@aexhq/sdk 0.24.0 → 0.25.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (64) hide show
  1. package/README.md +36 -125
  2. package/dist/_contracts/index.d.ts +0 -1
  3. package/dist/_contracts/index.js +0 -1
  4. package/dist/_contracts/models.js +1 -2
  5. package/dist/_contracts/operations.d.ts +13 -5
  6. package/dist/_contracts/operations.js +220 -10
  7. package/dist/_contracts/provider-support.d.ts +18 -29
  8. package/dist/_contracts/provider-support.js +3 -22
  9. package/dist/_contracts/proxy-protocol.d.ts +4 -2
  10. package/dist/_contracts/proxy-protocol.js +10 -3
  11. package/dist/_contracts/run-config.d.ts +28 -4
  12. package/dist/_contracts/run-config.js +10 -5
  13. package/dist/_contracts/run-cost.d.ts +3 -11
  14. package/dist/_contracts/run-cost.js +2 -57
  15. package/dist/_contracts/run-custody.d.ts +1 -52
  16. package/dist/_contracts/run-custody.js +3 -87
  17. package/dist/_contracts/run-retention.d.ts +1 -5
  18. package/dist/_contracts/run-retention.js +2 -14
  19. package/dist/_contracts/run-unit.d.ts +2 -2
  20. package/dist/_contracts/run-unit.js +3 -1
  21. package/dist/_contracts/runtime-security-profile.js +1 -1
  22. package/dist/_contracts/runtime-types.d.ts +38 -12
  23. package/dist/_contracts/side-effect-audit.d.ts +4 -5
  24. package/dist/_contracts/side-effect-audit.js +1 -4
  25. package/dist/_contracts/status.d.ts +3 -4
  26. package/dist/_contracts/status.js +3 -8
  27. package/dist/_contracts/submission.d.ts +68 -42
  28. package/dist/_contracts/submission.js +144 -30
  29. package/dist/bundle.d.ts +13 -0
  30. package/dist/bundle.js +51 -0
  31. package/dist/bundle.js.map +1 -1
  32. package/dist/cli.mjs +232 -58
  33. package/dist/cli.mjs.sha256 +1 -1
  34. package/dist/client.d.ts +25 -21
  35. package/dist/client.js +59 -15
  36. package/dist/client.js.map +1 -1
  37. package/dist/index.d.ts +6 -5
  38. package/dist/index.js +4 -3
  39. package/dist/index.js.map +1 -1
  40. package/dist/tool.d.ts +41 -0
  41. package/dist/tool.js +138 -0
  42. package/dist/tool.js.map +1 -0
  43. package/dist/version.d.ts +1 -1
  44. package/dist/version.js +1 -1
  45. package/docs/concepts/agent-tools.md +53 -0
  46. package/docs/concepts/composition.md +43 -0
  47. package/docs/concepts/providers-and-runtimes.md +53 -0
  48. package/docs/concepts/runs.md +40 -0
  49. package/docs/credentials.md +8 -4
  50. package/docs/events.md +12 -0
  51. package/docs/limits.md +53 -0
  52. package/docs/outputs.md +58 -0
  53. package/docs/provider-runtime-capabilities.md +53 -55
  54. package/docs/public-surface.json +81 -0
  55. package/docs/quickstart.md +28 -105
  56. package/docs/release.md +1 -1
  57. package/docs/run-config.md +2 -2
  58. package/docs/secrets.md +123 -0
  59. package/docs/skills.md +3 -3
  60. package/docs/vision-skills.md +14 -19
  61. package/package.json +2 -2
  62. package/dist/_contracts/managed-key.d.ts +0 -101
  63. package/dist/_contracts/managed-key.js +0 -181
  64. package/docs/product-boundaries.md +0 -57
package/dist/cli.mjs CHANGED
@@ -25,16 +25,21 @@ var PROXY_RESPONSE_MODES = ["status_only", "headers_only", "full"];
25
25
  var PROXY_ENDPOINT_DEFAULTS = {
26
26
  allowHeaders: [],
27
27
  responseMode: "headers_only",
28
- maxRequestBytes: 64 * 1024,
28
+ // 10 MiB. The body is buffered into the Worker to enforce this cap, while the
29
+ // launch default fits practical multimodal/tool POSTs without every endpoint
30
+ // needing an override.
31
+ maxRequestBytes: 10 * 1024 * 1024,
29
32
  // Unlimited (0). The request body is buffered to enforce its cap, so that
30
33
  // stays finite; the response is streamed, so it does not need one.
31
34
  maxResponseBytes: 0,
32
- timeoutMs: 1e4
35
+ // 5 minutes. Long-running upstream tool/model calls should not fail under a
36
+ // development-oriented 10s ceiling; endpoints can still set a smaller value.
37
+ timeoutMs: 5 * 60 * 1e3
33
38
  };
34
39
 
35
40
  // ../contracts/dist/provider-support.js
36
41
  var COMMON_DOCS = [
37
- { label: "Credentials", href: "credentials.md" },
42
+ { label: "Secrets", href: "secrets.md" },
38
43
  { label: "Events", href: "events.md" }
39
44
  ];
40
45
  var COMMON_EVIDENCE = [
@@ -69,7 +74,6 @@ var DEEPSEEK_MANAGED_EVIDENCE = [
69
74
  var PROVIDER_PUBLIC_SUPPORT = {
70
75
  anthropic: {
71
76
  displayName: "Anthropic",
72
- status: "supported",
73
77
  docsAnchor: "anthropic",
74
78
  docs: COMMON_DOCS,
75
79
  evidence: [...COMMON_EVIDENCE, ...ANTHROPIC_MANAGED_EVIDENCE],
@@ -79,7 +83,6 @@ var PROVIDER_PUBLIC_SUPPORT = {
79
83
  },
80
84
  deepseek: {
81
85
  displayName: "DeepSeek",
82
- status: "supported",
83
86
  docsAnchor: "deepseek",
84
87
  docs: COMMON_DOCS,
85
88
  evidence: [...COMMON_EVIDENCE, ...DEEPSEEK_MANAGED_EVIDENCE],
@@ -89,7 +92,6 @@ var PROVIDER_PUBLIC_SUPPORT = {
89
92
  },
90
93
  openai: {
91
94
  displayName: "OpenAI",
92
- status: "live-unverified",
93
95
  docsAnchor: "openai",
94
96
  docs: COMMON_DOCS,
95
97
  evidence: COMMON_EVIDENCE,
@@ -99,7 +101,6 @@ var PROVIDER_PUBLIC_SUPPORT = {
99
101
  },
100
102
  gemini: {
101
103
  displayName: "Gemini",
102
- status: "live-unverified",
103
104
  docsAnchor: "gemini",
104
105
  docs: COMMON_DOCS,
105
106
  evidence: COMMON_EVIDENCE,
@@ -109,7 +110,6 @@ var PROVIDER_PUBLIC_SUPPORT = {
109
110
  },
110
111
  mistral: {
111
112
  displayName: "Mistral",
112
- status: "live-unverified",
113
113
  docsAnchor: "mistral",
114
114
  docs: COMMON_DOCS,
115
115
  evidence: COMMON_EVIDENCE,
@@ -119,7 +119,6 @@ var PROVIDER_PUBLIC_SUPPORT = {
119
119
  },
120
120
  openrouter: {
121
121
  displayName: "OpenRouter",
122
- status: "live-unverified",
123
122
  docsAnchor: "openrouter",
124
123
  docs: COMMON_DOCS,
125
124
  evidence: COMMON_EVIDENCE,
@@ -128,13 +127,8 @@ var PROVIDER_PUBLIC_SUPPORT = {
128
127
  }
129
128
  },
130
129
  // Doubao (ByteDance) via the official Ark API — international BytePlus gateway.
131
- // Wired + parser/routing-verified but not yet proven against a live BytePlus
132
- // account, so `live-unverified`. Promote to `supported` (and swap COMMON_EVIDENCE
133
- // for a DOUBAO_MANAGED_EVIDENCE pointer to live-sdk-doubao.test.ts) once the
134
- // live run passes.
135
130
  doubao: {
136
131
  displayName: "Doubao",
137
- status: "live-unverified",
138
132
  docsAnchor: "doubao",
139
133
  docs: COMMON_DOCS,
140
134
  evidence: COMMON_EVIDENCE,
@@ -143,11 +137,8 @@ var PROVIDER_PUBLIC_SUPPORT = {
143
137
  }
144
138
  },
145
139
  // Doubao (ByteDance) via the official Ark API — China Volcengine gateway.
146
- // Same wiring as `doubao`; additionally gated on CF Worker egress reaching the
147
- // Beijing host (see apps/egress-probe). `live-unverified` until proven live.
148
140
  "doubao-cn": {
149
141
  displayName: "Doubao (China)",
150
- status: "live-unverified",
151
142
  docsAnchor: "doubao-cn",
152
143
  docs: COMMON_DOCS,
153
144
  evidence: COMMON_EVIDENCE,
@@ -179,8 +170,7 @@ var MODEL_PROVIDER_IDS = {
179
170
  // China Volcengine Ark gateway (`doubao-cn`). Ark accepts the API-format
180
171
  // model NAME directly in the chat-completions `model` field (no `ep-…`
181
172
  // inference-endpoint id). The native strings are the same Ark catalog ids on
182
- // both gateways; BytePlus per-account availability is confirmed at live-verify
183
- // (both providers ship `live-unverified` until then — provider-support.ts).
173
+ // both gateways.
184
174
  // pro — Doubao Seed 1.8 (flagship, 256K context).
185
175
  // flash — Doubao Seed 1.6 Flash (fast/cheap, 256K context).
186
176
  "doubao-seed-pro": { doubao: "doubao-seed-1-8-251228", "doubao-cn": "doubao-seed-1-8-251228" },
@@ -222,9 +212,7 @@ var TERMINAL_RUN_STATUSES = [
222
212
  "failed",
223
213
  "timed_out",
224
214
  "cancelled",
225
- "cleanup_failed",
226
- "pending_delete",
227
- "deleted"
215
+ "cleanup_failed"
228
216
  ];
229
217
  var terminalRunStatuses = new Set(TERMINAL_RUN_STATUSES);
230
218
 
@@ -762,7 +750,7 @@ var RUNTIME_SECURITY_PROFILE_CONFIG = Object.freeze({
762
750
  }),
763
751
  standard: Object.freeze({
764
752
  name: "standard",
765
- defaultNetworkingMode: "limited",
753
+ defaultNetworkingMode: "open",
766
754
  allowOpenNetworking: true,
767
755
  allowRuntimePackages: true,
768
756
  allowCustomerEnvVars: true,
@@ -780,27 +768,6 @@ var RUNTIME_SECURITY_PROFILE_CONFIG = Object.freeze({
780
768
  })
781
769
  });
782
770
 
783
- // ../contracts/dist/managed-key.js
784
- var MANAGED_KEY_POLICY_SCHEMA_VERSION = 1;
785
- var BLOCKED_MANAGED_KEY_FEATURE_POLICY_V1 = Object.freeze({
786
- files: "disabled",
787
- packages: "disabled",
788
- builtins: "disabled",
789
- mcpServers: "disabled",
790
- proxyEndpoints: "disabled",
791
- openNetworking: "disabled"
792
- });
793
- var BLOCKED_MANAGED_KEY_POLICY_V1 = Object.freeze({
794
- schemaVersion: MANAGED_KEY_POLICY_SCHEMA_VERSION,
795
- credentialMode: "managed",
796
- launchStage: "blocked",
797
- privateImplementationAvailable: false,
798
- billingRequired: true,
799
- providers: Object.freeze([]),
800
- runtimes: Object.freeze([]),
801
- features: BLOCKED_MANAGED_KEY_FEATURE_POLICY_V1
802
- });
803
-
804
771
  // ../contracts/dist/submission.js
805
772
  var RUN_PROVIDERS = [
806
773
  "anthropic",
@@ -904,13 +871,9 @@ var forbiddenStringPatterns = Object.freeze([
904
871
  {
905
872
  reason: "private_resource_handle",
906
873
  // `<keyword><sep><id>` opaque handles (`session_a1B2c3D4e5`, `file_9f8e7d…`).
907
- // The keyword set overlaps ordinary English (agent/file/skill/resource/…), so
908
- // the bare shape also matched documentation prose that simply chains those
909
- // words with `_`/`-` (`agent_decision_failure`, `file_grounded`,
910
- // `session_handoff_contract`, `agent-judgment` — read straight out of a
911
- // skill-pack doc in tool-result text). The `accept` predicate keeps the shape
912
- // but requires the id segment to look minted rather than spelled — i.e. carry
913
- // a digit — so genuine handles stay flagged while dictionary-word prose does not.
874
+ // The keyword set overlaps ordinary prose, so require the id segment to
875
+ // carry a digit. That keeps genuine minted handles flagged while avoiding
876
+ // dictionary-word chains such as `agent_decision_failure`.
914
877
  regex: /\b(?:machine|session|agent|file|skill|env|resource|handle|token_hash|bearer_hash)[_:-][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/i,
915
878
  accept: isMintedResourceHandle
916
879
  },
@@ -1397,6 +1360,7 @@ function extractErrorMessage(body) {
1397
1360
  var operations_exports = {};
1398
1361
  __export(operations_exports, {
1399
1362
  cancelRun: () => cancelRun,
1363
+ classifyOutput: () => classifyOutput,
1400
1364
  createAgentsMd: () => createAgentsMd,
1401
1365
  createFile: () => createFile,
1402
1366
  createOutputLink: () => createOutputLink,
@@ -1414,6 +1378,10 @@ __export(operations_exports, {
1414
1378
  downloadMetadata: () => downloadMetadata,
1415
1379
  downloadOutput: () => downloadOutput,
1416
1380
  downloadOutputs: () => downloadOutputs,
1381
+ eventArchiveLink: () => eventArchiveLink,
1382
+ filterOutputs: () => filterOutputs,
1383
+ findOutput: () => findOutput,
1384
+ findOutputs: () => findOutputs,
1417
1385
  findSkillByHash: () => findSkillByHash,
1418
1386
  findSkillByName: () => findSkillByName,
1419
1387
  getAgentsMd: () => getAgentsMd,
@@ -1422,6 +1390,7 @@ __export(operations_exports, {
1422
1390
  getRun: () => getRun,
1423
1391
  getRunUnit: () => getRunUnit,
1424
1392
  getSecret: () => getSecret,
1393
+ getSecretValue: () => getSecretValue,
1425
1394
  getSkill: () => getSkill,
1426
1395
  listAgentsMd: () => listAgentsMd,
1427
1396
  listFiles: () => listFiles,
@@ -1429,8 +1398,9 @@ __export(operations_exports, {
1429
1398
  listRunEvents: () => listRunEvents,
1430
1399
  listSecrets: () => listSecrets,
1431
1400
  listSkills: () => listSkills,
1401
+ normalizeOutputLinkExpiresIn: () => normalizeOutputLinkExpiresIn,
1402
+ outputLink: () => outputLink,
1432
1403
  resolveOutputFileSelector: () => resolveOutputFileSelector,
1433
- revealSecret: () => revealSecret,
1434
1404
  rotateSecret: () => rotateSecret,
1435
1405
  submitRun: () => submitRun,
1436
1406
  submitRunMultipart: () => submitRunMultipart,
@@ -2180,12 +2150,50 @@ async function listRunEvents(http, runId) {
2180
2150
  async function getCoordinatorTicket(http, runId) {
2181
2151
  return http.request(`/api/runs/${encodeURIComponent(runId)}/events/ticket`, { method: "POST" });
2182
2152
  }
2183
- async function listOutputs(http, runId) {
2153
+ async function listOutputs(http, runId, query) {
2184
2154
  const result = await http.request(`/api/runs/${encodeURIComponent(runId)}/outputs`);
2185
- return result.outputs;
2155
+ return query === void 0 ? result.outputs : filterOutputs(result.outputs, query);
2156
+ }
2157
+ async function findOutputs(http, runId, query) {
2158
+ return listOutputs(http, runId, query);
2159
+ }
2160
+ async function findOutput(http, runId, query) {
2161
+ const matches = await findOutputs(http, runId, query);
2162
+ if (matches.length === 0)
2163
+ return null;
2164
+ if (matches.length === 1)
2165
+ return matches[0];
2166
+ throw new RunStateError("findOutput: output query matched multiple files", {
2167
+ runId,
2168
+ matches: matches.map((output) => output.filename ?? output.id)
2169
+ });
2170
+ }
2171
+ async function outputLink(http, runId, selectorOrQuery, options) {
2172
+ const output = await resolveOutputLinkTarget(http, runId, selectorOrQuery);
2173
+ const expiresInSeconds = normalizeOutputLinkExpiresIn(options?.expiresIn);
2174
+ const result = await http.request(`/api/runs/${encodeURIComponent(runId)}/outputs/${encodeURIComponent(output.id)}/link`, {
2175
+ method: "POST",
2176
+ body: JSON.stringify({ expiresInSeconds })
2177
+ });
2178
+ return {
2179
+ ...result,
2180
+ expiresInSeconds: result.expiresInSeconds ?? expiresInSeconds,
2181
+ output: result.output ?? output
2182
+ };
2186
2183
  }
2187
- async function createOutputLink(http, runId, outputId) {
2188
- return http.request(`/api/runs/${encodeURIComponent(runId)}/outputs/${encodeURIComponent(outputId)}/link`, { method: "POST" });
2184
+ async function createOutputLink(http, runId, selectorOrQuery, options) {
2185
+ return outputLink(http, runId, selectorOrQuery, options);
2186
+ }
2187
+ async function eventArchiveLink(http, runId, options) {
2188
+ const expiresInSeconds = normalizeOutputLinkExpiresIn(options?.expiresIn);
2189
+ const result = await http.request(`/api/runs/${encodeURIComponent(runId)}/events/link`, {
2190
+ method: "POST",
2191
+ body: JSON.stringify({ expiresInSeconds })
2192
+ });
2193
+ return {
2194
+ ...result,
2195
+ expiresInSeconds: result.expiresInSeconds ?? expiresInSeconds
2196
+ };
2189
2197
  }
2190
2198
  function resolveOutputFileSelector(outputs, selector, runId) {
2191
2199
  if (isPathSelector(selector)) {
@@ -2270,6 +2278,171 @@ function isPathSelector(selector) {
2270
2278
  function normalizeOutputLookupPath(path) {
2271
2279
  return path.replace(/\\/g, "/").replace(/^\/+/, "");
2272
2280
  }
2281
+ function filterOutputs(outputs, query) {
2282
+ return outputs.filter((output) => outputMatchesQuery(output, query));
2283
+ }
2284
+ function classifyOutput(output) {
2285
+ const contentType = normalizeContentType(output.contentType);
2286
+ if (contentType) {
2287
+ if (contentType === "application/json" || contentType.endsWith("+json") || contentType.includes("json")) {
2288
+ return "json";
2289
+ }
2290
+ if (contentType.startsWith("text/"))
2291
+ return "text";
2292
+ if (contentType.startsWith("image/"))
2293
+ return "image";
2294
+ if (contentType.startsWith("audio/"))
2295
+ return "audio";
2296
+ if (contentType.startsWith("video/"))
2297
+ return "video";
2298
+ if (contentType === "application/pdf")
2299
+ return "pdf";
2300
+ if (contentType === "application/zip" || contentType === "application/gzip" || contentType === "application/x-gzip" || contentType === "application/x-tar" || contentType === "application/x-7z-compressed" || contentType === "application/vnd.rar" || contentType === "application/zstd") {
2301
+ return "archive";
2302
+ }
2303
+ if (contentType === "application/octet-stream")
2304
+ return "binary";
2305
+ return "unknown";
2306
+ }
2307
+ const extension = extensionOf(output.filename);
2308
+ if (!extension)
2309
+ return "unknown";
2310
+ if (["json", "jsonl", "ndjson"].includes(extension))
2311
+ return "json";
2312
+ if (["txt", "log", "md", "markdown", "csv", "tsv", "xml", "html", "htm", "yaml", "yml"].includes(extension)) {
2313
+ return "text";
2314
+ }
2315
+ if (["png", "jpg", "jpeg", "gif", "webp", "avif", "bmp", "tif", "tiff", "svg"].includes(extension)) {
2316
+ return "image";
2317
+ }
2318
+ if (["mp3", "wav", "flac", "m4a", "aac", "ogg", "oga", "opus"].includes(extension))
2319
+ return "audio";
2320
+ if (["mp4", "mov", "m4v", "webm", "mkv", "avi"].includes(extension))
2321
+ return "video";
2322
+ if (extension === "pdf")
2323
+ return "pdf";
2324
+ if (["zip", "tar", "tgz", "gz", "bz2", "xz", "7z", "rar", "zst"].includes(extension))
2325
+ return "archive";
2326
+ if (["bin", "exe", "dll", "so", "dylib", "dmg", "iso"].includes(extension))
2327
+ return "binary";
2328
+ return "unknown";
2329
+ }
2330
+ function normalizeOutputLinkExpiresIn(input = "1h") {
2331
+ if (typeof input === "number") {
2332
+ if (!Number.isFinite(input) || input <= 0) {
2333
+ throw new RunStateError("outputLink: expiresIn must be a positive number of seconds", {
2334
+ expiresIn: input
2335
+ });
2336
+ }
2337
+ return Math.floor(input);
2338
+ }
2339
+ if (input === "15m")
2340
+ return 15 * 60;
2341
+ if (input === "1h")
2342
+ return 60 * 60;
2343
+ if (input === "1d")
2344
+ return 24 * 60 * 60;
2345
+ throw new RunStateError('outputLink: expiresIn must be seconds, "15m", "1h", or "1d"', {
2346
+ expiresIn: input
2347
+ });
2348
+ }
2349
+ async function resolveOutputLinkTarget(http, runId, selectorOrQuery) {
2350
+ if (typeof selectorOrQuery === "string") {
2351
+ if (selectorOrQuery.length === 0) {
2352
+ throw new RunStateError("outputLink: selector must include an output id or query", { runId });
2353
+ }
2354
+ return { id: selectorOrQuery };
2355
+ }
2356
+ if (hasOutputId(selectorOrQuery)) {
2357
+ if (selectorOrQuery.id.length === 0) {
2358
+ throw new RunStateError("outputLink: selector must include an output id or query", { runId });
2359
+ }
2360
+ return selectorOrQuery;
2361
+ }
2362
+ if (isPathSelector(selectorOrQuery) && selectorOrQuery.match === "suffix") {
2363
+ return resolveOutputFileSelector(await listOutputs(http, runId), selectorOrQuery, runId);
2364
+ }
2365
+ const match = await findOutput(http, runId, selectorOrQuery);
2366
+ if (match)
2367
+ return match;
2368
+ throw new RunStateError("outputLink: output query matched no files", { runId });
2369
+ }
2370
+ function outputMatchesQuery(output, query) {
2371
+ const normalizedPath = typeof output.filename === "string" ? normalizeOutputQueryPath(output.filename) : "";
2372
+ if (query.path !== void 0 && normalizedPath !== normalizeOutputQueryPath(query.path)) {
2373
+ return false;
2374
+ }
2375
+ if (query.filename !== void 0) {
2376
+ const basename2 = basenameOf(normalizedPath);
2377
+ if (typeof query.filename === "string") {
2378
+ if (basename2 !== query.filename)
2379
+ return false;
2380
+ } else {
2381
+ query.filename.lastIndex = 0;
2382
+ if (!query.filename.test(basename2))
2383
+ return false;
2384
+ }
2385
+ }
2386
+ if (query.dir !== void 0 && !directoryMatches(normalizedPath, query.dir, query.recursive ?? true)) {
2387
+ return false;
2388
+ }
2389
+ if (query.extension !== void 0 && extensionOf(normalizedPath) !== normalizeExtension(query.extension)) {
2390
+ return false;
2391
+ }
2392
+ if (query.contentType !== void 0 && !contentTypeMatches(output.contentType, query.contentType)) {
2393
+ return false;
2394
+ }
2395
+ if (query.type !== void 0 && classifyOutput(output) !== query.type) {
2396
+ return false;
2397
+ }
2398
+ return true;
2399
+ }
2400
+ function hasOutputId(value) {
2401
+ return Boolean(value && typeof value === "object" && "id" in value && typeof value.id === "string");
2402
+ }
2403
+ function normalizeOutputQueryPath(path) {
2404
+ let normalized = path.replace(/\\/g, "/").replace(/^\/+/, "");
2405
+ while (normalized === "outputs" || normalized.startsWith("outputs/")) {
2406
+ normalized = normalized === "outputs" ? "" : normalized.slice("outputs/".length);
2407
+ }
2408
+ return normalized.replace(/\/+$/, "");
2409
+ }
2410
+ function basenameOf(path) {
2411
+ return path.split("/").filter(Boolean).pop() ?? "";
2412
+ }
2413
+ function directoryMatches(path, dir, recursive) {
2414
+ const normalizedDir = normalizeOutputQueryPath(dir);
2415
+ if (normalizedDir.length === 0)
2416
+ return true;
2417
+ const prefix = `${normalizedDir}/`;
2418
+ if (!path.startsWith(prefix))
2419
+ return false;
2420
+ const remainder = path.slice(prefix.length);
2421
+ return remainder.length > 0 && (recursive || !remainder.includes("/"));
2422
+ }
2423
+ function normalizeExtension(extension) {
2424
+ return extension.replace(/^\.+/, "").toLowerCase();
2425
+ }
2426
+ function extensionOf(path) {
2427
+ if (!path)
2428
+ return "";
2429
+ const basename2 = basenameOf(normalizeOutputQueryPath(path));
2430
+ const index = basename2.lastIndexOf(".");
2431
+ return index > 0 && index < basename2.length - 1 ? basename2.slice(index + 1).toLowerCase() : "";
2432
+ }
2433
+ function normalizeContentType(contentType) {
2434
+ return (contentType ?? "").split(";")[0].trim().toLowerCase();
2435
+ }
2436
+ function contentTypeMatches(actual, expected) {
2437
+ const normalizedActual = normalizeContentType(actual);
2438
+ const normalizedExpected = normalizeContentType(expected);
2439
+ if (!normalizedActual || !normalizedExpected)
2440
+ return false;
2441
+ if (normalizedExpected.endsWith("/*")) {
2442
+ return normalizedActual.startsWith(normalizedExpected.slice(0, -1));
2443
+ }
2444
+ return normalizedActual === normalizedExpected;
2445
+ }
2273
2446
  async function download(http, runId) {
2274
2447
  const [run, events, outputs] = await Promise.all([
2275
2448
  getRun(http, runId),
@@ -2558,8 +2731,8 @@ async function getSecret(http, name) {
2558
2731
  const result = await http.request(`/api/secrets/${encodeURIComponent(name)}`);
2559
2732
  return unwrapSecret(result);
2560
2733
  }
2561
- async function revealSecret(http, name) {
2562
- return http.request(`/api/secrets/${encodeURIComponent(name)}/reveal`, {
2734
+ async function getSecretValue(http, name) {
2735
+ return http.request(`/api/secrets/${encodeURIComponent(name)}/get_value`, {
2563
2736
  method: "POST"
2564
2737
  });
2565
2738
  }
@@ -3498,6 +3671,7 @@ async function runRunCmd(io2, argv) {
3498
3671
  agentsMd: [],
3499
3672
  files: [],
3500
3673
  mcpServers: mcpServersForSubmission,
3674
+ tools: [],
3501
3675
  ...runConfig.environment ? { environment: runConfig.environment } : {},
3502
3676
  ...runConfig.metadata ? { metadata: runConfig.metadata } : {}
3503
3677
  };
@@ -1 +1 @@
1
- e5614dc8a94834dcf24cb939f4f553141c15790d63fa3b842eaaf0723256d658 cli.mjs
1
+ 1b28b0b2c5ae5867dad0581510c232cf2cf956226db8efc20e66d97549a0d3b0 cli.mjs
package/dist/client.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- import { HttpClient, SecretString, type AexEvent, type AgentsMdRecord, type CredentialMode, type DebugSink, type FetchLike, type FileRecord, type Output, type OutputMode, type PlatformEnvironmentInput, type PlatformSubmission, type PlatformInlineSecrets, type PlatformProxyEndpoint, type PlatformProxyEndpointAuth, type PlatformPostHookInput, type Run, type RunModel, type RunEvent, type RunProvider, type SecretRecord, type SecretReveal, type RunUnit, type Builtin, type RuntimeSize, type RuntimeKind, type SignedOutputLink, type Skill as SkillRecord, type WhoAmI } from "./_contracts/index.js";
1
+ import { HttpClient, SecretString, type AexEvent, type AgentsMdRecord, type CredentialMode, type DebugSink, type FetchLike, type FileRecord, type Output, type OutputFileType, type OutputLink, type OutputLinkOptions, type OutputQuery, type OutputMode, type PlatformEnvironmentInput, type PlatformSubmission, type PlatformInlineSecrets, type PlatformProxyEndpoint, type PlatformProxyEndpointAuth, type PlatformPostHookInput, type Run, type RunModel, type RunEvent, type RunProvider, type SecretRecord, type SecretReveal, type RunUnit, type Builtin, type RuntimeSize, type RuntimeKind, type Skill as SkillRecord, type WhoAmI } from "./_contracts/index.js";
2
2
  import { AgentsMd } from "./agents-md.js";
3
3
  import { type UploadedAsset } from "./asset-upload.js";
4
4
  import { File } from "./file.js";
@@ -6,6 +6,7 @@ import { McpServer } from "./mcp-server.js";
6
6
  import { ProxyEndpoint } from "./proxy-endpoint.js";
7
7
  import { Secret } from "./secret.js";
8
8
  import { Skill } from "./skill.js";
9
+ import { Tool } from "./tool.js";
9
10
  export interface AgentExecutorOptions {
10
11
  /** Workspace-scoped SDK API token. */
11
12
  readonly apiToken: string;
@@ -50,8 +51,6 @@ export interface SubmitOptions {
50
51
  /**
51
52
  * Credential source for upstream provider access. Omitted defaults to
52
53
  * `"byok"`, which requires `secrets.apiKey`.
53
- * `"managed"` is reserved for paid managed-key mode and currently fails
54
- * closed until the hosted private implementation is wired.
55
54
  */
56
55
  readonly credentialMode?: CredentialMode;
57
56
  /**
@@ -83,6 +82,7 @@ export interface SubmitOptions {
83
82
  readonly system?: string;
84
83
  readonly prompt: string | readonly string[];
85
84
  readonly skills?: readonly Skill[];
85
+ readonly tools?: readonly Tool[];
86
86
  readonly agentsMd?: readonly AgentsMd[];
87
87
  readonly files?: readonly File[];
88
88
  readonly mcpServers?: readonly McpServer[];
@@ -137,19 +137,17 @@ export interface SubmitOptions {
137
137
  readonly maxFiles?: number;
138
138
  };
139
139
  /**
140
- * Override the managed runtime builtin extensions enabled inside the runner.
140
+ * Override the managed runtime builtins enabled inside the runner.
141
141
  * Each entry is one of the closed {@link Builtin} set — prefer the
142
142
  * {@link Builtins} symbol const so a typo is a compile error.
143
143
  *
144
- * - Omitted (default): the runner enables `[Builtins.DEVELOPER]`
145
- * which gives the agent `shell`, `write`, `edit`, and `tree` tools (bash,
146
- * grep via shell, file read via shell or editor, file edit).
147
- * - Empty array: the agent runs with zero builtin extensions
148
- * useful for pure-MCP setups where every tool comes from a
149
- * submitted `mcpServers` entry.
150
- * - Custom list: e.g.
151
- * `[Builtins.DEVELOPER, Builtins.COMPUTER_CONTROLLER]` to add
152
- * web fetch/scrape alongside the default shell/edit toolkit.
144
+ * - Omitted (default): the runner enables `DEFAULT_BUILTINS`
145
+ * (`web_search`, `web_fetch`, `read`, `edit`, `glob`, `grep`, `head`,
146
+ * `tail`).
147
+ * - Empty array: the agent runs with zero builtins useful for pure-MCP
148
+ * setups where every tool comes from a submitted `mcpServers` entry.
149
+ * - Custom list: narrows or extends the surface, e.g.
150
+ * `[Builtins.WEB_SEARCH, Builtins.NOTEBOOK]`.
153
151
  *
154
152
  * Validation: each entry must be a member of {@link Builtins}, max 16
155
153
  * entries, deduplicated server-side.
@@ -211,6 +209,7 @@ export interface OutputFileIdSelector {
211
209
  readonly id: string;
212
210
  }
213
211
  export type OutputFileSelector = Output | OutputFileIdSelector | OutputFilePathSelector;
212
+ export type OutputLinkSelector = string | OutputFileSelector | OutputQuery;
214
213
  export interface OutputDownloadOptions {
215
214
  readonly to?: string;
216
215
  }
@@ -317,11 +316,11 @@ export declare class FilesClient {
317
316
  * Lifecycle parity with assets/skills: a `Secret.value(...)` is per-run and
318
317
  * gone at terminal; `set` (or promoting an ephemeral via `secret.upload`)
319
318
  * persists a named, searchable workspace secret you can `get` (metadata),
320
- * `reveal` (audited value), `rotate`, `list`, and `delete`. The identity is the
319
+ * `get_value` (audited value), `rotate`, `list`, and `delete`. The identity is the
321
320
  * `name`; the value rotates under that stable name.
322
321
  *
323
322
  * Values are write-only: `set`/`rotate` send the value in the request BODY (never
324
- * the URL); `get`/`list` return metadata only; `reveal` is the explicit audited
323
+ * the URL); `get`/`list` return metadata only; `get_value` is the explicit audited
325
324
  * value read.
326
325
  */
327
326
  export declare class SecretsClient {
@@ -336,8 +335,8 @@ export declare class SecretsClient {
336
335
  list(): Promise<readonly SecretRecord[]>;
337
336
  /** Metadata for one workspace secret by name. Never returns the value. */
338
337
  get(name: string): Promise<SecretRecord>;
339
- /** Audited value read — the only path that returns a workspace secret value. */
340
- reveal(name: string): Promise<SecretReveal>;
338
+ /** Audited value read — the preferred path that returns a workspace secret value. */
339
+ get_value(name: string): Promise<SecretReveal>;
341
340
  /** Replace the value of an existing workspace secret; bumps its version. */
342
341
  rotate(args: {
343
342
  readonly name: string;
@@ -503,10 +502,15 @@ export declare class AgentExecutor {
503
502
  waitForRun(runId: string, options?: WaitForRunOptions): Promise<Run>;
504
503
  /** Short alias for `waitForRun`. */
505
504
  wait(runId: string, options?: WaitForRunOptions): Promise<Run>;
506
- listOutputs(runId: string): Promise<readonly Output[]>;
505
+ listOutputs(runId: string, query?: OutputQuery): Promise<readonly Output[]>;
507
506
  /** Short alias for `listOutputs`. */
508
- outputs(runId: string): Promise<readonly Output[]>;
509
- createOutputLink(runId: string, outputId: string): Promise<SignedOutputLink>;
507
+ outputs(runId: string, query?: OutputQuery): Promise<readonly Output[]>;
508
+ findOutputs(runId: string, query: OutputQuery): Promise<readonly Output[]>;
509
+ findOutput(runId: string, query: OutputQuery): Promise<Output | null>;
510
+ outputLink(runId: string, selectorOrQuery: OutputLinkSelector, options?: OutputLinkOptions): Promise<OutputLink>;
511
+ createOutputLink(runId: string, selectorOrQuery: OutputLinkSelector, options?: OutputLinkOptions): Promise<OutputLink>;
512
+ fetchOutput(runId: string, selectorOrQuery: OutputLinkSelector, options?: OutputLinkOptions): Promise<Response>;
513
+ eventArchiveLink(runId: string, options?: OutputLinkOptions): Promise<OutputLink>;
510
514
  /**
511
515
  * Download captured deliverables. Omit `selector` to receive the full
512
516
  * outputs namespace as a zip; pass an id, Output object, or path selector
@@ -544,4 +548,4 @@ export declare class AgentExecutor {
544
548
  /** Download only the run record (the `metadata` namespace) as a zip. */
545
549
  downloadMetadata(runId: string, options?: OutputDownloadOptions): Promise<Uint8Array>;
546
550
  }
547
- export type { PlatformProxyEndpoint, PlatformProxyEndpointAuth };
551
+ export type { OutputFileType, OutputLink, OutputLinkOptions, OutputQuery, PlatformProxyEndpoint, PlatformProxyEndpointAuth };