llm-cli-gateway 2.13.0 → 2.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -3,7 +3,7 @@ name: multi-llm-review
3
3
  description: Parallel code reviews across Claude, Codex, Gemini, Grok, and Mistral. Use for quality analysis, bug finding, or security audit.
4
4
  metadata:
5
5
  author: verivus-oss
6
- version: "1.6"
6
+ version: "1.7"
7
7
  ---
8
8
 
9
9
  # Multi-LLM Code Review
@@ -24,10 +24,89 @@ Parallel reviews using gateway MCP tools. Each LLM has different strengths — c
24
24
 
25
25
  Apply these on every dispatch unless the caller has explicitly overridden a rule in the current turn:
26
26
 
27
- 1. **Omit `model`** let the gateway use its configured default per CLI. Nominating a model risks deprecated IDs (`o3`, `o3-pro`, `gpt-4o`, …) and capability mismatches. Call `list_models` only when the caller has asked for a specific variant.
28
- 2. **`approvalStrategy:"mcp_managed"`** is the skill dispatch default (the gateway schema default is `"legacy"`). It gates the request before execution; Claude then runs with `--permission-mode bypassPermissions`, Gemini with `--approval-mode yolo`, and Codex still needs `fullAuto:true` for autonomous file/shell work. Prefer this over raw bypass flags.
29
- 3. **No wallclock timeout; poll every 60 s** let sync auto-defer at 45 s or use `*_request_async`. Poll `llm_job_status` once every 60 seconds. Do **not** cancel jobs for taking too long; cancel only on explicit instruction or hard failure. `idleTimeoutMs` (no-output safeguard) is separate.
30
- 4. **Iterate until unconditional APPROVED** (review dispatches only)every review prompt must end with "End with APPROVED or NOT APPROVED with findings." On `NOT APPROVED` or conditional approval, consolidate findings, dispatch fixes (Codex + `fullAuto:true`), re-dispatch the review to the same reviewer. Repeat until unconditional APPROVED. Escalate after 3 rounds without convergence. This rule does **not** apply to pure implementation or non-review analysis dispatches.
27
+ 1. **Use the stdio gateway MCP surface only** call the host's `mcp__gtwy__*` tools (or the equivalent stdio `gtwy` namespace exposed to the current agent). Do not use connector/shadow gateway tools when the user asked for stdio gateway validation.
28
+ 2. **Omit `model`** let the gateway use its configured default per CLI. Nominating a model risks deprecated IDs (`o3`, `o3-pro`, `gpt-4o`, ...) and capability mismatches. Call `list_models` only when the caller has asked for a specific variant.
29
+ 3. **`approvalStrategy:"mcp_managed"`** is the skill dispatch default (the gateway schema default is `"legacy"`). It gates the request before execution. Grant full non-interactive verification permissions on every review round because permission grants are not assumed durable.
30
+ 4. **Full verification access for reviewers is required**reviewers need read, test/build, code-search, docs lookup, web/search, and provider-safe gateway introspection access where appropriate. Do not suppress tools or pass empty allowlists. If a provider-specific permission or MCP server required for verification is rejected, treat that as a review dispatch failure and fix the gateway/permission setup before proceeding, unless the user explicitly authorizes a degraded review.
31
+ 5. **No wallclock timeout; poll every 90 s** — use `*_request_async`. Poll `llm_job_status` no more than once every 90 seconds. Do **not** cancel reviewer jobs for taking too long; cancel only on explicit user instruction or a terminal provider/runtime failure. `idleTimeoutMs` (no-output safeguard) is separate.
32
+ 6. **Iterate until unconditional APPROVED** (review dispatches only) — every review prompt must end with a strict verdict requirement. On `NOT APPROVED`, `CHANGES_REQUIRED`, `BLOCKER`, or conditional approval, consolidate findings, apply fixes, refresh the verification report and exact diff/commit evidence, then re-dispatch the same reviewers. Repeat until unconditional approval or a concrete blocker remains after evidence-based rebuttal. This rule does **not** apply to pure implementation or non-review analysis dispatches.
33
+
34
+ ## Standard Validation Gate
35
+
36
+ Use this gate whenever the user asks for "the other LLMs", "cross review",
37
+ "red team", "validation", or similar review work.
38
+
39
+ ### Evidence Packet
40
+
41
+ Before dispatch, prepare a stable packet and pass the same packet to every
42
+ reviewer:
43
+
44
+ - **Corrective-program verification report**: the local verification report used
45
+ as the spec for the review. It must list claims, commands run, test names,
46
+ command-result digests, and code/doc evidence.
47
+ - **Exact change set**: commit SHA(s) when available, the diff range or explicit
48
+ `git diff` command, and the changed-file list. If the work is uncommitted,
49
+ state that clearly and include the exact dirty-file list.
50
+ - **Scope and invariants**: DAG step(s), issue/PR references, security
51
+ invariants, docs that define intended behavior, and out-of-scope files.
52
+ - **Review log from prior rounds**: verbatim reviewer findings plus per-finding
53
+ responses marked `FIXED`, `DISAGREE`, or `BLOCKER`, each with file:line, test,
54
+ command, or doc evidence.
55
+
56
+ The packet is not a substitute for inspection. The prompt must explicitly say
57
+ that the verification report and summary are claims, not evidence.
58
+
59
+ ### Reviewer Contract
60
+
61
+ Every reviewer prompt must require:
62
+
63
+ - Verify claims against actual code, tests, docs, and upstream documentation.
64
+ - Open/read the changed files and relevant neighboring code directly.
65
+ - Run or inspect the cited tests/builds; approval cannot be based on a summary,
66
+ intent, plan-compliance, or "should be fixed" language.
67
+ - Cite concrete evidence for each finding: `file:line`, test name + command, or
68
+ upstream doc URL. If a claim cannot be verified, report it as at least a major
69
+ finding.
70
+ - Return strict structured output with `verdict`, `findings`, `inspected`, and
71
+ `unconditional_approval_blockers`.
72
+
73
+ Recommended final verdict enum:
74
+
75
+ ```json
76
+ {
77
+ "verdict": "APPROVED | CHANGES_REQUIRED | BLOCKER",
78
+ "findings": [
79
+ {
80
+ "id": "F1",
81
+ "severity": "blocker | major | minor | nit",
82
+ "file": "src/example.ts",
83
+ "line": 123,
84
+ "claim": "Exact claim reviewed",
85
+ "issue": "What is wrong",
86
+ "evidence": "file:line, command/test output digest, URL, or unable to verify: reason",
87
+ "suggested_fix": "Concrete fix"
88
+ }
89
+ ],
90
+ "inspected": ["files, tests, commands, docs actually inspected"],
91
+ "unconditional_approval_blockers": ["F1"]
92
+ }
93
+ ```
94
+
95
+ ### Evidence-Based Triage
96
+
97
+ For every finding:
98
+
99
+ - If correct: fix it, run the relevant local gates, update the verification
100
+ report, and start a new review round with a fresh exact change set.
101
+ - If disputed: respond to that reviewer through the gateway with code/doc/test
102
+ evidence. Do not rebut with assertion, intent, "by design", or "the code should
103
+ already do that" unless accompanied by the exact evidence. The reviewer must
104
+ withdraw the finding or provide counter-evidence.
105
+ - If unresolvable in scope: record it as a concrete `BLOCKER` with evidence and
106
+ stop advancing the change until the user decides scope.
107
+
108
+ "Approved with nits" is not unconditional approval. Fix the nits or get the
109
+ reviewer to withdraw them as non-blocking with evidence.
31
110
 
32
111
  ## Workflow
33
112
 
@@ -61,28 +140,30 @@ CLIs share Claude's tool names or MCP semantics. The same data is available as
61
140
 
62
141
  ### 2. Send Parallel Reviews
63
142
 
64
- Sync tools auto-defer at 45s if response contains `status:"deferred"`, poll `jobId` via `llm_job_status` every 60s, fetch with `llm_job_result`.
143
+ Sync tools auto-defer at 45s, but review gates should prefer async tools. Poll
144
+ `jobId` via `llm_job_status` no more than once every 90s, fetch with
145
+ `llm_job_result` only after a terminal status.
65
146
 
66
147
  **Tip — share the stable prefix across reviewers:** when the same long brief / file dump is sent to every reviewer, switch from `prompt` to the structured `promptParts` field. The gateway concatenates in canonical order `system → tools → context → task`, so every reviewer sees byte-identical stable prefix bytes, raising implicit cache hit rate at each provider. `prompt` and `promptParts` are mutually exclusive — the runtime returns `provide exactly one of \`prompt\` or \`promptParts\`` if both are supplied. After the round, read `cache-state://prefix/{hash}` (tokens/hashes only, no prompt text) to confirm reviewers actually shared the prefix.
67
148
 
68
149
  **Claude — Quality & Architecture:**
69
150
  ```
70
- claude_request({prompt:"Review changes in {path} for architecture, design patterns, maintainability, documentation gaps. Read the files directly. Specific line numbers and fixes. End with APPROVED or NOT APPROVED with findings.",approvalStrategy:"mcp_managed",optimizePrompt:true,optimizeResponse:true})
151
+ claude_request_async({prompt:"Review the attached evidence packet and exact change set for architecture, design patterns, maintainability, and documentation gaps. The packet is a claim, not evidence. Verify against the changed files, neighboring source, tests, and docs directly. Cite file:line/test/doc evidence. Return strict JSON and end with APPROVED, CHANGES_REQUIRED, or BLOCKER.",approvalStrategy:"mcp_managed",optimizePrompt:true})
71
152
  ```
72
153
 
73
154
  **Codex — Logic & Correctness:**
74
155
  ```
75
- codex_request({prompt:"Analyze {path} for logic bugs, off-by-one, missing error handling, race conditions, test gaps. Read the files directly. Severity: critical/high/medium/low. End with APPROVED or NOT APPROVED with findings.",fullAuto:true,approvalStrategy:"mcp_managed",optimizePrompt:true,optimizeResponse:true})
156
+ codex_request_async({prompt:"Review the attached evidence packet and exact change set for logic bugs, off-by-one errors, missing error handling, races, and test gaps. The packet is a claim, not evidence. Verify against code/tests/docs directly. Cite file:line/test/doc evidence. Return strict JSON and end with APPROVED, CHANGES_REQUIRED, or BLOCKER.",fullAuto:true,approvalStrategy:"mcp_managed",optimizePrompt:true})
76
157
  ```
77
158
 
78
159
  **Gemini — Security & Edge Cases:**
79
160
  ```
80
- gemini_request({prompt:"Security audit {path}: injection, auth bypasses, data leaks, OWASP Top 10, crash-causing edge cases. Read the files directly. End with APPROVED or NOT APPROVED with findings.",approvalStrategy:"mcp_managed",optimizePrompt:true,optimizeResponse:true})
161
+ gemini_request_async({prompt:"Review the attached evidence packet and exact change set for security issues: injection, auth bypasses, data leaks, OWASP Top 10, and crash-causing edge cases. The packet is a claim, not evidence. Verify against code/tests/docs/upstream docs directly. Cite evidence. Return strict JSON and end with APPROVED, CHANGES_REQUIRED, or BLOCKER.",approvalStrategy:"mcp_managed",optimizePrompt:true})
81
162
  ```
82
163
 
83
164
  **Grok — Independent Diversity (optional 4th reviewer):**
84
165
  ```
85
- grok_request({prompt:"Independent review of {path}. Read the files directly. Flag issues the other reviewers may have missed, contradict findings you disagree with, and call out blind spots. End with APPROVED or NOT APPROVED with findings.",approvalStrategy:"mcp_managed",optimizePrompt:true,optimizeResponse:true})
166
+ grok_request_async({prompt:"Independent review of the attached evidence packet and exact change set. The packet is a claim, not evidence. Verify against code/tests/docs directly, flag blind spots, and contradict weak findings with evidence. Return strict JSON and end with APPROVED, CHANGES_REQUIRED, or BLOCKER.",approvalStrategy:"mcp_managed",optimizePrompt:true})
86
167
  ```
87
168
 
88
169
  Add Grok when consensus matters (high-stakes changes, security-critical paths) or to break ties between the other three. Auth must already be set up (`grok login` OAuth or `GROK_CODE_XAI_API_KEY`).
@@ -122,7 +203,10 @@ grok_request_async({prompt:"Independent diversity review of all TS files in src/
122
203
  mistral_request_async({prompt:"Independent Vibe review of all TS files in src/... End with APPROVED or NOT APPROVED with findings.",approvalStrategy:"mcp_managed",correlationId:"review-mistral"})
123
204
  ```
124
205
 
125
- Poll with `llm_job_status` every 60s, retrieve with `llm_job_result` when terminal. Jobs are durable — if your polling wrapper times out, re-issue the same call (the gateway auto-dedups onto the live job) or fetch by `jobId` later (default 30-day retention).
206
+ Poll with `llm_job_status` no more than once every 90s, retrieve with
207
+ `llm_job_result` when terminal. Jobs are durable — if your polling wrapper times
208
+ out, re-issue the same call (the gateway auto-dedups onto the live job) or fetch
209
+ by `jobId` later (default 30-day retention).
126
210
 
127
211
  For iterative Gemini reviews, pass `sessionId` for resumability:
128
212
 
@@ -135,23 +219,34 @@ gemini_request_async({prompt:"Deep security audit of src/... End with APPROVED o
135
219
 
136
220
  These patterns undermine review quality and trigger review integrity warnings:
137
221
 
138
- - **Don't inline code in `<code>` blocks** provide file paths and let reviewers read files directly
222
+ - **Don't use non-stdio gateway surfaces** when the requested validation path is
223
+ the local stdio gateway.
224
+ - **Don't provide only a summary** — provide the verification report and exact
225
+ change set, while requiring reviewers to verify against files/tests/docs
226
+ directly.
227
+ - **Don't under-grant review access** — full read, test/build, and MCP
228
+ verification access is the default. A partial-access review is not a valid
229
+ approval unless the user explicitly accepts that limitation.
139
230
  - **Don't suppress tools** — never include "do not run tools" or "respond only based on code provided" in review prompts
140
231
  - **Don't use `allowedTools:[]`** for reviews — reviewers need tool access to
141
232
  verify claims
142
233
  - **Don't copy tool names between providers** — Claude's `Read` / `Grep` /
143
234
  `Glob` names are not Grok, Codex, Gemini, or Vibe allowlist names. Check
144
235
  `provider_tool_capabilities` first, or omit provider tool allowlists.
145
- - **Do provide file paths** `"Review changes in src/auth.ts"` instead of dumping file contents
236
+ - **Don't cancel reviewer jobs** just because they are slow. Let them reach a
237
+ terminal status unless the user explicitly says to stop them.
238
+ - **Do provide file paths and exact diff identifiers** — `"Review commit
239
+ abc123, diff range base..head, changed files src/auth.ts ..."` instead of
240
+ vague summaries.
146
241
 
147
242
  ## Iteration Loop (mandatory)
148
243
 
149
244
  Reviews are not one-shot. The caller runs this loop:
150
245
 
151
246
  1. Dispatch reviewer(s) with the verdict clause in the prompt
152
- 2. Poll every 60s if deferred; fetch result
247
+ 2. Poll every 90s if deferred; fetch result only after terminal status
153
248
  3. Parse verdict from each reviewer — APPROVED / NOT APPROVED / conditional
154
- 4. **Any NOT APPROVED or conditional** → consolidate findingsdispatch fixes (Codex + `fullAuto:true`) → re-dispatch same review → goto 2
249
+ 4. **Any NOT APPROVED, CHANGES_REQUIRED, BLOCKER, or conditional** → triage each finding with evidence fix or rebut with code/doc/test citations refresh verification report and exact diff → re-dispatch same review → goto 2
155
250
  5. **All APPROVED (unconditional)** → done
156
251
  6. After 3 rounds without convergence, escalate to the user
157
252
 
@@ -169,6 +264,6 @@ Reviews are not one-shot. The caller runs this loop:
169
264
  - Use all five async variants for true parallel reviews when you want Grok's
170
265
  independent perspective and Mistral Vibe's fifth review
171
266
  - Pass `sessionId` to `gemini_request_async` / `grok_request_async` for resumable follow-up
172
- - Check for `status:"deferred"` in sync responses — poll `jobId` every 60s if present
267
+ - Check for `status:"deferred"` in sync responses — poll `jobId` no more than once every 90s if present
173
268
  - Gateway `mcpServers` default to the host's configured Claude MCP set; pass explicit server names only when the review needs those capabilities
174
269
  - **Re-issuing after a polling timeout is safe** — auto-dedup (default 1 h window, `LLM_GATEWAY_DEDUP_WINDOW_MS`) reattaches the new call to the existing job. Use `forceRefresh:true` only when inputs genuinely changed
package/CHANGELOG.md CHANGED
@@ -2,6 +2,32 @@
2
2
 
3
3
  All notable changes to the llm-cli-gateway project.
4
4
 
5
+ ## [2.13.1] - 2026-07-01: code-scanning hardening and review-gate discipline
6
+
7
+ ### Security
8
+
9
+ - **CodeQL remediation for URL, ReDoS, logging, and OAuth cookie alerts.**
10
+ API endpoint joining no longer uses slash-trimming regexes; ACP message
11
+ redaction now uses a stack-based single-pass JSON payload scanner with
12
+ truncated structured-payload fallback; central gateway stderr logging redacts
13
+ message strings, structured args, and nested `Error` name/message/stack
14
+ values; the xAI missing-key error no longer leaks the configured env var name;
15
+ and OAuth consent CSRF cookies now include `HttpOnly`, `Secure`,
16
+ `SameSite=Lax`, `Path=/oauth`, and `Max-Age=300`.
17
+ - **Regression coverage for the fixed alert surfaces.** Added focused tests for
18
+ endpoint slash normalization, nested and truncated ACP payload redaction,
19
+ logger redaction before stderr output, generic xAI missing-key messaging, and
20
+ complete OAuth CSRF cookie attributes.
21
+
22
+ ### Docs
23
+
24
+ - **Standardized cross-LLM review validation.** The shipped multi-LLM review
25
+ skill and best-practices guide now require the stdio gateway surface, no
26
+ provider model nomination, full non-interactive verification access,
27
+ 90-second polling, exact evidence packets, no cancellation of slow reviewers,
28
+ evidence-based rebuttals, and iteration until unconditional approval or a
29
+ concrete blocker.
30
+
5
31
  ## [2.13.0] - 2026-07-01: Cursor Agent CLI provider
6
32
 
7
33
  ### Added
@@ -1,7 +1,5 @@
1
1
  export function redactAcpMessage(input) {
2
- let out = input;
3
- out = out.replace(/\{[\s\S]*?\}/g, "<redacted-json>");
4
- out = out.replace(/\[[\s\S]*?\]/g, "<redacted-json>");
2
+ let out = redactJsonLikeBodies(input);
5
3
  out = out.replace(/\b(bearer|token|api[_-]?key|secret)\b\s*[:=]?\s*\S+/gi, "$1 <redacted>");
6
4
  out = out.replace(/\b(sk|xai|gsk|key)-[A-Za-z0-9_-]{8,}\b/gi, "<redacted-token>");
7
5
  out = out.replace(/(^|[^A-Za-z0-9._~\\/-])[A-Za-z]:\\[^\s"')\]}>]*/g, "$1<redacted-path>");
@@ -11,6 +9,64 @@ export function redactAcpMessage(input) {
11
9
  out = out.replace(/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi, "<redacted-email>");
12
10
  return out;
13
11
  }
12
+ function redactJsonLikeBodies(input) {
13
+ let out = "";
14
+ let cursor = 0;
15
+ let bodyStart = -1;
16
+ let stack = [];
17
+ let inString = false;
18
+ let escaped = false;
19
+ for (let index = 0; index < input.length; index += 1) {
20
+ const char = input.charAt(index);
21
+ if (bodyStart === -1) {
22
+ const close = char === "{" ? "}" : char === "[" ? "]" : "";
23
+ if (!close)
24
+ continue;
25
+ bodyStart = index;
26
+ stack = [close];
27
+ inString = false;
28
+ escaped = false;
29
+ continue;
30
+ }
31
+ if (escaped) {
32
+ escaped = false;
33
+ continue;
34
+ }
35
+ if (char === "\\") {
36
+ escaped = inString;
37
+ continue;
38
+ }
39
+ if (char === '"') {
40
+ inString = !inString;
41
+ continue;
42
+ }
43
+ if (inString)
44
+ continue;
45
+ const nestedClose = char === "{" ? "}" : char === "[" ? "]" : "";
46
+ if (nestedClose) {
47
+ stack.push(nestedClose);
48
+ continue;
49
+ }
50
+ if (char !== stack[stack.length - 1])
51
+ continue;
52
+ stack.pop();
53
+ if (stack.length > 0)
54
+ continue;
55
+ out += input.slice(cursor, bodyStart);
56
+ out += "<redacted-json>";
57
+ cursor = index + 1;
58
+ bodyStart = -1;
59
+ }
60
+ if (bodyStart !== -1 && isLikelyJsonPayload(input.slice(bodyStart))) {
61
+ out += input.slice(cursor, bodyStart);
62
+ out += "<redacted-json>";
63
+ cursor = input.length;
64
+ }
65
+ return cursor === 0 ? input : out + input.slice(cursor);
66
+ }
67
+ function isLikelyJsonPayload(span) {
68
+ return /"(?:jsonrpc|method|params|prompt|content|body|token|secret|api[_-]?key|credential|auth|cwd|path|[A-Za-z0-9_-]+)"\s*:/i.test(span);
69
+ }
14
70
  export function redactAcpDebug(value) {
15
71
  const sensitiveKey = /(payload|body|prompt|content|token|secret|api[_-]?key|credential|auth|cwd|path)/i;
16
72
  if (typeof value === "string") {
package/dist/api-http.js CHANGED
@@ -40,8 +40,8 @@ export function isLoopbackUrl(value) {
40
40
  }
41
41
  }
42
42
  export function buildEndpointUrl(baseUrl, path) {
43
- const trimmedBase = baseUrl.replace(/\/+$/, "");
44
- const trimmedPath = path.replace(/^\/+/, "");
43
+ const trimmedBase = stripTrailingSlashChars(baseUrl);
44
+ const trimmedPath = stripLeadingSlashChars(path);
45
45
  const url = new URL(`${trimmedBase}/${trimmedPath}`);
46
46
  if (url.protocol !== "https:" &&
47
47
  !(url.protocol === "http:" && LOOPBACK_HOSTS.includes(url.hostname))) {
@@ -49,6 +49,20 @@ export function buildEndpointUrl(baseUrl, path) {
49
49
  }
50
50
  return url;
51
51
  }
52
+ function stripTrailingSlashChars(value) {
53
+ let end = value.length;
54
+ while (end > 0 && value.charCodeAt(end - 1) === 47) {
55
+ end -= 1;
56
+ }
57
+ return value.slice(0, end);
58
+ }
59
+ function stripLeadingSlashChars(value) {
60
+ let start = 0;
61
+ while (start < value.length && value.charCodeAt(start) === 47) {
62
+ start += 1;
63
+ }
64
+ return value.slice(start);
65
+ }
52
66
  export function isHttpTransient(error) {
53
67
  const status = typeof error?.status === "number" ? error.status : null;
54
68
  if (status === 429 || (status !== null && status >= 500))
package/dist/index.d.ts CHANGED
@@ -38,11 +38,11 @@ type ExtendedToolResponse = {
38
38
  reviewIntegrity?: ReviewIntegrityResult;
39
39
  warnings?: WarningEntry[];
40
40
  };
41
- declare const logger: {
42
- info: (message: string, ...args: any[]) => void;
43
- warn: (message: string, ...args: any[]) => void;
44
- error: (message: string, ...args: any[]) => void;
45
- debug: (message: string, ...args: any[]) => void;
41
+ export declare const logger: {
42
+ info: (message: string, ...args: unknown[]) => void;
43
+ warn: (message: string, ...args: unknown[]) => void;
44
+ error: (message: string, ...args: unknown[]) => void;
45
+ debug: (message: string, ...args: unknown[]) => void;
46
46
  };
47
47
  type GatewayLogger = typeof logger;
48
48
  export declare function buildServerInstructions(asyncJobsEnabled: boolean, grokApiToolsEnabled?: boolean): string;
package/dist/index.js CHANGED
@@ -21,6 +21,7 @@ import { estimateTokens, optimizePrompt as optimizePromptText, optimizeResponse
21
21
  import { loadConfig, loadPersistenceConfig, loadCacheAwarenessConfig, loadProvidersConfig, loadAcpConfig, loadLimitsConfig, defaultGatewayConfigPath, isXaiProviderEnabled, enabledApiProviders, minStableTokensForModel, } from "./config.js";
22
22
  import { runAcpRequest } from "./acp/runtime.js";
23
23
  import { isAcpError } from "./acp/errors.js";
24
+ import { redactSecrets } from "./secret-redaction.js";
24
25
  import { createApiProvider, runApiRequest, apiProviderBreakerState, } from "./api-provider.js";
25
26
  import { prepareApiRequest, apiProviderCatalogEntry, ApiModelNotAllowedError, } from "./api-request.js";
26
27
  import { checkHealth } from "./health.js";
@@ -47,22 +48,65 @@ import { currentCaller, resolveValidationReceipt } from "./validation-receipt.js
47
48
  import { assertUpstreamCliArgs, assertUpstreamCliEnv, buildProviderSubcommandsCompactCatalog, buildUpstreamContractReport, getCliSubcommandContract, probeInstalledCliContract, serializeCliSubcommandContract, UPSTREAM_CLI_CONTRACTS, } from "./upstream-contracts.js";
48
49
  import { buildArgvFromGeneration, deriveZodShapeFromGeneration, GROK_FLAG_GENERATION, GROK_GEN_OUTPUT_FORMAT, GROK_GEN_MAIN, GROK_GEN_PROMPT_FILE, GROK_GEN_SINGLE, GROK_GEN_TAIL, } from "./provider-codegen.js";
49
50
  import { entrypointFileURL } from "./entrypoint-url.js";
50
- const logger = {
51
+ export const logger = {
51
52
  info: (message, ...args) => {
52
- console.error(`[INFO] ${new Date().toISOString()} - ${message}`, ...args);
53
+ console.error(formatLogLine("INFO", message), ...args.map(sanitizeLogArg));
53
54
  },
54
55
  warn: (message, ...args) => {
55
- console.error(`[WARN] ${new Date().toISOString()} - ${message}`, ...args);
56
+ console.error(formatLogLine("WARN", message), ...args.map(sanitizeLogArg));
56
57
  },
57
58
  error: (message, ...args) => {
58
- console.error(`[ERROR] ${new Date().toISOString()} - ${message}`, ...args);
59
+ console.error(formatLogLine("ERROR", message), ...args.map(sanitizeLogArg));
59
60
  },
60
61
  debug: (message, ...args) => {
61
62
  if (process.env.DEBUG) {
62
- console.error(`[DEBUG] ${new Date().toISOString()} - ${message}`, ...args);
63
+ console.error(formatLogLine("DEBUG", message), ...args.map(sanitizeLogArg));
63
64
  }
64
65
  },
65
66
  };
67
+ function formatLogLine(level, message) {
68
+ return `[${level}] ${new Date().toISOString()} - ${redactSecrets(message)}`;
69
+ }
70
+ function sanitizeLogArg(value) {
71
+ return sanitizeLogValue(value, new WeakSet(), 0);
72
+ }
73
+ function sanitizeLogValue(value, seen, depth) {
74
+ if (typeof value === "string") {
75
+ return redactSecrets(value);
76
+ }
77
+ if (value instanceof Error) {
78
+ return sanitizeLogError(value);
79
+ }
80
+ if (Array.isArray(value)) {
81
+ if (depth >= 4)
82
+ return "[Array]";
83
+ return value.map(item => sanitizeLogValue(item, seen, depth + 1));
84
+ }
85
+ if (value !== null && typeof value === "object") {
86
+ if (seen.has(value))
87
+ return "[Circular]";
88
+ if (depth >= 4)
89
+ return "[Object]";
90
+ seen.add(value);
91
+ const out = {};
92
+ for (const [key, inner] of Object.entries(value)) {
93
+ out[key] = sanitizeLogValue(inner, seen, depth + 1);
94
+ }
95
+ seen.delete(value);
96
+ return out;
97
+ }
98
+ return value;
99
+ }
100
+ function sanitizeLogError(error) {
101
+ const out = {
102
+ name: redactSecrets(error.name),
103
+ message: redactSecrets(error.message),
104
+ };
105
+ if (error.stack) {
106
+ out.stack = redactSecrets(error.stack);
107
+ }
108
+ return out;
109
+ }
66
110
  function startWindowsBootstrapperSelfHeal() {
67
111
  if (process.platform !== "win32")
68
112
  return;
@@ -2415,7 +2459,7 @@ export async function handleGrokApiRequest(deps, params) {
2415
2459
  }
2416
2460
  const apiKey = process.env[xaiConfig.apiKeyEnv]?.trim();
2417
2461
  if (!apiKey) {
2418
- return createErrorResponse("grok_api_request", 1, "", corrId, new Error(`xAI API key env var ${xaiConfig.apiKeyEnv} is not set`));
2462
+ return createErrorResponse("grok_api_request", 1, "", corrId, new Error("xAI API key is not configured"));
2419
2463
  }
2420
2464
  safeFlightStart({
2421
2465
  correlationId: corrId,
package/dist/oauth.js CHANGED
@@ -77,6 +77,10 @@ function readCookie(req, name) {
77
77
  }
78
78
  return null;
79
79
  }
80
+ function oauthCsrfCookie(csrf) {
81
+ const maxAgeSeconds = Math.floor(OAUTH_CODE_TTL_MS / 1000);
82
+ return `gw_oauth_csrf=${csrf}; HttpOnly; Secure; SameSite=Lax; Path=/oauth; Max-Age=${maxAgeSeconds}`;
83
+ }
80
84
  function methodNotAllowed(res) {
81
85
  res.writeHead(405, { allow: "GET, POST", "content-type": "application/json" });
82
86
  res.end(JSON.stringify({ error: "Method not allowed" }));
@@ -466,7 +470,7 @@ ${errorBlock}
466
470
  <p class="muted">Only approve if you initiated this connection.</p></div></body></html>`;
467
471
  res.writeHead(200, {
468
472
  "content-type": "text/html; charset=utf-8",
469
- "set-cookie": `gw_oauth_csrf=${csrf}; HttpOnly; SameSite=Lax; Path=/oauth`,
473
+ "set-cookie": oauthCsrfCookie(csrf),
470
474
  "cache-control": "no-store",
471
475
  });
472
476
  res.end(html);
@@ -1,12 +1,12 @@
1
1
  {
2
2
  "name": "llm-cli-gateway",
3
- "version": "2.13.0",
3
+ "version": "2.13.1",
4
4
  "lockfileVersion": 3,
5
5
  "requires": true,
6
6
  "packages": {
7
7
  "": {
8
8
  "name": "llm-cli-gateway",
9
- "version": "2.13.0",
9
+ "version": "2.13.1",
10
10
  "license": "MIT",
11
11
  "dependencies": {
12
12
  "@modelcontextprotocol/sdk": "^1.29.0",
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "llm-cli-gateway",
3
- "version": "2.13.0",
3
+ "version": "2.13.1",
4
4
  "mcpName": "io.github.verivus-oss/llm-cli-gateway",
5
5
  "description": "MCP server providing unified access to Claude Code, Codex, Gemini, Grok, Mistral Vibe, and Devin CLIs with session management, retry logic, async job orchestration, durable job results, and cross-LLM validation.",
6
6
  "license": "MIT",