longer-agent 0.1.0

package/dist/providers/openrouter.js

@@ -0,0 +1,177 @@
+/**
+ * OpenRouter provider adapter.
+ *
+ * Extends OpenAIChatProvider with:
+ * - Automatic base_url defaulting and HTTP-Referer / X-Title headers
+ * - OpenRouter-style reasoning params (reasoning: { effort } in extra_body)
+ * - reasoning_details extraction from non-streaming responses
+ * - reasoning_details round-trip on assistant messages
+ */
+import OpenAI from "openai";
+import { OpenAIChatProvider } from "./openai-chat.js";
+const OPENROUTER_BASE_URL = "https://openrouter.ai/api/v1";
+/** Map LongerAgent thinking levels to OpenRouter reasoning effort values. */
+const EFFORT_MAP = {
+    minimal: "minimal",
+    low: "low",
+    medium: "medium",
+    high: "high",
+    xhigh: "xhigh",
+    max: "xhigh", // Anthropic "max" → OpenRouter's highest effort
+    on: "high", // binary on/off models → default to high
+};
+export class OpenRouterProvider extends OpenAIChatProvider {
+    constructor(config) {
+        const headerExtra = config.extra ?? {};
+        const sanitizedExtra = Object.fromEntries(Object.entries(headerExtra).filter(([k]) => k !== "http_referer" && k !== "x_title"));
+        super({
+            ...config,
+            extra: sanitizedExtra,
+        });
+        // Rebuild client with OpenRouter-specific settings
+        const baseUrl = config.baseUrl || OPENROUTER_BASE_URL;
+        const headers = {};
+        if (config.extra?.["http_referer"]) {
+            headers["HTTP-Referer"] = config.extra["http_referer"];
+        }
+        if (config.extra?.["x_title"]) {
+            headers["X-Title"] = config.extra["x_title"];
+        }
+        this._client = new OpenAI({
+            apiKey: config.apiKey,
+            baseURL: baseUrl,
+            defaultHeaders: Object.keys(headers).length > 0 ? headers : undefined,
+        });
+    }
+    // ------------------------------------------------------------------
+    // Thinking / reasoning params — OpenRouter unified format
+    // ------------------------------------------------------------------
+    _applyThinkingParams(kwargs, options) {
+        if (!this._config.supportsThinking)
+            return;
+        const level = options?.thinkingLevel;
+        // Explicitly disable reasoning
+        if (level === "off" || level === "none") {
+            const extraBody = kwargs["extra_body"] || {};
+            extraBody["reasoning"] = { effort: "none" };
+            kwargs["extra_body"] = extraBody;
+            return;
+        }
+        // Build reasoning config
+        const reasoningConfig = {};
+        if (this._config.thinkingBudget > 0) {
+            // Use max_tokens for reasoning when thinkingBudget is explicitly set
+            reasoningConfig["max_tokens"] = this._config.thinkingBudget;
+        }
+        else {
+            // Map thinking level to effort
+            const effort = (level && level !== "default")
+                ? (EFFORT_MAP[level] ?? "high")
+                : "high";
+            reasoningConfig["effort"] = effort;
+        }
+        const extraBody = kwargs["extra_body"] || {};
+        extraBody["reasoning"] = reasoningConfig;
+        kwargs["extra_body"] = extraBody;
+        // Do NOT delete temperature or swap max_tokens → max_completion_tokens.
+        // OpenRouter normalizes these per-model internally.
+    }
+    _augmentRequestKwargs(kwargs, ctx) {
+        if (!ctx.hasNativeWebSearch)
+            return;
+        const existing = Array.isArray(kwargs["plugins"])
+            ? [...kwargs["plugins"]]
+            : [];
+        const hasWebPlugin = existing.some((plugin) => plugin && typeof plugin === "object" && plugin["id"] === "web");
+        if (!hasWebPlugin) {
+            existing.push({ id: "web" });
+        }
+        kwargs["plugins"] = existing;
+    }
+    // ------------------------------------------------------------------
+    // Response post-processing — extract reasoning_details
+    // ------------------------------------------------------------------
+    async sendMessage(messages, tools, options) {
+        const result = await super.sendMessage(messages, tools, options);
+        // Non-streaming: the base class _parseResponse (private) only extracts
+        // reasoning_content (string). OpenRouter also returns reasoning_details
+        // (structured array) which we want for faithful round-tripping.
+        // Streaming already handles reasoning_details via _callStream.
+        if (result.raw && (!result.reasoningContent || result.reasoningState === result.reasoningContent)) {
+            try {
+                const raw = result.raw;
+                const choices = raw["choices"] || [];
+                if (choices.length > 0) {
+                    const message = choices[0]["message"];
+                    if (message) {
+                        const details = message["reasoning_details"];
+                        if (Array.isArray(details) && details.length > 0) {
+                            const texts = [];
+                            for (const item of details) {
+                                if (typeof item === "string") {
+                                    texts.push(item);
+                                    continue;
+                                }
+                                if (item && typeof item === "object") {
+                                    const obj = item;
+                                    const text = obj["content"]
+                                        || obj["text"]
+                                        || "";
+                                    if (text)
+                                        texts.push(text);
+                                    // Extract from summary arrays
+                                    if (Array.isArray(obj["summary"])) {
+                                        for (const s of obj["summary"]) {
+                                            const st = s["text"] || "";
+                                            if (st)
+                                                texts.push(st);
+                                        }
+                                    }
+                                }
+                            }
+                            if (texts.length > 0) {
+                                result.reasoningContent = texts.join("\n");
+                                result.reasoningState = details; // Preserve structured data for round-trip
+                            }
+                        }
+                    }
+                }
+            }
+            catch {
+                // Ignore extraction errors — reasoning_content from base class is still usable
+            }
+        }
+        return result;
+    }
+    // ------------------------------------------------------------------
+    // Message conversion — reasoning_details round-trip
+    // ------------------------------------------------------------------
+    _convertMessages(messages) {
+        const converted = super._convertMessages(messages);
+        // Enrich assistant messages with reasoning_details from _reasoning_state
+        // for faithful round-tripping through OpenRouter.
+        // Use simple ordinal mapping: base class preserves assistant message order.
+        const originals = messages;
+        const origAssistantIndices = [];
+        const convAssistantIndices = [];
+        for (let i = 0; i < originals.length; i++) {
+            if (originals[i]["role"] === "assistant")
+                origAssistantIndices.push(i);
+        }
+        for (let i = 0; i < converted.length; i++) {
+            if (converted[i]["role"] === "assistant")
+                convAssistantIndices.push(i);
+        }
+        const count = Math.min(origAssistantIndices.length, convAssistantIndices.length);
+        for (let i = 0; i < count; i++) {
+            const orig = originals[origAssistantIndices[i]];
+            const conv = converted[convAssistantIndices[i]];
+            const state = orig["_reasoning_state"];
+            if (state && Array.isArray(state)) {
+                conv["reasoning_details"] = state;
+            }
+        }
+        return converted;
+    }
+}
+//# sourceMappingURL=openrouter.js.map

package/dist/providers/openrouter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"openrouter.js","sourceRoot":"","sources":["../../src/providers/openrouter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAQ5B,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAEtD,MAAM,mBAAmB,GAAG,8BAA8B,CAAC;AAE3D,6EAA6E;AAC7E,MAAM,UAAU,GAA2B;IACzC,OAAO,EAAE,SAAS;IAClB,GAAG,EAAE,KAAK;IACV,MAAM,EAAE,QAAQ;IAChB,IAAI,EAAE,MAAM;IACZ,KAAK,EAAE,OAAO;IACd,GAAG,EAAE,OAAO,EAAK,gDAAgD;IACjE,EAAE,EAAE,MAAM,EAAQ,yCAAyC;CAC5D,CAAC;AAEF,MAAM,OAAO,kBAAmB,SAAQ,kBAAkB;IACxD,YAAY,MAAmB;QAC7B,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACvC,MAAM,cAAc,GAAG,MAAM,CAAC,WAAW,CACvC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,MAAM,CAChC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,cAAc,IAAI,CAAC,KAAK,SAAS,CACjD,CACF,CAAC;QACF,KAAK,CAAC;YACJ,GAAG,MAAM;YACT,KAAK,EAAE,cAAc;SACtB,CAAC,CAAC;QACH,mDAAmD;QACnD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,mBAAmB,CAAC;QACtD,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC,cAAc,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,cAAc,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,cAAc,CAAW,CAAC;QACnE,CAAC;QACD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9B,OAAO,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAW,CAAC;QACzD,CAAC;QACD,IAAI,CAAC,OAAO,GAAG,IAAI,MAAM,CAAC;YACxB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,OAAO;YAChB,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;SACtE,CAAC,CAAC;IACL,CAAC;IAED,qEAAqE;IACrE,0DAA0D;IAC1D,qEAAqE;IAElD,oBAAoB,CACrC,MAA+B,EAC/B,OAA4B;QAE5B,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,gBAAgB;YAAE,OAAO;QAE3C,MAAM,KAAK,GAAG,OAAO,EAAE,aAAa,CAAC;QAErC,+BAA+B;QAC/B,IAAI,KAAK,KAAK,KAAK,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;YACxC,MAAM,SAAS,GAAI,MAAM,CAAC,YAAY,CAA6B,IAAI,EAAE,CAAC;YAC1E,SAAS,CAAC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;YAC5C,MAAM,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC;YACjC,OAAO;QACT,CAAC;QAED,yBAAyB;QACzB,MAAM,eAAe,GAA4B,EAAE,CAAC;QAEpD,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,GAAG,CAAC,EAAE,CAAC;YACpC,qEAAqE;YACrE,eAAe,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;QAC9D,CAAC;aAAM,CAAC;YACN,+BAA+B;YAC/B,MAAM,MAAM,GAAG,CAAC,KAAK,IAAI,KAAK,KAAK,SAAS,CAAC;gBAC3C,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC;gBAC/B,CAAC,CAAC,MAAM,CAAC;YACX,eAAe,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC;QACrC,CAAC;QAED,MAAM,SAAS,GAAI,MAAM,CAAC,YAAY,CAA6B,IAAI,EAAE,CAAC;QAC1E,SAAS,CAAC,WAAW,CAAC,GAAG,eAAe,CAAC;QACzC,MAAM,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC;QAEjC,wEAAwE;QACxE,oDAAoD;IACtD,CAAC;IAEkB,qBAAqB,CACtC,MAA+B,EAC/B,GAIC;QAED,IAAI,CAAC,GAAG,CAAC,kBAAkB;YAAE,OAAO;QAEpC,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC/C,CAAC,CAAC,CAAC,GAAI,MAAM,CAAC,SAAS,CAA+B,CAAC;YACvD,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAC5C,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,KAAK,CAC/D,CAAC;QACF,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/B,CAAC;QACD,MAAM,CAAC,SAAS,CAAC,GAAG,QAAQ,CAAC;IAC/B,CAAC;IAED,qEAAqE;IACrE,uDAAuD;IACvD,qEAAqE;IAE5D,KAAK,CAAC,WAAW,CACxB,QAAmB,EACnB,KAAiB,EACjB,OAA4B;QAE5B,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;QAEjE,uEAAuE;QACvE,wEAAwE;QACxE,gEAAgE;QAChE,+DAA+D;QAC/D,IAAI,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC,gBAAgB,IAAI,MAAM,CAAC,cAAc,KAAK,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAClG,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,CAAC,GAA8B,CAAC;gBAClD,MAAM,OAAO,GAAI,GAAG,CAAC,SAAS,CAA+B,IAAI,EAAE,CAAC;gBACpE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACvB,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAwC,CAAC;oBAC7E,IAAI,OAAO,EAAE,CAAC;wBACZ,MAAM,OAAO,GAAG,OAAO,CAAC,mBAAmB,CAA0B,CAAC;wBACtE,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;4BACjD,MAAM,KAAK,GAAa,EAAE,CAAC;4BAC3B,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;gCAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;oCAC7B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oCACjB,SAAS;gCACX,CAAC;gCACD,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;oCACrC,MAAM,GAAG,GAAG,IAA+B,CAAC;oCAC5C,MAAM,IAAI,GAAI,GAAG,CAAC,SAAS,CAAY;2CACjC,GAAG,CAAC,MAAM,CAAY;2CACvB,EAAE,CAAC;oCACR,IAAI,IAAI;wCAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oCAC3B,8BAA8B;oCAC9B,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;wCAClC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,SAAS,CAA8B,EAAE,CAAC;4CAC5D,MAAM,EAAE,GAAI,CAAC,CAAC,MAAM,CAAY,IAAI,EAAE,CAAC;4CACvC,IAAI,EAAE;gDAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;wCACzB,CAAC;oCACH,CAAC;gCACH,CAAC;4BACH,CAAC;4BACD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gCACrB,MAAM,CAAC,gBAAgB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gCAC3C,MAAM,CAAC,cAAc,GAAG,OAAO,CAAC,CAAC,0CAA0C;4BAC7E,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,+EAA+E;YACjF,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,qEAAqE;IACrE,oDAAoD;IACpD,qEAAqE;IAElD,gBAAgB,CACjC,QAAmB;QAEnB,MAAM,SAAS,GAAG,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAEnD,yEAAyE;QACzE,kDAAkD;QAClD,4EAA4E;QAC5E,MAAM,SAAS,GAAG,QAAgD,CAAC;QACnE,MAAM,oBAAoB,GAAa,EAAE,CAAC;QAC1C,MAAM,oBAAoB,GAAa,EAAE,CAAC;QAE1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,IAAI,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,WAAW;gBAAE,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzE,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,IAAI,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,WAAW;gBAAE,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzE,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAC,MAAM,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC;QACjF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,SAAS,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC;YAChD,MAAM,IAAI,GAAG,SAAS,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC;YAChD,MAAM,KAAK,GAAG,IAAI,CAAC,kBAAkB,CAAC,CAAC;YACvC,IAAI,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAClC,IAAI,CAAC,mBAAmB,CAAC,GAAG,KAAK,CAAC;YACpC,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;CACF"}

package/dist/providers/registry.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Provider factory — maps provider identifiers to concrete provider classes.
+ */
+import type { ModelConfig } from "../config.js";
+import type { BaseProvider } from "./base.js";
+export declare function createProvider(config: ModelConfig): BaseProvider;
+//# sourceMappingURL=registry.d.ts.map

package/dist/providers/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/providers/registry.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAS9C,wBAAgB,cAAc,CAAC,MAAM,EAAE,WAAW,GAAG,YAAY,CAoChE"}

package/dist/providers/registry.js

@@ -0,0 +1,38 @@
+/**
+ * Provider factory — maps provider identifiers to concrete provider classes.
+ */
+import { AnthropicProvider } from "./anthropic.js";
+import { OpenAIResponsesProvider } from "./openai-responses.js";
+import { OpenAIChatProvider } from "./openai-chat.js";
+import { KimiProvider } from "./kimi.js";
+import { GLMProvider } from "./glm.js";
+import { MiniMaxProvider } from "./minimax.js";
+import { OpenRouterProvider } from "./openrouter.js";
+export function createProvider(config) {
+    const provider = config.provider.toLowerCase();
+    if (provider === "anthropic") {
+        return new AnthropicProvider(config);
+    }
+    if (provider === "openai" || provider === "openai-codex") {
+        return new OpenAIResponsesProvider(config);
+    }
+    if (provider === "openai-chat") {
+        return new OpenAIChatProvider(config);
+    }
+    if (provider === "kimi-cn" || provider === "kimi-ai" || provider === "kimi" || provider === "kimi-code") {
+        return new KimiProvider(config);
+    }
+    if (provider === "glm" || provider === "glm-intl" || provider === "glm-code" || provider === "glm-intl-code") {
+        return new GLMProvider(config);
+    }
+    if (provider === "minimax" || provider === "minimax-cn") {
+        return new MiniMaxProvider(config);
+    }
+    if (provider === "openrouter") {
+        return new OpenRouterProvider(config);
+    }
+    throw new Error(`Unknown provider '${config.provider}'. ` +
+        "Supported: anthropic, openai, openai-codex, openai-chat, kimi, kimi-cn, kimi-ai, kimi-code, " +
+        "glm, glm-intl, glm-code, glm-intl-code, minimax, minimax-cn, openrouter");
+}
+//# sourceMappingURL=registry.js.map

package/dist/providers/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/providers/registry.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAErD,MAAM,UAAU,cAAc,CAAC,MAAmB;IAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAE/C,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;QAC7B,OAAO,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,cAAc,EAAE,CAAC;QACzD,OAAO,IAAI,uBAAuB,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC;IAED,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC/B,OAAO,IAAI,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;QACxG,OAAO,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAED,IAAI,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,eAAe,EAAE,CAAC;QAC7G,OAAO,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAED,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;QACxD,OAAO,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC9B,OAAO,IAAI,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,IAAI,KAAK,CACb,qBAAqB,MAAM,CAAC,QAAQ,KAAK;QACvC,8FAA8F;QAC9F,yEAAyE,CAC5E,CAAC;AACJ,CAAC"}

package/dist/security/path.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Unified path safety checks for file-accessing features.
+ *
+ * Phase 1 scope:
+ * - Enforce a directory boundary (project root / session artifacts)
+ * - Prevent lexical traversal (`..`) and prefix-collision mistakes
+ * - Reject symlink escapes via canonical (realpath) checks
+ * - Support create paths by validating the nearest existing ancestor
+ */
+export type PathAccessKind = "read" | "write" | "list" | "search" | "attach" | "template" | "spawn_call_file" | "diff";
+export type PathDecision = "allow" | "deny_external" | "deny_symlink";
+export interface SafePathOptions {
+    baseDir: string;
+    requestedPath: string;
+    cwd?: string;
+    mustExist?: boolean;
+    allowCreate?: boolean;
+    expectDirectory?: boolean;
+    expectFile?: boolean;
+    accessKind: PathAccessKind;
+    followSymlinks?: boolean;
+}
+export interface SafePathResult {
+    requestedPath: string;
+    resolvedPath: string;
+    canonicalPath?: string;
+    baseDirResolved: string;
+    baseDirCanonical?: string;
+    decision: PathDecision;
+    safePath?: string;
+    reason?: string;
+    isOutsideByLexical?: boolean;
+    isOutsideByCanonical?: boolean;
+    crossedSymlinkBoundary?: boolean;
+}
+type SafePathErrorCode = "PATH_OUTSIDE_SCOPE" | "PATH_SYMLINK_ESCAPES_SCOPE" | "PATH_NOT_FOUND" | "PATH_NOT_FILE" | "PATH_NOT_DIRECTORY" | "PATH_INVALID_INPUT";
+export declare class SafePathError extends Error {
+    code: SafePathErrorCode;
+    details: SafePathResult;
+    constructor(code: SafePathErrorCode, message: string, details: SafePathResult);
+}
+/**
+ * Resolve and validate a path against a single allowed base directory.
+ *
+ * Phase 1 behavior:
+ * - Paths outside the base are denied
+ * - Symlink escapes are denied (future phases may map this to an `ask`)
+ */
+export declare function safePath(opts: SafePathOptions): SafePathResult;
+export {};
+//# sourceMappingURL=path.d.ts.map

package/dist/security/path.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path.d.ts","sourceRoot":"","sources":["../../src/security/path.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,MAAM,cAAc,GACtB,MAAM,GACN,OAAO,GACP,MAAM,GACN,QAAQ,GACR,QAAQ,GACR,UAAU,GACV,iBAAiB,GACjB,MAAM,CAAC;AAEX,MAAM,MAAM,YAAY,GACpB,OAAO,GACP,eAAe,GACf,cAAc,CAAC;AAEnB,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,MAAM,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,UAAU,EAAE,cAAc,CAAC;IAC3B,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,cAAc;IAC7B,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,KAAK,iBAAiB,GAClB,oBAAoB,GACpB,4BAA4B,GAC5B,gBAAgB,GAChB,eAAe,GACf,oBAAoB,GACpB,oBAAoB,CAAC;AAEzB,qBAAa,aAAc,SAAQ,KAAK;IACtC,IAAI,EAAE,iBAAiB,CAAC;IACxB,OAAO,EAAE,cAAc,CAAC;gBAGtB,IAAI,EAAE,iBAAiB,EACvB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,cAAc;CAO1B;AAwCD;;;;;;GAMG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,eAAe,GAAG,cAAc,CAkI9D"}

package/dist/security/path.js

@@ -0,0 +1,187 @@
+/**
+ * Unified path safety checks for file-accessing features.
+ *
+ * Phase 1 scope:
+ * - Enforce a directory boundary (project root / session artifacts)
+ * - Prevent lexical traversal (`..`) and prefix-collision mistakes
+ * - Reject symlink escapes via canonical (realpath) checks
+ * - Support create paths by validating the nearest existing ancestor
+ */
+import { existsSync, realpathSync, statSync } from "node:fs";
+import path from "node:path";
+export class SafePathError extends Error {
+    code;
+    details;
+    constructor(code, message, details) {
+        super(message);
+        this.name = "SafePathError";
+        this.code = code;
+        this.details = details;
+    }
+}
+function isWithinBase(baseAbs, candidateAbs) {
+    const rel = path.relative(baseAbs, candidateAbs);
+    if (rel === "")
+        return true;
+    if (path.isAbsolute(rel))
+        return false; // Windows cross-drive safety
+    return !rel.startsWith("..");
+}
+function nearestExistingAncestor(targetAbs) {
+    let current = targetAbs;
+    while (true) {
+        if (existsSync(current))
+            return current;
+        const parent = path.dirname(current);
+        if (parent === current)
+            return null;
+        current = parent;
+    }
+}
+function makeBaseResult(opts, baseDirResolved, resolvedPath) {
+    return {
+        requestedPath: opts.requestedPath,
+        resolvedPath,
+        baseDirResolved,
+        decision: "deny_external",
+    };
+}
+function fail(code, message, result) {
+    throw new SafePathError(code, message, result);
+}
+/**
+ * Resolve and validate a path against a single allowed base directory.
+ *
+ * Phase 1 behavior:
+ * - Paths outside the base are denied
+ * - Symlink escapes are denied (future phases may map this to an `ask`)
+ */
+export function safePath(opts) {
+    const requested = String(opts.requestedPath ?? "");
+    const baseRaw = String(opts.baseDir ?? "");
+    if (!requested.trim()) {
+        const result = {
+            requestedPath: requested,
+            resolvedPath: "",
+            baseDirResolved: path.resolve(baseRaw || "."),
+            decision: "deny_external",
+            reason: "Empty path.",
+        };
+        fail("PATH_INVALID_INPUT", "Path cannot be empty.", result);
+    }
+    if (!baseRaw.trim()) {
+        const result = {
+            requestedPath: requested,
+            resolvedPath: path.resolve(requested),
+            baseDirResolved: path.resolve("."),
+            decision: "deny_external",
+            reason: "Invalid base directory.",
+        };
+        fail("PATH_INVALID_INPUT", "Base directory cannot be empty.", result);
+    }
+    const baseDirResolved = path.resolve(baseRaw);
+    const cwd = opts.cwd ? path.resolve(opts.cwd) : process.cwd();
+    const resolvedPath = path.isAbsolute(requested)
+        ? path.resolve(requested)
+        : path.resolve(cwd, requested);
+    const result = makeBaseResult(opts, baseDirResolved, resolvedPath);
+    // 1) Lexical boundary check
+    const outsideLexical = !isWithinBase(baseDirResolved, resolvedPath);
+    result.isOutsideByLexical = outsideLexical;
+    if (outsideLexical) {
+        result.reason = "Path is outside the allowed directory boundary.";
+        fail("PATH_OUTSIDE_SCOPE", result.reason, result);
+    }
+    // 2) Existence / type checks
+    const mustExist = opts.mustExist === true;
+    const allowCreate = opts.allowCreate === true;
+    const exists = existsSync(resolvedPath);
+    if (mustExist && !exists) {
+        result.reason = `Path does not exist: ${resolvedPath}`;
+        fail("PATH_NOT_FOUND", result.reason, result);
+    }
+    if (!exists && !mustExist && !allowCreate) {
+        result.reason = `Path does not exist: ${resolvedPath}`;
+        fail("PATH_NOT_FOUND", result.reason, result);
+    }
+    // 3) Canonical (realpath) boundary check to prevent symlink escapes
+    const followSymlinks = opts.followSymlinks !== false;
+    if (followSymlinks) {
+        let baseCanonical;
+        try {
+            if (existsSync(baseDirResolved)) {
+                baseCanonical = realpathSync(baseDirResolved);
+                result.baseDirCanonical = baseCanonical;
+            }
+        }
+        catch {
+            // If the base cannot be canonicalized, fall back to lexical checks.
+        }
+        if (baseCanonical) {
+            if (exists) {
+                try {
+                    const candidateCanonical = realpathSync(resolvedPath);
+                    result.canonicalPath = candidateCanonical;
+                    const outsideCanonical = !isWithinBase(baseCanonical, candidateCanonical);
+                    result.isOutsideByCanonical = outsideCanonical;
+                    if (outsideCanonical) {
+                        result.canonicalPath = candidateCanonical;
+                        result.crossedSymlinkBoundary = true;
+                        result.decision = "deny_symlink";
+                        result.reason = "Path escapes the allowed directory via a symbolic link.";
+                        fail("PATH_SYMLINK_ESCAPES_SCOPE", result.reason, result);
+                    }
+                }
+                catch (e) {
+                    if (e instanceof SafePathError)
+                        throw e;
+                    // If canonicalization fails for an existing path, rely on lexical + stat checks.
+                }
+            }
+            else if (allowCreate) {
+                const ancestor = nearestExistingAncestor(resolvedPath);
+                if (ancestor) {
+                    try {
+                        const ancestorCanonical = realpathSync(ancestor);
+                        const outsideCanonical = !isWithinBase(baseCanonical, ancestorCanonical);
+                        result.canonicalPath = ancestorCanonical;
+                        result.isOutsideByCanonical = outsideCanonical;
+                        if (outsideCanonical) {
+                            result.crossedSymlinkBoundary = true;
+                            result.decision = "deny_symlink";
+                            result.reason = "Path escapes the allowed directory via a symbolic link in its parent path.";
+                            fail("PATH_SYMLINK_ESCAPES_SCOPE", result.reason, result);
+                        }
+                    }
+                    catch (e) {
+                        if (e instanceof SafePathError)
+                            throw e;
+                        // ignore canonical failure; lexical check already passed
+                    }
+                }
+            }
+        }
+    }
+    if (exists) {
+        let st;
+        try {
+            st = statSync(resolvedPath);
+        }
+        catch (e) {
+            result.reason = `Failed to stat path: ${e instanceof Error ? e.message : String(e)}`;
+            fail("PATH_INVALID_INPUT", result.reason, result);
+        }
+        if (opts.expectFile && !st.isFile()) {
+            result.reason = `Expected a file: ${resolvedPath}`;
+            fail("PATH_NOT_FILE", result.reason, result);
+        }
+        if (opts.expectDirectory && !st.isDirectory()) {
+            result.reason = `Expected a directory: ${resolvedPath}`;
+            fail("PATH_NOT_DIRECTORY", result.reason, result);
+        }
+    }
+    result.decision = "allow";
+    result.safePath = resolvedPath;
+    return result;
+}
+//# sourceMappingURL=path.js.map

package/dist/security/path.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path.js","sourceRoot":"","sources":["../../src/security/path.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,IAAI,MAAM,WAAW,CAAC;AAmD7B,MAAM,OAAO,aAAc,SAAQ,KAAK;IACtC,IAAI,CAAoB;IACxB,OAAO,CAAiB;IAExB,YACE,IAAuB,EACvB,OAAe,EACf,OAAuB;QAEvB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;QAC5B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;CACF;AAED,SAAS,YAAY,CAAC,OAAe,EAAE,YAAoB;IACzD,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IACjD,IAAI,GAAG,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAC5B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC,CAAC,6BAA6B;IACrE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,uBAAuB,CAAC,SAAiB;IAChD,IAAI,OAAO,GAAG,SAAS,CAAC;IACxB,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,UAAU,CAAC,OAAO,CAAC;YAAE,OAAO,OAAO,CAAC;QACxC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,MAAM,KAAK,OAAO;YAAE,OAAO,IAAI,CAAC;QACpC,OAAO,GAAG,MAAM,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CACrB,IAAqB,EACrB,eAAuB,EACvB,YAAoB;IAEpB,OAAO;QACL,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,YAAY;QACZ,eAAe;QACf,QAAQ,EAAE,eAAe;KAC1B,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAAuB,EACvB,OAAe,EACf,MAAsB;IAEtB,MAAM,IAAI,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;AACjD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAqB;IAC5C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC;IACnD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;IAE3C,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG;YACb,aAAa,EAAE,SAAS;YACxB,YAAY,EAAE,EAAE;YAChB,eAAe,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,GAAG,CAAC;YAC7C,QAAQ,EAAE,eAAwB;YAClC,MAAM,EAAE,aAAa;SACtB,CAAC;QACF,IAAI,CAAC,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG;YACb,aAAa,EAAE,SAAS;YACxB,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;YACrC,eAAe,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;YAClC,QAAQ,EAAE,eAAwB;YAClC,MAAM,EAAE,yBAAyB;SAClC,CAAC;QACF,IAAI,CAAC,oBAAoB,EAAE,iCAAiC,EAAE,MAAM,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;IAC9D,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAC7C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;QACzB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAEjC,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,EAAE,eAAe,EAAE,YAAY,CAAC,CAAC;IAEnE,4BAA4B;IAC5B,MAAM,cAAc,GAAG,CAAC,YAAY,CAAC,eAAe,EAAE,YAAY,CAAC,CAAC;IACpE,MAAM,CAAC,kBAAkB,GAAG,cAAc,CAAC;IAC3C,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,CAAC,MAAM,GAAG,iDAAiD,CAAC;QAClE,IAAI,CAAC,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpD,CAAC;IAED,6BAA6B;IAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,KAAK,IAAI,CAAC;IAC1C,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,KAAK,IAAI,CAAC;IAC9C,MAAM,MAAM,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IAExC,IAAI,SAAS,IAAI,CAAC,MAAM,EAAE,CAAC;QACzB,MAAM,CAAC,MAAM,GAAG,wBAAwB,YAAY,EAAE,CAAC;QACvD,IAAI,CAAC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,CAAC,MAAM,IAAI,CAAC,SAAS,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,CAAC,MAAM,GAAG,wBAAwB,YAAY,EAAE,CAAC;QACvD,IAAI,CAAC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChD,CAAC;IAED,oEAAoE;IACpE,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,KAAK,KAAK,CAAC;IACrD,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,aAAiC,CAAC;QACtC,IAAI,CAAC;YACH,IAAI,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;gBAChC,aAAa,GAAG,YAAY,CAAC,eAAe,CAAC,CAAC;gBAC9C,MAAM,CAAC,gBAAgB,GAAG,aAAa,CAAC;YAC1C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,oEAAoE;QACtE,CAAC;QAED,IAAI,aAAa,EAAE,CAAC;YAClB,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC;oBACH,MAAM,kBAAkB,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;oBACtD,MAAM,CAAC,aAAa,GAAG,kBAAkB,CAAC;oBAC1C,MAAM,gBAAgB,GAAG,CAAC,YAAY,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAAC;oBAC1E,MAAM,CAAC,oBAAoB,GAAG,gBAAgB,CAAC;oBAC/C,IAAI,gBAAgB,EAAE,CAAC;wBACrB,MAAM,CAAC,aAAa,GAAG,kBAAkB,CAAC;wBAC1C,MAAM,CAAC,sBAAsB,GAAG,IAAI,CAAC;wBACrC,MAAM,CAAC,QAAQ,GAAG,cAAc,CAAC;wBACjC,MAAM,CAAC,MAAM,GAAG,yDAAyD,CAAC;wBAC1E,IAAI,CAAC,4BAA4B,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;oBAC5D,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,IAAI,CAAC,YAAY,aAAa;wBAAE,MAAM,CAAC,CAAC;oBACxC,iFAAiF;gBACnF,CAAC;YACH,CAAC;iBAAM,IAAI,WAAW,EAAE,CAAC;gBACvB,MAAM,QAAQ,GAAG,uBAAuB,CAAC,YAAY,CAAC,CAAC;gBACvD,IAAI,QAAQ,EAAE,CAAC;oBACb,IAAI,CAAC;wBACH,MAAM,iBAAiB,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;wBACjD,MAAM,gBAAgB,GAAG,CAAC,YAAY,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;wBACzE,MAAM,CAAC,aAAa,GAAG,iBAAiB,CAAC;wBACzC,MAAM,CAAC,oBAAoB,GAAG,gBAAgB,CAAC;wBAC/C,IAAI,gBAAgB,EAAE,CAAC;4BACrB,MAAM,CAAC,sBAAsB,GAAG,IAAI,CAAC;4BACrC,MAAM,CAAC,QAAQ,GAAG,cAAc,CAAC;4BACjC,MAAM,CAAC,MAAM,GAAG,4EAA4E,CAAC;4BAC7F,IAAI,CAAC,4BAA4B,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;wBAC5D,CAAC;oBACH,CAAC;oBAAC,OAAO,CAAC,EAAE,CAAC;wBACX,IAAI,CAAC,YAAY,aAAa;4BAAE,MAAM,CAAC,CAAC;wBACxC,yDAAyD;oBAC3D,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,IAAI,CAAC;YACH,EAAE,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,CAAC,MAAM,GAAG,wBAAwB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;YACrF,IAAI,CAAC,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC;YACpC,MAAM,CAAC,MAAM,GAAG,oBAAoB,YAAY,EAAE,CAAC;YACnD,IAAI,CAAC,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,IAAI,CAAC,eAAe,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;YAC9C,MAAM,CAAC,MAAM,GAAG,yBAAyB,YAAY,EAAE,CAAC;YACxD,IAAI,CAAC,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC;IAC1B,MAAM,CAAC,QAAQ,GAAG,YAAY,CAAC;IAC/B,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/security/sensitive-files.d.ts

@@ -0,0 +1,3 @@
+export declare function getSensitiveFileReadReason(filePath: string): string | null;
+export declare function isSensitiveFileForRead(filePath: string): boolean;
+//# sourceMappingURL=sensitive-files.d.ts.map

package/dist/security/sensitive-files.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sensitive-files.d.ts","sourceRoot":"","sources":["../../src/security/sensitive-files.ts"],"names":[],"mappings":"AAoBA,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAwB1E;AAED,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEhE"}

package/dist/security/sensitive-files.js

@@ -0,0 +1,41 @@
+import * as path from "node:path";
+function normalizeBasename(filePath) {
+    return path.basename(filePath).toLowerCase();
+}
+function isEnvSecretFile(base) {
+    if (base === ".env")
+        return true;
+    if (!base.startsWith(".env."))
+        return false;
+    if (base === ".env.example" ||
+        base === ".env.sample" ||
+        base === ".env.template" ||
+        base === ".env.schema") {
+        return false;
+    }
+    return true;
+}
+export function getSensitiveFileReadReason(filePath) {
+    const base = normalizeBasename(filePath);
+    if (isEnvSecretFile(base)) {
+        return "environment secret files (.env*) are blocked by default";
+    }
+    if (base === ".npmrc" || base === ".pypirc" || base === ".netrc") {
+        return `${base} may contain credentials`;
+    }
+    if (base === "credentials.json" || base === "application_default_credentials.json") {
+        return `${base} commonly stores cloud credentials`;
+    }
+    if (base === "id_rsa" || base === "id_dsa" || base === "id_ecdsa" || base === "id_ed25519") {
+        return `${base} is a private key file`;
+    }
+    if (base.endsWith(".pem") || base.endsWith(".key") || base.endsWith(".p12") ||
+        base.endsWith(".pfx") || base.endsWith(".p8")) {
+        return "certificate/private-key material is blocked by default";
+    }
+    return null;
+}
+export function isSensitiveFileForRead(filePath) {
+    return getSensitiveFileReadReason(filePath) !== null;
+}
+//# sourceMappingURL=sensitive-files.js.map

package/dist/security/sensitive-files.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sensitive-files.js","sourceRoot":"","sources":["../../src/security/sensitive-files.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,SAAS,iBAAiB,CAAC,QAAgB;IACzC,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;AAC/C,CAAC;AAED,SAAS,eAAe,CAAC,IAAY;IACnC,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,IACE,IAAI,KAAK,cAAc;QACvB,IAAI,KAAK,aAAa;QACtB,IAAI,KAAK,eAAe;QACxB,IAAI,KAAK,aAAa,EACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,QAAgB;IACzD,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,OAAO,yDAAyD,CAAC;IACnE,CAAC;IAED,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACjE,OAAO,GAAG,IAAI,0BAA0B,CAAC;IAC3C,CAAC;IAED,IAAI,IAAI,KAAK,kBAAkB,IAAI,IAAI,KAAK,sCAAsC,EAAE,CAAC;QACnF,OAAO,GAAG,IAAI,oCAAoC,CAAC;IACrD,CAAC;IAED,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QAC3F,OAAO,GAAG,IAAI,wBAAwB,CAAC;IACzC,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QACvE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAClD,OAAO,wDAAwD,CAAC;IAClE,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,QAAgB;IACrD,OAAO,0BAA0B,CAAC,QAAQ,CAAC,KAAK,IAAI,CAAC;AACvD,CAAC"}