llm-cli-gateway 1.6.1 → 1.8.0

package/dist/mistral-meta-json-parser.js

@@ -0,0 +1,175 @@
+/**
+ * Phase 4 slice β — Mistral Vibe `meta.json` parser.
+ *
+ * Vibe writes per-session telemetry to
+ *
+ *   ~/.vibe/logs/session/session_<YYYYMMDD>_<HHMMSS>_<first8hex>/meta.json
+ *
+ * where `<first8hex>` is the first 8 lowercase hex characters of the full
+ * session UUID. Inside the file:
+ *
+ *   {
+ *     "session_id": "<full-uuid>",
+ *     "stats": {
+ *       "session_prompt_tokens":      <number>  → inputTokens
+ *       "session_completion_tokens":  <number>  → outputTokens
+ *       "session_cost":               <number>  → costUsd
+ *     }
+ *   }
+ *
+ * The gateway's mistral session-id surface accepts the full UUID (so does
+ * `vibe --resume <uuid>`). To find the right directory we glob for
+ * `session_*_<first8>` and disambiguate by reading each candidate's
+ * `session_id` field. If callers happen to pass the directory basename
+ * itself we still honour that — useful for tests and for forward-compat if
+ * Vibe ever changes its dir naming scheme.
+ *
+ * Cache-token surfaces are not exposed by Vibe today, so `cacheReadTokens`
+ * and `cacheCreationTokens` are intentionally absent.
+ *
+ * Best-effort by design: any failure (missing file, bad JSON, missing
+ * fields, gateway-generated `gw-*` sessionId, unresolvable UUID, path
+ * outside the session log root) returns `{}` so the flight-recorder row
+ * simply lacks usage data.
+ */
+import { existsSync, readdirSync, readFileSync, realpathSync, statSync } from "fs";
+import { join, resolve, sep } from "path";
+import { GATEWAY_SESSION_PREFIX } from "./request-helpers.js";
+function asPositiveNumber(value) {
+    if (typeof value !== "number" || !Number.isFinite(value) || value < 0) {
+        return undefined;
+    }
+    return value;
+}
+/**
+ * Read a file only if its realpath lives under `realBase`. Returns undefined
+ * on any error, missing file, or out-of-tree symlink target. This is the one
+ * place that calls `readFileSync` for meta.json content — the rest of the
+ * module routes through it so the security boundary is uniform.
+ */
+function readInBase(realBase, candidate) {
+    if (!existsSync(candidate))
+        return undefined;
+    let realCandidate;
+    try {
+        realCandidate = realpathSync(candidate);
+    }
+    catch {
+        return undefined;
+    }
+    const realBaseWithSep = realBase.endsWith(sep) ? realBase : realBase + sep;
+    if (!realCandidate.startsWith(realBaseWithSep))
+        return undefined;
+    try {
+        return readFileSync(realCandidate, "utf-8");
+    }
+    catch {
+        return undefined;
+    }
+}
+// UUID v4-ish (Vibe's own session UUIDs are not strictly v4, so we
+// validate against the broader 8-4-4-4-12 lowercase-hex shape) OR
+// Vibe's session_<digits>_<digits>_<first8> directory basename.
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const DIRNAME_RE = /^session_\d{8}_\d{6}_[0-9a-f]{8}$/;
+/**
+ * Resolve the session-log directory basename for a given gateway sessionId.
+ * Returns undefined when no candidate can be found or the input is
+ * unsuitable. Pure with respect to side-effects on the caller — only reads
+ * the filesystem.
+ *
+ * Security invariants enforced here:
+ *   - Inputs are charset-gated (UUID or DIRNAME) before any filesystem read.
+ *   - For UUID input, the chosen candidate's meta.json MUST advertise the
+ *     same `session_id` — single-candidate is NOT trusted, because two
+ *     UUIDs sharing the first 8 hex chars would otherwise cross-attribute
+ *     usage (and leak telemetry to the caller of the other session).
+ */
+function resolveVibeSessionDirname(baseDir, realBase, sessionId) {
+    // 1. Caller already supplied the directory name verbatim.
+    if (DIRNAME_RE.test(sessionId) && existsSync(join(baseDir, sessionId, "meta.json"))) {
+        return sessionId;
+    }
+    // 2. Treat the input as a full session UUID.
+    if (!UUID_RE.test(sessionId))
+        return undefined;
+    const short = sessionId.slice(0, 8).toLowerCase();
+    let entries;
+    try {
+        entries = readdirSync(baseDir);
+    }
+    catch {
+        return undefined;
+    }
+    // Filter to candidates matching `session_*_<short>`. Sort newest-first
+    // by mtime; we still require an exact session_id match below.
+    const candidates = entries
+        .filter(name => DIRNAME_RE.test(name) && name.endsWith(`_${short}`))
+        .map(name => {
+        let mtimeMs = 0;
+        try {
+            mtimeMs = statSync(join(baseDir, name)).mtimeMs;
+        }
+        catch {
+            /* ignore */
+        }
+        return { name, mtimeMs };
+    })
+        .sort((a, b) => b.mtimeMs - a.mtimeMs);
+    for (const { name } of candidates) {
+        const text = readInBase(realBase, join(baseDir, name, "meta.json"));
+        if (text === undefined)
+            continue;
+        try {
+            const parsed = JSON.parse(text);
+            if (typeof parsed.session_id === "string" && parsed.session_id === sessionId) {
+                return name;
+            }
+        }
+        catch {
+            /* ignore and continue */
+        }
+    }
+    return undefined;
+}
+export function parseVibeMetaJson(home, sessionId) {
+    if (!sessionId)
+        return {};
+    if (sessionId.startsWith(GATEWAY_SESSION_PREFIX)) {
+        // gw-* IDs are gateway internal — Vibe never wrote a meta.json under that name.
+        return {};
+    }
+    const baseDir = resolve(join(home, ".vibe", "logs", "session"));
+    let realBase;
+    try {
+        realBase = realpathSync(baseDir);
+    }
+    catch {
+        return {};
+    }
+    const dirname = resolveVibeSessionDirname(baseDir, realBase, sessionId);
+    if (!dirname)
+        return {};
+    // `readInBase` is the security boundary: it realpath-resolves the file
+    // and rejects anything whose target lives outside `realBase`. Re-routing
+    // the final read through it (instead of a bespoke readFileSync) keeps
+    // the in-tree-only invariant in one place.
+    const text = readInBase(realBase, join(baseDir, dirname, "meta.json"));
+    if (text === undefined)
+        return {};
+    let raw;
+    try {
+        raw = JSON.parse(text);
+    }
+    catch {
+        return {};
+    }
+    const stats = raw?.stats;
+    if (!stats || typeof stats !== "object")
+        return {};
+    return {
+        inputTokens: asPositiveNumber(stats.session_prompt_tokens),
+        outputTokens: asPositiveNumber(stats.session_completion_tokens),
+        costUsd: asPositiveNumber(stats.session_cost),
+    };
+}

package/dist/request-helpers.d.ts

@@ -107,6 +107,13 @@ export interface PrepareMistralRequestInput {
      * emit a `logger.warn` when this is non-empty.
      */
     disallowedTools?: string[];
+    /**
+     * Phase 4 slice γ: emit `--trust` so non-interactive runs in fresh
+     * workspaces skip Vibe's interactive trust prompt for this invocation
+     * only (not persisted to `trusted_folders.toml`). Default undefined →
+     * Vibe's prompt behaviour is preserved for existing callers.
+     */
+    trust?: boolean;
 }
 export interface PrepareMistralRequestResult {
     args: string[];
@@ -204,9 +211,11 @@ export declare function resolveCodexSandboxFlags(input: CodexSandboxFlagsInput):
  * Flags that `codex exec resume` rejects (the original session's policy is
  * inherited). Callers must drop these when building resume argv.
  *
- * U26 expands this list with `--add-dir`, `-C`, `--output-schema`, and
- * `--search`, all of which `codex exec resume --help` rejects at the audit
- * date.
+ * Verified against `codex exec resume --help` (codex-cli 0.133.0):
+ * `--full-auto`, `--sandbox`, `--ask-for-approval`, `--add-dir`, `-C`, and
+ * `--search` are rejected. `--output-schema` and `-c key=value` ARE accepted
+ * on resume and therefore are NOT in this filter (Phase 4 slice α restored
+ * the previously-silent drop of those two).
  */
 export declare const CODEX_RESUME_FILTERED_FLAGS: ReadonlySet<string>;
 /**
@@ -398,8 +407,8 @@ export declare const CODEX_HIGH_IMPACT_PARAMS_SCHEMA: z.ZodObject<{
     ignoreRules: z.ZodOptional<z.ZodBoolean>;
 }, "strip", z.ZodTypeAny, {
     search?: boolean | undefined;
-    profile?: string | undefined;
     outputSchema?: string | Record<string, unknown> | undefined;
+    profile?: string | undefined;
     configOverrides?: Record<string, string> | undefined;
     ephemeral?: boolean | undefined;
     images?: string[] | undefined;
@@ -407,8 +416,8 @@ export declare const CODEX_HIGH_IMPACT_PARAMS_SCHEMA: z.ZodObject<{
     ignoreRules?: boolean | undefined;
 }, {
     search?: boolean | undefined;
-    profile?: string | undefined;
     outputSchema?: string | Record<string, unknown> | undefined;
+    profile?: string | undefined;
     configOverrides?: Record<string, string> | undefined;
     ephemeral?: boolean | undefined;
     images?: string[] | undefined;

package/dist/request-helpers.js

@@ -176,6 +176,9 @@ export function prepareMistralRequest(input) {
             args.push("--enabled-tools", tool);
         }
     }
+    if (input.trust) {
+        args.push("--trust");
+    }
     const ignoredDisallowedTools = Boolean(input.disallowedTools && input.disallowedTools.length > 0);
     return { args, env, ignoredDisallowedTools };
 }
@@ -279,9 +282,11 @@ export function resolveCodexSandboxFlags(input) {
  * Flags that `codex exec resume` rejects (the original session's policy is
  * inherited). Callers must drop these when building resume argv.
  *
- * U26 expands this list with `--add-dir`, `-C`, `--output-schema`, and
- * `--search`, all of which `codex exec resume --help` rejects at the audit
- * date.
+ * Verified against `codex exec resume --help` (codex-cli 0.133.0):
+ * `--full-auto`, `--sandbox`, `--ask-for-approval`, `--add-dir`, `-C`, and
+ * `--search` are rejected. `--output-schema` and `-c key=value` ARE accepted
+ * on resume and therefore are NOT in this filter (Phase 4 slice α restored
+ * the previously-silent drop of those two).
  */
 export const CODEX_RESUME_FILTERED_FLAGS = new Set([
     "--full-auto",
@@ -289,7 +294,6 @@ export const CODEX_RESUME_FILTERED_FLAGS = new Set([
     "--ask-for-approval",
     "--add-dir",
     "-C",
-    "--output-schema",
     "--search",
 ]);
 /**
@@ -301,7 +305,6 @@ const CODEX_RESUME_FILTERED_FLAGS_WITH_VALUE = new Set([
     "--ask-for-approval",
     "--add-dir",
     "-C",
-    "--output-schema",
 ]);
 /**
  * Strip resume-incompatible flag/value pairs from a Codex argv segment.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "llm-cli-gateway",
-  "version": "1.6.1",
+  "version": "1.8.0",
   "mcpName": "io.github.verivus-oss/llm-cli-gateway",
   "description": "MCP server providing unified access to Claude Code, Codex, Gemini, Grok, and Mistral Vibe CLIs with session management, retry logic, async job orchestration, durable job results, and cross-LLM validation.",
   "license": "MIT",