@aexhq/sdk 0.29.0 → 0.31.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +95 -8
- package/dist/_contracts/connection-ticket.d.ts +1 -1
- package/dist/_contracts/connection-ticket.js +1 -1
- package/dist/_contracts/event-envelope.d.ts +5 -8
- package/dist/_contracts/event-envelope.js +5 -6
- package/dist/_contracts/event-guards.d.ts +67 -0
- package/dist/_contracts/event-guards.js +36 -0
- package/dist/_contracts/event-stream-client.d.ts +1 -1
- package/dist/_contracts/http.js +1 -1
- package/dist/_contracts/index.d.ts +2 -0
- package/dist/_contracts/index.js +6 -0
- package/dist/_contracts/operations.d.ts +2 -47
- package/dist/_contracts/operations.js +7 -112
- package/dist/_contracts/provider-support.d.ts +48 -138
- package/dist/_contracts/provider-support.js +10 -41
- package/dist/_contracts/proxy-protocol.d.ts +7 -7
- package/dist/_contracts/proxy-protocol.js +8 -8
- package/dist/_contracts/run-config.d.ts +7 -20
- package/dist/_contracts/run-config.js +8 -46
- package/dist/_contracts/run-cost.d.ts +1 -5
- package/dist/_contracts/run-cost.js +0 -8
- package/dist/_contracts/run-custody.d.ts +4 -6
- package/dist/_contracts/run-custody.js +0 -8
- package/dist/_contracts/run-trace.d.ts +7 -0
- package/dist/_contracts/run-trace.js +9 -0
- package/dist/_contracts/run-unit.d.ts +1 -1
- package/dist/_contracts/run-unit.js +2 -2
- package/dist/_contracts/runner-event.d.ts +1 -1
- package/dist/_contracts/runner-event.js +1 -1
- package/dist/_contracts/runtime-manifest.d.ts +13 -26
- package/dist/_contracts/runtime-manifest.js +6 -35
- package/dist/_contracts/runtime-types.d.ts +32 -1
- package/dist/_contracts/sdk-secrets.js +4 -4
- package/dist/_contracts/side-effect-audit.d.ts +2 -4
- package/dist/_contracts/side-effect-audit.js +2 -4
- package/dist/_contracts/status.d.ts +1 -1
- package/dist/_contracts/status.js +1 -1
- package/dist/_contracts/submission.d.ts +19 -126
- package/dist/_contracts/submission.js +31 -185
- package/dist/_contracts/webhook-verify.d.ts +1 -1
- package/dist/_contracts/webhook-verify.js +1 -1
- package/dist/agents-md.d.ts +4 -1
- package/dist/agents-md.js +10 -9
- package/dist/agents-md.js.map +1 -1
- package/dist/asset-upload.d.ts +4 -10
- package/dist/asset-upload.js +4 -47
- package/dist/asset-upload.js.map +1 -1
- package/dist/cli.mjs +17647 -3950
- package/dist/cli.mjs.sha256 +1 -1
- package/dist/client.d.ts +79 -61
- package/dist/client.js +207 -125
- package/dist/client.js.map +1 -1
- package/dist/data-tools.d.ts +23 -0
- package/dist/data-tools.js +102 -13
- package/dist/data-tools.js.map +1 -1
- package/dist/file.d.ts +4 -1
- package/dist/file.js +10 -9
- package/dist/file.js.map +1 -1
- package/dist/index.d.ts +9 -8
- package/dist/index.js +10 -8
- package/dist/index.js.map +1 -1
- package/dist/skill.d.ts +9 -7
- package/dist/skill.js +15 -15
- package/dist/skill.js.map +1 -1
- package/dist/tool.d.ts +4 -1
- package/dist/tool.js +10 -8
- package/dist/tool.js.map +1 -1
- package/dist/version.d.ts +1 -1
- package/dist/version.js +1 -1
- package/docs/cleanup.md +2 -2
- package/docs/concepts/agent-tools.md +9 -5
- package/docs/concepts/composition.md +1 -1
- package/docs/concepts/providers-and-runtimes.md +2 -4
- package/docs/concepts/runs.md +3 -6
- package/docs/credentials.md +2 -5
- package/docs/defaults.md +22 -22
- package/docs/events.md +32 -9
- package/docs/limits-and-quotas.md +40 -40
- package/docs/limits.md +1 -1
- package/docs/networking.md +141 -0
- package/docs/outputs.md +1 -1
- package/docs/provider-runtime-capabilities.md +36 -64
- package/docs/public-surface.json +2 -3
- package/docs/quickstart.md +32 -11
- package/docs/run-config.md +3 -4
- package/docs/secrets.md +7 -5
- package/docs/skills.md +4 -12
- package/docs/vision-skills.md +1 -1
- package/examples/chat-corpus.ts +85 -0
- package/package.json +2 -2
|
@@ -7,12 +7,11 @@ title: Limits & quotas
|
|
|
7
7
|
These are the hard ceilings and caps that bound a run, a workspace, and a single
|
|
8
8
|
request. Every value is mirrored from a single source-of-truth constant; the
|
|
9
9
|
constant file is authoritative and this page is generated documentation, not a
|
|
10
|
-
second source of truth. If a value here ever disagrees with
|
|
10
|
+
second source of truth. If a value here ever disagrees with that constant,
|
|
11
11
|
the constant wins.
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
For the values that apply when you omit an option, see
|
|
13
|
+
Each row is named by its source-of-truth constant. For the values that apply
|
|
14
|
+
when you omit an option, see
|
|
16
15
|
[Defaults](defaults.md). For product/policy boundaries (what aex does and does
|
|
17
16
|
not promise), see [Limits](limits.md).
|
|
18
17
|
|
|
@@ -27,12 +26,13 @@ And whether you can **raise** it: per-run option, per-plan, or no.
|
|
|
27
26
|
|
|
28
27
|
| Limit | Value | Source | Raisable? | Constant |
|
|
29
28
|
| --- | --- | --- | --- | --- |
|
|
30
|
-
| Maximum run timeout | 6 hours | aex policy | Per plan (billing-driven) |
|
|
31
|
-
| Minimum run timeout | 1 minute | aex policy | No (floor) |
|
|
32
|
-
| Per-call exec timeout (default) | 30 minutes | aex policy | Per-call via the tool call's `timeoutMs` |
|
|
33
|
-
| Post-hook timeout (default) | 60 minutes | aex policy | Per-run via the hook's `timeoutMs` |
|
|
34
|
-
| MCP connect timeout (default) | 30 seconds | aex policy | Per-port via `connectTimeoutMs` |
|
|
35
|
-
| MCP call timeout (default) | 30 minutes | aex policy | Per-port via `callTimeoutMs` |
|
|
29
|
+
| Maximum run timeout | 6 hours | aex policy | Per plan (billing-driven) | `RUN_MAX_TIMEOUT_MS` |
|
|
30
|
+
| Minimum run timeout | 1 minute | aex policy | No (floor) | `RUN_MIN_TIMEOUT_MS` |
|
|
31
|
+
| Per-call exec timeout (default) | 30 minutes | aex policy | Per-call via the tool call's `timeoutMs` | `RUN_DEFAULT_EXEC_TIMEOUT_MS` |
|
|
32
|
+
| Post-hook timeout (default) | 60 minutes | aex policy | Per-run via the hook's `timeoutMs` | `RUN_DEFAULT_POST_HOOK_TIMEOUT_MS` |
|
|
33
|
+
| MCP connect timeout (default) | 30 seconds | aex policy | Per-port via `connectTimeoutMs` | `RUN_DEFAULT_MCP_CONNECT_TIMEOUT_MS` |
|
|
34
|
+
| MCP call timeout (default) | 30 minutes | aex policy | Per-port via `callTimeoutMs` | `RUN_DEFAULT_MCP_CALL_TIMEOUT_MS` |
|
|
35
|
+
| Per-run spend cap | None by default; when set, the run is stopped once its spend would exceed the cap | aex policy | Per-run via `options.limits.maxSpendUsd` (a positive USD amount) | — |
|
|
36
36
|
|
|
37
37
|
### Output capture (per run)
|
|
38
38
|
|
|
@@ -42,46 +42,46 @@ silently lost.
|
|
|
42
42
|
|
|
43
43
|
| Limit | Value | Source | Raisable? | Constant |
|
|
44
44
|
| --- | --- | --- | --- | --- |
|
|
45
|
-
| Capture wall-clock budget | 1 hour | aex policy | No (hard ceiling) |
|
|
46
|
-
| Max files captured | 50,000 | aex policy | No (hard ceiling) |
|
|
47
|
-
| Max bytes per captured file | 1 TB | aex policy | No (hard ceiling) |
|
|
48
|
-
| Max total captured bytes | 1 TB | aex policy | No (hard ceiling) |
|
|
45
|
+
| Capture wall-clock budget | 1 hour | aex policy | No (hard ceiling) | `RUN_CAPTURE_DEFAULT_TIMEOUT_MS` |
|
|
46
|
+
| Max files captured | 50,000 | aex policy | No (hard ceiling) | `RUN_CAPTURE_MAX_FILES` |
|
|
47
|
+
| Max bytes per captured file | 1 TB | aex policy | No (hard ceiling) | `RUN_CAPTURE_MAX_FILE_BYTES` |
|
|
48
|
+
| Max total captured bytes | 1 TB | aex policy | No (hard ceiling) | `RUN_CAPTURE_MAX_TOTAL_BYTES` |
|
|
49
49
|
|
|
50
50
|
### Tool output caps (per run)
|
|
51
51
|
|
|
52
52
|
| Limit | Value | Source | Raisable? | Constant |
|
|
53
53
|
| --- | --- | --- | --- | --- |
|
|
54
|
-
| `web_fetch` returned body | 500 KB (UTF-8) | aex policy | Per-call via `max_bytes` |
|
|
55
|
-
| `bash_output` per-read body | 1 MB (UTF-8) | aex policy | No (hard ceiling) |
|
|
56
|
-
| `grep` max file size (larger files skipped — use `bash grep`) | 25 MB | aex policy | No (hard ceiling) |
|
|
57
|
-
| `head`/`tail` max file size (larger files rejected — use `bash head`/`tail`) | 100 MB | aex policy | No (hard ceiling) |
|
|
58
|
-
| `grep`/`glob` files visited per recursive walk (then truncates with a notice) | 100,000 | aex policy | No (hard ceiling) |
|
|
54
|
+
| `web_fetch` returned body | 500 KB (UTF-8) | aex policy | Per-call via `max_bytes` | `REQUEST_WEB_FETCH_DEFAULT_MAX_BYTES` |
|
|
55
|
+
| `bash_output` per-read body | 1 MB (UTF-8) | aex policy | No (hard ceiling) | `RUN_BASH_BG_OUTPUT_MAX_BYTES` |
|
|
56
|
+
| `grep` max file size (larger files skipped — use `bash grep`) | 25 MB | aex policy | No (hard ceiling) | `RUN_TOOL_GREP_MAX_FILE_BYTES` |
|
|
57
|
+
| `head`/`tail` max file size (larger files rejected — use `bash head`/`tail`) | 100 MB | aex policy | No (hard ceiling) | `RUN_TOOL_HEAD_TAIL_MAX_FILE_BYTES` |
|
|
58
|
+
| `grep`/`glob` files visited per recursive walk (then truncates with a notice) | 100,000 | aex policy | No (hard ceiling) | `RUN_TOOL_WALK_MAX_FILES` |
|
|
59
59
|
|
|
60
60
|
### Subagents (per run lineage)
|
|
61
61
|
|
|
62
62
|
| Limit | Value | Source | Raisable? | Constant |
|
|
63
63
|
| --- | --- | --- | --- | --- |
|
|
64
|
-
| Max subagent depth (public submit / `subagent` tool) | 5 (a depth-5 lineage may not spawn deeper) | aex policy | Per-run via `options.limits.maxSubagentDepth` (clamped to this hard ceiling) |
|
|
65
|
-
| Concurrent child runs per lineage root | 1000 live (non-terminal); hard ceiling 4096 | aex policy | Per-run via `options.limits.maxConcurrentChildRuns` (clamped to the 4096 ceiling) |
|
|
64
|
+
| Max subagent depth (public submit / `subagent` tool) | 5 (a depth-5 lineage may not spawn deeper) | aex policy | Per-run via `options.limits.maxSubagentDepth` (clamped to this hard ceiling) | `RUN_MAX_PUBLIC_SUBAGENT_DEPTH` |
|
|
65
|
+
| Concurrent child runs per lineage root | 1000 live (non-terminal); hard ceiling 4096 | aex policy | Per-run via `options.limits.maxConcurrentChildRuns` (clamped to the 4096 ceiling) | `RUN_DEFAULT_MAX_CONCURRENT_CHILD_RUNS` |
|
|
66
66
|
|
|
67
67
|
### Retention (per run)
|
|
68
68
|
|
|
69
69
|
| Limit | Value | Source | Raisable? | Constant |
|
|
70
70
|
| --- | --- | --- | --- | --- |
|
|
71
|
-
| Per-run metadata
|
|
72
|
-
| Per-run secret-envelope
|
|
71
|
+
| Per-run metadata record TTL | 24 hours | aex policy | No (hard ceiling) | `RUN_KV_RECORD_TTL_SECONDS` |
|
|
72
|
+
| Per-run secret-envelope TTL | 24 hours | aex policy | No (hard ceiling) | `RUN_KV_SECRET_TTL_SECONDS` |
|
|
73
73
|
|
|
74
74
|
## Workspace scope
|
|
75
75
|
|
|
76
76
|
| Limit | Value | Source | Raisable? | Constant |
|
|
77
77
|
| --- | --- | --- | --- | --- |
|
|
78
|
-
| Workspace storage cap | 50 GiB (admins uncapped — not a customer entitlement) | Workspace default | Per-plane via env `AEX_WORKSPACE_STORAGE_CAP_BYTES` |
|
|
78
|
+
| Workspace storage cap | 50 GiB (admins uncapped — not a customer entitlement) | Workspace default | Per-plane via env `AEX_WORKSPACE_STORAGE_CAP_BYTES` | `WORKSPACE_DEFAULT_STORAGE_CAP_BYTES` |
|
|
79
79
|
| Max concurrent runs per workspace | Advisory — there is no hard per-workspace concurrent-run cap constant; concurrency is bounded by plan, the subagent child-run cap, and provider/platform throughput rather than a fixed number. | aex policy | n/a | — |
|
|
80
|
-
| Skill bundle max compressed size (`.zip`) | 100 GB | Workspace default | Per-workspace (plan/env) |
|
|
81
|
-
| Skill bundle max file entries | 1,000 | Workspace default | Per-workspace (plan/env) |
|
|
82
|
-
| Skill bundle max directory depth (`a/b/c/d` = 4) | 16 | Workspace default | Per-workspace (plan/env) |
|
|
83
|
-
| Skill bundle max entry path length | 512 characters | Workspace default | No (hard ceiling) |
|
|
84
|
-
| `File.mountPath` max length | 512 characters | Workspace default | No (hard ceiling) |
|
|
80
|
+
| Skill bundle max compressed size (`.zip`) | 100 GB | Workspace default | Per-workspace (plan/env) | `WORKSPACE_SKILL_BUNDLE_MAX_COMPRESSED_BYTES` |
|
|
81
|
+
| Skill bundle max file entries | 1,000 | Workspace default | Per-workspace (plan/env) | `WORKSPACE_SKILL_BUNDLE_MAX_FILES` |
|
|
82
|
+
| Skill bundle max directory depth (`a/b/c/d` = 4) | 16 | Workspace default | Per-workspace (plan/env) | `WORKSPACE_SKILL_BUNDLE_MAX_DEPTH` |
|
|
83
|
+
| Skill bundle max entry path length | 512 characters | Workspace default | No (hard ceiling) | `WORKSPACE_SKILL_BUNDLE_MAX_PATH_LENGTH` |
|
|
84
|
+
| `File.mountPath` max length | 512 characters | Workspace default | No (hard ceiling) | `WORKSPACE_MOUNT_PATH_MAX_LENGTH` |
|
|
85
85
|
|
|
86
86
|
### Rate limits (per workspace, per minute)
|
|
87
87
|
|
|
@@ -90,19 +90,19 @@ Default values; each is overridable per-plane via the matching
|
|
|
90
90
|
|
|
91
91
|
| Action | Default per minute | Source | Constant |
|
|
92
92
|
| --- | --- | --- | --- |
|
|
93
|
-
| Run submit | 60 | Workspace default |
|
|
94
|
-
| Run cancel | 30 | Workspace default |
|
|
95
|
-
| Run delete | 30 | Workspace default |
|
|
96
|
-
| Signed output link | 120 | Workspace default |
|
|
97
|
-
| API token create | 10 | Workspace default |
|
|
98
|
-
| API token delete | 30 | Workspace default |
|
|
93
|
+
| Run submit | 60 | Workspace default | `WORKSPACE_RATE_LIMIT_DEFAULTS` |
|
|
94
|
+
| Run cancel | 30 | Workspace default | `WORKSPACE_RATE_LIMIT_DEFAULTS` |
|
|
95
|
+
| Run delete | 30 | Workspace default | `WORKSPACE_RATE_LIMIT_DEFAULTS` |
|
|
96
|
+
| Signed output link | 120 | Workspace default | `WORKSPACE_RATE_LIMIT_DEFAULTS` |
|
|
97
|
+
| API token create | 10 | Workspace default | `WORKSPACE_RATE_LIMIT_DEFAULTS` |
|
|
98
|
+
| API token delete | 30 | Workspace default | `WORKSPACE_RATE_LIMIT_DEFAULTS` |
|
|
99
99
|
|
|
100
100
|
## Request scope (proxy and egress)
|
|
101
101
|
|
|
102
102
|
| Limit | Value | Source | Raisable? | Constant |
|
|
103
103
|
| --- | --- | --- | --- | --- |
|
|
104
|
-
| Proxy request body | 10 MiB | aex policy | Per-endpoint via `maxRequestBytes` |
|
|
105
|
-
| Proxy response body | `0` = unlimited (streamed unbuffered) | aex policy | Per-endpoint via `maxResponseBytes` |
|
|
106
|
-
| Proxy upstream timeout | 5 minutes | aex policy | Per-endpoint via `timeoutMs` |
|
|
107
|
-
| Signed output URL TTL | 300 seconds | aex policy | Per-call via `expiresSeconds` |
|
|
108
|
-
| Event-stream connection ticket TTL | 60 seconds | aex policy | Per-mint via `ttlMs` |
|
|
104
|
+
| Proxy request body | 10 MiB | aex policy | Per-endpoint via `maxRequestBytes` | `REQUEST_PROXY_DEFAULT_MAX_REQUEST_BYTES` |
|
|
105
|
+
| Proxy response body | `0` = unlimited (streamed unbuffered) | aex policy | Per-endpoint via `maxResponseBytes` | `REQUEST_PROXY_DEFAULT_MAX_RESPONSE_BYTES` |
|
|
106
|
+
| Proxy upstream timeout | 5 minutes | aex policy | Per-endpoint via `timeoutMs` | `REQUEST_PROXY_DEFAULT_TIMEOUT_MS` |
|
|
107
|
+
| Signed output URL TTL | 300 seconds | aex policy | Per-call via `expiresSeconds` | `REQUEST_PRESIGN_URL_DEFAULT_TTL_SECONDS` |
|
|
108
|
+
| Event-stream connection ticket TTL | 60 seconds | aex policy | Per-mint via `ttlMs` | `REQUEST_TICKET_DEFAULT_TTL_MS` |
|
package/docs/limits.md
CHANGED
|
@@ -24,7 +24,7 @@ For the current provider/model set, see the generated
|
|
|
24
24
|
|
|
25
25
|
| Area | Boundary |
|
|
26
26
|
| --- | --- |
|
|
27
|
-
| Runtime | New submissions run on the managed runtime.
|
|
27
|
+
| Runtime | New submissions run on the managed runtime. There is no public runtime selector. |
|
|
28
28
|
| Provider policy | Provider retention, training exclusion, HIPAA/BAA, data residency, abuse policy, and pricing belong to the selected provider account, endpoint, and contract. |
|
|
29
29
|
| Secrets | Provider keys, MCP credentials, proxy auth, and env secrets are caller-owned. aex excludes secret values from idempotency and uses the explicit secret surfaces described in [Secrets](secrets.md). |
|
|
30
30
|
| MCP servers | Remote MCP servers are customer-trusted systems. aex validates declarations and routes credentials; it does not make an untrusted MCP server safe. |
|
|
@@ -0,0 +1,141 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Networking
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Networking
|
|
6
|
+
|
|
7
|
+
A run executes your agent's code in a sandbox that has **no unmediated route to
|
|
8
|
+
the internet**. Every outbound connection — whether it comes from the model, a
|
|
9
|
+
built-in tool, or a `curl` your code runs in the shell — passes through the
|
|
10
|
+
platform's egress boundary, which enforces the run's networking policy and a
|
|
11
|
+
fixed SSRF deny-list (loopback, link-local, cloud-metadata, and other private
|
|
12
|
+
ranges are always blocked, including hostnames that resolve to those ranges).
|
|
13
|
+
|
|
14
|
+
**Networking is open by default.** A run that does not set
|
|
15
|
+
`environment.networking` may reach any public host — still subject to the SSRF
|
|
16
|
+
deny-list above — with no allowlist required. You use the `environment.networking`
|
|
17
|
+
field to *narrow* that surface when you want a tighter, auditable egress posture.
|
|
18
|
+
Code cannot widen the policy from inside the container: the boundary is the
|
|
19
|
+
platform's, not the agent's.
|
|
20
|
+
|
|
21
|
+
## Paths that always work
|
|
22
|
+
|
|
23
|
+
These reach the network over managed paths and are **not** subject to
|
|
24
|
+
`environment.networking`, so you never list their hosts:
|
|
25
|
+
|
|
26
|
+
- The model / provider call for the run (and its subagents).
|
|
27
|
+
- The built-in `web_search` and `web_fetch` tools (still SSRF-guarded).
|
|
28
|
+
- Any remote MCP servers you declare in `mcpServers` — see [MCP](mcp.md).
|
|
29
|
+
- Any `proxyEndpoints` you declare — see [Credentials](credentials.md).
|
|
30
|
+
- The package registries for any `environment.packages` you declare (pip → PyPI,
|
|
31
|
+
apt → the distribution mirrors). Declaring a package implicitly allows the
|
|
32
|
+
registry it installs from.
|
|
33
|
+
|
|
34
|
+
`environment.networking` governs the **other** case: arbitrary outbound that
|
|
35
|
+
your own code makes to a host the platform doesn't already manage — a `curl` in
|
|
36
|
+
the `bash` tool, a `requests`/`urllib` call in Python, a `fetch` in
|
|
37
|
+
`code_execution`, or a third-party SDK.
|
|
38
|
+
|
|
39
|
+
## Restrict a run to an allowlist
|
|
40
|
+
|
|
41
|
+
Set `mode: "limited"` and list exactly the hosts your code is allowed to reach.
|
|
42
|
+
Anything not on the list (and not one of the always-allowed paths above) is
|
|
43
|
+
blocked, and the call fails. The platform automatically appends the
|
|
44
|
+
infrastructure hosts aex itself needs, so the model and tool paths keep working
|
|
45
|
+
without you listing them.
|
|
46
|
+
|
|
47
|
+
### TypeScript
|
|
48
|
+
|
|
49
|
+
```ts
|
|
50
|
+
import { AgentExecutor, Models, Providers } from "@aexhq/sdk";
|
|
51
|
+
|
|
52
|
+
const aex = new AgentExecutor({ apiToken: process.env.AEX_API_TOKEN! });
|
|
53
|
+
|
|
54
|
+
await aex.submit({
|
|
55
|
+
provider: Providers.ANTHROPIC,
|
|
56
|
+
model: Models.CLAUDE_HAIKU_4_5,
|
|
57
|
+
prompt: "Fetch the public status page and summarize it.",
|
|
58
|
+
environment: {
|
|
59
|
+
networking: {
|
|
60
|
+
mode: "limited",
|
|
61
|
+
allowedHosts: ["api.example.com", "status.example.com"]
|
|
62
|
+
}
|
|
63
|
+
},
|
|
64
|
+
secrets: { apiKeys: { anthropic: process.env.ANTHROPIC_API_KEY! } }
|
|
65
|
+
});
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
`allowedHosts` entries are host names (lowercased), e.g. `api.example.com`. Add a
|
|
69
|
+
non-default port when you need one (`api.example.com:8443`); a bare host name
|
|
70
|
+
covers HTTPS on 443. Matching is exact per host — it is not a wildcard or suffix
|
|
71
|
+
match, so list each host you need.
|
|
72
|
+
|
|
73
|
+
To validate your allowlist before submitting, `buildPlatformAllowedHosts` returns
|
|
74
|
+
the host set the platform will enforce given a base URL plus your extra hosts:
|
|
75
|
+
|
|
76
|
+
```ts
|
|
77
|
+
import { buildPlatformAllowedHosts } from "@aexhq/sdk";
|
|
78
|
+
|
|
79
|
+
const allowedHosts = buildPlatformAllowedHosts({
|
|
80
|
+
baseUrl: "https://api.aex.dev",
|
|
81
|
+
extraHosts: ["api.example.com"]
|
|
82
|
+
});
|
|
83
|
+
```
|
|
84
|
+
|
|
85
|
+
## Open mode
|
|
86
|
+
|
|
87
|
+
`open` is the default: a run that omits `environment.networking` already runs in
|
|
88
|
+
open mode. Set `mode: "open"` explicitly when you want to be unambiguous, or when
|
|
89
|
+
a run needs to reach hosts you can't enumerate ahead of time. The run may then
|
|
90
|
+
reach any public host, still subject to the SSRF deny-list. Prefer `limited`
|
|
91
|
+
whenever you can name the hosts — it gives the run a stable, auditable, least-
|
|
92
|
+
privilege egress surface (it is the tighter posture, not the default).
|
|
93
|
+
|
|
94
|
+
```ts
|
|
95
|
+
await aex.submit({
|
|
96
|
+
model: Models.CLAUDE_HAIKU_4_5,
|
|
97
|
+
prompt: "Research the topic across the open web.",
|
|
98
|
+
environment: { networking: { mode: "open" } },
|
|
99
|
+
secrets: { apiKeys: { anthropic: process.env.ANTHROPIC_API_KEY! } }
|
|
100
|
+
});
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
## Transparent for normal HTTP clients
|
|
104
|
+
|
|
105
|
+
You write ordinary code — there is no per-request proxy configuration and no
|
|
106
|
+
client changes. The runtime sets the standard proxy environment
|
|
107
|
+
(`HTTP_PROXY` / `HTTPS_PROXY`, with `NO_PROXY` for internal hosts), so any client
|
|
108
|
+
that honors it — `curl`, Python `requests` / `urllib`, `pip`, `npm`, Node
|
|
109
|
+
`fetch`, and most language SDKs — reaches allowed hosts transparently:
|
|
110
|
+
|
|
111
|
+
```bash
|
|
112
|
+
# In the agent's shell, against a limited run that allows api.example.com:
|
|
113
|
+
curl -sS https://api.example.com/v1/status # works
|
|
114
|
+
curl -sS https://other-host.example # blocked (not in allowlist)
|
|
115
|
+
```
|
|
116
|
+
|
|
117
|
+
You also do **not** need to install any certificate. The platform manages the
|
|
118
|
+
trust store for the managed egress path automatically, so TLS verification in
|
|
119
|
+
your client succeeds without extra setup.
|
|
120
|
+
|
|
121
|
+
## Limitations and gotchas
|
|
122
|
+
|
|
123
|
+
- **Enforcement is at the platform boundary, not in your code.** A tool can't
|
|
124
|
+
bypass the policy by ignoring proxy settings or opening a raw socket — the
|
|
125
|
+
sandbox has no other route out, so a disallowed host simply fails. This is the
|
|
126
|
+
intended fail-closed behavior.
|
|
127
|
+
- **A client that hard-bypasses the standard environment may fail to connect.**
|
|
128
|
+
This is rare — almost all HTTP tooling honors `HTTP_PROXY` / `HTTPS_PROXY` and
|
|
129
|
+
the system trust store. But a client that is explicitly told to ignore the
|
|
130
|
+
proxy environment, pins or replaces its certificate trust store, or speaks a
|
|
131
|
+
non-HTTP protocol over a raw socket can hit a wall even for an allowed host.
|
|
132
|
+
The fix is to let the client use the standard proxy and certificate
|
|
133
|
+
environment the runtime provides (most libraries do by default), rather than
|
|
134
|
+
overriding it.
|
|
135
|
+
- **`allowedHosts` only applies in `limited` mode.** It is ignored in `open`
|
|
136
|
+
mode, where the SSRF deny-list is the only gate.
|
|
137
|
+
|
|
138
|
+
For routing credentialed HTTP calls through the managed proxy without putting the
|
|
139
|
+
secret in the container, use proxy endpoints — see
|
|
140
|
+
[Credentials](credentials.md). For remote tool servers, see [MCP](mcp.md). For
|
|
141
|
+
the full set of run-config fields, see [Run configuration](run-config.md).
|
package/docs/outputs.md
CHANGED
|
@@ -14,7 +14,7 @@ import { RunModels } from "@aexhq/sdk";
|
|
|
14
14
|
const runId = await aex.submit({
|
|
15
15
|
model: RunModels.CLAUDE_HAIKU_4_5,
|
|
16
16
|
prompt: "Produce a report and save it as a file.",
|
|
17
|
-
secrets: { apiKey }
|
|
17
|
+
secrets: { apiKeys: { anthropic: apiKey } }
|
|
18
18
|
});
|
|
19
19
|
|
|
20
20
|
await aex.wait(runId);
|
|
@@ -4,11 +4,11 @@ title: Provider runtime capabilities
|
|
|
4
4
|
|
|
5
5
|
# Provider runtime capabilities
|
|
6
6
|
|
|
7
|
-
Generated from `packages/contracts/src/provider-support.ts` and `packages/contracts/src/models.ts
|
|
7
|
+
Generated from `packages/contracts/src/provider-support.ts` and `packages/contracts/src/models.ts`.
|
|
8
8
|
|
|
9
9
|
Regenerate with `bun run capabilities:generate`; check with `bun run capabilities:check`.
|
|
10
10
|
|
|
11
|
-
Providers: [Anthropic](#anthropic) (`anthropic`), [DeepSeek](#deepseek) (`deepseek`), [OpenAI](#openai) (`openai`), [Gemini](#gemini) (`gemini`), [Mistral](#mistral) (`mistral`), [OpenRouter](#openrouter) (`openrouter`), [Doubao](#doubao) (`doubao`), [Doubao (China)](#doubao-cn) (`doubao-cn`).
|
|
11
|
+
Providers: [Anthropic](#anthropic) (`anthropic`), [DeepSeek](#deepseek) (`deepseek`), [OpenAI](#openai) (`openai`), [Gemini](#gemini) (`gemini`), [Mistral](#mistral) (`mistral`), [OpenRouter](#openrouter) (`openrouter`), [Doubao](#doubao) (`doubao`), [Doubao (China)](#doubao-cn) (`doubao-cn`).
|
|
12
12
|
|
|
13
13
|
All new submissions run on the managed runtime. Public support is expressed as supported providers and supported model ids.
|
|
14
14
|
|
|
@@ -16,56 +16,36 @@ All new submissions run on the managed runtime. Public support is expressed as s
|
|
|
16
16
|
|
|
17
17
|
| Provider | Selector | Supported models | Docs | Evidence |
|
|
18
18
|
| --- | --- | --- | --- | --- |
|
|
19
|
-
| [Anthropic](#anthropic) | `anthropic` | `claude-haiku-4-5`, `claude-3-5-haiku-latest`, `claude-3-5-sonnet-latest`, `claude-sonnet-4-6` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
20
|
-
| [DeepSeek](#deepseek) | `deepseek` | `deepseek-v4-flash`, `deepseek-v4-pro`, `deepseek-chat`, `deepseek-reasoner` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
21
|
-
| [OpenAI](#openai) | `openai` | `gpt-4.1`, `gpt-4o-mini` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
22
|
-
| [Gemini](#gemini) | `gemini` | `gemini-2.0-flash`, `gemini-2.5-flash` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
23
|
-
| [Mistral](#mistral) | `mistral` | `mistral-large-latest`, `mistral-small-latest` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
24
|
-
| [OpenRouter](#openrouter) | `openrouter` | `gpt-4o-mini`, `gpt-4o`, `gemini-2.0-flash` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
25
|
-
| [Doubao](#doubao) | `doubao` | `doubao-seed-pro`, `doubao-seed-flash` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
26
|
-
| [Doubao (China)](#doubao-cn) | `doubao-cn` | `doubao-seed-pro`, `doubao-seed-flash` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
27
|
-
|
|
28
|
-
##
|
|
29
|
-
|
|
30
|
-
| Provider |
|
|
31
|
-
| --- | --- | --- |
|
|
32
|
-
| `anthropic` |
|
|
33
|
-
| `deepseek` |
|
|
34
|
-
| `openai` |
|
|
35
|
-
| `gemini` |
|
|
36
|
-
| `mistral` |
|
|
37
|
-
| `openrouter` |
|
|
38
|
-
| `doubao` |
|
|
39
|
-
| `doubao-cn` |
|
|
40
|
-
|
|
41
|
-
##
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
| --- | --- | --- | --- |
|
|
45
|
-
| `anthropic` | `managed` | submission parser + managed dispatch | [Installed-SDK Anthropic live user test](../../../apps/user-tests/test/live/live-sdk-anthropic-managed.test.ts); [Runtime support validator](../../contracts/test/runtime-support.test.ts) |
|
|
46
|
-
| `deepseek` | `managed` | submission parser + managed dispatch | [Installed-SDK DeepSeek live user test](../../../apps/user-tests/test/live/live-sdk-deepseek.test.ts); [Installed-SDK DeepSeek comprehensive live user matrix](../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts); [Runtime support validator](../../contracts/test/runtime-support.test.ts) |
|
|
47
|
-
| `openai` | `managed` | submission parser + managed dispatch | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Runtime support validator](../../contracts/test/runtime-support.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
48
|
-
| `gemini` | `managed` | submission parser + managed dispatch | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Runtime support validator](../../contracts/test/runtime-support.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
49
|
-
| `mistral` | `managed` | submission parser + managed dispatch | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Runtime support validator](../../contracts/test/runtime-support.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
50
|
-
| `openrouter` | `managed` | submission parser + managed dispatch | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Runtime support validator](../../contracts/test/runtime-support.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
51
|
-
| `doubao` | `managed` | submission parser + managed dispatch | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Runtime support validator](../../contracts/test/runtime-support.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
52
|
-
| `doubao-cn` | `managed` | submission parser + managed dispatch | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Runtime support validator](../../contracts/test/runtime-support.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
53
|
-
|
|
54
|
-
## Validation errors
|
|
55
|
-
|
|
56
|
-
| Code | Docs anchor | Enforcement path | Evidence |
|
|
57
|
-
| --- | --- | --- | --- |
|
|
58
|
-
| `feature_runtime_mismatch` | [managed-unsupported-features](#managed-unsupported-features) | collectManagedUnsupportedFeatures + selectRuntime | [Submission parser and routing parity](../../contracts/test/submission.test.ts) |
|
|
59
|
-
|
|
60
|
-
### Managed unsupported features
|
|
61
|
-
|
|
62
|
-
Provider-hosted skill refs (a `kind:"provider"` skill ref) are rejected because new runs dispatch to the managed runtime. Supply skill bytes through `Skill.fromFiles`, `Skill.fromPath`, `Skill.fromUrl`, or `Skill.fromCatalog`; each path normalizes to an asset that the platform snapshots into durable run asset storage.
|
|
19
|
+
| [Anthropic](#anthropic) | `anthropic` | `claude-haiku-4-5`, `claude-3-5-haiku-latest`, `claude-3-5-sonnet-latest`, `claude-sonnet-4-6` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts); [Installed-SDK Anthropic live user test](../../../apps/user-tests/test/live/live-sdk-anthropic-managed.test.ts) |
|
|
20
|
+
| [DeepSeek](#deepseek) | `deepseek` | `deepseek-v4-flash`, `deepseek-v4-pro`, `deepseek-chat`, `deepseek-reasoner` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts); [Installed-SDK DeepSeek live user test](../../../apps/user-tests/test/live/live-sdk-deepseek.test.ts); [Installed-SDK DeepSeek comprehensive live user matrix](../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts) |
|
|
21
|
+
| [OpenAI](#openai) | `openai` | `gpt-4.1`, `gpt-4o-mini` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
22
|
+
| [Gemini](#gemini) | `gemini` | `gemini-2.0-flash`, `gemini-2.5-flash` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
23
|
+
| [Mistral](#mistral) | `mistral` | `mistral-large-latest`, `mistral-small-latest` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
24
|
+
| [OpenRouter](#openrouter) | `openrouter` | `gpt-4o-mini`, `gpt-4o`, `gemini-2.0-flash` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
25
|
+
| [Doubao](#doubao) | `doubao` | `doubao-seed-pro`, `doubao-seed-flash` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
26
|
+
| [Doubao (China)](#doubao-cn) | `doubao-cn` | `doubao-seed-pro`, `doubao-seed-flash` | [Secrets](secrets.md); [Events](events.md) | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
27
|
+
|
|
28
|
+
## Managed evidence
|
|
29
|
+
|
|
30
|
+
| Provider | Enforcement path | Evidence |
|
|
31
|
+
| --- | --- | --- |
|
|
32
|
+
| `anthropic` | submission parser + managed execution | [Installed-SDK Anthropic live user test](../../../apps/user-tests/test/live/live-sdk-anthropic-managed.test.ts) |
|
|
33
|
+
| `deepseek` | submission parser + managed execution | [Installed-SDK DeepSeek live user test](../../../apps/user-tests/test/live/live-sdk-deepseek.test.ts); [Installed-SDK DeepSeek comprehensive live user matrix](../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts) |
|
|
34
|
+
| `openai` | submission parser + managed execution | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
35
|
+
| `gemini` | submission parser + managed execution | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
36
|
+
| `mistral` | submission parser + managed execution | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
37
|
+
| `openrouter` | submission parser + managed execution | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
38
|
+
| `doubao` | submission parser + managed execution | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
39
|
+
| `doubao-cn` | submission parser + managed execution | [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts) |
|
|
40
|
+
|
|
41
|
+
## Skills
|
|
42
|
+
|
|
43
|
+
Only asset-backed skills are accepted on submissions. Supply skill bytes through `Skill.fromFiles`, `Skill.fromPath`, `Skill.fromUrl`, or `Skill.fromCatalog`; each path normalizes to an asset that the platform snapshots into durable run asset storage.
|
|
63
44
|
|
|
64
45
|
Notes:
|
|
65
46
|
|
|
66
47
|
- Supported models are the public SDK model ids accepted for each provider.
|
|
67
|
-
-
|
|
68
|
-
- `runtime: "native"` is not a runtime selector; the submission parser rejects it as an invalid enum value.
|
|
48
|
+
- Execution uses the managed path; there is no public runtime selector.
|
|
69
49
|
|
|
70
50
|
## Provider anchors
|
|
71
51
|
|
|
@@ -73,62 +53,54 @@ Notes:
|
|
|
73
53
|
|
|
74
54
|
- Wire provider: `anthropic`
|
|
75
55
|
- Supported models: `claude-haiku-4-5`, `claude-3-5-haiku-latest`, `claude-3-5-sonnet-latest`, `claude-sonnet-4-6`
|
|
76
|
-
- Auto route: `managed`
|
|
77
56
|
- Docs: [Secrets](secrets.md); [Events](events.md)
|
|
78
|
-
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
57
|
+
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts); [Installed-SDK Anthropic live user test](../../../apps/user-tests/test/live/live-sdk-anthropic-managed.test.ts)
|
|
79
58
|
|
|
80
59
|
### DeepSeek
|
|
81
60
|
|
|
82
61
|
- Wire provider: `deepseek`
|
|
83
62
|
- Supported models: `deepseek-v4-flash`, `deepseek-v4-pro`, `deepseek-chat`, `deepseek-reasoner`
|
|
84
|
-
- Auto route: `managed`
|
|
85
63
|
- Docs: [Secrets](secrets.md); [Events](events.md)
|
|
86
|
-
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
64
|
+
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts); [Installed-SDK DeepSeek live user test](../../../apps/user-tests/test/live/live-sdk-deepseek.test.ts); [Installed-SDK DeepSeek comprehensive live user matrix](../../../apps/user-tests/test/live/live-sdk-comprehensive.test.ts)
|
|
87
65
|
|
|
88
66
|
### OpenAI
|
|
89
67
|
|
|
90
68
|
- Wire provider: `openai`
|
|
91
69
|
- Supported models: `gpt-4.1`, `gpt-4o-mini`
|
|
92
|
-
- Auto route: `managed`
|
|
93
70
|
- Docs: [Secrets](secrets.md); [Events](events.md)
|
|
94
|
-
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
71
|
+
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts)
|
|
95
72
|
|
|
96
73
|
### Gemini
|
|
97
74
|
|
|
98
75
|
- Wire provider: `gemini`
|
|
99
76
|
- Supported models: `gemini-2.0-flash`, `gemini-2.5-flash`
|
|
100
|
-
- Auto route: `managed`
|
|
101
77
|
- Docs: [Secrets](secrets.md); [Events](events.md)
|
|
102
|
-
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
78
|
+
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts)
|
|
103
79
|
|
|
104
80
|
### Mistral
|
|
105
81
|
|
|
106
82
|
- Wire provider: `mistral`
|
|
107
83
|
- Supported models: `mistral-large-latest`, `mistral-small-latest`
|
|
108
|
-
- Auto route: `managed`
|
|
109
84
|
- Docs: [Secrets](secrets.md); [Events](events.md)
|
|
110
|
-
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
85
|
+
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts)
|
|
111
86
|
|
|
112
87
|
### OpenRouter
|
|
113
88
|
|
|
114
89
|
- Wire provider: `openrouter`
|
|
115
90
|
- Supported models: `gpt-4o-mini`, `gpt-4o`, `gemini-2.0-flash`
|
|
116
|
-
- Auto route: `managed`
|
|
117
91
|
- Docs: [Secrets](secrets.md); [Events](events.md)
|
|
118
|
-
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
92
|
+
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts)
|
|
119
93
|
|
|
120
94
|
### Doubao
|
|
121
95
|
|
|
122
96
|
- Wire provider: `doubao`
|
|
123
97
|
- Supported models: `doubao-seed-pro`, `doubao-seed-flash`
|
|
124
|
-
- Auto route: `managed`
|
|
125
98
|
- Docs: [Secrets](secrets.md); [Events](events.md)
|
|
126
|
-
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
99
|
+
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts)
|
|
127
100
|
|
|
128
101
|
### Doubao (China)
|
|
129
102
|
|
|
130
103
|
- Wire provider: `doubao-cn`
|
|
131
104
|
- Supported models: `doubao-seed-pro`, `doubao-seed-flash`
|
|
132
|
-
- Auto route: `managed`
|
|
133
105
|
- Docs: [Secrets](secrets.md); [Events](events.md)
|
|
134
|
-
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [
|
|
106
|
+
- Evidence: [Submission parser and routing parity](../../contracts/test/submission.test.ts); [Generated matrix freshness](../../../scripts/validate/capability-matrix.test.ts)
|
package/docs/public-surface.json
CHANGED
|
@@ -6,15 +6,14 @@
|
|
|
6
6
|
"installCommand": "bun add @aexhq/sdk",
|
|
7
7
|
"examples": {
|
|
8
8
|
"typescriptLines": [
|
|
9
|
-
"import { AgentExecutor, Models
|
|
9
|
+
"import { AgentExecutor, Models } from \"@aexhq/sdk\";",
|
|
10
10
|
"",
|
|
11
11
|
"const aex = new AgentExecutor({ apiToken: process.env.AEX_API_TOKEN! });",
|
|
12
12
|
"",
|
|
13
13
|
"const runId = await aex.submit({",
|
|
14
|
-
" provider: Providers.ANTHROPIC,",
|
|
15
14
|
" model: Models.CLAUDE_HAIKU_4_5,",
|
|
16
15
|
" prompt: \"Write the report and save outputs.\",",
|
|
17
|
-
" secrets: {
|
|
16
|
+
" secrets: { apiKeys: { anthropic: process.env.ANTHROPIC_API_KEY! } }",
|
|
18
17
|
"});",
|
|
19
18
|
"",
|
|
20
19
|
"for await (const event of aex.stream(runId)) console.log(event.type);",
|
package/docs/quickstart.md
CHANGED
|
@@ -10,26 +10,47 @@ title: Quickstart
|
|
|
10
10
|
bun add @aexhq/sdk
|
|
11
11
|
```
|
|
12
12
|
|
|
13
|
-
|
|
13
|
+
This installs the TypeScript SDK exports and the bundled `aex` CLI.
|
|
14
|
+
|
|
15
|
+
## 2. Set credentials
|
|
16
|
+
|
|
17
|
+
The examples need both an aex API token and your BYOK provider key for the model
|
|
18
|
+
you choose. For the Claude examples below:
|
|
19
|
+
|
|
20
|
+
```bash
|
|
21
|
+
export AEX_API_TOKEN="<your-aex-token>"
|
|
22
|
+
export ANTHROPIC_API_KEY="<your-anthropic-api-key>"
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
## 3. Run a prompt
|
|
14
26
|
|
|
15
27
|
```ts
|
|
16
|
-
import { AgentExecutor, Models
|
|
28
|
+
import { AgentExecutor, Models } from "@aexhq/sdk";
|
|
17
29
|
|
|
18
|
-
const aex = new AgentExecutor({
|
|
19
|
-
apiToken: process.env.AEX_API_TOKEN!
|
|
20
|
-
});
|
|
30
|
+
const aex = new AgentExecutor({ apiToken: process.env.AEX_API_TOKEN! });
|
|
21
31
|
|
|
22
|
-
|
|
23
|
-
|
|
32
|
+
// run() submits, waits for the run to settle, and returns the result.
|
|
33
|
+
// `provider` is derived from the model; `secrets.apiKeys` carries your BYOK provider key.
|
|
34
|
+
const { text, ok } = await aex.run({
|
|
24
35
|
model: Models.CLAUDE_HAIKU_4_5,
|
|
25
|
-
|
|
26
|
-
|
|
36
|
+
secrets: { apiKeys: { anthropic: process.env.ANTHROPIC_API_KEY! } },
|
|
37
|
+
prompt: "Write a short report and save it as a file."
|
|
27
38
|
});
|
|
39
|
+
|
|
40
|
+
console.log(ok, text);
|
|
28
41
|
```
|
|
29
42
|
|
|
30
|
-
##
|
|
43
|
+
## 4. Submit, stream, wait, and download
|
|
44
|
+
|
|
45
|
+
When you need the run id, live events, or downloads, drive the lifecycle yourself:
|
|
31
46
|
|
|
32
47
|
```ts
|
|
48
|
+
const runId = await aex.submit({
|
|
49
|
+
model: Models.CLAUDE_HAIKU_4_5,
|
|
50
|
+
secrets: { apiKeys: { anthropic: process.env.ANTHROPIC_API_KEY! } },
|
|
51
|
+
prompt: "Write a short report and save it as a file."
|
|
52
|
+
});
|
|
53
|
+
|
|
33
54
|
for await (const event of aex.stream(runId)) {
|
|
34
55
|
console.log(event.type);
|
|
35
56
|
}
|
|
@@ -40,7 +61,7 @@ console.log(run.status);
|
|
|
40
61
|
await aex.download(runId, { to: "./run.zip" });
|
|
41
62
|
```
|
|
42
63
|
|
|
43
|
-
The same run from the CLI:
|
|
64
|
+
The same run from the bundled CLI:
|
|
44
65
|
|
|
45
66
|
```bash
|
|
46
67
|
aex run \
|
package/docs/run-config.md
CHANGED
|
@@ -15,13 +15,12 @@ Allowed fields:
|
|
|
15
15
|
- `mcpServers` - array of `McpServerRef`; headers are split into `secrets.mcpServers` server-side.
|
|
16
16
|
- `environment` - `{ networking?, packages?, envVars? }`. Networking is open by default; set `networking.mode` to `limited` only when you want an allowlist. `envVars` are merged into the in-container `RUNTIME.env` / `RUNTIME.json` mounts.
|
|
17
17
|
- `runtimeSize` - optional managed-runtime preset. Prefer `RuntimeSizes` in TypeScript.
|
|
18
|
-
- `region` - optional product placement region: `eu-west`, `us-west`, or `ap-northeast`. These are platform placement targets, not exact city guarantees; omitted runs infer a configured region from request geography and fall back when no hint matches.
|
|
19
18
|
- `timeout` - optional run deadline duration string such as `"30m"` or `"2h"`.
|
|
20
19
|
- `postHook` - optional post-agent verifier `{ command, timeout?, maxTurns?, maxChars? }`. It runs after a successful agent process; a failing or timed-out command is sent back to the agent for repair until `maxTurns` is exhausted. Empty `command` is treated as omitted.
|
|
21
20
|
- `proxyEndpoints` - array of `PlatformProxyEndpoint`; endpoint-level `retry` is allowed here and remains declaration-based.
|
|
22
21
|
- `metadata` - non-secret structured metadata.
|
|
23
22
|
|
|
24
|
-
`agentsMd`, `files`, `outputs`, `tools`, `includeBuiltinTools`, `limits`, and `outputMode` are top-level `submit` options, not run-config fields. They carry bytes, capture behavior, or agent tool/output controls that belong on a concrete run submission. The `limits` option sets per-run subagent-lineage caps (`maxConcurrentChildRuns`, `maxSubagentDepth`); see [Limits & quotas](limits-and-quotas.md).
|
|
23
|
+
`agentsMd`, `files`, `outputs`, `tools`, `includeBuiltinTools`, `limits`, and `outputMode` are top-level `submit` options, not run-config fields. They carry bytes, capture behavior, or agent tool/output controls that belong on a concrete run submission. The `limits` option sets per-run caps: the subagent-lineage caps (`maxConcurrentChildRuns`, `maxSubagentDepth`) and a USD spend cap (`maxSpendUsd`, which stops the run once its spend would exceed the cap); see [Limits & quotas](limits-and-quotas.md).
|
|
25
24
|
|
|
26
25
|
Secrets never live in run config. Pass credentials through `submit({ ...config, secrets })` in the SDK or the equivalent host-mode flags (`--anthropic-api-key`, `--mcp-auth`, `--proxy-auth`) in the CLI. See [Secrets](secrets.md) for secret lifecycles and [Credentials](credentials.md) for the proxy endpoint policy/auth split and retry fields.
|
|
27
26
|
|
|
@@ -46,7 +45,7 @@ function summarise(topic: string) {
|
|
|
46
45
|
|
|
47
46
|
await aex.submit({
|
|
48
47
|
...summarise("agent-first SDK design"),
|
|
49
|
-
secrets: { apiKey }
|
|
48
|
+
secrets: { apiKeys: { anthropic: apiKey } }
|
|
50
49
|
});
|
|
51
50
|
```
|
|
52
51
|
|
|
@@ -60,4 +59,4 @@ aex run --config ./run.json \
|
|
|
60
59
|
--anthropic-api-key "$ANTHROPIC_API_KEY"
|
|
61
60
|
```
|
|
62
61
|
|
|
63
|
-
...or as explicit flags (`--model`, `--system`, `--prompt`, `--mcp`, `--mcp-auth`, `--
|
|
62
|
+
...or as explicit flags (`--model`, `--system`, `--prompt`, `--mcp`, `--mcp-auth`, `--runtime-size`, `--run-timeout`, `--proxy-endpoint`, `--proxy-auth`, `--metadata`). The two modes are mutually exclusive. `postHook` is available through `--config`; there are no standalone hook flags.
|