llm-cli-gateway 2.9.0 → 2.11.0

package/CHANGELOG.md

@@ -4,6 +4,98 @@ All notable changes to the llm-cli-gateway project.
 
 ## Unreleased
 
+## [2.11.0] - 2026-06-18: API providers, Devin, ACP runtime, and a strip-at-publish internal-MCP boundary
+
+The accumulated work since 2.10.0: a generic HTTP API-provider surface, a sixth
+CLI provider (Devin), the Phase B ACP runtime (gated, dormant by default), and a
+release-time strip that keeps gateway-internal MCP server names out of the
+published npm artifact. Default local-stdio behaviour is unchanged; the new
+API/ACP surfaces are opt-in. Every change in this release was landed via PR with
+green CI and an adversarial multi-LLM review.
+
+### Added
+
+- **API providers (Slices 0–5).** An `ApiProvider` interface with OpenAI /
+  Anthropic / xAI adapters, a generic `api_<name>_request[_async]` tool surface,
+  an `HttpJobRunner` that treats HTTP calls as first-class async jobs, API-provider
+  discovery/catalog, and the ability to use API providers as validation
+  reviewers/judges. Open-string provider-identity widening (`kind:"api"`).
+- **Devin (Slices D0–D1).** Devin as a sixth gateway provider —
+  `devin_request[_async]` — with permission-mode aliases corrected against the
+  real CLI and a passing native-ACP smoke (third ACP runtime pilot).
+- **ACP runtime, Phase B (Slices B1–B7).** Read-only smoke harness,
+  deny-by-default HostServices boundary, permission bridge to ApprovalManager,
+  session map, session/update event normalizer, flight-recorder redaction, and
+  gated runtime pilots (Mistral + Grok + Devin) for first live ACP prompt routing.
+  Dormant by default.
+
+### Changed
+
+- **Strip internal MCP names from the published artifact.** Gateway-internal MCP
+  server names and host commands are centralised in `src/mcp-registry.ts` and
+  stripped at release time, so the published tarball contains zero internal names.
+  Enforced by an explicit, non-bypassable tarball token-guard
+  (`scripts/verify-no-internal-mcp.mjs`). `ClaudeMcpServerName` widens to `string`
+  and the request `mcpServers` schemas accept arbitrary names; no implicit default
+  server is injected.
+- **Vibe `permissionMode` accepts any `--agent` name.** Replaces the closed
+  agent-mode enum (which had stale `chat`/`explore`/`lean` values) with an open
+  string — Vibe owns its agent registry (builtins plus install-gated and custom
+  agents), so the gateway passes the name through and lets Vibe validate it.
+- **Gemini `mcpServers` accepted for approval tracking.** `gemini_request` no
+  longer rejects non-empty `mcpServers`; the names feed the approval policy but are
+  never passed to the Antigravity CLI (which manages its own MCP configuration).
+
+### Security / supply chain
+
+- `hono` pinned to `^4.12.25` via `overrides` (clears the advisories on 4.12.22),
+  with a hono-floor tripwire in the release security audit.
+
+### Deps
+
+- Dev-dependency bumps (keeps `type-is@2.1.0` out via the `body-parser` floor) and
+  a `github/codeql-action` group bump.
+
+## [2.10.0] - 2026-06-15: Per-principal isolation on the request handlers
+
+A follow-up to the 2.9.0 per-principal isolation (F3): the ownership model was
+enforced on the `session_*` / `llm_*` bookkeeping tools but **not** on the
+`*_request` execution handlers, the workspace/worktree resolvers, or the
+`sessions://*` resources. An adversarial multi-LLM review of the 2.9.0 surface
+found two HIGH cross-principal bugs reachable in the opt-in remote/OAuth
+multi-tenant modes; this release closes them. The default local-stdio and shared
+static-bearer paths collapse to a single principal and are unaffected (no
+behaviour change). Provider CLI release targets are unchanged from 2.8.0/2.9.0
+(see `docs/upstream/release-targets.md`).
+
+### Security
+
+- Cross-principal session takeover (F3b, request handlers):
+  `getExistingSessionForProvider` now rejects a caller-supplied session id owned
+  by a different principal — the ownership check is ordered before the
+  provider-type comparison, so a foreign session never leaks its provider. This
+  is the choke point for every `*_request` / `*_request_async` handler (claude,
+  codex, gemini, grok, mistral, grok-api) and `codex_fork_session`. Previously a
+  remote principal could resume or read another principal's conversation by
+  supplying its session id.
+- Global active-session pointer is now owner-filtered at every request-handler
+  adoption site (and in the codex async path, which bypassed the choke point),
+  so a no-`sessionId` request can no longer adopt and resume another principal's
+  active session.
+- Workspace-isolation bypass (F3b, resolvers): `resolveWorktreeForRequest` and
+  `resolveWorkspaceAndWorktreeForRequest` ignore a referenced session the caller
+  does not own, so a foreign session's metadata can no longer select the
+  workspace/worktree working directory or satisfy the remote "registered
+  workspace" gate.
+- `sessions://*` resources are now owner-filtered: `sessions://all` and the five
+  per-provider session resources return only the caller's own rows and active
+  pointer, closing the session-id/metadata enumeration vector.
+
+### Tests
+
+- Adds `src/__tests__/f3b-request-handler-isolation.test.ts` (cross-principal
+  deny-path coverage for the request handlers and the `sessions://*` resources).
+
 ## [2.9.0] - 2026-06-14: MCP-surface red-team remediation
 
 This release remediates all 17 findings of a multi-LLM red-team of the gateway's

package/README.md

@@ -278,8 +278,10 @@ Vibe-specific notes:
   `VIBE_MODELS`, injects `VIBE_ACTIVE_MODEL` only when a model is explicitly
   requested or Vibe config needs recovery, and retries once after a
   model-not-found failure with refreshed discovery.
-- **`permissionMode` accepts** `default | plan | accept-edits | auto-approve |
-chat | explore | lean` and emits `--agent <mode>`. The gateway's
+- **`permissionMode` is the Vibe `--agent` name.** Builtins are
+  `default | plan | accept-edits | auto-approve`; Vibe also accepts install-gated
+  builtins (e.g. `lean`) and custom agents from `~/.vibe/agents`, so any name is
+  passed through and Vibe validates availability. The gateway's
   programmatic-mode default is `auto-approve`; pick a stricter mode
   explicitly if you need approval gates.
 - **`allowedTools` is allow-list only** — the gateway emits one
@@ -391,7 +393,7 @@ Execute a Claude Code request with optional session management.
 - `excludeDynamicSystemPromptSections` (boolean, optional): Trim dynamic system prompt sections
 - `approvalStrategy` (string, optional): `"legacy"` (default) or `"mcp_managed"`
 - `approvalPolicy` (string, optional): `"strict"`, `"balanced"`, or `"permissive"`
-- `mcpServers` (string[], optional): Claude MCP servers to expose (default: `["sqry","exa","ref_tools"]`; `"trstr"` available as opt-in)
+- `mcpServers` (string[], optional): Names of MCP servers to expose to Claude (default: none). The gateway resolves each name to a launch command from its local registry / Codex MCP config; unknown names are reported as unavailable. Configure the servers your deployment uses in the gateway environment.
 - `strictMcpConfig` (boolean, optional): Require Claude to use only supplied MCP config, default: true (request fails if any requested server is unavailable)
 - `optimizePrompt` (boolean, optional): Optimize prompt for token efficiency (44% reduction), default: false
 - `optimizeResponse` (boolean, optional): Optimize response for token efficiency (37% reduction), default: false
@@ -825,7 +827,7 @@ consumes       = ["OUT:mcp-reconnected"]
 Run a Mistral Vibe agentic coding request. Like `grok_request` in shape, but with Vibe's specific surface:
 
 - `model` (string, optional): Vibe model alias (for example `mistral-medium-3.5` or `latest`). The resolved value is injected via the `VIBE_ACTIVE_MODEL` environment variable; omit it to let the gateway discover Vibe config and avoid stale hardcoded defaults.
-- `permissionMode`: `default | plan | accept-edits | auto-approve | chat | explore | lean` — emitted as `--agent <mode>`. Defaults to `auto-approve` in programmatic mode.
+- `permissionMode`: the Vibe `--agent` name — builtins `default | plan | accept-edits | auto-approve`, or any install-gated/custom agent. Emitted as `--agent <name>`. Defaults to `auto-approve` in programmatic mode.
 - `allowedTools` (string[], optional): One `--enabled-tools <tool>` flag per entry (allow-list only).
 - `disallowedTools` (string[], optional): Accepted for parity with the other providers; ignored at the CLI boundary with a logged warning.
 - `outputFormat` (string, optional): Vibe 2.x values are `"text"`, `"json"`, or `"streaming"`; legacy aliases `"plain"` and `"stream-json"` are accepted and normalized before spawn.
@@ -861,7 +863,7 @@ Async request tools accept the same approval strategy fields as their sync varia
 
 - `approvalStrategy`: `"legacy"` (default) or `"mcp_managed"`
 - `approvalPolicy`: `"strict"|"balanced"|"permissive"` override
-- `mcpServers`: Requested MCP servers (`sqry`, `exa`, `ref_tools`, `trstr`)
+- `mcpServers`: Names of requested MCP servers, resolved against the gateway's local registry / Codex MCP config
 - `claude_request_async` also supports `strictMcpConfig` and fails fast when requested servers are unavailable
 
 ##### `llm_job_status`

package/dist/acp/event-normalizer.d.ts

@@ -0,0 +1,42 @@
+import type { ContentBlock, SessionUpdateNotification } from "./types.js";
+export type AcpProgressEvent = {
+    readonly kind: "agent_message";
+    readonly text: string;
+} | {
+    readonly kind: "agent_thought";
+    readonly text: string;
+} | {
+    readonly kind: "user_message";
+    readonly text: string;
+} | {
+    readonly kind: "tool_call";
+    readonly toolCallId: string;
+    readonly title: string;
+    readonly status?: string;
+    readonly toolKind?: string;
+} | {
+    readonly kind: "tool_update";
+    readonly toolCallId: string;
+    readonly status?: string;
+    readonly title?: string;
+} | {
+    readonly kind: "plan";
+    readonly entryCount: number;
+} | {
+    readonly kind: "mode";
+    readonly currentModeId: string;
+} | {
+    readonly kind: "usage";
+    readonly size: number;
+    readonly used: number;
+} | {
+    readonly kind: "other";
+    readonly sessionUpdate: string;
+};
+export declare function summarizeContentBlock(block: ContentBlock): string;
+export declare function normalizeSessionUpdate(notification: SessionUpdateNotification): AcpProgressEvent;
+export declare class AcpEventNormalizer {
+    private text;
+    handle(notification: SessionUpdateNotification): AcpProgressEvent;
+    get finalText(): string;
+}

package/dist/acp/event-normalizer.js

@@ -0,0 +1,71 @@
+function str(value) {
+    return typeof value === "string" ? value : undefined;
+}
+export function summarizeContentBlock(block) {
+    if (block.type === "text") {
+        return str(block.text) ?? "";
+    }
+    return `[${block.type}]`;
+}
+function chunkText(update) {
+    const content = update.content;
+    if (content && typeof content === "object") {
+        return summarizeContentBlock(content);
+    }
+    return "";
+}
+export function normalizeSessionUpdate(notification) {
+    const update = notification.update;
+    const variant = str(update.sessionUpdate) ?? "";
+    switch (variant) {
+        case "agent_message_chunk":
+            return { kind: "agent_message", text: chunkText(update) };
+        case "agent_thought_chunk":
+            return { kind: "agent_thought", text: chunkText(update) };
+        case "user_message_chunk":
+            return { kind: "user_message", text: chunkText(update) };
+        case "tool_call":
+            return {
+                kind: "tool_call",
+                toolCallId: str(update.toolCallId) ?? "",
+                title: str(update.title) ?? "",
+                status: str(update.status),
+                toolKind: str(update.kind),
+            };
+        case "tool_call_update":
+            return {
+                kind: "tool_update",
+                toolCallId: str(update.toolCallId) ?? "",
+                status: str(update.status),
+                title: str(update.title),
+            };
+        case "plan":
+            return {
+                kind: "plan",
+                entryCount: Array.isArray(update.entries) ? update.entries.length : 0,
+            };
+        case "current_mode_update":
+            return { kind: "mode", currentModeId: str(update.currentModeId) ?? "" };
+        case "usage_update":
+            return {
+                kind: "usage",
+                size: typeof update.size === "number" ? update.size : 0,
+                used: typeof update.used === "number" ? update.used : 0,
+            };
+        default:
+            return { kind: "other", sessionUpdate: variant };
+    }
+}
+export class AcpEventNormalizer {
+    text = "";
+    handle(notification) {
+        const event = normalizeSessionUpdate(notification);
+        if (event.kind === "agent_message") {
+            this.text += event.text;
+        }
+        return event;
+    }
+    get finalText() {
+        return this.text;
+    }
+}

package/dist/acp/flight-redaction.d.ts

@@ -0,0 +1,25 @@
+import type { ContentBlock } from "./types.js";
+import type { FlightLogResult, FlightLogStart } from "../flight-recorder.js";
+import type { CliType } from "../session-manager.js";
+export declare function summarizeAcpPromptForFlight(prompt: ReadonlyArray<ContentBlock>): string;
+export declare function summarizeAcpResponseForFlight(responseText: string): string;
+export declare function redactAcpTextForFlight(text: string): string;
+export interface AcpFlightStartParams {
+    readonly correlationId: string;
+    readonly provider: CliType;
+    readonly model: string;
+    readonly prompt: ReadonlyArray<ContentBlock>;
+    readonly gatewaySessionId?: string;
+    readonly asyncJobId?: string;
+}
+export declare function buildAcpFlightStart(params: AcpFlightStartParams): FlightLogStart;
+export interface AcpFlightResultParams {
+    readonly responseText: string;
+    readonly durationMs: number;
+    readonly status: "completed" | "failed";
+    readonly exitCode: number;
+    readonly inputTokens?: number;
+    readonly outputTokens?: number;
+    readonly errorMessage?: string;
+}
+export declare function buildAcpFlightResult(params: AcpFlightResultParams): FlightLogResult;

package/dist/acp/flight-redaction.js

@@ -0,0 +1,40 @@
+import { redactAcpMessage } from "./errors.js";
+import { isGatewaySessionId } from "./session-map.js";
+import { redactSecrets } from "../secret-redaction.js";
+export function summarizeAcpPromptForFlight(prompt) {
+    const n = prompt.length;
+    return `[acp prompt: ${n} content block${n === 1 ? "" : "s"}]`;
+}
+export function summarizeAcpResponseForFlight(responseText) {
+    return `[acp response: ${responseText.length} char${responseText.length === 1 ? "" : "s"}]`;
+}
+export function redactAcpTextForFlight(text) {
+    return redactSecrets(redactAcpMessage(text));
+}
+export function buildAcpFlightStart(params) {
+    const sessionId = params.gatewaySessionId !== undefined && isGatewaySessionId(params.gatewaySessionId)
+        ? params.gatewaySessionId
+        : undefined;
+    return {
+        correlationId: params.correlationId,
+        cli: params.provider,
+        model: params.model,
+        prompt: summarizeAcpPromptForFlight(params.prompt),
+        sessionId,
+        asyncJobId: params.asyncJobId,
+    };
+}
+export function buildAcpFlightResult(params) {
+    return {
+        response: summarizeAcpResponseForFlight(params.responseText),
+        durationMs: params.durationMs,
+        status: params.status,
+        exitCode: params.exitCode,
+        retryCount: 0,
+        circuitBreakerState: "closed",
+        optimizationApplied: false,
+        inputTokens: params.inputTokens,
+        outputTokens: params.outputTokens,
+        errorMessage: params.errorMessage !== undefined ? redactAcpTextForFlight(params.errorMessage) : undefined,
+    };
+}

package/dist/acp/host-services.d.ts

@@ -0,0 +1,16 @@
+import type { HostCallbackContext, HostServices } from "./client.js";
+import type { ReadTextFileRequest, ReadTextFileResponse, RequestPermissionRequest, RequestPermissionResponse, WriteTextFileRequest, WriteTextFileResponse } from "./types.js";
+import type { Logger } from "../logger.js";
+export type AcpPermissionDecider = (request: RequestPermissionRequest, context: HostCallbackContext) => Promise<RequestPermissionResponse>;
+export interface GatewayHostServicesOptions {
+    readonly logger?: Logger;
+    readonly permissionDecider?: AcpPermissionDecider;
+}
+export declare class GatewayHostServices implements HostServices {
+    private readonly logger;
+    private readonly permissionDecider?;
+    constructor(options?: GatewayHostServicesOptions);
+    readTextFile(_request: ReadTextFileRequest, context: HostCallbackContext): Promise<ReadTextFileResponse>;
+    writeTextFile(_request: WriteTextFileRequest, context: HostCallbackContext): Promise<WriteTextFileResponse>;
+    requestPermission(request: RequestPermissionRequest, context: HostCallbackContext): Promise<RequestPermissionResponse>;
+}

package/dist/acp/host-services.js

@@ -0,0 +1,29 @@
+import { AcpPermissionDeniedError } from "./errors.js";
+import { noopLogger } from "../logger.js";
+export class GatewayHostServices {
+    logger;
+    permissionDecider;
+    constructor(options = {}) {
+        this.logger = options.logger ?? noopLogger;
+        this.permissionDecider = options.permissionDecider;
+    }
+    async readTextFile(_request, context) {
+        this.logger.info("acp.host.read_denied", { provider: context.provider });
+        throw new AcpPermissionDeniedError(context.provider, "filesystem read host service is disabled", { provider: context.provider, debug: { method: context.method } });
+    }
+    async writeTextFile(_request, context) {
+        this.logger.info("acp.host.write_denied", { provider: context.provider });
+        throw new AcpPermissionDeniedError(context.provider, "filesystem write host service is disabled", { provider: context.provider, debug: { method: context.method } });
+    }
+    async requestPermission(request, context) {
+        if (this.permissionDecider) {
+            return this.permissionDecider(request, context);
+        }
+        this.logger.info("acp.permission.denied", {
+            provider: context.provider,
+            reason: "no_approval_bridge",
+            optionCount: request.options.length,
+        });
+        return { outcome: { outcome: "cancelled" } };
+    }
+}

package/dist/acp/permission-bridge.d.ts

@@ -0,0 +1,15 @@
+import type { HostCallbackContext } from "./client.js";
+import type { RequestPermissionRequest, RequestPermissionResponse } from "./types.js";
+import { ApprovalManager, type ApprovalCli, type ApprovalPolicy } from "../approval-manager.js";
+import type { Logger } from "../logger.js";
+export type AcpPermissionCategory = "read" | "write" | "execute" | "other";
+export interface AcpPermissionBridgeDeps {
+    readonly approvalManager: ApprovalManager;
+    readonly provider: ApprovalCli;
+    readonly allowWrite?: boolean;
+    readonly allowTerminal?: boolean;
+    readonly policy?: ApprovalPolicy;
+    readonly logger?: Logger;
+}
+export declare function categorizeToolCall(toolCall: Record<string, unknown>): AcpPermissionCategory;
+export declare function createAcpPermissionDecider(deps: AcpPermissionBridgeDeps): (request: RequestPermissionRequest, context: HostCallbackContext) => Promise<RequestPermissionResponse>;

package/dist/acp/permission-bridge.js

@@ -0,0 +1,90 @@
+import { noopLogger } from "../logger.js";
+const WRITE_KINDS = new Set(["edit", "delete", "move"]);
+const EXECUTE_KINDS = new Set(["execute"]);
+const READ_KINDS = new Set(["read", "search", "think"]);
+export function categorizeToolCall(toolCall) {
+    const kind = typeof toolCall.kind === "string" ? toolCall.kind.toLowerCase() : "";
+    if (WRITE_KINDS.has(kind))
+        return "write";
+    if (EXECUTE_KINDS.has(kind))
+        return "execute";
+    if (READ_KINDS.has(kind))
+        return "read";
+    return "other";
+}
+function isAllowOption(option) {
+    const kind = typeof option.kind === "string" ? option.kind.toLowerCase() : "";
+    return kind.startsWith("allow");
+}
+const CANCELLED = { outcome: { outcome: "cancelled" } };
+export function createAcpPermissionDecider(deps) {
+    const logger = deps.logger ?? noopLogger;
+    return async (request, _context) => {
+        const category = categorizeToolCall(request.toolCall);
+        if (category === "write" && deps.allowWrite !== true) {
+            logger.info("acp.permission.denied", {
+                provider: deps.provider,
+                category,
+                reason: "write_disabled",
+            });
+            return CANCELLED;
+        }
+        if (category === "execute" && deps.allowTerminal !== true) {
+            logger.info("acp.permission.denied", {
+                provider: deps.provider,
+                category,
+                reason: "terminal_disabled",
+            });
+            return CANCELLED;
+        }
+        if (category === "other") {
+            logger.info("acp.permission.denied", {
+                provider: deps.provider,
+                category,
+                reason: "unknown_kind_denied",
+            });
+            return CANCELLED;
+        }
+        let approved;
+        try {
+            const record = deps.approvalManager.decide({
+                cli: deps.provider,
+                operation: `acp_permission:${category}`,
+                prompt: `ACP permission request from ${deps.provider}`,
+                bypassRequested: false,
+                fullAuto: false,
+                requestedMcpServers: [],
+                policy: deps.policy,
+                metadata: { acp: true, category, optionCount: request.options.length },
+            });
+            approved = record.status === "approved";
+        }
+        catch (err) {
+            logger.error("acp.permission.decide_error", {
+                provider: deps.provider,
+                category,
+                errorClass: err instanceof Error ? err.name : "unknown",
+            });
+            return CANCELLED;
+        }
+        if (!approved) {
+            logger.info("acp.permission.denied", {
+                provider: deps.provider,
+                category,
+                reason: "approval_denied",
+            });
+            return CANCELLED;
+        }
+        const allow = request.options.find(isAllowOption);
+        if (!allow) {
+            logger.info("acp.permission.denied", {
+                provider: deps.provider,
+                category,
+                reason: "no_allow_option",
+            });
+            return CANCELLED;
+        }
+        logger.info("acp.permission.approved", { provider: deps.provider, category });
+        return { outcome: { outcome: "selected", optionId: allow.optionId } };
+    };
+}

package/dist/acp/process-manager.js

@@ -117,6 +117,8 @@ export class AcpProcessManager {
             callbacks: options.callbacks,
             idleTimeoutMs: options.idleTimeoutMs ?? this.config.processIdleTimeoutMs,
             initializeTimeoutMs: this.config.initializeTimeoutMs,
+            sessionNewTimeoutMs: this.config.sessionNewTimeoutMs,
+            promptTimeoutMs: this.config.promptTimeoutMs,
             onTerminal: m => this.live.delete(m),
         });
         this.live.add(managed);
@@ -192,7 +194,11 @@ class ManagedProcessImpl {
             hostServices: options.hostServices,
             callbacks: options.callbacks,
             logger: this.logger,
-            timeouts: { initializeMs: options.initializeTimeoutMs },
+            timeouts: {
+                initializeMs: options.initializeTimeoutMs,
+                sessionNewMs: options.sessionNewTimeoutMs,
+                promptMs: options.promptTimeoutMs,
+            },
         });
         options.child.on("exit", (code, signal) => this.handleExit(code, signal));
         options.child.on("error", err => this.handleSpawnError(err));

package/dist/acp/provider-registry.d.ts

@@ -1,5 +1,5 @@
 import type { CliType } from "../session-manager.js";
-export type AcpProviderStatus = "native_smoke_passed" | "adapter_mediated_deferred" | "absent_watchlist";
+export type AcpProviderStatus = "native_smoke_passed" | "native_candidate" | "adapter_mediated_deferred" | "absent_watchlist";
 export type AcpSupportKind = "native" | "adapter_mediated" | "none";
 export interface AcpEntrypoint {
     readonly command: string;

package/dist/acp/provider-registry.js

@@ -64,6 +64,19 @@ const ACP_PROVIDER_REGISTRY = Object.freeze({
         adapterCandidates: Object.freeze([]),
         caveat: "No ACP flag or subcommand at the target version. Legacy Gemini CLI ACP evidence does not transfer to Antigravity agy. Watchlist only.",
     }),
+    devin: Object.freeze({
+        provider: "devin",
+        displayName: "Cognition Devin CLI",
+        status: "native_smoke_passed",
+        supportKind: "native",
+        targetVersion: "devin 2026.5.26-8 (1a388fa9)",
+        entrypoint: Object.freeze({ command: "devin", args: Object.freeze(["acp"]) }),
+        runtimeEnabledDefault: false,
+        shipRuntimePilot: true,
+        runtimePriority: 3,
+        adapterCandidates: Object.freeze([]),
+        caveat: "Native ACP entrypoint `devin acp` (stdio JSON-RPC). Manual initialize + session/new smoke passed with the installed CLI managing credentials (`devin auth login`; WINDSURF_API_KEY for empty-env); empty-env smoke is expected to fail. Third native runtime pilot; runtime routing stays config-gated.",
+    }),
 });
 export function getAcpProviderRegistry() {
     return ACP_PROVIDER_REGISTRY;

package/dist/acp/runtime.d.ts

@@ -0,0 +1,35 @@
+import { type AcpSpawnFn, type ProcessEnv } from "./process-manager.js";
+import type { ApprovalManager } from "../approval-manager.js";
+import type { AcpConfig } from "../config.js";
+import type { FlightLogResult, FlightLogStart } from "../flight-recorder.js";
+import type { Logger } from "../logger.js";
+import type { CliType, ISessionManager } from "../session-manager.js";
+export interface AcpFlightSink {
+    logStart(entry: FlightLogStart): void;
+    logComplete(correlationId: string, result: FlightLogResult): void;
+}
+export interface AcpRuntimeDeps {
+    readonly config: AcpConfig;
+    readonly sessionManager: ISessionManager;
+    readonly approvalManager: ApprovalManager;
+    readonly flightRecorder?: AcpFlightSink;
+    readonly logger?: Logger;
+    readonly spawn?: AcpSpawnFn;
+    readonly baseEnv?: ProcessEnv;
+    readonly now?: () => number;
+}
+export interface AcpRunRequest {
+    readonly provider: CliType;
+    readonly prompt: string;
+    readonly model?: string;
+    readonly sessionId?: string;
+    readonly cwd?: string;
+    readonly correlationId: string;
+}
+export interface AcpRunResult {
+    readonly text: string;
+    readonly gatewaySessionId: string;
+    readonly protocolVersion: number | null;
+    readonly durationMs: number;
+}
+export declare function runAcpRequest(deps: AcpRuntimeDeps, req: AcpRunRequest): Promise<AcpRunResult>;