llm-cli-gateway 1.4.0 → 1.5.4

package/dist/logger.d.ts

@@ -2,5 +2,14 @@ export interface Logger {
     info(message: string, meta?: unknown): void;
     error(message: string, meta?: unknown): void;
     debug(message: string, meta?: unknown): void;
+    /** Optional: callers that want explicit WARN routing can implement this. */
+    warn?(message: string, meta?: unknown): void;
 }
 export declare const noopLogger: Logger;
+/**
+ * Emit a warning through whichever logger surface is available. Some Logger
+ * implementations (legacy) only provide `info`/`error`/`debug`; in that case
+ * the message is prefixed with `[WARN]` and routed through `info` so it still
+ * reaches stderr.
+ */
+export declare function logWarn(logger: Logger, message: string, meta?: unknown): void;

package/dist/logger.js

@@ -2,4 +2,18 @@ export const noopLogger = {
     info: () => { },
     error: () => { },
     debug: () => { },
+    warn: () => { },
 };
+/**
+ * Emit a warning through whichever logger surface is available. Some Logger
+ * implementations (legacy) only provide `info`/`error`/`debug`; in that case
+ * the message is prefixed with `[WARN]` and routed through `info` so it still
+ * reaches stderr.
+ */
+export function logWarn(logger, message, meta) {
+    if (typeof logger.warn === "function") {
+        logger.warn(message, meta);
+        return;
+    }
+    logger.info(`[WARN] ${message}`, meta);
+}

package/dist/model-registry.js

@@ -14,17 +14,19 @@ const FALLBACK_INFO = {
         modelOrder: ["opus", "sonnet", "haiku"],
     },
     codex: {
-        // Note: no hardcoded `defaultModel`. Let Codex CLI pick its own built-in default
-        // unless an explicit value is found via config.toml / env vars in applyCodexOverrides.
-        // This prevents the gateway from pinning a model that may become deprecated upstream.
+        // U26: gpt-5.5 is the bundled fallback default. Config/env overrides still
+        // win (applyCodexOverrides runs after). Older aliases are retained in the
+        // models map so callers that still pass `gpt-5.3-codex` resolve cleanly.
         description: "OpenAI's Codex CLI - best for code execution in sandboxed environments",
         models: {
-            "gpt-5.4": "Frontier coding and professional-work model. Best for: most Codex tasks, long-running agentic work",
-            "gpt-5.3-codex": "Specialized Codex model. Best for: agentic coding workflows with Codex-tuned behavior",
+            "gpt-5.5": "Latest Codex frontier model. Best for: most Codex tasks (default since U26)",
+            "gpt-5.4": "Frontier coding and professional-work model. Best for: long-running agentic work",
+            "gpt-5.3-codex": "Legacy specialized Codex model (kept for backwards-compat). Best for: agentic coding workflows with Codex-tuned behavior",
             "gpt-5.2": "Strong general-purpose GPT-5 model. Best for: broad coding and reasoning tasks",
             "gpt-5-pro": "Highest-capability GPT-5 model. Best for: deep reasoning and difficult professional workflows",
         },
-        modelOrder: ["gpt-5.3-codex", "gpt-5.4", "gpt-5.2", "gpt-5-pro"],
+        defaultModel: "gpt-5.5",
+        modelOrder: ["gpt-5.5", "gpt-5.4", "gpt-5.3-codex", "gpt-5.2", "gpt-5-pro"],
     },
     gemini: {
         description: "Google's Gemini CLI - best for multimodal tasks and Google ecosystem integration",
@@ -42,6 +44,20 @@ const FALLBACK_INFO = {
         },
         modelOrder: ["grok-build"],
     },
+    mistral: {
+        // Mistral Vibe selects the active model via the VIBE_ACTIVE_MODEL environment
+        // variable; there is NO `--model` flag. Aliases here are still resolvable so
+        // callers can pass e.g. `latest` → `devstral-medium`; the resolved value is
+        // injected via env in prepareMistralRequest.
+        description: "Mistral AI's Vibe CLI - agentic coding via Mistral models (model selection via VIBE_ACTIVE_MODEL env var)",
+        models: {
+            "devstral-medium": "Default Vibe coding model. Best for: most Vibe sessions (default when VIBE_ACTIVE_MODEL is unset)",
+            "devstral-large": "Higher-capability Devstral model. Best for: harder reasoning/coding tasks",
+            "mistral-large-latest": "General-purpose flagship Mistral model. Best for: non-Devstral reasoning workloads",
+        },
+        defaultModel: "devstral-medium",
+        modelOrder: ["devstral-medium", "devstral-large", "mistral-large-latest"],
+    },
 };
 const MODEL_CACHE_TTL_MS = 2 * 60 * 1000;
 const MAX_GEMINI_HISTORY_FILES = 200;
@@ -98,11 +114,13 @@ function buildCliInfo() {
         codex: cloneInfo(FALLBACK_INFO.codex),
         gemini: cloneInfo(FALLBACK_INFO.gemini),
         grok: cloneInfo(FALLBACK_INFO.grok),
+        mistral: cloneInfo(FALLBACK_INFO.mistral),
     };
     applyClaudeOverrides(info.claude);
     applyCodexOverrides(info.codex);
     applyGeminiOverrides(info.gemini);
     applyGrokOverrides(info.grok);
+    applyMistralOverrides(info.mistral);
     return info;
 }
 function cloneInfo(source) {
@@ -322,6 +340,22 @@ function applyGrokOverrides(info) {
     }
     info.modelOrder = buildOrder(info, info.defaultModel);
 }
+function applyMistralOverrides(info) {
+    // Vibe selects its active model via VIBE_ACTIVE_MODEL (no --model flag). When
+    // present, treat it as the configured default so resolveModelAlias("latest")
+    // returns the user-selected value.
+    const envDefault = process.env.MISTRAL_DEFAULT_MODEL || process.env.VIBE_ACTIVE_MODEL;
+    addEnvModels(info, "MISTRAL_MODELS");
+    addEnvAliases(info, "mistral", "MISTRAL_MODEL_ALIASES");
+    addGlobalEnvAliases(info, "mistral");
+    if (envDefault) {
+        const source = process.env.MISTRAL_DEFAULT_MODEL
+            ? "MISTRAL_DEFAULT_MODEL"
+            : "VIBE_ACTIVE_MODEL";
+        setDefaultModel(info, envDefault, source, "env");
+    }
+    info.modelOrder = buildOrder(info, info.defaultModel);
+}
 function readJsonStringValue(filePath, paths, info) {
     if (!existsSync(filePath)) {
         return undefined;

package/dist/provider-login-guidance.d.ts

@@ -0,0 +1,21 @@
+import type { CliType } from "./session-manager.js";
+export interface ProviderLoginGuidance {
+    provider: CliType;
+    displayName: string;
+    install: {
+        summary: string;
+        commands: string[];
+        documentationUrl?: string;
+    };
+    login: {
+        summary: string;
+        commands: string[];
+        credentialHandling: string;
+    };
+    verification: {
+        command: string;
+        expected: string;
+    };
+}
+export declare function getProviderLoginGuidance(provider: CliType): ProviderLoginGuidance;
+export declare function getAllProviderLoginGuidance(): Record<CliType, ProviderLoginGuidance>;

package/dist/provider-login-guidance.js

@@ -0,0 +1,98 @@
+const GUIDANCE = {
+    claude: {
+        provider: "claude",
+        displayName: "Claude Code",
+        install: {
+            summary: "Install Claude Code using Anthropic's current official installer.",
+            commands: ["npm install -g @anthropic-ai/claude-code"],
+            documentationUrl: "https://docs.anthropic.com/claude-code",
+        },
+        login: {
+            summary: "Sign in through Claude Code's official browser/device flow.",
+            commands: ["claude auth login"],
+            credentialHandling: "Do not paste Claude passwords, OAuth tokens, or credential files into the gateway or a remote chat.",
+        },
+        verification: {
+            command: "claude auth status --json",
+            expected: "loggedIn is true",
+        },
+    },
+    codex: {
+        provider: "codex",
+        displayName: "Codex CLI",
+        install: {
+            summary: "Install Codex CLI using OpenAI's npm package or the current official installer.",
+            commands: ["npm install -g @openai/codex"],
+            documentationUrl: "https://developers.openai.com/codex",
+        },
+        login: {
+            summary: "Sign in through Codex's official login flow.",
+            commands: ["codex login", "codex login --device-auth"],
+            credentialHandling: "Prefer browser or device-code login. Do not paste API keys or access tokens into assistant prompts.",
+        },
+        verification: {
+            command: "codex login status",
+            expected: "command reports that Codex is logged in",
+        },
+    },
+    gemini: {
+        provider: "gemini",
+        displayName: "Gemini CLI",
+        install: {
+            summary: "Install Gemini CLI using Google's npm package or current official installer.",
+            commands: ["npm install -g @google/gemini-cli"],
+            documentationUrl: "https://github.com/google-gemini/gemini-cli",
+        },
+        login: {
+            summary: "Run Gemini CLI and complete Google's official sign-in flow when prompted.",
+            commands: ["gemini"],
+            credentialHandling: "Let Gemini CLI store credentials in its own local store. Do not paste OAuth files or API keys into chat.",
+        },
+        verification: {
+            command: "gemini --version",
+            expected: "CLI is installed; doctor checks the local Gemini credential store for login evidence",
+        },
+    },
+    grok: {
+        provider: "grok",
+        displayName: "Grok CLI",
+        install: {
+            summary: "Install Grok CLI using xAI's current official installer or managed update flow.",
+            commands: ["npm install -g grok-build"],
+            documentationUrl: "https://docs.x.ai/build/cli",
+        },
+        login: {
+            summary: "Sign in through Grok's official OAuth or device-code flow.",
+            commands: ["grok login --oauth", "grok login --device-auth"],
+            credentialHandling: "Do not paste xAI API keys, OAuth tokens, or Grok auth files into the gateway or a remote chat.",
+        },
+        verification: {
+            command: "grok inspect --json",
+            expected: "CLI can inspect local configuration and a local auth store is present",
+        },
+    },
+    mistral: {
+        provider: "mistral",
+        displayName: "Mistral Vibe CLI",
+        install: {
+            summary: "Install Mistral Vibe CLI via pip, uv, or Homebrew (Vibe does not self-update; cli_upgrade dispatches to the installer it detects).",
+            commands: ["pip install vibe-cli", "uv tool install vibe-cli", "brew install mistral-vibe"],
+            documentationUrl: "https://docs.mistral.ai/agents/vibe-cli",
+        },
+        login: {
+            summary: "Sign in through Mistral's official auth flow and enable session_logging in ~/.vibe/config.toml.",
+            commands: ["vibe auth login", "vibe config set session_logging.enabled true"],
+            credentialHandling: "Do not paste Mistral API keys, OAuth tokens, or ~/.vibe/credentials into the gateway or a remote chat.",
+        },
+        verification: {
+            command: "vibe --version",
+            expected: "Vibe CLI is installed; doctor additionally checks ~/.vibe/config.toml for session_logging.enabled=true",
+        },
+    },
+};
+export function getProviderLoginGuidance(provider) {
+    return GUIDANCE[provider];
+}
+export function getAllProviderLoginGuidance() {
+    return { ...GUIDANCE };
+}

package/dist/provider-status.d.ts

@@ -0,0 +1,41 @@
+import type { CliType } from "./session-manager.js";
+import { type ProviderLoginGuidance } from "./provider-login-guidance.js";
+export type ProviderLoginStatus = "authenticated" | "not_authenticated" | "unknown" | "not_checked";
+export interface ProviderRuntimeStatus {
+    provider: CliType;
+    displayName: string;
+    command: string;
+    installed: boolean;
+    version: string | null;
+    versionCommand: string[];
+    loginStatus: ProviderLoginStatus;
+    loginCheck: {
+        method: "cli" | "credential_store" | "not_checked";
+        command: string[] | null;
+        credentialStore: "present" | "not_found" | "not_checked";
+        detail: string;
+    };
+    guidance: ProviderLoginGuidance;
+}
+export declare const PROVIDER_COMMANDS: Record<CliType, string>;
+export declare function listProviderRuntimeStatuses(): Record<CliType, ProviderRuntimeStatus>;
+export declare function getProviderRuntimeStatus(provider: CliType): ProviderRuntimeStatus;
+export interface GeminiAuthMethods {
+    oauth: boolean;
+    geminiApiKey: boolean;
+    googleApiKey: boolean;
+    vertexAi: boolean;
+}
+export interface GeminiAuthStatus {
+    status: "present" | "not_found";
+    methods: GeminiAuthMethods;
+}
+/**
+ * U27: Detect Gemini auth across all supported methods.
+ * Returns "present" if ANY of:
+ *   - OAuth credential file present (~/.gemini/oauth_creds.json, etc.)
+ *   - GEMINI_API_KEY env var set and non-empty
+ *   - GOOGLE_API_KEY env var set and non-empty
+ *   - GOOGLE_CLOUD_PROJECT set AND GOOGLE_GENAI_USE_VERTEXAI=true
+ */
+export declare function geminiAuthStatus(env?: NodeJS.ProcessEnv, home?: string): GeminiAuthStatus;

package/dist/provider-status.js

@@ -0,0 +1,203 @@
+import { existsSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { spawnSync } from "node:child_process";
+import { getProviderLoginGuidance } from "./provider-login-guidance.js";
+const PROVIDERS = ["claude", "codex", "gemini", "grok", "mistral"];
+const VERSION_ARGS = {
+    claude: ["--version"],
+    codex: ["--version"],
+    gemini: ["--version"],
+    grok: ["--version"],
+    mistral: ["--version"],
+};
+// Mistral Vibe ships as the `vibe` binary (PyPI package vibe-cli); the gateway
+// uses `mistral` as the provider key but invokes `vibe` on the shell.
+export const PROVIDER_COMMANDS = {
+    claude: "claude",
+    codex: "codex",
+    gemini: "gemini",
+    grok: "grok",
+    mistral: "vibe",
+};
+const LOGIN_CHECKS = {
+    claude: ["auth", "status", "--json"],
+    codex: ["login", "status"],
+    grok: ["inspect", "--json"],
+    mistral: ["auth", "status"],
+};
+export function listProviderRuntimeStatuses() {
+    return Object.fromEntries(PROVIDERS.map(provider => [provider, getProviderRuntimeStatus(provider)]));
+}
+export function getProviderRuntimeStatus(provider) {
+    const guidance = getProviderLoginGuidance(provider);
+    const command = PROVIDER_COMMANDS[provider];
+    const version = runCommand(command, VERSION_ARGS[provider], 5_000);
+    const installed = version.exitCode === 0 || Boolean(version.output);
+    const versionText = installed ? firstLine(version.output) : null;
+    const base = {
+        provider,
+        displayName: guidance.displayName,
+        command,
+        installed,
+        version: versionText,
+        versionCommand: [command, ...VERSION_ARGS[provider]],
+        loginStatus: installed ? "unknown" : "not_checked",
+        loginCheck: {
+            method: installed ? "not_checked" : "not_checked",
+            command: null,
+            credentialStore: "not_checked",
+            detail: installed
+                ? "No safe non-interactive login check is available."
+                : "Runtime is not installed.",
+        },
+        guidance,
+    };
+    if (!installed)
+        return base;
+    if (provider === "gemini") {
+        const auth = geminiAuthStatus();
+        const store = auth.status;
+        const matchedMethods = Object.entries(auth.methods)
+            .filter(([, v]) => v)
+            .map(([k]) => k);
+        return {
+            ...base,
+            loginStatus: store === "present" ? "authenticated" : "unknown",
+            loginCheck: {
+                method: "credential_store",
+                command: null,
+                credentialStore: store,
+                detail: store === "present"
+                    ? `Gemini auth detected via: ${matchedMethods.join(", ")}; contents were not inspected.`
+                    : "Gemini CLI is installed, but no credential store or auth env vars were found (oauth_creds.json, GEMINI_API_KEY, GOOGLE_API_KEY, or GOOGLE_CLOUD_PROJECT+GOOGLE_GENAI_USE_VERTEXAI).",
+            },
+        };
+    }
+    const args = LOGIN_CHECKS[provider];
+    if (!args)
+        return base;
+    const login = runCommand(command, args, 5_000);
+    const status = inferLoginStatus(provider, login.exitCode, login.output);
+    const credentialStore = provider === "grok"
+        ? grokCredentialStoreStatus()
+        : provider === "mistral"
+            ? mistralCredentialStoreStatus()
+            : "not_checked";
+    return {
+        ...base,
+        loginStatus: status,
+        loginCheck: {
+            method: "cli",
+            command: [command, ...args],
+            credentialStore,
+            detail: loginCheckDetail(provider, status, login.exitCode),
+        },
+    };
+}
+function runCommand(command, args, timeoutMs) {
+    const result = spawnSync(command, args, {
+        encoding: "utf8",
+        input: "",
+        timeout: timeoutMs,
+        windowsHide: true,
+    });
+    const output = sanitizeOutput(`${result.stdout || ""}\n${result.stderr || ""}`);
+    return {
+        exitCode: typeof result.status === "number" ? result.status : null,
+        output,
+    };
+}
+function firstLine(text) {
+    return (text
+        .split(/\r?\n/)
+        .map(line => line.trim())
+        .find(Boolean) || null);
+}
+function inferLoginStatus(provider, exitCode, output) {
+    if (provider === "claude") {
+        try {
+            const parsed = JSON.parse(output);
+            if (parsed.loggedIn === true)
+                return "authenticated";
+            if (parsed.loggedIn === false)
+                return "not_authenticated";
+        }
+        catch {
+            // Fall through to text heuristics.
+        }
+    }
+    if (/not\s+(logged|signed|authenticated)\s*in|unauthenticated|login required|not authorized/i.test(output)) {
+        return "not_authenticated";
+    }
+    if (/logged\s*in|signed\s*in|authenticated|authorized|using chatgpt|auth store/i.test(output)) {
+        return "authenticated";
+    }
+    if (provider === "grok" && grokCredentialStoreStatus() === "present") {
+        return "authenticated";
+    }
+    if (provider === "mistral" && mistralCredentialStoreStatus() === "present") {
+        return "authenticated";
+    }
+    if (exitCode && exitCode !== 0)
+        return "unknown";
+    return "unknown";
+}
+function loginCheckDetail(provider, status, exitCode) {
+    if (status === "authenticated")
+        return `${provider} login check indicates an authenticated local runtime.`;
+    if (status === "not_authenticated")
+        return `${provider} login check indicates the provider is not authenticated.`;
+    if (exitCode && exitCode !== 0)
+        return `${provider} login check exited non-zero without exposing credential material.`;
+    return `${provider} login check completed, but the output did not clearly indicate login state.`;
+}
+/**
+ * U27: Detect Gemini auth across all supported methods.
+ * Returns "present" if ANY of:
+ *   - OAuth credential file present (~/.gemini/oauth_creds.json, etc.)
+ *   - GEMINI_API_KEY env var set and non-empty
+ *   - GOOGLE_API_KEY env var set and non-empty
+ *   - GOOGLE_CLOUD_PROJECT set AND GOOGLE_GENAI_USE_VERTEXAI=true
+ */
+export function geminiAuthStatus(env = process.env, home = homedir()) {
+    const candidates = [
+        join(home, ".gemini", "oauth_creds.json"),
+        join(home, ".gemini", "google_accounts.json"),
+        join(home, ".config", "gemini", "oauth_creds.json"),
+    ];
+    const oauth = candidates.some(p => existsSync(p));
+    const geminiApiKey = Boolean(env.GEMINI_API_KEY && env.GEMINI_API_KEY.length > 0);
+    const googleApiKey = Boolean(env.GOOGLE_API_KEY && env.GOOGLE_API_KEY.length > 0);
+    const vertexAi = Boolean(env.GOOGLE_CLOUD_PROJECT &&
+        env.GOOGLE_CLOUD_PROJECT.length > 0 &&
+        env.GOOGLE_GENAI_USE_VERTEXAI === "true");
+    const methods = { oauth, geminiApiKey, googleApiKey, vertexAi };
+    const status = oauth || geminiApiKey || googleApiKey || vertexAi ? "present" : "not_found";
+    return { status, methods };
+}
+/** Back-compat shim retained for callers that only need the binary store status. */
+function geminiCredentialStoreStatus() {
+    return geminiAuthStatus().status;
+}
+function grokCredentialStoreStatus() {
+    const home = homedir();
+    const candidates = [join(home, ".grok", "auth.json"), join(home, ".config", "grok", "auth.json")];
+    return candidates.some(path => existsSync(path)) ? "present" : "not_found";
+}
+function mistralCredentialStoreStatus() {
+    const home = homedir();
+    const candidates = [
+        join(home, ".vibe", "credentials.json"),
+        join(home, ".vibe", "auth.json"),
+        join(home, ".config", "vibe", "credentials.json"),
+    ];
+    return candidates.some(path => existsSync(path)) ? "present" : "not_found";
+}
+function sanitizeOutput(output) {
+    return output
+        .replace(/([A-Z0-9._%+-]+)@([A-Z0-9.-]+\.[A-Z]{2,})/gi, "<redacted-email>")
+        .replace(/\b[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\b/gi, "<redacted-id>")
+        .replace(/((?:token|secret|credential|password|authorization|api[_-]?key|access[_-]?key)[=:]\s*)\S+/gi, "$1<redacted>")
+        .trim();
+}