llm-cli-gateway 1.4.0 → 1.5.13

package/dist/flight-recorder.d.ts

@@ -1,6 +1,6 @@
 export interface FlightLogStart {
     correlationId: string;
-    cli: "claude" | "codex" | "gemini" | "grok";
+    cli: "claude" | "codex" | "gemini" | "grok" | "mistral";
     model: string;
     prompt: string;
     system?: string;
@@ -11,6 +11,8 @@ export interface FlightLogResult {
     response: string;
     inputTokens?: number;
     outputTokens?: number;
+    cacheReadTokens?: number;
+    cacheCreationTokens?: number;
     durationMs: number;
     retryCount: number;
     circuitBreakerState: string;

package/dist/flight-recorder.js

@@ -3,6 +3,21 @@ import os from "os";
 import path from "path";
 import { createRequire } from "module";
 const MAX_THINKING_BYTES = 1_000_000;
+/**
+ * Idempotent migration: add `cache_read_tokens` / `cache_creation_tokens`
+ * columns to the `requests` table if a pre-U23 logs.db is opened. Existing
+ * rows keep NULL for the new columns; that is intentional.
+ */
+function ensureRequestsCacheColumns(db) {
+    const rows = db.prepare("PRAGMA table_info(requests)").all?.() ?? [];
+    const names = new Set(rows.map((row) => (row && typeof row.name === "string" ? row.name : "")));
+    if (!names.has("cache_read_tokens")) {
+        db.exec("ALTER TABLE requests ADD COLUMN cache_read_tokens INTEGER");
+    }
+    if (!names.has("cache_creation_tokens")) {
+        db.exec("ALTER TABLE requests ADD COLUMN cache_creation_tokens INTEGER");
+    }
+}
 export function resolveFlightRecorderDbPath() {
     const configured = process.env.LLM_GATEWAY_LOGS_DB;
     if (configured !== undefined) {
@@ -80,7 +95,9 @@ export class FlightRecorder {
         duration_ms INTEGER,
         datetime_utc TEXT NOT NULL,
         input_tokens INTEGER,
-        output_tokens INTEGER
+        output_tokens INTEGER,
+        cache_read_tokens INTEGER,
+        cache_creation_tokens INTEGER
       );
 
       CREATE TABLE IF NOT EXISTS gateway_metadata (
@@ -106,6 +123,14 @@ export class FlightRecorder {
         this.db
             .prepare("INSERT OR IGNORE INTO _migrations(version, applied_at) VALUES(1, ?)")
             .run(new Date().toISOString());
+        // Migration v2: cache_read_tokens / cache_creation_tokens columns on
+        // pre-U23 logs.db files. ALTER TABLE ADD COLUMN is idempotent only via
+        // a prior PRAGMA table_info() check; better-sqlite3 has no native
+        // "IF NOT EXISTS" for ADD COLUMN.
+        ensureRequestsCacheColumns(this.db);
+        this.db
+            .prepare("INSERT OR IGNORE INTO _migrations(version, applied_at) VALUES(2, ?)")
+            .run(new Date().toISOString());
         if (process.platform !== "win32") {
             try {
                 chmodSync(dbPath, 0o600);
@@ -142,7 +167,9 @@ export class FlightRecorder {
       SET response = @response,
           duration_ms = @duration_ms,
           input_tokens = @input_tokens,
-          output_tokens = @output_tokens
+          output_tokens = @output_tokens,
+          cache_read_tokens = @cache_read_tokens,
+          cache_creation_tokens = @cache_creation_tokens
       WHERE id = @id
     `);
         const updateMetadata = this.db.prepare(`
@@ -168,6 +195,8 @@ export class FlightRecorder {
                 duration_ms: result.durationMs,
                 input_tokens: result.inputTokens ?? null,
                 output_tokens: result.outputTokens ?? null,
+                cache_read_tokens: result.cacheReadTokens ?? null,
+                cache_creation_tokens: result.cacheCreationTokens ?? null,
             });
             updateMetadata.run({
                 id: correlationId,

package/dist/gateway-server.d.ts

@@ -0,0 +1,2 @@
+export type { GatewayServerDeps } from "./index.js";
+export { createGatewayServer } from "./index.js";

package/dist/gateway-server.js

@@ -0,0 +1 @@
+export { createGatewayServer } from "./index.js";

package/dist/gemini-json-parser.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Parser for Gemini CLI `-o json` output.
+ *
+ * Gemini emits a single JSON object with:
+ *   - `response`: string final model output
+ *   - `usageMetadata`: { promptTokenCount, candidatesTokenCount,
+ *                        cachedContentTokenCount?, totalTokenCount }
+ *
+ * Returns null when stdout is not parseable as JSON. Returns an object with
+ * only `response` when usageMetadata is missing.
+ */
+export interface GeminiUsage {
+    input_tokens: number;
+    output_tokens: number;
+    cache_read_tokens?: number;
+}
+export interface GeminiJsonParseResult {
+    usage?: GeminiUsage;
+    response?: string;
+}
+export declare function parseGeminiJson(stdout: string): GeminiJsonParseResult | null;

package/dist/gemini-json-parser.js

@@ -0,0 +1,47 @@
+/**
+ * Parser for Gemini CLI `-o json` output.
+ *
+ * Gemini emits a single JSON object with:
+ *   - `response`: string final model output
+ *   - `usageMetadata`: { promptTokenCount, candidatesTokenCount,
+ *                        cachedContentTokenCount?, totalTokenCount }
+ *
+ * Returns null when stdout is not parseable as JSON. Returns an object with
+ * only `response` when usageMetadata is missing.
+ */
+export function parseGeminiJson(stdout) {
+    const trimmed = stdout.trim();
+    if (!trimmed) {
+        return null;
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(trimmed);
+    }
+    catch {
+        return null;
+    }
+    if (!parsed || typeof parsed !== "object") {
+        return null;
+    }
+    const result = {};
+    if (typeof parsed.response === "string") {
+        result.response = parsed.response;
+    }
+    const meta = parsed.usageMetadata;
+    if (meta && typeof meta === "object") {
+        const input = typeof meta.promptTokenCount === "number" ? meta.promptTokenCount : undefined;
+        const output = typeof meta.candidatesTokenCount === "number" ? meta.candidatesTokenCount : undefined;
+        if (input !== undefined || output !== undefined) {
+            const usage = {
+                input_tokens: input ?? 0,
+                output_tokens: output ?? 0,
+            };
+            if (typeof meta.cachedContentTokenCount === "number") {
+                usage.cache_read_tokens = meta.cachedContentTokenCount;
+            }
+            result.usage = usage;
+        }
+    }
+    return result;
+}

package/dist/health.d.ts

@@ -1,4 +1,5 @@
 import { DatabaseConnection } from "./db.js";
+import { type ProviderRuntimeStatus } from "./provider-status.js";
 export interface HealthStatus {
     status: "healthy" | "degraded" | "unhealthy";
     postgres: {
@@ -11,6 +12,11 @@ export interface HealthStatus {
     };
     timestamp: string;
 }
+export interface ProviderRuntimeHealth {
+    status: "healthy" | "degraded" | "unhealthy";
+    providers: Record<string, Pick<ProviderRuntimeStatus, "installed" | "version" | "loginStatus" | "loginCheck">>;
+    timestamp: string;
+}
 /**
  * Check health status of PostgreSQL and Redis
  * - Both up → healthy
@@ -18,3 +24,4 @@ export interface HealthStatus {
  * - PostgreSQL down → unhealthy (critical failure)
  */
 export declare function checkHealth(db: DatabaseConnection): Promise<HealthStatus>;
+export declare function checkProviderRuntimeHealth(): ProviderRuntimeHealth;

package/dist/health.js

@@ -1,3 +1,4 @@
+import { listProviderRuntimeStatuses } from "./provider-status.js";
 /**
  * Check health status of PostgreSQL and Redis
  * - Both up → healthy
@@ -30,3 +31,24 @@ export async function checkHealth(db) {
     }
     return health;
 }
+export function checkProviderRuntimeHealth() {
+    const providers = listProviderRuntimeStatuses();
+    const projected = Object.fromEntries(Object.entries(providers).map(([name, provider]) => [
+        name,
+        {
+            installed: provider.installed,
+            version: provider.version,
+            loginStatus: provider.loginStatus,
+            loginCheck: provider.loginCheck,
+        },
+    ]));
+    const statuses = Object.values(providers);
+    const installedCount = statuses.filter(provider => provider.installed).length;
+    const authenticatedCount = statuses.filter(provider => provider.loginStatus === "authenticated").length;
+    const status = installedCount === 0 ? "unhealthy" : authenticatedCount === 0 ? "degraded" : "healthy";
+    return {
+        status,
+        providers: projected,
+        timestamp: new Date().toISOString(),
+    };
+}

package/dist/http-transport.d.ts

@@ -0,0 +1,22 @@
+import { type Server } from "node:http";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { GatewayServerDeps } from "./index.js";
+export interface HttpTransportOptions {
+    host?: string;
+    port?: number;
+    path?: string;
+    deps?: GatewayServerDeps;
+    createGatewayServer: (deps?: GatewayServerDeps) => McpServer;
+    logger?: {
+        info: (...args: any[]) => void;
+        error: (...args: any[]) => void;
+        debug: (...args: any[]) => void;
+    };
+}
+export interface HttpGatewayHandle {
+    server: Server;
+    url: string;
+    close: () => Promise<void>;
+    sessionCount: () => number;
+}
+export declare function startHttpGateway(options: HttpTransportOptions): Promise<HttpGatewayHandle>;

package/dist/http-transport.js

@@ -0,0 +1,164 @@
+import { createServer } from "node:http";
+import { randomUUID } from "node:crypto";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
+import { authorizeBearerRequest, getRequiredBearerToken, writeAuthFailure } from "./auth.js";
+const noopLogger = {
+    info: (..._args) => { },
+    error: (..._args) => { },
+    debug: (..._args) => { },
+};
+function readBody(req) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        req.on("data", chunk => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
+        req.on("error", reject);
+        req.on("end", () => {
+            if (chunks.length === 0) {
+                resolve(undefined);
+                return;
+            }
+            const raw = Buffer.concat(chunks).toString("utf8");
+            try {
+                resolve(JSON.parse(raw));
+            }
+            catch (error) {
+                reject(error);
+            }
+        });
+    });
+}
+function methodNotAllowed(res) {
+    res.writeHead(405, { allow: "GET, POST, DELETE", "content-type": "application/json" });
+    res.end(JSON.stringify({ error: "Method not allowed" }));
+}
+function jsonError(res, status, message) {
+    res.writeHead(status, { "content-type": "application/json" });
+    res.end(JSON.stringify({ error: message }));
+}
+export async function startHttpGateway(options) {
+    const host = options.host ?? process.env.LLM_GATEWAY_HTTP_HOST ?? "127.0.0.1";
+    const port = options.port ?? Number(process.env.LLM_GATEWAY_HTTP_PORT ?? 3333);
+    const path = options.path ?? process.env.LLM_GATEWAY_HTTP_PATH ?? "/mcp";
+    const logger = options.logger ?? noopLogger;
+    const sessions = new Map();
+    const token = getRequiredBearerToken();
+    async function closeSession(sessionId) {
+        const entry = sessions.get(sessionId);
+        if (!entry)
+            return;
+        sessions.delete(sessionId);
+        await entry.transport
+            .close()
+            .catch(error => logger.error("HTTP transport close failed", error));
+        await entry.server.close().catch(error => logger.error("HTTP MCP server close failed", error));
+    }
+    async function createSession() {
+        const gatewayServer = options.createGatewayServer(options.deps);
+        const transport = new StreamableHTTPServerTransport({
+            sessionIdGenerator: () => randomUUID(),
+            onsessioninitialized: sessionId => {
+                sessions.set(sessionId, { server: gatewayServer, transport });
+            },
+        });
+        transport.onclose = () => {
+            if (transport.sessionId) {
+                sessions.delete(transport.sessionId);
+            }
+        };
+        transport.onerror = error => logger.error("HTTP MCP transport error", error);
+        await gatewayServer.connect(transport);
+        return { server: gatewayServer, transport };
+    }
+    const httpServer = createServer(async (req, res) => {
+        try {
+            const url = new URL(req.url || "/", `http://${req.headers.host || `${host}:${port}`}`);
+            if (url.pathname === "/healthz") {
+                res.writeHead(200, { "content-type": "application/json" });
+                res.end(JSON.stringify({ ok: true, sessions: sessions.size }));
+                return;
+            }
+            if (url.pathname !== path) {
+                jsonError(res, 404, "Not found");
+                return;
+            }
+            const auth = authorizeBearerRequest(req, token);
+            if (!auth.ok) {
+                writeAuthFailure(res, auth);
+                return;
+            }
+            if (req.method !== "GET" && req.method !== "POST" && req.method !== "DELETE") {
+                methodNotAllowed(res);
+                return;
+            }
+            const sessionId = req.headers["mcp-session-id"];
+            const normalizedSessionId = Array.isArray(sessionId) ? sessionId[0] : sessionId;
+            if (req.method === "DELETE") {
+                if (!normalizedSessionId) {
+                    jsonError(res, 400, "Missing mcp-session-id");
+                    return;
+                }
+                await closeSession(normalizedSessionId);
+                res.writeHead(204);
+                res.end();
+                return;
+            }
+            if (normalizedSessionId) {
+                const entry = sessions.get(normalizedSessionId);
+                if (!entry) {
+                    jsonError(res, 404, "Unknown MCP session");
+                    return;
+                }
+                const body = req.method === "POST" ? await readBody(req) : undefined;
+                await entry.transport.handleRequest(req, res, body);
+                return;
+            }
+            if (req.method !== "POST") {
+                if (req.method === "GET") {
+                    methodNotAllowed(res);
+                    return;
+                }
+                jsonError(res, 400, "Missing mcp-session-id");
+                return;
+            }
+            const body = await readBody(req);
+            if (!isInitializeRequest(body)) {
+                jsonError(res, 400, "First request must be initialize");
+                return;
+            }
+            const entry = await createSession();
+            await entry.transport.handleRequest(req, res, body);
+        }
+        catch (error) {
+            logger.error("HTTP transport request failed", error);
+            if (!res.headersSent) {
+                jsonError(res, 500, "Internal server error");
+            }
+            else {
+                res.end();
+            }
+        }
+    });
+    await new Promise((resolve, reject) => {
+        httpServer.once("error", reject);
+        httpServer.listen(port, host, () => {
+            httpServer.off("error", reject);
+            resolve();
+        });
+    });
+    const address = httpServer.address();
+    const actualPort = typeof address === "object" && address ? address.port : port;
+    const url = `http://${host}:${actualPort}${path}`;
+    logger.info(`HTTP MCP transport listening at ${url}`);
+    return {
+        server: httpServer,
+        url,
+        close: async () => {
+            await Promise.all([...sessions.keys()].map(closeSession));
+            await new Promise((resolve, reject) => {
+                httpServer.close(error => (error ? reject(error) : resolve()));
+            });
+        },
+        sessionCount: () => sessions.size,
+    };
+}

package/dist/index.d.ts

@@ -1,9 +1,17 @@
 #!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { z } from "zod";
 import { ISessionManager } from "./session-manager.js";
+import { ResourceProvider } from "./resources.js";
+import { PerformanceMetrics } from "./metrics.js";
+import { type PersistenceConfig } from "./config.js";
+import { DatabaseConnection } from "./db.js";
 import { AsyncJobManager } from "./async-job-manager.js";
-import { ApprovalRecord } from "./approval-manager.js";
+import { ApprovalManager, ApprovalRecord } from "./approval-manager.js";
 import { ReviewIntegrityResult } from "./review-integrity.js";
-import { ClaudeMcpServerName } from "./claude-mcp-config.js";
+import { ClaudeMcpConfigResult, ClaudeMcpServerName } from "./claude-mcp-config.js";
+import { type MistralAgentMode, type ClaudePermissionMode, type CodexSandboxMode, type CodexAskForApproval, type ClaudeEffortLevel } from "./request-helpers.js";
+import { FlightRecorderLike } from "./flight-recorder.js";
 type ExtendedToolResponse = {
     content: {
         type: "text";
@@ -21,6 +29,137 @@ type ExtendedToolResponse = {
     };
     reviewIntegrity?: ReviewIntegrityResult;
 };
+declare const logger: {
+    info: (message: string, ...args: any[]) => void;
+    warn: (message: string, ...args: any[]) => void;
+    error: (message: string, ...args: any[]) => void;
+    debug: (message: string, ...args: any[]) => void;
+};
+type GatewayLogger = typeof logger;
+export declare const SESSION_PROVIDER_VALUES: readonly ["claude", "codex", "gemini", "grok", "mistral"];
+export declare const SESSION_PROVIDER_ENUM: z.ZodEnum<["claude", "codex", "gemini", "grok", "mistral"]>;
+export type SessionProvider = (typeof SESSION_PROVIDER_VALUES)[number];
+export interface GatewayServerDeps {
+    sessionManager?: ISessionManager;
+    resourceProvider?: ResourceProvider;
+    db?: DatabaseConnection | null;
+    performanceMetrics?: PerformanceMetrics;
+    asyncJobManager?: AsyncJobManager;
+    approvalManager?: ApprovalManager;
+    flightRecorder?: FlightRecorderLike;
+    logger?: GatewayLogger;
+    persistence?: PersistenceConfig;
+}
+interface GatewayServerRuntime {
+    sessionManager: ISessionManager;
+    resourceProvider: ResourceProvider;
+    db: DatabaseConnection | null;
+    performanceMetrics: PerformanceMetrics;
+    asyncJobManager: AsyncJobManager;
+    approvalManager: ApprovalManager;
+    flightRecorder: FlightRecorderLike;
+    logger: GatewayLogger;
+    persistence: PersistenceConfig;
+}
+interface CliRequestPrep {
+    corrId: string;
+    effectivePrompt: string;
+    resolvedModel: string | undefined;
+    requestedMcpServers: ClaudeMcpServerName[];
+    mcpConfig?: ClaudeMcpConfigResult;
+    approvalDecision: ApprovalRecord | null;
+    reviewIntegrity?: ReviewIntegrityResult;
+    args: string[];
+}
+export declare function prepareClaudeRequest(params: {
+    prompt: string;
+    model?: string;
+    outputFormat: "text" | "json" | "stream-json";
+    allowedTools?: string[];
+    disallowedTools?: string[];
+    dangerouslySkipPermissions: boolean;
+    permissionMode?: ClaudePermissionMode;
+    approvalStrategy: "legacy" | "mcp_managed";
+    approvalPolicy?: string;
+    mcpServers?: ClaudeMcpServerName[];
+    strictMcpConfig: boolean;
+    correlationId?: string;
+    optimizePrompt: boolean;
+    operation: string;
+    agent?: string;
+    agents?: Record<string, unknown>;
+    forkSession?: boolean;
+    systemPrompt?: string;
+    appendSystemPrompt?: string;
+    maxBudgetUsd?: number;
+    maxTurns?: number;
+    effort?: ClaudeEffortLevel;
+    excludeDynamicSystemPromptSections?: boolean;
+}, runtime?: GatewayServerRuntime): CliRequestPrep | ExtendedToolResponse;
+export interface CodexRequestPrep extends CliRequestPrep {
+    /**
+     * U26: Cleanup hook for any `outputSchema` temp file written during prep.
+     * Callers MUST invoke this in a `finally` block (regardless of whether the
+     * spawn succeeded, failed, or never ran) to avoid leaking the 0o600 temp
+     * file into `os.tmpdir()`.
+     */
+    cleanup?: () => void;
+}
+export declare function prepareCodexRequest(params: {
+    prompt: string;
+    model?: string;
+    fullAuto: boolean;
+    sandboxMode?: CodexSandboxMode;
+    askForApproval?: CodexAskForApproval;
+    useLegacyFullAutoFlag?: boolean;
+    dangerouslyBypassApprovalsAndSandbox: boolean;
+    approvalStrategy: "legacy" | "mcp_managed";
+    approvalPolicy?: string;
+    mcpServers?: ClaudeMcpServerName[];
+    sessionId?: string;
+    resumeLatest?: boolean;
+    createNewSession?: boolean;
+    correlationId?: string;
+    optimizePrompt: boolean;
+    operation: string;
+    /**
+     * U23: output format. When set to "json", emits `--json` so Codex streams
+     * the JSONL event format that `parseCodexJsonStream` (and downstream
+     * `extractUsageAndCost`) can consume. Defaults to "text".
+     */
+    outputFormat?: "text" | "json";
+    outputSchema?: string | Record<string, unknown>;
+    search?: boolean;
+    profile?: string;
+    configOverrides?: Record<string, string>;
+    ephemeral?: boolean;
+    images?: string[];
+    ignoreUserConfig?: boolean;
+    ignoreRules?: boolean;
+}, runtime?: GatewayServerRuntime): CodexRequestPrep | ExtendedToolResponse;
+export declare function prepareGeminiRequest(params: {
+    prompt: string;
+    model?: string;
+    approvalMode?: string;
+    approvalStrategy: "legacy" | "mcp_managed";
+    approvalPolicy?: string;
+    allowedTools?: string[];
+    includeDirs?: string[];
+    mcpServers?: ClaudeMcpServerName[];
+    correlationId?: string;
+    optimizePrompt: boolean;
+    operation: string;
+    /**
+     * U23: output format. When set to "json", emits `-o json` so Gemini emits
+     * the JSON object containing usageMetadata that `parseGeminiJson` (and
+     * downstream `extractUsageAndCost`) can consume. Defaults to "text".
+     */
+    outputFormat?: "text" | "json";
+    sandbox?: boolean;
+    policyFiles?: string[];
+    adminPolicyFiles?: string[];
+    attachments?: string[];
+}, runtime?: GatewayServerRuntime): CliRequestPrep | ExtendedToolResponse;
 export interface GeminiRequestParams {
     prompt: string;
     model?: string;
@@ -38,14 +177,22 @@ export interface GeminiRequestParams {
     optimizeResponse?: boolean;
     idleTimeoutMs?: number;
     forceRefresh?: boolean;
+    /** U23: "json" emits `-o json` so token usage is parsed and reported. */
+    outputFormat?: "text" | "json";
+    sandbox?: boolean;
+    policyFiles?: string[];
+    adminPolicyFiles?: string[];
+    attachments?: string[];
 }
 export interface HandlerDeps {
     sessionManager: ISessionManager;
     logger: {
         info: (...args: any[]) => void;
+        warn?: (...args: any[]) => void;
         error: (...args: any[]) => void;
         debug: (...args: any[]) => void;
     };
+    runtime?: GatewayServerRuntime;
 }
 export interface AsyncHandlerDeps extends HandlerDeps {
     asyncJobManager: AsyncJobManager;
@@ -76,10 +223,36 @@ export interface GrokRequestParams {
 }
 export declare function handleGrokRequest(deps: HandlerDeps, params: GrokRequestParams): Promise<ExtendedToolResponse>;
 export declare function handleGrokRequestAsync(deps: AsyncHandlerDeps, params: Omit<GrokRequestParams, "optimizeResponse">): Promise<ExtendedToolResponse>;
+export interface MistralRequestParams {
+    prompt: string;
+    model?: string;
+    outputFormat?: string;
+    sessionId?: string;
+    resumeLatest: boolean;
+    createNewSession: boolean;
+    permissionMode?: MistralAgentMode;
+    effort?: string;
+    reasoningEffort?: string;
+    approvalStrategy: "legacy" | "mcp_managed";
+    approvalPolicy?: string;
+    mcpServers?: ClaudeMcpServerName[];
+    allowedTools?: string[];
+    disallowedTools?: string[];
+    correlationId?: string;
+    optimizePrompt: boolean;
+    optimizeResponse?: boolean;
+    idleTimeoutMs?: number;
+    forceRefresh?: boolean;
+}
+export declare function handleMistralRequest(deps: HandlerDeps, params: MistralRequestParams): Promise<ExtendedToolResponse>;
+export declare function handleMistralRequestAsync(deps: AsyncHandlerDeps, params: Omit<MistralRequestParams, "optimizeResponse">): Promise<ExtendedToolResponse>;
 export declare function handleCodexRequestAsync(deps: AsyncHandlerDeps, params: {
     prompt: string;
     model?: string;
     fullAuto: boolean;
+    sandboxMode?: CodexSandboxMode;
+    askForApproval?: CodexAskForApproval;
+    useLegacyFullAutoFlag?: boolean;
     dangerouslyBypassApprovalsAndSandbox: boolean;
     approvalStrategy: "legacy" | "mcp_managed";
     approvalPolicy?: string;
@@ -91,5 +264,16 @@ export declare function handleCodexRequestAsync(deps: AsyncHandlerDeps, params:
     optimizePrompt: boolean;
     idleTimeoutMs?: number;
     forceRefresh?: boolean;
+    /** U23: when "json", emits Codex `--json` so the parser is reachable. */
+    outputFormat?: "text" | "json";
+    outputSchema?: string | Record<string, unknown>;
+    search?: boolean;
+    profile?: string;
+    configOverrides?: Record<string, string>;
+    ephemeral?: boolean;
+    images?: string[];
+    ignoreUserConfig?: boolean;
+    ignoreRules?: boolean;
 }): Promise<ExtendedToolResponse>;
+export declare function createGatewayServer(deps?: GatewayServerDeps): McpServer;
 export {};