@wundam/orchex 1.0.0-rc.2 → 1.0.0-rc.21

package/dist/config.d.ts

@@ -1,12 +1,16 @@
 import { z } from 'zod';
 export declare const PRODUCTION_URL = "https://orchex.dev";
-export declare const LLMProviderSchema: z.ZodEnum<["anthropic", "openai", "gemini", "ollama", "deepseek"]>;
+export declare const LLMProviderSchema: z.ZodEnum<["anthropic", "openai", "gemini", "ollama", "deepseek", "bedrock"]>;
 export type LLMProvider = z.infer<typeof LLMProviderSchema>;
 /**
  * Detect the LLM provider based on available environment variables.
  * Priority: ORCHEX_PROVIDER env var > first available API key
  */
 export declare function detectProvider(): LLMProvider;
+/**
+ * Log the detected provider and masked key at startup.
+ */
+export declare function logProviderDetection(): void;
 /**
  * Get the API key for a specific provider from environment variables.
  */
@@ -47,9 +51,13 @@ export declare const ConfigSchema: z.ZodObject<{
     /** User's subscription tier (synced from cloud on login) */
     tier: z.ZodDefault<z.ZodEnum<["free", "pro", "team", "enterprise"]>>;
     /** LLM provider (auto-detected if not set) */
-    provider: z.ZodOptional<z.ZodEnum<["anthropic", "openai", "gemini", "ollama", "deepseek"]>>;
+    provider: z.ZodOptional<z.ZodEnum<["anthropic", "openai", "gemini", "ollama", "deepseek", "bedrock"]>>;
     /** LLM model (uses provider default if not set) */
     model: z.ZodOptional<z.ZodString>;
+    /** Cached trial runs remaining (synced from cloud on login) */
+    trialRunsRemaining: z.ZodOptional<z.ZodNumber>;
+    /** Account creation date (synced from cloud on login, ISO string) */
+    accountCreatedAt: z.ZodOptional<z.ZodString>;
     telemetry: z.ZodDefault<z.ZodObject<{
         enabled: z.ZodDefault<z.ZodBoolean>;
         endpoint: z.ZodOptional<z.ZodString>;
@@ -68,16 +76,20 @@ export declare const ConfigSchema: z.ZodObject<{
         enabled: boolean;
         endpoint?: string | undefined;
     };
-    provider?: "anthropic" | "openai" | "gemini" | "ollama" | "deepseek" | undefined;
     apiKey?: string | undefined;
+    provider?: "anthropic" | "openai" | "gemini" | "ollama" | "deepseek" | "bedrock" | undefined;
     model?: string | undefined;
+    trialRunsRemaining?: number | undefined;
+    accountCreatedAt?: string | undefined;
 }, {
-    provider?: "anthropic" | "openai" | "gemini" | "ollama" | "deepseek" | undefined;
     apiKey?: string | undefined;
+    provider?: "anthropic" | "openai" | "gemini" | "ollama" | "deepseek" | "bedrock" | undefined;
     mode?: "local" | "cloud" | undefined;
     apiUrl?: string | undefined;
     tier?: "free" | "pro" | "team" | "enterprise" | undefined;
     model?: string | undefined;
+    trialRunsRemaining?: number | undefined;
+    accountCreatedAt?: string | undefined;
     telemetry?: {
         enabled?: boolean | undefined;
         endpoint?: string | undefined;
@@ -90,6 +102,12 @@ export type TelemetryConfig = z.infer<typeof TelemetryConfigSchema>;
  * Returns error message if invalid, undefined if valid.
  */
 export declare function validateCloudConfig(config: Config): string | undefined;
+/**
+ * Validate that cloud mode provider is compatible.
+ * Cloud execution currently only supports Anthropic.
+ * Returns error message if invalid, undefined if valid.
+ */
+export declare function validateCloudProvider(config: Pick<Config, 'mode' | 'provider'>): string | undefined;
 /**
  * Load config from disk. Returns defaults when file doesn't exist.
  */
@@ -102,3 +120,11 @@ export declare function saveConfig(partial: Partial<Config>): Promise<Config>;
  * Returns config with apiKey masked for safe display (CLI output, logs).
  */
 export declare function maskConfigForDisplay(config: Config): Record<string, unknown>;
+/**
+ * Resolve the API URL using priority order:
+ * 1. Explicit --api-url flag value
+ * 2. ORCHEX_API_URL environment variable
+ * 3. ORCHEX_STAGING_URL (deprecated — emits console.warn)
+ * 4. config.apiUrl from ~/.orchex/config.json (defaults to PRODUCTION_URL)
+ */
+export declare function resolveApiUrl(flagValue?: string): Promise<string>;

package/dist/config.js

@@ -3,12 +3,14 @@ import * as path from 'path';
 import * as os from 'os';
 import { z } from 'zod';
 import { TierIdSchema } from './tiers.js';
+import { createLogger } from './logging.js';
+const log = createLogger('config');
 // Well-known URLs
 export const PRODUCTION_URL = 'https://orchex.dev';
 // ============================================================================
 // LLM Provider Configuration
 // ============================================================================
-export const LLMProviderSchema = z.enum(['anthropic', 'openai', 'gemini', 'ollama', 'deepseek']);
+export const LLMProviderSchema = z.enum(['anthropic', 'openai', 'gemini', 'ollama', 'deepseek', 'bedrock']);
 /**
  * Detect the LLM provider based on available environment variables.
  * Priority: ORCHEX_PROVIDER env var > first available API key
@@ -16,7 +18,7 @@ export const LLMProviderSchema = z.enum(['anthropic', 'openai', 'gemini', 'ollam
 export function detectProvider() {
     // Explicit provider override
     const explicit = process.env.ORCHEX_PROVIDER?.toLowerCase();
-    if (explicit && ['anthropic', 'openai', 'gemini', 'ollama', 'deepseek'].includes(explicit)) {
+    if (explicit && ['anthropic', 'openai', 'gemini', 'ollama', 'deepseek', 'bedrock'].includes(explicit)) {
         return explicit;
     }
     // Auto-detect from available API keys (priority order)
@@ -28,11 +30,26 @@ export function detectProvider() {
         return 'gemini';
     if (process.env.DEEPSEEK_API_KEY)
         return 'deepseek';
+    if (process.env.AWS_ACCESS_KEY_ID && process.env.AWS_SECRET_ACCESS_KEY)
+        return 'bedrock';
     if (process.env.OLLAMA_BASE_URL || process.env.OLLAMA_HOST)
         return 'ollama';
     // Default to Anthropic (original behavior)
     return 'anthropic';
 }
+function maskKey(key) {
+    if (key.length <= 8)
+        return '****';
+    return key.slice(0, 4) + '...' + key.slice(-4);
+}
+/**
+ * Log the detected provider and masked key at startup.
+ */
+export function logProviderDetection() {
+    const provider = detectProvider();
+    const key = getProviderApiKey(provider);
+    log.info({ provider, key: key ? maskKey(key) : 'none' }, 'provider_detected');
+}
 /**
  * Get the API key for a specific provider from environment variables.
  */
@@ -46,6 +63,8 @@ export function getProviderApiKey(provider) {
             return process.env.GEMINI_API_KEY || process.env.GOOGLE_API_KEY;
         case 'deepseek':
             return process.env.DEEPSEEK_API_KEY;
+        case 'bedrock':
+            return undefined; // Bedrock uses AWS credentials, not API key
         case 'ollama':
             return undefined; // Ollama doesn't require an API key
     }
@@ -72,6 +91,7 @@ export const DEFAULT_MODELS = {
     openai: 'gpt-4.1',
     gemini: 'gemini-2.0-flash',
     deepseek: 'deepseek-coder',
+    bedrock: 'claude-3.5-sonnet',
     ollama: 'llama3.3:70b',
 };
 /**
@@ -125,6 +145,10 @@ export const ConfigSchema = z.object({
     provider: LLMProviderSchema.optional(),
     /** LLM model (uses provider default if not set) */
     model: z.string().optional(),
+    /** Cached trial runs remaining (synced from cloud on login) */
+    trialRunsRemaining: z.number().optional(),
+    /** Account creation date (synced from cloud on login, ISO string) */
+    accountCreatedAt: z.string().optional(),
     telemetry: TelemetryConfigSchema.default({ enabled: false }),
 });
 /**
@@ -137,6 +161,18 @@ export function validateCloudConfig(config) {
     }
     return undefined;
 }
+/**
+ * Validate that cloud mode provider is compatible.
+ * Cloud execution currently only supports Anthropic.
+ * Returns error message if invalid, undefined if valid.
+ */
+export function validateCloudProvider(config) {
+    if (config.mode !== 'cloud')
+        return undefined;
+    if (!config.provider || config.provider === 'anthropic')
+        return undefined;
+    return `Cloud mode currently only supports the Anthropic provider. Configured provider "${config.provider}" will be ignored by the cloud backend. Run: orchex config --provider anthropic`;
+}
 function configDir() {
     return process.env.ORCHEX_CONFIG_DIR ?? path.join(os.homedir(), '.orchex');
 }
@@ -179,3 +215,26 @@ export function maskConfigForDisplay(config) {
         apiKey: config.apiKey ? '...' + config.apiKey.slice(-6) : undefined,
     };
 }
+/**
+ * Resolve the API URL using priority order:
+ * 1. Explicit --api-url flag value
+ * 2. ORCHEX_API_URL environment variable
+ * 3. ORCHEX_STAGING_URL (deprecated — emits console.warn)
+ * 4. config.apiUrl from ~/.orchex/config.json (defaults to PRODUCTION_URL)
+ */
+export async function resolveApiUrl(flagValue) {
+    // 1. Explicit flag (--api-url)
+    if (flagValue)
+        return flagValue;
+    // 2. Standard env var
+    if (process.env.ORCHEX_API_URL)
+        return process.env.ORCHEX_API_URL;
+    // 3. Deprecated env var — warn and use it
+    if (process.env.ORCHEX_STAGING_URL) {
+        console.warn('⚠  ORCHEX_STAGING_URL is deprecated. Use ORCHEX_API_URL instead.');
+        return process.env.ORCHEX_STAGING_URL;
+    }
+    // 4. Config file (defaults to PRODUCTION_URL if never set)
+    const config = await loadConfig();
+    return config.apiUrl;
+}

package/dist/context-builder.d.ts

@@ -31,6 +31,8 @@ export interface BuildPromptOptions {
     model?: string;
     /** Whether to enforce hard budget limits (throws ContextBudgetExceededError) */
     enforceHardLimit?: boolean;
+    /** Whether this is a fix stream (parentStreamId is set). When true, adds context about post-failure file state. */
+    isFixStream?: boolean;
 }
 /**
  * Build an optimized prompt with caching hints for cost reduction.

package/dist/context-builder.js

@@ -1,7 +1,6 @@
 import * as fs from 'fs/promises';
 import * as path from 'path';
-import { pruneUnusedFiles, estimateTokens, generateCachingHints } from './intelligence/context-optimizer.js';
-import { checkBudget, createBudgetConfig, ContextBudgetExceededError, } from './intelligence/budget-enforcer.js';
+import { pruneUnusedFiles, estimateTokens, generateCachingHints, checkBudget, createBudgetConfig, ContextBudgetExceededError, } from './intelligence/index.js';
 const EXCLUDED_DIRS = new Set([
     'node_modules', '.git', 'dist', '.orchex', '.next',
     '__pycache__', '.cache', 'coverage', '.turbo',
@@ -322,7 +321,7 @@ async function readFileSafe(filePath) {
 // ============================================================================
 // Optimized Prompt Builder
 // ============================================================================
-import { extractRelevantChunks } from "./intelligence/file-chunker.js";
+import { extractRelevantChunks } from "./intelligence/index.js";
 /**
  * Build an optimized prompt with caching hints for cost reduction.
  *
@@ -382,7 +381,16 @@ export async function buildFullPromptOptimized(projectDir, streamId, manifest, o
     // belong in taskContent, which all executors include in their messages.
     // IMPORTANT: buildInstructions() contains the orchex-artifact format spec.
     // Without it, LLMs won't produce parseable output.
+    const fixNote = options.isFixStream ? [
+        '',
+        '## Fix Stream Context',
+        '',
+        'The files shown below reflect their CURRENT state on disk — after the previous failed attempt modified them.',
+        'Your job is to fix the issues in these files.',
+        '',
+    ].join('\n') : '';
     const taskContent = [
+        fixNote,
         buildTaskContent(streamId, stream.name, stream.plan ?? '', manifest.feature, stream.owns ?? []),
         depsCtx,
         buildInstructions(streamId, stream.owns ?? [], options.provider),

package/dist/cost.js

@@ -12,7 +12,7 @@ export const PROVIDER_RATES = {
     deepseek: { input: 0.00014, output: 0.0006 }, // Deepseek-VL
     ollama: { input: 0, output: 0 }, // Local, free
 };
-import { getModelCosts } from './intelligence/cost-tracker.js';
+import { getModelCosts } from './intelligence/index.js';
 /**
  * Return LLM stream cost in USD for given input and output token counts.
  * If model is provided, use precise model-level rate. Otherwise, use provider-level fallback rates.

package/dist/entitlements/jwt.d.ts

@@ -0,0 +1,7 @@
+import { type Tier } from '../tiers.js';
+import type { EntitlementClaims } from './types.js';
+type SignableClaims = Omit<EntitlementClaims, 'iat' | 'exp'>;
+export declare function signEntitlement(claims: SignableClaims, privateKeyPem: string, publicKeyPem: string, ttlOverride?: number): Promise<string>;
+export declare function verifyEntitlement(jwt: string, publicKeyPem: string | string[]): Promise<EntitlementClaims | null>;
+export declare function claimsToTier(claims: EntitlementClaims): Tier;
+export {};

package/dist/entitlements/jwt.js

@@ -0,0 +1,78 @@
+import { SignJWT, jwtVerify, importPKCS8, importSPKI } from 'jose';
+import { createHash } from 'crypto';
+import { getTier } from '../tiers.js';
+import { JWT_TTL_SECONDS } from './types.js';
+function computeKid(publicKeyPem) {
+    return createHash('sha256').update(publicKeyPem).digest('hex').slice(0, 8);
+}
+export async function signEntitlement(claims, privateKeyPem, publicKeyPem, ttlOverride) {
+    const privateKey = await importPKCS8(privateKeyPem, 'RS256');
+    const kid = computeKid(publicKeyPem);
+    const ttl = ttlOverride ?? JWT_TTL_SECONDS;
+    const payload = {
+        sub: claims.sub,
+        tier: claims.tier,
+        eff: claims.eff,
+        src: claims.src,
+    };
+    if (claims.promoId)
+        payload.promoId = claims.promoId;
+    if (ttl < 0) {
+        const now = Math.floor(Date.now() / 1000);
+        payload.iat = now + ttl - 1;
+        payload.exp = now + ttl;
+        return new SignJWT(payload)
+            .setProtectedHeader({ alg: 'RS256', kid })
+            .sign(privateKey);
+    }
+    return new SignJWT(payload)
+        .setProtectedHeader({ alg: 'RS256', kid })
+        .setIssuedAt()
+        .setExpirationTime(`${ttl}s`)
+        .sign(privateKey);
+}
+export async function verifyEntitlement(jwt, publicKeyPem) {
+    if (!jwt)
+        return null;
+    const pems = Array.isArray(publicKeyPem) ? publicKeyPem : [publicKeyPem];
+    let jwtKid;
+    try {
+        const headerB64 = jwt.split('.')[0];
+        const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString());
+        jwtKid = header.kid;
+    }
+    catch { /* proceed without kid matching */ }
+    for (const pem of pems) {
+        if (jwtKid && pems.length > 1) {
+            const pemKid = computeKid(pem);
+            if (pemKid !== jwtKid)
+                continue;
+        }
+        try {
+            const publicKey = await importSPKI(pem, 'RS256');
+            const { payload } = await jwtVerify(jwt, publicKey);
+            return {
+                sub: payload.sub,
+                tier: payload.tier,
+                eff: payload.eff,
+                src: payload.src,
+                promoId: payload.promoId,
+                iat: payload.iat,
+                exp: payload.exp,
+            };
+        }
+        catch { /* try next key */ }
+    }
+    return null;
+}
+export function claimsToTier(claims) {
+    const base = getTier(claims.tier);
+    return {
+        ...base,
+        maxWaves: claims.eff.maxWaves,
+        maxParallelAgents: claims.eff.maxParallelAgents,
+        maxProviders: claims.eff.maxProviders,
+        maxApiTokens: claims.eff.maxApiTokens,
+        cloudOrchestrations: claims.eff.cloudOrchestrations,
+    };
+}

package/dist/entitlements/resolve.d.ts

@@ -0,0 +1,17 @@
+import { type Tier } from '../tiers.js';
+/**
+ * Load the embedded public key PEM.
+ * Tries multiple paths: dist (npm package), src (dev), env var override.
+ */
+export declare function loadPublicKey(): Promise<string>;
+/**
+ * Resolve the user's effective tier, preferring a cached JWT entitlement.
+ *
+ * 1. Try JWT entitlement (works for both local and cloud modes)
+ * 2. Fallback: resolve effective tier from config (includes trial→pro logic)
+ */
+export declare function resolveEntitledTier(config: {
+    tier?: string;
+    accountCreatedAt?: string;
+    trialRunsRemaining?: number;
+}, publicKeyPem: string): Promise<Tier>;

package/dist/entitlements/resolve.js

@@ -0,0 +1,49 @@
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import { getCachedEntitlement } from '../key-cache.js';
+import { getTier, getEffectiveTier } from '../tiers.js';
+import { claimsToTier } from './jwt.js';
+let cachedPublicKey = null;
+/**
+ * Load the embedded public key PEM.
+ * Tries multiple paths: dist (npm package), src (dev), env var override.
+ */
+export async function loadPublicKey() {
+    if (cachedPublicKey)
+        return cachedPublicKey;
+    if (process.env.ENTITLEMENT_PUBLIC_KEY) {
+        cachedPublicKey = process.env.ENTITLEMENT_PUBLIC_KEY;
+        return cachedPublicKey;
+    }
+    const candidates = [
+        path.join(import.meta.dirname, 'public-key.pem'),
+        path.join(import.meta.dirname, '..', 'src', 'entitlements', 'public-key.pem'),
+        path.join(import.meta.dirname, '..', '..', 'src', 'entitlements', 'public-key.pem'),
+    ];
+    for (const p of candidates) {
+        try {
+            cachedPublicKey = await fs.readFile(p, 'utf-8');
+            return cachedPublicKey;
+        }
+        catch { /* try next */ }
+    }
+    throw new Error('Entitlement public key not found');
+}
+/**
+ * Resolve the user's effective tier, preferring a cached JWT entitlement.
+ *
+ * 1. Try JWT entitlement (works for both local and cloud modes)
+ * 2. Fallback: resolve effective tier from config (includes trial→pro logic)
+ */
+export async function resolveEntitledTier(config, publicKeyPem) {
+    const claims = await getCachedEntitlement(publicKeyPem);
+    if (claims)
+        return claimsToTier(claims);
+    // Fallback: use effective tier (handles trial→pro resolution)
+    const effectiveTierId = getEffectiveTier({
+        tier: config.tier ?? 'free',
+        createdAt: config.accountCreatedAt ?? new Date(0).toISOString(),
+        trialRunsRemaining: config.trialRunsRemaining ?? 0,
+    });
+    return getTier(effectiveTierId);
+}

package/dist/entitlements/types.d.ts

@@ -0,0 +1,21 @@
+import type { TierId } from '../tiers.js';
+export type EntitlementSource = 'base' | 'trial' | 'fff' | 'internal' | 'beta' | 'boost';
+export interface EntitlementClaims {
+    sub: string;
+    tier: TierId;
+    eff: {
+        maxWaves: number;
+        maxParallelAgents: number;
+        maxProviders: number;
+        maxApiTokens: number;
+        cloudOrchestrations: number;
+    };
+    src: EntitlementSource;
+    promoId?: string;
+    iat: number;
+    exp: number;
+}
+/** 'never' expiry maps to 100 years to avoid null handling. */
+export declare const NEVER_EXPIRY_YEARS = 100;
+/** JWT TTL in seconds — 24 hours. */
+export declare const JWT_TTL_SECONDS: number;

package/dist/entitlements/types.js

@@ -0,0 +1,4 @@
+/** 'never' expiry maps to 100 years to avoid null handling. */
+export const NEVER_EXPIRY_YEARS = 100;
+/** JWT TTL in seconds — 24 hours. */
+export const JWT_TTL_SECONDS = 24 * 60 * 60;

package/dist/executors/base.d.ts

@@ -91,7 +91,7 @@ export { Semaphore };
  * Default models for each provider.
  * Re-exported from config.ts for backward compatibility.
  */
-export declare const DEFAULT_MODELS: Record<"anthropic" | "openai" | "gemini" | "ollama" | "deepseek", string>;
+export declare const DEFAULT_MODELS: Record<"anthropic" | "openai" | "gemini" | "ollama" | "deepseek" | "bedrock", string>;
 /**
  * Map a generic model name to provider-specific model.
  * Allows users to specify "claude-sonnet-4-5" and it gets translated appropriately.

package/dist/executors/bedrock-executor.d.ts

@@ -0,0 +1,39 @@
+/**
+ * AWS Bedrock Executor
+ *
+ * Supports Claude (via Bedrock), Llama, and Mistral models.
+ * Auth via AWS credentials (access key + secret key, or IAM role).
+ */
+import type { ExecutorStrategy, ExecutionRequest, ExecutionResult } from '../types.js';
+import { ExecutorConfig } from './base.js';
+export declare function resolveBedrockModelId(model: string): string;
+export interface BedrockExecutorConfig extends ExecutorConfig {
+    region: string;
+    accessKeyId?: string;
+    secretAccessKey?: string;
+}
+export interface BedrockClientLike {
+    invokeModel(params: {
+        modelId: string;
+        contentType: string;
+        accept: string;
+        body: string;
+    }): Promise<{
+        body: Uint8Array | string;
+        contentType?: string;
+    }>;
+}
+export declare class BedrockExecutor implements ExecutorStrategy {
+    readonly provider = "bedrock";
+    private config;
+    private semaphore;
+    private client?;
+    constructor(config?: Partial<BedrockExecutorConfig>, client?: BedrockClientLike);
+    private getClient;
+    execute(request: ExecutionRequest): Promise<ExecutionResult>;
+    private executeWithRetry;
+    private invokeWithTimeout;
+    private invokeModel;
+    private buildRequestBody;
+    private parseResponse;
+}