@agent-native/core 0.49.27 → 0.51.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (95) hide show
  1. package/dist/agent/harness/ai-sdk-adapter.d.ts +13 -0
  2. package/dist/agent/harness/ai-sdk-adapter.d.ts.map +1 -0
  3. package/dist/agent/harness/ai-sdk-adapter.js +232 -0
  4. package/dist/agent/harness/ai-sdk-adapter.js.map +1 -0
  5. package/dist/agent/harness/background.d.ts +15 -0
  6. package/dist/agent/harness/background.d.ts.map +1 -0
  7. package/dist/agent/harness/background.js +233 -0
  8. package/dist/agent/harness/background.js.map +1 -0
  9. package/dist/agent/harness/builtin.d.ts +2 -0
  10. package/dist/agent/harness/builtin.d.ts.map +1 -0
  11. package/dist/agent/harness/builtin.js +24 -0
  12. package/dist/agent/harness/builtin.js.map +1 -0
  13. package/dist/agent/harness/index.d.ts +9 -0
  14. package/dist/agent/harness/index.d.ts.map +1 -0
  15. package/dist/agent/harness/index.js +8 -0
  16. package/dist/agent/harness/index.js.map +1 -0
  17. package/dist/agent/harness/registry.d.ts +15 -0
  18. package/dist/agent/harness/registry.d.ts.map +1 -0
  19. package/dist/agent/harness/registry.js +70 -0
  20. package/dist/agent/harness/registry.js.map +1 -0
  21. package/dist/agent/harness/runner.d.ts +21 -0
  22. package/dist/agent/harness/runner.d.ts.map +1 -0
  23. package/dist/agent/harness/runner.js +86 -0
  24. package/dist/agent/harness/runner.js.map +1 -0
  25. package/dist/agent/harness/store.d.ts +46 -0
  26. package/dist/agent/harness/store.d.ts.map +1 -0
  27. package/dist/agent/harness/store.js +304 -0
  28. package/dist/agent/harness/store.js.map +1 -0
  29. package/dist/agent/harness/translate.d.ts +5 -0
  30. package/dist/agent/harness/translate.d.ts.map +1 -0
  31. package/dist/agent/harness/translate.js +120 -0
  32. package/dist/agent/harness/translate.js.map +1 -0
  33. package/dist/agent/harness/types.d.ts +127 -0
  34. package/dist/agent/harness/types.d.ts.map +1 -0
  35. package/dist/agent/harness/types.js +2 -0
  36. package/dist/agent/harness/types.js.map +1 -0
  37. package/dist/agent/production-agent.d.ts.map +1 -1
  38. package/dist/agent/production-agent.js +2 -0
  39. package/dist/agent/production-agent.js.map +1 -1
  40. package/dist/cli/create.d.ts.map +1 -1
  41. package/dist/cli/create.js +10 -1
  42. package/dist/cli/create.js.map +1 -1
  43. package/dist/cli/pr-visual-recap-workflow.d.ts +1 -1
  44. package/dist/cli/pr-visual-recap-workflow.d.ts.map +1 -1
  45. package/dist/cli/pr-visual-recap-workflow.js +1 -1
  46. package/dist/cli/pr-visual-recap-workflow.js.map +1 -1
  47. package/dist/cli/skills.d.ts +1 -1
  48. package/dist/cli/skills.d.ts.map +1 -1
  49. package/dist/cli/skills.js +8 -1
  50. package/dist/cli/skills.js.map +1 -1
  51. package/dist/client/blocks/library/wireframe.d.ts.map +1 -1
  52. package/dist/client/blocks/library/wireframe.js +0 -1
  53. package/dist/client/blocks/library/wireframe.js.map +1 -1
  54. package/dist/client/resources/use-resources.d.ts.map +1 -1
  55. package/dist/client/resources/use-resources.js +4 -2
  56. package/dist/client/resources/use-resources.js.map +1 -1
  57. package/dist/code-agents/background-run.d.ts +6 -4
  58. package/dist/code-agents/background-run.d.ts.map +1 -1
  59. package/dist/code-agents/background-run.js.map +1 -1
  60. package/dist/coding-tools/run-code.js +6 -4
  61. package/dist/coding-tools/run-code.js.map +1 -1
  62. package/dist/provider-api/index.d.ts +20 -12
  63. package/dist/provider-api/index.d.ts.map +1 -1
  64. package/dist/provider-api/index.js +157 -37
  65. package/dist/provider-api/index.js.map +1 -1
  66. package/dist/provider-api/quota-governor.d.ts +53 -0
  67. package/dist/provider-api/quota-governor.d.ts.map +1 -0
  68. package/dist/provider-api/quota-governor.js +395 -0
  69. package/dist/provider-api/quota-governor.js.map +1 -0
  70. package/dist/provider-api/staging.d.ts.map +1 -1
  71. package/dist/provider-api/staging.js +16 -0
  72. package/dist/provider-api/staging.js.map +1 -1
  73. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  74. package/dist/server/agent-chat-plugin.js +34 -10
  75. package/dist/server/agent-chat-plugin.js.map +1 -1
  76. package/dist/templates/workspace-core/.agents/skills/harness-agents/SKILL.md +98 -0
  77. package/dist/workspace-files/index.d.ts +0 -1
  78. package/dist/workspace-files/index.d.ts.map +1 -1
  79. package/dist/workspace-files/index.js +0 -1
  80. package/dist/workspace-files/index.js.map +1 -1
  81. package/dist/workspace-files/store.d.ts +14 -9
  82. package/dist/workspace-files/store.d.ts.map +1 -1
  83. package/dist/workspace-files/store.js +89 -164
  84. package/dist/workspace-files/store.js.map +1 -1
  85. package/dist/workspace-files/tool.d.ts +3 -4
  86. package/dist/workspace-files/tool.d.ts.map +1 -1
  87. package/dist/workspace-files/tool.js +8 -7
  88. package/dist/workspace-files/tool.js.map +1 -1
  89. package/docs/content/deployment.md +1 -1
  90. package/package.json +2 -1
  91. package/src/templates/workspace-core/.agents/skills/harness-agents/SKILL.md +98 -0
  92. package/dist/workspace-files/schema.d.ts +0 -195
  93. package/dist/workspace-files/schema.d.ts.map +0 -1
  94. package/dist/workspace-files/schema.js +0 -48
  95. package/dist/workspace-files/schema.js.map +0 -1
package/dist/coding-tools/run-code.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"run-code.js","sourceRoot":"","sources":["../../src/coding-tools/run-code.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAKtD,MAAM,kBAAkB,GAAG,OAAO,CAAC;AACnC,MAAM,cAAc,GAAG,OAAO,CAAC;AAC/B,MAAM,wBAAwB,GAAG,MAAM,CAAC;AACxC,MAAM,gBAAgB,GAAG,OAAO,CAAC;AACjC,uFAAuF;AACvF,MAAM,qBAAqB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAE/C,SAAS,qBAAqB,CAAC,MAAc;IAC3C,MAAM,KAAK,GAAG,IAAI,GAAG,CAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;AACpB,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAc;IAC5C,MAAM,KAAK,GAAG,IAAI,GAAG,CAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;AACpB,CAAC;AAED;;;;GAIG;AACH,IAAI,oBAA+C,CAAC;AACpD,SAAS,qBAAqB;IAC5B,IAAI,oBAAoB,KAAK,SAAS;QAAE,OAAO,oBAAoB,CAAC;IACpE,KAAK,MAAM,IAAI,IAAI,CAAC,cAAc,EAAE,2BAA2B,CAAC,EAAE,CAAC;QACjE,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,SAAS,CACrB,OAAO,CAAC,QAAQ,EAChB,CAAC,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,EAC/B,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,CACrC,CAAC;YACF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,oBAAoB,GAAG,IAAI,CAAC;gBAC5B,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;QACnE,CAAC;IACH,CAAC;IACD,oBAAoB,GAAG,IAAI,CAAC;IAC5B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wDAAwD;AACxD,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,sBAAsB;IACtB,mBAAmB;IACnB,sBAAsB;IACtB,aAAa;IACb,iBAAiB;CAClB,CAAC,CAAC;AAUH;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAChC,UAA6C,EAC7C,OAAuB,EAAE;IAEzB,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IAEzD,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,4EAA4E;QAC5E,qCAAqC;QACrC,SAAS,EAAE,cAAc;QACzB,cAAc,EAAE,gBAAgB;QAChC,IAAI,EAAE;YACJ,WAAW,EAAE;gBACX,sFAAsF;gBACtF,mHAAmH;gBACnH,8bAA8b;gBAC9b,oBAAoB;gBACpB,uHAAuH;gBACvH,mIAAmI;gBACnI,+HAA+H;gBAC/H,0DAA0D;gBAC1D,6FAA6F;gBAC7F,0GAA0G;gBAC1G,0LAA0L;gBAC1L,+UAA+U;gBAC/U,gFAAgF;gBAChF,iEAAiE;gBACjE,iFAAiF;gBACjF,iIAAiI;gBACjI,0HAA0H;gBAC1H,2FAA2F;gBAC3F,yEAAyE;gBACzE,6GAA6G;gBAC7G,sEAAsE;gBACtE,sGAAsG;aACvG,CAAC,IAAI,CAAC,GAAG,CAAC;YACX,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,IAAI,EAAE;wBACJ,IAAI,EAAE,QAAQ;wBACd,WAAW,EACT,oEAAoE;qBACvE;oBACD,SAAS,EAAE;wBACT,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,+CAA+C,kBAAkB,UAAU,cAAc,GAAG;qBAC1G;oBACD,cAAc,EAAE;wBACd,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,iEAAiE,wBAAwB,UAAU,gBAAgB,GAAG;qBACpI;iBACF;gBACD,QAAQ,EAAE,CAAC,MAAM,CAAC;aACnB;SACF;QACD,GAAG,EAAE,KAAK,EAAE,IAA4B,EAAE,OAA0B,EAAE,EAAE;YACtE,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5D,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBAAE,OAAO,0BAA0B,CAAC;YAEpD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,SAAS,GACb,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,gBAAgB,GAAG,CAAC;gBACvD,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC;gBAC5C,CAAC,CAAC,kBAAkB,CAAC;YAEzB,MAAM,kBAAkB,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACvD,MAAM,cAAc,GAClB,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,kBAAkB,GAAG,CAAC;gBAC3D,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;gBAChD,CAAC,CAAC,wBAAwB,CAAC;YAE/B,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;YAC7B,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAE3D,+DAA+D;YAC/D,MAAM,EACJ,MAAM,EACN,UAAU,EACV,YAAY,EACZ,OAAO,EAAE,aAAa,GACvB,GAAG,MAAM,iBAAiB,CACzB,WAAW,EACX,OAAO,EACP,OAAO,EACP,oBAAoB,EACpB,gBAAgB,CACjB,CAAC;YAEF,IAAI,MAA0B,CAAC;YAC/B,IAAI,OAA2B,CAAC;YAChC,IAAI,CAAC;gBACH,kEAAkE;gBAClE,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;gBAChD,MAAM,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC,CAAC;gBAClE,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;gBAC3C,EAAE,CAAC,aAAa,CACd,OAAO,EACP,kBAAkB,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,CAAC,EACjD,MAAM,CACP,CAAC;gBAEF,yDAAyD;gBACzD,MAAM,OAAO,GAA2B,EAAE,CAAC;gBAC3C,KAAK,MAAM,GAAG,IAAI;oBAChB,MAAM;oBACN,MAAM;oBACN,QAAQ;oBACR,MAAM;oBACN,KAAK;oBACL,MAAM;oBACN,QAAQ;iBACT,EAAE,CAAC;oBACF,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;wBAAE,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;gBACzD,CAAC;gBACD,qEAAqE;gBACrE,0CAA0C;gBAC1C,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;gBACxB,OAAO,CAAC,IAAI,GAAG,MAAM,CAAC;gBACtB,OAAO,CAAC,GAAG,GAAG,MAAM,CAAC;gBAErB,qEAAqE;gBACrE,sEAAsE;gBACtE,8CAA8C;gBAC9C,MAAM,cAAc,GAAG,qBAAqB,EAAE,CAAC;gBAC/C,MAAM,QAAQ,GAAG,cAAc;oBAC7B,CAAC,CAAC;wBACE,cAAc;wBACd,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC,GAAG,CAClC,CAAC,WAAW,EAAE,EAAE,CAAC,mBAAmB,WAAW,EAAE,CAClD;wBACD,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC,GAAG,CACnC,CAAC,WAAW,EAAE,EAAE,CAAC,oBAAoB,WAAW,EAAE,CACnD;wBACD,OAAO;qBACR;oBACH,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;gBAEd,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE;oBAC9C,GAAG,EAAE,MAAM;oBACX,GAAG,EAAE,OAAO;oBACZ,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;iBAClC,CAAC,CAAC;gBAEH,IAAI,MAAM,GAAG,EAAE,CAAC;gBAChB,IAAI,MAAM,GAAG,EAAE,CAAC;gBAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;gBAErB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;oBAC5B,QAAQ,GAAG,IAAI,CAAC;oBAChB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;oBACtB,UAAU,CAAC,GAAG,EAAE;wBACd,IAAI,CAAC;4BACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;wBACxB,CAAC;wBAAC,MAAM,CAAC,CAAA,CAAC;oBACZ,CAAC,EAAE,KAAK,CAAC,CAAC;gBACZ,CAAC,EAAE,SAAS,CAAC,CAAC;gBAEd,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;oBACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC7B,CAAC,CAAC,CAAC;gBACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;oBACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC7B,CAAC,CAAC,CAAC;gBAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBACpE,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;oBAC5B,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC9B,CAAC,CAAC,CAAC;gBACH,YAAY,CAAC,KAAK,CAAC,CAAC;gBAEpB,MAAM,QAAQ,GACZ;oBACE,MAAM,CAAC,CAAC,CAAC,YAAY,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE;oBAClC,MAAM,CAAC,CAAC,CAAC,YAAY,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE;iBACnC;qBACE,MAAM,CAAC,OAAO,CAAC;qBACf,IAAI,CAAC,MAAM,CAAC,IAAI,aAAa,CAAC;gBAEnC,MAAM,KAAK,GAAa,EAAE,CAAC;gBAC3B,IAAI,QAAQ;oBAAE,KAAK,CAAC,IAAI,CAAC,mBAAmB,SAAS,KAAK,CAAC,CAAC;gBAC5D,IAAI,QAAQ,KAAK,CAAC,IAAI,QAAQ,KAAK,IAAI;oBACrC,KAAK,CAAC,IAAI,CAAC,aAAa,QAAQ,EAAE,CAAC,CAAC;gBACtC,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;gBACjC,IAAI,SAAS,CAAC,MAAM;oBAClB,KAAK,CAAC,IAAI,CAAC,oBAAoB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACzD,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAErB,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAChC,IAAI,IAAI,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC;oBACjC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;oBAChD,OAAO,GAAG,SAAS,qBAAqB,CAAC,IAAI,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC,cAAc,EAAE,SAAS,CAAC;gBACnG,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;oBAAS,CAAC;gBACT,aAAa,EAAE,CAAC;gBAChB,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,qCAAqC;gBACrC,IAAI,CAAC;oBACH,IAAI,OAAO;wBAAE,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;oBACjD,IAAI,MAAM;wBAAE,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBAClE,CAAC;gBAAC,MAAM,CAAC,CAAA,CAAC;YACZ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAaD,KAAK,UAAU,iBAAiB,CAC9B,KAAa,EACb,OAAoC,EACpC,OAAqC,EACrC,YAAyB,EACzB,UAAuB;IAEvB,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC5C,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YACjD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QAED,8CAA8C;QAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;QACnD,IAAI,UAAU,KAAK,UAAU,KAAK,EAAE,EAAE,CAAC;YACrC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YACxB,OAAO;QACT,CAAC;QAED,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC/B,aAAa,IAAI,KAAK,CAAC,MAAM,CAAC;YAC9B,IAAI,aAAa,GAAG,qBAAqB,EAAE,CAAC;gBAC1C,QAAQ,GAAG,IAAI,CAAC;gBAChB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;gBAC7B,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,OAAO;YACT,CAAC;YACD,IAAI,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC3B,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,IAAI,QAAQ;gBAAE,OAAO;YACrB,mBAAmB,CACjB,IAAI,EACJ,OAAO,EACP,OAAO,EACP,YAAY,EACZ,UAAU,EACV,SAAS,EACT,GAAG,CACJ,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACnB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAsB,CAAC;IAClD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC;IAE7B,MAAM,OAAO,GAAG,GAAG,EAAE;QACnB,IAAI,CAAC;YACH,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC,CAAC;IAEF,OAAO;QACL,MAAM;QACN,UAAU;QACV,YAAY,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE;QAChD,OAAO;KACR,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAC1B,OAAe,EACf,OAAoC,EACpC,OAAqC,EACrC,YAAyB,EACzB,UAAuB,EACvB,SAAsB,EACtB,GAAwB;IAExB,IAAI,MAAwD,CAAC;IAC7D,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3E,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,qBAAqB;IACrB,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChC,MAAM,gBAAgB,GACpB,KAAK,EAAE,QAAQ,KAAK,IAAI;QACxB,KAAK,CAAC,SAAS,KAAK,KAAK;QACzB,KAAK,CAAC,YAAY,KAAK,KAAK,CAAC;IAC/B,IACE,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC3B,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC;QACzB,CAAC,gBAAgB,EACjB,CAAC;QACD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,SAAS,QAAQ,gFAAgF;SACzG,CAAC,CACH,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,SAAS,QAAQ,sBAAsB,EAAE,CAAC,CAAC,CAAC;QAC5E,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;IACnC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACxB,4EAA4E;IAC5E,qDAAqD;IACrD,KAAK;SACF,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC;SACtB,IAAI,CAAC,CAAC,MAAe,EAAE,EAAE;QACxB,MAAM,IAAI,GACR,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACxE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAC5C,CAAC,CAAC;SACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;QACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACP,CAAC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAS,kBAAkB,CACzB,QAAgB,EAChB,UAAkB,EAClB,WAAmB;IAEnB,OAAO;;;;wCAI+B,UAAU;wBAC1B,WAAW;;;;;;;;cAQrB,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAsVtB,QAAQ;;;;;CAKT,CAAC;AACF,CAAC","sourcesContent":["/**\n * Sandboxed JavaScript execution tool for the agent.\n *\n * Executes user-supplied JavaScript in an isolated child process with:\n * - A scrubbed environment (no app secrets or env vars; only PATH/HOME/TMPDIR).\n * - A fresh temporary working directory.\n * - An ephemeral bridge HTTP server on 127.0.0.1 so the child can call\n * allowlisted registered tools (provider-api-request, web-request, etc.)\n * with the same request context as the parent — without leaking secrets.\n *\n * Security notes:\n * - The bridge token is a 32-byte random hex string generated per invocation.\n * - The bridge binds to 127.0.0.1 only; no external exposure.\n * - The allowlist of callable bridge tools is enforced server-side.\n * - Secret values are NEVER included in the env passed to the child.\n * - When the Node permission model is available (`--permission`, or\n * `--experimental-permission` on Node 20), the child is denied filesystem\n * access outside its own temp dir, child processes, workers, and native\n * addons. Outbound network from the child is NOT blocked by the permission\n * model; the env scrub means such requests carry no credentials, and all\n * authenticated calls must go through the bridge (which applies the\n * registered tools' host allowlists and SSRF guards).\n */\n\nimport crypto from \"node:crypto\";\nimport fs from \"node:fs\";\nimport http from \"node:http\";\nimport os from \"node:os\";\nimport path from \"node:path\";\nimport { spawn, spawnSync } from \"node:child_process\";\n\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport type { ActionRunContext } from \"../action.js\";\n\nconst DEFAULT_TIMEOUT_MS = 120_000;\nconst MAX_TIMEOUT_MS = 600_000;\nconst DEFAULT_MAX_OUTPUT_CHARS = 50_000;\nconst MAX_OUTPUT_CHARS = 200_000;\n/** Hard cap on bridge request bodies so sandboxed code can't exhaust parent memory. */\nconst BRIDGE_MAX_BODY_BYTES = 10 * 1024 * 1024;\n\nfunction sandboxReadAllowPaths(tmpDir: string): string[] {\n const paths = new Set<string>([tmpDir]);\n try {\n paths.add(fs.realpathSync(tmpDir));\n } catch {}\n return [...paths];\n}\n\nfunction sandboxWriteAllowPaths(tmpDir: string): string[] {\n const paths = new Set<string>([tmpDir]);\n try {\n paths.add(fs.realpathSync(tmpDir));\n } catch {}\n return [...paths];\n}\n\n/**\n * Resolve the Node permission-model flag supported by the current runtime,\n * probing once and caching. Returns null when the permission model is\n * unavailable (the sandbox then falls back to env-scrub isolation only).\n */\nlet cachedPermissionFlag: string | null | undefined;\nfunction resolvePermissionFlag(): string | null {\n if (cachedPermissionFlag !== undefined) return cachedPermissionFlag;\n for (const flag of [\"--permission\", \"--experimental-permission\"]) {\n try {\n const probe = spawnSync(\n process.execPath,\n [flag, \"-e\", \"process.exit(0)\"],\n { timeout: 10_000, stdio: \"ignore\" },\n );\n if (probe.status === 0) {\n cachedPermissionFlag = flag;\n return flag;\n }\n } catch {\n // Probe failure means the flag is unsupported; try the next one.\n }\n }\n cachedPermissionFlag = null;\n return null;\n}\n\n/** Tools callable via the sandbox bridge by default. */\nconst DEFAULT_BRIDGE_TOOLS = new Set([\n \"provider-api-request\",\n \"provider-api-docs\",\n \"provider-api-catalog\",\n \"web-request\",\n \"workspace-files\",\n]);\n\nexport interface RunCodeOptions {\n /**\n * Extra tool names (beyond the default set) that the sandbox bridge will\n * forward to the registered action registry.\n */\n bridgeTools?: string[];\n}\n\n/**\n * Create a `run-code` ActionEntry.\n *\n * @param getActions Supplier that returns the current action registry (called\n * at invocation time so updates are reflected).\n * @param opts Optional configuration.\n */\nexport function createRunCodeEntry(\n getActions: () => Record<string, ActionEntry>,\n opts: RunCodeOptions = {},\n): ActionEntry {\n const extraBridgeTools = new Set(opts.bridgeTools ?? []);\n\n return {\n readOnly: true,\n // Allow a generous per-call timeout so large data-processing jobs don't hit\n // the agent-loop's default 60 s cap.\n timeoutMs: MAX_TIMEOUT_MS,\n maxResultChars: MAX_OUTPUT_CHARS,\n tool: {\n description: [\n \"Execute JavaScript (Node.js, ESM, top-level await supported) in an isolated sandbox.\",\n \"Use this to fetch, join, aggregate, and reduce large datasets, returning only printed output to the conversation.\",\n \"The sandbox runs with a scrubbed environment (no secrets) and, where the Node permission model is available, no filesystem access outside its own temp dir, no child processes, and no workers. Authenticated calls must go through the provided globals; direct network requests carry no credentials. Note: isolation is process-level (env scrub + Node permission model), not an OS-level container — outbound network from sandbox code is not blocked.\",\n \"Available globals:\",\n \" - `appAction(name, args?)` — call any registered agent-exposed read-only app action/tool and get its parsed result.\",\n \" Use this to loop over app data readers and compose multi-source analyses without forcing every intermediate result into chat.\",\n \" - `providerFetch(provider, path, init?)` — authenticated call to a registered provider via the provider-api-request action.\",\n \" Returns the parsed JSON result (or throws on error).\",\n \" Supports stageAs/saveToFile/fetchAllPages; use cursorBodyPath for POST-body pagination.\",\n \" Example: `const data = await providerFetch('<provider-id>', '/records', { query: { limit: 100 } });`\",\n \" - `providerRequest(provider, path, init?)` — same authenticated call, but returns the full provider-api envelope with request, response status/headers, truncation, and body metadata.\",\n \" - `providerFetchAll(provider, path, init?)` — generic pagination helper for cursor, page, and offset APIs. Pass `pagination: { itemsPath, cursorPath or nextCursorPath, cursorParam or cursorBodyPath, pageParam, offsetParam, pageSize, maxPages }`. Returns `{ items, pages, pageCount, itemCount, hasMore, lastCursor, stoppedReason }`.\",\n \" - `webFetch(url, init?)` — outbound HTTP request via the web-request action.\",\n \" Returns `{ status, body }` where body is the response text.\",\n \" Example: `const { body } = await webFetch('https://api.example.com/data');`\",\n \" - `workspaceRead(path, opts?)` — read a workspace file by path. Returns content string or null. opts: { offset?, maxChars? }.\",\n \" - `workspaceReadMeta(path, opts?)` — read a workspace file with metadata such as sizeBytes, truncated, and nextOffset.\",\n \" - `workspaceWrite(path, content, contentType?)` — create or overwrite a workspace file.\",\n \" - `workspaceAppend(path, content)` — append text to a workspace file.\",\n \" - `workspaceList(prefix?)` — list workspace files, returns [{ path, sizeBytes, contentType, updatedAt }].\",\n \"Print results with `console.log()`; only stdout+stderr are returned.\",\n \"Timeout defaults to 120 s (max 600 s). Output is truncated to 50 000 chars by default (max 200 000).\",\n ].join(\" \"),\n parameters: {\n type: \"object\",\n properties: {\n code: {\n type: \"string\",\n description:\n \"JavaScript source to execute. ESM syntax, top-level await allowed.\",\n },\n timeoutMs: {\n type: \"number\",\n description: `Execution timeout in milliseconds. Default: ${DEFAULT_TIMEOUT_MS}. Max: ${MAX_TIMEOUT_MS}.`,\n },\n maxOutputChars: {\n type: \"number\",\n description: `Maximum combined stdout+stderr characters to return. Default: ${DEFAULT_MAX_OUTPUT_CHARS}. Max: ${MAX_OUTPUT_CHARS}.`,\n },\n },\n required: [\"code\"],\n },\n },\n run: async (args: Record<string, string>, context?: ActionRunContext) => {\n const code = typeof args.code === \"string\" ? args.code : \"\";\n if (!code.trim()) return \"Error: code is required.\";\n\n const requestedTimeout = Number(args.timeoutMs);\n const timeoutMs =\n Number.isFinite(requestedTimeout) && requestedTimeout > 0\n ? Math.min(requestedTimeout, MAX_TIMEOUT_MS)\n : DEFAULT_TIMEOUT_MS;\n\n const requestedMaxOutput = Number(args.maxOutputChars);\n const maxOutputChars =\n Number.isFinite(requestedMaxOutput) && requestedMaxOutput > 0\n ? Math.min(requestedMaxOutput, MAX_OUTPUT_CHARS)\n : DEFAULT_MAX_OUTPUT_CHARS;\n\n const actions = getActions();\n const bridgeToken = crypto.randomBytes(32).toString(\"hex\");\n\n // Start bridge server — resolves once the server is listening.\n const {\n server,\n bridgePort,\n getUsedTools,\n cleanup: cleanupBridge,\n } = await startBridgeServer(\n bridgeToken,\n actions,\n context,\n DEFAULT_BRIDGE_TOOLS,\n extraBridgeTools,\n );\n\n let tmpDir: string | undefined;\n let tmpFile: string | undefined;\n try {\n // Write code to a temp ESM file (top-level await needs a module).\n const tmpBaseDir = fs.realpathSync(os.tmpdir());\n tmpDir = fs.mkdtempSync(path.join(tmpBaseDir, \"agent-run-code-\"));\n tmpFile = path.join(tmpDir, \"sandbox.mjs\");\n fs.writeFileSync(\n tmpFile,\n buildSandboxModule(code, bridgePort, bridgeToken),\n \"utf8\",\n );\n\n // Build scrubbed env — only safe POSIX vars, no secrets.\n const safeEnv: Record<string, string> = {};\n for (const key of [\n \"PATH\",\n \"HOME\",\n \"TMPDIR\",\n \"TEMP\",\n \"TMP\",\n \"LANG\",\n \"LC_ALL\",\n ]) {\n if (process.env[key]) safeEnv[key] = process.env[key]!;\n }\n // Point TMPDIR inside the sandbox dir so in-sandbox temp writes stay\n // within the permission-model allow list.\n safeEnv.TMPDIR = tmpDir;\n safeEnv.TEMP = tmpDir;\n safeEnv.TMP = tmpDir;\n\n // Lock the child down with the Node permission model when available:\n // filesystem restricted to the sandbox temp dir, and child processes,\n // workers, and native addons denied entirely.\n const permissionFlag = resolvePermissionFlag();\n const nodeArgs = permissionFlag\n ? [\n permissionFlag,\n ...sandboxReadAllowPaths(tmpDir).map(\n (allowedPath) => `--allow-fs-read=${allowedPath}`,\n ),\n ...sandboxWriteAllowPaths(tmpDir).map(\n (allowedPath) => `--allow-fs-write=${allowedPath}`,\n ),\n tmpFile,\n ]\n : [tmpFile];\n\n const child = spawn(process.execPath, nodeArgs, {\n cwd: tmpDir,\n env: safeEnv,\n stdio: [\"ignore\", \"pipe\", \"pipe\"],\n });\n\n let stdout = \"\";\n let stderr = \"\";\n let timedOut = false;\n\n const timer = setTimeout(() => {\n timedOut = true;\n child.kill(\"SIGTERM\");\n setTimeout(() => {\n try {\n child.kill(\"SIGKILL\");\n } catch {}\n }, 2_000);\n }, timeoutMs);\n\n child.stdout?.on(\"data\", (chunk: Buffer) => {\n stdout += chunk.toString();\n });\n child.stderr?.on(\"data\", (chunk: Buffer) => {\n stderr += chunk.toString();\n });\n\n const exitCode = await new Promise<number | null>((resolve, reject) => {\n child.once(\"error\", reject);\n child.once(\"exit\", resolve);\n });\n clearTimeout(timer);\n\n const combined =\n [\n stdout ? `stdout:\\n${stdout}` : \"\",\n stderr ? `stderr:\\n${stderr}` : \"\",\n ]\n .filter(Boolean)\n .join(\"\\n\\n\") || \"(no output)\";\n\n const lines: string[] = [];\n if (timedOut) lines.push(`timedOut: true (${timeoutMs}ms)`);\n if (exitCode !== 0 && exitCode !== null)\n lines.push(`exitCode: ${exitCode}`);\n const usedTools = getUsedTools();\n if (usedTools.length)\n lines.push(`bridgeToolsUsed: ${usedTools.join(\", \")}`);\n lines.push(combined);\n\n const full = lines.join(\"\\n\\n\");\n if (full.length > maxOutputChars) {\n const truncated = full.slice(0, maxOutputChars);\n return `${truncated}\\n\\n...[truncated ${(full.length - maxOutputChars).toLocaleString()} chars]`;\n }\n return full;\n } finally {\n cleanupBridge();\n server.close();\n // Clean up temp files (best-effort).\n try {\n if (tmpFile) fs.rmSync(tmpFile, { force: true });\n if (tmpDir) fs.rmSync(tmpDir, { recursive: true, force: true });\n } catch {}\n }\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// Bridge server\n// ---------------------------------------------------------------------------\n\ninterface BridgeResult {\n server: http.Server;\n bridgePort: number;\n getUsedTools: () => string[];\n cleanup: () => void;\n}\n\nasync function startBridgeServer(\n token: string,\n actions: Record<string, ActionEntry>,\n context: ActionRunContext | undefined,\n defaultTools: Set<string>,\n extraTools: Set<string>,\n): Promise<BridgeResult> {\n const usedTools = new Set<string>();\n const server = http.createServer((req, res) => {\n if (req.method !== \"POST\" || req.url !== \"/tool\") {\n res.writeHead(404);\n res.end(\"Not found\");\n return;\n }\n\n // Validate bearer token — must match exactly.\n const authHeader = req.headers.authorization ?? \"\";\n if (authHeader !== `Bearer ${token}`) {\n res.writeHead(401);\n res.end(\"Unauthorized\");\n return;\n }\n\n let body = \"\";\n let receivedBytes = 0;\n let rejected = false;\n req.on(\"data\", (chunk: Buffer) => {\n receivedBytes += chunk.length;\n if (receivedBytes > BRIDGE_MAX_BODY_BYTES) {\n rejected = true;\n res.writeHead(413);\n res.end(\"Payload too large\");\n req.destroy();\n return;\n }\n body += chunk.toString();\n });\n req.on(\"end\", () => {\n if (rejected) return;\n handleBridgeRequest(\n body,\n actions,\n context,\n defaultTools,\n extraTools,\n usedTools,\n res,\n );\n });\n req.on(\"error\", () => {\n res.writeHead(500);\n res.end(\"Request error\");\n });\n });\n\n await new Promise<void>((resolve, reject) => {\n server.once(\"error\", reject);\n server.listen(0, \"127.0.0.1\", () => resolve());\n });\n\n const addr = server.address() as { port: number };\n const bridgePort = addr.port;\n\n const cleanup = () => {\n try {\n server.close();\n } catch {}\n };\n\n return {\n server,\n bridgePort,\n getUsedTools: () => Array.from(usedTools).sort(),\n cleanup,\n };\n}\n\nfunction handleBridgeRequest(\n rawBody: string,\n actions: Record<string, ActionEntry>,\n context: ActionRunContext | undefined,\n defaultTools: Set<string>,\n extraTools: Set<string>,\n usedTools: Set<string>,\n res: http.ServerResponse,\n): void {\n let parsed: { tool?: string; args?: Record<string, string> };\n try {\n parsed = JSON.parse(rawBody);\n } catch {\n res.writeHead(400, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Invalid JSON body\" }));\n return;\n }\n\n const toolName = typeof parsed.tool === \"string\" ? parsed.tool.trim() : \"\";\n if (!toolName) {\n res.writeHead(400, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Missing tool name\" }));\n return;\n }\n\n // Enforce allowlist.\n const entry = actions[toolName];\n const isReadOnlyAction =\n entry?.readOnly === true &&\n entry.agentTool !== false &&\n entry.toolCallable !== false;\n if (\n !defaultTools.has(toolName) &&\n !extraTools.has(toolName) &&\n !isReadOnlyAction\n ) {\n res.writeHead(403, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({\n error: `Tool \"${toolName}\" is not an agent-exposed read-only action or sandbox bridge allowlisted tool.`,\n }),\n );\n return;\n }\n\n if (!entry) {\n res.writeHead(404, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: `Tool \"${toolName}\" is not registered.` }));\n return;\n }\n\n const toolArgs = parsed.args ?? {};\n usedTools.add(toolName);\n // Run the tool with the parent request context so auth/org/owner resolution\n // works exactly as it does in the normal agent loop.\n entry\n .run(toolArgs, context)\n .then((result: unknown) => {\n const body =\n typeof result === \"string\" ? result : JSON.stringify(result, null, 2);\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ result: body }));\n })\n .catch((err: unknown) => {\n const message = err instanceof Error ? err.message : String(err);\n res.writeHead(500, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: message }));\n });\n}\n\n// ---------------------------------------------------------------------------\n// Sandbox module template\n// ---------------------------------------------------------------------------\n\n/**\n * Wrap the user's code in an ESM module that:\n * 1. Defines `providerFetch`, `providerRequest`, `providerFetchAll`, and\n * `webFetch` helpers via the bridge.\n * 2. Runs the user's code as top-level await in an async IIFE.\n */\nfunction buildSandboxModule(\n userCode: string,\n bridgePort: number,\n bridgeToken: string,\n): string {\n return `\nimport { createRequire } from \"node:module\";\nconst require = createRequire(import.meta.url);\n\nconst _bridgeBase = \"http://127.0.0.1:${bridgePort}/tool\";\nconst _bridgeToken = \"${bridgeToken}\";\n\nasync function _bridgeCall(tool, args) {\n const http = await import(\"node:http\");\n return new Promise((resolve, reject) => {\n const body = JSON.stringify({ tool, args });\n const options = {\n hostname: \"127.0.0.1\",\n port: ${bridgePort},\n path: \"/tool\",\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n \"Content-Length\": Buffer.byteLength(body),\n \"Authorization\": \"Bearer \" + _bridgeToken,\n },\n };\n const req = http.request(options, (res) => {\n let data = \"\";\n res.on(\"data\", (chunk) => { data += chunk; });\n res.on(\"end\", () => {\n try {\n const parsed = JSON.parse(data);\n if (parsed.error) {\n reject(new Error(parsed.error));\n } else {\n resolve(parsed.result);\n }\n } catch (e) {\n reject(new Error(\"Bridge response parse error: \" + e.message));\n }\n });\n });\n req.on(\"error\", reject);\n req.end(body);\n });\n}\n\nfunction _parseBridgeResult(rawResult) {\n if (typeof rawResult !== \"string\") return rawResult;\n try { return JSON.parse(rawResult); } catch { return rawResult; }\n}\n\n/**\n * Call any registered agent-exposed read-only app action/tool via the sandbox bridge.\n * Mutating and explicitly hidden actions are blocked by the parent bridge.\n */\nasync function appAction(name, args = {}) {\n return _parseBridgeResult(await _bridgeCall(name, args));\n}\n\nasync function providerRequest(provider, apiPath, init = {}) {\n const method = (init.method || \"GET\").toUpperCase();\n const rawResult = await _bridgeCall(\"provider-api-request\", {\n provider,\n path: apiPath,\n method,\n ...(init.query ? { query: init.query } : {}),\n ...(init.body ? { body: init.body } : {}),\n ...(init.headers ? { headers: init.headers } : {}),\n ...(init.auth ? { auth: init.auth } : {}),\n ...(init.connectionId ? { connectionId: init.connectionId } : {}),\n ...(init.accountId ? { accountId: init.accountId } : {}),\n ...(init.timeoutMs ? { timeoutMs: init.timeoutMs } : {}),\n ...(init.maxBytes ? { maxBytes: init.maxBytes } : {}),\n ...(init.stageAs ? { stageAs: init.stageAs } : {}),\n ...(init.itemsPath ? { itemsPath: init.itemsPath } : {}),\n ...(init.pagination ? { pagination: init.pagination } : {}),\n ...(init.saveToFile ? { saveToFile: init.saveToFile } : {}),\n ...(init.fetchAllPages ? { fetchAllPages: init.fetchAllPages } : {}),\n });\n return _parseBridgeResult(rawResult);\n}\n\n/**\n * Call a provider API via the authenticated provider-api-request action.\n * Returns the parsed JSON response body (or throws on error).\n */\nasync function providerFetch(provider, apiPath, init = {}) {\n const parsed = await providerRequest(provider, apiPath, init);\n // Unwrap the provider-api-request envelope ({ provider, request, response, guidance })\n // so callers get the actual response body. fetchAllPages / saveToFile results\n // (which have no \\`response\\` field) are returned as-is.\n if (parsed && typeof parsed === \"object\" && parsed.response && typeof parsed.response === \"object\") {\n const r = parsed.response;\n if (typeof r.status === \"number\" && r.status >= 400) {\n const detail = typeof r.text === \"string\" ? r.text : JSON.stringify(r.json ?? \"\");\n throw new Error(\\`Provider request failed (\\${r.status}): \\${String(detail).slice(0, 500)}\\`);\n }\n return r.json !== undefined ? r.json : r.text;\n }\n return parsed;\n}\n\nfunction _cloneJson(value) {\n if (value === undefined || value === null) return value;\n return JSON.parse(JSON.stringify(value));\n}\n\nfunction _pathParts(path) {\n if (!path || typeof path !== \"string\") return [];\n return path\n .replace(/\\\\[(\\\\d+)\\\\]/g, \".$1\")\n .split(\".\")\n .map((part) => part.trim())\n .filter(Boolean);\n}\n\nfunction _getByPath(value, path) {\n let current = value;\n for (const part of _pathParts(path)) {\n if (current === undefined || current === null) return undefined;\n current = current[part];\n }\n return current;\n}\n\nfunction _setByPath(value, path, nextValue) {\n const parts = _pathParts(path);\n if (!parts.length) return value;\n const root = value && typeof value === \"object\" ? _cloneJson(value) : {};\n let current = root;\n for (let i = 0; i < parts.length - 1; i++) {\n const part = parts[i];\n if (!current[part] || typeof current[part] !== \"object\") current[part] = {};\n current = current[part];\n }\n current[parts[parts.length - 1]] = nextValue;\n return root;\n}\n\nfunction _extractItems(page, itemsPath) {\n if (itemsPath) {\n const value = _getByPath(page, itemsPath);\n return Array.isArray(value) ? value : [];\n }\n if (Array.isArray(page)) return page;\n if (!page || typeof page !== \"object\") return [];\n for (const key of [\"data\", \"results\", \"items\", \"records\", \"rows\", \"calls\", \"messages\", \"tickets\", \"issues\", \"deals\"]) {\n if (Array.isArray(page[key])) return page[key];\n }\n return [];\n}\n\nfunction _withoutProviderFetchAllOptions(init) {\n const {\n pagination: _pagination,\n fetchAllPages: _fetchAllPages,\n stageAs: _stageAs,\n itemsPath: _itemsPath,\n saveToFile: _saveToFile,\n ...rest\n } = init || {};\n return rest;\n}\n\n/**\n * Fetch every page from a provider API using generic cursor, page-number, or\n * offset pagination. Prefer this inside run-code when the answer depends on a\n * broad provider corpus rather than a single bounded request.\n */\nasync function providerFetchAll(provider, apiPath, init = {}) {\n const pagination = init.pagination || init.fetchAllPages || {};\n const itemsPath = pagination.itemsPath || init.itemsPath;\n const cursorPath = pagination.nextCursorPath || pagination.cursorPath;\n const maxPagesRaw = Number(pagination.maxPages || init.maxPages || 50);\n const maxPages = Math.max(1, Math.min(Number.isFinite(maxPagesRaw) ? maxPagesRaw : 50, 200));\n const baseInit = _withoutProviderFetchAllOptions(init);\n let query = _cloneJson(init.query || {});\n let body = _cloneJson(init.body);\n let pageNumber = Number(pagination.startPage || 1);\n let offset = Number(pagination.startOffset || 0);\n const pages = [];\n const items = [];\n let lastCursor = null;\n let stoppedReason = \"completed\";\n\n for (let pageIndex = 0; pageIndex < maxPages; pageIndex++) {\n if (pagination.pageParam) {\n query = { ...(query || {}), [pagination.pageParam]: pageNumber };\n }\n if (pagination.offsetParam) {\n query = { ...(query || {}), [pagination.offsetParam]: offset };\n }\n\n const page = await providerFetch(provider, apiPath, {\n ...baseInit,\n query,\n ...(body !== undefined ? { body } : {}),\n });\n pages.push(page);\n const pageItems = _extractItems(page, itemsPath);\n items.push(...pageItems);\n\n const nextCursor = cursorPath ? _getByPath(page, cursorPath) : undefined;\n if (nextCursor !== undefined && nextCursor !== null && String(nextCursor) !== \"\") {\n if (lastCursor !== null && String(nextCursor) === String(lastCursor)) {\n stoppedReason = \"repeated-cursor\";\n break;\n }\n lastCursor = nextCursor;\n if (pagination.cursorBodyPath) {\n body = _setByPath(body || {}, pagination.cursorBodyPath, nextCursor);\n } else if (pagination.cursorParam) {\n query = { ...(query || {}), [pagination.cursorParam]: nextCursor };\n } else {\n stoppedReason = \"cursor-found-without-destination\";\n break;\n }\n continue;\n }\n\n lastCursor = null;\n if (pagination.pageParam) {\n if (pageItems.length === 0) {\n stoppedReason = \"empty-page\";\n break;\n }\n pageNumber += 1;\n continue;\n }\n if (pagination.offsetParam) {\n if (pageItems.length === 0) {\n stoppedReason = \"empty-page\";\n break;\n }\n const step = Number(pagination.pageSize || pageItems.length);\n if (!Number.isFinite(step) || step <= 0) {\n stoppedReason = \"invalid-page-size\";\n break;\n }\n offset += step;\n if (pagination.pageSize && pageItems.length < Number(pagination.pageSize)) {\n stoppedReason = \"short-page\";\n break;\n }\n continue;\n }\n\n break;\n }\n\n const hitPageOrOffsetLimit =\n Boolean(pagination.pageParam || pagination.offsetParam) &&\n stoppedReason === \"completed\" &&\n pages.length >= maxPages;\n const hasMore =\n (lastCursor !== null && pages.length >= maxPages) || hitPageOrOffsetLimit;\n if (hasMore) stoppedReason = \"max-pages\";\n return {\n items,\n pages,\n pageCount: pages.length,\n itemCount: items.length,\n hasMore,\n lastCursor,\n stoppedReason,\n };\n}\n\n/**\n * Make an outbound HTTP request via the web-request action.\n * Returns an object \\`{ status, body }\\` where \\`body\\` is the response text.\n */\nasync function webFetch(url, init = {}) {\n const method = (init.method || \"GET\").toUpperCase();\n const rawResult = await _bridgeCall(\"web-request\", {\n url,\n method,\n ...(init.headers ? { headers: typeof init.headers === \"string\" ? init.headers : JSON.stringify(init.headers) } : {}),\n ...(init.body ? { body: typeof init.body === \"string\" ? init.body : JSON.stringify(init.body) } : {}),\n });\n // rawResult is \"HTTP <status> <statusText>\\\\n\\\\n<body>\"\n const statusMatch = typeof rawResult === \"string\" ? rawResult.match(/^HTTP (\\\\d+) [^\\\\n]*\\\\n\\\\n/) : null;\n if (statusMatch) {\n return {\n status: Number(statusMatch[1]),\n body: rawResult.slice(statusMatch[0].length),\n };\n }\n return { status: 0, body: rawResult };\n}\n\n/**\n * Read a workspace file by path. Returns the file content as a string, or null if not found.\n * Supports optional offset and maxChars for paging large files.\n */\nasync function workspaceRead(path, opts = {}) {\n const parsed = await workspaceReadMeta(path, opts);\n if (parsed && parsed.ok === false) return null;\n return parsed && typeof parsed.content === \"string\" ? parsed.content : null;\n}\n\n/**\n * Read a workspace file by path and return the full metadata envelope.\n * Use this when offset/maxChars paging or truncation status matters.\n */\nasync function workspaceReadMeta(path, opts = {}) {\n const rawResult = await _bridgeCall(\"workspace-files\", {\n action: \"read\",\n path,\n ...(opts.offset !== undefined ? { offset: opts.offset } : {}),\n ...(opts.maxChars !== undefined ? { maxChars: opts.maxChars } : {}),\n });\n return _parseBridgeResult(rawResult);\n}\n\n/**\n * Write (create or overwrite) a workspace file.\n * \\`content\\` must be a string. Returns metadata { path, sizeBytes, updatedAt }.\n */\nasync function workspaceWrite(path, content, contentType = \"text/plain\") {\n const rawResult = await _bridgeCall(\"workspace-files\", {\n action: \"write\",\n path,\n content: typeof content === \"string\" ? content : JSON.stringify(content),\n contentType,\n });\n try { return typeof rawResult === \"string\" ? JSON.parse(rawResult) : rawResult; } catch { return rawResult; }\n}\n\n/**\n * Append text to a workspace file (creates if absent).\n */\nasync function workspaceAppend(path, content) {\n const rawResult = await _bridgeCall(\"workspace-files\", {\n action: \"append\",\n path,\n content: typeof content === \"string\" ? content : JSON.stringify(content),\n });\n try { return typeof rawResult === \"string\" ? JSON.parse(rawResult) : rawResult; } catch { return rawResult; }\n}\n\n/**\n * List workspace files, optionally filtered by path prefix.\n * Returns an array of { path, sizeBytes, contentType, updatedAt }.\n */\nasync function workspaceList(prefix) {\n const rawResult = await _bridgeCall(\"workspace-files\", {\n action: \"list\",\n ...(prefix ? { path: prefix } : {}),\n });\n const parsed = typeof rawResult === \"string\" ? JSON.parse(rawResult) : rawResult;\n if (parsed && Array.isArray(parsed.files)) return parsed.files;\n if (Array.isArray(parsed)) return parsed;\n throw new Error(\"workspaceList: unexpected result shape: \" + JSON.stringify(parsed).slice(0, 200));\n}\n\n// Run user code\n(async () => {\n${userCode}\n})().catch((err) => {\n console.error(\"Unhandled error:\", err?.message ?? String(err));\n process.exit(1);\n});\n`;\n}\n"]}
1
+ {"version":3,"file":"run-code.js","sourceRoot":"","sources":["../../src/coding-tools/run-code.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAKtD,MAAM,kBAAkB,GAAG,OAAO,CAAC;AACnC,MAAM,cAAc,GAAG,OAAO,CAAC;AAC/B,MAAM,wBAAwB,GAAG,MAAM,CAAC;AACxC,MAAM,gBAAgB,GAAG,OAAO,CAAC;AACjC,uFAAuF;AACvF,MAAM,qBAAqB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAE/C,SAAS,qBAAqB,CAAC,MAAc;IAC3C,MAAM,KAAK,GAAG,IAAI,GAAG,CAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;AACpB,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAc;IAC5C,MAAM,KAAK,GAAG,IAAI,GAAG,CAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;AACpB,CAAC;AAED;;;;GAIG;AACH,IAAI,oBAA+C,CAAC;AACpD,SAAS,qBAAqB;IAC5B,IAAI,oBAAoB,KAAK,SAAS;QAAE,OAAO,oBAAoB,CAAC;IACpE,KAAK,MAAM,IAAI,IAAI,CAAC,cAAc,EAAE,2BAA2B,CAAC,EAAE,CAAC;QACjE,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,SAAS,CACrB,OAAO,CAAC,QAAQ,EAChB,CAAC,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,EAC/B,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,CACrC,CAAC;YACF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,oBAAoB,GAAG,IAAI,CAAC;gBAC5B,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;QACnE,CAAC;IACH,CAAC;IACD,oBAAoB,GAAG,IAAI,CAAC;IAC5B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wDAAwD;AACxD,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,sBAAsB;IACtB,mBAAmB;IACnB,sBAAsB;IACtB,aAAa;IACb,iBAAiB;CAClB,CAAC,CAAC;AAUH;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAChC,UAA6C,EAC7C,OAAuB,EAAE;IAEzB,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IAEzD,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,4EAA4E;QAC5E,qCAAqC;QACrC,SAAS,EAAE,cAAc;QACzB,cAAc,EAAE,gBAAgB;QAChC,IAAI,EAAE;YACJ,WAAW,EAAE;gBACX,sFAAsF;gBACtF,mHAAmH;gBACnH,8bAA8b;gBAC9b,oBAAoB;gBACpB,uHAAuH;gBACvH,mIAAmI;gBACnI,+HAA+H;gBAC/H,0DAA0D;gBAC1D,6FAA6F;gBAC7F,0GAA0G;gBAC1G,0LAA0L;gBAC1L,+UAA+U;gBAC/U,gFAAgF;gBAChF,iEAAiE;gBACjE,iFAAiF;gBACjF,kJAAkJ;gBAClJ,0HAA0H;gBAC1H,6LAA6L;gBAC7L,yEAAyE;gBACzE,6GAA6G;gBAC7G,sEAAsE;gBACtE,sGAAsG;aACvG,CAAC,IAAI,CAAC,GAAG,CAAC;YACX,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,IAAI,EAAE;wBACJ,IAAI,EAAE,QAAQ;wBACd,WAAW,EACT,oEAAoE;qBACvE;oBACD,SAAS,EAAE;wBACT,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,+CAA+C,kBAAkB,UAAU,cAAc,GAAG;qBAC1G;oBACD,cAAc,EAAE;wBACd,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,iEAAiE,wBAAwB,UAAU,gBAAgB,GAAG;qBACpI;iBACF;gBACD,QAAQ,EAAE,CAAC,MAAM,CAAC;aACnB;SACF;QACD,GAAG,EAAE,KAAK,EAAE,IAA4B,EAAE,OAA0B,EAAE,EAAE;YACtE,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5D,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBAAE,OAAO,0BAA0B,CAAC;YAEpD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,SAAS,GACb,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,gBAAgB,GAAG,CAAC;gBACvD,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC;gBAC5C,CAAC,CAAC,kBAAkB,CAAC;YAEzB,MAAM,kBAAkB,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACvD,MAAM,cAAc,GAClB,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,kBAAkB,GAAG,CAAC;gBAC3D,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;gBAChD,CAAC,CAAC,wBAAwB,CAAC;YAE/B,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;YAC7B,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAE3D,+DAA+D;YAC/D,MAAM,EACJ,MAAM,EACN,UAAU,EACV,YAAY,EACZ,OAAO,EAAE,aAAa,GACvB,GAAG,MAAM,iBAAiB,CACzB,WAAW,EACX,OAAO,EACP,OAAO,EACP,oBAAoB,EACpB,gBAAgB,CACjB,CAAC;YAEF,IAAI,MAA0B,CAAC;YAC/B,IAAI,OAA2B,CAAC;YAChC,IAAI,CAAC;gBACH,kEAAkE;gBAClE,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;gBAChD,MAAM,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC,CAAC;gBAClE,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;gBAC3C,EAAE,CAAC,aAAa,CACd,OAAO,EACP,kBAAkB,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,CAAC,EACjD,MAAM,CACP,CAAC;gBAEF,yDAAyD;gBACzD,MAAM,OAAO,GAA2B,EAAE,CAAC;gBAC3C,KAAK,MAAM,GAAG,IAAI;oBAChB,MAAM;oBACN,MAAM;oBACN,QAAQ;oBACR,MAAM;oBACN,KAAK;oBACL,MAAM;oBACN,QAAQ;iBACT,EAAE,CAAC;oBACF,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;wBAAE,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;gBACzD,CAAC;gBACD,qEAAqE;gBACrE,0CAA0C;gBAC1C,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;gBACxB,OAAO,CAAC,IAAI,GAAG,MAAM,CAAC;gBACtB,OAAO,CAAC,GAAG,GAAG,MAAM,CAAC;gBAErB,qEAAqE;gBACrE,sEAAsE;gBACtE,8CAA8C;gBAC9C,MAAM,cAAc,GAAG,qBAAqB,EAAE,CAAC;gBAC/C,MAAM,QAAQ,GAAG,cAAc;oBAC7B,CAAC,CAAC;wBACE,cAAc;wBACd,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC,GAAG,CAClC,CAAC,WAAW,EAAE,EAAE,CAAC,mBAAmB,WAAW,EAAE,CAClD;wBACD,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC,GAAG,CACnC,CAAC,WAAW,EAAE,EAAE,CAAC,oBAAoB,WAAW,EAAE,CACnD;wBACD,OAAO;qBACR;oBACH,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;gBAEd,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE;oBAC9C,GAAG,EAAE,MAAM;oBACX,GAAG,EAAE,OAAO;oBACZ,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;iBAClC,CAAC,CAAC;gBAEH,IAAI,MAAM,GAAG,EAAE,CAAC;gBAChB,IAAI,MAAM,GAAG,EAAE,CAAC;gBAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;gBAErB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;oBAC5B,QAAQ,GAAG,IAAI,CAAC;oBAChB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;oBACtB,UAAU,CAAC,GAAG,EAAE;wBACd,IAAI,CAAC;4BACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;wBACxB,CAAC;wBAAC,MAAM,CAAC,CAAA,CAAC;oBACZ,CAAC,EAAE,KAAK,CAAC,CAAC;gBACZ,CAAC,EAAE,SAAS,CAAC,CAAC;gBAEd,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;oBACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC7B,CAAC,CAAC,CAAC;gBACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;oBACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC7B,CAAC,CAAC,CAAC;gBAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBACpE,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;oBAC5B,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC9B,CAAC,CAAC,CAAC;gBACH,YAAY,CAAC,KAAK,CAAC,CAAC;gBAEpB,MAAM,QAAQ,GACZ;oBACE,MAAM,CAAC,CAAC,CAAC,YAAY,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE;oBAClC,MAAM,CAAC,CAAC,CAAC,YAAY,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE;iBACnC;qBACE,MAAM,CAAC,OAAO,CAAC;qBACf,IAAI,CAAC,MAAM,CAAC,IAAI,aAAa,CAAC;gBAEnC,MAAM,KAAK,GAAa,EAAE,CAAC;gBAC3B,IAAI,QAAQ;oBAAE,KAAK,CAAC,IAAI,CAAC,mBAAmB,SAAS,KAAK,CAAC,CAAC;gBAC5D,IAAI,QAAQ,KAAK,CAAC,IAAI,QAAQ,KAAK,IAAI;oBACrC,KAAK,CAAC,IAAI,CAAC,aAAa,QAAQ,EAAE,CAAC,CAAC;gBACtC,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;gBACjC,IAAI,SAAS,CAAC,MAAM;oBAClB,KAAK,CAAC,IAAI,CAAC,oBAAoB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACzD,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAErB,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAChC,IAAI,IAAI,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC;oBACjC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;oBAChD,OAAO,GAAG,SAAS,qBAAqB,CAAC,IAAI,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC,cAAc,EAAE,SAAS,CAAC;gBACnG,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;oBAAS,CAAC;gBACT,aAAa,EAAE,CAAC;gBAChB,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,qCAAqC;gBACrC,IAAI,CAAC;oBACH,IAAI,OAAO;wBAAE,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;oBACjD,IAAI,MAAM;wBAAE,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBAClE,CAAC;gBAAC,MAAM,CAAC,CAAA,CAAC;YACZ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAaD,KAAK,UAAU,iBAAiB,CAC9B,KAAa,EACb,OAAoC,EACpC,OAAqC,EACrC,YAAyB,EACzB,UAAuB;IAEvB,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC5C,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YACjD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QAED,8CAA8C;QAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;QACnD,IAAI,UAAU,KAAK,UAAU,KAAK,EAAE,EAAE,CAAC;YACrC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YACxB,OAAO;QACT,CAAC;QAED,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC/B,aAAa,IAAI,KAAK,CAAC,MAAM,CAAC;YAC9B,IAAI,aAAa,GAAG,qBAAqB,EAAE,CAAC;gBAC1C,QAAQ,GAAG,IAAI,CAAC;gBAChB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;gBAC7B,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,OAAO;YACT,CAAC;YACD,IAAI,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC3B,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,IAAI,QAAQ;gBAAE,OAAO;YACrB,mBAAmB,CACjB,IAAI,EACJ,OAAO,EACP,OAAO,EACP,YAAY,EACZ,UAAU,EACV,SAAS,EACT,GAAG,CACJ,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACnB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAsB,CAAC;IAClD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC;IAE7B,MAAM,OAAO,GAAG,GAAG,EAAE;QACnB,IAAI,CAAC;YACH,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC,CAAC;IAEF,OAAO;QACL,MAAM;QACN,UAAU;QACV,YAAY,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE;QAChD,OAAO;KACR,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAC1B,OAAe,EACf,OAAoC,EACpC,OAAqC,EACrC,YAAyB,EACzB,UAAuB,EACvB,SAAsB,EACtB,GAAwB;IAExB,IAAI,MAAwD,CAAC;IAC7D,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3E,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,qBAAqB;IACrB,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChC,MAAM,gBAAgB,GACpB,KAAK,EAAE,QAAQ,KAAK,IAAI;QACxB,KAAK,CAAC,SAAS,KAAK,KAAK;QACzB,KAAK,CAAC,YAAY,KAAK,KAAK,CAAC;IAC/B,IACE,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC3B,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC;QACzB,CAAC,gBAAgB,EACjB,CAAC;QACD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,SAAS,QAAQ,gFAAgF;SACzG,CAAC,CACH,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,SAAS,QAAQ,sBAAsB,EAAE,CAAC,CAAC,CAAC;QAC5E,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;IACnC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACxB,4EAA4E;IAC5E,qDAAqD;IACrD,KAAK;SACF,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC;SACtB,IAAI,CAAC,CAAC,MAAe,EAAE,EAAE;QACxB,MAAM,IAAI,GACR,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACxE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAC5C,CAAC,CAAC;SACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;QACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACP,CAAC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAS,kBAAkB,CACzB,QAAgB,EAChB,UAAkB,EAClB,WAAmB;IAEnB,OAAO;;;;wCAI+B,UAAU;wBAC1B,WAAW;;;;;;;;cAQrB,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAwVtB,QAAQ;;;;;CAKT,CAAC;AACF,CAAC","sourcesContent":["/**\n * Sandboxed JavaScript execution tool for the agent.\n *\n * Executes user-supplied JavaScript in an isolated child process with:\n * - A scrubbed environment (no app secrets or env vars; only PATH/HOME/TMPDIR).\n * - A fresh temporary working directory.\n * - An ephemeral bridge HTTP server on 127.0.0.1 so the child can call\n * allowlisted registered tools (provider-api-request, web-request, etc.)\n * with the same request context as the parent — without leaking secrets.\n *\n * Security notes:\n * - The bridge token is a 32-byte random hex string generated per invocation.\n * - The bridge binds to 127.0.0.1 only; no external exposure.\n * - The allowlist of callable bridge tools is enforced server-side.\n * - Secret values are NEVER included in the env passed to the child.\n * - When the Node permission model is available (`--permission`, or\n * `--experimental-permission` on Node 20), the child is denied filesystem\n * access outside its own temp dir, child processes, workers, and native\n * addons. Outbound network from the child is NOT blocked by the permission\n * model; the env scrub means such requests carry no credentials, and all\n * authenticated calls must go through the bridge (which applies the\n * registered tools' host allowlists and SSRF guards).\n */\n\nimport crypto from \"node:crypto\";\nimport fs from \"node:fs\";\nimport http from \"node:http\";\nimport os from \"node:os\";\nimport path from \"node:path\";\nimport { spawn, spawnSync } from \"node:child_process\";\n\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport type { ActionRunContext } from \"../action.js\";\n\nconst DEFAULT_TIMEOUT_MS = 120_000;\nconst MAX_TIMEOUT_MS = 600_000;\nconst DEFAULT_MAX_OUTPUT_CHARS = 50_000;\nconst MAX_OUTPUT_CHARS = 200_000;\n/** Hard cap on bridge request bodies so sandboxed code can't exhaust parent memory. */\nconst BRIDGE_MAX_BODY_BYTES = 10 * 1024 * 1024;\n\nfunction sandboxReadAllowPaths(tmpDir: string): string[] {\n const paths = new Set<string>([tmpDir]);\n try {\n paths.add(fs.realpathSync(tmpDir));\n } catch {}\n return [...paths];\n}\n\nfunction sandboxWriteAllowPaths(tmpDir: string): string[] {\n const paths = new Set<string>([tmpDir]);\n try {\n paths.add(fs.realpathSync(tmpDir));\n } catch {}\n return [...paths];\n}\n\n/**\n * Resolve the Node permission-model flag supported by the current runtime,\n * probing once and caching. Returns null when the permission model is\n * unavailable (the sandbox then falls back to env-scrub isolation only).\n */\nlet cachedPermissionFlag: string | null | undefined;\nfunction resolvePermissionFlag(): string | null {\n if (cachedPermissionFlag !== undefined) return cachedPermissionFlag;\n for (const flag of [\"--permission\", \"--experimental-permission\"]) {\n try {\n const probe = spawnSync(\n process.execPath,\n [flag, \"-e\", \"process.exit(0)\"],\n { timeout: 10_000, stdio: \"ignore\" },\n );\n if (probe.status === 0) {\n cachedPermissionFlag = flag;\n return flag;\n }\n } catch {\n // Probe failure means the flag is unsupported; try the next one.\n }\n }\n cachedPermissionFlag = null;\n return null;\n}\n\n/** Tools callable via the sandbox bridge by default. */\nconst DEFAULT_BRIDGE_TOOLS = new Set([\n \"provider-api-request\",\n \"provider-api-docs\",\n \"provider-api-catalog\",\n \"web-request\",\n \"workspace-files\",\n]);\n\nexport interface RunCodeOptions {\n /**\n * Extra tool names (beyond the default set) that the sandbox bridge will\n * forward to the registered action registry.\n */\n bridgeTools?: string[];\n}\n\n/**\n * Create a `run-code` ActionEntry.\n *\n * @param getActions Supplier that returns the current action registry (called\n * at invocation time so updates are reflected).\n * @param opts Optional configuration.\n */\nexport function createRunCodeEntry(\n getActions: () => Record<string, ActionEntry>,\n opts: RunCodeOptions = {},\n): ActionEntry {\n const extraBridgeTools = new Set(opts.bridgeTools ?? []);\n\n return {\n readOnly: true,\n // Allow a generous per-call timeout so large data-processing jobs don't hit\n // the agent-loop's default 60 s cap.\n timeoutMs: MAX_TIMEOUT_MS,\n maxResultChars: MAX_OUTPUT_CHARS,\n tool: {\n description: [\n \"Execute JavaScript (Node.js, ESM, top-level await supported) in an isolated sandbox.\",\n \"Use this to fetch, join, aggregate, and reduce large datasets, returning only printed output to the conversation.\",\n \"The sandbox runs with a scrubbed environment (no secrets) and, where the Node permission model is available, no filesystem access outside its own temp dir, no child processes, and no workers. Authenticated calls must go through the provided globals; direct network requests carry no credentials. Note: isolation is process-level (env scrub + Node permission model), not an OS-level container — outbound network from sandbox code is not blocked.\",\n \"Available globals:\",\n \" - `appAction(name, args?)` — call any registered agent-exposed read-only app action/tool and get its parsed result.\",\n \" Use this to loop over app data readers and compose multi-source analyses without forcing every intermediate result into chat.\",\n \" - `providerFetch(provider, path, init?)` — authenticated call to a registered provider via the provider-api-request action.\",\n \" Returns the parsed JSON result (or throws on error).\",\n \" Supports stageAs/saveToFile/fetchAllPages; use cursorBodyPath for POST-body pagination.\",\n \" Example: `const data = await providerFetch('<provider-id>', '/records', { query: { limit: 100 } });`\",\n \" - `providerRequest(provider, path, init?)` — same authenticated call, but returns the full provider-api envelope with request, response status/headers, truncation, and body metadata.\",\n \" - `providerFetchAll(provider, path, init?)` — generic pagination helper for cursor, page, and offset APIs. Pass `pagination: { itemsPath, cursorPath or nextCursorPath, cursorParam or cursorBodyPath, pageParam, offsetParam, pageSize, maxPages }`. Returns `{ items, pages, pageCount, itemCount, hasMore, lastCursor, stoppedReason }`.\",\n \" - `webFetch(url, init?)` — outbound HTTP request via the web-request action.\",\n \" Returns `{ status, body }` where body is the response text.\",\n \" Example: `const { body } = await webFetch('https://api.example.com/data');`\",\n \" - `workspaceRead(path, opts?)` — read a Resources-backed workspace file by path. Returns content string or null. opts: { offset?, maxChars? }.\",\n \" - `workspaceReadMeta(path, opts?)` — read a workspace file with metadata such as sizeBytes, truncated, and nextOffset.\",\n \" - `workspaceWrite(path, content, contentType?)` — create or overwrite a workspace file. Use `scratch/...` for temporary staging; use durable folders only for files the user should keep.\",\n \" - `workspaceAppend(path, content)` — append text to a workspace file.\",\n \" - `workspaceList(prefix?)` — list workspace files, returns [{ path, sizeBytes, contentType, updatedAt }].\",\n \"Print results with `console.log()`; only stdout+stderr are returned.\",\n \"Timeout defaults to 120 s (max 600 s). Output is truncated to 50 000 chars by default (max 200 000).\",\n ].join(\" \"),\n parameters: {\n type: \"object\",\n properties: {\n code: {\n type: \"string\",\n description:\n \"JavaScript source to execute. ESM syntax, top-level await allowed.\",\n },\n timeoutMs: {\n type: \"number\",\n description: `Execution timeout in milliseconds. Default: ${DEFAULT_TIMEOUT_MS}. Max: ${MAX_TIMEOUT_MS}.`,\n },\n maxOutputChars: {\n type: \"number\",\n description: `Maximum combined stdout+stderr characters to return. Default: ${DEFAULT_MAX_OUTPUT_CHARS}. Max: ${MAX_OUTPUT_CHARS}.`,\n },\n },\n required: [\"code\"],\n },\n },\n run: async (args: Record<string, string>, context?: ActionRunContext) => {\n const code = typeof args.code === \"string\" ? args.code : \"\";\n if (!code.trim()) return \"Error: code is required.\";\n\n const requestedTimeout = Number(args.timeoutMs);\n const timeoutMs =\n Number.isFinite(requestedTimeout) && requestedTimeout > 0\n ? Math.min(requestedTimeout, MAX_TIMEOUT_MS)\n : DEFAULT_TIMEOUT_MS;\n\n const requestedMaxOutput = Number(args.maxOutputChars);\n const maxOutputChars =\n Number.isFinite(requestedMaxOutput) && requestedMaxOutput > 0\n ? Math.min(requestedMaxOutput, MAX_OUTPUT_CHARS)\n : DEFAULT_MAX_OUTPUT_CHARS;\n\n const actions = getActions();\n const bridgeToken = crypto.randomBytes(32).toString(\"hex\");\n\n // Start bridge server — resolves once the server is listening.\n const {\n server,\n bridgePort,\n getUsedTools,\n cleanup: cleanupBridge,\n } = await startBridgeServer(\n bridgeToken,\n actions,\n context,\n DEFAULT_BRIDGE_TOOLS,\n extraBridgeTools,\n );\n\n let tmpDir: string | undefined;\n let tmpFile: string | undefined;\n try {\n // Write code to a temp ESM file (top-level await needs a module).\n const tmpBaseDir = fs.realpathSync(os.tmpdir());\n tmpDir = fs.mkdtempSync(path.join(tmpBaseDir, \"agent-run-code-\"));\n tmpFile = path.join(tmpDir, \"sandbox.mjs\");\n fs.writeFileSync(\n tmpFile,\n buildSandboxModule(code, bridgePort, bridgeToken),\n \"utf8\",\n );\n\n // Build scrubbed env — only safe POSIX vars, no secrets.\n const safeEnv: Record<string, string> = {};\n for (const key of [\n \"PATH\",\n \"HOME\",\n \"TMPDIR\",\n \"TEMP\",\n \"TMP\",\n \"LANG\",\n \"LC_ALL\",\n ]) {\n if (process.env[key]) safeEnv[key] = process.env[key]!;\n }\n // Point TMPDIR inside the sandbox dir so in-sandbox temp writes stay\n // within the permission-model allow list.\n safeEnv.TMPDIR = tmpDir;\n safeEnv.TEMP = tmpDir;\n safeEnv.TMP = tmpDir;\n\n // Lock the child down with the Node permission model when available:\n // filesystem restricted to the sandbox temp dir, and child processes,\n // workers, and native addons denied entirely.\n const permissionFlag = resolvePermissionFlag();\n const nodeArgs = permissionFlag\n ? [\n permissionFlag,\n ...sandboxReadAllowPaths(tmpDir).map(\n (allowedPath) => `--allow-fs-read=${allowedPath}`,\n ),\n ...sandboxWriteAllowPaths(tmpDir).map(\n (allowedPath) => `--allow-fs-write=${allowedPath}`,\n ),\n tmpFile,\n ]\n : [tmpFile];\n\n const child = spawn(process.execPath, nodeArgs, {\n cwd: tmpDir,\n env: safeEnv,\n stdio: [\"ignore\", \"pipe\", \"pipe\"],\n });\n\n let stdout = \"\";\n let stderr = \"\";\n let timedOut = false;\n\n const timer = setTimeout(() => {\n timedOut = true;\n child.kill(\"SIGTERM\");\n setTimeout(() => {\n try {\n child.kill(\"SIGKILL\");\n } catch {}\n }, 2_000);\n }, timeoutMs);\n\n child.stdout?.on(\"data\", (chunk: Buffer) => {\n stdout += chunk.toString();\n });\n child.stderr?.on(\"data\", (chunk: Buffer) => {\n stderr += chunk.toString();\n });\n\n const exitCode = await new Promise<number | null>((resolve, reject) => {\n child.once(\"error\", reject);\n child.once(\"exit\", resolve);\n });\n clearTimeout(timer);\n\n const combined =\n [\n stdout ? `stdout:\\n${stdout}` : \"\",\n stderr ? `stderr:\\n${stderr}` : \"\",\n ]\n .filter(Boolean)\n .join(\"\\n\\n\") || \"(no output)\";\n\n const lines: string[] = [];\n if (timedOut) lines.push(`timedOut: true (${timeoutMs}ms)`);\n if (exitCode !== 0 && exitCode !== null)\n lines.push(`exitCode: ${exitCode}`);\n const usedTools = getUsedTools();\n if (usedTools.length)\n lines.push(`bridgeToolsUsed: ${usedTools.join(\", \")}`);\n lines.push(combined);\n\n const full = lines.join(\"\\n\\n\");\n if (full.length > maxOutputChars) {\n const truncated = full.slice(0, maxOutputChars);\n return `${truncated}\\n\\n...[truncated ${(full.length - maxOutputChars).toLocaleString()} chars]`;\n }\n return full;\n } finally {\n cleanupBridge();\n server.close();\n // Clean up temp files (best-effort).\n try {\n if (tmpFile) fs.rmSync(tmpFile, { force: true });\n if (tmpDir) fs.rmSync(tmpDir, { recursive: true, force: true });\n } catch {}\n }\n },\n };\n}\n\n// ---------------------------------------------------------------------------\n// Bridge server\n// ---------------------------------------------------------------------------\n\ninterface BridgeResult {\n server: http.Server;\n bridgePort: number;\n getUsedTools: () => string[];\n cleanup: () => void;\n}\n\nasync function startBridgeServer(\n token: string,\n actions: Record<string, ActionEntry>,\n context: ActionRunContext | undefined,\n defaultTools: Set<string>,\n extraTools: Set<string>,\n): Promise<BridgeResult> {\n const usedTools = new Set<string>();\n const server = http.createServer((req, res) => {\n if (req.method !== \"POST\" || req.url !== \"/tool\") {\n res.writeHead(404);\n res.end(\"Not found\");\n return;\n }\n\n // Validate bearer token — must match exactly.\n const authHeader = req.headers.authorization ?? \"\";\n if (authHeader !== `Bearer ${token}`) {\n res.writeHead(401);\n res.end(\"Unauthorized\");\n return;\n }\n\n let body = \"\";\n let receivedBytes = 0;\n let rejected = false;\n req.on(\"data\", (chunk: Buffer) => {\n receivedBytes += chunk.length;\n if (receivedBytes > BRIDGE_MAX_BODY_BYTES) {\n rejected = true;\n res.writeHead(413);\n res.end(\"Payload too large\");\n req.destroy();\n return;\n }\n body += chunk.toString();\n });\n req.on(\"end\", () => {\n if (rejected) return;\n handleBridgeRequest(\n body,\n actions,\n context,\n defaultTools,\n extraTools,\n usedTools,\n res,\n );\n });\n req.on(\"error\", () => {\n res.writeHead(500);\n res.end(\"Request error\");\n });\n });\n\n await new Promise<void>((resolve, reject) => {\n server.once(\"error\", reject);\n server.listen(0, \"127.0.0.1\", () => resolve());\n });\n\n const addr = server.address() as { port: number };\n const bridgePort = addr.port;\n\n const cleanup = () => {\n try {\n server.close();\n } catch {}\n };\n\n return {\n server,\n bridgePort,\n getUsedTools: () => Array.from(usedTools).sort(),\n cleanup,\n };\n}\n\nfunction handleBridgeRequest(\n rawBody: string,\n actions: Record<string, ActionEntry>,\n context: ActionRunContext | undefined,\n defaultTools: Set<string>,\n extraTools: Set<string>,\n usedTools: Set<string>,\n res: http.ServerResponse,\n): void {\n let parsed: { tool?: string; args?: Record<string, string> };\n try {\n parsed = JSON.parse(rawBody);\n } catch {\n res.writeHead(400, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Invalid JSON body\" }));\n return;\n }\n\n const toolName = typeof parsed.tool === \"string\" ? parsed.tool.trim() : \"\";\n if (!toolName) {\n res.writeHead(400, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Missing tool name\" }));\n return;\n }\n\n // Enforce allowlist.\n const entry = actions[toolName];\n const isReadOnlyAction =\n entry?.readOnly === true &&\n entry.agentTool !== false &&\n entry.toolCallable !== false;\n if (\n !defaultTools.has(toolName) &&\n !extraTools.has(toolName) &&\n !isReadOnlyAction\n ) {\n res.writeHead(403, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({\n error: `Tool \"${toolName}\" is not an agent-exposed read-only action or sandbox bridge allowlisted tool.`,\n }),\n );\n return;\n }\n\n if (!entry) {\n res.writeHead(404, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: `Tool \"${toolName}\" is not registered.` }));\n return;\n }\n\n const toolArgs = parsed.args ?? {};\n usedTools.add(toolName);\n // Run the tool with the parent request context so auth/org/owner resolution\n // works exactly as it does in the normal agent loop.\n entry\n .run(toolArgs, context)\n .then((result: unknown) => {\n const body =\n typeof result === \"string\" ? result : JSON.stringify(result, null, 2);\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ result: body }));\n })\n .catch((err: unknown) => {\n const message = err instanceof Error ? err.message : String(err);\n res.writeHead(500, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: message }));\n });\n}\n\n// ---------------------------------------------------------------------------\n// Sandbox module template\n// ---------------------------------------------------------------------------\n\n/**\n * Wrap the user's code in an ESM module that:\n * 1. Defines `providerFetch`, `providerRequest`, `providerFetchAll`, and\n * `webFetch` helpers via the bridge.\n * 2. Runs the user's code as top-level await in an async IIFE.\n */\nfunction buildSandboxModule(\n userCode: string,\n bridgePort: number,\n bridgeToken: string,\n): string {\n return `\nimport { createRequire } from \"node:module\";\nconst require = createRequire(import.meta.url);\n\nconst _bridgeBase = \"http://127.0.0.1:${bridgePort}/tool\";\nconst _bridgeToken = \"${bridgeToken}\";\n\nasync function _bridgeCall(tool, args) {\n const http = await import(\"node:http\");\n return new Promise((resolve, reject) => {\n const body = JSON.stringify({ tool, args });\n const options = {\n hostname: \"127.0.0.1\",\n port: ${bridgePort},\n path: \"/tool\",\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n \"Content-Length\": Buffer.byteLength(body),\n \"Authorization\": \"Bearer \" + _bridgeToken,\n },\n };\n const req = http.request(options, (res) => {\n let data = \"\";\n res.on(\"data\", (chunk) => { data += chunk; });\n res.on(\"end\", () => {\n try {\n const parsed = JSON.parse(data);\n if (parsed.error) {\n reject(new Error(parsed.error));\n } else {\n resolve(parsed.result);\n }\n } catch (e) {\n reject(new Error(\"Bridge response parse error: \" + e.message));\n }\n });\n });\n req.on(\"error\", reject);\n req.end(body);\n });\n}\n\nfunction _parseBridgeResult(rawResult) {\n if (typeof rawResult !== \"string\") return rawResult;\n try { return JSON.parse(rawResult); } catch { return rawResult; }\n}\n\n/**\n * Call any registered agent-exposed read-only app action/tool via the sandbox bridge.\n * Mutating and explicitly hidden actions are blocked by the parent bridge.\n */\nasync function appAction(name, args = {}) {\n return _parseBridgeResult(await _bridgeCall(name, args));\n}\n\nasync function providerRequest(provider, apiPath, init = {}) {\n const method = (init.method || \"GET\").toUpperCase();\n const rawResult = await _bridgeCall(\"provider-api-request\", {\n provider,\n path: apiPath,\n method,\n ...(init.query ? { query: init.query } : {}),\n ...(init.body ? { body: init.body } : {}),\n ...(init.headers ? { headers: init.headers } : {}),\n ...(init.auth ? { auth: init.auth } : {}),\n ...(init.connectionId ? { connectionId: init.connectionId } : {}),\n ...(init.accountId ? { accountId: init.accountId } : {}),\n ...(init.timeoutMs ? { timeoutMs: init.timeoutMs } : {}),\n ...(init.maxBytes ? { maxBytes: init.maxBytes } : {}),\n ...(init.stageAs ? { stageAs: init.stageAs } : {}),\n ...(init.itemsPath ? { itemsPath: init.itemsPath } : {}),\n ...(init.pagination ? { pagination: init.pagination } : {}),\n ...(init.saveToFile ? { saveToFile: init.saveToFile } : {}),\n ...(init.fetchAllPages ? { fetchAllPages: init.fetchAllPages } : {}),\n });\n return _parseBridgeResult(rawResult);\n}\n\n/**\n * Call a provider API via the authenticated provider-api-request action.\n * Returns the parsed JSON response body (or throws on error).\n */\nasync function providerFetch(provider, apiPath, init = {}) {\n const parsed = await providerRequest(provider, apiPath, init);\n // Unwrap the provider-api-request envelope ({ provider, request, response, guidance })\n // so callers get the actual response body. fetchAllPages / saveToFile results\n // (which have no \\`response\\` field) are returned as-is.\n if (parsed && typeof parsed === \"object\" && parsed.response && typeof parsed.response === \"object\") {\n const r = parsed.response;\n if (typeof r.status === \"number\" && r.status >= 400) {\n const detail = typeof r.text === \"string\" ? r.text : JSON.stringify(r.json ?? \"\");\n throw new Error(\\`Provider request failed (\\${r.status}): \\${String(detail).slice(0, 500)}\\`);\n }\n return r.json !== undefined ? r.json : r.text;\n }\n return parsed;\n}\n\nfunction _cloneJson(value) {\n if (value === undefined || value === null) return value;\n return JSON.parse(JSON.stringify(value));\n}\n\nfunction _pathParts(path) {\n if (!path || typeof path !== \"string\") return [];\n return path\n .replace(/\\\\[(\\\\d+)\\\\]/g, \".$1\")\n .split(\".\")\n .map((part) => part.trim())\n .filter(Boolean);\n}\n\nfunction _getByPath(value, path) {\n let current = value;\n for (const part of _pathParts(path)) {\n if (current === undefined || current === null) return undefined;\n current = current[part];\n }\n return current;\n}\n\nfunction _setByPath(value, path, nextValue) {\n const parts = _pathParts(path);\n if (!parts.length) return value;\n const root = value && typeof value === \"object\" ? _cloneJson(value) : {};\n let current = root;\n for (let i = 0; i < parts.length - 1; i++) {\n const part = parts[i];\n if (!current[part] || typeof current[part] !== \"object\") current[part] = {};\n current = current[part];\n }\n current[parts[parts.length - 1]] = nextValue;\n return root;\n}\n\nfunction _extractItems(page, itemsPath) {\n if (itemsPath) {\n const value = _getByPath(page, itemsPath);\n return Array.isArray(value) ? value : [];\n }\n if (Array.isArray(page)) return page;\n if (!page || typeof page !== \"object\") return [];\n for (const key of [\"data\", \"results\", \"items\", \"records\", \"rows\", \"calls\", \"messages\", \"tickets\", \"issues\", \"deals\"]) {\n if (Array.isArray(page[key])) return page[key];\n }\n return [];\n}\n\nfunction _withoutProviderFetchAllOptions(init) {\n const {\n pagination: _pagination,\n fetchAllPages: _fetchAllPages,\n stageAs: _stageAs,\n itemsPath: _itemsPath,\n saveToFile: _saveToFile,\n ...rest\n } = init || {};\n return rest;\n}\n\n/**\n * Fetch every page from a provider API using generic cursor, page-number, or\n * offset pagination. Prefer this inside run-code when the answer depends on a\n * broad provider corpus rather than a single bounded request.\n */\nasync function providerFetchAll(provider, apiPath, init = {}) {\n const pagination = init.pagination || init.fetchAllPages || {};\n const itemsPath = pagination.itemsPath || init.itemsPath;\n const cursorPath = pagination.nextCursorPath || pagination.cursorPath;\n const maxPagesRaw = Number(pagination.maxPages || init.maxPages || 50);\n const maxPages = Math.max(1, Math.min(Number.isFinite(maxPagesRaw) ? maxPagesRaw : 50, 200));\n const baseInit = _withoutProviderFetchAllOptions(init);\n let query = _cloneJson(init.query || {});\n let body = _cloneJson(init.body);\n let pageNumber = Number(pagination.startPage || 1);\n let offset = Number(pagination.startOffset || 0);\n const pages = [];\n const items = [];\n let lastCursor = null;\n let stoppedReason = \"completed\";\n\n for (let pageIndex = 0; pageIndex < maxPages; pageIndex++) {\n if (pagination.pageParam) {\n query = { ...(query || {}), [pagination.pageParam]: pageNumber };\n }\n if (pagination.offsetParam) {\n query = { ...(query || {}), [pagination.offsetParam]: offset };\n }\n\n const page = await providerFetch(provider, apiPath, {\n ...baseInit,\n query,\n ...(body !== undefined ? { body } : {}),\n });\n pages.push(page);\n const pageItems = _extractItems(page, itemsPath);\n items.push(...pageItems);\n\n const nextCursor = cursorPath ? _getByPath(page, cursorPath) : undefined;\n if (nextCursor !== undefined && nextCursor !== null && String(nextCursor) !== \"\") {\n if (lastCursor !== null && String(nextCursor) === String(lastCursor)) {\n stoppedReason = \"repeated-cursor\";\n break;\n }\n lastCursor = nextCursor;\n if (pagination.cursorBodyPath) {\n body = _setByPath(body || {}, pagination.cursorBodyPath, nextCursor);\n } else if (pagination.cursorParam) {\n query = { ...(query || {}), [pagination.cursorParam]: nextCursor };\n } else {\n stoppedReason = \"cursor-found-without-destination\";\n break;\n }\n continue;\n }\n\n lastCursor = null;\n if (pagination.pageParam) {\n if (pageItems.length === 0) {\n stoppedReason = \"empty-page\";\n break;\n }\n pageNumber += 1;\n continue;\n }\n if (pagination.offsetParam) {\n if (pageItems.length === 0) {\n stoppedReason = \"empty-page\";\n break;\n }\n const step = Number(pagination.pageSize || pageItems.length);\n if (!Number.isFinite(step) || step <= 0) {\n stoppedReason = \"invalid-page-size\";\n break;\n }\n offset += step;\n if (pagination.pageSize && pageItems.length < Number(pagination.pageSize)) {\n stoppedReason = \"short-page\";\n break;\n }\n continue;\n }\n\n break;\n }\n\n const hitPageOrOffsetLimit =\n Boolean(pagination.pageParam || pagination.offsetParam) &&\n stoppedReason === \"completed\" &&\n pages.length >= maxPages;\n const hasMore =\n (lastCursor !== null && pages.length >= maxPages) || hitPageOrOffsetLimit;\n if (hasMore) stoppedReason = \"max-pages\";\n return {\n items,\n pages,\n pageCount: pages.length,\n itemCount: items.length,\n hasMore,\n lastCursor,\n stoppedReason,\n };\n}\n\n/**\n * Make an outbound HTTP request via the web-request action.\n * Returns an object \\`{ status, body }\\` where \\`body\\` is the response text.\n */\nasync function webFetch(url, init = {}) {\n const method = (init.method || \"GET\").toUpperCase();\n const rawResult = await _bridgeCall(\"web-request\", {\n url,\n method,\n ...(init.headers ? { headers: typeof init.headers === \"string\" ? init.headers : JSON.stringify(init.headers) } : {}),\n ...(init.body ? { body: typeof init.body === \"string\" ? init.body : JSON.stringify(init.body) } : {}),\n });\n // rawResult is \"HTTP <status> <statusText>\\\\n\\\\n<body>\"\n const statusMatch = typeof rawResult === \"string\" ? rawResult.match(/^HTTP (\\\\d+) [^\\\\n]*\\\\n\\\\n/) : null;\n if (statusMatch) {\n return {\n status: Number(statusMatch[1]),\n body: rawResult.slice(statusMatch[0].length),\n };\n }\n return { status: 0, body: rawResult };\n}\n\n/**\n * Read a Resources-backed workspace file by path. Returns the file content as\n * a string, or null if not found.\n * Supports optional offset and maxChars for paging large files.\n */\nasync function workspaceRead(path, opts = {}) {\n const parsed = await workspaceReadMeta(path, opts);\n if (parsed && parsed.ok === false) return null;\n return parsed && typeof parsed.content === \"string\" ? parsed.content : null;\n}\n\n/**\n * Read a workspace file by path and return the full metadata envelope.\n * Use this when offset/maxChars paging or truncation status matters.\n */\nasync function workspaceReadMeta(path, opts = {}) {\n const rawResult = await _bridgeCall(\"workspace-files\", {\n action: \"read\",\n path,\n ...(opts.offset !== undefined ? { offset: opts.offset } : {}),\n ...(opts.maxChars !== undefined ? { maxChars: opts.maxChars } : {}),\n });\n return _parseBridgeResult(rawResult);\n}\n\n/**\n * Write (create or overwrite) a workspace file. Use \\`scratch/...\\` for\n * temporary staging files.\n * \\`content\\` must be a string. Returns metadata { path, sizeBytes, updatedAt }.\n */\nasync function workspaceWrite(path, content, contentType = \"text/plain\") {\n const rawResult = await _bridgeCall(\"workspace-files\", {\n action: \"write\",\n path,\n content: typeof content === \"string\" ? content : JSON.stringify(content),\n contentType,\n });\n try { return typeof rawResult === \"string\" ? JSON.parse(rawResult) : rawResult; } catch { return rawResult; }\n}\n\n/**\n * Append text to a workspace file (creates if absent).\n */\nasync function workspaceAppend(path, content) {\n const rawResult = await _bridgeCall(\"workspace-files\", {\n action: \"append\",\n path,\n content: typeof content === \"string\" ? content : JSON.stringify(content),\n });\n try { return typeof rawResult === \"string\" ? JSON.parse(rawResult) : rawResult; } catch { return rawResult; }\n}\n\n/**\n * List workspace files, optionally filtered by path prefix.\n * Returns an array of { path, sizeBytes, contentType, updatedAt }.\n */\nasync function workspaceList(prefix) {\n const rawResult = await _bridgeCall(\"workspace-files\", {\n action: \"list\",\n ...(prefix ? { path: prefix } : {}),\n });\n const parsed = typeof rawResult === \"string\" ? JSON.parse(rawResult) : rawResult;\n if (parsed && Array.isArray(parsed.files)) return parsed.files;\n if (Array.isArray(parsed)) return parsed;\n throw new Error(\"workspaceList: unexpected result shape: \" + JSON.stringify(parsed).slice(0, 200));\n}\n\n// Run user code\n(async () => {\n${userCode}\n})().catch((err) => {\n console.error(\"Unhandled error:\", err?.message ?? String(err));\n process.exit(1);\n});\n`;\n}\n"]}
package/dist/provider-api/index.d.ts CHANGED
@@ -165,6 +165,25 @@ interface ProviderApiRuntime {
165
165
  }): Promise<unknown>;
166
166
  executeRequest(args: ProviderApiRequestArgs): Promise<unknown>;
167
167
  }
168
+ interface ProviderApiHttpResponse {
169
+ status: number;
170
+ statusText: string;
171
+ ok: boolean;
172
+ elapsedMs: number;
173
+ headers: Record<string, string>;
174
+ contentType: string | null;
175
+ size: number;
176
+ truncated: boolean;
177
+ text?: string;
178
+ json?: unknown;
179
+ quota?: {
180
+ exhausted: boolean;
181
+ providerId: string;
182
+ retryAfterMs: number;
183
+ retryAt: string;
184
+ reason: string;
185
+ };
186
+ }
168
187
  export declare function getProviderApiConfig(provider: ProviderApiId | string): ProviderApiConfig;
169
188
  export declare function isProviderApiId(provider: string): provider is ProviderApiId;
170
189
  export declare function listProviderApiIdsForTemplateUse(templateUse: WorkspaceConnectionTemplateUse): ProviderApiId[];
@@ -265,18 +284,7 @@ export declare function fetchProviderApiDocs(options: {
265
284
  request: {
266
285
  url: string;
267
286
  };
268
- response: {
269
- status: number;
270
- statusText: string;
271
- ok: boolean;
272
- elapsedMs: number;
273
- headers: Record<string, string>;
274
- contentType: string | null;
275
- size: number;
276
- truncated: boolean;
277
- text: string | undefined;
278
- json: unknown;
279
- };
287
+ response: ProviderApiHttpResponse;
280
288
  guidance?: undefined;
281
289
  }>;
282
290
  export declare function executeProviderApiRequest(args: ProviderApiRequestArgs, runtime: ProviderApiRuntimeOptions): Promise<unknown>;
package/dist/provider-api/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/provider-api/index.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,KAAK,iBAAiB,EACvB,MAAM,yBAAyB,CAAC;AAYjC,OAAO,KAAK,EAAE,8BAA8B,EAAE,MAAM,2BAA2B,CAAC;AAChF,OAAO,KAAK,EACV,oBAAoB,EAErB,MAAM,sBAAsB,CAAC;AAE9B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,mBAAmB,EACnB,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,sBAAsB,CAAC;AAE9B,eAAO,MAAM,gBAAgB,kSA0BnB,CAAC;AAEX,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE9D,MAAM,MAAM,iBAAiB,GACzB,KAAK,GACL,MAAM,GACN,KAAK,GACL,OAAO,GACP,QAAQ,GACR,MAAM,CAAC;AAEX,kDAAkD;AAClD,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,aAAa,GAAG,MAAM,CAAC;IACjC,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,IAAI,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,aAAa,CAAC,EAAE,mBAAmB,CAAC;CACrC;AAED,MAAM,MAAM,mBAAmB,GAC3B;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,GAChB;IACE,IAAI,EAAE,QAAQ,CAAC;IACf,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,GACD;IACE,IAAI,EAAE,OAAO,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,GACD;IACE,IAAI,EAAE,WAAW,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,GACD;IACE,IAAI,EAAE,gBAAgB,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,GACD;IACE,IAAI,EAAE,wBAAwB,CAAC;IAC/B,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;CAC3B,GACD;IACE,IAAI,EAAE,cAAc,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,IAAI,EAAE,YAAY,CAAC;CACpB,CAAC;AAEN,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,aAAa,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,IAAI,EAAE,mBAAmB,CAAC;IAC1B,cAAc,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC7B,mBAAmB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACxC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,YAAY,CAAC,EAAE,SAAS,sBAAsB,EAAE,CAAC;IACjD,QAAQ,CAAC,EAAE,SAAS,kBAAkB,EAAE,CAAC;IACzC,KAAK,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC1B,YAAY,CAAC,EAAE,SAAS,8BAA8B,EAAE,CAAC;CAC1D;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,iBAAiB,CAAC;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,6BAA6B;IAC5C,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,kCAAkC;IACjD,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,iBAAiB,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,qBAAqB,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,MAAM,6BAA6B,GAAG,CAC1C,OAAO,EAAE,kCAAkC,KACxC,OAAO,CAAC,6BAA6B,GAAG,IAAI,CAAC,CAAC;AAEnD,MAAM,WAAW,yBAAyB;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,SAAS,CAAC,aAAa,GAAG,MAAM,CAAC,EAAE,CAAC;IAClD,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,oBAAoB,CAAC,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;IACtD,iBAAiB,CAAC,EAAE,6BAA6B,CAAC;IAClD;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChD;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,EAAE,CAAC,CAAC;CAC5D;AAED,UAAU,kBAAkB;IAC1B,WAAW,EAAE,SAAS,aAAa,EAAE,CAAC;IACtC,WAAW,CACT,QAAQ,CAAC,EAAE,aAAa,GAAG,MAAM,GAChC,UAAU,CAAC,OAAO,sBAAsB,CAAC,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,SAAS,CAAC,OAAO,EAAE;QACjB,QAAQ,EAAE,aAAa,GAAG,MAAM,CAAC;QACjC,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACrB,cAAc,CAAC,IAAI,EAAE,sBAAsB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAChE;AAirBD,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,aAAa,GAAG,MAAM,GAC/B,iBAAiB,CAInB;AAED,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,QAAQ,IAAI,aAAa,CAE3E;AAED,wBAAgB,gCAAgC,CAC9C,WAAW,EAAE,8BAA8B,GAC1C,aAAa,EAAE,CAIjB;AAED,wBAAgB,sBAAsB,CACpC,QAAQ,CAAC,EAAE,aAAa,GAAG,MAAM,EACjC,OAAO,GAAE;IAAE,WAAW,CAAC,EAAE,SAAS,CAAC,aAAa,GAAG,MAAM,CAAC,EAAE,CAAA;CAAO;;;;;;;;;;;;;;;IAyBpE;AAED,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,yBAAyB,GACjC,kBAAkB,CAsBpB;AAED,wBAAsB,oBAAoB,CACxC,OAAO,EAAE;IACP,QAAQ,EAAE,aAAa,GAAG,MAAM,CAAC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,EACD,OAAO,GAAE,yBAA4C;;;;;;;;;;;;;;;;;;;;;;;;;kBA2iBnC,MAAM,EAAE;;sBAEJ,OAAO,EAAE;;kBAEb,OAAO,EAAE;;sBAEL,MAAM,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBANZ,MAAM,EAAE;;sBAEJ,OAAO,EAAE;;kBAEb,OAAO,EAAE;;sBAEL,MAAM,EAAE;;;;;;;;;;;;;;;;;;;GAxf/B;AAED,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,sBAAsB,EAC5B,OAAO,EAAE,yBAAyB,oBAqLnC;AA6aD,wBAAsB,oCAAoC,CACxD,OAAO,EAAE,kCAAkC,GAC1C,OAAO,CAAC,6BAA6B,GAAG,IAAI,CAAC,CAkC/C"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/provider-api/index.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,KAAK,iBAAiB,EACvB,MAAM,yBAAyB,CAAC;AAYjC,OAAO,KAAK,EAAE,8BAA8B,EAAE,MAAM,2BAA2B,CAAC;AAChF,OAAO,KAAK,EACV,oBAAoB,EAErB,MAAM,sBAAsB,CAAC;AAS9B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,mBAAmB,EACnB,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,sBAAsB,CAAC;AAE9B,eAAO,MAAM,gBAAgB,kSA0BnB,CAAC;AAEX,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE9D,MAAM,MAAM,iBAAiB,GACzB,KAAK,GACL,MAAM,GACN,KAAK,GACL,OAAO,GACP,QAAQ,GACR,MAAM,CAAC;AAEX,kDAAkD;AAClD,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,aAAa,GAAG,MAAM,CAAC;IACjC,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,IAAI,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,aAAa,CAAC,EAAE,mBAAmB,CAAC;CACrC;AAED,MAAM,MAAM,mBAAmB,GAC3B;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,GAChB;IACE,IAAI,EAAE,QAAQ,CAAC;IACf,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,GACD;IACE,IAAI,EAAE,OAAO,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,GACD;IACE,IAAI,EAAE,WAAW,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,GACD;IACE,IAAI,EAAE,gBAAgB,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,GACD;IACE,IAAI,EAAE,wBAAwB,CAAC;IAC/B,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;CAC3B,GACD;IACE,IAAI,EAAE,cAAc,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,IAAI,EAAE,YAAY,CAAC;CACpB,CAAC;AAEN,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,aAAa,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,IAAI,EAAE,mBAAmB,CAAC;IAC1B,cAAc,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC7B,mBAAmB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACxC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,YAAY,CAAC,EAAE,SAAS,sBAAsB,EAAE,CAAC;IACjD,QAAQ,CAAC,EAAE,SAAS,kBAAkB,EAAE,CAAC;IACzC,KAAK,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC1B,YAAY,CAAC,EAAE,SAAS,8BAA8B,EAAE,CAAC;CAC1D;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,iBAAiB,CAAC;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,6BAA6B;IAC5C,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,kCAAkC;IACjD,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,iBAAiB,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,qBAAqB,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,MAAM,6BAA6B,GAAG,CAC1C,OAAO,EAAE,kCAAkC,KACxC,OAAO,CAAC,6BAA6B,GAAG,IAAI,CAAC,CAAC;AAEnD,MAAM,WAAW,yBAAyB;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,SAAS,CAAC,aAAa,GAAG,MAAM,CAAC,EAAE,CAAC;IAClD,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,oBAAoB,CAAC,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;IACtD,iBAAiB,CAAC,EAAE,6BAA6B,CAAC;IAClD;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChD;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,EAAE,CAAC,CAAC;CAC5D;AAED,UAAU,kBAAkB;IAC1B,WAAW,EAAE,SAAS,aAAa,EAAE,CAAC;IACtC,WAAW,CACT,QAAQ,CAAC,EAAE,aAAa,GAAG,MAAM,GAChC,UAAU,CAAC,OAAO,sBAAsB,CAAC,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,SAAS,CAAC,OAAO,EAAE;QACjB,QAAQ,EAAE,aAAa,GAAG,MAAM,CAAC;QACjC,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACrB,cAAc,CAAC,IAAI,EAAE,sBAAsB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAChE;AAQD,UAAU,uBAAuB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,EAAE,OAAO,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE;QACN,SAAS,EAAE,OAAO,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAkrBD,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,aAAa,GAAG,MAAM,GAC/B,iBAAiB,CAInB;AAED,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,QAAQ,IAAI,aAAa,CAE3E;AAED,wBAAgB,gCAAgC,CAC9C,WAAW,EAAE,8BAA8B,GAC1C,aAAa,EAAE,CAIjB;AAED,wBAAgB,sBAAsB,CACpC,QAAQ,CAAC,EAAE,aAAa,GAAG,MAAM,EACjC,OAAO,GAAE;IAAE,WAAW,CAAC,EAAE,SAAS,CAAC,aAAa,GAAG,MAAM,CAAC,EAAE,CAAA;CAAO;;;;;;;;;;;;;;;IAyBpE;AAED,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,yBAAyB,GACjC,kBAAkB,CAsBpB;AAED,wBAAsB,oBAAoB,CACxC,OAAO,EAAE;IACP,QAAQ,EAAE,aAAa,GAAG,MAAM,CAAC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,EACD,OAAO,GAAE,yBAA4C;;;;;;;;;;;;;;;;;;;;;;;;;kBAgnBnC,MAAM,EAAE;;sBAEJ,OAAO,EAAE;;kBAEb,OAAO,EAAE;;sBAEL,MAAM,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBANZ,MAAM,EAAE;;sBAEJ,OAAO,EAAE;;kBAEb,OAAO,EAAE;;sBAEL,MAAM,EAAE;;;;;;;;GA7jB/B;AAED,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,sBAAsB,EAC5B,OAAO,EAAE,yBAAyB,oBAwNnC;AA+cD,wBAAsB,oCAAoC,CACxD,OAAO,EAAE,kCAAkC,GAC1C,OAAO,CAAC,6BAA6B,GAAG,IAAI,CAAC,CAkC/C"}
package/dist/provider-api/index.js CHANGED
@@ -4,6 +4,7 @@ import { createSsrfSafeDispatcher, isBlockedExtensionUrlWithDns, } from "../exte
4
4
  import { deleteOAuthTokens, listOAuthAccountsByOwner, saveOAuthTokens, } from "../oauth-tokens/index.js";
5
5
  import { getCredentialContext } from "../server/request-context.js";
6
6
  import { resolveWorkspaceConnectionCredentialForApp } from "../workspace-connections/credentials.js";
7
+ import { createProviderQuotaIdentity, createProviderRequestDedupeKey, executeWithProviderQuota, } from "./quota-governor.js";
7
8
  export { upsertCustomProvider, deleteCustomProvider, listCustomProviders, getCustomProvider, validateCustomBaseUrl, } from "./custom-registry.js";
8
9
  export const PROVIDER_API_IDS = [
9
10
  "amplitude",
@@ -842,6 +843,14 @@ export async function executeProviderApiRequest(args, runtime) {
842
843
  const effectiveMaxBytes = args.saveToFile
843
844
  ? SAVE_TO_FILE_MAX_BYTES
844
845
  : clampMaxBytes(args.maxBytes);
846
+ const quotaIdentity = createProviderQuotaIdentity({
847
+ appId: runtimeOptionsAppId(runtime),
848
+ providerId: config.id,
849
+ ctx,
850
+ credentialSources: auth.credentialSources,
851
+ connectionId: args.connectionId,
852
+ accountId: args.accountId,
853
+ });
845
854
  // --- fetchAllPages mode ---
846
855
  if (args.fetchAllPages) {
847
856
  const pageCfg = args.fetchAllPages;
@@ -859,6 +868,12 @@ export async function executeProviderApiRequest(args, runtime) {
859
868
  ? setValueAtPath(substituteUnknown(args.body, placeholders), extra.bodyCursor.path, extra.bodyCursor.value)
860
869
  : substituteUnknown(args.body, placeholders);
861
870
  const pageBody = prepareBody(bodyWithCursor, { ...headers });
871
+ const requestKey = createProviderRequestDedupeKey({
872
+ method,
873
+ url: pageUrl.href,
874
+ body: pageBody,
875
+ headers,
876
+ });
862
877
  const resp = await fetchWithTimeout(pageUrl.href, {
863
878
  method,
864
879
  headers,
@@ -866,6 +881,12 @@ export async function executeProviderApiRequest(args, runtime) {
866
881
  maxBytes: effectiveMaxBytes,
867
882
  timeoutMs: clampTimeout(args.timeoutMs),
868
883
  secretValues: auth.secretValues,
884
+ quota: {
885
+ identity: quotaIdentity,
886
+ method,
887
+ target: describeProviderRequestTarget(pageUrl.href, auth.secretValues),
888
+ requestKey,
889
+ },
869
890
  });
870
891
  return {
871
892
  text: resp.text ??
@@ -890,6 +911,12 @@ export async function executeProviderApiRequest(args, runtime) {
890
911
  }
891
912
  // --- Single request ---
892
913
  const body = prepareBody(substituteUnknown(args.body, placeholders), headers);
914
+ const requestKey = createProviderRequestDedupeKey({
915
+ method,
916
+ url: url.href,
917
+ body,
918
+ headers,
919
+ });
893
920
  const response = await fetchWithTimeout(url.href, {
894
921
  method,
895
922
  headers,
@@ -897,6 +924,12 @@ export async function executeProviderApiRequest(args, runtime) {
897
924
  maxBytes: effectiveMaxBytes,
898
925
  timeoutMs: clampTimeout(args.timeoutMs),
899
926
  secretValues: auth.secretValues,
927
+ quota: {
928
+ identity: quotaIdentity,
929
+ method,
930
+ target: describeProviderRequestTarget(url.href, auth.secretValues),
931
+ requestKey,
932
+ },
900
933
  });
901
934
  // saveToFile: write full body to workspace file and return compact summary.
902
935
  if (args.saveToFile) {
@@ -978,6 +1011,14 @@ async function executeCustomProviderApiRequest(args, customConfig, runtime) {
978
1011
  const effectiveMaxBytes = args.saveToFile
979
1012
  ? SAVE_TO_FILE_MAX_BYTES
980
1013
  : clampMaxBytes(args.maxBytes);
1014
+ const quotaIdentity = createProviderQuotaIdentity({
1015
+ appId: runtimeOptionsAppId(runtime),
1016
+ providerId: customConfig.id,
1017
+ ctx,
1018
+ credentialSources: auth.credentialSources,
1019
+ connectionId: args.connectionId,
1020
+ accountId: args.accountId,
1021
+ });
981
1022
  // --- fetchAllPages mode (same cursor pagination as built-in providers) ---
982
1023
  if (args.fetchAllPages) {
983
1024
  const pageCfg = args.fetchAllPages;
@@ -995,6 +1036,12 @@ async function executeCustomProviderApiRequest(args, customConfig, runtime) {
995
1036
  ? setValueAtPath(args.body, extra.bodyCursor.path, extra.bodyCursor.value)
996
1037
  : args.body;
997
1038
  const pageBody = prepareBody(bodyWithCursor, { ...headers });
1039
+ const requestKey = createProviderRequestDedupeKey({
1040
+ method,
1041
+ url: pageUrl.href,
1042
+ body: pageBody,
1043
+ headers,
1044
+ });
998
1045
  const resp = await fetchWithTimeout(pageUrl.href, {
999
1046
  method,
1000
1047
  headers,
@@ -1002,6 +1049,12 @@ async function executeCustomProviderApiRequest(args, customConfig, runtime) {
1002
1049
  maxBytes: effectiveMaxBytes,
1003
1050
  timeoutMs: clampTimeout(args.timeoutMs),
1004
1051
  secretValues: auth.secretValues,
1052
+ quota: {
1053
+ identity: quotaIdentity,
1054
+ method,
1055
+ target: describeProviderRequestTarget(pageUrl.href, auth.secretValues),
1056
+ requestKey,
1057
+ },
1005
1058
  });
1006
1059
  return {
1007
1060
  text: resp.text ??
@@ -1035,6 +1088,17 @@ async function executeCustomProviderApiRequest(args, customConfig, runtime) {
1035
1088
  maxBytes: effectiveMaxBytes,
1036
1089
  timeoutMs: clampTimeout(args.timeoutMs),
1037
1090
  secretValues: auth.secretValues,
1091
+ quota: {
1092
+ identity: quotaIdentity,
1093
+ method,
1094
+ target: describeProviderRequestTarget(url.href, auth.secretValues),
1095
+ requestKey: createProviderRequestDedupeKey({
1096
+ method,
1097
+ url: url.href,
1098
+ body,
1099
+ headers,
1100
+ }),
1101
+ },
1038
1102
  });
1039
1103
  if (args.saveToFile) {
1040
1104
  const rawText = response.text ??
@@ -1857,52 +1921,108 @@ function prepareBody(body, headers) {
1857
1921
  headers["Content-Type"] = "application/json";
1858
1922
  return JSON.stringify(body);
1859
1923
  }
1924
+ function runtimeOptionsAppId(runtime) {
1925
+ return runtime.appId || "app";
1926
+ }
1860
1927
  async function fetchWithTimeout(optionsUrl, options) {
1861
- const controller = new AbortController();
1862
- const timeoutMs = clampTimeout(options.timeoutMs);
1863
- const timeout = setTimeout(() => controller.abort(), timeoutMs);
1864
- const method = options.method ?? "GET";
1865
- const secretValues = options.secretValues ?? [];
1866
- try {
1867
- const dispatcher = (await createSsrfSafeDispatcher()) ?? undefined;
1868
- const fetchOptions = {
1869
- method,
1870
- headers: options.headers,
1871
- body: options.body,
1872
- signal: controller.signal,
1873
- redirect: "manual",
1874
- };
1875
- if (dispatcher)
1876
- fetchOptions.dispatcher = dispatcher;
1928
+ const runOnce = async () => {
1929
+ const controller = new AbortController();
1930
+ const timeoutMs = clampTimeout(options.timeoutMs);
1931
+ const timeout = setTimeout(() => controller.abort(), timeoutMs);
1932
+ const method = options.method ?? "GET";
1933
+ const secretValues = options.secretValues ?? [];
1877
1934
  try {
1878
- return await fetchProviderResponse(optionsUrl, fetchOptions, {
1879
- maxBytes: options.maxBytes,
1880
- secretValues,
1881
- });
1882
- }
1883
- catch (error) {
1884
- if (dispatcher && isDispatcherCompatibilityError(error)) {
1885
- const fallbackOptions = { ...fetchOptions };
1886
- delete fallbackOptions.dispatcher;
1887
- return await fetchProviderResponse(optionsUrl, fallbackOptions, {
1935
+ const dispatcher = (await createSsrfSafeDispatcher()) ?? undefined;
1936
+ const fetchOptions = {
1937
+ method,
1938
+ headers: options.headers,
1939
+ body: options.body,
1940
+ signal: controller.signal,
1941
+ redirect: "manual",
1942
+ };
1943
+ if (dispatcher)
1944
+ fetchOptions.dispatcher = dispatcher;
1945
+ try {
1946
+ return await fetchProviderResponse(optionsUrl, fetchOptions, {
1888
1947
  maxBytes: options.maxBytes,
1889
1948
  secretValues,
1890
1949
  });
1891
1950
  }
1892
- throw error;
1951
+ catch (error) {
1952
+ if (dispatcher && isDispatcherCompatibilityError(error)) {
1953
+ const fallbackOptions = { ...fetchOptions };
1954
+ delete fallbackOptions.dispatcher;
1955
+ return await fetchProviderResponse(optionsUrl, fallbackOptions, {
1956
+ maxBytes: options.maxBytes,
1957
+ secretValues,
1958
+ });
1959
+ }
1960
+ throw error;
1961
+ }
1893
1962
  }
1894
- }
1895
- catch (error) {
1896
- throw normalizeFetchError(error, {
1897
- method,
1898
- url: optionsUrl,
1899
- timeoutMs,
1900
- secretValues,
1963
+ catch (error) {
1964
+ throw normalizeFetchError(error, {
1965
+ method,
1966
+ url: optionsUrl,
1967
+ timeoutMs,
1968
+ secretValues,
1969
+ });
1970
+ }
1971
+ finally {
1972
+ clearTimeout(timeout);
1973
+ }
1974
+ };
1975
+ if (options.quota) {
1976
+ return executeWithProviderQuota({
1977
+ request: {
1978
+ identity: options.quota.identity,
1979
+ method: options.quota.method,
1980
+ target: options.quota.target,
1981
+ requestKey: options.quota.requestKey,
1982
+ },
1983
+ execute: runOnce,
1984
+ inspect: (result) => ({
1985
+ status: result.status,
1986
+ headers: result.headers,
1987
+ }),
1988
+ buildQuotaExhaustedResult: providerQuotaExhaustedResponse,
1901
1989
  });
1902
1990
  }
1903
- finally {
1904
- clearTimeout(timeout);
1905
- }
1991
+ return runOnce();
1992
+ }
1993
+ function providerQuotaExhaustedResponse(detail) {
1994
+ const retryAfterSeconds = Math.max(0, Math.ceil(detail.retryAfterMs / 1000));
1995
+ return {
1996
+ status: 429,
1997
+ statusText: "Provider quota cooldown",
1998
+ ok: false,
1999
+ elapsedMs: 0,
2000
+ headers: {
2001
+ "retry-after": String(retryAfterSeconds),
2002
+ "x-agent-native-provider-quota": "exhausted",
2003
+ },
2004
+ contentType: "application/json",
2005
+ size: 0,
2006
+ truncated: false,
2007
+ json: {
2008
+ error: "provider_quota_exhausted",
2009
+ provider: detail.providerId,
2010
+ message: `Provider API quota is cooling down for ${detail.providerId}. ` +
2011
+ `Retry after ${detail.retryAt}.`,
2012
+ retryAt: detail.retryAt,
2013
+ retryAfterMs: detail.retryAfterMs,
2014
+ reason: detail.reason,
2015
+ method: detail.method,
2016
+ target: detail.target,
2017
+ },
2018
+ quota: {
2019
+ exhausted: true,
2020
+ providerId: detail.providerId,
2021
+ retryAfterMs: detail.retryAfterMs,
2022
+ retryAt: detail.retryAt,
2023
+ reason: detail.reason,
2024
+ },
2025
+ };
1906
2026
  }
1907
2027
  async function fetchProviderResponse(url, fetchOptions, options) {
1908
2028
  const startedAt = Date.now();