llm-cli-gateway 1.0.0 → 1.1.0

package/dist/review-integrity.js

@@ -1,283 +1,49 @@
-/**
- * Review Integrity Bypass Detection
- *
- * Detects when orchestrating agents neuter the multi-LLM review process by:
- * - Embedding tool-suppression language in review prompts
- * - Inlining full code instead of letting reviewers read files directly
- * - Setting allowedTools:[] to strip tool access from reviewers
- *
- * Two-gate design: violations only emitted when BOTH review context AND
- * a restriction are detected. This avoids false positives on non-review
- * prompts that happen to contain similar language.
- */
-// Two-part review context detection: a REVIEW_ACTION verb/phrase + a CODE_ANCHOR
-// in the same prompt. This avoids false positives like "Analyze customer feedback"
-// (has action but no code anchor) while catching "Analyze the implementation" (has both).
-//
-// Unambiguous multi-word phrases (code review, security audit, etc.) match on
-// their own without needing a separate code anchor.
-// Phrases that are unambiguously code-review context on their own:
-const UNAMBIGUOUS_REVIEW = /\b(code\s*review|security\s*audit|security\s*review|security\s*(?:vulnerabilit(?:y|ies)|scan|assessment)|bug\s*finding|quality\s*analysis|code\s*quality|code\s*audit|code\s*inspection|static\s*analysis|penetration\s*test(?:ing)?|threat\s*model|owasp|pentest|red[- ]?team|backdoor|exploitab(?:le|ility)|vulnerabilit(?:y|ies)|defects?|flaws?|weakness(?:es)?)\b/i;
-// Broad review-action verbs that need a code anchor to confirm context:
-const REVIEW_ACTIONS = /\b(review|audit|analyze|inspect|examine|assess|evaluate|verify|validate|triage|hunt|vet(?:ting)?|probe|diagnos(?:e|tics?)|find\s*(?:bugs?|issues?|defects?|flaws?|attack\s*(?:surface|path|vector)s?)|check\s*(?:for\s+)?(?:bugs?|issues?|errors?|problems?|defects?)|look\s*over|scan\s*(?:for|the))\b/i;
-// Code-related anchor words that confirm the prompt is about software.
-// Excludes ambiguous words (service, session, controller, route) that appear in non-code contexts.
-const CODE_ANCHORS = /\b(code|source|implementation|function|method|class|module|component|files?|patch|diff|commit|PR|pull\s*request|API|endpoint|auth|parser|codebase|repositor(?:y|ies)|repo|src|\.ts|\.js|\.py|\.go|\.rs|\.java|error\s*handling|middleware|handler|test\s*suite|retry|database|query|schema|config)\b/i;
-/**
- * Detect whether the prompt is a review/audit context.
- * Uses two-part detection: unambiguous phrases match alone,
- * ambiguous verbs (review, analyze, etc.) require a code anchor.
- * Normalizes Unicode before matching to prevent confusable bypasses.
- */
-export function isReviewContext(prompt) {
-    const normalized = normalizeForMatching(prompt);
-    if (UNAMBIGUOUS_REVIEW.test(normalized))
-        return true;
-    return REVIEW_ACTIONS.test(normalized) && CODE_ANCHORS.test(normalized);
-}
-// Normalize text for matching: NFKD decomposition to fold compatibility characters AND
-// decompose precomposed diacritics, then strip combining marks and confusables.
-function normalizeForMatching(text) {
-    return text
-        // NFKD: decomposes compatibility chars AND precomposed diacritics (é → e + U+0301)
-        .normalize("NFKD")
-        // Strip combining marks (diacritics): é (e + U+0301), n̸ (n + U+0338), etc.
-        // Must happen AFTER NFKD decomposition so precomposed characters are split first.
-        .replace(/[\u0300-\u036F]/g, "")
-        // Strip invisible Unicode format characters (zero-width joiners, soft hyphens, etc.)
-        .replace(/[\u200B-\u200F\u2028-\u202F\u2060-\u206F\uFEFF\u00AD]/g, "")
-        .replace(/[\u2018\u2019\u0060\u00B4]/g, "'")
-        .replace(/[\u201C\u201D]/g, '"')
-        // Fold common Cyrillic confusables that survive NFKC (visually identical to Latin)
-        .replace(/\u0430/g, "a") // а → a
-        .replace(/\u0435/g, "e") // е → e
-        .replace(/\u043E/g, "o") // о → o
-        .replace(/\u0440/g, "p") // р → p
-        .replace(/\u0441/g, "c") // с → c
-        .replace(/\u0445/g, "x") // х → x
-        .replace(/\u0456/g, "i") // і → i (Cyrillic i)
-        .replace(/\u0410/g, "A") // А → A
-        .replace(/\u0415/g, "E") // Е → E
-        .replace(/\u041E/g, "O") // О → O
-        .replace(/\u0420/g, "P") // Р → P
-        .replace(/\u0421/g, "C") // С → C
-        .replace(/\u0425/g, "X") // Х → X
-        // Fold common Greek confusables (visually identical to Latin)
-        .replace(/\u03BF/g, "o") // ο → o (Greek omicron)
-        .replace(/\u03C5/g, "u") // υ → u (Greek upsilon)
-        .replace(/\u03BD/g, "v") // ν → v (Greek nu)
-        .replace(/\u03B1/g, "a") // α → a (Greek alpha)
-        .replace(/\u03B5/g, "e") // ε → e (Greek epsilon)
-        .replace(/\u03B9/g, "i") // ι → i (Greek iota)
-        .replace(/\u03BA/g, "k") // κ → k (Greek kappa)
-        .replace(/\u03C1/g, "p") // ρ → p (Greek rho)
-        .replace(/\u039F/g, "O") // Ο → O (Greek capital omicron)
-        .replace(/\u0391/g, "A") // Α → A (Greek capital alpha)
-        .replace(/\u0395/g, "E") // Ε → E (Greek capital epsilon)
-        .replace(/\u0399/g, "I") // Ι → I (Greek capital iota)
-        .replace(/\u039A/g, "K") // Κ → K (Greek capital kappa)
-        // Fold Latin small capitals and modifier letters (used in visual spoofing)
-        .replace(/\u1D0F/g, "o") // ᴏ → o (Latin small capital O)
-        .replace(/\u1D20/g, "v") // ᴠ → v (Latin small capital V)
-        .replace(/\u1D00/g, "a") // ᴀ → a (Latin small capital A)
-        .replace(/\u1D04/g, "c") // ᴄ → c (Latin small capital C)
-        .replace(/\u1D07/g, "e") // ᴇ → e (Latin small capital E)
-        .replace(/\u026A/g, "i") // ɪ → i (Latin small capital I)
-        .replace(/\u0280/g, "r"); // ʀ → r (Latin small capital R)
+const REVIEW_CONTEXT_PATTERN = /\b(review|audit|analy[sz]e|analysis|inspect|assess|pentest|security|vulnerabilit(?:y|ies)|bug(?:s)?|defect(?:s)?|quality|code\s+review)\b/i;
+const TOOL_SUPPRESSION_PATTERN = /\b(do\s*not|don't|never|without)\b[\s\S]{0,80}\b(tool(?:s)?|shell|bash|command(?:s)?)\b/i;
+const CRITICAL_TOOLS = ["Read", "Grep", "Glob", "Bash"];
+function canonicalizeTools(tools) {
+    return tools
+        .map(raw => raw.trim())
+        .filter(Boolean)
+        .map(trimmed => {
+        const cut = Math.min(...[trimmed.indexOf("("), trimmed.indexOf(":"), trimmed.length].filter(i => i >= 0));
+        return trimmed.slice(0, cut).trim();
+    });
 }
-// Patterns that combine negation with tool/command references.
-// Each pattern requires a negation word near a tool-related action.
-// Tolerates punctuation and intervening clauses between negation and tool noun.
-// (?:[\w,]+\s+){0,6} allows up to 6 intervening words/commas for punctuation-separated negations.
-const TOOL_SUPPRESSION_PATTERNS = [
-    /\b(?:do\s+not|don't|never|must\s+not|should\s+not|shouldn't|cannot|can't)\s*,?\s*(?:[\w,]+\s+){0,6}(?:run|use|execute|invoke|call|access)\s+(?:(?:\w+\s+){0,4})(?:tools?|shell\s*commands?|bash|terminal|cli|commands?)\b/i,
-    /\b(?:do\s+not|don't|never|must\s+not|should\s+not|shouldn't)\s*,?\s*(?:[\w,]+\s+){0,6}(?:read|open|access|consult)\s+(?:(?:\w+\s+){0,4})(?:files?|the\s+file\s*system|disk|repositor(?:y|ies)\s*files?)\b/i,
-    /\bwithout\s+(?:using|running|executing|accessing)\s+(?:(?:\w+\s+){0,4})(?:tools?|shell\s*commands?|external)\b/i,
-    /\b(?:respond|answer|analyze|reply)\s+(?:only|solely|exclusively)\s+(?:based\s+on|from|using)\s+(?:the\s+)?(?:code|context|information|text)\s+(?:provided|given|above|below)\b/i,
-    /\bno\s+(?:tool|shell|file|command|filesystem)\s+(?:access|usage|calls?|execution)\b/i,
-    // Specific tool-name suppression: "Do not use Read or Grep", "never call Bash"
-    // Case-sensitive for tool identifiers to avoid false positives like "read replicas"
-    /\b(?:[Dd]o\s+not|[Dd]on't|[Nn]ever|[Mm]ust\s+not|[Ss]hould\s+not|[Ss]houldn't|[Cc]annot|[Cc]an't)\s+(?:run|use|execute|invoke|call|access)\s+(?:Read|Grep|Glob|Bash|Write|Edit)\b/,
-    // "avoid/refrain from using tools" or "avoid opening files"
-    /\b(?:avoid|refrain\s+from)\s+(?:using|running|executing|accessing|calling|opening)\s+(?:(?:\w+\s+){0,4})(?:tools?|shell\s*commands?|bash|terminal|cli|commands?|external|files?|additional\s+files?)\b/i,
-    // Standalone "no tools" — bare denial of tool access
-    /\bno\s+tools\b/i,
-    // "base your answer on this diff/snippet/code only"
-    /\b(?:base|ground)\s+(?:your\s+)?(?:answer|response|analysis|review|conclusions?)\s+(?:on|upon)\s+(?:this|the)\s+(?:diff|snippet|code|patch|context|excerpt)\s+(?:only|alone|exclusively)\b/i,
-    // "use reasoning/analysis only" (from context, not tools)
-    /\buse\s+(?:only\s+)?(?:reasoning|analysis|your\s+judgment)\s+(?:only\s+)?(?:from|based\s+on)\s+(?:the\s+)?(?:snippet|diff|code|context|patch)\b/i,
-    // "work offline" / "do not call external resources"
-    /\bwork\s+offline\b/i,
-    // "self-contained" / "snippet only" / "sole source of truth"
-    /\b(?:self[- ]contained|snippet[- ]only|sole\s+source\s+of\s+truth)\b/i,
-    // "keep analysis to/within this snippet/excerpt/diff"
-    /\b(?:keep|restrict|limit|confine)\s+(?:the\s+)?(?:analysis|review|response|yourself)\s+(?:to|within)\s+(?:this|the)\s+(?:snippet|excerpt|diff|patch|code|context|text)\b/i,
-    // "tool access is unavailable/disabled/restricted"
-    /\btool\s+access\s+(?:is\s+)?(?:unavailable|disabled|restricted|not\s+available)\b/i,
-    // "use only what is shown/provided/pasted"
-    /\buse\s+only\s+(?:what\s+is\s+)?(?:shown|provided|pasted|given|included)\b/i,
-    // "no need to execute/run/access"
-    /\bno\s+need\s+to\s+(?:execute|run|access|open|read)\b/i,
-];
-/**
- * Detect tool-suppression language in a prompt.
- * Returns the matched patterns for diagnostics.
- */
-export function detectToolSuppression(prompt) {
-    const normalized = normalizeForMatching(prompt);
-    const matches = [];
-    for (const pattern of TOOL_SUPPRESSION_PATTERNS) {
-        const match = normalized.match(pattern);
-        if (match) {
-            matches.push(match[0]);
-        }
-    }
-    return matches;
+export function isReviewContext(prompt) {
+    return REVIEW_CONTEXT_PATTERN.test(prompt);
 }
-// Note: <code[^>]*> already matches code inside <pre><code> blocks,
-// so a separate <pre><code> pattern is not needed (would double-count).
-// Case-insensitive for <CODE>/<PRE> tags. Fence regex uses backreference for matched opener/closer.
-const INLINED_CODE_PATTERNS = [
-    /<code[^>]*>([\s\S]*?)<\/code>/gi,
-    // Standalone <pre> blocks that don't contain <code> (avoids double-counting <pre><code>)
-    /<pre[^>]*>(?!\s*<code)([\s\S]*?)<\/pre>/gi,
-    // Multi-line backtick fences: opener and closer must use same number of backticks
-    /(`{3,})[^\n]*\r?\n([\s\S]*?)\1/g,
-    // Multi-line tilde fences
-    /(~{3,})[^\n]*\r?\n([\s\S]*?)\1/g,
-    // Single-line backtick fences: ```<content>``` on one line
-    /`{3,}[^\n`]*`{3,}/g,
-];
-// Group index for captured content differs per pattern:
-// HTML code: group 1; pre: group 1; backtick/tilde multi-line: group 2; single-line: group 0 (full match)
-const INLINED_CODE_CONTENT_GROUPS = [1, 1, 2, 2, 0];
-const INLINED_CODE_MIN_LENGTH = 200;
-const INLINED_CODE_TOTAL_THRESHOLD = 1000;
-// Heuristic for detecting raw code pasted without fences or tags.
-// Multi-language token pattern: JS/TS + Rust + Python + Go + Java + C/C++.
-// Word-boundary tokens use \b; symbol tokens match without \b.
-const RAW_CODE_TOKEN_PATTERN = /(?:\b(?:import|export|from|require|function|const|let|var|class|interface|type|return|if|else|for|while|switch|case|try|catch|throw|async|await|new|this|fn|impl|pub|struct|match|mod|use|crate|mut|enum|trait|unsafe|def|elif|lambda|yield|pass|with|raise|except|func|package|defer|goroutine|chan|select|void|static|final|abstract|extends|implements|override|sizeof|template|namespace|include|typedef|printf|println)\b|=>|===|!==|[{};])/g;
-const RAW_CODE_MIN_TOKENS = 15;
-const RAW_CODE_DENSITY_THRESHOLD = 1.5; // tokens per 100 chars
-/**
- * Detect inlined code blocks that look like full file dumps.
- * Two detection strategies:
- * 1. Any single code block with 200+ chars is flagged.
- * 2. Fallback: if total chars across ALL code blocks (even small ones)
- *    exceeds 1000, flag to catch split-block bypass attempts.
- */
-export function detectInlinedCode(prompt) {
-    let count = 0;
-    let totalChars = 0;
-    let allBlocksTotal = 0;
-    let allBlocksCount = 0;
-    for (let i = 0; i < INLINED_CODE_PATTERNS.length; i++) {
-        const pattern = INLINED_CODE_PATTERNS[i];
-        const contentGroup = INLINED_CODE_CONTENT_GROUPS[i];
-        pattern.lastIndex = 0;
-        let match;
-        while ((match = pattern.exec(prompt)) !== null) {
-            const rawContent = contentGroup === 0 ? match[0] : match[contentGroup];
-            const content = (rawContent || "").trim();
-            allBlocksCount++;
-            allBlocksTotal += content.length;
-            if (content.length >= INLINED_CODE_MIN_LENGTH) {
-                count++;
-                totalChars += content.length;
-            }
-        }
-    }
-    // Fallback: catch split-block bypass (many small blocks totaling large payload)
-    if (count === 0 && allBlocksTotal >= INLINED_CODE_TOTAL_THRESHOLD) {
-        count = allBlocksCount;
-        totalChars = allBlocksTotal;
-    }
-    // Fallback: detect plain-text code dumps (no fences or tags) via code-token density.
-    // Only triggers when no fenced/tagged blocks were found and the prompt is large enough.
-    if (count === 0 && prompt.length >= INLINED_CODE_TOTAL_THRESHOLD) {
-        const codeTokens = prompt.match(RAW_CODE_TOKEN_PATTERN);
-        const tokenCount = codeTokens ? codeTokens.length : 0;
-        // Require minimum absolute token count AND density ratio (tokens per 100 chars)
-        const density = (tokenCount / prompt.length) * 100;
-        if (tokenCount >= RAW_CODE_MIN_TOKENS && density >= RAW_CODE_DENSITY_THRESHOLD) {
-            count = 1;
-            totalChars = prompt.length;
+export function checkReviewIntegrity(input) {
+    const violations = [];
+    const reviewContext = isReviewContext(input.prompt);
+    if (reviewContext && input.allowedTools && input.allowedTools.length === 0) {
+        violations.push({
+            type: "empty_allowed_tools",
+            score: 6,
+            detail: "Review request with empty allowedTools limits reviewer capability",
+        });
+    }
+    if (reviewContext && input.disallowedTools && input.disallowedTools.length > 0) {
+        const canonical = canonicalizeTools(input.disallowedTools);
+        const blockedCritical = CRITICAL_TOOLS.filter(tool => canonical.includes(tool));
+        if (blockedCritical.length > 0) {
+            violations.push({
+                type: "critical_tools_disallowed",
+                score: 6,
+                detail: `Critical review tools disallowed: ${blockedCritical.join(", ")}`,
+            });
         }
     }
-    return { count, totalChars };
-}
-/**
- * Combined review integrity check. Only emits violations when BOTH
- * review context is detected AND a restriction is present.
- */
-// Tools that reviewers need to independently verify code claims.
-const CRITICAL_REVIEW_TOOLS = ["Read", "Grep", "Glob", "Bash"];
-// Extract base tool name from scoped/pattern forms like "Read(*)", "Bash(git:*)", "Grep"
-function canonicalizeToolName(spec) {
-    const trimmed = spec.trim();
-    const parenIdx = trimmed.indexOf("(");
-    const colonIdx = trimmed.indexOf(":");
-    const cutIdx = parenIdx >= 0 && colonIdx >= 0
-        ? Math.min(parenIdx, colonIdx)
-        : parenIdx >= 0 ? parenIdx : colonIdx >= 0 ? colonIdx : -1;
-    return cutIdx >= 0 ? trimmed.slice(0, cutIdx).trim() : trimmed;
-}
-export function checkReviewIntegrity(params) {
-    const reviewContext = isReviewContext(params.prompt);
-    const result = {
-        isReviewContext: reviewContext,
-        violations: [],
-        totalScore: 0,
-    };
-    // Gate: no violations emitted for non-review prompts
-    if (!reviewContext) {
-        return result;
-    }
-    // Check tool suppression language
-    const suppressionMatches = detectToolSuppression(params.prompt);
-    if (suppressionMatches.length > 0) {
-        const violation = {
+    if (reviewContext && TOOL_SUPPRESSION_PATTERN.test(input.prompt)) {
+        violations.push({
             type: "tool_suppression",
             score: 4,
-            detail: `Prompt contains tool-suppression language in review context: ${suppressionMatches.join("; ")}`,
-        };
-        result.violations.push(violation);
-        result.totalScore += violation.score;
-    }
-    // Check inlined code
-    const inlined = detectInlinedCode(params.prompt);
-    if (inlined.count > 0) {
-        const violation = {
-            type: "inlined_code",
-            score: 2,
-            detail: `Prompt inlines ${inlined.count} code block(s) (${inlined.totalChars} chars) instead of file paths — reviewers should read files directly`,
-        };
-        result.violations.push(violation);
-        result.totalScore += violation.score;
-    }
-    // Check empty allowedTools
-    if (params.allowedTools && params.allowedTools.length === 0) {
-        const violation = {
-            type: "empty_allowed_tools",
-            score: 4,
-            detail: "allowedTools is empty in review context — reviewers need tool access to read files and verify claims",
-        };
-        result.violations.push(violation);
-        result.totalScore += violation.score;
-    }
-    // Check disallowedTools blocking critical review tools (canonicalize to handle scoped forms like "Read(*)")
-    if (params.disallowedTools && params.disallowedTools.length > 0) {
-        const canonicalized = params.disallowedTools.map(canonicalizeToolName);
-        const blocked = CRITICAL_REVIEW_TOOLS.filter(t => canonicalized.includes(t));
-        if (blocked.length > 0) {
-            const violation = {
-                type: "critical_tools_disallowed",
-                score: 4,
-                detail: `Critical review tools disallowed: ${blocked.join(", ")} — reviewers need these to verify claims`,
-            };
-            result.violations.push(violation);
-            result.totalScore += violation.score;
-        }
+            detail: "Prompt contains tool-suppression language in review context",
+        });
     }
-    return result;
+    return {
+        isReviewContext: reviewContext,
+        violations,
+        totalScore: violations.reduce((sum, violation) => sum + violation.score, 0),
+    };
 }

package/dist/session-manager-pg.js

@@ -2,7 +2,7 @@ import { randomUUID } from "crypto";
 const DEFAULT_SESSION_DESCRIPTIONS = {
     claude: "Claude Session",
     codex: "Codex Session",
-    gemini: "Gemini Session"
+    gemini: "Gemini Session",
 };
 /**
  * PostgreSQL-backed session manager with Redis caching
@@ -127,7 +127,7 @@ export class PostgreSQLSessionManager {
                 cli,
                 createdAt: now,
                 lastUsedAt: now,
-                description: sessionDescription
+                description: sessionDescription,
             };
             // Write-through to cache
             try {
@@ -207,7 +207,9 @@ export class PostgreSQLSessionManager {
             : `SELECT id, cli, description, metadata, created_at AS "createdAt", last_used_at AS "lastUsedAt"
          FROM sessions
          ORDER BY last_used_at DESC`;
-        const result = cli ? await this.pool.query(query, [cli]) : await this.pool.query(query);
+        const result = cli
+            ? await this.pool.query(query, [cli])
+            : await this.pool.query(query);
         const sessions = result.rows;
         // Cache CLI-specific lists
         if (cacheKey) {
@@ -369,7 +371,7 @@ export class PostgreSQLSessionManager {
                 await Promise.all([
                     this.redis.del("active_session:claude"),
                     this.redis.del("active_session:codex"),
-                    this.redis.del("active_session:gemini")
+                    this.redis.del("active_session:gemini"),
                 ]);
             }
             catch (error) {

package/dist/session-manager.js

@@ -1,7 +1,7 @@
 import { randomUUID } from "crypto";
 import { homedir } from "os";
 import { join, dirname } from "path";
-import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync, openSync, fsyncSync, closeSync, chmodSync } from "fs";
+import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync, openSync, fsyncSync, closeSync, chmodSync, } from "fs";
 import { DEFAULT_SESSION_TTL_SECONDS } from "./config.js";
 import { noopLogger } from "./logger.js";
 export const CLI_TYPES = ["claude", "codex", "gemini"];
@@ -9,7 +9,7 @@ const createEmptyActiveSessions = () => Object.fromEntries(CLI_TYPES.map(cli =>
 const DEFAULT_SESSION_DESCRIPTIONS = {
     claude: "Claude Session",
     codex: "Codex Session",
-    gemini: "Gemini Session"
+    gemini: "Gemini Session",
 };
 export class FileSessionManager {
     storagePath;
@@ -65,7 +65,10 @@ export class FileSessionManager {
     }
     saveStorage() {
         const tempPath = `${this.storagePath}.tmp.${process.pid}`;
-        writeFileSync(tempPath, JSON.stringify(this.storage, null, 2), { encoding: "utf-8", mode: 0o600 });
+        writeFileSync(tempPath, JSON.stringify(this.storage, null, 2), {
+            encoding: "utf-8",
+            mode: 0o600,
+        });
         const fd = openSync(tempPath, "r+");
         try {
             fsyncSync(fd);
@@ -85,7 +88,7 @@ export class FileSessionManager {
             cli,
             createdAt: new Date().toISOString(),
             lastUsedAt: new Date().toISOString(),
-            description: sessionDescription
+            description: sessionDescription,
         };
         this.storage.sessions[id] = session;
         // Set as active session if none exists for this CLI

package/dist/stream-json-parser.js

@@ -42,12 +42,14 @@ export function parseStreamJson(stdout) {
     }
     // Extract from result event (preferred)
     if (resultEvent) {
-        const usage = resultEvent.usage ? {
-            inputTokens: resultEvent.usage.input_tokens ?? 0,
-            outputTokens: resultEvent.usage.output_tokens ?? 0,
-            cacheReadInputTokens: resultEvent.usage.cache_read_input_tokens ?? 0,
-            cacheCreationInputTokens: resultEvent.usage.cache_creation_input_tokens ?? 0,
-        } : null;
+        const usage = resultEvent.usage
+            ? {
+                inputTokens: resultEvent.usage.input_tokens ?? 0,
+                outputTokens: resultEvent.usage.output_tokens ?? 0,
+                cacheReadInputTokens: resultEvent.usage.cache_read_input_tokens ?? 0,
+                cacheCreationInputTokens: resultEvent.usage.cache_creation_input_tokens ?? 0,
+            }
+            : null;
         return {
             text: resultEvent.result ?? "",
             costUsd: resultEvent.total_cost_usd ?? null,

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "llm-cli-gateway",
-  "version": "1.0.0",
+  "version": "1.1.0",
+  "mcpName": "io.github.verivus-oss/llm-cli-gateway",
   "description": "MCP server providing unified access to Claude Code, Codex, and Gemini CLIs with session management, retry logic, and async job orchestration.",
   "license": "MIT",
   "author": {
@@ -38,7 +39,7 @@
     "llm-cli-gateway": "./dist/index.js"
   },
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   },
   "files": [
     "dist/**/*.js",
@@ -60,7 +61,7 @@
     "test:unit": "vitest run src/__tests__/executor.test.ts",
     "test:session": "vitest run src/__tests__/session-manager.test.ts",
     "test:session-pg": "bash ./scripts/test-pg.sh src/__tests__/session-manager-pg.test.ts",
-    "test:integration": "vitest run src/__tests__/integration.test.ts",
+    "test:integration": "INTEGRATION_TESTS=1 vitest run src/__tests__/integration.test.ts",
     "test:pg": "bash ./scripts/test-pg.sh",
     "test:all": "npm run test && npm run test:pg",
     "lint": "eslint src/**/*.ts",
@@ -71,16 +72,19 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.0",
+    "better-sqlite3": "^11.0.0",
     "ioredis": "^5.4.1",
     "pg": "^8.12.0",
     "toml": "^3.0.0",
     "zod": "^3.23.0"
   },
   "devDependencies": {
+    "@types/better-sqlite3": "^7.6.0",
     "@types/node": "^20.19.30",
     "@types/pg": "^8.11.10",
     "@typescript-eslint/eslint-plugin": "^6.0.0",
     "@typescript-eslint/parser": "^6.0.0",
+    "@vitest/coverage-v8": "^4.1.2",
     "eslint": "^8.0.0",
     "eslint-config-prettier": "^9.0.0",
     "prettier": "^3.0.0",