@tokenwarden/opencode 0.1.0

package/README.md

@@ -0,0 +1,53 @@
+# @tokenwarden/opencode
+
+Local-first opencode cost and context control plugin.
+
+## Install
+
+```sh
+npm install -g @tokenwarden/opencode
+```
+
+Add the plugin to `opencode.json` or `~/.config/opencode/opencode.jsonc`:
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["tokenwarden"]
+}
+```
+
+Restart opencode after changing config.
+
+## Local Slash Commands
+
+- `/tokenwarden-report`: show observed savings from local usage data.
+- `/tokenwarden-status`: show status in the opencode TUI only.
+- `/tokenwarden-account`: open your hosted TokenWarden account page.
+- `/tokenwarden-connect`: connect this machine to a hosted account.
+- `/tokenwarden-disconnect`: remove the local paid license and revert to the capped free seat.
+
+## CLI
+
+```sh
+tokenwarden report
+tokenwarden status
+tokenwarden account
+tokenwarden connect --email you@example.com
+tokenwarden disconnect
+```
+
+See the repository root `README.md` and website `/readme` page for product, billing, and deployment notes.
+
+## Native Sidecar Support
+
+The published package includes signed native sidecar binaries for macOS arm64, macOS x64, Linux x64 musl, Linux ARM64 musl, and Windows x64. TokenWarden selects the matching binary locally and verifies its signed manifest before using native optimization.
+
+Usage, account, license, and raw-output records are stored under `~/.cache/tokenwarden/encrypted/`. The TypeScript plugin asks the verified native sidecar to read and write those encrypted files instead of storing plain JSON/JSONL directly. Local failure diagnostics are written to `~/.cache/tokenwarden/logs/failures.jsonl` without tool output or source content.
+
+Development and production plugin builds always compile every packaged sidecar target. On macOS, install the native cross-compilers before running `npm run build:plugin` or `npm run build:plugin:prod` from the repository root:
+
+```sh
+brew install mingw-w64
+brew install FiloSottile/musl-cross/musl-cross
+```

package/dist/src/cli/index.js

@@ -0,0 +1,105 @@
+#!/usr/bin/env node
+import { spawn } from "node:child_process";
+import { formatTokenReport } from "../core/format.js";
+import { createProtectedEngine } from "../core/protection/engine.js";
+import { formatBillingStatus, tokenWardenSiteURL } from "../core/billing.js";
+import { createStore } from "../core/storage.js";
+async function main() {
+    const [, , command = "report", ...args] = process.argv;
+    if (command === "report") {
+        const sessionID = valueAfter(args, "--session");
+        const color = !args.includes("--no-color");
+        const engine = await createProtectedEngine({ dataDir: valueAfter(args, "--data-dir") });
+        const summary = await engine.summarize(sessionID);
+        process.stdout.write(`${formatTokenReport(summary, { color })}\n`);
+        return;
+    }
+    if (command === "status") {
+        const store = createStore(valueAfter(args, "--data-dir"));
+        const engine = await createProtectedEngine({ dataDir: store.dataDir });
+        const protection = await engine.protectionStatus();
+        process.stdout.write(`TokenWarden data dir: ${store.dataDir}\n`);
+        process.stdout.write(`Usage log: ${store.eventsPath}\n`);
+        process.stdout.write(`Engine mode: ${protection.mode}\n`);
+        process.stdout.write(`License: ${protection.license}\n`);
+        process.stdout.write(`Rule pack: ${protection.rulePack}\n`);
+        process.stdout.write(`Tamper: ${protection.tamper}\n`);
+        process.stdout.write(`${formatBillingStatus(await engine.billing())}\n`);
+        return;
+    }
+    if (command === "account") {
+        const engine = await createProtectedEngine({ dataDir: valueAfter(args, "--data-dir") });
+        const entitlement = await engine.billing();
+        const url = accountPageURL(entitlement);
+        const opened = openBrowser(url);
+        process.stdout.write(opened ? `Opened: ${url}\n` : `Open: ${url}\n`);
+        return;
+    }
+    if (command === "disconnect") {
+        const engine = await createProtectedEngine({ dataDir: valueAfter(args, "--data-dir") });
+        await engine.disconnect();
+        process.stdout.write("TokenWarden disconnected. Reverted to the free seat.\n");
+        process.stdout.write(`${formatBillingStatus(await engine.billing())}\n`);
+        return;
+    }
+    if (command === "connect" || command === "activate") {
+        const store = createStore(valueAfter(args, "--data-dir"));
+        const engine = await createProtectedEngine({ dataDir: store.dataDir });
+        let openedURL;
+        const activation = await engine.activate({
+            email: valueAfter(args, "--email"),
+            deviceStartURL: valueAfter(args, "--device-start-url"),
+            devicePollURL: valueAfter(args, "--device-poll-url"),
+            deviceAckURL: valueAfter(args, "--device-ack-url"),
+            onVerificationURL(url) {
+                openedURL = url;
+                const opened = openBrowser(url);
+                process.stdout.write(opened ? `Opened: ${url}\n` : `Open: ${url}\n`);
+                process.stdout.write("Waiting for browser authorization...\n");
+            },
+        });
+        writeActivationResult(activation, Boolean(openedURL));
+        process.stdout.write(`${formatBillingStatus(await engine.billing())}\n`);
+        return;
+    }
+    process.stderr.write(`Unknown command: ${command}\n`);
+    process.stderr.write("Usage: tokenwarden report|status|account|connect|activate|disconnect [--session SESSION_ID] [--data-dir DIR] [--email EMAIL] [--device-start-url URL] [--device-poll-url URL] [--device-ack-url URL] [--no-color]\n");
+    process.stderr.write("report defaults to all locally recorded sessions; pass --session to filter one session.\n");
+    process.exitCode = 1;
+}
+function valueAfter(args, flag) {
+    const index = args.indexOf(flag);
+    return index >= 0 ? args[index + 1] : undefined;
+}
+function writeActivationResult(activation, browserOpened) {
+    process.stdout.write("TokenWarden hosted license activated.\n");
+    if (browserOpened)
+        process.stdout.write("Browser authorization complete.\n");
+    process.stdout.write(`License: ${activation.licensePath}\n`);
+    process.stdout.write(`Offline grace until: ${activation.offlineGraceUntil}\n`);
+    process.stdout.write(`Verification: ${activation.verified ? "passed" : "failed"}\n`);
+}
+function accountPageURL(entitlement) {
+    const url = new URL("/account", tokenWardenSiteURL());
+    if (entitlement.monthlyCapTokens === null) {
+        url.searchParams.set("optimization", "unlimited");
+        return url.toString();
+    }
+    url.searchParams.set("remainingOptimizableTokens", String(entitlement.remainingFreeTokens ?? 0));
+    url.searchParams.set("monthlyOptimizedTokens", String(entitlement.monthlySavedTokens));
+    url.searchParams.set("monthlyCapTokens", String(entitlement.monthlyCapTokens));
+    return url.toString();
+}
+function openBrowser(url) {
+    const command = process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open";
+    const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
+    try {
+        const child = spawn(command, args, { detached: true, stdio: "ignore" });
+        child.unref();
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+await main();

package/dist/src/core/billing.js

@@ -0,0 +1,252 @@
+import { join } from "node:path";
+import { randomUUID } from "node:crypto";
+import { createSavingsEvent } from "./savings.js";
+import { readSavingsEvents } from "./storage.js";
+import { getMachineHash, verifyLicense } from "./protection/license.js";
+import { LICENSE_PUBLIC_KEY } from "./protection/license-public-key.generated.js";
+import { DEFAULT_FREE_MONTHLY_SAVED_TOKEN_CAP, DEFAULT_TOKENWARDEN_SITE_URL, tokenWardenSiteURL } from "./build-config.js";
+import { encryptedDeleteFile, encryptedReadFile, encryptedWriteFile } from "./protection/sidecar.js";
+export const FREE_MONTHLY_SAVED_TOKEN_CAP = DEFAULT_FREE_MONTHLY_SAVED_TOKEN_CAP;
+export { DEFAULT_TOKENWARDEN_SITE_URL, tokenWardenSiteURL };
+export function freeMonthlySavedTokenCap() {
+    return FREE_MONTHLY_SAVED_TOKEN_CAP;
+}
+export function accountPath(store) {
+    return join(store.dataDir, "encrypted", "account.json.enc");
+}
+export function licensePath(store) {
+    return join(store.dataDir, "encrypted", "license.json.enc");
+}
+export async function readBillingAccount(store) {
+    try {
+        const content = await encryptedReadFile(accountPath(store));
+        if (!content)
+            return createFreeAccount();
+        return JSON.parse(content);
+    }
+    catch {
+        return createFreeAccount();
+    }
+}
+export async function connectBillingClient(store, input = {}) {
+    const existing = await readBillingAccount(store);
+    const email = input.email ?? existing.email;
+    const account = {
+        ...existing,
+        email,
+        connectedAt: new Date().toISOString(),
+        authURL: createAuthURL(existing.accountID, email),
+    };
+    await encryptedWriteFile(accountPath(store), `${JSON.stringify(account, null, 2)}\n`);
+    return account;
+}
+export async function disconnectBillingClient(store) {
+    const account = createFreeAccount();
+    await encryptedWriteFile(accountPath(store), `${JSON.stringify(account, null, 2)}\n`);
+    await encryptedDeleteFile(licensePath(store));
+    return account;
+}
+export async function activateHostedLicense(store, input = {}) {
+    const fetchImpl = input.fetchImpl ?? fetch;
+    const existing = await readBillingAccount(store);
+    const email = input.email ?? existing.email;
+    const machineHash = input.machineHash ?? getMachineHash();
+    const start = await postJson(fetchImpl, input.deviceStartURL ?? createDeviceStartURL(), {
+        machineHash,
+        email,
+        localOpencodeAccountId: existing.accountID,
+    });
+    input.onVerificationURL?.(start.verificationUrl);
+    const expiresAt = new Date(start.expiresAt).getTime();
+    const deadline = Math.min(Number.isFinite(expiresAt) ? expiresAt : Date.now() + 10 * 60 * 1000, Date.now() + (input.maxWaitMs ?? 10 * 60 * 1000));
+    const pollIntervalMs = Math.max(500, input.pollIntervalMs ?? start.pollIntervalSeconds * 1000);
+    while (Date.now() < deadline) {
+        await sleep(pollIntervalMs);
+        const poll = await postJson(fetchImpl, input.devicePollURL ?? createDevicePollURL(), { deviceCode: start.deviceCode });
+        if (poll.status === "pending") {
+            input.onPoll?.("pending");
+            continue;
+        }
+        if (poll.status === "authorized" && poll.license) {
+            const activation = await installHostedLicense(store, poll.license, machineHash, email);
+            await acknowledgeDeviceAuthorization(fetchImpl, input.deviceAckURL ?? createDeviceAckURL(), start.deviceCode);
+            return activation;
+        }
+        throw new Error(poll.error || `Device authorization failed with status ${poll.status}`);
+    }
+    throw new Error("Device authorization timed out before browser sign-in completed");
+}
+async function acknowledgeDeviceAuthorization(fetchImpl, url, deviceCode) {
+    try {
+        await postJson(fetchImpl, url, { deviceCode });
+    }
+    catch {
+        // The license is already verified and installed locally. A later cleanup job can expire the authorization row.
+    }
+}
+async function postJson(fetchImpl, url, body) {
+    const response = await fetchImpl(url, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify(body),
+    });
+    const text = await response.text();
+    let parsed;
+    try {
+        parsed = JSON.parse(text);
+    }
+    catch {
+        throw new Error(`Hosted activation request failed (${response.status}): ${text.slice(0, 240)}`);
+    }
+    if (!response.ok) {
+        throw new Error(parsed.error || `Hosted activation request failed (${response.status})`);
+    }
+    return parsed;
+}
+async function installHostedLicense(store, license, machineHash = getMachineHash(), email) {
+    const check = verifyLicense({ token: license, publicKeyPem: LICENSE_PUBLIC_KEY, machineHash });
+    if (!check.ok)
+        throw new Error(`Hosted license verification failed: ${check.reason}`);
+    const { payload } = license;
+    const existing = await readBillingAccount(store);
+    const account = {
+        accountID: payload.accountID,
+        seatID: payload.seatID,
+        email: email ?? existing.email,
+        plan: "standard",
+        status: "active",
+        connectedAt: new Date().toISOString(),
+        authURL: existing.authURL,
+    };
+    await encryptedWriteFile(licensePath(store), `${JSON.stringify({ installedAt: new Date().toISOString(), license }, null, 2)}\n`);
+    await encryptedWriteFile(accountPath(store), `${JSON.stringify(account, null, 2)}\n`);
+    return {
+        account,
+        licensePath: licensePath(store),
+        verified: true,
+        offlineGraceUntil: payload.offlineGraceUntil,
+    };
+}
+export async function getBillingEntitlement(store, now = new Date(), freeCapTokens = FREE_MONTHLY_SAVED_TOKEN_CAP) {
+    const account = await readBillingAccount(store);
+    const monthlySavedTokens = (await readSavingsEvents(store))
+        .filter((event) => isSameUtcMonth(new Date(event.timestamp), now))
+        .reduce((total, event) => total + event.savedTokens, 0);
+    if (account.plan === "standard" &&
+        account.status === "active" &&
+        (await hasValidStoredLicense(store, now))) {
+        return {
+            account,
+            monthlySavedTokens,
+            monthlyCapTokens: null,
+            remainingFreeTokens: null,
+            canOptimize: true,
+        };
+    }
+    const monthlyCapTokens = positiveInteger(freeCapTokens, FREE_MONTHLY_SAVED_TOKEN_CAP);
+    const remainingFreeTokens = Math.max(0, monthlyCapTokens - monthlySavedTokens);
+    return {
+        account,
+        monthlySavedTokens,
+        monthlyCapTokens,
+        remainingFreeTokens,
+        canOptimize: remainingFreeTokens > 0,
+    };
+}
+async function hasValidStoredLicense(store, now) {
+    try {
+        const content = await encryptedReadFile(licensePath(store));
+        if (!content)
+            return false;
+        const stored = JSON.parse(content);
+        if (!stored.license)
+            return false;
+        return verifyLicense({ token: stored.license, publicKeyPem: LICENSE_PUBLIC_KEY, now }).ok;
+    }
+    catch {
+        return false;
+    }
+}
+export async function applySavingsCap(store, event, freeCapTokens = FREE_MONTHLY_SAVED_TOKEN_CAP) {
+    if (event.metadata?.capCheckedBy === "native-sidecar")
+        return event;
+    const entitlement = await getBillingEntitlement(store, new Date(event.timestamp), freeCapTokens);
+    if (entitlement.monthlyCapTokens === null)
+        return event;
+    if (event.savedTokens <= 0)
+        return event;
+    const remaining = entitlement.remainingFreeTokens ?? 0;
+    if (remaining <= 0) {
+        return createSavingsEvent({
+            sessionID: event.sessionID,
+            source: event.source,
+            label: `${event.label} (free cap reached)`,
+            wouldHaveUsedTokens: event.wouldHaveUsedTokens,
+            usedTokens: event.wouldHaveUsedTokens,
+            metadata: {
+                ...event.metadata,
+                capped: true,
+                freeMonthlyCapTokens: entitlement.monthlyCapTokens,
+            },
+        });
+    }
+    if (event.savedTokens <= remaining)
+        return event;
+    return createSavingsEvent({
+        sessionID: event.sessionID,
+        source: event.source,
+        label: `${event.label} (free cap applied)`,
+        wouldHaveUsedTokens: event.wouldHaveUsedTokens,
+        usedTokens: event.wouldHaveUsedTokens - remaining,
+        metadata: {
+            ...event.metadata,
+            capped: true,
+            freeMonthlyCapTokens: entitlement.monthlyCapTokens,
+        },
+    });
+}
+export function formatBillingStatus(entitlement) {
+    if (entitlement.monthlyCapTokens === null) {
+        return `Account: ${entitlement.account.plan} (${entitlement.account.status})`;
+    }
+    const credited = Math.min(entitlement.monthlySavedTokens, entitlement.monthlyCapTokens);
+    return `Account: free seat | credited ${credited.toLocaleString()}/${entitlement.monthlyCapTokens.toLocaleString()} observed saved tokens this month | observed ${entitlement.monthlySavedTokens.toLocaleString()} | remaining ${(entitlement.remainingFreeTokens ?? 0).toLocaleString()}`;
+}
+function createFreeAccount() {
+    const accountID = `free_${randomUUID()}`;
+    return {
+        accountID,
+        seatID: `seat_${randomUUID()}`,
+        plan: "free",
+        status: "free",
+        connectedAt: new Date().toISOString(),
+        authURL: createAuthURL(accountID),
+    };
+}
+function createAuthURL(accountID, email) {
+    const baseURL = tokenWardenSiteURL();
+    const url = new URL("/auth/device", baseURL);
+    url.searchParams.set("account", accountID);
+    if (email)
+        url.searchParams.set("email", email);
+    return url.toString();
+}
+function createDeviceStartURL() {
+    return new URL("/api/device/start", tokenWardenSiteURL()).toString();
+}
+function createDevicePollURL() {
+    return new URL("/api/device/poll", tokenWardenSiteURL()).toString();
+}
+function createDeviceAckURL() {
+    return new URL("/api/device/ack", tokenWardenSiteURL()).toString();
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function positiveInteger(value, fallback) {
+    return Number.isFinite(value) && value > 0 ? Math.floor(value) : fallback;
+}
+function isSameUtcMonth(left, right) {
+    return (left.getUTCFullYear() === right.getUTCFullYear() &&
+        left.getUTCMonth() === right.getUTCMonth());
+}

package/dist/src/core/build-config.js

@@ -0,0 +1,45 @@
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+export const DEFAULT_FREE_MONTHLY_SAVED_TOKEN_CAP = 100000;
+export const DEFAULT_TOKENWARDEN_SITE_URL = "https://tokenwarden.ai";
+let cachedConfig;
+export function readBuildConfig(configPath = defaultBuildConfigPath()) {
+    if (configPath === defaultBuildConfigPath() && cachedConfig)
+        return cachedConfig;
+    let config = defaultBuildConfig();
+    try {
+        const parsed = JSON.parse(readFileSync(configPath, "utf8"));
+        config = {
+            siteURL: validSiteURL(parsed.siteURL) ? parsed.siteURL : config.siteURL,
+            generatedAt: typeof parsed.generatedAt === "string" ? parsed.generatedAt : undefined,
+        };
+    }
+    catch {
+        config = defaultBuildConfig();
+    }
+    if (configPath === defaultBuildConfigPath())
+        cachedConfig = config;
+    return config;
+}
+export function tokenWardenSiteURL() {
+    return readBuildConfig().siteURL;
+}
+function defaultBuildConfig() {
+    return {
+        siteURL: DEFAULT_TOKENWARDEN_SITE_URL,
+    };
+}
+function defaultBuildConfigPath() {
+    return fileURLToPath(new URL("../../../native/bin/tokenwarden-build-config.json", import.meta.url));
+}
+function validSiteURL(value) {
+    if (typeof value !== "string")
+        return false;
+    try {
+        new URL(value);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/src/core/code-summary.js

@@ -0,0 +1,162 @@
+import { readdir, readFile, stat } from "node:fs/promises";
+import { isAbsolute, join, relative, resolve, sep } from "node:path";
+import { countTokens, trimToTokenBudget } from "./tokens.js";
+import { createSavingsEvent } from "./savings.js";
+export async function smartRead(input) {
+    const absPath = resolveInsideRoot(input.root, input.path);
+    const content = await readFile(absPath, "utf8");
+    const mode = input.mode ?? "symbols";
+    const budget = input.budget ?? 1600;
+    const relPath = relative(input.root, absPath) || input.path;
+    const rawTokens = countTokens(content);
+    const rendered = trimToTokenBudget(renderSmartRead(relPath, content, mode, input.query), budget);
+    const output = countTokens(rendered) > rawTokens ? trimToTokenBudget(content, budget) : rendered;
+    const usedTokens = countTokens(output);
+    const event = createSavingsEvent({
+        sessionID: input.sessionID,
+        source: "smart-read",
+        label: relPath,
+        wouldHaveUsedTokens: rawTokens,
+        usedTokens,
+        metadata: { mode, query: input.query },
+    });
+    return { output, rawTokens, usedTokens, event };
+}
+export async function smartPack(input) {
+    const budget = input.budget ?? 4000;
+    const files = await collectFiles(input.root, input.paths);
+    const sections = [];
+    let rawTokens = 0;
+    for (const file of files.slice(0, 40)) {
+        const content = await readFile(file, "utf8");
+        rawTokens += countTokens(content);
+        const relPath = relative(input.root, file);
+        sections.push(renderSmartRead(relPath, content, input.query ? "relevant" : "symbols", input.query));
+        if (countTokens(sections.join("\n\n")) >= budget)
+            break;
+    }
+    const output = trimToTokenBudget([`Smart pack for ${input.paths.join(", ")}`, `Files considered: ${files.length}`, "", sections.join("\n\n")].join("\n"), budget);
+    const usedTokens = countTokens(output);
+    const event = createSavingsEvent({
+        sessionID: input.sessionID,
+        source: "smart-pack",
+        label: input.paths.join(", "),
+        wouldHaveUsedTokens: rawTokens,
+        usedTokens,
+        metadata: { query: input.query, files: files.length },
+    });
+    return { output, rawTokens, usedTokens, event };
+}
+function renderSmartRead(path, content, mode, query) {
+    const lines = content.split(/\r?\n/);
+    const imports = collectMatchingLines(lines, /^\s*import\s|^\s*from\s.+import\s|^\s*const\s+.+require\(/);
+    const exports = collectMatchingLines(lines, /^\s*export\s/);
+    const definitions = collectMatchingLines(lines, /^\s*(export\s+)?(async\s+)?(function|class|interface|type|enum)\s+[A-Za-z0-9_$]+|^\s*(export\s+)?(const|let|var)\s+[A-Za-z0-9_$]+\s*=\s*(async\s*)?(\([^)]*\)|[A-Za-z0-9_$]+)\s*=>/);
+    if (mode === "raw-budgeted") {
+        return [`File: ${path}`, "Mode: raw-budgeted", "", content].join("\n");
+    }
+    const sections = [`File: ${path}`, `Estimated raw tokens: ${countTokens(content)}`];
+    if (mode === "relevant" && query) {
+        const relevant = collectRelevantBlocks(lines, query);
+        sections.push("", `Relevant blocks for: ${query}`, ...(relevant.length > 0 ? relevant : ["No direct matches found."]));
+        return sections.join("\n");
+    }
+    if (imports.length > 0)
+        sections.push("", "Imports:", ...imports);
+    if (exports.length > 0)
+        sections.push("", "Exports:", ...exports);
+    if (definitions.length > 0)
+        sections.push("", "Definitions:", ...definitions);
+    if (mode === "summary") {
+        sections.push("", "Summary:", summarizeByShape(path, lines, imports.length, definitions.length));
+    }
+    return sections.join("\n");
+}
+function collectMatchingLines(lines, pattern) {
+    return lines
+        .map((line, index) => ({ line: line.trim(), index }))
+        .filter(({ line }) => pattern.test(line))
+        .slice(0, 80)
+        .map(({ line, index }) => `- L${index + 1}: ${line}`);
+}
+function collectRelevantBlocks(lines, query) {
+    const terms = query
+        .toLowerCase()
+        .split(/[^a-z0-9_]+/)
+        .filter((term) => term.length > 2);
+    const keep = new Set();
+    lines.forEach((line, index) => {
+        const lower = line.toLowerCase();
+        if (!terms.some((term) => lower.includes(term)))
+            return;
+        for (let offset = -3; offset <= 8; offset += 1)
+            keep.add(index + offset);
+    });
+    return [...keep]
+        .filter((index) => index >= 0 && index < lines.length)
+        .sort((a, b) => a - b)
+        .map((index) => `L${index + 1}: ${lines[index]}`)
+        .slice(0, 120);
+}
+function summarizeByShape(path, lines, importCount, definitionCount) {
+    return `${path} has ${lines.length} lines, ${importCount} import-like lines, and ${definitionCount} top-level definition-like lines. Use relevant mode with a query for focused blocks.`;
+}
+function resolveInsideRoot(root, requestedPath) {
+    const absRoot = resolve(root);
+    const absPath = isAbsolute(requestedPath) ? resolve(requestedPath) : resolve(absRoot, requestedPath);
+    const rel = relative(absRoot, absPath);
+    if (rel.startsWith("..") || rel === ".." || rel.includes(`..${sep}`)) {
+        throw new Error(`Path is outside project root: ${requestedPath}`);
+    }
+    return absPath;
+}
+async function collectFiles(root, patterns) {
+    const absRoot = resolve(root);
+    const allFiles = await walk(absRoot);
+    const regexes = patterns.map(globToRegExp);
+    return allFiles
+        .filter((file) => regexes.some((regex) => regex.test(relative(absRoot, file).replaceAll(sep, "/"))))
+        .sort();
+}
+async function walk(dir) {
+    const entries = await readdir(dir, { withFileTypes: true });
+    const files = [];
+    for (const entry of entries) {
+        if (entry.name === ".git" || entry.name === "node_modules" || entry.name === "dist")
+            continue;
+        const full = join(dir, entry.name);
+        if (entry.isDirectory()) {
+            files.push(...(await walk(full)));
+            continue;
+        }
+        if (!entry.isFile())
+            continue;
+        const info = await stat(full);
+        if (info.size > 512_000)
+            continue;
+        files.push(full);
+    }
+    return files;
+}
+function globToRegExp(pattern) {
+    const normalized = pattern.replaceAll("\\", "/");
+    let source = "^";
+    for (let index = 0; index < normalized.length; index += 1) {
+        const char = normalized[index];
+        const next = normalized[index + 1];
+        if (char === "*" && next === "*") {
+            source += ".*";
+            index += 1;
+        }
+        else if (char === "*") {
+            source += "[^/]*";
+        }
+        else {
+            source += escapeRegExp(char);
+        }
+    }
+    return new RegExp(`${source}$`);
+}
+function escapeRegExp(value) {
+    return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}