chainlesschain 0.162.78 → 0.162.80

package/src/lib/mcp-serve.js

@@ -62,11 +62,14 @@ export function buildTools({ root, readOnly = false, deps = _deps }) {
         const text = (truncated ? buf.slice(0, MAX_READ_BYTES) : buf).toString(
           "utf-8",
         );
-        return ok(truncated ? `${text}\n… [truncated ${buf.length} bytes]` : text);
+        return ok(
+          truncated ? `${text}\n… [truncated ${buf.length} bytes]` : text,
+        );
       },
     },
     list_dir: {
-      description: "List a directory under the serve root (dirs get trailing /)",
+      description:
+        "List a directory under the serve root (dirs get trailing /)",
       inputSchema: {
         type: "object",
         properties: { path: { type: "string" } },
@@ -106,12 +109,14 @@ export function buildTools({ root, readOnly = false, deps = _deps }) {
             return;
           }
           for (const e of list) {
-            if (hits.length >= MAX_SEARCH_RESULTS || ++seen >= MAX_SEARCH_ENTRIES)
+            if (
+              hits.length >= MAX_SEARCH_RESULTS ||
+              ++seen >= MAX_SEARCH_ENTRIES
+            )
               return;
             const abs = deps.path.join(d, e.name);
             if (e.isDirectory()) {
-              if (!SKIP_DIRS.has(e.name) && !e.name.startsWith("."))
-                walk(abs);
+              if (!SKIP_DIRS.has(e.name) && !e.name.startsWith(".")) walk(abs);
             } else {
               const rel = deps.path.relative(root, abs).replace(/\\/g, "/");
               if (rel.toLowerCase().includes(q)) hits.push(rel);
@@ -125,7 +130,8 @@ export function buildTools({ root, readOnly = false, deps = _deps }) {
   };
   if (!readOnly) {
     tools.write_file = {
-      description: "Write a UTF-8 file under the serve root (creates parent dirs)",
+      description:
+        "Write a UTF-8 file under the serve root (creates parent dirs)",
       inputSchema: {
         type: "object",
         properties: {
@@ -138,7 +144,9 @@ export function buildTools({ root, readOnly = false, deps = _deps }) {
         const abs = confine(root, rel, deps);
         fs.mkdirSync(deps.path.dirname(abs), { recursive: true });
         fs.writeFileSync(abs, String(content), "utf-8");
-        return ok(`wrote ${Buffer.byteLength(String(content))} bytes to ${rel}`);
+        return ok(
+          `wrote ${Buffer.byteLength(String(content))} bytes to ${rel}`,
+        );
       },
     };
   }
@@ -163,11 +171,20 @@ export function startMcpServe(opts = {}) {
   const root = deps.path.resolve(opts.root || process.cwd());
   const readOnly = Boolean(opts.readOnly);
   const token =
-    opts.token === false
-      ? null
-      : opts.token || randomBytes(16).toString("hex");
+    opts.token === false ? null : opts.token || randomBytes(16).toString("hex");
   const tools = buildTools({ root, readOnly, deps });
 
+  // Guardrails for the request-collection phase: a JSON-RPC request is small,
+  // so cap the body and bound how long we wait for it. Without these a large
+  // body grows `raw` unbounded (memory) and a stalled client holds the socket
+  // forever (req.on("end") never fires). Both overridable for tests / tuning.
+  const maxRequestBytes = Number.isFinite(opts.maxRequestBytes)
+    ? opts.maxRequestBytes
+    : 1024 * 1024; // 1 MB
+  const requestTimeoutMs = Number.isFinite(opts.requestTimeoutMs)
+    ? opts.requestTimeoutMs
+    : 30000;
+
   const server = http.createServer((req, res) => {
     const send = (status, body) => {
       res.writeHead(status, { "Content-Type": "application/json" });
@@ -183,10 +200,49 @@ export function startMcpServe(opts = {}) {
       }
     }
     let raw = "";
+    let bytes = 0;
+    let aborted = false;
+    const collectTimer = setTimeout(() => {
+      if (aborted) return;
+      aborted = true;
+      try {
+        send(408, rpcError(null, -32001, "request timeout"));
+      } catch {
+        /* socket already gone */
+      }
+      req.destroy();
+    }, requestTimeoutMs);
+    req.on("error", () => {
+      if (aborted) return;
+      aborted = true;
+      clearTimeout(collectTimer);
+      // Request stream errored (client reset/dropped): no response is
+      // deliverable on a broken socket — just stop, don't crash the process.
+      try {
+        if (!res.writableEnded) res.destroy();
+      } catch {
+        /* ignore */
+      }
+    });
     req.on("data", (c) => {
+      if (aborted) return;
+      bytes += c.length;
+      if (bytes > maxRequestBytes) {
+        aborted = true;
+        clearTimeout(collectTimer);
+        try {
+          send(413, rpcError(null, -32600, "request too large"));
+        } catch {
+          /* socket already gone */
+        }
+        req.destroy();
+        return;
+      }
       raw += c;
     });
     req.on("end", () => {
+      if (aborted) return;
+      clearTimeout(collectTimer);
       let msg;
       try {
         msg = JSON.parse(raw);
@@ -224,7 +280,10 @@ export function startMcpServe(opts = {}) {
         if (method === "tools/call") {
           const tool = tools[params?.name];
           if (!tool) {
-            return send(200, rpcResult(id, fail(`unknown tool: ${params?.name}`)));
+            return send(
+              200,
+              rpcResult(id, fail(`unknown tool: ${params?.name}`)),
+            );
           }
           let result;
           try {

package/src/lib/multisig-runtime.js

@@ -150,11 +150,30 @@ export function readSecretKey(arg) {
 }
 
 /**
- * Read JSON from inline string or file path.
+ * Read JSON from an inline string or a file path. Errors name the file (or
+ * say it was inline) and carry the underlying parser reason, instead of a
+ * bare "Unexpected token …" / "ENOENT …" with no context.
  */
 export function readJsonArg(arg) {
+  if (arg == null || arg === "") {
+    throw new Error("Expected inline JSON or a path to a JSON file");
+  }
   if (fs.existsSync(arg)) {
-    return JSON.parse(fs.readFileSync(arg, "utf-8"));
+    let raw;
+    try {
+      raw = fs.readFileSync(arg, "utf-8");
+    } catch (e) {
+      throw new Error(`Cannot read JSON file "${arg}": ${e.message}`);
+    }
+    try {
+      return JSON.parse(raw);
+    } catch (e) {
+      throw new Error(`Invalid JSON in file "${arg}": ${e.message}`);
+    }
+  }
+  try {
+    return JSON.parse(arg);
+  } catch (e) {
+    throw new Error(`Invalid inline JSON argument: ${e.message}`);
   }
-  return JSON.parse(arg);
 }

package/src/lib/parse-json-option.js

@@ -0,0 +1,35 @@
+/**
+ * Parse a user-supplied JSON CLI option value.
+ *
+ * Many command actions pass raw `--flag` strings straight to `JSON.parse`,
+ * so malformed JSON surfaces as a raw `SyntaxError` — an ugly stack trace for
+ * actions without a try/catch, and a cryptic "Unexpected token …" for the rest.
+ * This helper turns that into a single, friendly `Invalid JSON for <label>: …`
+ * error, and consolidates the duplicated `_parseJsonArg` / `_parseMetaV2`
+ * helpers that several command files grew independently.
+ *
+ * @param {string|undefined|null} value  raw option string (e.g. `options.input`)
+ * @param {string} label                 user-facing label for errors (e.g. `"--input"`)
+ * @param {*} [fallback]                  returned when `value` is empty (default `undefined`)
+ * @returns the parsed JSON, or `fallback` when `value` is empty
+ * @throws {Error} `Invalid JSON for <label>: <reason>` when `value` is non-empty but unparseable
+ */
+export function parseJsonOption(value, label, fallback = undefined) {
+  if (value === undefined || value === null || value === "") return fallback;
+  // Defensive: a Commander custom parser may have already produced an object.
+  if (typeof value !== "string") return value;
+  try {
+    return JSON.parse(value);
+  } catch (e) {
+    const reason = e && e.message ? e.message : String(e);
+    // Friendly one-line message for the non-verbose error boundary, but keep the
+    // original SyntaxError reachable: chain it as `cause`, and append its stack
+    // to ours so `--verbose` (which prints err.stack) still surfaces the root
+    // SyntaxError type + location instead of swallowing it behind the wrapper.
+    const err = new Error(`Invalid JSON for ${label}: ${reason}`, { cause: e });
+    if (e && e.stack) err.stack += `\nCaused by: ${e.stack}`;
+    throw err;
+  }
+}
+
+export default parseJsonOption;

package/src/lib/parse-number-option.js

@@ -0,0 +1,27 @@
+/**
+ * Parse a user-supplied numeric CLI option value.
+ *
+ * Command actions often do `parseFloat(options.x)` / `parseInt(options.x)`
+ * straight into domain logic. When the flag is malformed (`--weight abc`,
+ * `--amount 1,5`) those yield `NaN`, which then flows silently into stored
+ * records and math (vote weights, amounts, thresholds) — corrupt data with no
+ * error. This helper validates the value is a finite number and otherwise
+ * throws a single friendly `Invalid number for <label>: <value>` error
+ * (which reads cleanly through the CLI entry boundary).
+ *
+ * @param {string|number|undefined|null} value  raw option (e.g. `options.weight`)
+ * @param {string} label                        user-facing label (e.g. `"--weight"`)
+ * @param {*} [fallback]                         returned when `value` is empty (default `undefined`)
+ * @returns {number|*} the parsed finite number, or `fallback` when empty
+ * @throws {Error} when `value` is non-empty but not a finite number
+ */
+export function parseNumberOption(value, label, fallback = undefined) {
+  if (value === undefined || value === null || value === "") return fallback;
+  const n = typeof value === "number" ? value : Number(value);
+  if (!Number.isFinite(n)) {
+    throw new Error(`Invalid number for ${label}: ${JSON.stringify(value)}`);
+  }
+  return n;
+}
+
+export default parseNumberOption;

package/src/lib/runnable-provider.js

@@ -0,0 +1,216 @@
+/**
+ * Runnability guards for LLM model/provider selection.
+ *
+ * The task-based auto model-selector (lib/task-model-selector.js) switches the
+ * model by detected task type — e.g. a "quick" message on the `anthropic`
+ * provider becomes `claude-haiku`. That is WRONG when the target provider has
+ * no usable API key: it silently routes you onto a model you can't call and you
+ * get a 401. These helpers make selection "runnable-first": never switch onto a
+ * provider that has no usable (present) key, and let callers detect that the
+ * configured provider itself is not runnable.
+ *
+ * "Usable key" = a keyless local provider (ollama), OR the active session's
+ * configured key, OR the provider's standard env var (`<PROVIDER>_API_KEY`).
+ * Empty/whitespace keys never count (a missing or cleared key is not usable).
+ */
+import { BUILT_IN_PROVIDERS } from "./llm-providers.js";
+import { selectModelForTask, TaskType } from "./task-model-selector.js";
+
+function nonEmpty(v) {
+  return typeof v === "string" && v.trim().length > 0;
+}
+
+/** Is this an authentication/authorization failure (missing/invalid/expired key)? */
+export function isAuthError(err) {
+  if (!err) return false;
+  const status =
+    typeof err.status === "number"
+      ? err.status
+      : typeof err.statusCode === "number"
+        ? err.statusCode
+        : null;
+  if (status === 401 || status === 403) return true;
+  const msg = String(err.message || err).toLowerCase();
+  return /\b401\b|\b403\b|unauthorized|forbidden|authentication failed|api[\s_-]*key required|invalid api[\s_-]*key|incorrect api[\s_-]*key|expired/.test(
+    msg,
+  );
+}
+
+/** Host of a baseUrl, lowercased, or "" — tolerant of a bare host string. */
+function hostOf(url) {
+  if (!nonEmpty(url)) return "";
+  try {
+    return new URL(url).host.toLowerCase();
+  } catch {
+    return String(url).toLowerCase();
+  }
+}
+
+/**
+ * Infer the provider a baseUrl actually belongs to. Catches a config where the
+ * provider field disagrees with the endpoint (e.g. provider "anthropic" but
+ * baseUrl points at volces.com → really volcengine). Returns null if unknown.
+ */
+export function inferProviderFromBaseUrl(baseUrl) {
+  const host = hostOf(baseUrl);
+  if (!host) return null;
+  for (const [name, def] of Object.entries(BUILT_IN_PROVIDERS)) {
+    const defHost = hostOf(def.baseUrl);
+    if (defHost && (host === defHost || host.endsWith("." + defHost))) {
+      return name;
+    }
+  }
+  return null;
+}
+
+function envKey(provider, env) {
+  const def = BUILT_IN_PROVIDERS[provider];
+  return def && def.apiKeyEnv ? env[def.apiKeyEnv] : null;
+}
+
+/** A sensible default model for a provider (its CHAT task model). */
+function defaultModelFor(provider) {
+  return selectModelForTask(provider, TaskType.CHAT) || undefined;
+}
+
+/**
+ * Wrap a chatFn so an AUTH failure (no / wrong / expired key for the resolved
+ * provider) self-heals to a provider we can actually run instead of failing the
+ * whole turn. Two recovery paths, in order:
+ *   1. baseUrl says otherwise — the endpoint belongs to a different provider
+ *      than the `provider` field; retry with that provider, SAME baseUrl + key
+ *      (fixes a mislabeled config like provider:anthropic + volces baseUrl).
+ *   2. env-keyed fallback — some other built-in provider has its key in the
+ *      environment; retry with that provider's baseUrl + env key + default model.
+ * If neither applies, the original (clear) auth error is rethrown. One hop only;
+ * never recurses. Non-auth errors pass straight through.
+ *
+ * @param {Function} chatFn
+ * @param {object} [opts] { env=process.env, onFallback?({from,to,reason}) }
+ */
+export function makeRunnableProviderFallback(
+  chatFn,
+  { env = process.env, onFallback } = {},
+) {
+  const notify = (info) => {
+    if (typeof onFallback === "function") {
+      try {
+        onFallback(info);
+      } catch {
+        /* notification is best-effort */
+      }
+    }
+  };
+  return async function runnableProviderFallback(messages, options = {}) {
+    try {
+      return await chatFn(messages, options);
+    } catch (err) {
+      if (!isAuthError(err)) throw err;
+      const failed = options.provider;
+
+      // 1) The endpoint belongs to a different provider than the label.
+      const inferred = inferProviderFromBaseUrl(options.baseUrl);
+      if (inferred && inferred !== failed) {
+        notify({ from: failed, to: inferred, reason: "baseurl-mismatch" });
+        return await chatFn(messages, {
+          ...options,
+          provider: inferred,
+          model: defaultModelFor(inferred) || options.model,
+        });
+      }
+
+      // 2) Another provider has a usable key in the environment.
+      for (const [name, def] of Object.entries(BUILT_IN_PROVIDERS)) {
+        if (name === failed) continue;
+        if (def.apiKeyEnv && nonEmpty(env[def.apiKeyEnv])) {
+          notify({ from: failed, to: name, reason: "env-key" });
+          return await chatFn(messages, {
+            ...options,
+            provider: name,
+            baseUrl: def.baseUrl,
+            apiKey: envKey(name, env),
+            model: defaultModelFor(name) || options.model,
+          });
+        }
+      }
+      throw err; // nowhere runnable to fall back to — surface the clear error
+    }
+  };
+}
+
+/**
+ * Can we actually call `provider` right now?
+ *
+ * @param {string} provider
+ * @param {object} [opts]
+ * @param {string} [opts.apiKey]   the session's configured key — only counts
+ *                                 when `isActive` (it belongs to the ACTIVE
+ *                                 provider, not an arbitrary one).
+ * @param {boolean} [opts.isActive=true]
+ * @param {object} [opts.env=process.env]
+ * @returns {boolean}
+ */
+export function hasUsableKey(
+  provider,
+  { apiKey, isActive = true, env = process.env } = {},
+) {
+  const def = BUILT_IN_PROVIDERS[provider];
+  if (!def) return false;
+  if (!def.apiKeyEnv) return true; // keyless local provider (e.g. ollama)
+  if (isActive && nonEmpty(apiKey)) return true;
+  return nonEmpty(env[def.apiKeyEnv]);
+}
+
+/**
+ * Gate the task-based auto model-switch on runnability. Returns the recommended
+ * model ONLY when the (active) provider is runnable; otherwise returns null so
+ * the caller keeps the user's configured model instead of switching onto
+ * something it can't call.
+ *
+ * @param {object} args
+ * @param {string} args.provider
+ * @param {string} [args.currentModel]
+ * @param {string|null} [args.recommended]   from selectModelForTask()
+ * @param {string} [args.apiKey]
+ * @param {object} [args.env=process.env]
+ * @returns {string|null} a model to switch to, or null to keep the current one
+ */
+export function runnableTaskModel({
+  provider,
+  currentModel,
+  recommended,
+  apiKey,
+  env = process.env,
+} = {}) {
+  if (!recommended || recommended === currentModel) return null;
+  return hasUsableKey(provider, { apiKey, isActive: true, env })
+    ? recommended
+    : null;
+}
+
+/**
+ * Find a provider we can actually run, "runnable-first": keep `provider` when
+ * it has a usable key; otherwise fall back to the first built-in provider whose
+ * env key is set; otherwise the keyless local provider (ollama). Returns
+ * `{ provider, runnable, fellBackFrom?, keyless? }`. Pure given `env`.
+ */
+export function pickRunnableProvider({
+  provider,
+  apiKey,
+  env = process.env,
+} = {}) {
+  if (provider && hasUsableKey(provider, { apiKey, isActive: true, env })) {
+    return { provider, runnable: true };
+  }
+  for (const [name, def] of Object.entries(BUILT_IN_PROVIDERS)) {
+    if (def.apiKeyEnv && nonEmpty(env[def.apiKeyEnv])) {
+      return { provider: name, runnable: true, fellBackFrom: provider || null };
+    }
+  }
+  return {
+    provider: "ollama",
+    runnable: true,
+    keyless: true,
+    fellBackFrom: provider || null,
+  };
+}

package/src/repl/agent-repl.js

@@ -52,6 +52,7 @@ import {
   detectTaskType,
   selectModelForTask,
 } from "../lib/task-model-selector.js";
+import { runnableTaskModel, hasUsableKey } from "../lib/runnable-provider.js";
 import { CLIPermanentMemory } from "../lib/permanent-memory.js";
 import { CLIAutonomousAgent, GoalStatus } from "../lib/autonomous-agent.js";
 import {
@@ -743,7 +744,9 @@ export async function startAgentRepl(options = {}) {
         _bundleResolved.approvalPolicy.default,
       );
       // Mirror it so Shift+Tab cycling starts from the real tier.
-      const applied = parsePermissionTier(_bundleResolved.approvalPolicy.default);
+      const applied = parsePermissionTier(
+        _bundleResolved.approvalPolicy.default,
+      );
       if (applied) _sessionTier = applied;
     } catch (_err) {
       // Non-critical — invalid policy value is silently ignored
@@ -1307,7 +1310,7 @@ export async function startAgentRepl(options = {}) {
         `  ${chalk.cyan("/theme")}      Color theme (/theme <auto|dark|light|mono>; mono = no color)`,
       );
       logger.log(
-        `  ${chalk.cyan("/config")}     Effective config (provider/model, keys masked)`,
+        `  ${chalk.cyan("/config")}     Show config; ${chalk.cyan("/config <key>")} read, ${chalk.cyan("/config <key>=<val>")} set`,
       );
       logger.log(
         `  ${chalk.cyan("/doctor")}     Session health check (provider/key/IDE/MCP/hooks)`,
@@ -2695,18 +2698,43 @@ export async function startAgentRepl(options = {}) {
 
     // `/config` — effective configuration (secret-safe): the LLM provider/model
     // in effect, whether keys are set, web-search backend, config path.
-    if (trimmed === "/config" || trimmed === "/config ") {
+    // `/config <key>` reads a value; `/config <key>=<value>` (Claude-Code
+    // parity) or `/config <key> <value>` persists one. Secrets stay masked.
+    if (trimmed === "/config" || trimmed.startsWith("/config ")) {
       try {
-        const { loadConfig } = await import("../lib/config-manager.js");
+        const cm = await import("../lib/config-manager.js");
         const { getConfigPath } = await import("../lib/paths.js");
-        const { renderConfigSummary } = await import("./config-summary.js");
-        logger.log(
-          renderConfigSummary(loadConfig(), {
-            path: getConfigPath(),
-            activeProvider: provider,
-            activeModel: _curModel || model,
-          }),
-        );
+        const {
+          renderConfigSummary,
+          parseConfigCommand,
+          renderConfigGet,
+          renderConfigSet,
+        } = await import("./config-summary.js");
+        const cmd = parseConfigCommand(trimmed.slice("/config".length));
+        if (cmd.action === "error") {
+          logger.error(chalk.red(`/config: ${cmd.message}`));
+        } else if (cmd.action === "get") {
+          logger.log(renderConfigGet(cmd.key, cm.getConfigValue(cmd.key)));
+        } else if (cmd.action === "set") {
+          cm.setConfigValue(cmd.key, cmd.value);
+          logger.log(
+            chalk.green("✓ ") +
+              renderConfigSet(cmd.key, cm.getConfigValue(cmd.key)),
+          );
+          logger.log(
+            chalk.gray(
+              "  (persisted; provider/model changes apply to new sessions)",
+            ),
+          );
+        } else {
+          logger.log(
+            renderConfigSummary(cm.loadConfig(), {
+              path: getConfigPath(),
+              activeProvider: provider,
+              activeModel: _curModel || model,
+            }),
+          );
+        }
       } catch (err) {
         logger.error(chalk.red(`/config failed: ${err.message}`));
       }
@@ -3080,16 +3108,35 @@ export async function startAgentRepl(options = {}) {
       // Slot-filling failure is non-critical
     }
 
-    // Auto-select best model based on task type
+    // Auto-select best model based on task type — but ONLY onto a runnable
+    // provider. The selector maps e.g. "fast" → claude-haiku on anthropic; if
+    // there's no usable key for the provider, never switch there (you'd just
+    // get a 401). Runnable-first: keep the configured (working) model instead.
     let activeModel = model;
     const taskDetection = detectTaskType(promptText);
     if (taskDetection.confidence > 0.3) {
       const recommended = selectModelForTask(provider, taskDetection.taskType);
-      if (recommended && recommended !== activeModel) {
-        activeModel = recommended;
+      const switchTo = runnableTaskModel({
+        provider,
+        currentModel: activeModel,
+        recommended,
+        apiKey,
+      });
+      if (switchTo) {
+        activeModel = switchTo;
         logger.info(
           chalk.gray(`[auto] ${taskDetection.name} → ${activeModel}`),
         );
+      } else if (
+        recommended &&
+        recommended !== activeModel &&
+        !hasUsableKey(provider, { apiKey })
+      ) {
+        logger.info(
+          chalk.gray(
+            `[auto] ${taskDetection.name}: keeping ${activeModel} — no usable key for "${provider}" (skipping ${recommended})`,
+          ),
+        );
       }
     }
 
@@ -3122,7 +3169,8 @@ export async function startAgentRepl(options = {}) {
         ? {
             onToken: (t) => {
               // Separate the answer from the dimmed reasoning above it (once).
-              if (!_liveStreamed && _liveThinkStarted) process.stdout.write("\n");
+              if (!_liveStreamed && _liveThinkStarted)
+                process.stdout.write("\n");
               _liveStreamed = true;
               process.stdout.write(t);
             },
@@ -3143,6 +3191,16 @@ export async function startAgentRepl(options = {}) {
         thinking: reasoning,
       } = await agentLoop(messages, {
         ...liveOpts,
+        // Visible auto-retry feedback (Claude-Code 2.1.181): when the model's
+        // streaming call hits a transient connection drop and retries, tell the
+        // user instead of leaving them staring at a silent pause. To stderr so
+        // it never corrupts the streamed answer on stdout.
+        onStreamRetry: (attempt) =>
+          process.stderr.write(
+            chalk.dim(
+              `  ⟳ connection dropped — retrying (attempt ${attempt})…\n`,
+            ),
+          ),
         signal: _turnAbort.signal,
         provider,
         model: activeModel,
@@ -3242,7 +3300,8 @@ export async function startAgentRepl(options = {}) {
         } else {
           // Phase G #2 — route through StreamRouter so REPL / WS / future
           // streaming providers share one StreamEvent protocol.
-          const { streamAgentResponse } = await import("../lib/agent-stream.js");
+          const { streamAgentResponse } =
+            await import("../lib/agent-stream.js");
           process.stdout.write("\n");
           const noStream = options.noStream === true;
           const streamResult = await streamAgentResponse(effectiveResponse, {

package/src/repl/config-summary.js

@@ -17,6 +17,72 @@ export function maskSecret(v) {
   return s.length <= 4 ? "set (hidden)" : `set (…${s.slice(-4)})`;
 }
 
+/**
+ * A config key whose value must never be echoed in plaintext in the
+ * (shoulder-surfable) interactive REPL — apiKey / secret / token / password.
+ * Matched on the last dotted segment (e.g. `llm.apiKey`, `webSearch.apiKey`).
+ */
+const SECRET_KEY_RE = /(api[_-]?key|secret|token|password|passwd)$/i;
+export function isSecretConfigKey(key) {
+  if (!key) return false;
+  const last = String(key).split(".").pop();
+  return SECRET_KEY_RE.test(last);
+}
+
+/**
+ * Parse the argument string after `/config` into an action.
+ * Mirrors Claude Code's `/config key=value` syntax, and also accepts the
+ * `/config key value` form. Returns one of:
+ *   { action: "show" }                       // `/config`
+ *   { action: "get", key }                   // `/config llm.model`
+ *   { action: "set", key, value }            // `/config llm.model=opus` | `/config llm.model opus`
+ *   { action: "error", message }
+ * `value` is the raw string; the caller coerces (true/false/null/number) via
+ * config-manager's setConfigValue.
+ *
+ * @param {string} argStr  everything after the literal `/config`
+ */
+export function parseConfigCommand(argStr) {
+  const s = (argStr || "").trim();
+  if (s === "") return { action: "show" };
+
+  const eq = s.indexOf("=");
+  if (eq !== -1) {
+    const key = s.slice(0, eq).trim();
+    const value = s.slice(eq + 1).trim();
+    if (!key) return { action: "error", message: "missing key before '='" };
+    return { action: "set", key, value };
+  }
+
+  // `key value` — split on the first run of whitespace.
+  const m = s.match(/^(\S+)\s+([\s\S]+)$/);
+  if (m) return { action: "set", key: m[1], value: m[2].trim() };
+
+  // Bare token → read that key.
+  return { action: "get", key: s };
+}
+
+/** Render a single config value for `/config <key>`, masking secrets. */
+export function renderConfigGet(key, value) {
+  if (value === undefined) return `${key} = (unset)`;
+  if (isSecretConfigKey(key)) return `${key} = ${maskSecret(value)}`;
+  const shown =
+    value !== null && typeof value === "object"
+      ? JSON.stringify(value)
+      : String(value);
+  return `${key} = ${shown}`;
+}
+
+/** Render the confirmation line after `/config <key>=<value>`. */
+export function renderConfigSet(key, storedValue) {
+  if (isSecretConfigKey(key)) return `set ${key} = ${maskSecret(storedValue)}`;
+  const shown =
+    storedValue !== null && typeof storedValue === "object"
+      ? JSON.stringify(storedValue)
+      : String(storedValue);
+  return `set ${key} = ${shown}`;
+}
+
 /**
  * @param {object|null} config  loaded config.json
  * @param {object} [opts]  { path, activeProvider, activeModel }