@aexhq/sdk 0.13.8 → 0.13.10

package/README.md

@@ -65,7 +65,7 @@ const runId = await aex.submitRun({
   model: "claude-haiku-4-5",
   system: "You are a concise automation agent.",
   prompt: "Write a short answer about agent-first SDK design.",
-  secrets: { anthropic: { apiKey: process.env.ANTHROPIC_API_KEY! } }
+  secrets: { apiKey: process.env.ANTHROPIC_API_KEY! }
 });
 
 const run = await aex.wait(runId);
@@ -94,7 +94,7 @@ function summarise(topic: string) {
 
 const runId = await aex.submitRun({
   ...summarise("agent-first SDK design"),
-  secrets: { anthropic: { apiKey: process.env.ANTHROPIC_API_KEY! } }
+  secrets: { apiKey: process.env.ANTHROPIC_API_KEY! }
 });
 ```
 

package/dist/_contracts/internal.d.ts

@@ -0,0 +1 @@
+export * from "./submission.js";

package/dist/_contracts/internal.js

@@ -0,0 +1,8 @@
+// Workspace-internal entry point. Re-exports the submission building blocks
+// (leaf parsers, helper validators, shared constants) so the platform-only
+// `@aexhq/shared` package can reuse them instead of hand-mirroring ~1.8k lines
+// of validator code. NOT part of the public `@aexhq/contracts` surface — do
+// NOT add this to the package `index`; consumers reach it via the explicit
+// `@aexhq/contracts/internal` subpath.
+export * from "./submission.js";
+//# sourceMappingURL=internal.js.map

package/dist/_contracts/provider-support.d.ts

@@ -61,16 +61,16 @@ export declare const PROVIDER_PUBLIC_SUPPORT: {
             readonly label: "Generated matrix freshness";
             readonly href: "../../../scripts/validate/capability-matrix.test.ts";
         }, {
-            readonly label: "Installed-SDK live user matrix";
-            readonly href: "../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts";
+            readonly label: "Installed-SDK Anthropic live user test";
+            readonly href: "../../../apps/user-tests/test/live/live-sdk-anthropic-managed.test.ts";
         }, {
             readonly label: "Runtime support validator";
             readonly href: "../../contracts/test/runtime-support.test.ts";
         }];
         readonly runtimeEvidence: {
             readonly managed: readonly [{
-                readonly label: "Installed-SDK live user matrix";
-                readonly href: "../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts";
+                readonly label: "Installed-SDK Anthropic live user test";
+                readonly href: "../../../apps/user-tests/test/live/live-sdk-anthropic-managed.test.ts";
             }, {
                 readonly label: "Runtime support validator";
                 readonly href: "../../contracts/test/runtime-support.test.ts";
@@ -98,7 +98,10 @@ export declare const PROVIDER_PUBLIC_SUPPORT: {
             readonly label: "Generated matrix freshness";
             readonly href: "../../../scripts/validate/capability-matrix.test.ts";
         }, {
-            readonly label: "Installed-SDK live user matrix";
+            readonly label: "Installed-SDK DeepSeek live user test";
+            readonly href: "../../../apps/user-tests/test/live/live-sdk-deepseek.test.ts";
+        }, {
+            readonly label: "Installed-SDK DeepSeek comprehensive live user matrix";
             readonly href: "../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts";
         }, {
             readonly label: "Runtime support validator";
@@ -106,7 +109,10 @@ export declare const PROVIDER_PUBLIC_SUPPORT: {
         }];
         readonly runtimeEvidence: {
             readonly managed: readonly [{
-                readonly label: "Installed-SDK live user matrix";
+                readonly label: "Installed-SDK DeepSeek live user test";
+                readonly href: "../../../apps/user-tests/test/live/live-sdk-deepseek.test.ts";
+            }, {
+                readonly label: "Installed-SDK DeepSeek comprehensive live user matrix";
                 readonly href: "../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts";
             }, {
                 readonly label: "Runtime support validator";

package/dist/_contracts/provider-support.js

@@ -12,11 +12,28 @@ const COMMON_EVIDENCE = [
     { label: "Runtime support validator", href: "../../contracts/test/runtime-support.test.ts" },
     { label: "Generated matrix freshness", href: "../../../scripts/validate/capability-matrix.test.ts" }
 ];
-const LIVE_USER_MATRIX_EVIDENCE = [
-    { label: "Installed-SDK live user matrix", href: "../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts" }
+const ANTHROPIC_LIVE_USER_EVIDENCE = [
+    {
+        label: "Installed-SDK Anthropic live user test",
+        href: "../../../apps/user-tests/test/live/live-sdk-anthropic-managed.test.ts"
+    }
+];
+const DEEPSEEK_LIVE_USER_EVIDENCE = [
+    {
+        label: "Installed-SDK DeepSeek live user test",
+        href: "../../../apps/user-tests/test/live/live-sdk-deepseek.test.ts"
+    },
+    {
+        label: "Installed-SDK DeepSeek comprehensive live user matrix",
+        href: "../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts"
+    }
+];
+const ANTHROPIC_MANAGED_EVIDENCE = [
+    ...ANTHROPIC_LIVE_USER_EVIDENCE,
+    { label: "Runtime support validator", href: "../../contracts/test/runtime-support.test.ts" }
 ];
-const MANAGED_PROXY_EVIDENCE = [
-    ...LIVE_USER_MATRIX_EVIDENCE,
+const DEEPSEEK_MANAGED_EVIDENCE = [
+    ...DEEPSEEK_LIVE_USER_EVIDENCE,
     { label: "Runtime support validator", href: "../../contracts/test/runtime-support.test.ts" }
 ];
 export const RUNTIME_VALIDATION_SUPPORT = {
@@ -38,9 +55,9 @@ export const PROVIDER_PUBLIC_SUPPORT = {
         status: "supported",
         docsAnchor: "anthropic",
         docs: COMMON_DOCS,
-        evidence: [...COMMON_EVIDENCE, ...MANAGED_PROXY_EVIDENCE],
+        evidence: [...COMMON_EVIDENCE, ...ANTHROPIC_MANAGED_EVIDENCE],
         runtimeEvidence: {
-            managed: MANAGED_PROXY_EVIDENCE
+            managed: ANTHROPIC_MANAGED_EVIDENCE
         }
     },
     deepseek: {
@@ -48,9 +65,9 @@ export const PROVIDER_PUBLIC_SUPPORT = {
         status: "supported",
         docsAnchor: "deepseek",
         docs: COMMON_DOCS,
-        evidence: [...COMMON_EVIDENCE, ...MANAGED_PROXY_EVIDENCE],
+        evidence: [...COMMON_EVIDENCE, ...DEEPSEEK_MANAGED_EVIDENCE],
         runtimeEvidence: {
-            managed: MANAGED_PROXY_EVIDENCE
+            managed: DEEPSEEK_MANAGED_EVIDENCE
         }
     },
     openai: {

package/dist/_contracts/submission.d.ts

@@ -75,21 +75,6 @@ export interface PlatformPackage {
  * package installer.
  */
 export declare function packageInstallString(pkg: PlatformPackage): string;
-export interface PlatformAnthropicSecrets {
-    readonly apiKey: string;
-}
-export interface PlatformDeepseekSecrets {
-    readonly apiKey: string;
-}
-export interface PlatformOpenAISecrets {
-    readonly apiKey: string;
-}
-export interface PlatformGeminiSecrets {
-    readonly apiKey: string;
-}
-export interface PlatformMistralSecrets {
-    readonly apiKey: string;
-}
 /**
  * Run-time provider selector. Aex exposes one customer interface
  * for every provider. All new submissions execute through the managed
@@ -148,21 +133,15 @@ export type PlatformProxyAuthValue = {
     readonly value: string;
 };
 /**
- * Per-run inline secrets bundle. Exactly one of `anthropic` | `deepseek`
- * | `openai` | `gemini` | `mistral` is required, matching the run's
- * `provider`; the cross-provider coupling is enforced in
- * `parseRunSubmissionRequest` so the wire shape stays simple and
- * individual provider keys remain optional in the type system.
- * `mcpServers` and `proxyEndpointAuth` are cross-provider (an MCP
- * credential is the same secret whether Anthropic or another model is
- * driving the MCP client).
+ * Per-run inline secrets bundle. `apiKey` is the BYOK provider key for the
+ * run's selected `provider` (required in `"byok"` credential mode, rejected
+ * in `"managed"` mode). A run targets exactly one provider, so the key is a
+ * single flat field rather than a per-provider block. `mcpServers` and
+ * `proxyEndpointAuth` are cross-provider (an MCP credential is the same
+ * secret whichever model is driving the MCP client).
  */
 export interface PlatformInlineSecrets {
-    readonly anthropic?: PlatformAnthropicSecrets;
-    readonly deepseek?: PlatformDeepseekSecrets;
-    readonly openai?: PlatformOpenAISecrets;
-    readonly gemini?: PlatformGeminiSecrets;
-    readonly mistral?: PlatformMistralSecrets;
+    readonly apiKey?: string;
     readonly mcpServers?: readonly PlatformMcpServerSecret[];
     readonly proxyEndpointAuth?: readonly PlatformProxyEndpointAuth[];
 }
@@ -190,6 +169,16 @@ export interface PlatformProxyEndpoint {
     readonly perCallBudget?: number;
     readonly responseByteBudget?: number;
 }
+export declare const SECRETS_KEY = "secrets";
+export declare const PROXY_ENDPOINT_NAME_PATTERN: RegExp;
+export declare const RESERVED_PROXY_ENDPOINT_NAMES: Set<string>;
+export declare const deniedSecretFields: Set<string>;
+export declare function parseProxyAuthShape(input: unknown, field: string): ProxyAuthShape;
+export declare function parseProxyMethods(input: unknown, field: string): readonly ProxyMethod[];
+export declare function parseProxyPathPrefixes(input: unknown, field: string): readonly string[];
+export declare function parseProxyAllowedHeaders(input: unknown, field: string, authShape: ProxyAuthShape): readonly string[] | undefined;
+export declare function crossValidateProxyEndpointsAndAuth(endpoints: readonly PlatformProxyEndpoint[] | undefined, auth: readonly PlatformProxyEndpointAuth[] | undefined): void;
+export declare function parseInlineSecrets(input: unknown): PlatformInlineSecrets;
 /**
  * The proxy body-redactor refuses to mask any derived target string shorter
  * than this many bytes — masking a 1-byte literal would corrupt the response
@@ -199,6 +188,12 @@ export interface PlatformProxyEndpoint {
  * never silently diverge.
  */
 export declare const MIN_REDACTION_TARGET_BYTES = 4;
+export declare function assertNoSecretBearingFields(input: unknown, path: readonly string[]): void;
+export declare function requireRecord(input: unknown, field: string): Record<string, unknown>;
+export declare function requireString(input: unknown, field: string): string;
+export declare function optionalString(input: unknown, field: string): string | undefined;
+export declare function optionalEnum<const T extends readonly string[]>(input: unknown, field: string, allowed: T): T[number] | undefined;
+export declare function optionalPositiveInt(input: unknown, field: string): number | undefined;
 /**
  * Wire-level submission posted to /api/runs in the flat surface. The
  * `prompt` is always an array internally so the worker, the audit log,
@@ -353,6 +348,20 @@ export interface ParseRunSubmissionOptions {
     readonly managedKeyPolicy?: ManagedKeyPolicyV1;
 }
 export declare function parseRunSubmissionRequest(input: unknown, options?: ParseRunSubmissionOptions): PlatformRunSubmissionRequest;
+export declare function parseRuntimeKind(input: unknown): RuntimeKind | undefined;
+export declare function parseRunProvider(input: unknown): RunProvider;
+/**
+ * Cross-check the supplied secrets bundle against the credential mode.
+ *
+ *  - `"byok"`: `secrets.apiKey` (the provider key for the run's `provider`)
+ *    MUST be present.
+ *  - `"managed"`: `secrets.apiKey` MUST be absent — provider access is
+ *    resolved by the managed-key policy, not a caller-supplied key.
+ *  - MCP / proxy endpoint auth carry across providers and are not
+ *    checked here.
+ */
+export declare function enforceCredentialSecretPolicy(credentialMode: CredentialMode, secrets: PlatformInlineSecrets): void;
+export declare function parseSubmission(input: unknown): PlatformSubmission;
 /** Assistant-output granularity values. Buffered is the platform default. */
 export declare const OUTPUT_MODES: readonly ["buffered", "stream"];
 export type OutputMode = (typeof OUTPUT_MODES)[number];

package/dist/_contracts/submission.js

@@ -96,9 +96,9 @@ export function checkRuntimeSupported(provider, runtime) {
     void provider;
     return { ok: true };
 }
-const SECRETS_KEY = "secrets";
-const PROXY_ENDPOINT_NAME_PATTERN = /^[a-z][a-z0-9_-]{0,62}$/;
-const RESERVED_PROXY_ENDPOINT_NAMES = new Set(["proxy", "aex", "internal", "admin"]);
+export const SECRETS_KEY = "secrets";
+export const PROXY_ENDPOINT_NAME_PATTERN = /^[a-z][a-z0-9_-]{0,62}$/;
+export const RESERVED_PROXY_ENDPOINT_NAMES = new Set(["proxy", "aex", "internal", "admin"]);
 /**
  * Headers the proxy never lets through, regardless of policy. Lowercase.
  * Anything that could re-introduce credentials, cookies, or routing
@@ -120,7 +120,7 @@ const PROXY_DENY_HEADER_LIST = new Set([
     "x-forwarded-proto",
     "x-real-ip"
 ]);
-const deniedSecretFields = new Set([
+export const deniedSecretFields = new Set([
     "providerApiKey",
     "anthropicApiKey",
     "apiKey",
@@ -387,7 +387,7 @@ function parseProxyBaseUrl(input, field) {
     const normalized = `${parsed.origin}${parsed.pathname.replace(/\/+$/, "")}`;
     return normalized;
 }
-function parseProxyAuthShape(input, field) {
+export function parseProxyAuthShape(input, field) {
     const value = requireRecord(input, field);
     const type = requireString(value.type, `${field}.type`);
     switch (type) {
@@ -418,7 +418,7 @@ function parseProxyAuthShape(input, field) {
             throw new Error(`${field}.type must be one of: none, bearer, basic, header, query`);
     }
 }
-function parseProxyMethods(input, field) {
+export function parseProxyMethods(input, field) {
     if (!Array.isArray(input) || input.length === 0) {
         throw new Error(`${field} must be a non-empty array of HTTP methods`);
     }
@@ -435,7 +435,7 @@ function parseProxyMethods(input, field) {
     }
     return Array.from(seen);
 }
-function parseProxyPathPrefixes(input, field) {
+export function parseProxyPathPrefixes(input, field) {
     if (!Array.isArray(input) || input.length === 0) {
         throw new Error(`${field} must be a non-empty array of path prefixes`);
     }
@@ -453,7 +453,7 @@ function parseProxyPathPrefixes(input, field) {
     }
     return Array.from(seen);
 }
-function parseProxyAllowedHeaders(input, field, authShape) {
+export function parseProxyAllowedHeaders(input, field, authShape) {
     if (input === undefined) {
         return undefined;
     }
@@ -497,7 +497,7 @@ function assertOnlyKeys(value, field, allowed) {
         }
     }
 }
-function crossValidateProxyEndpointsAndAuth(endpoints, auth) {
+export function crossValidateProxyEndpointsAndAuth(endpoints, auth) {
     const endpointsList = endpoints ?? [];
     const authList = auth ?? [];
     const endpointsByName = new Map(endpointsList.map((e) => [e.name, e]));
@@ -527,14 +527,9 @@ function crossValidateProxyEndpointsAndAuth(endpoints, auth) {
         }
     }
 }
-const PROVIDER_SECRET_KEYS = ["anthropic", "deepseek", "openai", "gemini", "mistral"];
-function parseInlineSecrets(input) {
+export function parseInlineSecrets(input) {
     const value = requireRecord(input, "secrets");
-    const allowedTopLevel = new Set([
-        ...PROVIDER_SECRET_KEYS,
-        "mcpServers",
-        "proxyEndpointAuth"
-    ]);
+    const allowedTopLevel = new Set(["apiKey", "mcpServers", "proxyEndpointAuth"]);
     for (const key of Object.keys(value)) {
         if (key.startsWith("__aex_")) {
             // Platform-internal namespace (e.g. __aex_proxy_token). The BFF
@@ -547,35 +542,15 @@ function parseInlineSecrets(input) {
             throw new Error(`secrets.${key} is not an allowed field; permitted: ${[...allowedTopLevel].join(", ")}`);
         }
     }
-    const anthropic = value.anthropic !== undefined ? parseProviderSecret(value.anthropic, "anthropic") : undefined;
-    const deepseek = value.deepseek !== undefined ? parseProviderSecret(value.deepseek, "deepseek") : undefined;
-    const openai = value.openai !== undefined ? parseProviderSecret(value.openai, "openai") : undefined;
-    const gemini = value.gemini !== undefined ? parseProviderSecret(value.gemini, "gemini") : undefined;
-    const mistral = value.mistral !== undefined ? parseProviderSecret(value.mistral, "mistral") : undefined;
+    const apiKey = value.apiKey !== undefined ? requireString(value.apiKey, "secrets.apiKey") : undefined;
     const mcpServers = parseMcpServerSecrets(value.mcpServers);
     const proxyEndpointAuth = parseProxyEndpointAuth(value.proxyEndpointAuth);
     return {
-        ...(anthropic ? { anthropic } : {}),
-        ...(deepseek ? { deepseek } : {}),
-        ...(openai ? { openai } : {}),
-        ...(gemini ? { gemini } : {}),
-        ...(mistral ? { mistral } : {}),
+        ...(apiKey !== undefined ? { apiKey } : {}),
         ...(mcpServers ? { mcpServers } : {}),
         ...(proxyEndpointAuth ? { proxyEndpointAuth } : {})
     };
 }
-function parseProviderSecret(input, provider) {
-    const field = `secrets.${provider}`;
-    const value = requireRecord(input, field);
-    const allowed = new Set(["apiKey"]);
-    for (const key of Object.keys(value)) {
-        if (!allowed.has(key)) {
-            throw new Error(`${field}.${key} is not an allowed field; permitted: apiKey`);
-        }
-    }
-    const apiKey = requireString(value.apiKey, `${field}.apiKey`);
-    return { apiKey };
-}
 function parseMcpServerSecrets(input) {
     if (input === undefined) {
         return undefined;
@@ -703,7 +678,7 @@ function requireSecretValue(input, field) {
     }
     return value;
 }
-function assertNoSecretBearingFields(input, path) {
+export function assertNoSecretBearingFields(input, path) {
     if (Array.isArray(input)) {
         input.forEach((item, index) => assertNoSecretBearingFields(item, [...path, String(index)]));
         return;
@@ -718,7 +693,7 @@ function assertNoSecretBearingFields(input, path) {
         assertNoSecretBearingFields(value, [...path, key]);
     }
 }
-function requireRecord(input, field) {
+export function requireRecord(input, field) {
     if (!isRecord(input)) {
         throw new Error(`${field} must be an object`);
     }
@@ -727,19 +702,19 @@ function requireRecord(input, field) {
 function isRecord(input) {
     return typeof input === "object" && input !== null && !Array.isArray(input);
 }
-function requireString(input, field) {
+export function requireString(input, field) {
     if (typeof input !== "string" || input.length === 0) {
         throw new Error(`${field} must be a non-empty string`);
     }
     return input;
 }
-function optionalString(input, field) {
+export function optionalString(input, field) {
     if (input === undefined) {
         return undefined;
     }
     return requireString(input, field);
 }
-function optionalEnum(input, field, allowed) {
+export function optionalEnum(input, field, allowed) {
     if (input === undefined) {
         return undefined;
     }
@@ -778,7 +753,7 @@ function optionalJsonRecord(input, field) {
     }
     return value;
 }
-function optionalPositiveInt(input, field) {
+export function optionalPositiveInt(input, field) {
     if (input === undefined) {
         return undefined;
     }
@@ -848,7 +823,7 @@ export function parseRunSubmissionRequest(input, options = {}) {
     const timeoutMs = parseRunTimeout(value.timeout);
     const proxyEndpoints = parseProxyEndpoints(value.proxyEndpoints);
     const secrets = parseInlineSecrets(value.secrets);
-    enforceCredentialSecretPolicy(provider, credentialMode, secrets);
+    enforceCredentialSecretPolicy(credentialMode, secrets);
     crossValidateProxyEndpointsAndAuth(proxyEndpoints, secrets.proxyEndpointAuth);
     const submission = parseSubmission(value.submission);
     // mcpServers names must agree across the submission half and the
@@ -896,7 +871,7 @@ export function parseRunSubmissionRequest(input, options = {}) {
         secrets
     };
 }
-function parseRuntimeKind(input) {
+export function parseRuntimeKind(input) {
     if (input === undefined) {
         return undefined;
     }
@@ -905,7 +880,7 @@ function parseRuntimeKind(input) {
     }
     return input;
 }
-function parseRunProvider(input) {
+export function parseRunProvider(input) {
     if (input === undefined) {
         return DEFAULT_RUN_PROVIDER;
     }
@@ -915,39 +890,27 @@ function parseRunProvider(input) {
     return input;
 }
 /**
- * Cross-check the chosen provider against the supplied secrets bundle.
+ * Cross-check the supplied secrets bundle against the credential mode.
  *
- *  - The matching provider's apiKey MUST be present.
- *  - Every OTHER provider's secret block MUST be absent (cross-provider
- *    secrets are explicitly rejected, not silently dropped — they are
- *    almost always a copy-paste mistake or a confused caller, and we
- *    want to fail loud).
+ *  - `"byok"`: `secrets.apiKey` (the provider key for the run's `provider`)
+ *    MUST be present.
+ *  - `"managed"`: `secrets.apiKey` MUST be absent — provider access is
+ *    resolved by the managed-key policy, not a caller-supplied key.
  *  - MCP / proxy endpoint auth carry across providers and are not
  *    checked here.
  */
-function enforceCredentialSecretPolicy(provider, credentialMode, secrets) {
+export function enforceCredentialSecretPolicy(credentialMode, secrets) {
     if (credentialMode === "managed") {
-        for (const providerKey of PROVIDER_SECRET_KEYS) {
-            if (secrets[providerKey] !== undefined) {
-                throw new Error(`secrets.${providerKey} is not allowed when credentialMode is managed; provider access is resolved by the managed-key policy`);
-            }
+        if (secrets.apiKey !== undefined) {
+            throw new Error(`secrets.apiKey is not allowed when credentialMode is managed; provider access is resolved by the managed-key policy`);
         }
         return;
     }
-    const required = secrets[provider];
-    if (!required?.apiKey) {
-        throw new Error(`secrets.${provider}.apiKey is required when provider is ${provider}`);
-    }
-    for (const other of PROVIDER_SECRET_KEYS) {
-        if (other === provider) {
-            continue;
-        }
-        if (secrets[other] !== undefined) {
-            throw new Error(`secrets.${other} is not allowed when provider is ${provider}; remove it or set provider to ${other}`);
-        }
+    if (!secrets.apiKey) {
+        throw new Error(`secrets.apiKey is required when credentialMode is byok`);
     }
 }
-function parseSubmission(input) {
+export function parseSubmission(input) {
     const value = requireRecord(input, "submission.submission");
     const allowed = new Set([
         "model",

package/dist/cli.mjs

@@ -44,11 +44,28 @@ var COMMON_EVIDENCE = [
   { label: "Runtime support validator", href: "../../contracts/test/runtime-support.test.ts" },
   { label: "Generated matrix freshness", href: "../../../scripts/validate/capability-matrix.test.ts" }
 ];
-var LIVE_USER_MATRIX_EVIDENCE = [
-  { label: "Installed-SDK live user matrix", href: "../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts" }
+var ANTHROPIC_LIVE_USER_EVIDENCE = [
+  {
+    label: "Installed-SDK Anthropic live user test",
+    href: "../../../apps/user-tests/test/live/live-sdk-anthropic-managed.test.ts"
+  }
+];
+var DEEPSEEK_LIVE_USER_EVIDENCE = [
+  {
+    label: "Installed-SDK DeepSeek live user test",
+    href: "../../../apps/user-tests/test/live/live-sdk-deepseek.test.ts"
+  },
+  {
+    label: "Installed-SDK DeepSeek comprehensive live user matrix",
+    href: "../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts"
+  }
 ];
-var MANAGED_PROXY_EVIDENCE = [
-  ...LIVE_USER_MATRIX_EVIDENCE,
+var ANTHROPIC_MANAGED_EVIDENCE = [
+  ...ANTHROPIC_LIVE_USER_EVIDENCE,
+  { label: "Runtime support validator", href: "../../contracts/test/runtime-support.test.ts" }
+];
+var DEEPSEEK_MANAGED_EVIDENCE = [
+  ...DEEPSEEK_LIVE_USER_EVIDENCE,
   { label: "Runtime support validator", href: "../../contracts/test/runtime-support.test.ts" }
 ];
 var PROVIDER_PUBLIC_SUPPORT = {
@@ -57,9 +74,9 @@ var PROVIDER_PUBLIC_SUPPORT = {
     status: "supported",
     docsAnchor: "anthropic",
     docs: COMMON_DOCS,
-    evidence: [...COMMON_EVIDENCE, ...MANAGED_PROXY_EVIDENCE],
+    evidence: [...COMMON_EVIDENCE, ...ANTHROPIC_MANAGED_EVIDENCE],
     runtimeEvidence: {
-      managed: MANAGED_PROXY_EVIDENCE
+      managed: ANTHROPIC_MANAGED_EVIDENCE
     }
   },
   deepseek: {
@@ -67,9 +84,9 @@ var PROVIDER_PUBLIC_SUPPORT = {
     status: "supported",
     docsAnchor: "deepseek",
     docs: COMMON_DOCS,
-    evidence: [...COMMON_EVIDENCE, ...MANAGED_PROXY_EVIDENCE],
+    evidence: [...COMMON_EVIDENCE, ...DEEPSEEK_MANAGED_EVIDENCE],
     runtimeEvidence: {
-      managed: MANAGED_PROXY_EVIDENCE
+      managed: DEEPSEEK_MANAGED_EVIDENCE
     }
   },
   openai: {
@@ -3156,11 +3173,8 @@ async function runRunCmd(io2, argv) {
     ...runConfig.environment ? { environment: runConfig.environment } : {},
     ...runConfig.metadata ? { metadata: runConfig.metadata } : {}
   };
-  const providerSecrets = {
-    [provider]: { apiKey: providerKeyValues[provider] }
-  };
   const secrets = {
-    ...providerSecrets,
+    apiKey: providerKeyValues[provider],
     ...mcpServerSecrets.length > 0 ? { mcpServers: mcpServerSecrets } : {},
     ...proxyAuth.length > 0 ? { proxyEndpointAuth: proxyAuth } : {}
   };

package/dist/cli.mjs.sha256

@@ -1 +1 @@
-2e7ad715af0e691bcc91e7f403c611f03d6e9a1e0566889dd32fd4b956b71779  cli.mjs
+9219ad7c8ff381c3e9916e5f312e110d9546cedb035b5a2f65bbbd07f5e27d4f  cli.mjs

package/dist/client.d.ts

@@ -37,8 +37,9 @@ export interface AgentExecutorOptions {
  *     secret is bundled into the constructor and split into
  *     `secrets.proxyEndpointAuth` server-side; the public submission
  *     only carries the declaration (`{ name, baseUrl, authShape, … }`).
- *   - `secrets.<provider>.apiKey` — REQUIRED for the selected provider.
- *     The platform never holds a long-lived provider key on your behalf.
+ *   - `secrets.apiKey` — REQUIRED: the provider key for the selected
+ *     `provider`. The platform never holds a long-lived provider key on
+ *     your behalf.
  *
  * `idempotencyKey` is auto-generated when omitted; pass one explicitly
  * if you want client-driven retry safety across process restarts.
@@ -46,16 +47,16 @@ export interface AgentExecutorOptions {
 export interface SubmitRunOptions {
     /**
      * Credential source for upstream provider access. Omitted defaults to
-     * `"byok"`, which requires `secrets.<provider>.apiKey` as today.
+     * `"byok"`, which requires `secrets.apiKey`.
      * `"managed"` is reserved for paid managed-key mode and currently fails
      * closed until the hosted private implementation is wired.
      */
     readonly credentialMode?: CredentialMode;
     /**
      * Provider selector. Optional — defaults to
-     * {@link DEFAULT_RUN_PROVIDER} (`"anthropic"`). The call site must
-     * supply the matching `secrets.<provider>.apiKey` and MUST NOT
-     * supply any other provider's secret block.
+     * {@link DEFAULT_RUN_PROVIDER} (`"anthropic"`). Selects which upstream
+     * model route the managed provider-proxy uses; the BYOK key for it is
+     * supplied as `secrets.apiKey`.
      */
     readonly provider?: RunProvider;
     /**