llm-cli-gateway 2.3.0 → 2.5.0

package/dist/executor.js

@@ -269,30 +269,26 @@ export function killAllProcessGroups() {
     });
 }
 export function killProcessGroup(proc, signal) {
-    if (proc.pid) {
-        if (process.platform === "win32") {
-            return killWindowsProcessTree(proc.pid);
-        }
-        try {
-            process.kill(-proc.pid, signal);
-            return true;
-        }
-        catch (err) {
-            if (err.code !== "ESRCH") {
-                try {
-                    return proc.kill(signal);
-                }
-                catch {
-                    return false;
-                }
-            }
-            return false;
-        }
+    const pid = proc.pid;
+    if (typeof pid !== "number" || !Number.isInteger(pid) || pid <= 0) {
+        return false;
+    }
+    if (process.platform === "win32") {
+        return killWindowsProcessTree(pid);
     }
     try {
-        return proc.kill(signal);
+        process.kill(-pid, signal);
+        return true;
     }
-    catch {
+    catch (err) {
+        if (err.code !== "ESRCH") {
+            try {
+                return proc.kill(signal);
+            }
+            catch {
+                return false;
+            }
+        }
         return false;
     }
 }

package/dist/flight-recorder.d.ts

@@ -1,6 +1,7 @@
+import type { ProviderType } from "./session-manager.js";
 export interface FlightLogStart {
     correlationId: string;
-    cli: "claude" | "codex" | "gemini" | "grok" | "mistral";
+    cli: ProviderType;
     model: string;
     prompt: string;
     system?: string;

package/dist/http-transport.js

@@ -3,31 +3,42 @@ import { randomUUID } from "node:crypto";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
 import { authorizeBearerRequest, getRequiredBearerToken, writeAuthFailure } from "./auth.js";
+import { loadRemoteOAuthConfig } from "./config.js";
+import { OAuthServer, oauthBaseUrlFromRequest } from "./oauth.js";
+import { runWithRequestContext } from "./request-context.js";
 const noopLogger = {
     info: (..._args) => { },
     error: (..._args) => { },
     debug: (..._args) => { },
 };
-function readBody(req) {
+function firstHeader(value) {
+    return Array.isArray(value) ? value[0] : value;
+}
+function readRawBody(req) {
     return new Promise((resolve, reject) => {
         const chunks = [];
         req.on("data", chunk => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
         req.on("error", reject);
         req.on("end", () => {
             if (chunks.length === 0) {
-                resolve(undefined);
+                resolve("");
                 return;
             }
-            const raw = Buffer.concat(chunks).toString("utf8");
-            try {
-                resolve(JSON.parse(raw));
-            }
-            catch (error) {
-                reject(error);
-            }
+            resolve(Buffer.concat(chunks).toString("utf8"));
         });
     });
 }
+async function readBody(req) {
+    const raw = await readRawBody(req);
+    if (!raw)
+        return undefined;
+    try {
+        return JSON.parse(raw);
+    }
+    catch (error) {
+        throw error;
+    }
+}
 function methodNotAllowed(res) {
     res.writeHead(405, { allow: "GET, POST, DELETE", "content-type": "application/json" });
     res.end(JSON.stringify({ error: "Method not allowed" }));
@@ -36,6 +47,10 @@ function jsonError(res, status, message) {
     res.writeHead(status, { "content-type": "application/json" });
     res.end(JSON.stringify({ error: message }));
 }
+function jsonResponse(res, status, body) {
+    res.writeHead(status, { "content-type": "application/json" });
+    res.end(JSON.stringify(body));
+}
 function parseNoAuthPaths(raw, protectedPath) {
     const paths = new Set();
     for (const value of (raw ?? "").split(/[,;\s]+/)) {
@@ -51,6 +66,25 @@ function parseNoAuthPaths(raw, protectedPath) {
     }
     return paths;
 }
+function isLocalHost(host) {
+    const hostname = host.split(":")[0]?.toLowerCase() ?? "";
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+}
+function requestBaseUrl(req) {
+    const configured = process.env.LLM_GATEWAY_PUBLIC_URL;
+    if (configured) {
+        try {
+            return new URL(configured).origin;
+        }
+        catch {
+        }
+    }
+    const host = firstHeader(req.headers.host) ?? "127.0.0.1:3333";
+    const forwardedProto = firstHeader(req.headers["x-forwarded-proto"]);
+    const proto = forwardedProto ??
+        (host.startsWith("127.0.0.1") || host.startsWith("localhost") ? "http" : "https");
+    return `${proto}://${host}`;
+}
 export async function startHttpGateway(options) {
     const host = options.host ?? process.env.LLM_GATEWAY_HTTP_HOST ?? "127.0.0.1";
     const port = options.port ?? Number(process.env.LLM_GATEWAY_HTTP_PORT ?? 3333);
@@ -59,6 +93,10 @@ export async function startHttpGateway(options) {
     const logger = options.logger ?? noopLogger;
     const sessions = new Map();
     const token = getRequiredBearerToken();
+    const oauthConfig = loadRemoteOAuthConfig(logger);
+    const oauthServer = oauthConfig.enabled
+        ? new OAuthServer({ protectedPath: path, config: oauthConfig, logger })
+        : null;
     async function closeSession(sessionId) {
         const entry = sessions.get(sessionId);
         if (!entry)
@@ -89,22 +127,46 @@ export async function startHttpGateway(options) {
     const httpServer = createServer(async (req, res) => {
         try {
             const url = new URL(req.url || "/", `http://${req.headers.host || `${host}:${port}`}`);
+            const baseUrl = requestBaseUrl(req);
+            const oauthOrigin = oauthServer ? oauthBaseUrlFromRequest(req, oauthConfig) : null;
+            const effectiveOAuthBaseUrl = oauthOrigin ?? baseUrl;
+            const resourceMetadataUrl = oauthServer && oauthOrigin ? oauthServer.resourceMetadataUrl(oauthOrigin) : undefined;
             if (url.pathname === "/healthz") {
                 res.writeHead(200, { "content-type": "application/json" });
                 res.end(JSON.stringify({ ok: true, sessions: sessions.size }));
                 return;
             }
+            if (oauthServer) {
+                if (oauthServer.isOAuthPath(url.pathname) && !oauthOrigin) {
+                    jsonError(res, 503, "LLM_GATEWAY_PUBLIC_URL is required for public OAuth issuer metadata");
+                    return;
+                }
+                if (await oauthServer.handle({
+                    req,
+                    res,
+                    url,
+                    baseUrl: effectiveOAuthBaseUrl,
+                })) {
+                    return;
+                }
+            }
             const noAuthPath = noAuthPaths.has(url.pathname);
             if (url.pathname !== path && !noAuthPath) {
                 jsonError(res, 404, "Not found");
                 return;
             }
+            let requestContext = { authScopes: [] };
             if (!noAuthPath) {
                 const auth = authorizeBearerRequest(req, token);
                 if (!auth.ok) {
-                    writeAuthFailure(res, auth);
+                    writeAuthFailure(res, auth, resourceMetadataUrl ? { resourceMetadataUrl } : {});
                     return;
                 }
+                requestContext = {
+                    authKind: auth.kind,
+                    authScopes: auth.scopes ?? [],
+                    authClientId: auth.clientId,
+                };
             }
             if (req.method !== "GET" && req.method !== "POST" && req.method !== "DELETE") {
                 methodNotAllowed(res);
@@ -129,7 +191,7 @@ export async function startHttpGateway(options) {
                     return;
                 }
                 const body = req.method === "POST" ? await readBody(req) : undefined;
-                await entry.transport.handleRequest(req, res, body);
+                await runWithRequestContext(requestContext, () => entry.transport.handleRequest(req, res, body));
                 return;
             }
             if (req.method !== "POST") {
@@ -146,7 +208,7 @@ export async function startHttpGateway(options) {
                 return;
             }
             const entry = await createSession();
-            await entry.transport.handleRequest(req, res, body);
+            await runWithRequestContext(requestContext, () => entry.transport.handleRequest(req, res, body));
         }
         catch (error) {
             logger.error("HTTP transport request failed", error);

package/dist/index.d.ts

@@ -1,10 +1,11 @@
 #!/usr/bin/env node
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod/v3";
-import { ISessionManager } from "./session-manager.js";
+import { ISessionManager, type ProviderType } from "./session-manager.js";
 import { ResourceProvider } from "./resources.js";
 import { PerformanceMetrics } from "./metrics.js";
-import { type PersistenceConfig, type CacheAwarenessConfig } from "./config.js";
+import { type PersistenceConfig, type CacheAwarenessConfig, type ProvidersConfig } from "./config.js";
+import { type XaiReasoningEffort } from "./xai-api-provider.js";
 import { DatabaseConnection } from "./db.js";
 import { AsyncJobManager } from "./async-job-manager.js";
 import { ApprovalManager, ApprovalRecord } from "./approval-manager.js";
@@ -13,6 +14,7 @@ import { ClaudeMcpConfigResult, ClaudeMcpServerName } from "./claude-mcp-config.
 import { type MistralAgentMode, type ClaudePermissionMode, type CodexSandboxMode, type CodexAskForApproval, type ClaudeEffortLevel } from "./request-helpers.js";
 import { FlightRecorderLike } from "./flight-recorder.js";
 import { type PromptParts } from "./prompt-parts.js";
+import { type WorkspaceRegistry } from "./workspace-registry.js";
 export interface WarningEntry {
     code: string;
     message?: string;
@@ -44,7 +46,7 @@ declare const logger: {
     debug: (message: string, ...args: any[]) => void;
 };
 type GatewayLogger = typeof logger;
-export declare function buildServerInstructions(asyncJobsEnabled: boolean): string;
+export declare function buildServerInstructions(asyncJobsEnabled: boolean, grokApiToolsEnabled?: boolean): string;
 export declare const MAX_TURNS_SCHEMA: z.ZodNumber;
 export declare const MAX_TOKENS_SCHEMA: z.ZodNumber;
 export declare const MAX_PRICE_SCHEMA: z.ZodNumber;
@@ -58,9 +60,10 @@ export declare const WORKTREE_SCHEMA: z.ZodUnion<[z.ZodBoolean, z.ZodObject<{
     name?: string | undefined;
     ref?: string | undefined;
 }>]>;
-export declare const SESSION_PROVIDER_VALUES: readonly ["claude", "codex", "gemini", "grok", "mistral"];
-export declare const SESSION_PROVIDER_ENUM: z.ZodEnum<["claude", "codex", "gemini", "grok", "mistral"]>;
-export type SessionProvider = (typeof SESSION_PROVIDER_VALUES)[number];
+export declare const WORKSPACE_ALIAS_SCHEMA: z.ZodString;
+export declare const SESSION_PROVIDER_VALUES: readonly ["claude", "codex", "gemini", "grok", "mistral", "grok-api"];
+export declare const SESSION_PROVIDER_ENUM: z.ZodEnum<["claude", "codex", "gemini", "grok", "mistral", "grok-api"]>;
+export type SessionProvider = ProviderType;
 export interface GatewayServerDeps {
     sessionManager?: ISessionManager;
     resourceProvider?: ResourceProvider;
@@ -72,6 +75,8 @@ export interface GatewayServerDeps {
     logger?: GatewayLogger;
     persistence?: PersistenceConfig;
     cacheAwareness?: CacheAwarenessConfig;
+    providers?: ProvidersConfig;
+    workspaces?: WorkspaceRegistry;
 }
 export interface GatewayServerRuntime {
     sessionManager: ISessionManager;
@@ -84,18 +89,27 @@ export interface GatewayServerRuntime {
     logger: GatewayLogger;
     persistence: PersistenceConfig;
     cacheAwareness: CacheAwarenessConfig;
+    providers: ProvidersConfig;
+    workspaces: WorkspaceRegistry;
 }
 export declare function resolveGatewayServerRuntime(deps?: GatewayServerDeps, options?: {
     isolateState?: boolean;
 }): GatewayServerRuntime;
+export declare function shouldRegisterGrokApiTools(providers: ProvidersConfig): boolean;
 export interface ResolvedWorktree {
     cwd?: string;
     worktreePath?: string;
+    workspaceAlias?: string;
+    workspaceRoot?: string;
 }
 export declare function resolveWorktreeForRequest(worktreeOpt: boolean | {
     name?: string;
     ref?: string;
-} | undefined, sessionId: string | undefined, runtime: GatewayServerRuntime): Promise<ResolvedWorktree>;
+} | undefined, sessionId: string | undefined, runtime: GatewayServerRuntime, options?: {
+    repoRoot?: string;
+    workspaceAlias?: string;
+    workspaceRoot?: string;
+}): Promise<ResolvedWorktree>;
 export declare function formatWorktreePrefix(worktreePath?: string): string;
 export declare function extractUsageAndCost(cli: "claude" | "codex" | "gemini" | "grok" | "mistral", output: string, outputFormat?: string, ctx?: {
     sessionId?: string;
@@ -285,6 +299,22 @@ export declare function buildMistralRetryPrep(params: Pick<MistralRequestParams,
     env: Record<string, string>;
     ignoredDisallowedTools: boolean;
 };
+export interface GrokApiRequestParams {
+    prompt?: string;
+    promptParts?: PromptParts;
+    model?: string;
+    sessionId?: string;
+    createNewSession?: boolean;
+    correlationId?: string;
+    optimizePrompt: boolean;
+    optimizeResponse?: boolean;
+    maxOutputTokens?: number;
+    temperature?: number;
+    topP?: number;
+    reasoningEffort?: XaiReasoningEffort;
+    timeoutMs?: number;
+}
+export declare function handleGrokApiRequest(deps: HandlerDeps, params: GrokApiRequestParams): Promise<ExtendedToolResponse>;
 export interface GeminiRequestParams {
     prompt?: string;
     promptParts?: PromptParts;
@@ -310,6 +340,7 @@ export interface GeminiRequestParams {
     attachments?: string[];
     skipTrust?: boolean;
     yolo?: boolean;
+    workspace?: string;
     worktree?: boolean | {
         name?: string;
         ref?: string;
@@ -323,6 +354,7 @@ export interface HandlerDeps {
         error: (...args: any[]) => void;
         debug: (...args: any[]) => void;
     };
+    workspaces?: WorkspaceRegistry;
     runtime?: GatewayServerRuntime;
 }
 export interface AsyncHandlerDeps extends HandlerDeps {
@@ -380,6 +412,7 @@ export interface GrokRequestParams {
     restoreCode?: boolean;
     leaderSocket?: string;
     nativeWorktree?: boolean | string;
+    workspace?: string;
     worktree?: boolean | {
         name?: string;
         ref?: string;
@@ -412,6 +445,7 @@ export interface MistralRequestParams {
     maxTokens?: number;
     workingDir?: string;
     addDir?: string[];
+    workspace?: string;
     worktree?: boolean | {
         name?: string;
         ref?: string;
@@ -449,6 +483,7 @@ export declare function handleCodexRequestAsync(deps: AsyncHandlerDeps, params:
     ignoreRules?: boolean;
     workingDir?: string;
     addDir?: string[];
+    workspace?: string;
     worktree?: boolean | {
         name?: string;
         ref?: string;