localant 1.0.0

package/packages/mcp/dist/mcp-server.d.ts

@@ -0,0 +1,9 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { Gateway } from "@localant/gateway";
+/**
+ * Build an McpServer that exposes every registered gateway tool. Each MCP tool
+ * call is routed through gateway.executeTool, applying the full safety
+ * pipeline (validation → approval → redaction → audit).
+ */
+export declare function buildMcpServer(gw: Gateway): McpServer;
+//# sourceMappingURL=mcp-server.d.ts.map

package/packages/mcp/dist/mcp-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-server.d.ts","sourceRoot":"","sources":["../src/mcp-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAIjD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,EAAE,EAAE,OAAO,GAAG,SAAS,CAuBrD"}

package/packages/mcp/dist/mcp-server.js

@@ -0,0 +1,26 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+const SESSION_ID = "chatgpt";
+/**
+ * Build an McpServer that exposes every registered gateway tool. Each MCP tool
+ * call is routed through gateway.executeTool, applying the full safety
+ * pipeline (validation → approval → redaction → audit).
+ */
+export function buildMcpServer(gw) {
+    const server = new McpServer({ name: "LocalAnt", version: "1.0.0" });
+    for (const tool of gw.registry.list()) {
+        const shape = tool.inputSchema.shape ?? {};
+        server.registerTool(tool.name, {
+            description: `[risk ${tool.risk}] ${tool.description}`,
+            inputSchema: shape,
+        }, async (args) => {
+            const result = await gw.executeTool(tool.name, args, { caller: "chatgpt", sessionId: SESSION_ID });
+            const text = JSON.stringify(result, null, 2);
+            return {
+                content: [{ type: "text", text }],
+                isError: !result.ok && !result.approvalRequired,
+            };
+        });
+    }
+    return server;
+}
+//# sourceMappingURL=mcp-server.js.map

package/packages/mcp/dist/mcp-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-server.js","sourceRoot":"","sources":["../src/mcp-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAIpE,MAAM,UAAU,GAAG,SAAS,CAAC;AAE7B;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,EAAW;IACxC,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAErE,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC;QACtC,MAAM,KAAK,GAAI,IAAI,CAAC,WAAmE,CAAC,KAAK,IAAI,EAAE,CAAC;QACpG,MAAM,CAAC,YAAY,CACjB,IAAI,CAAC,IAAI,EACT;YACE,WAAW,EAAE,SAAS,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,WAAW,EAAE;YACtD,WAAW,EAAE,KAAK;SACnB,EACD,KAAK,EAAE,IAAa,EAAE,EAAE;YACtB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC;YACnG,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAC7C,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,CAAC;gBAC1C,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB;aAChD,CAAC;QACJ,CAAC,CACF,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/packages/mcp/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "@localant/mcp",
+  "version": "1.0.0",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": "./dist/index.js"
+  },
+  "dependencies": {
+    "@localant/gateway": "workspace:*",
+    "@localant/dashboard": "workspace:*",
+    "@localant/shared": "workspace:*",
+    "@modelcontextprotocol/sdk": "^1.12.0",
+    "express": "^5.0.1",
+    "zod": "^3.24.1"
+  }
+}

package/packages/shared/dist/config.d.ts

@@ -0,0 +1,314 @@
+import { z } from "zod";
+/** Default command allowlist — safe, read-mostly developer commands. */
+export declare const DEFAULT_ALLOWED_COMMANDS: string[];
+/**
+ * Blocked command tokens. Matched against tokenized command words (after
+ * splitting on shell metacharacters), so `rm -rf` and `rm   -rf` and
+ * `a && rm -rf` are all caught regardless of spacing.
+ */
+export declare const BLOCKED_COMMAND_TOKENS: string[];
+export declare const SkillPermissionsSchema: z.ZodObject<{
+    filesystem: z.ZodDefault<z.ZodObject<{
+        mode: z.ZodDefault<z.ZodEnum<["none", "read", "write"]>>;
+        allowedDirectories: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        mode: "none" | "read" | "write";
+        allowedDirectories: string[];
+    }, {
+        mode?: "none" | "read" | "write" | undefined;
+        allowedDirectories?: string[] | undefined;
+    }>>;
+    shell: z.ZodDefault<z.ZodObject<{
+        mode: z.ZodDefault<z.ZodEnum<["none", "allowed", "custom"]>>;
+        allowedCommands: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        mode: "none" | "allowed" | "custom";
+        allowedCommands: string[];
+    }, {
+        mode?: "none" | "allowed" | "custom" | undefined;
+        allowedCommands?: string[] | undefined;
+    }>>;
+    network: z.ZodDefault<z.ZodObject<{
+        mode: z.ZodDefault<z.ZodEnum<["none", "allowlist", "all"]>>;
+        allowedHosts: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        mode: "none" | "allowlist" | "all";
+        allowedHosts: string[];
+    }, {
+        mode?: "none" | "allowlist" | "all" | undefined;
+        allowedHosts?: string[] | undefined;
+    }>>;
+    secrets: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    browser: z.ZodDefault<z.ZodEnum<["none", "read", "control"]>>;
+    adb: z.ZodDefault<z.ZodEnum<["none", "read", "control"]>>;
+    git: z.ZodDefault<z.ZodEnum<["none", "read", "write"]>>;
+    agent: z.ZodDefault<z.ZodEnum<["none", "plan", "execute"]>>;
+}, "strip", z.ZodTypeAny, {
+    filesystem: {
+        mode: "none" | "read" | "write";
+        allowedDirectories: string[];
+    };
+    shell: {
+        mode: "none" | "allowed" | "custom";
+        allowedCommands: string[];
+    };
+    network: {
+        mode: "none" | "allowlist" | "all";
+        allowedHosts: string[];
+    };
+    secrets: string[];
+    browser: "none" | "read" | "control";
+    adb: "none" | "read" | "control";
+    git: "none" | "read" | "write";
+    agent: "none" | "plan" | "execute";
+}, {
+    filesystem?: {
+        mode?: "none" | "read" | "write" | undefined;
+        allowedDirectories?: string[] | undefined;
+    } | undefined;
+    shell?: {
+        mode?: "none" | "allowed" | "custom" | undefined;
+        allowedCommands?: string[] | undefined;
+    } | undefined;
+    network?: {
+        mode?: "none" | "allowlist" | "all" | undefined;
+        allowedHosts?: string[] | undefined;
+    } | undefined;
+    secrets?: string[] | undefined;
+    browser?: "none" | "read" | "control" | undefined;
+    adb?: "none" | "read" | "control" | undefined;
+    git?: "none" | "read" | "write" | undefined;
+    agent?: "none" | "plan" | "execute" | undefined;
+}>;
+export type SkillPermissions = z.infer<typeof SkillPermissionsSchema>;
+declare const CodingAgentConfig: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    command: z.ZodString;
+    args: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    planArgs: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    executeArgs: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    defaultPermissionMode: z.ZodDefault<z.ZodEnum<["plan", "execute"]>>;
+    maxTurns: z.ZodDefault<z.ZodNumber>;
+    timeoutMs: z.ZodDefault<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    enabled: boolean;
+    command: string;
+    args: string[];
+    planArgs: string[];
+    executeArgs: string[];
+    defaultPermissionMode: "plan" | "execute";
+    maxTurns: number;
+    timeoutMs: number;
+}, {
+    command: string;
+    enabled?: boolean | undefined;
+    args?: string[] | undefined;
+    planArgs?: string[] | undefined;
+    executeArgs?: string[] | undefined;
+    defaultPermissionMode?: "plan" | "execute" | undefined;
+    maxTurns?: number | undefined;
+    timeoutMs?: number | undefined;
+}>;
+export type CodingAgentConfig = z.infer<typeof CodingAgentConfig>;
+export declare const ConfigSchema: z.ZodObject<{
+    version: z.ZodDefault<z.ZodLiteral<1>>;
+    gateway: z.ZodDefault<z.ZodObject<{
+        host: z.ZodDefault<z.ZodString>;
+        port: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        host: string;
+        port: number;
+    }, {
+        host?: string | undefined;
+        port?: number | undefined;
+    }>>;
+    dashboard: z.ZodDefault<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        port: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        port: number;
+        enabled: boolean;
+    }, {
+        port?: number | undefined;
+        enabled?: boolean | undefined;
+    }>>;
+    tunnel: z.ZodDefault<z.ZodObject<{
+        provider: z.ZodDefault<z.ZodEnum<["cloudflared", "ngrok", "none"]>>;
+        publicUrl: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        provider: "none" | "cloudflared" | "ngrok";
+        publicUrl?: string | undefined;
+    }, {
+        provider?: "none" | "cloudflared" | "ngrok" | undefined;
+        publicUrl?: string | undefined;
+    }>>;
+    security: z.ZodDefault<z.ZodObject<{
+        allowedDirectories: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        allowedCommands: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        blockedCommandTokens: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        approveRisk1: z.ZodDefault<z.ZodBoolean>;
+        maxFileSizeBytes: z.ZodDefault<z.ZodNumber>;
+        maxOutputBytes: z.ZodDefault<z.ZodNumber>;
+        commandTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        logRetentionDays: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        allowedDirectories: string[];
+        allowedCommands: string[];
+        blockedCommandTokens: string[];
+        approveRisk1: boolean;
+        maxFileSizeBytes: number;
+        maxOutputBytes: number;
+        commandTimeoutMs: number;
+        logRetentionDays: number;
+    }, {
+        allowedDirectories?: string[] | undefined;
+        allowedCommands?: string[] | undefined;
+        blockedCommandTokens?: string[] | undefined;
+        approveRisk1?: boolean | undefined;
+        maxFileSizeBytes?: number | undefined;
+        maxOutputBytes?: number | undefined;
+        commandTimeoutMs?: number | undefined;
+        logRetentionDays?: number | undefined;
+    }>>;
+    codingAgents: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        command: z.ZodString;
+        args: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        planArgs: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        executeArgs: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        defaultPermissionMode: z.ZodDefault<z.ZodEnum<["plan", "execute"]>>;
+        maxTurns: z.ZodDefault<z.ZodNumber>;
+        timeoutMs: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        enabled: boolean;
+        command: string;
+        args: string[];
+        planArgs: string[];
+        executeArgs: string[];
+        defaultPermissionMode: "plan" | "execute";
+        maxTurns: number;
+        timeoutMs: number;
+    }, {
+        command: string;
+        enabled?: boolean | undefined;
+        args?: string[] | undefined;
+        planArgs?: string[] | undefined;
+        executeArgs?: string[] | undefined;
+        defaultPermissionMode?: "plan" | "execute" | undefined;
+        maxTurns?: number | undefined;
+        timeoutMs?: number | undefined;
+    }>>>;
+    mcpServers: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
+        command: z.ZodString;
+        args: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        transport: z.ZodDefault<z.ZodEnum<["stdio"]>>;
+        enabled: z.ZodDefault<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        enabled: boolean;
+        command: string;
+        args: string[];
+        transport: "stdio";
+    }, {
+        command: string;
+        enabled?: boolean | undefined;
+        args?: string[] | undefined;
+        transport?: "stdio" | undefined;
+    }>>>;
+    skillRegistry: z.ZodDefault<z.ZodObject<{
+        sources: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        sources: string[];
+    }, {
+        sources?: string[] | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    version: 1;
+    gateway: {
+        host: string;
+        port: number;
+    };
+    dashboard: {
+        port: number;
+        enabled: boolean;
+    };
+    tunnel: {
+        provider: "none" | "cloudflared" | "ngrok";
+        publicUrl?: string | undefined;
+    };
+    security: {
+        allowedDirectories: string[];
+        allowedCommands: string[];
+        blockedCommandTokens: string[];
+        approveRisk1: boolean;
+        maxFileSizeBytes: number;
+        maxOutputBytes: number;
+        commandTimeoutMs: number;
+        logRetentionDays: number;
+    };
+    codingAgents: Record<string, {
+        enabled: boolean;
+        command: string;
+        args: string[];
+        planArgs: string[];
+        executeArgs: string[];
+        defaultPermissionMode: "plan" | "execute";
+        maxTurns: number;
+        timeoutMs: number;
+    }>;
+    mcpServers: Record<string, {
+        enabled: boolean;
+        command: string;
+        args: string[];
+        transport: "stdio";
+    }>;
+    skillRegistry: {
+        sources: string[];
+    };
+}, {
+    version?: 1 | undefined;
+    gateway?: {
+        host?: string | undefined;
+        port?: number | undefined;
+    } | undefined;
+    dashboard?: {
+        port?: number | undefined;
+        enabled?: boolean | undefined;
+    } | undefined;
+    tunnel?: {
+        provider?: "none" | "cloudflared" | "ngrok" | undefined;
+        publicUrl?: string | undefined;
+    } | undefined;
+    security?: {
+        allowedDirectories?: string[] | undefined;
+        allowedCommands?: string[] | undefined;
+        blockedCommandTokens?: string[] | undefined;
+        approveRisk1?: boolean | undefined;
+        maxFileSizeBytes?: number | undefined;
+        maxOutputBytes?: number | undefined;
+        commandTimeoutMs?: number | undefined;
+        logRetentionDays?: number | undefined;
+    } | undefined;
+    codingAgents?: Record<string, {
+        command: string;
+        enabled?: boolean | undefined;
+        args?: string[] | undefined;
+        planArgs?: string[] | undefined;
+        executeArgs?: string[] | undefined;
+        defaultPermissionMode?: "plan" | "execute" | undefined;
+        maxTurns?: number | undefined;
+        timeoutMs?: number | undefined;
+    }> | undefined;
+    mcpServers?: Record<string, {
+        command: string;
+        enabled?: boolean | undefined;
+        args?: string[] | undefined;
+        transport?: "stdio" | undefined;
+    }> | undefined;
+    skillRegistry?: {
+        sources?: string[] | undefined;
+    } | undefined;
+}>;
+export type Config = z.infer<typeof ConfigSchema>;
+export declare function defaultConfig(): Config;
+export {};
+//# sourceMappingURL=config.d.ts.map

package/packages/shared/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,wEAAwE;AACxE,eAAO,MAAM,wBAAwB,EAAE,MAAM,EAe5C,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,EAAE,MAAM,EAgB1C,CAAC;AAiBF,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EASjC,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE,QAAA,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;EASrB,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AASlE,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA8DvB,CAAC;AAEH,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAElD,wBAAgB,aAAa,IAAI,MAAM,CAEtC"}

package/packages/shared/dist/config.js

@@ -0,0 +1,146 @@
+import { z } from "zod";
+import { defaultAllowedDirectories } from "./paths.js";
+/** Default command allowlist — safe, read-mostly developer commands. */
+export const DEFAULT_ALLOWED_COMMANDS = [
+    "pwd",
+    "ls",
+    "cat",
+    "git status",
+    "git diff",
+    "git log",
+    "git branch",
+    "pnpm test",
+    "pnpm build",
+    "pnpm lint",
+    "pnpm validate",
+    "npm test",
+    "npm run build",
+    "npm run lint",
+];
+/**
+ * Blocked command tokens. Matched against tokenized command words (after
+ * splitting on shell metacharacters), so `rm -rf` and `rm   -rf` and
+ * `a && rm -rf` are all caught regardless of spacing.
+ */
+export const BLOCKED_COMMAND_TOKENS = [
+    "sudo",
+    "su",
+    "mkfs",
+    "dd",
+    "chown",
+    "ssh",
+    "scp",
+    "rsync",
+    "diskutil",
+    "format",
+    "shutdown",
+    "reboot",
+    "killall",
+    "mkfs.ext4",
+    "fdisk",
+];
+const FilesystemPermission = z.object({
+    mode: z.enum(["none", "read", "write"]).default("read"),
+    allowedDirectories: z.array(z.string()).default([]),
+});
+const ShellPermission = z.object({
+    mode: z.enum(["none", "allowed", "custom"]).default("none"),
+    allowedCommands: z.array(z.string()).default([]),
+});
+const NetworkPermission = z.object({
+    mode: z.enum(["none", "allowlist", "all"]).default("none"),
+    allowedHosts: z.array(z.string()).default([]),
+});
+export const SkillPermissionsSchema = z.object({
+    filesystem: FilesystemPermission.default({ mode: "read", allowedDirectories: [] }),
+    shell: ShellPermission.default({ mode: "none", allowedCommands: [] }),
+    network: NetworkPermission.default({ mode: "none", allowedHosts: [] }),
+    secrets: z.array(z.string()).default([]),
+    browser: z.enum(["none", "read", "control"]).default("none"),
+    adb: z.enum(["none", "read", "control"]).default("none"),
+    git: z.enum(["none", "read", "write"]).default("none"),
+    agent: z.enum(["none", "plan", "execute"]).default("none"),
+});
+const CodingAgentConfig = z.object({
+    enabled: z.boolean().default(false),
+    command: z.string(),
+    args: z.array(z.string()).default([]),
+    planArgs: z.array(z.string()).default([]),
+    executeArgs: z.array(z.string()).default([]),
+    defaultPermissionMode: z.enum(["plan", "execute"]).default("plan"),
+    maxTurns: z.number().int().positive().default(10),
+    timeoutMs: z.number().int().positive().default(600_000),
+});
+const McpServerConfig = z.object({
+    command: z.string(),
+    args: z.array(z.string()).default([]),
+    transport: z.enum(["stdio"]).default("stdio"),
+    enabled: z.boolean().default(false),
+});
+export const ConfigSchema = z.object({
+    version: z.literal(1).default(1),
+    gateway: z
+        .object({
+        host: z.string().default("127.0.0.1"),
+        port: z.number().int().min(1).max(65535).default(8787),
+    })
+        .default({ host: "127.0.0.1", port: 8787 }),
+    dashboard: z
+        .object({
+        enabled: z.boolean().default(true),
+        port: z.number().int().min(1).max(65535).default(8788),
+    })
+        .default({ enabled: true, port: 8788 }),
+    tunnel: z
+        .object({
+        provider: z.enum(["cloudflared", "ngrok", "none"]).default("cloudflared"),
+        publicUrl: z.string().optional(),
+    })
+        .default({ provider: "cloudflared" }),
+    security: z
+        .object({
+        allowedDirectories: z.array(z.string()).default(defaultAllowedDirectories()),
+        allowedCommands: z.array(z.string()).default(DEFAULT_ALLOWED_COMMANDS),
+        blockedCommandTokens: z.array(z.string()).default(BLOCKED_COMMAND_TOKENS),
+        approveRisk1: z.boolean().default(false),
+        maxFileSizeBytes: z.number().int().positive().default(5_000_000),
+        maxOutputBytes: z.number().int().positive().default(100_000),
+        commandTimeoutMs: z.number().int().positive().default(120_000),
+        logRetentionDays: z.number().int().positive().default(30),
+    })
+        .default({}),
+    codingAgents: z
+        .record(z.string(), CodingAgentConfig)
+        .default({
+        "claude-code": {
+            enabled: false,
+            command: "claude",
+            args: [],
+            planArgs: ["-p"],
+            executeArgs: ["-p"],
+            defaultPermissionMode: "plan",
+            maxTurns: 10,
+            timeoutMs: 600_000,
+        },
+        codex: {
+            enabled: false,
+            command: "codex",
+            args: [],
+            planArgs: [],
+            executeArgs: [],
+            defaultPermissionMode: "plan",
+            maxTurns: 10,
+            timeoutMs: 600_000,
+        },
+    }),
+    mcpServers: z.record(z.string(), McpServerConfig).default({}),
+    skillRegistry: z
+        .object({
+        sources: z.array(z.string()).default([]),
+    })
+        .default({ sources: [] }),
+});
+export function defaultConfig() {
+    return ConfigSchema.parse({});
+}
+//# sourceMappingURL=config.js.map

package/packages/shared/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAEvD,wEAAwE;AACxE,MAAM,CAAC,MAAM,wBAAwB,GAAa;IAChD,KAAK;IACL,IAAI;IACJ,KAAK;IACL,YAAY;IACZ,UAAU;IACV,SAAS;IACT,YAAY;IACZ,WAAW;IACX,YAAY;IACZ,WAAW;IACX,eAAe;IACf,UAAU;IACV,eAAe;IACf,cAAc;CACf,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAa;IAC9C,MAAM;IACN,IAAI;IACJ,MAAM;IACN,IAAI;IACJ,OAAO;IACP,KAAK;IACL,KAAK;IACL,OAAO;IACP,UAAU;IACV,QAAQ;IACR,UAAU;IACV,QAAQ;IACR,SAAS;IACT,WAAW;IACX,OAAO;CACR,CAAC;AAEF,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IACvD,kBAAkB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CACpD,CAAC,CAAC;AAEH,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC3D,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CACjD,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC1D,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CAC9C,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7C,UAAU,EAAE,oBAAoB,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,EAAE,CAAC;IAClF,KAAK,EAAE,eAAe,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;IACrE,OAAO,EAAE,iBAAiB,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IACtE,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC5D,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IACxD,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IACtD,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;CAC3D,CAAC,CAAC;AAGH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACnC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACnB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACrC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACzC,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC5C,qBAAqB,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAClE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACjD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;CACxD,CAAC,CAAC;AAGH,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACnB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACrC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IAC7C,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACpC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAChC,OAAO,EAAE,CAAC;SACP,MAAM,CAAC;QACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC;QACrC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;KACvD,CAAC;SACD,OAAO,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IAC7C,SAAS,EAAE,CAAC;SACT,MAAM,CAAC;QACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QAClC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;KACvD,CAAC;SACD,OAAO,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACzC,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;QACzE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACjC,CAAC;SACD,OAAO,CAAC,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC;IACvC,QAAQ,EAAE,CAAC;SACR,MAAM,CAAC;QACN,kBAAkB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,yBAAyB,EAAE,CAAC;QAC5E,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,wBAAwB,CAAC;QACtE,oBAAoB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,sBAAsB,CAAC;QACzE,YAAY,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;QACxC,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;QAChE,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;QAC5D,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;QAC9D,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;KAC1D,CAAC;SACD,OAAO,CAAC,EAAE,CAAC;IACd,YAAY,EAAE,CAAC;SACZ,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC;SACrC,OAAO,CAAC;QACP,aAAa,EAAE;YACb,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,QAAQ;YACjB,IAAI,EAAE,EAAE;YACR,QAAQ,EAAE,CAAC,IAAI,CAAC;YAChB,WAAW,EAAE,CAAC,IAAI,CAAC;YACnB,qBAAqB,EAAE,MAAM;YAC7B,QAAQ,EAAE,EAAE;YACZ,SAAS,EAAE,OAAO;SACnB;QACD,KAAK,EAAE;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE,EAAE;YACR,QAAQ,EAAE,EAAE;YACZ,WAAW,EAAE,EAAE;YACf,qBAAqB,EAAE,MAAM;YAC7B,QAAQ,EAAE,EAAE;YACZ,SAAS,EAAE,OAAO;SACnB;KACF,CAAC;IACJ,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,eAAe,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC7D,aAAa,EAAE,CAAC;SACb,MAAM,CAAC;QACN,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;KACzC,CAAC;SACD,OAAO,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;CAC5B,CAAC,CAAC;AAIH,MAAM,UAAU,aAAa;IAC3B,OAAO,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;AAChC,CAAC"}

package/packages/shared/dist/index.d.ts

@@ -0,0 +1,8 @@
+export * from "./paths.js";
+export * from "./net.js";
+export * from "./risk.js";
+export * from "./redaction.js";
+export * from "./config.js";
+export * from "./types.js";
+export * from "./logger.js";
+//# sourceMappingURL=index.d.ts.map

package/packages/shared/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,UAAU,CAAC;AACzB,cAAc,WAAW,CAAC;AAC1B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC"}

package/packages/shared/dist/index.js

@@ -0,0 +1,8 @@
+export * from "./paths.js";
+export * from "./net.js";
+export * from "./risk.js";
+export * from "./redaction.js";
+export * from "./config.js";
+export * from "./types.js";
+export * from "./logger.js";
+//# sourceMappingURL=index.js.map

package/packages/shared/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,UAAU,CAAC;AACzB,cAAc,WAAW,CAAC;AAC1B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC"}

package/packages/shared/dist/logger.d.ts

@@ -0,0 +1,8 @@
+export declare function createLogger(scope: string): {
+    debug: (msg: string, extra?: unknown) => void;
+    info: (msg: string, extra?: unknown) => void;
+    warn: (msg: string, extra?: unknown) => void;
+    error: (msg: string, extra?: unknown) => void;
+};
+export type Logger = ReturnType<typeof createLogger>;
+//# sourceMappingURL=logger.d.ts.map

package/packages/shared/dist/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAqBA,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM;iBAEzB,MAAM,UAAU,OAAO;gBACxB,MAAM,UAAU,OAAO;gBACvB,MAAM,UAAU,OAAO;iBACtB,MAAM,UAAU,OAAO;EAEvC;AAED,MAAM,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC"}

package/packages/shared/dist/logger.js

@@ -0,0 +1,26 @@
+const order = { debug: 0, info: 1, warn: 2, error: 3 };
+function currentLevel() {
+    const env = (process.env.CLA_LOG_LEVEL ?? "info").toLowerCase();
+    return (["debug", "info", "warn", "error"].includes(env) ? env : "info");
+}
+function log(level, scope, msg, extra) {
+    if (order[level] < order[currentLevel()])
+        return;
+    const ts = new Date().toISOString();
+    const prefix = `${ts} ${level.toUpperCase().padEnd(5)} [${scope}]`;
+    if (extra !== undefined) {
+        console.error(prefix, msg, extra);
+    }
+    else {
+        console.error(prefix, msg);
+    }
+}
+export function createLogger(scope) {
+    return {
+        debug: (msg, extra) => log("debug", scope, msg, extra),
+        info: (msg, extra) => log("info", scope, msg, extra),
+        warn: (msg, extra) => log("warn", scope, msg, extra),
+        error: (msg, extra) => log("error", scope, msg, extra),
+    };
+}
+//# sourceMappingURL=logger.js.map

package/packages/shared/dist/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAGA,MAAM,KAAK,GAA0B,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;AAE9E,SAAS,YAAY;IACnB,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;IAChE,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAU,CAAC;AACpF,CAAC;AAED,SAAS,GAAG,CAAC,KAAY,EAAE,KAAa,EAAE,GAAW,EAAE,KAAe;IACpE,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC,YAAY,EAAE,CAAC;QAAE,OAAO;IACjD,MAAM,EAAE,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACpC,MAAM,MAAM,GAAG,GAAG,EAAE,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,KAAK,GAAG,CAAC;IACnE,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACpC,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,OAAO;QACL,KAAK,EAAE,CAAC,GAAW,EAAE,KAAe,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,CAAC;QACxE,IAAI,EAAE,CAAC,GAAW,EAAE,KAAe,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,CAAC;QACtE,IAAI,EAAE,CAAC,GAAW,EAAE,KAAe,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,CAAC;QACtE,KAAK,EAAE,CAAC,GAAW,EAAE,KAAe,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,CAAC;KACzE,CAAC;AACJ,CAAC"}

package/packages/shared/dist/net.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Find an available TCP port, starting at `preferred` and scanning upward.
+ * Ports listed in `skip` are treated as taken (used to avoid the gateway and
+ * dashboard colliding with each other). Throws if none is free within range.
+ *
+ * This is what lets setup survive a busy default port — e.g. Cloudflare's
+ * `workerd`/`wrangler dev`, which also defaults to 8787.
+ */
+export declare function findAvailablePort(preferred: number, host?: string, skip?: number[], attempts?: number): Promise<number>;
+//# sourceMappingURL=net.d.ts.map

package/packages/shared/dist/net.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"net.d.ts","sourceRoot":"","sources":["../src/net.ts"],"names":[],"mappings":"AAcA;;;;;;;GAOG;AACH,wBAAsB,iBAAiB,CACrC,SAAS,EAAE,MAAM,EACjB,IAAI,SAAc,EAClB,IAAI,GAAE,MAAM,EAAO,EACnB,QAAQ,SAAK,GACZ,OAAO,CAAC,MAAM,CAAC,CAYjB"}

package/packages/shared/dist/net.js

@@ -0,0 +1,35 @@
+import net from "node:net";
+/** Resolve true if a TCP port can be bound on the given host. */
+function isPortFree(port, host) {
+    return new Promise((resolve) => {
+        const server = net.createServer();
+        server.once("error", () => resolve(false));
+        server.once("listening", () => {
+            server.close(() => resolve(true));
+        });
+        server.listen(port, host);
+    });
+}
+/**
+ * Find an available TCP port, starting at `preferred` and scanning upward.
+ * Ports listed in `skip` are treated as taken (used to avoid the gateway and
+ * dashboard colliding with each other). Throws if none is free within range.
+ *
+ * This is what lets setup survive a busy default port — e.g. Cloudflare's
+ * `workerd`/`wrangler dev`, which also defaults to 8787.
+ */
+export async function findAvailablePort(preferred, host = "127.0.0.1", skip = [], attempts = 50) {
+    const taken = new Set(skip);
+    for (let i = 0; i < attempts; i++) {
+        const port = preferred + i;
+        if (port > 65535)
+            break;
+        if (taken.has(port))
+            continue;
+        if (await isPortFree(port, host))
+            return port;
+    }
+    throw new Error(`No free port found near ${preferred} on ${host} (tried ${attempts}). ` +
+        `Set gateway.port to a free port in config.json.`);
+}
+//# sourceMappingURL=net.js.map