nemoris 0.1.0

package/src/providers/base.js

@@ -0,0 +1,247 @@
+import { annotateError } from "../runtime/network.js";
+import { fetchWithOutboundPolicy } from "../runtime/ssrf.js";
+import { OUTBOUND_ADDRESS_POLICY } from "../security/ssrf-check.js";
+import { getAuthProfile, resolveProfileSecret } from "../auth/auth-profiles.js";
+
+export class ProviderAdapter {
+  constructor(config = {}, dependencies = {}) {
+    this.config = config;
+    this.fetchImpl = dependencies.fetchImpl || globalThis.fetch;
+    this.lookupImpl = dependencies.lookupImpl;
+  }
+
+  requireFetch() {
+    if (!this.fetchImpl) {
+      throw new Error("No fetch implementation available");
+    }
+  }
+
+  get authRef() {
+    return this.config.authRef || "";
+  }
+
+  get authProfileId() {
+    if (!this.authRef.startsWith("profile:")) return null;
+    return this.authRef.slice("profile:".length);
+  }
+
+  resolveAuthProfile() {
+    const profileId = this.authProfileId;
+    if (!profileId) return null;
+    return getAuthProfile(profileId);
+  }
+
+  resolveAuthToken() {
+    if (this.authRef.startsWith("env:")) {
+      const envName = this.authRef.slice(4);
+      return process.env[envName] || null;
+    }
+    if (this.authRef.startsWith("profile:")) {
+      return resolveProfileSecret(this.resolveAuthProfile());
+    }
+    return null;
+  }
+
+  ensureAuthToken() {
+    const token = this.resolveAuthToken();
+    if (!token) {
+      throw new Error(`Missing auth token for ${this.config.id || "provider"} (${this.authRef})`);
+    }
+    return token;
+  }
+
+  buildUrl(endpoint) {
+    const baseUrl = String(this.config.baseUrl || "").replace(/\/$/, "");
+    const pathPart = String(endpoint || "").replace(/^\//, "");
+    return `${baseUrl}/${pathPart}`;
+  }
+
+  buildRequestOptions(options = {}, runtimeOptions = {}) {
+    const timeoutMs = Number((runtimeOptions.timeoutMs ?? this.config.defaultTimeoutMs) || 0);
+    if (!timeoutMs || typeof AbortSignal?.timeout !== "function") {
+      return options;
+    }
+
+    return {
+      ...options,
+      signal: options.signal || AbortSignal.timeout(timeoutMs)
+    };
+  }
+
+  resolveRequestUrl(target) {
+    if (typeof target === "string" && /^[a-z]+:\/\//i.test(target)) {
+      return target;
+    }
+    return this.buildUrl(target);
+  }
+
+  async fetchResponse(target, options = {}, runtimeOptions = {}) {
+    this.requireFetch();
+    const timeoutMs = Number((runtimeOptions.timeoutMs ?? this.config.defaultTimeoutMs) || 0);
+    const isOllama = this.config.id === "ollama" || this.config.adapter === "ollama";
+    try {
+      // Provider URLs come from runtime configuration. Only Ollama is meant to
+      // stay local, and even then it must resolve to loopback.
+      return await fetchWithOutboundPolicy(
+        this.resolveRequestUrl(target),
+        this.buildRequestOptions(options, runtimeOptions),
+        {
+          fetchImpl: this.fetchImpl,
+          lookupImpl: this.lookupImpl,
+          surface: "provider",
+          privateAddressMessage: `Provider request blocked — target resolves to a private/reserved IP address for ${this.config.id || "provider"}.`,
+          loopbackOnlyMessage: `Ollama base URL must resolve to loopback only; refusing ${this.resolveRequestUrl(target)}.`,
+          addressPolicy: isOllama ? OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK : OUTBOUND_ADDRESS_POLICY.BLOCK_PRIVATE,
+        }
+      );
+    } catch (error) {
+      if (error?.name === "TimeoutError" || error?.name === "AbortError") {
+        throw annotateError(
+          new Error(`Provider request timed out after ${timeoutMs || "configured"} ms for ${this.config.id || "provider"}`),
+          {
+            surface: "provider"
+          }
+        );
+      }
+      throw annotateError(error, { surface: "provider" });
+    }
+  }
+
+  getCapabilities() {
+    return {
+      supportsToolDefinitions: false,
+      supportsToolCalls: false,
+      structuredOutputMode: "none",
+      supportsReasoningSchema: false,
+      tokenCountingMode: "heuristic",
+      toolReliabilityTier: "unsupported",
+      supportsVision: false
+    };
+  }
+
+  supportsNativeStructuredOutput() {
+    return new Set(["response_format", "forced_tool", "constrained_decoding"]).has(
+      this.getCapabilities().structuredOutputMode
+    );
+  }
+
+  buildStructuredOutputFormat(_input) {
+    return null;
+  }
+
+  async countTokens(_input) {
+    return null;
+  }
+
+  async listModels() {
+    return null;
+  }
+
+  normalizeResponse(raw) {
+    if (!raw) {
+      return {
+        summary: "Provider returned no data.",
+        output: "",
+        nextActions: [],
+        reasoning: null,
+        raw
+      };
+    }
+
+    const text = this.extractText(raw);
+    const parsedJson = text ? this.parseStructuredJson(text) : null;
+    if (parsedJson) {
+      return {
+        summary: parsedJson.summary || "Provider returned structured JSON output.",
+        output: parsedJson.output || text,
+        nextActions: Array.isArray(parsedJson.nextActions) ? parsedJson.nextActions : [],
+        reasoning: parsedJson.analysis || null,
+        raw
+      };
+    }
+
+    if (text) {
+      return {
+        summary: text.slice(0, 200) || "Provider responded.",
+        output: text,
+        nextActions: [],
+        reasoning: null,
+        raw
+      };
+    }
+
+    return {
+      summary: "Provider responded with structured data.",
+      output: JSON.stringify(raw, null, 2),
+      nextActions: [],
+      reasoning: null,
+      raw
+    };
+  }
+
+  extractText(raw) {
+    return raw?.content && Array.isArray(raw.content)
+      ? raw.content
+          .map((item) => item.text || item.content || "")
+          .filter(Boolean)
+          .join("\n")
+      : raw?.choices?.[0]?.message?.content || raw?.message?.content
+        ? String(raw?.choices?.[0]?.message?.content || raw?.message?.content)
+        : null;
+  }
+
+  parseStructuredJson(text) {
+    const trimmed = String(text).trim();
+    const fencedMatch = trimmed.match(/^```(?:json)?\s*([\s\S]*?)\s*```$/i);
+    const candidate = fencedMatch ? fencedMatch[1].trim() : trimmed;
+    if (!(candidate.startsWith("{") && candidate.endsWith("}"))) {
+      return null;
+    }
+
+    try {
+      return JSON.parse(candidate);
+    } catch {
+      return null;
+    }
+  }
+
+  async postJson(endpoint, body, headers = {}, runtimeOptions = {}) {
+    let response;
+    try {
+      response = await this.fetchResponse(
+        endpoint,
+        {
+          method: "POST",
+          headers: {
+            "content-type": "application/json",
+            ...headers
+          },
+          body: JSON.stringify(body)
+        },
+        runtimeOptions
+      );
+    } catch (error) {
+      throw error;
+    }
+    const text = await response.text();
+    let data = null;
+    if (text) {
+      try {
+        data = JSON.parse(text);
+      } catch {
+        data = text;
+      }
+    }
+
+    if (!response.ok) {
+      throw annotateError(
+        new Error(`Provider error ${response.status}: ${typeof data === "string" ? data : JSON.stringify(data)}`),
+        {
+          surface: "provider"
+        }
+      );
+    }
+
+    return data;
+  }
+}

package/src/providers/circuit-breaker.js

@@ -0,0 +1,136 @@
+const DEFAULT_TRANSIENT_CODES = new Set([408, 429, 500, 502, 503, 504]);
+
+export function ensureBreakerSchema(db) {
+  db.exec(`
+    create table if not exists provider_breakers (
+      provider_key text primary key,
+      state text not null default 'closed',
+      failure_count integer not null default 0,
+      last_failure_at text,
+      last_success_at text,
+      opened_at text,
+      half_open_at text
+    );
+  `);
+}
+
+export class CircuitBreaker {
+  constructor(providerKey, db, config = {}) {
+    this._key = providerKey;
+    this._db = db;
+    this._failureThreshold = config.failureThreshold ?? 5;
+    this._resetTimeoutSeconds = config.resetTimeoutSeconds ?? 30;
+    this._transientCodes = new Set(config.transientCodes ?? DEFAULT_TRANSIENT_CODES);
+
+    ensureBreakerSchema(db);
+    this._load();
+  }
+
+  static forProvider(providerKey, db, config = {}) {
+    return new CircuitBreaker(providerKey, db, config);
+  }
+
+  _load() {
+    const row = this._db.prepare("select * from provider_breakers where provider_key = ?").get(this._key);
+    if (row) {
+      this._state = row.state;
+      this._failureCount = row.failure_count;
+      this._lastFailureAt = row.last_failure_at;
+      this._lastSuccessAt = row.last_success_at;
+      this._openedAt = row.opened_at;
+      this._halfOpenAt = row.half_open_at;
+    } else {
+      this._state = "closed";
+      this._failureCount = 0;
+      this._lastFailureAt = null;
+      this._lastSuccessAt = null;
+      this._openedAt = null;
+      this._halfOpenAt = null;
+    }
+  }
+
+  _persist() {
+    this._db.prepare(`
+      insert into provider_breakers (provider_key, state, failure_count, last_failure_at, last_success_at, opened_at, half_open_at)
+      values (?, ?, ?, ?, ?, ?, ?)
+      on conflict(provider_key) do update set
+        state = excluded.state,
+        failure_count = excluded.failure_count,
+        last_failure_at = excluded.last_failure_at,
+        last_success_at = excluded.last_success_at,
+        opened_at = excluded.opened_at,
+        half_open_at = excluded.half_open_at
+    `).run(
+      this._key,
+      this._state,
+      this._failureCount,
+      this._lastFailureAt,
+      this._lastSuccessAt,
+      this._openedAt,
+      this._halfOpenAt
+    );
+  }
+
+  _checkHalfOpen() {
+    if (this._state !== "open") return;
+    if (!this._openedAt) return;
+    const elapsed = (Date.now() - new Date(this._openedAt).getTime()) / 1000;
+    if (elapsed >= this._resetTimeoutSeconds) {
+      this._state = "half_open";
+      this._halfOpenAt = new Date().toISOString();
+      this._persist();
+    }
+  }
+
+  isClosed() {
+    this._checkHalfOpen();
+    return this._state === "closed";
+  }
+
+  isOpen() {
+    this._checkHalfOpen();
+    return this._state === "open";
+  }
+
+  isHalfOpen() {
+    this._checkHalfOpen();
+    return this._state === "half_open";
+  }
+
+  failureCount() {
+    return this._failureCount;
+  }
+
+  retryAfter() {
+    if (this._state !== "open" || !this._openedAt) return 0;
+    const elapsed = (Date.now() - new Date(this._openedAt).getTime()) / 1000;
+    return Math.max(0, this._resetTimeoutSeconds - elapsed);
+  }
+
+  recordSuccess() {
+    this._state = "closed";
+    this._failureCount = 0;
+    this._lastSuccessAt = new Date().toISOString();
+    this._openedAt = null;
+    this._halfOpenAt = null;
+    this._persist();
+  }
+
+  recordFailure(errorCode) {
+    if (!this._transientCodes.has(errorCode)) return;
+
+    this._failureCount += 1;
+    this._lastFailureAt = new Date().toISOString();
+
+    if (this._state === "half_open") {
+      this._state = "open";
+      this._openedAt = new Date().toISOString();
+      this._halfOpenAt = null;
+    } else if (this._failureCount >= this._failureThreshold) {
+      this._state = "open";
+      this._openedAt = new Date().toISOString();
+    }
+
+    this._persist();
+  }
+}

package/src/providers/ollama.js

@@ -0,0 +1,163 @@
+import { ProviderAdapter } from "./base.js";
+
+export class OllamaAdapter extends ProviderAdapter {
+  static providerId = "ollama";
+
+  getCapabilities() {
+    return {
+      supportsToolDefinitions: true,
+      supportsToolCalls: true,
+      structuredOutputMode: "prompt_contract",
+      supportsReasoningSchema: false,
+      tokenCountingMode: "heuristic",
+      toolReliabilityTier: "medium",
+      supportsVision: false
+    };
+  }
+
+  normalizeModel(model) {
+    if (typeof model !== "string") return model;
+    return model.startsWith("ollama/") ? model.slice("ollama/".length) : model;
+  }
+
+  buildInvokePayload({ model, system, messages, tools, options }) {
+    const payload = {
+      model: this.normalizeModel(model),
+      stream: false,
+      system,
+      messages,
+      options
+    };
+    // Ollama /api/chat supports OpenAI-compatible tools array
+    if (tools?.length) payload.tools = tools;
+    return payload;
+  }
+
+  async invoke(input) {
+    return this.postJson("api/chat", this.buildInvokePayload(input), {}, {
+      timeoutMs: input.timeoutMs
+    });
+  }
+
+  normalizeResponse(raw) {
+    // Handle Ollama tool_calls (OpenAI-compatible format)
+    const toolCalls = raw?.message?.tool_calls;
+    if (Array.isArray(toolCalls) && toolCalls.length > 0) {
+      // Convert to Anthropic-style tool_use blocks for executor compatibility
+      const content = toolCalls.map((tc) => ({
+        type: "tool_use",
+        id: tc.id || `ollama_tool_${Date.now()}`,
+        name: tc.function?.name || tc.name,
+        input: tc.function?.arguments
+          ? (typeof tc.function.arguments === "string"
+              ? JSON.parse(tc.function.arguments)
+              : tc.function.arguments)
+          : {}
+      }));
+      return {
+        summary: `Tool call: ${content.map(c => c.name).join(", ")}`,
+        output: null,
+        nextActions: [],
+        reasoning: null,
+        raw,
+        content
+      };
+    }
+
+    const text = raw?.message?.content ? String(raw.message.content) : null;
+    const parsedJson = text ? this.parseStructuredJson(text) : null;
+    if (parsedJson) {
+      return {
+        summary: parsedJson.summary || "Provider returned structured JSON output.",
+        output: parsedJson.output || text,
+        nextActions: Array.isArray(parsedJson.nextActions) ? parsedJson.nextActions : [],
+        reasoning: parsedJson.analysis || null,
+        raw
+      };
+    }
+    if (text) {
+      return {
+        summary: text.slice(0, 200) || "Provider responded.",
+        output: text,
+        nextActions: [],
+        reasoning: null,
+        raw
+      };
+    }
+
+    return super.normalizeResponse(raw);
+  }
+
+  async embed({ model, input }) {
+    const payload = {
+      model: this.normalizeModel(model),
+      input
+    };
+
+    try {
+      const result = await this.postJson("api/embed", payload, {}, {
+        timeoutMs: input.timeoutMs
+      });
+      if (Array.isArray(result.embeddings) && result.embeddings.length > 0) {
+        return {
+          embeddings: result.embeddings
+        };
+      }
+      if (Array.isArray(result.embedding)) {
+        return {
+          embeddings: [result.embedding]
+        };
+      }
+      return result;
+    } catch (error) {
+      if (!String(error.message || "").includes("404")) throw error;
+      const fallback = await this.postJson("api/embeddings", payload, {}, {
+        timeoutMs: input.timeoutMs
+      });
+      if (Array.isArray(fallback.embedding)) {
+        return {
+          embeddings: [fallback.embedding]
+        };
+      }
+      return fallback;
+    }
+  }
+
+  async healthCheck() {
+    // Ollama is intentionally local-only. fetchResponse enforces loopback-only
+    // on the configured baseUrl before any health probe leaves the process.
+    const response = await this.fetchResponse("api/tags", {
+      method: "GET"
+    });
+    return {
+      ok: response.ok,
+      status: response.status
+    };
+  }
+
+  async listModels() {
+    const response = await this.fetchResponse("api/tags", {
+      method: "GET"
+    });
+    const text = await response.text();
+    let data = null;
+    if (text) {
+      try {
+        data = JSON.parse(text);
+      } catch {
+        data = null;
+      }
+    }
+    if (!response.ok) {
+      throw new Error(`Provider error ${response.status}: ${typeof data === "string" ? data : JSON.stringify(data)}`);
+    }
+
+    const models = Array.isArray(data?.models)
+      ? data.models
+          .map((item) => item?.name || item?.model || null)
+          .filter(Boolean)
+      : [];
+
+    return models;
+  }
+}

package/src/providers/openai-codex.js

@@ -0,0 +1,149 @@
+import { resolveOpenAICodexAccess } from "../auth/openai-codex-oauth.js";
+import { ProviderAdapter } from "./base.js";
+
+export class OpenAICodexAdapter extends ProviderAdapter {
+  static providerId = "openai-codex";
+
+  normalizeModel(model) {
+    if (typeof model !== "string") return model;
+    return model.startsWith("openai-codex/") ? model.slice("openai-codex/".length) : model;
+  }
+
+  getCapabilities() {
+    return {
+      supportsToolDefinitions: true,
+      supportsToolCalls: true,
+      structuredOutputMode: "response_format",
+      supportsReasoningSchema: false,
+      tokenCountingMode: "heuristic",
+      toolReliabilityTier: "high",
+      supportsVision: true
+    };
+  }
+
+  buildStructuredOutputFormat(input) {
+    if (!input?.responseSchema?.schema) return null;
+    return {
+      type: "json_schema",
+      json_schema: {
+        name: input.responseSchema.name || "nemoris_response",
+        strict: true,
+        schema: input.responseSchema.schema
+      }
+    };
+  }
+
+  buildInvokePayload(input) {
+    const { model: rawModel, system, messages, maxTokens = 2048, tools, responseSchema } = input;
+    const model = this.normalizeModel(rawModel);
+    const normalizedMessages = [];
+    if (system) {
+      normalizedMessages.push({
+        role: "system",
+        content: system
+      });
+    }
+    normalizedMessages.push(...messages);
+
+    const payload = {
+      model,
+      messages: normalizedMessages,
+      max_tokens: maxTokens
+    };
+    if (tools?.length) payload.tools = tools;
+    const responseFormat = this.buildStructuredOutputFormat({ responseSchema });
+    if (responseFormat) payload.response_format = responseFormat;
+    return payload;
+  }
+
+  async getAccessToken() {
+    if (this.authRef.startsWith("profile:")) {
+      const profileId = this.authRef.slice("profile:".length);
+      const resolved = await resolveOpenAICodexAccess(profileId, {
+        fetchImpl: this.fetchImpl
+      });
+      return resolved.token;
+    }
+    return this.ensureAuthToken();
+  }
+
+  async invoke(input) {
+    const token = await this.getAccessToken();
+    return this.postJson(
+      "chat/completions",
+      this.buildInvokePayload(input),
+      {
+        authorization: `Bearer ${token}`
+      },
+      {
+        timeoutMs: input.timeoutMs
+      }
+    );
+  }
+
+  normalizeResponse(raw) {
+    const text = raw?.choices?.[0]?.message?.content
+      ? String(raw.choices[0].message.content)
+      : null;
+    const parsedJson = text ? this.parseStructuredJson(text) : null;
+    if (parsedJson) {
+      return {
+        summary: parsedJson.summary || "Provider returned structured JSON output.",
+        output: parsedJson.output || text,
+        nextActions: Array.isArray(parsedJson.nextActions) ? parsedJson.nextActions : [],
+        reasoning: parsedJson.analysis || null,
+        raw
+      };
+    }
+    if (text) {
+      return {
+        summary: text.slice(0, 200) || "Provider responded.",
+        output: text,
+        nextActions: [],
+        reasoning: null,
+        raw
+      };
+    }
+
+    return super.normalizeResponse(raw);
+  }
+
+  async healthCheck() {
+    const token = await this.getAccessToken();
+    const response = await this.fetchResponse("models", {
+      method: "GET",
+      headers: {
+        authorization: `Bearer ${token}`
+      }
+    });
+    return {
+      ok: response.ok,
+      status: response.status
+    };
+  }
+
+  async listModels() {
+    const token = await this.getAccessToken();
+    const response = await this.fetchResponse("models", {
+      method: "GET",
+      headers: {
+        authorization: `Bearer ${token}`
+      }
+    });
+    const text = await response.text();
+    let data = null;
+    if (text) {
+      try {
+        data = JSON.parse(text);
+      } catch {
+        data = null;
+      }
+    }
+    if (!response.ok) {
+      throw new Error(`Provider error ${response.status}: ${typeof data === "string" ? data : JSON.stringify(data)}`);
+    }
+    return Array.isArray(data?.data)
+      ? data.data.map((item) => item?.id).filter(Boolean)
+      : [];
+  }
+}