llm-cli-gateway 2.4.0 → 2.6.0

package/dist/doctor.d.ts

@@ -69,6 +69,21 @@ export interface DoctorReport {
         required: boolean;
         token_configured: boolean;
         source: string;
+        oauth: {
+            enabled: boolean;
+            registration_policy: string;
+            clients_configured: number;
+            shared_secret_enabled: boolean;
+            pkce_required: boolean;
+            issuer: string | null;
+        };
+    };
+    workspaces: {
+        enabled: boolean;
+        default: string | null;
+        repo_count: number;
+        allowed_root_count: number;
+        gateway_app_dir_is_workspace: boolean;
     };
     providers: Record<"claude" | "codex" | "gemini" | "grok" | "mistral", {
         cli_available: boolean;

package/dist/doctor.js

@@ -6,7 +6,8 @@ import { loadAuthConfig } from "./auth.js";
 import { createEndpointExposureReport, redactDiagnosticUrl, } from "./endpoint-exposure.js";
 import { listProviderRuntimeStatuses, } from "./provider-status.js";
 import { CLAUDE_MCP_SERVER_NAMES } from "./claude-mcp-config.js";
-import { loadCacheAwarenessConfig } from "./config.js";
+import { loadCacheAwarenessConfig, loadRemoteOAuthConfig, } from "./config.js";
+import { loadWorkspaceRegistry } from "./workspace-registry.js";
 import { computeGlobalCacheStats } from "./cache-stats.js";
 import { FlightRecorder, resolveFlightRecorderDbPath } from "./flight-recorder.js";
 import { buildUpstreamContractReport } from "./upstream-contracts.js";
@@ -168,16 +169,7 @@ function chatGPTConnectorUrl(env, rawPublicUrl) {
         .find(value => value.startsWith("/") && !value.includes("?") && !value.includes("#"));
     if (!rawPublicUrl || !path)
         return null;
-    try {
-        const url = new URL(rawPublicUrl);
-        url.pathname = path;
-        url.search = "";
-        url.hash = "";
-        return redactDiagnosticUrl(url.toString());
-    }
-    catch {
-        return null;
-    }
+    return "<redacted>";
 }
 function buildCacheAwarenessReport(opts) {
     const enabled = [];
@@ -240,6 +232,8 @@ export function createDoctorReport(envOrOptions = process.env) {
         : { env: envOrOptions };
     const env = opts.env ?? process.env;
     const auth = loadAuthConfig(env);
+    const oauth = loadRemoteOAuthConfig(undefined, env);
+    const workspaceRegistry = loadWorkspaceRegistry();
     const transport = defaultTransport(env);
     const rawPublicUrl = env.LLM_GATEWAY_PUBLIC_URL || null;
     const publicUrl = redactDiagnosticUrl(rawPublicUrl);
@@ -294,6 +288,23 @@ export function createDoctorReport(envOrOptions = process.env) {
             required: auth.required,
             token_configured: auth.tokenConfigured,
             source: auth.source,
+            oauth: {
+                enabled: oauth.enabled,
+                registration_policy: oauth.registrationPolicy,
+                clients_configured: oauth.clients.length,
+                shared_secret_enabled: Boolean(oauth.sharedSecret?.enabled),
+                pkce_required: oauth.requirePkce,
+                issuer: oauth.issuer === "auto"
+                    ? publicUrl
+                    : redactDiagnosticUrl(oauth.issuer === "auto" ? null : oauth.issuer),
+            },
+        },
+        workspaces: {
+            enabled: workspaceRegistry.enabled,
+            default: workspaceRegistry.defaultAlias,
+            repo_count: workspaceRegistry.repos.length,
+            allowed_root_count: workspaceRegistry.allowedRoots.length,
+            gateway_app_dir_is_workspace: workspaceRegistry.repos.some(repo => repo.path === join(homedir(), ".llm-cli-gateway")),
         },
         providers: {
             claude: doctorProviderStatus(providerStatuses.claude),

package/dist/executor.d.ts

@@ -13,6 +13,7 @@ export interface ExecuteResult {
     stderr: string;
     code: number;
 }
+export declare function providerCommandName(command: string): string;
 export declare function buildExtendedPath(env?: NodeJS.ProcessEnv, home?: string, nodePath?: string, platform?: NodeJS.Platform): string;
 export declare function getExtendedPath(): string;
 export declare function envWithExtendedPath(baseEnv?: NodeJS.ProcessEnv, extendedPath?: string, platform?: NodeJS.Platform): NodeJS.ProcessEnv;

package/dist/executor.js

@@ -3,6 +3,13 @@ import { homedir } from "os";
 import { delimiter, join, dirname, extname, win32 } from "path";
 import { readdirSync, existsSync } from "fs";
 import { createCircuitBreaker, withRetry } from "./retry.js";
+export function providerCommandName(command) {
+    if (command === "gemini")
+        return "agy";
+    if (command === "mistral")
+        return "vibe";
+    return command;
+}
 const MAX_OUTPUT_SIZE = 50 * 1024 * 1024;
 const circuitBreakers = new Map();
 let cachedNvmPath;

package/dist/http-transport.js

@@ -3,31 +3,42 @@ import { randomUUID } from "node:crypto";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
 import { authorizeBearerRequest, getRequiredBearerToken, writeAuthFailure } from "./auth.js";
+import { loadRemoteOAuthConfig } from "./config.js";
+import { OAuthServer, oauthBaseUrlFromRequest } from "./oauth.js";
+import { runWithRequestContext } from "./request-context.js";
 const noopLogger = {
     info: (..._args) => { },
     error: (..._args) => { },
     debug: (..._args) => { },
 };
-function readBody(req) {
+function firstHeader(value) {
+    return Array.isArray(value) ? value[0] : value;
+}
+function readRawBody(req) {
     return new Promise((resolve, reject) => {
         const chunks = [];
         req.on("data", chunk => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
         req.on("error", reject);
         req.on("end", () => {
             if (chunks.length === 0) {
-                resolve(undefined);
+                resolve("");
                 return;
             }
-            const raw = Buffer.concat(chunks).toString("utf8");
-            try {
-                resolve(JSON.parse(raw));
-            }
-            catch (error) {
-                reject(error);
-            }
+            resolve(Buffer.concat(chunks).toString("utf8"));
         });
     });
 }
+async function readBody(req) {
+    const raw = await readRawBody(req);
+    if (!raw)
+        return undefined;
+    try {
+        return JSON.parse(raw);
+    }
+    catch (error) {
+        throw error;
+    }
+}
 function methodNotAllowed(res) {
     res.writeHead(405, { allow: "GET, POST, DELETE", "content-type": "application/json" });
     res.end(JSON.stringify({ error: "Method not allowed" }));
@@ -36,6 +47,10 @@ function jsonError(res, status, message) {
     res.writeHead(status, { "content-type": "application/json" });
     res.end(JSON.stringify({ error: message }));
 }
+function jsonResponse(res, status, body) {
+    res.writeHead(status, { "content-type": "application/json" });
+    res.end(JSON.stringify(body));
+}
 function parseNoAuthPaths(raw, protectedPath) {
     const paths = new Set();
     for (const value of (raw ?? "").split(/[,;\s]+/)) {
@@ -51,6 +66,25 @@ function parseNoAuthPaths(raw, protectedPath) {
     }
     return paths;
 }
+function isLocalHost(host) {
+    const hostname = host.split(":")[0]?.toLowerCase() ?? "";
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+}
+function requestBaseUrl(req) {
+    const configured = process.env.LLM_GATEWAY_PUBLIC_URL;
+    if (configured) {
+        try {
+            return new URL(configured).origin;
+        }
+        catch {
+        }
+    }
+    const host = firstHeader(req.headers.host) ?? "127.0.0.1:3333";
+    const forwardedProto = firstHeader(req.headers["x-forwarded-proto"]);
+    const proto = forwardedProto ??
+        (host.startsWith("127.0.0.1") || host.startsWith("localhost") ? "http" : "https");
+    return `${proto}://${host}`;
+}
 export async function startHttpGateway(options) {
     const host = options.host ?? process.env.LLM_GATEWAY_HTTP_HOST ?? "127.0.0.1";
     const port = options.port ?? Number(process.env.LLM_GATEWAY_HTTP_PORT ?? 3333);
@@ -59,6 +93,10 @@ export async function startHttpGateway(options) {
     const logger = options.logger ?? noopLogger;
     const sessions = new Map();
     const token = getRequiredBearerToken();
+    const oauthConfig = loadRemoteOAuthConfig(logger);
+    const oauthServer = oauthConfig.enabled
+        ? new OAuthServer({ protectedPath: path, config: oauthConfig, logger })
+        : null;
     async function closeSession(sessionId) {
         const entry = sessions.get(sessionId);
         if (!entry)
@@ -89,22 +127,46 @@ export async function startHttpGateway(options) {
     const httpServer = createServer(async (req, res) => {
         try {
             const url = new URL(req.url || "/", `http://${req.headers.host || `${host}:${port}`}`);
+            const baseUrl = requestBaseUrl(req);
+            const oauthOrigin = oauthServer ? oauthBaseUrlFromRequest(req, oauthConfig) : null;
+            const effectiveOAuthBaseUrl = oauthOrigin ?? baseUrl;
+            const resourceMetadataUrl = oauthServer && oauthOrigin ? oauthServer.resourceMetadataUrl(oauthOrigin) : undefined;
             if (url.pathname === "/healthz") {
                 res.writeHead(200, { "content-type": "application/json" });
                 res.end(JSON.stringify({ ok: true, sessions: sessions.size }));
                 return;
             }
+            if (oauthServer) {
+                if (oauthServer.isOAuthPath(url.pathname) && !oauthOrigin) {
+                    jsonError(res, 503, "LLM_GATEWAY_PUBLIC_URL is required for public OAuth issuer metadata");
+                    return;
+                }
+                if (await oauthServer.handle({
+                    req,
+                    res,
+                    url,
+                    baseUrl: effectiveOAuthBaseUrl,
+                })) {
+                    return;
+                }
+            }
             const noAuthPath = noAuthPaths.has(url.pathname);
             if (url.pathname !== path && !noAuthPath) {
                 jsonError(res, 404, "Not found");
                 return;
             }
+            let requestContext = { authScopes: [] };
             if (!noAuthPath) {
                 const auth = authorizeBearerRequest(req, token);
                 if (!auth.ok) {
-                    writeAuthFailure(res, auth);
+                    writeAuthFailure(res, auth, resourceMetadataUrl ? { resourceMetadataUrl } : {});
                     return;
                 }
+                requestContext = {
+                    authKind: auth.kind,
+                    authScopes: auth.scopes ?? [],
+                    authClientId: auth.clientId,
+                };
             }
             if (req.method !== "GET" && req.method !== "POST" && req.method !== "DELETE") {
                 methodNotAllowed(res);
@@ -129,7 +191,7 @@ export async function startHttpGateway(options) {
                     return;
                 }
                 const body = req.method === "POST" ? await readBody(req) : undefined;
-                await entry.transport.handleRequest(req, res, body);
+                await runWithRequestContext(requestContext, () => entry.transport.handleRequest(req, res, body));
                 return;
             }
             if (req.method !== "POST") {
@@ -146,7 +208,7 @@ export async function startHttpGateway(options) {
                 return;
             }
             const entry = await createSession();
-            await entry.transport.handleRequest(req, res, body);
+            await runWithRequestContext(requestContext, () => entry.transport.handleRequest(req, res, body));
         }
         catch (error) {
             logger.error("HTTP transport request failed", error);

package/dist/index.d.ts

@@ -14,6 +14,7 @@ import { ClaudeMcpConfigResult, ClaudeMcpServerName } from "./claude-mcp-config.
 import { type MistralAgentMode, type ClaudePermissionMode, type CodexSandboxMode, type CodexAskForApproval, type ClaudeEffortLevel } from "./request-helpers.js";
 import { FlightRecorderLike } from "./flight-recorder.js";
 import { type PromptParts } from "./prompt-parts.js";
+import { type WorkspaceRegistry } from "./workspace-registry.js";
 export interface WarningEntry {
     code: string;
     message?: string;
@@ -59,6 +60,7 @@ export declare const WORKTREE_SCHEMA: z.ZodUnion<[z.ZodBoolean, z.ZodObject<{
     name?: string | undefined;
     ref?: string | undefined;
 }>]>;
+export declare const WORKSPACE_ALIAS_SCHEMA: z.ZodString;
 export declare const SESSION_PROVIDER_VALUES: readonly ["claude", "codex", "gemini", "grok", "mistral", "grok-api"];
 export declare const SESSION_PROVIDER_ENUM: z.ZodEnum<["claude", "codex", "gemini", "grok", "mistral", "grok-api"]>;
 export type SessionProvider = ProviderType;
@@ -74,6 +76,7 @@ export interface GatewayServerDeps {
     persistence?: PersistenceConfig;
     cacheAwareness?: CacheAwarenessConfig;
     providers?: ProvidersConfig;
+    workspaces?: WorkspaceRegistry;
 }
 export interface GatewayServerRuntime {
     sessionManager: ISessionManager;
@@ -87,6 +90,7 @@ export interface GatewayServerRuntime {
     persistence: PersistenceConfig;
     cacheAwareness: CacheAwarenessConfig;
     providers: ProvidersConfig;
+    workspaces: WorkspaceRegistry;
 }
 export declare function resolveGatewayServerRuntime(deps?: GatewayServerDeps, options?: {
     isolateState?: boolean;
@@ -95,11 +99,17 @@ export declare function shouldRegisterGrokApiTools(providers: ProvidersConfig):
 export interface ResolvedWorktree {
     cwd?: string;
     worktreePath?: string;
+    workspaceAlias?: string;
+    workspaceRoot?: string;
 }
 export declare function resolveWorktreeForRequest(worktreeOpt: boolean | {
     name?: string;
     ref?: string;
-} | undefined, sessionId: string | undefined, runtime: GatewayServerRuntime): Promise<ResolvedWorktree>;
+} | undefined, sessionId: string | undefined, runtime: GatewayServerRuntime, options?: {
+    repoRoot?: string;
+    workspaceAlias?: string;
+    workspaceRoot?: string;
+}): Promise<ResolvedWorktree>;
 export declare function formatWorktreePrefix(worktreePath?: string): string;
 export declare function extractUsageAndCost(cli: "claude" | "codex" | "gemini" | "grok" | "mistral", output: string, outputFormat?: string, ctx?: {
     sessionId?: string;
@@ -330,6 +340,7 @@ export interface GeminiRequestParams {
     attachments?: string[];
     skipTrust?: boolean;
     yolo?: boolean;
+    workspace?: string;
     worktree?: boolean | {
         name?: string;
         ref?: string;
@@ -343,6 +354,7 @@ export interface HandlerDeps {
         error: (...args: any[]) => void;
         debug: (...args: any[]) => void;
     };
+    workspaces?: WorkspaceRegistry;
     runtime?: GatewayServerRuntime;
 }
 export interface AsyncHandlerDeps extends HandlerDeps {
@@ -400,6 +412,7 @@ export interface GrokRequestParams {
     restoreCode?: boolean;
     leaderSocket?: string;
     nativeWorktree?: boolean | string;
+    workspace?: string;
     worktree?: boolean | {
         name?: string;
         ref?: string;
@@ -432,6 +445,7 @@ export interface MistralRequestParams {
     maxTokens?: number;
     workingDir?: string;
     addDir?: string[];
+    workspace?: string;
     worktree?: boolean | {
         name?: string;
         ref?: string;
@@ -469,6 +483,7 @@ export declare function handleCodexRequestAsync(deps: AsyncHandlerDeps, params:
     ignoreRules?: boolean;
     workingDir?: string;
     addDir?: string[];
+    workspace?: string;
     worktree?: boolean | {
         name?: string;
         ref?: string;