copillm 0.2.1 → 0.2.3

package/dist/agents/registry.js

@@ -0,0 +1,72 @@
+/**
+ * Per-agent capability registry. The single source of truth for agent-specific
+ * behaviour that copillm needs to know about (yolo mapping, future: model
+ * pinning, debug surfaces, etc.). Adding a new agent should be one row here
+ * plus wiring in `src/cli.ts` — never a new branch in the action handlers.
+ *
+ * Note: the `AgentName` union lives in `../integrations/registry.ts` (paired
+ * with npm package / bin name metadata). We reuse it here so the two
+ * registries can never diverge.
+ */
+export const AGENTS = {
+    claude: {
+        name: "claude",
+        yolo: { mode: "inject", flags: ["--dangerously-skip-permissions"] }
+    },
+    codex: {
+        name: "codex",
+        yolo: { mode: "inject", flags: ["--dangerously-bypass-approvals-and-sandbox"] }
+    },
+    copilot: {
+        name: "copilot",
+        yolo: { mode: "inject", flags: ["--allow-all"] }
+    },
+    pi: {
+        name: "pi",
+        yolo: {
+            mode: "unsupported",
+            reason: "pi has no blanket-approve flag; use its per-tool approvals instead"
+        }
+    }
+};
+/**
+ * Resolve `--yolo` for a given agent and return the (possibly transformed)
+ * argv to forward downstream. Pure function aside from the optional warning
+ * sink — easy to unit-test.
+ */
+export function applyYolo(options) {
+    const args = [...options.userArgs];
+    if (!options.yolo)
+        return args;
+    const spec = AGENTS[options.agent].yolo;
+    switch (spec.mode) {
+        case "inject": {
+            const alreadyPresent = spec.flags.some((flag) => args.includes(flag));
+            if (alreadyPresent)
+                return args;
+            return [...spec.flags, ...args];
+        }
+        case "passthrough": {
+            if (args.includes("--yolo"))
+                return args;
+            return ["--yolo", ...args];
+        }
+        case "unsupported": {
+            const warn = options.warn ?? ((line) => process.stderr.write(`${line}\n`));
+            warn(`copillm: --yolo ignored for ${options.agent} (${spec.reason})`);
+            return args;
+        }
+    }
+}
+/**
+ * Read the `COPILLM_YOLO` env var as a boolean. Accepts "1", "true", "yes"
+ * (case-insensitive) as truthy; everything else (including unset) is false.
+ */
+export function yoloFromEnv(env = process.env) {
+    const raw = env.COPILLM_YOLO?.trim().toLowerCase();
+    return raw === "1" || raw === "true" || raw === "yes";
+}
+/** Combine the per-launch flag with the env var fallback. */
+export function resolveYolo(flag, env = process.env) {
+    return Boolean(flag) || yoloFromEnv(env);
+}

package/dist/auth/credentials.js

@@ -18,16 +18,57 @@ let sessionCredential = null;
 function forceSessionBackend() {
     return process.env.COPILLM_FORCE_SESSION_BACKEND === "1";
 }
-async function tryImportKeytar() {
+async function tryImportKeyring() {
     if (forceSessionBackend()) {
         return null;
     }
     try {
-        const mod = await import("keytar");
-        return mod.default;
+        const mod = (await import("@napi-rs/keyring"));
+        // Test seam: mocks can return `null` or `{ default: null }` to simulate an
+        // unavailable backend without throwing from the vi.mock factory (which
+        // confuses vitest's hoisting and our isMissingKeyringError check).
+        if (!mod) {
+            return null;
+        }
+        const AsyncEntry = mod.AsyncEntry ?? (mod.default && typeof mod.default === "object" ? mod.default.AsyncEntry : undefined);
+        if (typeof AsyncEntry !== "function") {
+            return null;
+        }
+        return {
+            async getPassword(service, account) {
+                const entry = new AsyncEntry(service, account);
+                try {
+                    const value = await entry.getPassword();
+                    return value ?? null;
+                }
+                catch (error) {
+                    if (isNoEntryError(error)) {
+                        return null;
+                    }
+                    throw error;
+                }
+            },
+            async setPassword(service, account, password) {
+                const entry = new AsyncEntry(service, account);
+                await entry.setPassword(password);
+            },
+            async deletePassword(service, account) {
+                const entry = new AsyncEntry(service, account);
+                try {
+                    await entry.deletePassword();
+                    return true;
+                }
+                catch (error) {
+                    if (isNoEntryError(error)) {
+                        return false;
+                    }
+                    throw error;
+                }
+            }
+        };
     }
     catch (error) {
-        if (isMissingKeytarError(error)) {
+        if (isMissingKeyringError(error)) {
             return null;
         }
         if (error instanceof Error) {
@@ -36,15 +77,25 @@ async function tryImportKeytar() {
         throw new Error("Failed to initialize OS keychain backend: unknown error");
     }
 }
-async function resolveKeytar() {
+// keyring-rs returns a "NoEntry" error when an item doesn't exist. Map that to
+// null/false to preserve the keytar-style "missing is not an error" semantics
+// that the rest of credentials.ts is built around.
+function isNoEntryError(error) {
+    if (!(error instanceof Error)) {
+        return false;
+    }
+    const message = error.message.toLowerCase();
+    return message.includes("no matching entry") || message.includes("no entry") || message.includes("noentry");
+}
+async function resolveKeyring() {
     if (forceSessionBackend()) {
-        return { keytar: null, reason: "forced_session_backend" };
+        return { keyring: null, reason: "forced_session_backend" };
     }
-    const keytar = await tryImportKeytar();
-    if (keytar) {
-        return { keytar, reason: null };
+    const keyring = await tryImportKeyring();
+    if (keyring) {
+        return { keyring, reason: null };
     }
-    return { keytar: null, reason: "keytar module is unavailable on this machine" };
+    return { keyring: null, reason: "keyring module is unavailable on this machine" };
 }
 function parseCredentialFile() {
     const path = credentialsReadPath();
@@ -86,13 +137,13 @@ function canUsePlaintextFallback() {
     }
     return process.stdin.isTTY || process.env.COPILLM_ALLOW_PLAINTEXT_CREDENTIALS === "1";
 }
-function isMissingKeytarError(error) {
+function isMissingKeyringError(error) {
     if (!(error instanceof Error)) {
         return false;
     }
     const message = error.message.toLowerCase();
-    return (message.includes("cannot find package 'keytar'") ||
-        message.includes("cannot find module 'keytar'") ||
+    return (message.includes("cannot find package '@napi-rs/keyring") ||
+        message.includes("cannot find module '@napi-rs/keyring") ||
         message.includes("module not found"));
 }
 /**
@@ -108,14 +159,14 @@ export async function inspectStoredCredential() {
     if (fs.existsSync(credentialsReadPath())) {
         return { stored: true, backend: "file" };
     }
-    const { keytar } = await resolveKeytar();
-    if (!keytar) {
+    const { keyring } = await resolveKeyring();
+    if (!keyring) {
         return { stored: false, backend: null };
     }
     try {
-        const token = await keytar.getPassword(SERVICE, ACCOUNT);
+        const token = await keyring.getPassword(SERVICE, ACCOUNT);
         if (token) {
-            return { stored: true, backend: "keytar" };
+            return { stored: true, backend: "keyring" };
         }
         return { stored: false, backend: null };
     }
@@ -134,13 +185,13 @@ export async function loadStoredCredential() {
         const parsed = parseCredentialFile();
         return { token: parsed.token, accountType: parsed.accountType, source: "file" };
     }
-    const { keytar } = await resolveKeytar();
-    if (!keytar) {
+    const { keyring } = await resolveKeyring();
+    if (!keyring) {
         return null;
     }
     let token;
     try {
-        token = await keytar.getPassword(SERVICE, ACCOUNT);
+        token = await keyring.getPassword(SERVICE, ACCOUNT);
     }
     catch (error) {
         if (error instanceof Error) {
@@ -151,7 +202,7 @@ export async function loadStoredCredential() {
     if (!token) {
         return null;
     }
-    return { token, accountType: "individual", source: "keytar" };
+    return { token, accountType: "individual", source: "keyring" };
 }
 export async function saveStoredCredential(token, accountType, options = {}) {
     const mode = options.mode ?? "auto";
@@ -164,11 +215,11 @@ export async function saveStoredCredential(token, accountType, options = {}) {
         writeCredentialFile(token, accountType);
         return "file";
     }
-    const { keytar, reason } = await resolveKeytar();
-    if (keytar) {
+    const { keyring, reason } = await resolveKeyring();
+    if (keyring) {
         try {
-            await keytar.setPassword(SERVICE, ACCOUNT, token);
-            return "keytar";
+            await keyring.setPassword(SERVICE, ACCOUNT, token);
+            return "keyring";
         }
         catch (error) {
             if (error instanceof Error) {
@@ -196,11 +247,11 @@ export async function clearStoredCredential() {
         }
         return { backend: "file", removed: true };
     }
-    const { keytar, reason } = await resolveKeytar();
-    if (keytar) {
+    const { keyring, reason } = await resolveKeyring();
+    if (keyring) {
         try {
-            const removed = await keytar.deletePassword(SERVICE, ACCOUNT);
-            return { backend: "keytar", removed: removed || hadSession };
+            const removed = await keyring.deletePassword(SERVICE, ACCOUNT);
+            return { backend: "keyring", removed: removed || hadSession };
         }
         catch (error) {
             if (error instanceof Error) {

package/dist/cli.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 import { spawn } from "node:child_process";
 import { randomUUID } from "node:crypto";
+import { createRequire } from "node:module";
 import { setTimeout as sleep } from "node:timers/promises";
 import { Command } from "commander";
 import { clearStoredCredential, inspectStoredCredential, loadStoredCredential, saveStoredCredential } from "./auth/credentials.js";
@@ -24,11 +25,18 @@ import { isShellSyntax, renderEnvBlock } from "./cli/envBlock.js";
 import { buildClaudeEnvBundle, buildCodexEnvBundle, buildPiEnvBundle } from "./cli/agentEnv.js";
 import { launchAgent } from "./cli/launchAgent.js";
 import { applyAgentConfig, formatApplyNotes } from "./agentconfig/apply.js";
+import { applyYolo, resolveYolo } from "./agents/registry.js";
 import { registerConfigCommands } from "./cli/configCommands.js";
 import { installProcessSafetyNet } from "./cli/processSafetyNet.js";
 const logger = createLogger();
 const program = new Command();
-program.name("copillm").description("Local Copilot proxy").version("0.1.0");
+// Resolve the package version from package.json at runtime so `--version` stays
+// in sync with whatever was published. Using createRequire keeps this working
+// under NodeNext ESM without needing an import-assertion syntax flag, and
+// resolves the same file in both `dist/cli.js` (one level deep) and `src/cli.ts`
+// when invoked via tsx.
+const pkgVersion = createRequire(import.meta.url)("../package.json").version;
+program.name("copillm").description("Local Copilot proxy").version(pkgVersion);
 program.enablePositionalOptions();
 program.option("--debug", "Enable copillm debug mode (debug endpoint plus verbose daemon diagnostics)");
 program
@@ -304,11 +312,19 @@ program
     .action(async (opts) => {
     const debug = resolveCopillmDebug(opts.debug);
     enableRuntimeDebug(debug);
-    const started = await runDaemon({ debug });
-    if (started.kind === "already_running") {
-        process.exit(0);
+    try {
+        const started = await runDaemon({ debug });
+        if (started.kind === "already_running") {
+            process.exit(0);
+        }
+        process.stdout.write(`copillm listening on http://127.0.0.1:${started.port}${debug ? " [debug]" : ""}\n`);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.fatal({ err }, "daemon failed to start");
+        process.stderr.write(`copillm daemon: ${message}\n`);
+        process.exit(1);
     }
-    process.stdout.write(`copillm listening on http://127.0.0.1:${started.port}${debug ? " [debug]" : ""}\n`);
 });
 program
     .command("stop")
@@ -666,6 +682,7 @@ program
     .option("--copillm-debug", "Enable debug endpoints when auto-starting daemon")
     .option("--copillm-profile <name>", "Override active profile from ~/.copillm/agent.toml for this launch")
     .option("--copillm-no-config", "Skip agent.toml fan-out for this launch", false)
+    .option("--yolo", "Skip approvals/sandbox (injects --dangerously-bypass-approvals-and-sandbox). Env: COPILLM_YOLO")
     .allowUnknownOption(true)
     .passThroughOptions()
     .helpOption(false)
@@ -691,9 +708,11 @@ program
         process.stderr.write(`${line}\n`);
     }
     const env = { ...bundle.env, ...applyResult.envOverlay };
+    const baseArgs = [...(forwardedArgs ?? []), ...applyResult.cliArgs];
+    const args = applyYolo({ agent: "codex", userArgs: baseArgs, yolo: resolveYolo(opts.yolo) });
     const exitCode = await launchAgent({
         agent: "codex",
-        args: [...(forwardedArgs ?? []), ...applyResult.cliArgs],
+        args,
         env,
         pinnedSpec
     });
@@ -706,6 +725,7 @@ program
     .option("--copillm-debug", "Enable debug endpoints when auto-starting daemon")
     .option("--copillm-profile <name>", "Override active profile from ~/.copillm/agent.toml for this launch")
     .option("--copillm-no-config", "Skip agent.toml fan-out for this launch", false)
+    .option("--yolo", "Skip permission prompts (injects --dangerously-skip-permissions). Env: COPILLM_YOLO")
     .allowUnknownOption(true)
     .passThroughOptions()
     .helpOption(false)
@@ -730,9 +750,11 @@ program
         process.stderr.write(`${line}\n`);
     }
     const env = { ...claude.bundle.env, ...applyResult.envOverlay };
+    const baseArgs = [...(forwardedArgs ?? []), ...applyResult.cliArgs];
+    const args = applyYolo({ agent: "claude", userArgs: baseArgs, yolo: resolveYolo(opts.yolo) });
     const exitCode = await launchAgent({
         agent: "claude",
-        args: [...(forwardedArgs ?? []), ...applyResult.cliArgs],
+        args,
         env,
         pinnedSpec
     });
@@ -745,6 +767,7 @@ program
     .option("--copillm-debug", "Enable debug endpoints when auto-starting daemon")
     .option("--copillm-profile <name>", "Override active profile from ~/.copillm/agent.toml for this launch")
     .option("--copillm-no-config", "Skip agent.toml fan-out for this launch", false)
+    .option("--yolo", "Skip approvals if supported (pi has no equivalent; emits a warning). Env: COPILLM_YOLO")
     .allowUnknownOption(true)
     .passThroughOptions()
     .helpOption(false)
@@ -769,9 +792,11 @@ program
         process.stderr.write(`${line}\n`);
     }
     const env = { ...bundle.env, ...applyResult.envOverlay };
+    const baseArgs = [...(forwardedArgs ?? []), ...applyResult.cliArgs];
+    const args = applyYolo({ agent: "pi", userArgs: baseArgs, yolo: resolveYolo(opts.yolo) });
     const exitCode = await launchAgent({
         agent: "pi",
-        args: [...(forwardedArgs ?? []), ...applyResult.cliArgs],
+        args,
         env,
         pinnedSpec
     });
@@ -783,6 +808,7 @@ program
     .option("--copillm-use <spec>", "Pin copilot package version (e.g. 1.0.52 or @github/copilot@1.0.52)")
     .option("--copillm-profile <name>", "Override active profile from ~/.copillm/agent.toml for this launch")
     .option("--copillm-no-config", "Skip agent.toml fan-out for this launch", false)
+    .option("--yolo", "Allow all tools/paths/URLs (injects --allow-all). Env: COPILLM_YOLO")
     .allowUnknownOption(true)
     .passThroughOptions()
     .helpOption(false)
@@ -812,9 +838,11 @@ program
         ...applyResult.envOverlay,
         COPILOT_GITHUB_TOKEN: credential.token
     };
+    const baseArgs = [...(forwardedArgs ?? []), ...applyResult.cliArgs];
+    const args = applyYolo({ agent: "copilot", userArgs: baseArgs, yolo: resolveYolo(opts.yolo) });
     const exitCode = await launchAgent({
         agent: "copilot",
-        args: [...(forwardedArgs ?? []), ...applyResult.cliArgs],
+        args,
         env,
         pinnedSpec
     });
@@ -919,7 +947,7 @@ function candidatePorts(preferredPort) {
 }
 function describeBackend(backend) {
     switch (backend) {
-        case "keytar":
+        case "keyring":
             return "OS keychain";
         case "file":
             return "credentials file";
@@ -1274,6 +1302,12 @@ async function ensureDaemonRunningForLauncher(opts) {
         await warnIfDebugRequestedButInactive(opts.debug, live.port);
         return live;
     }
+    // Fail fast on missing credentials rather than spawning a detached daemon
+    // that will die silently and surface as a generic "start timed out" error.
+    const authState = await inspectStoredCredential();
+    if (!authState.stored) {
+        throw new Error("Not authenticated. Run `copillm auth login` first.");
+    }
     const debugLog = currentDebugLogPath(opts.debug);
     process.stderr.write(opts.debug && debugLog
         ? `Starting copillm in background with debug logging at ${displayHomePath(debugLog)}...\n`
@@ -1283,17 +1317,40 @@ async function ensureDaemonRunningForLauncher(opts) {
         daemonArgs.push("--debug");
     const child = spawn(process.execPath, daemonArgs, {
         detached: true,
-        stdio: "ignore",
+        stdio: ["ignore", "ignore", "pipe"],
         env: daemonSpawnEnv(opts.debug)
     });
     child.unref();
+    const stderrChunks = [];
+    let stderrBytes = 0;
+    const STDERR_TAIL_LIMIT = 8 * 1024;
+    if (child.stderr) {
+        child.stderr.on("data", (chunk) => {
+            stderrChunks.push(chunk);
+            stderrBytes += chunk.length;
+            while (stderrBytes > STDERR_TAIL_LIMIT && stderrChunks.length > 1) {
+                stderrBytes -= stderrChunks[0].length;
+                stderrChunks.shift();
+            }
+        });
+        child.stderr.on("error", () => {
+            // Ignore — best-effort capture only.
+        });
+    }
+    const formatStderrTail = () => {
+        const tail = Buffer.concat(stderrChunks).toString("utf8").trim();
+        return tail ? `\nDaemon stderr (tail):\n${tail}` : "";
+    };
     const started = await waitForDaemonReady(child.pid ?? null, 10_000);
     if (!started) {
-        throw new Error("Auto-start of copillm daemon timed out.");
+        if (child.pid !== undefined && !isPidAlive(child.pid)) {
+            throw new Error(`copillm daemon exited before becoming ready.${formatStderrTail()}`);
+        }
+        throw new Error(`Auto-start of copillm daemon timed out.${formatStderrTail()}`);
     }
     const inspection = inspectLock();
     if (inspection.state !== "running") {
-        throw new Error("copillm daemon failed to register a lock after auto-start.");
+        throw new Error(`copillm daemon failed to register a lock after auto-start.${formatStderrTail()}`);
     }
     return inspection.lock;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "copillm",
-  "version": "0.2.1",
+  "version": "0.2.3",
   "description": "Local Copilot proxy CLI (OpenAI/Anthropic-compatible)",
   "license": "MIT",
   "type": "module",
@@ -34,8 +34,8 @@
     "prepack": "npm run build"
   },
   "dependencies": {
+    "@napi-rs/keyring": "^1.3.0",
     "commander": "^12.1.0",
-    "keytar": "^7.9.0",
     "pino": "^9.4.0",
     "pino-pretty": "^11.2.2",
     "smol-toml": "^1.6.1",