PyPI - multi-forge - Versions diffs - 0.2.0__py3-none-any.whl - Mend

multi-forge 0.2.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (311) hide show

forge/__init__.py +3 -0
forge/_extensions/agents/.gitkeep +0 -0
forge/_extensions/commands/.gitkeep +0 -0
forge/_extensions/skills/analyze/SKILL.md +87 -0
forge/_extensions/skills/challenge/SKILL.md +91 -0
forge/_extensions/skills/consensus/SKILL.md +120 -0
forge/_extensions/skills/consensus/resources/code_consensus_evaluation.md +94 -0
forge/_extensions/skills/consensus/resources/consensus_evaluation.md +70 -0
forge/_extensions/skills/consensus/resources/synthesis.md +101 -0
forge/_extensions/skills/debate/SKILL.md +116 -0
forge/_extensions/skills/debate/resources/code_debate_evaluation.md +101 -0
forge/_extensions/skills/debate/resources/debate_evaluation.md +90 -0
forge/_extensions/skills/panel/SKILL.md +141 -0
forge/_extensions/skills/panel/resources/synthesis.md +103 -0
forge/_extensions/skills/qa/SKILL.md +704 -0
forge/_extensions/skills/qa/resources/checklist/0-enable.md +78 -0
forge/_extensions/skills/qa/resources/checklist/1-preflight.md +24 -0
forge/_extensions/skills/qa/resources/checklist/10-resume.md +143 -0
forge/_extensions/skills/qa/resources/checklist/11-config.md +150 -0
forge/_extensions/skills/qa/resources/checklist/12-search.md +58 -0
forge/_extensions/skills/qa/resources/checklist/13-guard.md +237 -0
forge/_extensions/skills/qa/resources/checklist/14-workflow.md +305 -0
forge/_extensions/skills/qa/resources/checklist/15-skills.md +155 -0
forge/_extensions/skills/qa/resources/checklist/16-handoff.md +224 -0
forge/_extensions/skills/qa/resources/checklist/17-info.md +50 -0
forge/_extensions/skills/qa/resources/checklist/18-disable.md +84 -0
forge/_extensions/skills/qa/resources/checklist/19-uninstall.md +146 -0
forge/_extensions/skills/qa/resources/checklist/2-extensions.md +188 -0
forge/_extensions/skills/qa/resources/checklist/20-cleanup.md +36 -0
forge/_extensions/skills/qa/resources/checklist/3-auth.md +234 -0
forge/_extensions/skills/qa/resources/checklist/4-proxy.md +481 -0
forge/_extensions/skills/qa/resources/checklist/5-session.md +541 -0
forge/_extensions/skills/qa/resources/checklist/6-hooks.md +275 -0
forge/_extensions/skills/qa/resources/checklist/7-costs.md +309 -0
forge/_extensions/skills/qa/resources/checklist/8-status-line.md +174 -0
forge/_extensions/skills/qa/resources/checklist/9-direct-commands.md +146 -0
forge/_extensions/skills/qa/resources/checklist.md +103 -0
forge/_extensions/skills/qa/resources/report-template.md +62 -0
forge/_extensions/skills/qa/scripts/start-container.sh +529 -0
forge/_extensions/skills/qa/scripts/walkthrough-state.py +1137 -0
forge/_extensions/skills/review/SKILL.md +125 -0
forge/_extensions/skills/review/references/claude-4.6.md +474 -0
forge/_extensions/skills/review/references/claude-4.7.md +710 -0
forge/_extensions/skills/review/references/gemini-3.1.md +546 -0
forge/_extensions/skills/review/references/gpt-5.5.md +490 -0
forge/_extensions/skills/review/references/skills-writing-guide.md +1588 -0
forge/_extensions/skills/review/resources/code-anthropic.md +160 -0
forge/_extensions/skills/review/resources/code-gemini.md +184 -0
forge/_extensions/skills/review/resources/code-openai.md +203 -0
forge/_extensions/skills/review/resources/code.md +160 -0
forge/_extensions/skills/review-docs/SKILL.md +121 -0
forge/_extensions/skills/review-docs/resources/docs-anthropic.md +170 -0
forge/_extensions/skills/review-docs/resources/docs-gemini.md +204 -0
forge/_extensions/skills/review-docs/resources/docs-openai.md +231 -0
forge/_extensions/skills/review-docs/resources/docs.md +170 -0
forge/_extensions/skills/smoke-test/SKILL.md +27 -0
forge/_extensions/skills/smoke-test/scripts/smoke-test.sh +118 -0
forge/_extensions/skills/understand/SKILL.md +148 -0
forge/_extensions/skills/understand/resources/code-anthropic.md +163 -0
forge/_extensions/skills/understand/resources/code-gemini.md +194 -0
forge/_extensions/skills/understand/resources/code-openai.md +181 -0
forge/_extensions/skills/understand/resources/code.md +163 -0
forge/_extensions/skills/understand/resources/docs-anthropic.md +177 -0
forge/_extensions/skills/understand/resources/docs-gemini.md +202 -0
forge/_extensions/skills/understand/resources/docs-openai.md +191 -0
forge/_extensions/skills/understand/resources/docs.md +177 -0
forge/_extensions/skills/walkthrough/SKILL.md +599 -0
forge/_extensions/skills/walkthrough/resources/checklist.md +765 -0
forge/_extensions/skills/walkthrough/scripts/run-in-repo.sh +118 -0
forge/_extensions/skills/walkthrough/scripts/setup-test-repo.sh +198 -0
forge/_extensions/skills/walkthrough/scripts/walkthrough-state.py +1137 -0
forge/backend/__init__.py +174 -0
forge/backend/adapters/__init__.py +38 -0
forge/backend/adapters/litellm.py +158 -0
forge/backend/creation.py +89 -0
forge/backend/registry.py +178 -0
forge/cli/__init__.py +16 -0
forge/cli/auth.py +483 -0
forge/cli/backend.py +298 -0
forge/cli/claude.py +411 -0
forge/cli/config_cmd.py +303 -0
forge/cli/extensions.py +1001 -0
forge/cli/gc.py +165 -0
forge/cli/guard.py +1018 -0
forge/cli/guards.py +106 -0
forge/cli/handoff.py +110 -0
forge/cli/hooks/__init__.py +36 -0
forge/cli/hooks/_group.py +20 -0
forge/cli/hooks/_helpers.py +149 -0
forge/cli/hooks/commands.py +1677 -0
forge/cli/hooks/direct_commands.py +1304 -0
forge/cli/hooks/install.py +232 -0
forge/cli/hooks/policy.py +151 -0
forge/cli/hooks/read_hygiene.py +74 -0
forge/cli/hooks/verification.py +370 -0
forge/cli/logs.py +406 -0
forge/cli/main.py +292 -0
forge/cli/proxy.py +1821 -0
forge/cli/proxy_costs.py +313 -0
forge/cli/search.py +416 -0
forge/cli/session.py +892 -0
forge/cli/session_addendum.py +81 -0
forge/cli/session_fork.py +750 -0
forge/cli/session_handoff.py +141 -0
forge/cli/session_lifecycle.py +2053 -0
forge/cli/session_manage.py +1336 -0
forge/cli/session_memory.py +201 -0
forge/cli/status_line.py +1398 -0
forge/cli/workflow.py +1964 -0
forge/config/__init__.py +110 -0
forge/config/dataclass_utils.py +88 -0
forge/config/defaults/__init__.py +0 -0
forge/config/defaults/backends/__init__.py +0 -0
forge/config/defaults/backends/litellm.yaml +196 -0
forge/config/defaults/templates/__init__.py +0 -0
forge/config/defaults/templates/litellm-anthropic-local.yaml +33 -0
forge/config/defaults/templates/litellm-anthropic.yaml +24 -0
forge/config/defaults/templates/litellm-gemini-flash-local.yaml +37 -0
forge/config/defaults/templates/litellm-gemini-local.yaml +32 -0
forge/config/defaults/templates/litellm-gemini-test.yaml +34 -0
forge/config/defaults/templates/litellm-gemini.yaml +21 -0
forge/config/defaults/templates/litellm-openai-codex-local.yaml +36 -0
forge/config/defaults/templates/litellm-openai-local.yaml +38 -0
forge/config/defaults/templates/litellm-openai.yaml +28 -0
forge/config/defaults/templates/openrouter-anthropic.yaml +23 -0
forge/config/defaults/templates/openrouter-deepseek.yaml +26 -0
forge/config/defaults/templates/openrouter-gemini-flash.yaml +26 -0
forge/config/defaults/templates/openrouter-gemini.yaml +23 -0
forge/config/defaults/templates/openrouter-glm.yaml +23 -0
forge/config/defaults/templates/openrouter-kimi.yaml +30 -0
forge/config/defaults/templates/openrouter-minimax.yaml +26 -0
forge/config/defaults/templates/openrouter-openai-codex.yaml +23 -0
forge/config/defaults/templates/openrouter-openai.yaml +28 -0
forge/config/defaults/templates/openrouter-qwen.yaml +25 -0
forge/config/loader.py +675 -0
forge/config/schema.py +448 -0
forge/core/__init__.py +5 -0
forge/core/auth/__init__.py +67 -0
forge/core/auth/capabilities.py +219 -0
forge/core/auth/credentials_file.py +244 -0
forge/core/auth/protocols.py +18 -0
forge/core/auth/secrets.py +243 -0
forge/core/auth/template_secrets.py +112 -0
forge/core/data/__init__.py +5 -0
forge/core/data/model_catalog.yaml +1522 -0
forge/core/data/pricing.yaml +140 -0
forge/core/data/system_prompt_addendums/__init__.py +0 -0
forge/core/data/system_prompt_addendums/gemini.md +330 -0
forge/core/data/system_prompt_addendums/openai.md +328 -0
forge/core/llm/__init__.py +231 -0
forge/core/llm/clients/__init__.py +14 -0
forge/core/llm/clients/base.py +115 -0
forge/core/llm/clients/litellm.py +619 -0
forge/core/llm/clients/openai_compat.py +244 -0
forge/core/llm/clients/openrouter.py +234 -0
forge/core/llm/credentials.py +439 -0
forge/core/llm/detection.py +86 -0
forge/core/llm/errors.py +44 -0
forge/core/llm/protocols.py +80 -0
forge/core/llm/types.py +176 -0
forge/core/logging.py +146 -0
forge/core/models/__init__.py +91 -0
forge/core/models/catalog.py +467 -0
forge/core/models/pricing.py +165 -0
forge/core/models/types.py +167 -0
forge/core/naming.py +212 -0
forge/core/ops/__init__.py +73 -0
forge/core/ops/context.py +141 -0
forge/core/ops/gc.py +802 -0
forge/core/ops/proxy.py +146 -0
forge/core/ops/resolution.py +135 -0
forge/core/ops/session.py +344 -0
forge/core/ops/session_context.py +548 -0
forge/core/paths.py +38 -0
forge/core/process.py +54 -0
forge/core/reactive/__init__.py +38 -0
forge/core/reactive/cost_tracking.py +300 -0
forge/core/reactive/env.py +180 -0
forge/core/reactive/proxy.py +78 -0
forge/core/reactive/routing.py +622 -0
forge/core/reactive/session_runner.py +185 -0
forge/core/reactive/structured_output.py +62 -0
forge/core/reactive/tagger.py +94 -0
forge/core/reactive/throttle.py +132 -0
forge/core/state/__init__.py +59 -0
forge/core/state/exceptions.py +59 -0
forge/core/state/io.py +140 -0
forge/core/state/lock.py +99 -0
forge/core/state/timestamps.py +60 -0
forge/core/transcript.py +78 -0
forge/core/typing_helpers.py +24 -0
forge/core/workqueue/__init__.py +67 -0
forge/core/workqueue/queue.py +552 -0
forge/core/workqueue/types.py +63 -0
forge/guard/__init__.py +26 -0
forge/guard/deterministic/__init__.py +26 -0
forge/guard/deterministic/base.py +158 -0
forge/guard/deterministic/coding_standards.py +256 -0
forge/guard/deterministic/registry.py +148 -0
forge/guard/deterministic/tdd.py +171 -0
forge/guard/engine.py +216 -0
forge/guard/protocols.py +91 -0
forge/guard/queries.py +96 -0
forge/guard/semantic/__init__.py +34 -0
forge/guard/semantic/promotion.py +18 -0
forge/guard/semantic/supervisor.py +813 -0
forge/guard/semantic/verdict.py +183 -0
forge/guard/store.py +124 -0
forge/guard/team/__init__.py +6 -0
forge/guard/team/config.py +24 -0
forge/guard/team/handlers.py +209 -0
forge/guard/team/prompts.py +41 -0
forge/guard/types.py +125 -0
forge/guard/workflow/__init__.py +17 -0
forge/guard/workflow/branches.py +67 -0
forge/guard/workflow/config.py +63 -0
forge/guard/workflow/divergence.py +113 -0
forge/guard/workflow/policy.py +87 -0
forge/guard/workflow/stages.py +205 -0
forge/install/__init__.py +55 -0
forge/install/cli.py +281 -0
forge/install/exceptions.py +163 -0
forge/install/hooks.py +109 -0
forge/install/installer.py +1037 -0
forge/install/models.py +321 -0
forge/install/preset.py +272 -0
forge/install/settings_merge.py +831 -0
forge/install/tracking.py +238 -0
forge/install/version.py +141 -0
forge/proxy/__init__.py +0 -0
forge/proxy/base_client.py +181 -0
forge/proxy/client_adapter.py +476 -0
forge/proxy/client_factory.py +531 -0
forge/proxy/converters.py +1206 -0
forge/proxy/cost_logger.py +132 -0
forge/proxy/cost_tracker.py +242 -0
forge/proxy/data_models.py +338 -0
forge/proxy/error_hints.py +92 -0
forge/proxy/metrics.py +222 -0
forge/proxy/model_spec.py +158 -0
forge/proxy/proxies.py +333 -0
forge/proxy/proxy_identity.py +134 -0
forge/proxy/proxy_orchestrator.py +1018 -0
forge/proxy/proxy_startup.py +54 -0
forge/proxy/server.py +1561 -0
forge/proxy/utils.py +537 -0
forge/review/__init__.py +6 -0
forge/review/adversarial.py +111 -0
forge/review/consensus.py +236 -0
forge/review/engine.py +356 -0
forge/review/models.py +437 -0
forge/review/resources/__init__.py +5 -0
forge/review/resources/codereview-performance.md +85 -0
forge/review/resources/codereview-quick.md +75 -0
forge/review/resources/codereview-security.md +92 -0
forge/review/resources/codereview.md +85 -0
forge/review/resources/docreview-quick.md +75 -0
forge/review/resources/docreview.md +86 -0
forge/review/resources/thinkdeep.md +89 -0
forge/review/routing.py +368 -0
forge/review/synthesis.py +73 -0
forge/runtime_config.py +438 -0
forge/search/__init__.py +55 -0
forge/search/bm25_store.py +264 -0
forge/search/content_store.py +197 -0
forge/search/engine.py +352 -0
forge/search/exceptions.py +51 -0
forge/search/extractor.py +234 -0
forge/search/index_state.py +295 -0
forge/search/store.py +215 -0
forge/search/tokenizer.py +24 -0
forge/session/__init__.py +130 -0
forge/session/active.py +339 -0
forge/session/artifacts.py +202 -0
forge/session/claude/__init__.py +50 -0
forge/session/claude/cleanup.py +105 -0
forge/session/claude/invoke.py +236 -0
forge/session/claude/paths.py +200 -0
forge/session/cleanup.py +216 -0
forge/session/config.py +34 -0
forge/session/direct_model.py +107 -0
forge/session/effective.py +169 -0
forge/session/exceptions.py +255 -0
forge/session/handoff.py +881 -0
forge/session/handoff_agent.py +544 -0
forge/session/hooks/__init__.py +35 -0
forge/session/hooks/models.py +73 -0
forge/session/hooks/session_start.py +507 -0
forge/session/identity.py +84 -0
forge/session/index.py +553 -0
forge/session/manager.py +1506 -0
forge/session/models.py +572 -0
forge/session/overrides.py +344 -0
forge/session/plan_resolution.py +286 -0
forge/session/prev_sessions.py +128 -0
forge/session/store.py +431 -0
forge/session/validation.py +47 -0
forge/session/worktree/__init__.py +65 -0
forge/session/worktree/cleanup.py +262 -0
forge/session/worktree/config_copy.py +203 -0
forge/session/worktree/create.py +332 -0
forge/sidecar/__init__.py +29 -0
forge/sidecar/container.py +161 -0
forge/sidecar/docker.py +86 -0
forge/sidecar/secrets.py +19 -0
multi_forge-0.2.0.dist-info/METADATA +242 -0
multi_forge-0.2.0.dist-info/RECORD +311 -0
multi_forge-0.2.0.dist-info/WHEEL +4 -0
multi_forge-0.2.0.dist-info/entry_points.txt +2 -0
multi_forge-0.2.0.dist-info/licenses/LICENSE +203 -0
multi_forge-0.2.0.dist-info/licenses/NOTICE +14 -0

forge/config/loader.py ADDED Viewed

@@ -0,0 +1,675 @@
+"""Configuration loader for Forge.
+This module handles loading configuration from three sources:
+    1. Template (for proxy creation): defaults/templates/{t}.yaml
+    2. Proxy file (runtime): ~/.forge/proxies/{id}/proxy.yaml
+    3. Secrets (env vars): *_API_KEY, *_AUTH_URL, FORGE_HOME
+Schema defaults in dataclasses handle missing fields.
+No user/project/local config file support - proxies own full config.
+"""
+from __future__ import annotations
+import hashlib
+import logging
+import os
+import re
+import tempfile
+from importlib.abc import Traversable
+from pathlib import Path
+from typing import Any
+import yaml
+from dotenv import load_dotenv
+from ruamel.yaml import YAML
+from forge.config.dataclass_utils import dict_to_dataclass
+from forge.config.schema import (
+    ForgeConfig,
+    ProviderConfig,
+    ProxyConfig,
+    ProxyInstanceConfig,
+    SessionConfig,
+    TierModels,
+    TierOverride,
+    TierOverrides,
+)
+from forge.core.paths import get_forge_home
+logger = logging.getLogger(__name__)
+def deep_merge(base: dict, overlay: dict) -> dict:
+    """Deep merge overlay into base dict (kustomize-style).
+    - Dicts are merged recursively
+    - Other values are replaced
+    - None values in overlay are skipped (don't override with None)
+    Args:
+        base: Base dictionary
+        overlay: Overlay dictionary (takes precedence)
+    Returns:
+        Merged dictionary (new dict, inputs not modified)
+    """
+    result = base.copy()
+    for key, overlay_value in overlay.items():
+        if overlay_value is None:
+            continue
+        if key in result and isinstance(result[key], dict) and isinstance(overlay_value, dict):
+            result[key] = deep_merge(result[key], overlay_value)
+        else:
+            result[key] = overlay_value
+    return result
+def load_yaml(path: Path) -> dict:
+    """Load YAML file, returning empty dict if not found.
+    Notes:
+        - Missing file: returns {}
+        - Invalid YAML: returns {} (best-effort)
+    For strict parsing (fail fast), use load_yaml_strict().
+    """
+    if not path.exists():
+        logger.debug(f"Config file not found: {path}")
+        return {}
+    try:
+        with open(path, encoding="utf-8") as f:
+            data = yaml.safe_load(f)
+            return data if isinstance(data, dict) else {}
+    except yaml.YAMLError as e:
+        logger.warning(f"Failed to parse {path}: {e}")
+        return {}
+def load_yaml_strict(path: Path) -> dict:
+    """Load YAML file strictly.
+    Raises:
+        ValueError: if the file exists but cannot be parsed as a dict.
+    """
+    if not path.exists():
+        return {}
+    try:
+        with open(path, encoding="utf-8") as f:
+            data = yaml.safe_load(f)
+    except yaml.YAMLError as e:
+        raise ValueError(f"Failed to parse YAML at {path}: {e}")
+    if data is None:
+        return {}
+    if not isinstance(data, dict):
+        raise ValueError(f"YAML at {path} must be a mapping (dict), got {type(data)}")
+    return data
+def get_defaults_dir() -> Path:
+    """Get the defaults directory (relative to this module).
+    .. deprecated::
+        Prefer ``list_template_names()``, ``template_exists()``, and
+        ``read_template()`` for template access.  This helper is retained for
+        callers that need a concrete ``Path`` (e.g. display-only).
+    """
+    return Path(__file__).parent / "defaults"
+# --- Template access helpers (C3 — importlib.resources + user templates) ---
+# Shipped templates live in the package (importlib.resources). User templates
+# live at ~/.forge/templates/<name>.yaml and take precedence when present.
+# A user template is a full replacement, not a YAML merge.
+#
+# User templates that shadow a shipped template are created via
+# ``forge proxy template edit``; manually placed templates without a
+# shipped counterpart also work (advanced/manual path).
+TEMPLATE_NAME_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")
+def validate_template_name(name: str) -> None:
+    """Validate template name to prevent path traversal.
+    Raises:
+        ValueError: If name contains invalid characters or patterns.
+    """
+    if not name:
+        raise ValueError("Template name cannot be empty")
+    if not TEMPLATE_NAME_PATTERN.match(name):
+        raise ValueError(
+            f"Invalid template name '{name}': must be 1-64 characters, "
+            "start with alphanumeric, and contain only alphanumeric, underscore, dot, or hyphen"
+        )
+    if "/" in name or "\\" in name or ".." in name:
+        raise ValueError(f"Invalid template name '{name}': contains path separator or parent reference")
+def _templates_path() -> "Traversable":
+    """Return a traversable path to the shipped templates package."""
+    from importlib import resources
+    return resources.files("forge.config.defaults.templates")
+def _user_templates_dir() -> Path:
+    """Return the user templates directory (~/.forge/templates/)."""
+    return get_forge_home() / "templates"
+def get_user_template_path(name: str) -> Path:
+    """Return the filesystem path for a user template.
+    Validates the name to prevent path traversal before constructing
+    the path. All user-template filesystem operations go through this
+    function, so it is the security boundary.
+    Raises:
+        ValueError: If name fails validation (path traversal, etc.).
+    """
+    validate_template_name(name)
+    return _user_templates_dir() / f"{name}.yaml"
+def is_user_template(name: str) -> bool:
+    """Check if a user-customized template exists for this name."""
+    return get_user_template_path(name).is_file()
+def shipped_template_exists(name: str) -> bool:
+    """Check if a shipped (built-in) template exists, ignoring user copies."""
+    tpl = _templates_path()
+    return tpl.joinpath(f"{name}.yaml").is_file()
+def read_shipped_template(name: str) -> str:
+    """Read shipped template content, ignoring any user copy.
+    Used by ``forge proxy template edit`` to seed the first user copy,
+    and by display logic to show the built-in baseline.
+    Raises:
+        FileNotFoundError: If no shipped template with this name exists.
+    """
+    tpl = _templates_path()
+    target = tpl.joinpath(f"{name}.yaml")
+    if not target.is_file():
+        raise FileNotFoundError(f"Shipped template not found: {name}")
+    return target.read_text(encoding="utf-8")
+def list_template_names(*, include_internal: bool = False) -> list[str]:
+    """Return sorted list of available template names (shipped + user).
+    User templates at ~/.forge/templates/ are merged with shipped templates.
+    Deduplication ensures each name appears once. User templates bypass the
+    ``internal`` filter (only shipped templates can be marked internal).
+    Args:
+        include_internal: If False (default), excludes shipped templates with
+            ``internal: true`` at the top level (e.g. test-only templates).
+    """
+    import yaml
+    names: set[str] = set()
+    # Shipped templates (importlib.resources)
+    tpl = _templates_path()
+    for p in tpl.iterdir():
+        if not (hasattr(p, "name") and p.name.endswith(".yaml")):
+            continue
+        if not include_internal:
+            try:
+                data = yaml.safe_load(p.read_text(encoding="utf-8"))
+                if isinstance(data, dict) and data.get("internal") is True:
+                    continue
+            except Exception:
+                pass  # If we can't parse it, include it
+        names.add(p.name.removesuffix(".yaml"))
+    # User templates (~/.forge/templates/)
+    # Skip files with invalid names (e.g. .hidden.yaml) to avoid
+    # downstream ValueError from validate_template_name().
+    user_dir = _user_templates_dir()
+    if user_dir.is_dir():
+        for p in user_dir.iterdir():
+            if p.suffix == ".yaml" and p.is_file():
+                stem = p.stem
+                if TEMPLATE_NAME_PATTERN.match(stem) and "/" not in stem and ".." not in stem:
+                    names.add(stem)
+    return sorted(names)
+def template_exists(template: str) -> bool:
+    """Check if a template exists (user copy or shipped)."""
+    if is_user_template(template):
+        return True
+    tpl = _templates_path()
+    return tpl.joinpath(f"{template}.yaml").is_file()
+def read_template(template: str) -> str:
+    """Read template content, preferring user copy over shipped.
+    Resolution order: user copy at ~/.forge/templates/ first,
+    then shipped template in the package.
+    Raises:
+        FileNotFoundError: If template does not exist in either location.
+    """
+    user_path = get_user_template_path(template)
+    if user_path.is_file():
+        return user_path.read_text(encoding="utf-8")
+    tpl = _templates_path()
+    target = tpl.joinpath(f"{template}.yaml")
+    if not target.is_file():
+        raise FileNotFoundError(f"Template not found: {template}")
+    return target.read_text(encoding="utf-8")
+def env_to_dict() -> dict:
+    """Map secret environment variables to config dict.
+    Only maps secrets (API keys, auth URLs). Configuration belongs in
+    templates/proxies, not environment variables.
+    """
+    result: dict = {"proxy": {"gemini": {}, "openai": {}, "litellm": {}}, "session": {}}
+    secret_mappings = {
+        # Auth URLs (remote endpoints)
+        "GEMINI_AUTH_URL": ("proxy", "gemini", "auth_url"),
+        "OPENAI_AUTH_URL": ("proxy", "openai", "auth_url"),
+        # Forge home (user-specific path override)
+        "FORGE_HOME": ("session", "forge_home"),
+    }
+    for env_key, config_path in secret_mappings.items():
+        value = os.environ.get(env_key)
+        if value is not None:
+            # Secrets are opaque strings — no type coercion (H6: "007" must not become 7)
+            _set_nested(result, config_path, value)
+    return result
+def _set_nested(d: dict, path: tuple, value: Any) -> None:
+    """Set a value in a nested dict using a path tuple."""
+    for key in path[:-1]:
+        if key not in d:
+            d[key] = {}
+        d = d[key]
+    d[path[-1]] = value
+# --- PROXY FILE I/O (Full Ownership Model) ---
+# Proxy ID validation: alphanumeric with underscores, dots, hyphens; 1-64 chars
+# Must start with alphanumeric. Prevents path traversal attacks.
+PROXY_ID_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")
+def validate_proxy_id(proxy_id: str) -> None:
+    """Validate proxy_id to prevent path traversal attacks.
+    Args:
+        proxy_id: The proxy identifier to validate
+    Raises:
+        ValueError: If proxy_id contains invalid characters or patterns
+    """
+    if not proxy_id:
+        raise ValueError("Proxy ID cannot be empty")
+    if not PROXY_ID_PATTERN.match(proxy_id):
+        raise ValueError(
+            f"Invalid proxy ID '{proxy_id}': must be 1-64 characters, "
+            "start with alphanumeric, and contain only alphanumeric, underscore, dot, or hyphen"
+        )
+    # Extra safety: reject any path separators or parent references
+    if "/" in proxy_id or "\\" in proxy_id or ".." in proxy_id:
+        raise ValueError(f"Invalid proxy ID '{proxy_id}': contains path separator or parent reference")
+def get_proxy_file_path(proxy_id: str) -> Path:
+    """Return the proxy file path for a proxy id (new format).
+    New format uses proxy.yaml instead of config.yaml overlay.
+    The user owns the entire file (no template merge at runtime).
+    Args:
+        proxy_id: The proxy identifier (validated for safety)
+    Raises:
+        ValueError: If proxy_id is invalid (path traversal prevention)
+    """
+    validate_proxy_id(proxy_id)
+    return get_forge_home() / "proxies" / proxy_id / "proxy.yaml"
+def get_template_path(template: str) -> Path:
+    """Return the active template file path (user copy if it exists, else shipped).
+    Display-only — internal resolution should use read_template() or
+    read_shipped_template() instead.
+    """
+    if is_user_template(template):
+        return get_user_template_path(template)
+    return get_defaults_dir() / "templates" / f"{template}.yaml"
+def compute_template_digest(template: str) -> str:
+    """Compute SHA256 digest of template file content.
+    Args:
+        template: Template name (e.g., "litellm-openai").
+    Returns a truncated digest in format "sha256:abc123..." (12 hex chars).
+    This enables drift detection for future `forge proxy rebase` functionality.
+    """
+    content = read_template(template).encode("utf-8")
+    full_hash = hashlib.sha256(content).hexdigest()
+    return f"sha256:{full_hash[:12]}"
+def load_proxy_instance_config(proxy_id: str) -> "ProxyInstanceConfig | None":
+    """Load and parse proxy.yaml for a proxy id.
+    Returns None if the file doesn't exist.
+    Raises ValueError for invalid YAML or schema violations.
+    Args:
+        proxy_id: The proxy identifier
+    Returns:
+        ProxyInstanceConfig instance or None if not found
+    """
+    path = get_proxy_file_path(proxy_id)
+    if not path.exists():
+        logger.debug(f"Proxy file not found: {path}")
+        return None
+    try:
+        ruamel = YAML()
+        ruamel.preserve_quotes = True
+        with open(path, encoding="utf-8") as f:
+            data = ruamel.load(f)
+    except Exception as e:
+        raise ValueError(f"Failed to parse proxy file {path}: {e}")
+    if not isinstance(data, dict):
+        raise ValueError(f"Proxy file {path} must be a mapping, got {type(data)}")
+    return load_proxy_instance_config_from_dict(data)
+def load_proxy_instance_config_from_dict(data: dict) -> "ProxyInstanceConfig":
+    """Parse a dict into a validated ProxyInstanceConfig.
+    Used by both file loading and edit/set validation (CR-006).
+    Raises ValueError/TypeError on invalid data (__post_init__ validates).
+    """
+    tiers_data = data.get("tiers", {})
+    tiers = TierModels(
+        haiku=tiers_data.get("haiku", ""),
+        sonnet=tiers_data.get("sonnet", ""),
+        opus=tiers_data.get("opus", ""),
+    )
+    tier_overrides_data = data.get("tier_overrides", {})
+    tier_overrides = TierOverrides(
+        haiku=TierOverride(**tier_overrides_data["haiku"]) if tier_overrides_data.get("haiku") else None,
+        sonnet=TierOverride(**tier_overrides_data["sonnet"]) if tier_overrides_data.get("sonnet") else None,
+        opus=TierOverride(**tier_overrides_data["opus"]) if tier_overrides_data.get("opus") else None,
+    )
+    return ProxyInstanceConfig(
+        proxy_format=data.get("proxy_format", 1),
+        template=data.get("template", ""),
+        template_digest=data.get("template_digest", ""),
+        provider=data.get("provider", ""),
+        proxy_endpoint=data.get("proxy_endpoint", ""),
+        port=data.get("port", 0),
+        upstream_base_url=data.get("upstream_base_url", ""),
+        tiers=tiers,
+        family=data.get("family", ""),
+        tier_overrides=tier_overrides,
+        model_alternatives=data.get("model_alternatives", {}),
+        default_tier=data.get("default_tier", "sonnet"),
+        provider_settings=data.get("provider_settings", {}),
+        prompt_caching=data.get("prompt_caching", "passthrough"),
+        auto_cache_min_tokens=data.get("auto_cache_min_tokens", 1024),
+        costs=data.get("costs", {}),
+        created_at=data.get("created_at"),
+        updated_at=data.get("updated_at"),
+    )
+def write_proxy_instance_config(proxy_id: str, config: "ProxyInstanceConfig") -> Path:
+    """Write proxy config to proxy.yaml with atomic write.
+    Uses temp file + rename for atomicity (POSIX).
+    Sets 0600 permissions for security (configs may contain sensitive data).
+    Args:
+        proxy_id: The proxy identifier
+        config: ProxyInstanceConfig to write
+    Returns:
+        Path to the written file
+    """
+    from dataclasses import asdict
+    path = get_proxy_file_path(proxy_id)
+    path.parent.mkdir(parents=True, exist_ok=True)
+    data = asdict(config)
+    # Clean up None values from tier_overrides for cleaner YAML
+    if data.get("tier_overrides"):
+        for tier in ("haiku", "sonnet", "opus"):
+            if data["tier_overrides"].get(tier) is None:
+                del data["tier_overrides"][tier]
+            elif data["tier_overrides"].get(tier):
+                data["tier_overrides"][tier] = {k: v for k, v in data["tier_overrides"][tier].items() if v is not None}
+                if not data["tier_overrides"][tier]:
+                    del data["tier_overrides"][tier]
+    # Use ruamel.yaml for round-trip (preserves comments on re-read)
+    ruamel = YAML()
+    ruamel.default_flow_style = False
+    ruamel.preserve_quotes = True
+    # Write to unique temp file in same directory (same filesystem for atomic rename)
+    fd, tmp_path = tempfile.mkstemp(
+        dir=str(path.parent),
+        prefix=f".{path.stem}.",
+        suffix=".tmp",
+    )
+    try:
+        with os.fdopen(fd, "w", encoding="utf-8") as f:
+            # Add header comment
+            f.write("# Forge Proxy Configuration\n")
+            f.write("# This file is owned by the user - edit freely\n")
+            f.write("# Use `forge proxy edit` or edit directly\n\n")
+            ruamel.dump(data, f)
+        # Set permissions before rename (more secure)
+        os.chmod(tmp_path, 0o600)
+        # Atomic replace (works across filesystems, unlike Path.rename)
+        os.replace(tmp_path, str(path))
+    except Exception:
+        try:
+            os.unlink(tmp_path)
+        except OSError:
+            pass
+        raise
+    logger.debug(f"Wrote proxy config to {path}")
+    return path
+def _proxy_instance_to_forge_config(
+    proxy_config: "ProxyInstanceConfig",
+) -> "ForgeConfig":
+    """Convert a ProxyInstanceConfig to a ForgeConfig.
+    This is used when loading from the new proxy.yaml format.
+    The ProxyInstanceConfig contains everything needed to configure the proxy.
+    Secrets (auth_url) are applied from environment variables.
+    """
+    secrets = env_to_dict()
+    provider = proxy_config.provider
+    auth_url: str | None = None
+    if provider == "gemini":
+        auth_url = secrets.get("proxy", {}).get("gemini", {}).get("auth_url")
+    elif provider == "openai":
+        auth_url = secrets.get("proxy", {}).get("openai", {}).get("auth_url")
+    # Note: litellm uses underlying provider auth, not a separate auth_url
+    provider_config = ProviderConfig(
+        tiers=proxy_config.tiers,
+        tier_overrides=proxy_config.tier_overrides,
+        model_alternatives=proxy_config.model_alternatives,
+        base_url=proxy_config.upstream_base_url,
+        auth_url=auth_url or "",  # Empty string if no secret set
+        openai_api_mode=proxy_config.provider_settings.get("openai_api_mode", "auto"),
+        prompt_caching=proxy_config.prompt_caching,
+        auto_cache_min_tokens=proxy_config.auto_cache_min_tokens,
+        error_hints=proxy_config.provider_settings.get("error_hints", False),
+    )
+    proxy_server_config = ProxyConfig(
+        family=proxy_config.family,
+        preferred_provider=proxy_config.provider,
+        active_template=proxy_config.template,
+        default_tier=proxy_config.default_tier,
+        default_port=proxy_config.port,
+        costs=proxy_config.costs,
+    )
+    if proxy_config.provider == "gemini":
+        proxy_server_config.gemini = provider_config
+    elif proxy_config.provider == "openai":
+        proxy_server_config.openai = provider_config
+    elif proxy_config.provider == "openrouter":
+        proxy_server_config.openrouter = provider_config
+    else:  # litellm is default
+        proxy_server_config.litellm = provider_config
+    session_config = SessionConfig()
+    if secrets.get("session", {}).get("forge_home"):
+        session_config.forge_home = secrets["session"]["forge_home"]
+    return ForgeConfig(
+        proxy=proxy_server_config,
+        session=session_config,
+    )
+def _load_template_config(template: str) -> "ForgeConfig":
+    """Load template config (internal use for proxy creation).
+    This loads a template YAML and applies secrets from environment.
+    Used by `forge proxy create` to initialize new proxies.
+    Args:
+        template: Template name (e.g., "litellm-gemini")
+    Returns:
+        ForgeConfig populated from template + secrets
+    Raises:
+        ValueError: If template not found
+    """
+    if not template_exists(template):
+        raise ValueError(f"Template not found: {template}")
+    content = read_template(template)
+    template_data = yaml.safe_load(content)
+    if not isinstance(template_data, dict):
+        raise ValueError(f"Template '{template}' must be a mapping (dict)")
+    template_data.pop("internal", None)
+    proxy_block = template_data.get("proxy")
+    if not isinstance(proxy_block, dict):
+        raise ValueError(f"Template '{template}' must have a 'proxy' mapping")
+    family = proxy_block.get("family", "")
+    if not isinstance(family, str) or not family.strip():
+        raise ValueError(f"Template '{template}' missing required 'proxy.family' field (must be a non-blank string)")
+    secrets = env_to_dict()
+    config_dict = deep_merge(template_data, secrets)
+    # Set active_template so proxy knows which template is in use
+    config_dict.setdefault("proxy", {})["active_template"] = template
+    return dict_to_dataclass(ForgeConfig, config_dict, strict=True)
+def load_config(
+    *,
+    template: str | None = None,
+    proxy_id: str | None = None,
+) -> "ForgeConfig":
+    """Load configuration from proxy file or template.
+    Three-source model:
+        1. Proxy file: ~/.forge/proxies/{id}/proxy.yaml (user owns full config)
+        2. Template: defaults/templates/{t}.yaml (for proxy creation)
+        3. Secrets: env vars (*_AUTH_URL, FORGE_HOME)
+    Args:
+        proxy_id: Load from ~/.forge/proxies/{id}/proxy.yaml
+        template: Load template for proxy creation (internal use)
+    Returns:
+        ForgeConfig instance
+    Raises:
+        ValueError: If proxy_id provided but proxy.yaml not found (fail fast)
+    """
+    # Do not override already-set environment variables — tests set FORGE_HOME / endpoints explicitly.
+    load_dotenv(override=False)
+    if proxy_id:
+        proxy_instance_config = load_proxy_instance_config(proxy_id)
+        if proxy_instance_config is None:
+            raise ValueError(f"Proxy not found: {proxy_id}")
+        logger.debug(f"Loaded config from proxy.yaml for proxy_id={proxy_id}")
+        return _proxy_instance_to_forge_config(proxy_instance_config)
+    if template:
+        return _load_template_config(template)
+    return ForgeConfig()
+def reload_config(
+    config: "ForgeConfig",
+    *,
+    template: str | None = None,
+    proxy_id: str | None = None,
+) -> "ForgeConfig":
+    """Reload configuration (for runtime updates).
+    Re-reads the proxy file or template to pick up changes.
+    """
+    load_dotenv(override=False)
+    return load_config(
+        template=template or config.proxy.active_template,
+        proxy_id=proxy_id,
+    )