akm-cli 0.3.1 → 0.4.1

package/dist/common.js

@@ -8,6 +8,11 @@ export const IS_WINDOWS = process.platform === "win32";
 export function isHttpUrl(value) {
     return !!value && /^https?:\/\//.test(value);
 }
+export function filterNonEmptyStrings(value) {
+    if (!Array.isArray(value))
+        return undefined;
+    return value.filter((entry) => typeof entry === "string" && entry.trim().length > 0);
+}
 // ── Validators ──────────────────────────────────────────────────────────────
 export function isAssetType(type) {
     return Object.hasOwn(TYPE_DIRS, type);

package/dist/config-cli.js

@@ -26,6 +26,16 @@ export function parseConfigValue(key, value) {
             return { output: { format: parseOutputFormat(value) } };
         case "output.detail":
             return { output: { detail: parseOutputDetail(value) } };
+        case "security.installAudit.enabled":
+            return { security: { installAudit: { enabled: parseBooleanValue(value, key) } } };
+        case "security.installAudit.blockOnCritical":
+            return { security: { installAudit: { blockOnCritical: parseBooleanValue(value, key) } } };
+        case "security.installAudit.blockUnlistedRegistries":
+            return { security: { installAudit: { blockUnlistedRegistries: parseBooleanValue(value, key) } } };
+        case "security.installAudit.registryAllowlist":
+            return { security: { installAudit: { registryAllowlist: parseStringArrayValue(value, key) } } };
+        case "security.installAudit.registryWhitelist":
+            return { security: { installAudit: { registryAllowlist: parseStringArrayValue(value, key) } } };
         default:
             throw new UsageError(`Unknown config key: ${key}`);
     }
@@ -48,6 +58,18 @@ export function getConfigValue(config, key) {
             return config.output?.format ?? null;
         case "output.detail":
             return config.output?.detail ?? null;
+        case "security":
+            return config.security ?? null;
+        case "security.installAudit.enabled":
+            return config.security?.installAudit?.enabled ?? null;
+        case "security.installAudit.blockOnCritical":
+            return config.security?.installAudit?.blockOnCritical ?? null;
+        case "security.installAudit.blockUnlistedRegistries":
+            return config.security?.installAudit?.blockUnlistedRegistries ?? null;
+        case "security.installAudit.registryAllowlist":
+            return getInstallAuditAllowlist(config);
+        case "security.installAudit.registryWhitelist":
+            return getInstallAuditAllowlist(config);
         default:
             throw new UsageError(`Unknown config key: ${key}`);
     }
@@ -62,6 +84,11 @@ export function setConfigValue(config, key, rawValue) {
         case "stashes":
         case "output.format":
         case "output.detail":
+        case "security.installAudit.enabled":
+        case "security.installAudit.blockOnCritical":
+        case "security.installAudit.blockUnlistedRegistries":
+        case "security.installAudit.registryAllowlist":
+        case "security.installAudit.registryWhitelist":
             return mergeConfigValue(config, parseConfigValue(key, rawValue));
         default:
             throw new UsageError(`Unknown config key: ${key}`);
@@ -83,6 +110,28 @@ export function unsetConfigValue(config, key) {
             return { ...config, output: mergeOutputConfig(config.output, { format: undefined }) };
         case "output.detail":
             return { ...config, output: mergeOutputConfig(config.output, { detail: undefined }) };
+        case "security":
+            return { ...config, security: undefined };
+        case "security.installAudit.enabled":
+            return { ...config, security: mergeSecurityConfig(config.security, { installAudit: { enabled: undefined } }) };
+        case "security.installAudit.blockOnCritical":
+            return {
+                ...config,
+                security: mergeSecurityConfig(config.security, { installAudit: { blockOnCritical: undefined } }),
+            };
+        case "security.installAudit.blockUnlistedRegistries":
+            return {
+                ...config,
+                security: mergeSecurityConfig(config.security, { installAudit: { blockUnlistedRegistries: undefined } }),
+            };
+        case "security.installAudit.registryAllowlist":
+        case "security.installAudit.registryWhitelist":
+            return {
+                ...config,
+                security: mergeSecurityConfig(config.security, {
+                    installAudit: { registryAllowlist: undefined, registryWhitelist: undefined },
+                }),
+            };
         default:
             throw new UsageError(`Unknown or unsupported unset key: ${key}`);
     }
@@ -100,6 +149,8 @@ export function listConfig(config) {
         result.embedding = config.embedding;
     if (config.llm)
         result.llm = config.llm;
+    if (config.security)
+        result.security = config.security;
     return result;
 }
 function mergeConfigValue(config, partial) {
@@ -107,6 +158,7 @@ function mergeConfigValue(config, partial) {
         ...config,
         ...partial,
         output: mergeOutputConfig(config.output, partial.output),
+        security: mergeSecurityConfig(config.security, partial.security),
     };
 }
 function mergeOutputConfig(base, override) {
@@ -116,6 +168,18 @@ function mergeOutputConfig(base, override) {
     };
     return merged.format || merged.detail ? merged : undefined;
 }
+function mergeSecurityConfig(base, override) {
+    const mergedInstallAudit = mergeInstallAuditConfig(base?.installAudit, override?.installAudit);
+    return mergedInstallAudit ? { installAudit: mergedInstallAudit } : undefined;
+}
+function mergeInstallAuditConfig(base, override) {
+    const merged = {
+        ...(base ?? {}),
+        ...(override ?? {}),
+    };
+    const hasValue = Object.values(merged).some((value) => value !== undefined);
+    return hasValue ? merged : undefined;
+}
 function parseOutputFormat(value) {
     if (value === "json" || value === "yaml" || value === "text")
         return value;
@@ -126,6 +190,29 @@ function parseOutputDetail(value) {
         return value;
     throw new UsageError(`Invalid value for output.detail: expected one of brief|normal|full`);
 }
+function parseBooleanValue(value, key) {
+    if (value === "true")
+        return true;
+    if (value === "false")
+        return false;
+    throw new UsageError(`Invalid value for ${key}: expected true or false`);
+}
+function parseStringArrayValue(value, key) {
+    let parsed;
+    try {
+        parsed = JSON.parse(value);
+    }
+    catch {
+        throw new UsageError(`Invalid value for ${key}: expected a JSON array of strings`);
+    }
+    if (!Array.isArray(parsed) || parsed.some((entry) => typeof entry !== "string")) {
+        throw new UsageError(`Invalid value for ${key}: expected a JSON array of strings`);
+    }
+    return parsed;
+}
+function getInstallAuditAllowlist(config) {
+    return config.security?.installAudit?.registryAllowlist ?? config.security?.installAudit?.registryWhitelist ?? null;
+}
 function parseRegistriesValue(value) {
     if (value === "null" || value === "")
         return undefined;

package/dist/config.js

@@ -1,5 +1,6 @@
 import fs from "node:fs";
 import path from "node:path";
+import { filterNonEmptyStrings } from "./common";
 import { getConfigDir as _getConfigDir, getConfigPath as _getConfigPath } from "./paths";
 // ── Defaults ────────────────────────────────────────────────────────────────
 export const DEFAULT_CONFIG = {
@@ -21,42 +22,47 @@ export function getConfigPath() {
     return _getConfigPath();
 }
 // ── Load / Save / Update ────────────────────────────────────────────────────
+const PROJECT_CONFIG_RELATIVE_PATH = path.join(".akm", "config.json");
 let cachedConfig;
+let cachedUserConfig;
 export function resetConfigCache() {
     cachedConfig = undefined;
+    cachedUserConfig = undefined;
 }
-export function loadConfig() {
+export function loadUserConfig() {
     const configPath = getConfigPath();
     let stat;
     try {
         stat = fs.statSync(configPath);
-        if (cachedConfig && cachedConfig.path === configPath && cachedConfig.mtime === stat.mtimeMs) {
-            return cachedConfig.config;
+        if (cachedUserConfig && cachedUserConfig.path === configPath && cachedUserConfig.mtime === stat.mtimeMs) {
+            return cachedUserConfig.config;
         }
     }
     catch {
-        // File doesn't exist — return defaults below
-        cachedConfig = undefined;
-        return { ...DEFAULT_CONFIG };
-    }
-    const raw = readConfigObject(configPath);
-    const expanded = raw ? expandEnvVars(raw) : undefined;
-    const config = expanded ? pickKnownKeys(expanded) : { ...DEFAULT_CONFIG };
-    // Legacy: inject API keys from well-known env vars when not set via ${} substitution
-    if (config.embedding && !config.embedding.apiKey) {
-        const envKey = process.env.AKM_EMBED_API_KEY?.trim();
-        if (envKey)
-            config.embedding.apiKey = envKey;
+        cachedUserConfig = undefined;
+        return applyRuntimeEnvApiKeys({ ...DEFAULT_CONFIG });
     }
-    if (config.llm && !config.llm.apiKey) {
-        const envKey = process.env.AKM_LLM_API_KEY?.trim();
-        if (envKey)
-            config.llm.apiKey = envKey;
+    const config = mergeLoadedConfig(DEFAULT_CONFIG, readNormalizedConfig(configPath));
+    const finalConfig = applyRuntimeEnvApiKeys(config);
+    cachedUserConfig = { config: finalConfig, path: configPath, mtime: stat.mtimeMs };
+    return finalConfig;
+}
+export function loadConfig() {
+    const configPaths = getEffectiveConfigPaths();
+    const signature = getConfigSignature(configPaths);
+    if (cachedConfig && cachedConfig.signature === signature) {
+        return cachedConfig.config;
+    }
+    let config = loadUserConfig();
+    const userConfigPath = getConfigPath();
+    for (const configPath of configPaths) {
+        if (configPath === userConfigPath)
+            continue;
+        config = mergeLoadedConfig(config, readNormalizedConfig(configPath));
     }
-    // Cache the parsed config with its path and mtime for subsequent calls.
-    // Reuse the stat already obtained above (avoids a second syscall + TOCTOU gap).
-    cachedConfig = { config, path: configPath, mtime: stat.mtimeMs };
-    return config;
+    const finalConfig = applyRuntimeEnvApiKeys(config);
+    cachedConfig = { config: finalConfig, signature };
+    return finalConfig;
 }
 export function saveConfig(config) {
     cachedConfig = undefined;
@@ -98,7 +104,7 @@ function sanitizeConfigForWrite(config) {
     return sanitized;
 }
 export function updateConfig(partial) {
-    const current = loadConfig();
+    const current = loadUserConfig();
     // Shallow-merge for top-level scalar fields; deep-merge known object-type config keys.
     const merged = { ...current, ...partial };
     // Deep-merge output — partial update should not wipe sibling keys
@@ -113,12 +119,22 @@ export function updateConfig(partial) {
     if (current.llm && partial.llm && partial.llm !== current.llm) {
         merged.llm = { ...current.llm, ...partial.llm };
     }
+    if (current.security && partial.security && partial.security !== current.security) {
+        merged.security = mergeSecurityConfig(current.security, partial.security);
+    }
     saveConfig(merged);
     return merged;
 }
 // ── Helpers ─────────────────────────────────────────────────────────────────
+/**
+ * Normalize a raw config object into a sparse config layer containing only
+ * recognized keys that were valid in the source object. This function does not
+ * merge with DEFAULT_CONFIG; callers are responsible for layering defaults and
+ * combining multiple config sources so project config files only override what
+ * they set.
+ */
 function pickKnownKeys(raw) {
-    const config = { ...DEFAULT_CONFIG };
+    const config = {};
     if (typeof raw.stashDir === "string" && raw.stashDir.trim()) {
         config.stashDir = raw.stashDir.trim();
     }
@@ -159,14 +175,25 @@ function pickKnownKeys(raw) {
     const registries = parseRegistriesConfig(raw.registries);
     if (registries)
         config.registries = registries;
+    if (typeof raw.disableGlobalStashes === "boolean") {
+        config.disableGlobalStashes = raw.disableGlobalStashes;
+    }
     const stashes = parseStashesConfig(raw.stashes);
     if (stashes)
         config.stashes = stashes;
+    const security = parseSecurityConfig(raw.security);
+    if (security)
+        config.security = security;
     const output = parseOutputConfig(raw.output);
     if (output)
         config.output = output;
     return config;
 }
+function readNormalizedConfig(configPath) {
+    const raw = readConfigObject(configPath);
+    const expanded = raw ? expandEnvVars(raw) : undefined;
+    return expanded ? pickKnownKeys(expanded) : undefined;
+}
 function parseOutputConfig(value) {
     if (typeof value !== "object" || value === null || Array.isArray(value))
         return undefined;
@@ -440,6 +467,32 @@ function parseStashesConfig(value) {
         .filter((entry) => entry !== undefined);
     return entries;
 }
+function parseSecurityConfig(value) {
+    if (typeof value !== "object" || value === null || Array.isArray(value))
+        return undefined;
+    const obj = value;
+    const installAudit = parseInstallAuditConfig(obj.installAudit);
+    if (!installAudit)
+        return undefined;
+    return { installAudit };
+}
+function parseInstallAuditConfig(value) {
+    if (typeof value !== "object" || value === null || Array.isArray(value))
+        return undefined;
+    const obj = value;
+    const config = {};
+    if (typeof obj.enabled === "boolean")
+        config.enabled = obj.enabled;
+    if (typeof obj.blockOnCritical === "boolean")
+        config.blockOnCritical = obj.blockOnCritical;
+    if (typeof obj.blockUnlistedRegistries === "boolean")
+        config.blockUnlistedRegistries = obj.blockUnlistedRegistries;
+    const rawAllowlist = filterNonEmptyStrings(obj.registryAllowlist) ?? filterNonEmptyStrings(obj.registryWhitelist);
+    if (rawAllowlist) {
+        config.registryAllowlist = rawAllowlist;
+    }
+    return Object.keys(config).length > 0 ? config : undefined;
+}
 function parseStashConfigEntry(value) {
     if (typeof value !== "object" || value === null || Array.isArray(value))
         return undefined;
@@ -485,3 +538,122 @@ function parseRegistryConfigEntry(value) {
     }
     return entry;
 }
+function mergeSecurityConfig(base, override) {
+    if (!base && !override)
+        return undefined;
+    const installAudit = mergeInstallAuditConfig(base?.installAudit, override?.installAudit);
+    return installAudit ? { installAudit } : undefined;
+}
+function mergeInstallAuditConfig(base, override) {
+    if (!base && !override)
+        return undefined;
+    const merged = {
+        ...(base ?? {}),
+        ...(override ?? {}),
+    };
+    return Object.values(merged).some((value) => value !== undefined) ? merged : undefined;
+}
+/**
+ * Merge a normalized config layer into an accumulated config.
+ *
+ * Scalar fields follow normal override semantics. Known nested objects are
+ * deep-merged so project config files can override individual fields without
+ * clobbering sibling settings. `stashes` are additive by default, but a later
+ * layer can set `disableGlobalStashes: true` to drop inherited stashes first.
+ */
+function mergeLoadedConfig(base, override) {
+    if (!override)
+        return { ...base };
+    const merged = {
+        ...base,
+        ...override,
+    };
+    if (base.output && override.output) {
+        merged.output = { ...base.output, ...override.output };
+    }
+    if (base.embedding && override.embedding) {
+        merged.embedding = { ...base.embedding, ...override.embedding };
+    }
+    if (base.llm && override.llm) {
+        merged.llm = { ...base.llm, ...override.llm };
+    }
+    if (base.security && override.security) {
+        merged.security = mergeSecurityConfig(base.security, override.security);
+    }
+    if (override.disableGlobalStashes) {
+        merged.stashes = [...(override.stashes ?? [])];
+    }
+    else if (override.stashes) {
+        merged.stashes = [...(base.stashes ?? []), ...override.stashes];
+    }
+    return merged;
+}
+function applyRuntimeEnvApiKeys(config) {
+    const next = { ...config };
+    if (next.embedding && !next.embedding.apiKey) {
+        const envKey = process.env.AKM_EMBED_API_KEY?.trim();
+        if (envKey)
+            next.embedding = { ...next.embedding, apiKey: envKey };
+    }
+    if (next.llm && !next.llm.apiKey) {
+        const envKey = process.env.AKM_LLM_API_KEY?.trim();
+        if (envKey)
+            next.llm = { ...next.llm, apiKey: envKey };
+    }
+    return next;
+}
+/**
+ * Return config file paths in merge order: user config first, then project
+ * config files from the outermost parent directory down to the current working
+ * directory. Later entries have higher precedence when merged.
+ */
+function getEffectiveConfigPaths() {
+    const configPath = getConfigPath();
+    const paths = [];
+    if (isFile(configPath)) {
+        paths.push(configPath);
+    }
+    return [...paths, ...discoverProjectConfigPaths(process.cwd())];
+}
+/**
+ * Walk from `startDir` up to the filesystem root and collect `.akm/config.json`
+ * files. Paths are returned from outermost parent to innermost directory so
+ * nearer project directories override broader project settings.
+ */
+function discoverProjectConfigPaths(startDir) {
+    const paths = [];
+    let currentDir = path.resolve(startDir);
+    while (true) {
+        const configPath = path.join(currentDir, PROJECT_CONFIG_RELATIVE_PATH);
+        if (isFile(configPath)) {
+            paths.unshift(configPath);
+        }
+        const parentDir = path.dirname(currentDir);
+        if (parentDir === currentDir) {
+            break;
+        }
+        currentDir = parentDir;
+    }
+    return paths;
+}
+function getConfigSignature(configPaths) {
+    if (configPaths.length === 0)
+        return "defaults";
+    return configPaths.map((configPath) => `${configPath}:${getFileSignatureToken(configPath)}`).join("|");
+}
+function isFile(filePath) {
+    try {
+        return fs.statSync(filePath).isFile();
+    }
+    catch {
+        return false;
+    }
+}
+function getFileSignatureToken(filePath) {
+    try {
+        return String(fs.statSync(filePath).mtimeMs);
+    }
+    catch {
+        return "missing";
+    }
+}

package/dist/embedder.js

@@ -102,6 +102,28 @@ function l2Normalize(vec) {
     return vec.map((v) => v / norm);
 }
 // ── OpenAI-compatible remote embedder ───────────────────────────────────────
+function normalizeEmbeddingEndpoint(endpoint) {
+    let parsed;
+    try {
+        parsed = new URL(endpoint);
+    }
+    catch {
+        return endpoint;
+    }
+    const normalizedPath = parsed.pathname.replace(/\/+$/, "");
+    if (normalizedPath.endsWith("/embeddings")) {
+        return parsed.toString();
+    }
+    parsed.pathname = normalizedPath ? `${normalizedPath}/embeddings` : "/embeddings";
+    return parsed.toString();
+}
+function embeddingEndpointPathHint(endpoint) {
+    const normalizedEndpoint = normalizeEmbeddingEndpoint(endpoint);
+    if (normalizedEndpoint !== endpoint) {
+        return ` Check that your endpoint includes the full embeddings path (for example "${normalizedEndpoint}", not just "${endpoint}").`;
+    }
+    return "";
+}
 async function embedRemote(text, config) {
     const headers = { "Content-Type": "application/json" };
     if (config.apiKey) {
@@ -114,7 +136,7 @@ async function embedRemote(text, config) {
     if (config.dimension) {
         body.dimensions = config.dimension;
     }
-    const response = await fetchWithTimeout(config.endpoint, {
+    const response = await fetchWithTimeout(normalizeEmbeddingEndpoint(config.endpoint), {
         method: "POST",
         headers,
         body: JSON.stringify(body),
@@ -125,7 +147,7 @@ async function embedRemote(text, config) {
     }
     const json = (await response.json());
     if (!json.data?.[0]?.embedding) {
-        throw new Error("Unexpected embedding response format: missing data[0].embedding");
+        throw new Error(`Unexpected embedding response format: missing data[0].embedding.${embeddingEndpointPathHint(config.endpoint)}`);
     }
     return l2Normalize(json.data[0].embedding);
 }
@@ -228,7 +250,7 @@ async function embedRemoteBatch(texts, config) {
         if (config.dimension) {
             body.dimensions = config.dimension;
         }
-        const response = await fetchWithTimeout(config.endpoint, {
+        const response = await fetchWithTimeout(normalizeEmbeddingEndpoint(config.endpoint), {
             method: "POST",
             headers,
             body: JSON.stringify(body),
@@ -239,7 +261,7 @@ async function embedRemoteBatch(texts, config) {
         }
         const json = (await response.json());
         if (!json.data || json.data.length !== batch.length) {
-            throw new Error(`Unexpected embedding batch response: expected ${batch.length} embeddings, got ${json.data?.length ?? 0}`);
+            throw new Error(`Unexpected embedding batch response: expected ${batch.length} embeddings, got ${json.data?.length ?? 0}.${embeddingEndpointPathHint(config.endpoint)}`);
         }
         // Sort by index to guarantee correct order (OpenAI API doesn't guarantee order)
         const sorted = [...json.data].sort((a, b) => a.index - b.index);

package/dist/init.js

@@ -7,7 +7,7 @@
 import fs from "node:fs";
 import path from "node:path";
 import { TYPE_DIRS } from "./asset-spec";
-import { getConfigPath, loadConfig, saveConfig } from "./config";
+import { getConfigPath, loadUserConfig, saveConfig } from "./config";
 import { getBinDir, getDefaultStashDir } from "./paths";
 import { ensureRg } from "./ripgrep-install";
 export async function akmInit(options) {
@@ -25,7 +25,7 @@ export async function akmInit(options) {
     }
     // Persist stashDir in config.json
     const configPath = getConfigPath();
-    const existing = loadConfig();
+    const existing = loadUserConfig();
     if (!existing.stashDir || existing.stashDir !== stashDir) {
         saveConfig({ ...existing, stashDir });
     }