@aexhq/sdk 0.13.6 → 0.13.8

package/dist/cli.mjs

@@ -10,8 +10,14 @@ import { readFile as readFile2, writeFile, readdir as readdir2, stat as stat2 }
 import { resolve as resolvePath4 } from "node:path";
 
 // ../contracts/dist/proxy-protocol.js
-var PROXY_PROTOCOL_VERSION = "1";
+var PROXY_PROTOCOL_VERSION_V2 = "2";
 var PROXY_PROTOCOL_HEADER = "x-aex-proxy-protocol";
+var PROXY_RESP_STATUS_HEADER = "x-aex-proxy-status";
+var PROXY_RESP_MODE_HEADER = "x-aex-proxy-effective-mode";
+var PROXY_RESP_TRUNCATED_HEADER = "x-aex-proxy-truncated";
+var PROXY_RESP_REMAINING_CALLS_HEADER = "x-aex-proxy-remaining-calls";
+var PROXY_RESP_REMAINING_BYTES_HEADER = "x-aex-proxy-remaining-bytes";
+var PROXY_RESP_UPSTREAM_HEADERS_HEADER = "x-aex-proxy-upstream-headers";
 var PROXY_METHOD_HEADER = "x-aex-method";
 var PROXY_PATH_HEADER = "x-aex-path";
 var PROXY_QUERY_HEADER = "x-aex-query";
@@ -114,6 +120,13 @@ var terminalRunStatuses = new Set(TERMINAL_RUN_STATUSES);
 var SKILL_BUNDLE_LIMITS = {
   /** Compressed (.zip) ceiling. */
   maxCompressedBytes: 10 * 1024 * 1024,
+  /**
+   * Hard ceiling for the direct-to-storage (presigned PUT) upload path, where
+   * bytes never transit the hosted API so its memory/request-payload limits no
+   * longer cap the bundle. Kept well under the object store's 5 GiB single-PUT
+   * limit; objects above this would need S3 multipart, which is out of scope.
+   */
+  maxBytes: 2 * 1024 * 1024 * 1024,
   /** Sum of uncompressed file sizes. */
   maxDecompressedBytes: 50 * 1024 * 1024,
   /** Number of regular file entries (directories don't count). */
@@ -302,32 +315,63 @@ function rejectStdioMcpShape(record) {
     }
   }
 }
-function denyReasonForMcpHost(parsed) {
-  const host = parsed.hostname.toLowerCase().replace(/^\[|\]$/g, "");
-  if (host === "localhost" || host.endsWith(".localhost")) {
-    return "must not target a loopback hostname";
+function denyReasonForHostIp(host) {
+  const mappedDotted = /^::(?:ffff:)?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/.exec(host);
+  if (mappedDotted) {
+    return denyReasonForV4(mappedDotted[1]);
   }
-  if (/^127(?:\.[0-9]+){3}$/.test(host)) {
-    return "must not target loopback IPv4 (127.0.0.0/8)";
+  const mappedHex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
+  if (mappedHex) {
+    const hi = Number.parseInt(mappedHex[1], 16);
+    const lo = Number.parseInt(mappedHex[2], 16);
+    const dotted = `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
+    return denyReasonForV4(dotted);
   }
+  const v4 = denyReasonForV4(host);
+  if (v4)
+    return v4;
   if (host === "::1" || host === "0:0:0:0:0:0:0:1") {
     return "must not target loopback IPv6 (::1)";
   }
   if (/^fe[89ab][0-9a-f]?:/.test(host)) {
     return "must not target link-local IPv6 (fe80::/10)";
   }
-  if (/^169\.254\.[0-9]+\.[0-9]+$/.test(host)) {
+  if (/^f[cd][0-9a-f]{0,2}:/.test(host)) {
+    return "must not target unique-local IPv6 (fc00::/7)";
+  }
+  return null;
+}
+function denyReasonForV4(host) {
+  if (!/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host))
+    return null;
+  const octets = host.split(".").map((o) => Number.parseInt(o, 10));
+  if (octets.some((o) => o > 255))
+    return null;
+  const [a, b] = octets;
+  if (a === 127)
+    return "must not target loopback IPv4 (127.0.0.0/8)";
+  if (a === 169 && b === 254) {
     return "must not target link-local IPv4 (169.254.0.0/16) \u2014 cloud metadata range";
   }
-  if (/^10\.[0-9]+\.[0-9]+\.[0-9]+$/.test(host)) {
-    return "must not target RFC1918 IPv4 (10.0.0.0/8)";
+  if (a === 100 && b >= 64 && b <= 127) {
+    return "must not target CGNAT IPv4 (100.64.0.0/10)";
   }
-  if (/^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$/.test(host)) {
+  if (a === 10)
+    return "must not target RFC1918 IPv4 (10.0.0.0/8)";
+  if (a === 172 && b >= 16 && b <= 31)
     return "must not target RFC1918 IPv4 (172.16.0.0/12)";
-  }
-  if (/^192\.168\.[0-9]+\.[0-9]+$/.test(host)) {
+  if (a === 192 && b === 168)
     return "must not target RFC1918 IPv4 (192.168.0.0/16)";
+  return null;
+}
+function denyReasonForMcpHost(parsed) {
+  const host = parsed.hostname.toLowerCase().replace(/^\[|\]$/g, "");
+  if (host === "localhost" || host.endsWith(".localhost")) {
+    return "must not target a loopback hostname";
   }
+  const ipDenial = denyReasonForHostIp(host);
+  if (ipDenial)
+    return ipDenial;
   if (parsed.protocol === "https:" && parsed.port !== "" && parsed.port !== "443") {
     return `must use port 443 for https (got ${parsed.port})`;
   }
@@ -544,7 +588,7 @@ var BLOCKED_MANAGED_KEY_POLICY_V1 = Object.freeze({
   schemaVersion: MANAGED_KEY_POLICY_SCHEMA_VERSION,
   credentialMode: "managed",
   launchStage: "blocked",
-  serviceAvailable: false,
+  privateImplementationAvailable: false,
   billingRequired: true,
   providers: Object.freeze([]),
   runtimes: Object.freeze([]),
@@ -624,7 +668,7 @@ var forbiddenStringPatterns = Object.freeze([
     regex: /\b(?:sk-(?:ant|proj|live|test|deepseek|openai)|xox[baprs]-|AIza)[A-Za-z0-9_-]{8,}/i
   },
   { reason: "signed_url", regex: /[?&](?:X-Amz-Signature|X-Amz-Credential|X-Amz-Algorithm|AWSAccessKeyId)=/i },
-  { reason: "r2_object_key", regex: /(^|[\s"'`])(?:runs|assets)\/[^?<#\s"'`]+/i },
+  { reason: "object_store_key", regex: /(^|[\s"'`])(?:runs|assets)\/[^?<#\s"'`]+/i },
   { reason: "vault_id", regex: /\b(?:vault|vlt|secret)[_:-][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/i },
   {
     reason: "private_resource_handle",
@@ -633,7 +677,7 @@ var forbiddenStringPatterns = Object.freeze([
   { reason: "high_entropy_token", regex: /\b(?=[A-Za-z0-9_-]{40,}\b)(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9_-]{40,}\b/ }
 ]);
 function isForbiddenCustodyFieldName(key) {
-  return /^(apiKey|secretValue|bearerHash|signedUrl|r2Key|objectKey|vaultId|providerResponseBody|responseBody|privateResourceHandle|resourceHandle|rawBody)$/i.test(key);
+  return /^(apiKey|secretValue|bearerHash|signedUrl|objectStoreKey|objectKey|vaultId|providerResponseBody|responseBody|privateResourceHandle|resourceHandle|rawBody)$/i.test(key);
 }
 
 // ../contracts/dist/run-record.js
@@ -650,7 +694,6 @@ var RunRecordArchiveRedactionError = class extends Error {
 };
 function buildRunRecordDownloadManifestV1(input) {
   const outputs = input.outputs.map((file2) => normalizeArtifactSummary(file2));
-  const logs = input.logs.map((file2) => normalizeArtifactSummary(file2));
   const errors = (input.errors ?? []).map((error) => Object.freeze({ ...error }));
   return Object.freeze({
     schemaVersion: RUN_RECORD_MANIFEST_SCHEMA_VERSION,
@@ -658,9 +701,8 @@ function buildRunRecordDownloadManifestV1(input) {
     runId: input.runId,
     namespaces: Object.freeze([
       namespace("metadata", "Run metadata, submission snapshot, custody, and cost files."),
-      namespace("events", "Typed event-channel exports and optional full-stream/log-channel exports."),
-      namespace("outputs", "Captured deliverables produced by the run."),
-      namespace("logs", "Platform diagnostics and runtime log artifacts.")
+      namespace("events", "Typed event-channel exports."),
+      namespace("outputs", "Captured deliverables produced by the run.")
     ]),
     files: Object.freeze([
       file("metadata", "metadata/run.json", "run_metadata", "present"),
@@ -670,14 +712,10 @@ function buildRunRecordDownloadManifestV1(input) {
       file("events", "events/events.jsonl", "typed_events", "present", {
         recordCount: input.typedEventCount ?? 0
       }),
-      file("events", "events/logs.jsonl", "log_events", input.logEvents?.status ?? "unavailable", recordCountExtra(input.logEvents)),
-      file("events", "events/all.jsonl", "all_events", input.allEvents?.status ?? "unavailable", recordCountExtra(input.allEvents)),
       file("events", "events/manifest.json", "coordinator_events_manifest", input.coordinatorEventsManifest?.status ?? "unavailable"),
-      ...outputs.map((output) => artifactFile("outputs", "output", "outputs/", output)),
-      ...logs.map((log) => artifactFile("logs", "log", "logs/", log))
+      ...outputs.map((output) => artifactFile("outputs", "output", "outputs/", output))
     ]),
     outputs: Object.freeze(outputs),
-    logs: Object.freeze(logs),
     errors: Object.freeze(errors)
   });
 }
@@ -698,9 +736,6 @@ function file(namespaceName, path, role, status, extra) {
     ...extra?.recordCount !== void 0 ? { recordCount: extra.recordCount } : {}
   });
 }
-function recordCountExtra(input) {
-  return input?.status === "present" && input.recordCount !== void 0 ? { recordCount: input.recordCount } : void 0;
-}
 function artifactFile(namespaceName, role, prefix, artifact) {
   return Object.freeze({
     namespace: namespaceName,
@@ -767,7 +802,7 @@ function isAllowedArchiveHighEntropyField(entryPath, finding) {
   if (finding.reason !== "high_entropy_token" || !entryPath.endsWith("manifest.json")) {
     return false;
   }
-  return /^\$(?:\.files\[\d+\]|\.outputs\[\d+\]|\.logs\[\d+\])\.id$/.test(finding.path);
+  return /^\$(?:\.files\[\d+\]|\.outputs\[\d+\])\.id$/.test(finding.path);
 }
 function parseArchiveTextValues(path, text) {
   if (/\.json$/i.test(path)) {
@@ -806,7 +841,7 @@ function formatArchiveFindingPaths(findings) {
 // ../contracts/dist/run-retention.js
 var forbiddenStringPatterns2 = Object.freeze([
   { reason: "signed_url", regex: /[?&](?:X-Amz-Signature|X-Amz-Credential|X-Amz-Algorithm|AWSAccessKeyId)=/i },
-  { reason: "r2_object_key", regex: /(^|[\s"'`])(?:runs|assets)\/[^?<#\s"'`]+/i },
+  { reason: "object_store_key", regex: /(^|[\s"'`])(?:runs|assets)\/[^?<#\s"'`]+/i },
   { reason: "vault_id", regex: /\b(?:vault|vlt|secret)[_:-][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/i },
   {
     reason: "private_resource_handle",
@@ -823,7 +858,7 @@ var forbiddenStringPatterns3 = Object.freeze([
     regex: /\b(?:sk-(?:ant|proj|live|test|deepseek|openai)|xox[baprs]-|AIza)[A-Za-z0-9_-]{8,}/i
   },
   { reason: "signed_url", regex: /[?&](?:X-Amz-Signature|X-Amz-Credential|X-Amz-Algorithm|AWSAccessKeyId)=/i },
-  { reason: "r2_object_key", regex: /(^|[\s"'`])(?:runs|assets)\/[^?<#\s"'`]+/i },
+  { reason: "object_store_key", regex: /(^|[\s"'`])(?:runs|assets)\/[^?<#\s"'`]+/i },
   { reason: "vault_id", regex: /\b(?:vault|vlt|secret)[_:-][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/i },
   {
     reason: "private_resource_handle",
@@ -1062,39 +1097,6 @@ function extractErrorMessage(body) {
   return "aex API request failed";
 }
 
-// ../contracts/dist/run-artifacts.js
-function runArtifactRel(rel) {
-  if (rel.startsWith(".runtime-logs/"))
-    return `runtime/${rel.slice(".runtime-logs/".length)}`;
-  if (rel.startsWith("runtime/"))
-    return rel;
-  if (rel.startsWith(".host-logs/"))
-    return `host/${rel.slice(".host-logs/".length)}`;
-  if (rel.startsWith("host/"))
-    return rel;
-  if (rel.startsWith(".provider-proxy/"))
-    return `provider-proxy/${rel.slice(".provider-proxy/".length)}`;
-  if (rel.startsWith("provider-proxy/"))
-    return rel;
-  if (rel.startsWith(".control-plane/"))
-    return `control-plane/${rel.slice(".control-plane/".length)}`;
-  if (rel.startsWith("control-plane/"))
-    return rel;
-  if (rel.startsWith(".goose-logs/"))
-    return `runtime/${rel.slice(".goose-logs/".length)}`;
-  if (rel.startsWith("goose-logs/"))
-    return `runtime/${rel.slice("goose-logs/".length)}`;
-  if (rel.startsWith(".fly-logs/"))
-    return `host/${rel.slice(".fly-logs/".length)}`;
-  if (rel.startsWith("fly-logs/"))
-    return `host/${rel.slice("fly-logs/".length)}`;
-  if (rel.startsWith(".anthropic-debug/"))
-    return `provider-proxy/${rel.slice(".anthropic-debug/".length)}`;
-  if (rel.startsWith("anthropic-debug/"))
-    return `provider-proxy/${rel.slice("anthropic-debug/".length)}`;
-  return rel;
-}
-
 // ../contracts/dist/operations.js
 var operations_exports = {};
 __export(operations_exports, {
@@ -1111,7 +1113,6 @@ __export(operations_exports, {
   deleteWorkspaceAsset: () => deleteWorkspaceAsset,
   download: () => download,
   downloadEvents: () => downloadEvents,
-  downloadLogs: () => downloadLogs,
   downloadMetadata: () => downloadMetadata,
   downloadOutput: () => downloadOutput,
   downloadOutputs: () => downloadOutputs,
@@ -1125,7 +1126,6 @@ __export(operations_exports, {
   getSkill: () => getSkill,
   listAgentsMd: () => listAgentsMd,
   listFiles: () => listFiles,
-  listLogs: () => listLogs,
   listOutputs: () => listOutputs,
   listRunEvents: () => listRunEvents,
   listSkills: () => listSkills,
@@ -1860,10 +1860,20 @@ async function getRun(http, runId) {
 async function getRunUnit(http, runId) {
   return http.request(`/api/runs/${encodeURIComponent(runId)}`);
 }
-async function listRunEvents(http, runId, options = {}) {
-  const query = options.channel && options.channel !== "event" ? { channel: options.channel } : {};
-  const result = await http.request(`/api/runs/${encodeURIComponent(runId)}/events`, {}, query);
-  return result.events;
+var LIST_EVENTS_PAGE_BUDGET = 1e3;
+async function listRunEvents(http, runId) {
+  const path = `/api/runs/${encodeURIComponent(runId)}/events`;
+  const all = [];
+  let cursor;
+  for (let page = 0; page < LIST_EVENTS_PAGE_BUDGET; page++) {
+    const query = cursor !== void 0 ? { cursor: String(cursor) } : {};
+    const result = await http.request(path, {}, query);
+    all.push(...result.events);
+    if (typeof result.nextCursor !== "number")
+      break;
+    cursor = result.nextCursor;
+  }
+  return all;
 }
 async function getCoordinatorTicket(http, runId) {
   return http.request(`/api/runs/${encodeURIComponent(runId)}/events/ticket`, { method: "POST" });
@@ -1872,10 +1882,6 @@ async function listOutputs(http, runId) {
   const result = await http.request(`/api/runs/${encodeURIComponent(runId)}/outputs`);
   return result.outputs;
 }
-async function listLogs(http, runId) {
-  const result = await http.request(`/api/runs/${encodeURIComponent(runId)}/logs`);
-  return result.logs.map((log) => typeof log.filename === "string" ? { ...log, filename: runArtifactRel(log.filename) } : log);
-}
 async function createOutputLink(http, runId, outputId) {
   return http.request(`/api/runs/${encodeURIComponent(runId)}/outputs/${encodeURIComponent(outputId)}/link`, { method: "POST" });
 }
@@ -1939,7 +1945,7 @@ async function collectArtifactBytes(http, runId, items, zipPrefix, namespace2) {
         path: `${zipPrefix}${rel}`,
         bytes: new Uint8Array(await response.arrayBuffer()),
         ...item.contentType !== void 0 ? { contentType: item.contentType } : {},
-        ...namespace2 === "outputs" ? { customerContent: true } : {}
+        customerContent: true
       });
       captured.push({
         id: item.id,
@@ -1956,23 +1962,6 @@ async function collectArtifactBytes(http, runId, items, zipPrefix, namespace2) {
 function eventsJsonl(events) {
   return strToU8(events.map((event) => JSON.stringify(event)).join("\n"));
 }
-async function tryListOptionalRunEvents(http, runId, channel) {
-  try {
-    const events = await listRunEvents(http, runId, { channel });
-    if (channel === "log") {
-      return events.length > 0 && events.every(isLogChannelEvent) ? { status: "present", events } : { status: "unavailable", events: [] };
-    }
-    return hasUnifiedStreamEvidence(events) ? { status: "present", events } : { status: "unavailable", events: [] };
-  } catch {
-    return { status: "unavailable", events: [] };
-  }
-}
-function isLogChannelEvent(event) {
-  return event.channel === "log";
-}
-function hasUnifiedStreamEvidence(events) {
-  return events.some((event) => event.channel === "log" || event.channel === "event");
-}
 function isPathSelector(selector) {
   return Boolean(selector && typeof selector === "object" && "path" in selector);
 }
@@ -1980,38 +1969,28 @@ function normalizeOutputLookupPath(path) {
   return path.replace(/\\/g, "/").replace(/^\/+/, "");
 }
 async function download(http, runId) {
-  const [run, events, logEvents, allEvents, outputs, logItems] = await Promise.all([
+  const [run, events, outputs] = await Promise.all([
     getRun(http, runId),
     listRunEvents(http, runId),
-    tryListOptionalRunEvents(http, runId, "log"),
-    tryListOptionalRunEvents(http, runId, "all"),
-    listOutputs(http, runId),
-    listLogs(http, runId)
+    listOutputs(http, runId)
   ]);
   const out = await collectArtifactBytes(http, runId, outputs, "outputs/", "outputs");
-  const logs = await collectArtifactBytes(http, runId, logItems, "logs/", "logs");
   const submissionSnapshot = extractSubmissionSnapshot(run);
   const costTelemetry = extractCostTelemetry(run);
   const manifest = buildRunRecordDownloadManifestV1({
     runId,
     outputs: out.captured,
-    logs: logs.captured,
-    errors: [...out.errors, ...logs.errors],
+    errors: out.errors,
     typedEventCount: events.length,
     ...submissionSnapshot ? { submission: { status: "present" } } : {},
-    ...costTelemetry ? { cost: { status: "present" } } : {},
-    logEvents: { status: logEvents.status, recordCount: logEvents.events.length },
-    allEvents: { status: allEvents.status, recordCount: allEvents.events.length }
+    ...costTelemetry ? { cost: { status: "present" } } : {}
   });
   return zipEntries([
     jsonEntry("metadata/run.json", run),
     ...submissionSnapshot ? [jsonEntry("metadata/submission.json", submissionSnapshot)] : [],
     ...costTelemetry ? [jsonEntry("metadata/cost.json", costTelemetry)] : [],
     jsonlEntry("events/events.jsonl", events),
-    ...logEvents.status === "present" ? [jsonlEntry("events/logs.jsonl", logEvents.events)] : [],
-    ...allEvents.status === "present" ? [jsonlEntry("events/all.jsonl", allEvents.events)] : [],
     ...out.entries,
-    ...logs.entries,
     jsonEntry("manifest.json", manifest)
   ]);
 }
@@ -2023,25 +2002,9 @@ async function downloadOutputs(http, runId) {
     jsonEntry("manifest.json", { runId, namespace: "outputs", outputs: captured, errors })
   ]);
 }
-async function downloadLogs(http, runId) {
-  const logItems = await listLogs(http, runId);
-  const { entries, captured, errors } = await collectArtifactBytes(http, runId, logItems, "", "logs");
-  return zipEntries([
-    ...entries,
-    jsonEntry("manifest.json", { runId, namespace: "logs", logs: captured, errors })
-  ]);
-}
 async function downloadEvents(http, runId) {
-  const [events, logEvents, allEvents] = await Promise.all([
-    listRunEvents(http, runId),
-    tryListOptionalRunEvents(http, runId, "log"),
-    tryListOptionalRunEvents(http, runId, "all")
-  ]);
-  return zipEntries([
-    jsonlEntry("events.jsonl", events),
-    ...logEvents.status === "present" ? [jsonlEntry("logs.jsonl", logEvents.events)] : [],
-    ...allEvents.status === "present" ? [jsonlEntry("all.jsonl", allEvents.events)] : []
-  ]);
+  const events = await listRunEvents(http, runId);
+  return zipEntries([jsonlEntry("events.jsonl", events)]);
 }
 async function downloadMetadata(http, runId) {
   const run = await getRun(http, runId);
@@ -2742,7 +2705,7 @@ async function runProxy(io2, rest) {
   const url = `${manifest.proxyBaseUrl.replace(/\/+$/, "")}/${encodeURIComponent(f.endpointName)}`;
   const requestHeaders = new Headers();
   requestHeaders.set("authorization", `Bearer ${token}`);
-  requestHeaders.set(PROXY_PROTOCOL_HEADER, PROXY_PROTOCOL_VERSION);
+  requestHeaders.set(PROXY_PROTOCOL_HEADER, PROXY_PROTOCOL_VERSION_V2);
   requestHeaders.set(PROXY_METHOD_HEADER, f.method.toUpperCase());
   requestHeaders.set(PROXY_PATH_HEADER, f.path);
   if (f.query) {
@@ -2776,6 +2739,11 @@ async function runProxy(io2, rest) {
     });
     return RUNTIME_ERR;
   }
+  if (response.headers.get(PROXY_RESP_STATUS_HEADER) !== null) {
+    const envelope = await readStreamedEnvelope(response, f.endpointName);
+    io2.stdout(JSON.stringify(envelope) + "\n");
+    return SUCCESS;
+  }
   const text = await response.text();
   let parsedBody;
   try {
@@ -2813,6 +2781,39 @@ async function resolveBody(io2, spec) {
 function emitError(io2, body) {
   io2.stderr(JSON.stringify(body) + "\n");
 }
+async function readStreamedEnvelope(response, endpointName) {
+  const effectiveResponseMode = response.headers.get(PROXY_RESP_MODE_HEADER) ?? "headers_only";
+  const upstreamStatus = Number.parseInt(response.headers.get(PROXY_RESP_STATUS_HEADER) ?? "0", 10);
+  const remainingCalls = Number.parseInt(response.headers.get(PROXY_RESP_REMAINING_CALLS_HEADER) ?? "0", 10);
+  const remainingResponseBytes = Number.parseInt(response.headers.get(PROXY_RESP_REMAINING_BYTES_HEADER) ?? "0", 10);
+  let upstreamHeaders = {};
+  const rawHeaders = response.headers.get(PROXY_RESP_UPSTREAM_HEADERS_HEADER);
+  if (rawHeaders) {
+    try {
+      const parsed = JSON.parse(rawHeaders);
+      if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+        upstreamHeaders = parsed;
+      }
+    } catch {
+    }
+  }
+  const truncatedRaw = response.headers.get(PROXY_RESP_TRUNCATED_HEADER);
+  const bytes = new Uint8Array(await response.arrayBuffer());
+  return {
+    endpointName,
+    upstreamStatus,
+    upstreamHeaders,
+    effectiveResponseMode,
+    // The streamed path can't echo the request-side clamp decision (it
+    // isn't carried back); the effective mode is authoritative for the
+    // agent and matches what v1 surfaced for an un-clamped call.
+    modeClamped: false,
+    remainingCalls,
+    remainingResponseBytes,
+    ...effectiveResponseMode === "full" && bytes.byteLength > 0 ? { upstreamBodyBase64: Buffer.from(bytes).toString("base64") } : {},
+    ...truncatedRaw === "true" ? { truncated: true } : {}
+  };
+}
 async function tryReadManifest(io2) {
   try {
     const raw = await io2.readFile(AEX_INDEX_PATH);
@@ -3814,7 +3815,6 @@ async function runOutputsCmd(io2, argv) {
 import { resolve as resolvePath3 } from "node:path";
 var NAMESPACE_DOWNLOADERS = {
   outputs: operations_exports.downloadOutputs,
-  logs: operations_exports.downloadLogs,
   events: operations_exports.downloadEvents,
   metadata: operations_exports.downloadMetadata
 };
@@ -3847,7 +3847,7 @@ async function runDownloadCmd(io2, argv) {
   const namespace2 = onlyFlag.value;
   const positional = onlyFlag.remaining.filter((arg) => !arg.startsWith("--"));
   if (positional.length !== 1) {
-    io2.stderr("usage: aex download <run-id> [--only outputs|logs|events|metadata] [--out path] [common flags]\n");
+    io2.stderr("usage: aex download <run-id> [--only outputs|events|metadata] [--out path] [common flags]\n");
     return USAGE_ERR;
   }
   const runId = positional[0];

package/dist/cli.mjs.sha256

@@ -1 +1 @@
-bbc00f3784013aefc17bd7b5253652f3290d1fcdef98a2302d32befb4f6bf2ec  cli.mjs
+2e7ad715af0e691bcc91e7f403c611f03d6e9a1e0566889dd32fd4b956b71779  cli.mjs

package/dist/client.d.ts

@@ -1,10 +1,10 @@
-import { HttpClient, type AexEvent, type AgentsMdRecord, type CredentialMode, type DebugSink, type FetchLike, type FileRecord, type Output, type PlatformSubmission, type PlatformInlineSecrets, type PlatformProxyEndpoint, type PlatformProxyEndpointAuth, type Run, type RunEvent, type RunProvider, type RunUnit, type RuntimeSize, type RuntimeKind, type SignedOutputLink, type Skill as SkillRecord, type WhoAmI } from "./_contracts/index.js";
+import { HttpClient, type AexEvent, type AgentsMdRecord, type CredentialMode, type DebugSink, type FetchLike, type FileRecord, type Output, type OutputMode, type PlatformSubmission, type PlatformInlineSecrets, type PlatformProxyEndpoint, type PlatformProxyEndpointAuth, type Run, type RunEvent, type RunProvider, type RunUnit, type RuntimeSize, type RuntimeKind, type SignedOutputLink, type Skill as SkillRecord, type WhoAmI } from "./_contracts/index.js";
 import { AgentsMd } from "./agents-md.js";
 import { File } from "./file.js";
 import { McpServer } from "./mcp-server.js";
 import { ProxyEndpoint } from "./proxy-endpoint.js";
 import { Skill } from "./skill.js";
-export interface AexClientOptions {
+export interface AgentExecutorOptions {
     /** Workspace-scoped SDK API token. */
     readonly apiToken: string;
     /**
@@ -117,6 +117,12 @@ export interface SubmitRunOptions {
      * entries, deduplicated server-side.
      */
     readonly builtins?: readonly string[];
+    /**
+     * Assistant-output granularity. `"buffered"` (default) delivers one event per
+     * assistant message; `"stream"` delivers per-token text deltas for live
+     * typing UIs.
+     */
+    readonly outputMode?: OutputMode;
     readonly secrets: PlatformInlineSecrets;
     readonly idempotencyKey?: string;
     readonly signal?: AbortSignal;
@@ -148,34 +154,6 @@ export type OutputFileSelector = Output | OutputFileIdSelector | OutputFilePathS
 export interface OutputDownloadOptions {
     readonly to?: string;
 }
-/**
- * One captured debug artifact returned by {@link AexClient.getRunDebugLogs}.
- *
- *   - `filename` is the path under `runs/{runId}/logs/` — leading
- *     `runtime/` for runtime logs and `host/` for host logs.
- *   - `text` is populated when the content type looks textual
- *     (`text/*`, `application/json`); decoded as UTF-8.
- *   - `bytesBase64` is always present so a caller that wants raw bytes
- *     (e.g. piping into a file) can use it uniformly across textual
- *     and binary artifacts.
- */
-export interface RunDebugLog {
-    readonly filename: string;
-    readonly sizeBytes: number;
-    readonly contentType: string;
-    readonly createdAt: string;
-    readonly text?: string;
-    readonly bytesBase64: string;
-}
-export interface RunDebugLogError {
-    readonly filename: string;
-    readonly message: string;
-}
-export interface RunDebugLogs {
-    readonly runId: string;
-    readonly logs: ReadonlyArray<RunDebugLog>;
-    readonly errors: ReadonlyArray<RunDebugLogError>;
-}
 /**
  * Workspace skill admin operations exposed under `client.skills`.
  *
@@ -283,12 +261,12 @@ export declare class FilesClient {
  * `client.whoami()` if you want to introspect which workspace the
  * token resolves to.
  */
-export declare class AexClient {
+export declare class AgentExecutor {
     #private;
     readonly skills: SkillsClient;
     readonly agentsMd: AgentsMdClient;
     readonly files: FilesClient;
-    constructor(options: AexClientOptions);
+    constructor(options: AgentExecutorOptions);
     /**
      * Internal: forwards to `SkillsClient._uploadSkillBundle`. NOT part of
      * the public API.
@@ -406,25 +384,6 @@ export declare class AexClient {
     downloadOutput(runId: string, options?: OutputDownloadOptions): Promise<Uint8Array>;
     downloadOutput(runId: string, selector: undefined, options?: OutputDownloadOptions): Promise<Uint8Array>;
     downloadOutput(runId: string, selector: OutputFileSelector, options?: OutputDownloadOptions): Promise<Uint8Array>;
-    /**
-     * Bundle the per-run debug artifacts aex captures automatically:
-     *
-     *   - `runtime/{stdout,stderr,args}.log` — runtime process diagnostics.
-     *   - `host/...` — managed host logs when the platform includes them.
-     * These all live in the run's `logs` namespace (`runs/<id>/logs/`).
-     * Each is downloaded through the gated `/logs/:id/download` endpoint,
-     * decoded as UTF-8 text when the content type looks textual, and
-     * surfaced as raw bytes (base64) otherwise. The call is best-effort: a
-     * download failure for one file does not block the others; the failing
-     * entry lands in `errors` with the underlying message.
-     *
-     * Use this when a run failed or behaved oddly and you want all the
-     * post-mortem material in one round-trip — no need to wire
-     * `listOutputs` + `createOutputLink` by hand.
-     */
-    getRunDebugLogs(runId: string): Promise<RunDebugLogs>;
-    /** Short alias for `getRunDebugLogs`. */
-    debugLogs(runId: string): Promise<RunDebugLogs>;
     cancelRun(runId: string): Promise<void>;
     /** Short alias for `cancelRun`. */
     cancel(runId: string): Promise<void>;
@@ -439,19 +398,16 @@ export declare class AexClient {
     deleteWorkspaceAsset(hash: string): Promise<void>;
     whoami(): Promise<WhoAmI>;
     /**
-     * Download EVERYTHING about a run as one zip, assembled client-side
+     * Download EVERYTHING public about a run as one zip, assembled client-side
      * from the public read endpoints (`getRun` + `listEvents` +
-     * `listOutputs` + per-output `/download`). Organised into the four
-     * namespace folders: `metadata/`, `events/`, `outputs/` (deliverables),
-     * `logs/` (`runtime/`, `host/`, `provider-proxy/`, `control-plane/`
-     * diagnostics), plus a `manifest.json`. Pass `to` to also write the
+     * `listOutputs` + per-output `/download`). Organised into the namespace
+     * folders `metadata/`, `events/`, and `outputs/`, plus a `manifest.json`.
+     * Pass `to` to also write the
      * bytes to a file path while still returning the bytes.
      */
     download(runId: string, options?: OutputDownloadOptions): Promise<Uint8Array>;
     /** Download only the run's deliverables (the `outputs` namespace) as a zip. */
     downloadOutputs(runId: string, options?: OutputDownloadOptions): Promise<Uint8Array>;
-    /** Download only the platform diagnostics (the `logs` namespace) as a zip. */
-    downloadLogs(runId: string, options?: OutputDownloadOptions): Promise<Uint8Array>;
     /** Download only the indexed event archive (the `events` namespace) as a zip. */
     downloadEvents(runId: string, options?: OutputDownloadOptions): Promise<Uint8Array>;
     /** Download only the run record (the `metadata` namespace) as a zip. */