ship-safe 3.1.0 → 4.0.0

package/cli/commands/score.js

@@ -0,0 +1,446 @@
+/**
+ * Score Command
+ * =============
+ *
+ * Compute a 0-100 security health score for your project.
+ * Combines secret detection, code vulnerability detection, and dependency auditing.
+ *
+ * USAGE:
+ *   npx ship-safe score [path]          Score the project in the current directory
+ *   npx ship-safe score . --no-deps     Skip dependency audit (faster)
+ *
+ * SCORING ALGORITHM (starts at 100):
+ *   Secrets:       critical −25, high −15, medium −5   (capped at −40)
+ *   Code Vulns:    critical −20, high −10, medium −3   (capped at −30)
+ *   Dependencies:  critical −20, high −10, moderate −5 (capped at −30)
+ *
+ * GRADES:
+ *   A  90–100  Ship it!
+ *   B  75–89   Minor issues to review
+ *   C  60–74   Fix before shipping
+ *   D  40–59   Significant security risks
+ *   F  0–39    Not safe to ship
+ *
+ * EXIT CODES:
+ *   0 - Score is A or B (90+/75+)
+ *   1 - Score is C or below (< 75)
+ */
+
+import fs from 'fs';
+import path from 'path';
+import fg from 'fast-glob';
+import chalk from 'chalk';
+import ora from 'ora';
+import {
+  SECRET_PATTERNS,
+  SECURITY_PATTERNS,
+  SKIP_DIRS,
+  SKIP_EXTENSIONS,
+  TEST_FILE_PATTERNS,
+  MAX_FILE_SIZE
+} from '../utils/patterns.js';
+import { isHighEntropyMatch } from '../utils/entropy.js';
+import { runDepsAudit } from './deps.js';
+import * as output from '../utils/output.js';
+
+// =============================================================================
+// SCORING CONSTANTS
+// =============================================================================
+
+const SECRET_DEDUCTIONS = { critical: 25, high: 15, medium: 5 };
+const SECRET_CAP = 40;
+
+const VULN_DEDUCTIONS = { critical: 20, high: 10, medium: 3 };
+const VULN_CAP = 30;
+
+const DEP_DEDUCTIONS = { critical: 20, high: 10, moderate: 5, medium: 5 };
+const DEP_CAP = 30;
+
+const GRADES = [
+  { min: 90, letter: 'A', label: 'Ship it!' },
+  { min: 75, letter: 'B', label: 'Minor issues to review' },
+  { min: 60, letter: 'C', label: 'Fix before shipping' },
+  { min: 40, letter: 'D', label: 'Significant security risks' },
+  { min: 0,  letter: 'F', label: 'Not safe to ship' },
+];
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function scoreCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+
+  if (!fs.existsSync(absolutePath)) {
+    output.error(`Path does not exist: ${absolutePath}`);
+    process.exit(1);
+  }
+
+  console.log();
+  output.header('Security Health Score');
+  console.log();
+
+  const runDeps = options.deps !== false; // --no-deps sets options.deps = false
+
+  // ── 1. Scan for secrets and code vulns ──────────────────────────────────────
+  const spinner = ora({ text: 'Scanning for secrets and vulnerabilities...', color: 'cyan' }).start();
+
+  let findings = [];
+  let filesScanned = 0;
+
+  try {
+    const files = await findFiles(absolutePath);
+    filesScanned = files.length;
+    spinner.text = `Scanning ${files.length} files...`;
+
+    for (const file of files) {
+      const fileFindings = scanFile(file);
+      findings = findings.concat(fileFindings);
+    }
+    spinner.stop();
+  } catch (err) {
+    spinner.fail('Scan failed');
+    output.error(err.message);
+    process.exit(1);
+  }
+
+  const secretFindings = findings.filter(f => f.category !== 'vulnerability');
+  const vulnFindings   = findings.filter(f => f.category === 'vulnerability');
+
+  // ── 2. Dependency audit ──────────────────────────────────────────────────────
+  let depVulns = [];
+  let pm = null;
+
+  if (runDeps) {
+    const depSpinner = ora({ text: 'Auditing dependencies...', color: 'cyan' }).start();
+    try {
+      const result = await runDepsAudit(absolutePath);
+      pm = result.pm;
+      depVulns = result.vulns;
+      depSpinner.stop();
+    } catch {
+      depSpinner.stop();
+      // Dep audit failure doesn't block scoring — just skip
+    }
+  }
+
+  // ── 3. Compute score ─────────────────────────────────────────────────────────
+  const { score, secretDeduction, vulnDeduction, depDeduction, secretCounts, vulnCounts, depCounts } =
+    computeScore(secretFindings, vulnFindings, depVulns);
+
+  const grade = GRADES.find(g => score >= g.min);
+
+  // ── 4. Print results ─────────────────────────────────────────────────────────
+  printScore(score, grade, {
+    secretDeduction, vulnDeduction, depDeduction,
+    secretCounts, vulnCounts, depCounts,
+    filesScanned, pm, runDeps
+  });
+
+  // Exit 0 for A/B, exit 1 for C/D/F
+  process.exit(score >= 75 ? 0 : 1);
+}
+
+// =============================================================================
+// SCORE COMPUTATION
+// =============================================================================
+
+function computeScore(secretFindings, vulnFindings, depVulns) {
+  // ── Count by severity ────────────────────────────────────────────────────────
+  const secretCounts = countBySeverity(secretFindings);
+  const vulnCounts   = countBySeverity(vulnFindings);
+  const depCounts    = countBySeverity(depVulns);
+
+  // ── Compute deductions ───────────────────────────────────────────────────────
+  let secretDeduction = 0;
+  for (const [sev, pts] of Object.entries(SECRET_DEDUCTIONS)) {
+    secretDeduction += (secretCounts[sev] || 0) * pts;
+  }
+  secretDeduction = Math.min(secretDeduction, SECRET_CAP);
+
+  let vulnDeduction = 0;
+  for (const [sev, pts] of Object.entries(VULN_DEDUCTIONS)) {
+    vulnDeduction += (vulnCounts[sev] || 0) * pts;
+  }
+  vulnDeduction = Math.min(vulnDeduction, VULN_CAP);
+
+  let depDeduction = 0;
+  for (const [sev, pts] of Object.entries(DEP_DEDUCTIONS)) {
+    depDeduction += (depCounts[sev] || 0) * pts;
+  }
+  depDeduction = Math.min(depDeduction, DEP_CAP);
+
+  const score = Math.max(0, 100 - secretDeduction - vulnDeduction - depDeduction);
+
+  return { score, secretDeduction, vulnDeduction, depDeduction, secretCounts, vulnCounts, depCounts };
+}
+
+function countBySeverity(findings) {
+  const counts = {};
+  for (const f of findings) {
+    const sev = f.severity || 'unknown';
+    counts[sev] = (counts[sev] || 0) + 1;
+  }
+  return counts;
+}
+
+// =============================================================================
+// OUTPUT
+// =============================================================================
+
+const GRADE_COLOR = {
+  A: chalk.green.bold,
+  B: chalk.cyan.bold,
+  C: chalk.yellow.bold,
+  D: chalk.red,
+  F: chalk.red.bold,
+};
+
+function printScore(score, grade, ctx) {
+  const gradeColor = GRADE_COLOR[grade.letter] || chalk.white;
+  const scoreColor = score >= 75 ? chalk.green.bold : score >= 60 ? chalk.yellow.bold : chalk.red.bold;
+
+  // ── Score headline ───────────────────────────────────────────────────────────
+  console.log(
+    chalk.white.bold('  Ship Safe Score: ') +
+    scoreColor(`${score}/100`) +
+    chalk.gray('  ') +
+    gradeColor(`${grade.letter}`) +
+    chalk.gray(` — ${grade.label}`)
+  );
+  console.log(chalk.cyan('  ' + '─'.repeat(58)));
+  console.log();
+
+  // ── Row: Secrets ─────────────────────────────────────────────────────────────
+  const secretCount = Object.values(ctx.secretCounts).reduce((a, b) => a + b, 0);
+  const secretIcon = secretCount === 0 ? chalk.green('✔') : chalk.red('✘');
+  const secretStatus = secretCount === 0
+    ? chalk.green('0 found')
+    : chalk.red(`${secretCount} found`);
+  const secretDeductStr = ctx.secretDeduction === 0
+    ? chalk.gray('+0 deductions')
+    : chalk.red(`−${ctx.secretDeduction} points`) + chalk.gray(` (${formatCounts(ctx.secretCounts)})`);
+
+  console.log(
+    `  ${secretIcon}  ${chalk.white.bold('Secrets       ')}  ${secretStatus.padEnd(18)}  ${secretDeductStr}`
+  );
+
+  // ── Row: Code Vulns ───────────────────────────────────────────────────────────
+  const vulnCount = Object.values(ctx.vulnCounts).reduce((a, b) => a + b, 0);
+  const vulnIcon = vulnCount === 0 ? chalk.green('✔') : chalk.yellow('✘');
+  const vulnStatus = vulnCount === 0
+    ? chalk.green('0 found')
+    : chalk.yellow(`${vulnCount} found`);
+  const vulnDeductStr = ctx.vulnDeduction === 0
+    ? chalk.gray('+0 deductions')
+    : chalk.yellow(`−${ctx.vulnDeduction} points`) + chalk.gray(` (${formatCounts(ctx.vulnCounts)})`);
+
+  console.log(
+    `  ${vulnIcon}  ${chalk.white.bold('Code Vulns    ')}  ${vulnStatus.padEnd(18)}  ${vulnDeductStr}`
+  );
+
+  // ── Row: Dependencies ─────────────────────────────────────────────────────────
+  if (ctx.runDeps) {
+    const depCount = Object.values(ctx.depCounts).reduce((a, b) => a + b, 0);
+    const depIcon = depCount === 0 ? chalk.green('✔') : chalk.red('✘');
+    const depLabel = ctx.pm ? `Dependencies  ` : 'Dependencies  ';
+
+    let depStatus, depDeductStr;
+
+    if (!ctx.pm) {
+      depStatus  = chalk.gray('no manifest');
+      depDeductStr = chalk.gray('+0 deductions');
+    } else if (depCount === 0) {
+      depStatus  = chalk.green('0 CVEs');
+      depDeductStr = chalk.gray('+0 deductions');
+    } else {
+      depStatus  = chalk.red(`${depCount} CVEs`);
+      depDeductStr = chalk.red(`−${ctx.depDeduction} points`) + chalk.gray(` (${formatCounts(ctx.depCounts)})`);
+    }
+
+    console.log(
+      `  ${depIcon}  ${chalk.white.bold(depLabel)}  ${depStatus.padEnd(18)}  ${depDeductStr}`
+    );
+  } else {
+    console.log(
+      `  ${chalk.gray('–')}  ${chalk.gray('Dependencies    skipped (--no-deps)')}`
+    );
+  }
+
+  console.log();
+  console.log(chalk.cyan('  ' + '─'.repeat(58)));
+  console.log(chalk.gray(`  Files scanned: ${ctx.filesScanned}`));
+
+  // ── Next steps ────────────────────────────────────────────────────────────────
+  if (score < 100) {
+    console.log();
+    const actions = [];
+    if (Object.values(ctx.secretCounts).some(n => n > 0)) {
+      actions.push(chalk.white('  npx ship-safe agent .') + chalk.gray('     # AI audit: classify + auto-fix secrets'));
+    }
+    if (Object.values(ctx.vulnCounts).some(n => n > 0)) {
+      actions.push(chalk.white('  npx ship-safe agent .') + chalk.gray('     # AI audit: classify + fix suggestions'));
+    }
+    if (ctx.runDeps && Object.values(ctx.depCounts).some(n => n > 0) && ctx.pm) {
+      actions.push(chalk.white(`  npx ship-safe deps .`) + chalk.gray('      # See full dependency CVE details'));
+    }
+    if (actions.length > 0) {
+      console.log(chalk.gray('  Fix issues:'));
+      // Deduplicate (agent appears for both secrets and vulns)
+      const seen = new Set();
+      for (const a of actions) {
+        if (!seen.has(a)) { console.log(a); seen.add(a); }
+      }
+    }
+  } else {
+    console.log();
+    console.log(chalk.green('  All clear — safe to ship!'));
+  }
+
+  console.log(chalk.cyan('='.repeat(60)));
+  console.log();
+}
+
+function formatCounts(counts) {
+  const SEV_ORDER = ['critical', 'high', 'moderate', 'medium', 'low'];
+  return SEV_ORDER
+    .filter(s => counts[s] > 0)
+    .map(s => `${counts[s]} ${s}`)
+    .join(', ');
+}
+
+// =============================================================================
+// INTERNAL SCAN (no subprocess — import patterns directly)
+// =============================================================================
+
+const ALL_PATTERNS = [...SECRET_PATTERNS, ...SECURITY_PATTERNS];
+
+/**
+ * Find all scannable files (same logic as scan.js, without test-exclusion
+ * and without .ship-safeignore loading — score is a quick overview).
+ */
+async function findFiles(rootPath) {
+  const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
+
+  const files = await fg('**/*', {
+    cwd: rootPath,
+    absolute: true,
+    onlyFiles: true,
+    ignore: globIgnore,
+    dot: true
+  });
+
+  const filtered = [];
+
+  for (const file of files) {
+    const ext = path.extname(file).toLowerCase();
+    if (SKIP_EXTENSIONS.has(ext)) continue;
+
+    const basename = path.basename(file);
+    if (basename.endsWith('.min.js') || basename.endsWith('.min.css')) continue;
+
+    // Load and respect .ship-safeignore
+    if (isIgnoredByFile(file, rootPath)) continue;
+
+    try {
+      const stats = fs.statSync(file);
+      if (stats.size > MAX_FILE_SIZE) continue;
+    } catch {
+      continue;
+    }
+
+    filtered.push(file);
+  }
+
+  return filtered;
+}
+
+// Cache ignore patterns per root to avoid re-reading the file thousands of times
+const _ignoreCache = new Map();
+
+function loadIgnorePatterns(rootPath) {
+  if (_ignoreCache.has(rootPath)) return _ignoreCache.get(rootPath);
+
+  const ignorePath = path.join(rootPath, '.ship-safeignore');
+  let patterns = [];
+
+  if (fs.existsSync(ignorePath)) {
+    try {
+      patterns = fs.readFileSync(ignorePath, 'utf-8')
+        .split('\n')
+        .map(l => l.trim())
+        .filter(l => l && !l.startsWith('#'));
+    } catch {
+      // ignore read error
+    }
+  }
+
+  _ignoreCache.set(rootPath, patterns);
+  return patterns;
+}
+
+function isIgnoredByFile(filePath, rootPath) {
+  const patterns = loadIgnorePatterns(rootPath);
+  if (patterns.length === 0) return false;
+
+  const relPath = path.relative(rootPath, filePath).replace(/\\/g, '/');
+
+  return patterns.some(pattern => {
+    if (pattern.endsWith('/')) {
+      return relPath.startsWith(pattern) || relPath.includes('/' + pattern);
+    }
+    const escaped = pattern
+      .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+      .replace(/\*/g, '[^/]*')
+      .replace(/\?/g, '[^/]');
+    return new RegExp(`(^|/)${escaped}($|/)`).test(relPath);
+  });
+}
+
+/**
+ * Scan a single file and return normalized findings.
+ * Same algorithm as scan.js — inline here to avoid circular dependency
+ * (scan.js has process.exit() side effects).
+ */
+function scanFile(filePath) {
+  const findings = [];
+
+  try {
+    const content = fs.readFileSync(filePath, 'utf-8');
+    const lines = content.split('\n');
+
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+      const line = lines[lineNum];
+
+      if (/ship-safe-ignore/i.test(line)) continue;
+
+      for (const pattern of ALL_PATTERNS) {
+        pattern.pattern.lastIndex = 0;
+
+        let match;
+        while ((match = pattern.pattern.exec(line)) !== null) {
+          if (pattern.requiresEntropyCheck && !isHighEntropyMatch(match[0])) {
+            continue;
+          }
+
+          findings.push({
+            line: lineNum + 1,
+            severity: pattern.severity,
+            category: pattern.category || 'secret',
+          });
+        }
+      }
+    }
+  } catch {
+    // Skip unreadable files
+  }
+
+  // Deduplicate: same (line, severity, category)
+  const seen = new Set();
+  return findings.filter(f => {
+    const key = `${f.line}:${f.severity}:${f.category}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}

package/cli/commands/watch.js

@@ -0,0 +1,160 @@
+/**
+ * Watch Command
+ * ==============
+ *
+ * Continuous file monitoring mode. Watches for file changes
+ * and incrementally scans modified files.
+ *
+ * USAGE:
+ *   npx ship-safe watch [path]     Start watching for changes
+ *   npx ship-safe watch . --poll   Use polling (for network drives)
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import { SKIP_DIRS, SKIP_EXTENSIONS, SECRET_PATTERNS, SECURITY_PATTERNS } from '../utils/patterns.js';
+import { isHighEntropyMatch, getConfidence } from '../utils/entropy.js';
+import * as output from '../utils/output.js';
+
+export async function watchCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+
+  if (!fs.existsSync(absolutePath)) {
+    output.error(`Path does not exist: ${absolutePath}`);
+    process.exit(1);
+  }
+
+  console.log();
+  output.header('Ship Safe — Watch Mode');
+  console.log();
+  console.log(chalk.cyan('  Watching for file changes...'));
+  console.log(chalk.gray('  Press Ctrl+C to stop'));
+  console.log();
+
+  const allPatterns = [...SECRET_PATTERNS, ...SECURITY_PATTERNS];
+  const skipDirSet = SKIP_DIRS;
+  let debounceTimer = null;
+  const pendingFiles = new Set();
+
+  // Use fs.watch recursively
+  try {
+    const watcher = fs.watch(absolutePath, { recursive: true }, (eventType, filename) => {
+      if (!filename) return;
+
+      const fullPath = path.join(absolutePath, filename); // ship-safe-ignore — filename from fs.watch, not user input
+      const relPath = filename.replace(/\\/g, '/');
+
+      // Skip directories we don't care about
+      for (const skipDir of skipDirSet) {
+        if (relPath.includes(`${skipDir}/`) || relPath.startsWith(`${skipDir}/`)) return;
+      }
+
+      // Skip non-code files
+      const ext = path.extname(filename).toLowerCase();
+      if (SKIP_EXTENSIONS.has(ext)) return;
+      if (filename.endsWith('.min.js') || filename.endsWith('.min.css')) return;
+
+      // Add to pending and debounce
+      pendingFiles.add(fullPath);
+
+      if (debounceTimer) clearTimeout(debounceTimer);
+      debounceTimer = setTimeout(() => {
+        const filesToScan = [...pendingFiles];
+        pendingFiles.clear();
+        scanChangedFiles(filesToScan, allPatterns, absolutePath);
+      }, 300);
+    });
+
+    // Keep the process alive
+    process.on('SIGINT', () => {
+      watcher.close();
+      console.log();
+      output.info('Watch mode stopped.');
+      process.exit(0);
+    });
+
+    // Prevent Node from exiting
+    setInterval(() => {}, 1000 * 60 * 60);
+
+  } catch (err) {
+    output.error(`Watch failed: ${err.message}`);
+    console.log(chalk.gray('  Try: npx ship-safe watch . --poll'));
+    process.exit(1);
+  }
+}
+
+function scanChangedFiles(files, patterns, rootPath) {
+  const timestamp = new Date().toLocaleTimeString();
+  let totalFindings = 0;
+
+  for (const filePath of files) {
+    if (!fs.existsSync(filePath)) continue;
+
+    try {
+      const stats = fs.statSync(filePath);
+      if (stats.size > 1_000_000) continue;
+    } catch {
+      continue;
+    }
+
+    const findings = scanFile(filePath, patterns);
+    if (findings.length > 0) {
+      totalFindings += findings.length;
+      const relPath = path.relative(rootPath, filePath);
+
+      for (const f of findings) {
+        const sevColor = f.severity === 'critical' ? chalk.red.bold
+          : f.severity === 'high' ? chalk.yellow
+          : chalk.blue;
+
+        console.log(
+          chalk.gray(`  [${timestamp}] `) +
+          sevColor(`[${f.severity.toUpperCase()}]`) +
+          chalk.white(` ${relPath}:${f.line} `) +
+          chalk.gray(f.patternName)
+        );
+      }
+    }
+  }
+
+  if (totalFindings === 0 && files.length > 0) {
+    console.log(chalk.gray(`  [${timestamp}] ${files.length} file(s) scanned — clean`));
+  }
+}
+
+function scanFile(filePath, patterns) {
+  const findings = [];
+  try {
+    const content = fs.readFileSync(filePath, 'utf-8');
+    const lines = content.split('\n');
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (/ship-safe-ignore/i.test(line)) continue;
+
+      for (const pattern of patterns) {
+        pattern.pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.pattern.exec(line)) !== null) {
+          if (pattern.requiresEntropyCheck && !isHighEntropyMatch(match[0])) continue;
+          findings.push({
+            line: i + 1,
+            patternName: pattern.name,
+            severity: pattern.severity,
+            matched: match[0],
+            category: pattern.category || 'secret',
+          });
+        }
+      }
+    }
+  } catch { /* skip */ }
+
+  const seen = new Set();
+  return findings.filter(f => {
+    const key = `${f.line}:${f.matched}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}

package/cli/index.js

@@ -2,11 +2,49 @@
  * Ship Safe CLI - Module Entry Point
  * ===================================
  *
- * This file exports the CLI commands for programmatic use.
+ * This file exports the CLI commands and agents for programmatic use.
  * For normal CLI usage, run: npx ship-safe
  */
 
+// ── Core Commands ─────────────────────────────────────────────────────────────
 export { scanCommand } from './commands/scan.js';
 export { checklistCommand } from './commands/checklist.js';
 export { initCommand } from './commands/init.js';
-export { SECRET_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';
+export { agentCommand } from './commands/agent.js';
+export { depsCommand, runDepsAudit } from './commands/deps.js';
+export { scoreCommand } from './commands/score.js';
+
+// ── v4.0 Commands ─────────────────────────────────────────────────────────────
+export { auditCommand } from './commands/audit.js';
+export { redTeamCommand } from './commands/red-team.js';
+export { watchCommand } from './commands/watch.js';
+
+// ── Patterns ──────────────────────────────────────────────────────────────────
+export { SECRET_PATTERNS, SECURITY_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';
+
+// ── Agent Framework ───────────────────────────────────────────────────────────
+export { BaseAgent, createFinding } from './agents/base-agent.js';
+export { Orchestrator } from './agents/orchestrator.js';
+export { buildOrchestrator } from './agents/index.js';
+
+// ── Individual Agents ─────────────────────────────────────────────────────────
+export { ReconAgent } from './agents/recon-agent.js';
+export { InjectionTester } from './agents/injection-tester.js';
+export { AuthBypassAgent } from './agents/auth-bypass-agent.js';
+export { SSRFProber } from './agents/ssrf-prober.js';
+export { SupplyChainAudit } from './agents/supply-chain-agent.js';
+export { ConfigAuditor } from './agents/config-auditor.js';
+export { LLMRedTeam } from './agents/llm-redteam.js';
+export { MobileScanner } from './agents/mobile-scanner.js';
+export { GitHistoryScanner } from './agents/git-history-scanner.js';
+export { CICDScanner } from './agents/cicd-scanner.js';
+export { APIFuzzer } from './agents/api-fuzzer.js';
+
+// ── Supporting Modules ────────────────────────────────────────────────────────
+export { ScoringEngine, GRADES, CATEGORIES } from './agents/scoring-engine.js';
+export { SBOMGenerator } from './agents/sbom-generator.js';
+export { PolicyEngine } from './agents/policy-engine.js';
+export { HTMLReporter } from './agents/html-reporter.js';
+
+// ── LLM Providers ─────────────────────────────────────────────────────────────
+export { createProvider, autoDetectProvider } from './providers/llm-provider.js';