llm-cli-gateway 2.13.1 → 2.14.0-rc.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (88) hide show
  1. package/CHANGELOG.md +140 -0
  2. package/README.md +53 -26
  3. package/dist/acp/client.d.ts +29 -1
  4. package/dist/acp/client.js +78 -4
  5. package/dist/acp/errors.d.ts +9 -1
  6. package/dist/acp/errors.js +19 -0
  7. package/dist/acp/event-normalizer.d.ts +12 -0
  8. package/dist/acp/event-normalizer.js +16 -0
  9. package/dist/acp/flight-redaction.d.ts +3 -0
  10. package/dist/acp/flight-redaction.js +3 -0
  11. package/dist/acp/permission-bridge.js +11 -5
  12. package/dist/acp/process-manager.d.ts +2 -1
  13. package/dist/acp/process-manager.js +43 -4
  14. package/dist/acp/provider-registry.js +19 -11
  15. package/dist/acp/runtime.d.ts +8 -0
  16. package/dist/acp/runtime.js +47 -4
  17. package/dist/acp/types.d.ts +3083 -55
  18. package/dist/acp/types.js +242 -5
  19. package/dist/async-job-manager.d.ts +2 -0
  20. package/dist/async-job-manager.js +11 -0
  21. package/dist/codex-json-parser.d.ts +1 -0
  22. package/dist/codex-json-parser.js +6 -0
  23. package/dist/config.d.ts +16 -0
  24. package/dist/config.js +105 -19
  25. package/dist/connector-setup.d.ts +39 -0
  26. package/dist/connector-setup.js +86 -0
  27. package/dist/doctor.d.ts +39 -1
  28. package/dist/doctor.js +182 -3
  29. package/dist/flight-recorder.d.ts +2 -0
  30. package/dist/flight-recorder.js +20 -0
  31. package/dist/gemini-json-parser.d.ts +2 -0
  32. package/dist/gemini-json-parser.js +45 -8
  33. package/dist/grok-json-parser.d.ts +14 -0
  34. package/dist/grok-json-parser.js +156 -0
  35. package/dist/http-transport.js +27 -3
  36. package/dist/index.d.ts +48 -2
  37. package/dist/index.js +633 -144
  38. package/dist/job-store.d.ts +45 -7
  39. package/dist/job-store.js +138 -17
  40. package/dist/model-registry.d.ts +1 -0
  41. package/dist/model-registry.js +46 -0
  42. package/dist/oauth.js +17 -16
  43. package/dist/postgres-job-store-worker.d.ts +1 -0
  44. package/dist/postgres-job-store-worker.js +327 -0
  45. package/dist/pricing.d.ts +3 -2
  46. package/dist/provider-acp-capabilities.d.ts +52 -0
  47. package/dist/provider-acp-capabilities.js +101 -0
  48. package/dist/provider-admin-tools.d.ts +100 -0
  49. package/dist/provider-admin-tools.js +572 -0
  50. package/dist/provider-capability-cache.d.ts +46 -0
  51. package/dist/provider-capability-cache.js +248 -0
  52. package/dist/provider-capability-discovery.d.ts +85 -0
  53. package/dist/provider-capability-discovery.js +461 -0
  54. package/dist/provider-capability-resolver.d.ts +29 -0
  55. package/dist/provider-capability-resolver.js +92 -0
  56. package/dist/provider-definition-assertions.d.ts +9 -0
  57. package/dist/provider-definition-assertions.js +147 -0
  58. package/dist/provider-definitions.d.ts +127 -0
  59. package/dist/provider-definitions.js +758 -0
  60. package/dist/provider-help-parser.d.ts +34 -0
  61. package/dist/provider-help-parser.js +203 -0
  62. package/dist/provider-model-discovery.d.ts +30 -0
  63. package/dist/provider-model-discovery.js +229 -0
  64. package/dist/provider-output-metadata.d.ts +7 -0
  65. package/dist/provider-output-metadata.js +68 -0
  66. package/dist/provider-schema-builder.d.ts +22 -0
  67. package/dist/provider-schema-builder.js +55 -0
  68. package/dist/provider-surface-generator.d.ts +98 -0
  69. package/dist/provider-surface-generator.js +140 -0
  70. package/dist/provider-tool-capabilities.d.ts +3 -2
  71. package/dist/provider-tool-capabilities.js +77 -62
  72. package/dist/remote-url.d.ts +28 -0
  73. package/dist/remote-url.js +61 -0
  74. package/dist/request-helpers.d.ts +37 -4
  75. package/dist/request-helpers.js +134 -0
  76. package/dist/resources.d.ts +6 -1
  77. package/dist/resources.js +67 -193
  78. package/dist/session-manager.d.ts +2 -0
  79. package/dist/session-manager.js +34 -8
  80. package/dist/stream-json-parser.d.ts +1 -0
  81. package/dist/stream-json-parser.js +3 -0
  82. package/dist/upstream-contracts.d.ts +17 -1
  83. package/dist/upstream-contracts.js +209 -36
  84. package/dist/workspace-registry.d.ts +9 -0
  85. package/dist/workspace-registry.js +24 -4
  86. package/npm-shrinkwrap.json +2 -2
  87. package/package.json +8 -3
  88. package/setup/status.schema.json +75 -0
@@ -57,6 +57,27 @@ function isLocalHost(host) {
57
57
  const hostname = host.split(":")[0]?.toLowerCase() ?? "";
58
58
  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
59
59
  }
60
+ function isLoopbackHostname(hostname) {
61
+ const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
62
+ return h === "localhost" || h === "::1" || /^127\./.test(h);
63
+ }
64
+ function isPubliclyExposed(env, host) {
65
+ if (!isLocalHost(host))
66
+ return true;
67
+ if (env.LLM_GATEWAY_TUNNEL_PROVIDER && env.LLM_GATEWAY_TUNNEL_PROVIDER.trim().length > 0) {
68
+ return true;
69
+ }
70
+ const publicUrl = env.LLM_GATEWAY_PUBLIC_URL;
71
+ if (publicUrl && publicUrl.trim().length > 0) {
72
+ try {
73
+ if (!isLoopbackHostname(new URL(publicUrl).hostname))
74
+ return true;
75
+ }
76
+ catch {
77
+ }
78
+ }
79
+ return false;
80
+ }
60
81
  function requestBaseUrl(req) {
61
82
  const configured = process.env.LLM_GATEWAY_PUBLIC_URL;
62
83
  if (configured) {
@@ -85,9 +106,12 @@ export async function startHttpGateway(options) {
85
106
  const oauthConfig = loadRemoteOAuthConfig(logger);
86
107
  if (oauthConfig.enabled &&
87
108
  (oauthConfig.allowPublicClients || oauthConfig.registrationPolicy === "open_dev") &&
88
- !isLocalHost(host)) {
89
- throw new Error(`Refusing to start: remote OAuth with ${oauthConfig.allowPublicClients ? "public clients" : "open_dev registration"} is exposed on a non-loopback bind (host=${host}). Bind LLM_GATEWAY_HTTP_HOST to 127.0.0.1 ` +
90
- `and front the gateway with an authenticating proxy, or switch to ` +
109
+ isPubliclyExposed(process.env, host)) {
110
+ const exposure = !isLocalHost(host)
111
+ ? `a non-loopback bind (host=${host})`
112
+ : "a public URL / tunnel (LLM_GATEWAY_PUBLIC_URL or LLM_GATEWAY_TUNNEL_PROVIDER)";
113
+ throw new Error(`Refusing to start: remote OAuth with ${oauthConfig.allowPublicClients ? "public clients" : "open_dev registration"} is exposed via ${exposure}. A loopback bind fronted by a public tunnel is still ` +
114
+ `publicly reachable. Front the gateway with an authenticating proxy, or switch to ` +
91
115
  `registration_policy=static_clients with confidential client secrets.`);
92
116
  }
93
117
  const oauthServer = oauthConfig.enabled
package/dist/index.d.ts CHANGED
@@ -4,13 +4,14 @@ import { z } from "zod/v3";
4
4
  import { ISessionManager, type CliType, type ProviderType } from "./session-manager.js";
5
5
  import { ResourceProvider } from "./resources.js";
6
6
  import { PerformanceMetrics } from "./metrics.js";
7
- import { type PersistenceConfig, type CacheAwarenessConfig, type ProvidersConfig, type ApiProviderRuntime, type AcpConfig } from "./config.js";
7
+ import { type PersistenceConfig, type CacheAwarenessConfig, type ProvidersConfig, type ApiProviderRuntime, type AcpConfig, type AdminConfig } from "./config.js";
8
8
  import { DatabaseConnection } from "./db.js";
9
+ import { type DevinAcpAgentType } from "./provider-definitions.js";
9
10
  import { AsyncJobManager } from "./async-job-manager.js";
10
11
  import { ApprovalManager, ApprovalPolicy, ApprovalRecord } from "./approval-manager.js";
11
12
  import { ReviewIntegrityResult } from "./review-integrity.js";
12
13
  import { ClaudeMcpConfigResult, ClaudeMcpServerName } from "./claude-mcp-config.js";
13
- import { type MistralAgentMode, type ClaudePermissionMode, type CodexSandboxMode, type CodexAskForApproval, type ClaudeEffortLevel } from "./request-helpers.js";
14
+ import { type MistralAgentMode, type ClaudePermissionMode, type CodexSandboxMode, type CodexAskForApproval, type CodexLocalProvider, type CodexColorMode, type ClaudeEffortLevel } from "./request-helpers.js";
14
15
  import { FlightRecorderLike } from "./flight-recorder.js";
15
16
  import { type PromptParts } from "./prompt-parts.js";
16
17
  import { type WorkspaceRegistry } from "./workspace-registry.js";
@@ -77,6 +78,7 @@ export interface GatewayServerDeps {
77
78
  cacheAwareness?: CacheAwarenessConfig;
78
79
  providers?: ProvidersConfig;
79
80
  acpConfig?: AcpConfig;
81
+ adminConfig?: AdminConfig;
80
82
  workspaces?: WorkspaceRegistry;
81
83
  }
82
84
  export interface GatewayServerRuntime {
@@ -92,6 +94,7 @@ export interface GatewayServerRuntime {
92
94
  cacheAwareness: CacheAwarenessConfig;
93
95
  providers: ProvidersConfig;
94
96
  acpConfig: AcpConfig;
97
+ adminConfig: AdminConfig;
95
98
  workspaces: WorkspaceRegistry;
96
99
  }
97
100
  export declare function resolveGatewayServerRuntime(deps?: GatewayServerDeps, options?: {
@@ -104,6 +107,7 @@ export declare function runAcpTransport(deps: HandlerDeps, params: {
104
107
  model?: string;
105
108
  sessionId?: string;
106
109
  correlationId?: string;
110
+ agentType?: string;
107
111
  }): Promise<ExtendedToolResponse>;
108
112
  export interface ResolvedWorktree {
109
113
  cwd?: string;
@@ -120,6 +124,7 @@ export declare function resolveWorktreeForRequest(worktreeOpt: boolean | {
120
124
  workspaceRoot?: string;
121
125
  }): Promise<ResolvedWorktree>;
122
126
  export declare function formatWorktreePrefix(worktreePath?: string): string;
127
+ export declare function remoteSafeWorktreePath(worktreePath?: string, workspaceRoot?: string): string | undefined;
123
128
  export declare function createErrorResponse(cli: string, code: number, stderr: string, correlationId?: string, error?: Error, apiError?: {
124
129
  httpStatus?: number | null;
125
130
  responseBody?: string;
@@ -164,6 +169,7 @@ export declare function extractUsageAndCost(cli: CliType, output: string, output
164
169
  cacheCreationTokens?: number;
165
170
  costUsd?: number;
166
171
  };
172
+ export declare function registerBaseResources(server: McpServer, runtime: GatewayServerRuntime): void;
167
173
  interface CliRequestPrep {
168
174
  corrId: string;
169
175
  effectivePrompt: string;
@@ -212,6 +218,17 @@ export declare function prepareClaudeRequest(params: {
212
218
  settingSources?: string;
213
219
  settings?: string;
214
220
  tools?: string[];
221
+ includeHookEvents?: boolean;
222
+ replayUserMessages?: boolean;
223
+ systemPromptFile?: string;
224
+ appendSystemPromptFile?: string;
225
+ name?: string;
226
+ pluginDir?: string[];
227
+ pluginUrl?: string[];
228
+ safeMode?: boolean;
229
+ bare?: boolean;
230
+ debug?: string | boolean;
231
+ debugFile?: string;
215
232
  }, runtime?: GatewayServerRuntime): CliRequestPrep | ExtendedToolResponse;
216
233
  export interface CodexRequestPrep extends CliRequestPrep {
217
234
  cleanup?: () => void;
@@ -245,6 +262,14 @@ export declare function prepareCodexRequest(params: {
245
262
  ignoreRules?: boolean;
246
263
  workingDir?: string;
247
264
  addDir?: string[];
265
+ enable?: string[];
266
+ disable?: string[];
267
+ strictConfig?: boolean;
268
+ oss?: boolean;
269
+ localProvider?: CodexLocalProvider;
270
+ color?: CodexColorMode;
271
+ outputLastMessage?: string;
272
+ dangerouslyBypassHookTrust?: boolean;
248
273
  }, runtime?: GatewayServerRuntime): CodexRequestPrep | ExtendedToolResponse;
249
274
  export declare function prepareGeminiRequest(params: {
250
275
  prompt?: string;
@@ -268,6 +293,7 @@ export declare function prepareGeminiRequest(params: {
268
293
  yolo?: boolean;
269
294
  project?: string;
270
295
  newProject?: boolean;
296
+ printTimeout?: string;
271
297
  }, runtime?: GatewayServerRuntime): CliRequestPrep | ExtendedToolResponse;
272
298
  export declare function prepareGrokRequest(params: {
273
299
  prompt?: string;
@@ -412,6 +438,7 @@ export interface GeminiRequestParams {
412
438
  yolo?: boolean;
413
439
  project?: string;
414
440
  newProject?: boolean;
441
+ printTimeout?: string;
415
442
  workspace?: string;
416
443
  worktree?: boolean | {
417
444
  name?: string;
@@ -501,6 +528,12 @@ export interface DevinRequestParams {
501
528
  model?: string;
502
529
  permissionMode?: "auto" | "smart" | "dangerous";
503
530
  promptFile?: string;
531
+ config?: string;
532
+ sandbox?: boolean;
533
+ exportSession?: boolean | string;
534
+ respectWorkspaceTrust?: boolean;
535
+ agentConfig?: string;
536
+ agentType?: DevinAcpAgentType;
504
537
  transport?: "cli" | "acp";
505
538
  sessionId?: string;
506
539
  resumeLatest?: boolean;
@@ -516,6 +549,11 @@ export declare function prepareDevinRequest(params: {
516
549
  model?: string;
517
550
  permissionMode?: DevinRequestParams["permissionMode"];
518
551
  promptFile?: string;
552
+ config?: string;
553
+ sandbox?: boolean;
554
+ exportSession?: boolean | string;
555
+ respectWorkspaceTrust?: boolean;
556
+ agentConfig?: string;
519
557
  correlationId?: string;
520
558
  optimizePrompt: boolean;
521
559
  operation: string;
@@ -628,6 +666,14 @@ export declare function handleCodexRequestAsync(deps: AsyncHandlerDeps, params:
628
666
  ignoreRules?: boolean;
629
667
  workingDir?: string;
630
668
  addDir?: string[];
669
+ enable?: string[];
670
+ disable?: string[];
671
+ strictConfig?: boolean;
672
+ oss?: boolean;
673
+ localProvider?: CodexLocalProvider;
674
+ color?: CodexColorMode;
675
+ outputLastMessage?: string;
676
+ dangerouslyBypassHookTrust?: boolean;
631
677
  workspace?: string;
632
678
  worktree?: boolean | {
633
679
  name?: string;