llm-cli-gateway 2.7.0 → 2.9.0

package/dist/provider-tool-capabilities.d.ts

@@ -46,6 +46,23 @@ export interface ProviderFeatureCapability {
     details?: string;
     values?: string[];
 }
+export type ProviderAcpStatus = "native_smoke_passed" | "native_candidate" | "adapter_mediated_deferred" | "absent_watchlist" | "not_applicable";
+export type ProviderAcpMediation = "native" | "adapter_mediated" | "none";
+export type ProviderAcpSmokeStatus = "passed" | "not_run" | "unsupported";
+export interface ProviderAcpCapability {
+    status: ProviderAcpStatus;
+    mediation: ProviderAcpMediation;
+    targetVersion: string;
+    entrypoint: {
+        command: string;
+        args: string[];
+    } | null;
+    runtimeEnabled: boolean;
+    smokeSupported: boolean;
+    smokeStatus: ProviderAcpSmokeStatus;
+    caveats: string[];
+    docs: string;
+}
 export type ProviderFeatureMap = Record<string, ProviderFeatureCapability>;
 export interface ProviderCapabilityControls {
     allowlist: ProviderToolControl;
@@ -54,6 +71,25 @@ export interface ProviderCapabilityControls {
     nativeSkills: ProviderToolControl;
     [name: string]: ProviderToolControl;
 }
+export type AcpFrozenClassification = "native_candidate" | "adapter_mediated_deferred" | "absent_watchlist";
+export interface AcpProviderContract {
+    classification: AcpFrozenClassification;
+    summary: string;
+}
+export interface AcpContractMetadata {
+    protocol: "Agent Client Protocol";
+    outOfScope: "Agent Communication Protocol";
+    mcpFrontendRemains: true;
+    acpIsInternalProviderTransport: true;
+    defaultTransport: "cli";
+    hostServicesDenyByDefault: true;
+    noRawAcpJsonRpcTool: true;
+    adapterSupportIsNotNative: true;
+    contractDoc: "docs/acp-contract.md";
+    nonGoals: readonly string[];
+    providers: Readonly<Record<ProviderCapabilityId, AcpProviderContract>>;
+}
+export declare const ACP_CONTRACT: AcpContractMetadata;
 export interface ProviderToolCapabilities {
     schemaVersion: "provider-tool-capabilities.v2";
     generatedAt: string;
@@ -62,6 +98,8 @@ export interface ProviderToolCapabilities {
     gatewayRequestTools: string[];
     modelInfo: CliInfo | GrokApiModelInfo;
     summary: string;
+    acpContract: AcpProviderContract;
+    acp: ProviderAcpCapability;
     controls: ProviderCapabilityControls;
     features: ProviderFeatureMap;
     discoveredSkills: ProviderSkillCapability[];

package/dist/provider-tool-capabilities.js

@@ -11,6 +11,146 @@ const MAX_SKILL_BYTES = 64 * 1024;
 const MAX_CONFIG_BYTES = 128 * 1024;
 const MAX_PROVIDER_TOOLS_PER_SKILL = 50;
 const CAPABILITY_CACHE_TTL_MS = 60 * 1000;
+export const ACP_CONTRACT = {
+    protocol: "Agent Client Protocol",
+    outOfScope: "Agent Communication Protocol",
+    mcpFrontendRemains: true,
+    acpIsInternalProviderTransport: true,
+    defaultTransport: "cli",
+    hostServicesDenyByDefault: true,
+    noRawAcpJsonRpcTool: true,
+    adapterSupportIsNotNative: true,
+    contractDoc: "docs/acp-contract.md",
+    nonGoals: [
+        "Replace the MCP server.",
+        "Ship an outbound ACP server or frontend in this slice.",
+        "Wrap every provider immediately.",
+        "Run adapter-mediated providers by default.",
+        "Grant write or terminal HostServices by default.",
+        "Expose raw ACP JSON-RPC to agents.",
+        "Implement any agent-to-agent Agent Communication Protocol layer.",
+    ],
+    providers: {
+        mistral: {
+            classification: "native_candidate",
+            summary: "Mistral Vibe exposes native ACP via vibe-acp; first runtime pilot candidate.",
+        },
+        grok: {
+            classification: "native_candidate",
+            summary: "xAI Grok CLI exposes native ACP via grok agent stdio; second runtime pilot candidate.",
+        },
+        codex: {
+            classification: "adapter_mediated_deferred",
+            summary: "OpenAI Codex CLI has no native ACP entrypoint at the target version; adapter-mediated and deferred.",
+        },
+        claude: {
+            classification: "adapter_mediated_deferred",
+            summary: "Anthropic Claude Code has no native ACP entrypoint at the target version; adapter-mediated and deferred.",
+        },
+        gemini: {
+            classification: "absent_watchlist",
+            summary: "Google Antigravity agy 1.0.7 has no ACP surface; watchlist item only.",
+        },
+        grok_api: {
+            classification: "absent_watchlist",
+            summary: "Grok API is an HTTP provider with no ACP process transport; watchlist item only.",
+        },
+    },
+};
+const ACP_DOCS_REFERENCE = "docs/plans/first-class-acp-gateway-extension.dag.toml";
+const ACP_CAPABILITIES = {
+    mistral: {
+        status: "native_smoke_passed",
+        mediation: "native",
+        targetVersion: "vibe 2.14.1",
+        entrypoint: { command: "vibe-acp", args: [] },
+        runtimeEnabled: false,
+        smokeSupported: true,
+        smokeStatus: "passed",
+        caveats: [
+            "Native ACP via the provider-scoped vibe-acp executable; first runtime pilot.",
+            "Runtime routing stays disabled until ACP is enabled in gateway config.",
+        ],
+        docs: ACP_DOCS_REFERENCE,
+    },
+    grok: {
+        status: "native_smoke_passed",
+        mediation: "native",
+        targetVersion: "grok 0.2.50 (cadf94855)",
+        entrypoint: { command: "grok", args: ["agent", "stdio"] },
+        runtimeEnabled: false,
+        smokeSupported: true,
+        smokeStatus: "passed",
+        caveats: [
+            "Native ACP via grok agent stdio; second runtime pilot.",
+            "Credential lookup is owned by the installed CLI; empty-env smoke is not expected to pass.",
+            "Runtime routing stays disabled until ACP is enabled in gateway config.",
+        ],
+        docs: ACP_DOCS_REFERENCE,
+    },
+    codex: {
+        status: "adapter_mediated_deferred",
+        mediation: "adapter_mediated",
+        targetVersion: "codex-cli 0.139.0",
+        entrypoint: null,
+        runtimeEnabled: false,
+        smokeSupported: false,
+        smokeStatus: "unsupported",
+        caveats: [
+            "No native ACP entrypoint at the target version; ACP would be adapter-mediated.",
+            "Adapter support requires a separate threat model and is never labelled native gateway ACP support.",
+        ],
+        docs: ACP_DOCS_REFERENCE,
+    },
+    claude: {
+        status: "adapter_mediated_deferred",
+        mediation: "adapter_mediated",
+        targetVersion: "claude 2.1.175",
+        entrypoint: null,
+        runtimeEnabled: false,
+        smokeSupported: false,
+        smokeStatus: "unsupported",
+        caveats: [
+            "No native Claude Code CLI ACP entrypoint at the target version; ACP would be adapter-mediated.",
+            "Adapter ownership, permission bridging, and install story must be specified before runtime support.",
+        ],
+        docs: ACP_DOCS_REFERENCE,
+    },
+    gemini: {
+        status: "absent_watchlist",
+        mediation: "none",
+        targetVersion: "agy 1.0.7",
+        entrypoint: null,
+        runtimeEnabled: false,
+        smokeSupported: false,
+        smokeStatus: "unsupported",
+        caveats: [
+            "Antigravity agy 1.0.7 has no ACP flag or subcommand.",
+            "Legacy Gemini CLI ACP evidence does not transfer to agy; kept on the upstream drift watchlist.",
+        ],
+        docs: ACP_DOCS_REFERENCE,
+    },
+    grok_api: {
+        status: "not_applicable",
+        mediation: "none",
+        targetVersion: "xAI Responses API",
+        entrypoint: null,
+        runtimeEnabled: false,
+        smokeSupported: false,
+        smokeStatus: "unsupported",
+        caveats: ["ACP is a CLI-stdio transport; the HTTP API provider has no ACP surface."],
+        docs: ACP_DOCS_REFERENCE,
+    },
+};
+function cloneAcpCapability(acp) {
+    return {
+        ...acp,
+        entrypoint: acp.entrypoint
+            ? { command: acp.entrypoint.command, args: [...acp.entrypoint.args] }
+            : null,
+        caveats: [...acp.caveats],
+    };
+}
 const PROVIDER_CAPABILITY_IDS = [...CLI_TYPES, "grok_api"];
 const KNOWN_PROVIDER_TOOLS = {
     grok: [
@@ -640,6 +780,8 @@ function buildOneProviderToolCapabilities(cli, query) {
         gatewayRequestTool: gatewayRequestTools[0] ?? definition.gatewayRequestTools[0],
         modelInfo: getModelInfo(cli, query.refresh),
         summary: definition.summary,
+        acpContract: { ...ACP_CONTRACT.providers[cli] },
+        acp: cloneAcpCapability(ACP_CAPABILITIES[cli]),
         controls: cloneControls(definition.controls),
         features,
         discoveredSkills,

package/dist/request-context.d.ts

@@ -1,7 +1,11 @@
 export interface GatewayRequestContext {
+    transport?: "stdio" | "http";
     authKind?: "disabled" | "gateway_bearer" | "oauth";
     authScopes: string[];
     authClientId?: string;
+    authPrincipal?: string;
 }
+export declare function resolveOwnerPrincipal(ctx: GatewayRequestContext | undefined): string;
+export declare function principalCanAccess(rowOwner: string | null | undefined, caller: string): boolean;
 export declare function runWithRequestContext<T>(context: GatewayRequestContext, callback: () => T | Promise<T>): T | Promise<T>;
 export declare function getRequestContext(): GatewayRequestContext | undefined;

package/dist/request-context.js

@@ -1,5 +1,21 @@
 import { AsyncLocalStorage } from "node:async_hooks";
 const requestContext = new AsyncLocalStorage();
+export function resolveOwnerPrincipal(ctx) {
+    if (!ctx)
+        return "local";
+    if (ctx.authPrincipal)
+        return ctx.authPrincipal;
+    if (ctx.authKind === "gateway_bearer")
+        return "gateway-bearer";
+    return "local";
+}
+export function principalCanAccess(rowOwner, caller) {
+    if (rowOwner === caller)
+        return true;
+    if ((rowOwner === null || rowOwner === undefined) && caller === "local")
+        return true;
+    return false;
+}
 export function runWithRequestContext(context, callback) {
     return requestContext.run(context, callback);
 }

package/dist/request-helpers.d.ts

@@ -98,8 +98,8 @@ export declare const CLAUDE_HIGH_IMPACT_PARAMS_SCHEMA: z.ZodEffects<z.ZodObject<
     effort: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "xhigh", "max"]>>;
     excludeDynamicSystemPromptSections: z.ZodOptional<z.ZodBoolean>;
 }, "strip", z.ZodTypeAny, {
-    agents?: Record<string, Record<string, unknown>> | undefined;
     agent?: string | undefined;
+    agents?: Record<string, Record<string, unknown>> | undefined;
     forkSession?: boolean | undefined;
     systemPrompt?: string | undefined;
     appendSystemPrompt?: string | undefined;
@@ -108,8 +108,8 @@ export declare const CLAUDE_HIGH_IMPACT_PARAMS_SCHEMA: z.ZodEffects<z.ZodObject<
     effort?: "medium" | "low" | "high" | "xhigh" | "max" | undefined;
     excludeDynamicSystemPromptSections?: boolean | undefined;
 }, {
-    agents?: Record<string, Record<string, unknown>> | undefined;
     agent?: string | undefined;
+    agents?: Record<string, Record<string, unknown>> | undefined;
     forkSession?: boolean | undefined;
     systemPrompt?: string | undefined;
     appendSystemPrompt?: string | undefined;
@@ -118,8 +118,8 @@ export declare const CLAUDE_HIGH_IMPACT_PARAMS_SCHEMA: z.ZodEffects<z.ZodObject<
     effort?: "medium" | "low" | "high" | "xhigh" | "max" | undefined;
     excludeDynamicSystemPromptSections?: boolean | undefined;
 }>, {
-    agents?: Record<string, Record<string, unknown>> | undefined;
     agent?: string | undefined;
+    agents?: Record<string, Record<string, unknown>> | undefined;
     forkSession?: boolean | undefined;
     systemPrompt?: string | undefined;
     appendSystemPrompt?: string | undefined;
@@ -128,8 +128,8 @@ export declare const CLAUDE_HIGH_IMPACT_PARAMS_SCHEMA: z.ZodEffects<z.ZodObject<
     effort?: "medium" | "low" | "high" | "xhigh" | "max" | undefined;
     excludeDynamicSystemPromptSections?: boolean | undefined;
 }, {
-    agents?: Record<string, Record<string, unknown>> | undefined;
     agent?: string | undefined;
+    agents?: Record<string, Record<string, unknown>> | undefined;
     forkSession?: boolean | undefined;
     systemPrompt?: string | undefined;
     appendSystemPrompt?: string | undefined;

package/dist/request-limits.d.ts

@@ -0,0 +1,8 @@
+import type { IncomingMessage } from "node:http";
+export declare class PayloadTooLargeError extends Error {
+    readonly statusCode = 413;
+    constructor(maxBytes: number);
+}
+export declare function maxHttpBodyBytes(env?: NodeJS.ProcessEnv): number;
+export declare function maxOAuthBodyBytes(env?: NodeJS.ProcessEnv): number;
+export declare function readCappedRawBody(req: IncomingMessage, maxBytes: number): Promise<string>;

package/dist/request-limits.js

@@ -0,0 +1,49 @@
+export class PayloadTooLargeError extends Error {
+    statusCode = 413;
+    constructor(maxBytes) {
+        super(`Request body exceeds maximum size (${maxBytes} bytes)`);
+        this.name = "PayloadTooLargeError";
+    }
+}
+const DEFAULT_MAX_HTTP_BODY_BYTES = 8 * 1024 * 1024;
+const DEFAULT_MAX_OAUTH_BODY_BYTES = 64 * 1024;
+function positiveIntFromEnv(value, fallback) {
+    const parsed = Number(value);
+    return Number.isFinite(parsed) && parsed > 0 ? Math.floor(parsed) : fallback;
+}
+export function maxHttpBodyBytes(env = process.env) {
+    return positiveIntFromEnv(env.LLM_GATEWAY_MAX_HTTP_BODY_BYTES, DEFAULT_MAX_HTTP_BODY_BYTES);
+}
+export function maxOAuthBodyBytes(env = process.env) {
+    return positiveIntFromEnv(env.LLM_GATEWAY_MAX_OAUTH_BODY_BYTES, DEFAULT_MAX_OAUTH_BODY_BYTES);
+}
+export function readCappedRawBody(req, maxBytes) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let total = 0;
+        let aborted = false;
+        req.on("data", (chunk) => {
+            if (aborted)
+                return;
+            const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+            total += buf.length;
+            if (total > maxBytes) {
+                aborted = true;
+                chunks.length = 0;
+                reject(new PayloadTooLargeError(maxBytes));
+                req.resume();
+                return;
+            }
+            chunks.push(buf);
+        });
+        req.on("error", err => {
+            if (!aborted)
+                reject(err);
+        });
+        req.on("end", () => {
+            if (aborted)
+                return;
+            resolve(chunks.length === 0 ? "" : Buffer.concat(chunks).toString("utf8"));
+        });
+    });
+}

package/dist/secret-redaction.d.ts

@@ -0,0 +1,3 @@
+export declare function isRedactionEnabled(env?: NodeJS.ProcessEnv): boolean;
+export declare function redactSecrets(text: string): string;
+export declare function redactIfEnabled(value: string | null | undefined, enabled: boolean): typeof value;

package/dist/secret-redaction.js

@@ -0,0 +1,53 @@
+const REDACTED = "[REDACTED]";
+const RULES = [
+    {
+        label: "private-key",
+        pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY-----/g,
+    },
+    { label: "anthropic-key", pattern: /\bsk-ant-[A-Za-z0-9_-]{16,}/g },
+    { label: "openai-key", pattern: /\bsk-(?:proj-)?[A-Za-z0-9_-]{16,}/g },
+    { label: "xai-key", pattern: /\bxai-[A-Za-z0-9]{16,}/g },
+    { label: "google-key", pattern: /\bAIza[0-9A-Za-z_-]{35}\b/g },
+    { label: "aws-access-key-id", pattern: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
+    { label: "github-token", pattern: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
+    { label: "slack-token", pattern: /\bxox[baprs]-[A-Za-z0-9-]{10,}/g },
+    {
+        label: "jwt",
+        pattern: /\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
+    },
+    {
+        label: "bearer",
+        pattern: /\bBearer\s+[A-Za-z0-9._~+/=-]{12,}/g,
+        replace: () => `Bearer ${REDACTED}`,
+    },
+    {
+        label: "url-credential",
+        pattern: /([a-z][a-z0-9+.-]*:\/\/[^\s/:@]+):[^\s/@]+@/gi,
+        replace: (_m, prefix) => `${prefix}:${REDACTED}@`,
+    },
+    {
+        label: "secret-assignment",
+        pattern: /\b(password|passwd|pwd|secret[_-]?key|client[_-]?secret|api[_-]?key|access[_-]?key|auth[_-]?token)\b(\s*[:=]\s*)(?:"[^"\n]{6,}"|'[^'\n]{6,}'|[^\s"'\n,;]{6,})/gi,
+        replace: (_m, key, sep) => `${key}${sep}${REDACTED}`,
+    },
+];
+export function isRedactionEnabled(env = process.env) {
+    const raw = (env.LLM_GATEWAY_REDACT_LOGGED_SECRETS ?? "").trim().toLowerCase();
+    return raw !== "0" && raw !== "false" && raw !== "off" && raw !== "no";
+}
+export function redactSecrets(text) {
+    if (!text)
+        return text;
+    let out = text;
+    for (const rule of RULES) {
+        out = rule.replace
+            ? out.replace(rule.pattern, rule.replace)
+            : out.replace(rule.pattern, REDACTED);
+    }
+    return out;
+}
+export function redactIfEnabled(value, enabled) {
+    if (!enabled || !value)
+        return value;
+    return redactSecrets(value);
+}

package/dist/session-manager-pg.js

@@ -1,4 +1,5 @@
 import { randomUUID } from "crypto";
+import { getRequestContext, resolveOwnerPrincipal } from "./request-context.js";
 const DEFAULT_SESSION_DESCRIPTIONS = {
     claude: "Claude Session",
     codex: "Codex Session",
@@ -16,11 +17,12 @@ export class PostgreSQLSessionManager {
         const id = sessionId || randomUUID();
         const sessionDescription = description ?? DEFAULT_SESSION_DESCRIPTIONS[cli];
         const now = new Date().toISOString();
+        const ownerPrincipal = resolveOwnerPrincipal(getRequestContext());
         const client = await this.pool.connect();
         try {
             await client.query("BEGIN");
-            await client.query(`INSERT INTO sessions (id, cli, description, created_at, last_used_at)
-         VALUES ($1, $2, $3, $4, $5)`, [id, cli, sessionDescription, now, now]);
+            await client.query(`INSERT INTO sessions (id, cli, description, created_at, last_used_at, owner_principal)
+         VALUES ($1, $2, $3, $4, $5, $6)`, [id, cli, sessionDescription, now, now, ownerPrincipal]);
             await client.query(`INSERT INTO active_sessions (cli, session_id, updated_at)
          VALUES ($1, $2, $3)
          ON CONFLICT (cli) DO NOTHING`, [cli, id, now]);
@@ -31,6 +33,7 @@ export class PostgreSQLSessionManager {
                 createdAt: now,
                 lastUsedAt: now,
                 description: sessionDescription,
+                ownerPrincipal,
             };
         }
         catch (error) {
@@ -42,18 +45,18 @@ export class PostgreSQLSessionManager {
         }
     }
     async getSession(sessionId) {
-        const result = await this.pool.query(`SELECT id, cli, description, metadata, created_at AS "createdAt", last_used_at AS "lastUsedAt"
+        const result = await this.pool.query(`SELECT id, cli, description, metadata, created_at AS "createdAt", last_used_at AS "lastUsedAt", owner_principal AS "ownerPrincipal"
        FROM sessions
        WHERE id = $1`, [sessionId]);
         return result.rows[0] ?? null;
     }
     async listSessions(cli) {
         const query = cli
-            ? `SELECT id, cli, description, metadata, created_at AS "createdAt", last_used_at AS "lastUsedAt"
+            ? `SELECT id, cli, description, metadata, created_at AS "createdAt", last_used_at AS "lastUsedAt", owner_principal AS "ownerPrincipal"
          FROM sessions
          WHERE cli = $1
          ORDER BY last_used_at DESC`
-            : `SELECT id, cli, description, metadata, created_at AS "createdAt", last_used_at AS "lastUsedAt"
+            : `SELECT id, cli, description, metadata, created_at AS "createdAt", last_used_at AS "lastUsedAt", owner_principal AS "ownerPrincipal"
          FROM sessions
          ORDER BY last_used_at DESC`;
         const result = cli

package/dist/session-manager.d.ts

@@ -14,6 +14,7 @@ export interface Session {
     lastUsedAt: string;
     description?: string;
     metadata?: Record<string, any>;
+    ownerPrincipal?: string | null;
 }
 export interface SessionStorage {
     sessions: Record<string, Session>;

package/dist/session-manager.js

@@ -4,6 +4,7 @@ import { join, dirname } from "path";
 import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync, openSync, fsyncSync, closeSync, chmodSync, } from "fs";
 import { DEFAULT_SESSION_TTL_SECONDS } from "./config.js";
 import { noopLogger } from "./logger.js";
+import { getRequestContext, resolveOwnerPrincipal } from "./request-context.js";
 export const CLI_TYPES = ["claude", "codex", "gemini", "grok", "mistral"];
 export const API_PROVIDER_TYPES = ["grok-api"];
 export const PROVIDER_TYPES = [...CLI_TYPES, ...API_PROVIDER_TYPES];
@@ -113,6 +114,7 @@ export class FileSessionManager {
             createdAt: new Date().toISOString(),
             lastUsedAt: new Date().toISOString(),
             description: sessionDescription,
+            ownerPrincipal: resolveOwnerPrincipal(getRequestContext()),
         };
         this.storage.sessions[id] = session;
         if (!this.storage.activeSession[cli]) {

package/dist/upstream-contracts.d.ts

@@ -107,6 +107,20 @@ export interface ProviderSubcommandCompactCatalog {
     ];
     rows: readonly (readonly string[])[];
 }
+export type AcpEntrypointStatus = "native" | "adapter_mediated_deferred" | "absent_watchlist";
+export interface AcpEntrypointContract {
+    cli: CliType;
+    displayName: string;
+    status: AcpEntrypointStatus;
+    executable: string;
+    entrypointArgs: readonly string[];
+    targetVersion: string;
+    probeArgs: readonly (readonly string[])[];
+    adapterCandidates?: readonly string[];
+    evidence: string;
+    docsRef: string;
+}
+export declare const ACP_ENTRYPOINT_CONTRACTS: Record<CliType, AcpEntrypointContract>;
 export declare const UPSTREAM_CLI_CONTRACTS: Record<CliType, CliContract>;
 export declare function validateUpstreamCliArgs(cli: CliType, args: readonly string[]): ContractValidationResult;
 export declare function assertUpstreamCliArgs(cli: CliType, args: readonly string[]): void;
@@ -167,6 +181,19 @@ export interface InstalledCliContractProbe {
     warnings: string[];
 }
 export declare function probeInstalledCliContract(cli: CliType, timeoutMs?: number): InstalledCliContractProbe;
+export interface InstalledAcpEntrypointProbe {
+    cli: CliType;
+    status: AcpEntrypointStatus;
+    executable: string;
+    entrypointArgs: readonly string[];
+    targetVersion: string;
+    checkedProbeCommands: readonly (readonly string[])[];
+    available: boolean | null;
+    entrypointDrift: boolean;
+    warnings: string[];
+    probedAt: string;
+}
+export declare function probeInstalledAcpEntrypoint(cli: CliType, timeoutMs?: number): InstalledAcpEntrypointProbe;
 export declare function buildUpstreamContractReport(options?: {
     cli?: CliType;
     probeInstalled?: boolean;