llm-cli-gateway 2.10.0 → 2.11.1

package/CHANGELOG.md

@@ -2,7 +2,81 @@
 
 All notable changes to the llm-cli-gateway project.
 
-## Unreleased
+## [2.11.1] - 2026-06-22: Provider contract refresh and stable upstream scans
+
+### Changed
+
+- **Upstream contracts refreshed for all providers.** Live `--probe-installed` probes were run across the installed provider CLIs. Synced contract surfaces and bumped ACP `targetVersion` pins:
+  - claude → 2.1.185 (added `--ax-screen-reader`, `--safe-mode` to acknowledged flags; `agents --all` to subcommand contract)
+  - codex → 0.141.0 (aligned `exec resume` / `exec review` / top-level `review` flag lists with current advertised surfaces)
+  - gemini (agy) → 1.0.10
+  - grok → 0.2.60 (474c2bbfc)
+  - mistral (vibe) → 2.17.1
+  - devin → 2026.7.23 (3bd47f77) (added new flags to `acknowledgedUpstreamFlags`)
+- **Mistral upstream scan source stabilized.** The scanner now tracks GitHub's latest-release API for Mistral Vibe instead of the volatile HTML releases page, so `--live --fail-on-critical` no longer trips on release-page chrome/hash churn.
+- **Provider skill docs updated.** All five `.agents/skills/provider-*` files bumped to metadata version 1.2. Descriptions now call out `/subcommand` behaviour changes; added current-version "Tested against" notes and usage examples for the cache levers (Grok compaction, Claude `cacheControl`).
+- **Cache usage documentation expanded with concrete examples.** Added exact parameters, emitted CLI flags, and stream-json payload shapes for Grok `compactionMode`/`compactionDetail` and Claude `promptParts.cacheControl` (including the `assembleClaudeCacheBlocks` NDJSON structure with `cache_control: {type:"ephemeral", ttl:"1h"}`) to:
+  - `docs/personal-mcp/PROVIDER_CACHE_SURFACES.md`
+  - `README.md` (updated Cache-aware operation section and matrix)
+  - `.agents/skills/session-workflow/SKILL.md`
+- Cross-LLM reviews (Claude, Codex, Mistral) on the implementation plan were incorporated: kept provider-specific levers (no new unifying `CacheDirective` abstraction); focused on documentation and discoverability.
+- **Internal caching hygiene.** Promoted the ad-hoc capability cache in `provider-tool-capabilities.ts` to a documented reusable TTL structure (`CAPABILITY_CACHE`, helpers, test accessors) for easier future reuse.
+
+### Tests / CI
+
+- `npm run upstream:contracts`, relevant cache/session/provider-tool tests, and build all green.
+
+## [2.11.0] - 2026-06-18: API providers, Devin, ACP runtime, and a strip-at-publish internal-MCP boundary
+
+The accumulated work since 2.10.0: a generic HTTP API-provider surface, a sixth
+CLI provider (Devin), the Phase B ACP runtime (gated, dormant by default), and a
+release-time strip that keeps gateway-internal MCP server names out of the
+published npm artifact. Default local-stdio behaviour is unchanged; the new
+API/ACP surfaces are opt-in. Every change in this release was landed via PR with
+green CI and an adversarial multi-LLM review.
+
+### Added
+
+- **API providers (Slices 0–5).** An `ApiProvider` interface with OpenAI /
+  Anthropic / xAI adapters, a generic `api_<name>_request[_async]` tool surface,
+  an `HttpJobRunner` that treats HTTP calls as first-class async jobs, API-provider
+  discovery/catalog, and the ability to use API providers as validation
+  reviewers/judges. Open-string provider-identity widening (`kind:"api"`).
+- **Devin (Slices D0–D1).** Devin as a sixth gateway provider —
+  `devin_request[_async]` — with permission-mode aliases corrected against the
+  real CLI and a passing native-ACP smoke (third ACP runtime pilot).
+- **ACP runtime, Phase B (Slices B1–B7).** Read-only smoke harness,
+  deny-by-default HostServices boundary, permission bridge to ApprovalManager,
+  session map, session/update event normalizer, flight-recorder redaction, and
+  gated runtime pilots (Mistral + Grok + Devin) for first live ACP prompt routing.
+  Dormant by default.
+
+### Changed
+
+- **Strip internal MCP names from the published artifact.** Gateway-internal MCP
+  server names and host commands are centralised in `src/mcp-registry.ts` and
+  stripped at release time, so the published tarball contains zero internal names.
+  Enforced by an explicit, non-bypassable tarball token-guard
+  (`scripts/verify-no-internal-mcp.mjs`). `ClaudeMcpServerName` widens to `string`
+  and the request `mcpServers` schemas accept arbitrary names; no implicit default
+  server is injected.
+- **Vibe `permissionMode` accepts any `--agent` name.** Replaces the closed
+  agent-mode enum (which had stale `chat`/`explore`/`lean` values) with an open
+  string — Vibe owns its agent registry (builtins plus install-gated and custom
+  agents), so the gateway passes the name through and lets Vibe validate it.
+- **Gemini `mcpServers` accepted for approval tracking.** `gemini_request` no
+  longer rejects non-empty `mcpServers`; the names feed the approval policy but are
+  never passed to the Antigravity CLI (which manages its own MCP configuration).
+
+### Security / supply chain
+
+- `hono` pinned to `^4.12.25` via `overrides` (clears the advisories on 4.12.22),
+  with a hono-floor tripwire in the release security audit.
+
+### Deps
+
+- Dev-dependency bumps (keeps `type-is@2.1.0` out via the `body-parser` floor) and
+  a `github/codeql-action` group bump.
 
 ## [2.10.0] - 2026-06-15: Per-principal isolation on the request handlers
 

package/README.md

@@ -188,17 +188,47 @@ Every `*_request` and `*_request_async` tool accepts an optional `promptParts` f
 
 `prompt` and `promptParts` are mutually exclusive — pass exactly one.
 
-Per-CLI capability matrix:
+Per-CLI capability matrix (prefix discipline is automatic via `promptParts` for all; explicit levers are provider-specific):
+
+| CLI     | Prefix discipline | Explicit lever(s) |
+| ------- | ----------------- | ----------------- |
+| claude  | yes               | `promptParts.cacheControl` + `outputFormat: "stream-json"` (Anthropic `cache_control` breakpoints on stable blocks; `ttl="1h"` forced) |
+| codex   | yes               | none (OpenAI implicit) |
+| gemini  | yes               | none (implicit server-side) |
+| grok    | yes               | `compactionMode` / `compactionDetail` (context compaction: `summary|transcript|segments`; `segments` writes per-segment markdown) |
+| mistral | yes               | none (implicit) |
+
+**Claude example (explicit cacheControl)**
+
+```ts
+claude_request({
+  promptParts: {
+    system: "You are a helpful code reviewer.",
+    context: "<long stable file dump>",
+    task: "Review the diff.",
+    cacheControl: { system: true, context: true }  // task is never marked
+  },
+  outputFormat: "stream-json"
+})
+```
+
+Gateway emits the `stream-json` stdin path with `cache_control: {type:"ephemeral", ttl:"1h"}` on marked blocks only.
+
+**Grok example (compaction)**
+
+```ts
+grok_request({
+  promptParts: { system: "...", context: "...", task: "..." },
+  compactionMode: "segments",
+  compactionDetail: "balanced"
+})
+```
+
+Emits `--compaction-mode segments --compaction-detail balanced`.
 
-| CLI     | Prefix discipline (auto via `promptParts`) | Explicit `cache_control` emission                                            |
-| ------- | ------------------------------------------ | ---------------------------------------------------------------------------- |
-| claude  | yes                                        | yes, opt-in via `promptParts.cacheControl` and `outputFormat: "stream-json"` |
-| codex   | yes                                        | n/a (OpenAI implicit cache, no CLI lever)                                    |
-| gemini  | yes                                        | n/a (implicit prefix cache server-side)                                      |
-| grok    | yes                                        | n/a (no surfaced cache lever)                                                |
-| mistral | yes                                        | n/a (no surfaced cache lever)                                                |
+See `docs/personal-mcp/PROVIDER_CACHE_SURFACES.md` for full surfaces, telemetry differences (e.g. Grok `-p` vs ACP), exact stream-json payload shapes, and cross-LLM review notes.
 
-Opt-in flags (all default off) live under `[cache_awareness]` in `~/.llm-cli-gateway/config.toml`. See `docs/personal-mcp/PROVIDER_CACHE_SURFACES.md` for the per-model minimum cacheable token thresholds and field-name divergences.
+Opt-in flags (all default off) live under `[cache_awareness]` in `~/.llm-cli-gateway/config.toml`.
 
 ### Reliability & Performance
 
@@ -278,8 +308,10 @@ Vibe-specific notes:
   `VIBE_MODELS`, injects `VIBE_ACTIVE_MODEL` only when a model is explicitly
   requested or Vibe config needs recovery, and retries once after a
   model-not-found failure with refreshed discovery.
-- **`permissionMode` accepts** `default | plan | accept-edits | auto-approve |
-chat | explore | lean` and emits `--agent <mode>`. The gateway's
+- **`permissionMode` is the Vibe `--agent` name.** Builtins are
+  `default | plan | accept-edits | auto-approve`; Vibe also accepts install-gated
+  builtins (e.g. `lean`) and custom agents from `~/.vibe/agents`, so any name is
+  passed through and Vibe validates availability. The gateway's
   programmatic-mode default is `auto-approve`; pick a stricter mode
   explicitly if you need approval gates.
 - **`allowedTools` is allow-list only** — the gateway emits one
@@ -391,7 +423,7 @@ Execute a Claude Code request with optional session management.
 - `excludeDynamicSystemPromptSections` (boolean, optional): Trim dynamic system prompt sections
 - `approvalStrategy` (string, optional): `"legacy"` (default) or `"mcp_managed"`
 - `approvalPolicy` (string, optional): `"strict"`, `"balanced"`, or `"permissive"`
-- `mcpServers` (string[], optional): Claude MCP servers to expose (default: `["sqry","exa","ref_tools"]`; `"trstr"` available as opt-in)
+- `mcpServers` (string[], optional): Names of MCP servers to expose to Claude (default: none). The gateway resolves each name to a launch command from its local registry / Codex MCP config; unknown names are reported as unavailable. Configure the servers your deployment uses in the gateway environment.
 - `strictMcpConfig` (boolean, optional): Require Claude to use only supplied MCP config, default: true (request fails if any requested server is unavailable)
 - `optimizePrompt` (boolean, optional): Optimize prompt for token efficiency (44% reduction), default: false
 - `optimizeResponse` (boolean, optional): Optimize response for token efficiency (37% reduction), default: false
@@ -825,7 +857,7 @@ consumes       = ["OUT:mcp-reconnected"]
 Run a Mistral Vibe agentic coding request. Like `grok_request` in shape, but with Vibe's specific surface:
 
 - `model` (string, optional): Vibe model alias (for example `mistral-medium-3.5` or `latest`). The resolved value is injected via the `VIBE_ACTIVE_MODEL` environment variable; omit it to let the gateway discover Vibe config and avoid stale hardcoded defaults.
-- `permissionMode`: `default | plan | accept-edits | auto-approve | chat | explore | lean` — emitted as `--agent <mode>`. Defaults to `auto-approve` in programmatic mode.
+- `permissionMode`: the Vibe `--agent` name — builtins `default | plan | accept-edits | auto-approve`, or any install-gated/custom agent. Emitted as `--agent <name>`. Defaults to `auto-approve` in programmatic mode.
 - `allowedTools` (string[], optional): One `--enabled-tools <tool>` flag per entry (allow-list only).
 - `disallowedTools` (string[], optional): Accepted for parity with the other providers; ignored at the CLI boundary with a logged warning.
 - `outputFormat` (string, optional): Vibe 2.x values are `"text"`, `"json"`, or `"streaming"`; legacy aliases `"plain"` and `"stream-json"` are accepted and normalized before spawn.
@@ -861,7 +893,7 @@ Async request tools accept the same approval strategy fields as their sync varia
 
 - `approvalStrategy`: `"legacy"` (default) or `"mcp_managed"`
 - `approvalPolicy`: `"strict"|"balanced"|"permissive"` override
-- `mcpServers`: Requested MCP servers (`sqry`, `exa`, `ref_tools`, `trstr`)
+- `mcpServers`: Names of requested MCP servers, resolved against the gateway's local registry / Codex MCP config
 - `claude_request_async` also supports `strictMcpConfig` and fails fast when requested servers are unavailable
 
 ##### `llm_job_status`

package/dist/acp/event-normalizer.d.ts

@@ -0,0 +1,42 @@
+import type { ContentBlock, SessionUpdateNotification } from "./types.js";
+export type AcpProgressEvent = {
+    readonly kind: "agent_message";
+    readonly text: string;
+} | {
+    readonly kind: "agent_thought";
+    readonly text: string;
+} | {
+    readonly kind: "user_message";
+    readonly text: string;
+} | {
+    readonly kind: "tool_call";
+    readonly toolCallId: string;
+    readonly title: string;
+    readonly status?: string;
+    readonly toolKind?: string;
+} | {
+    readonly kind: "tool_update";
+    readonly toolCallId: string;
+    readonly status?: string;
+    readonly title?: string;
+} | {
+    readonly kind: "plan";
+    readonly entryCount: number;
+} | {
+    readonly kind: "mode";
+    readonly currentModeId: string;
+} | {
+    readonly kind: "usage";
+    readonly size: number;
+    readonly used: number;
+} | {
+    readonly kind: "other";
+    readonly sessionUpdate: string;
+};
+export declare function summarizeContentBlock(block: ContentBlock): string;
+export declare function normalizeSessionUpdate(notification: SessionUpdateNotification): AcpProgressEvent;
+export declare class AcpEventNormalizer {
+    private text;
+    handle(notification: SessionUpdateNotification): AcpProgressEvent;
+    get finalText(): string;
+}

package/dist/acp/event-normalizer.js

@@ -0,0 +1,71 @@
+function str(value) {
+    return typeof value === "string" ? value : undefined;
+}
+export function summarizeContentBlock(block) {
+    if (block.type === "text") {
+        return str(block.text) ?? "";
+    }
+    return `[${block.type}]`;
+}
+function chunkText(update) {
+    const content = update.content;
+    if (content && typeof content === "object") {
+        return summarizeContentBlock(content);
+    }
+    return "";
+}
+export function normalizeSessionUpdate(notification) {
+    const update = notification.update;
+    const variant = str(update.sessionUpdate) ?? "";
+    switch (variant) {
+        case "agent_message_chunk":
+            return { kind: "agent_message", text: chunkText(update) };
+        case "agent_thought_chunk":
+            return { kind: "agent_thought", text: chunkText(update) };
+        case "user_message_chunk":
+            return { kind: "user_message", text: chunkText(update) };
+        case "tool_call":
+            return {
+                kind: "tool_call",
+                toolCallId: str(update.toolCallId) ?? "",
+                title: str(update.title) ?? "",
+                status: str(update.status),
+                toolKind: str(update.kind),
+            };
+        case "tool_call_update":
+            return {
+                kind: "tool_update",
+                toolCallId: str(update.toolCallId) ?? "",
+                status: str(update.status),
+                title: str(update.title),
+            };
+        case "plan":
+            return {
+                kind: "plan",
+                entryCount: Array.isArray(update.entries) ? update.entries.length : 0,
+            };
+        case "current_mode_update":
+            return { kind: "mode", currentModeId: str(update.currentModeId) ?? "" };
+        case "usage_update":
+            return {
+                kind: "usage",
+                size: typeof update.size === "number" ? update.size : 0,
+                used: typeof update.used === "number" ? update.used : 0,
+            };
+        default:
+            return { kind: "other", sessionUpdate: variant };
+    }
+}
+export class AcpEventNormalizer {
+    text = "";
+    handle(notification) {
+        const event = normalizeSessionUpdate(notification);
+        if (event.kind === "agent_message") {
+            this.text += event.text;
+        }
+        return event;
+    }
+    get finalText() {
+        return this.text;
+    }
+}

package/dist/acp/flight-redaction.d.ts

@@ -0,0 +1,25 @@
+import type { ContentBlock } from "./types.js";
+import type { FlightLogResult, FlightLogStart } from "../flight-recorder.js";
+import type { CliType } from "../session-manager.js";
+export declare function summarizeAcpPromptForFlight(prompt: ReadonlyArray<ContentBlock>): string;
+export declare function summarizeAcpResponseForFlight(responseText: string): string;
+export declare function redactAcpTextForFlight(text: string): string;
+export interface AcpFlightStartParams {
+    readonly correlationId: string;
+    readonly provider: CliType;
+    readonly model: string;
+    readonly prompt: ReadonlyArray<ContentBlock>;
+    readonly gatewaySessionId?: string;
+    readonly asyncJobId?: string;
+}
+export declare function buildAcpFlightStart(params: AcpFlightStartParams): FlightLogStart;
+export interface AcpFlightResultParams {
+    readonly responseText: string;
+    readonly durationMs: number;
+    readonly status: "completed" | "failed";
+    readonly exitCode: number;
+    readonly inputTokens?: number;
+    readonly outputTokens?: number;
+    readonly errorMessage?: string;
+}
+export declare function buildAcpFlightResult(params: AcpFlightResultParams): FlightLogResult;

package/dist/acp/flight-redaction.js

@@ -0,0 +1,40 @@
+import { redactAcpMessage } from "./errors.js";
+import { isGatewaySessionId } from "./session-map.js";
+import { redactSecrets } from "../secret-redaction.js";
+export function summarizeAcpPromptForFlight(prompt) {
+    const n = prompt.length;
+    return `[acp prompt: ${n} content block${n === 1 ? "" : "s"}]`;
+}
+export function summarizeAcpResponseForFlight(responseText) {
+    return `[acp response: ${responseText.length} char${responseText.length === 1 ? "" : "s"}]`;
+}
+export function redactAcpTextForFlight(text) {
+    return redactSecrets(redactAcpMessage(text));
+}
+export function buildAcpFlightStart(params) {
+    const sessionId = params.gatewaySessionId !== undefined && isGatewaySessionId(params.gatewaySessionId)
+        ? params.gatewaySessionId
+        : undefined;
+    return {
+        correlationId: params.correlationId,
+        cli: params.provider,
+        model: params.model,
+        prompt: summarizeAcpPromptForFlight(params.prompt),
+        sessionId,
+        asyncJobId: params.asyncJobId,
+    };
+}
+export function buildAcpFlightResult(params) {
+    return {
+        response: summarizeAcpResponseForFlight(params.responseText),
+        durationMs: params.durationMs,
+        status: params.status,
+        exitCode: params.exitCode,
+        retryCount: 0,
+        circuitBreakerState: "closed",
+        optimizationApplied: false,
+        inputTokens: params.inputTokens,
+        outputTokens: params.outputTokens,
+        errorMessage: params.errorMessage !== undefined ? redactAcpTextForFlight(params.errorMessage) : undefined,
+    };
+}

package/dist/acp/host-services.d.ts

@@ -0,0 +1,16 @@
+import type { HostCallbackContext, HostServices } from "./client.js";
+import type { ReadTextFileRequest, ReadTextFileResponse, RequestPermissionRequest, RequestPermissionResponse, WriteTextFileRequest, WriteTextFileResponse } from "./types.js";
+import type { Logger } from "../logger.js";
+export type AcpPermissionDecider = (request: RequestPermissionRequest, context: HostCallbackContext) => Promise<RequestPermissionResponse>;
+export interface GatewayHostServicesOptions {
+    readonly logger?: Logger;
+    readonly permissionDecider?: AcpPermissionDecider;
+}
+export declare class GatewayHostServices implements HostServices {
+    private readonly logger;
+    private readonly permissionDecider?;
+    constructor(options?: GatewayHostServicesOptions);
+    readTextFile(_request: ReadTextFileRequest, context: HostCallbackContext): Promise<ReadTextFileResponse>;
+    writeTextFile(_request: WriteTextFileRequest, context: HostCallbackContext): Promise<WriteTextFileResponse>;
+    requestPermission(request: RequestPermissionRequest, context: HostCallbackContext): Promise<RequestPermissionResponse>;
+}

package/dist/acp/host-services.js

@@ -0,0 +1,29 @@
+import { AcpPermissionDeniedError } from "./errors.js";
+import { noopLogger } from "../logger.js";
+export class GatewayHostServices {
+    logger;
+    permissionDecider;
+    constructor(options = {}) {
+        this.logger = options.logger ?? noopLogger;
+        this.permissionDecider = options.permissionDecider;
+    }
+    async readTextFile(_request, context) {
+        this.logger.info("acp.host.read_denied", { provider: context.provider });
+        throw new AcpPermissionDeniedError(context.provider, "filesystem read host service is disabled", { provider: context.provider, debug: { method: context.method } });
+    }
+    async writeTextFile(_request, context) {
+        this.logger.info("acp.host.write_denied", { provider: context.provider });
+        throw new AcpPermissionDeniedError(context.provider, "filesystem write host service is disabled", { provider: context.provider, debug: { method: context.method } });
+    }
+    async requestPermission(request, context) {
+        if (this.permissionDecider) {
+            return this.permissionDecider(request, context);
+        }
+        this.logger.info("acp.permission.denied", {
+            provider: context.provider,
+            reason: "no_approval_bridge",
+            optionCount: request.options.length,
+        });
+        return { outcome: { outcome: "cancelled" } };
+    }
+}

package/dist/acp/permission-bridge.d.ts

@@ -0,0 +1,15 @@
+import type { HostCallbackContext } from "./client.js";
+import type { RequestPermissionRequest, RequestPermissionResponse } from "./types.js";
+import { ApprovalManager, type ApprovalCli, type ApprovalPolicy } from "../approval-manager.js";
+import type { Logger } from "../logger.js";
+export type AcpPermissionCategory = "read" | "write" | "execute" | "other";
+export interface AcpPermissionBridgeDeps {
+    readonly approvalManager: ApprovalManager;
+    readonly provider: ApprovalCli;
+    readonly allowWrite?: boolean;
+    readonly allowTerminal?: boolean;
+    readonly policy?: ApprovalPolicy;
+    readonly logger?: Logger;
+}
+export declare function categorizeToolCall(toolCall: Record<string, unknown>): AcpPermissionCategory;
+export declare function createAcpPermissionDecider(deps: AcpPermissionBridgeDeps): (request: RequestPermissionRequest, context: HostCallbackContext) => Promise<RequestPermissionResponse>;

package/dist/acp/permission-bridge.js

@@ -0,0 +1,90 @@
+import { noopLogger } from "../logger.js";
+const WRITE_KINDS = new Set(["edit", "delete", "move"]);
+const EXECUTE_KINDS = new Set(["execute"]);
+const READ_KINDS = new Set(["read", "search", "think"]);
+export function categorizeToolCall(toolCall) {
+    const kind = typeof toolCall.kind === "string" ? toolCall.kind.toLowerCase() : "";
+    if (WRITE_KINDS.has(kind))
+        return "write";
+    if (EXECUTE_KINDS.has(kind))
+        return "execute";
+    if (READ_KINDS.has(kind))
+        return "read";
+    return "other";
+}
+function isAllowOption(option) {
+    const kind = typeof option.kind === "string" ? option.kind.toLowerCase() : "";
+    return kind.startsWith("allow");
+}
+const CANCELLED = { outcome: { outcome: "cancelled" } };
+export function createAcpPermissionDecider(deps) {
+    const logger = deps.logger ?? noopLogger;
+    return async (request, _context) => {
+        const category = categorizeToolCall(request.toolCall);
+        if (category === "write" && deps.allowWrite !== true) {
+            logger.info("acp.permission.denied", {
+                provider: deps.provider,
+                category,
+                reason: "write_disabled",
+            });
+            return CANCELLED;
+        }
+        if (category === "execute" && deps.allowTerminal !== true) {
+            logger.info("acp.permission.denied", {
+                provider: deps.provider,
+                category,
+                reason: "terminal_disabled",
+            });
+            return CANCELLED;
+        }
+        if (category === "other") {
+            logger.info("acp.permission.denied", {
+                provider: deps.provider,
+                category,
+                reason: "unknown_kind_denied",
+            });
+            return CANCELLED;
+        }
+        let approved;
+        try {
+            const record = deps.approvalManager.decide({
+                cli: deps.provider,
+                operation: `acp_permission:${category}`,
+                prompt: `ACP permission request from ${deps.provider}`,
+                bypassRequested: false,
+                fullAuto: false,
+                requestedMcpServers: [],
+                policy: deps.policy,
+                metadata: { acp: true, category, optionCount: request.options.length },
+            });
+            approved = record.status === "approved";
+        }
+        catch (err) {
+            logger.error("acp.permission.decide_error", {
+                provider: deps.provider,
+                category,
+                errorClass: err instanceof Error ? err.name : "unknown",
+            });
+            return CANCELLED;
+        }
+        if (!approved) {
+            logger.info("acp.permission.denied", {
+                provider: deps.provider,
+                category,
+                reason: "approval_denied",
+            });
+            return CANCELLED;
+        }
+        const allow = request.options.find(isAllowOption);
+        if (!allow) {
+            logger.info("acp.permission.denied", {
+                provider: deps.provider,
+                category,
+                reason: "no_allow_option",
+            });
+            return CANCELLED;
+        }
+        logger.info("acp.permission.approved", { provider: deps.provider, category });
+        return { outcome: { outcome: "selected", optionId: allow.optionId } };
+    };
+}

package/dist/acp/process-manager.js

@@ -117,6 +117,8 @@ export class AcpProcessManager {
             callbacks: options.callbacks,
             idleTimeoutMs: options.idleTimeoutMs ?? this.config.processIdleTimeoutMs,
             initializeTimeoutMs: this.config.initializeTimeoutMs,
+            sessionNewTimeoutMs: this.config.sessionNewTimeoutMs,
+            promptTimeoutMs: this.config.promptTimeoutMs,
             onTerminal: m => this.live.delete(m),
         });
         this.live.add(managed);
@@ -192,7 +194,11 @@ class ManagedProcessImpl {
             hostServices: options.hostServices,
             callbacks: options.callbacks,
             logger: this.logger,
-            timeouts: { initializeMs: options.initializeTimeoutMs },
+            timeouts: {
+                initializeMs: options.initializeTimeoutMs,
+                sessionNewMs: options.sessionNewTimeoutMs,
+                promptMs: options.promptTimeoutMs,
+            },
         });
         options.child.on("exit", (code, signal) => this.handleExit(code, signal));
         options.child.on("error", err => this.handleSpawnError(err));

package/dist/acp/provider-registry.d.ts

@@ -1,5 +1,5 @@
 import type { CliType } from "../session-manager.js";
-export type AcpProviderStatus = "native_smoke_passed" | "adapter_mediated_deferred" | "absent_watchlist";
+export type AcpProviderStatus = "native_smoke_passed" | "native_candidate" | "adapter_mediated_deferred" | "absent_watchlist";
 export type AcpSupportKind = "native" | "adapter_mediated" | "none";
 export interface AcpEntrypoint {
     readonly command: string;

package/dist/acp/provider-registry.js

@@ -4,7 +4,7 @@ const ACP_PROVIDER_REGISTRY = Object.freeze({
         displayName: "Mistral Vibe",
         status: "native_smoke_passed",
         supportKind: "native",
-        targetVersion: "vibe 2.14.1",
+        targetVersion: "vibe 2.17.1",
         entrypoint: Object.freeze({ command: "vibe-acp", args: Object.freeze([]) }),
         runtimeEnabledDefault: false,
         shipRuntimePilot: true,
@@ -17,7 +17,7 @@ const ACP_PROVIDER_REGISTRY = Object.freeze({
         displayName: "xAI Grok CLI",
         status: "native_smoke_passed",
         supportKind: "native",
-        targetVersion: "grok 0.2.50 (cadf94855)",
+        targetVersion: "grok 0.2.60 (474c2bbfc)",
         entrypoint: Object.freeze({ command: "grok", args: Object.freeze(["agent", "stdio"]) }),
         runtimeEnabledDefault: false,
         shipRuntimePilot: true,
@@ -30,7 +30,7 @@ const ACP_PROVIDER_REGISTRY = Object.freeze({
         displayName: "OpenAI Codex CLI",
         status: "adapter_mediated_deferred",
         supportKind: "adapter_mediated",
-        targetVersion: "codex-cli 0.139.0",
+        targetVersion: "codex-cli 0.141.0",
         entrypoint: null,
         runtimeEnabledDefault: false,
         shipRuntimePilot: false,
@@ -43,7 +43,7 @@ const ACP_PROVIDER_REGISTRY = Object.freeze({
         displayName: "Anthropic Claude Code",
         status: "adapter_mediated_deferred",
         supportKind: "adapter_mediated",
-        targetVersion: "claude 2.1.175",
+        targetVersion: "claude 2.1.185",
         entrypoint: null,
         runtimeEnabledDefault: false,
         shipRuntimePilot: false,
@@ -56,7 +56,7 @@ const ACP_PROVIDER_REGISTRY = Object.freeze({
         displayName: "Google Antigravity",
         status: "absent_watchlist",
         supportKind: "none",
-        targetVersion: "agy 1.0.7",
+        targetVersion: "agy 1.0.10",
         entrypoint: null,
         runtimeEnabledDefault: false,
         shipRuntimePilot: false,
@@ -64,6 +64,19 @@ const ACP_PROVIDER_REGISTRY = Object.freeze({
         adapterCandidates: Object.freeze([]),
         caveat: "No ACP flag or subcommand at the target version. Legacy Gemini CLI ACP evidence does not transfer to Antigravity agy. Watchlist only.",
     }),
+    devin: Object.freeze({
+        provider: "devin",
+        displayName: "Cognition Devin CLI",
+        status: "native_smoke_passed",
+        supportKind: "native",
+        targetVersion: "devin 2026.7.23 (3bd47f77)",
+        entrypoint: Object.freeze({ command: "devin", args: Object.freeze(["acp"]) }),
+        runtimeEnabledDefault: false,
+        shipRuntimePilot: true,
+        runtimePriority: 3,
+        adapterCandidates: Object.freeze([]),
+        caveat: "Native ACP entrypoint `devin acp` (stdio JSON-RPC). Manual initialize + session/new smoke passed with the installed CLI managing credentials (`devin auth login`; WINDSURF_API_KEY for empty-env); empty-env smoke is expected to fail. Third native runtime pilot; runtime routing stays config-gated.",
+    }),
 });
 export function getAcpProviderRegistry() {
     return ACP_PROVIDER_REGISTRY;

package/dist/acp/runtime.d.ts

@@ -0,0 +1,35 @@
+import { type AcpSpawnFn, type ProcessEnv } from "./process-manager.js";
+import type { ApprovalManager } from "../approval-manager.js";
+import type { AcpConfig } from "../config.js";
+import type { FlightLogResult, FlightLogStart } from "../flight-recorder.js";
+import type { Logger } from "../logger.js";
+import type { CliType, ISessionManager } from "../session-manager.js";
+export interface AcpFlightSink {
+    logStart(entry: FlightLogStart): void;
+    logComplete(correlationId: string, result: FlightLogResult): void;
+}
+export interface AcpRuntimeDeps {
+    readonly config: AcpConfig;
+    readonly sessionManager: ISessionManager;
+    readonly approvalManager: ApprovalManager;
+    readonly flightRecorder?: AcpFlightSink;
+    readonly logger?: Logger;
+    readonly spawn?: AcpSpawnFn;
+    readonly baseEnv?: ProcessEnv;
+    readonly now?: () => number;
+}
+export interface AcpRunRequest {
+    readonly provider: CliType;
+    readonly prompt: string;
+    readonly model?: string;
+    readonly sessionId?: string;
+    readonly cwd?: string;
+    readonly correlationId: string;
+}
+export interface AcpRunResult {
+    readonly text: string;
+    readonly gatewaySessionId: string;
+    readonly protocolVersion: number | null;
+    readonly durationMs: number;
+}
+export declare function runAcpRequest(deps: AcpRuntimeDeps, req: AcpRunRequest): Promise<AcpRunResult>;