llm-cli-gateway 2.7.0 → 2.9.0

package/dist/cli-updater.js

@@ -237,10 +237,13 @@ export async function runCliUpgrade(params) {
         exitCode: result.code,
     };
 }
+const UPGRADE_TARGET_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
 function normalizeTarget(target) {
     const normalized = target.trim();
-    if (!normalized || normalized.startsWith("-") || /[\u0000-\u001f\u007f\s]/.test(normalized)) {
-        throw new Error("Upgrade target must be a non-empty package tag or version without whitespace and cannot start with '-'");
+    if (!UPGRADE_TARGET_PATTERN.test(normalized)) {
+        throw new Error("Upgrade target must be a bare version or dist-tag (letters, digits, '.', '_', '-'; " +
+            "1-64 chars; must start alphanumeric). Package specifiers, aliases, URLs, and paths " +
+            "(containing ':', '/', or '@') are not allowed.");
     }
     return normalized;
 }

package/dist/codex-json-parser.d.ts

@@ -10,5 +10,8 @@ export interface CodexJsonParseResult {
     error?: string;
     threadId?: string;
     finalMessage?: string;
+    sawEvent?: boolean;
 }
 export declare function parseCodexJsonStream(stdout: string): CodexJsonParseResult;
+export declare function codexDisplayText(stdout: string): string;
+export declare function codexFrResponse(outputFormat: string | undefined, stdout: string): string;

package/dist/codex-json-parser.js

@@ -13,6 +13,7 @@ export function parseCodexJsonStream(stdout) {
         if (!parsed || typeof parsed !== "object") {
             continue;
         }
+        result.sawEvent = true;
         switch (parsed.type) {
             case "thread.started":
                 if (typeof parsed.thread_id === "string") {
@@ -85,3 +86,19 @@ export function parseCodexJsonStream(stdout) {
     }
     return result;
 }
+export function codexDisplayText(stdout) {
+    const parsed = parseCodexJsonStream(stdout);
+    if (parsed.finalMessage !== undefined) {
+        return parsed.finalMessage;
+    }
+    if (parsed.error !== undefined) {
+        return parsed.error;
+    }
+    if (parsed.sawEvent) {
+        return "";
+    }
+    return stdout;
+}
+export function codexFrResponse(outputFormat, stdout) {
+    return outputFormat === "json" ? stdout : codexDisplayText(stdout);
+}

package/dist/config.d.ts

@@ -76,4 +76,34 @@ export interface ProvidersConfig {
 }
 export declare function loadProvidersConfig(logger?: Logger): ProvidersConfig;
 export declare function isXaiProviderEnabled(config: ProvidersConfig, env?: NodeJS.ProcessEnv): boolean;
+export declare const ACP_TRANSPORTS: readonly ["cli", "acp"];
+export type AcpTransport = (typeof ACP_TRANSPORTS)[number];
+export declare const DEFAULT_ACP_PROCESS_IDLE_TIMEOUT_MS = 600000;
+export declare const DEFAULT_ACP_INITIALIZE_TIMEOUT_MS = 10000;
+export declare const DEFAULT_ACP_SESSION_NEW_TIMEOUT_MS = 10000;
+export declare const DEFAULT_ACP_PROMPT_TIMEOUT_MS = 600000;
+export interface AcpProviderConfig {
+    enabled: boolean;
+    command: string;
+    args: string[];
+    runtimeEnabled: boolean;
+    isolatedLeaderSocket: boolean;
+}
+export interface AcpConfig {
+    enabled: boolean;
+    defaultTransport: AcpTransport;
+    smokeOnStartup: boolean;
+    processIdleTimeoutMs: number;
+    initializeTimeoutMs: number;
+    sessionNewTimeoutMs: number;
+    promptTimeoutMs: number;
+    allowWriteHostServices: boolean;
+    allowTerminalHostServices: boolean;
+    fallbackToCliWhenUnhealthy: boolean;
+    providers: Record<string, AcpProviderConfig>;
+    sources: {
+        configFile: string | null;
+    };
+}
+export declare function loadAcpConfig(logger?: Logger): AcpConfig;
 export declare function loadRemoteOAuthConfig(logger?: Logger, env?: NodeJS.ProcessEnv): RemoteOAuthConfig;

package/dist/config.js

@@ -348,6 +348,125 @@ export function isXaiProviderEnabled(config, env = process.env) {
         return false;
     return typeof env[keyEnv] === "string" && env[keyEnv].trim().length > 0;
 }
+export const ACP_TRANSPORTS = ["cli", "acp"];
+export const DEFAULT_ACP_PROCESS_IDLE_TIMEOUT_MS = 600000;
+export const DEFAULT_ACP_INITIALIZE_TIMEOUT_MS = 10000;
+export const DEFAULT_ACP_SESSION_NEW_TIMEOUT_MS = 10000;
+export const DEFAULT_ACP_PROMPT_TIMEOUT_MS = 600000;
+const SHELL_METACHARACTERS = /[\s|&;<>(){}$`"'\\*?[\]~#!\0]/;
+function isSafeExecutable(value) {
+    if (value.length === 0)
+        return false;
+    return !SHELL_METACHARACTERS.test(value);
+}
+const SafeExecutableSchema = z
+    .string()
+    .min(1)
+    .refine(isSafeExecutable, {
+    message: "ACP provider command must be a bare executable name or path with no shell metacharacters " +
+        "(no spaces, quotes, pipes, redirects, globs, or command substitution); pass arguments via 'args'",
+});
+const SafeArgSchema = z.string();
+const AcpProviderSchema = z
+    .object({
+    enabled: z.boolean().default(false),
+    command: SafeExecutableSchema,
+    args: z.array(SafeArgSchema).default([]),
+    runtime_enabled: z.boolean().default(false),
+    isolated_leader_socket: z.boolean().default(false),
+})
+    .strict();
+const AcpConfigSchema = z
+    .object({
+    enabled: z.boolean().default(false),
+    default_transport: z.enum(ACP_TRANSPORTS).default("cli"),
+    smoke_on_startup: z.boolean().default(false),
+    process_idle_timeout_ms: z
+        .number()
+        .int()
+        .positive()
+        .default(DEFAULT_ACP_PROCESS_IDLE_TIMEOUT_MS),
+    initialize_timeout_ms: z.number().int().positive().default(DEFAULT_ACP_INITIALIZE_TIMEOUT_MS),
+    session_new_timeout_ms: z.number().int().positive().default(DEFAULT_ACP_SESSION_NEW_TIMEOUT_MS),
+    prompt_timeout_ms: z.number().int().positive().default(DEFAULT_ACP_PROMPT_TIMEOUT_MS),
+    allow_write_host_services: z.boolean().default(false),
+    allow_terminal_host_services: z.boolean().default(false),
+    fallback_to_cli_when_unhealthy: z.boolean().default(true),
+    providers: z.record(z.string(), AcpProviderSchema).default({}),
+})
+    .strict();
+function defaultAcpConfig(sourcePath) {
+    return {
+        enabled: false,
+        defaultTransport: "cli",
+        smokeOnStartup: false,
+        processIdleTimeoutMs: DEFAULT_ACP_PROCESS_IDLE_TIMEOUT_MS,
+        initializeTimeoutMs: DEFAULT_ACP_INITIALIZE_TIMEOUT_MS,
+        sessionNewTimeoutMs: DEFAULT_ACP_SESSION_NEW_TIMEOUT_MS,
+        promptTimeoutMs: DEFAULT_ACP_PROMPT_TIMEOUT_MS,
+        allowWriteHostServices: false,
+        allowTerminalHostServices: false,
+        fallbackToCliWhenUnhealthy: true,
+        providers: {},
+        sources: { configFile: sourcePath },
+    };
+}
+function readAcpFile(configPath, logger) {
+    if (!existsSync(configPath)) {
+        return { raw: undefined, sourcePath: null };
+    }
+    try {
+        const require = createRequire(import.meta.url);
+        const TOML = require("smol-toml");
+        const text = readFileSync(configPath, "utf-8");
+        const parsed = TOML.parse(text);
+        return { raw: parsed?.acp, sourcePath: configPath };
+    }
+    catch (err) {
+        logger.error(`Failed to parse gateway config at ${configPath}; using acp defaults`, err);
+        return { raw: undefined, sourcePath: null };
+    }
+}
+export function loadAcpConfig(logger = noopLogger) {
+    const configPath = defaultGatewayConfigPath();
+    const { raw, sourcePath } = readAcpFile(configPath, logger);
+    if (raw === undefined) {
+        return defaultAcpConfig(sourcePath);
+    }
+    let parsed;
+    try {
+        parsed = AcpConfigSchema.parse(raw);
+    }
+    catch (err) {
+        throw new Error(`Invalid [acp] config: ${err instanceof Error ? err.message : String(err)}`, {
+            cause: err,
+        });
+    }
+    const providers = {};
+    for (const [name, p] of Object.entries(parsed.providers)) {
+        providers[name] = {
+            enabled: p.enabled,
+            command: p.command,
+            args: p.args,
+            runtimeEnabled: p.runtime_enabled,
+            isolatedLeaderSocket: p.isolated_leader_socket,
+        };
+    }
+    return {
+        enabled: parsed.enabled,
+        defaultTransport: parsed.default_transport,
+        smokeOnStartup: parsed.smoke_on_startup,
+        processIdleTimeoutMs: parsed.process_idle_timeout_ms,
+        initializeTimeoutMs: parsed.initialize_timeout_ms,
+        sessionNewTimeoutMs: parsed.session_new_timeout_ms,
+        promptTimeoutMs: parsed.prompt_timeout_ms,
+        allowWriteHostServices: parsed.allow_write_host_services,
+        allowTerminalHostServices: parsed.allow_terminal_host_services,
+        fallbackToCliWhenUnhealthy: parsed.fallback_to_cli_when_unhealthy,
+        providers,
+        sources: { configFile: sourcePath },
+    };
+}
 const OAuthRegistrationPolicySchema = z.enum(["static_clients", "shared_secret", "open_dev"]);
 const OAuthClientSchema = z
     .object({
@@ -373,6 +492,8 @@ const OAuthConfigSchema = z
     registration_policy: OAuthRegistrationPolicySchema.default("static_clients"),
     allow_public_clients: z.boolean().default(false),
     token_ttl_seconds: z.number().int().positive().default(3600),
+    require_consent: z.boolean().default(false),
+    consent_secret_hash: z.string().optional(),
     clients: z.array(OAuthClientSchema).default([]),
     shared_secret: OAuthSharedSecretSchema.optional(),
 })
@@ -386,6 +507,8 @@ function disabledOAuthConfig(sourcePath = null, envOverrides = []) {
         registrationPolicy: "static_clients",
         allowPublicClients: false,
         tokenTtlSeconds: 3600,
+        requireConsent: false,
+        consentSecretHash: null,
         clients: [],
         sharedSecret: null,
         sources: { configFile: sourcePath, envOverrides },
@@ -417,6 +540,15 @@ export function loadRemoteOAuthConfig(logger = noopLogger, env = process.env) {
             ? "LLM_GATEWAY_OAUTH_REGISTRATION_SECRET"
             : "LLM_GATEWAY_OAUTH_SHARED_SECRET");
     }
+    if (env.LLM_GATEWAY_OAUTH_REQUIRE_CONSENT !== undefined) {
+        merged.require_consent = env.LLM_GATEWAY_OAUTH_REQUIRE_CONSENT === "1";
+        envOverrides.push("LLM_GATEWAY_OAUTH_REQUIRE_CONSENT");
+    }
+    if (env.LLM_GATEWAY_OAUTH_CONSENT_SECRET) {
+        merged.consent_secret_hash = hashSecret(env.LLM_GATEWAY_OAUTH_CONSENT_SECRET);
+        merged.require_consent = merged.require_consent ?? true;
+        envOverrides.push("LLM_GATEWAY_OAUTH_CONSENT_SECRET");
+    }
     const parsed = OAuthConfigSchema.safeParse(merged);
     if (!parsed.success) {
         logWarn(logger, "Invalid [http.oauth] config; remote OAuth disabled", {
@@ -459,6 +591,12 @@ export function loadRemoteOAuthConfig(logger = noopLogger, env = process.env) {
     if (data.registration_policy === "open_dev" && env.LLM_GATEWAY_OAUTH_OPEN_DEV !== "1") {
         logWarn(logger, "[http.oauth].registration_policy='open_dev' is intended for localhost/dev only");
     }
+    if (data.require_consent) {
+        if (!data.consent_secret_hash || !isSecretHash(data.consent_secret_hash)) {
+            logWarn(logger, "[http.oauth].require_consent is set but consent_secret_hash is missing/invalid; remote OAuth disabled");
+            return disabledOAuthConfig(sourcePath, envOverrides);
+        }
+    }
     return {
         enabled: data.enabled,
         issuer: data.issuer,
@@ -467,6 +605,8 @@ export function loadRemoteOAuthConfig(logger = noopLogger, env = process.env) {
         registrationPolicy: data.registration_policy,
         allowPublicClients: data.allow_public_clients,
         tokenTtlSeconds: data.token_ttl_seconds,
+        requireConsent: data.require_consent,
+        consentSecretHash: data.consent_secret_hash ?? null,
         clients: data.clients.map(client => ({
             clientId: client.client_id,
             clientSecretHash: client.client_secret_hash ?? null,

package/dist/flight-recorder.d.ts

@@ -11,6 +11,7 @@ export interface FlightLogStart {
     stablePrefixTokens?: number;
     cacheControlBlocks?: number;
     cacheControlTtlSeconds?: number;
+    ownerPrincipal?: string | null;
 }
 export interface FlightLogResult {
     response: string;
@@ -39,11 +40,16 @@ export declare class FlightRecorder {
     private readOnlyDb;
     private closed;
     private readonly dbPath;
+    private readonly redactEnabled;
     private insertStartTxn;
     private updateCompleteTxn;
-    constructor(dbPath: string);
+    constructor(dbPath: string, options?: {
+        redactSecrets?: boolean;
+    });
     logStart(entry: FlightLogStart): void;
     logComplete(correlationId: string, result: FlightLogResult): void;
+    private redactStart;
+    private redactResult;
     queryRequests<T = Record<string, unknown>>(sql: string, ...params: unknown[]): T[];
     flush(): void;
     close(): void;

package/dist/flight-recorder.js

@@ -2,6 +2,8 @@ import { chmodSync } from "fs";
 import os from "os";
 import path from "path";
 import { openDatabase, openReadOnly } from "./sqlite-driver.js";
+import { redactSecrets, isRedactionEnabled } from "./secret-redaction.js";
+import { getRequestContext, resolveOwnerPrincipal } from "./request-context.js";
 const MAX_THINKING_BYTES = 1_000_000;
 function ensureRequestsCacheColumns(db) {
     const rows = db.prepare("PRAGMA table_info(requests)").all();
@@ -13,6 +15,13 @@ function ensureRequestsCacheColumns(db) {
         db.exec("ALTER TABLE requests ADD COLUMN cache_creation_tokens INTEGER");
     }
 }
+function ensureRequestsOwnerColumn(db) {
+    const rows = db.prepare("PRAGMA table_info(requests)").all();
+    const names = new Set(rows.map((row) => (row && typeof row.name === "string" ? row.name : "")));
+    if (!names.has("owner_principal")) {
+        db.exec("ALTER TABLE requests ADD COLUMN owner_principal TEXT");
+    }
+}
 function ensureStablePrefixColumns(db) {
     const rows = db.prepare("PRAGMA table_info(requests)").all();
     const names = new Set(rows.map((row) => (row && typeof row.name === "string" ? row.name : "")));
@@ -87,10 +96,12 @@ export class FlightRecorder {
     readOnlyDb = null;
     closed = false;
     dbPath;
+    redactEnabled;
     insertStartTxn;
     updateCompleteTxn;
-    constructor(dbPath) {
+    constructor(dbPath, options = {}) {
         this.dbPath = dbPath;
+        this.redactEnabled = options.redactSecrets ?? isRedactionEnabled();
         this.db = openDatabase(dbPath);
         this.db.exec("PRAGMA journal_mode = WAL");
         this.db.exec("PRAGMA foreign_keys = ON");
@@ -113,7 +124,8 @@ export class FlightRecorder {
         input_tokens INTEGER,
         output_tokens INTEGER,
         cache_read_tokens INTEGER,
-        cache_creation_tokens INTEGER
+        cache_creation_tokens INTEGER,
+        owner_principal TEXT
       );
 
       CREATE TABLE IF NOT EXISTS gateway_metadata (
@@ -155,6 +167,10 @@ export class FlightRecorder {
         this.db
             .prepare("INSERT OR IGNORE INTO _migrations(version, applied_at) VALUES(5, ?)")
             .run(new Date().toISOString());
+        ensureRequestsOwnerColumn(this.db);
+        this.db
+            .prepare("INSERT OR IGNORE INTO _migrations(version, applied_at) VALUES(6, ?)")
+            .run(new Date().toISOString());
         if (process.platform !== "win32") {
             try {
                 chmodSync(dbPath, 0o600);
@@ -165,10 +181,10 @@ export class FlightRecorder {
         const insertRequest = this.db.prepare(`
       INSERT INTO requests (id, cli, model, prompt, system, session_id, datetime_utc,
                             stable_prefix_hash, stable_prefix_tokens,
-                            cache_control_blocks, cache_control_ttl_seconds)
+                            cache_control_blocks, cache_control_ttl_seconds, owner_principal)
       VALUES (@id, @cli, @model, @prompt, @system, @session_id, @datetime_utc,
               @stable_prefix_hash, @stable_prefix_tokens,
-              @cache_control_blocks, @cache_control_ttl_seconds)
+              @cache_control_blocks, @cache_control_ttl_seconds, @owner_principal)
     `);
         const insertMetadata = this.db.prepare(`
       INSERT INTO gateway_metadata (request_id, async_job_id, status)
@@ -187,6 +203,7 @@ export class FlightRecorder {
                 stable_prefix_tokens: entry.stablePrefixTokens ?? null,
                 cache_control_blocks: entry.cacheControlBlocks ?? null,
                 cache_control_ttl_seconds: entry.cacheControlTtlSeconds ?? null,
+                owner_principal: entry.ownerPrincipal ?? resolveOwnerPrincipal(getRequestContext()),
             });
             insertMetadata.run({
                 request_id: entry.correlationId,
@@ -244,10 +261,20 @@ export class FlightRecorder {
         });
     }
     logStart(entry) {
-        this.insertStartTxn(entry);
+        this.insertStartTxn(this.redactEnabled ? this.redactStart(entry) : entry);
     }
     logComplete(correlationId, result) {
-        this.updateCompleteTxn(correlationId, result);
+        this.updateCompleteTxn(correlationId, this.redactEnabled ? this.redactResult(result) : result);
+    }
+    redactStart(entry) {
+        return {
+            ...entry,
+            prompt: redactSecrets(entry.prompt),
+            system: entry.system ? redactSecrets(entry.system) : entry.system,
+        };
+    }
+    redactResult(result) {
+        return { ...result, response: redactSecrets(result.response) };
     }
     queryRequests(sql, ...params) {
         if (this.closed) {

package/dist/http-transport.js

@@ -2,10 +2,11 @@ import { createServer } from "node:http";
 import { randomUUID } from "node:crypto";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
-import { authorizeBearerRequest, getRequiredBearerToken, writeAuthFailure } from "./auth.js";
+import { authorizeBearerRequest, getRequiredBearerToken, resolveTrustedPrincipal, writeAuthFailure, } from "./auth.js";
 import { loadRemoteOAuthConfig } from "./config.js";
 import { OAuthServer, oauthBaseUrlFromRequest } from "./oauth.js";
 import { runWithRequestContext } from "./request-context.js";
+import { readCappedRawBody, maxHttpBodyBytes } from "./request-limits.js";
 const noopLogger = {
     info: (..._args) => { },
     error: (..._args) => { },
@@ -14,22 +15,8 @@ const noopLogger = {
 function firstHeader(value) {
     return Array.isArray(value) ? value[0] : value;
 }
-function readRawBody(req) {
-    return new Promise((resolve, reject) => {
-        const chunks = [];
-        req.on("data", chunk => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
-        req.on("error", reject);
-        req.on("end", () => {
-            if (chunks.length === 0) {
-                resolve("");
-                return;
-            }
-            resolve(Buffer.concat(chunks).toString("utf8"));
-        });
-    });
-}
 async function readBody(req) {
-    const raw = await readRawBody(req);
+    const raw = await readCappedRawBody(req, maxHttpBodyBytes());
     if (!raw)
         return undefined;
     try {
@@ -94,6 +81,13 @@ export async function startHttpGateway(options) {
     const sessions = new Map();
     const token = getRequiredBearerToken();
     const oauthConfig = loadRemoteOAuthConfig(logger);
+    if (oauthConfig.enabled &&
+        (oauthConfig.allowPublicClients || oauthConfig.registrationPolicy === "open_dev") &&
+        !isLocalHost(host)) {
+        throw new Error(`Refusing to start: remote OAuth with ${oauthConfig.allowPublicClients ? "public clients" : "open_dev registration"} is exposed on a non-loopback bind (host=${host}). Bind LLM_GATEWAY_HTTP_HOST to 127.0.0.1 ` +
+            `and front the gateway with an authenticating proxy, or switch to ` +
+            `registration_policy=static_clients with confidential client secrets.`);
+    }
     const oauthServer = oauthConfig.enabled
         ? new OAuthServer({ protectedPath: path, config: oauthConfig, logger })
         : null;
@@ -155,17 +149,20 @@ export async function startHttpGateway(options) {
                 jsonError(res, 404, "Not found");
                 return;
             }
-            let requestContext = { authScopes: [] };
+            let requestContext = { authScopes: [], transport: "http" };
             if (!noAuthPath) {
                 const auth = authorizeBearerRequest(req, token);
                 if (!auth.ok) {
                     writeAuthFailure(res, auth, resourceMetadataUrl ? { resourceMetadataUrl } : {});
                     return;
                 }
+                const trustedPrincipal = resolveTrustedPrincipal(req, auth);
                 requestContext = {
+                    transport: "http",
                     authKind: auth.kind,
                     authScopes: auth.scopes ?? [],
                     authClientId: auth.clientId,
+                    authPrincipal: trustedPrincipal ?? auth.clientId,
                 };
             }
             if (req.method !== "GET" && req.method !== "POST" && req.method !== "DELETE") {
@@ -213,7 +210,13 @@ export async function startHttpGateway(options) {
         catch (error) {
             logger.error("HTTP transport request failed", error);
             if (!res.headersSent) {
-                jsonError(res, 500, "Internal server error");
+                const statusCode = error?.statusCode;
+                if (statusCode === 413) {
+                    jsonError(res, 413, "Payload too large");
+                }
+                else {
+                    jsonError(res, 500, "Internal server error");
+                }
             }
             else {
                 res.end();