npm - clawfast - Versions diffs - 2.1.1 → 2.2.0 - Mend

clawfast 2.1.1 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/clawfast.cjs +462 -67
package/package.json +1 -1

package/dist/clawfast.cjs CHANGED Viewed

@@ -548,11 +548,11 @@ function fileDefines(filePath, key) {
     return false;
   }
 }
-function swapNvidiaKey(key) {
+function swapProviderKey(envVar, key) {
   const local = import_node_path.default.resolve(process.cwd(), ".env.local");
-  const target = fileDefines(local, "NVIDIA_API_KEY") ? local : clawfastEnvPath();
-  setEnvVar(target, "NVIDIA_API_KEY", key);
-  process.env.NVIDIA_API_KEY = key;
+  const target = fileDefines(local, envVar) ? local : clawfastEnvPath();
+  setEnvVar(target, envVar, key);
+  process.env[envVar] = key;
   return target;
 }
 async function testNvidiaKey(key) {
@@ -586,6 +586,27 @@ async function testNvidiaKey(key) {
     };
   }
 }
+async function testOpenRouterKey(key) {
+  try {
+    const res = await fetch("https://openrouter.ai/api/v1/key", {
+      headers: { Authorization: `Bearer ${key}` }
+    });
+    if (res.ok) return { ok: true, status: res.status, detail: "OK" };
+    let detail = res.statusText || `HTTP ${res.status}`;
+    try {
+      const body = await res.json();
+      detail = body.error?.message || body.message || detail;
+    } catch {
+    }
+    return { ok: false, status: res.status, detail };
+  } catch (err) {
+    return {
+      ok: false,
+      status: 0,
+      detail: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
 function promptLine(question) {
   const rl = import_node_readline.default.createInterface({
     input: process.stdin,
@@ -634,7 +655,7 @@ ${C.dim}Para come\xE7ar, preciso de uma chave de modelo. Use a NVIDIA build (mod
   );
   return true;
 }
-var import_dotenv, import_node_os, import_node_path, import_node_fs, import_node_readline, clawfastHome, clawfastEnvPath, PROVIDER_KEYS, hasAnyProviderKey, C;
+var import_dotenv, import_node_os, import_node_path, import_node_fs, import_node_readline, clawfastHome, clawfastEnvPath, PROVIDER_KEYS, hasAnyProviderKey, swapNvidiaKey, swapOpenRouterKey, C;
 var init_config = __esm({
   "src/config.ts"() {
     "use strict";
@@ -645,8 +666,14 @@ var init_config = __esm({
     import_node_readline = __toESM(require("node:readline"));
     clawfastHome = () => process.env.CLAWFAST_HOME?.trim() || import_node_path.default.join(import_node_os.default.homedir(), ".clawfast");
     clawfastEnvPath = () => import_node_path.default.join(clawfastHome(), ".env");
-    PROVIDER_KEYS = ["NVIDIA_API_KEY", "OPENAI_API_KEY"];
+    PROVIDER_KEYS = [
+      "NVIDIA_API_KEY",
+      "OPENAI_API_KEY",
+      "OPENROUTER_API_KEY"
+    ];
     hasAnyProviderKey = () => PROVIDER_KEYS.some((name25) => Boolean(process.env[name25]?.trim()));
+    swapNvidiaKey = (key) => swapProviderKey("NVIDIA_API_KEY", key);
+    swapOpenRouterKey = (key) => swapProviderKey("OPENROUTER_API_KEY", key);
     C = {
       reset: "\x1B[0m",
       dim: "\x1B[90m",
@@ -662,7 +689,7 @@ var clawfastVersion, isDevVersion, isNewerVersion;
 var init_version = __esm({
   "src/version.ts"() {
     "use strict";
-    clawfastVersion = () => true ? "2.1.1" : "0.0.0-dev";
+    clawfastVersion = () => true ? "2.2.0" : devVersionFromPackageJson();
     isDevVersion = () => clawfastVersion().includes("-dev");
     isNewerVersion = (a, b) => {
       const parse3 = (v) => v.split("-")[0].split(".").map((n) => Number.parseInt(n, 10) || 0);
@@ -45777,7 +45804,36 @@ function supportsMultimodalToolResults(modelName) {
   const normalized = modelName.toLowerCase();
   return normalized === "ask-model" || normalized.includes("gemini") || normalized.includes("google/") || isAnthropicModel(normalized) || normalized.includes("anthropic/") || normalized.includes("claude") || normalized.includes("openai") || normalized.includes("openai/") || normalized.includes("gpt-") || normalized.includes("o1") || normalized.includes("o3") || normalized.includes("o4") || normalized.includes("x-ai/") || normalized.includes("grok");
 }
-var isRecord, isXaiModelSlug, isGeminiModelSlug, requestCanRouteToXai, requestCanRouteToGemini, hasOwnEncryptedContent, stripEncryptedContent, sanitizeOpenRouterRequestForXai, hasJsonRefKey, wrapToolContentIfGeminiRefSensitive, sanitizeOpenRouterRequestForGeminiFunctionResponses, patchKimiReasoningToolCalls, OPENROUTER_METADATA_HEADER, withOpenRouterMetadataHeader, openrouterPatchFetch, openrouter2, openai2, isNvidiaMistralModel, applyNvidiaMistralConfig, nvidiaPatchFetch, nvidia, deepseek, kimi, buildProviderMap, hasEnvValue, isDeepSeekEnabled, isKimiEnabled, CLI_MODEL_CHAIN, baseProviders, modelCutoffDates, modelDisplayNames, getModelDisplayName, getModelCutoffDate, myProvider;
+function resolveLanguageModel2(key) {
+  if (isOpenRouterDynamicKey(key)) {
+    return openrouter2(openRouterSlugFromKey(key));
+  }
+  return myProvider.languageModel(key);
+}
+async function listOpenRouterModels(signal) {
+  const key = process.env.OPENROUTER_API_KEY?.trim();
+  if (!key) throw new Error("OPENROUTER_API_KEY n\xE3o configurada");
+  const res = await fetch("https://openrouter.ai/api/v1/models", {
+    headers: { Authorization: `Bearer ${key}` },
+    signal
+  });
+  if (!res.ok) {
+    throw new Error(`OpenRouter /models falhou: HTTP ${res.status}`);
+  }
+  const json3 = await res.json();
+  const data = Array.isArray(json3.data) ? json3.data : [];
+  return data.map((raw) => {
+    if (!isRecord(raw) || typeof raw.id !== "string") return null;
+    const pricing = isRecord(raw.pricing) ? raw.pricing : void 0;
+    return {
+      id: raw.id,
+      name: typeof raw.name === "string" && raw.name.trim() ? raw.name : raw.id,
+      contextLength: typeof raw.context_length === "number" ? raw.context_length : void 0,
+      promptPrice: typeof pricing?.prompt === "string" ? pricing.prompt : void 0
+    };
+  }).filter((m) => m !== null).sort((a, b) => a.name.localeCompare(b.name));
+}
+var isRecord, isXaiModelSlug, isGeminiModelSlug, requestCanRouteToXai, requestCanRouteToGemini, hasOwnEncryptedContent, stripEncryptedContent, sanitizeOpenRouterRequestForXai, hasJsonRefKey, wrapToolContentIfGeminiRefSensitive, sanitizeOpenRouterRequestForGeminiFunctionResponses, patchKimiReasoningToolCalls, OPENROUTER_METADATA_HEADER, withOpenRouterMetadataHeader, openrouterPatchFetch, openrouter2, openai2, isNvidiaMistralModel, applyNvidiaMistralConfig, nvidiaPatchFetch, nvidia, deepseek, kimi, buildProviderMap, hasEnvValue, isDeepSeekEnabled, isKimiEnabled, CLI_MODEL_CHAIN, baseProviders, modelCutoffDates, modelDisplayNames, getModelDisplayName, getModelCutoffDate, myProvider, OPENROUTER_KEY_PREFIX, hasOpenRouterKey, isOpenRouterDynamicKey, openRouterSlugFromKey, openRouterKeyForSlug;
 var init_providers = __esm({
   "../lib/ai/providers.ts"() {
     "use strict";
@@ -46119,6 +46175,11 @@ var init_providers = __esm({
     myProvider = customProvider({
       languageModels: baseProviders
     });
+    OPENROUTER_KEY_PREFIX = "openrouter:";
+    hasOpenRouterKey = () => Boolean(process.env.OPENROUTER_API_KEY?.trim());
+    isOpenRouterDynamicKey = (key) => key.startsWith(OPENROUTER_KEY_PREFIX);
+    openRouterSlugFromKey = (key) => key.slice(OPENROUTER_KEY_PREFIX.length);
+    openRouterKeyForSlug = (slug) => `${OPENROUTER_KEY_PREFIX}${slug}`;
   }
 });
@@ -70372,6 +70433,9 @@ var init_local_sandbox = __esm({
             ["recon_ports.py", true],
             ["recon_content.py", true],
             ["recon_intel.py", true],
+            ["recon_routes.py", true],
+            ["exploit_engine.py", true],
+            ["harden.py", true],
             ["console_recon.js", true],
             ["README.md", true],
             ["scope.txt", false]
@@ -71506,6 +71570,7 @@ async function createAgent() {
     system += pythonOnlyPolicy();
     system += deepReconPolicy(sandbox.getWorkdir());
     system += reconPhasesPolicy(sandbox.getWorkdir());
+    system += attackChainPolicy(sandbox.getWorkdir());
     system += httpAndFindingsPolicy(sandbox.getWorkdir());
     system += buildCliNotesSection();
     system += buildSkillsIndexSection();
@@ -71603,6 +71668,33 @@ async function createAgent() {
         selection: getModelSelection()
       };
     }
+    if (isOpenRouterDynamicKey(raw)) {
+      if (!hasOpenRouterKey()) {
+        return {
+          ok: false,
+          message: "OpenRouter indispon\xEDvel: defina OPENROUTER_API_KEY em .env.local (https://openrouter.ai/keys)",
+          selection: getModelSelection()
+        };
+      }
+      const slug = openRouterSlugFromKey(raw).trim();
+      if (!slug) {
+        return {
+          ok: false,
+          message: "informe o modelo OpenRouter (ex.: openrouter:openai/gpt-4o)",
+          selection: getModelSelection()
+        };
+      }
+      const key = openRouterKeyForSlug(slug);
+      selectedModelKey = key;
+      currentModelName = key;
+      context2.modelName = key;
+      await rebuildSystemPrompt(key);
+      return {
+        ok: true,
+        message: `modelo fixado: ${labelFor(key)}`,
+        selection: getModelSelection()
+      };
+    }
     const choices = getModelChoices();
     let match;
     if (/^\d+$/.test(normalized)) {
@@ -71712,6 +71804,28 @@ ${seen}`);
     }
     return sections.join("\n\n");
   }
+  let lastKimiChatId = null;
+  async function reportKimiSession() {
+    const base = process.env.KIMI_BASE_URL?.trim();
+    if (!base) return;
+    try {
+      const url2 = `${base.replace(/\/+$/, "")}/session`;
+      const controller = new AbortController();
+      const timer2 = setTimeout(() => controller.abort(), 1500);
+      const res = await fetch(url2, { signal: controller.signal }).finally(
+        () => clearTimeout(timer2)
+      );
+      if (!res.ok) return;
+      const info = await res.json();
+      if (!info?.active || !info.chatId) return;
+      const isNew = info.chatId !== lastKimiChatId;
+      lastKimiChatId = info.chatId;
+      render.info(
+        `\u25B8 kimi: ${isNew ? "conversa \xFAnica ativa" : "mesma conversa"} (turno ${info.turns ?? "?"}) \u2014 ${info.url ?? info.chatId}`
+      );
+    } catch {
+    }
+  }
   async function send(userInput, signal) {
     history.push({ role: "user", content: userInput });
     if (!auditMode && detectProjectAuditIntent(userInput)) {
@@ -71809,7 +71923,7 @@ ${segs.join(
       };
       try {
         const result = streamText({
-          model: myProvider.languageModel(modelKey),
+          model: resolveLanguageModel2(modelKey),
           system: turnSystem,
           messages: history,
           tools,
@@ -71944,6 +72058,9 @@ ${resultText}`
             `\u25B8 fim do turno: ${finishReason}` + (autoContinues >= MAX_AUTO_CONTINUES ? " (limite de retomadas autom\xE1ticas atingido)" : "")
           );
         }
+        if (modelKey === PROXY_MODEL_KEYS.kimi) {
+          await reportKimiSession();
+        }
         render.endTurn();
         return;
       } catch (err) {
@@ -72056,10 +72173,12 @@ ${resultText}`
     getModelChoices,
     getModelSelection,
     setModelSelection,
+    isOpenRouterAvailable: hasOpenRouterKey,
+    listOpenRouterModels: (signal) => listOpenRouterModels(signal),
     close
   };
 }
-var import_promises2, import_node_path10, MAX_STEPS, MAX_OUTPUT_TOKENS, MAX_AUTO_CONTINUES, MAX_RATE_LIMIT_WAITS, STREAM_STALL_TIMEOUT_MS, MAX_STALL_RETRIES, isRateLimitError, sleep4, LEAKED_TOOL_CALL_RE, DANGLING_TAIL_RE, ACTION_ANNOUNCE_RE, BENIGN_CLOSER_RE, TOOL_CALL_NUDGE, MAX_BRIDGE_STEPS, BRIDGE_RESULT_PREAMBLE, LEAKED_CALL_RESULT_PREAMBLE, BRIDGEABLE_TOOLS, FINDINGS_ACTIONS, truncateBridgeSummary, isWebSessionProxyModel, proxyToolProtocolPolicy, SYSTEM_PROMPT_SOURCE, REQUIRED_SYSTEM_PROMPT_MARKERS, MODEL_LABELS, labelFor, loginRequiredHint, CLI_PYTHON_ONLY_POLICY, pythonOnlyPolicy, scriptFilePolicy, deepReconPolicy, httpAndFindingsPolicy, reconPhasesPolicy, skillsScopePolicy, hasEnvValue2, envFlagEnabled, CLI_PERSONALITIES, buildCliUserCustomization, buildCliNotesSection, cliGuardrailsConfig, maybeDumpSystemPrompt, auditSystemPrompt, assertFullSystemPrompt;
+var import_promises2, import_node_path10, MAX_STEPS, MAX_OUTPUT_TOKENS, MAX_AUTO_CONTINUES, MAX_RATE_LIMIT_WAITS, STREAM_STALL_TIMEOUT_MS, MAX_STALL_RETRIES, isRateLimitError, sleep4, LEAKED_TOOL_CALL_RE, DANGLING_TAIL_RE, ACTION_ANNOUNCE_RE, BENIGN_CLOSER_RE, TOOL_CALL_NUDGE, MAX_BRIDGE_STEPS, BRIDGE_RESULT_PREAMBLE, LEAKED_CALL_RESULT_PREAMBLE, BRIDGEABLE_TOOLS, FINDINGS_ACTIONS, truncateBridgeSummary, isWebSessionProxyModel, proxyToolProtocolPolicy, SYSTEM_PROMPT_SOURCE, REQUIRED_SYSTEM_PROMPT_MARKERS, MODEL_LABELS, labelFor, loginRequiredHint, CLI_PYTHON_ONLY_POLICY, pythonOnlyPolicy, scriptFilePolicy, deepReconPolicy, httpAndFindingsPolicy, reconPhasesPolicy, attackChainPolicy, skillsScopePolicy, hasEnvValue2, envFlagEnabled, CLI_PERSONALITIES, buildCliUserCustomization, buildCliNotesSection, cliGuardrailsConfig, maybeDumpSystemPrompt, auditSystemPrompt, assertFullSystemPrompt;
 var init_agent = __esm({
   "src/agent.ts"() {
     "use strict";
@@ -72150,6 +72269,7 @@ Regras:
 4. Crie/edite scripts e c\xF3digo-fonte SOMENTE via {"action":"write"} / {"action":"edit"} \u2014 nunca por redirecionamento de shell (echo >, cat <<EOF, tee, Out-File...).
 5. Durante a\xE7\xF5es, coloque o conte\xFAdo operacional apenas dentro do JSON. Fora do JSON use no m\xE1ximo uma frase curta.
 6. Quando a tarefa estiver conclu\xEDda, responda em texto normal SEM bloco json.
+7. VOC\xCA N\xC3O TEM AMBIENTE PR\xD3PRIO. Voc\xEA n\xE3o possui sandbox, m\xE1quina, terminal ou sistema de arquivos seu. Caminhos como /mnt, /mnt/agents, /mnt/kimi N\xC3O existem. A \xDANICA forma de listar pastas, ler arquivos ou rodar comandos \xE9 emitindo o bloco \`\`\`json acima \u2014 que o runtime executa na m\xE1quina REAL do operador (use o caminho/diret\xF3rio de trabalho informado no system prompt). NUNCA invente sa\xEDda de comando, conte\xFAdo de arquivo ou estrutura de diret\xF3rios; s\xF3 use o que voltar como resultado real. Para "analisar/olhar/listar <caminho>", sua PRIMEIRA resposta deve ser um bloco json, sem pre\xE2mbulo.
 </web_session_tool_protocol>`;
     SYSTEM_PROMPT_SOURCE = "lib/system-prompt.ts";
     REQUIRED_SYSTEM_PROMPT_MARKERS = [
@@ -72177,7 +72297,7 @@ Regras:
       "fallback-openai-chat-latest": "OpenAI - chat-latest",
       "model-nvidia-nemotron": "NVIDIA - nemotron-3-ultra-550b"
     };
-    labelFor = (key) => MODEL_LABELS[key] ?? key;
+    labelFor = (key) => isOpenRouterDynamicKey(key) ? `OpenRouter - ${openRouterSlugFromKey(key)}` : MODEL_LABELS[key] ?? key;
     loginRequiredHint = (msg) => {
       if (/account is suspended|violation of user policies|account has been suspended/i.test(
         msg
@@ -72283,6 +72403,26 @@ Beyond recon/recon_deep.py (HTTP/JS/secret/browser recon), the workspace at ${wo
 Each module writes a JSON (and where useful Markdown) report under ./reports/. Read it, then record anything actionable with the findings tool. You MAY extend any module via the file tool \u2014 keep it Python and keep the scope gate intact.
 </recon_phases>`;
+    attackChainPolicy = (workdir) => `
+<attack_and_remediation_chain>
+ABSOLUTE RULE FOR THIS LOCAL CLI SESSION \u2014 applies to EVERY model and EVERY task:
+When the operator asks you to "attack", "explore vulnerabilities", "exploit", "pentest hard", "find a way in", or to FIX/close a vulnerability, follow the seeded offensive\u2192defensive chain at ${workdir}/recon. Do NOT hand-roll a one-off exploit script \u2014 these modules are the canonical engines, scope-gated by recon/scope.txt, AUTHORIZED-USE-ONLY, and strictly NON-DESTRUCTIVE (they prove impact; they never DROP data, mass-exfiltrate, or DoS).
+1. MAP THE ROUTES (saber as rotas): \`python recon/recon_routes.py https://alvo.com --wayback\`
+   Aggregates crawl + HTML forms + JS endpoints + robots/sitemap + Swagger/OpenAPI (+ Wayback) into ONE route map, annotating each route with its parameters and whether it needs auth. Writes reports/routes_<host>.json. This is the attack surface.
+2. ATTACK & PROVE (o ataque): \`python recon/exploit_engine.py --routes reports/routes_<host>.json\`
+   (or a single target: \`python recon/exploit_engine.py "https://alvo/item?id=1" --classes sqli,xss,lfi,cmdi,ssrf,redir\`). Runs verified playbooks per OWASP class (SQLi error/boolean/time-based, reflected XSS, LFI/traversal, command injection, SSRF, open redirect, IDOR with --idor-range). It only marks a finding "confirmed" when the LIVE response proves impact, capturing the exact payload + evidence. Use --cookie / --header for authenticated endpoints, --sleep for time-based, --oob for SSRF callbacks. Writes reports/exploit_<host>.json.
+3. RECORD: take every CONFIRMED finding from the exploit report and store it with the \`findings\` tool (status confirmed, paste the evidence). This is the engagement memory and the executive report.
+4. CLOSE THE BREACH (fechar a brecha para n\xE3o ter acesso de novo): \`python recon/harden.py --report reports/exploit_<host>.json\`
+   For each confirmed finding it emits the concrete fix (parameterized queries, output encoding, allowlist validation, security headers, WAF rule) AND REPLAYS the PoC to verify: "FIXED" only once the exploit no longer reproduces. After the operator applies a fix, RUN harden.py AGAIN \u2014 a vuln is only closed when its verdict flips to FIXED \u2705. Report what is still STILL OPEN \u274C.
+Dependencies (optional, improve fidelity): \`python -m pip install requests\`. You MAY extend any module via the file tool \u2014 keep it Python, keep the scope gate, keep it non-destructive.
+</attack_and_remediation_chain>`;
     skillsScopePolicy = () => `
 <skills_scope>
@@ -72502,6 +72642,94 @@ var init_interactive_input = __esm({
           };
         });
       }
+      /**
+       * Searchable single-choice list: a live filter bar on top, a scrolling
+       * viewport of matches below. Type to filter, ↑/↓ to move (wraps), Enter to
+       * pick, Esc / Ctrl+C to cancel. Built for big catalogs (e.g. every OpenRouter
+       * model). Returns the chosen item's ORIGINAL index, or null on cancel.
+       */
+      searchSelect(title, items, opts = {}) {
+        const pageSize = Math.max(4, opts.pageSize ?? 10);
+        const placeholder = opts.placeholder ?? "digite para filtrar";
+        let query = "";
+        let sel = 0;
+        let top = 0;
+        this.lastRows = 0;
+        out2("\n");
+        const filtered = () => {
+          const q = query.toLowerCase().trim();
+          const all = items.map((it, i) => ({ it, i }));
+          if (!q) return all;
+          return all.filter(
+            ({ it }) => it.label.toLowerCase().includes(q) || (it.hint ?? "").toLowerCase().includes(q)
+          );
+        };
+        const draw = () => {
+          const list = filtered();
+          if (sel >= list.length) sel = Math.max(0, list.length - 1);
+          if (sel < top) top = sel;
+          if (sel >= top + pageSize) top = sel - pageSize + 1;
+          this.renderSearchList(
+            title,
+            placeholder,
+            query,
+            list,
+            sel,
+            top,
+            pageSize,
+            items.length
+          );
+        };
+        draw();
+        return new Promise((resolve2) => {
+          const finish = (value) => {
+            this.collapseTo(this.lastRows);
+            this.onKey = null;
+            resolve2(value);
+          };
+          this.onKey = (str, key) => {
+            if (key.ctrl && key.name === "c") return finish(null);
+            const list = filtered();
+            switch (key.name) {
+              case "escape":
+                return finish(null);
+              case "return":
+                if (list.length === 0) return;
+                return finish(list[sel].i);
+              case "up":
+                if (list.length) sel = (sel - 1 + list.length) % list.length;
+                draw();
+                return;
+              case "down":
+              case "tab":
+                if (list.length) sel = (sel + 1) % list.length;
+                draw();
+                return;
+              case "backspace":
+                if (query.length) {
+                  query = query.slice(0, -1);
+                  sel = 0;
+                  top = 0;
+                }
+                draw();
+                return;
+            }
+            if (key.ctrl && key.name === "u") {
+              query = "";
+              sel = 0;
+              top = 0;
+              draw();
+              return;
+            }
+            if (str && !key.ctrl && !key.meta && str.charCodeAt(0) >= 32) {
+              query += str;
+              sel = 0;
+              top = 0;
+              draw();
+            }
+          };
+        });
+      }
       /**
        * Lightweight line reader used WHILE a turn is running, so typed lines can be
        * forwarded to an interactive command's stdin. No box/dropdown — just echoes
@@ -72722,12 +72950,12 @@ var init_interactive_input = __esm({
         const prefix = frame2("\u2570\u2500") + gradient("\u276F", { bold: true }) + " ";
         const prefixLen = 4;
         const avail = Math.max(8, width - prefixLen - 1);
-        let start = 0;
-        if (this.cursor > avail) start = this.cursor - avail;
-        const visible = this.buffer.slice(start, start + avail);
-        const caretCol = prefixLen + (this.cursor - start);
-        const promptLine2 = prefix + visible;
-        const lines = [top, idLine, promptLine2];
+        const { textLines, caretLine, caretCol } = this.wrap(
+          prefix,
+          prefixLen,
+          avail
+        );
+        const lines = [top, idLine, ...textLines];
         const items = this.dropdownItems();
         if (items.length > 0) {
           this.ddSel = Math.min(this.ddSel, items.length - 1);
@@ -72752,9 +72980,27 @@ var init_interactive_input = __esm({
         } else {
           this.ddSel = 0;
         }
-        this.inputLineIndex = 2;
+        this.inputLineIndex = 2 + caretLine;
         this.paint(lines, caretCol);
       }
+      /**
+       * Split the buffer into terminal-width rows. The first row carries `prefix`
+       * (e.g. "❯ "); continuation rows are indented by `prefixLen` spaces so the
+       * text columns line up. Also returns which wrapped row the caret sits on and
+       * its absolute column, so paint() can place the cursor correctly.
+       */
+      wrap(prefix, prefixLen, avail) {
+        const indent = " ".repeat(prefixLen);
+        const caretLine = Math.floor(this.cursor / avail);
+        const caretColInLine = this.cursor - caretLine * avail;
+        const chunks = [];
+        for (let i = 0; i < this.buffer.length; i += avail) {
+          chunks.push(this.buffer.slice(i, i + avail));
+        }
+        while (chunks.length <= caretLine) chunks.push("");
+        const textLines = chunks.map((c, i) => (i === 0 ? prefix : indent) + c);
+        return { textLines, caretLine, caretCol: prefixLen + caretColInLine };
+      }
       /** Compact single-line labelled prompt ("nome ❯ …") for step-by-step capture. */
       renderCompact() {
         const width = cols();
@@ -72762,12 +73008,13 @@ var init_interactive_input = __esm({
         const prefix = `${gradient(label, { bold: true })} ${gradient("\u276F", { bold: true })} `;
         const prefixLen = vlen(`${label} \u276F `);
         const avail = Math.max(8, width - prefixLen - 1);
-        let start = 0;
-        if (this.cursor > avail) start = this.cursor - avail;
-        const visible = this.buffer.slice(start, start + avail);
-        const caretCol = prefixLen + (this.cursor - start);
-        this.inputLineIndex = 0;
-        this.paint([prefix + visible], caretCol);
+        const { textLines, caretLine, caretCol } = this.wrap(
+          prefix,
+          prefixLen,
+          avail
+        );
+        this.inputLineIndex = caretLine;
+        this.paint(textLines, caretCol);
       }
       /** Repaint the whole block, then place the cursor on the active input line. */
       paint(lines, caretCol) {
@@ -72812,6 +73059,42 @@ var init_interactive_input = __esm({
         );
         this.paintBlock(lines);
       }
+      /** Render the search bar + a scrolling viewport of filtered matches. */
+      renderSearchList(title, placeholder, query, list, sel, top, pageSize, total) {
+        const width = cols();
+        const inner = Math.min(Math.max(40, width - 4), 80);
+        const lines = [];
+        lines.push(`${frame2("\u256D\u2500\u25C6 ")}${gradient(title, { bold: true })}`);
+        const shown = query.length ? query : `${C4.dim}${placeholder}${C4.reset}`;
+        const counter = query.trim() ? `${C4.dim}${list.length}/${total}${C4.reset}` : `${C4.dim}${total}${C4.reset}`;
+        lines.push(
+          `${frame2("\u2502 ")}${gradient("\u2315", { bold: true })} ${shown}${C4.reset}  ${counter}`
+        );
+        lines.push(frame2("\u2502"));
+        if (list.length === 0) {
+          lines.push(`${frame2("\u2502 ")}${C4.dim}nenhum modelo corresponde${C4.reset}`);
+        } else {
+          const end = Math.min(top + pageSize, list.length);
+          for (let i = top; i < end; i++) {
+            const active2 = i === sel;
+            const { it } = list[i];
+            const marker25 = active2 ? gradient("\u276F ", { bold: true }) : `${C4.dim}  `;
+            const text2 = active2 ? gradient(it.label, { bold: true }) : `${C4.reset}${it.label}`;
+            const labelW = vlen(it.label);
+            const hint = it.hint ? `   ${C4.dim}${truncate4(it.hint, Math.max(6, inner - labelW - 6))}${C4.reset}` : "";
+            lines.push(`${frame2("\u2502 ")}${C4.reset}${marker25}${text2}${C4.reset}${hint}`);
+          }
+          if (list.length > pageSize) {
+            lines.push(
+              `${frame2("\u2502 ")}${C4.dim}${sel + 1}/${list.length}${C4.reset}`
+            );
+          }
+        }
+        lines.push(
+          `${frame2("\u2570\u2500")} ${C4.dim}digite filtra \xB7 \u2191\u2193 navega \xB7 Enter seleciona \xB7 Esc cancela${C4.reset}`
+        );
+        this.paintBlock(lines);
+      }
       /** Repaint a block and leave the cursor just below it (for list/menu modes). */
       paintBlock(lines) {
         let s = "";
@@ -72869,8 +73152,8 @@ async function main() {
 `
   );
   const COMMANDS = [
-    { name: "/model", desc: "trocar o modelo (seletor com setas)" },
-    { name: "/api", desc: "trocar a chave NVIDIA (testa e ativa na hora)" },
+    { name: "/model", desc: "trocar o modelo (setas; OpenRouter c/ busca)" },
+    { name: "/api", desc: "trocar chave de API (NVIDIA / OpenRouter)" },
     { name: "/skills", desc: "listar as skills instaladas" },
     { name: "/skillcreator", desc: "criar uma nova skill" },
     { name: "/system", desc: "salvar o system prompt (HTML) na \xC1rea de Trabalho" },
@@ -73123,69 +73406,66 @@ ${C5.dim}ja disponivel para todos os modelos nesta sessao.${C5.reset}
 `
     );
   };
-  const openModelSelector = async () => {
-    const state = agent.getModelSelection();
-    const items = [
-      {
-        label: "Auto \u2014 cadeia de fallback autom\xE1tica",
-        hint: "tenta os modelos em ordem"
-      },
-      ...state.chain.map((c) => ({ label: c.label, hint: c.key }))
-    ];
-    const activeIdx = state.mode === "auto" ? 0 : Math.max(
-      0,
-      1 + state.chain.findIndex((c) => c.key === state.activeModelKey)
-    );
-    const choice2 = await inputUI.select("selecionar modelo", items, activeIdx);
-    if (choice2 === null) {
-      process.stdout.write(`${C5.dim}sele\xE7\xE3o de modelo cancelada${C5.reset}
-`);
-      return;
-    }
-    const arg = choice2 === 0 ? "auto" : state.chain[choice2 - 1].key;
-    try {
-      printModelResult(await agent.setModelSelection(arg));
-    } catch (err) {
-      printFatal(err);
+  const KEY_PROVIDERS = [
+    {
+      id: "nvidia",
+      name: "NVIDIA",
+      envVar: "NVIDIA_API_KEY",
+      createUrl: "https://build.nvidia.com/",
+      keyRegex: /nvapi-[A-Za-z0-9_-]+/,
+      keyHint: "nvapi-\u2026",
+      test: testNvidiaKey,
+      swap: swapNvidiaKey
+    },
+    {
+      id: "openrouter",
+      name: "OpenRouter",
+      envVar: "OPENROUTER_API_KEY",
+      createUrl: "https://openrouter.ai/keys",
+      keyRegex: /sk-or-[A-Za-z0-9_-]+/,
+      keyHint: "sk-or-\u2026",
+      test: testOpenRouterKey,
+      swap: swapOpenRouterKey
     }
-  };
-  const handleApiSwap = async (inlineKey) => {
+  ];
+  const openRouterProvider = KEY_PROVIDERS.find((p) => p.id === "openrouter");
+  const promptAndSwapKey = async (provider, inlineKey = "") => {
     let raw = inlineKey;
     if (!raw) {
       process.stdout.write(
-        `${C5.dim}Cole a nova chave NVIDIA (cria em ${C5.reset}${C5.cyan}https://build.nvidia.com/${C5.reset}${C5.dim}). Enter vazio ou Ctrl+C cancela.${C5.reset}
+        `${C5.dim}Cole a nova chave ${provider.name} (cria em ${C5.reset}${C5.cyan}${provider.createUrl}${C5.reset}${C5.dim}). Enter vazio ou Ctrl+C cancela.${C5.reset}
 `
       );
       const res = await inputUI.prompt({
-        label: "nova NVIDIA API key",
+        label: `nova ${provider.name} API key`,
         secret: true
       });
       if (res.type !== "line" || !res.value.trim()) {
         process.stdout.write(`${C5.dim}troca de chave cancelada${C5.reset}
 `);
-        return;
+        return false;
       }
       raw = res.value;
     }
-    const key = raw.replace(/\s+/g, "").match(/nvapi-[A-Za-z0-9_-]+/)?.[0] ?? "";
+    const key = raw.replace(/\s+/g, "").match(provider.keyRegex)?.[0] ?? "";
     if (!key) {
       process.stdout.write(
-        `${C5.red}\u2717 n\xE3o encontrei uma chave NVIDIA no que foi colado${C5.reset} ${C5.dim}(esperado um token "nvapi-\u2026"; cole a chave completa).${C5.reset}
+        `${C5.red}\u2717 n\xE3o encontrei uma chave ${provider.name} no que foi colado${C5.reset} ${C5.dim}(esperado um token "${provider.keyHint}"; cole a chave completa).${C5.reset}
 `
       );
-      return;
+      return false;
     }
-    process.stdout.write(`${C5.dim}testando a chave na NVIDIA\u2026${C5.reset}
+    process.stdout.write(`${C5.dim}testando a chave na ${provider.name}\u2026${C5.reset}
 `);
-    const test = await testNvidiaKey(key);
+    const test = await provider.test(key);
     if (!test.ok) {
       if (test.status === 401 || test.status === 403) {
         process.stdout.write(
-          `${C5.red}\u2717 a NVIDIA recusou a chave (${test.status}): ${test.detail}${C5.reset}
-${C5.dim}chave N\xC3O salva \u2014 confira se copiou inteira e se a conta tem acesso de infer\xEAncia.${C5.reset}
+          `${C5.red}\u2717 a ${provider.name} recusou a chave (${test.status}): ${test.detail}${C5.reset}
+${C5.dim}chave N\xC3O salva \u2014 confira se copiou inteira e se a conta tem acesso.${C5.reset}
 `
         );
-        return;
+        return false;
       }
       process.stdout.write(
         `${C5.yellow}\u26A0 n\xE3o consegui validar (${test.status || "rede"}): ${test.detail}${C5.reset}
@@ -73193,13 +73473,123 @@ ${C5.dim}salvando mesmo assim \u2014 o pr\xF3ximo pedido vai usar a chave nova.$
 `
       );
     }
-    const file2 = swapNvidiaKey(key);
+    const file2 = provider.swap(key);
     const masked = `${key.slice(0, 9)}\u2026${key.slice(-4)} (${key.length} chars)`;
     process.stdout.write(
-      `${C5.green}\u2713 chave NVIDIA trocada e ativa${C5.reset} ${C5.dim}${masked}${C5.reset}
+      `${C5.green}\u2713 chave ${provider.name} trocada e ativa${C5.reset} ${C5.dim}${masked}${C5.reset}
 ${C5.dim}salva em ${C5.reset}${C5.cyan}${file2}${C5.reset}
 `
     );
+    return true;
+  };
+  const openOpenRouterPicker = async () => {
+    if (!agent.isOpenRouterAvailable()) {
+      process.stdout.write(
+        `${C5.dim}OpenRouter ainda sem chave. Vamos adicionar uma.${C5.reset}
+`
+      );
+      const ok = await promptAndSwapKey(openRouterProvider);
+      if (!ok) return;
+    }
+    process.stdout.write(`${C5.dim}buscando cat\xE1logo OpenRouter\u2026${C5.reset}
+`);
+    let models;
+    try {
+      models = await agent.listOpenRouterModels();
+    } catch (err) {
+      process.stdout.write(
+        `${C5.red}\u2717 falha ao listar modelos OpenRouter: ${err instanceof Error ? err.message : String(err)}${C5.reset}
+`
+      );
+      return;
+    }
+    if (models.length === 0) {
+      process.stdout.write(
+        `${C5.yellow}\u26A0 a OpenRouter n\xE3o retornou nenhum modelo${C5.reset}
+`
+      );
+      return;
+    }
+    const items = models.map((m) => ({
+      label: m.name,
+      hint: `${m.id}${m.promptPrice === "0" ? "  \xB7 free" : ""}`
+    }));
+    const choice2 = await inputUI.searchSelect(
+      "OpenRouter \u2014 buscar modelo",
+      items,
+      { placeholder: "digite para filtrar (nome ou slug)" }
+    );
+    if (choice2 === null) {
+      process.stdout.write(`${C5.dim}sele\xE7\xE3o de modelo cancelada${C5.reset}
+`);
+      return;
+    }
+    try {
+      printModelResult(
+        await agent.setModelSelection(`openrouter:${models[choice2].id}`)
+      );
+    } catch (err) {
+      printFatal(err);
+    }
+  };
+  const openModelSelector = async () => {
+    const state = agent.getModelSelection();
+    const orAvailable = agent.isOpenRouterAvailable();
+    const items = [
+      {
+        label: "Auto \u2014 cadeia de fallback autom\xE1tica",
+        hint: "tenta os modelos em ordem"
+      },
+      ...state.chain.map((c) => ({ label: c.label, hint: c.key }))
+    ];
+    const openRouterIdx = items.length;
+    items.push({
+      label: "OpenRouter \u2014 buscar no cat\xE1logo completo",
+      hint: orAvailable ? "lista todos os modelos da sua conta" : "pede a API key e lista o cat\xE1logo"
+    });
+    const activeIsOpenRouter = state.activeModelKey.startsWith("openrouter:");
+    const activeIdx = state.mode === "auto" ? 0 : activeIsOpenRouter ? openRouterIdx : Math.max(
+      0,
+      1 + state.chain.findIndex((c) => c.key === state.activeModelKey)
+    );
+    const choice2 = await inputUI.select("selecionar modelo", items, activeIdx);
+    if (choice2 === null) {
+      process.stdout.write(`${C5.dim}sele\xE7\xE3o de modelo cancelada${C5.reset}
+`);
+      return;
+    }
+    if (choice2 === openRouterIdx) {
+      await openOpenRouterPicker();
+      return;
+    }
+    const arg = choice2 === 0 ? "auto" : state.chain[choice2 - 1].key;
+    try {
+      printModelResult(await agent.setModelSelection(arg));
+    } catch (err) {
+      printFatal(err);
+    }
+  };
+  const handleApiSwap = async (inlineKey) => {
+    if (inlineKey) {
+      const stripped = inlineKey.replace(/\s+/g, "");
+      const provider = KEY_PROVIDERS.find((p) => p.keyRegex.test(stripped)) ?? KEY_PROVIDERS[0];
+      await promptAndSwapKey(provider, inlineKey);
+      return;
+    }
+    const idx = await inputUI.select(
+      "trocar chave de API",
+      KEY_PROVIDERS.map((p) => ({
+        label: p.name,
+        hint: process.env[p.envVar]?.trim() ? `${p.envVar} (configurada)` : p.envVar
+      })),
+      0
+    );
+    if (idx === null) {
+      process.stdout.write(`${C5.dim}troca de chave cancelada${C5.reset}
+`);
+      return;
+    }
+    await promptAndSwapKey(KEY_PROVIDERS[idx]);
   };
   const handleLine = async (line) => {
     if (closing) return;
@@ -73226,6 +73616,10 @@ ${C5.dim}salva em ${C5.reset}${C5.cyan}${file2}${C5.reset}
     }
     if (input.startsWith("/model ") || input.startsWith("/models ")) {
       const arg = input.replace(/^\/models?\s*/, "");
+      if (arg.toLowerCase() === "openrouter" || arg.toLowerCase() === "or") {
+        await openOpenRouterPicker();
+        return;
+      }
       try {
         printModelResult(await agent.setModelSelection(arg));
       } catch (err) {
@@ -73379,11 +73773,12 @@ var init_index = __esm({
     configuredModelProviders = [
       deepseekEnabled ? "DeepSeek (proxy/web session)" : null,
       process.env.NVIDIA_API_KEY?.trim() ? "NVIDIA build" : null,
-      process.env.OPENAI_API_KEY?.trim() ? "OpenAI" : null
+      process.env.OPENAI_API_KEY?.trim() ? "OpenAI" : null,
+      process.env.OPENROUTER_API_KEY?.trim() ? "OpenRouter" : null
     ].filter((name25) => Boolean(name25));
     if (configuredModelProviders.length === 0) {
       console.error(
-        `Nenhuma chave de modelo configurada. Defina NVIDIA_API_KEY (ou OPENAI_API_KEY) em ${clawfastEnvPath()} ou como vari\xE1vel de ambiente.`
+        `Nenhuma chave de modelo configurada. Defina NVIDIA_API_KEY (ou OPENAI_API_KEY / OPENROUTER_API_KEY) em ${clawfastEnvPath()} ou como vari\xE1vel de ambiente.`
       );
       process.exit(1);
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clawfast",
-  "version": "2.1.1",
+  "version": "2.2.0",
   "description": "CLAWFAST — agente de pentest no terminal. Com o clawfast você faz tudo.",
   "bin": {
     "clawfast": "dist/clawfast.cjs"