@action-llama/action-llama 0.2.0 → 0.4.0

package/dist/docker/ecs-runtime.d.ts

@@ -0,0 +1,73 @@
+import type { ContainerRuntime, RuntimeLaunchOpts, RuntimeCredentials, BuildImageOpts, RunningAgent } from "./runtime.js";
+export interface ECSFargateConfig {
+    awsRegion: string;
+    ecsCluster: string;
+    ecrRepository: string;
+    executionRoleArn: string;
+    taskRoleArn: string;
+    subnets: string[];
+    securityGroups?: string[];
+    secretPrefix?: string;
+    buildBucket?: string;
+}
+/**
+ * AWS ECS Fargate runtime.
+ *
+ * Launches agents as ECS Fargate tasks with AWS Secrets Manager secrets
+ * injected as environment variables or mounted via container definitions.
+ *
+ * Auth: AWS SDK default credential provider chain
+ * 1. AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars
+ * 2. AWS_PROFILE / ~/.aws/credentials
+ * 3. SSO / IAM instance role (EC2/ECS/Lambda)
+ *
+ * The runtime credentials (your machine) need:
+ *   - ecs:RegisterTaskDefinition, ecs:RunTask, ecs:DescribeTasks, ecs:StopTask
+ *   - ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:PutImage, etc.
+ *   - logs:GetLogEvents
+ *
+ * The task role (container) needs per-agent:
+ *   - secretsmanager:GetSecretValue on its specific secrets
+ */
+export declare class ECSFargateRuntime implements ContainerRuntime {
+    readonly needsGateway = false;
+    private config;
+    private prefix;
+    private ecsClient;
+    private smClient;
+    private logsClient;
+    private cbClient;
+    private s3Client;
+    private ecrClient;
+    constructor(config: ECSFargateConfig);
+    private static readonly STARTED_BY_PREFIX;
+    static readonly LOG_GROUP: string;
+    private logGroupCreated;
+    private ensureLogGroup;
+    isAgentRunning(agentName: string): Promise<boolean>;
+    listRunningAgents(): Promise<RunningAgent[]>;
+    prepareCredentials(credRefs: string[]): Promise<RuntimeCredentials>;
+    cleanupCredentials(_creds: RuntimeCredentials): void;
+    buildImage(opts: BuildImageOpts): Promise<string>;
+    pushImage(_localImage: string): Promise<string>;
+    private buildImageCodeBuild;
+    private ecrImageExists;
+    private ensureBuildBucket;
+    private ensureCodeBuildProject;
+    launch(opts: RuntimeLaunchOpts): Promise<string>;
+    streamLogs(taskArn: string, onLine: (line: string) => void, onStderr?: (text: string) => void): {
+        stop: () => void;
+    };
+    waitForExit(taskArn: string, timeoutSeconds: number): Promise<number>;
+    kill(taskArn: string): Promise<void>;
+    remove(_taskArn: string): Promise<void>;
+    fetchLogs(agentName: string, limit: number): Promise<string[]>;
+    private awsSecretName;
+    private listSecretFields;
+    private registerTaskDefinition;
+    private runTask;
+    private getLogEvents;
+    private deriveTaskRoleArn;
+    private getAccountId;
+}
+//# sourceMappingURL=ecs-runtime.d.ts.map

package/dist/docker/ecs-runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecs-runtime.d.ts","sourceRoot":"","sources":["../../src/docker/ecs-runtime.ts"],"names":[],"mappings":"AAsCA,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,kBAAkB,EAAe,cAAc,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAIvI,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,iBAAkB,YAAW,gBAAgB;IACxD,QAAQ,CAAC,YAAY,SAAS;IAE9B,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,SAAS,CAAY;IAC7B,OAAO,CAAC,QAAQ,CAAuB;IACvC,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,QAAQ,CAAkB;IAClC,OAAO,CAAC,QAAQ,CAAW;IAC3B,OAAO,CAAC,SAAS,CAAY;gBAEjB,MAAM,EAAE,gBAAgB;IAapC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAA4B;IACrE,MAAM,CAAC,QAAQ,CAAC,SAAS,SAA2B;IACpD,OAAO,CAAC,eAAe,CAAS;YAElB,cAAc;IAYtB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUnD,iBAAiB,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;IA6B5C,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAmBzE,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,GAAG,IAAI;IAM9C,UAAU,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC;IAIjD,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAKvC,mBAAmB;YAmMnB,cAAc;YAgBd,iBAAiB;YAuBjB,sBAAsB;IA2C9B,MAAM,CAAC,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;IA0BtD,UAAU,CACR,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,EAC9B,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,GAChC;QAAE,IAAI,EAAE,MAAM,IAAI,CAAA;KAAE;IAwCjB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAwBrE,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpC,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvC,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAcpE,OAAO,CAAC,aAAa;YAIP,gBAAgB;YAoBhB,sBAAsB;YAwDtB,OAAO;YA0BP,YAAY;IAoB1B,OAAO,CAAC,iBAAiB;IAMzB,OAAO,CAAC,YAAY;CAKrB"}

package/dist/docker/ecs-runtime.js

@@ -0,0 +1,596 @@
+import { execFileSync } from "child_process";
+import { createReadStream } from "fs";
+import { ECSClient, RegisterTaskDefinitionCommand, RunTaskCommand, DescribeTasksCommand, StopTaskCommand, ListTasksCommand, } from "@aws-sdk/client-ecs";
+import { SecretsManagerClient, ListSecretsCommand, } from "@aws-sdk/client-secrets-manager";
+import { CloudWatchLogsClient, GetLogEventsCommand, FilterLogEventsCommand, CreateLogGroupCommand, } from "@aws-sdk/client-cloudwatch-logs";
+import { CodeBuildClient, StartBuildCommand, BatchGetBuildsCommand, CreateProjectCommand, } from "@aws-sdk/client-codebuild";
+import { S3Client, PutObjectCommand, CreateBucketCommand, HeadBucketCommand, } from "@aws-sdk/client-s3";
+import { ECRClient, BatchGetImageCommand, } from "@aws-sdk/client-ecr";
+import { parseCredentialRef } from "../shared/credentials.js";
+import { AWS_CONSTANTS } from "../shared/aws-constants.js";
+/**
+ * AWS ECS Fargate runtime.
+ *
+ * Launches agents as ECS Fargate tasks with AWS Secrets Manager secrets
+ * injected as environment variables or mounted via container definitions.
+ *
+ * Auth: AWS SDK default credential provider chain
+ * 1. AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars
+ * 2. AWS_PROFILE / ~/.aws/credentials
+ * 3. SSO / IAM instance role (EC2/ECS/Lambda)
+ *
+ * The runtime credentials (your machine) need:
+ *   - ecs:RegisterTaskDefinition, ecs:RunTask, ecs:DescribeTasks, ecs:StopTask
+ *   - ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:PutImage, etc.
+ *   - logs:GetLogEvents
+ *
+ * The task role (container) needs per-agent:
+ *   - secretsmanager:GetSecretValue on its specific secrets
+ */
+export class ECSFargateRuntime {
+    needsGateway = false;
+    config;
+    prefix;
+    ecsClient;
+    smClient;
+    logsClient;
+    cbClient;
+    s3Client;
+    ecrClient;
+    constructor(config) {
+        this.config = config;
+        this.prefix = config.secretPrefix || AWS_CONSTANTS.DEFAULT_SECRET_PREFIX;
+        const clientConfig = { region: config.awsRegion };
+        this.ecsClient = new ECSClient(clientConfig);
+        this.smClient = new SecretsManagerClient(clientConfig);
+        this.logsClient = new CloudWatchLogsClient(clientConfig);
+        this.cbClient = new CodeBuildClient(clientConfig);
+        this.s3Client = new S3Client(clientConfig);
+        this.ecrClient = new ECRClient(clientConfig);
+    }
+    static STARTED_BY_PREFIX = AWS_CONSTANTS.STARTED_BY;
+    static LOG_GROUP = AWS_CONSTANTS.LOG_GROUP;
+    logGroupCreated = false;
+    async ensureLogGroup() {
+        if (this.logGroupCreated)
+            return;
+        try {
+            await this.logsClient.send(new CreateLogGroupCommand({ logGroupName: ECSFargateRuntime.LOG_GROUP }));
+        }
+        catch (err) {
+            if (err.name !== "ResourceAlreadyExistsException")
+                throw err;
+        }
+        this.logGroupCreated = true;
+    }
+    // --- Agent tracking ---
+    async isAgentRunning(agentName) {
+        const family = AWS_CONSTANTS.agentFamily(agentName);
+        const res = await this.ecsClient.send(new ListTasksCommand({
+            cluster: this.config.ecsCluster,
+            family,
+            desiredStatus: "RUNNING",
+        }));
+        return (res.taskArns?.length ?? 0) > 0;
+    }
+    async listRunningAgents() {
+        const res = await this.ecsClient.send(new ListTasksCommand({
+            cluster: this.config.ecsCluster,
+            startedBy: ECSFargateRuntime.STARTED_BY_PREFIX,
+            desiredStatus: "RUNNING",
+        }));
+        const taskArns = res.taskArns ?? [];
+        if (taskArns.length === 0)
+            return [];
+        const desc = await this.ecsClient.send(new DescribeTasksCommand({
+            cluster: this.config.ecsCluster,
+            tasks: taskArns,
+        }));
+        return (desc.tasks ?? []).map((task) => {
+            const family = task.taskDefinitionArn?.split("/").pop()?.split(":")[0] ?? "";
+            const agentName = AWS_CONSTANTS.agentNameFromFamily(family);
+            return {
+                agentName,
+                taskId: task.taskArn?.split("/").pop() ?? task.taskArn ?? "unknown",
+                status: task.lastStatus ?? "UNKNOWN",
+                startedAt: task.startedAt,
+            };
+        });
+    }
+    // --- Credential preparation ---
+    async prepareCredentials(credRefs) {
+        const mounts = [];
+        for (const credRef of credRefs) {
+            const { type, instance } = parseCredentialRef(credRef);
+            const fields = await this.listSecretFields(type, instance);
+            for (const field of fields) {
+                const secretName = this.awsSecretName(type, instance, field);
+                mounts.push({
+                    secretId: secretName,
+                    mountPath: `/credentials/${type}/${instance}/${field}`,
+                });
+            }
+        }
+        return { strategy: "secrets-manager", mounts };
+    }
+    cleanupCredentials(_creds) {
+        // No-op
+    }
+    // --- Image management ---
+    async buildImage(opts) {
+        return this.buildImageCodeBuild(opts, opts.onProgress);
+    }
+    async pushImage(_localImage) {
+        // CodeBuild handles build + push in one step; the image is already in ECR
+        return `${this.config.ecrRepository}:${_localImage.replace(":", "-")}`;
+    }
+    async buildImageCodeBuild(opts, onProgress) {
+        onProgress?.("Preparing build context");
+        const { join, relative, isAbsolute } = await import("path");
+        const { readFileSync, writeFileSync } = await import("fs");
+        const { randomUUID, createHash } = await import("crypto");
+        // Resolve the Dockerfile path and handle two cases:
+        // 1. Dockerfile is outside the context dir (agent custom Dockerfiles) — copy it in
+        // 2. Dockerfile references a local base image — rewrite FROM to use the remote ECR URI
+        const resolvedDockerfile = isAbsolute(opts.dockerfile)
+            ? opts.dockerfile
+            : join(opts.contextDir, opts.dockerfile);
+        const relPath = relative(opts.contextDir, resolvedDockerfile);
+        let dockerfileTar;
+        let tempDockerfile;
+        const needsCopy = relPath.startsWith("..");
+        const needsRewrite = !!opts.baseImage;
+        if (needsCopy || needsRewrite) {
+            tempDockerfile = join(opts.contextDir, `.Dockerfile.${randomUUID().slice(0, 8)}`);
+            let content = readFileSync(resolvedDockerfile, "utf-8");
+            if (needsRewrite && opts.baseImage) {
+                content = content.replace(/^FROM\s+\S+/m, `FROM ${opts.baseImage}`);
+            }
+            writeFileSync(tempDockerfile, content);
+            dockerfileTar = relative(opts.contextDir, tempDockerfile);
+        }
+        else {
+            dockerfileTar = relPath;
+        }
+        // Hash individual file contents (sorted) for a deterministic fingerprint.
+        const { readdirSync, readFileSync: readFileSyncBuf } = await import("fs");
+        const hash = createHash("sha256");
+        const hashFile = (p) => {
+            hash.update(p);
+            hash.update(readFileSyncBuf(join(opts.contextDir, p)));
+        };
+        const hashDir = (dir) => {
+            const entries = readdirSync(join(opts.contextDir, dir), { withFileTypes: true })
+                .sort((a, b) => a.name.localeCompare(b.name));
+            for (const entry of entries) {
+                const p = join(dir, entry.name);
+                if (entry.isDirectory())
+                    hashDir(p);
+                else
+                    hashFile(p);
+            }
+        };
+        hashFile(dockerfileTar);
+        hashFile("package.json");
+        hashDir("dist");
+        // Clean up temp Dockerfile after hashing but before any early returns
+        if (tempDockerfile) {
+            try {
+                const { rmSync } = await import("fs");
+                rmSync(tempDockerfile);
+            }
+            catch { }
+        }
+        const contentHash = hash.digest("hex").slice(0, 16);
+        const nameTag = opts.tag.replace(":", "-");
+        const hashTag = `${nameTag}-${contentHash}`;
+        const remoteTag = `${this.config.ecrRepository}:${hashTag}`;
+        // Check ECR cache before doing any S3/CodeBuild work
+        onProgress?.(`Checking cache (${hashTag})`);
+        const repoName = this.config.ecrRepository.split("/").pop();
+        const imageExists = await this.ecrImageExists(repoName, hashTag, onProgress);
+        if (imageExists) {
+            onProgress?.("Image unchanged — reusing cached build");
+            return remoteTag;
+        }
+        // Cache miss — need to build. Re-create temp Dockerfile for tarball.
+        if (needsCopy || needsRewrite) {
+            tempDockerfile = join(opts.contextDir, `.Dockerfile.${randomUUID().slice(0, 8)}`);
+            let content = readFileSync(resolvedDockerfile, "utf-8");
+            if (needsRewrite && opts.baseImage) {
+                content = content.replace(/^FROM\s+\S+/m, `FROM ${opts.baseImage}`);
+            }
+            writeFileSync(tempDockerfile, content);
+            dockerfileTar = relative(opts.contextDir, tempDockerfile);
+        }
+        const { tmpdir } = await import("os");
+        const tarPath = join(tmpdir(), `${AWS_CONSTANTS.BUILD_S3_PREFIX}-${randomUUID().slice(0, 8)}.tar.gz`);
+        try {
+            execFileSync("tar", [
+                "czf", tarPath,
+                "-C", opts.contextDir,
+                dockerfileTar, "package.json", "dist",
+            ], {
+                encoding: "utf-8",
+                timeout: 60_000,
+                env: { ...process.env, COPYFILE_DISABLE: "1" },
+            });
+        }
+        finally {
+            if (tempDockerfile) {
+                try {
+                    const { rmSync } = await import("fs");
+                    rmSync(tempDockerfile);
+                }
+                catch { }
+            }
+        }
+        // Upload to S3
+        onProgress?.("Uploading to S3");
+        const bucket = await this.ensureBuildBucket();
+        const s3Key = `${AWS_CONSTANTS.BUILD_S3_PREFIX}/${nameTag}-${Date.now()}.tar.gz`;
+        await this.s3Client.send(new PutObjectCommand({
+            Bucket: bucket,
+            Key: s3Key,
+            Body: createReadStream(tarPath),
+        }));
+        // Clean up local tarball
+        try {
+            const { rmSync } = await import("fs");
+            rmSync(tarPath);
+        }
+        catch { }
+        // Ensure CodeBuild project exists
+        const projectName = AWS_CONSTANTS.CODEBUILD_PROJECT;
+        await this.ensureCodeBuildProject(projectName, bucket);
+        const registry = this.config.ecrRepository.split("/")[0];
+        // Start build
+        const buildspec = [
+            "version: 0.2",
+            "phases:",
+            "  pre_build:",
+            "    commands:",
+            "      - tar xzf *.tar.gz && rm -f *.tar.gz",
+            "      - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY",
+            "  build:",
+            "    commands:",
+            "      - docker build -t $IMAGE_URI -f $DOCKERFILE .",
+            "      - docker push $IMAGE_URI",
+        ].join("\n");
+        const buildRes = await this.cbClient.send(new StartBuildCommand({
+            projectName,
+            sourceTypeOverride: "S3",
+            sourceLocationOverride: `${bucket}/${s3Key}`,
+            buildspecOverride: buildspec,
+            environmentVariablesOverride: [
+                { name: "IMAGE_URI", value: remoteTag },
+                { name: "ECR_REGISTRY", value: registry },
+                { name: "DOCKERFILE", value: dockerfileTar },
+            ],
+        }));
+        const buildId = buildRes.build?.id;
+        if (!buildId)
+            throw new Error("CodeBuild did not return a build ID");
+        onProgress?.("Queued — waiting for CodeBuild");
+        // Poll until complete
+        while (true) {
+            await sleep(10_000);
+            const status = await this.cbClient.send(new BatchGetBuildsCommand({ ids: [buildId] }));
+            const build = status.builds?.[0];
+            if (!build)
+                throw new Error(`CodeBuild build ${buildId} not found`);
+            if (build.currentPhase) {
+                const phaseLabels = {
+                    SUBMITTED: "Submitted",
+                    QUEUED: "Queued",
+                    PROVISIONING: "Provisioning build environment",
+                    DOWNLOAD_SOURCE: "Downloading source",
+                    INSTALL: "Installing dependencies",
+                    PRE_BUILD: "Logging in to ECR",
+                    BUILD: "Building and pushing image",
+                    POST_BUILD: "Finalizing",
+                    UPLOAD_ARTIFACTS: "Uploading artifacts",
+                    FINALIZING: "Finalizing",
+                    COMPLETED: "Complete",
+                };
+                const label = phaseLabels[build.currentPhase] || build.currentPhase;
+                onProgress?.(label);
+            }
+            if (build.buildComplete) {
+                if (build.buildStatus !== "SUCCEEDED") {
+                    const logs = build.logs?.deepLink || "";
+                    throw new Error(`CodeBuild build failed (${build.buildStatus}). Logs: ${logs}`);
+                }
+                return remoteTag;
+            }
+        }
+    }
+    async ecrImageExists(repositoryName, imageTag, onProgress) {
+        try {
+            const res = await this.ecrClient.send(new BatchGetImageCommand({
+                repositoryName,
+                imageIds: [{ imageTag }],
+            }));
+            return (res.images?.length ?? 0) > 0;
+        }
+        catch (err) {
+            // ImageNotFoundException is expected when the image doesn't exist
+            if (err.name === "ImageNotFoundException")
+                return false;
+            // Surface unexpected errors (permissions, network) so they're not silently swallowed
+            onProgress?.(`Cache check failed: ${err.message ?? err}`);
+            return false;
+        }
+    }
+    async ensureBuildBucket() {
+        if (this.config.buildBucket) {
+            return this.config.buildBucket;
+        }
+        // Derive bucket name from account ID + region
+        const accountId = this.getAccountId();
+        const bucket = AWS_CONSTANTS.buildBucket(accountId, this.config.awsRegion);
+        try {
+            await this.s3Client.send(new HeadBucketCommand({ Bucket: bucket }));
+        }
+        catch (err) {
+            if (err.name === "NotFound" || err.$metadata?.httpStatusCode === 404) {
+                await this.s3Client.send(new CreateBucketCommand({ Bucket: bucket }));
+            }
+            else if (err.name !== "Forbidden") {
+                // Forbidden means bucket exists but we don't own it — try anyway
+                throw err;
+            }
+        }
+        return bucket;
+    }
+    async ensureCodeBuildProject(projectName, bucket) {
+        const accountId = this.getAccountId();
+        const region = this.config.awsRegion;
+        try {
+            const status = await this.cbClient.send(new BatchGetBuildsCommand({ ids: [`${projectName}:dummy`] }));
+            // If the project doesn't exist, BatchGetBuilds returns empty — but we need a better check
+            // Actually, just try to create and handle the conflict
+            void status;
+        }
+        catch { }
+        const serviceRole = `arn:aws:iam::${accountId}:role/${AWS_CONSTANTS.CODEBUILD_ROLE}`;
+        try {
+            await this.cbClient.send(new CreateProjectCommand({
+                name: projectName,
+                source: {
+                    type: "S3",
+                    location: `${bucket}/`,
+                },
+                artifacts: { type: "NO_ARTIFACTS" },
+                environment: {
+                    type: "LINUX_CONTAINER",
+                    computeType: "BUILD_GENERAL1_MEDIUM",
+                    image: "aws/codebuild/standard:7.0",
+                    privilegedMode: true,
+                    environmentVariables: [
+                        { name: "IMAGE_URI", value: "placeholder" },
+                        { name: "ECR_REGISTRY", value: "placeholder" },
+                        { name: "DOCKERFILE", value: "Dockerfile" },
+                    ],
+                },
+                serviceRole,
+            }));
+        }
+        catch (err) {
+            if (err.name !== "ResourceAlreadyExistsException") {
+                throw err;
+            }
+        }
+    }
+    // --- Container lifecycle ---
+    async launch(opts) {
+        await this.ensureLogGroup();
+        const family = AWS_CONSTANTS.agentFamily(opts.agentName);
+        const secretMounts = opts.credentials.strategy === "secrets-manager"
+            ? opts.credentials.mounts
+            : [];
+        const perAgentRole = this.deriveTaskRoleArn(opts.agentName);
+        const taskRoleArn = opts.serviceAccount || perAgentRole || this.config.taskRoleArn;
+        const taskDefArn = await this.registerTaskDefinition(family, {
+            image: opts.image,
+            env: opts.env,
+            secretMounts,
+            memory: opts.memory || "4096",
+            cpus: String((opts.cpus || 2) * 1024),
+            taskRoleArn,
+            streamPrefix: family,
+        });
+        const taskArn = await this.runTask(taskDefArn);
+        return taskArn;
+    }
+    streamLogs(taskArn, onLine, onStderr) {
+        let stopped = false;
+        let nextToken;
+        const poll = async () => {
+            const taskId = taskArn.split("/").pop();
+            const logGroup = ECSFargateRuntime.LOG_GROUP;
+            // Describe the task to get the family (used as stream prefix)
+            const desc = await this.ecsClient.send(new DescribeTasksCommand({
+                cluster: this.config.ecsCluster,
+                tasks: [taskArn],
+            }));
+            const family = desc.tasks?.[0]?.taskDefinitionArn?.split("/").pop()?.split(":")[0] ?? AWS_CONSTANTS.agentFamily("agent");
+            // awslogs stream format: <prefix>/<container-name>/<task-id>
+            const logStream = `${family}/agent/${taskId}`;
+            while (!stopped) {
+                try {
+                    const result = await this.getLogEvents(logGroup, logStream, nextToken);
+                    for (const event of result.events) {
+                        onLine(event.message);
+                    }
+                    if (result.nextForwardToken) {
+                        nextToken = result.nextForwardToken;
+                    }
+                }
+                catch (err) {
+                    if (!stopped && onStderr && err.name !== "ResourceNotFoundException") {
+                        onStderr(`Log polling error: ${err.message}`);
+                    }
+                }
+                if (!stopped)
+                    await sleep(5000);
+            }
+        };
+        poll();
+        return { stop: () => { stopped = true; } };
+    }
+    async waitForExit(taskArn, timeoutSeconds) {
+        const deadline = Date.now() + timeoutSeconds * 1000;
+        while (Date.now() < deadline) {
+            const res = await this.ecsClient.send(new DescribeTasksCommand({
+                cluster: this.config.ecsCluster,
+                tasks: [taskArn],
+            }));
+            const task = res.tasks?.[0];
+            if (!task)
+                throw new Error(`Task ${taskArn} not found`);
+            if (task.lastStatus === "STOPPED") {
+                const exitCode = task.containers?.[0]?.exitCode;
+                return exitCode ?? 1;
+            }
+            await sleep(10_000);
+        }
+        await this.kill(taskArn);
+        throw new Error(`ECS task ${taskArn} timed out after ${timeoutSeconds}s`);
+    }
+    async kill(taskArn) {
+        try {
+            await this.ecsClient.send(new StopTaskCommand({
+                cluster: this.config.ecsCluster,
+                task: taskArn,
+                reason: "action-llama timeout",
+            }));
+        }
+        catch {
+            // Task may already be stopped
+        }
+    }
+    async remove(_taskArn) {
+        // ECS cleans up stopped tasks automatically
+    }
+    async fetchLogs(agentName, limit) {
+        const res = await this.logsClient.send(new FilterLogEventsCommand({
+            logGroupName: ECSFargateRuntime.LOG_GROUP,
+            logStreamNamePrefix: `${AWS_CONSTANTS.agentFamily(agentName)}/`,
+            limit,
+        }));
+        return (res.events ?? [])
+            .map((e) => e.message?.trimEnd() ?? "")
+            .filter(Boolean);
+    }
+    // --- Internal: Secret naming ---
+    awsSecretName(type, instance, field) {
+        return `${this.prefix}/${type}/${instance}/${field}`;
+    }
+    async listSecretFields(type, instance) {
+        const prefix = `${this.prefix}/${type}/${instance}/`;
+        const res = await this.smClient.send(new ListSecretsCommand({
+            Filters: [{ Key: "name", Values: [prefix] }],
+            MaxResults: 100,
+        }));
+        const fields = [];
+        for (const secret of res.SecretList || []) {
+            if (secret.Name?.startsWith(prefix)) {
+                fields.push(secret.Name.slice(prefix.length));
+            }
+        }
+        return fields;
+    }
+    // --- Internal: ECS operations ---
+    async registerTaskDefinition(family, opts) {
+        const environment = Object.entries(opts.env).map(([name, value]) => ({ name, value }));
+        const secrets = opts.secretMounts.map((mount) => {
+            const parts = mount.mountPath.replace("/credentials/", "").split("/");
+            const envName = `AL_SECRET_${parts.join("__")}`;
+            return {
+                name: envName,
+                valueFrom: `arn:aws:secretsmanager:${this.config.awsRegion}:${this.getAccountId()}:secret:${mount.secretId}`,
+            };
+        });
+        const res = await this.ecsClient.send(new RegisterTaskDefinitionCommand({
+            family,
+            networkMode: "awsvpc",
+            requiresCompatibilities: ["FARGATE"],
+            cpu: opts.cpus,
+            memory: opts.memory,
+            executionRoleArn: this.config.executionRoleArn,
+            taskRoleArn: opts.taskRoleArn,
+            containerDefinitions: [{
+                    name: "agent",
+                    image: opts.image,
+                    essential: true,
+                    environment,
+                    secrets,
+                    logConfiguration: {
+                        logDriver: "awslogs",
+                        options: {
+                            "awslogs-group": ECSFargateRuntime.LOG_GROUP,
+                            "awslogs-region": this.config.awsRegion,
+                            "awslogs-stream-prefix": opts.streamPrefix,
+                            "awslogs-create-group": "true",
+                        },
+                    },
+                    user: "1000:1000",
+                    linuxParameters: {
+                        initProcessEnabled: true,
+                    },
+                }],
+        }));
+        return res.taskDefinition.taskDefinitionArn;
+    }
+    async runTask(taskDefinitionArn) {
+        const res = await this.ecsClient.send(new RunTaskCommand({
+            cluster: this.config.ecsCluster,
+            taskDefinition: taskDefinitionArn,
+            launchType: "FARGATE",
+            startedBy: ECSFargateRuntime.STARTED_BY_PREFIX,
+            count: 1,
+            networkConfiguration: {
+                awsvpcConfiguration: {
+                    subnets: this.config.subnets,
+                    securityGroups: this.config.securityGroups || [],
+                    assignPublicIp: "ENABLED",
+                },
+            },
+        }));
+        const tasks = res.tasks || [];
+        if (tasks.length === 0) {
+            const failures = res.failures || [];
+            const reason = failures[0]?.reason || "unknown";
+            throw new Error(`Failed to start ECS task: ${reason}`);
+        }
+        return tasks[0].taskArn;
+    }
+    async getLogEvents(logGroup, logStream, nextToken) {
+        const res = await this.logsClient.send(new GetLogEventsCommand({
+            logGroupName: logGroup,
+            logStreamName: logStream,
+            startFromHead: true,
+            nextToken,
+        }));
+        return {
+            events: (res.events || []).map((e) => ({ message: e.message?.trimEnd() || "" })),
+            nextForwardToken: res.nextForwardToken,
+        };
+    }
+    // --- Internal: Per-agent task role derivation ---
+    deriveTaskRoleArn(agentName) {
+        const accountId = this.getAccountId();
+        if (!accountId)
+            return undefined;
+        return `arn:aws:iam::${accountId}:role/${AWS_CONSTANTS.taskRoleName(agentName)}`;
+    }
+    getAccountId() {
+        const match = this.config.ecrRepository.match(/^(\d+)\.dkr\.ecr\./);
+        return match?.[1] || "";
+    }
+}
+function sleep(ms) {
+    return new Promise((r) => setTimeout(r, ms));
+}
+//# sourceMappingURL=ecs-runtime.js.map