@tokenwarden/opencode 0.1.0

package/dist/src/core/format.js

@@ -0,0 +1,71 @@
+const ANSI = {
+    reset: "\x1b[0m",
+    bold: "\x1b[1m",
+    dim: "\x1b[2m",
+    red: "\x1b[31m",
+    green: "\x1b[32m",
+    cyan: "\x1b[36m",
+};
+export function formatTokenReport(summary, options = {}) {
+    const color = options.color ?? true;
+    const c = (name, text) => (color ? `${ANSI[name]}${text}${ANSI.reset}` : text);
+    const percent = `${formatPercent(summary.percentSaved)}%`;
+    const lines = [
+        c("bold", "TokenWarden observed optimized-context savings"),
+        "Scope: recorded optimization events only; this is not a full provider bill report.",
+        `Sessions counted: ${formatNumber(summary.sessions)}`,
+        `Events counted: ${formatNumber(summary.events)}`,
+        `${c("red", "Observed would-have-used")}: ${formatNumber(summary.wouldHaveUsedTokens)} tokens`,
+        `Observed actually used: ${formatNumber(summary.usedTokens)} tokens`,
+        `${c("green", "Observed saved")}: ${formatNumber(summary.savedTokens)} tokens`,
+        `${c("green", "Observed percent saved")}: ${percent}`,
+    ];
+    const sources = Object.entries(summary.bySource).sort(([, a], [, b]) => b.savedTokens - a.savedTokens);
+    if (sources.length > 0) {
+        lines.push("", c("cyan", "Observed savings by source"));
+        for (const [source, item] of sources) {
+            lines.push(`- ${source}: ${formatNumber(item.savedTokens)} saved / ${formatNumber(item.wouldHaveUsedTokens)} would-have-used (saved ${formatPercent(item.percentSaved)}%)`);
+        }
+    }
+    else {
+        lines.push("", c("dim", "No optimization savings recorded yet. Normal prompts may have no TokenWarden event."));
+    }
+    return lines.join("\n");
+}
+export function formatNumber(value) {
+    return new Intl.NumberFormat("en-US").format(safeRoundedNumber(value));
+}
+export function formatCompactNumber(value) {
+    const rounded = safeRoundedNumber(value);
+    const abs = Math.abs(rounded);
+    if (abs >= 1_000_000)
+        return `${trimFixed(rounded / 1_000_000)}M`;
+    if (abs >= 1_000)
+        return `${trimFixed(rounded / 1_000)}k`;
+    return String(rounded);
+}
+export function formatCompactSavingsToast(summary, entitlement) {
+    if (entitlement?.monthlyCapTokens !== null && entitlement?.monthlyCapTokens !== undefined) {
+        const credited = Math.min(entitlement.monthlySavedTokens, entitlement.monthlyCapTokens);
+        const capReached = (entitlement.remainingFreeTokens ?? 0) <= 0;
+        return {
+            title: capReached ? "TokenWarden: free cap reached" : "TokenWarden: free seat",
+            message: `${formatCompactNumber(credited)}/${formatCompactNumber(entitlement.monthlyCapTokens)} credited, observed ${formatCompactNumber(summary.savedTokens)}`,
+            variant: capReached ? "warning" : summary.savedTokens > 0 ? "success" : "info",
+        };
+    }
+    return {
+        title: `TokenWarden observed ${formatPercent(summary.percentSaved)}% saved`,
+        message: `${formatCompactNumber(summary.wouldHaveUsedTokens)} -> ${formatCompactNumber(summary.usedTokens)}, saved ${formatCompactNumber(summary.savedTokens)}`,
+        variant: summary.savedTokens > 0 ? "success" : "info",
+    };
+}
+function formatPercent(value) {
+    return (Number.isFinite(value) ? value : 0).toFixed(1);
+}
+function safeRoundedNumber(value) {
+    return Number.isFinite(value) ? Math.round(value) : 0;
+}
+function trimFixed(value) {
+    return value.toFixed(value >= 100 ? 0 : 1).replace(/\.0$/, "");
+}

package/dist/src/core/log-reducer.js

@@ -0,0 +1,97 @@
+import { countTokens, trimToTokenBudget } from "./tokens.js";
+import { createSavingsEvent } from "./savings.js";
+import { writeRawOutput } from "./storage.js";
+const IMPORTANT_LINE = /(error|failed|failure|exception|traceback|panic|fatal|warning|\bTS\d{4}\b|\bERR!\b|\b[A-Za-z0-9_./-]+\.(ts|tsx|js|jsx|py|go|rs|java|rb|php|swift|kt):\d+)/i;
+export async function reduceToolOutput(input) {
+    const rawTokens = countTokens(input.output);
+    if (rawTokens <= input.maxTokens) {
+        const event = createSavingsEvent({
+            sessionID: input.sessionID,
+            source: "tool-output",
+            label: input.tool,
+            wouldHaveUsedTokens: rawTokens,
+            usedTokens: rawTokens,
+            metadata: { callID: input.callID, reduced: false },
+        });
+        return { output: input.output, rawTokens, usedTokens: rawTokens, savedTokens: 0, event };
+    }
+    const rawPath = await writeRawOutput(input.store, {
+        sessionID: input.sessionID,
+        callID: input.callID,
+        output: input.output,
+    });
+    const relevant = extractRelevantLines(input.output);
+    const command = commandFromArgs(input.args);
+    const summary = [
+        "TokenWarden reduced large tool output.",
+        command ? `Command: ${command}` : undefined,
+        `Original: ${rawTokens} estimated tokens`,
+        `Full raw log: ${rawPath}`,
+        "",
+        "Relevant output:",
+        relevant || "No obvious error lines found. Showing the beginning and end of the output.",
+        relevant ? undefined : fallbackHeadTail(input.output),
+    ]
+        .filter(Boolean)
+        .join("\n");
+    const output = trimToTokenBudget(summary, input.maxTokens);
+    const usedTokens = countTokens(output);
+    const event = createSavingsEvent({
+        sessionID: input.sessionID,
+        source: "tool-output",
+        label: input.tool,
+        wouldHaveUsedTokens: rawTokens,
+        usedTokens,
+        metadata: { callID: input.callID, rawPath, reduced: true },
+    });
+    return { output, rawTokens, usedTokens, savedTokens: event.savedTokens, rawPath, event };
+}
+export function reducePlainTextForContext(input) {
+    const rawTokens = countTokens(input.text);
+    if (rawTokens <= input.maxTokens)
+        return undefined;
+    const reduced = trimToTokenBudget([
+        "TokenWarden reduced stale large context before the model call.",
+        `Original: ${rawTokens} estimated tokens`,
+        "",
+        extractRelevantLines(input.text) || fallbackHeadTail(input.text),
+    ].join("\n"), input.maxTokens);
+    const event = createSavingsEvent({
+        sessionID: input.sessionID,
+        source: "chat-history",
+        label: input.label,
+        wouldHaveUsedTokens: rawTokens,
+        usedTokens: countTokens(reduced),
+        metadata: { reduced: true },
+    });
+    return { text: reduced, event };
+}
+function extractRelevantLines(output) {
+    const lines = output.split(/\r?\n/);
+    const keep = new Set();
+    lines.forEach((line, index) => {
+        if (!IMPORTANT_LINE.test(line))
+            return;
+        keep.add(index - 1);
+        keep.add(index);
+        keep.add(index + 1);
+    });
+    return [...keep]
+        .filter((index) => index >= 0 && index < lines.length)
+        .sort((a, b) => a - b)
+        .map((index) => `${index + 1}: ${lines[index]}`)
+        .join("\n");
+}
+function fallbackHeadTail(output) {
+    const lines = output.split(/\r?\n/);
+    const head = lines.slice(0, 20);
+    const tail = lines.length > 40 ? lines.slice(-20) : [];
+    return [...head, ...(tail.length > 0 ? ["...", ...tail] : [])].join("\n");
+}
+function commandFromArgs(args) {
+    if (!args || typeof args !== "object")
+        return undefined;
+    const record = args;
+    const command = record.command ?? record.cmd;
+    return typeof command === "string" ? command : undefined;
+}

package/dist/src/core/protection/engine.js

@@ -0,0 +1,226 @@
+import { mkdir, readFile, rm, stat, writeFile } from "node:fs/promises";
+import { dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
+import { smartPack, smartRead } from "../code-summary.js";
+import { reduceToolOutput } from "../log-reducer.js";
+import { createSavingsEvent } from "../savings.js";
+import { appendSavingsEvent, createStore, summarizeStore, writeRawOutput } from "../storage.js";
+import { activateHostedLicense, applySavingsCap, connectBillingClient, disconnectBillingClient, getBillingEntitlement } from "../billing.js";
+import { defaultSidecarPaths, requestSidecarReduceToolOutput, requestSidecarSmartPack, requestSidecarSmartRead, requestSidecarStatus, } from "./sidecar.js";
+export async function createProtectedEngine(input = {}) {
+    if (input.preferNativeSidecar === false)
+        return createDevelopmentEngine({ dataDir: input.dataDir });
+    try {
+        const status = await requestSidecarStatus(input.sidecarPaths ?? defaultSidecarPaths());
+        return createSidecarBackedEngine({ dataDir: input.dataDir, sidecarPaths: input.sidecarPaths ?? defaultSidecarPaths(), status });
+    }
+    catch {
+        return createDevelopmentEngine({
+            dataDir: input.dataDir,
+            protectionStatus: {
+                mode: "development-typescript",
+                tamper: "failed",
+            },
+        });
+    }
+}
+export function createSidecarBackedEngine(input) {
+    const store = createStore(input.dataDir);
+    return createEngineFromStore(store, {
+        mode: input.status.mode,
+        license: "not-configured",
+        rulePack: "development",
+        tamper: "passed",
+    }, input.sidecarPaths, input.status.freeMonthlySavedTokenCap);
+}
+export function createDevelopmentEngine(input = {}) {
+    const store = createStore(input.dataDir);
+    const status = {
+        mode: "development-typescript",
+        license: "not-configured",
+        rulePack: "development",
+        tamper: "not-checked",
+        ...input.protectionStatus,
+    };
+    return createEngineFromStore(store, status);
+}
+export function createEngineFromStore(store, status, sidecarPaths, freeCapTokens) {
+    const monthlyFreeCapTokens = freeCapTokens;
+    return {
+        async protectionStatus() {
+            return status;
+        },
+        async smartRead(input) {
+            if (!sidecarPaths)
+                return smartRead(input);
+            try {
+                const entitlement = await getBillingEntitlement(store, new Date(), monthlyFreeCapTokens);
+                const absPath = resolveInsideRoot(input.root, input.path);
+                const outputPath = sidecarOutputPath(store, input.sessionID, `smart-read-${Date.now()}.txt`);
+                await mkdir(dirname(outputPath), { recursive: true });
+                const result = await requestSidecarSmartRead({
+                    inputPath: absPath,
+                    outputPath,
+                    query: input.query,
+                    maxTokens: input.budget ?? 1600,
+                    paths: sidecarPaths,
+                    enforceFreeCap: entitlement.monthlyCapTokens !== null,
+                    monthlySavedTokens: entitlement.monthlySavedTokens,
+                });
+                const output = await readFile(outputPath, "utf8");
+                await rm(outputPath, { force: true });
+                const relPath = relative(input.root, absPath) || input.path;
+                const event = createSavingsEvent({
+                    sessionID: input.sessionID,
+                    source: "smart-read",
+                    label: relPath,
+                    wouldHaveUsedTokens: result.rawTokens,
+                    usedTokens: result.usedTokens,
+                    metadata: nativeSavingsMetadata({ mode: input.mode ?? "symbols", query: input.query, reducedBy: "native-sidecar" }, result),
+                });
+                return { output, rawTokens: result.rawTokens, usedTokens: result.usedTokens, event };
+            }
+            catch {
+                return smartRead(input);
+            }
+        },
+        async smartPack(input) {
+            if (!sidecarPaths || input.paths.some(hasGlobSyntax))
+                return smartPack(input);
+            try {
+                const entitlement = await getBillingEntitlement(store, new Date(), monthlyFreeCapTokens);
+                const files = [];
+                for (const item of input.paths) {
+                    const absPath = resolveInsideRoot(input.root, item);
+                    if (!(await stat(absPath)).isFile())
+                        return smartPack(input);
+                    files.push(absPath);
+                }
+                const manifestPath = sidecarOutputPath(store, input.sessionID, `smart-pack-${Date.now()}.manifest.txt`);
+                const outputPath = sidecarOutputPath(store, input.sessionID, `smart-pack-${Date.now()}.txt`);
+                await mkdir(dirname(manifestPath), { recursive: true });
+                await writeFile(manifestPath, `${files.join("\n")}\n`, "utf8");
+                const result = await requestSidecarSmartPack({
+                    manifestPath,
+                    outputPath,
+                    query: input.query,
+                    maxTokens: input.budget ?? 4000,
+                    paths: sidecarPaths,
+                    enforceFreeCap: entitlement.monthlyCapTokens !== null,
+                    monthlySavedTokens: entitlement.monthlySavedTokens,
+                });
+                const output = await readFile(outputPath, "utf8");
+                await rm(outputPath, { force: true });
+                await rm(manifestPath, { force: true });
+                const event = createSavingsEvent({
+                    sessionID: input.sessionID,
+                    source: "smart-pack",
+                    label: input.paths.join(", "),
+                    wouldHaveUsedTokens: result.rawTokens,
+                    usedTokens: result.usedTokens,
+                    metadata: nativeSavingsMetadata({ query: input.query, files: files.length, reducedBy: "native-sidecar" }, result),
+                });
+                return { output, rawTokens: result.rawTokens, usedTokens: result.usedTokens, event };
+            }
+            catch {
+                return smartPack(input);
+            }
+        },
+        async reduceToolOutput(input) {
+            const entitlement = await getBillingEntitlement(store, new Date(), monthlyFreeCapTokens);
+            if (!sidecarPaths && !entitlement.canOptimize) {
+                const event = createSavingsEvent({
+                    sessionID: input.sessionID,
+                    source: "tool-output",
+                    label: `${input.tool} (free cap reached)`,
+                    wouldHaveUsedTokens: 0,
+                    usedTokens: 0,
+                    metadata: { capped: true },
+                });
+                return { output: input.output, rawTokens: 0, usedTokens: 0, savedTokens: 0, event };
+            }
+            if (!sidecarPaths)
+                return reduceToolOutput({ store, ...input });
+            try {
+                const rawPath = await writeRawOutput(store, {
+                    sessionID: input.sessionID,
+                    callID: input.callID,
+                    output: input.output,
+                });
+                const reducedPath = `${rawPath}.reduced.txt`;
+                const reduced = await requestSidecarReduceToolOutput({
+                    inputPath: rawPath,
+                    outputPath: reducedPath,
+                    maxTokens: input.maxTokens,
+                    paths: sidecarPaths,
+                    enforceFreeCap: entitlement.monthlyCapTokens !== null,
+                    monthlySavedTokens: entitlement.monthlySavedTokens,
+                });
+                const output = await readFile(reducedPath, "utf8");
+                await rm(reducedPath, { force: true });
+                const event = await applySavingsCap(store, createSavingsEvent({
+                    sessionID: input.sessionID,
+                    source: "tool-output",
+                    label: input.tool,
+                    wouldHaveUsedTokens: reduced.rawTokens,
+                    usedTokens: reduced.usedTokens,
+                    metadata: nativeSavingsMetadata({ callID: input.callID, rawPath, reducedBy: "native-sidecar" }, reduced),
+                }), monthlyFreeCapTokens);
+                return {
+                    output,
+                    rawTokens: reduced.rawTokens,
+                    usedTokens: reduced.usedTokens,
+                    savedTokens: event.savedTokens,
+                    rawPath,
+                    event,
+                };
+            }
+            catch {
+                return reduceToolOutput({ store, ...input });
+            }
+        },
+        async recordSavings(event) {
+            await appendSavingsEvent(store, await applySavingsCap(store, event, monthlyFreeCapTokens));
+        },
+        summarize(sessionID) {
+            return summarizeStore(store, sessionID ? { sessionID } : {});
+        },
+        billing() {
+            return getBillingEntitlement(store, new Date(), monthlyFreeCapTokens);
+        },
+        connect(input) {
+            return connectBillingClient(store, input);
+        },
+        disconnect() {
+            return disconnectBillingClient(store);
+        },
+        activate(input) {
+            return activateHostedLicense(store, input);
+        },
+    };
+}
+function sidecarOutputPath(store, sessionID, filename) {
+    return join(store.rawOutputDir, safePathPart(sessionID), filename);
+}
+function safePathPart(value) {
+    return value.replace(/[^a-zA-Z0-9_.-]/g, "_").slice(0, 120) || "unknown";
+}
+function hasGlobSyntax(value) {
+    return /[*?\[\]{}]/.test(value);
+}
+function nativeSavingsMetadata(metadata, result) {
+    return {
+        ...metadata,
+        capCheckedBy: result.capChecked ? "native-sidecar" : undefined,
+        freeMonthlyCapTokens: result.freeCapTokens,
+        capped: result.capReached || undefined,
+    };
+}
+function resolveInsideRoot(root, requestedPath) {
+    const absRoot = resolve(root);
+    const absPath = isAbsolute(requestedPath) ? resolve(requestedPath) : resolve(absRoot, requestedPath);
+    const rel = relative(absRoot, absPath);
+    if (rel.startsWith("..") || rel === ".." || rel.includes(`..${sep}`)) {
+        throw new Error(`Path is outside project root: ${requestedPath}`);
+    }
+    return absPath;
+}

package/dist/src/core/protection/license-public-key.generated.js

@@ -0,0 +1,2 @@
+// Generated from the hosted license signing key. Do not edit by hand.
+export const LICENSE_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAR+Neoy7qucqnaSWEH2foZ710rZL+GcRUNmnUXDEbTxc=\n-----END PUBLIC KEY-----\n";

package/dist/src/core/protection/license.js

@@ -0,0 +1,27 @@
+import { createHash } from "node:crypto";
+import { hostname, userInfo } from "node:os";
+import { verifyEnvelope } from "./signing.js";
+export function verifyLicense(input) {
+    if (!verifyEnvelope(input.token, input.publicKeyPem)) {
+        return { ok: false, reason: "license signature is invalid", payload: input.token.payload };
+    }
+    const payload = input.token.payload;
+    const machineHash = input.machineHash ?? getMachineHash();
+    if (payload.machineHash !== machineHash) {
+        return { ok: false, reason: "license is for a different machine", payload };
+    }
+    if (payload.plan !== "Standard") {
+        return { ok: false, reason: "license plan is not Standard", payload };
+    }
+    const now = input.now ?? new Date();
+    const graceUntil = new Date(payload.offlineGraceUntil);
+    if (Number.isNaN(graceUntil.getTime()) || graceUntil < now) {
+        return { ok: false, reason: "offline grace period expired", payload };
+    }
+    if (payload.status === "active")
+        return { ok: true, payload, offline: true };
+    return { ok: false, reason: `license status is ${payload.status}`, payload };
+}
+export function getMachineHash(seed = `${hostname()}:${userInfo().username}`) {
+    return createHash("sha256").update(seed).digest("hex");
+}

package/dist/src/core/protection/rule-pack.js

@@ -0,0 +1,38 @@
+import { verifyEnvelope } from "./signing.js";
+export function verifyRulePack(input) {
+    if (!verifyEnvelope(input.envelope, input.publicKeyPem)) {
+        return { ok: false, reason: "rule pack signature is invalid", rulePack: input.envelope.payload };
+    }
+    const rulePack = input.envelope.payload;
+    if (!rulePack.id || !rulePack.version) {
+        return { ok: false, reason: "rule pack is missing id or version", rulePack };
+    }
+    if (rulePack.expiresAt) {
+        const expiresAt = new Date(rulePack.expiresAt);
+        if (Number.isNaN(expiresAt.getTime()))
+            return { ok: false, reason: "rule pack expiry is invalid", rulePack };
+        if (expiresAt < (input.now ?? new Date()))
+            return { ok: false, reason: "rule pack expired", rulePack };
+    }
+    return { ok: true, rulePack };
+}
+export const developmentRulePack = {
+    id: "tokenwarden-development",
+    version: "0.1.0",
+    issuedAt: "2026-06-06T00:00:00.000Z",
+    modelPricing: {},
+    reducerPatterns: [
+        "error",
+        "failed",
+        "exception",
+        "traceback",
+        "panic",
+        "fatal",
+        "warning",
+        "TS\\d{4}",
+    ],
+    smartPack: {
+        maxFileBytes: 512000,
+        defaultBudgetTokens: 4000,
+    },
+};

package/dist/src/core/protection/sidecar-public-key.generated.js

@@ -0,0 +1,2 @@
+// Generated by scripts/build-sidecar.mjs. Do not edit by hand.
+export const SIDECAR_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAmoM1wIcANnC/UDZx1jhxRu75SCtpFrFNWi5WNxEfot0=\n-----END PUBLIC KEY-----\n";

package/dist/src/core/protection/sidecar.js

@@ -0,0 +1,197 @@
+import { spawn } from "node:child_process";
+import { readFile } from "node:fs/promises";
+import { resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { verifyEnvelope } from "./signing.js";
+import { verifyFileChecksum } from "./tamper.js";
+import { SIDECAR_PUBLIC_KEY } from "./sidecar-public-key.generated.js";
+import { tokenWardenSiteURL } from "../build-config.js";
+export function defaultSidecarPaths(root = packageRoot()) {
+    const binaryPath = resolve(root, "native/bin", sidecarBinaryName());
+    return {
+        binaryPath,
+        manifestPath: `${binaryPath}.manifest.json`,
+    };
+}
+export function sidecarBinaryName(platform = process.platform, arch = process.arch) {
+    return `tokenwarden-engine-${platform}-${arch}${platform === "win32" ? ".exe" : ""}`;
+}
+function packageRoot() {
+    return fileURLToPath(new URL("../../../../", import.meta.url));
+}
+export async function verifySidecar(paths = defaultSidecarPaths()) {
+    let envelope;
+    try {
+        envelope = JSON.parse(await readFile(paths.manifestPath, "utf8"));
+    }
+    catch (error) {
+        return { ok: false, reason: `could not read sidecar manifest: ${error.message}` };
+    }
+    if (!verifyEnvelope(envelope, SIDECAR_PUBLIC_KEY)) {
+        return { ok: false, reason: "sidecar manifest signature is invalid", manifest: envelope.payload };
+    }
+    if (envelope.payload.platform !== process.platform || envelope.payload.arch !== process.arch) {
+        return { ok: false, reason: "sidecar manifest is for a different platform", manifest: envelope.payload };
+    }
+    const checksum = await verifyFileChecksum(paths.binaryPath, envelope.payload.sha256);
+    if (!checksum.ok)
+        return { ok: false, reason: `sidecar binary verification failed: ${checksum.reason}`, manifest: envelope.payload };
+    return { ok: true, manifest: envelope.payload };
+}
+export async function requestSidecarStatus(paths = defaultSidecarPaths()) {
+    const verification = await verifySidecar(paths);
+    if (!verification.ok)
+        throw new Error(verification.reason);
+    const response = await requestSidecar(paths.binaryPath, { id: 1, method: "status" });
+    if (!response.ok)
+        throw new Error(String(response.error ?? "sidecar status request failed"));
+    const result = response.result;
+    if (result.mode !== "native-sidecar" ||
+        typeof result.version !== "string" ||
+        typeof result.protocol !== "number" ||
+        typeof result.freeMonthlySavedTokenCap !== "number" ||
+        typeof result.siteURL !== "string") {
+        throw new Error("sidecar returned invalid status payload");
+    }
+    return result;
+}
+export async function requestSidecarReduceToolOutput(input) {
+    const paths = input.paths ?? defaultSidecarPaths();
+    const verification = await verifySidecar(paths);
+    if (!verification.ok)
+        throw new Error(verification.reason);
+    const response = await requestSidecar(paths.binaryPath, {
+        id: 1,
+        method: "reduce_tool_output",
+        inputPath: input.inputPath,
+        outputPath: input.outputPath,
+        maxTokens: input.maxTokens,
+        enforceFreeCap: input.enforceFreeCap ?? false,
+        monthlySavedTokens: input.monthlySavedTokens ?? 0,
+    });
+    if (!response.ok)
+        throw new Error(String(response.error ?? "sidecar reduce request failed"));
+    const result = response.result;
+    if (!isValidTokenCount(result.rawTokens) || !isValidTokenCount(result.usedTokens)) {
+        throw new Error("sidecar returned invalid reduce payload");
+    }
+    return result;
+}
+export async function requestSidecarSmartRead(input) {
+    const paths = input.paths ?? defaultSidecarPaths();
+    const verification = await verifySidecar(paths);
+    if (!verification.ok)
+        throw new Error(verification.reason);
+    const response = await requestSidecar(paths.binaryPath, {
+        id: 1,
+        method: "smart_read",
+        inputPath: input.inputPath,
+        outputPath: input.outputPath,
+        query: input.query ?? "",
+        maxTokens: input.maxTokens,
+        enforceFreeCap: input.enforceFreeCap ?? false,
+        monthlySavedTokens: input.monthlySavedTokens ?? 0,
+    });
+    if (!response.ok)
+        throw new Error(String(response.error ?? "sidecar smart_read request failed"));
+    return parseTokenResult(response.result, "smart_read");
+}
+export async function requestSidecarSmartPack(input) {
+    const paths = input.paths ?? defaultSidecarPaths();
+    const verification = await verifySidecar(paths);
+    if (!verification.ok)
+        throw new Error(verification.reason);
+    const response = await requestSidecar(paths.binaryPath, {
+        id: 1,
+        method: "smart_pack",
+        manifestPath: input.manifestPath,
+        outputPath: input.outputPath,
+        query: input.query ?? "",
+        maxTokens: input.maxTokens,
+        enforceFreeCap: input.enforceFreeCap ?? false,
+        monthlySavedTokens: input.monthlySavedTokens ?? 0,
+    });
+    if (!response.ok)
+        throw new Error(String(response.error ?? "sidecar smart_pack request failed"));
+    return parseTokenResult(response.result, "smart_pack");
+}
+export async function encryptedReadFile(path, paths = defaultSidecarPaths()) {
+    const response = await requestVerifiedSidecar(paths, { id: 1, method: "encrypted_read", path });
+    const result = response.result;
+    if (typeof result.found !== "boolean")
+        throw new Error("sidecar returned invalid encrypted_read payload");
+    if (!result.found)
+        return undefined;
+    if (typeof result.content !== "string")
+        throw new Error("sidecar returned invalid encrypted_read content");
+    return result.content;
+}
+export async function encryptedWriteFile(path, content, paths = defaultSidecarPaths()) {
+    await requestVerifiedSidecar(paths, { id: 1, method: "encrypted_write", path, content });
+}
+export async function encryptedAppendFile(path, content, paths = defaultSidecarPaths()) {
+    await requestVerifiedSidecar(paths, { id: 1, method: "encrypted_append", path, content });
+}
+export async function encryptedWriteFileFromPath(path, inputPath, paths = defaultSidecarPaths()) {
+    await requestVerifiedSidecar(paths, { id: 1, method: "encrypted_write_from_path", path, inputPath });
+}
+export async function encryptedDeleteFile(path, paths = defaultSidecarPaths()) {
+    await requestVerifiedSidecar(paths, { id: 1, method: "encrypted_delete", path });
+}
+function parseTokenResult(value, method) {
+    const result = value;
+    if (!isValidTokenCount(result.rawTokens) || !isValidTokenCount(result.usedTokens)) {
+        throw new Error(`sidecar returned invalid ${method} payload`);
+    }
+    return result;
+}
+function isValidTokenCount(value) {
+    return typeof value === "number" && Number.isFinite(value) && value >= 0;
+}
+async function requestVerifiedSidecar(paths, request) {
+    const verification = await verifySidecar(paths);
+    if (!verification.ok)
+        throw new Error(verification.reason);
+    const response = await requestSidecar(paths.binaryPath, request);
+    if (!response.ok)
+        throw new Error(String(response.error ?? "sidecar encrypted storage request failed"));
+    return response;
+}
+function requestSidecar(binaryPath, request) {
+    return new Promise((resolvePromise, reject) => {
+        const child = spawn(binaryPath, [], { stdio: ["pipe", "pipe", "pipe"], env: sidecarProcessEnv() });
+        let stdout = "";
+        let stderr = "";
+        child.stdout.setEncoding("utf8");
+        child.stderr.setEncoding("utf8");
+        child.stdout.on("data", (chunk) => {
+            stdout += chunk;
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += chunk;
+        });
+        child.on("error", reject);
+        child.on("close", (code) => {
+            const line = stdout.trim().split(/\r?\n/)[0];
+            if (!line) {
+                reject(new Error(stderr.trim() || `sidecar exited with code ${code}`));
+                return;
+            }
+            try {
+                resolvePromise(JSON.parse(line));
+            }
+            catch (error) {
+                reject(new Error(`sidecar returned invalid JSON: ${error.message}`));
+            }
+        });
+        child.stdin.end(`${JSON.stringify(request)}\n`);
+    });
+}
+export function sidecarProcessEnv() {
+    const siteURL = tokenWardenSiteURL();
+    return {
+        ...process.env,
+        TOKENWARDEN_SITE_URL: siteURL,
+        NEXT_PUBLIC_SITE_URL: siteURL,
+    };
+}