voyageai-cli 1.28.0 → 1.30.0

package/src/lib/llm.js

@@ -147,15 +147,24 @@ class AnthropicProvider {
       const json = await res.json();
       const text = json.content?.[0]?.text || '';
       yield text;
+      // Yield usage sentinel
+      const usage = json.usage || {};
+      yield { __usage: { inputTokens: usage.input_tokens || 0, outputTokens: usage.output_tokens || 0 } };
       return;
     }
 
-    yield* parseSSE(res.body, (event, data) => {
-      if (event === 'content_block_delta' && data.delta?.text) {
-        return data.delta.text;
+    // Manual SSE loop to capture usage from streaming events
+    const usage = { inputTokens: 0, outputTokens: 0 };
+    for await (const chunk of parseSSEWithMeta(res.body)) {
+      if (chunk.__event === 'message_start' && chunk.__data?.message?.usage) {
+        usage.inputTokens = chunk.__data.message.usage.input_tokens || 0;
+      } else if (chunk.__event === 'message_delta' && chunk.__data?.usage) {
+        usage.outputTokens = chunk.__data.usage.output_tokens || 0;
+      } else if (chunk.__event === 'content_block_delta' && chunk.__data?.delta?.text) {
+        yield chunk.__data.delta.text;
       }
-      return null;
-    });
+    }
+    yield { __usage: usage };
   }
 
   /**
@@ -163,7 +172,7 @@ class AnthropicProvider {
    * @param {Array} messages - Conversation messages
    * @param {Array} tools - Tool definitions in Anthropic format
    * @param {object} [options]
-   * @returns {Promise<{type: 'text'|'tool_calls', content?: string, calls?: Array, stopReason: string}>}
+   * @returns {Promise<{type: 'text'|'tool_calls', content?: string, calls?: Array, stopReason: string, usage: object}>}
    */
   async chatWithTools(messages, tools, options = {}) {
     const model = options.model || this.model;
@@ -200,6 +209,8 @@ class AnthropicProvider {
 
     const json = await res.json();
     const stopReason = json.stop_reason || 'end_turn';
+    const apiUsage = json.usage || {};
+    const usage = { inputTokens: apiUsage.input_tokens || 0, outputTokens: apiUsage.output_tokens || 0 };
 
     // Check for tool_use blocks
     const toolBlocks = (json.content || []).filter(b => b.type === 'tool_use');
@@ -212,6 +223,7 @@ class AnthropicProvider {
           arguments: b.input,
         })),
         stopReason,
+        usage,
         _raw: json.content,
       };
     }
@@ -222,6 +234,7 @@ class AnthropicProvider {
       type: 'text',
       content: textBlocks.map(b => b.text).join(''),
       stopReason,
+      usage,
     };
   }
 
@@ -324,6 +337,11 @@ class OpenAIProvider {
       messages,
     };
 
+    // Request usage data in streaming mode
+    if (stream) {
+      body.stream_options = { include_usage: true };
+    }
+
     const res = await fetch(`${this.baseUrl}/v1/chat/completions`, {
       method: 'POST',
       headers: {
@@ -342,14 +360,25 @@ class OpenAIProvider {
       const json = await res.json();
       const text = json.choices?.[0]?.message?.content || '';
       yield text;
+      const apiUsage = json.usage || {};
+      yield { __usage: { inputTokens: apiUsage.prompt_tokens || 0, outputTokens: apiUsage.completion_tokens || 0 } };
       return;
     }
 
-    yield* parseSSE(res.body, (_event, data) => {
-      if (data === '[DONE]') return null;
-      const content = data.choices?.[0]?.delta?.content;
-      return content || null;
-    });
+    // Manual SSE loop to capture usage from final streaming chunk
+    const usage = { inputTokens: 0, outputTokens: 0 };
+    for await (const chunk of parseSSEWithMeta(res.body)) {
+      const data = chunk.__data;
+      if (data === '[DONE]') continue;
+      // Final chunk with usage stats (stream_options: include_usage)
+      if (data?.usage) {
+        usage.inputTokens = data.usage.prompt_tokens || 0;
+        usage.outputTokens = data.usage.completion_tokens || 0;
+      }
+      const content = data?.choices?.[0]?.delta?.content;
+      if (content) yield content;
+    }
+    yield { __usage: usage };
   }
 
   /**
@@ -357,7 +386,7 @@ class OpenAIProvider {
    * @param {Array} messages - Conversation messages
    * @param {Array} tools - Tool definitions in OpenAI format
    * @param {object} [options]
-   * @returns {Promise<{type: 'text'|'tool_calls', content?: string, calls?: Array, stopReason: string}>}
+   * @returns {Promise<{type: 'text'|'tool_calls', content?: string, calls?: Array, stopReason: string, usage: object}>}
    */
   async chatWithTools(messages, tools, options = {}) {
     const model = options.model || this.model;
@@ -389,6 +418,8 @@ class OpenAIProvider {
     const choice = json.choices?.[0] || {};
     const msg = choice.message || {};
     const stopReason = choice.finish_reason || 'stop';
+    const apiUsage = json.usage || {};
+    const usage = { inputTokens: apiUsage.prompt_tokens || 0, outputTokens: apiUsage.completion_tokens || 0 };
 
     if (msg.tool_calls && msg.tool_calls.length > 0) {
       return {
@@ -401,6 +432,7 @@ class OpenAIProvider {
             : tc.function.arguments,
         })),
         stopReason,
+        usage,
         _raw: msg,
       };
     }
@@ -409,6 +441,7 @@ class OpenAIProvider {
       type: 'text',
       content: msg.content || '',
       stopReason,
+      usage,
     };
   }
 
@@ -502,14 +535,25 @@ class OllamaProvider {
       const json = await res.json();
       const text = json.choices?.[0]?.message?.content || '';
       yield text;
+      // Ollama may not return usage, default to 0
+      const apiUsage = json.usage || {};
+      yield { __usage: { inputTokens: apiUsage.prompt_tokens || 0, outputTokens: apiUsage.completion_tokens || 0 } };
       return;
     }
 
-    yield* parseSSE(res.body, (_event, data) => {
-      if (data === '[DONE]') return null;
-      const content = data.choices?.[0]?.delta?.content;
-      return content || null;
-    });
+    // Manual SSE loop (Ollama may not support stream_options)
+    const usage = { inputTokens: 0, outputTokens: 0 };
+    for await (const chunk of parseSSEWithMeta(res.body)) {
+      const data = chunk.__data;
+      if (data === '[DONE]') continue;
+      if (data?.usage) {
+        usage.inputTokens = data.usage.prompt_tokens || 0;
+        usage.outputTokens = data.usage.completion_tokens || 0;
+      }
+      const content = data?.choices?.[0]?.delta?.content;
+      if (content) yield content;
+    }
+    yield { __usage: usage };
   }
 
   /**
@@ -517,7 +561,7 @@ class OllamaProvider {
    * @param {Array} messages - Conversation messages
    * @param {Array} tools - Tool definitions in OpenAI format
    * @param {object} [options]
-   * @returns {Promise<{type: 'text'|'tool_calls', content?: string, calls?: Array, stopReason: string}>}
+   * @returns {Promise<{type: 'text'|'tool_calls', content?: string, calls?: Array, stopReason: string, usage: object}>}
    */
   async chatWithTools(messages, tools, options = {}) {
     const model = options.model || this.model;
@@ -544,6 +588,9 @@ class OllamaProvider {
     const choice = json.choices?.[0] || {};
     const msg = choice.message || {};
     const stopReason = choice.finish_reason || 'stop';
+    // Ollama may not return usage, default to 0
+    const apiUsage = json.usage || {};
+    const usage = { inputTokens: apiUsage.prompt_tokens || 0, outputTokens: apiUsage.completion_tokens || 0 };
 
     if (msg.tool_calls && msg.tool_calls.length > 0) {
       return {
@@ -556,6 +603,7 @@ class OllamaProvider {
             : tc.function.arguments,
         })),
         stopReason,
+        usage,
         _raw: msg,
       };
     }
@@ -564,6 +612,7 @@ class OllamaProvider {
       type: 'text',
       content: msg.content || '',
       stopReason,
+      usage,
     };
   }
 
@@ -622,6 +671,64 @@ class OllamaProvider {
 // SSE Stream Parser
 // ============================================
 
+/**
+ * Parse a Server-Sent Events stream, yielding raw event+data pairs.
+ * Unlike parseSSE, this preserves event types and full data objects
+ * so callers can extract both content and metadata (e.g. usage stats).
+ *
+ * @param {ReadableStream} body - Response body stream
+ * @yields {{ __event: string|null, __data: object|string }} Parsed SSE events
+ */
+async function* parseSSEWithMeta(body) {
+  const decoder = new TextDecoder();
+  let buffer = '';
+  let currentEvent = null;
+
+  for await (const chunk of body) {
+    buffer += decoder.decode(chunk, { stream: true });
+
+    const lines = buffer.split('\n');
+    buffer = lines.pop() || '';
+
+    for (const line of lines) {
+      if (line.startsWith('event: ')) {
+        currentEvent = line.slice(7).trim();
+        continue;
+      }
+
+      if (line.startsWith('data: ')) {
+        const rawData = line.slice(6);
+
+        if (rawData === '[DONE]') {
+          yield { __event: currentEvent, __data: '[DONE]' };
+          return;
+        }
+
+        let parsed;
+        try {
+          parsed = JSON.parse(rawData);
+        } catch {
+          continue;
+        }
+
+        yield { __event: currentEvent, __data: parsed };
+        currentEvent = null;
+      }
+    }
+  }
+
+  // Process remaining buffer
+  if (buffer.trim() && buffer.startsWith('data: ')) {
+    const rawData = buffer.slice(6);
+    if (rawData !== '[DONE]') {
+      try {
+        const parsed = JSON.parse(rawData);
+        yield { __event: currentEvent, __data: parsed };
+      } catch { /* skip */ }
+    }
+  }
+}
+
 /**
  * Parse a Server-Sent Events stream.
  * @param {ReadableStream} body - Response body stream

package/src/lib/npm-utils.js

@@ -0,0 +1,265 @@
+'use strict';
+
+const { execSync } = require('child_process');
+const path = require('path');
+const fs = require('fs');
+
+const WORKFLOW_PREFIX = 'vai-workflow-';
+const VAICLI_SCOPE = '@vaicli/';
+const VAICLI_WORKFLOW_PREFIX = '@vaicli/vai-workflow-';
+const NPM_SEARCH_URL = 'https://registry.npmjs.org/-/v1/search';
+
+/**
+ * Check if a package name is an official @vaicli scoped package.
+ * @param {string} name
+ * @returns {boolean}
+ */
+function isOfficialPackage(name) {
+  return name.startsWith(VAICLI_WORKFLOW_PREFIX);
+}
+
+/**
+ * Check if a package name is a valid vai workflow package (scoped or unscoped).
+ * @param {string} name
+ * @returns {boolean}
+ */
+function isWorkflowPackage(name) {
+  return name.startsWith(VAICLI_WORKFLOW_PREFIX) || name.startsWith(WORKFLOW_PREFIX);
+}
+
+/**
+ * Search the npm registry for vai workflow packages.
+ * @param {string} query - Search terms
+ * @param {{ limit?: number }} options
+ * @returns {Promise<Array<{ name: string, version: string, description: string, author: string, date: string, keywords: string[], official: boolean }>>}
+ */
+async function searchNpm(query, options = {}) {
+  const limit = options.limit || 10;
+  // Search for both scoped and unscoped packages
+  const searchText = query
+    ? `keywords:vai-workflow ${query}`
+    : `keywords:vai-workflow`;
+  const url = `${NPM_SEARCH_URL}?text=${encodeURIComponent(searchText)}&size=${limit * 3}`;
+
+  const res = await fetch(url, {
+    headers: { 'Accept': 'application/json' },
+    signal: AbortSignal.timeout(15000),
+  });
+
+  if (!res.ok) {
+    throw new Error(`npm search failed: ${res.status} ${res.statusText}`);
+  }
+
+  const data = await res.json();
+  let results = (data.objects || [])
+    .filter(obj => isWorkflowPackage(obj.package.name))
+    .map(obj => ({
+      name: obj.package.name,
+      version: obj.package.version,
+      description: obj.package.description || '',
+      author: obj.package.author?.name || obj.package.publisher?.username || 'unknown',
+      date: obj.package.date,
+      keywords: obj.package.keywords || [],
+      official: isOfficialPackage(obj.package.name),
+    }));
+
+  // Client-side filtering: npm keyword search returns all vai-workflow packages,
+  // so we filter locally by matching query against name, description, and keywords
+  if (query) {
+    const q = query.toLowerCase();
+    const terms = q.split(/\s+/).filter(Boolean);
+    results = results.filter(pkg => {
+      const haystack = [
+        pkg.name,
+        pkg.description,
+        ...pkg.keywords,
+      ].join(' ').toLowerCase();
+      return terms.every(term => haystack.includes(term));
+    });
+  }
+
+  results = results.slice(0, options.limit || limit);
+
+  // Sort: official first, then by name
+  results.sort((a, b) => {
+    if (a.official !== b.official) return a.official ? -1 : 1;
+    return a.name.localeCompare(b.name);
+  });
+
+  return results;
+}
+
+/**
+ * Install a workflow package via npm.
+ * @param {string} packageName
+ * @param {{ global?: boolean }} options
+ * @returns {{ success: boolean, version: string, path: string, official: boolean }}
+ */
+function installPackage(packageName, options = {}) {
+  if (!isWorkflowPackage(packageName)) {
+    throw new Error(
+      `Package name must start with "${WORKFLOW_PREFIX}" or "${VAICLI_WORKFLOW_PREFIX}". Did you mean ${WORKFLOW_PREFIX}${packageName}?`
+    );
+  }
+
+  // Determine install location: use global if explicitly requested,
+  // or if there's no local package.json (e.g. running inside Electron app)
+  const hasLocalPkg = !options.global && (() => {
+    try { return require('fs').existsSync(require('path').join(process.cwd(), 'package.json')); }
+    catch { return false; }
+  })();
+  const useGlobal = options.global || !hasLocalPkg;
+  const globalFlag = useGlobal ? '-g' : '';
+  const cmd = `npm install ${packageName} ${globalFlag} ${useGlobal ? '' : '--save'} --ignore-scripts 2>&1`;
+
+  try {
+    const output = execSync(cmd, {
+      encoding: 'utf8',
+      timeout: 60000,
+      cwd: useGlobal ? undefined : process.cwd(),
+    });
+
+    // Find installed version from node_modules
+    const pkgPath = resolvePackagePath(packageName, useGlobal);
+    let version = 'unknown';
+    if (pkgPath) {
+      try {
+        const pkg = JSON.parse(fs.readFileSync(path.join(pkgPath, 'package.json'), 'utf8'));
+        version = pkg.version;
+      } catch { /* ignore */ }
+    }
+
+    return { success: true, version, path: pkgPath || '', official: isOfficialPackage(packageName) };
+  } catch (err) {
+    const msg = err.stderr || err.stdout || err.message;
+    if (msg.includes('404') || msg.includes('E404')) {
+      throw new Error(`Package ${packageName} not found on npm`);
+    }
+    throw new Error(`npm install failed: ${msg}`);
+  }
+}
+
+/**
+ * Uninstall a workflow package via npm.
+ * @param {string} packageName
+ * @param {{ global?: boolean }} options
+ * @returns {{ success: boolean }}
+ */
+function uninstallPackage(packageName, options = {}) {
+  const globalFlag = options.global ? '-g' : '';
+  const cmd = `npm uninstall ${packageName} ${globalFlag} 2>&1`;
+
+  try {
+    execSync(cmd, { encoding: 'utf8', timeout: 30000 });
+    return { success: true };
+  } catch (err) {
+    throw new Error(`npm uninstall failed: ${err.message}`);
+  }
+}
+
+/**
+ * Get metadata for a package from the npm registry (without installing).
+ * @param {string} packageName
+ * @returns {Promise<{ name: string, version: string, description: string, author: string, vai: object|null, official: boolean }>}
+ */
+async function getPackageInfo(packageName) {
+  // Scoped packages need proper encoding: @vaicli/vai-workflow-foo -> @vaicli%2fvai-workflow-foo
+  const encodedName = packageName.startsWith('@')
+    ? `@${encodeURIComponent(packageName.slice(1))}`
+    : encodeURIComponent(packageName);
+  const url = `https://registry.npmjs.org/${encodedName}/latest`;
+  const res = await fetch(url, {
+    headers: { 'Accept': 'application/json' },
+    signal: AbortSignal.timeout(10000),
+  });
+
+  if (!res.ok) {
+    if (res.status === 404) throw new Error(`Package ${packageName} not found on npm`);
+    throw new Error(`npm registry error: ${res.status}`);
+  }
+
+  const data = await res.json();
+  return {
+    name: data.name,
+    version: data.version,
+    description: data.description || '',
+    author: typeof data.author === 'string' ? data.author : data.author?.name || 'unknown',
+    license: data.license || 'unknown',
+    vai: data.vai || null,
+    keywords: data.keywords || [],
+    repository: data.repository,
+    official: isOfficialPackage(data.name),
+  };
+}
+
+/**
+ * Resolve the filesystem path of an installed package.
+ * Handles both scoped (@vaicli/vai-workflow-*) and unscoped (vai-workflow-*) packages.
+ * @param {string} packageName
+ * @param {boolean} [global]
+ * @returns {string|null}
+ */
+function resolvePackagePath(packageName, global) {
+  // Scoped packages live at node_modules/@scope/package-name
+  // path.join handles this correctly since packageName includes the scope
+  if (!global) {
+    let dir = process.cwd();
+    while (dir !== path.dirname(dir)) {
+      const candidate = path.join(dir, 'node_modules', packageName);
+      if (fs.existsSync(candidate)) return candidate;
+      dir = path.dirname(dir);
+    }
+  }
+
+  // Try global
+  try {
+    const globalRoot = execSync('npm root -g', { encoding: 'utf8' }).trim();
+    const candidate = path.join(globalRoot, packageName);
+    if (fs.existsSync(candidate)) return candidate;
+  } catch { /* ignore */ }
+
+  return null;
+}
+
+/**
+ * Find the nearest node_modules directory.
+ * @returns {string|null}
+ */
+function findLocalNodeModules() {
+  let dir = process.cwd();
+  while (dir !== path.dirname(dir)) {
+    const candidate = path.join(dir, 'node_modules');
+    if (fs.existsSync(candidate) && fs.statSync(candidate).isDirectory()) {
+      return candidate;
+    }
+    dir = path.dirname(dir);
+  }
+  return null;
+}
+
+/**
+ * Find the global node_modules directory.
+ * @returns {string|null}
+ */
+function findGlobalNodeModules() {
+  try {
+    return execSync('npm root -g', { encoding: 'utf8' }).trim();
+  } catch {
+    return null;
+  }
+}
+
+module.exports = {
+  searchNpm,
+  installPackage,
+  uninstallPackage,
+  getPackageInfo,
+  resolvePackagePath,
+  findLocalNodeModules,
+  findGlobalNodeModules,
+  isOfficialPackage,
+  isWorkflowPackage,
+  WORKFLOW_PREFIX,
+  VAICLI_SCOPE,
+  VAICLI_WORKFLOW_PREFIX,
+};

package/src/lib/quality-audit.js

@@ -0,0 +1,71 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const CATEGORIES = ['retrieval', 'analysis', 'ingestion', 'domain-specific', 'utility', 'integration'];
+
+/**
+ * Run quality audit on a workflow definition and its package.
+ * @param {object} definition - Parsed workflow JSON
+ * @param {object} pkg - Parsed package.json
+ * @param {string} [packagePath] - Path to the package directory
+ * @returns {Array<{level: string, message: string}>}
+ */
+function qualityAudit(definition, pkg, packagePath) {
+  const issues = [];
+
+  // Package metadata checks
+  if (!pkg.description || pkg.description.length < 20) {
+    issues.push({ level: 'error', message: 'Package description too short (min 20 chars)' });
+  }
+  if (!pkg.author) {
+    issues.push({ level: 'error', message: 'Package must have an author' });
+  }
+  if (!pkg.license) {
+    issues.push({ level: 'warning', message: 'No license specified' });
+  }
+  if (!pkg.vai?.category || !CATEGORIES.includes(pkg.vai.category)) {
+    issues.push({ level: 'error', message: 'Invalid or missing vai.category' });
+  }
+
+  // README checks
+  if (packagePath) {
+    const readmePath = path.join(packagePath, 'README.md');
+    if (!fs.existsSync(readmePath)) {
+      issues.push({ level: 'error', message: 'Missing README.md' });
+    } else {
+      const readme = fs.readFileSync(readmePath, 'utf8');
+      if (readme.length < 200) {
+        issues.push({ level: 'warning', message: 'README is very short (< 200 chars)' });
+      }
+      if (!readme.includes('## Usage') && !readme.includes('## Install')) {
+        issues.push({ level: 'warning', message: 'README should include Usage or Install section' });
+      }
+      if (readme.includes('TODO')) {
+        issues.push({ level: 'warning', message: 'README contains TODO placeholders' });
+      }
+    }
+  }
+
+  // Workflow definition quality
+  if (definition && Array.isArray(definition.steps)) {
+    if (definition.steps.length === 1) {
+      issues.push({ level: 'suggestion', message: 'Single-step workflows may not warrant a package — consider documenting as a CLI example instead' });
+    }
+  }
+
+  // Branding
+  if (!definition?.branding?.icon) {
+    issues.push({ level: 'suggestion', message: 'Consider adding branding.icon for store display' });
+  }
+
+  // Naming — should be descriptive, not generic
+  if (definition?.name && /^(test|my|workflow|demo|example)/i.test(definition.name)) {
+    issues.push({ level: 'warning', message: `Workflow name "${definition.name}" is too generic` });
+  }
+
+  return issues;
+}
+
+module.exports = { qualityAudit, CATEGORIES };

package/src/lib/security/blocked-domains.json

@@ -0,0 +1,17 @@
+[
+  "evil.com",
+  "malware.com",
+  "requestbin.com",
+  "webhook.site",
+  "pipedream.net",
+  "hookbin.com",
+  "requestcatcher.com",
+  "canarytokens.com",
+  "burpcollaborator.net",
+  "interact.sh",
+  "oastify.com",
+  "dnslog.cn",
+  "ceye.io",
+  "bxss.me",
+  "xss.ht"
+]