/')
+                .next()
+                .unwrap_or(&target.pane_current_command);
+            matches!(cmd, "codex" | "node" | "nodejs")
+        })
+        .collect();
+    match usable.len() {
+        0 => TargetResolution::Missing,
+        1 => TargetResolution::Resolved(usable[0].clone()),
+        _ => TargetResolution::Ambiguous(usable),
+    }
+}
+
+pub fn render_message(sender: &str, task_id: Option<&str>, content: &str, token: &str) -> String {
+    let mut header = format!("Team Agent message from {}", sender);
+    if let Some(task) = task_id {
+        if !task.is_empty() {
+            header.push_str(" for ");
+            header.push_str(task);
+        }
+    }
+    format!("{header}:\n\n{content}\n\n[team-agent-token:{token}]")
+}
+
+pub fn redact_secrets(input: &str) -> String {
+    let mut out = Vec::new();
+    for raw in input.split_whitespace() {
+        let lower = raw.to_ascii_lowercase();
+        let redacted = lower.contains("api_key")
+            || lower.contains("apikey")
+            || lower.contains("token=")
+            || lower.contains("secret")
+            || lower == "bearer"
+            || raw.starts_with("sk-")
+            || looks_base64_secret(raw);
+        out.push(if redacted { "[REDACTED]" } else { raw });
+    }
+    out.join(" ")
+}
+
+pub fn looks_base64_secret(value: &str) -> bool {
+    value.len() >= 32
+        && value
+            .chars()
+            .all(|ch| ch.is_ascii_alphanumeric() || matches!(ch, '+' | '/' | '=' | '_' | '-'))
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct Profile {
+    pub provider: String,
+    pub model: String,
+    pub auth_mode: String,
+    pub profile: String,
+    pub credential_ref: Option<String>,
+}
+
+pub fn validate_profile(profile: &Profile) -> Result<(), Vec<String>> {
+    let mut errors = Vec::new();
+    if !matches!(
+        profile.auth_mode.as_str(),
+        "subscription" | "official_api" | "compatible_api"
+    ) {
+        errors.push("auth_mode must be subscription, official_api, or compatible_api".to_string());
+    }
+    if profile.provider.is_empty() {
+        errors.push("provider must not be empty".to_string());
+    }
+    if profile.model.is_empty() {
+        errors.push("model must not be empty".to_string());
+    }
+    if profile.profile.is_empty() {
+        errors.push("profile must not be empty".to_string());
+    }
+    for value in [
+        &profile.provider,
+        &profile.model,
+        &profile.auth_mode,
+        &profile.profile,
+    ] {
+        if contains_inline_secret(value) {
+            errors.push("profile metadata contains a probable inline secret".to_string());
+            break;
+        }
+    }
+    if errors.is_empty() {
+        Ok(())
+    } else {
+        Err(errors)
+    }
+}
+
+pub fn contains_inline_secret(value: &str) -> bool {
+    let lower = value.to_ascii_lowercase();
+    lower.contains("api_key")
+        || lower.contains("apikey")
+        || lower.contains("token")
+        || lower.contains("secret")
+        || value.starts_with("sk-")
+        || looks_base64_secret(value)
+}
+
+pub fn json_escape(input: &str) -> String {
+    let mut out = String::new();
+    for ch in input.chars() {
+        match ch {
+            '"' => out.push_str("\\\""),
+            '\\' => out.push_str("\\\\"),
+            '\n' => out.push_str("\\n"),
+            '\r' => out.push_str("\\r"),
+            '\t' => out.push_str("\\t"),
+            ch if ch.is_control() => out.push_str(&format!("\\u{:04x}", ch as u32)),
+            ch => out.push(ch),
+        }
+    }
+    out
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn parses_target_and_fingerprint() {
+        let target = parse_target_line("%1\ts\t2\tw\t0\t/dev/ttys001\tnode\t1").unwrap();
+        assert_eq!(target.pane_id, "%1");
+        assert_eq!(target.fingerprint(), "s|2|0|/dev/ttys001");
+    }
+
+    #[test]
+    fn delivery_state_transitions_are_explicit() {
+        assert!(DeliveryStatus::Accepted.can_transition_to(&DeliveryStatus::TargetResolved));
+        assert!(DeliveryStatus::TargetResolved.can_transition_to(&DeliveryStatus::Injected));
+        assert!(DeliveryStatus::Injected.can_transition_to(&DeliveryStatus::Visible));
+        assert!(!DeliveryStatus::Accepted.can_transition_to(&DeliveryStatus::Visible));
+    }
+
+    #[test]
+    fn renders_human_readable_message() {
+        let rendered = render_message("worker", Some("task_a"), "done", "msg_1");
+        assert!(rendered.contains("Team Agent message from worker for task_a:"));
+        assert!(rendered.contains("[team-agent-token:msg_1]"));
+    }
+
+    #[test]
+    fn redacts_common_secret_shapes() {
+        let redacted = redact_secrets("Authorization Bearer sk-test abcdefghijklmnopqrstuvwxyz123456");
+        assert!(redacted.contains("[REDACTED]"));
+        assert!(!redacted.contains("sk-test"));
+    }
+
+    #[test]
+    fn profile_rejects_inline_secret() {
+        let profile = Profile {
+            provider: "codex".to_string(),
+            model: "gpt-5.5".to_string(),
+            auth_mode: "subscription".to_string(),
+            profile: "sk-inline-secret".to_string(),
+            credential_ref: None,
+        };
+        assert!(validate_profile(&profile).is_err());
+    }
+}

package/crates/team-agent-core/src/main.rs

@@ -0,0 +1,152 @@
+use std::env;
+use std::io::{self, Read};
+
+use team_agent_core::{
+    contains_inline_secret, json_escape, list_tmux_targets, redact_secrets, render_message,
+    validate_profile, Profile,
+};
+
+fn main() {
+    let args: Vec<String> = env::args().collect();
+    let command = args.get(1).map(String::as_str).unwrap_or("");
+    let result = match command {
+        "list-targets" => list_targets(),
+        "render-message" => render_message_cmd(),
+        "redact" => redact_cmd(),
+        "validate-profile" => validate_profile_cmd(),
+        _ => Err(format!(
+            "unknown command {command:?}; expected list-targets, render-message, redact, validate-profile"
+        )),
+    };
+    match result {
+        Ok(json) => println!("{json}"),
+        Err(error) => {
+            println!(
+                "{{\"ok\":false,\"error\":\"{}\"}}",
+                json_escape(error.trim())
+            );
+            std::process::exit(1);
+        }
+    }
+}
+
+fn read_stdin() -> Result<String, String> {
+    let mut input = String::new();
+    io::stdin()
+        .read_to_string(&mut input)
+        .map_err(|err| format!("stdin read failed: {err}"))?;
+    Ok(input)
+}
+
+fn list_targets() -> Result<String, String> {
+    let targets = list_tmux_targets()?;
+    let mut items = Vec::new();
+    for target in targets {
+        items.push(format!(
+            "{{\"pane_id\":\"{}\",\"session_name\":\"{}\",\"window_index\":\"{}\",\"window_name\":\"{}\",\"pane_index\":\"{}\",\"pane_tty\":\"{}\",\"pane_current_command\":\"{}\",\"pane_active\":{},\"fingerprint\":\"{}\"}}",
+            json_escape(&target.pane_id),
+            json_escape(&target.session_name),
+            json_escape(&target.window_index),
+            json_escape(&target.window_name),
+            json_escape(&target.pane_index),
+            json_escape(&target.pane_tty),
+            json_escape(&target.pane_current_command),
+            target.pane_active,
+            json_escape(&target.fingerprint())
+        ));
+    }
+    Ok(format!("{{\"ok\":true,\"targets\":[{}]}}", items.join(",")))
+}
+
+fn render_message_cmd() -> Result<String, String> {
+    let input = read_stdin()?;
+    let sender = extract_string(&input, "from")
+        .or_else(|| extract_string(&input, "sender"))
+        .unwrap_or_else(|| "unknown".to_string());
+    let task_id = extract_string(&input, "task_id");
+    let content = extract_string(&input, "content").unwrap_or_default();
+    let token = extract_string(&input, "message_id").unwrap_or_else(|| "missing".to_string());
+    let rendered = render_message(&sender, task_id.as_deref(), &content, &token);
+    Ok(format!(
+        "{{\"ok\":true,\"text\":\"{}\",\"token\":\"{}\"}}",
+        json_escape(&rendered),
+        json_escape(&token)
+    ))
+}
+
+fn redact_cmd() -> Result<String, String> {
+    let input = read_stdin()?;
+    let text = extract_string(&input, "text").unwrap_or(input);
+    Ok(format!(
+        "{{\"ok\":true,\"text\":\"{}\"}}",
+        json_escape(&redact_secrets(&text))
+    ))
+}
+
+fn validate_profile_cmd() -> Result<String, String> {
+    let input = read_stdin()?;
+    let profile = Profile {
+        provider: extract_string(&input, "provider").unwrap_or_default(),
+        model: extract_string(&input, "model").unwrap_or_default(),
+        auth_mode: extract_string(&input, "auth_mode").unwrap_or_default(),
+        profile: extract_string(&input, "profile").unwrap_or_default(),
+        credential_ref: extract_string(&input, "credential_ref"),
+    };
+    let mut errors = match validate_profile(&profile) {
+        Ok(()) => Vec::new(),
+        Err(errors) => errors,
+    };
+    if contains_inline_secret(&input) {
+        errors.push("input contains a probable inline secret".to_string());
+    }
+    if errors.is_empty() {
+        Ok("{\"ok\":true,\"errors\":[]}".to_string())
+    } else {
+        let encoded: Vec<String> = errors
+            .into_iter()
+            .map(|err| format!("\"{}\"", json_escape(&err)))
+            .collect();
+        Ok(format!("{{\"ok\":false,\"errors\":[{}]}}", encoded.join(",")))
+    }
+}
+
+fn extract_string(input: &str, key: &str) -> Option<String> {
+    let needle = format!("\"{key}\"");
+    let key_pos = input.find(&needle)?;
+    let rest = &input[key_pos + needle.len()..];
+    let colon = rest.find(':')?;
+    let value = rest[colon + 1..].trim_start();
+    if !value.starts_with('"') {
+        return None;
+    }
+    parse_json_string(value)
+}
+
+fn parse_json_string(input: &str) -> Option<String> {
+    let mut out = String::new();
+    let mut chars = input.chars();
+    if chars.next()? != '"' {
+        return None;
+    }
+    let mut escaped = false;
+    for ch in chars {
+        if escaped {
+            match ch {
+                '"' => out.push('"'),
+                '\\' => out.push('\\'),
+                'n' => out.push('\n'),
+                'r' => out.push('\r'),
+                't' => out.push('\t'),
+                other => out.push(other),
+            }
+            escaped = false;
+            continue;
+        }
+        match ch {
+            '\\' => escaped = true,
+            '"' => return Some(out),
+            other => out.push(other),
+        }
+    }
+    None
+}