@action-llama/action-llama 0.13.0 → 0.13.2

package/dist/webhooks/providers/mintlify.js

@@ -0,0 +1,69 @@
+import { truncateEventText as truncate, validateHmacSignature } from "../validation.js";
+export class MintlifyWebhookProvider {
+    source = "mintlify";
+    validateRequest(headers, rawBody, secrets) {
+        // Look for Mintlify signature header - common variations
+        const signature = headers["x-mintlify-signature"] || headers["mintlify-signature"];
+        return validateHmacSignature(rawBody, signature, secrets);
+    }
+    parseEvent(headers, body) {
+        // Handle potential missing or malformed payload
+        if (!body || typeof body !== "object")
+            return null;
+        const event = body.event || "build";
+        const action = body.action || body.status;
+        if (!action)
+            return null;
+        const base = {
+            source: "mintlify",
+            event,
+            action,
+            repo: body.project || body.organization || "unknown",
+            sender: body.user?.email || body.user?.name || "mintlify",
+            timestamp: body.timestamp || new Date().toISOString(),
+        };
+        return this.extractContext(body, base);
+    }
+    extractContext(body, base) {
+        // Extract build-specific information
+        const context = {
+            ...base,
+            title: body.title || `Build ${base.action}`,
+            body: truncate(body.message || body.error || body.description),
+            url: body.url || body.build_url || body.logs_url,
+            branch: body.branch || body.git?.branch || "main",
+        };
+        // Add additional context for failed builds
+        if (base.action === "failed" || base.action === "failure") {
+            context.conclusion = "failure";
+            if (body.error) {
+                context.body = truncate(`Build failed: ${body.error}`);
+            }
+        }
+        else if (base.action === "succeeded" || base.action === "success") {
+            context.conclusion = "success";
+        }
+        return context;
+    }
+    matchesFilter(context, filter) {
+        const f = filter;
+        if (f.events?.length && !f.events.includes(context.event)) {
+            return false;
+        }
+        if (f.actions?.length && context.action && !f.actions.includes(context.action)) {
+            return false;
+        }
+        // If filter specifies actions but event has no action, skip
+        if (f.actions?.length && !context.action) {
+            return false;
+        }
+        if (f.projects?.length && !f.projects.includes(context.repo)) {
+            return false;
+        }
+        if (f.branches?.length && context.branch && !f.branches.includes(context.branch)) {
+            return false;
+        }
+        return true;
+    }
+}
+//# sourceMappingURL=mintlify.js.map

package/dist/webhooks/providers/mintlify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mintlify.js","sourceRoot":"","sources":["../../../src/webhooks/providers/mintlify.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,IAAI,QAAQ,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAExF,MAAM,OAAO,uBAAuB;IAClC,MAAM,GAAG,UAAU,CAAC;IAEpB,eAAe,CACb,OAA2C,EAC3C,OAAe,EACf,OAAgC;QAEhC,yDAAyD;QACzD,MAAM,SAAS,GAAG,OAAO,CAAC,sBAAsB,CAAC,IAAI,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACnF,OAAO,qBAAqB,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAC5D,CAAC;IAED,UAAU,CAAC,OAA2C,EAAE,IAAS;QAC/D,gDAAgD;QAChD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAEnD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC;QACpC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC;QAE1C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,MAAM,IAAI,GAA4B;YACpC,MAAM,EAAE,UAAU;YAClB,KAAK;YACL,MAAM;YACN,IAAI,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,YAAY,IAAI,SAAS;YACpD,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,IAAI,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,UAAU;YACzD,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACtD,CAAC;QAEF,OAAO,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACzC,CAAC;IAEO,cAAc,CACpB,IAAS,EACT,IAA6B;QAE7B,qCAAqC;QACrC,MAAM,OAAO,GAAmB;YAC9B,GAAG,IAAI;YACP,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS,IAAI,CAAC,MAAM,EAAE;YAC3C,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,WAAW,CAAC;YAC9D,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,QAAQ;YAChD,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,MAAM,IAAI,MAAM;SAChC,CAAC;QAEpB,2CAA2C;QAC3C,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC1D,OAAO,CAAC,UAAU,GAAG,SAAS,CAAC;YAC/B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,iBAAiB,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACpE,OAAO,CAAC,UAAU,GAAG,SAAS,CAAC;QACjC,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,aAAa,CAAC,OAAuB,EAAE,MAAqB;QAC1D,MAAM,CAAC,GAAG,MAA+B,CAAC;QAE1C,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1D,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/E,OAAO,KAAK,CAAC;QACf,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACzC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,CAAC,QAAQ,EAAE,MAAM,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7D,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,CAAC,QAAQ,EAAE,MAAM,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACjF,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/dist/webhooks/types.d.ts

@@ -11,6 +11,7 @@ export interface WebhookContext {
     assignee?: string;
     labels?: string[];
     branch?: string;
+    conclusion?: string;
     comment?: string;
     sender: string;
     timestamp: string;
@@ -25,6 +26,7 @@ export interface GitHubWebhookFilter {
     assignee?: string;
     author?: string;
     branches?: string[];
+    conclusions?: string[];
 }
 export interface SentryWebhookFilter {
     resources?: string[];
@@ -37,7 +39,13 @@ export interface LinearWebhookFilter {
     assignee?: string;
     author?: string;
 }
-export type WebhookFilter = GitHubWebhookFilter | SentryWebhookFilter | LinearWebhookFilter;
+export interface MintlifyWebhookFilter {
+    projects?: string[];
+    events?: string[];
+    actions?: string[];
+    branches?: string[];
+}
+export type WebhookFilter = GitHubWebhookFilter | SentryWebhookFilter | LinearWebhookFilter | MintlifyWebhookFilter;
 export interface WebhookTrigger {
     source: string;
     events?: string[];

package/dist/webhooks/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/webhooks/types.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,mBAAmB;IAClC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,aAAa,GAAG,mBAAmB,GAAG,mBAAmB,GAAG,mBAAmB,CAAC;AAI5F,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAID,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,GAAG,IAAI,CAAC;IAC/H,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,EAAE,IAAI,EAAE,GAAG,GAAG,cAAc,GAAG,IAAI,CAAC;IAC1F,aAAa,CAAC,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC;CACxE;AAID,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,aAAa,CAAC;IACvB,OAAO,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC;CAC/C;AAID,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,OAAO,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/webhooks/types.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,mBAAmB;IAClC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,MAAM,aAAa,GAAG,mBAAmB,GAAG,mBAAmB,GAAG,mBAAmB,GAAG,qBAAqB,CAAC;AAIpH,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAID,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,GAAG,IAAI,CAAC;IAC/H,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,EAAE,IAAI,EAAE,GAAG,GAAG,cAAc,GAAG,IAAI,CAAC;IAC1F,aAAa,CAAC,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC;CACxE;AAID,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,aAAa,CAAC;IACvB,OAAO,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC;CAC/C;AAID,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,OAAO,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB"}

package/docker/bin/_http-exit

@@ -0,0 +1,35 @@
+#!/bin/sh
+# Shared HTTP status → exit code mapping for gateway-calling commands.
+# Source this file: . "$(dirname "$0")/_http-exit"
+# Then call: http_exit <http_code>
+#
+# Exit code table:
+#   0  = success          (HTTP 200)
+#   1  = conflict         (HTTP 409)
+#   2  = not found        (HTTP 404)
+#   3  = auth error       (HTTP 403)
+#   4  = bad request      (HTTP 400) — server rejected the request
+#   5  = unavailable      (HTTP 503) — gateway not ready
+#   6  = unreachable      (curl 000) — connection failed / DNS error
+#   7  = unexpected       (any other HTTP status)
+#   8  = timeout          (used by al-wait; not mapped here)
+#   9  = usage error      (missing argument — local check, never hit network)
+#  10  = bad gateway      (HTTP 502) — proxy could not reach the gateway
+#  11  = gateway timeout  (HTTP 504) — proxy timed out reaching the gateway
+#  12  = server error     (HTTP 500) — internal gateway error
+
+http_exit() {
+  case "$1" in
+    200) exit 0;;
+    409) exit 1;;
+    404) exit 2;;
+    403) exit 3;;
+    400) exit 4;;
+    503) exit 5;;
+    000) exit 6;;
+    502) exit 10;;
+    504) exit 11;;
+    500) exit 12;;
+    *)   exit 7;;
+  esac
+}

package/docker/bin/al-call

@@ -1,8 +1,14 @@
 #!/bin/sh
-if [ -z "$GATEWAY_URL" ]; then echo '{"ok":false,"reason":"no gateway"}'; exit 1; fi
-if [ -z "$1" ]; then echo '{"ok":false,"reason":"usage: echo ctx | al-call <agent>"}'; exit 1; fi
+# al-call — dispatch a call to another agent
+# Exit codes: 0=dispatched, 1=rejected, 3=auth, 4=bad request, 5=no gateway, 6=unreachable
+. "$(dirname "$0")/_http-exit"
+if [ -z "$GATEWAY_URL" ]; then echo '{"ok":false,"reason":"no gateway"}'; exit 5; fi
+if [ -z "$1" ]; then echo '{"ok":false,"reason":"usage: echo ctx | al-call <agent>"}'; exit 9; fi
 CONTEXT=$(cat)
-curl -s -X POST "$GATEWAY_URL/calls" \
+_raw=$(curl -s -w '\n%{http_code}' -X POST "$GATEWAY_URL/calls" \
   -H 'Content-Type: application/json' \
   -d "$(jq -n --arg s "$SHUTDOWN_SECRET" --arg t "$1" --arg c "$CONTEXT" \
-    '{secret:$s,targetAgent:$t,context:$c}')"
+    '{secret:$s,targetAgent:$t,context:$c}')")
+AL_HTTP_CODE=$(printf '%s' "$_raw" | tail -n1)
+printf '%s' "$_raw" | sed '$d'
+http_exit "$AL_HTTP_CODE"

package/docker/bin/al-check

@@ -1,4 +1,10 @@
 #!/bin/sh
-if [ -z "$GATEWAY_URL" ]; then echo '{"status":"error","errorMessage":"no gateway"}'; exit 1; fi
-if [ -z "$1" ]; then echo '{"status":"error","errorMessage":"usage: al-check <callId>"}'; exit 1; fi
-curl -s "$GATEWAY_URL/calls/$1?secret=$SHUTDOWN_SECRET"
+# al-check — check the status of a dispatched call
+# Exit codes: 0=found, 2=not found, 3=auth, 4=bad request, 5=no gateway, 6=unreachable
+. "$(dirname "$0")/_http-exit"
+if [ -z "$GATEWAY_URL" ]; then echo '{"status":"error","errorMessage":"no gateway"}'; exit 5; fi
+if [ -z "$1" ]; then echo '{"status":"error","errorMessage":"usage: al-check <callId>"}'; exit 9; fi
+_raw=$(curl -s -w '\n%{http_code}' "$GATEWAY_URL/calls/$1?secret=$SHUTDOWN_SECRET")
+AL_HTTP_CODE=$(printf '%s' "$_raw" | tail -n1)
+printf '%s' "$_raw" | sed '$d'
+http_exit "$AL_HTTP_CODE"

package/docker/bin/al-status

@@ -1,5 +1,5 @@
 #!/bin/sh
-if [ -z "$1" ]; then echo '{"ok":false,"error":"usage: al-status \"<text>\""}'; exit 1; fi
+if [ -z "$1" ]; then echo '{"ok":false,"error":"usage: al-status \"<text>\""}'; exit 9; fi
 printf '%s' "$1" > "$AL_SIGNAL_DIR/status"
 if [ -n "$GATEWAY_URL" ] && [ -n "$SHUTDOWN_SECRET" ]; then
   curl -s -X POST "$GATEWAY_URL/signals/status" \

package/docker/bin/al-wait

@@ -1,5 +1,8 @@
 #!/bin/sh
-if [ -z "$GATEWAY_URL" ]; then echo '{"error":"no gateway"}'; exit 1; fi
+# al-wait — wait for one or more calls to complete
+# Exit codes: 0=all complete, 4=bad request, 5=no gateway, 6=unreachable, 8=timeout
+. "$(dirname "$0")/_http-exit"
+if [ -z "$GATEWAY_URL" ]; then echo '{"error":"no gateway"}'; exit 5; fi
 TIMEOUT=900
 IDS=""
 while [ $# -gt 0 ]; do
@@ -8,12 +11,16 @@ while [ $# -gt 0 ]; do
     *) IDS="$IDS $1"; shift;;
   esac
 done
-if [ -z "$IDS" ]; then echo '{"error":"usage: al-wait <callId> [callId...] [--timeout N]"}'; exit 1; fi
+if [ -z "$IDS" ]; then echo '{"error":"usage: al-wait <callId> [callId...] [--timeout N]"}'; exit 9; fi
 ELAPSED=0
 while [ "$ELAPSED" -lt "$TIMEOUT" ]; do
   ALL_DONE=true
   for id in $IDS; do
-    STATUS=$(curl -s "$GATEWAY_URL/calls/$id?secret=$SHUTDOWN_SECRET" | jq -r .status)
+    _raw=$(curl -s -w '\n%{http_code}' "$GATEWAY_URL/calls/$id?secret=$SHUTDOWN_SECRET")
+    _code=$(printf '%s' "$_raw" | tail -n1)
+    # On connection failure during polling, keep trying
+    case "$_code" in 000) ALL_DONE=false; continue;; esac
+    STATUS=$(printf '%s' "$_raw" | sed '$d' | jq -r .status 2>/dev/null)
     case "$STATUS" in running|pending) ALL_DONE=false;; esac
   done
   if $ALL_DONE; then break; fi
@@ -27,3 +34,4 @@ for id in $IDS; do
   RESULT="$RESULT\"$id\":$(curl -s "$GATEWAY_URL/calls/$id?secret=$SHUTDOWN_SECRET")"
 done
 echo "$RESULT}"
+if [ "$ELAPSED" -ge "$TIMEOUT" ]; then exit 8; fi

package/docker/bin/rlock

@@ -1,5 +1,12 @@
 #!/bin/sh
+# rlock — acquire an exclusive resource lock
+# Exit codes: 0=acquired, 1=conflict, 3=auth, 4=bad request, 6=unreachable, 9=usage, 10=bad gateway
+. "$(dirname "$0")/_http-exit"
 if [ -z "$GATEWAY_URL" ]; then echo '{"ok":true}'; exit 0; fi
-curl -s -X POST "$GATEWAY_URL/locks/acquire" \
+if [ -z "$1" ]; then echo '{"ok":false,"error":"usage: rlock <resourceKey>"}'; exit 9; fi
+_raw=$(curl -s --connect-timeout 5 --max-time 10 -w '\n%{http_code}' -X POST "$GATEWAY_URL/locks/acquire" \
   -H 'Content-Type: application/json' \
-  -d '{"secret":"'"$SHUTDOWN_SECRET"'","resourceKey":"'"$1"'"}'
+  -d '{"secret":"'"$SHUTDOWN_SECRET"'","resourceKey":"'"$1"'"}')
+AL_HTTP_CODE=$(printf '%s' "$_raw" | tail -n1)
+printf '%s' "$_raw" | sed '$d'
+http_exit "$AL_HTTP_CODE"

package/docker/bin/rlock-heartbeat

@@ -1,5 +1,12 @@
 #!/bin/sh
+# rlock-heartbeat — extend the TTL on a held lock
+# Exit codes: 0=extended, 1=conflict, 2=not found, 3=auth, 4=bad request, 6=unreachable, 9=usage
+. "$(dirname "$0")/_http-exit"
 if [ -z "$GATEWAY_URL" ]; then echo '{"ok":true}'; exit 0; fi
-curl -s -X POST "$GATEWAY_URL/locks/heartbeat" \
+if [ -z "$1" ]; then echo '{"ok":false,"error":"usage: rlock-heartbeat <resourceKey>"}'; exit 9; fi
+_raw=$(curl -s --connect-timeout 5 --max-time 10 -w '\n%{http_code}' -X POST "$GATEWAY_URL/locks/heartbeat" \
   -H 'Content-Type: application/json' \
-  -d '{"secret":"'"$SHUTDOWN_SECRET"'","resourceKey":"'"$1"'"}' || echo '{"ok":true,"note":"gateway unreachable"}'
+  -d '{"secret":"'"$SHUTDOWN_SECRET"'","resourceKey":"'"$1"'"}')
+AL_HTTP_CODE=$(printf '%s' "$_raw" | tail -n1)
+printf '%s' "$_raw" | sed '$d'
+http_exit "$AL_HTTP_CODE"

package/docker/bin/runlock

@@ -1,5 +1,12 @@
 #!/bin/sh
+# runlock — release a resource lock
+# Exit codes: 0=released, 1=conflict, 2=not found, 3=auth, 4=bad request, 6=unreachable, 9=usage
+. "$(dirname "$0")/_http-exit"
 if [ -z "$GATEWAY_URL" ]; then echo '{"ok":true}'; exit 0; fi
-curl -s -X POST "$GATEWAY_URL/locks/release" \
+if [ -z "$1" ]; then echo '{"ok":false,"error":"usage: runlock <resourceKey>"}'; exit 9; fi
+_raw=$(curl -s --connect-timeout 5 --max-time 10 -w '\n%{http_code}' -X POST "$GATEWAY_URL/locks/release" \
   -H 'Content-Type: application/json' \
-  -d '{"secret":"'"$SHUTDOWN_SECRET"'","resourceKey":"'"$1"'"}' || echo '{"ok":true,"note":"gateway unreachable, lock will expire"}'
+  -d '{"secret":"'"$SHUTDOWN_SECRET"'","resourceKey":"'"$1"'"}')
+AL_HTTP_CODE=$(printf '%s' "$_raw" | tail -n1)
+printf '%s' "$_raw" | sed '$d'
+http_exit "$AL_HTTP_CODE"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@action-llama/action-llama",
-  "version": "0.13.0",
+  "version": "0.13.2",
   "description": "Automated development agents triggered by cron or webhooks. BYOM — bring your own model.",
   "type": "module",
   "license": "MIT",
@@ -31,7 +31,7 @@
   "files": [
     "dist",
     "docker",
-    "docs",
+    "agent-docs",
     "README.md",
     "LICENSE"
   ],

package/docs/agent-config-reference.md

@@ -1,313 +0,0 @@
-# agent-config.toml Reference
-
-Each agent has an `agent-config.toml` file in its directory. The agent name is derived from the directory name and should not be included in the config.
-
-## Full Annotated Example
-
-```toml
-# Required: credential types the agent needs at runtime
-# Use "type" for default instance, "type:instance" for named instance
-credentials = ["github_token", "git_ssh", "sentry_token"]
-
-# Optional: cron schedule (standard cron syntax)
-# Agent must have at least one of: schedule, webhooks
-schedule = "*/5 * * * *"
-
-# Optional: number of concurrent runs allowed (default: 1)
-# When scale > 1, use LOCK/UNLOCK in your actions to coordinate
-# and prevent instances from working on the same resource.
-scale = 2
-
-# Optional: max runtime in seconds (default: falls back to [local].timeout, then 900)
-# On AWS ECS, agents with timeout <= 900 automatically route to Lambda
-# for faster cold starts (~1-2s vs ~30-60s on Fargate). Agents with
-# timeout > 900 run on ECS Fargate.
-timeout = 600
-
-# Required: LLM model configuration
-[model]
-provider = "anthropic"                    # LLM provider: anthropic, openai, groq, google, xai, mistral, openrouter, or custom
-model = "claude-sonnet-4-20250514"        # Model ID (e.g., claude-sonnet-4-20250514, gpt-4o, gemini-2.0-flash-exp)
-thinkingLevel = "medium"                  # Optional: off | minimal | low | medium | high | xhigh (for models with reasoning support)
-authType = "api_key"                      # api_key | oauth_token | pi_auth
-
-# Optional: webhook triggers (instead of or in addition to schedule)
-# Each source references a named webhook defined in the project's config.toml
-[[webhooks]]
-source = "my-github"                      # Required: references [webhooks.my-github] in config.toml
-repos = ["acme/app"]                      # Filter to specific repos (optional)
-events = ["issues"]                       # GitHub event types (optional)
-actions = ["labeled"]                     # GitHub event actions (optional)
-labels = ["agent"]                        # Only trigger on issues with these labels (optional)
-
-[[webhooks]]
-source = "my-sentry"                      # Required: references [webhooks.my-sentry] in config.toml
-resources = ["error", "event_alert"]      # Sentry resource types (optional)
-
-# Optional: preflight steps — run before the LLM session starts
-# Each step runs a built-in provider to stage data the agent will reference
-[[preflight]]
-provider = "git-clone"                    # Clone a repo into the workspace
-required = true                           # If true (default), abort if this step fails
-[preflight.params]
-repo = "acme/app"                         # Short "owner/repo" or full URL
-dest = "/tmp/repo"
-depth = 1                                 # Optional: shallow clone
-
-[[preflight]]
-provider = "http"                         # Fetch a URL and write the response to a file
-required = false                          # Optional step — warn and continue on failure
-[preflight.params]
-url = "https://api.internal/v1/flags"
-output = "/tmp/context/flags.json"
-headers = { Authorization = "Bearer ${INTERNAL_TOKEN}" }
-
-[[preflight]]
-provider = "shell"                        # Run a shell command
-[preflight.params]
-command = "gh issue list --repo acme/app --label P1 --json number,title,body --limit 20"
-output = "/tmp/context/issues.json"       # Optional: capture stdout to file
-
-# Optional: custom parameters injected into the agent prompt
-[params]
-repos = ["acme/app", "acme/api"]
-triggerLabel = "agent"
-assignee = "bot-user"
-sentryOrg = "acme"
-sentryProjects = ["web-app", "api"]
-```
-
-## Field Reference
-
-| Field | Type | Required | Description |
-|-------|------|----------|-------------|
-| `credentials` | string[] | Yes | Credential refs: `"type"` for default instance, `"type:instance"` for named instance |
-| `schedule` | string | No* | Cron expression for polling |
-| `scale` | number | No | Number of concurrent runs allowed (default: 1). Set to `0` to disable the agent. Use lock skills in your actions to coordinate instances. See [Resource Locks](agents.md#resource-locks). |
-| `timeout` | number | No | Max runtime in seconds. Falls back to `[local].timeout` in project config, then `900`. On AWS ECS, agents with timeout <= 900 auto-route to Lambda for faster startup. See [Timeout](#timeout). |
-| `model` | table | No | LLM model configuration (falls back to `[model]` in project `config.toml`) |
-| `model.provider` | string | Yes* | LLM provider ("anthropic", "openai", "groq", "google", "xai", "mistral", "openrouter", or "custom") |
-| `model.model` | string | Yes* | Model ID |
-| `model.thinkingLevel` | string | No | Thinking budget level: off, minimal, low, medium, high, xhigh. Only relevant for Claude Sonnet/Opus. Omit for other models. |
-| `model.authType` | string | Yes* | Auth method for the provider |
-| `webhooks` | array | No* | Array of webhook trigger objects |
-| `preflight` | array | No | Array of preflight steps that run before the LLM session. See [Preflight](#preflight). |
-| `params` | table | No | Custom key-value params for the agent prompt |
-
-*At least one of `schedule` or `webhooks` is required (unless `scale = 0`). *Required within `[model]` if the agent defines its own model block (otherwise inherits from project `config.toml`).
-
-## Scale
-
-The `scale` field controls how many instances of an agent can run concurrently. This is useful for agents that handle high-volume workloads or when you want to process multiple tasks simultaneously.
-
-- **Default**: 1 (only one instance can run at a time)
-- **Minimum**: 0 (disables the agent — no runners, cron jobs, or webhook bindings are created)
-- **Maximum**: No hard limit, but consider system resources and model API rate limits
-
-### How it works
-
-1. **Scheduled runs**: If a cron trigger fires but all agent instances are busy, the scheduled run is skipped with a warning
-2. **Webhook events**: If a webhook arrives but all instances are busy, the event is queued (up to `workQueueSize` limit in global config, default: 100)
-3. **Agent calls**: If one agent calls another but all target instances are busy, the call is queued in the same work queue and processed when a runner frees up
-
-### Example use cases
-
-- **Dev agent** with `scale = 3`: Handle multiple GitHub issues simultaneously
-- **Review agent** with `scale = 2`: Review multiple PRs in parallel
-- **Monitoring agent** with `scale = 1`: Ensure only one instance processes alerts at a time
-- **Disabled agent** with `scale = 0`: Keep the config in the project but don't run it
-
-### Resource considerations
-
-Each parallel instance:
-- Uses separate Docker containers (in Docker mode)
-- Has independent logging streams
-- May consume LLM API quota concurrently
-- Uses system memory and CPU
-
-## Timeout
-
-The `timeout` field controls the maximum runtime for an agent invocation. When the timeout expires, the container is terminated.
-
-**Resolution order:** `agent-config.toml timeout` -> `config.toml [local].timeout` -> `900` (default)
-
-This means you can set a project-wide default in `[local].timeout` and override it per-agent.
-
-### Automatic Lambda routing (AWS ECS)
-
-When using `cloud.provider = "ecs"`, agents are automatically routed to the most efficient AWS compute service based on their effective timeout:
-
-| Effective timeout | Runtime | Cold start | Cost |
-|---|---|---|---|
-| **<= 900s** (15 min) | **AWS Lambda** | ~1-2s | Lower (pay per 100ms) |
-| **> 900s** | **ECS Fargate** | ~30-60s | Higher (pay per second, 1-min minimum) |
-
-This routing is automatic — you don't need to configure anything beyond setting the timeout. Both runtimes use the same ECR images (built via CodeBuild) and the same Secrets Manager credentials.
-
-**Why Lambda is faster:** Lambda keeps your container image warm in a pre-provisioned execution environment. When a function is invoked, Lambda can start executing in 1-2 seconds. ECS Fargate, by contrast, must provision a new VM, pull the container image, and start the container — which takes 30-60 seconds.
-
-**When to use a short timeout:** If your agent typically finishes in under 15 minutes (e.g., responding to a webhook, triaging an issue, reviewing a small PR), set `timeout = 600` or similar. The agent gets faster startup and lower cost on AWS. If an agent needs more than 15 minutes (e.g., large refactoring tasks, long-running monitoring loops), use a longer timeout and it will route to ECS Fargate automatically.
-
-### Lambda IAM roles
-
-When `al doctor -c` runs, it automatically creates Lambda execution roles (`al-{agentName}-lambda-role`) for agents whose effective timeout is <= 900s. These roles include permissions for Secrets Manager access, CloudWatch Logs, and ECR image pull. You can override the role with `cloud.lambdaRoleArn` in `config.toml`.
-
-### Examples
-
-```toml
-# Fast webhook responder — routes to Lambda on AWS
-timeout = 300       # 5 minutes
-
-# Medium-length task — still fits Lambda
-timeout = 900       # 15 minutes (Lambda max)
-
-# Long-running agent — routes to ECS Fargate
-timeout = 3600      # 1 hour
-
-# Omit timeout — uses [local].timeout or defaults to 900s
-# (routes to Lambda on AWS since 900 <= 900)
-```
-
-## Preflight
-
-Preflight steps run mechanical data-staging tasks after credentials are loaded but before the LLM session starts. They fetch data, clone repos, or run commands to prepare the workspace so the agent starts with everything it needs — instead of spending tokens fetching context at runtime.
-
-### How it works
-
-1. Steps run **sequentially** in the order they appear in `agent-config.toml`
-2. Steps run **inside the container** (or host process in `--no-docker` mode) after credential/env setup
-3. Providers write files to disk — your ACTIONS.md references the staged files
-4. Environment variable interpolation is supported: `${VAR_NAME}` in string params is resolved against `process.env` (which already has credentials injected)
-
-### Step fields
-
-Each `[[preflight]]` entry has these fields:
-
-| Field | Type | Required | Description |
-|-------|------|----------|-------------|
-| `provider` | string | Yes | Provider name: `shell`, `http`, or `git-clone` |
-| `required` | boolean | No | If `true` (default), the agent aborts on failure. If `false`, logs a warning and continues. |
-| `params` | table | Yes | Provider-specific parameters (see below) |
-
-### Built-in providers
-
-#### `shell`
-
-Runs a command via `/bin/sh`. Optionally captures stdout to a file.
-
-| Param | Type | Required | Description |
-|-------|------|----------|-------------|
-| `command` | string | Yes | Shell command to execute |
-| `output` | string | No | File path to write stdout to. Parent directories are created automatically. |
-
-```toml
-[[preflight]]
-provider = "shell"
-[preflight.params]
-command = "gh issue list --repo acme/app --label P1 --json number,title,body --limit 20"
-output = "/tmp/context/issues.json"
-```
-
-#### `http`
-
-Fetches a URL and writes the response body to a file.
-
-| Param | Type | Required | Description |
-|-------|------|----------|-------------|
-| `url` | string | Yes | URL to fetch |
-| `output` | string | Yes | File path to write the response body |
-| `method` | string | No | HTTP method (default: `GET`) |
-| `headers` | table | No | HTTP headers as key-value pairs |
-| `body` | string | No | Request body (for POST/PUT) |
-
-```toml
-[[preflight]]
-provider = "http"
-required = false
-[preflight.params]
-url = "https://api.internal/v1/feature-flags"
-output = "/tmp/context/flags.json"
-headers = { Authorization = "Bearer ${INTERNAL_TOKEN}" }
-```
-
-#### `git-clone`
-
-Clones a git repository. Short `"owner/repo"` names are expanded to `git@github.com:owner/repo.git`; full URLs are passed through. Git credentials (SSH key, HTTPS token) are already configured from the agent's credentials.
-
-| Param | Type | Required | Description |
-|-------|------|----------|-------------|
-| `repo` | string | Yes | Repository: `"owner/repo"` or full URL |
-| `dest` | string | Yes | Local path to clone into |
-| `branch` | string | No | Branch to check out |
-| `depth` | number | No | Shallow clone depth (e.g., `1`) |
-
-```toml
-[[preflight]]
-provider = "git-clone"
-[preflight.params]
-repo = "acme/app"
-dest = "/tmp/repo"
-branch = "main"
-depth = 1
-```
-
-### Referencing staged files in ACTIONS.md
-
-Preflight writes files to disk — your ACTIONS.md tells the LLM what's there:
-
-```markdown
-## Context
-- The repo is cloned at `/tmp/repo`
-- Open P1 issues are at `/tmp/context/issues.json`
-- Feature flags (if available) are at `/tmp/context/flags.json`
-```
-
-### Notes
-
-- The `shell` provider is the escape hatch — anything a built-in provider doesn't cover can be expressed as a shell command
-- There is no per-step timeout — steps are bounded by the container-level timeout
-- Environment variables set inside `shell` child processes do not propagate back to the agent's `process.env`
-
-## Webhook Trigger Fields
-
-Each `[[webhooks]]` entry has the following fields:
-
-| Field | Type | Required | Description |
-|-------|------|----------|-------------|
-| `source` | string | Yes | Name of a webhook source from the project's `config.toml` (e.g. `"my-github"`) |
-
-All filter fields below are optional. Omit all of them to trigger on everything from that source.
-
-### GitHub filter fields
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `repos` | string[] | Filter to specific repos |
-| `events` | string[] | Event types: issues, pull_request, push, etc. |
-| `actions` | string[] | Event actions: opened, labeled, closed, etc. |
-| `labels` | string[] | Only trigger when issue/PR has these labels |
-| `assignee` | string | Only trigger when assigned to this user |
-| `author` | string | Only trigger for this author |
-| `branches` | string[] | Only trigger for these branches |
-
-### Sentry filter fields
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `resources` | string[] | Resource types: event_alert, metric_alert, issue, error, comment |
-
-## Model Configuration
-
-The `[model]` section is optional — agents inherit the default model from the project's `config.toml`. Only add `[model]` to an agent config if you want to override the default for that specific agent.
-
-See [Models](models.md) for all supported providers, model IDs, auth types, thinking levels, and credential setup.
-
-## Cloud Runtimes
-
-### Cloud Run (GCP)
-
-When using Cloud Run mode (`cloud.provider = "cloud-run"` in `config.toml`), each agent automatically gets a per-agent service account (`al-{agentName}@{gcpProject}.iam.gserviceaccount.com`) that only has access to the credentials listed in that agent's `credentials` array. Run `al doctor -c` to create the service accounts and IAM bindings. See [Cloud Run docs](cloud-run.md) for details.
-
-### ECS Fargate (AWS)
-
-When using ECS mode (`cloud.provider = "ecs"` in `config.toml`), each agent automatically uses a per-agent IAM task role (`al-{agentName}-task-role`) that only has access to the credentials listed in that agent's `credentials` array. The task role ARN is derived from the ECR repository's account ID. See [ECS docs](ecs.md) for setup instructions including how to create the per-agent task roles.