llm-cli-gateway 2.9.0 → 2.11.0

package/dist/resources.js

@@ -1,4 +1,5 @@
 import { CLI_TYPES, PROVIDER_TYPES } from "./session-manager.js";
+import { getRequestContext, principalCanAccess, resolveOwnerPrincipal } from "./request-context.js";
 import { getAvailableCliInfo } from "./model-registry.js";
 import { computeGlobalCacheStats, computePrefixCacheStats, computeSessionCacheStats, computeTtlRemaining, } from "./cache-stats.js";
 import { buildProviderSubcommandsCompactCatalog, getCliSubcommandContract, serializeCliSubcommandContract, } from "./upstream-contracts.js";
@@ -201,13 +202,21 @@ export class ResourceProvider {
             })),
         ];
     }
+    ownedSessions(sessions) {
+        const caller = resolveOwnerPrincipal(getRequestContext());
+        return sessions.filter(s => principalCanAccess(s.ownerPrincipal, caller));
+    }
+    async ownedActiveId(provider) {
+        const active = await Promise.resolve(this.sessionManager.getActiveSession(provider));
+        if (!active)
+            return null;
+        const caller = resolveOwnerPrincipal(getRequestContext());
+        return principalCanAccess(active.ownerPrincipal, caller) ? active.id : null;
+    }
     async readResource(uri) {
         if (uri === "sessions://all") {
-            const sessions = await this.sessionManager.listSessions();
-            const activeSessions = Object.fromEntries(await Promise.all(PROVIDER_TYPES.map(async (provider) => [
-                provider,
-                (await this.sessionManager.getActiveSession(provider))?.id || null,
-            ])));
+            const sessions = this.ownedSessions(await this.sessionManager.listSessions());
+            const activeSessions = Object.fromEntries(await Promise.all(PROVIDER_TYPES.map(async (provider) => [provider, await this.ownedActiveId(provider)])));
             return {
                 uri,
                 mimeType: "application/json",
@@ -225,7 +234,7 @@ export class ResourceProvider {
             };
         }
         if (uri === "sessions://claude") {
-            const sessions = await this.sessionManager.listSessions("claude");
+            const sessions = this.ownedSessions(await this.sessionManager.listSessions("claude"));
             return {
                 uri,
                 mimeType: "application/json",
@@ -233,12 +242,12 @@ export class ResourceProvider {
                     cli: "claude",
                     total: sessions.length,
                     sessions,
-                    activeSession: (await this.sessionManager.getActiveSession("claude"))?.id || null,
+                    activeSession: await this.ownedActiveId("claude"),
                 }, null, 2),
             };
         }
         if (uri === "sessions://codex") {
-            const sessions = await this.sessionManager.listSessions("codex");
+            const sessions = this.ownedSessions(await this.sessionManager.listSessions("codex"));
             return {
                 uri,
                 mimeType: "application/json",
@@ -246,12 +255,12 @@ export class ResourceProvider {
                     cli: "codex",
                     total: sessions.length,
                     sessions,
-                    activeSession: (await this.sessionManager.getActiveSession("codex"))?.id || null,
+                    activeSession: await this.ownedActiveId("codex"),
                 }, null, 2),
             };
         }
         if (uri === "sessions://gemini") {
-            const sessions = await this.sessionManager.listSessions("gemini");
+            const sessions = this.ownedSessions(await this.sessionManager.listSessions("gemini"));
             return {
                 uri,
                 mimeType: "application/json",
@@ -259,12 +268,12 @@ export class ResourceProvider {
                     cli: "gemini",
                     total: sessions.length,
                     sessions,
-                    activeSession: (await this.sessionManager.getActiveSession("gemini"))?.id || null,
+                    activeSession: await this.ownedActiveId("gemini"),
                 }, null, 2),
             };
         }
         if (uri === "sessions://grok") {
-            const sessions = await this.sessionManager.listSessions("grok");
+            const sessions = this.ownedSessions(await this.sessionManager.listSessions("grok"));
             return {
                 uri,
                 mimeType: "application/json",
@@ -272,12 +281,12 @@ export class ResourceProvider {
                     cli: "grok",
                     total: sessions.length,
                     sessions,
-                    activeSession: (await this.sessionManager.getActiveSession("grok"))?.id || null,
+                    activeSession: await this.ownedActiveId("grok"),
                 }, null, 2),
             };
         }
         if (uri === "sessions://mistral") {
-            const sessions = await this.sessionManager.listSessions("mistral");
+            const sessions = this.ownedSessions(await this.sessionManager.listSessions("mistral"));
             return {
                 uri,
                 mimeType: "application/json",
@@ -285,7 +294,7 @@ export class ResourceProvider {
                     cli: "mistral",
                     total: sessions.length,
                     sessions,
-                    activeSession: (await this.sessionManager.getActiveSession("mistral"))?.id || null,
+                    activeSession: await this.ownedActiveId("mistral"),
                 }, null, 2),
             };
         }

package/dist/session-manager-pg.js

@@ -1,13 +1,6 @@
 import { randomUUID } from "crypto";
+import { defaultSessionDescription } from "./session-manager.js";
 import { getRequestContext, resolveOwnerPrincipal } from "./request-context.js";
-const DEFAULT_SESSION_DESCRIPTIONS = {
-    claude: "Claude Session",
-    codex: "Codex Session",
-    gemini: "Gemini Session",
-    grok: "Grok Session",
-    mistral: "Mistral Session",
-    "grok-api": "Grok API Session",
-};
 export class PostgreSQLSessionManager {
     pool;
     constructor(pool) {
@@ -15,7 +8,7 @@ export class PostgreSQLSessionManager {
     }
     async createSession(cli, description, sessionId) {
         const id = sessionId || randomUUID();
-        const sessionDescription = description ?? DEFAULT_SESSION_DESCRIPTIONS[cli];
+        const sessionDescription = description ?? defaultSessionDescription(cli);
         const now = new Date().toISOString();
         const ownerPrincipal = resolveOwnerPrincipal(getRequestContext());
         const client = await this.pool.connect();

package/dist/session-manager.d.ts

@@ -1,12 +1,17 @@
 import type { Config } from "./config.js";
 import type { DatabaseConnection } from "./db.js";
 import type { Logger } from "./logger.js";
-export declare const CLI_TYPES: readonly ["claude", "codex", "gemini", "grok", "mistral"];
+export declare const CLI_TYPES: readonly ["claude", "codex", "gemini", "grok", "mistral", "devin"];
 export type CliType = (typeof CLI_TYPES)[number];
 export declare const API_PROVIDER_TYPES: readonly ["grok-api"];
-export type ApiProviderType = (typeof API_PROVIDER_TYPES)[number];
-export declare const PROVIDER_TYPES: readonly ["claude", "codex", "gemini", "grok", "mistral", "grok-api"];
-export type ProviderType = (typeof PROVIDER_TYPES)[number];
+export type KnownApiProviderType = (typeof API_PROVIDER_TYPES)[number];
+export type ApiProviderType = KnownApiProviderType | (string & {});
+export type ProviderType = CliType | ApiProviderType;
+export type ProviderKind = "cli" | "api";
+export declare const PROVIDER_TYPES: readonly ["claude", "codex", "gemini", "grok", "mistral", "devin", "grok-api"];
+export declare function isCliType(provider: string): provider is CliType;
+export declare function providerKind(provider: ProviderType): ProviderKind;
+export declare function defaultSessionDescription(provider: ProviderType): string;
 export interface Session {
     id: string;
     cli: ProviderType;

package/dist/session-manager.js

@@ -5,11 +5,16 @@ import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync, openSyn
 import { DEFAULT_SESSION_TTL_SECONDS } from "./config.js";
 import { noopLogger } from "./logger.js";
 import { getRequestContext, resolveOwnerPrincipal } from "./request-context.js";
-export const CLI_TYPES = ["claude", "codex", "gemini", "grok", "mistral"];
+export const CLI_TYPES = ["claude", "codex", "gemini", "grok", "mistral", "devin"];
 export const API_PROVIDER_TYPES = ["grok-api"];
 export const PROVIDER_TYPES = [...CLI_TYPES, ...API_PROVIDER_TYPES];
-const createEmptyActiveSessions = () => Object.fromEntries(PROVIDER_TYPES.map(provider => [provider, null]));
-const DEFAULT_SESSION_DESCRIPTIONS = {
+export function isCliType(provider) {
+    return CLI_TYPES.includes(provider);
+}
+export function providerKind(provider) {
+    return isCliType(provider) ? "cli" : "api";
+}
+const KNOWN_SESSION_DESCRIPTIONS = {
     claude: "Claude Session",
     codex: "Codex Session",
     gemini: "Gemini Session",
@@ -17,6 +22,10 @@ const DEFAULT_SESSION_DESCRIPTIONS = {
     mistral: "Mistral Session",
     "grok-api": "Grok API Session",
 };
+export function defaultSessionDescription(provider) {
+    return KNOWN_SESSION_DESCRIPTIONS[provider] ?? `${provider} Session`;
+}
+const createEmptyActiveSessions = () => Object.fromEntries(PROVIDER_TYPES.map(provider => [provider, null]));
 export class FileSessionManager {
     storagePath;
     storage = { sessions: {}, activeSession: createEmptyActiveSessions() };
@@ -107,7 +116,7 @@ export class FileSessionManager {
     createSession(cli, description, sessionId) {
         this.evictExpiredSessions();
         const id = sessionId || randomUUID();
-        const sessionDescription = description ?? DEFAULT_SESSION_DESCRIPTIONS[cli];
+        const sessionDescription = description ?? defaultSessionDescription(cli);
         const session = {
             id,
             cli,

package/dist/upstream-contracts.js

@@ -59,6 +59,17 @@ export const ACP_ENTRYPOINT_CONTRACTS = {
         evidence: "agy 1.0.7 has no ACP flag or subcommand. Legacy Gemini CLI ACP evidence does not transfer. Watchlist item.",
         docsRef: "docs/plans/first-class-acp-gateway-extension.dag.toml#provider_matrix.gemini",
     },
+    devin: {
+        cli: "devin",
+        displayName: "Cognition Devin CLI",
+        status: "native",
+        executable: "devin",
+        entrypointArgs: ["acp"],
+        targetVersion: "devin 2026.5.26-8 (1a388fa9)",
+        probeArgs: [["--version"]],
+        evidence: 'Native ACP entrypoint `devin acp` (stdio JSON-RPC). Slice D1 manual initialize + session/new smoke passed (protocolVersion 1, agent "Affogato", session created). Third native runtime pilot; routing stays config-gated.',
+        docsRef: "docs/plans/devin-integration-scoping.md",
+    },
 };
 const PERMISSION_MODES = [
     "default",
@@ -1412,8 +1423,7 @@ export const UPSTREAM_CLI_CONTRACTS = {
             },
             "--agent": {
                 arity: "one",
-                values: ["default", "plan", "accept-edits", "auto-approve", "chat", "explore", "lean"],
-                description: "Agent/permission mode",
+                description: "Agent/permission mode (builtin, install-gated, or custom agent name)",
             },
             "--enabled-tools": { arity: "one", description: "Enabled tool" },
             "--resume": {
@@ -1449,6 +1459,7 @@ export const UPSTREAM_CLI_CONTRACTS = {
                 description: "Additional writable workspace directory (Phase 4 slice ζ; repeat once per directory)",
             },
         },
+        acknowledgedUpstreamFlags: ["--auto-approve"],
         env: {
             VIBE_ACTIVE_MODEL: {
                 arity: "one",
@@ -1561,6 +1572,103 @@ export const UPSTREAM_CLI_CONTRACTS = {
             },
         ],
     },
+    devin: {
+        cli: "devin",
+        executable: "devin",
+        upstream: "Cognition Devin CLI",
+        upstreamMetadata: {
+            sourceUrls: ["https://cli.devin.ai/docs/reference/commands", "https://docs.devin.ai/cli"],
+            packageName: "devin",
+            installDocsUrl: "https://docs.devin.ai/cli",
+            releaseChannel: "vendor",
+            watchCategories: ["flags", "subcommands", "permission-modes", "acp-entrypoint"],
+        },
+        helpArgs: [["--help"]],
+        subcommands: {},
+        maxPositionals: 0,
+        mcpTools: ["devin_request", "devin_request_async"],
+        mcpParameters: [
+            "prompt",
+            "model",
+            "permissionMode",
+            "sessionId",
+            "resumeLatest",
+            "createNewSession",
+            "promptFile",
+        ],
+        flags: {
+            "-p": {
+                arity: "one",
+                description: "Print response and exit (non-interactive); prompt value",
+            },
+            "--model": { arity: "one", description: "AI model for this session" },
+            "--permission-mode": {
+                arity: "one",
+                values: ["normal", "auto", "dangerous", "yolo", "bypass"],
+                description: "Permission mode (normal/auto = read-only auto-approve; dangerous/yolo/bypass = approve all)",
+            },
+            "--prompt-file": { arity: "one", description: "Load the initial prompt from a file" },
+            "--resume": { arity: "one", description: "Resume a specific session by ID" },
+            "--continue": { arity: "none", description: "Resume the most recent session in cwd" },
+        },
+        env: {},
+        conformanceFixtures: [
+            {
+                id: "devin-minimal",
+                description: "Minimal print-mode prompt request",
+                args: ["-p", "hello"],
+                expect: "pass",
+            },
+            {
+                id: "devin-unsupported-flag",
+                description: "Unsupported flag is rejected before spawn",
+                args: ["-p", "hello", "--not-a-devin-flag"],
+                expect: "fail",
+            },
+            {
+                id: "devin-model",
+                description: "--model is accepted",
+                args: ["-p", "hello", "--model", "opus"],
+                expect: "pass",
+            },
+            {
+                id: "devin-permission-mode",
+                description: "Valid --permission-mode accepted (dangerous alias bypass)",
+                args: ["-p", "hello", "--permission-mode", "bypass"],
+                expect: "pass",
+            },
+            {
+                id: "devin-permission-mode-auto",
+                description: "Valid --permission-mode alias 'auto' (= normal) accepted",
+                args: ["-p", "hello", "--permission-mode", "auto"],
+                expect: "pass",
+            },
+            {
+                id: "devin-permission-mode-yolo",
+                description: "Valid --permission-mode alias 'yolo' (= dangerous) accepted",
+                args: ["-p", "hello", "--permission-mode", "yolo"],
+                expect: "pass",
+            },
+            {
+                id: "devin-permission-mode-invalid",
+                description: "Invalid --permission-mode value rejected by contract",
+                args: ["-p", "hello", "--permission-mode", "ludicrous"],
+                expect: "fail",
+            },
+            {
+                id: "devin-prompt-file",
+                description: "--prompt-file is accepted",
+                args: ["-p", "hello", "--prompt-file", "/tmp/prompt.txt"],
+                expect: "pass",
+            },
+            {
+                id: "devin-resume",
+                description: "Resume by session id accepted",
+                args: ["-p", "hello", "--resume", "abc12345"],
+                expect: "pass",
+            },
+        ],
+    },
 };
 export function validateUpstreamCliArgs(cli, args) {
     const contract = UPSTREAM_CLI_CONTRACTS[cli];
@@ -1936,6 +2044,8 @@ export function extractDiscoveredFlags(helpText) {
             const name = `--${match[1].toLowerCase().replace(/_/g, "-")}`;
             if (name === "--help")
                 continue;
+            if (name.endsWith("-"))
+                continue;
             discovered.add(name);
         }
     }

package/dist/validation-normalizer.d.ts

@@ -1,5 +1,5 @@
-import type { AsyncJobResult, AsyncJobSnapshot } from "./async-job-manager.js";
-export type ValidationProvider = "claude" | "codex" | "gemini" | "grok" | "mistral";
+import type { AsyncJobResult, AsyncJobSnapshot, JobProvider } from "./async-job-manager.js";
+export type ValidationProvider = JobProvider;
 export type NormalizedValidationStatus = "running" | "completed" | "failed" | "canceled" | "orphaned" | "skipped";
 export interface RawJobReference {
     jobId: string;

package/dist/validation-orchestrator.d.ts

@@ -1,11 +1,13 @@
 import type { AsyncJobManager } from "./async-job-manager.js";
 import { type ProviderRuntimeStatus } from "./provider-status.js";
+import type { ApiProviderRuntime } from "./config.js";
 import { type NormalizedValidationResult, type ValidationProvider } from "./validation-normalizer.js";
 import { type ValidationReport } from "./validation-report.js";
 import { type ValidationIntent } from "./validation-prompts.js";
 export interface ValidationOrchestratorDeps {
     asyncJobManager: AsyncJobManager;
     getProviderRuntimeStatus?: (provider: ValidationProvider) => ProviderRuntimeStatus;
+    apiProviders?: ApiProviderRuntime[];
 }
 export interface StartValidationInput {
     intent: ValidationIntent;

package/dist/validation-orchestrator.js

@@ -1,8 +1,31 @@
 import { randomUUID } from "node:crypto";
 import { getProviderRuntimeStatus } from "./provider-status.js";
+import { createApiProvider } from "./api-provider.js";
+import { prepareApiRequest } from "./api-request.js";
 import { normalizeJobResult, normalizeSkippedProvider, normalizeStartedJob, } from "./validation-normalizer.js";
 import { buildValidationReport } from "./validation-report.js";
 import { buildJudgePrompt, buildValidationPrompt, } from "./validation-prompts.js";
+function findApiReviewer(deps, provider) {
+    return deps.apiProviders?.find(p => p.name === provider) ?? null;
+}
+function resolveReviewerStatus(deps, provider) {
+    const api = findApiReviewer(deps, provider);
+    if (api) {
+        return { installed: true, version: null, loginStatus: "authenticated", displayName: api.name };
+    }
+    const runtimeStatus = deps.getProviderRuntimeStatus ?? getProviderRuntimeStatus;
+    return runtimeStatus(provider);
+}
+function dispatchProviderJob(deps, provider, prompt, correlationId) {
+    const api = findApiReviewer(deps, provider);
+    if (api) {
+        const apiProvider = createApiProvider(api.name, api.kind);
+        const apiRequest = prepareApiRequest(api, { prompt });
+        return deps.asyncJobManager.startHttpJob({ provider: apiProvider, apiRequest, correlationId })
+            .snapshot;
+    }
+    return deps.asyncJobManager.startJob(provider, buildProviderArgs(provider, prompt), correlationId);
+}
 export function startValidationRun(deps, input) {
     const validationId = randomUUID();
     const startedAt = new Date().toISOString();
@@ -67,8 +90,7 @@ export function startJudgeSynthesis(deps, input) {
             note: "Judge synthesis requires at least one completed provider result; skipped, failed, canceled, or orphaned results are preserved in the report but are not judge evidence.",
         };
     }
-    const runtimeStatus = deps.getProviderRuntimeStatus ?? getProviderRuntimeStatus;
-    const runtime = runtimeStatus(input.judgeProvider);
+    const runtime = resolveReviewerStatus(deps, input.judgeProvider);
     if (!runtime.installed) {
         return {
             status: "skipped",
@@ -77,10 +99,10 @@ export function startJudgeSynthesis(deps, input) {
             note: `${runtime.displayName} was selected as judge but is not installed.`,
         };
     }
-    const snapshot = deps.asyncJobManager.startJob(input.judgeProvider, buildProviderArgs(input.judgeProvider, buildJudgePrompt({
+    const snapshot = dispatchProviderJob(deps, input.judgeProvider, buildJudgePrompt({
         question: input.question,
         providerResults: completedResults,
-    })), `validation-judge-${randomUUID()}-${input.judgeProvider}`);
+    }), `validation-judge-${randomUUID()}-${input.judgeProvider}`);
     return {
         status: "running",
         judgeModel: input.judgeProvider,
@@ -102,15 +124,14 @@ export function collectValidationJobResult(deps, provider, jobId, model, maxChar
     return normalizeJobResult(provider, model, result);
 }
 function startProviderJob(deps, provider, prompt, validationId) {
-    const runtimeStatus = deps.getProviderRuntimeStatus ?? getProviderRuntimeStatus;
-    const runtime = runtimeStatus(provider);
+    const runtime = resolveReviewerStatus(deps, provider);
     if (!runtime.installed) {
         return normalizeSkippedProvider(provider, `${runtime.displayName} runtime is not installed.`);
     }
     const warning = runtime.loginStatus === "authenticated"
         ? undefined
         : `${runtime.displayName} login status is ${runtime.loginStatus}; the job may fail until login is complete.`;
-    const snapshot = deps.asyncJobManager.startJob(provider, buildProviderArgs(provider, prompt), `validation-${validationId}-${provider}`);
+    const snapshot = dispatchProviderJob(deps, provider, prompt, `validation-${validationId}-${provider}`);
     return normalizeStartedJob(provider, runtime.version, snapshot, warning);
 }
 function plannedJudgeSynthesis(input) {

package/dist/validation-tools.d.ts

@@ -1,7 +1,68 @@
+import { z } from "zod/v3";
 import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import type { AsyncJobManager } from "./async-job-manager.js";
 import { type ValidationOrchestratorDeps } from "./validation-orchestrator.js";
 export interface ValidationToolDeps extends ValidationOrchestratorDeps {
     asyncJobManager: AsyncJobManager;
 }
+export declare function buildValidationSchemas(deps: ValidationToolDeps): {
+    providerSchema: z.ZodEnum<[string, ...string[]]>;
+    providerListSchema: z.ZodDefault<z.ZodArray<z.ZodEnum<[string, ...string[]]>, "many">>;
+    normalizedProviderResultSchema: z.ZodObject<{
+        provider: z.ZodEnum<[string, ...string[]]>;
+        model: z.ZodNullable<z.ZodString>;
+        status: z.ZodEnum<["running", "completed", "failed", "canceled", "orphaned", "skipped"]>;
+        verdict: z.ZodNullable<z.ZodString>;
+        rationale: z.ZodNullable<z.ZodString>;
+        risks: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        rawJobReference: z.ZodNullable<z.ZodObject<{
+            jobId: z.ZodString;
+            correlationId: z.ZodString;
+            statusTool: z.ZodLiteral<"job_status">;
+            resultTool: z.ZodLiteral<"job_result">;
+        }, "strip", z.ZodTypeAny, {
+            correlationId: string;
+            jobId: string;
+            statusTool: "job_status";
+            resultTool: "job_result";
+        }, {
+            correlationId: string;
+            jobId: string;
+            statusTool: "job_status";
+            resultTool: "job_result";
+        }>>;
+        error: z.ZodNullable<z.ZodString>;
+        warning: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        error: string | null;
+        status: "running" | "completed" | "failed" | "canceled" | "orphaned" | "skipped";
+        model: string | null;
+        provider: string;
+        rawJobReference: {
+            correlationId: string;
+            jobId: string;
+            statusTool: "job_status";
+            resultTool: "job_result";
+        } | null;
+        verdict: string | null;
+        rationale: string | null;
+        risks: string[];
+        warning?: string | undefined;
+    }, {
+        error: string | null;
+        status: "running" | "completed" | "failed" | "canceled" | "orphaned" | "skipped";
+        model: string | null;
+        provider: string;
+        rawJobReference: {
+            correlationId: string;
+            jobId: string;
+            statusTool: "job_status";
+            resultTool: "job_result";
+        } | null;
+        verdict: string | null;
+        rationale: string | null;
+        risks?: string[] | undefined;
+        warning?: string | undefined;
+    }>;
+};
 export declare function registerValidationTools(server: McpServer, deps: ValidationToolDeps): void;

package/dist/validation-tools.js

@@ -1,26 +1,33 @@
 import { z } from "zod/v3";
+import { CLI_TYPES } from "./session-manager.js";
 import { getAvailableCliInfo } from "./model-registry.js";
+import { apiProviderCatalogEntry } from "./api-request.js";
 import { collectValidationJobResult, startJudgeSynthesis, startValidationRun, } from "./validation-orchestrator.js";
-const providerSchema = z.enum(["claude", "codex", "gemini", "grok", "mistral"]);
-const providerListSchema = z.array(providerSchema).min(1).default(["claude", "codex"]);
-const normalizedProviderResultSchema = z.object({
-    provider: providerSchema,
-    model: z.string().nullable(),
-    status: z.enum(["running", "completed", "failed", "canceled", "orphaned", "skipped"]),
-    verdict: z.string().nullable(),
-    rationale: z.string().nullable(),
-    risks: z.array(z.string()).default([]),
-    rawJobReference: z
-        .object({
-        jobId: z.string(),
-        correlationId: z.string(),
-        statusTool: z.literal("job_status"),
-        resultTool: z.literal("job_result"),
-    })
-        .nullable(),
-    error: z.string().nullable(),
-    warning: z.string().optional(),
-});
+export function buildValidationSchemas(deps) {
+    const apiNames = (deps.apiProviders ?? []).map(p => p.name);
+    const allowed = [...CLI_TYPES, ...apiNames];
+    const providerSchema = z.enum(allowed);
+    const providerListSchema = z.array(providerSchema).min(1).default(["claude", "codex"]);
+    const normalizedProviderResultSchema = z.object({
+        provider: providerSchema,
+        model: z.string().nullable(),
+        status: z.enum(["running", "completed", "failed", "canceled", "orphaned", "skipped"]),
+        verdict: z.string().nullable(),
+        rationale: z.string().nullable(),
+        risks: z.array(z.string()).default([]),
+        rawJobReference: z
+            .object({
+            jobId: z.string(),
+            correlationId: z.string(),
+            statusTool: z.literal("job_status"),
+            resultTool: z.literal("job_result"),
+        })
+            .nullable(),
+        error: z.string().nullable(),
+        warning: z.string().optional(),
+    });
+    return { providerSchema, providerListSchema, normalizedProviderResultSchema };
+}
 function textResponse(body) {
     const text = responseText(body);
     return {
@@ -47,6 +54,7 @@ function findHumanReadableReport(value) {
     return null;
 }
 export function registerValidationTools(server, deps) {
+    const { providerSchema, providerListSchema, normalizedProviderResultSchema } = buildValidationSchemas(deps);
     server.tool("validate_with_models", "Ask two or more provider CLIs to independently validate a question. Starts validation jobs — poll with job_status, collect with job_result (not llm_job_*).", {
         question: z.string().min(1).describe("Question or content to validate."),
         models: providerListSchema.describe("Providers to ask. Defaults to Claude and Codex."),
@@ -208,7 +216,14 @@ export function registerValidationTools(server, deps) {
         destructiveHint: false,
         idempotentHint: true,
         openWorldHint: false,
-    }, async () => textResponse({ success: true, models: getAvailableCliInfo() }));
+    }, async () => {
+        const apiProviders = (deps.apiProviders ?? []).map(apiProviderCatalogEntry);
+        return textResponse({
+            success: true,
+            models: getAvailableCliInfo(),
+            ...(apiProviders.length > 0 ? { apiProviders } : {}),
+        });
+    });
     server.tool("job_status", "Check a VALIDATION job's status (jobs started by validate_with_models/ask_model/etc.) — distinct from llm_job_status, which tracks provider request jobs.", {
         jobId: z.string().min(1).describe("Validation job ID."),
     }, {

package/migrations/005_provider_type_open_api_names.sql

@@ -0,0 +1,28 @@
+-- Slice 0.5 (API-endpoint routing, locked decision B: arbitrary provider names).
+--
+-- Relax the closed provider enum on the session tables so that any
+-- `[providers.<name>]` config key (a kind:"api" provider id) is a valid
+-- `cli` value. Migration 003 widened the constraint only as far as the
+-- hard-coded set ('claude','codex','gemini','grok','mistral','grok-api');
+-- arbitrary API provider names had no DB-level home.
+--
+-- Provider-set validation now lives in the application layer (config loading
+-- plus `SESSION_PROVIDER_ENUM` for the registered set). The database keeps a
+-- single *format* guard so empty strings / whitespace / control characters are
+-- still rejected — it no longer enumerates a fixed provider list. The pattern
+-- accepts the existing five CLIs and `grok-api`, and any well-formed provider
+-- identifier (e.g. `ollama`, `openai`, `vllm`, `llama3.3`).
+
+ALTER TABLE sessions DROP CONSTRAINT IF EXISTS sessions_cli_check;
+ALTER TABLE sessions
+  ADD CONSTRAINT sessions_cli_check
+  CHECK (cli ~ '^[A-Za-z][A-Za-z0-9._-]*$');
+
+ALTER TABLE active_sessions DROP CONSTRAINT IF EXISTS active_sessions_cli_check;
+ALTER TABLE active_sessions
+  ADD CONSTRAINT active_sessions_cli_check
+  CHECK (cli ~ '^[A-Za-z][A-Za-z0-9._-]*$');
+
+INSERT INTO schema_migrations (version, name)
+VALUES (5, '005_provider_type_open_api_names')
+ON CONFLICT (version) DO NOTHING;

package/npm-shrinkwrap.json

@@ -1,15 +1,16 @@
 {
   "name": "llm-cli-gateway",
-  "version": "2.9.0",
+  "version": "2.10.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "llm-cli-gateway",
-      "version": "2.9.0",
+      "version": "2.10.0",
       "license": "MIT",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.29.0",
+        "body-parser": "2.2.2",
         "content-type": "1.0.5",
         "smol-toml": "^1.6.1",
         "type-is": "2.0.1",
@@ -587,9 +588,9 @@
       }
     },
     "node_modules/hono": {
-      "version": "4.12.22",
-      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.22.tgz",
-      "integrity": "sha512-7fvVPbB92zNRsQke+uiRGwtTuef0tB2Dg4hWxYfFNvkQhIltWoyi0ONReM5LWA+jJWS3nfT5lTq+qbsIpX0IQw==",
+      "version": "4.12.25",
+      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.25.tgz",
+      "integrity": "sha512-2NFaIyNVgJmBs/ecmtGzlmluTFs5cHEWGTdu0t1HBwYzoGXOL5nUQBRMXsXWla5i4KkG//QMzVP88m1+I3fdAQ==",
       "license": "MIT",
       "engines": {
         "node": ">=16.9.0"