sneakoscope 2.0.4 → 2.0.5

package/dist/core/agents/ollama-worker-config.js

@@ -2,12 +2,16 @@ import os from 'node:os';
 import path from 'node:path';
 import { ensureDir, exists, nowIso, readJson, writeJsonAtomic } from '../fsx.js';
 export const LOCAL_MODEL_CONFIG_SCHEMA = 'sks.local-model-config.v1';
+export const LOCAL_MODEL_CONFIG_SCHEMA_V2 = 'sks.local-model-config.v2';
 export const OLLAMA_WORKER_CONFIG_SCHEMA = 'sks.ollama-worker-config.v1';
 export const DEFAULT_OLLAMA_CODER_MODEL = 'rafw007/qwen36-a3b-claude-coder:q4_K_M';
 export const DEFAULT_OLLAMA_BASE_URL = 'http://127.0.0.1:11434';
+export const DEFAULT_MLX_LM_MODEL = 'mlx-community/Qwen3.6-35B-A3B-4bit';
+export const DEFAULT_MLX_LM_BASE_URL = 'http://127.0.0.1:8080';
 export const DEFAULT_OLLAMA_KEEP_ALIVE = '30m';
 export const DEFAULT_OLLAMA_TIMEOUT_MS = 120_000;
 export const DEFAULT_OLLAMA_THINK = false;
+export const LOCAL_LLM_SMOKE_TTL_MS = 24 * 60 * 60 * 1000;
 export function localModelConfigPath() {
     return process.env.SKS_LOCAL_MODEL_CONFIG
         ? path.resolve(process.env.SKS_LOCAL_MODEL_CONFIG)
@@ -30,28 +34,38 @@ export async function resolveOllamaWorkerConfig(input = {}) {
     const explicitDisable = boolEnv(process.env.SKS_OLLAMA_WORKERS) === false;
     const explicitEnable = boolEnv(process.env.SKS_OLLAMA_WORKERS) === true || input.ollamaEnabled === true || input.backend === 'ollama';
     const enabled = explicitDisable ? false : explicitEnable || stored.enabled === true;
-    const model = firstText(process.env.SKS_OLLAMA_MODEL, input.model, stored.model, DEFAULT_OLLAMA_CODER_MODEL);
-    const baseUrl = trimTrailingSlash(firstText(process.env.SKS_OLLAMA_BASE_URL, input.baseUrl, stored.base_url, DEFAULT_OLLAMA_BASE_URL));
+    const explicitProvider = firstText(process.env.SKS_LOCAL_LLM_PROVIDER, input.provider, input.backend === 'ollama' ? 'ollama' : '');
+    const provider = explicitProvider ? normalizeProvider(explicitProvider) : normalizeProvider(stored.provider);
+    const storedMatchesProvider = stored.provider === provider;
+    const model = firstText(process.env.SKS_LOCAL_LLM_MODEL, process.env.SKS_OLLAMA_MODEL, input.model, storedMatchesProvider ? stored.model : '', defaultModelForProvider(provider));
+    const baseUrl = trimTrailingSlash(firstText(process.env.SKS_LOCAL_LLM_BASE_URL, process.env.SKS_OLLAMA_BASE_URL, input.baseUrl, storedMatchesProvider ? stored.base_url : '', defaultBaseUrlForProvider(provider)));
     const keepAlive = firstText(process.env.SKS_OLLAMA_KEEP_ALIVE, input.keepAlive, stored.keep_alive, DEFAULT_OLLAMA_KEEP_ALIVE);
     const timeoutMs = positiveNumber(process.env.SKS_OLLAMA_TIMEOUT_MS, input.timeoutMs, stored.timeout_ms, DEFAULT_OLLAMA_TIMEOUT_MS);
     const temperature = finiteNumber(process.env.SKS_OLLAMA_TEMPERATURE, input.temperature, stored.temperature, 0.1);
     const think = boolEnv(process.env.SKS_OLLAMA_THINK) ?? input.think ?? stored.think ?? DEFAULT_OLLAMA_THINK;
+    const status = enabled ? resolveEnabledStatus(stored) : 'disabled';
     const blockers = [
         ...(enabled ? [] : ['ollama_workers_disabled']),
-        ...(!model ? ['ollama_model_missing'] : []),
-        ...(!baseUrl ? ['ollama_base_url_missing'] : [])
+        ...(enabled && status !== 'verified' ? [`local_llm_${status}`] : []),
+        ...(!model ? ['local_model_missing'] : []),
+        ...(!baseUrl ? ['local_model_base_url_missing'] : [])
     ];
     return {
         schema: OLLAMA_WORKER_CONFIG_SCHEMA,
         ok: blockers.length === 0,
         enabled,
-        provider: 'ollama',
+        status,
+        provider,
         model,
         base_url: baseUrl,
+        endpoint: baseUrl,
         keep_alive: keepAlive,
         timeout_ms: timeoutMs,
         temperature,
         think,
+        policy: stored.policy,
+        capability: stored.capability,
+        last_smoke: stored.last_smoke,
         config_path: localModelConfigPath(),
         explicit_disable: explicitDisable,
         explicit_enable: explicitEnable,
@@ -59,25 +73,62 @@ export async function resolveOllamaWorkerConfig(input = {}) {
     };
 }
 export function normalizeLocalModelConfig(raw = {}) {
+    const enabled = raw.enabled === true;
+    const lastSmoke = normalizeSmoke(raw.last_smoke || raw.lastSmoke || null);
+    const status = enabled ? normalizeStatus(raw.status, lastSmoke) : 'disabled';
+    const provider = normalizeProvider(raw.provider);
+    const baseUrl = trimTrailingSlash(firstText(raw.base_url, raw.baseUrl, raw.endpoint, defaultBaseUrlForProvider(provider)));
     return {
-        schema: LOCAL_MODEL_CONFIG_SCHEMA,
+        schema: LOCAL_MODEL_CONFIG_SCHEMA_V2,
         ...(raw.generated_at ? { generated_at: String(raw.generated_at) } : { generated_at: nowIso() }),
         ...(raw.updated_at ? { updated_at: String(raw.updated_at) } : {}),
-        enabled: raw.enabled === true,
-        provider: 'ollama',
-        model: firstText(raw.model, DEFAULT_OLLAMA_CODER_MODEL),
-        base_url: trimTrailingSlash(firstText(raw.base_url, raw.baseUrl, DEFAULT_OLLAMA_BASE_URL)),
+        enabled,
+        status,
+        provider,
+        model: firstText(raw.model, defaultModelForProvider(provider)),
+        endpoint: baseUrl,
+        base_url: baseUrl,
         keep_alive: firstText(raw.keep_alive, raw.keepAlive, DEFAULT_OLLAMA_KEEP_ALIVE),
         timeout_ms: positiveNumber(raw.timeout_ms, raw.timeoutMs, DEFAULT_OLLAMA_TIMEOUT_MS),
         temperature: finiteNumber(raw.temperature, 0.1),
         think: typeof raw.think === 'boolean' ? raw.think : DEFAULT_OLLAMA_THINK,
-        policy: {
-            worker_only: true,
-            no_strategy_planning_design: true,
-            allowed_work: ['simple_code_patch_envelopes', 'read_only_collection']
-        }
+        policy: normalizePolicy(raw.policy),
+        capability: normalizeCapability(raw.capability),
+        last_smoke: lastSmoke,
+        blockers: Array.isArray(raw.blockers) ? raw.blockers.map(String) : status === 'blocked' ? ['local_llm_smoke_failed'] : []
     };
 }
+export function applyLocalLlmSmokeResult(config, smoke) {
+    const blockers = Array.isArray(smoke.blockers) ? smoke.blockers.map(String) : [];
+    const status = smoke.skipped
+        ? 'enabled_unverified'
+        : smoke.ok && smoke.schema_valid !== false
+            ? 'verified'
+            : smoke.status === 'degraded'
+                ? 'degraded'
+                : 'blocked';
+    return normalizeLocalModelConfig({
+        ...config,
+        enabled: true,
+        status,
+        capability: {
+            ...config.capability,
+            api_reachable: smoke.ok !== false,
+            model_installed: smoke.ok !== false
+        },
+        last_smoke: {
+            ...smoke,
+            status
+        },
+        blockers
+    });
+}
+export function localModelSmokeFresh(smoke, now = Date.now()) {
+    if (!smoke?.ok || smoke.schema_valid === false || !smoke.ran_at)
+        return false;
+    const ranAt = Date.parse(smoke.ran_at);
+    return Number.isFinite(ranAt) && now - ranAt <= LOCAL_LLM_SMOKE_TTL_MS;
+}
 export function boolEnv(value) {
     const text = String(value ?? '').trim().toLowerCase();
     if (!text)
@@ -99,6 +150,104 @@ function firstText(...values) {
 function trimTrailingSlash(value) {
     return value.replace(/\/+$/, '');
 }
+export function normalizeProvider(...values) {
+    for (const value of values) {
+        const text = String(value ?? '').trim().toLowerCase();
+        if (!text)
+            continue;
+        if (['ollama'].includes(text))
+            return 'ollama';
+        if (['mlx', 'mlx-lm', 'mlx_lm', 'mlxlm'].includes(text))
+            return 'mlx-lm';
+        if (['openai-compatible', 'openai_compatible', 'openai', 'openai-compatible-local'].includes(text))
+            return 'openai-compatible';
+    }
+    return 'ollama';
+}
+export function defaultModelForProvider(provider) {
+    if (provider === 'mlx-lm')
+        return DEFAULT_MLX_LM_MODEL;
+    if (provider === 'openai-compatible')
+        return '';
+    return DEFAULT_OLLAMA_CODER_MODEL;
+}
+export function defaultBaseUrlForProvider(provider) {
+    if (provider === 'mlx-lm')
+        return DEFAULT_MLX_LM_BASE_URL;
+    if (provider === 'openai-compatible')
+        return '';
+    return DEFAULT_OLLAMA_BASE_URL;
+}
+function resolveEnabledStatus(config) {
+    if (config.status === 'verified' && !localModelSmokeFresh(config.last_smoke))
+        return 'enabled_unverified';
+    return config.status === 'disabled' ? 'enabled_unverified' : config.status;
+}
+function normalizeStatus(value, smoke) {
+    const text = String(value ?? '').trim();
+    const known = ['disabled', 'enabled_unverified', 'verified', 'degraded', 'blocked'];
+    if (known.includes(text)) {
+        if (text === 'verified' && !localModelSmokeFresh(smoke))
+            return 'enabled_unverified';
+        return text;
+    }
+    return localModelSmokeFresh(smoke) ? 'verified' : 'enabled_unverified';
+}
+function normalizePolicy(value) {
+    const defaultAllowed = ['simple_patch_envelope', 'read_only_collection', 'grep_like_qa', 'test_generation_draft'];
+    const allowed = [
+        ...defaultAllowed,
+        ...(Array.isArray(value?.allowed_task_classes) ? value.allowed_task_classes : []),
+        ...(Array.isArray(value?.allowed_work) ? value.allowed_work : [])
+    ];
+    const forbidden = Array.isArray(value?.forbidden_task_classes) ? value.forbidden_task_classes : [
+        'planning',
+        'strategy',
+        'final_review',
+        'verification_authority',
+        'safety_authority',
+        'integration_authority'
+    ];
+    return {
+        role: 'worker_only',
+        allowed_task_classes: [...new Set(allowed.map(String))],
+        forbidden_task_classes: forbidden.map(String),
+        requires_gpt_final: value?.requires_gpt_final !== false
+    };
+}
+function normalizeCapability(value) {
+    return {
+        api_reachable: value?.api_reachable === true,
+        model_installed: value?.model_installed === true,
+        supports_streaming: value?.supports_streaming !== false,
+        supports_json_schema: value?.supports_json_schema === true,
+        supports_tools: value?.supports_tools === true,
+        supports_images: value?.supports_images === true,
+        context_window: positiveNumber(value?.context_window, 32768),
+        max_parallel_requests: Math.max(1, Math.min(16, positiveNumber(value?.max_parallel_requests, 4)))
+    };
+}
+function normalizeSmoke(value) {
+    if (!value || typeof value !== 'object')
+        return null;
+    return {
+        ok: value.ok === true,
+        ...(value.skipped === true ? { skipped: true } : {}),
+        ...(value.ran_at ? { ran_at: String(value.ran_at) } : {}),
+        ...(value.prompt_hash ? { prompt_hash: String(value.prompt_hash) } : {}),
+        ...(Number.isFinite(Number(value.latency_ms)) ? { latency_ms: Number(value.latency_ms) } : {}),
+        ...(Number.isFinite(Number(value.tokens_per_second)) ? { tokens_per_second: Number(value.tokens_per_second) } : {}),
+        ...(typeof value.schema_valid === 'boolean' ? { schema_valid: value.schema_valid } : {}),
+        ...(value.result_path ? { result_path: String(value.result_path) } : {}),
+        ...(normalizeKnownStatus(value.status) ? { status: normalizeKnownStatus(value.status) } : {}),
+        ...(value.reason ? { reason: String(value.reason) } : {}),
+        ...(Array.isArray(value.blockers) ? { blockers: value.blockers.map(String) } : {})
+    };
+}
+function normalizeKnownStatus(value) {
+    const text = String(value ?? '').trim();
+    return ['disabled', 'enabled_unverified', 'verified', 'degraded', 'blocked'].includes(text) ? text : undefined;
+}
 function positiveNumber(...values) {
     for (const value of values) {
         const n = Number(value);

package/dist/core/codex/codex-0-137-compat.js

@@ -0,0 +1,119 @@
+import { runProcess, which } from '../fsx.js';
+import { compareSemverLike, parseCodexVersionText } from '../codex-compat/codex-version-policy.js';
+import { createHash } from 'node:crypto';
+export const CODEX_0_137_BASELINE_TAG = 'rust-v0.137.0';
+export const CODEX_0_137_VERSION = '0.137.0';
+export const CODEX_0_137_SCHEMA = 'sks.codex-0.137-compat.v1';
+export function codex0137Matrix(input = {}) {
+    const version = parseCodexVersionText(input.version) || input.version || null;
+    const available = input.available !== false && Boolean(version);
+    const meets = available && compareSemverLike(version, CODEX_0_137_VERSION) >= 0;
+    const pluginJsonDetected = looksLikeJson(input.pluginListText || '');
+    const runtimeDetected = /runtime|model|provider|thread/i.test(input.debugModelsText || '');
+    const approvalsDetected = /approval|environment|sandbox|profile|permission/i.test(input.doctorText || '');
+    const localOrBaseline = (detected) => detected ? 'detected' : meets ? 'release_baseline' : available ? 'blocked' : 'unavailable';
+    const capabilities = [
+        capability('plugin_list_json', 'P0', localOrBaseline(pluginJsonDetected), '`codex plugin list --json` parses as JSON or 0.137 baseline records it.'),
+        capability('thread_runtime_choice', 'P0', localOrBaseline(runtimeDetected), 'Thread/runtime choice is tracked by SKS per-thread proof and Codex runtime evidence.'),
+        capability('environment_scoped_approvals', 'P0', localOrBaseline(approvalsDetected), 'Approval proof carries environment identity and sandbox scope.'),
+        capability('managed_proxy_ca_bundle_child_commands', 'P1', meets ? 'release_baseline' : available ? 'blocked' : 'unavailable', 'Managed proxy CA bundle propagation is release-baseline plus SKS env proof.'),
+        capability('python_sdk_app_server_json_rpc', 'P0', meets ? 'release_baseline' : available ? 'blocked' : 'unavailable', 'Python SDK controls local app-server over JSON-RPC per current Codex manual.')
+    ];
+    const below = available && version ? compareSemverLike(version, CODEX_0_137_VERSION) < 0 : false;
+    const blockers = [
+        ...(input.requireReal && (!version || below) ? ['codex_0_137_required_but_not_detected'] : []),
+        ...capabilities
+            .filter((row) => input.requireReal && row.priority === 'P0' && (row.status === 'blocked' || row.status === 'unavailable'))
+            .map((row) => `codex_0_137_capability_unavailable:${row.id}`)
+    ];
+    return {
+        schema: CODEX_0_137_SCHEMA,
+        baseline: CODEX_0_137_BASELINE_TAG,
+        required_version: CODEX_0_137_VERSION,
+        release_evidence: {
+            upstream: 'openai/codex',
+            npm_package: '@openai/codex-sdk',
+            npm_version: '0.137.0',
+            manual_source: 'https://developers.openai.com/codex/codex-manual.md',
+            checked_topics: ['Codex SDK TypeScript', 'Codex SDK Python', 'CLI plugin/json/runtime/approval surfaces']
+        },
+        inherited_baselines: ['rust-v0.136.0', 'rust-v0.135.0', 'rust-v0.134.0'],
+        detected_version: version,
+        available,
+        require_real: input.requireReal === true,
+        capabilities,
+        plugin_list_json_supported: supported(capabilities, 'plugin_list_json'),
+        thread_runtime_choice_supported: supported(capabilities, 'thread_runtime_choice'),
+        environment_scoped_approvals_supported: supported(capabilities, 'environment_scoped_approvals'),
+        ok: blockers.length === 0,
+        warnings: !input.requireReal && (!version || below) ? [`Codex ${CODEX_0_137_BASELINE_TAG} not detected; release:check treats this as warning-only.`] : [],
+        blockers
+    };
+}
+export async function collectCodex0137LocalEvidence(opts = {}) {
+    const bin = opts.codexBin || await which('codex');
+    if (!bin) {
+        return {
+            available: false,
+            versionText: '',
+            pluginListText: '',
+            debugModelsText: '',
+            doctorText: '',
+            warnings: ['codex_binary_missing']
+        };
+    }
+    const run = async (args) => runProcess(bin, args, { timeoutMs: 10000, maxOutputBytes: 64 * 1024 }).catch((err) => ({
+        code: 1,
+        stdout: '',
+        stderr: err.message || String(err)
+    }));
+    const [version, pluginList, debugModels, doctor] = await Promise.all([
+        run(['--version']),
+        run(['plugin', 'list', '--json']),
+        run(['debug', 'models', '--bundled']),
+        run(['doctor', '--json'])
+    ]);
+    return {
+        available: version.code === 0,
+        versionText: `${version.stdout || ''}${version.stderr || ''}`.trim(),
+        pluginListText: `${pluginList.stdout || ''}${pluginList.stderr || ''}`,
+        debugModelsText: summarizeCodexCommandOutput(`${debugModels.stdout || ''}${debugModels.stderr || ''}`, ['runtime', 'model', 'provider', 'thread']),
+        doctorText: summarizeCodexCommandOutput(`${doctor.stdout || ''}${doctor.stderr || ''}`, ['approval', 'environment', 'sandbox', 'profile', 'permission']),
+        warnings: [
+            ...(pluginList.code === 0 ? [] : ['codex_plugin_list_json_unavailable']),
+            ...(debugModels.code === 0 ? [] : ['codex_debug_models_unavailable']),
+            ...(doctor.code === 0 ? [] : ['codex_doctor_json_unavailable'])
+        ]
+    };
+}
+function capability(id, priority, status, detector) {
+    return { id, priority, status, detector, notes: [] };
+}
+function supported(capabilities, id) {
+    const status = capabilities.find((capability) => capability.id === id)?.status;
+    return status === 'detected' || status === 'release_baseline';
+}
+function looksLikeJson(value) {
+    const text = String(value || '').trim();
+    if (!text)
+        return false;
+    try {
+        JSON.parse(text);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function summarizeCodexCommandOutput(value, keywords) {
+    const text = String(value || '');
+    const lower = text.toLowerCase();
+    const matched = keywords.filter((keyword) => lower.includes(keyword.toLowerCase()));
+    return [
+        `raw_output_redacted=true`,
+        `bytes=${Buffer.byteLength(text, 'utf8')}`,
+        `sha256=${createHash('sha256').update(text).digest('hex')}`,
+        `matched_keywords=${matched.join(',') || 'none'}`
+    ].join(' ');
+}
+//# sourceMappingURL=codex-0-137-compat.js.map

package/dist/core/codex-control/codex-control-proof.js

@@ -7,7 +7,8 @@ export async function writeCodexControlProof(root, input) {
         schema: CODEX_CONTROL_PROOF_SCHEMA,
         generated_at: nowIso(),
         ok: input.result.ok === true,
-        backend: 'codex-sdk',
+        backend: input.result.backend,
+        backend_family: input.result.backend_family,
         route: input.task.route,
         mission_id: input.task.missionId,
         work_item_id: input.task.workItemId || null,
@@ -22,6 +23,8 @@ export async function writeCodexControlProof(root, input) {
         output_schema_id: input.task.outputSchemaId,
         worker_result_path: input.result.workerResultPath,
         patch_envelope_path: input.result.patchEnvelopePath || null,
+        local_llm_proof_path: input.result.localLlmProofPath || null,
+        python_sdk_proof_path: input.result.pythonSdkProofPath || null,
         sandbox: input.sandbox || null,
         env: input.envProof || null,
         config: input.config ? redactCodexSdkConfig(input.config) : null,

package/dist/core/codex-control/codex-sdk-capability.js

@@ -37,7 +37,7 @@ export async function detectCodexSdkCapability(input = {}) {
         node_compatible: nodeCompatible,
         dynamic_import_ok: dynamicImportOk,
         structured_output_fake_smoke: structuredFake,
-        setup_action: blockers.includes('codex_sdk_unavailable') ? 'npm install @openai/codex-sdk@0.136.0' : null,
+        setup_action: blockers.includes('codex_sdk_unavailable') ? 'npm install @openai/codex-sdk@0.137.0' : null,
         blockers
     };
 }