akm-cli 0.0.21 → 0.0.23

package/dist/config-cli.js

@@ -25,6 +25,8 @@ export function parseConfigValue(key, value) {
             return { llm: parseLlmConnectionValue(value) };
         case "registries":
             return { registries: parseRegistriesValue(value) };
+        case "stashes":
+            return { stashes: parseStashesValue(value) };
         case "output.format":
             return { output: { format: parseOutputFormat(value) } };
         case "output.detail":
@@ -47,6 +49,8 @@ export function getConfigValue(config, key) {
             return config.llm ?? null;
         case "registries":
             return config.registries ?? DEFAULT_CONFIG.registries ?? [];
+        case "stashes":
+            return config.stashes ?? [];
         case "output.format":
             return config.output?.format ?? null;
         case "output.detail":
@@ -63,6 +67,7 @@ export function setConfigValue(config, key, rawValue) {
         case "embedding":
         case "llm":
         case "registries":
+        case "stashes":
         case "output.format":
         case "output.detail":
             return mergeConfigValue(config, parseConfigValue(key, rawValue));
@@ -80,6 +85,8 @@ export function unsetConfigValue(config, key) {
             return { ...config, llm: undefined };
         case "registries":
             return { ...config, registries: undefined };
+        case "stashes":
+            return { ...config, stashes: undefined };
         case "output.format":
             return { ...config, output: mergeOutputConfig(config.output, { format: undefined }) };
         case "output.detail":
@@ -89,15 +96,21 @@ export function unsetConfigValue(config, key) {
     }
 }
 export function listConfig(config) {
-    return {
-        ...DEFAULT_CONFIG,
-        ...config,
+    const result = {
+        semanticSearch: config.semanticSearch,
+        registries: config.registries ?? DEFAULT_CONFIG.registries ?? [],
         output: mergeOutputConfig(DEFAULT_CONFIG.output, config.output) ?? null,
         stashDir: config.stashDir ?? null,
-        embedding: config.embedding ?? null,
-        llm: config.llm ?? null,
-        registries: config.registries ?? DEFAULT_CONFIG.registries ?? [],
+        installed: config.installed ?? [],
+        stashes: config.stashes ?? [],
     };
+    if (config.embedding)
+        result.embedding = config.embedding;
+    if (config.llm)
+        result.llm = config.llm;
+    if (config.searchPaths?.length)
+        result.searchPaths = config.searchPaths;
+    return result;
 }
 function mergeConfigValue(config, partial) {
     return {
@@ -236,3 +249,39 @@ function parseUnknownPositiveInteger(value, key) {
     }
     return value;
 }
+function parseStashesValue(value) {
+    if (value === "null" || value === "")
+        return undefined;
+    let parsed;
+    try {
+        parsed = JSON.parse(value);
+    }
+    catch {
+        throw new UsageError(`Invalid value for stashes: expected JSON array of {type, path?, url?, name?, enabled?, options?} objects`);
+    }
+    if (!Array.isArray(parsed)) {
+        throw new UsageError(`Invalid value for stashes: expected a JSON array`);
+    }
+    return parsed.map((entry, i) => {
+        if (typeof entry !== "object" || entry === null || Array.isArray(entry)) {
+            throw new UsageError(`Invalid value for stashes[${i}]: expected an object with a "type" field`);
+        }
+        const obj = entry;
+        if (typeof obj.type !== "string" || !obj.type) {
+            throw new UsageError(`Invalid value for stashes[${i}]: "type" is required`);
+        }
+        const result = { type: obj.type };
+        if (typeof obj.path === "string" && obj.path)
+            result.path = obj.path;
+        if (typeof obj.url === "string" && obj.url)
+            result.url = obj.url;
+        if (typeof obj.name === "string" && obj.name)
+            result.name = obj.name;
+        if (typeof obj.enabled === "boolean")
+            result.enabled = obj.enabled;
+        if (typeof obj.options === "object" && obj.options !== null && !Array.isArray(obj.options)) {
+            result.options = obj.options;
+        }
+        return result;
+    });
+}

package/dist/config.js

@@ -25,8 +25,9 @@ export function getConfigPath() {
 let cachedConfig;
 export function loadConfig() {
     const configPath = getConfigPath();
+    let stat;
     try {
-        const stat = fs.statSync(configPath);
+        stat = fs.statSync(configPath);
         if (cachedConfig && cachedConfig.path === configPath && cachedConfig.mtime === stat.mtimeMs) {
             return cachedConfig.config;
         }
@@ -37,10 +38,9 @@ export function loadConfig() {
         return { ...DEFAULT_CONFIG };
     }
     const raw = readConfigObject(configPath);
-    const config = raw ? pickKnownKeys(raw) : { ...DEFAULT_CONFIG };
-    // Inject API keys from environment variables.
-    // API keys should be provided via AKM_EMBED_API_KEY and AKM_LLM_API_KEY
-    // rather than stored in the config file.
+    const expanded = raw ? expandEnvVars(raw) : undefined;
+    const config = expanded ? pickKnownKeys(expanded) : { ...DEFAULT_CONFIG };
+    // Legacy: inject API keys from well-known env vars when not set via ${} substitution
     if (config.embedding && !config.embedding.apiKey) {
         const envKey = process.env.AKM_EMBED_API_KEY?.trim();
         if (envKey)
@@ -51,14 +51,9 @@ export function loadConfig() {
         if (envKey)
             config.llm.apiKey = envKey;
     }
-    // Cache the parsed config with its path and mtime for subsequent calls
-    try {
-        const stat = fs.statSync(configPath);
-        cachedConfig = { config, path: configPath, mtime: stat.mtimeMs };
-    }
-    catch {
-        // If we can't stat (unlikely since we just read it), skip caching
-    }
+    // Cache the parsed config with its path and mtime for subsequent calls.
+    // Reuse the stat already obtained above (avoids a second syscall + TOCTOU gap).
+    cachedConfig = { config, path: configPath, mtime: stat.mtimeMs };
     return config;
 }
 export function saveConfig(config) {
@@ -67,7 +62,7 @@ export function saveConfig(config) {
     const dir = path.dirname(configPath);
     fs.mkdirSync(dir, { recursive: true });
     const sanitized = sanitizeConfigForWrite(config);
-    const tmpPath = `${configPath}.tmp.${process.pid}`;
+    const tmpPath = `${configPath}.tmp.${process.pid}.${Math.random().toString(36).slice(2)}`;
     try {
         fs.writeFileSync(tmpPath, `${JSON.stringify(sanitized, null, 2)}\n`, "utf8");
         fs.renameSync(tmpPath, configPath);
@@ -89,19 +84,35 @@ export function saveConfig(config) {
  */
 function sanitizeConfigForWrite(config) {
     const sanitized = { ...config };
-    if (sanitized.embedding) {
-        const { apiKey, ...rest } = sanitized.embedding;
+    if (config.embedding) {
+        const { apiKey, ...rest } = config.embedding;
         sanitized.embedding = rest;
     }
-    if (sanitized.llm) {
-        const { apiKey, ...rest } = sanitized.llm;
+    if (config.llm) {
+        const { apiKey, ...rest } = config.llm;
         sanitized.llm = rest;
     }
+    // Drop empty keys to keep config clean
+    if (!config.searchPaths?.length)
+        delete sanitized.searchPaths;
     return sanitized;
 }
 export function updateConfig(partial) {
     const current = loadConfig();
+    // Shallow-merge for top-level scalar fields; deep-merge known object-type config keys.
     const merged = { ...current, ...partial };
+    // Deep-merge output — partial update should not wipe sibling keys
+    if (current.output && partial.output && partial.output !== current.output) {
+        merged.output = { ...current.output, ...partial.output };
+    }
+    // Deep-merge embedding — only when both sides are objects and partial does not intend to clear
+    if (current.embedding && partial.embedding && partial.embedding !== current.embedding) {
+        merged.embedding = { ...current.embedding, ...partial.embedding };
+    }
+    // Deep-merge llm — same pattern
+    if (current.llm && partial.llm && partial.llm !== current.llm) {
+        merged.llm = { ...current.llm, ...partial.llm };
+    }
     saveConfig(merged);
     return merged;
 }
@@ -129,6 +140,9 @@ function pickKnownKeys(raw) {
     const registries = parseRegistriesConfig(raw.registries);
     if (registries)
         config.registries = registries;
+    const stashes = parseStashesConfig(raw.stashes);
+    if (stashes)
+        config.stashes = stashes;
     const output = parseOutputConfig(raw.output);
     if (output)
         config.output = output;
@@ -147,6 +161,49 @@ function parseOutputConfig(value) {
     }
     return Object.keys(output).length > 0 ? output : undefined;
 }
+/**
+ * Field names that hold URLs and must NOT have env var substitution applied.
+ * Expanding ${VAR} inside a URL could leak secrets by redirecting requests to
+ * an attacker-controlled server if the config file is world-readable.
+ */
+const URL_FIELD_NAMES = new Set(["url", "endpoint", "artifactUrl"]);
+/**
+ * Recursively expand `${VAR}` references in all string values.
+ * Supports `${VAR}`, `${VAR:-default}`, and bare `$VAR` at the start of a value.
+ * Non-string values pass through unchanged.
+ *
+ * URL-type fields (named `url`, `endpoint`, `artifactUrl`, or whose value starts
+ * with `http://` / `https://`) are skipped to prevent secret injection into URLs.
+ */
+function expandEnvVars(value, fieldName) {
+    if (typeof value === "string") {
+        // Skip URL-type fields by name or by value prefix
+        if ((fieldName !== undefined && URL_FIELD_NAMES.has(fieldName)) ||
+            value.startsWith("http://") ||
+            value.startsWith("https://")) {
+            return value;
+        }
+        return value.replace(/\$\{([^}]+)\}|\$([A-Za-z_][A-Za-z0-9_]*)/g, (_match, braced, bare) => {
+            if (braced) {
+                const [name, ...rest] = braced.split(":-");
+                const fallback = rest.join(":-");
+                return process.env[name] ?? fallback ?? "";
+            }
+            return process.env[bare] ?? "";
+        });
+    }
+    if (Array.isArray(value)) {
+        return value.map((item) => expandEnvVars(item));
+    }
+    if (value !== null && typeof value === "object") {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            out[k] = expandEnvVars(v, k);
+        }
+        return out;
+    }
+    return value;
+}
 function readConfigObject(configPath) {
     try {
         const text = fs.readFileSync(configPath, "utf8");
@@ -168,7 +225,6 @@ export function stripJsonComments(text) {
     let result = "";
     let i = 0;
     let inString = false;
-    let stringChar = "";
     while (i < text.length) {
         if (inString) {
             if (text[i] === "\\") {
@@ -176,16 +232,16 @@ export function stripJsonComments(text) {
                 i += 2;
                 continue;
             }
-            if (text[i] === stringChar) {
+            if (text[i] === '"') {
                 inString = false;
             }
             result += text[i];
             i++;
             continue;
         }
-        if (text[i] === '"' || text[i] === "'") {
+        // JSON only uses double-quoted strings; single quotes are not valid JSON
+        if (text[i] === '"') {
             inString = true;
-            stringChar = text[i];
             result += text[i];
             i++;
             continue;
@@ -213,6 +269,10 @@ function parseEmbeddingConfig(value) {
     const obj = value;
     if (typeof obj.endpoint !== "string" || !obj.endpoint)
         return undefined;
+    if (!obj.endpoint.startsWith("http://") && !obj.endpoint.startsWith("https://")) {
+        console.warn(`[agentikit] Ignoring embedding config: endpoint must start with http:// or https://, got "${obj.endpoint}"`);
+        return undefined;
+    }
     if (typeof obj.model !== "string" || !obj.model)
         return undefined;
     const result = {
@@ -242,6 +302,10 @@ function parseLlmConfig(value) {
     const obj = value;
     if (typeof obj.endpoint !== "string" || !obj.endpoint)
         return undefined;
+    if (!obj.endpoint.startsWith("http://") && !obj.endpoint.startsWith("https://")) {
+        console.warn(`[agentikit] Ignoring llm config: endpoint must start with http:// or https://, got "${obj.endpoint}"`);
+        return undefined;
+    }
     if (typeof obj.model !== "string" || !obj.model)
         return undefined;
     const result = {
@@ -324,6 +388,38 @@ function parseRegistriesConfig(value) {
     // which overrides the default. Only return undefined if the field was not an array.
     return entries;
 }
+function parseStashesConfig(value) {
+    if (!Array.isArray(value))
+        return undefined;
+    const entries = value
+        .map((entry) => parseStashConfigEntry(entry))
+        .filter((entry) => entry !== undefined);
+    return entries;
+}
+function parseStashConfigEntry(value) {
+    if (typeof value !== "object" || value === null || Array.isArray(value))
+        return undefined;
+    const obj = value;
+    const type = asNonEmptyString(obj.type);
+    if (!type)
+        return undefined;
+    const entry = { type };
+    const entryPath = asNonEmptyString(obj.path);
+    if (entryPath)
+        entry.path = entryPath;
+    const url = asNonEmptyString(obj.url);
+    if (url)
+        entry.url = url;
+    const name = asNonEmptyString(obj.name);
+    if (name)
+        entry.name = name;
+    if (typeof obj.enabled === "boolean")
+        entry.enabled = obj.enabled;
+    if (typeof obj.options === "object" && obj.options !== null && !Array.isArray(obj.options)) {
+        entry.options = obj.options;
+    }
+    return entry;
+}
 function parseRegistryConfigEntry(value) {
     if (typeof value !== "object" || value === null || Array.isArray(value))
         return undefined;

package/dist/create-provider-registry.js

@@ -0,0 +1,18 @@
+/**
+ * Generic factory-map utility.
+ *
+ * Creates a lightweight registry that maps string keys to factory functions.
+ * Both registry-factory.ts (kit discovery) and stash-provider-factory.ts
+ * (stash source providers) are built on this utility.
+ */
+export function createProviderRegistry() {
+    const map = new Map();
+    return {
+        register(type, factory) {
+            map.set(type, factory);
+        },
+        resolve(type) {
+            return map.get(type) ?? null;
+        },
+    };
+}