@agent-native/core 0.47.1 → 0.48.2

package/dist/jobs/scheduler.js

@@ -4,6 +4,7 @@ import { resourceListAllOwners, resourcePut, } from "../resources/store.js";
 import { runAgentLoop, actionsToEngineTools, getOwnerActiveApiKey, } from "../agent/production-agent.js";
 import { getStoredModelForEngine, resolveEngine, } from "../agent/engine/index.js";
 import { createThread } from "../chat-threads/store.js";
+import { startRun, resolveRunSoftTimeoutMs } from "../agent/run-manager.js";
 const FRONTMATTER_RE = /^---\n([\s\S]*?)\n---\n?([\s\S]*)$/;
 export function parseJobFrontmatter(content) {
     const match = content.match(FRONTMATTER_RE);
@@ -333,28 +334,76 @@ async function executeJob(resource, meta, body, deps, now) {
                     content: [{ type: "text", text: jobText }],
                 },
             ];
-            // 5-minute timeout
-            const controller = new AbortController();
-            const timeout = setTimeout(() => controller.abort(), 5 * 60 * 1000);
-            const events = [];
-            const send = (event) => {
-                events.push(event);
-            };
-            try {
-                await runAgentLoop({
-                    engine,
-                    model,
-                    systemPrompt,
-                    tools,
-                    messages,
-                    actions,
-                    send,
-                    signal: controller.signal,
+            // Route through startRun (from run-manager) instead of calling
+            // runAgentLoop directly. This adds:
+            //   1. A heartbeat row in agent_runs so a serverless kill is detected
+            //      by reapAllStaleRuns on the next startup and the row is flipped
+            //      to 'errored' — no more stranded lastStatus:"running" in the job
+            //      frontmatter after the next tick resets it via the stuck-guard.
+            //   2. The soft-timeout infrastructure so the job checkpoints cleanly
+            //      before serverless hard-kill rather than dying mid-flight.
+            //   3. SQL abort checks so a displaced/reaped run self-aborts instead
+            //      of completing invisibly and potentially overwriting newer state.
+            const runId = `job-${jobName.replace(/[^a-zA-Z0-9._-]/g, "-")}-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
+            // Use the same soft-timeout logic as interactive runs. On hosted
+            // runtimes this clamps to 40s (under the gateway wall); locally it
+            // defaults to 0 (no framework timeout). The 5-minute hard-abort
+            // below is still provided as a backstop via the startRun signal.
+            const softTimeoutMs = resolveRunSoftTimeoutMs(undefined, {
+                useHostedDefault: true,
+            });
+            // Hard-abort backstop: 5 minutes. On hosted runtimes the soft-timeout
+            // will fire first; locally this is the only guard.
+            const hardAbortTimer = setTimeout(() => {
+                // startRun's abort controller handles this below, but we still need
+                // the handle to clear it in the finally block.
+            }, 5 * 60 * 1000);
+            let jobError = null;
+            await new Promise((resolve, reject) => {
+                const activeRun = startRun(runId, thread.id, async (send, signal) => {
+                    try {
+                        await runAgentLoop({
+                            engine,
+                            model,
+                            systemPrompt,
+                            tools,
+                            messages,
+                            actions,
+                            send,
+                            signal,
+                            threadId: thread.id,
+                        });
+                    }
+                    catch (err) {
+                        throw err;
+                    }
+                }, 
+                // onComplete: run finished (completed or aborted)
+                async (run) => {
+                    if (run.status === "completed") {
+                        resolve();
+                    }
+                    else {
+                        reject(new Error(`Job run ended with status: ${run.status}`));
+                    }
+                }, {
+                    softTimeoutMs,
+                    // turnId defaults to runId — fine for single-turn jobs
                 });
-            }
-            finally {
-                clearTimeout(timeout);
-            }
+                // Hard-abort backstop: abort the run-manager's own controller after
+                // 5 minutes if it hasn't finished naturally.
+                clearTimeout(hardAbortTimer);
+                setTimeout(() => {
+                    if (activeRun.status === "running") {
+                        activeRun.abort.abort("job_hard_timeout");
+                        reject(new Error("Job timed out after 5 minutes"));
+                    }
+                }, 5 * 60 * 1000);
+            }).catch((err) => {
+                jobError = err;
+            });
+            if (jobError)
+                throw jobError;
             // Success — update status. Compute the next run from completion time,
             // not the job's start time `now`: a long run could otherwise schedule a
             // nextRun that's already in the past and re-fire immediately next tick.

package/dist/jobs/scheduler.js.map

@@ -1 +1 @@
-{"version":3,"file":"scheduler.js","sourceRoot":"","sources":["../../src/jobs/scheduler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACtE,OAAO,EACL,qBAAqB,EACrB,WAAW,GAEZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,oBAAoB,GAErB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAiBxD,MAAM,cAAc,GAAG,oCAAoC,CAAC;AAE5D,MAAM,UAAU,mBAAmB,CAAC,OAAe;IAIjD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,IAAI,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE;YACtC,IAAI,EAAE,OAAO;SACd,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAE7B,MAAM,IAAI,GAAmB,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAE7D,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,QAAQ,KAAK,CAAC,CAAC;YAAE,SAAS;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAE5C,eAAe;QACf,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QAED,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,UAAU;gBACb,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC;gBACtB,MAAM;YACR,KAAK,SAAS;gBACZ,IAAI,CAAC,OAAO,GAAG,KAAK,KAAK,OAAO,CAAC;gBACjC,MAAM;YACR,KAAK,WAAW;gBACd,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;gBACvB,MAAM;YACR,KAAK,OAAO;gBACV,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;gBACnB,MAAM;YACR,KAAK,OAAO;gBACV,IAAI,CAAC,KAAK;oBACR,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;gBAChE,MAAM;YACR,KAAK,SAAS;gBACZ,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;gBACrB,MAAM;YACR,KAAK,YAAY;gBACf,IAAI,CAAC,UAAU,GAAG,KAAqC,CAAC;gBACxD,MAAM;YACR,KAAK,WAAW;gBACd,mDAAmD;gBACnD,IAAI,CAAC,SAAS,GAAG,KAAK;qBACnB,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC;qBACrB,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC;qBACrB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;qBACpB,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;gBAC1B,MAAM;YACR,KAAK,SAAS;gBACZ,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;gBACrB,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,IAAoB,EAAE,IAAY;IAChE,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC;IACtB,KAAK,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC;IAC3C,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACvC,IAAI,IAAI,CAAC,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAC/D,IAAI,IAAI,CAAC,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IACnD,IAAI,IAAI,CAAC,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IACnD,IAAI,IAAI,CAAC,OAAO;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACzD,IAAI,IAAI,CAAC,UAAU;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;IAClE,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,wEAAwE;QACxE,0EAA0E;QAC1E,sEAAsE;QACtE,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS;aAC3B,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;aACtB,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;aACpB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;aACrB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,eAAe,OAAO,GAAG,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,IAAI,CAAC,OAAO;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACzD,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAeD,IAAI,UAAU,GAAG,KAAK,CAAC;AAEvB,0EAA0E;AAC1E,4EAA4E;AAC5E,qEAAqE;AACrE,IAAI,aAAkC,CAAC;AACvC,IAAI,cAAc,GAAG,CAAC,CAAC;AACvB,MAAM,sBAAsB,GAAG,CAAC,GAAG,MAAM,CAAC;AAC1C,IAAI,kBAAkB,GAAG,KAAK,CAAC;AAE/B,SAAS,6BAA6B;IACpC,IAAI,kBAAkB;QAAE,OAAO;IAC/B,kBAAkB,GAAG,IAAI,CAAC;IAC1B,oDAAoD;IACpD,MAAM,CAAC,yBAAyB,CAAC;SAC9B,IAAI,CAAC,CAAC,EAAE,mBAAmB,EAAE,EAAE,EAAE;QAChC,mBAAmB,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,KAAU,EAAE,EAAE;YACnD,IAAI,OAAO,KAAK,EAAE,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtE,aAAa,GAAG,SAAS,CAAC;YAC5B,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;SACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACb,OAAO,CAAC,IAAI,CACV,4CAA4C,EAC5C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,IAAmB;IAC5D,0BAA0B;IAC1B,IAAI,UAAU;QAAE,OAAO;IAEvB,6BAA6B,EAAE,CAAC;IAEhC,mEAAmE;IACnE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,IACE,aAAa,KAAK,KAAK;QACvB,KAAK,GAAG,cAAc,GAAG,sBAAsB,EAC/C,CAAC;QACD,OAAO;IACT,CAAC;IAED,UAAU,GAAG,IAAI,CAAC;IAElB,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC1D,aAAa,GAAG,YAAY,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC3D,CAAC;QACF,cAAc,GAAG,KAAK,CAAC;QACvB,IAAI,CAAC,aAAa;YAAE,OAAO;QAC3B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,mCAAmC;YACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,SAAS;YAC7C,IAAI,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,SAAS;YAE9C,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,mBAAmB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAE7D,oCAAoC;YACpC,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAC9C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAE1C,+EAA+E;YAC/E,8EAA8E;YAC9E,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;gBAClC,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;gBACnC,IACE,IAAI,CAAC,OAAO;oBACZ,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,GAAG,WAAW,EAC9D,CAAC;oBACD,SAAS;gBACX,CAAC;gBACD,gDAAgD;gBAChD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC;gBAC1B,IAAI,CAAC,SAAS,GAAG,yCAAyC,CAAC;gBAC3D,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;gBAChD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBAClC,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;gBAC3C,SAAS;YACX,CAAC;YAED,eAAe;YACf,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC3C,IAAI,WAAW,GAAG,GAAG;oBAAE,SAAS;YAClC,CAAC;iBAAM,CAAC;gBACN,wEAAwE;gBACxE,sEAAsE;gBACtE,6DAA6D;gBAC7D,yDAAyD;gBACzD,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;gBAChD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBAClC,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;gBAC3C,SAAS;YACX,CAAC;YAED,wBAAwB;YACxB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBAAE,SAAS;YAE3B,kBAAkB;YAClB,MAAM,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,yEAAyE;QACzE,yEAAyE;QACzE,wCAAwC;QACxC,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;QAC9D,IAAI,iBAAiB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3B,aAAa,GAAG,SAAS,CAAC,CAAC,yCAAyC;YACpE,cAAc,GAAG,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;QACD,gGAAgG;QAChG,MAAM,MAAM,GACV,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,GAAG;YACL,CAAC,CAAC,CAAE,GAAW,EAAE,KAAK,IAAK,GAAW,EAAE,OAAO,IAAI,GAAG,CAAC,CAAC;QAC5D,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAC;IACnE,CAAC;YAAS,CAAC;QACT,UAAU,GAAG,KAAK,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,KAAK,UAAU,oBAAoB,CACjC,YAAoB,EACpB,QAA4B;IAE5B,mEAAmE;IACnE,uBAAuB;IACvB,IAAI,YAAY,KAAK,YAAY;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACvD,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;QACvB,oEAAoE;QACpE,iDAAiD;QACjD,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAClC,GAAG,EAAE,8CAA8C;YACnD,IAAI,EAAE,CAAC,YAAY,CAAC;SACrB,CAAC,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,YAAY,oBAAoB,EAAE,CAAC;QAC1E,CAAC;QACD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;gBACpC,GAAG,EAAE,gFAAgF;gBACrF,IAAI,EAAE,CAAC,QAAQ,EAAE,YAAY,CAAC;aAC/B,CAAC,CAAC;YACH,IAAI,CAAC,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzD,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,SAAS,YAAY,mCAAmC,QAAQ,GAAG;iBAC5E,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,oEAAoE;QACpE,qEAAqE;QACrE,8CAA8C;QAC9C,MAAM,GAAG,GAAG,GAAG,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;QAC9C,IACE,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAC9B,GAAG,CAAC,QAAQ,CAAC,eAAe,CAAC;YAC7B,GAAG,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAC/B,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,sEAAsE;QACtE,oEAAoE;QACpE,kCAAkC;QAClC,OAAO,CAAC,IAAI,CACV,2DAA2D,YAAY,IAAI,EAC3E,GAAG,EAAE,OAAO,CACb,CAAC;QACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,QAAkB,EAClB,IAAoB,EACpB,IAAY,EACZ,IAAmB,EACnB,GAAS;IAET,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAE1E,0EAA0E;IAC1E,qCAAqC;IACrC,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,IAAI,SAAS,CAAC;IAC/C,MAAM,YAAY,GAChB,cAAc,KAAK,SAAS;QAC1B,CAAC,CAAC,IAAI,CAAC,SAAS,IAAI,QAAQ,CAAC,KAAK;QAClC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;IACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,IAAI,SAAS,CAAC;IAEzC,qEAAqE;IACrE,wEAAwE;IACxE,gEAAgE;IAChE,kEAAkE;IAClE,iBAAiB;IACjB,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;IACpE,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CACV,kCAAkC,OAAO,MAAM,QAAQ,CAAC,MAAM,IAAI;YAChE,wEAAwE,CAC3E,CAAC;QACF,qEAAqE;QACrE,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACjC,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;QAC5B,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC;QACjC,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QAC3C,OAAO;IACT,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;IAC5B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC3B,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAE3C,MAAM,qBAAqB,CACzB,EAAE,SAAS,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,EAC5C,KAAK,IAAI,EAAE;QACT,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;YAClC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;YAC9D,MAAM,KAAK,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;YAE5C,gEAAgE;YAChE,8DAA8D;YAC9D,iEAAiE;YACjE,MAAM,UAAU,GAAG,MAAM,oBAAoB,CAAC,YAAY,CAAC,CAAC;YAC5D,MAAM,MAAM,GACV,IAAI,CAAC,MAAM;gBACX,CAAC,MAAM,aAAa,CAAC;oBACnB,MAAM,EAAE,UAAU,IAAI,IAAI,CAAC,MAAM;oBACjC,KAAK,EAAE,IAAI,CAAC,KAAK;iBAClB,CAAC,CAAC,CAAC;YACN,MAAM,KAAK,GACT,IAAI,CAAC,KAAK;gBACV,CAAC,MAAM,uBAAuB,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;gBAC9D,MAAM,CAAC,YAAY,CAAC;YAEtB,oCAAoC;YACpC,MAAM,WAAW,GAAG,QAAQ,OAAO,MAAM,GAAG,CAAC,kBAAkB,EAAE,EAAE,CAAC;YACpE,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;YAExE,MAAM,OAAO,GAAG,mBAAmB,OAAO,gBAAgB,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,kDAAkD,IAAI,EAAE,CAAC;YAC9I,MAAM,QAAQ,GAAG;gBACf;oBACE,IAAI,EAAE,MAAe;oBACrB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;iBACpD;aACF,CAAC;YAEF,mBAAmB;YACnB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAEpE,MAAM,MAAM,GAAqB,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,CAAC,KAAqB,EAAE,EAAE;gBACrC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC,CAAC;YAEF,IAAI,CAAC;gBACH,MAAM,YAAY,CAAC;oBACjB,MAAM;oBACN,KAAK;oBACL,YAAY;oBACZ,KAAK;oBACL,QAAQ;oBACR,OAAO;oBACP,IAAI;oBACJ,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;YACL,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,OAAO,CAAC,CAAC;YACxB,CAAC;YAED,sEAAsE;YACtE,wEAAwE;YACxE,wEAAwE;YACxE,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;YACvD,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;YAC5B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAClC,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;YAE3C,OAAO,CAAC,GAAG,CACT,yBAAyB,OAAO,0BAA0B,IAAI,CAAC,OAAO,EAAE,CACzE,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,iEAAiE;YACjE,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;YACvD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC;YAC1B,IAAI,CAAC,SAAS,GAAG,GAAG,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,eAAe,CAAC;YAChE,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAClC,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;YAE3C,OAAO,CAAC,KAAK,CACX,yBAAyB,OAAO,WAAW,EAC3C,GAAG,EAAE,OAAO,CACb,CAAC;QACJ,CAAC;IACH,CAAC,CACF,CAAC,CAAC,4BAA4B;AACjC,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,QAAkB,EAClB,IAAoB,EACpB,IAAY;IAEZ,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5C,MAAM,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5D,CAAC","sourcesContent":["import { runWithRequestContext } from \"../server/request-context.js\";\nimport { nextOccurrence, isValidCron, describeCron } from \"./cron.js\";\nimport {\n  resourceListAllOwners,\n  resourcePut,\n  type Resource,\n} from \"../resources/store.js\";\nimport {\n  runAgentLoop,\n  actionsToEngineTools,\n  getOwnerActiveApiKey,\n  type ActionEntry,\n} from \"../agent/production-agent.js\";\nimport {\n  getStoredModelForEngine,\n  resolveEngine,\n} from \"../agent/engine/index.js\";\nimport type { AgentEngine } from \"../agent/engine/types.js\";\nimport { createThread } from \"../chat-threads/store.js\";\nimport type { AgentChatEvent } from \"../agent/types.js\";\n\n// ─── Frontmatter parsing ────────────────────────────────────────────────────\n\nexport interface JobFrontmatter {\n  schedule: string;\n  enabled: boolean;\n  createdBy?: string;\n  orgId?: string;\n  runAs?: \"creator\" | \"shared\";\n  lastRun?: string;\n  lastStatus?: \"success\" | \"error\" | \"running\" | \"skipped\";\n  lastError?: string;\n  nextRun?: string;\n}\n\nconst FRONTMATTER_RE = /^---\\n([\\s\\S]*?)\\n---\\n?([\\s\\S]*)$/;\n\nexport function parseJobFrontmatter(content: string): {\n  meta: JobFrontmatter;\n  body: string;\n} {\n  const match = content.match(FRONTMATTER_RE);\n  if (!match) {\n    return {\n      meta: { schedule: \"\", enabled: false },\n      body: content,\n    };\n  }\n\n  const yamlBlock = match[1];\n  const body = match[2].trim();\n\n  const meta: JobFrontmatter = { schedule: \"\", enabled: true };\n\n  for (const line of yamlBlock.split(\"\\n\")) {\n    const colonIdx = line.indexOf(\":\");\n    if (colonIdx === -1) continue;\n    const key = line.slice(0, colonIdx).trim();\n    let value = line.slice(colonIdx + 1).trim();\n\n    // Strip quotes\n    if (\n      (value.startsWith('\"') && value.endsWith('\"')) ||\n      (value.startsWith(\"'\") && value.endsWith(\"'\"))\n    ) {\n      value = value.slice(1, -1);\n    }\n\n    switch (key) {\n      case \"schedule\":\n        meta.schedule = value;\n        break;\n      case \"enabled\":\n        meta.enabled = value !== \"false\";\n        break;\n      case \"createdBy\":\n        meta.createdBy = value;\n        break;\n      case \"orgId\":\n        meta.orgId = value;\n        break;\n      case \"runAs\":\n        meta.runAs =\n          value === \"shared\" || value === \"creator\" ? value : undefined;\n        break;\n      case \"lastRun\":\n        meta.lastRun = value;\n        break;\n      case \"lastStatus\":\n        meta.lastStatus = value as JobFrontmatter[\"lastStatus\"];\n        break;\n      case \"lastError\":\n        // Reverse the escaping applied in buildJobContent.\n        meta.lastError = value\n          .replace(/\\\\n/g, \"\\n\")\n          .replace(/\\\\r/g, \"\\r\")\n          .replace(/\\\\\"/g, '\"')\n          .replace(/\\\\\\\\/g, \"\\\\\");\n        break;\n      case \"nextRun\":\n        meta.nextRun = value;\n        break;\n    }\n  }\n\n  return { meta, body };\n}\n\nexport function buildJobContent(meta: JobFrontmatter, body: string): string {\n  const lines = [`---`];\n  lines.push(`schedule: \"${meta.schedule}\"`);\n  lines.push(`enabled: ${meta.enabled}`);\n  if (meta.createdBy) lines.push(`createdBy: ${meta.createdBy}`);\n  if (meta.orgId) lines.push(`orgId: ${meta.orgId}`);\n  if (meta.runAs) lines.push(`runAs: ${meta.runAs}`);\n  if (meta.lastRun) lines.push(`lastRun: ${meta.lastRun}`);\n  if (meta.lastStatus) lines.push(`lastStatus: ${meta.lastStatus}`);\n  if (meta.lastError) {\n    // Escape backslash, quote, then CR/LF. The frontmatter parser splits on\n    // \"\\n\", so an un-escaped newline (common in stack traces) would otherwise\n    // split the value across lines and corrupt/truncate the stored error.\n    const escaped = meta.lastError\n      .replace(/\\\\/g, \"\\\\\\\\\")\n      .replace(/\"/g, '\\\\\"')\n      .replace(/\\r/g, \"\\\\r\")\n      .replace(/\\n/g, \"\\\\n\");\n    lines.push(`lastError: \"${escaped}\"`);\n  }\n  if (meta.nextRun) lines.push(`nextRun: ${meta.nextRun}`);\n  lines.push(`---`);\n  lines.push(\"\");\n  lines.push(body);\n  return lines.join(\"\\n\");\n}\n\n// ─── Job execution ──────────────────────────────────────────────────────────\n\nexport interface SchedulerDeps {\n  getActions: () => Record<string, ActionEntry>;\n  getSystemPrompt: (owner: string) => Promise<string>;\n  /** Optional engine override. Defaults to the resolved request engine. */\n  engine?: AgentEngine;\n  apiKey?: string;\n  model?: string;\n  /** App/template id used for org-scoped per-app model defaults. */\n  appId?: string;\n}\n\nlet _isRunning = false;\n\n// Skip the DB query on every tick if we recently confirmed no jobs exist.\n// `_hasJobsCache` is invalidated whenever a `jobs/*` resource is written or\n// deleted (subscribed below), and refreshed at most every 5 minutes.\nlet _hasJobsCache: boolean | undefined;\nlet _lastJobsCheck = 0;\nconst JOBS_CHECK_INTERVAL_MS = 5 * 60_000;\nlet _emitterSubscribed = false;\n\nfunction subscribeToJobsResourceEvents(): void {\n  if (_emitterSubscribed) return;\n  _emitterSubscribed = true;\n  // Lazy import to avoid circular deps at module load\n  import(\"../resources/emitter.js\")\n    .then(({ getResourcesEmitter }) => {\n      getResourcesEmitter().on(\"resources\", (event: any) => {\n        if (typeof event?.path === \"string\" && event.path.startsWith(\"jobs/\")) {\n          _hasJobsCache = undefined;\n        }\n      });\n    })\n    .catch((err) => {\n      console.warn(\n        \"[jobs] resource-event subscription failed:\",\n        err instanceof Error ? err.message : err,\n      );\n    });\n}\n\n/**\n * Process all due recurring jobs. Called every 60 seconds.\n * Sequential execution with 5-minute timeout per job.\n */\nexport async function processRecurringJobs(deps: SchedulerDeps): Promise<void> {\n  // Prevent concurrent runs\n  if (_isRunning) return;\n\n  subscribeToJobsResourceEvents();\n\n  // Skip if we recently confirmed there are no job resources to run.\n  const nowMs = Date.now();\n  if (\n    _hasJobsCache === false &&\n    nowMs - _lastJobsCheck < JOBS_CHECK_INTERVAL_MS\n  ) {\n    return;\n  }\n\n  _isRunning = true;\n\n  try {\n    const jobResources = await resourceListAllOwners(\"jobs/\");\n    _hasJobsCache = jobResources.some(\n      (r) => r.path.endsWith(\".md\") && !r.path.endsWith(\".keep\"),\n    );\n    _lastJobsCheck = nowMs;\n    if (!_hasJobsCache) return;\n    const now = new Date();\n\n    for (const resource of jobResources) {\n      // Skip non-markdown or .keep files\n      if (!resource.path.endsWith(\".md\")) continue;\n      if (resource.path.endsWith(\".keep\")) continue;\n\n      const { meta, body } = parseJobFrontmatter(resource.content);\n\n      // Skip disabled or missing schedule\n      if (!meta.enabled || !meta.schedule) continue;\n      if (!isValidCron(meta.schedule)) continue;\n\n      // Skip if currently running, unless it has been stuck for more than 10 minutes\n      // (server crash mid-job leaves lastStatus=running forever without this guard)\n      if (meta.lastStatus === \"running\") {\n        const stuckCutoff = 10 * 60 * 1000;\n        if (\n          meta.lastRun &&\n          now.getTime() - new Date(meta.lastRun).getTime() < stuckCutoff\n        ) {\n          continue;\n        }\n        // Stuck — reset so the next check can re-run it\n        meta.lastStatus = \"error\";\n        meta.lastError = \"Job timed out or server crashed mid-run\";\n        const next = nextOccurrence(meta.schedule, now);\n        meta.nextRun = next.toISOString();\n        await updateResource(resource, meta, body);\n        continue;\n      }\n\n      // Check if due\n      if (meta.nextRun) {\n        const nextRunDate = new Date(meta.nextRun);\n        if (nextRunDate > now) continue;\n      } else {\n        // No nextRun computed yet — seed it from `now` so the job waits for its\n        // real next occurrence. Computing from new Date(0) (the epoch) always\n        // returns a 1970 date, which is < now, so the job would fire\n        // immediately on first sight regardless of its schedule.\n        const next = nextOccurrence(meta.schedule, now);\n        meta.nextRun = next.toISOString();\n        await updateResource(resource, meta, body);\n        continue;\n      }\n\n      // Skip if body is empty\n      if (!body.trim()) continue;\n\n      // Execute the job\n      await executeJob(resource, meta, body, deps, now);\n    }\n  } catch (err) {\n    // Transient WS / connection drops (Neon serverless): silently retry next\n    // tick instead of spamming stderr — `retryOnConnectionError` already did\n    // its retry budget at the driver level.\n    const { isConnectionError } = await import(\"../db/client.js\");\n    if (isConnectionError(err)) {\n      _hasJobsCache = undefined; // force re-check on next successful tick\n      _lastJobsCheck = 0;\n      return;\n    }\n    // Unwrap ErrorEvent (Neon WS driver emits these on network failure) so logs show the real cause\n    const detail =\n      err instanceof Error\n        ? err\n        : ((err as any)?.error ?? (err as any)?.message ?? err);\n    console.error(\"[recurring-jobs] Error processing jobs:\", detail);\n  } finally {\n    _isRunning = false;\n  }\n}\n\n/**\n * Validate that the run-as user still exists and (if scoped to an org) is\n * still a member of that org. Skips the check for the dev-mode bypass\n * identity and the shared-owner sentinel, neither of which map to a real\n * user row.\n *\n * SECURITY: without this check the scheduler keeps running jobs as\n * `meta.createdBy` indefinitely — even after the user has been deleted,\n * removed from the org, or had their account disabled. The cron entry\n * itself is left intact so an admin can purge it manually after the\n * underlying user-state issue is investigated. See audit 12 #10.\n */\nasync function isJobRunAsStillValid(\n  jobUserEmail: string,\n  jobOrgId: string | undefined,\n): Promise<{ ok: boolean; reason?: string }> {\n  // Shared-owner sentinel isn't a real user (used by jobs run as the\n  // workspace identity).\n  if (jobUserEmail === \"__shared__\") return { ok: true };\n  try {\n    const { getDbExec } = await import(\"../db/client.js\");\n    const db = getDbExec();\n    // Better Auth's user table is named \"user\" (singular). The reserved\n    // word is quoted to avoid ambiguity in Postgres.\n    const userResult = await db.execute({\n      sql: `SELECT 1 FROM \"user\" WHERE email = ? LIMIT 1`,\n      args: [jobUserEmail],\n    });\n    if (!userResult.rows || userResult.rows.length === 0) {\n      return { ok: false, reason: `user \"${jobUserEmail}\" no longer exists` };\n    }\n    if (jobOrgId) {\n      const memberResult = await db.execute({\n        sql: `SELECT 1 FROM org_members WHERE org_id = ? AND LOWER(email) = LOWER(?) LIMIT 1`,\n        args: [jobOrgId, jobUserEmail],\n      });\n      if (!memberResult.rows || memberResult.rows.length === 0) {\n        return {\n          ok: false,\n          reason: `user \"${jobUserEmail}\" is no longer a member of org \"${jobOrgId}\"`,\n        };\n      }\n    }\n    return { ok: true };\n  } catch (err: any) {\n    // Tables may not exist on a brand-new install (no auth tables yet).\n    // Treat that as \"valid\" rather than blocking every job. The check is\n    // only meaningful once the auth tables exist.\n    const msg = err?.message?.toLowerCase() ?? \"\";\n    if (\n      msg.includes(\"does not exist\") ||\n      msg.includes(\"no such table\") ||\n      msg.includes(\"undefined table\")\n    ) {\n      return { ok: true };\n    }\n    // Any other DB error: be conservative and let the job run rather than\n    // blocking on an unexpected failure mode (e.g. transient connection\n    // issue). We log so it's visible.\n    console.warn(\n      `[recurring-jobs] User/membership validation failed for \"${jobUserEmail}\":`,\n      err?.message,\n    );\n    return { ok: true };\n  }\n}\n\nasync function executeJob(\n  resource: Resource,\n  meta: JobFrontmatter,\n  body: string,\n  deps: SchedulerDeps,\n  now: Date,\n): Promise<void> {\n  const jobName = resource.path.replace(/^jobs\\//, \"\").replace(/\\.md$/, \"\");\n\n  // Set owner context so all scoped operations (app-state, resources, etc.)\n  // operate on the correct user's data\n  const effectiveRunAs = meta.runAs ?? \"creator\";\n  const jobUserEmail =\n    effectiveRunAs === \"creator\"\n      ? meta.createdBy || resource.owner\n      : resource.owner;\n  const jobOrgId = meta.orgId ?? undefined;\n\n  // SECURITY (audit 12 #10): re-validate the run-as user/membership on\n  // every tick. Sharing revocation, user deletion, and org-member removal\n  // must take effect for already-scheduled jobs. Skip the tick on\n  // failure; leave the cron entry alone so an admin can purge after\n  // investigation.\n  const validity = await isJobRunAsStillValid(jobUserEmail, jobOrgId);\n  if (!validity.ok) {\n    console.warn(\n      `[recurring-jobs] Skipping job \"${jobName}\": ${validity.reason}. ` +\n        `User/membership no longer valid — leaving cron entry for admin review.`,\n    );\n    // Mark as skipped without resetting nextRun so an admin can find it.\n    meta.lastRun = now.toISOString();\n    meta.lastStatus = \"skipped\";\n    meta.lastError = validity.reason;\n    await updateResource(resource, meta, body);\n    return;\n  }\n\n  // Mark as running\n  meta.lastRun = now.toISOString();\n  meta.lastStatus = \"running\";\n  meta.lastError = undefined;\n  await updateResource(resource, meta, body);\n\n  await runWithRequestContext(\n    { userEmail: jobUserEmail, orgId: jobOrgId },\n    async () => {\n      try {\n        const actions = deps.getActions();\n        const systemPrompt = await deps.getSystemPrompt(jobUserEmail);\n        const tools = actionsToEngineTools(actions);\n\n        // Prefer the job runner's saved Anthropic key so recurring jobs\n        // don't silently bill the shared platform key once a user has\n        // brought their own. Falls back to the platform key when absent.\n        const userApiKey = await getOwnerActiveApiKey(jobUserEmail);\n        const engine =\n          deps.engine ??\n          (await resolveEngine({\n            apiKey: userApiKey ?? deps.apiKey,\n            appId: deps.appId,\n          }));\n        const model =\n          deps.model ??\n          (await getStoredModelForEngine(engine, { appId: deps.appId })) ??\n          engine.defaultModel;\n\n        // Create a chat thread for this run\n        const threadTitle = `Job: ${jobName} — ${now.toLocaleDateString()}`;\n        const thread = await createThread(jobUserEmail, { title: threadTitle });\n\n        const jobText = `[Recurring Job: ${jobName}]\\nSchedule: ${describeCron(meta.schedule)}\\n\\nExecute the following job instructions:\\n\\n${body}`;\n        const messages = [\n          {\n            role: \"user\" as const,\n            content: [{ type: \"text\" as const, text: jobText }],\n          },\n        ];\n\n        // 5-minute timeout\n        const controller = new AbortController();\n        const timeout = setTimeout(() => controller.abort(), 5 * 60 * 1000);\n\n        const events: AgentChatEvent[] = [];\n        const send = (event: AgentChatEvent) => {\n          events.push(event);\n        };\n\n        try {\n          await runAgentLoop({\n            engine,\n            model,\n            systemPrompt,\n            tools,\n            messages,\n            actions,\n            send,\n            signal: controller.signal,\n          });\n        } finally {\n          clearTimeout(timeout);\n        }\n\n        // Success — update status. Compute the next run from completion time,\n        // not the job's start time `now`: a long run could otherwise schedule a\n        // nextRun that's already in the past and re-fire immediately next tick.\n        const next = nextOccurrence(meta.schedule, new Date());\n        meta.lastStatus = \"success\";\n        meta.nextRun = next.toISOString();\n        await updateResource(resource, meta, body);\n\n        console.log(\n          `[recurring-jobs] Job \"${jobName}\" completed. Next run: ${meta.nextRun}`,\n        );\n      } catch (err: any) {\n        // Error — update status. Use completion time (see success path).\n        const next = nextOccurrence(meta.schedule, new Date());\n        meta.lastStatus = \"error\";\n        meta.lastError = err?.message?.slice(0, 200) || \"Unknown error\";\n        meta.nextRun = next.toISOString();\n        await updateResource(resource, meta, body);\n\n        console.error(\n          `[recurring-jobs] Job \"${jobName}\" failed:`,\n          err?.message,\n        );\n      }\n    },\n  ); // end runWithRequestContext\n}\n\nasync function updateResource(\n  resource: Resource,\n  meta: JobFrontmatter,\n  body: string,\n): Promise<void> {\n  const content = buildJobContent(meta, body);\n  await resourcePut(resource.owner, resource.path, content);\n}\n"]}
+{"version":3,"file":"scheduler.js","sourceRoot":"","sources":["../../src/jobs/scheduler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACtE,OAAO,EACL,qBAAqB,EACrB,WAAW,GAEZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,oBAAoB,GAErB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,QAAQ,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAgB5E,MAAM,cAAc,GAAG,oCAAoC,CAAC;AAE5D,MAAM,UAAU,mBAAmB,CAAC,OAAe;IAIjD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,IAAI,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE;YACtC,IAAI,EAAE,OAAO;SACd,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAE7B,MAAM,IAAI,GAAmB,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAE7D,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,QAAQ,KAAK,CAAC,CAAC;YAAE,SAAS;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAE5C,eAAe;QACf,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QAED,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,UAAU;gBACb,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC;gBACtB,MAAM;YACR,KAAK,SAAS;gBACZ,IAAI,CAAC,OAAO,GAAG,KAAK,KAAK,OAAO,CAAC;gBACjC,MAAM;YACR,KAAK,WAAW;gBACd,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;gBACvB,MAAM;YACR,KAAK,OAAO;gBACV,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;gBACnB,MAAM;YACR,KAAK,OAAO;gBACV,IAAI,CAAC,KAAK;oBACR,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;gBAChE,MAAM;YACR,KAAK,SAAS;gBACZ,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;gBACrB,MAAM;YACR,KAAK,YAAY;gBACf,IAAI,CAAC,UAAU,GAAG,KAAqC,CAAC;gBACxD,MAAM;YACR,KAAK,WAAW;gBACd,mDAAmD;gBACnD,IAAI,CAAC,SAAS,GAAG,KAAK;qBACnB,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC;qBACrB,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC;qBACrB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;qBACpB,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;gBAC1B,MAAM;YACR,KAAK,SAAS;gBACZ,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;gBACrB,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,IAAoB,EAAE,IAAY;IAChE,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC;IACtB,KAAK,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC;IAC3C,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACvC,IAAI,IAAI,CAAC,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAC/D,IAAI,IAAI,CAAC,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IACnD,IAAI,IAAI,CAAC,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IACnD,IAAI,IAAI,CAAC,OAAO;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACzD,IAAI,IAAI,CAAC,UAAU;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;IAClE,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,wEAAwE;QACxE,0EAA0E;QAC1E,sEAAsE;QACtE,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS;aAC3B,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;aACtB,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;aACpB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;aACrB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,eAAe,OAAO,GAAG,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,IAAI,CAAC,OAAO;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACzD,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAeD,IAAI,UAAU,GAAG,KAAK,CAAC;AAEvB,0EAA0E;AAC1E,4EAA4E;AAC5E,qEAAqE;AACrE,IAAI,aAAkC,CAAC;AACvC,IAAI,cAAc,GAAG,CAAC,CAAC;AACvB,MAAM,sBAAsB,GAAG,CAAC,GAAG,MAAM,CAAC;AAC1C,IAAI,kBAAkB,GAAG,KAAK,CAAC;AAE/B,SAAS,6BAA6B;IACpC,IAAI,kBAAkB;QAAE,OAAO;IAC/B,kBAAkB,GAAG,IAAI,CAAC;IAC1B,oDAAoD;IACpD,MAAM,CAAC,yBAAyB,CAAC;SAC9B,IAAI,CAAC,CAAC,EAAE,mBAAmB,EAAE,EAAE,EAAE;QAChC,mBAAmB,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,KAAU,EAAE,EAAE;YACnD,IAAI,OAAO,KAAK,EAAE,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtE,aAAa,GAAG,SAAS,CAAC;YAC5B,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;SACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACb,OAAO,CAAC,IAAI,CACV,4CAA4C,EAC5C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,IAAmB;IAC5D,0BAA0B;IAC1B,IAAI,UAAU;QAAE,OAAO;IAEvB,6BAA6B,EAAE,CAAC;IAEhC,mEAAmE;IACnE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,IACE,aAAa,KAAK,KAAK;QACvB,KAAK,GAAG,cAAc,GAAG,sBAAsB,EAC/C,CAAC;QACD,OAAO;IACT,CAAC;IAED,UAAU,GAAG,IAAI,CAAC;IAElB,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC1D,aAAa,GAAG,YAAY,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC3D,CAAC;QACF,cAAc,GAAG,KAAK,CAAC;QACvB,IAAI,CAAC,aAAa;YAAE,OAAO;QAC3B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,mCAAmC;YACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,SAAS;YAC7C,IAAI,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,SAAS;YAE9C,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,mBAAmB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAE7D,oCAAoC;YACpC,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAC9C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAE1C,+EAA+E;YAC/E,8EAA8E;YAC9E,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;gBAClC,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;gBACnC,IACE,IAAI,CAAC,OAAO;oBACZ,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,GAAG,WAAW,EAC9D,CAAC;oBACD,SAAS;gBACX,CAAC;gBACD,gDAAgD;gBAChD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC;gBAC1B,IAAI,CAAC,SAAS,GAAG,yCAAyC,CAAC;gBAC3D,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;gBAChD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBAClC,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;gBAC3C,SAAS;YACX,CAAC;YAED,eAAe;YACf,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC3C,IAAI,WAAW,GAAG,GAAG;oBAAE,SAAS;YAClC,CAAC;iBAAM,CAAC;gBACN,wEAAwE;gBACxE,sEAAsE;gBACtE,6DAA6D;gBAC7D,yDAAyD;gBACzD,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;gBAChD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBAClC,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;gBAC3C,SAAS;YACX,CAAC;YAED,wBAAwB;YACxB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBAAE,SAAS;YAE3B,kBAAkB;YAClB,MAAM,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,yEAAyE;QACzE,yEAAyE;QACzE,wCAAwC;QACxC,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;QAC9D,IAAI,iBAAiB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3B,aAAa,GAAG,SAAS,CAAC,CAAC,yCAAyC;YACpE,cAAc,GAAG,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;QACD,gGAAgG;QAChG,MAAM,MAAM,GACV,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,GAAG;YACL,CAAC,CAAC,CAAE,GAAW,EAAE,KAAK,IAAK,GAAW,EAAE,OAAO,IAAI,GAAG,CAAC,CAAC;QAC5D,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,MAAM,CAAC,CAAC;IACnE,CAAC;YAAS,CAAC;QACT,UAAU,GAAG,KAAK,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,KAAK,UAAU,oBAAoB,CACjC,YAAoB,EACpB,QAA4B;IAE5B,mEAAmE;IACnE,uBAAuB;IACvB,IAAI,YAAY,KAAK,YAAY;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACvD,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;QACvB,oEAAoE;QACpE,iDAAiD;QACjD,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAClC,GAAG,EAAE,8CAA8C;YACnD,IAAI,EAAE,CAAC,YAAY,CAAC;SACrB,CAAC,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,YAAY,oBAAoB,EAAE,CAAC;QAC1E,CAAC;QACD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;gBACpC,GAAG,EAAE,gFAAgF;gBACrF,IAAI,EAAE,CAAC,QAAQ,EAAE,YAAY,CAAC;aAC/B,CAAC,CAAC;YACH,IAAI,CAAC,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzD,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,SAAS,YAAY,mCAAmC,QAAQ,GAAG;iBAC5E,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,oEAAoE;QACpE,qEAAqE;QACrE,8CAA8C;QAC9C,MAAM,GAAG,GAAG,GAAG,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;QAC9C,IACE,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAC9B,GAAG,CAAC,QAAQ,CAAC,eAAe,CAAC;YAC7B,GAAG,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAC/B,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,sEAAsE;QACtE,oEAAoE;QACpE,kCAAkC;QAClC,OAAO,CAAC,IAAI,CACV,2DAA2D,YAAY,IAAI,EAC3E,GAAG,EAAE,OAAO,CACb,CAAC;QACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,QAAkB,EAClB,IAAoB,EACpB,IAAY,EACZ,IAAmB,EACnB,GAAS;IAET,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAE1E,0EAA0E;IAC1E,qCAAqC;IACrC,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,IAAI,SAAS,CAAC;IAC/C,MAAM,YAAY,GAChB,cAAc,KAAK,SAAS;QAC1B,CAAC,CAAC,IAAI,CAAC,SAAS,IAAI,QAAQ,CAAC,KAAK;QAClC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;IACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,IAAI,SAAS,CAAC;IAEzC,qEAAqE;IACrE,wEAAwE;IACxE,gEAAgE;IAChE,kEAAkE;IAClE,iBAAiB;IACjB,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;IACpE,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CACV,kCAAkC,OAAO,MAAM,QAAQ,CAAC,MAAM,IAAI;YAChE,wEAAwE,CAC3E,CAAC;QACF,qEAAqE;QACrE,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACjC,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;QAC5B,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC;QACjC,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QAC3C,OAAO;IACT,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;IAC5B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC3B,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAE3C,MAAM,qBAAqB,CACzB,EAAE,SAAS,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,EAC5C,KAAK,IAAI,EAAE;QACT,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;YAClC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;YAC9D,MAAM,KAAK,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;YAE5C,gEAAgE;YAChE,8DAA8D;YAC9D,iEAAiE;YACjE,MAAM,UAAU,GAAG,MAAM,oBAAoB,CAAC,YAAY,CAAC,CAAC;YAC5D,MAAM,MAAM,GACV,IAAI,CAAC,MAAM;gBACX,CAAC,MAAM,aAAa,CAAC;oBACnB,MAAM,EAAE,UAAU,IAAI,IAAI,CAAC,MAAM;oBACjC,KAAK,EAAE,IAAI,CAAC,KAAK;iBAClB,CAAC,CAAC,CAAC;YACN,MAAM,KAAK,GACT,IAAI,CAAC,KAAK;gBACV,CAAC,MAAM,uBAAuB,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;gBAC9D,MAAM,CAAC,YAAY,CAAC;YAEtB,oCAAoC;YACpC,MAAM,WAAW,GAAG,QAAQ,OAAO,MAAM,GAAG,CAAC,kBAAkB,EAAE,EAAE,CAAC;YACpE,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;YAExE,MAAM,OAAO,GAAG,mBAAmB,OAAO,gBAAgB,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,kDAAkD,IAAI,EAAE,CAAC;YAC9I,MAAM,QAAQ,GAAG;gBACf;oBACE,IAAI,EAAE,MAAe;oBACrB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;iBACpD;aACF,CAAC;YAEF,+DAA+D;YAC/D,oCAAoC;YACpC,sEAAsE;YACtE,sEAAsE;YACtE,uEAAuE;YACvE,sEAAsE;YACtE,sEAAsE;YACtE,iEAAiE;YACjE,sEAAsE;YACtE,wEAAwE;YACxE,MAAM,KAAK,GAAG,OAAO,OAAO,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YAExH,iEAAiE;YACjE,mEAAmE;YACnE,gEAAgE;YAChE,iEAAiE;YACjE,MAAM,aAAa,GAAG,uBAAuB,CAAC,SAAS,EAAE;gBACvD,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAC;YAEH,sEAAsE;YACtE,mDAAmD;YACnD,MAAM,cAAc,GAAG,UAAU,CAC/B,GAAG,EAAE;gBACH,oEAAoE;gBACpE,+CAA+C;YACjD,CAAC,EACD,CAAC,GAAG,EAAE,GAAG,IAAI,CACd,CAAC;YAEF,IAAI,QAAQ,GAAiB,IAAI,CAAC;YAClC,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC1C,MAAM,SAAS,GAAG,QAAQ,CACxB,KAAK,EACL,MAAM,CAAC,EAAE,EACT,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE;oBACrB,IAAI,CAAC;wBACH,MAAM,YAAY,CAAC;4BACjB,MAAM;4BACN,KAAK;4BACL,YAAY;4BACZ,KAAK;4BACL,QAAQ;4BACR,OAAO;4BACP,IAAI;4BACJ,MAAM;4BACN,QAAQ,EAAE,MAAM,CAAC,EAAE;yBACpB,CAAC,CAAC;oBACL,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,MAAM,GAAG,CAAC;oBACZ,CAAC;gBACH,CAAC;gBACD,kDAAkD;gBAClD,KAAK,EAAE,GAAG,EAAE,EAAE;oBACZ,IAAI,GAAG,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;wBAC/B,OAAO,EAAE,CAAC;oBACZ,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,IAAI,KAAK,CAAC,8BAA8B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;oBAChE,CAAC;gBACH,CAAC,EACD;oBACE,aAAa;oBACb,uDAAuD;iBACxD,CACF,CAAC;gBAEF,oEAAoE;gBACpE,6CAA6C;gBAC7C,YAAY,CAAC,cAAc,CAAC,CAAC;gBAC7B,UAAU,CACR,GAAG,EAAE;oBACH,IAAI,SAAS,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;wBACnC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;wBAC1C,MAAM,CAAC,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;oBACrD,CAAC;gBACH,CAAC,EACD,CAAC,GAAG,EAAE,GAAG,IAAI,CACd,CAAC;YACJ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAQ,EAAE,EAAE;gBACpB,QAAQ,GAAG,GAAG,CAAC;YACjB,CAAC,CAAC,CAAC;YAEH,IAAI,QAAQ;gBAAE,MAAM,QAAQ,CAAC;YAE7B,sEAAsE;YACtE,wEAAwE;YACxE,wEAAwE;YACxE,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;YACvD,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;YAC5B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAClC,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;YAE3C,OAAO,CAAC,GAAG,CACT,yBAAyB,OAAO,0BAA0B,IAAI,CAAC,OAAO,EAAE,CACzE,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,iEAAiE;YACjE,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;YACvD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC;YAC1B,IAAI,CAAC,SAAS,GAAG,GAAG,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,eAAe,CAAC;YAChE,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAClC,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;YAE3C,OAAO,CAAC,KAAK,CACX,yBAAyB,OAAO,WAAW,EAC3C,GAAG,EAAE,OAAO,CACb,CAAC;QACJ,CAAC;IACH,CAAC,CACF,CAAC,CAAC,4BAA4B;AACjC,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,QAAkB,EAClB,IAAoB,EACpB,IAAY;IAEZ,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5C,MAAM,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5D,CAAC","sourcesContent":["import { runWithRequestContext } from \"../server/request-context.js\";\nimport { nextOccurrence, isValidCron, describeCron } from \"./cron.js\";\nimport {\n  resourceListAllOwners,\n  resourcePut,\n  type Resource,\n} from \"../resources/store.js\";\nimport {\n  runAgentLoop,\n  actionsToEngineTools,\n  getOwnerActiveApiKey,\n  type ActionEntry,\n} from \"../agent/production-agent.js\";\nimport {\n  getStoredModelForEngine,\n  resolveEngine,\n} from \"../agent/engine/index.js\";\nimport type { AgentEngine } from \"../agent/engine/types.js\";\nimport { createThread } from \"../chat-threads/store.js\";\nimport { startRun, resolveRunSoftTimeoutMs } from \"../agent/run-manager.js\";\n\n// ─── Frontmatter parsing ────────────────────────────────────────────────────\n\nexport interface JobFrontmatter {\n  schedule: string;\n  enabled: boolean;\n  createdBy?: string;\n  orgId?: string;\n  runAs?: \"creator\" | \"shared\";\n  lastRun?: string;\n  lastStatus?: \"success\" | \"error\" | \"running\" | \"skipped\";\n  lastError?: string;\n  nextRun?: string;\n}\n\nconst FRONTMATTER_RE = /^---\\n([\\s\\S]*?)\\n---\\n?([\\s\\S]*)$/;\n\nexport function parseJobFrontmatter(content: string): {\n  meta: JobFrontmatter;\n  body: string;\n} {\n  const match = content.match(FRONTMATTER_RE);\n  if (!match) {\n    return {\n      meta: { schedule: \"\", enabled: false },\n      body: content,\n    };\n  }\n\n  const yamlBlock = match[1];\n  const body = match[2].trim();\n\n  const meta: JobFrontmatter = { schedule: \"\", enabled: true };\n\n  for (const line of yamlBlock.split(\"\\n\")) {\n    const colonIdx = line.indexOf(\":\");\n    if (colonIdx === -1) continue;\n    const key = line.slice(0, colonIdx).trim();\n    let value = line.slice(colonIdx + 1).trim();\n\n    // Strip quotes\n    if (\n      (value.startsWith('\"') && value.endsWith('\"')) ||\n      (value.startsWith(\"'\") && value.endsWith(\"'\"))\n    ) {\n      value = value.slice(1, -1);\n    }\n\n    switch (key) {\n      case \"schedule\":\n        meta.schedule = value;\n        break;\n      case \"enabled\":\n        meta.enabled = value !== \"false\";\n        break;\n      case \"createdBy\":\n        meta.createdBy = value;\n        break;\n      case \"orgId\":\n        meta.orgId = value;\n        break;\n      case \"runAs\":\n        meta.runAs =\n          value === \"shared\" || value === \"creator\" ? value : undefined;\n        break;\n      case \"lastRun\":\n        meta.lastRun = value;\n        break;\n      case \"lastStatus\":\n        meta.lastStatus = value as JobFrontmatter[\"lastStatus\"];\n        break;\n      case \"lastError\":\n        // Reverse the escaping applied in buildJobContent.\n        meta.lastError = value\n          .replace(/\\\\n/g, \"\\n\")\n          .replace(/\\\\r/g, \"\\r\")\n          .replace(/\\\\\"/g, '\"')\n          .replace(/\\\\\\\\/g, \"\\\\\");\n        break;\n      case \"nextRun\":\n        meta.nextRun = value;\n        break;\n    }\n  }\n\n  return { meta, body };\n}\n\nexport function buildJobContent(meta: JobFrontmatter, body: string): string {\n  const lines = [`---`];\n  lines.push(`schedule: \"${meta.schedule}\"`);\n  lines.push(`enabled: ${meta.enabled}`);\n  if (meta.createdBy) lines.push(`createdBy: ${meta.createdBy}`);\n  if (meta.orgId) lines.push(`orgId: ${meta.orgId}`);\n  if (meta.runAs) lines.push(`runAs: ${meta.runAs}`);\n  if (meta.lastRun) lines.push(`lastRun: ${meta.lastRun}`);\n  if (meta.lastStatus) lines.push(`lastStatus: ${meta.lastStatus}`);\n  if (meta.lastError) {\n    // Escape backslash, quote, then CR/LF. The frontmatter parser splits on\n    // \"\\n\", so an un-escaped newline (common in stack traces) would otherwise\n    // split the value across lines and corrupt/truncate the stored error.\n    const escaped = meta.lastError\n      .replace(/\\\\/g, \"\\\\\\\\\")\n      .replace(/\"/g, '\\\\\"')\n      .replace(/\\r/g, \"\\\\r\")\n      .replace(/\\n/g, \"\\\\n\");\n    lines.push(`lastError: \"${escaped}\"`);\n  }\n  if (meta.nextRun) lines.push(`nextRun: ${meta.nextRun}`);\n  lines.push(`---`);\n  lines.push(\"\");\n  lines.push(body);\n  return lines.join(\"\\n\");\n}\n\n// ─── Job execution ──────────────────────────────────────────────────────────\n\nexport interface SchedulerDeps {\n  getActions: () => Record<string, ActionEntry>;\n  getSystemPrompt: (owner: string) => Promise<string>;\n  /** Optional engine override. Defaults to the resolved request engine. */\n  engine?: AgentEngine;\n  apiKey?: string;\n  model?: string;\n  /** App/template id used for org-scoped per-app model defaults. */\n  appId?: string;\n}\n\nlet _isRunning = false;\n\n// Skip the DB query on every tick if we recently confirmed no jobs exist.\n// `_hasJobsCache` is invalidated whenever a `jobs/*` resource is written or\n// deleted (subscribed below), and refreshed at most every 5 minutes.\nlet _hasJobsCache: boolean | undefined;\nlet _lastJobsCheck = 0;\nconst JOBS_CHECK_INTERVAL_MS = 5 * 60_000;\nlet _emitterSubscribed = false;\n\nfunction subscribeToJobsResourceEvents(): void {\n  if (_emitterSubscribed) return;\n  _emitterSubscribed = true;\n  // Lazy import to avoid circular deps at module load\n  import(\"../resources/emitter.js\")\n    .then(({ getResourcesEmitter }) => {\n      getResourcesEmitter().on(\"resources\", (event: any) => {\n        if (typeof event?.path === \"string\" && event.path.startsWith(\"jobs/\")) {\n          _hasJobsCache = undefined;\n        }\n      });\n    })\n    .catch((err) => {\n      console.warn(\n        \"[jobs] resource-event subscription failed:\",\n        err instanceof Error ? err.message : err,\n      );\n    });\n}\n\n/**\n * Process all due recurring jobs. Called every 60 seconds.\n * Sequential execution with 5-minute timeout per job.\n */\nexport async function processRecurringJobs(deps: SchedulerDeps): Promise<void> {\n  // Prevent concurrent runs\n  if (_isRunning) return;\n\n  subscribeToJobsResourceEvents();\n\n  // Skip if we recently confirmed there are no job resources to run.\n  const nowMs = Date.now();\n  if (\n    _hasJobsCache === false &&\n    nowMs - _lastJobsCheck < JOBS_CHECK_INTERVAL_MS\n  ) {\n    return;\n  }\n\n  _isRunning = true;\n\n  try {\n    const jobResources = await resourceListAllOwners(\"jobs/\");\n    _hasJobsCache = jobResources.some(\n      (r) => r.path.endsWith(\".md\") && !r.path.endsWith(\".keep\"),\n    );\n    _lastJobsCheck = nowMs;\n    if (!_hasJobsCache) return;\n    const now = new Date();\n\n    for (const resource of jobResources) {\n      // Skip non-markdown or .keep files\n      if (!resource.path.endsWith(\".md\")) continue;\n      if (resource.path.endsWith(\".keep\")) continue;\n\n      const { meta, body } = parseJobFrontmatter(resource.content);\n\n      // Skip disabled or missing schedule\n      if (!meta.enabled || !meta.schedule) continue;\n      if (!isValidCron(meta.schedule)) continue;\n\n      // Skip if currently running, unless it has been stuck for more than 10 minutes\n      // (server crash mid-job leaves lastStatus=running forever without this guard)\n      if (meta.lastStatus === \"running\") {\n        const stuckCutoff = 10 * 60 * 1000;\n        if (\n          meta.lastRun &&\n          now.getTime() - new Date(meta.lastRun).getTime() < stuckCutoff\n        ) {\n          continue;\n        }\n        // Stuck — reset so the next check can re-run it\n        meta.lastStatus = \"error\";\n        meta.lastError = \"Job timed out or server crashed mid-run\";\n        const next = nextOccurrence(meta.schedule, now);\n        meta.nextRun = next.toISOString();\n        await updateResource(resource, meta, body);\n        continue;\n      }\n\n      // Check if due\n      if (meta.nextRun) {\n        const nextRunDate = new Date(meta.nextRun);\n        if (nextRunDate > now) continue;\n      } else {\n        // No nextRun computed yet — seed it from `now` so the job waits for its\n        // real next occurrence. Computing from new Date(0) (the epoch) always\n        // returns a 1970 date, which is < now, so the job would fire\n        // immediately on first sight regardless of its schedule.\n        const next = nextOccurrence(meta.schedule, now);\n        meta.nextRun = next.toISOString();\n        await updateResource(resource, meta, body);\n        continue;\n      }\n\n      // Skip if body is empty\n      if (!body.trim()) continue;\n\n      // Execute the job\n      await executeJob(resource, meta, body, deps, now);\n    }\n  } catch (err) {\n    // Transient WS / connection drops (Neon serverless): silently retry next\n    // tick instead of spamming stderr — `retryOnConnectionError` already did\n    // its retry budget at the driver level.\n    const { isConnectionError } = await import(\"../db/client.js\");\n    if (isConnectionError(err)) {\n      _hasJobsCache = undefined; // force re-check on next successful tick\n      _lastJobsCheck = 0;\n      return;\n    }\n    // Unwrap ErrorEvent (Neon WS driver emits these on network failure) so logs show the real cause\n    const detail =\n      err instanceof Error\n        ? err\n        : ((err as any)?.error ?? (err as any)?.message ?? err);\n    console.error(\"[recurring-jobs] Error processing jobs:\", detail);\n  } finally {\n    _isRunning = false;\n  }\n}\n\n/**\n * Validate that the run-as user still exists and (if scoped to an org) is\n * still a member of that org. Skips the check for the dev-mode bypass\n * identity and the shared-owner sentinel, neither of which map to a real\n * user row.\n *\n * SECURITY: without this check the scheduler keeps running jobs as\n * `meta.createdBy` indefinitely — even after the user has been deleted,\n * removed from the org, or had their account disabled. The cron entry\n * itself is left intact so an admin can purge it manually after the\n * underlying user-state issue is investigated. See audit 12 #10.\n */\nasync function isJobRunAsStillValid(\n  jobUserEmail: string,\n  jobOrgId: string | undefined,\n): Promise<{ ok: boolean; reason?: string }> {\n  // Shared-owner sentinel isn't a real user (used by jobs run as the\n  // workspace identity).\n  if (jobUserEmail === \"__shared__\") return { ok: true };\n  try {\n    const { getDbExec } = await import(\"../db/client.js\");\n    const db = getDbExec();\n    // Better Auth's user table is named \"user\" (singular). The reserved\n    // word is quoted to avoid ambiguity in Postgres.\n    const userResult = await db.execute({\n      sql: `SELECT 1 FROM \"user\" WHERE email = ? LIMIT 1`,\n      args: [jobUserEmail],\n    });\n    if (!userResult.rows || userResult.rows.length === 0) {\n      return { ok: false, reason: `user \"${jobUserEmail}\" no longer exists` };\n    }\n    if (jobOrgId) {\n      const memberResult = await db.execute({\n        sql: `SELECT 1 FROM org_members WHERE org_id = ? AND LOWER(email) = LOWER(?) LIMIT 1`,\n        args: [jobOrgId, jobUserEmail],\n      });\n      if (!memberResult.rows || memberResult.rows.length === 0) {\n        return {\n          ok: false,\n          reason: `user \"${jobUserEmail}\" is no longer a member of org \"${jobOrgId}\"`,\n        };\n      }\n    }\n    return { ok: true };\n  } catch (err: any) {\n    // Tables may not exist on a brand-new install (no auth tables yet).\n    // Treat that as \"valid\" rather than blocking every job. The check is\n    // only meaningful once the auth tables exist.\n    const msg = err?.message?.toLowerCase() ?? \"\";\n    if (\n      msg.includes(\"does not exist\") ||\n      msg.includes(\"no such table\") ||\n      msg.includes(\"undefined table\")\n    ) {\n      return { ok: true };\n    }\n    // Any other DB error: be conservative and let the job run rather than\n    // blocking on an unexpected failure mode (e.g. transient connection\n    // issue). We log so it's visible.\n    console.warn(\n      `[recurring-jobs] User/membership validation failed for \"${jobUserEmail}\":`,\n      err?.message,\n    );\n    return { ok: true };\n  }\n}\n\nasync function executeJob(\n  resource: Resource,\n  meta: JobFrontmatter,\n  body: string,\n  deps: SchedulerDeps,\n  now: Date,\n): Promise<void> {\n  const jobName = resource.path.replace(/^jobs\\//, \"\").replace(/\\.md$/, \"\");\n\n  // Set owner context so all scoped operations (app-state, resources, etc.)\n  // operate on the correct user's data\n  const effectiveRunAs = meta.runAs ?? \"creator\";\n  const jobUserEmail =\n    effectiveRunAs === \"creator\"\n      ? meta.createdBy || resource.owner\n      : resource.owner;\n  const jobOrgId = meta.orgId ?? undefined;\n\n  // SECURITY (audit 12 #10): re-validate the run-as user/membership on\n  // every tick. Sharing revocation, user deletion, and org-member removal\n  // must take effect for already-scheduled jobs. Skip the tick on\n  // failure; leave the cron entry alone so an admin can purge after\n  // investigation.\n  const validity = await isJobRunAsStillValid(jobUserEmail, jobOrgId);\n  if (!validity.ok) {\n    console.warn(\n      `[recurring-jobs] Skipping job \"${jobName}\": ${validity.reason}. ` +\n        `User/membership no longer valid — leaving cron entry for admin review.`,\n    );\n    // Mark as skipped without resetting nextRun so an admin can find it.\n    meta.lastRun = now.toISOString();\n    meta.lastStatus = \"skipped\";\n    meta.lastError = validity.reason;\n    await updateResource(resource, meta, body);\n    return;\n  }\n\n  // Mark as running\n  meta.lastRun = now.toISOString();\n  meta.lastStatus = \"running\";\n  meta.lastError = undefined;\n  await updateResource(resource, meta, body);\n\n  await runWithRequestContext(\n    { userEmail: jobUserEmail, orgId: jobOrgId },\n    async () => {\n      try {\n        const actions = deps.getActions();\n        const systemPrompt = await deps.getSystemPrompt(jobUserEmail);\n        const tools = actionsToEngineTools(actions);\n\n        // Prefer the job runner's saved Anthropic key so recurring jobs\n        // don't silently bill the shared platform key once a user has\n        // brought their own. Falls back to the platform key when absent.\n        const userApiKey = await getOwnerActiveApiKey(jobUserEmail);\n        const engine =\n          deps.engine ??\n          (await resolveEngine({\n            apiKey: userApiKey ?? deps.apiKey,\n            appId: deps.appId,\n          }));\n        const model =\n          deps.model ??\n          (await getStoredModelForEngine(engine, { appId: deps.appId })) ??\n          engine.defaultModel;\n\n        // Create a chat thread for this run\n        const threadTitle = `Job: ${jobName} — ${now.toLocaleDateString()}`;\n        const thread = await createThread(jobUserEmail, { title: threadTitle });\n\n        const jobText = `[Recurring Job: ${jobName}]\\nSchedule: ${describeCron(meta.schedule)}\\n\\nExecute the following job instructions:\\n\\n${body}`;\n        const messages = [\n          {\n            role: \"user\" as const,\n            content: [{ type: \"text\" as const, text: jobText }],\n          },\n        ];\n\n        // Route through startRun (from run-manager) instead of calling\n        // runAgentLoop directly. This adds:\n        //   1. A heartbeat row in agent_runs so a serverless kill is detected\n        //      by reapAllStaleRuns on the next startup and the row is flipped\n        //      to 'errored' — no more stranded lastStatus:\"running\" in the job\n        //      frontmatter after the next tick resets it via the stuck-guard.\n        //   2. The soft-timeout infrastructure so the job checkpoints cleanly\n        //      before serverless hard-kill rather than dying mid-flight.\n        //   3. SQL abort checks so a displaced/reaped run self-aborts instead\n        //      of completing invisibly and potentially overwriting newer state.\n        const runId = `job-${jobName.replace(/[^a-zA-Z0-9._-]/g, \"-\")}-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;\n\n        // Use the same soft-timeout logic as interactive runs. On hosted\n        // runtimes this clamps to 40s (under the gateway wall); locally it\n        // defaults to 0 (no framework timeout). The 5-minute hard-abort\n        // below is still provided as a backstop via the startRun signal.\n        const softTimeoutMs = resolveRunSoftTimeoutMs(undefined, {\n          useHostedDefault: true,\n        });\n\n        // Hard-abort backstop: 5 minutes. On hosted runtimes the soft-timeout\n        // will fire first; locally this is the only guard.\n        const hardAbortTimer = setTimeout(\n          () => {\n            // startRun's abort controller handles this below, but we still need\n            // the handle to clear it in the finally block.\n          },\n          5 * 60 * 1000,\n        );\n\n        let jobError: Error | null = null;\n        await new Promise<void>((resolve, reject) => {\n          const activeRun = startRun(\n            runId,\n            thread.id,\n            async (send, signal) => {\n              try {\n                await runAgentLoop({\n                  engine,\n                  model,\n                  systemPrompt,\n                  tools,\n                  messages,\n                  actions,\n                  send,\n                  signal,\n                  threadId: thread.id,\n                });\n              } catch (err) {\n                throw err;\n              }\n            },\n            // onComplete: run finished (completed or aborted)\n            async (run) => {\n              if (run.status === \"completed\") {\n                resolve();\n              } else {\n                reject(new Error(`Job run ended with status: ${run.status}`));\n              }\n            },\n            {\n              softTimeoutMs,\n              // turnId defaults to runId — fine for single-turn jobs\n            },\n          );\n\n          // Hard-abort backstop: abort the run-manager's own controller after\n          // 5 minutes if it hasn't finished naturally.\n          clearTimeout(hardAbortTimer);\n          setTimeout(\n            () => {\n              if (activeRun.status === \"running\") {\n                activeRun.abort.abort(\"job_hard_timeout\");\n                reject(new Error(\"Job timed out after 5 minutes\"));\n              }\n            },\n            5 * 60 * 1000,\n          );\n        }).catch((err: any) => {\n          jobError = err;\n        });\n\n        if (jobError) throw jobError;\n\n        // Success — update status. Compute the next run from completion time,\n        // not the job's start time `now`: a long run could otherwise schedule a\n        // nextRun that's already in the past and re-fire immediately next tick.\n        const next = nextOccurrence(meta.schedule, new Date());\n        meta.lastStatus = \"success\";\n        meta.nextRun = next.toISOString();\n        await updateResource(resource, meta, body);\n\n        console.log(\n          `[recurring-jobs] Job \"${jobName}\" completed. Next run: ${meta.nextRun}`,\n        );\n      } catch (err: any) {\n        // Error — update status. Use completion time (see success path).\n        const next = nextOccurrence(meta.schedule, new Date());\n        meta.lastStatus = \"error\";\n        meta.lastError = err?.message?.slice(0, 200) || \"Unknown error\";\n        meta.nextRun = next.toISOString();\n        await updateResource(resource, meta, body);\n\n        console.error(\n          `[recurring-jobs] Job \"${jobName}\" failed:`,\n          err?.message,\n        );\n      }\n    },\n  ); // end runWithRequestContext\n}\n\nasync function updateResource(\n  resource: Resource,\n  meta: JobFrontmatter,\n  body: string,\n): Promise<void> {\n  const content = buildJobContent(meta, body);\n  await resourcePut(resource.owner, resource.path, content);\n}\n"]}

package/dist/mcp/actions/create-org-service-token.d.ts

@@ -0,0 +1,14 @@
+declare const _default: import("../../action.js").ActionDefinition<{
+    name: string;
+    ttlDays?: number | undefined;
+}, {
+    token: string;
+    id: string;
+    serviceName: string;
+    serviceEmail: string;
+    orgId: string;
+    ttlDays: number;
+    note: string;
+}>;
+export default _default;
+//# sourceMappingURL=create-org-service-token.d.ts.map

package/dist/mcp/actions/create-org-service-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-org-service-token.d.ts","sourceRoot":"","sources":["../../../src/mcp/actions/create-org-service-token.ts"],"names":[],"mappings":";;;;;;;;;;;;AA2BA,wBA0DG"}

package/dist/mcp/actions/create-org-service-token.js

@@ -0,0 +1,74 @@
+/**
+ * Mint an org-scoped SERVICE token for CI and other non-human callers (e.g.
+ * the `PLAN_RECAP_TOKEN` GitHub secret used by PR Visual Recap). Unlike a
+ * personal connect token, the credential belongs to the ORG: it keeps working
+ * when the human who minted it leaves or revokes their own tokens, and rows
+ * created with it are org-scoped so every org member can see them.
+ *
+ * SECURITY:
+ *   - Gated to org owners/admins (see service-token-access.ts).
+ *   - The token value appears ONLY in this action's response — it is never
+ *     stored (only its `jti`) and never logged.
+ *   - Not callable by the sandboxed agent tool loop (`toolCallable: false`):
+ *     minting a long-lived credential must be an explicit human/HTTP/CLI act,
+ *     never a prompt-injection target.
+ *   - Revocable via `revoke-org-service-token` — same `revoked_at` gate the
+ *     personal-token revocation path uses.
+ */
+import { z } from "zod";
+import { defineAction } from "../../action.js";
+import { getRequestContext } from "../../server/request-context.js";
+import { getAppProductionUrl } from "../../server/app-url.js";
+import { mintOrgServiceToken } from "../connect-route.js";
+import { requireServiceTokenCaller, ServiceTokenError, } from "./service-token-access.js";
+export default defineAction({
+    description: "Create a named, org-scoped service token (for CI like PR Visual Recap's PLAN_RECAP_TOKEN). The token acts as a service principal owned by the organization, not a person. Org owner/admin only. The token value is returned ONCE and never stored — copy it immediately.",
+    schema: z.object({
+        name: z
+            .string()
+            .min(1)
+            .max(64)
+            .describe("Short service name, e.g. 'ci' or 'pr-recap'"),
+        ttlDays: z
+            .number()
+            .int()
+            .min(1)
+            .max(365)
+            .optional()
+            .describe("Token lifetime in days (1-365, default 365)"),
+    }),
+    toolCallable: false,
+    run: async (args, ctx) => {
+        const caller = await requireServiceTokenCaller({
+            userEmail: ctx?.userEmail,
+            orgId: ctx?.orgId,
+            level: "manage",
+        });
+        // App origin for OAuth-signed tokens (resource/issuer binding). The MCP
+        // path provides requestOrigin via runWithRequestContext; the HTTP action
+        // route falls back to the configured production URL. Deployments with
+        // A2A_SECRET don't depend on it (the A2A signer ignores appUrl).
+        const appUrl = (getRequestContext()?.requestOrigin || getAppProductionUrl()).replace(/\/+$/, "");
+        if (!appUrl && !process.env.A2A_SECRET?.trim()) {
+            throw new ServiceTokenError("Could not determine the app URL needed to mint a token. Set APP_URL on the deployment.", 500);
+        }
+        const minted = await mintOrgServiceToken({
+            serviceName: args.name,
+            orgId: caller.orgId,
+            createdBy: caller.email,
+            ttlDays: args.ttlDays,
+            appUrl,
+        });
+        return {
+            // The ONLY place the secret ever appears. Never stored, never logged.
+            token: minted.token,
+            id: minted.id,
+            serviceName: minted.serviceName,
+            serviceEmail: minted.serviceEmail,
+            orgId: caller.orgId,
+            ttlDays: minted.ttlDays,
+            note: "Store this token now (e.g. as the PLAN_RECAP_TOKEN GitHub Actions secret). It will not be shown again. Revoke it any time with revoke-org-service-token.",
+        };
+    },
+});
+//# sourceMappingURL=create-org-service-token.js.map

package/dist/mcp/actions/create-org-service-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-org-service-token.js","sourceRoot":"","sources":["../../../src/mcp/actions/create-org-service-token.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EACL,yBAAyB,EACzB,iBAAiB,GAClB,MAAM,2BAA2B,CAAC;AAEnC,eAAe,YAAY,CAAC;IAC1B,WAAW,EACT,0QAA0Q;IAC5Q,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,IAAI,EAAE,CAAC;aACJ,MAAM,EAAE;aACR,GAAG,CAAC,CAAC,CAAC;aACN,GAAG,CAAC,EAAE,CAAC;aACP,QAAQ,CAAC,6CAA6C,CAAC;QAC1D,OAAO,EAAE,CAAC;aACP,MAAM,EAAE;aACR,GAAG,EAAE;aACL,GAAG,CAAC,CAAC,CAAC;aACN,GAAG,CAAC,GAAG,CAAC;aACR,QAAQ,EAAE;aACV,QAAQ,CAAC,6CAA6C,CAAC;KAC3D,CAAC;IACF,YAAY,EAAE,KAAK;IACnB,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;QACvB,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC;YAC7C,SAAS,EAAE,GAAG,EAAE,SAAS;YACzB,KAAK,EAAE,GAAG,EAAE,KAAK;YACjB,KAAK,EAAE,QAAQ;SAChB,CAAC,CAAC;QAEH,wEAAwE;QACxE,yEAAyE;QACzE,sEAAsE;QACtE,iEAAiE;QACjE,MAAM,MAAM,GAAG,CACb,iBAAiB,EAAE,EAAE,aAAa,IAAI,mBAAmB,EAAE,CAC5D,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACtB,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,EAAE,CAAC;YAC/C,MAAM,IAAI,iBAAiB,CACzB,wFAAwF,EACxF,GAAG,CACJ,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC;YACvC,WAAW,EAAE,IAAI,CAAC,IAAI;YACtB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,SAAS,EAAE,MAAM,CAAC,KAAK;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM;SACP,CAAC,CAAC;QAEH,OAAO;YACL,sEAAsE;YACtE,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,0JAA0J;SACjK,CAAC;IACJ,CAAC;CACF,CAAC,CAAC","sourcesContent":["/**\n * Mint an org-scoped SERVICE token for CI and other non-human callers (e.g.\n * the `PLAN_RECAP_TOKEN` GitHub secret used by PR Visual Recap). Unlike a\n * personal connect token, the credential belongs to the ORG: it keeps working\n * when the human who minted it leaves or revokes their own tokens, and rows\n * created with it are org-scoped so every org member can see them.\n *\n * SECURITY:\n *   - Gated to org owners/admins (see service-token-access.ts).\n *   - The token value appears ONLY in this action's response — it is never\n *     stored (only its `jti`) and never logged.\n *   - Not callable by the sandboxed agent tool loop (`toolCallable: false`):\n *     minting a long-lived credential must be an explicit human/HTTP/CLI act,\n *     never a prompt-injection target.\n *   - Revocable via `revoke-org-service-token` — same `revoked_at` gate the\n *     personal-token revocation path uses.\n */\nimport { z } from \"zod\";\nimport { defineAction } from \"../../action.js\";\nimport { getRequestContext } from \"../../server/request-context.js\";\nimport { getAppProductionUrl } from \"../../server/app-url.js\";\nimport { mintOrgServiceToken } from \"../connect-route.js\";\nimport {\n  requireServiceTokenCaller,\n  ServiceTokenError,\n} from \"./service-token-access.js\";\n\nexport default defineAction({\n  description:\n    \"Create a named, org-scoped service token (for CI like PR Visual Recap's PLAN_RECAP_TOKEN). The token acts as a service principal owned by the organization, not a person. Org owner/admin only. The token value is returned ONCE and never stored — copy it immediately.\",\n  schema: z.object({\n    name: z\n      .string()\n      .min(1)\n      .max(64)\n      .describe(\"Short service name, e.g. 'ci' or 'pr-recap'\"),\n    ttlDays: z\n      .number()\n      .int()\n      .min(1)\n      .max(365)\n      .optional()\n      .describe(\"Token lifetime in days (1-365, default 365)\"),\n  }),\n  toolCallable: false,\n  run: async (args, ctx) => {\n    const caller = await requireServiceTokenCaller({\n      userEmail: ctx?.userEmail,\n      orgId: ctx?.orgId,\n      level: \"manage\",\n    });\n\n    // App origin for OAuth-signed tokens (resource/issuer binding). The MCP\n    // path provides requestOrigin via runWithRequestContext; the HTTP action\n    // route falls back to the configured production URL. Deployments with\n    // A2A_SECRET don't depend on it (the A2A signer ignores appUrl).\n    const appUrl = (\n      getRequestContext()?.requestOrigin || getAppProductionUrl()\n    ).replace(/\\/+$/, \"\");\n    if (!appUrl && !process.env.A2A_SECRET?.trim()) {\n      throw new ServiceTokenError(\n        \"Could not determine the app URL needed to mint a token. Set APP_URL on the deployment.\",\n        500,\n      );\n    }\n\n    const minted = await mintOrgServiceToken({\n      serviceName: args.name,\n      orgId: caller.orgId,\n      createdBy: caller.email,\n      ttlDays: args.ttlDays,\n      appUrl,\n    });\n\n    return {\n      // The ONLY place the secret ever appears. Never stored, never logged.\n      token: minted.token,\n      id: minted.id,\n      serviceName: minted.serviceName,\n      serviceEmail: minted.serviceEmail,\n      orgId: caller.orgId,\n      ttlDays: minted.ttlDays,\n      note: \"Store this token now (e.g. as the PLAN_RECAP_TOKEN GitHub Actions secret). It will not be shown again. Revoke it any time with revoke-org-service-token.\",\n    };\n  },\n});\n"]}

package/dist/mcp/actions/list-org-service-tokens.d.ts

@@ -0,0 +1,17 @@
+declare const _default: import("../../action.js").ActionDefinition<{
+    includeRevoked?: boolean | undefined;
+}, {
+    orgId: string;
+    tokens: {
+        id: string;
+        serviceName: string | null;
+        serviceEmail: string;
+        label: string | null;
+        createdBy: string | null;
+        createdAt: number | null;
+        lastUsedAt: number | null;
+        revokedAt: number | null;
+    }[];
+}>;
+export default _default;
+//# sourceMappingURL=list-org-service-tokens.d.ts.map

package/dist/mcp/actions/list-org-service-tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"list-org-service-tokens.d.ts","sourceRoot":"","sources":["../../../src/mcp/actions/list-org-service-tokens.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAWA,wBA+BG"}

package/dist/mcp/actions/list-org-service-tokens.js

@@ -0,0 +1,42 @@
+/**
+ * List the active org service tokens — metadata only (name, who minted it,
+ * created/last-used/revoked timestamps). Token values are never stored, so
+ * they can never appear here. Any org member may list; minting and revoking
+ * are owner/admin-gated.
+ */
+import { z } from "zod";
+import { defineAction } from "../../action.js";
+import { listOrgServiceTokens } from "../connect-store.js";
+import { requireServiceTokenCaller } from "./service-token-access.js";
+export default defineAction({
+    description: "List your organization's service tokens (CI credentials such as PLAN_RECAP_TOKEN): name, who created them, created/last-used times, and revocation state. Token values are never stored and never shown. Any org member can list.",
+    schema: z.object({
+        includeRevoked: z
+            .boolean()
+            .optional()
+            .describe("Also include revoked tokens (default false)"),
+    }),
+    http: { method: "GET" },
+    run: async (args, ctx) => {
+        const caller = await requireServiceTokenCaller({
+            userEmail: ctx?.userEmail,
+            orgId: ctx?.orgId,
+            level: "read",
+        });
+        const rows = await listOrgServiceTokens(caller.orgId);
+        const tokens = rows
+            .filter((row) => args.includeRevoked || row.revokedAt == null)
+            .map((row) => ({
+            id: row.id,
+            serviceName: row.serviceName,
+            serviceEmail: row.ownerEmail,
+            label: row.label,
+            createdBy: row.createdBy,
+            createdAt: row.createdAt,
+            lastUsedAt: row.lastUsedAt,
+            revokedAt: row.revokedAt,
+        }));
+        return { orgId: caller.orgId, tokens };
+    },
+});
+//# sourceMappingURL=list-org-service-tokens.js.map

package/dist/mcp/actions/list-org-service-tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list-org-service-tokens.js","sourceRoot":"","sources":["../../../src/mcp/actions/list-org-service-tokens.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,yBAAyB,EAAE,MAAM,2BAA2B,CAAC;AAEtE,eAAe,YAAY,CAAC;IAC1B,WAAW,EACT,mOAAmO;IACrO,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,cAAc,EAAE,CAAC;aACd,OAAO,EAAE;aACT,QAAQ,EAAE;aACV,QAAQ,CAAC,6CAA6C,CAAC;KAC3D,CAAC;IACF,IAAI,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;IACvB,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;QACvB,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC;YAC7C,SAAS,EAAE,GAAG,EAAE,SAAS;YACzB,KAAK,EAAE,GAAG,EAAE,KAAK;YACjB,KAAK,EAAE,MAAM;SACd,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,oBAAoB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,IAAI;aAChB,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,cAAc,IAAI,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC;aAC7D,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YACb,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,WAAW,EAAE,GAAG,CAAC,WAAW;YAC5B,YAAY,EAAE,GAAG,CAAC,UAAU;YAC5B,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,SAAS,EAAE,GAAG,CAAC,SAAS;SACzB,CAAC,CAAC,CAAC;QACN,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC;IACzC,CAAC;CACF,CAAC,CAAC","sourcesContent":["/**\n * List the active org service tokens — metadata only (name, who minted it,\n * created/last-used/revoked timestamps). Token values are never stored, so\n * they can never appear here. Any org member may list; minting and revoking\n * are owner/admin-gated.\n */\nimport { z } from \"zod\";\nimport { defineAction } from \"../../action.js\";\nimport { listOrgServiceTokens } from \"../connect-store.js\";\nimport { requireServiceTokenCaller } from \"./service-token-access.js\";\n\nexport default defineAction({\n  description:\n    \"List your organization's service tokens (CI credentials such as PLAN_RECAP_TOKEN): name, who created them, created/last-used times, and revocation state. Token values are never stored and never shown. Any org member can list.\",\n  schema: z.object({\n    includeRevoked: z\n      .boolean()\n      .optional()\n      .describe(\"Also include revoked tokens (default false)\"),\n  }),\n  http: { method: \"GET\" },\n  run: async (args, ctx) => {\n    const caller = await requireServiceTokenCaller({\n      userEmail: ctx?.userEmail,\n      orgId: ctx?.orgId,\n      level: \"read\",\n    });\n    const rows = await listOrgServiceTokens(caller.orgId);\n    const tokens = rows\n      .filter((row) => args.includeRevoked || row.revokedAt == null)\n      .map((row) => ({\n        id: row.id,\n        serviceName: row.serviceName,\n        serviceEmail: row.ownerEmail,\n        label: row.label,\n        createdBy: row.createdBy,\n        createdAt: row.createdAt,\n        lastUsedAt: row.lastUsedAt,\n        revokedAt: row.revokedAt,\n      }));\n    return { orgId: caller.orgId, tokens };\n  },\n});\n"]}

package/dist/mcp/actions/revoke-org-service-token.d.ts

@@ -0,0 +1,7 @@
+declare const _default: import("../../action.js").ActionDefinition<{
+    id: string;
+}, {
+    ok: boolean;
+}>;
+export default _default;
+//# sourceMappingURL=revoke-org-service-token.d.ts.map

package/dist/mcp/actions/revoke-org-service-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke-org-service-token.d.ts","sourceRoot":"","sources":["../../../src/mcp/actions/revoke-org-service-token.ts"],"names":[],"mappings":";;;;;AAYA,wBAgBG"}

package/dist/mcp/actions/revoke-org-service-token.js

@@ -0,0 +1,28 @@
+/**
+ * Revoke an org service token by id. Owner/admin only. Uses the same
+ * `revoked_at` gate as personal-token revocation, so the token stops
+ * authenticating on its next request. The revoke is scoped by org id AND
+ * kind='service' in SQL — a caller can never revoke another org's token or a
+ * personal token through this action.
+ */
+import { z } from "zod";
+import { defineAction } from "../../action.js";
+import { revokeOrgServiceToken } from "../connect-store.js";
+import { requireServiceTokenCaller } from "./service-token-access.js";
+export default defineAction({
+    description: "Revoke one of your organization's service tokens by id (get ids from list-org-service-tokens). The token stops working immediately. Org owner/admin only. Idempotent.",
+    schema: z.object({
+        id: z.string().min(1).describe("Service token id to revoke"),
+    }),
+    toolCallable: false,
+    run: async (args, ctx) => {
+        const caller = await requireServiceTokenCaller({
+            userEmail: ctx?.userEmail,
+            orgId: ctx?.orgId,
+            level: "manage",
+        });
+        const revoked = await revokeOrgServiceToken(caller.orgId, args.id);
+        return { ok: revoked };
+    },
+});
+//# sourceMappingURL=revoke-org-service-token.js.map

package/dist/mcp/actions/revoke-org-service-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke-org-service-token.js","sourceRoot":"","sources":["../../../src/mcp/actions/revoke-org-service-token.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EAAE,yBAAyB,EAAE,MAAM,2BAA2B,CAAC;AAEtE,eAAe,YAAY,CAAC;IAC1B,WAAW,EACT,uKAAuK;IACzK,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,4BAA4B,CAAC;KAC7D,CAAC;IACF,YAAY,EAAE,KAAK;IACnB,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;QACvB,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC;YAC7C,SAAS,EAAE,GAAG,EAAE,SAAS;YACzB,KAAK,EAAE,GAAG,EAAE,KAAK;YACjB,KAAK,EAAE,QAAQ;SAChB,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,qBAAqB,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QACnE,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC;IACzB,CAAC;CACF,CAAC,CAAC","sourcesContent":["/**\n * Revoke an org service token by id. Owner/admin only. Uses the same\n * `revoked_at` gate as personal-token revocation, so the token stops\n * authenticating on its next request. The revoke is scoped by org id AND\n * kind='service' in SQL — a caller can never revoke another org's token or a\n * personal token through this action.\n */\nimport { z } from \"zod\";\nimport { defineAction } from \"../../action.js\";\nimport { revokeOrgServiceToken } from \"../connect-store.js\";\nimport { requireServiceTokenCaller } from \"./service-token-access.js\";\n\nexport default defineAction({\n  description:\n    \"Revoke one of your organization's service tokens by id (get ids from list-org-service-tokens). The token stops working immediately. Org owner/admin only. Idempotent.\",\n  schema: z.object({\n    id: z.string().min(1).describe(\"Service token id to revoke\"),\n  }),\n  toolCallable: false,\n  run: async (args, ctx) => {\n    const caller = await requireServiceTokenCaller({\n      userEmail: ctx?.userEmail,\n      orgId: ctx?.orgId,\n      level: \"manage\",\n    });\n    const revoked = await revokeOrgServiceToken(caller.orgId, args.id);\n    return { ok: revoked };\n  },\n});\n"]}

package/dist/mcp/actions/service-token-access.d.ts

@@ -0,0 +1,24 @@
+import type { OrgRole } from "../../org/types.js";
+export declare class ServiceTokenError extends Error {
+    statusCode: number;
+    constructor(message: string, statusCode: number);
+}
+/** Look up the caller's role in `orgId`, or null when not a member. */
+export declare function getOrgRoleForEmail(orgId: string, email: string): Promise<OrgRole | null>;
+export interface ServiceTokenCallerContext {
+    email: string;
+    orgId: string;
+    role: OrgRole;
+}
+/**
+ * Resolve and gate the caller for a service-token action. Throws
+ * `ServiceTokenError` (401/400/403) on failure so the action route maps it to
+ * the right HTTP status.
+ */
+export declare function requireServiceTokenCaller(params: {
+    userEmail: string | undefined;
+    orgId: string | null | undefined;
+    /** 'manage' = mint/revoke (owner/admin only); 'read' = list (any member). */
+    level: "manage" | "read";
+}): Promise<ServiceTokenCallerContext>;
+//# sourceMappingURL=service-token-access.d.ts.map

package/dist/mcp/actions/service-token-access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-token-access.d.ts","sourceRoot":"","sources":["../../../src/mcp/actions/service-token-access.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,UAAU,EAAE,MAAM,CAAC;gBACP,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAKhD;AAED,uEAAuE;AACvE,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAczB;AAED,MAAM,WAAW,yBAAyB;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,OAAO,CAAC;CACf;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,CAAC,MAAM,EAAE;IACtD,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;IACjC,6EAA6E;IAC7E,KAAK,EAAE,QAAQ,GAAG,MAAM,CAAC;CAC1B,GAAG,OAAO,CAAC,yBAAyB,CAAC,CA0BrC"}

package/dist/mcp/actions/service-token-access.js

@@ -0,0 +1,63 @@
+/**
+ * Shared gating for the org service-token actions.
+ *
+ * GATING DECISION: the org model HAS roles (`org_members.role` is
+ * 'owner' | 'admin' | 'member' — see `org/types.ts`), so minting and revoking
+ * service tokens require the caller to be an org **owner or admin**. Listing
+ * is allowed for any org member (token values are never stored, so the list
+ * only exposes metadata).
+ *
+ * Synthetic service identities (`svc-*@service.<orgId>`) are never inserted
+ * into `org_members`, so a leaked service token can NOT mint further service
+ * tokens or revoke others — the role lookup simply finds no membership.
+ */
+import { getDbExec } from "../../db/client.js";
+export class ServiceTokenError extends Error {
+    statusCode;
+    constructor(message, statusCode) {
+        super(message);
+        this.name = "ServiceTokenError";
+        this.statusCode = statusCode;
+    }
+}
+/** Look up the caller's role in `orgId`, or null when not a member. */
+export async function getOrgRoleForEmail(orgId, email) {
+    try {
+        const { rows } = await getDbExec().execute({
+            sql: `SELECT role FROM org_members WHERE org_id = ? AND LOWER(email) = ? LIMIT 1`,
+            args: [orgId, email.toLowerCase()],
+        });
+        const role = rows[0]?.role;
+        return role === "owner" || role === "admin" || role === "member"
+            ? role
+            : null;
+    }
+    catch {
+        // org tables not provisioned (template without orgs) → no membership.
+        return null;
+    }
+}
+/**
+ * Resolve and gate the caller for a service-token action. Throws
+ * `ServiceTokenError` (401/400/403) on failure so the action route maps it to
+ * the right HTTP status.
+ */
+export async function requireServiceTokenCaller(params) {
+    const email = params.userEmail?.trim();
+    if (!email) {
+        throw new ServiceTokenError("Sign in to manage org service tokens.", 401);
+    }
+    const orgId = params.orgId?.trim();
+    if (!orgId) {
+        throw new ServiceTokenError("No active organization. Service tokens are org-scoped — join or create an organization first.", 400);
+    }
+    const role = await getOrgRoleForEmail(orgId, email);
+    if (!role) {
+        throw new ServiceTokenError("You are not a member of this organization.", 403);
+    }
+    if (params.level === "manage" && role === "member") {
+        throw new ServiceTokenError("Only org owners or admins can create or revoke service tokens.", 403);
+    }
+    return { email, orgId, role };
+}
+//# sourceMappingURL=service-token-access.js.map

package/dist/mcp/actions/service-token-access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-token-access.js","sourceRoot":"","sources":["../../../src/mcp/actions/service-token-access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAG/C,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,UAAU,CAAS;IACnB,YAAY,OAAe,EAAE,UAAkB;QAC7C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAED,uEAAuE;AACvE,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAa,EACb,KAAa;IAEb,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;YACzC,GAAG,EAAE,4EAA4E;YACjF,IAAI,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC;SACnC,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC;QAC3B,OAAO,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,QAAQ;YAC9D,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,sEAAsE;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAQD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAAC,MAK/C;IACC,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;IACvC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,iBAAiB,CAAC,uCAAuC,EAAE,GAAG,CAAC,CAAC;IAC5E,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;IACnC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,iBAAiB,CACzB,+FAA+F,EAC/F,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACpD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,iBAAiB,CACzB,4CAA4C,EAC5C,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACnD,MAAM,IAAI,iBAAiB,CACzB,gEAAgE,EAChE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AAChC,CAAC","sourcesContent":["/**\n * Shared gating for the org service-token actions.\n *\n * GATING DECISION: the org model HAS roles (`org_members.role` is\n * 'owner' | 'admin' | 'member' — see `org/types.ts`), so minting and revoking\n * service tokens require the caller to be an org **owner or admin**. Listing\n * is allowed for any org member (token values are never stored, so the list\n * only exposes metadata).\n *\n * Synthetic service identities (`svc-*@service.<orgId>`) are never inserted\n * into `org_members`, so a leaked service token can NOT mint further service\n * tokens or revoke others — the role lookup simply finds no membership.\n */\nimport { getDbExec } from \"../../db/client.js\";\nimport type { OrgRole } from \"../../org/types.js\";\n\nexport class ServiceTokenError extends Error {\n  statusCode: number;\n  constructor(message: string, statusCode: number) {\n    super(message);\n    this.name = \"ServiceTokenError\";\n    this.statusCode = statusCode;\n  }\n}\n\n/** Look up the caller's role in `orgId`, or null when not a member. */\nexport async function getOrgRoleForEmail(\n  orgId: string,\n  email: string,\n): Promise<OrgRole | null> {\n  try {\n    const { rows } = await getDbExec().execute({\n      sql: `SELECT role FROM org_members WHERE org_id = ? AND LOWER(email) = ? LIMIT 1`,\n      args: [orgId, email.toLowerCase()],\n    });\n    const role = rows[0]?.role;\n    return role === \"owner\" || role === \"admin\" || role === \"member\"\n      ? role\n      : null;\n  } catch {\n    // org tables not provisioned (template without orgs) → no membership.\n    return null;\n  }\n}\n\nexport interface ServiceTokenCallerContext {\n  email: string;\n  orgId: string;\n  role: OrgRole;\n}\n\n/**\n * Resolve and gate the caller for a service-token action. Throws\n * `ServiceTokenError` (401/400/403) on failure so the action route maps it to\n * the right HTTP status.\n */\nexport async function requireServiceTokenCaller(params: {\n  userEmail: string | undefined;\n  orgId: string | null | undefined;\n  /** 'manage' = mint/revoke (owner/admin only); 'read' = list (any member). */\n  level: \"manage\" | \"read\";\n}): Promise<ServiceTokenCallerContext> {\n  const email = params.userEmail?.trim();\n  if (!email) {\n    throw new ServiceTokenError(\"Sign in to manage org service tokens.\", 401);\n  }\n  const orgId = params.orgId?.trim();\n  if (!orgId) {\n    throw new ServiceTokenError(\n      \"No active organization. Service tokens are org-scoped — join or create an organization first.\",\n      400,\n    );\n  }\n  const role = await getOrgRoleForEmail(orgId, email);\n  if (!role) {\n    throw new ServiceTokenError(\n      \"You are not a member of this organization.\",\n      403,\n    );\n  }\n  if (params.level === \"manage\" && role === \"member\") {\n    throw new ServiceTokenError(\n      \"Only org owners or admins can create or revoke service tokens.\",\n      403,\n    );\n  }\n  return { email, orgId, role };\n}\n"]}