llm-cli-gateway 1.7.0 → 1.8.0

package/CHANGELOG.md

@@ -2,6 +2,78 @@
 
 All notable changes to the llm-cli-gateway project.
 
+## [1.8.0] - 2026-05-27 — Phase 4 openers (codex resume fix, mistral telemetry, headless trust flags)
+
+Ships the first three slices of the Phase 4 provider-modernisation
+backlog, one bug fix and two small features. Multi-LLM review surfaced
+five additional bug classes during the cycle (path traversal, UUID→dir
+resolution gap, sync usage ctx drop, retry-path flag drop, symlink
+boundary bypass); all are addressed in the two follow-up fix commits.
+
+### Fixed — Codex `--output-schema` + `-c/--config` on `exec resume`
+
+- `prepareCodexRequest` previously dropped `outputSchema` and
+  `configOverrides` on the resume branch because the U26 audit assumed
+  `codex exec resume` rejected both flags. Live re-verification against
+  `codex exec resume --help` (codex-cli 0.133.0) confirms both ARE
+  accepted on resume; only `--search` remains resume-incompatible. The
+  resume branch now threads both fields through, reusing the existing
+  outputSchema temp-file materialisation + cleanup contract.
+  `CODEX_RESUME_FILTERED_FLAGS` no longer strips `--output-schema`.
+
+### Added — Mistral Vibe `meta.json` usage / cost telemetry
+
+- New `src/mistral-meta-json-parser.ts` reads
+  `~/.vibe/logs/session/session_<YYYYMMDD>_<HHMMSS>_<first8hex>/meta.json`
+  (the actual filename — an earlier TODO at `src/index.ts:750` said
+  `metadata.json`, which was incorrect). Maps `stats.session_prompt_tokens`,
+  `stats.session_completion_tokens`, and `stats.session_cost` onto the
+  gateway's `inputTokens`/`outputTokens`/`costUsd` flight-recorder
+  columns. Cache-token surfaces stay undefined — Vibe doesn't expose
+  them today.
+- The gateway's mistral sessionId surface accepts the full UUID (to match
+  `vibe --resume <uuid>`), but Vibe persists telemetry under
+  `session_<ts>_<first8>` directories. The new resolver globs by the
+  leading 8-hex prefix and verifies each candidate's `session_id` field
+  before returning — required for every UUID input including
+  single-match cases, so two UUIDs sharing the leading 8 hex chars never
+  cross-attribute usage.
+- `extractUsageAndCost` and `buildAsyncFlightRecorderHandoff` thread a
+  primitives-only `{ sessionId, home }` context so the AsyncJobRecord
+  retention stays O(constant). `buildCliResponse` passes the same ctx so
+  sync `mistral_request` resume calls populate structured usage in their
+  response (not just the flight-recorder row).
+
+### Added — Headless trust-prompt bypass for Gemini + Mistral
+
+- New optional `skipTrust?: boolean` field on `gemini_request` and
+  `gemini_request_async`, defaulting `false`. When set, emits
+  `--skip-trust` so fresh workspaces don't block headless invocations on
+  Gemini's interactive trust prompt.
+- New optional `trust?: boolean` field on `mistral_request` and
+  `mistral_request_async`, defaulting `false`. When set, emits `--trust`
+  (per-invocation only, not persisted to `trusted_folders.toml`) so
+  fresh workspaces don't block headless Vibe runs. Preserved on the
+  stale-model recovery retry path so a fresh untrusted workspace can't
+  deadlock on the second attempt.
+- Default `false` preserves existing prompt behaviour for legacy
+  callers.
+
+### Security
+
+- `parseVibeMetaJson` enforces a strict input charset (UUID-shape OR
+  `^session_\d{8}_\d{6}_[0-9a-f]{8}$` Vibe dir basename) before any
+  filesystem access.
+- New `readInBase(realBase, candidate)` helper realpath-resolves both
+  ends and rejects targets whose final inode lives outside the session
+  log root. Both the resolver's disambiguation reads and the final
+  parser read route through it, so an in-tree symlink to an
+  out-of-tree directory (or symlinked meta.json) cannot leak file
+  contents outside `~/.vibe/logs/session/`.
+- Test coverage: traversal inputs (`../`, absolute, control-char,
+  embedded `../`), single-candidate prefix-collision rejection,
+  symlink-to-outside-baseDir rejection.
+
 ## [1.7.0] - 2026-05-26 — cache-awareness slice 1.5 (async-path flight recorder + codex parser fix)
 
 Closes the two telemetry gaps that v1.6.0 explicitly deferred: async-path

package/dist/index.d.ts

@@ -81,6 +81,23 @@ interface GatewayServerRuntime {
     persistence: PersistenceConfig;
     cacheAwareness: CacheAwarenessConfig;
 }
+export declare function extractUsageAndCost(cli: "claude" | "codex" | "gemini" | "grok" | "mistral", output: string, outputFormat?: string, 
+/**
+ * Optional context for off-stdout telemetry sources. Today only Mistral
+ * uses this — its meta.json lives on disk keyed by sessionId. Threading
+ * this in keeps the closure built by `buildAsyncFlightRecorderHandoff`
+ * primitives-only (no `params`/`prep` retention on AsyncJobRecord).
+ */
+ctx?: {
+    sessionId?: string;
+    home?: string;
+}): {
+    inputTokens?: number;
+    outputTokens?: number;
+    cacheReadTokens?: number;
+    cacheCreationTokens?: number;
+    costUsd?: number;
+};
 interface CliRequestPrep {
     corrId: string;
     effectivePrompt: string;
@@ -191,6 +208,12 @@ export declare function prepareGeminiRequest(params: {
     policyFiles?: string[];
     adminPolicyFiles?: string[];
     attachments?: string[];
+    /**
+     * Phase 4 slice γ: emit `--skip-trust` so first-run workspaces don't
+     * block headless invocations on the interactive trust prompt. Default
+     * is undefined (preserves current prompt behaviour for legacy callers).
+     */
+    skipTrust?: boolean;
 }, runtime?: GatewayServerRuntime): CliRequestPrep | ExtendedToolResponse;
 export declare function prepareMistralRequest(params: {
     prompt?: string;
@@ -208,6 +231,11 @@ export declare function prepareMistralRequest(params: {
     correlationId?: string;
     optimizePrompt: boolean;
     operation: string;
+    /**
+     * Phase 4 slice γ: emit `--trust` to bypass Vibe's interactive trust
+     * prompt for this invocation only (not persisted). Default undefined.
+     */
+    trust?: boolean;
 }, runtime?: GatewayServerRuntime): (CliRequestPrep & {
     mistralEnv: Record<string, string>;
 }) | ExtendedToolResponse;
@@ -235,6 +263,8 @@ export interface GeminiRequestParams {
     policyFiles?: string[];
     adminPolicyFiles?: string[];
     attachments?: string[];
+    /** Phase 4 slice γ: emit `--skip-trust` for fresh-workspace headless runs. */
+    skipTrust?: boolean;
 }
 export interface HandlerDeps {
     sessionManager: ISessionManager;
@@ -297,6 +327,8 @@ export interface MistralRequestParams {
     optimizeResponse?: boolean;
     idleTimeoutMs?: number;
     forceRefresh?: boolean;
+    /** Phase 4 slice γ: emit `--trust` for fresh-workspace headless runs. */
+    trust?: boolean;
 }
 export declare function handleMistralRequest(deps: HandlerDeps, params: MistralRequestParams): Promise<ExtendedToolResponse>;
 export declare function handleMistralRequestAsync(deps: AsyncHandlerDeps, params: Omit<MistralRequestParams, "optimizeResponse">): Promise<ExtendedToolResponse>;

package/dist/index.js

@@ -10,6 +10,8 @@ import { executeCli, killAllProcessGroups } from "./executor.js";
 import { parseStreamJson } from "./stream-json-parser.js";
 import { parseCodexJsonStream } from "./codex-json-parser.js";
 import { parseGeminiJson } from "./gemini-json-parser.js";
+import { parseVibeMetaJson } from "./mistral-meta-json-parser.js";
+import { homedir } from "os";
 import { createSessionManager } from "./session-manager.js";
 import { ResourceProvider } from "./resources.js";
 import { PerformanceMetrics } from "./metrics.js";
@@ -477,7 +479,14 @@ function createErrorResponse(cli, code, stderr, correlationId, error) {
         },
     };
 }
-function extractUsageAndCost(cli, output, outputFormat) {
+export function extractUsageAndCost(cli, output, outputFormat, 
+/**
+ * Optional context for off-stdout telemetry sources. Today only Mistral
+ * uses this — its meta.json lives on disk keyed by sessionId. Threading
+ * this in keeps the closure built by `buildAsyncFlightRecorderHandoff`
+ * primitives-only (no `params`/`prep` retention on AsyncJobRecord).
+ */
+ctx) {
     if (cli === "claude" && outputFormat === "stream-json") {
         const parsed = parseStreamJson(output);
         if (!parsed.usage) {
@@ -515,9 +524,14 @@ function extractUsageAndCost(cli, output, outputFormat) {
             cacheReadTokens: parsed.usage.cache_read_tokens,
         };
     }
-    // Mistral/Vibe: does not surface usage in its stdout/stream-json output. A
-    // future unit can read it from `~/.vibe/logs/session/<id>/metadata.json`
-    // once we resolve the session id post-run.
+    // Mistral/Vibe: usage/cost live on disk in `~/.vibe/logs/session/<id>/meta.json`
+    // (Phase 4 slice β). Best-effort: if we don't know the sessionId (fresh
+    // session whose Vibe-assigned UUID we never observed) or the file is
+    // missing/malformed, the parser returns `{}` and the FR row simply lacks
+    // usage data — matching pre-slice behaviour. No stdout fallback exists.
+    if (cli === "mistral") {
+        return parseVibeMetaJson(ctx?.home ?? homedir(), ctx?.sessionId);
+    }
     return {};
 }
 /**
@@ -530,9 +544,13 @@ function extractUsageAndCost(cli, output, outputFormat) {
 function buildAsyncFlightRecorderHandoff(cliName, prep, sessionId, outputFormat) {
     // Extract primitives BEFORE building the closure — capturing `prep` or
     // `params` directly would pin large attachments / promptParts on the
-    // AsyncJobRecord for JOB_TTL_MS.
+    // AsyncJobRecord for JOB_TTL_MS. Phase 4 slice β: `sid` and `home` are
+    // primitives too, threaded through so the Mistral branch of
+    // extractUsageAndCost can read `~/.vibe/logs/session/<id>/meta.json`.
     const cli = cliName;
     const fmt = outputFormat;
+    const sid = sessionId;
+    const home = homedir();
     return {
         flightRecorderEntry: {
             model: prep.resolvedModel || "default",
@@ -541,7 +559,7 @@ function buildAsyncFlightRecorderHandoff(cliName, prep, sessionId, outputFormat)
             stablePrefixHash: prep.stablePrefixHash ?? undefined,
             stablePrefixTokens: prep.stablePrefixTokens ?? undefined,
         },
-        extractUsage: (stdout) => extractUsageAndCost(cli, stdout, fmt),
+        extractUsage: (stdout) => extractUsageAndCost(cli, stdout, fmt, { sessionId: sid, home }),
     };
 }
 function safeFlightStart(entry, runtime = resolveGatewayServerRuntime()) {
@@ -1081,11 +1099,12 @@ export function prepareCodexRequest(params, runtime = resolveGatewayServerRuntim
         args.push("--json");
     }
     args.push("--skip-git-repo-check");
-    // U26: High-impact feature flags. Some of these (`--output-schema`,
-    // `--search`, `-C`, `--add-dir`) are rejected by `codex exec resume`, so we
-    // only emit them on a NEW session. Images / ephemeral / profile /
-    // ignore-rules / ignore-user-config are allowed on resume per the audited
-    // CLI help; we emit them in both branches.
+    // U26: High-impact feature flags. `--search` is rejected by
+    // `codex exec resume` (resume inherits the original session's web-search
+    // state), so we only emit it on a NEW session. `--output-schema`,
+    // `-c key=value`, profile, ephemeral, images, and the ignore-* flags are
+    // all accepted on resume per `codex exec resume --help` (codex-cli 0.133.0)
+    // and are emitted in both branches.
     let highImpactCleanup;
     if (sessionPlan.mode === "new") {
         const high = prepareCodexHighImpactFlags({
@@ -1105,12 +1124,10 @@ export function prepareCodexRequest(params, runtime = resolveGatewayServerRuntim
         highImpactCleanup = high.cleanup;
     }
     else {
-        // On resume, emit only the resume-safe subset (profile, ephemeral,
-        // images, ignoreUserConfig, ignoreRules). outputSchema, search, and
-        // configOverrides are dropped silently to mirror existing behavior for
-        // sandbox/ask-for-approval on resume.
         const high = prepareCodexHighImpactFlags({
+            outputSchema: params.outputSchema,
             profile: params.profile,
+            configOverrides: params.configOverrides,
             ephemeral: params.ephemeral,
             images: params.images,
             ignoreUserConfig: params.ignoreUserConfig,
@@ -1240,6 +1257,10 @@ export function prepareGeminiRequest(params, runtime = resolveGatewayServerRunti
     if (params.outputFormat === "json") {
         args.push("-o", "json");
     }
+    // Phase 4 slice γ: opt-in trust-prompt bypass for fresh workspaces.
+    if (params.skipTrust) {
+        args.push("--skip-trust");
+    }
     return {
         corrId,
         effectivePrompt,
@@ -1411,6 +1432,7 @@ export function prepareMistralRequest(params, runtime = resolveGatewayServerRunt
         reasoningEffort: params.reasoningEffort,
         allowedTools: params.allowedTools,
         disallowedTools: params.disallowedTools,
+        trust: params.trust,
     });
     if (prep.ignoredDisallowedTools) {
         runtime.logger.info(`[${corrId}] Mistral does not support disallowedTools; ignoring (caller passed ${params.disallowedTools?.length ?? 0} entries)`);
@@ -1466,7 +1488,10 @@ function buildCliResponse(cli, stdout, optimizeResponse, corrId, sessionId, prep
             correlationId: corrId,
             sessionId: sessionId || null,
             durationMs,
-            ...extractUsageAndCost(cli, stdout, outputFormat),
+            // Phase 4 slice β: thread sessionId + home so the Mistral branch of
+            // extractUsageAndCost can read `~/.vibe/logs/session/<dir>/meta.json`.
+            // Other CLIs ignore the ctx (their usage source is stdout).
+            ...extractUsageAndCost(cli, stdout, outputFormat, { sessionId, home: homedir() }),
             exitCode: 0,
             retryCount: 0,
         },
@@ -1564,6 +1589,7 @@ export async function handleGeminiRequest(deps, params) {
         policyFiles: params.policyFiles,
         adminPolicyFiles: params.adminPolicyFiles,
         attachments: params.attachments,
+        skipTrust: params.skipTrust,
     }, runtime);
     if (!("args" in prep))
         return prep;
@@ -1692,6 +1718,7 @@ export async function handleGeminiRequestAsync(deps, params) {
         policyFiles: params.policyFiles,
         adminPolicyFiles: params.adminPolicyFiles,
         attachments: params.attachments,
+        skipTrust: params.skipTrust,
     }, runtime);
     if (!("args" in prep))
         return prep;
@@ -1975,6 +2002,7 @@ export async function handleMistralRequest(deps, params) {
         correlationId: params.correlationId,
         optimizePrompt: params.optimizePrompt,
         operation: "mistral_request",
+        trust: params.trust,
     }, runtime);
     if (!("args" in prep))
         return prep;
@@ -2018,6 +2046,10 @@ export async function handleMistralRequest(deps, params) {
                     reasoningEffort: params.reasoningEffort,
                     allowedTools: params.allowedTools,
                     disallowedTools: params.disallowedTools,
+                    // Phase 4 slice γ: preserve --trust on the model-selection retry
+                    // so a fresh untrusted workspace doesn't block headlessly on the
+                    // second attempt after surviving the first.
+                    trust: params.trust,
                 });
                 const retryArgs = [...retryPrep.args, ...sessionResult.resumeArgs];
                 // Reuse the FR handoff built above — the retry preserves corrId,
@@ -2118,6 +2150,7 @@ export async function handleMistralRequestAsync(deps, params) {
         correlationId: params.correlationId,
         optimizePrompt: params.optimizePrompt,
         operation: "mistral_request_async",
+        trust: params.trust,
     }, runtime);
     if (!("args" in prep))
         return prep;
@@ -3006,7 +3039,11 @@ export function createGatewayServer(deps = {}) {
         policyFiles: GEMINI_HIGH_IMPACT_PARAMS_SCHEMA.shape.policyFiles.describe("Policy file paths (--policy <path>, one per file). Paths must exist."),
         adminPolicyFiles: GEMINI_HIGH_IMPACT_PARAMS_SCHEMA.shape.adminPolicyFiles.describe("Admin policy file paths (--admin-policy <path>, one per file). Paths must exist."),
         attachments: GEMINI_HIGH_IMPACT_PARAMS_SCHEMA.shape.attachments.describe("Absolute file paths prepended as @<path> tokens to the prompt"),
-    }, async ({ prompt, promptParts, model, sessionId, resumeLatest, createNewSession, approvalMode, approvalStrategy, approvalPolicy, mcpServers, allowedTools, includeDirs, correlationId, optimizePrompt, optimizeResponse, idleTimeoutMs, forceRefresh, outputFormat, sandbox, policyFiles, adminPolicyFiles, attachments, }) => {
+        skipTrust: z
+            .boolean()
+            .default(false)
+            .describe("Emit `--skip-trust` so Gemini trusts the workspace for this session and skips the interactive trust prompt (Phase 4 slice γ). Required for headless runs in fresh workspaces."),
+    }, async ({ prompt, promptParts, model, sessionId, resumeLatest, createNewSession, approvalMode, approvalStrategy, approvalPolicy, mcpServers, allowedTools, includeDirs, correlationId, optimizePrompt, optimizeResponse, idleTimeoutMs, forceRefresh, outputFormat, sandbox, policyFiles, adminPolicyFiles, attachments, skipTrust, }) => {
         return handleGeminiRequest({ sessionManager, logger, runtime }, {
             prompt,
             promptParts,
@@ -3030,6 +3067,7 @@ export function createGatewayServer(deps = {}) {
             policyFiles,
             adminPolicyFiles,
             attachments,
+            skipTrust,
         });
     });
     //──────────────────────────────────────────────────────────────────────────────
@@ -3200,7 +3238,11 @@ export function createGatewayServer(deps = {}) {
             .boolean()
             .default(false)
             .describe("Bypass dedup and force a fresh CLI run even if a recent identical request exists"),
-    }, async ({ prompt, promptParts, model, outputFormat, sessionId, resumeLatest, createNewSession, permissionMode, effort, reasoningEffort, approvalStrategy, approvalPolicy, mcpServers, allowedTools, disallowedTools, correlationId, optimizePrompt, optimizeResponse, idleTimeoutMs, forceRefresh, }) => {
+        trust: z
+            .boolean()
+            .default(false)
+            .describe("Emit `--trust` so Vibe trusts the cwd for this invocation only (not persisted to trusted_folders.toml) and skips the interactive trust prompt (Phase 4 slice γ)."),
+    }, async ({ prompt, promptParts, model, outputFormat, sessionId, resumeLatest, createNewSession, permissionMode, effort, reasoningEffort, approvalStrategy, approvalPolicy, mcpServers, allowedTools, disallowedTools, correlationId, optimizePrompt, optimizeResponse, idleTimeoutMs, forceRefresh, trust, }) => {
         return handleMistralRequest({ sessionManager, logger, runtime }, {
             prompt,
             promptParts,
@@ -3222,6 +3264,7 @@ export function createGatewayServer(deps = {}) {
             optimizeResponse,
             idleTimeoutMs,
             forceRefresh,
+            trust,
         });
     });
     //──────────────────────────────────────────────────────────────────────────────
@@ -3612,7 +3655,11 @@ export function createGatewayServer(deps = {}) {
             policyFiles: GEMINI_HIGH_IMPACT_PARAMS_SCHEMA.shape.policyFiles.describe("Policy file paths (--policy <path>, one per file). Paths must exist."),
             adminPolicyFiles: GEMINI_HIGH_IMPACT_PARAMS_SCHEMA.shape.adminPolicyFiles.describe("Admin policy file paths (--admin-policy <path>, one per file). Paths must exist."),
             attachments: GEMINI_HIGH_IMPACT_PARAMS_SCHEMA.shape.attachments.describe("Absolute file paths prepended as @<path> tokens to the prompt"),
-        }, async ({ prompt, promptParts, model, sessionId, resumeLatest, createNewSession, approvalMode, approvalStrategy, approvalPolicy, mcpServers, allowedTools, includeDirs, correlationId, optimizePrompt, idleTimeoutMs, forceRefresh, outputFormat, sandbox, policyFiles, adminPolicyFiles, attachments, }) => {
+            skipTrust: z
+                .boolean()
+                .default(false)
+                .describe("Emit `--skip-trust` so Gemini trusts the workspace for this session and skips the interactive trust prompt (Phase 4 slice γ). Required for headless runs in fresh workspaces."),
+        }, async ({ prompt, promptParts, model, sessionId, resumeLatest, createNewSession, approvalMode, approvalStrategy, approvalPolicy, mcpServers, allowedTools, includeDirs, correlationId, optimizePrompt, idleTimeoutMs, forceRefresh, outputFormat, sandbox, policyFiles, adminPolicyFiles, attachments, skipTrust, }) => {
             return handleGeminiRequestAsync({ sessionManager, asyncJobManager, logger, runtime }, {
                 prompt,
                 promptParts,
@@ -3635,6 +3682,7 @@ export function createGatewayServer(deps = {}) {
                 policyFiles,
                 adminPolicyFiles,
                 attachments,
+                skipTrust,
             });
         });
         server.tool("grok_request_async", {
@@ -3796,7 +3844,11 @@ export function createGatewayServer(deps = {}) {
                 .boolean()
                 .default(false)
                 .describe("Bypass dedup and force a fresh CLI run even if a recent identical request exists"),
-        }, async ({ prompt, promptParts, model, outputFormat, sessionId, resumeLatest, createNewSession, permissionMode, effort, reasoningEffort, approvalStrategy, approvalPolicy, mcpServers, allowedTools, disallowedTools, correlationId, optimizePrompt, idleTimeoutMs, forceRefresh, }) => {
+            trust: z
+                .boolean()
+                .default(false)
+                .describe("Emit `--trust` so Vibe trusts the cwd for this invocation only (not persisted to trusted_folders.toml) and skips the interactive trust prompt (Phase 4 slice γ)."),
+        }, async ({ prompt, promptParts, model, outputFormat, sessionId, resumeLatest, createNewSession, permissionMode, effort, reasoningEffort, approvalStrategy, approvalPolicy, mcpServers, allowedTools, disallowedTools, correlationId, optimizePrompt, idleTimeoutMs, forceRefresh, trust, }) => {
             return handleMistralRequestAsync({ sessionManager, asyncJobManager, logger, runtime }, {
                 prompt,
                 promptParts,
@@ -3817,6 +3869,7 @@ export function createGatewayServer(deps = {}) {
                 optimizePrompt,
                 idleTimeoutMs,
                 forceRefresh,
+                trust,
             });
         });
         server.tool("llm_job_status", {

package/dist/mistral-meta-json-parser.d.ts

@@ -0,0 +1,6 @@
+export interface VibeMetaJsonUsage {
+    inputTokens?: number;
+    outputTokens?: number;
+    costUsd?: number;
+}
+export declare function parseVibeMetaJson(home: string, sessionId: string | undefined): VibeMetaJsonUsage;

package/dist/mistral-meta-json-parser.js

@@ -0,0 +1,175 @@
+/**
+ * Phase 4 slice β — Mistral Vibe `meta.json` parser.
+ *
+ * Vibe writes per-session telemetry to
+ *
+ *   ~/.vibe/logs/session/session_<YYYYMMDD>_<HHMMSS>_<first8hex>/meta.json
+ *
+ * where `<first8hex>` is the first 8 lowercase hex characters of the full
+ * session UUID. Inside the file:
+ *
+ *   {
+ *     "session_id": "<full-uuid>",
+ *     "stats": {
+ *       "session_prompt_tokens":      <number>  → inputTokens
+ *       "session_completion_tokens":  <number>  → outputTokens
+ *       "session_cost":               <number>  → costUsd
+ *     }
+ *   }
+ *
+ * The gateway's mistral session-id surface accepts the full UUID (so does
+ * `vibe --resume <uuid>`). To find the right directory we glob for
+ * `session_*_<first8>` and disambiguate by reading each candidate's
+ * `session_id` field. If callers happen to pass the directory basename
+ * itself we still honour that — useful for tests and for forward-compat if
+ * Vibe ever changes its dir naming scheme.
+ *
+ * Cache-token surfaces are not exposed by Vibe today, so `cacheReadTokens`
+ * and `cacheCreationTokens` are intentionally absent.
+ *
+ * Best-effort by design: any failure (missing file, bad JSON, missing
+ * fields, gateway-generated `gw-*` sessionId, unresolvable UUID, path
+ * outside the session log root) returns `{}` so the flight-recorder row
+ * simply lacks usage data.
+ */
+import { existsSync, readdirSync, readFileSync, realpathSync, statSync } from "fs";
+import { join, resolve, sep } from "path";
+import { GATEWAY_SESSION_PREFIX } from "./request-helpers.js";
+function asPositiveNumber(value) {
+    if (typeof value !== "number" || !Number.isFinite(value) || value < 0) {
+        return undefined;
+    }
+    return value;
+}
+/**
+ * Read a file only if its realpath lives under `realBase`. Returns undefined
+ * on any error, missing file, or out-of-tree symlink target. This is the one
+ * place that calls `readFileSync` for meta.json content — the rest of the
+ * module routes through it so the security boundary is uniform.
+ */
+function readInBase(realBase, candidate) {
+    if (!existsSync(candidate))
+        return undefined;
+    let realCandidate;
+    try {
+        realCandidate = realpathSync(candidate);
+    }
+    catch {
+        return undefined;
+    }
+    const realBaseWithSep = realBase.endsWith(sep) ? realBase : realBase + sep;
+    if (!realCandidate.startsWith(realBaseWithSep))
+        return undefined;
+    try {
+        return readFileSync(realCandidate, "utf-8");
+    }
+    catch {
+        return undefined;
+    }
+}
+// UUID v4-ish (Vibe's own session UUIDs are not strictly v4, so we
+// validate against the broader 8-4-4-4-12 lowercase-hex shape) OR
+// Vibe's session_<digits>_<digits>_<first8> directory basename.
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const DIRNAME_RE = /^session_\d{8}_\d{6}_[0-9a-f]{8}$/;
+/**
+ * Resolve the session-log directory basename for a given gateway sessionId.
+ * Returns undefined when no candidate can be found or the input is
+ * unsuitable. Pure with respect to side-effects on the caller — only reads
+ * the filesystem.
+ *
+ * Security invariants enforced here:
+ *   - Inputs are charset-gated (UUID or DIRNAME) before any filesystem read.
+ *   - For UUID input, the chosen candidate's meta.json MUST advertise the
+ *     same `session_id` — single-candidate is NOT trusted, because two
+ *     UUIDs sharing the first 8 hex chars would otherwise cross-attribute
+ *     usage (and leak telemetry to the caller of the other session).
+ */
+function resolveVibeSessionDirname(baseDir, realBase, sessionId) {
+    // 1. Caller already supplied the directory name verbatim.
+    if (DIRNAME_RE.test(sessionId) && existsSync(join(baseDir, sessionId, "meta.json"))) {
+        return sessionId;
+    }
+    // 2. Treat the input as a full session UUID.
+    if (!UUID_RE.test(sessionId))
+        return undefined;
+    const short = sessionId.slice(0, 8).toLowerCase();
+    let entries;
+    try {
+        entries = readdirSync(baseDir);
+    }
+    catch {
+        return undefined;
+    }
+    // Filter to candidates matching `session_*_<short>`. Sort newest-first
+    // by mtime; we still require an exact session_id match below.
+    const candidates = entries
+        .filter(name => DIRNAME_RE.test(name) && name.endsWith(`_${short}`))
+        .map(name => {
+        let mtimeMs = 0;
+        try {
+            mtimeMs = statSync(join(baseDir, name)).mtimeMs;
+        }
+        catch {
+            /* ignore */
+        }
+        return { name, mtimeMs };
+    })
+        .sort((a, b) => b.mtimeMs - a.mtimeMs);
+    for (const { name } of candidates) {
+        const text = readInBase(realBase, join(baseDir, name, "meta.json"));
+        if (text === undefined)
+            continue;
+        try {
+            const parsed = JSON.parse(text);
+            if (typeof parsed.session_id === "string" && parsed.session_id === sessionId) {
+                return name;
+            }
+        }
+        catch {
+            /* ignore and continue */
+        }
+    }
+    return undefined;
+}
+export function parseVibeMetaJson(home, sessionId) {
+    if (!sessionId)
+        return {};
+    if (sessionId.startsWith(GATEWAY_SESSION_PREFIX)) {
+        // gw-* IDs are gateway internal — Vibe never wrote a meta.json under that name.
+        return {};
+    }
+    const baseDir = resolve(join(home, ".vibe", "logs", "session"));
+    let realBase;
+    try {
+        realBase = realpathSync(baseDir);
+    }
+    catch {
+        return {};
+    }
+    const dirname = resolveVibeSessionDirname(baseDir, realBase, sessionId);
+    if (!dirname)
+        return {};
+    // `readInBase` is the security boundary: it realpath-resolves the file
+    // and rejects anything whose target lives outside `realBase`. Re-routing
+    // the final read through it (instead of a bespoke readFileSync) keeps
+    // the in-tree-only invariant in one place.
+    const text = readInBase(realBase, join(baseDir, dirname, "meta.json"));
+    if (text === undefined)
+        return {};
+    let raw;
+    try {
+        raw = JSON.parse(text);
+    }
+    catch {
+        return {};
+    }
+    const stats = raw?.stats;
+    if (!stats || typeof stats !== "object")
+        return {};
+    return {
+        inputTokens: asPositiveNumber(stats.session_prompt_tokens),
+        outputTokens: asPositiveNumber(stats.session_completion_tokens),
+        costUsd: asPositiveNumber(stats.session_cost),
+    };
+}

package/dist/request-helpers.d.ts

@@ -107,6 +107,13 @@ export interface PrepareMistralRequestInput {
      * emit a `logger.warn` when this is non-empty.
      */
     disallowedTools?: string[];
+    /**
+     * Phase 4 slice γ: emit `--trust` so non-interactive runs in fresh
+     * workspaces skip Vibe's interactive trust prompt for this invocation
+     * only (not persisted to `trusted_folders.toml`). Default undefined →
+     * Vibe's prompt behaviour is preserved for existing callers.
+     */
+    trust?: boolean;
 }
 export interface PrepareMistralRequestResult {
     args: string[];
@@ -204,9 +211,11 @@ export declare function resolveCodexSandboxFlags(input: CodexSandboxFlagsInput):
  * Flags that `codex exec resume` rejects (the original session's policy is
  * inherited). Callers must drop these when building resume argv.
  *
- * U26 expands this list with `--add-dir`, `-C`, `--output-schema`, and
- * `--search`, all of which `codex exec resume --help` rejects at the audit
- * date.
+ * Verified against `codex exec resume --help` (codex-cli 0.133.0):
+ * `--full-auto`, `--sandbox`, `--ask-for-approval`, `--add-dir`, `-C`, and
+ * `--search` are rejected. `--output-schema` and `-c key=value` ARE accepted
+ * on resume and therefore are NOT in this filter (Phase 4 slice α restored
+ * the previously-silent drop of those two).
  */
 export declare const CODEX_RESUME_FILTERED_FLAGS: ReadonlySet<string>;
 /**
@@ -398,8 +407,8 @@ export declare const CODEX_HIGH_IMPACT_PARAMS_SCHEMA: z.ZodObject<{
     ignoreRules: z.ZodOptional<z.ZodBoolean>;
 }, "strip", z.ZodTypeAny, {
     search?: boolean | undefined;
-    profile?: string | undefined;
     outputSchema?: string | Record<string, unknown> | undefined;
+    profile?: string | undefined;
     configOverrides?: Record<string, string> | undefined;
     ephemeral?: boolean | undefined;
     images?: string[] | undefined;
@@ -407,8 +416,8 @@ export declare const CODEX_HIGH_IMPACT_PARAMS_SCHEMA: z.ZodObject<{
     ignoreRules?: boolean | undefined;
 }, {
     search?: boolean | undefined;
-    profile?: string | undefined;
     outputSchema?: string | Record<string, unknown> | undefined;
+    profile?: string | undefined;
     configOverrides?: Record<string, string> | undefined;
     ephemeral?: boolean | undefined;
     images?: string[] | undefined;

package/dist/request-helpers.js

@@ -176,6 +176,9 @@ export function prepareMistralRequest(input) {
             args.push("--enabled-tools", tool);
         }
     }
+    if (input.trust) {
+        args.push("--trust");
+    }
     const ignoredDisallowedTools = Boolean(input.disallowedTools && input.disallowedTools.length > 0);
     return { args, env, ignoredDisallowedTools };
 }
@@ -279,9 +282,11 @@ export function resolveCodexSandboxFlags(input) {
  * Flags that `codex exec resume` rejects (the original session's policy is
  * inherited). Callers must drop these when building resume argv.
  *
- * U26 expands this list with `--add-dir`, `-C`, `--output-schema`, and
- * `--search`, all of which `codex exec resume --help` rejects at the audit
- * date.
+ * Verified against `codex exec resume --help` (codex-cli 0.133.0):
+ * `--full-auto`, `--sandbox`, `--ask-for-approval`, `--add-dir`, `-C`, and
+ * `--search` are rejected. `--output-schema` and `-c key=value` ARE accepted
+ * on resume and therefore are NOT in this filter (Phase 4 slice α restored
+ * the previously-silent drop of those two).
  */
 export const CODEX_RESUME_FILTERED_FLAGS = new Set([
     "--full-auto",
@@ -289,7 +294,6 @@ export const CODEX_RESUME_FILTERED_FLAGS = new Set([
     "--ask-for-approval",
     "--add-dir",
     "-C",
-    "--output-schema",
     "--search",
 ]);
 /**
@@ -301,7 +305,6 @@ const CODEX_RESUME_FILTERED_FLAGS_WITH_VALUE = new Set([
     "--ask-for-approval",
     "--add-dir",
     "-C",
-    "--output-schema",
 ]);
 /**
  * Strip resume-incompatible flag/value pairs from a Codex argv segment.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "llm-cli-gateway",
-  "version": "1.7.0",
+  "version": "1.8.0",
   "mcpName": "io.github.verivus-oss/llm-cli-gateway",
   "description": "MCP server providing unified access to Claude Code, Codex, Gemini, Grok, and Mistral Vibe CLIs with session management, retry logic, async job orchestration, durable job results, and cross-LLM validation.",
   "license": "MIT",