PyPI - multi-forge - Versions diffs - 0.2.0__py3-none-any.whl - Mend

multi-forge 0.2.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (311) hide show

forge/__init__.py +3 -0
forge/_extensions/agents/.gitkeep +0 -0
forge/_extensions/commands/.gitkeep +0 -0
forge/_extensions/skills/analyze/SKILL.md +87 -0
forge/_extensions/skills/challenge/SKILL.md +91 -0
forge/_extensions/skills/consensus/SKILL.md +120 -0
forge/_extensions/skills/consensus/resources/code_consensus_evaluation.md +94 -0
forge/_extensions/skills/consensus/resources/consensus_evaluation.md +70 -0
forge/_extensions/skills/consensus/resources/synthesis.md +101 -0
forge/_extensions/skills/debate/SKILL.md +116 -0
forge/_extensions/skills/debate/resources/code_debate_evaluation.md +101 -0
forge/_extensions/skills/debate/resources/debate_evaluation.md +90 -0
forge/_extensions/skills/panel/SKILL.md +141 -0
forge/_extensions/skills/panel/resources/synthesis.md +103 -0
forge/_extensions/skills/qa/SKILL.md +704 -0
forge/_extensions/skills/qa/resources/checklist/0-enable.md +78 -0
forge/_extensions/skills/qa/resources/checklist/1-preflight.md +24 -0
forge/_extensions/skills/qa/resources/checklist/10-resume.md +143 -0
forge/_extensions/skills/qa/resources/checklist/11-config.md +150 -0
forge/_extensions/skills/qa/resources/checklist/12-search.md +58 -0
forge/_extensions/skills/qa/resources/checklist/13-guard.md +237 -0
forge/_extensions/skills/qa/resources/checklist/14-workflow.md +305 -0
forge/_extensions/skills/qa/resources/checklist/15-skills.md +155 -0
forge/_extensions/skills/qa/resources/checklist/16-handoff.md +224 -0
forge/_extensions/skills/qa/resources/checklist/17-info.md +50 -0
forge/_extensions/skills/qa/resources/checklist/18-disable.md +84 -0
forge/_extensions/skills/qa/resources/checklist/19-uninstall.md +146 -0
forge/_extensions/skills/qa/resources/checklist/2-extensions.md +188 -0
forge/_extensions/skills/qa/resources/checklist/20-cleanup.md +36 -0
forge/_extensions/skills/qa/resources/checklist/3-auth.md +234 -0
forge/_extensions/skills/qa/resources/checklist/4-proxy.md +481 -0
forge/_extensions/skills/qa/resources/checklist/5-session.md +541 -0
forge/_extensions/skills/qa/resources/checklist/6-hooks.md +275 -0
forge/_extensions/skills/qa/resources/checklist/7-costs.md +309 -0
forge/_extensions/skills/qa/resources/checklist/8-status-line.md +174 -0
forge/_extensions/skills/qa/resources/checklist/9-direct-commands.md +146 -0
forge/_extensions/skills/qa/resources/checklist.md +103 -0
forge/_extensions/skills/qa/resources/report-template.md +62 -0
forge/_extensions/skills/qa/scripts/start-container.sh +529 -0
forge/_extensions/skills/qa/scripts/walkthrough-state.py +1137 -0
forge/_extensions/skills/review/SKILL.md +125 -0
forge/_extensions/skills/review/references/claude-4.6.md +474 -0
forge/_extensions/skills/review/references/claude-4.7.md +710 -0
forge/_extensions/skills/review/references/gemini-3.1.md +546 -0
forge/_extensions/skills/review/references/gpt-5.5.md +490 -0
forge/_extensions/skills/review/references/skills-writing-guide.md +1588 -0
forge/_extensions/skills/review/resources/code-anthropic.md +160 -0
forge/_extensions/skills/review/resources/code-gemini.md +184 -0
forge/_extensions/skills/review/resources/code-openai.md +203 -0
forge/_extensions/skills/review/resources/code.md +160 -0
forge/_extensions/skills/review-docs/SKILL.md +121 -0
forge/_extensions/skills/review-docs/resources/docs-anthropic.md +170 -0
forge/_extensions/skills/review-docs/resources/docs-gemini.md +204 -0
forge/_extensions/skills/review-docs/resources/docs-openai.md +231 -0
forge/_extensions/skills/review-docs/resources/docs.md +170 -0
forge/_extensions/skills/smoke-test/SKILL.md +27 -0
forge/_extensions/skills/smoke-test/scripts/smoke-test.sh +118 -0
forge/_extensions/skills/understand/SKILL.md +148 -0
forge/_extensions/skills/understand/resources/code-anthropic.md +163 -0
forge/_extensions/skills/understand/resources/code-gemini.md +194 -0
forge/_extensions/skills/understand/resources/code-openai.md +181 -0
forge/_extensions/skills/understand/resources/code.md +163 -0
forge/_extensions/skills/understand/resources/docs-anthropic.md +177 -0
forge/_extensions/skills/understand/resources/docs-gemini.md +202 -0
forge/_extensions/skills/understand/resources/docs-openai.md +191 -0
forge/_extensions/skills/understand/resources/docs.md +177 -0
forge/_extensions/skills/walkthrough/SKILL.md +599 -0
forge/_extensions/skills/walkthrough/resources/checklist.md +765 -0
forge/_extensions/skills/walkthrough/scripts/run-in-repo.sh +118 -0
forge/_extensions/skills/walkthrough/scripts/setup-test-repo.sh +198 -0
forge/_extensions/skills/walkthrough/scripts/walkthrough-state.py +1137 -0
forge/backend/__init__.py +174 -0
forge/backend/adapters/__init__.py +38 -0
forge/backend/adapters/litellm.py +158 -0
forge/backend/creation.py +89 -0
forge/backend/registry.py +178 -0
forge/cli/__init__.py +16 -0
forge/cli/auth.py +483 -0
forge/cli/backend.py +298 -0
forge/cli/claude.py +411 -0
forge/cli/config_cmd.py +303 -0
forge/cli/extensions.py +1001 -0
forge/cli/gc.py +165 -0
forge/cli/guard.py +1018 -0
forge/cli/guards.py +106 -0
forge/cli/handoff.py +110 -0
forge/cli/hooks/__init__.py +36 -0
forge/cli/hooks/_group.py +20 -0
forge/cli/hooks/_helpers.py +149 -0
forge/cli/hooks/commands.py +1677 -0
forge/cli/hooks/direct_commands.py +1304 -0
forge/cli/hooks/install.py +232 -0
forge/cli/hooks/policy.py +151 -0
forge/cli/hooks/read_hygiene.py +74 -0
forge/cli/hooks/verification.py +370 -0
forge/cli/logs.py +406 -0
forge/cli/main.py +292 -0
forge/cli/proxy.py +1821 -0
forge/cli/proxy_costs.py +313 -0
forge/cli/search.py +416 -0
forge/cli/session.py +892 -0
forge/cli/session_addendum.py +81 -0
forge/cli/session_fork.py +750 -0
forge/cli/session_handoff.py +141 -0
forge/cli/session_lifecycle.py +2053 -0
forge/cli/session_manage.py +1336 -0
forge/cli/session_memory.py +201 -0
forge/cli/status_line.py +1398 -0
forge/cli/workflow.py +1964 -0
forge/config/__init__.py +110 -0
forge/config/dataclass_utils.py +88 -0
forge/config/defaults/__init__.py +0 -0
forge/config/defaults/backends/__init__.py +0 -0
forge/config/defaults/backends/litellm.yaml +196 -0
forge/config/defaults/templates/__init__.py +0 -0
forge/config/defaults/templates/litellm-anthropic-local.yaml +33 -0
forge/config/defaults/templates/litellm-anthropic.yaml +24 -0
forge/config/defaults/templates/litellm-gemini-flash-local.yaml +37 -0
forge/config/defaults/templates/litellm-gemini-local.yaml +32 -0
forge/config/defaults/templates/litellm-gemini-test.yaml +34 -0
forge/config/defaults/templates/litellm-gemini.yaml +21 -0
forge/config/defaults/templates/litellm-openai-codex-local.yaml +36 -0
forge/config/defaults/templates/litellm-openai-local.yaml +38 -0
forge/config/defaults/templates/litellm-openai.yaml +28 -0
forge/config/defaults/templates/openrouter-anthropic.yaml +23 -0
forge/config/defaults/templates/openrouter-deepseek.yaml +26 -0
forge/config/defaults/templates/openrouter-gemini-flash.yaml +26 -0
forge/config/defaults/templates/openrouter-gemini.yaml +23 -0
forge/config/defaults/templates/openrouter-glm.yaml +23 -0
forge/config/defaults/templates/openrouter-kimi.yaml +30 -0
forge/config/defaults/templates/openrouter-minimax.yaml +26 -0
forge/config/defaults/templates/openrouter-openai-codex.yaml +23 -0
forge/config/defaults/templates/openrouter-openai.yaml +28 -0
forge/config/defaults/templates/openrouter-qwen.yaml +25 -0
forge/config/loader.py +675 -0
forge/config/schema.py +448 -0
forge/core/__init__.py +5 -0
forge/core/auth/__init__.py +67 -0
forge/core/auth/capabilities.py +219 -0
forge/core/auth/credentials_file.py +244 -0
forge/core/auth/protocols.py +18 -0
forge/core/auth/secrets.py +243 -0
forge/core/auth/template_secrets.py +112 -0
forge/core/data/__init__.py +5 -0
forge/core/data/model_catalog.yaml +1522 -0
forge/core/data/pricing.yaml +140 -0
forge/core/data/system_prompt_addendums/__init__.py +0 -0
forge/core/data/system_prompt_addendums/gemini.md +330 -0
forge/core/data/system_prompt_addendums/openai.md +328 -0
forge/core/llm/__init__.py +231 -0
forge/core/llm/clients/__init__.py +14 -0
forge/core/llm/clients/base.py +115 -0
forge/core/llm/clients/litellm.py +619 -0
forge/core/llm/clients/openai_compat.py +244 -0
forge/core/llm/clients/openrouter.py +234 -0
forge/core/llm/credentials.py +439 -0
forge/core/llm/detection.py +86 -0
forge/core/llm/errors.py +44 -0
forge/core/llm/protocols.py +80 -0
forge/core/llm/types.py +176 -0
forge/core/logging.py +146 -0
forge/core/models/__init__.py +91 -0
forge/core/models/catalog.py +467 -0
forge/core/models/pricing.py +165 -0
forge/core/models/types.py +167 -0
forge/core/naming.py +212 -0
forge/core/ops/__init__.py +73 -0
forge/core/ops/context.py +141 -0
forge/core/ops/gc.py +802 -0
forge/core/ops/proxy.py +146 -0
forge/core/ops/resolution.py +135 -0
forge/core/ops/session.py +344 -0
forge/core/ops/session_context.py +548 -0
forge/core/paths.py +38 -0
forge/core/process.py +54 -0
forge/core/reactive/__init__.py +38 -0
forge/core/reactive/cost_tracking.py +300 -0
forge/core/reactive/env.py +180 -0
forge/core/reactive/proxy.py +78 -0
forge/core/reactive/routing.py +622 -0
forge/core/reactive/session_runner.py +185 -0
forge/core/reactive/structured_output.py +62 -0
forge/core/reactive/tagger.py +94 -0
forge/core/reactive/throttle.py +132 -0
forge/core/state/__init__.py +59 -0
forge/core/state/exceptions.py +59 -0
forge/core/state/io.py +140 -0
forge/core/state/lock.py +99 -0
forge/core/state/timestamps.py +60 -0
forge/core/transcript.py +78 -0
forge/core/typing_helpers.py +24 -0
forge/core/workqueue/__init__.py +67 -0
forge/core/workqueue/queue.py +552 -0
forge/core/workqueue/types.py +63 -0
forge/guard/__init__.py +26 -0
forge/guard/deterministic/__init__.py +26 -0
forge/guard/deterministic/base.py +158 -0
forge/guard/deterministic/coding_standards.py +256 -0
forge/guard/deterministic/registry.py +148 -0
forge/guard/deterministic/tdd.py +171 -0
forge/guard/engine.py +216 -0
forge/guard/protocols.py +91 -0
forge/guard/queries.py +96 -0
forge/guard/semantic/__init__.py +34 -0
forge/guard/semantic/promotion.py +18 -0
forge/guard/semantic/supervisor.py +813 -0
forge/guard/semantic/verdict.py +183 -0
forge/guard/store.py +124 -0
forge/guard/team/__init__.py +6 -0
forge/guard/team/config.py +24 -0
forge/guard/team/handlers.py +209 -0
forge/guard/team/prompts.py +41 -0
forge/guard/types.py +125 -0
forge/guard/workflow/__init__.py +17 -0
forge/guard/workflow/branches.py +67 -0
forge/guard/workflow/config.py +63 -0
forge/guard/workflow/divergence.py +113 -0
forge/guard/workflow/policy.py +87 -0
forge/guard/workflow/stages.py +205 -0
forge/install/__init__.py +55 -0
forge/install/cli.py +281 -0
forge/install/exceptions.py +163 -0
forge/install/hooks.py +109 -0
forge/install/installer.py +1037 -0
forge/install/models.py +321 -0
forge/install/preset.py +272 -0
forge/install/settings_merge.py +831 -0
forge/install/tracking.py +238 -0
forge/install/version.py +141 -0
forge/proxy/__init__.py +0 -0
forge/proxy/base_client.py +181 -0
forge/proxy/client_adapter.py +476 -0
forge/proxy/client_factory.py +531 -0
forge/proxy/converters.py +1206 -0
forge/proxy/cost_logger.py +132 -0
forge/proxy/cost_tracker.py +242 -0
forge/proxy/data_models.py +338 -0
forge/proxy/error_hints.py +92 -0
forge/proxy/metrics.py +222 -0
forge/proxy/model_spec.py +158 -0
forge/proxy/proxies.py +333 -0
forge/proxy/proxy_identity.py +134 -0
forge/proxy/proxy_orchestrator.py +1018 -0
forge/proxy/proxy_startup.py +54 -0
forge/proxy/server.py +1561 -0
forge/proxy/utils.py +537 -0
forge/review/__init__.py +6 -0
forge/review/adversarial.py +111 -0
forge/review/consensus.py +236 -0
forge/review/engine.py +356 -0
forge/review/models.py +437 -0
forge/review/resources/__init__.py +5 -0
forge/review/resources/codereview-performance.md +85 -0
forge/review/resources/codereview-quick.md +75 -0
forge/review/resources/codereview-security.md +92 -0
forge/review/resources/codereview.md +85 -0
forge/review/resources/docreview-quick.md +75 -0
forge/review/resources/docreview.md +86 -0
forge/review/resources/thinkdeep.md +89 -0
forge/review/routing.py +368 -0
forge/review/synthesis.py +73 -0
forge/runtime_config.py +438 -0
forge/search/__init__.py +55 -0
forge/search/bm25_store.py +264 -0
forge/search/content_store.py +197 -0
forge/search/engine.py +352 -0
forge/search/exceptions.py +51 -0
forge/search/extractor.py +234 -0
forge/search/index_state.py +295 -0
forge/search/store.py +215 -0
forge/search/tokenizer.py +24 -0
forge/session/__init__.py +130 -0
forge/session/active.py +339 -0
forge/session/artifacts.py +202 -0
forge/session/claude/__init__.py +50 -0
forge/session/claude/cleanup.py +105 -0
forge/session/claude/invoke.py +236 -0
forge/session/claude/paths.py +200 -0
forge/session/cleanup.py +216 -0
forge/session/config.py +34 -0
forge/session/direct_model.py +107 -0
forge/session/effective.py +169 -0
forge/session/exceptions.py +255 -0
forge/session/handoff.py +881 -0
forge/session/handoff_agent.py +544 -0
forge/session/hooks/__init__.py +35 -0
forge/session/hooks/models.py +73 -0
forge/session/hooks/session_start.py +507 -0
forge/session/identity.py +84 -0
forge/session/index.py +553 -0
forge/session/manager.py +1506 -0
forge/session/models.py +572 -0
forge/session/overrides.py +344 -0
forge/session/plan_resolution.py +286 -0
forge/session/prev_sessions.py +128 -0
forge/session/store.py +431 -0
forge/session/validation.py +47 -0
forge/session/worktree/__init__.py +65 -0
forge/session/worktree/cleanup.py +262 -0
forge/session/worktree/config_copy.py +203 -0
forge/session/worktree/create.py +332 -0
forge/sidecar/__init__.py +29 -0
forge/sidecar/container.py +161 -0
forge/sidecar/docker.py +86 -0
forge/sidecar/secrets.py +19 -0
multi_forge-0.2.0.dist-info/METADATA +242 -0
multi_forge-0.2.0.dist-info/RECORD +311 -0
multi_forge-0.2.0.dist-info/WHEEL +4 -0
multi_forge-0.2.0.dist-info/entry_points.txt +2 -0
multi_forge-0.2.0.dist-info/licenses/LICENSE +203 -0
multi_forge-0.2.0.dist-info/licenses/NOTICE +14 -0

forge/core/auth/capabilities.py ADDED Viewed

@@ -0,0 +1,219 @@
+"""Credential registry and capability metadata.
+Single source of truth for Forge credential definitions. Each credential
+maps to one or more env vars and describes what features it unlocks.
+Dependency direction: this module imports TEMPLATE_SECRETS from
+template_secrets.py (one-way). template_secrets.py must NOT import
+from this module.
+"""
+from __future__ import annotations
+from dataclasses import dataclass
+@dataclass(frozen=True)
+class EnvVar:
+    """Metadata for one environment variable within a credential."""
+    name: str
+    required: bool = True
+    secret: bool = True
+    connection_value: bool = False
+    default_value: str | None = None
+@dataclass(frozen=True)
+class Credential:
+    """A Forge credential with its env vars and capability metadata."""
+    name: str
+    env_vars: tuple[EnvVar, ...] = ()
+    unlocks_features: tuple[str, ...] = ()
+    signup_url: str | None = None
+    note: str | None = None
+    not_needed_for: tuple[str, ...] | None = None
+CREDENTIALS: dict[str, Credential] = {
+    "openrouter": Credential(
+        name="openrouter",
+        env_vars=(
+            EnvVar("OPENROUTER_API_KEY"),
+            EnvVar(
+                "OPENROUTER_BASE_URL",
+                required=False,
+                secret=False,
+                connection_value=True,
+                default_value="https://openrouter.ai/api/v1",
+            ),
+        ),
+        unlocks_features=("OpenRouter proxy templates", "OSS workflow model workers"),
+        signup_url="https://openrouter.ai/keys",
+        note="Routes to Claude, GPT, Gemini, DeepSeek, etc. via OpenRouter",
+    ),
+    "anthropic-api": Credential(
+        name="anthropic-api",
+        env_vars=(EnvVar("ANTHROPIC_API_KEY"),),
+        unlocks_features=(
+            "Forge subprocesses (supervisor, handoff agent)",
+            "direct Anthropic panel/debate workers",
+            "litellm-anthropic-local proxy",
+        ),
+        signup_url="https://console.anthropic.com/",
+        note="Pay-per-token API key. Not Claude Code login.",
+        not_needed_for=(
+            "forge session start (uses Claude Code's own auth)",
+            "Claude via openrouter-anthropic (uses OPENROUTER_API_KEY)",
+            "Claude via litellm-anthropic (uses LITELLM_API_KEY)",
+        ),
+    ),
+    "openai-api": Credential(
+        name="openai-api",
+        env_vars=(EnvVar("OPENAI_API_KEY"),),
+        unlocks_features=("litellm-openai-local proxy",),
+        signup_url="https://platform.openai.com/api-keys",
+        note="OpenAI API key for local LiteLLM proxy routing",
+    ),
+    "gemini-api": Credential(
+        name="gemini-api",
+        env_vars=(EnvVar("GEMINI_API_KEY"),),
+        unlocks_features=("litellm-gemini-local proxy",),
+        signup_url="https://aistudio.google.com/apikey",
+        note="Gemini API key for local LiteLLM proxy routing",
+    ),
+    "litellm-remote": Credential(
+        name="litellm-remote",
+        env_vars=(
+            EnvVar("LITELLM_API_KEY"),
+            EnvVar("LITELLM_BASE_URL", secret=False, connection_value=True),
+        ),
+        unlocks_features=("Remote LiteLLM proxy templates",),
+        note="Shared/internal LiteLLM server (team setups)",
+    ),
+}
+RETIRED_NAMES: dict[str, str] = {
+    "anthropic": (
+        "Unknown credential 'anthropic'. Did you mean 'anthropic-api'?\n"
+        "\n"
+        "  'anthropic-api' is for Forge subprocess auth (pay-per-token API key).\n"
+        "  It is NOT your Claude Code login.\n"
+        "\n"
+        "  Run: forge auth login -c anthropic-api"
+    ),
+    "litellm-local": (
+        "'litellm-local' is not a credential. It's a setup that uses upstream API keys.\n"
+        "\n"
+        "  Configure the providers you need:\n"
+        "    forge auth login -c gemini-api       # for litellm-gemini-local\n"
+        "    forge auth login -c openai-api       # for litellm-openai-local\n"
+        "    forge auth login -c anthropic-api    # for litellm-anthropic-local"
+    ),
+}
+def credential_for_env_var(var_name: str) -> Credential | None:
+    """Find the credential that owns a given env var name."""
+    for cred in CREDENTIALS.values():
+        if any(ev.name == var_name for ev in cred.env_vars):
+            return cred
+    return None
+def credentials_for_template(template: str) -> list[Credential]:
+    """Which credentials does a template need?
+    Bridges TEMPLATE_SECRETS (template -> env var names) to CREDENTIALS
+    (credential -> env var metadata) via reverse lookup.
+    """
+    from forge.core.auth.template_secrets import TEMPLATE_SECRETS
+    required_vars = TEMPLATE_SECRETS.get(template, [])
+    if not required_vars:
+        return []
+    seen: set[str] = set()
+    result: list[Credential] = []
+    for var_name in required_vars:
+        cred = credential_for_env_var(var_name)
+        if cred and cred.name not in seen:
+            seen.add(cred.name)
+            result.append(cred)
+    return result
+def format_missing_credential_error(
+    credential: Credential,
+    *,
+    missing_vars: list[str],
+    template: str | None = None,
+    context: str | None = None,
+    extra_hint: str | None = None,
+    profile: str | None = None,
+    env_ignored: bool = False,
+) -> str:
+    """Build an actionable error message for missing credentials.
+    Includes what failed, which key(s), signup URL, and the exact
+    ``forge auth login`` command. Renders ``not_needed_for`` only for
+    anthropic-api (where false urgency is common).
+    """
+    key_word = "key" if len(missing_vars) == 1 else "keys"
+    var_list = ", ".join(missing_vars)
+    if context and template:
+        header = f"{context} requires {var_list} (template '{template}')."
+    elif context:
+        header = f"{context} requires {var_list}."
+    elif template:
+        header = f"Template '{template}' requires {key_word}: {var_list}."
+    else:
+        header = f"Missing {key_word}: {var_list}."
+    lines = [f"Error: {header}"]
+    if credential.note:
+        lines.append(f"\n  {credential.note}")
+    if credential.not_needed_for:
+        lines.append("")
+        lines.append("  NOT needed for:")
+        for item in credential.not_needed_for:
+            lines.append(f"    - {item}")
+    unlocks = credential.unlocks_features
+    if unlocks:
+        lines.append(f"\n  Unlocks: {', '.join(unlocks)}")
+    if credential.signup_url:
+        lines.append(f"  Get one at {credential.signup_url}")
+    login_cmd = f"forge auth login -c {credential.name}"
+    if profile:
+        login_cmd += f" --profile {profile}"
+    lines.append(f"  Tip: Run '{login_cmd}' to configure.")
+    if extra_hint:
+        lines.append(f"       {extra_hint}")
+    if env_ignored:
+        present_in_env = [v for v in missing_vars if _env_has(v)]
+        if present_in_env:
+            env_list = ", ".join(present_in_env)
+            verb = "is" if len(present_in_env) == 1 else "are"
+            pronoun = "it" if len(present_in_env) == 1 else "them"
+            lines.append(
+                f"\n  Note: {env_list} {verb} set in env but auth_ignore_env is active."
+                f"\n  Run 'forge config set auth_ignore_env=false' to use {pronoun}."
+            )
+    return "\n".join(lines)
+def _env_has(var_name: str) -> bool:
+    """Check if an env var is set (for env_ignored diagnostic only)."""
+    import os
+    return bool(os.environ.get(var_name))

forge/core/auth/credentials_file.py ADDED Viewed

@@ -0,0 +1,244 @@
+"""File-based credential store (~/.forge/credentials.yaml).
+Provides atomic read/write for the credential file with named profiles.
+The FileSecretsProvider (in secrets.py) reads from this store;
+CLI commands (forge auth login/status/logout) write via these functions.
+Schema:
+    version: 1
+    profiles:
+      default:
+        LITELLM_API_KEY: "sk-..."
+      personal:
+        ANTHROPIC_API_KEY: "sk-ant-..."
+Security: file permissions set to 0o600 (owner read/write only).
+Concurrency: advisory file lock on write to prevent concurrent clobber.
+"""
+from __future__ import annotations
+import os
+import re
+import tempfile
+from pathlib import Path
+from typing import Any
+import yaml
+from forge.core.paths import get_forge_home
+from forge.core.state.lock import file_lock_for_target
+CREDENTIALS_FILENAME = "credentials.yaml"
+SCHEMA_VERSION = 1
+class CredentialVersionError(Exception):
+    """Credential file has an incompatible schema version.
+    Distinct from ValueError (YAML corruption) so callers can distinguish
+    "safe to overwrite" from "don't touch — upgrade Forge first".
+    """
+# Profile names: alphanumeric, hyphens, underscores only
+_PROFILE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
+def get_credentials_path() -> Path:
+    """Return path to ~/.forge/credentials.yaml."""
+    return get_forge_home() / CREDENTIALS_FILENAME
+def resolve_profile(profile: str | None = None) -> str:
+    """Resolve active profile name.
+    Args:
+        profile: Explicit profile name (from CLI --profile flag).
+                 If None, falls back to FORGE_PROFILE env var, then "default".
+    """
+    if profile is not None:
+        return profile
+    return os.environ.get("FORGE_PROFILE", "default")
+def _validate_profile_name(name: str) -> None:
+    """Validate profile name contains only safe characters.
+    Raises:
+        ValueError: If name contains path separators, spaces, or control chars.
+    """
+    if not _PROFILE_NAME_RE.match(name):
+        raise ValueError(
+            f"Invalid profile name '{name}': "
+            f"must match [A-Za-z0-9_-] (no spaces, path separators, or special chars)"
+        )
+def load_credentials(path: Path | None = None) -> dict[str, dict[str, str]]:
+    """Load all profiles from the credentials file.
+    Returns:
+        Dict mapping profile names to their key-value secrets.
+        Returns empty dict if file doesn't exist.
+    Raises:
+        ValueError: If file exists but is malformed.
+    """
+    creds_path = path or get_credentials_path()
+    if not creds_path.exists():
+        return {}
+    try:
+        with open(creds_path, encoding="utf-8") as f:
+            data = yaml.safe_load(f)
+    except yaml.YAMLError as e:
+        raise ValueError(
+            f"Corrupt credentials file: {creds_path}\n"
+            f"Recovery: mv {creds_path} {creds_path}.corrupt && forge auth login\n"
+            f"Parse error: {e}"
+        ) from e
+    if data is None:
+        return {}
+    if not isinstance(data, dict):
+        raise ValueError(f"credentials.yaml must be a YAML mapping, got {type(data).__name__}")
+    version = data.get("version")
+    if version is not None and version != SCHEMA_VERSION:
+        raise CredentialVersionError(
+            f"credentials.yaml has version {version}, but this Forge only supports version {SCHEMA_VERSION}. "
+            f"Upgrade Forge or recreate the file with 'forge auth login'."
+        )
+    profiles = data.get("profiles", {})
+    if not isinstance(profiles, dict):
+        raise ValueError("credentials.yaml 'profiles' must be a mapping")
+    # Validate all profile values are flat string dicts
+    for name, secrets in profiles.items():
+        if not isinstance(secrets, dict):
+            raise ValueError(f"Profile '{name}' must be a mapping")
+        for k, v in secrets.items():
+            if not isinstance(v, str):
+                raise ValueError(f"Profile '{name}' key '{k}' must be a string, got {type(v).__name__}")
+    return profiles
+def load_profile(profile: str, *, path: Path | None = None) -> dict[str, str]:
+    """Load a single profile's secrets.
+    Returns empty dict if the profile or file doesn't exist.
+    """
+    profiles = load_credentials(path)
+    return profiles.get(profile, {})
+def save_profile(
+    profile: str,
+    secrets: dict[str, str],
+    *,
+    path: Path | None = None,
+    merge: bool = True,
+) -> Path:
+    """Save secrets to a profile in the credentials file.
+    Uses advisory file lock, atomic write (tempfile + os.replace),
+    and 0o600 permissions.
+    Args:
+        profile: Profile name to save to.
+        secrets: Key-value pairs to store.
+        path: Override credentials file path (for testing).
+        merge: If True, merge with existing profile secrets.
+               If False, replace the profile entirely.
+    Returns:
+        Path to credentials file.
+    Raises:
+        ValueError: If profile name is invalid.
+    """
+    _validate_profile_name(profile)
+    creds_path = path or get_credentials_path()
+    with file_lock_for_target(target_path=creds_path, timeout_s=5.0):
+        # Read-modify-write under lock
+        try:
+            profiles = load_credentials(creds_path)
+        except ValueError:
+            # Corrupt file — start fresh under lock
+            profiles = {}
+        if merge and profile in profiles:
+            profiles[profile].update(secrets)
+        else:
+            profiles[profile] = dict(secrets)
+        _write_credentials(creds_path, profiles)
+    return creds_path
+def delete_profile(profile: str, *, path: Path | None = None) -> bool:
+    """Delete a profile from the credentials file.
+    Returns True if the profile existed, False otherwise.
+    Raises:
+        ValueError: If profile name is invalid.
+    """
+    _validate_profile_name(profile)
+    creds_path = path or get_credentials_path()
+    with file_lock_for_target(target_path=creds_path, timeout_s=5.0):
+        try:
+            profiles = load_credentials(creds_path)
+        except ValueError:
+            return False
+        if profile not in profiles:
+            return False
+        del profiles[profile]
+        _write_credentials(creds_path, profiles)
+    return True
+def list_profiles(path: Path | None = None) -> list[str]:
+    """Return sorted list of profile names."""
+    profiles = load_credentials(path)
+    return sorted(profiles.keys())
+def _write_credentials(creds_path: Path, profiles: dict[str, dict[str, str]]) -> None:
+    """Atomic write of credentials file with 0o600 permissions."""
+    creds_path.parent.mkdir(parents=True, exist_ok=True)
+    data: dict[str, Any] = {
+        "version": SCHEMA_VERSION,
+        "profiles": profiles,
+    }
+    fd, tmp_path = tempfile.mkstemp(
+        dir=str(creds_path.parent),
+        prefix=f".{creds_path.stem}.",
+        suffix=".tmp",
+    )
+    try:
+        with os.fdopen(fd, "w", encoding="utf-8") as f:
+            f.write("# Forge Credential Store — managed by `forge auth login`\n\n")
+            yaml.safe_dump(data, f, default_flow_style=False, sort_keys=False)
+        os.chmod(tmp_path, 0o600)
+        os.replace(tmp_path, str(creds_path))
+    except Exception:
+        try:
+            os.unlink(tmp_path)
+        except OSError:
+            pass
+        raise

forge/core/auth/protocols.py ADDED Viewed

@@ -0,0 +1,18 @@
+"""Authentication protocols shared across auth and LLM modules."""
+from __future__ import annotations
+from typing import Any, Protocol, runtime_checkable
+@runtime_checkable
+class SecretsProvider(Protocol):
+    """Protocol for optional and required secret lookup."""
+    def get(self, key: str, default: Any = None) -> Any:
+        """Get a secret value, returning default if not found or empty."""
+        ...
+    def require(self, key: str) -> str:
+        """Get a required secret value, raising if not found or empty."""
+        ...