ship-safe 9.1.2 → 9.2.0

package/cli/providers/llm-provider.js

@@ -27,6 +27,8 @@ class BaseLLMProvider {
     this.apiKey = apiKey;
     this.model = options.model || null;
     this.baseUrl = options.baseUrl || null;
+    this.think = options.think || false;
+    this.thinkLevel = options.thinkLevel || 'high';
   }
 
   /**
@@ -36,6 +38,16 @@ class BaseLLMProvider {
     throw new Error(`${this.name}.complete() not implemented`);
   }
 
+  /**
+   * Stream a completion as an async iterable of text chunks.
+   * Default implementation falls back to complete() and yields the whole
+   * response at once — providers that support real streaming should override.
+   */
+  async *stream(systemPrompt, userPrompt, options = {}) {
+    const text = await this.complete(systemPrompt, userPrompt, options);
+    if (text) yield text;
+  }
+
   /**
    * Classify security findings using the LLM.
    */
@@ -44,7 +56,7 @@ class BaseLLMProvider {
     const response = await this.complete(
       'You are a security expert. Respond with JSON only, no markdown.',
       prompt,
-      { maxTokens: 4096 }
+      { maxTokens: 4096, think: this.think, thinkLevel: this.thinkLevel }
     );
     return this.parseJSON(response);
   }
@@ -172,25 +184,32 @@ class AnthropicProvider extends BaseLLMProvider {
 class OpenAIProvider extends BaseLLMProvider {
   constructor(apiKey, options = {}) {
     super('OpenAI', apiKey, options);
-    this.model = options.model || 'gpt-4o-mini';
+    this.model = options.model || 'gpt-5.5';
     this.baseUrl = options.baseUrl || 'https://api.openai.com/v1/chat/completions';
   }
 
   async complete(systemPrompt, userPrompt, options = {}) {
+    const body = {
+      model: this.model,
+      max_tokens: options.maxTokens || 2048,
+      messages: [
+        { role: 'system', content: systemPrompt },
+        { role: 'user', content: userPrompt },
+      ],
+    };
+
+    if (options.think) {
+      body.reasoning_effort = options.thinkLevel || 'high';
+      body.max_tokens = options.maxTokens || 16384;
+    }
+
     const response = await fetch(this.baseUrl, {
       method: 'POST',
       headers: {
         'Authorization': `Bearer ${this.apiKey}`,
         'Content-Type': 'application/json',
       },
-      body: JSON.stringify({
-        model: this.model,
-        max_tokens: options.maxTokens || 2048,
-        messages: [
-          { role: 'system', content: systemPrompt },
-          { role: 'user', content: userPrompt },
-        ],
-      }),
+      body: JSON.stringify(body),
     });
 
     if (!response.ok) {
@@ -200,6 +219,71 @@ class OpenAIProvider extends BaseLLMProvider {
     const data = await response.json();
     return data.choices?.[0]?.message?.content || '';
   }
+
+  /**
+   * Streaming variant for the OpenAI Chat Completions SSE protocol.
+   * Yields content tokens as they arrive. Inherited by every
+   * OpenAI-compatible provider (DeepSeek, Kimi, xAI, OpenRouter).
+   */
+  async *stream(systemPrompt, userPrompt, options = {}) {
+    const body = {
+      model: this.model,
+      max_tokens: options.maxTokens || 2048,
+      messages: [
+        { role: 'system', content: systemPrompt },
+        { role: 'user', content: userPrompt },
+      ],
+      stream: true,
+    };
+    if (options.think) {
+      body.reasoning_effort = options.thinkLevel || 'high';
+      body.max_tokens = options.maxTokens || 16384;
+    }
+
+    const response = await fetch(this.baseUrl, {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${this.apiKey}`,
+        'Content-Type':  'application/json',
+        'Accept':        'text/event-stream',
+      },
+      body: JSON.stringify(body),
+    });
+
+    if (!response.ok) {
+      const errBody = await response.text().catch(() => '');
+      throw new Error(`${this.name} API error: HTTP ${response.status} ${errBody.slice(0, 200)}`);
+    }
+
+    const reader  = response.body.getReader();
+    const decoder = new TextDecoder('utf-8');
+    let buffer    = '';
+
+    while (true) {
+      const { value, done } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+
+      // SSE events are separated by blank lines; parse line-by-line and only
+      // act on `data: ` payloads. Everything else (event:, id:, comments) ignored.
+      const lines = buffer.split('\n');
+      buffer = lines.pop() ?? ''; // keep trailing partial line for next chunk
+
+      for (const raw of lines) {
+        const line = raw.trim();
+        if (!line.startsWith('data:')) continue;
+        const payload = line.slice(5).trim();
+        if (!payload || payload === '[DONE]') continue;
+        try {
+          const evt = JSON.parse(payload);
+          const delta = evt.choices?.[0]?.delta;
+          // Token text (delta.content) — yield as-is. Some providers also send
+          // tool_calls; ignored here since the REPL doesn't use tools yet.
+          if (delta?.content) yield delta.content;
+        } catch { /* malformed chunk — skip */ }
+      }
+    }
+  }
 }
 
 // =============================================================================
@@ -356,6 +440,11 @@ class GemmaProvider extends OllamaProvider {
 
 // Well-known OpenAI-compatible base URLs and their default models.
 const OPENAI_COMPATIBLE_PRESETS = {
+  'gpt-5.5':      { baseUrl: 'https://api.openai.com/v1/chat/completions',           model: 'gpt-5.5',                    envKey: 'OPENAI_API_KEY' },
+  'gpt-5.5-pro':  { baseUrl: 'https://api.openai.com/v1/chat/completions',           model: 'gpt-5.5-pro',                envKey: 'OPENAI_API_KEY' },
+  'gpt-5.4':      { baseUrl: 'https://api.openai.com/v1/chat/completions',           model: 'gpt-5.4',                    envKey: 'OPENAI_API_KEY' },
+  'gpt-5.4-mini': { baseUrl: 'https://api.openai.com/v1/chat/completions',           model: 'gpt-5.4-mini',               envKey: 'OPENAI_API_KEY' },
+  'gpt-5.4-nano': { baseUrl: 'https://api.openai.com/v1/chat/completions',           model: 'gpt-5.4-nano',               envKey: 'OPENAI_API_KEY' },
   groq:       { baseUrl: 'https://api.groq.com/openai/v1/chat/completions',         model: 'llama-3.3-70b-versatile',    envKey: 'GROQ_API_KEY' },
   together:   { baseUrl: 'https://api.together.xyz/v1/chat/completions',             model: 'meta-llama/Llama-3-70b-chat-hf', envKey: 'TOGETHER_API_KEY' },
   mistral:    { baseUrl: 'https://api.mistral.ai/v1/chat/completions',               model: 'mistral-large-latest',       envKey: 'MISTRAL_API_KEY' },
@@ -381,7 +470,7 @@ class OpenAICompatibleProvider extends OpenAIProvider {
 
   /** Models known to support OpenAI function calling reliably */
   get supportsStructuredOutput() {
-    return /kimi|moonshot|gpt-4|grok|deepseek|mistral-large/i.test(this.model || '');
+    return /kimi|moonshot|gpt-4|gpt-5|grok|deepseek|mistral-large/i.test(this.model || '');
   }
 
   async complete(systemPrompt, userPrompt, options = {}) {
@@ -394,6 +483,10 @@ class OpenAICompatibleProvider extends OpenAIProvider {
       ],
     };
     if (options.jsonMode) body.response_format = { type: 'json_object' };
+    if (options.think) {
+      body.reasoning_effort = options.thinkLevel || 'high';
+      body.max_tokens = options.maxTokens || 16384;
+    }
 
     const response = await fetch(this.baseUrl, {
       method: 'POST',
@@ -512,8 +605,10 @@ export function createProvider(provider, apiKey, options = {}) {
       name.charAt(0).toUpperCase() + name.slice(1),
       apiKey,
       {
-        baseUrl: options.baseUrl || preset.baseUrl,
-        model:   options.model   || preset.model || 'default',
+        baseUrl:    options.baseUrl || preset.baseUrl,
+        model:      options.model   || preset.model || 'default',
+        think:      options.think,
+        thinkLevel: options.thinkLevel,
       }
     );
   }
@@ -526,7 +621,7 @@ export function createProvider(provider, apiKey, options = {}) {
   throw new Error(
     `Unknown LLM provider: "${provider}".\n` +
     `Built-in: anthropic, openai, google, ollama\n` +
-    `Presets:  groq, together, mistral, cohere, deepseek, deepseek-flash, perplexity, lmstudio, xai, kimi\n` +
+    `Presets:  gpt-5.5, gpt-5.5-pro, gpt-5.4, gpt-5.4-mini, gpt-5.4-nano, groq, together, mistral, cohere, deepseek, deepseek-flash, perplexity, lmstudio, xai, kimi\n` +
     `Custom:   pass any name with --base-url <url>`
   );
 }
@@ -542,8 +637,10 @@ export function autoDetectProvider(rootPath, options = {}) {
   if (options.provider) {
     const apiKey = resolveApiKey(options.provider, rootPath);
     return createProvider(options.provider, apiKey, {
-      model:   options.model,
-      baseUrl: options.baseUrl,
+      model:      options.model,
+      baseUrl:    options.baseUrl,
+      think:      options.think,
+      thinkLevel: options.thinkLevel,
     });
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship-safe",
-  "version": "9.1.2",
+  "version": "9.2.0",
   "description": "AI-powered multi-agent security platform. 23 agents scan 80+ attack classes including AI integration supply chain (Vercel-class attacks), Hermes Agent deployments (ASI-01–ASI-10), tool registry poisoning, function-call injection, skill permission drift, and agent attestation. Ship Safe × Hermes Agent.",
   "main": "cli/index.js",
   "bin": {