llm-cli-gateway 1.14.0 → 1.15.1

package/dist/async-job-manager.js

@@ -207,15 +207,21 @@ export class AsyncJobManager {
      * (sorted keys → JSON-stringified). This prevents two Mistral requests with the
      * same argv but different `VIBE_ACTIVE_MODEL` from deduping onto each other.
      */
-    buildRequestKey(cli, args, env, stdin) {
+    buildRequestKey(cli, args, env, stdin, cwd) {
         // Slice κ: stdin participates in the dedup key. Two Claude requests
         // with identical argv but different cache_control content blocks
         // would otherwise collide on dedup and the second caller would get
         // the wrong response. The legacy "no stdin" code path passes
         // stdin=undefined, which serialises to the same empty marker the
         // previous version emitted — non-κ dedup is unchanged.
+        // Slice λ: cwd participates similarly. Two requests with identical
+        // argv but different worktrees would otherwise collide on dedup and
+        // the second caller would receive a response executed in the wrong
+        // worktree. cwd=undefined preserves the pre-λ key shape — non-λ
+        // dedup is unchanged.
         const extraEnv = canonicaliseEnvForKey(env);
-        const extra = stdin === undefined ? extraEnv : `${extraEnv}|stdin:${stdin}`;
+        const withStdin = stdin === undefined ? extraEnv : `${extraEnv}|stdin:${stdin}`;
+        const extra = cwd === undefined ? withStdin : `${withStdin}|cwd:${cwd}`;
         return computeRequestKey(cli, args, extra);
     }
     fireOnComplete(job) {
@@ -449,7 +455,7 @@ export class AsyncJobManager {
      */
     startJobWithDedup(cli, args, correlationId, opts = {}) {
         const { cwd, idleTimeoutMs, outputFormat, forceRefresh, env: extraEnv, stdin, onComplete, flightRecorderEntry, extractUsage, writeFlightStart, } = opts;
-        const requestKey = this.buildRequestKey(cli, args, extraEnv, stdin);
+        const requestKey = this.buildRequestKey(cli, args, extraEnv, stdin, cwd);
         if (!forceRefresh && this.store) {
             try {
                 const existing = this.store.findByRequestKey(requestKey);
@@ -810,8 +816,9 @@ export class AsyncJobManager {
                 job.error = "Output exceeded maximum size (50MB)";
                 job.finishedAt = new Date().toISOString();
                 job.clearIdleTimer?.();
-                if (job.process)
+                if (job.process) {
                     killProcessGroup(job.process, "SIGTERM");
+                }
                 this.logger.info(`Job ${job.id} killed due to output overflow`, {
                     correlationId: job.correlationId,
                 });
@@ -819,11 +826,16 @@ export class AsyncJobManager {
                 this.persistComplete(job);
                 this.writeFlightComplete(job, "failed", "Output exceeded maximum size (50MB)");
                 this.fireOnComplete(job);
-                setTimeout(() => {
-                    if (!job.exited && job.process)
-                        killProcessGroup(job.process, "SIGKILL");
+                if (job.process) {
+                    setTimeout(() => {
+                        if (!job.exited && job.process)
+                            killProcessGroup(job.process, "SIGKILL");
+                        job.cleanupGroup?.();
+                    }, 5000);
+                }
+                else {
                     job.cleanupGroup?.();
-                }, 5000);
+                }
             }
             return;
         }

package/dist/executor.js

@@ -139,18 +139,48 @@ export function resolveCommandForSpawn(command, args, options = {}) {
     if ([".cmd", ".bat"].includes(extname(resolved).toLowerCase())) {
         return {
             command: "cmd.exe",
-            args: ["/d", "/s", "/c", `"${buildWindowsCmdCommand(resolved, args)}"`],
+            args: [
+                "/d",
+                "/s",
+                "/c",
+                // Windows .cmd/.bat shims require cmd.exe. `buildWindowsCmdCommand`
+                // applies CommandLineToArgvW quoting and cmd metacharacter escaping
+                // to every dynamic segment before it reaches this shell boundary.
+                //
+                // codeql[js/shell-command-constructed-from-input]
+                `"${buildWindowsCmdCommand(resolved, args)}"`,
+            ],
             windowsVerbatimArguments: true,
         };
     }
     return { command: resolved, args };
 }
 function buildWindowsCmdCommand(command, args) {
+    // codeql[js/shell-command-constructed-from-input]
     return [escapeWindowsCmdCommand(command), ...args.map(escapeWindowsCmdArgument)].join(" ");
 }
-const WINDOWS_CMD_META_CHARS = /([()\][%!^"`<>&|;, *?])/g;
+const WINDOWS_CMD_META_CHARS = new Set([
+    "(",
+    ")",
+    "]",
+    "[",
+    "%",
+    "!",
+    "^",
+    '"',
+    "`",
+    "<",
+    ">",
+    "&",
+    "|",
+    ";",
+    ",",
+    " ",
+    "*",
+    "?",
+]);
 function escapeWindowsCmdCommand(value) {
-    return win32.normalize(value).replace(WINDOWS_CMD_META_CHARS, "^$1");
+    return escapeWindowsCmdMetaChars(win32.normalize(value));
 }
 // CommandLineToArgvW rules: a run of N backslashes before a literal " must be
 // doubled and followed by \" (yielding 2N+1 backslashes total, so the parser
@@ -158,11 +188,38 @@ function escapeWindowsCmdCommand(value) {
 // before the closing " must be doubled (2N) so the quote still terminates the
 // arg. Then wrap in quotes and caret-escape cmd.exe metacharacters.
 function escapeWindowsCmdArgument(value) {
-    let arg = `${value}`;
-    arg = arg.replace(/(\\*)"/g, '$1$1\\"');
-    arg = arg.replace(/(\\*)$/, "$1$1");
-    arg = `"${arg}"`;
-    return arg.replace(WINDOWS_CMD_META_CHARS, "^$1");
+    return escapeWindowsCmdMetaChars(quoteWindowsArgForCommandLineToArgv(`${value}`));
+}
+function quoteWindowsArgForCommandLineToArgv(value) {
+    let encoded = "";
+    let backslashes = 0;
+    for (const ch of value) {
+        if (ch === "\\") {
+            backslashes += 1;
+            continue;
+        }
+        if (ch === '"') {
+            encoded += "\\".repeat(backslashes * 2 + 1);
+            encoded += '"';
+            backslashes = 0;
+            continue;
+        }
+        encoded += "\\".repeat(backslashes);
+        backslashes = 0;
+        encoded += ch;
+    }
+    encoded += "\\".repeat(backslashes * 2);
+    return `"${encoded}"`;
+}
+function escapeWindowsCmdMetaChars(value) {
+    let escaped = "";
+    for (const ch of value) {
+        if (WINDOWS_CMD_META_CHARS.has(ch)) {
+            escaped += "^";
+        }
+        escaped += ch;
+    }
+    return escaped;
 }
 function resolveWindowsCommandPath(command, envPath) {
     if (/[\\/]/.test(command)) {

package/dist/index.d.ts

@@ -67,6 +67,36 @@ type GatewayLogger = typeof logger;
  */
 export declare const MAX_TURNS_SCHEMA: z.ZodNumber;
 export declare const MAX_PRICE_SCHEMA: z.ZodNumber;
+/**
+ * Slice λ: shared worktree directive for all 10 `*_request` / `*_request_async`
+ * tools. `true` creates a fresh worktree under `<repoRoot>/.worktrees/<uuid>`
+ * branched from HEAD. `{ name?, ref? }` lets the caller supply a sanitized
+ * name and/or git ref (default ref: HEAD).
+ *
+ * Lifecycle is gateway-owned: the gateway pre-creates the worktree via
+ * `git worktree add`, then spawns the child CLI with `cwd: <worktree-path>`.
+ * No `-w` / `--worktree` flag is ever emitted to the underlying CLI. When
+ * the request carries a sessionId and the session already has a worktree,
+ * that worktree is reused. On session_delete or TTL eviction the gateway
+ * runs `git worktree remove --force`.
+ *
+ * Tool response: when a worktree was used, the successful response stdout
+ * is prefixed with `[gateway] worktree=<absolute-path>\n` so callers can
+ * parse/use the path without a schema change (slice λ §1.d).
+ *
+ * NOTE: callers should `.gitignore` the `.worktrees/` directory in their
+ * repo (the gateway does NOT auto-gitignore — see slice λ spec Q4).
+ */
+export declare const WORKTREE_SCHEMA: z.ZodUnion<[z.ZodBoolean, z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    ref: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    name?: string | undefined;
+    ref?: string | undefined;
+}, {
+    name?: string | undefined;
+    ref?: string | undefined;
+}>]>;
 export declare const SESSION_PROVIDER_VALUES: readonly ["claude", "codex", "gemini", "grok", "mistral"];
 export declare const SESSION_PROVIDER_ENUM: z.ZodEnum<["claude", "codex", "gemini", "grok", "mistral"]>;
 export type SessionProvider = (typeof SESSION_PROVIDER_VALUES)[number];
@@ -97,6 +127,57 @@ export interface GatewayServerRuntime {
 export declare function resolveGatewayServerRuntime(deps?: GatewayServerDeps, options?: {
     isolateState?: boolean;
 }): GatewayServerRuntime;
+/**
+ * Slice λ: shape returned by `resolveWorktreeForRequest`. `cwd` is what
+ * the spawn helpers (`executeCli`, `startJobWithDedup`) consume;
+ * `worktreePath` is what the tool handler embeds in the response prefix
+ * so callers can discover the path.
+ */
+export interface ResolvedWorktree {
+    cwd?: string;
+    worktreePath?: string;
+}
+/**
+ * Slice λ: resolve a request's worktree directive into a spawn cwd.
+ *
+ * - `worktreeOpt` is the Zod-validated input value (boolean |
+ *   `{ name?, ref? }` | undefined).
+ * - When the request has a session AND the session already has a
+ *   `metadata.worktreePath`, that path is reused (resume semantics).
+ *   The reused path is returned without touching git; if the directory
+ *   was externally removed between requests, the next CLI invocation
+ *   will surface the error naturally.
+ * - When no reusable worktree exists, `createWorktree` runs; on success
+ *   the new path is written to `session.metadata` (only when a session
+ *   exists — request-scoped worktrees do NOT persist).
+ * - Returns `{}` when `worktreeOpt` is undefined/false (preserves
+ *   pre-λ behaviour at non-worktree call sites).
+ * - Errors propagate as `WorktreeError`/`Error`; the caller wraps them
+ *   in a `createErrorResponse` envelope. Do NOT swallow.
+ *
+ * Spec: docs/plans/slice-lambda.spec.md §"Implementation surface to
+ * verify" §5.
+ */
+export declare function resolveWorktreeForRequest(worktreeOpt: boolean | {
+    name?: string;
+    ref?: string;
+} | undefined, sessionId: string | undefined, runtime: GatewayServerRuntime): Promise<ResolvedWorktree>;
+/**
+ * Slice λ §1.d: response-envelope shape decision for `worktreePath`.
+ *
+ * We surface the worktree path inline as a stdout prefix
+ * (`[gateway] worktree=<absolute-path>\n`) rather than as a
+ * structuredContent field or JSON wrapper. Rationale:
+ *   - zero schema change across all 10 tools and their downstream parsers
+ *   - matches how other slice features (session warnings, cache_state
+ *     aggregates) surface side-channel metadata today
+ *   - callers that want the path can split on the first newline; callers
+ *     that don't care see a single ignorable header line
+ *
+ * Use `formatWorktreePrefix(resolution.worktreePath)` once per tool, at
+ * the moment a successful response is constructed.
+ */
+export declare function formatWorktreePrefix(worktreePath?: string): string;
 export declare function extractUsageAndCost(cli: "claude" | "codex" | "gemini" | "grok" | "mistral", output: string, outputFormat?: string, 
 /**
  * Optional context for off-stdout telemetry sources. Today only Mistral
@@ -384,6 +465,11 @@ export interface GeminiRequestParams {
     attachments?: string[];
     /** Phase 4 slice γ: emit `--skip-trust` for fresh-workspace headless runs. */
     skipTrust?: boolean;
+    /** Slice λ: run this request inside a gateway-owned git worktree. */
+    worktree?: boolean | {
+        name?: string;
+        ref?: string;
+    };
 }
 export interface HandlerDeps {
     sessionManager: ISessionManager;
@@ -436,6 +522,11 @@ export interface GrokRequestParams {
     allow?: string[];
     /** Phase 4 slice θ: Grok `--deny <RULE>` (repeatable; one entry per --deny instance). */
     deny?: string[];
+    /** Slice λ: run this request inside a gateway-owned git worktree. */
+    worktree?: boolean | {
+        name?: string;
+        ref?: string;
+    };
 }
 export declare function handleGrokRequest(deps: HandlerDeps, params: GrokRequestParams): Promise<ExtendedToolResponse>;
 export declare function handleGrokRequestAsync(deps: AsyncHandlerDeps, params: Omit<GrokRequestParams, "optimizeResponse">): Promise<ExtendedToolResponse>;
@@ -470,6 +561,11 @@ export interface MistralRequestParams {
     workingDir?: string;
     /** Phase 4 slice ζ: Vibe `--add-dir <DIR>` repeatable add-dir parity. */
     addDir?: string[];
+    /** Slice λ: run this request inside a gateway-owned git worktree. */
+    worktree?: boolean | {
+        name?: string;
+        ref?: string;
+    };
 }
 export declare function handleMistralRequest(deps: HandlerDeps, params: MistralRequestParams): Promise<ExtendedToolResponse>;
 export declare function handleMistralRequestAsync(deps: AsyncHandlerDeps, params: Omit<MistralRequestParams, "optimizeResponse">): Promise<ExtendedToolResponse>;
@@ -504,6 +600,11 @@ export declare function handleCodexRequestAsync(deps: AsyncHandlerDeps, params:
     ignoreRules?: boolean;
     workingDir?: string;
     addDir?: string[];
+    /** Slice λ: run this request inside a gateway-owned git worktree. */
+    worktree?: boolean | {
+        name?: string;
+        ref?: string;
+    };
 }): Promise<ExtendedToolResponse>;
 export declare function createGatewayServer(deps?: GatewayServerDeps): McpServer;
 export {};