aiden-runtime 4.0.0 → 4.0.2

package/dist/core/permissionSystem.js

@@ -53,7 +53,7 @@ exports.permissionSystem = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const js_yaml_1 = __importDefault(require("js-yaml"));
-const minimatch_1 = __importDefault(require("minimatch"));
+const minimatch_1 = require("minimatch");
 // ── PermissionSystem ──────────────────────────────────────────
 class PermissionSystem {
     constructor() {
@@ -136,7 +136,7 @@ class PermissionSystem {
             if (!p.includes('*') && !p.includes('?') && !p.includes('[')) {
                 return normalized.toLowerCase().startsWith(p.toLowerCase().replace(/\s*$/, ''));
             }
-            return (0, minimatch_1.default)(normalized, p, { dot: true, matchBase: true, nocase: true });
+            return (0, minimatch_1.minimatch)(normalized, p, { dot: true, matchBase: true, nocase: true });
         });
     }
     // ── Audit ────────────────────────────────────────────────────

package/dist/core/toolRegistry.js

@@ -68,7 +68,7 @@ const paths_1 = require("./paths");
 const computerControl_1 = require("./computerControl");
 const webSearch_1 = require("./webSearch");
 const conversationMemory_1 = require("./conversationMemory");
-const minimatch_1 = __importDefault(require("minimatch"));
+const minimatch_1 = require("minimatch");
 const morningBriefing_1 = require("./morningBriefing");
 const marketDataTool_1 = require("./tools/marketDataTool");
 const companyFilingsTool_1 = require("./tools/companyFilingsTool");
@@ -124,7 +124,7 @@ const DENIED_PATHS = [
 ];
 function isPathDenied(filePath) {
     const normalized = normalizeFilePath(filePath);
-    return DENIED_PATHS.some(pattern => (0, minimatch_1.default)(normalized, pattern, { dot: true }));
+    return DENIED_PATHS.some(pattern => (0, minimatch_1.minimatch)(normalized, pattern, { dot: true }));
 }
 // ── Command deny rules ────────────────────────────────────────
 const DENIED_COMMANDS = [

package/dist/core/v4/firstRun/providerDetection.js

@@ -0,0 +1,287 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/firstRun/providerDetection.ts — Aiden v4.0.2 (Phase 30.2)
+ *
+ * Fast (< 100 ms) check at boot: does the user have ANY working
+ * provider configured? Drives the "auto-launch setup wizard if not"
+ * behaviour in cli/v4/aidenCLI.ts and the "model not configured"
+ * fallback in the boot card.
+ *
+ * Three signals are inspected, all local — no real API calls:
+ *
+ *   1. Env vars      — process.env keys matching any of the wizard's
+ *                      `PROVIDERS[].envVar` entries. (Wizard-managed
+ *                      `.env` is loaded into process.env upstream by
+ *                      `loadAidenEnvFile`, so this catches both shell
+ *                      env and Aiden's persisted .env.)
+ *
+ *   2. OAuth tokens  — `<paths.root>/auth/<provider>.json`. We treat
+ *                      the file's presence as "credentials available"
+ *                      — actual decrypt + expiry happens later in
+ *                      `runtimeResolver` and is reported via plugin
+ *                      boot-card status. Avoids paying scrypt + AES
+ *                      cost on every boot just to gate the wizard.
+ *
+ *   3. Ollama        — TCP probe of `http://localhost:11434/api/tags`
+ *                      with a HARD 80 ms abort. Non-fatal on timeout
+ *                      so a slow loopback doesn't slow boot.
+ *
+ * Returns a `ProviderDetection` snapshot the caller can consult to
+ * decide whether to launch the wizard. The shape is intentionally
+ * descriptive (lists, not just a boolean) so smoke tests and
+ * `aiden doctor` can render the why.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAvailableProviders = detectAvailableProviders;
+exports.summarizeDetection = summarizeDetection;
+const node_fs_1 = require("node:fs");
+const node_path_1 = __importDefault(require("node:path"));
+const setupWizard_1 = require("../../../cli/v4/setupWizard");
+/**
+ * Walk `PROVIDERS` and return env-var names whose value is set + non-empty.
+ * Includes the multi-slot Groq fallback vars so a user with `GROQ_API_KEY_2`
+ * but no primary still counts as configured.
+ */
+function detectEnvVars(env) {
+    const seen = new Set();
+    const out = [];
+    const consider = (name) => {
+        if (!name)
+            return;
+        if (seen.has(name))
+            return;
+        const val = env[name];
+        if (typeof val === 'string' && val.trim().length > 0) {
+            seen.add(name);
+            out.push(name);
+        }
+    };
+    for (const p of setupWizard_1.PROVIDERS)
+        consider(p.envVar);
+    // Multi-slot Groq fallbacks live in core/v4/providerFallback.ts. Keep
+    // this list local so detection has zero deep imports off the boot
+    // path; the fallback module is heavy.
+    for (const extra of [
+        'GROQ_API_KEY_2',
+        'GROQ_API_KEY_3',
+        'GROQ_API_KEY_4',
+        'TOGETHER_API_KEY',
+    ]) {
+        consider(extra);
+    }
+    return out;
+}
+/**
+ * Read `<paths.root>/auth/` and return provider ids whose `.json`
+ * file exists. ENOENT on the directory is treated as "no tokens".
+ */
+async function detectOAuthTokens(paths) {
+    const dir = node_path_1.default.join(paths.root, 'auth');
+    let entries;
+    try {
+        entries = await node_fs_1.promises.readdir(dir);
+    }
+    catch {
+        return [];
+    }
+    const out = [];
+    for (const e of entries) {
+        if (!e.endsWith('.json'))
+            continue;
+        const id = e.replace(/\.json$/, '');
+        // tokenStore writes one JSON per provider id; the file itself is
+        // always non-empty when it exists. Skip the size check — the
+        // resolver will surface a corrupt file with a clear error.
+        out.push(id);
+    }
+    return out;
+}
+/**
+ * Quick local probe of an Ollama daemon. Hard-aborts at `timeoutMs`
+ * so a slow loopback (e.g. WSL2 mirror mode warming up) never delays
+ * boot past the budget.
+ */
+async function probeOllamaQuick(opts) {
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), opts.timeoutMs);
+    try {
+        const res = await opts.fetchImpl('http://localhost:11434/api/tags', { signal: ctrl.signal });
+        return res.ok;
+    }
+    catch {
+        return false;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Cheap regex parse of `model.provider:` / `model.modelId:` AND the
+ * `providers:` section from config.yaml. Avoids pulling in js-yaml on
+ * the boot hot-path. Tolerates quoted values and inline comments.
+ * Returns nulls / empty list when the file is missing.
+ *
+ * The `providers:` walker mirrors `cli/v4/setupWizard.isFreshInstall`
+ * so a config.yaml that only carries inline `providers.foo.apiKey`
+ * (no env var) still counts as "the user has configured something" —
+ * the moat-boot test suite relies on this fixture shape.
+ */
+async function readConfigProviders(configYaml) {
+    let text;
+    try {
+        text = await node_fs_1.promises.readFile(configYaml, 'utf8');
+    }
+    catch {
+        return { provider: null, model: null, configuredProviders: [] };
+    }
+    const lines = text.split(/\r?\n/);
+    let inModel = false;
+    let inProviders = false;
+    let provider = null;
+    let model = null;
+    // Two-line lookahead would let us match `apiKey: ...` under each
+    // provider id; instead we keep the most recently seen provider id
+    // and stamp it on `configuredProviders` when its child field is
+    // populated. Idempotent within a single file.
+    let currentProviderId = null;
+    const seenProviders = [];
+    for (const raw of lines) {
+        const line = raw.replace(/#.*$/, '').replace(/\s+$/, '');
+        if (/^model\s*:\s*$/.test(line)) {
+            inModel = true;
+            inProviders = false;
+            currentProviderId = null;
+            continue;
+        }
+        if (/^providers\s*:\s*$/.test(line)) {
+            inProviders = true;
+            inModel = false;
+            currentProviderId = null;
+            continue;
+        }
+        // Top-level non-indented key ends both blocks.
+        if (/^\S/.test(line) && line.length > 0) {
+            inModel = false;
+            inProviders = false;
+            currentProviderId = null;
+            continue;
+        }
+        if (inModel) {
+            const provM = line.match(/^\s+provider\s*:\s*['"]?([^'"\s]+)['"]?\s*$/);
+            if (provM)
+                provider = provM[1];
+            const modM = line.match(/^\s+modelId\s*:\s*['"]?([^'"\s]+)['"]?\s*$/);
+            if (modM)
+                model = modM[1];
+            continue;
+        }
+        if (inProviders) {
+            // 2-space indented `<id>:` opens a provider entry.
+            const idM = line.match(/^  ([A-Za-z0-9_.-]+)\s*:\s*$/);
+            if (idM) {
+                currentProviderId = idM[1];
+                continue;
+            }
+            // 4-space indented `apiKey:` / `baseUrl:` flags it as configured.
+            if (currentProviderId &&
+                /^    (apiKey|baseUrl|auth)\s*:\s*\S/.test(line)) {
+                if (!seenProviders.includes(currentProviderId)) {
+                    seenProviders.push(currentProviderId);
+                }
+            }
+        }
+    }
+    return { provider, model, configuredProviders: seenProviders };
+}
+/**
+ * Map a config provider id to the env-var name(s) and/or OAuth provider
+ * id that would represent valid credentials for it. Drives the
+ * `configuredProviderHasCredentials` flag.
+ */
+function configProviderCredentialKeys(providerId) {
+    const entry = setupWizard_1.PROVIDERS.find((p) => p.id === providerId);
+    const envVars = [];
+    const oauthIds = [];
+    if (entry?.envVar)
+        envVars.push(entry.envVar);
+    // Pro/oauth providers store tokens under their provider id.
+    if (entry?.kind === 'pro' || entry?.kind === 'oauth') {
+        oauthIds.push(providerId);
+    }
+    // Ollama needs no credentials; mirror the env-var-less local-key path.
+    if (entry?.kind === 'local') {
+        envVars.push('__OLLAMA_REACHABLE__'); // sentinel handled by caller
+    }
+    return { envVars, oauthIds };
+}
+async function detectAvailableProviders(opts) {
+    const env = opts.env ?? process.env;
+    const fetchImpl = opts.fetchImpl ?? fetch;
+    const timeoutMs = opts.ollamaTimeoutMs ?? 80;
+    // Run the four independent probes in parallel — Ollama is the only
+    // one that can take real wall time, but capping it at 80 ms keeps
+    // total detection cost under the 100 ms budget on every realistic host.
+    const [envVars, oauthTokens, ollamaReachable, cfg] = await Promise.all([
+        Promise.resolve(detectEnvVars(env)),
+        detectOAuthTokens(opts.paths),
+        opts.skipOllamaProbe
+            ? Promise.resolve(false)
+            : probeOllamaQuick({ fetchImpl, timeoutMs }),
+        readConfigProviders(opts.paths.configYaml),
+    ]);
+    const hasAnyProvider = envVars.length > 0 ||
+        oauthTokens.length > 0 ||
+        ollamaReachable ||
+        cfg.configuredProviders.length > 0;
+    let configuredProviderHasCredentials = false;
+    if (cfg.provider) {
+        const want = configProviderCredentialKeys(cfg.provider);
+        const envHit = want.envVars.some((v) => v === '__OLLAMA_REACHABLE__' ? ollamaReachable : envVars.includes(v));
+        const oauthHit = want.oauthIds.some((id) => oauthTokens.includes(id));
+        // Inline `providers.<id>.apiKey` in config.yaml is also a valid
+        // credential source — it's what the moat-boot fixtures rely on
+        // and what users get when they hand-edit config.yaml.
+        const inlineHit = cfg.configuredProviders.includes(cfg.provider);
+        configuredProviderHasCredentials = envHit || oauthHit || inlineHit;
+    }
+    return {
+        hasAnyProvider,
+        envVars,
+        oauthTokens,
+        ollamaReachable,
+        configProvider: cfg.provider,
+        configModel: cfg.model,
+        configuredProviders: cfg.configuredProviders,
+        configuredProviderHasCredentials,
+    };
+}
+/**
+ * Format a single-line summary suitable for the boot UX preamble.
+ * Public so the wizard auto-trigger path can mirror it and so smoke
+ * tests can assert on stable text.
+ */
+function summarizeDetection(d) {
+    if (d.hasAnyProvider) {
+        const parts = [];
+        if (d.envVars.length > 0)
+            parts.push(`env: ${d.envVars.length}`);
+        if (d.oauthTokens.length > 0)
+            parts.push(`oauth: ${d.oauthTokens.length}`);
+        if (d.ollamaReachable)
+            parts.push('ollama');
+        if (d.configuredProviders.length > 0) {
+            parts.push(`config: ${d.configuredProviders.length}`);
+        }
+        return `Providers detected — ${parts.join(', ')}.`;
+    }
+    return 'No AI provider configured yet.';
+}

package/dist/core/version.js

@@ -2,4 +2,4 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 // AUTO-GENERATED by scripts/inject-version.js — do not edit by hand
-exports.VERSION = '4.0.0';
+exports.VERSION = '4.0.2';

package/dist/providers/v4/nullAdapter.js

@@ -0,0 +1,58 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * providers/v4/nullAdapter.ts — Aiden v4.0.2 (Phase 30.2.1)
+ *
+ * A `ProviderAdapter` that throws a typed `NotConfiguredError` on every
+ * call. Used when the setup wizard returns `status: 'skipped'` so the
+ * REPL can boot in "explore mode" — slash commands, skill listing,
+ * /providers etc. all work, but any chat attempt is intercepted by
+ * `ChatSession.runAgentTurn` BEFORE reaching the agent loop and
+ * surfaces a friendly "no provider configured" message.
+ *
+ * Why a stub instead of nullable types: every wiring downstream of
+ * the resolver assumes a non-null `provider` field on AidenAgent /
+ * ChatSession. Threading optionality through 6 layers of code would
+ * be a much larger blast radius for v4.0.2's UX-only patch. The stub
+ * is one file, one error type, fully typed.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NullAdapter = exports.NotConfiguredError = void 0;
+/**
+ * Sentinel error class. ChatSession checks `instanceof NotConfiguredError`
+ * to decide whether to print the friendly message or fall through to
+ * the generic adapter-error path.
+ */
+class NotConfiguredError extends Error {
+    constructor(msg = 'No AI provider configured yet.') {
+        super(msg);
+        this.notConfigured = true;
+        this.name = 'NotConfiguredError';
+    }
+}
+exports.NotConfiguredError = NotConfiguredError;
+/**
+ * Drop-in stub adapter. Reports `chat_completions` so the rest of the
+ * agent loop's provider-mode dispatch finds the same shape it expects;
+ * the actual `call()` / `callStream()` paths never run because
+ * `ChatSession` short-circuits on the explore-mode flag.
+ */
+class NullAdapter {
+    constructor() {
+        this.apiMode = 'chat_completions';
+    }
+    async call(_input) {
+        throw new NotConfiguredError('No AI provider configured yet. Run /setup to configure a provider, ' +
+            'or set an API key environment variable (e.g. GROQ_API_KEY).');
+    }
+    async *callStream(_input) {
+        throw new NotConfiguredError('No AI provider configured yet. Run /setup to configure a provider, ' +
+            'or set an API key environment variable (e.g. GROQ_API_KEY).');
+    }
+}
+exports.NullAdapter = NullAdapter;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aiden-runtime",
-  "version": "4.0.0",
+  "version": "4.0.2",
   "publishConfig": {
     "access": "public"
   },
@@ -61,9 +61,9 @@
     "dev": "electron electron/main.js",
     "build": "tsc --outDir dist && npm run build:cli && npm run build:api",
     "prebuild:cli": "node scripts/inject-version.js",
-    "build:cli": "esbuild cli/aiden.ts --bundle --platform=node --target=node18 --outfile=dist-bundle/cli.js --external:electron --external:cpu-features --external:ssh2 --external:bcrypt --external:playwright --external:playwright-core",
+    "build:cli": "esbuild cli/aiden.ts --bundle --platform=node --target=node18 --outfile=dist-bundle/cli.js --external:electron --external:cpu-features --external:ssh2 --external:bcrypt --external:playwright --external:playwright-core --external:@aws-sdk/client-s3",
     "prebuild:api": "node scripts/inject-version.js",
-    "build:api": "esbuild api/entry.ts --bundle --platform=node --target=node18 --outfile=dist-bundle/index.js --external:electron --external:cpu-features --external:ssh2 --external:bcrypt --external:playwright --external:playwright-core",
+    "build:api": "esbuild api/entry.ts --bundle --platform=node --target=node18 --outfile=dist-bundle/index.js --external:electron --external:cpu-features --external:ssh2 --external:bcrypt --external:playwright --external:playwright-core --external:@aws-sdk/client-s3",
     "prepublishOnly": "npm run typecheck && npm run build",
     "typecheck": "tsc --noEmit",
     "publish:beta": "npm publish --tag beta",
@@ -233,7 +233,7 @@
     "@types/twilio": "^3.19.2",
     "@types/ws": "^8.18.1",
     "archiver": "^7.0.1",
-    "axios": "^1.13.5",
+    "axios": "^1.15.2",
     "bcrypt": "^6.0.0",
     "better-sqlite3": "^12.9.0",
     "blessed": "^0.1.81",
@@ -255,7 +255,7 @@
     "kleur": "^4.1.5",
     "marked": "^15.0.12",
     "marked-terminal": "^7.3.0",
-    "multer": "^1.4.5-lts.2",
+    "multer": "^2.1.1",
     "nodemailer": "^8.0.3",
     "open": "^11.0.0",
     "ora": "^9.3.0",
@@ -272,12 +272,20 @@
     "whatsapp-web.js": "^1.26.0",
     "ws": "^8.20.0"
   },
+  "overrides": {
+    "basic-ftp": "^5.3.1",
+    "ip-address": "^10.1.1",
+    "semver": "^7.5.2",
+    "postcss": "^8.5.10",
+    "hono": "^4.12.16",
+    "minimatch": "^9.0.9"
+  },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.13",
     "@types/blessed": "^0.1.27",
     "@types/dockerode": "^4.0.1",
     "@types/js-yaml": "^4.0.9",
-    "@types/multer": "^1.4.12",
+    "@types/multer": "^2.0.0",
     "@types/node": "^25.3.0",
     "@types/nodemailer": "^7.0.11",
     "@types/pdf-parse": "^1.1.4",