codeep 1.3.42 → 2.0.1

package/dist/utils/skillBundlesCloud.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Codeep skill marketplace — CLI ↔ codeep.dev/api/skills bridge.
+ *
+ * Talks to the REST endpoints in `Codeep-web/src/app/api/skills/`:
+ *   GET  /api/skills?q=&mine=1         → browse
+ *   POST /api/skills                   → publish (auth required)
+ *   GET  /api/skills/:owner/:slug      → fetch one (auth req for private)
+ *   DELETE /api/skills/:owner/:slug    → unpublish (owner only)
+ *
+ * Auth uses the same `x-sync-token` header `codeepCloud.ts` already sends
+ * for /api/tasks and friends.
+ */
+export interface RemoteSkill {
+    id: number;
+    github_id: string;
+    owner_username: string | null;
+    slug: string;
+    name: string;
+    description: string;
+    body: string;
+    version: string | null;
+    visibility: 'public' | 'private';
+    install_count: number;
+    updated_at: string;
+}
+/**
+ * Publish a skill bundle to codeep.dev. The bundle may be project-scoped
+ * (`<workspaceRoot>/.codeep/skills/<slug>/SKILL.md`) or global
+ * (`~/.codeep/skills/<slug>/SKILL.md`) — either is publishable. The
+ * `--public` flag (translated into `opts.isPublic`) is the user's
+ * explicit consent gate; we don't gate further on bundle scope. If both
+ * exist with the same slug, the project copy wins (mirrors the rest of
+ * the bundle-loading flow).
+ */
+export declare function publishBundle(workspaceRoot: string, slug: string, opts?: {
+    isPublic?: boolean;
+}): Promise<{
+    ok: boolean;
+    skill?: RemoteSkill;
+    error?: string;
+}>;
+/**
+ * Install a skill from the marketplace into the project's
+ * `.codeep/skills/<slug>/SKILL.md`. `idOrPath` may be either
+ * `<owner>/<slug>` (preferred) or a numeric id.
+ */
+export declare function installBundle(workspaceRoot: string, idOrPath: string): Promise<{
+    ok: boolean;
+    name?: string;
+    error?: string;
+}>;
+/** List public skills (or own when `mine=true`). Returns up to 100. */
+export declare function browseSkills(opts?: {
+    query?: string;
+    mine?: boolean;
+}): Promise<{
+    ok: boolean;
+    skills?: RemoteSkill[];
+    error?: string;
+}>;
+/** Unpublish a skill (owner only). */
+export declare function unpublishBundle(idOrPath: string): Promise<{
+    ok: boolean;
+    error?: string;
+}>;
+/** Read raw SKILL.md from disk — used when we want the unmodified bytes. */
+export declare function readRawSkillMd(workspaceRoot: string, slug: string): string | null;
+/** Delete the local copy of an installed skill bundle (for /skills uninstall). */
+export declare function uninstallLocalBundle(workspaceRoot: string, slug: string): boolean;

package/dist/utils/skillBundlesCloud.js

@@ -0,0 +1,202 @@
+/**
+ * Codeep skill marketplace — CLI ↔ codeep.dev/api/skills bridge.
+ *
+ * Talks to the REST endpoints in `Codeep-web/src/app/api/skills/`:
+ *   GET  /api/skills?q=&mine=1         → browse
+ *   POST /api/skills                   → publish (auth required)
+ *   GET  /api/skills/:owner/:slug      → fetch one (auth req for private)
+ *   DELETE /api/skills/:owner/:slug    → unpublish (owner only)
+ *
+ * Auth uses the same `x-sync-token` header `codeepCloud.ts` already sends
+ * for /api/tasks and friends.
+ */
+import { existsSync, readFileSync, mkdirSync, writeFileSync, rmSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { getSyncToken } from '../config/index.js';
+import { findSkillBundle } from './skillBundles.js';
+const API_BASE = 'https://codeep.dev';
+/**
+ * Publish a skill bundle to codeep.dev. The bundle may be project-scoped
+ * (`<workspaceRoot>/.codeep/skills/<slug>/SKILL.md`) or global
+ * (`~/.codeep/skills/<slug>/SKILL.md`) — either is publishable. The
+ * `--public` flag (translated into `opts.isPublic`) is the user's
+ * explicit consent gate; we don't gate further on bundle scope. If both
+ * exist with the same slug, the project copy wins (mirrors the rest of
+ * the bundle-loading flow).
+ */
+export async function publishBundle(workspaceRoot, slug, opts = {}) {
+    const token = getSyncToken();
+    if (!token)
+        return { ok: false, error: 'Not linked to codeep.dev — run `codeep account` first.' };
+    const bundle = findSkillBundle(slug, workspaceRoot);
+    if (!bundle) {
+        return {
+            ok: false,
+            error: `Skill bundle "${slug}" not found in either \`.codeep/skills/${slug}/\` (project) or \`~/.codeep/skills/${slug}/\` (global). Run \`/skills create-bundle ${slug}\` to scaffold one, or check \`/skills bundles\` to see what's available.`,
+        };
+    }
+    // Build the SKILL.md text we'll publish. We re-serialise from the loaded
+    // bundle rather than reading the file again — that way frontmatter
+    // normalisation (e.g. defaulted name from dir) is reflected on the
+    // server and the next install round-trips correctly.
+    const skillMd = serialiseSkillMd(bundle);
+    try {
+        const res = await fetch(`${API_BASE}/api/skills`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', 'x-sync-token': token },
+            body: JSON.stringify({
+                slug: bundle.name,
+                name: bundle.name,
+                description: bundle.description,
+                body: skillMd,
+                version: bundle.version ?? null,
+                visibility: opts.isPublic ? 'public' : 'private',
+            }),
+        });
+        const data = await res.json().catch(() => ({}));
+        if (!res.ok || !data.ok) {
+            return { ok: false, error: data.error ?? `HTTP ${res.status}` };
+        }
+        return { ok: true, skill: data.skill };
+    }
+    catch (err) {
+        return { ok: false, error: err.message };
+    }
+}
+/**
+ * Install a skill from the marketplace into the project's
+ * `.codeep/skills/<slug>/SKILL.md`. `idOrPath` may be either
+ * `<owner>/<slug>` (preferred) or a numeric id.
+ */
+export async function installBundle(workspaceRoot, idOrPath) {
+    const token = getSyncToken(); // optional — public skills are readable without auth
+    const headers = {};
+    if (token)
+        headers['x-sync-token'] = token;
+    try {
+        // ?install=1 so the server bumps install_count
+        const url = `${API_BASE}/api/skills/${encodeURIComponent(idOrPath)}?install=1`;
+        const res = await fetch(url, { headers });
+        const data = await res.json().catch(() => ({}));
+        if (!res.ok || !data.ok || !data.skill) {
+            return { ok: false, error: data.error ?? `HTTP ${res.status}` };
+        }
+        const skill = data.skill;
+        const dir = join(workspaceRoot, '.codeep', 'skills', skill.slug);
+        if (existsSync(dir)) {
+            return { ok: false, error: `A bundle already exists at .codeep/skills/${skill.slug}/ — remove it before re-installing.` };
+        }
+        mkdirSync(dir, { recursive: true });
+        writeFileSync(join(dir, 'SKILL.md'), skill.body);
+        return { ok: true, name: skill.slug };
+    }
+    catch (err) {
+        return { ok: false, error: err.message };
+    }
+}
+/** List public skills (or own when `mine=true`). Returns up to 100. */
+export async function browseSkills(opts = {}) {
+    const token = getSyncToken();
+    const headers = {};
+    if (token)
+        headers['x-sync-token'] = token;
+    if (opts.mine && !token)
+        return { ok: false, error: '`mine=1` requires `codeep account` login.' };
+    try {
+        const u = new URL(`${API_BASE}/api/skills`);
+        if (opts.query)
+            u.searchParams.set('q', opts.query);
+        if (opts.mine)
+            u.searchParams.set('mine', '1');
+        const res = await fetch(u.toString(), { headers });
+        const data = await res.json().catch(() => ({}));
+        if (!res.ok || !data.ok)
+            return { ok: false, error: data.error ?? `HTTP ${res.status}` };
+        return { ok: true, skills: data.skills ?? [] };
+    }
+    catch (err) {
+        return { ok: false, error: err.message };
+    }
+}
+/** Unpublish a skill (owner only). */
+export async function unpublishBundle(idOrPath) {
+    const token = getSyncToken();
+    if (!token)
+        return { ok: false, error: 'Not linked to codeep.dev — run `codeep account` first.' };
+    try {
+        const res = await fetch(`${API_BASE}/api/skills/${encodeURIComponent(idOrPath)}`, {
+            method: 'DELETE',
+            headers: { 'x-sync-token': token },
+        });
+        if (res.status === 404)
+            return { ok: false, error: 'Skill not found (or not yours).' };
+        if (!res.ok)
+            return { ok: false, error: `HTTP ${res.status}` };
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, error: err.message };
+    }
+}
+/**
+ * Re-serialise a loaded SkillBundle back into the SKILL.md text format.
+ * Used by publish so the round-trip is lossless (sort of — we drop
+ * unknown frontmatter keys for now to keep the published format stable).
+ */
+function serialiseSkillMd(bundle) {
+    const meta = ['---'];
+    meta.push(`name: ${bundle.name}`);
+    meta.push(`description: ${bundle.description}`);
+    if (bundle.version)
+        meta.push(`version: ${bundle.version}`);
+    if (bundle.author)
+        meta.push(`author: ${bundle.author}`);
+    if (bundle.codeepMinVersion)
+        meta.push(`codeep-min-version: ${bundle.codeepMinVersion}`);
+    if (bundle.requiresMcp.length) {
+        meta.push(`codeep-requires-mcp:`);
+        for (const s of bundle.requiresMcp)
+            meta.push(`  - ${s}`);
+    }
+    if (bundle.allowedTools.length) {
+        meta.push(`allowed-tools:`);
+        for (const s of bundle.allowedTools)
+            meta.push(`  - ${s}`);
+    }
+    if (bundle.triggers.length) {
+        meta.push(`triggers:`);
+        for (const s of bundle.triggers)
+            meta.push(`  - ${s}`);
+    }
+    meta.push('---', '');
+    return meta.join('\n') + bundle.body;
+}
+/** Read raw SKILL.md from disk — used when we want the unmodified bytes. */
+export function readRawSkillMd(workspaceRoot, slug) {
+    const file = join(workspaceRoot, '.codeep', 'skills', slug, 'SKILL.md');
+    if (!existsSync(file))
+        return null;
+    try {
+        return readFileSync(file, 'utf-8');
+    }
+    catch {
+        return null;
+    }
+}
+/** Delete the local copy of an installed skill bundle (for /skills uninstall). */
+export function uninstallLocalBundle(workspaceRoot, slug) {
+    const dir = join(workspaceRoot, '.codeep', 'skills', slug);
+    if (!existsSync(dir))
+        return false;
+    try {
+        rmSync(dir, { recursive: true, force: true });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+// Silence unused-import warning when builds strip unused — homedir is here
+// for future global-install support (planned 2.1).
+void homedir;

package/dist/utils/tokenTracker.d.ts

@@ -20,6 +20,8 @@ interface TokenRecord {
     totalTokens: number;
     model: string;
     provider: string;
+    /** Authoritative per-call USD from the provider (OpenRouter), if available. */
+    actualCostUsd?: number;
 }
 /**
  * Get context window size for a model (falls back to 128k if unknown)
@@ -31,9 +33,13 @@ export declare function getPricingTable(): {
     outputPer1M: number;
 }[];
 /**
- * Record token usage from an API response
+ * Record token usage from an API response. The optional `actualCostUsd`
+ * argument lets aggregator providers (OpenRouter) pass through the
+ * authoritative per-call cost they returned in `usage.cost`, instead of
+ * forcing us to look it up in `MODEL_PRICING` (which we don't maintain
+ * for every OpenRouter-listed model — there are 100+).
  */
-export declare function recordTokenUsage(usage: TokenUsage, model: string, provider: string): void;
+export declare function recordTokenUsage(usage: TokenUsage, model: string, provider: string, actualCostUsd?: number): void;
 /**
  * Extract token usage from OpenAI-format API response
  */
@@ -69,4 +75,10 @@ export declare function formatTokenCount(tokens: number): string;
  * Reset session tracking
  */
 export declare function resetTokenTracking(): void;
+/**
+ * Format a session cost report as a Markdown block. Used by `/cost` in both
+ * the TUI and ACP command handlers. Returns a "no usage yet" message if the
+ * session hasn't made any API calls.
+ */
+export declare function formatCostReport(): string;
 export {};

package/dist/utils/tokenTracker.js

@@ -1,7 +1,10 @@
 /**
  * Token and cost tracking for API usage
  */
-// Context window sizes per model (in tokens)
+// Context window sizes per model (in tokens).
+// Keep this table in lockstep with `providers.ts` — entries for models that
+// aren't in the provider catalogue only show up if a user types an id by hand
+// and produce phantom estimates against the wrong context size.
 const MODEL_CONTEXT_WINDOWS = {
     // Z.AI / ZhipuAI
     'glm-5.1': 131_072,
@@ -12,18 +15,10 @@ const MODEL_CONTEXT_WINDOWS = {
     'gpt-5.4': 1_050_000,
     'gpt-5.4-mini': 400_000,
     'gpt-5.4-nano': 400_000,
-    'gpt-4.1': 1_000_000,
-    'gpt-4.1-mini': 1_000_000,
-    'gpt-4.1-nano': 1_000_000,
-    'o3': 200_000,
-    'o4-mini': 200_000,
-    'gpt-4o': 128_000,
     // Anthropic
-    'claude-mythos-preview': 1_000_000,
     'claude-opus-4-7': 1_000_000,
     'claude-opus-4-6': 1_000_000,
     'claude-sonnet-4-6': 1_000_000,
-    'claude-sonnet-4-5-20250929': 200_000,
     'claude-haiku-4-5-20251001': 200_000,
     // DeepSeek
     'deepseek-v4-pro': 1_000_000,
@@ -31,17 +26,8 @@ const MODEL_CONTEXT_WINDOWS = {
     // Google
     'gemini-3.1-pro-preview': 1_048_576,
     'gemini-3-flash-preview': 1_000_000,
-    'gemini-3.1-flash-lite-preview': 1_000_000,
-    'gemini-2.5-pro': 1_000_000,
-    'gemini-2.5-flash': 1_000_000,
-    'gemini-2.5-flash-lite': 1_000_000,
     // MiniMax
     'MiniMax-M2.7': 204_800,
-    'MiniMax-M2.5': 196_608,
-    'MiniMax-M2.5-highspeed': 196_608,
-    'MiniMax-M2.1': 196_608,
-    'MiniMax-M2.1-highspeed': 196_608,
-    'MiniMax-M2': 196_608,
 };
 const DEFAULT_CONTEXT_WINDOW = 128_000;
 /**
@@ -50,7 +36,9 @@ const DEFAULT_CONTEXT_WINDOW = 128_000;
 export function getModelContextWindow(model) {
     return MODEL_CONTEXT_WINDOWS[model] ?? DEFAULT_CONTEXT_WINDOW;
 }
-// Pricing table — USD per 1M tokens
+// Pricing table — USD per 1M tokens. Same rule as MODEL_CONTEXT_WINDOWS:
+// only list model ids that exist in `providers.ts`, otherwise typing an id
+// by hand can produce phantom cost estimates against stale rates.
 const MODEL_PRICING = {
     // Z.AI / ZhipuAI
     'glm-5.1': { inputPer1M: 1.00, outputPer1M: 3.20 },
@@ -61,18 +49,10 @@ const MODEL_PRICING = {
     'gpt-5.4': { inputPer1M: 2.50, outputPer1M: 15.00 },
     'gpt-5.4-mini': { inputPer1M: 0.75, outputPer1M: 4.50 },
     'gpt-5.4-nano': { inputPer1M: 0.20, outputPer1M: 1.25 },
-    'gpt-4.1': { inputPer1M: 2.00, outputPer1M: 8.00 },
-    'gpt-4.1-mini': { inputPer1M: 0.40, outputPer1M: 1.60 },
-    'gpt-4.1-nano': { inputPer1M: 0.10, outputPer1M: 0.40 },
-    'o3': { inputPer1M: 2.00, outputPer1M: 8.00 },
-    'o4-mini': { inputPer1M: 0.55, outputPer1M: 2.20 },
-    'gpt-4o': { inputPer1M: 2.50, outputPer1M: 10.00 },
     // Anthropic
-    'claude-mythos-preview': { inputPer1M: 6.00, outputPer1M: 30.00 },
     'claude-opus-4-7': { inputPer1M: 5.00, outputPer1M: 25.00 },
     'claude-opus-4-6': { inputPer1M: 5.00, outputPer1M: 25.00 },
     'claude-sonnet-4-6': { inputPer1M: 3.00, outputPer1M: 15.00 },
-    'claude-sonnet-4-5-20250929': { inputPer1M: 3.00, outputPer1M: 15.00 },
     'claude-haiku-4-5-20251001': { inputPer1M: 1.00, outputPer1M: 5.00 },
     // DeepSeek (cache-miss input pricing)
     'deepseek-v4-pro': { inputPer1M: 1.74, outputPer1M: 3.48 },
@@ -80,17 +60,8 @@ const MODEL_PRICING = {
     // Google
     'gemini-3.1-pro-preview': { inputPer1M: 2.00, outputPer1M: 12.00 },
     'gemini-3-flash-preview': { inputPer1M: 0.50, outputPer1M: 3.00 },
-    'gemini-3.1-flash-lite-preview': { inputPer1M: 0.25, outputPer1M: 1.50 },
-    'gemini-2.5-pro': { inputPer1M: 1.00, outputPer1M: 10.00 },
-    'gemini-2.5-flash': { inputPer1M: 0.30, outputPer1M: 2.50 },
-    'gemini-2.5-flash-lite': { inputPer1M: 0.10, outputPer1M: 0.40 },
     // MiniMax
     'MiniMax-M2.7': { inputPer1M: 0.30, outputPer1M: 1.20 },
-    'MiniMax-M2.5': { inputPer1M: 0.118, outputPer1M: 0.99 },
-    'MiniMax-M2.5-highspeed': { inputPer1M: 0.30, outputPer1M: 2.40 },
-    'MiniMax-M2.1': { inputPer1M: 0.27, outputPer1M: 0.95 },
-    'MiniMax-M2.1-highspeed': { inputPer1M: 0.27, outputPer1M: 0.95 },
-    'MiniMax-M2': { inputPer1M: 0.30, outputPer1M: 1.20 },
 };
 export function getPricingTable() {
     return Object.entries(MODEL_PRICING).map(([model, p]) => ({ model, ...p }));
@@ -98,9 +69,13 @@ export function getPricingTable() {
 // Session-level accumulator
 const records = [];
 /**
- * Record token usage from an API response
+ * Record token usage from an API response. The optional `actualCostUsd`
+ * argument lets aggregator providers (OpenRouter) pass through the
+ * authoritative per-call cost they returned in `usage.cost`, instead of
+ * forcing us to look it up in `MODEL_PRICING` (which we don't maintain
+ * for every OpenRouter-listed model — there are 100+).
  */
-export function recordTokenUsage(usage, model, provider) {
+export function recordTokenUsage(usage, model, provider, actualCostUsd) {
     records.push({
         timestamp: Date.now(),
         promptTokens: usage.promptTokens,
@@ -108,6 +83,7 @@ export function recordTokenUsage(usage, model, provider) {
         totalTokens: usage.totalTokens,
         model,
         provider,
+        actualCostUsd,
     });
 }
 /**
@@ -144,11 +120,20 @@ export function getCostBreakdown() {
     for (const record of records) {
         const key = `${record.provider}/${record.model}`;
         const existing = grouped.get(key) ?? { provider: record.provider, model: record.model, promptTokens: 0, completionTokens: 0, estimatedCost: 0 };
-        const pricing = MODEL_PRICING[record.model];
         existing.promptTokens += record.promptTokens;
         existing.completionTokens += record.completionTokens;
-        if (pricing) {
-            existing.estimatedCost += (record.promptTokens / 1_000_000) * pricing.inputPer1M + (record.completionTokens / 1_000_000) * pricing.outputPer1M;
+        // Cost source priority:
+        //   1. Provider-reported USD (OpenRouter, MaxiCloud, etc.) — most accurate.
+        //   2. Our MODEL_PRICING table — for built-in providers we maintain rates for.
+        //   3. Zero — model isn't in our table; flag in formatCostReport.
+        if (typeof record.actualCostUsd === 'number' && Number.isFinite(record.actualCostUsd)) {
+            existing.estimatedCost += record.actualCostUsd;
+        }
+        else {
+            const pricing = MODEL_PRICING[record.model];
+            if (pricing) {
+                existing.estimatedCost += (record.promptTokens / 1_000_000) * pricing.inputPer1M + (record.completionTokens / 1_000_000) * pricing.outputPer1M;
+            }
         }
         grouped.set(key, existing);
     }
@@ -197,3 +182,36 @@ export function formatTokenCount(tokens) {
 export function resetTokenTracking() {
     records.length = 0;
 }
+/**
+ * Format a session cost report as a Markdown block. Used by `/cost` in both
+ * the TUI and ACP command handlers. Returns a "no usage yet" message if the
+ * session hasn't made any API calls.
+ */
+export function formatCostReport() {
+    const stats = getSessionStats();
+    if (stats.requestCount === 0) {
+        return '_No API requests in this session yet._';
+    }
+    const breakdown = getCostBreakdown();
+    const lines = [
+        '## Session Cost',
+        '',
+        `**Requests:** ${stats.requestCount}  ·  **Input:** ${formatTokenCount(stats.totalPromptTokens)}  ·  **Output:** ${formatTokenCount(stats.totalCompletionTokens)}  ·  **Total:** ${formatTokenCount(stats.totalTokens)}`,
+        `**Estimated cost:** $${stats.estimatedCost.toFixed(4)}`,
+        '',
+    ];
+    if (breakdown.length > 1 || (breakdown.length === 1 && breakdown[0].estimatedCost > 0)) {
+        lines.push('| Provider / Model | Input | Output | Cost |');
+        lines.push('|---|---:|---:|---:|');
+        for (const b of breakdown) {
+            lines.push(`| \`${b.provider}\` / \`${b.model}\` | ${formatTokenCount(b.promptTokens)} | ${formatTokenCount(b.completionTokens)} | $${b.estimatedCost.toFixed(4)} |`);
+        }
+    }
+    // Models with no pricing entry don't contribute to cost — flag so users
+    // aren't surprised the total looks low.
+    const untracked = breakdown.filter(b => b.estimatedCost === 0 && (b.promptTokens + b.completionTokens) > 0);
+    if (untracked.length > 0) {
+        lines.push('', `_Note: ${untracked.length} model${untracked.length === 1 ? '' : 's'} (${untracked.map(u => `\`${u.model}\``).join(', ')}) have no pricing entry — token counts are tracked but not priced._`);
+    }
+    return lines.join('\n');
+}

package/dist/utils/toolExecution.d.ts

@@ -17,10 +17,26 @@ export declare function validatePath(path: string, projectRoot: string): {
     absolutePath: string;
     error?: string;
 };
+/**
+ * Optional filesystem delegation. When an ACP client advertises `fs`
+ * capability (Zed always does, VS Code may), the server should route
+ * read/write through the client instead of touching disk directly — that
+ * way the client's unsaved buffers, undo history, and virtual filesystems
+ * stay authoritative. Callbacks must already use absolute paths.
+ */
+export interface FsCallbacks {
+    readTextFile?: (absolutePath: string) => Promise<string>;
+    writeTextFile?: (absolutePath: string, content: string) => Promise<void>;
+}
 /**
  * Execute a tool call and return the result.
+ *
+ * `fs` is optional — if provided and the relevant method is defined, file
+ * read/write is delegated to the client. Otherwise we fall back to direct
+ * disk I/O. A delegated call that throws also falls back to disk so a
+ * single client hiccup doesn't kill the agent loop.
  */
-export declare function executeTool(toolCall: ToolCall, projectRoot: string): Promise<ToolResult>;
+export declare function executeTool(toolCall: ToolCall, projectRoot: string, fs?: FsCallbacks, mcpSessionId?: string): Promise<ToolResult>;
 /**
  * Create action log from tool result
  */