npm - guardlink - Versions diffs - 1.1.0 → 1.3.0 - Mend

guardlink 1.1.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/CHANGELOG.md +62 -0
package/README.md +11 -2
package/dist/agents/config.d.ts +17 -0
package/dist/agents/config.d.ts.map +1 -1
package/dist/agents/config.js +38 -4
package/dist/agents/config.js.map +1 -1
package/dist/agents/index.d.ts +5 -1
package/dist/agents/index.d.ts.map +1 -1
package/dist/agents/index.js +4 -1
package/dist/agents/index.js.map +1 -1
package/dist/agents/launcher.d.ts +25 -8
package/dist/agents/launcher.d.ts.map +1 -1
package/dist/agents/launcher.js +137 -9
package/dist/agents/launcher.js.map +1 -1
package/dist/agents/prompts.d.ts +9 -0
package/dist/agents/prompts.d.ts.map +1 -1
package/dist/agents/prompts.js +43 -6
package/dist/agents/prompts.js.map +1 -1
package/dist/analyze/index.d.ts +44 -8
package/dist/analyze/index.d.ts.map +1 -1
package/dist/analyze/index.js +291 -15
package/dist/analyze/index.js.map +1 -1
package/dist/analyze/llm.d.ts +65 -13
package/dist/analyze/llm.d.ts.map +1 -1
package/dist/analyze/llm.js +429 -107
package/dist/analyze/llm.js.map +1 -1
package/dist/analyze/prompts.d.ts +6 -2
package/dist/analyze/prompts.d.ts.map +1 -1
package/dist/analyze/prompts.js +230 -111
package/dist/analyze/prompts.js.map +1 -1
package/dist/analyze/tools.d.ts +28 -0
package/dist/analyze/tools.d.ts.map +1 -0
package/dist/analyze/tools.js +236 -0
package/dist/analyze/tools.js.map +1 -0
package/dist/analyzer/index.d.ts +3 -0
package/dist/analyzer/index.d.ts.map +1 -1
package/dist/analyzer/index.js +3 -0
package/dist/analyzer/index.js.map +1 -1
package/dist/analyzer/sarif.d.ts +5 -6
package/dist/analyzer/sarif.d.ts.map +1 -1
package/dist/analyzer/sarif.js +5 -6
package/dist/analyzer/sarif.js.map +1 -1
package/dist/cli/index.d.ts +27 -16
package/dist/cli/index.d.ts.map +1 -1
package/dist/cli/index.js +524 -105
package/dist/cli/index.js.map +1 -1
package/dist/dashboard/data.d.ts +5 -0
package/dist/dashboard/data.d.ts.map +1 -1
package/dist/dashboard/data.js +5 -0
package/dist/dashboard/data.js.map +1 -1
package/dist/dashboard/generate.d.ts +8 -5
package/dist/dashboard/generate.d.ts.map +1 -1
package/dist/dashboard/generate.js +206 -66
package/dist/dashboard/generate.js.map +1 -1
package/dist/dashboard/index.d.ts +5 -0
package/dist/dashboard/index.d.ts.map +1 -1
package/dist/dashboard/index.js +5 -0
package/dist/dashboard/index.js.map +1 -1
package/dist/diff/git.d.ts +10 -7
package/dist/diff/git.d.ts.map +1 -1
package/dist/diff/git.js +10 -7
package/dist/diff/git.js.map +1 -1
package/dist/diff/index.d.ts +4 -0
package/dist/diff/index.d.ts.map +1 -1
package/dist/diff/index.js +4 -0
package/dist/diff/index.js.map +1 -1
package/dist/init/detect.d.ts +5 -0
package/dist/init/detect.d.ts.map +1 -1
package/dist/init/detect.js +5 -0
package/dist/init/detect.js.map +1 -1
package/dist/init/index.d.ts +26 -6
package/dist/init/index.d.ts.map +1 -1
package/dist/init/index.js +91 -11
package/dist/init/index.js.map +1 -1
package/dist/init/picker.d.ts.map +1 -1
package/dist/init/picker.js +17 -6
package/dist/init/picker.js.map +1 -1
package/dist/init/templates.d.ts +20 -0
package/dist/init/templates.d.ts.map +1 -1
package/dist/init/templates.js +167 -36
package/dist/init/templates.js.map +1 -1
package/dist/mcp/index.d.ts +5 -0
package/dist/mcp/index.d.ts.map +1 -1
package/dist/mcp/index.js +5 -0
package/dist/mcp/index.js.map +1 -1
package/dist/mcp/lookup.d.ts +5 -0
package/dist/mcp/lookup.d.ts.map +1 -1
package/dist/mcp/lookup.js +5 -0
package/dist/mcp/lookup.js.map +1 -1
package/dist/mcp/server.d.ts +16 -13
package/dist/mcp/server.d.ts.map +1 -1
package/dist/mcp/server.js +140 -17
package/dist/mcp/server.js.map +1 -1
package/dist/mcp/suggest.d.ts +8 -6
package/dist/mcp/suggest.d.ts.map +1 -1
package/dist/mcp/suggest.js +8 -6
package/dist/mcp/suggest.js.map +1 -1
package/dist/parser/clear.d.ts +36 -0
package/dist/parser/clear.d.ts.map +1 -0
package/dist/parser/clear.js +148 -0
package/dist/parser/clear.js.map +1 -0
package/dist/parser/index.d.ts +3 -1
package/dist/parser/index.d.ts.map +1 -1
package/dist/parser/index.js +2 -1
package/dist/parser/index.js.map +1 -1
package/dist/parser/parse-file.d.ts +5 -2
package/dist/parser/parse-file.d.ts.map +1 -1
package/dist/parser/parse-file.js +29 -2
package/dist/parser/parse-file.js.map +1 -1
package/dist/parser/parse-line.d.ts +3 -3
package/dist/parser/parse-line.js +3 -3
package/dist/parser/parse-project.d.ts +7 -7
package/dist/parser/parse-project.d.ts.map +1 -1
package/dist/parser/parse-project.js +24 -11
package/dist/parser/parse-project.js.map +1 -1
package/dist/parser/validate.d.ts +12 -0
package/dist/parser/validate.d.ts.map +1 -1
package/dist/parser/validate.js +44 -0
package/dist/parser/validate.js.map +1 -1
package/dist/report/index.d.ts +3 -0
package/dist/report/index.d.ts.map +1 -1
package/dist/report/index.js +3 -0
package/dist/report/index.js.map +1 -1
package/dist/report/report.d.ts +4 -7
package/dist/report/report.d.ts.map +1 -1
package/dist/report/report.js +68 -7
package/dist/report/report.js.map +1 -1
package/dist/review/index.d.ts +62 -0
package/dist/review/index.d.ts.map +1 -0
package/dist/review/index.js +226 -0
package/dist/review/index.js.map +1 -0
package/dist/tui/commands.d.ts +26 -1
package/dist/tui/commands.d.ts.map +1 -1
package/dist/tui/commands.js +608 -101
package/dist/tui/commands.js.map +1 -1
package/dist/tui/config.d.ts +6 -0
package/dist/tui/config.d.ts.map +1 -1
package/dist/tui/config.js +6 -0
package/dist/tui/config.js.map +1 -1
package/dist/tui/format.d.ts +7 -0
package/dist/tui/format.d.ts.map +1 -1
package/dist/tui/format.js +59 -0
package/dist/tui/format.js.map +1 -1
package/dist/tui/index.d.ts +8 -8
package/dist/tui/index.d.ts.map +1 -1
package/dist/tui/index.js +47 -10
package/dist/tui/index.js.map +1 -1
package/dist/tui/input.d.ts +6 -0
package/dist/tui/input.d.ts.map +1 -1
package/dist/tui/input.js +6 -0
package/dist/tui/input.js.map +1 -1
package/dist/types/index.d.ts +2 -0
package/dist/types/index.d.ts.map +1 -1
package/package.json +1 -1

package/dist/analyze/llm.js CHANGED Viewed

@@ -2,67 +2,63 @@
  * GuardLink Threat Reports — Lightweight LLM client using raw fetch.
  *
  * Supports:
- *   - Anthropic Messages API (claude-sonnet-4-5-20250929, etc.)
- *   - OpenAI-compatible Chat Completions (GPT-4o, DeepSeek, OpenRouter)
+ *   - Anthropic Messages API (claude-sonnet-4-6, claude-opus-4-6, etc.) with extended thinking + tool use
+ *   - OpenAI Responses API (gpt-5.2, o3, etc.) with web search, tools, structured output
+ *   - Google Gemini API (gemini-2.5-flash, gemini-3-pro, etc.) via OpenAI-compatible endpoint
+ *   - OpenAI-compatible Chat Completions (DeepSeek, OpenRouter, Ollama)
+ *   - DeepSeek reasoning mode (deepseek-reasoner)
  *
  * Zero dependencies — uses Node 20+ built-in fetch.
  *
- * @exposes #llm-client to #api-key-exposure [high] cwe:CWE-798 -- "Reads API keys from environment variables"
- * @exposes #llm-client to #ssrf [medium] cwe:CWE-918 -- "Makes HTTP requests to configurable provider URLs"
- * @exposes #llm-client to #prompt-injection [medium] cwe:CWE-77 -- "Sends threat model content as LLM prompt"
- * @accepts #prompt-injection on #llm-client -- "Core feature: threat model data is sent to LLM for analysis"
- * @mitigates #llm-client against #ssrf using #config-validation -- "BASE_URLS are hardcoded to known providers"
- * @mitigates #llm-client against #api-key-exposure using #key-redaction -- "Keys read from env, not logged"
- * @handles secrets on #llm-client -- "API keys held in memory during request lifecycle"
- * @boundary between #llm-client and External_LLM_APIs (#llm-boundary) -- "HTTP requests cross network trust boundary to external AI providers"
- * @flows #llm-client -> External_LLM_APIs via fetch -- "HTTP POST with auth headers and prompt payload"
- * @flows External_LLM_APIs -> #llm-client via response -- "Streaming or complete response from LLM provider"
+ * @exposes #llm-client to #ssrf [medium] cwe:CWE-918 -- "fetch() calls external LLM API endpoints"
+ * @mitigates #llm-client against #ssrf using #config-validation -- "BASE_URLS are hardcoded; baseUrl override is optional config"
+ * @exposes #llm-client to #api-key-exposure [high] cwe:CWE-798 -- "API keys passed in Authorization headers"
+ * @mitigates #llm-client against #api-key-exposure using #key-redaction -- "Keys never logged; passed directly to API"
+ * @exposes #llm-client to #prompt-injection [medium] cwe:CWE-77 -- "User prompts sent to LLM API"
+ * @audit #llm-client -- "Prompt injection mitigated by LLM provider safety; local code is read-only"
+ * @flows LLMConfig -> #llm-client via chatCompletion -- "Config and prompt input"
+ * @flows #llm-client -> LLMProvider via fetch -- "API request output"
+ * @flows LLMProvider -> #llm-client via response -- "API response input"
+ * @boundary #llm-client and LLMProvider (#llm-api-boundary) -- "Trust boundary at external API call"
+ * @handles secrets on #llm-client -- "Processes API keys for authentication"
  */
+// ─── Defaults ────────────────────────────────────────────────────────
 const DEFAULT_MODELS = {
-    anthropic: 'claude-sonnet-4-5-20250929',
-    openai: 'gpt-4o',
-    openrouter: 'anthropic/claude-sonnet-4-5-20250929',
+    anthropic: 'claude-sonnet-4-6',
+    openai: 'gpt-5.2',
+    google: 'gemini-2.5-flash',
+    openrouter: 'anthropic/claude-sonnet-4-6',
     deepseek: 'deepseek-chat',
+    ollama: 'llama3.2',
 };
 const BASE_URLS = {
     anthropic: 'https://api.anthropic.com',
     openai: 'https://api.openai.com',
+    google: 'https://generativelanguage.googleapis.com/v1beta/openai',
     openrouter: 'https://openrouter.ai/api',
     deepseek: 'https://api.deepseek.com',
+    ollama: 'http://localhost:11434',
 };
+// ─── Auto-detect ─────────────────────────────────────────────────────
 /**
  * Auto-detect provider from environment variables.
  * Returns null if no API key found.
  */
 export function autoDetectConfig() {
-    // Priority: Anthropic > OpenAI > OpenRouter > DeepSeek
     if (process.env.ANTHROPIC_API_KEY) {
-        return {
-            provider: 'anthropic',
-            model: DEFAULT_MODELS.anthropic,
-            apiKey: process.env.ANTHROPIC_API_KEY,
-        };
+        return { provider: 'anthropic', model: DEFAULT_MODELS.anthropic, apiKey: process.env.ANTHROPIC_API_KEY };
     }
     if (process.env.OPENAI_API_KEY) {
-        return {
-            provider: 'openai',
-            model: DEFAULT_MODELS.openai,
-            apiKey: process.env.OPENAI_API_KEY,
-        };
+        return { provider: 'openai', model: DEFAULT_MODELS.openai, apiKey: process.env.OPENAI_API_KEY };
     }
     if (process.env.OPENROUTER_API_KEY) {
-        return {
-            provider: 'openrouter',
-            model: DEFAULT_MODELS.openrouter,
-            apiKey: process.env.OPENROUTER_API_KEY,
-        };
+        return { provider: 'openrouter', model: DEFAULT_MODELS.openrouter, apiKey: process.env.OPENROUTER_API_KEY };
+    }
+    if (process.env.GOOGLE_API_KEY || process.env.GEMINI_API_KEY) {
+        return { provider: 'google', model: DEFAULT_MODELS.google, apiKey: (process.env.GOOGLE_API_KEY || process.env.GEMINI_API_KEY) };
     }
     if (process.env.DEEPSEEK_API_KEY) {
-        return {
-            provider: 'deepseek',
-            model: DEFAULT_MODELS.deepseek,
-            apiKey: process.env.DEEPSEEK_API_KEY,
-        };
+        return { provider: 'deepseek', model: DEFAULT_MODELS.deepseek, apiKey: process.env.DEEPSEEK_API_KEY };
     }
     return null;
 }
@@ -70,13 +66,13 @@ export function autoDetectConfig() {
  * Build config from explicit flags + env vars.
  */
 export function buildConfig(opts) {
-    // If provider specified, use it
     if (opts.provider) {
         const provider = opts.provider;
         const envKeyMap = {
             anthropic: 'ANTHROPIC_API_KEY',
             openai: 'OPENAI_API_KEY',
             openrouter: 'OPENROUTER_API_KEY',
+            google: 'GOOGLE_API_KEY',
             deepseek: 'DEEPSEEK_API_KEY',
         };
         const apiKey = opts.apiKey || process.env[envKeyMap[provider] || ''];
@@ -84,58 +80,120 @@ export function buildConfig(opts) {
             return null;
         return {
             provider,
-            model: opts.model || DEFAULT_MODELS[provider] || 'gpt-4o',
+            model: opts.model || DEFAULT_MODELS[provider] || 'gpt-5.2',
             apiKey,
         };
     }
-    // Auto-detect
     const config = autoDetectConfig();
     if (!config)
         return null;
-    // Override model if specified
     if (opts.model)
         config.model = opts.model;
     return config;
 }
+// ─── Main entry point ────────────────────────────────────────────────
 /**
  * Send a message to the LLM and return the response.
+ * Supports streaming, tool use (agentic loop), extended thinking,
+ * web search, and structured output.
  */
 export async function chatCompletion(config, systemPrompt, userMessage, onChunk) {
     if (config.provider === 'anthropic') {
-        return callAnthropic(config, systemPrompt, userMessage, onChunk);
+        return callAnthropicWithTools(config, systemPrompt, userMessage, onChunk);
+    }
+    else if (config.provider === 'openai') {
+        return callOpenAIResponses(config, systemPrompt, userMessage, onChunk);
     }
     else {
+        // Google Gemini, DeepSeek, OpenRouter, Ollama all use OpenAI-compatible Chat Completions
         return callOpenAICompatible(config, systemPrompt, userMessage, onChunk);
     }
 }
-// ─── Anthropic Messages API ──────────────────────────────────────────
-async function callAnthropic(config, systemPrompt, userMessage, onChunk) {
+// ─── Anthropic Messages API (2025) ──────────────────────────────────
+const ANTHROPIC_API_VERSION = '2025-04-14';
+/** Wrapper with agentic tool-call loop */
+async function callAnthropicWithTools(config, systemPrompt, userMessage, onChunk) {
+    const maxRounds = config.maxToolRounds ?? 5;
+    let messages = [{ role: 'user', content: userMessage }];
+    const allToolCalls = [];
+    let finalResponse = null;
+    for (let round = 0; round <= maxRounds; round++) {
+        const response = await callAnthropic(config, systemPrompt, messages, round === 0 ? onChunk : undefined);
+        if (response.toolCalls?.length)
+            allToolCalls.push(...response.toolCalls);
+        if (!response.toolCalls?.length || !config.toolExecutor) {
+            finalResponse = response;
+            break;
+        }
+        // Add assistant response and tool results for next round
+        messages.push({ role: 'assistant', content: response._rawContent });
+        for (const tc of response.toolCalls) {
+            let resultText;
+            try {
+                resultText = await config.toolExecutor(tc.name, tc.arguments);
+            }
+            catch (err) {
+                resultText = `Error: ${err.message}`;
+            }
+            messages.push({
+                role: 'user',
+                content: [{ type: 'tool_result', tool_use_id: tc.id, content: resultText }],
+            });
+        }
+    }
+    if (!finalResponse)
+        throw new Error('Max tool call rounds exceeded');
+    finalResponse.toolCalls = allToolCalls.length ? allToolCalls : undefined;
+    return finalResponse;
+}
+async function callAnthropic(config, systemPrompt, messages, onChunk) {
     const baseUrl = config.baseUrl || BASE_URLS.anthropic;
     const maxTokens = config.maxTokens || 8192;
+    const headers = {
+        'Content-Type': 'application/json',
+        'x-api-key': config.apiKey,
+        'anthropic-version': ANTHROPIC_API_VERSION,
+    };
+    if (config.extendedThinking) {
+        headers['anthropic-beta'] = 'interleaved-thinking-2025-05-14';
+    }
+    const body = {
+        model: config.model,
+        max_tokens: maxTokens,
+        system: systemPrompt,
+        messages,
+    };
+    if (config.extendedThinking) {
+        body.thinking = { type: 'enabled', budget_tokens: config.thinkingBudget || 10000 };
+    }
+    if (config.tools?.length) {
+        body.tools = config.tools.map(t => ({
+            name: t.name,
+            description: t.description,
+            input_schema: {
+                type: 'object',
+                properties: t.parameters.properties,
+                required: t.parameters.required,
+            },
+        }));
+    }
     if (onChunk) {
-        // Streaming
+        body.stream = true;
         const res = await fetch(`${baseUrl}/v1/messages`, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json',
-                'x-api-key': config.apiKey,
-                'anthropic-version': '2023-06-01',
-            },
-            body: JSON.stringify({
-                model: config.model,
-                max_tokens: maxTokens,
-                system: systemPrompt,
-                stream: true,
-                messages: [{ role: 'user', content: userMessage }],
-            }),
+            method: 'POST', headers, body: JSON.stringify(body),
         });
         if (!res.ok) {
             const err = await res.text();
             throw new Error(`Anthropic API error ${res.status}: ${err}`);
         }
         let content = '';
+        let thinking = '';
         let inputTokens = 0;
         let outputTokens = 0;
+        const toolCalls = [];
+        let curToolId = '';
+        let curToolName = '';
+        let curToolArgs = '';
         const reader = res.body?.getReader();
         if (!reader)
             throw new Error('No response body');
@@ -155,52 +213,313 @@ async function callAnthropic(config, systemPrompt, userMessage, onChunk) {
                 if (data === '[DONE]')
                     continue;
                 try {
-                    const event = JSON.parse(data);
-                    if (event.type === 'content_block_delta' && event.delta?.text) {
-                        content += event.delta.text;
-                        onChunk(event.delta.text);
+                    const ev = JSON.parse(data);
+                    if (ev.type === 'content_block_start' && ev.content_block?.type === 'tool_use') {
+                        curToolId = ev.content_block.id || '';
+                        curToolName = ev.content_block.name || '';
+                        curToolArgs = '';
                     }
-                    if (event.type === 'message_delta' && event.usage) {
-                        outputTokens = event.usage.output_tokens || 0;
+                    if (ev.type === 'content_block_delta') {
+                        if (ev.delta?.type === 'text_delta' && ev.delta?.text) {
+                            content += ev.delta.text;
+                            onChunk(ev.delta.text);
+                        }
+                        if (ev.delta?.type === 'thinking_delta' && ev.delta?.thinking) {
+                            thinking += ev.delta.thinking;
+                        }
+                        if (ev.delta?.type === 'input_json_delta' && ev.delta?.partial_json) {
+                            curToolArgs += ev.delta.partial_json;
+                        }
                     }
-                    if (event.type === 'message_start' && event.message?.usage) {
-                        inputTokens = event.message.usage.input_tokens || 0;
+                    if (ev.type === 'content_block_stop' && curToolId) {
+                        try {
+                            toolCalls.push({ id: curToolId, name: curToolName, arguments: JSON.parse(curToolArgs || '{}') });
+                        }
+                        catch { /* skip */ }
+                        curToolId = '';
+                        curToolName = '';
+                        curToolArgs = '';
                     }
+                    if (ev.type === 'message_delta' && ev.usage)
+                        outputTokens = ev.usage.output_tokens || 0;
+                    if (ev.type === 'message_start' && ev.message?.usage)
+                        inputTokens = ev.message.usage.input_tokens || 0;
                 }
-                catch { /* skip non-JSON lines */ }
+                catch { /* skip */ }
             }
         }
-        return { content, model: config.model, inputTokens, outputTokens };
+        return {
+            content, model: config.model, inputTokens, outputTokens,
+            thinking: thinking || undefined, thinkingTokens: undefined,
+            toolCalls: toolCalls.length ? toolCalls : undefined,
+            _rawContent: buildRawContent(content, thinking, toolCalls),
+        };
     }
     else {
         // Non-streaming
         const res = await fetch(`${baseUrl}/v1/messages`, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json',
-                'x-api-key': config.apiKey,
-                'anthropic-version': '2023-06-01',
-            },
-            body: JSON.stringify({
-                model: config.model,
-                max_tokens: maxTokens,
-                system: systemPrompt,
-                messages: [{ role: 'user', content: userMessage }],
-            }),
+            method: 'POST', headers, body: JSON.stringify(body),
         });
         if (!res.ok) {
             const err = await res.text();
             throw new Error(`Anthropic API error ${res.status}: ${err}`);
         }
         const data = await res.json();
+        let content = '';
+        let thinking = '';
+        const toolCalls = [];
+        for (const block of (data.content || [])) {
+            if (block.type === 'text')
+                content += block.text;
+            if (block.type === 'thinking')
+                thinking += block.thinking;
+            if (block.type === 'tool_use') {
+                toolCalls.push({ id: block.id, name: block.name, arguments: block.input || {} });
+            }
+        }
         return {
-            content: data.content?.[0]?.text || '',
-            model: data.model || config.model,
+            content, model: data.model || config.model,
             inputTokens: data.usage?.input_tokens,
             outputTokens: data.usage?.output_tokens,
+            thinking: thinking || undefined,
+            toolCalls: toolCalls.length ? toolCalls : undefined,
+            _rawContent: data.content,
         };
     }
 }
+function buildRawContent(content, thinking, toolCalls) {
+    const blocks = [];
+    if (thinking)
+        blocks.push({ type: 'thinking', thinking });
+    if (content)
+        blocks.push({ type: 'text', text: content });
+    for (const tc of toolCalls)
+        blocks.push({ type: 'tool_use', id: tc.id, name: tc.name, input: tc.arguments });
+    return blocks;
+}
+// ─── OpenAI Responses API ────────────────────────────────────────────
+async function callOpenAIResponses(config, systemPrompt, userMessage, onChunk) {
+    const baseUrl = config.baseUrl || BASE_URLS.openai;
+    const maxTokens = config.maxTokens || 8192;
+    const headers = {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${config.apiKey}`,
+    };
+    const input = [
+        { role: 'developer', content: systemPrompt },
+        { role: 'user', content: userMessage },
+    ];
+    const tools = [];
+    if (config.webSearch)
+        tools.push({ type: 'web_search' });
+    if (config.tools?.length) {
+        for (const t of config.tools) {
+            tools.push({
+                type: 'function', name: t.name, description: t.description,
+                parameters: t.parameters, strict: true,
+            });
+        }
+    }
+    const body = { model: config.model, input, max_output_tokens: maxTokens };
+    if (tools.length)
+        body.tools = tools;
+    if (config.responseFormat === 'json')
+        body.text = { format: { type: 'json_object' } };
+    if (onChunk) {
+        body.stream = true;
+        const res = await fetch(`${baseUrl}/v1/responses`, {
+            method: 'POST', headers, body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+            const err = await res.text();
+            // Fallback to Chat Completions if Responses API not available
+            if (res.status === 404)
+                return callOpenAICompatible(config, systemPrompt, userMessage, onChunk);
+            throw new Error(`OpenAI API error ${res.status}: ${err}`);
+        }
+        let content = '';
+        let inputTokens = 0;
+        let outputTokens = 0;
+        const toolCalls = [];
+        const reader = res.body?.getReader();
+        if (!reader)
+            throw new Error('No response body');
+        const decoder = new TextDecoder();
+        let buffer = '';
+        while (true) {
+            const { done, value } = await reader.read();
+            if (done)
+                break;
+            buffer += decoder.decode(value, { stream: true });
+            const lines = buffer.split('\n');
+            buffer = lines.pop() || '';
+            for (const line of lines) {
+                if (!line.startsWith('data: '))
+                    continue;
+                const d = line.slice(6).trim();
+                if (d === '[DONE]')
+                    continue;
+                try {
+                    const ev = JSON.parse(d);
+                    if (ev.type === 'response.output_text.delta' && ev.delta) {
+                        content += ev.delta;
+                        onChunk(ev.delta);
+                    }
+                    if (ev.type === 'response.function_call_arguments.done') {
+                        try {
+                            toolCalls.push({ id: ev.call_id || '', name: ev.name || '', arguments: JSON.parse(ev.arguments || '{}') });
+                        }
+                        catch { /* skip */ }
+                    }
+                    if (ev.type === 'response.completed' && ev.response?.usage) {
+                        inputTokens = ev.response.usage.input_tokens || 0;
+                        outputTokens = ev.response.usage.output_tokens || 0;
+                    }
+                }
+                catch { /* skip */ }
+            }
+        }
+        if (toolCalls.length && config.toolExecutor) {
+            return handleOpenAIToolLoop(config, baseUrl, headers, body, content, toolCalls, inputTokens, outputTokens, onChunk);
+        }
+        return { content, model: config.model, inputTokens, outputTokens, toolCalls: toolCalls.length ? toolCalls : undefined };
+    }
+    else {
+        // Non-streaming
+        const res = await fetch(`${baseUrl}/v1/responses`, {
+            method: 'POST', headers, body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+            const err = await res.text();
+            if (res.status === 404)
+                return callOpenAICompatible(config, systemPrompt, userMessage, undefined);
+            throw new Error(`OpenAI API error ${res.status}: ${err}`);
+        }
+        const data = await res.json();
+        let content = '';
+        const toolCalls = [];
+        for (const item of (data.output || [])) {
+            if (item.type === 'message') {
+                for (const part of (item.content || [])) {
+                    if (part.type === 'output_text')
+                        content += part.text;
+                }
+            }
+            if (item.type === 'function_call') {
+                try {
+                    toolCalls.push({ id: item.call_id || item.id || '', name: item.name || '', arguments: JSON.parse(item.arguments || '{}') });
+                }
+                catch { /* skip */ }
+            }
+        }
+        if (!content && data.output_text)
+            content = data.output_text;
+        if (toolCalls.length && config.toolExecutor) {
+            return handleOpenAIToolLoop(config, baseUrl, headers, body, content, toolCalls, data.usage?.input_tokens, data.usage?.output_tokens, undefined);
+        }
+        return {
+            content, model: data.model || config.model,
+            inputTokens: data.usage?.input_tokens, outputTokens: data.usage?.output_tokens,
+            toolCalls: toolCalls.length ? toolCalls : undefined,
+        };
+    }
+}
+/** Agentic tool-call loop for OpenAI Responses API */
+async function handleOpenAIToolLoop(config, baseUrl, headers, origBody, partialContent, pending, inTok, outTok, onChunk) {
+    const maxRounds = config.maxToolRounds ?? 5;
+    const all = [...pending];
+    let content = partialContent;
+    let inputTokens = inTok;
+    let outputTokens = outTok;
+    for (let round = 0; round < maxRounds && pending.length; round++) {
+        const results = [];
+        for (const tc of pending) {
+            let r;
+            try {
+                r = await config.toolExecutor(tc.name, tc.arguments);
+            }
+            catch (e) {
+                r = `Error: ${e.message}`;
+            }
+            results.push({ type: 'function_call_output', call_id: tc.id, output: r });
+        }
+        const followUp = { ...origBody, input: results, stream: !!onChunk };
+        const res = await fetch(`${baseUrl}/v1/responses`, { method: 'POST', headers, body: JSON.stringify(followUp) });
+        if (!res.ok) {
+            const err = await res.text();
+            throw new Error(`OpenAI tool follow-up error ${res.status}: ${err}`);
+        }
+        pending = [];
+        if (onChunk) {
+            const reader = res.body?.getReader();
+            if (!reader)
+                throw new Error('No response body');
+            const dec = new TextDecoder();
+            let buf = '';
+            while (true) {
+                const { done, value } = await reader.read();
+                if (done)
+                    break;
+                buf += dec.decode(value, { stream: true });
+                const lines = buf.split('\n');
+                buf = lines.pop() || '';
+                for (const ln of lines) {
+                    if (!ln.startsWith('data: '))
+                        continue;
+                    const d = ln.slice(6).trim();
+                    if (d === '[DONE]')
+                        continue;
+                    try {
+                        const ev = JSON.parse(d);
+                        if (ev.type === 'response.output_text.delta' && ev.delta) {
+                            content += ev.delta;
+                            onChunk(ev.delta);
+                        }
+                        if (ev.type === 'response.function_call_arguments.done') {
+                            try {
+                                const tc = { id: ev.call_id || '', name: ev.name || '', arguments: JSON.parse(ev.arguments || '{}') };
+                                pending.push(tc);
+                                all.push(tc);
+                            }
+                            catch { /* skip */ }
+                        }
+                        if (ev.type === 'response.completed' && ev.response?.usage) {
+                            inputTokens = (inputTokens || 0) + (ev.response.usage.input_tokens || 0);
+                            outputTokens = (outputTokens || 0) + (ev.response.usage.output_tokens || 0);
+                        }
+                    }
+                    catch { /* skip */ }
+                }
+            }
+        }
+        else {
+            const data = await res.json();
+            for (const item of (data.output || [])) {
+                if (item.type === 'message') {
+                    for (const p of (item.content || [])) {
+                        if (p.type === 'output_text')
+                            content += p.text;
+                    }
+                }
+                if (item.type === 'function_call') {
+                    try {
+                        const tc = { id: item.call_id || item.id || '', name: item.name || '', arguments: JSON.parse(item.arguments || '{}') };
+                        pending.push(tc);
+                        all.push(tc);
+                    }
+                    catch { /* skip */ }
+                }
+            }
+            if (data.output_text && !content)
+                content = data.output_text;
+            if (data.usage) {
+                inputTokens = (inputTokens || 0) + (data.usage.input_tokens || 0);
+                outputTokens = (outputTokens || 0) + (data.usage.output_tokens || 0);
+            }
+        }
+    }
+    return { content, model: config.model, inputTokens, outputTokens, toolCalls: all.length ? all : undefined };
+}
 // ─── OpenAI-compatible Chat Completions ──────────────────────────────
 async function callOpenAICompatible(config, systemPrompt, userMessage, onChunk) {
     const baseUrl = config.baseUrl || BASE_URLS[config.provider] || BASE_URLS.openai;
@@ -209,31 +528,39 @@ async function callOpenAICompatible(config, systemPrompt, userMessage, onChunk)
         'Content-Type': 'application/json',
         'Authorization': `Bearer ${config.apiKey}`,
     };
-    // OpenRouter requires extra headers
     if (config.provider === 'openrouter') {
         headers['HTTP-Referer'] = 'https://guardlink.bugb.io';
         headers['X-Title'] = 'GuardLink CLI';
     }
+    const isDeepSeekReasoner = config.provider === 'deepseek' && config.model.includes('reasoner');
+    const body = {
+        model: config.model,
+        max_tokens: maxTokens,
+        messages: [
+            { role: 'system', content: systemPrompt },
+            { role: 'user', content: userMessage },
+        ],
+    };
+    if (config.responseFormat === 'json') {
+        body.response_format = { type: 'json_object' };
+    }
+    if (config.tools?.length) {
+        body.tools = config.tools.map(t => ({
+            type: 'function',
+            function: { name: t.name, description: t.description, parameters: t.parameters },
+        }));
+    }
     if (onChunk) {
-        // Streaming
+        body.stream = true;
         const res = await fetch(`${baseUrl}/v1/chat/completions`, {
-            method: 'POST',
-            headers,
-            body: JSON.stringify({
-                model: config.model,
-                max_tokens: maxTokens,
-                stream: true,
-                messages: [
-                    { role: 'system', content: systemPrompt },
-                    { role: 'user', content: userMessage },
-                ],
-            }),
+            method: 'POST', headers, body: JSON.stringify(body),
         });
         if (!res.ok) {
             const err = await res.text();
             throw new Error(`${config.provider} API error ${res.status}: ${err}`);
         }
         let content = '';
+        let reasoning = '';
         const reader = res.body?.getReader();
         if (!reader)
             throw new Error('No response body');
@@ -259,36 +586,31 @@ async function callOpenAICompatible(config, systemPrompt, userMessage, onChunk)
                         content += delta;
                         onChunk(delta);
                     }
+                    const reasoningDelta = event.choices?.[0]?.delta?.reasoning_content;
+                    if (reasoningDelta)
+                        reasoning += reasoningDelta;
                 }
                 catch { /* skip */ }
             }
         }
-        return { content, model: config.model };
+        return { content, model: config.model, thinking: reasoning || undefined };
     }
     else {
-        // Non-streaming
         const res = await fetch(`${baseUrl}/v1/chat/completions`, {
-            method: 'POST',
-            headers,
-            body: JSON.stringify({
-                model: config.model,
-                max_tokens: maxTokens,
-                messages: [
-                    { role: 'system', content: systemPrompt },
-                    { role: 'user', content: userMessage },
-                ],
-            }),
+            method: 'POST', headers, body: JSON.stringify(body),
         });
         if (!res.ok) {
             const err = await res.text();
             throw new Error(`${config.provider} API error ${res.status}: ${err}`);
         }
         const data = await res.json();
+        const choice = data.choices?.[0];
         return {
-            content: data.choices?.[0]?.message?.content || '',
+            content: choice?.message?.content || '',
             model: data.model || config.model,
             inputTokens: data.usage?.prompt_tokens,
             outputTokens: data.usage?.completion_tokens,
+            thinking: isDeepSeekReasoner ? (choice?.message?.reasoning_content || undefined) : undefined,
         };
     }
 }