npm - siclaw - Versions diffs - 0.1.0 → 0.1.2 - Mend

siclaw 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (270) hide show

package/README.md +75 -114
package/dist/agentbox/gateway-client.d.ts +2 -1
package/dist/agentbox/gateway-client.js +6 -2
package/dist/agentbox/gateway-client.js.map +1 -1
package/dist/agentbox/http-server.js +184 -19
package/dist/agentbox/http-server.js.map +1 -1
package/dist/agentbox/resource-handlers.d.ts +1 -0
package/dist/agentbox/resource-handlers.js +23 -23
package/dist/agentbox/resource-handlers.js.map +1 -1
package/dist/agentbox/session.js +85 -5
package/dist/agentbox/session.js.map +1 -1
package/dist/agentbox-main.d.ts +2 -1
package/dist/agentbox-main.js +65 -18
package/dist/agentbox-main.js.map +1 -1
package/dist/cli-credentials.d.ts +1 -0
package/dist/cli-credentials.js +109 -0
package/dist/cli-credentials.js.map +1 -0
package/dist/cli-first-run.d.ts +11 -0
package/dist/cli-first-run.js +99 -0
package/dist/cli-first-run.js.map +1 -0
package/dist/cli-main.js +33 -11
package/dist/cli-main.js.map +1 -1
package/dist/cli-setup.d.ts +5 -11
package/dist/cli-setup.js +12 -225
package/dist/cli-setup.js.map +1 -1
package/dist/core/agent-factory.d.ts +4 -0
package/dist/core/agent-factory.js +102 -151
package/dist/core/agent-factory.js.map +1 -1
package/dist/core/config.d.ts +10 -3
package/dist/core/config.js +11 -95
package/dist/core/config.js.map +1 -1
package/dist/core/extensions/deep-investigation.d.ts +2 -1
package/dist/core/extensions/deep-investigation.js +144 -24
package/dist/core/extensions/deep-investigation.js.map +1 -1
package/dist/core/extensions/setup.d.ts +8 -0
package/dist/core/extensions/setup.js +669 -0
package/dist/core/extensions/setup.js.map +1 -0
package/dist/core/llm-proxy.js +7 -3
package/dist/core/llm-proxy.js.map +1 -1
package/dist/core/mcp-client.d.ts +0 -10
package/dist/core/mcp-client.js +0 -65
package/dist/core/mcp-client.js.map +1 -1
package/dist/core/prompt.d.ts +1 -1
package/dist/core/prompt.js +42 -5
package/dist/core/prompt.js.map +1 -1
package/dist/core/provider-presets.d.ts +14 -0
package/dist/core/provider-presets.js +81 -0
package/dist/core/provider-presets.js.map +1 -0
package/dist/cron/cron-coordinator.d.ts +2 -0
package/dist/cron/cron-coordinator.js +46 -14
package/dist/cron/cron-coordinator.js.map +1 -1
package/dist/cron/cron-executor.js +33 -8
package/dist/cron/cron-executor.js.map +1 -1
package/dist/cron/cron-scheduler.d.ts +1 -1
package/dist/cron/gateway-client.d.ts +5 -0
package/dist/cron/gateway-client.js +43 -8
package/dist/cron/gateway-client.js.map +1 -1
package/dist/cron-main.js +39 -9
package/dist/cron-main.js.map +1 -1
package/dist/gateway/agentbox/client.d.ts +11 -0
package/dist/gateway/agentbox/client.js +18 -0
package/dist/gateway/agentbox/client.js.map +1 -1
package/dist/gateway/agentbox/k8s-spawner.d.ts +11 -2
package/dist/gateway/agentbox/k8s-spawner.js +95 -52
package/dist/gateway/agentbox/k8s-spawner.js.map +1 -1
package/dist/gateway/agentbox/local-spawner.d.ts +1 -1
package/dist/gateway/agentbox/local-spawner.js +4 -2
package/dist/gateway/agentbox/local-spawner.js.map +1 -1
package/dist/gateway/agentbox/manager.d.ts +0 -10
package/dist/gateway/agentbox/manager.js +11 -30
package/dist/gateway/agentbox/manager.js.map +1 -1
package/dist/gateway/agentbox/types.d.ts +6 -4
package/dist/gateway/cron/cron-service.d.ts +49 -0
package/dist/gateway/cron/cron-service.js +259 -0
package/dist/gateway/cron/cron-service.js.map +1 -0
package/dist/gateway/db/init-schema.js +44 -0
package/dist/gateway/db/init-schema.js.map +1 -1
package/dist/gateway/db/migrate-sqlite.js +73 -4
package/dist/gateway/db/migrate-sqlite.js.map +1 -1
package/dist/gateway/db/repositories/chat-repo.d.ts +56 -2
package/dist/gateway/db/repositories/chat-repo.js +132 -2
package/dist/gateway/db/repositories/chat-repo.js.map +1 -1
package/dist/gateway/db/repositories/config-repo.d.ts +31 -2
package/dist/gateway/db/repositories/config-repo.js +57 -7
package/dist/gateway/db/repositories/config-repo.js.map +1 -1
package/dist/gateway/db/repositories/env-repo.d.ts +14 -0
package/dist/gateway/db/repositories/env-repo.js +15 -2
package/dist/gateway/db/repositories/env-repo.js.map +1 -1
package/dist/gateway/db/repositories/model-config-repo.d.ts +1 -1
package/dist/gateway/db/repositories/model-config-repo.js +26 -12
package/dist/gateway/db/repositories/model-config-repo.js.map +1 -1
package/dist/gateway/db/repositories/skill-repo.d.ts +0 -5
package/dist/gateway/db/repositories/skill-review-repo.d.ts +1 -0
package/dist/gateway/db/repositories/skill-review-repo.js +4 -1
package/dist/gateway/db/repositories/skill-review-repo.js.map +1 -1
package/dist/gateway/db/repositories/skill-version-repo.js +0 -1
package/dist/gateway/db/repositories/skill-version-repo.js.map +1 -1
package/dist/gateway/db/repositories/system-config-repo.d.ts +1 -1
package/dist/gateway/db/repositories/system-config-repo.js +2 -1
package/dist/gateway/db/repositories/system-config-repo.js.map +1 -1
package/dist/gateway/db/repositories/user-env-config-repo.d.ts +13 -0
package/dist/gateway/db/repositories/user-env-config-repo.js +11 -0
package/dist/gateway/db/repositories/user-env-config-repo.js.map +1 -1
package/dist/gateway/db/repositories/workspace-repo.d.ts +3 -2
package/dist/gateway/db/repositories/workspace-repo.js +6 -2
package/dist/gateway/db/repositories/workspace-repo.js.map +1 -1
package/dist/gateway/db/schema-mysql.d.ts +473 -51
package/dist/gateway/db/schema-mysql.js +35 -4
package/dist/gateway/db/schema-mysql.js.map +1 -1
package/dist/gateway/db/schema-sqlite.d.ts +522 -57
package/dist/gateway/db/schema-sqlite.js +38 -6
package/dist/gateway/db/schema-sqlite.js.map +1 -1
package/dist/gateway/db/schema.d.ts +471 -51
package/dist/gateway/db/schema.js +1 -1
package/dist/gateway/db/schema.js.map +1 -1
package/dist/gateway/metrics-aggregator.d.ts +65 -0
package/dist/gateway/metrics-aggregator.js +244 -0
package/dist/gateway/metrics-aggregator.js.map +1 -0
package/dist/gateway/plugins/channel-bridge.d.ts +4 -1
package/dist/gateway/plugins/channel-bridge.js +78 -86
package/dist/gateway/plugins/channel-bridge.js.map +1 -1
package/dist/gateway/rpc-methods.d.ts +4 -2
package/dist/gateway/rpc-methods.js +962 -163
package/dist/gateway/rpc-methods.js.map +1 -1
package/dist/gateway/security/cert-manager.d.ts +2 -2
package/dist/gateway/security/cert-manager.js +4 -2
package/dist/gateway/security/cert-manager.js.map +1 -1
package/dist/gateway/server.d.ts +4 -8
package/dist/gateway/server.js +297 -261
package/dist/gateway/server.js.map +1 -1
package/dist/gateway/skills/file-writer.js +17 -11
package/dist/gateway/skills/file-writer.js.map +1 -1
package/dist/gateway/skills/script-evaluator.js +12 -9
package/dist/gateway/skills/script-evaluator.js.map +1 -1
package/dist/gateway/web/dist/assets/index-0p17ZeTP.js +740 -0
package/dist/gateway/web/dist/assets/index-9eP6nPUq.js +741 -0
package/dist/gateway/web/dist/assets/index-9eP6nPUq.js.map +1 -0
package/dist/gateway/web/dist/assets/index-CAmSY91d.js +675 -0
package/dist/gateway/web/dist/assets/index-DMFEh8Pp.css +1 -0
package/dist/gateway/web/dist/assets/index-DyowBCEj.css +1 -0
package/dist/gateway/web/dist/assets/index-PDK5JJDO.css +1 -0
package/dist/gateway/web/dist/index.html +2 -2
package/dist/gateway-main.js +27 -10
package/dist/gateway-main.js.map +1 -1
package/dist/memory/embeddings.js +5 -4
package/dist/memory/embeddings.js.map +1 -1
package/dist/memory/indexer.d.ts +23 -3
package/dist/memory/indexer.js +235 -23
package/dist/memory/indexer.js.map +1 -1
package/dist/memory/schema.js +15 -1
package/dist/memory/schema.js.map +1 -1
package/dist/memory/types.d.ts +18 -0
package/dist/memory/types.js +6 -1
package/dist/memory/types.js.map +1 -1
package/dist/shared/detect-language.d.ts +12 -0
package/dist/shared/detect-language.js +78 -0
package/dist/shared/detect-language.js.map +1 -0
package/dist/shared/diagnostic-events.d.ts +70 -0
package/dist/shared/diagnostic-events.js +38 -0
package/dist/shared/diagnostic-events.js.map +1 -0
package/dist/shared/local-collector.d.ts +56 -0
package/dist/shared/local-collector.js +284 -0
package/dist/shared/local-collector.js.map +1 -0
package/dist/shared/metrics-types.d.ts +64 -0
package/dist/shared/metrics-types.js +25 -0
package/dist/shared/metrics-types.js.map +1 -0
package/dist/shared/metrics.d.ts +19 -0
package/dist/shared/metrics.js +185 -0
package/dist/shared/metrics.js.map +1 -0
package/dist/shared/path-utils.d.ts +15 -0
package/dist/shared/path-utils.js +23 -0
package/dist/shared/path-utils.js.map +1 -0
package/dist/shared/retry.d.ts +35 -0
package/dist/shared/retry.js +61 -0
package/dist/shared/retry.js.map +1 -0
package/dist/tools/command-sets.d.ts +18 -2
package/dist/tools/command-sets.js +207 -32
package/dist/tools/command-sets.js.map +1 -1
package/dist/tools/command-validator.d.ts +56 -0
package/dist/tools/command-validator.js +357 -0
package/dist/tools/command-validator.js.map +1 -0
package/dist/tools/create-skill.js +26 -1
package/dist/tools/create-skill.js.map +1 -1
package/dist/tools/credential-list.js +1 -23
package/dist/tools/credential-list.js.map +1 -1
package/dist/tools/credential-manager.d.ts +98 -0
package/dist/tools/credential-manager.js +313 -0
package/dist/tools/credential-manager.js.map +1 -0
package/dist/tools/deep-search/engine.js +184 -127
package/dist/tools/deep-search/engine.js.map +1 -1
package/dist/tools/deep-search/prompts.d.ts +10 -2
package/dist/tools/deep-search/prompts.js +37 -36
package/dist/tools/deep-search/prompts.js.map +1 -1
package/dist/tools/deep-search/schemas.d.ts +87 -0
package/dist/tools/deep-search/schemas.js +85 -0
package/dist/tools/deep-search/schemas.js.map +1 -0
package/dist/tools/deep-search/sub-agent.d.ts +21 -0
package/dist/tools/deep-search/sub-agent.js +153 -4
package/dist/tools/deep-search/sub-agent.js.map +1 -1
package/dist/tools/deep-search/tool.js +1 -0
package/dist/tools/deep-search/tool.js.map +1 -1
package/dist/tools/deep-search/types.d.ts +2 -0
package/dist/tools/deep-search/types.js.map +1 -1
package/dist/tools/dp-tools.js +29 -5
package/dist/tools/dp-tools.js.map +1 -1
package/dist/tools/exec-utils.d.ts +85 -0
package/dist/tools/exec-utils.js +294 -0
package/dist/tools/exec-utils.js.map +1 -0
package/dist/tools/fork-skill.js +14 -2
package/dist/tools/fork-skill.js.map +1 -1
package/dist/tools/investigation-feedback.d.ts +3 -0
package/dist/tools/investigation-feedback.js +71 -0
package/dist/tools/investigation-feedback.js.map +1 -0
package/dist/tools/manage-schedule.js +16 -6
package/dist/tools/manage-schedule.js.map +1 -1
package/dist/tools/netns-script.js +27 -281
package/dist/tools/netns-script.js.map +1 -1
package/dist/tools/node-exec.d.ts +2 -14
package/dist/tools/node-exec.js +18 -225
package/dist/tools/node-exec.js.map +1 -1
package/dist/tools/node-script.js +14 -168
package/dist/tools/node-script.js.map +1 -1
package/dist/tools/pod-exec.d.ts +1 -1
package/dist/tools/pod-exec.js +10 -26
package/dist/tools/pod-exec.js.map +1 -1
package/dist/tools/pod-nsenter-exec.js +21 -225
package/dist/tools/pod-nsenter-exec.js.map +1 -1
package/dist/tools/pod-script.js +10 -19
package/dist/tools/pod-script.js.map +1 -1
package/dist/tools/restricted-bash.d.ts +1 -17
package/dist/tools/restricted-bash.js +38 -252
package/dist/tools/restricted-bash.js.map +1 -1
package/dist/tools/run-skill.d.ts +3 -1
package/dist/tools/run-skill.js +21 -1
package/dist/tools/run-skill.js.map +1 -1
package/dist/tools/script-resolver.d.ts +3 -1
package/dist/tools/script-resolver.js +74 -30
package/dist/tools/script-resolver.js.map +1 -1
package/dist/tools/update-skill.js +17 -6
package/dist/tools/update-skill.js.map +1 -1
package/package.json +8 -6
package/siclaw.mjs +10 -1
package/skills/core/cluster-events/SKILL.md +1 -1
package/skills/core/deep-investigation/SKILL.md +11 -0
package/skills/core/deployment-rollout-debug/SKILL.md +1 -1
package/skills/core/dns-debug/SKILL.md +1 -0
package/skills/core/meta.json +12 -1
package/skills/core/networkpolicy-debug/SKILL.md +332 -0
package/skills/core/node-logs/scripts/get-node-logs.sh +19 -9
package/skills/core/pod-pending-debug/SKILL.md +1 -0
package/skills/core/quota-debug/SKILL.md +203 -0
package/skills/core/service-debug/SKILL.md +1 -0
package/skills/core/statefulset-debug/SKILL.md +280 -0
package/skills/core/volcano-diagnose-pod/SKILL.md +196 -0
package/skills/core/volcano-diagnose-pod/scripts/diagnose-pod.sh +175 -0
package/skills/core/volcano-gang-scheduling/SKILL.md +299 -0
package/skills/core/volcano-job-diagnose/SKILL.md +319 -0
package/skills/core/volcano-job-diagnose/scripts/diagnose-job.sh +253 -0
package/skills/core/volcano-node-resources/SKILL.md +334 -0
package/skills/core/volcano-node-resources/scripts/get-node-resources.sh +281 -0
package/skills/core/volcano-queue-diagnose/SKILL.md +294 -0
package/skills/core/volcano-queue-diagnose/scripts/diagnose-queue.sh +283 -0
package/skills/core/volcano-resource-insufficient/SKILL.md +315 -0
package/skills/core/volcano-scheduler-config/SKILL.md +371 -0
package/skills/core/volcano-scheduler-config/scripts/get-scheduler-config.sh +297 -0
package/skills/core/volcano-scheduler-logs/SKILL.md +241 -0
package/skills/core/volcano-scheduler-logs/scripts/get-scheduler-logs.sh +159 -0
package/skills/platform/create-skill/SKILL.md +35 -3
package/skills/platform/manage-skill/SKILL.md +9 -2
package/skills/platform/update-skill/SKILL.md +17 -6

package/dist/shared/metrics.js ADDED Viewed

@@ -0,0 +1,185 @@
+/**
+ * Prometheus metrics subscriber — the ONLY file that depends on prom-client.
+ *
+ * Subscribes to the diagnostic event bus and maps events to Prometheus metrics.
+ * Business code never imports this module directly — it only calls emitDiagnostic().
+ *
+ * Importing this module (side-effect import) registers the subscriber automatically.
+ */
+import { Counter, Gauge, Histogram, Registry } from "prom-client";
+import { onDiagnostic } from "./diagnostic-events.js";
+/**
+ * Check bearer token authentication for /metrics endpoints.
+ * Returns true if the request is authorized (or no token is configured).
+ * Returns false and sends 401 response if unauthorized.
+ */
+export function checkMetricsAuth(req, res, configuredToken) {
+    const token = configuredToken || process.env.SICLAW_METRICS_TOKEN;
+    if (token && req.headers.authorization !== `Bearer ${token}`) {
+        res.writeHead(401, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Unauthorized" }));
+        return false;
+    }
+    return true;
+}
+export const metricsRegistry = new Registry();
+/** Whether to include user_id label on token/cost metrics (dynamic, refreshable) */
+let includeUserId = process.env.SICLAW_METRICS_USER_ID !== "false";
+/** Update the includeUserId flag at runtime (called by Gateway when DB config changes) */
+export function setIncludeUserId(value) {
+    includeUserId = value;
+}
+// ── Phase 1: Core metrics (7) ──
+const tokensTotal = new Counter({
+    name: "siclaw_tokens_total",
+    help: "Cumulative token consumption",
+    labelNames: ["type", "provider", "model", "user_id"],
+    registers: [metricsRegistry],
+});
+const costUsdTotal = new Counter({
+    name: "siclaw_cost_usd_total",
+    help: "Cumulative LLM cost in USD",
+    labelNames: ["provider", "model", "user_id"],
+    registers: [metricsRegistry],
+});
+const promptDurationMs = new Histogram({
+    name: "siclaw_prompt_duration_ms",
+    help: "Prompt end-to-end processing latency in milliseconds",
+    labelNames: ["provider", "model", "outcome"],
+    buckets: [500, 1_000, 2_500, 5_000, 10_000, 30_000, 60_000, 120_000, 300_000],
+    registers: [metricsRegistry],
+});
+const promptsTotal = new Counter({
+    name: "siclaw_prompts_total",
+    help: "Total prompts processed",
+    labelNames: ["provider", "model", "outcome"],
+    registers: [metricsRegistry],
+});
+const sessionsActive = new Gauge({
+    name: "siclaw_sessions_active",
+    help: "Current number of active sessions",
+    registers: [metricsRegistry],
+});
+const toolCallsTotal = new Counter({
+    name: "siclaw_tool_calls_total",
+    help: "Total tool invocations",
+    labelNames: ["tool_name", "outcome"],
+    registers: [metricsRegistry],
+});
+const wsConnections = new Gauge({
+    name: "siclaw_ws_connections",
+    help: "Current number of WebSocket connections",
+    registers: [metricsRegistry],
+});
+// ── Skill metrics ──
+// NOTE: siclaw_skill_calls_total uses skill_name label which is unbounded.
+// If personal skill count grows large, consider dropping this counter and
+// relying solely on the low-cardinality siclaw_skill_calls_by_scope_total.
+const skillCallsTotal = new Counter({
+    name: "siclaw_skill_calls_total",
+    help: "Total skill invocations",
+    labelNames: ["skill_name", "scope", "outcome"],
+    registers: [metricsRegistry],
+});
+const skillCallsByScopeTotal = new Counter({
+    name: "siclaw_skill_calls_by_scope_total",
+    help: "Total skill invocations aggregated by scope (low-cardinality fallback)",
+    labelNames: ["scope", "outcome"],
+    registers: [metricsRegistry],
+});
+// ── Phase 2: Session health metrics (4) ──
+const contextTokensUsed = new Gauge({
+    name: "siclaw_context_tokens_used",
+    help: "Current context window tokens used (sampled per turn)",
+    labelNames: ["provider", "model"],
+    registers: [metricsRegistry],
+});
+const contextTokensLimit = new Gauge({
+    name: "siclaw_context_tokens_limit",
+    help: "Context window token limit (sampled per turn)",
+    labelNames: ["provider", "model"],
+    registers: [metricsRegistry],
+});
+const sessionStuckTotal = new Counter({
+    name: "siclaw_session_stuck_total",
+    help: "Number of stuck sessions detected",
+    registers: [metricsRegistry],
+});
+const sessionStuckAgeMs = new Histogram({
+    name: "siclaw_session_stuck_age_ms",
+    help: "Duration of stuck sessions in milliseconds",
+    buckets: [30_000, 60_000, 120_000, 300_000],
+    registers: [metricsRegistry],
+});
+// ── Event → metric mapping ──
+function handleDiagnostic(event) {
+    switch (event.type) {
+        case "prompt_complete": {
+            const { prev, curr, model, durationMs, outcome, userId } = event;
+            const provider = model?.provider ?? "unknown";
+            const modelId = model?.id ?? "unknown";
+            // Token deltas (session stats are cumulative — subtract pre-prompt snapshot)
+            const dInput = curr.tokens.input - prev.tokens.input;
+            const dOutput = curr.tokens.output - prev.tokens.output;
+            const dCacheRead = curr.tokens.cacheRead - prev.tokens.cacheRead;
+            const dCacheWrite = curr.tokens.cacheWrite - prev.tokens.cacheWrite;
+            const baseLabels = includeUserId && userId
+                ? { provider, model: modelId, user_id: userId }
+                : { provider, model: modelId };
+            if (dInput > 0)
+                tokensTotal.inc({ ...baseLabels, type: "input" }, dInput);
+            if (dOutput > 0)
+                tokensTotal.inc({ ...baseLabels, type: "output" }, dOutput);
+            if (dCacheRead > 0)
+                tokensTotal.inc({ ...baseLabels, type: "cache_read" }, dCacheRead);
+            if (dCacheWrite > 0)
+                tokensTotal.inc({ ...baseLabels, type: "cache_write" }, dCacheWrite);
+            // Cost delta
+            const dCost = curr.cost - prev.cost;
+            if (dCost > 0)
+                costUsdTotal.inc(baseLabels, dCost);
+            // Prompt duration + count
+            const outcomeLabels = { provider, model: modelId, outcome };
+            promptDurationMs.observe(outcomeLabels, durationMs);
+            promptsTotal.inc(outcomeLabels);
+            break;
+        }
+        case "session_created":
+            sessionsActive.inc();
+            break;
+        case "session_released":
+            sessionsActive.dec();
+            break;
+        case "tool_call":
+            toolCallsTotal.inc({ tool_name: event.toolName, outcome: event.outcome });
+            break;
+        case "skill_call":
+            skillCallsTotal.inc({
+                skill_name: event.skillName,
+                scope: event.scope,
+                outcome: event.outcome,
+            });
+            skillCallsByScopeTotal.inc({
+                scope: event.scope,
+                outcome: event.outcome,
+            });
+            break;
+        case "ws_connected":
+            wsConnections.inc();
+            break;
+        case "ws_disconnected":
+            wsConnections.dec();
+            break;
+        case "context_usage":
+            contextTokensUsed.set({ provider: event.provider, model: event.model }, event.tokensUsed);
+            contextTokensLimit.set({ provider: event.provider, model: event.model }, event.tokensLimit);
+            break;
+        case "session_stuck":
+            sessionStuckTotal.inc();
+            sessionStuckAgeMs.observe(event.idleMs);
+            break;
+    }
+}
+// Auto-register subscriber when this module is imported
+onDiagnostic(handleDiagnostic);
+//# sourceMappingURL=metrics.js.map

package/dist/shared/metrics.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"metrics.js","sourceRoot":"","sources":["../../src/shared/metrics.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,YAAY,EAAwB,MAAM,wBAAwB,CAAC;AAE5E;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAyB,EAAE,GAAwB,EAAE,eAAwB;IAC5G,MAAM,KAAK,GAAG,eAAe,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAClE,IAAI,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,aAAa,KAAK,UAAU,KAAK,EAAE,EAAE,CAAC;QAC7D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC;QACnD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,MAAM,eAAe,GAAG,IAAI,QAAQ,EAAE,CAAC;AAE9C,oFAAoF;AACpF,IAAI,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,OAAO,CAAC;AAEnE,0FAA0F;AAC1F,MAAM,UAAU,gBAAgB,CAAC,KAAc;IAC7C,aAAa,GAAG,KAAK,CAAC;AACxB,CAAC;AAED,kCAAkC;AAElC,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC;IAC9B,IAAI,EAAE,qBAAqB;IAC3B,IAAI,EAAE,8BAA8B;IACpC,UAAU,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,CAAU;IAC7D,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,IAAI,OAAO,CAAC;IAC/B,IAAI,EAAE,uBAAuB;IAC7B,IAAI,EAAE,4BAA4B;IAClC,UAAU,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,SAAS,CAAU;IACrD,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,IAAI,SAAS,CAAC;IACrC,IAAI,EAAE,2BAA2B;IACjC,IAAI,EAAE,sDAAsD;IAC5D,UAAU,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,SAAS,CAAU;IACrD,OAAO,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC;IAC7E,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,IAAI,OAAO,CAAC;IAC/B,IAAI,EAAE,sBAAsB;IAC5B,IAAI,EAAE,yBAAyB;IAC/B,UAAU,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,SAAS,CAAU;IACrD,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,IAAI,KAAK,CAAC;IAC/B,IAAI,EAAE,wBAAwB;IAC9B,IAAI,EAAE,mCAAmC;IACzC,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,IAAI,OAAO,CAAC;IACjC,IAAI,EAAE,yBAAyB;IAC/B,IAAI,EAAE,wBAAwB;IAC9B,UAAU,EAAE,CAAC,WAAW,EAAE,SAAS,CAAU;IAC7C,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC;IAC9B,IAAI,EAAE,uBAAuB;IAC7B,IAAI,EAAE,yCAAyC;IAC/C,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,sBAAsB;AACtB,2EAA2E;AAC3E,0EAA0E;AAC1E,2EAA2E;AAE3E,MAAM,eAAe,GAAG,IAAI,OAAO,CAAC;IAClC,IAAI,EAAE,0BAA0B;IAChC,IAAI,EAAE,yBAAyB;IAC/B,UAAU,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,SAAS,CAAU;IACvD,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,IAAI,OAAO,CAAC;IACzC,IAAI,EAAE,mCAAmC;IACzC,IAAI,EAAE,wEAAwE;IAC9E,UAAU,EAAE,CAAC,OAAO,EAAE,SAAS,CAAU;IACzC,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,4CAA4C;AAE5C,MAAM,iBAAiB,GAAG,IAAI,KAAK,CAAC;IAClC,IAAI,EAAE,4BAA4B;IAClC,IAAI,EAAE,uDAAuD;IAC7D,UAAU,EAAE,CAAC,UAAU,EAAE,OAAO,CAAU;IAC1C,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,IAAI,KAAK,CAAC;IACnC,IAAI,EAAE,6BAA6B;IACnC,IAAI,EAAE,+CAA+C;IACrD,UAAU,EAAE,CAAC,UAAU,EAAE,OAAO,CAAU;IAC1C,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,IAAI,OAAO,CAAC;IACpC,IAAI,EAAE,4BAA4B;IAClC,IAAI,EAAE,mCAAmC;IACzC,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,IAAI,SAAS,CAAC;IACtC,IAAI,EAAE,6BAA6B;IACnC,IAAI,EAAE,4CAA4C;IAClD,OAAO,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC;IAC3C,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,+BAA+B;AAE/B,SAAS,gBAAgB,CAAC,KAAsB;IAC9C,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;YACjE,MAAM,QAAQ,GAAG,KAAK,EAAE,QAAQ,IAAI,SAAS,CAAC;YAC9C,MAAM,OAAO,GAAG,KAAK,EAAE,EAAE,IAAI,SAAS,CAAC;YAEvC,6EAA6E;YAC7E,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;YACrD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;YACxD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;YACjE,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;YAEpE,MAAM,UAAU,GAAG,aAAa,IAAI,MAAM;gBACxC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE;gBAC/C,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;YAEjC,IAAI,MAAM,GAAG,CAAC;gBAAE,WAAW,CAAC,GAAG,CAAC,EAAE,GAAG,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,MAAM,CAAC,CAAC;YAC1E,IAAI,OAAO,GAAG,CAAC;gBAAE,WAAW,CAAC,GAAG,CAAC,EAAE,GAAG,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,OAAO,CAAC,CAAC;YAC7E,IAAI,UAAU,GAAG,CAAC;gBAAE,WAAW,CAAC,GAAG,CAAC,EAAE,GAAG,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,UAAU,CAAC,CAAC;YACvF,IAAI,WAAW,GAAG,CAAC;gBAAE,WAAW,CAAC,GAAG,CAAC,EAAE,GAAG,UAAU,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,WAAW,CAAC,CAAC;YAE1F,aAAa;YACb,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YACpC,IAAI,KAAK,GAAG,CAAC;gBAAE,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;YAEnD,0BAA0B;YAC1B,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;YAC5D,gBAAgB,CAAC,OAAO,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;YACpD,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAChC,MAAM;QACR,CAAC;QAED,KAAK,iBAAiB;YACpB,cAAc,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM;QAER,KAAK,kBAAkB;YACrB,cAAc,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM;QAER,KAAK,WAAW;YACd,cAAc,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC1E,MAAM;QAER,KAAK,YAAY;YACf,eAAe,CAAC,GAAG,CAAC;gBAClB,UAAU,EAAE,KAAK,CAAC,SAAS;gBAC3B,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,OAAO,EAAE,KAAK,CAAC,OAAO;aACvB,CAAC,CAAC;YACH,sBAAsB,CAAC,GAAG,CAAC;gBACzB,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,OAAO,EAAE,KAAK,CAAC,OAAO;aACvB,CAAC,CAAC;YACH,MAAM;QAER,KAAK,cAAc;YACjB,aAAa,CAAC,GAAG,EAAE,CAAC;YACpB,MAAM;QAER,KAAK,iBAAiB;YACpB,aAAa,CAAC,GAAG,EAAE,CAAC;YACpB,MAAM;QAER,KAAK,eAAe;YAClB,iBAAiB,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;YAC1F,kBAAkB,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;YAC5F,MAAM;QAER,KAAK,eAAe;YAClB,iBAAiB,CAAC,GAAG,EAAE,CAAC;YACxB,iBAAiB,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YACxC,MAAM;IACV,CAAC;AACH,CAAC;AAED,wDAAwD;AACxD,YAAY,CAAC,gBAAgB,CAAC,CAAC"}

package/dist/shared/path-utils.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Shared path traversal validation utility.
+ *
+ * Used by resource handlers, credential manager, and http-server to ensure
+ * resolved paths stay within a designated base directory.
+ */
+/**
+ * Resolve a path under a base directory, throwing if it escapes.
+ *
+ * @param base - The trusted base directory (must be an absolute, resolved path)
+ * @param segments - Untrusted path segments to join under base
+ * @returns The resolved absolute path guaranteed to be under base
+ * @throws Error if the resolved path escapes the base directory
+ */
+export declare function resolveUnderDir(base: string, ...segments: string[]): string;

package/dist/shared/path-utils.js ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+ * Shared path traversal validation utility.
+ *
+ * Used by resource handlers, credential manager, and http-server to ensure
+ * resolved paths stay within a designated base directory.
+ */
+import path from "node:path";
+/**
+ * Resolve a path under a base directory, throwing if it escapes.
+ *
+ * @param base - The trusted base directory (must be an absolute, resolved path)
+ * @param segments - Untrusted path segments to join under base
+ * @returns The resolved absolute path guaranteed to be under base
+ * @throws Error if the resolved path escapes the base directory
+ */
+export function resolveUnderDir(base, ...segments) {
+    const resolved = path.resolve(base, ...segments);
+    if (resolved !== base && !resolved.startsWith(base + path.sep)) {
+        throw new Error(`Path escapes base directory: ${resolved}`);
+    }
+    return resolved;
+}
+//# sourceMappingURL=path-utils.js.map

package/dist/shared/path-utils.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"path-utils.js","sourceRoot":"","sources":["../../src/shared/path-utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY,EAAE,GAAG,QAAkB;IACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,KAAK,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,EAAE,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/shared/retry.d.ts ADDED Viewed

@@ -0,0 +1,35 @@
+/**
+ * Retry with exponential backoff — generic utility for HTTP calls.
+ *
+ * Pattern borrowed from src/memory/embeddings.ts.
+ */
+export interface RetryOptions {
+    /** Maximum number of attempts (including the first). Default: 3 */
+    maxAttempts?: number;
+    /** Base delay in ms before first retry. Default: 1000 */
+    baseDelayMs?: number;
+    /** Maximum delay cap in ms. Default: 10000 */
+    maxDelayMs?: number;
+    /** Optional predicate — return false to skip retries for certain errors */
+    shouldRetry?: (err: unknown) => boolean;
+    /** Label for log messages */
+    label?: string;
+}
+/**
+ * Execute `fn` with retry + exponential backoff.
+ *
+ * Delay formula: min(maxDelayMs, baseDelayMs * 2^attempt * (1 + random()*0.2))
+ */
+export declare function withRetry<T>(fn: () => Promise<T>, opts?: RetryOptions): Promise<T>;
+/**
+ * Typed HTTP error with status code — avoids fragile regex on message strings.
+ */
+export declare class HttpError extends Error {
+    readonly status: number;
+    constructor(status: number, message: string);
+}
+/**
+ * Default shouldRetry predicate for HTTP calls:
+ * retry on network errors and 5xx / 429, skip on other 4xx.
+ */
+export declare function shouldRetryHttp(err: unknown): boolean;

package/dist/shared/retry.js ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Retry with exponential backoff — generic utility for HTTP calls.
+ *
+ * Pattern borrowed from src/memory/embeddings.ts.
+ */
+/**
+ * Execute `fn` with retry + exponential backoff.
+ *
+ * Delay formula: min(maxDelayMs, baseDelayMs * 2^attempt * (1 + random()*0.2))
+ */
+export async function withRetry(fn, opts = {}) {
+    const { maxAttempts = 3, baseDelayMs = 1000, maxDelayMs = 10_000, shouldRetry, label, } = opts;
+    let lastError;
+    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+        try {
+            return await fn();
+        }
+        catch (err) {
+            lastError = err;
+            // Check if we should retry this error
+            if (shouldRetry && !shouldRetry(err)) {
+                throw err;
+            }
+            if (attempt + 1 >= maxAttempts) {
+                break; // No more attempts
+            }
+            const delay = Math.min(maxDelayMs, baseDelayMs * 2 ** attempt * (1 + Math.random() * 0.2));
+            const tag = label ? `[retry:${label}]` : "[retry]";
+            console.warn(`${tag} Attempt ${attempt + 1}/${maxAttempts} failed, retrying in ${Math.round(delay)}ms:`, err instanceof Error ? err.message : err);
+            await new Promise((resolve) => setTimeout(resolve, delay));
+        }
+    }
+    throw lastError;
+}
+/**
+ * Typed HTTP error with status code — avoids fragile regex on message strings.
+ */
+export class HttpError extends Error {
+    status;
+    constructor(status, message) {
+        super(message);
+        this.status = status;
+        this.name = "HttpError";
+    }
+}
+/**
+ * Default shouldRetry predicate for HTTP calls:
+ * retry on network errors and 5xx / 429, skip on other 4xx.
+ */
+export function shouldRetryHttp(err) {
+    if (err instanceof HttpError) {
+        if (err.status === 429)
+            return true; // Rate limited — retry
+        if (err.status >= 400 && err.status < 500)
+            return false; // Client error — don't retry
+        return true; // 5xx — retry
+    }
+    // Network error or non-HTTP — retry
+    return true;
+}
+//# sourceMappingURL=retry.js.map

package/dist/shared/retry.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"retry.js","sourceRoot":"","sources":["../../src/shared/retry.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAeH;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,EAAoB,EACpB,OAAqB,EAAE;IAEvB,MAAM,EACJ,WAAW,GAAG,CAAC,EACf,WAAW,GAAG,IAAI,EAClB,UAAU,GAAG,MAAM,EACnB,WAAW,EACX,KAAK,GACN,GAAG,IAAI,CAAC;IAET,IAAI,SAAkB,CAAC;IAEvB,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,WAAW,EAAE,OAAO,EAAE,EAAE,CAAC;QACvD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAC;QACpB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,SAAS,GAAG,GAAG,CAAC;YAEhB,sCAAsC;YACtC,IAAI,WAAW,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrC,MAAM,GAAG,CAAC;YACZ,CAAC;YAED,IAAI,OAAO,GAAG,CAAC,IAAI,WAAW,EAAE,CAAC;gBAC/B,MAAM,CAAC,mBAAmB;YAC5B,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CACpB,UAAU,EACV,WAAW,GAAG,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC,CACvD,CAAC;YACF,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,UAAU,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;YACnD,OAAO,CAAC,IAAI,CACV,GAAG,GAAG,YAAY,OAAO,GAAG,CAAC,IAAI,WAAW,wBAAwB,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAC1F,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAC;YAEF,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,MAAM,SAAS,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,SAAU,SAAQ,KAAK;IAEhB;IADlB,YACkB,MAAc,EAC9B,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,WAAM,GAAN,MAAM,CAAQ;QAI9B,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,GAAY;IAC1C,IAAI,GAAG,YAAY,SAAS,EAAE,CAAC;QAC7B,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC,CAAC,uBAAuB;QAC5D,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG;YAAE,OAAO,KAAK,CAAC,CAAC,6BAA6B;QACtF,OAAO,IAAI,CAAC,CAAC,cAAc;IAC7B,CAAC;IACD,oCAAoC;IACpC,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/tools/command-sets.d.ts CHANGED Viewed

@@ -29,6 +29,9 @@ export declare function getCommandBinary(cmd: string): string;
  * whitelisted. Use grep + cut/tr/head/tail/jq for text processing instead.
  */
 export declare const ALLOWED_COMMANDS: Set<string>;
+/** Map each command to its functional category. */
+export declare const COMMAND_CATEGORIES: Record<string, string>;
+export declare const CONTEXT_CATEGORIES: Record<string, readonly string[]>;
 /**
  * Declarative command validation rule.
  * JSON-serializable: no Set, no function, no RegExp.
@@ -38,6 +41,14 @@ export interface CommandRule {
     command: string;
     category?: string;
     description?: string;
+    /** Execution contexts where this rule applies. Absent → all contexts. */
+    contexts?: string[];
+    /** If true, command must appear after a pipe | operator (stdin-only). */
+    pipeOnly?: boolean;
+    /** If true, block positional args that look like file paths (/, ./, ../, ~). */
+    noFilePaths?: boolean;
+    /** Flags that are explicitly blocked (checked per-character for short flags). */
+    blockedFlags?: string[];
     /** Flag whitelist. Present → check flags; absent → all flags allowed. */
     allowedFlags?: string[];
     /** Subcommand/action whitelist at a given positional position. */
@@ -52,10 +63,15 @@ export interface CommandRule {
     /** Delegate to a named custom validator function. */
     customValidator?: string;
 }
-export declare const COMMAND_RULES: Record<string, CommandRule>;
+export declare const COMMAND_RULES: Record<string, CommandRule | CommandRule[]>;
 /**
  * Apply extra security restrictions to whitelisted commands.
  * Takes a raw command string, parses it internally.
+ * Optionally accepts context (for context-specific rules) and piped
+ * (for pipe-only enforcement).
  * Returns an error message string if blocked, or null if allowed.
  */
-export declare function validateCommandRestrictions(cmd: string): string | null;
+export declare function validateCommandRestrictions(cmd: string, options?: {
+    context?: string;
+    piped?: boolean;
+}): string | null;