@agent-vm/gateway-interface 0.0.80 → 0.0.82

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/index.d.ts +146 -15
  2. package/dist/index.d.ts.map +1 -1
  3. package/dist/index.js +212 -7
  4. package/dist/index.js.map +1 -1
  5. package/package.json +3 -3
package/dist/index.d.ts CHANGED
@@ -306,14 +306,30 @@ declare function mergeRuntimeGatewaySecrets(baseSecrets: SplitResolvedSecretsRes
306
306
  //#region src/tool-vm-active-use.d.ts
307
307
  type ToolVmActiveUseOutcome = 'abandoned' | 'cancelled' | 'completed' | 'failed' | 'timed-out';
308
308
  interface ToolVmActiveUseCorrelation {
309
- readonly agentId?: string;
310
- readonly sessionId?: string;
311
- readonly sessionKey?: string;
312
- readonly toolCallId?: string;
313
- readonly toolName?: string;
309
+ readonly agentId?: string | undefined;
310
+ readonly sessionId?: string | undefined;
311
+ readonly sessionKey?: string | undefined;
312
+ readonly toolCallId?: string | undefined;
313
+ readonly toolName?: string | undefined;
314
+ }
315
+ type ToolVmSshOperationPhase = 'completed' | 'failed' | 'probe-succeeded' | 'running' | 'starting';
316
+ type ToolVmSshFailureKind = 'active-use-refreshable-failure' | 'ssh-command-failed' | 'ssh-command-timed-out' | 'ssh-probe-failed';
317
+ interface ToolVmSshFailureReport {
318
+ readonly kind: ToolVmSshFailureKind;
319
+ readonly message: string;
320
+ }
321
+ interface ToolVmSshOperationReport {
322
+ readonly failure?: ToolVmSshFailureReport | undefined;
323
+ readonly probeSucceeded?: boolean | undefined;
324
+ }
325
+ interface ToolVmActiveUseOperationReport {
326
+ readonly observedAtMs: number;
327
+ readonly phase: ToolVmSshOperationPhase;
328
+ readonly ssh?: ToolVmSshOperationReport | undefined;
314
329
  }
315
330
  interface StartToolVmActiveUseRequest {
316
- readonly correlation?: ToolVmActiveUseCorrelation;
331
+ readonly correlation?: ToolVmActiveUseCorrelation | undefined;
332
+ readonly report?: ToolVmActiveUseOperationReport | undefined;
317
333
  readonly useId: string;
318
334
  }
319
335
  interface StartToolVmActiveUseResponse {
@@ -325,31 +341,144 @@ interface HeartbeatToolVmActiveUseResponse {
325
341
  readonly expiresAt: number;
326
342
  readonly heartbeatAfterMs: number;
327
343
  }
344
+ interface HeartbeatToolVmActiveUseRequest {
345
+ readonly report?: ToolVmActiveUseOperationReport | undefined;
346
+ }
328
347
  interface EndToolVmActiveUseRequest {
329
348
  readonly outcome: ToolVmActiveUseOutcome;
349
+ readonly report?: ToolVmActiveUseOperationReport | undefined;
330
350
  }
331
351
  interface ToolVmActiveUseHandle {
352
+ readonly signal: AbortSignal;
332
353
  readonly useId: string;
333
354
  dispose(outcome?: ToolVmActiveUseOutcome): Promise<void>;
334
355
  end(outcome?: ToolVmActiveUseOutcome): Promise<void>;
356
+ report(report: ToolVmActiveUseOperationReport): void;
335
357
  }
336
358
  interface CreateToolVmActiveUseHandleOptions {
337
- readonly correlation?: ToolVmActiveUseCorrelation;
359
+ readonly correlation?: ToolVmActiveUseCorrelation | undefined;
338
360
  readonly endActiveUse: (useId: string, request: EndToolVmActiveUseRequest) => Promise<void>;
339
- readonly heartbeatActiveUse: (useId: string) => Promise<HeartbeatToolVmActiveUseResponse>;
361
+ readonly heartbeatActiveUse: (useId: string, request: HeartbeatToolVmActiveUseRequest) => Promise<HeartbeatToolVmActiveUseResponse>;
362
+ readonly heartbeatJitterRatio?: number | undefined;
340
363
  readonly isEndErrorTolerable?: (error: unknown) => boolean;
364
+ readonly isHeartbeatErrorRefreshable?: (error: unknown) => boolean;
341
365
  readonly logEndFailure?: (error: unknown) => void;
342
366
  readonly logHeartbeatFailure?: (error: unknown) => void;
343
- readonly maxHeartbeatDurationMs?: number;
344
- readonly nowImpl?: () => number;
367
+ readonly maxHeartbeatDurationMs?: number | undefined;
368
+ readonly nowImpl?: (() => number) | undefined;
369
+ readonly onRefreshableHeartbeatFailure?: (error: unknown) => Promise<void>;
370
+ readonly randomImpl?: (() => number) | undefined;
345
371
  readonly startActiveUse: (request: StartToolVmActiveUseRequest) => Promise<StartToolVmActiveUseResponse>;
346
- readonly setTimeoutImpl?: typeof setTimeout;
347
- readonly clearTimeoutImpl?: typeof clearTimeout;
372
+ readonly setTimeoutImpl?: typeof setTimeout | undefined;
373
+ readonly clearTimeoutImpl?: typeof clearTimeout | undefined;
348
374
  }
349
375
  declare function createToolVmActiveUseId(): string;
350
376
  declare function isToolVmActiveUseId(value: string): boolean;
351
377
  declare function createToolVmActiveUseHandle(options: CreateToolVmActiveUseHandleOptions): Promise<ToolVmActiveUseHandle>;
352
378
  //#endregion
379
+ //#region src/runtime-paths/runtime-path-mapping.d.ts
380
+ declare const TOOL_VM_WORKSPACE_GUEST_ROOT = "/workspace";
381
+ declare const TOOL_VM_SCRATCH_GUEST_ROOT = "/work";
382
+ declare const OPENCLAW_STATE_VM_ROOT = "/home/openclaw/.openclaw/state";
383
+ declare const OPENCLAW_STATE_SANDBOXES_VM_ROOT = "/home/openclaw/.openclaw/state/sandboxes";
384
+ type RuntimePathPurpose = 'executionCwd' | 'leaseMount';
385
+ interface RuntimePathCapabilities {
386
+ readonly executionCwd: boolean;
387
+ readonly leaseMount: boolean;
388
+ }
389
+ type RuntimePathBacking = {
390
+ readonly kind: 'host-realfs';
391
+ readonly durability: 'durable' | 'runtime' | 'cache';
392
+ readonly backup: 'included' | 'excluded';
393
+ } | {
394
+ readonly kind: 'guest-rootfs-cow';
395
+ readonly durability: 'vm-lifetime';
396
+ };
397
+ interface RuntimePathRootMappingBase {
398
+ readonly capabilities: RuntimePathCapabilities;
399
+ readonly guidanceLabel: string;
400
+ readonly id: string;
401
+ readonly rootPathAllowed: boolean;
402
+ }
403
+ type RuntimePathRootMapping = (RuntimePathRootMappingBase & {
404
+ readonly backing: Extract<RuntimePathBacking, {
405
+ readonly kind: 'host-realfs';
406
+ }>;
407
+ readonly guestRoot?: string;
408
+ readonly hostRoot: string;
409
+ readonly showHostRootInGuidance?: boolean;
410
+ }) | (RuntimePathRootMappingBase & {
411
+ readonly backing: Extract<RuntimePathBacking, {
412
+ readonly kind: 'guest-rootfs-cow';
413
+ }>;
414
+ readonly capabilities: RuntimePathCapabilities & {
415
+ readonly leaseMount: false;
416
+ };
417
+ readonly guestRoot: string;
418
+ readonly hostRoot?: never;
419
+ readonly showHostRootInGuidance?: never;
420
+ });
421
+ interface RuntimePathMapping {
422
+ readonly id: string;
423
+ readonly roots: readonly RuntimePathRootMapping[];
424
+ }
425
+ interface TranslateRuntimePathInput {
426
+ readonly inputPath: string;
427
+ readonly mapping: RuntimePathMapping;
428
+ readonly purpose: RuntimePathPurpose;
429
+ }
430
+ interface RuntimePathTranslationBase {
431
+ readonly backing: RuntimePathBacking;
432
+ readonly capabilities: RuntimePathCapabilities;
433
+ readonly inputNamespace: 'guest' | 'host';
434
+ readonly inputPath: string;
435
+ readonly mappingId: string;
436
+ readonly relativePath: string;
437
+ readonly rootId: string;
438
+ }
439
+ type RuntimePathTranslation = (RuntimePathTranslationBase & {
440
+ readonly guestPath?: string;
441
+ readonly guestRoot?: string;
442
+ readonly hasHostBacking: true;
443
+ readonly hostPath: string;
444
+ readonly hostRoot: string;
445
+ readonly kind: 'host-backed';
446
+ }) | (RuntimePathTranslationBase & {
447
+ readonly guestPath: string;
448
+ readonly guestRoot: string;
449
+ readonly hasHostBacking: false;
450
+ readonly hostPath?: never;
451
+ readonly hostRoot?: never;
452
+ readonly kind: 'guest-only';
453
+ });
454
+ type RuntimePathTranslationErrorCode = 'path-not-absolute' | 'path-parent-traversal' | 'invalid-runtime-root' | 'unknown-runtime-path' | 'purpose-not-allowed' | 'root-path-not-allowed';
455
+ interface RuntimePathTranslationError {
456
+ readonly allowedPathForms: readonly string[];
457
+ readonly code: RuntimePathTranslationErrorCode;
458
+ readonly inputPath: string;
459
+ readonly mappingId: string;
460
+ readonly message: string;
461
+ readonly purpose: RuntimePathPurpose;
462
+ readonly retryGuidance: string;
463
+ }
464
+ type TranslateRuntimePathResult = {
465
+ readonly ok: true;
466
+ readonly value: RuntimePathTranslation;
467
+ } | {
468
+ readonly ok: false;
469
+ readonly error: RuntimePathTranslationError;
470
+ };
471
+ declare function translateRuntimePath(input: TranslateRuntimePathInput): TranslateRuntimePathResult;
472
+ //#endregion
473
+ //#region src/tool-vm-lease-id.d.ts
474
+ declare const toolVmLeaseIdBrand: unique symbol;
475
+ type ToolVmLeaseId = string & {
476
+ readonly [toolVmLeaseIdBrand]: true;
477
+ };
478
+ declare function createToolVmLeaseId(): ToolVmLeaseId;
479
+ declare function isToolVmLeaseId(value: unknown): value is ToolVmLeaseId;
480
+ declare function parseToolVmLeaseId(value: unknown): ToolVmLeaseId;
481
+ //#endregion
353
482
  //#region src/vm-capability-lease.d.ts
354
483
  /**
355
484
  * Small host-issued capability envelope shared by VM-backed transports. The
@@ -382,16 +511,18 @@ declare function isVmSshPublicEndpoint(value: unknown): value is VmSshPublicEndp
382
511
  //#region src/tool-vm-lease.d.ts
383
512
  interface ToolVmSshLease extends VmSshLease<'ssh-sandbox'> {
384
513
  readonly agentId: string;
385
- readonly scopeKey: string;
514
+ readonly idleTtlMs: number;
515
+ readonly leaseId: ToolVmLeaseId;
386
516
  readonly tcpSlot: number;
387
517
  readonly workdir: string;
388
518
  }
389
519
  interface ToolVmLeasePeek extends VmCapabilityLease<'ssh-sandbox'> {
390
520
  readonly agentId: string;
391
521
  readonly createdAt: number;
522
+ readonly idleTtlMs: number;
392
523
  readonly lastUsedAt: number;
524
+ readonly leaseId: ToolVmLeaseId;
393
525
  readonly profileId: string;
394
- readonly scopeKey: string;
395
526
  readonly ssh: VmSshPublicEndpoint;
396
527
  readonly tcpSlot: number;
397
528
  readonly workdir: string;
@@ -400,5 +531,5 @@ interface ToolVmLeasePeek extends VmCapabilityLease<'ssh-sandbox'> {
400
531
  declare function isToolVmSshLease(value: unknown): value is ToolVmSshLease;
401
532
  declare function isToolVmLeasePeek(value: unknown): value is ToolVmLeasePeek;
402
533
  //#endregion
403
- export { type BuildGatewayVmSpecOptions, type CreateToolVmActiveUseHandleOptions, type EgressHostConfig, type EndToolVmActiveUseRequest, type EnvInjectedGatewaySecretConfig, FORCE_IPV4_EGRESS_NODE_OPTIONS, type GatewayAuthConfig, type GatewayHealthCheck, type GatewayIngressConfig, type GatewayLifecycle, type GatewayProcessSpec, type GatewaySecretConfig, type GatewayType, type GatewayVmSpec, type GatewayZoneAgentConfig, type GatewayZoneConfig, type GatewayZoneMcpPortalConfig, type HeartbeatToolVmActiveUseResponse, type HttpMediatedGatewaySecretConfig, type RuntimeVmAudience, type SecretInjectionConfig, type SplitResolvedGatewaySecretsResult, type SplitResolvedSecretsResult, type StartToolVmActiveUseRequest, type StartToolVmActiveUseResponse, type ToolVmActiveUseCorrelation, type ToolVmActiveUseHandle, type ToolVmActiveUseOutcome, type ToolVmLeasePeek, type ToolVmSshLease, type VmAudience, type VmCapabilityLease, type VmSshEndpoint, type VmSshLease, type VmSshPublicEndpoint, buildGatewaySessionLabel, buildToolSessionLabel, composeNodeOptions, controllerVmHost, createToolVmActiveUseHandle, createToolVmActiveUseId, egressHostsForAudience, gatewayTypeValues, gatewayVmAllowedHosts, isToolVmActiveUseId, isToolVmLeasePeek, isToolVmSshLease, isVmCapabilityLease, isVmSshEndpoint, isVmSshPublicEndpoint, mergeRuntimeGatewaySecrets, splitResolvedGatewaySecrets, splitResolvedSecretsByInjection, targetsAudience, vmAudienceValues };
534
+ export { type BuildGatewayVmSpecOptions, type CreateToolVmActiveUseHandleOptions, type EgressHostConfig, type EndToolVmActiveUseRequest, type EnvInjectedGatewaySecretConfig, FORCE_IPV4_EGRESS_NODE_OPTIONS, type GatewayAuthConfig, type GatewayHealthCheck, type GatewayIngressConfig, type GatewayLifecycle, type GatewayProcessSpec, type GatewaySecretConfig, type GatewayType, type GatewayVmSpec, type GatewayZoneAgentConfig, type GatewayZoneConfig, type GatewayZoneMcpPortalConfig, type HeartbeatToolVmActiveUseRequest, type HeartbeatToolVmActiveUseResponse, type HttpMediatedGatewaySecretConfig, OPENCLAW_STATE_SANDBOXES_VM_ROOT, OPENCLAW_STATE_VM_ROOT, type RuntimePathBacking, type RuntimePathCapabilities, type RuntimePathMapping, type RuntimePathPurpose, type RuntimePathRootMapping, type RuntimePathTranslation, type RuntimePathTranslationError, type RuntimePathTranslationErrorCode, type RuntimeVmAudience, type SecretInjectionConfig, type SplitResolvedGatewaySecretsResult, type SplitResolvedSecretsResult, type StartToolVmActiveUseRequest, type StartToolVmActiveUseResponse, TOOL_VM_SCRATCH_GUEST_ROOT, TOOL_VM_WORKSPACE_GUEST_ROOT, type ToolVmActiveUseCorrelation, type ToolVmActiveUseHandle, type ToolVmActiveUseOperationReport, type ToolVmActiveUseOutcome, type ToolVmLeaseId, type ToolVmLeasePeek, type ToolVmSshFailureKind, type ToolVmSshFailureReport, type ToolVmSshLease, type ToolVmSshOperationPhase, type ToolVmSshOperationReport, type TranslateRuntimePathInput, type TranslateRuntimePathResult, type VmAudience, type VmCapabilityLease, type VmSshEndpoint, type VmSshLease, type VmSshPublicEndpoint, buildGatewaySessionLabel, buildToolSessionLabel, composeNodeOptions, controllerVmHost, createToolVmActiveUseHandle, createToolVmActiveUseId, createToolVmLeaseId, egressHostsForAudience, gatewayTypeValues, gatewayVmAllowedHosts, isToolVmActiveUseId, isToolVmLeaseId, isToolVmLeasePeek, isToolVmSshLease, isVmCapabilityLease, isVmSshEndpoint, isVmSshPublicEndpoint, mergeRuntimeGatewaySecrets, parseToolVmLeaseId, splitResolvedGatewaySecrets, splitResolvedSecretsByInjection, targetsAudience, translateRuntimePath, vmAudienceValues };
404
535
  //# sourceMappingURL=index.d.ts.map
package/dist/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","names":[],"sources":["../src/gateway-runtime-contract.ts","../src/audience.ts","../src/force-ipv4-egress.ts","../src/gateway-process-spec.ts","../src/gateway-vm-spec.ts","../src/gateway-lifecycle.ts","../src/split-resolved-gateway-secrets.ts","../src/tool-vm-active-use.ts","../src/vm-capability-lease.ts","../src/tool-vm-lease.ts"],"mappings":";;;;cAAa,iBAAA;AAAA,KAED,WAAA,WAAsB,iBAAA;AAAA,iBAElB,wBAAA,CAAyB,gBAAA,UAA0B,MAAA;AAAA,iBAInD,qBAAA,CACf,gBAAA,UACA,MAAA,UACA,OAAA;;;cCXY,gBAAA;AAAA,KAED,UAAA,WAAqB,gBAAA;AAAA,KACrB,iBAAA,GAAoB,OAAA,CAAQ,UAAA;AAAA,UAEvB,gBAAA;EAAA,SACP,IAAA;EAAA,SACA,QAAA,EAAU,UAAA;AAAA;AAAA,cAGP,gBAAA;AAAA,iBAEG,eAAA,CACf,cAAA,EAAgB,UAAA,EAChB,eAAA,EAAiB,iBAAA;AAAA,iBAKF,sBAAA,CACf,WAAA,WAAsB,gBAAA,IACtB,eAAA,EAAiB,iBAAA;AAAA,iBAOF,qBAAA,CAAsB,WAAA,WAAsB,gBAAA;;;;;;;AD5B5D;;;;;AAEA;;;;;AAEA;;;;;AAIA;;;;;;;;;;;;ACRA;;;;cCmCa,8BAAA;ADjCb;;;;;AACA;;;;;AAEA;;;;;;;;;AAKA;;;;;AAEA;;;;AAVA,iBCgEgB,kBAAA,CAAmB,SAAA;;;KClEvB,kBAAA;EAAA,SACE,IAAA;EAAA,SAAuB,IAAA;EAAA,SAAuB,IAAA;AAAA;EAAA,SAC9C,IAAA;EAAA,SAA0B,OAAA;AAAA;;AHAxC;;;UGMiB,kBAAA;EAAA,SACP,gBAAA;EAAA,SACA,YAAA;EAAA,SACA,WAAA,EAAa,kBAAA;EAAA,SACb,eAAA;EAAA,SACA,OAAA;AAAA;;;;;AHbV;;UIOiB,aAAA;EAAA,SACP,WAAA,EAAa,MAAA;EAAA,SACb,SAAA,EAAW,MAAA,SAAe,YAAA;EAAA,SAC1B,eAAA,EAAiB,MAAA,SAAe,kBAAA;EAAA,SAChC,QAAA,EAAU,MAAA;EAAA,SACV,YAAA;EAAA,SACA,UAAA;EAAA,SACA,iBAAA;EAAA,SACA,YAAA;AAAA;;;;;;;UCJO,iBAAA;ELTM;;;;EAAA,SKcb,oBAAA;ELZ8B;;;;EAAA,SKkB9B,iBAAA,GACR,QAAA,UACA,OAAA;IAAA,SACU,UAAA;IAAA,SACA,OAAA;IAAA,SACA,UAAA;EAAA;AAAA;AAAA,UAKF,sBAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,iCAAA,SAA0C,sBAAA;EAAA,SAC1C,MAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGA,iCAAA,SAA0C,sBAAA;EAAA,SAC1C,MAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,4BAAA,SAAqC,sBAAA;EAAA,SACrC,MAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGE,uBAAA;AAAA,UAEK,gBAAA;EAAA,SACP,SAAA,EAAW,uBAAA;AAAA;AAAA,UAGJ,oBAAA;EAAA,SACP,uBAAA;EAAA,SACA,yBAAA;AAAA;AAAA,UAGO,gCAAA;EAAA,SACP,IAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,4BAAA;EAAA,SACA,IAAA,EAAM,WAAA;EAAA,SACN,MAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;EAAA,SACA,OAAA,GAAU,oBAAA;EAAA,SACV,MAAA;EAAA,SACA,QAAA;EAAA,SACA,iBAAA;EAAA,SACA,GAAA,EAAK,gBAAA;EAAA,SACL,eAAA,GACN,4BAAA,GACA,iCAAA,GACA,iCAAA;AAAA;AAAA,UAIM,gCAAA,SAAyC,4BAAA;EAAA,SACzC,IAAA;EAAA,SACA,WAAA,EAAa,gCAAA;EAAA,SACb,YAAA;EAAA,SACA,mBAAA,GAAsB,QAAA,CAC9B,MAAA,SAEG,4BAAA,GACA,iCAAA,GACA,iCAAA;EAAA,SAGK,aAAA;AAAA;AAAA,UAGA,8BAAA,SAAuC,4BAAA;EAAA,SACvC,IAAA;AAAA;AAAA,KAGL,wBAAA,GAA2B,gCAAA,GAAmC,8BAAA;AAAA,UAEzD,6BAAA;EAAA,SACA,MAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGA,6BAAA;EAAA,SACA,MAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,wBAAA;EAAA,SACA,MAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGL,kBAAA,GACF,6BAAA,GACA,6BAAA,GACA,wBAAA;AAAA,KAES,8BAAA,GAAiC,kBAAA;EAAA,SACnC,QAAA;EAAA,SACA,SAAA;AAAA;AAAA,KAGE,+BAAA,GAAkC,kBAAA;EAAA,SACpC,QAAA,EAAU,UAAA;EAAA,SACV,SAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGE,mBAAA,GAAsB,8BAAA,GAAiC,+BAAA;;;;AFxInE;UE8IiB,iBAAA;EAAA,SACP,EAAA;EAAA,SACA,MAAA,YAAkB,sBAAA;EAAA,SAClB,OAAA,EAAS,wBAAA;EAAA,SACT,SAAA,GAAY,0BAAA;EAAA,SACZ,iBAAA,GAAoB,QAAA,CAAS,MAAA,SAAe,0BAAA;EAAA,SAC5C,sBAAA,GAAyB,QAAA,CAAS,MAAA,SAAe,kBAAA;EAAA,SACjD,kBAAA,GAAqB,QAAA,CAAS,MAAA;EAAA,SAC9B,oBAAA,GAAuB,QAAA,CAAS,MAAA,SAAe,QAAA,CAAS,MAAA;EAAA,SACxD,OAAA,EAAS,QAAA,CAAS,MAAA,SAAe,mBAAA;EAAA,SACjC,WAAA,WAAsB,gBAAA;EAAA,SACtB,eAAA;EAAA,SACA,oBAAA;AAAA;AAAA,UAGO,sBAAA;EAAA,SACP,EAAA;EAAA,SACA,aAAA;AAAA;AAAA,UAGO,0BAAA;EAAA,SACP,SAAA;AAAA;AAAA,UAGO,0BAAA;EAAA,SACP,OAAA,GAAU,QAAA,CAAS,MAAA;EAAA,SACnB,SAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGO,yBAAA;EAAA,SACP,cAAA;EAAA,SACA,eAAA;EAAA,SACA,gBAAA;EAAA,SACA,eAAA,EAAiB,MAAA;EAAA,SACjB,UAAA;EAAA,SACA,OAAA;IAAA,SACC,QAAA;IAAA,SACA,IAAA;EAAA;EAAA,SAED,IAAA,EAAM,iBAAA;AAAA;AAAA,UAGC,gBAAA;EDhLI;;;;EAAA,SCqLX,UAAA,GAAa,iBAAA;EDnLb;;;;ECyLT,WAAA,CAAY,OAAA,EAAS,yBAAA,GAA4B,aAAA;EDrLxC;;;;EC2LT,gBAAA,CACC,IAAA,EAAM,iBAAA,EACN,eAAA,EAAiB,MAAA,mBACf,kBAAA;;AAlMJ;;;EAwMC,gBAAA,EAAkB,IAAA,EAAM,iBAAA,EAAmB,cAAA,EAAgB,cAAA,GAAiB,OAAA;AAAA;;;UC9M5D,0BAAA;EAAA,SACP,kBAAA,EAAoB,MAAA;EAAA,SACpB,eAAA,EAAiB,MAAA,SAAe,kBAAA;AAAA;AAAA,UAGzB,iCAAA;EAAA,SACP,SAAA;EAAA,SACA,kBAAA,GAAqB,QAAA,CAAS,MAAA;EAAA,SAC9B,sBAAA,GAAyB,QAAA,CAAS,MAAA,SAAe,kBAAA;AAAA;AAAA,KAG/C,qBAAA,GAAwB,mBAAA;AAAA,UAEnB,2BAAA;EAAA,SACP,QAAA,EAAU,iBAAA;EAAA,SACV,SAAA;AAAA;AAAA,iBAGM,+BAAA,CACf,aAAA,EAAe,QAAA,CAAS,MAAA,SAAe,qBAAA,IACvC,eAAA,EAAiB,MAAA,kBACjB,OAAA,EAAS,2BAAA,GACP,0BAAA;AAAA,KA2CS,iCAAA,GAAoC,0BAAA;AAAA,iBAEhC,2BAAA,CACf,IAAA,EAAM,iBAAA,EACN,eAAA,EAAiB,MAAA,mBACf,iCAAA;AAAA,iBAgCa,0BAAA,CACf,WAAA,EAAa,0BAAA,EACb,OAAA,GAAS,iCAAA,GACP,0BAAA;;;KC5GS,sBAAA;AAAA,UAOK,0BAAA;EAAA,SACP,OAAA;EAAA,SACA,SAAA;EAAA,SACA,UAAA;EAAA,SACA,UAAA;EAAA,SACA,QAAA;AAAA;AAAA,UAGO,2BAAA;EAAA,SACP,WAAA,GAAc,0BAAA;EAAA,SACd,KAAA;AAAA;AAAA,UAGO,4BAAA;EAAA,SACP,SAAA;EAAA,SACA,gBAAA;EAAA,SACA,KAAA;AAAA;AAAA,UAGO,gCAAA;EAAA,SACP,SAAA;EAAA,SACA,gBAAA;AAAA;AAAA,UAGO,yBAAA;EAAA,SACP,OAAA,EAAS,sBAAA;AAAA;AAAA,UAGF,qBAAA;EAAA,SACP,KAAA;EACT,OAAA,CAAQ,OAAA,GAAU,sBAAA,GAAyB,OAAA;EAC3C,GAAA,CAAI,OAAA,GAAU,sBAAA,GAAyB,OAAA;AAAA;AAAA,UAGvB,kCAAA;EAAA,SACP,WAAA,GAAc,0BAAA;EAAA,SACd,YAAA,GAAe,KAAA,UAAe,OAAA,EAAS,yBAAA,KAA8B,OAAA;EAAA,SACrE,kBAAA,GAAqB,KAAA,aAAkB,OAAA,CAAQ,gCAAA;EAAA,SAC/C,mBAAA,IAAuB,KAAA;EAAA,SACvB,aAAA,IAAiB,KAAA;EAAA,SACjB,mBAAA,IAAuB,KAAA;EAAA,SACvB,sBAAA;EAAA,SACA,OAAA;EAAA,SACA,cAAA,GACR,OAAA,EAAS,2BAAA,KACL,OAAA,CAAQ,4BAAA;EAAA,SACJ,cAAA,UAAwB,UAAA;EAAA,SACxB,gBAAA,UAA0B,YAAA;AAAA;AAAA,iBAOpB,uBAAA,CAAA;AAAA,iBAIA,mBAAA,CAAoB,KAAA;AAAA,iBAId,2BAAA,CACrB,OAAA,EAAS,kCAAA,GACP,OAAA,CAAQ,qBAAA;;;;;;;APzEX;UQOiB,iBAAA;EAAA,SACP,OAAA;EAAA,SACA,SAAA,EAAW,UAAA;AAAA;AAAA,UAGJ,aAAA;EAAA,SACP,IAAA;EAAA,SACA,WAAA;EAAA,SACA,cAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,mBAAA;EAAA,SACP,IAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,UAAA,oCAA8C,iBAAA,CAAkB,UAAA;EAAA,SACvE,GAAA,EAAK,aAAA;AAAA;AAAA,iBAWC,mBAAA,2BAAA,CACf,KAAA,WACA,SAAA,EAAW,UAAA,GACT,KAAA,IAAS,iBAAA,CAAkB,UAAA;AAAA,iBASd,eAAA,CAAgB,KAAA,YAAiB,KAAA,IAAS,aAAA;AAAA,iBAY1C,qBAAA,CAAsB,KAAA,YAAiB,KAAA,IAAS,mBAAA;;;UCrD/C,cAAA,SAAuB,UAAA;EAAA,SAC9B,OAAA;EAAA,SACA,QAAA;EAAA,SACA,OAAA;EAAA,SACA,OAAA;AAAA;AAAA,UAGO,eAAA,SAAwB,iBAAA;EAAA,SAC/B,OAAA;EAAA,SACA,SAAA;EAAA,SACA,UAAA;EAAA,SACA,SAAA;EAAA,SACA,QAAA;EAAA,SACA,GAAA,EAAK,mBAAA;EAAA,SACL,OAAA;EAAA,SACA,OAAA;EAAA,SACA,MAAA;AAAA;AAAA,iBAOM,gBAAA,CAAiB,KAAA,YAAiB,KAAA,IAAS,cAAA;AAAA,iBAY3C,iBAAA,CAAkB,KAAA,YAAiB,KAAA,IAAS,eAAA"}
1
+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/gateway-runtime-contract.ts","../src/audience.ts","../src/force-ipv4-egress.ts","../src/gateway-process-spec.ts","../src/gateway-vm-spec.ts","../src/gateway-lifecycle.ts","../src/split-resolved-gateway-secrets.ts","../src/tool-vm-active-use.ts","../src/runtime-paths/runtime-path-mapping.ts","../src/tool-vm-lease-id.ts","../src/vm-capability-lease.ts","../src/tool-vm-lease.ts"],"mappings":";;;;cAAa,iBAAA;AAAA,KAED,WAAA,WAAsB,iBAAA;AAAA,iBAElB,wBAAA,CAAyB,gBAAA,UAA0B,MAAA;AAAA,iBAInD,qBAAA,CACf,gBAAA,UACA,MAAA,UACA,OAAA;;;cCXY,gBAAA;AAAA,KAED,UAAA,WAAqB,gBAAA;AAAA,KACrB,iBAAA,GAAoB,OAAA,CAAQ,UAAA;AAAA,UAEvB,gBAAA;EAAA,SACP,IAAA;EAAA,SACA,QAAA,EAAU,UAAA;AAAA;AAAA,cAGP,gBAAA;AAAA,iBAEG,eAAA,CACf,cAAA,EAAgB,UAAA,EAChB,eAAA,EAAiB,iBAAA;AAAA,iBAKF,sBAAA,CACf,WAAA,WAAsB,gBAAA,IACtB,eAAA,EAAiB,iBAAA;AAAA,iBAOF,qBAAA,CAAsB,WAAA,WAAsB,gBAAA;;;;;;;AD5B5D;;;;;AAEA;;;;;AAEA;;;;;AAIA;;;;;;;;;;;;ACRA;;;;cCmCa,8BAAA;ADjCb;;;;;AACA;;;;;AAEA;;;;;;;;;AAKA;;;;;AAEA;;;;AAVA,iBCgEgB,kBAAA,CAAmB,SAAA;;;KClEvB,kBAAA;EAAA,SACE,IAAA;EAAA,SAAuB,IAAA;EAAA,SAAuB,IAAA;AAAA;EAAA,SAC9C,IAAA;EAAA,SAA0B,OAAA;AAAA;;AHAxC;;;UGMiB,kBAAA;EAAA,SACP,gBAAA;EAAA,SACA,YAAA;EAAA,SACA,WAAA,EAAa,kBAAA;EAAA,SACb,eAAA;EAAA,SACA,OAAA;AAAA;;;;;AHbV;;UIOiB,aAAA;EAAA,SACP,WAAA,EAAa,MAAA;EAAA,SACb,SAAA,EAAW,MAAA,SAAe,YAAA;EAAA,SAC1B,eAAA,EAAiB,MAAA,SAAe,kBAAA;EAAA,SAChC,QAAA,EAAU,MAAA;EAAA,SACV,YAAA;EAAA,SACA,UAAA;EAAA,SACA,iBAAA;EAAA,SACA,YAAA;AAAA;;;;;;;UCJO,iBAAA;ELTM;;;;EAAA,SKcb,oBAAA;ELZ8B;;;;EAAA,SKkB9B,iBAAA,GACR,QAAA,UACA,OAAA;IAAA,SACU,UAAA;IAAA,SACA,OAAA;IAAA,SACA,UAAA;EAAA;AAAA;AAAA,UAKF,sBAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,iCAAA,SAA0C,sBAAA;EAAA,SAC1C,MAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGA,iCAAA,SAA0C,sBAAA;EAAA,SAC1C,MAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,4BAAA,SAAqC,sBAAA;EAAA,SACrC,MAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGE,uBAAA;AAAA,UAEK,gBAAA;EAAA,SACP,SAAA,EAAW,uBAAA;AAAA;AAAA,UAGJ,oBAAA;EAAA,SACP,uBAAA;EAAA,SACA,yBAAA;AAAA;AAAA,UAGO,gCAAA;EAAA,SACP,IAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,4BAAA;EAAA,SACA,IAAA,EAAM,WAAA;EAAA,SACN,MAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;EAAA,SACA,OAAA,GAAU,oBAAA;EAAA,SACV,MAAA;EAAA,SACA,QAAA;EAAA,SACA,iBAAA;EAAA,SACA,GAAA,EAAK,gBAAA;EAAA,SACL,eAAA,GACN,4BAAA,GACA,iCAAA,GACA,iCAAA;AAAA;AAAA,UAIM,gCAAA,SAAyC,4BAAA;EAAA,SACzC,IAAA;EAAA,SACA,WAAA,EAAa,gCAAA;EAAA,SACb,YAAA;EAAA,SACA,mBAAA,GAAsB,QAAA,CAC9B,MAAA,SAEG,4BAAA,GACA,iCAAA,GACA,iCAAA;EAAA,SAGK,aAAA;AAAA;AAAA,UAGA,8BAAA,SAAuC,4BAAA;EAAA,SACvC,IAAA;AAAA;AAAA,KAGL,wBAAA,GAA2B,gCAAA,GAAmC,8BAAA;AAAA,UAEzD,6BAAA;EAAA,SACA,MAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGA,6BAAA;EAAA,SACA,MAAA;EAAA,SACA,MAAA;AAAA;AAAA,UAGA,wBAAA;EAAA,SACA,MAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGL,kBAAA,GACF,6BAAA,GACA,6BAAA,GACA,wBAAA;AAAA,KAES,8BAAA,GAAiC,kBAAA;EAAA,SACnC,QAAA;EAAA,SACA,SAAA;AAAA;AAAA,KAGE,+BAAA,GAAkC,kBAAA;EAAA,SACpC,QAAA,EAAU,UAAA;EAAA,SACV,SAAA;EAAA,SACA,KAAA;AAAA;AAAA,KAGE,mBAAA,GAAsB,8BAAA,GAAiC,+BAAA;;;;AFxInE;UE8IiB,iBAAA;EAAA,SACP,EAAA;EAAA,SACA,MAAA,YAAkB,sBAAA;EAAA,SAClB,OAAA,EAAS,wBAAA;EAAA,SACT,SAAA,GAAY,0BAAA;EAAA,SACZ,iBAAA,GAAoB,QAAA,CAAS,MAAA,SAAe,0BAAA;EAAA,SAC5C,sBAAA,GAAyB,QAAA,CAAS,MAAA,SAAe,kBAAA;EAAA,SACjD,kBAAA,GAAqB,QAAA,CAAS,MAAA;EAAA,SAC9B,oBAAA,GAAuB,QAAA,CAAS,MAAA,SAAe,QAAA,CAAS,MAAA;EAAA,SACxD,OAAA,EAAS,QAAA,CAAS,MAAA,SAAe,mBAAA;EAAA,SACjC,WAAA,WAAsB,gBAAA;EAAA,SACtB,eAAA;EAAA,SACA,oBAAA;AAAA;AAAA,UAGO,sBAAA;EAAA,SACP,EAAA;EAAA,SACA,aAAA;AAAA;AAAA,UAGO,0BAAA;EAAA,SACP,SAAA;AAAA;AAAA,UAGO,0BAAA;EAAA,SACP,OAAA,GAAU,QAAA,CAAS,MAAA;EAAA,SACnB,SAAA;EAAA,SACA,GAAA;AAAA;AAAA,UAGO,yBAAA;EAAA,SACP,cAAA;EAAA,SACA,eAAA;EAAA,SACA,gBAAA;EAAA,SACA,eAAA,EAAiB,MAAA;EAAA,SACjB,UAAA;EAAA,SACA,OAAA;IAAA,SACC,QAAA;IAAA,SACA,IAAA;EAAA;EAAA,SAED,IAAA,EAAM,iBAAA;AAAA;AAAA,UAGC,gBAAA;EDhLI;;;;EAAA,SCqLX,UAAA,GAAa,iBAAA;EDnLb;;;;ECyLT,WAAA,CAAY,OAAA,EAAS,yBAAA,GAA4B,aAAA;EDrLxC;;;;EC2LT,gBAAA,CACC,IAAA,EAAM,iBAAA,EACN,eAAA,EAAiB,MAAA,mBACf,kBAAA;;AAlMJ;;;EAwMC,gBAAA,EAAkB,IAAA,EAAM,iBAAA,EAAmB,cAAA,EAAgB,cAAA,GAAiB,OAAA;AAAA;;;UC9M5D,0BAAA;EAAA,SACP,kBAAA,EAAoB,MAAA;EAAA,SACpB,eAAA,EAAiB,MAAA,SAAe,kBAAA;AAAA;AAAA,UAGzB,iCAAA;EAAA,SACP,SAAA;EAAA,SACA,kBAAA,GAAqB,QAAA,CAAS,MAAA;EAAA,SAC9B,sBAAA,GAAyB,QAAA,CAAS,MAAA,SAAe,kBAAA;AAAA;AAAA,KAG/C,qBAAA,GAAwB,mBAAA;AAAA,UAEnB,2BAAA;EAAA,SACP,QAAA,EAAU,iBAAA;EAAA,SACV,SAAA;AAAA;AAAA,iBAGM,+BAAA,CACf,aAAA,EAAe,QAAA,CAAS,MAAA,SAAe,qBAAA,IACvC,eAAA,EAAiB,MAAA,kBACjB,OAAA,EAAS,2BAAA,GACP,0BAAA;AAAA,KA2CS,iCAAA,GAAoC,0BAAA;AAAA,iBAEhC,2BAAA,CACf,IAAA,EAAM,iBAAA,EACN,eAAA,EAAiB,MAAA,mBACf,iCAAA;AAAA,iBAgCa,0BAAA,CACf,WAAA,EAAa,0BAAA,EACb,OAAA,GAAS,iCAAA,GACP,0BAAA;;;KC5GS,sBAAA;AAAA,UAOK,0BAAA;EAAA,SACP,OAAA;EAAA,SACA,SAAA;EAAA,SACA,UAAA;EAAA,SACA,UAAA;EAAA,SACA,QAAA;AAAA;AAAA,KAGE,uBAAA;AAAA,KAOA,oBAAA;AAAA,UAMK,sBAAA;EAAA,SACP,IAAA,EAAM,oBAAA;EAAA,SACN,OAAA;AAAA;AAAA,UAGO,wBAAA;EAAA,SACP,OAAA,GAAU,sBAAA;EAAA,SACV,cAAA;AAAA;AAAA,UAGO,8BAAA;EAAA,SACP,YAAA;EAAA,SACA,KAAA,EAAO,uBAAA;EAAA,SACP,GAAA,GAAM,wBAAA;AAAA;AAAA,UAGC,2BAAA;EAAA,SACP,WAAA,GAAc,0BAAA;EAAA,SACd,MAAA,GAAS,8BAAA;EAAA,SACT,KAAA;AAAA;AAAA,UAGO,4BAAA;EAAA,SACP,SAAA;EAAA,SACA,gBAAA;EAAA,SACA,KAAA;AAAA;AAAA,UAGO,gCAAA;EAAA,SACP,SAAA;EAAA,SACA,gBAAA;AAAA;AAAA,UAGO,+BAAA;EAAA,SACP,MAAA,GAAS,8BAAA;AAAA;AAAA,UAGF,yBAAA;EAAA,SACP,OAAA,EAAS,sBAAA;EAAA,SACT,MAAA,GAAS,8BAAA;AAAA;AAAA,UAGF,qBAAA;EAAA,SACP,MAAA,EAAQ,WAAA;EAAA,SACR,KAAA;EACT,OAAA,CAAQ,OAAA,GAAU,sBAAA,GAAyB,OAAA;EAC3C,GAAA,CAAI,OAAA,GAAU,sBAAA,GAAyB,OAAA;EACvC,MAAA,CAAO,MAAA,EAAQ,8BAAA;AAAA;AAAA,UAGC,kCAAA;EAAA,SACP,WAAA,GAAc,0BAAA;EAAA,SACd,YAAA,GAAe,KAAA,UAAe,OAAA,EAAS,yBAAA,KAA8B,OAAA;EAAA,SACrE,kBAAA,GACR,KAAA,UACA,OAAA,EAAS,+BAAA,KACL,OAAA,CAAQ,gCAAA;EAAA,SACJ,oBAAA;EAAA,SACA,mBAAA,IAAuB,KAAA;EAAA,SACvB,2BAAA,IAA+B,KAAA;EAAA,SAC/B,aAAA,IAAiB,KAAA;EAAA,SACjB,mBAAA,IAAuB,KAAA;EAAA,SACvB,sBAAA;EAAA,SACA,OAAA;EAAA,SACA,6BAAA,IAAiC,KAAA,cAAmB,OAAA;EAAA,SACpD,UAAA;EAAA,SACA,cAAA,GACR,OAAA,EAAS,2BAAA,KACL,OAAA,CAAQ,4BAAA;EAAA,SACJ,cAAA,UAAwB,UAAA;EAAA,SACxB,gBAAA,UAA0B,YAAA;AAAA;AAAA,iBAqBpB,uBAAA,CAAA;AAAA,iBAIA,mBAAA,CAAoB,KAAA;AAAA,iBAId,2BAAA,CACrB,OAAA,EAAS,kCAAA,GACP,OAAA,CAAQ,qBAAA;;;cCnIE,4BAAA;AAAA,cACA,0BAAA;AAAA,cACA,sBAAA;AAAA,cACA,gCAAA;AAAA,KAED,kBAAA;AAAA,UAEK,uBAAA;EAAA,SACP,YAAA;EAAA,SACA,UAAA;AAAA;AAAA,KAGE,kBAAA;EAAA,SAEA,IAAA;EAAA,SACA,UAAA;EAAA,SACA,MAAA;AAAA;EAAA,SAGA,IAAA;EAAA,SACA,UAAA;AAAA;AAAA,UAGF,0BAAA;EAAA,SACA,YAAA,EAAc,uBAAA;EAAA,SACd,aAAA;EAAA,SACA,EAAA;EAAA,SACA,eAAA;AAAA;AAAA,KAGE,sBAAA,IACR,0BAAA;EAAA,SACQ,OAAA,EAAS,OAAA,CAAQ,kBAAA;IAAA,SAA+B,IAAA;EAAA;EAAA,SAChD,SAAA;EAAA,SACA,QAAA;EAAA,SACA,sBAAA;AAAA,MAER,0BAAA;EAAA,SACQ,OAAA,EAAS,OAAA,CAAQ,kBAAA;IAAA,SAA+B,IAAA;EAAA;EAAA,SAChD,YAAA,EAAc,uBAAA;IAAA,SAAqC,UAAA;EAAA;EAAA,SACnD,SAAA;EAAA,SACA,QAAA;EAAA,SACA,sBAAA;AAAA;AAAA,UASK,kBAAA;EAAA,SACP,EAAA;EAAA,SACA,KAAA,WAAgB,sBAAA;AAAA;AAAA,UAGT,yBAAA;EAAA,SACP,SAAA;EAAA,SACA,OAAA,EAAS,kBAAA;EAAA,SACT,OAAA,EAAS,kBAAA;AAAA;AAAA,UAGT,0BAAA;EAAA,SACA,OAAA,EAAS,kBAAA;EAAA,SACT,YAAA,EAAc,uBAAA;EAAA,SACd,cAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,YAAA;EAAA,SACA,MAAA;AAAA;AAAA,KAGE,sBAAA,IACR,0BAAA;EAAA,SACQ,SAAA;EAAA,SACA,SAAA;EAAA,SACA,cAAA;EAAA,SACA,QAAA;EAAA,SACA,QAAA;EAAA,SACA,IAAA;AAAA,MAER,0BAAA;EAAA,SACQ,SAAA;EAAA,SACA,SAAA;EAAA,SACA,cAAA;EAAA,SACA,QAAA;EAAA,SACA,QAAA;EAAA,SACA,IAAA;AAAA;AAAA,KAGA,+BAAA;AAAA,UAQK,2BAAA;EAAA,SACP,gBAAA;EAAA,SACA,IAAA,EAAM,+BAAA;EAAA,SACN,SAAA;EAAA,SACA,SAAA;EAAA,SACA,OAAA;EAAA,SACA,OAAA,EAAS,kBAAA;EAAA,SACT,aAAA;AAAA;AAAA,KAGE,0BAAA;EAAA,SAEA,EAAA;EAAA,SACA,KAAA,EAAO,sBAAA;AAAA;EAAA,SAGP,EAAA;EAAA,SACA,KAAA,EAAO,2BAAA;AAAA;AAAA,iBAuGH,oBAAA,CAAqB,KAAA,EAAO,yBAAA,GAA4B,0BAAA;;;cCxN1D,kBAAA;AAAA,KAEF,aAAA;EAAA,UACD,kBAAA;AAAA;AAAA,iBAGK,mBAAA,CAAA,GAAuB,aAAA;AAAA,iBAIvB,eAAA,CAAgB,KAAA,YAAiB,KAAA,IAAS,aAAA;AAAA,iBAI1C,kBAAA,CAAmB,KAAA,YAAiB,aAAA;;;;;;;AThBpD;UUOiB,iBAAA;EAAA,SACP,OAAA;EAAA,SACA,SAAA,EAAW,UAAA;AAAA;AAAA,UAGJ,aAAA;EAAA,SACP,IAAA;EAAA,SACA,WAAA;EAAA,SACA,cAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,mBAAA;EAAA,SACP,IAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,UAAA,oCAA8C,iBAAA,CAAkB,UAAA;EAAA,SACvE,GAAA,EAAK,aAAA;AAAA;AAAA,iBAWC,mBAAA,2BAAA,CACf,KAAA,WACA,SAAA,EAAW,UAAA,GACT,KAAA,IAAS,iBAAA,CAAkB,UAAA;AAAA,iBASd,eAAA,CAAgB,KAAA,YAAiB,KAAA,IAAS,aAAA;AAAA,iBAY1C,qBAAA,CAAsB,KAAA,YAAiB,KAAA,IAAS,mBAAA;;;UCpD/C,cAAA,SAAuB,UAAA;EAAA,SAC9B,OAAA;EAAA,SACA,SAAA;EAAA,SACA,OAAA,EAAS,aAAA;EAAA,SACT,OAAA;EAAA,SACA,OAAA;AAAA;AAAA,UAGO,eAAA,SAAwB,iBAAA;EAAA,SAC/B,OAAA;EAAA,SACA,SAAA;EAAA,SACA,SAAA;EAAA,SACA,UAAA;EAAA,SACA,OAAA,EAAS,aAAA;EAAA,SACT,SAAA;EAAA,SACA,GAAA,EAAK,mBAAA;EAAA,SACL,OAAA;EAAA,SACA,OAAA;EAAA,SACA,MAAA;AAAA;AAAA,iBASM,gBAAA,CAAiB,KAAA,YAAiB,KAAA,IAAS,cAAA;AAAA,iBAc3C,iBAAA,CAAkB,KAAA,YAAiB,KAAA,IAAS,eAAA"}
package/dist/index.js CHANGED
@@ -153,6 +153,12 @@ function mergeRuntimeGatewaySecrets(baseSecrets, options = {}) {
153
153
  //#endregion
154
154
  //#region src/tool-vm-active-use.ts
155
155
  const defaultMaxHeartbeatDurationMs = 720 * 60 * 1e3;
156
+ function jitterDelayMs(params) {
157
+ if (params.jitterRatio <= 0) return params.delayMs;
158
+ const spreadMs = params.delayMs * params.jitterRatio;
159
+ const jitteredMs = params.delayMs - spreadMs + params.random() * spreadMs * 2;
160
+ return Math.max(1, Math.round(jitteredMs));
161
+ }
156
162
  function createToolVmActiveUseId() {
157
163
  return v7();
158
164
  }
@@ -170,8 +176,12 @@ async function createToolVmActiveUseHandle(options) {
170
176
  const now = options.nowImpl ?? Date.now;
171
177
  const startedAt = now();
172
178
  const maxHeartbeatDurationMs = options.maxHeartbeatDurationMs ?? defaultMaxHeartbeatDurationMs;
179
+ const heartbeatJitterRatio = options.heartbeatJitterRatio ?? .1;
180
+ const random = options.randomImpl ?? Math.random;
181
+ const operationAbortController = new AbortController();
173
182
  let ended = false;
174
183
  let heartbeatTimer;
184
+ let latestReport;
175
185
  const clearHeartbeatTimer = () => {
176
186
  if (heartbeatTimer) {
177
187
  clearTimeoutImpl(heartbeatTimer);
@@ -183,13 +193,27 @@ async function createToolVmActiveUseHandle(options) {
183
193
  clearHeartbeatTimer();
184
194
  heartbeatTimer = setTimeoutImpl(() => {
185
195
  if (now() - startedAt >= maxHeartbeatDurationMs) return;
186
- options.heartbeatActiveUse(startedUse.useId).then((heartbeat) => {
196
+ const heartbeatRequest = latestReport === void 0 ? {} : { report: latestReport };
197
+ options.heartbeatActiveUse(startedUse.useId, heartbeatRequest).then((heartbeat) => {
187
198
  if (!ended) scheduleHeartbeat(heartbeat.heartbeatAfterMs);
188
199
  }).catch((error) => {
189
200
  options.logHeartbeatFailure?.(error);
201
+ if (options.isHeartbeatErrorRefreshable?.(error) === true && options.onRefreshableHeartbeatFailure) {
202
+ operationAbortController.abort(error);
203
+ ended = true;
204
+ clearHeartbeatTimer();
205
+ options.onRefreshableHeartbeatFailure(error).catch((staleError) => {
206
+ options.logHeartbeatFailure?.(staleError);
207
+ });
208
+ return;
209
+ }
190
210
  if (!ended) scheduleHeartbeat(startedUse.heartbeatAfterMs);
191
211
  });
192
- }, delayMs);
212
+ }, jitterDelayMs({
213
+ delayMs,
214
+ jitterRatio: heartbeatJitterRatio,
215
+ random
216
+ }));
193
217
  };
194
218
  scheduleHeartbeat(startedUse.heartbeatAfterMs);
195
219
  const end = async (outcome = "completed") => {
@@ -197,7 +221,10 @@ async function createToolVmActiveUseHandle(options) {
197
221
  ended = true;
198
222
  clearHeartbeatTimer();
199
223
  try {
200
- await options.endActiveUse(startedUse.useId, { outcome });
224
+ await options.endActiveUse(startedUse.useId, {
225
+ outcome,
226
+ ...latestReport === void 0 ? {} : { report: latestReport }
227
+ });
201
228
  } catch (error) {
202
229
  if (options.isEndErrorTolerable?.(error) === true) {
203
230
  options.logEndFailure?.(error);
@@ -207,11 +234,188 @@ async function createToolVmActiveUseHandle(options) {
207
234
  }
208
235
  };
209
236
  return {
237
+ signal: operationAbortController.signal,
210
238
  useId: startedUse.useId,
211
239
  dispose: end,
212
- end
240
+ end,
241
+ report: (report) => {
242
+ if (ended) return;
243
+ latestReport = report;
244
+ }
245
+ };
246
+ }
247
+ //#endregion
248
+ //#region src/runtime-paths/runtime-path-mapping.ts
249
+ const TOOL_VM_WORKSPACE_GUEST_ROOT = "/workspace";
250
+ const TOOL_VM_SCRATCH_GUEST_ROOT = "/work";
251
+ const OPENCLAW_STATE_VM_ROOT = "/home/openclaw/.openclaw/state";
252
+ const OPENCLAW_STATE_SANDBOXES_VM_ROOT = `${OPENCLAW_STATE_VM_ROOT}/sandboxes`;
253
+ function isHostRealfsRootMapping(root) {
254
+ return root.backing.kind === "host-realfs";
255
+ }
256
+ function pathContainsParentTraversal(inputPath) {
257
+ return inputPath.split(/\/+/u).includes("..");
258
+ }
259
+ function normalizeAbsolutePath(inputPath) {
260
+ return `/${inputPath.split("/").filter((segment) => segment !== "" && segment !== ".").join("/")}`;
261
+ }
262
+ function normalizeRoot(rootPath) {
263
+ const normalizedRoot = normalizeAbsolutePath(rootPath);
264
+ return normalizedRoot === "/" ? normalizedRoot : normalizedRoot.replace(/\/+$/u, "");
265
+ }
266
+ function pathMatchesRoot(candidatePath, rootPath) {
267
+ return candidatePath === rootPath || candidatePath.startsWith(`${rootPath}/`);
268
+ }
269
+ function relativePathForRoot(candidatePath, rootPath) {
270
+ return candidatePath === rootPath ? "" : candidatePath.slice(rootPath.length + 1);
271
+ }
272
+ function joinRootAndRelative(rootPath, relativePath) {
273
+ return relativePath === "" ? rootPath : `${rootPath}/${relativePath}`;
274
+ }
275
+ function allowedPathFormsForMapping(mapping, purpose) {
276
+ return mapping.roots.flatMap((root) => {
277
+ if (!root.capabilities[purpose]) return [];
278
+ const suffix = root.rootPathAllowed ? "[/subpath]" : "/<child>";
279
+ return [root.guestRoot, root.backing.kind === "host-realfs" && root.showHostRootInGuidance !== false ? root.hostRoot : void 0].filter((value) => value !== void 0).map((value) => `${normalizeRoot(value)}${suffix}`);
280
+ });
281
+ }
282
+ function retryGuidanceForMapping(mapping, purpose) {
283
+ return `Use one of the allowed path forms for ${mapping.id} ${purpose}: ${allowedPathFormsForMapping(mapping, purpose).join(", ")}.`;
284
+ }
285
+ function errorResult(params) {
286
+ return {
287
+ error: {
288
+ allowedPathForms: allowedPathFormsForMapping(params.mapping, params.purpose),
289
+ code: params.code,
290
+ inputPath: params.inputPath,
291
+ mappingId: params.mapping.id,
292
+ message: params.message,
293
+ purpose: params.purpose,
294
+ retryGuidance: retryGuidanceForMapping(params.mapping, params.purpose)
295
+ },
296
+ ok: false
213
297
  };
214
298
  }
299
+ function findBestRootMatch(params) {
300
+ return params.mapping.roots.flatMap((root) => {
301
+ const guestRoot = root.guestRoot === void 0 ? void 0 : normalizeRoot(root.guestRoot);
302
+ let hostRoot;
303
+ if (isHostRealfsRootMapping(root)) hostRoot = normalizeRoot(root.hostRoot);
304
+ const rootMatches = [];
305
+ if (guestRoot !== void 0 && pathMatchesRoot(params.inputPath, guestRoot)) rootMatches.push({
306
+ inputNamespace: "guest",
307
+ matchedRoot: guestRoot,
308
+ root
309
+ });
310
+ if (hostRoot !== void 0 && pathMatchesRoot(params.inputPath, hostRoot)) rootMatches.push({
311
+ inputNamespace: "host",
312
+ matchedRoot: hostRoot,
313
+ root
314
+ });
315
+ return rootMatches;
316
+ }).toSorted((left, right) => right.matchedRoot.length - left.matchedRoot.length)[0];
317
+ }
318
+ function translateRuntimePath(input) {
319
+ if (!input.inputPath.startsWith("/")) return errorResult({
320
+ code: "path-not-absolute",
321
+ inputPath: input.inputPath,
322
+ mapping: input.mapping,
323
+ message: `Path '${input.inputPath}' must be absolute.`,
324
+ purpose: input.purpose
325
+ });
326
+ if (pathContainsParentTraversal(input.inputPath)) return errorResult({
327
+ code: "path-parent-traversal",
328
+ inputPath: input.inputPath,
329
+ mapping: input.mapping,
330
+ message: `Path '${input.inputPath}' must not contain parent traversal.`,
331
+ purpose: input.purpose
332
+ });
333
+ const normalizedInputPath = normalizeAbsolutePath(input.inputPath);
334
+ const match = findBestRootMatch({
335
+ inputPath: normalizedInputPath,
336
+ mapping: input.mapping
337
+ });
338
+ if (match === void 0) return errorResult({
339
+ code: "unknown-runtime-path",
340
+ inputPath: normalizedInputPath,
341
+ mapping: input.mapping,
342
+ message: `Path '${normalizedInputPath}' is not part of runtime path mapping '${input.mapping.id}'.`,
343
+ purpose: input.purpose
344
+ });
345
+ const relativePath = relativePathForRoot(normalizedInputPath, match.matchedRoot);
346
+ if (relativePath === "" && !match.root.rootPathAllowed) return errorResult({
347
+ code: "root-path-not-allowed",
348
+ inputPath: normalizedInputPath,
349
+ mapping: input.mapping,
350
+ message: `Path '${normalizedInputPath}' matched ${match.root.guidanceLabel}, but the root itself is not allowed for ${input.purpose}.`,
351
+ purpose: input.purpose
352
+ });
353
+ if (!match.root.capabilities[input.purpose]) return errorResult({
354
+ code: "purpose-not-allowed",
355
+ inputPath: normalizedInputPath,
356
+ mapping: input.mapping,
357
+ message: `Path '${normalizedInputPath}' matched ${match.root.guidanceLabel} but cannot be used for ${input.purpose}.`,
358
+ purpose: input.purpose
359
+ });
360
+ const guestRoot = match.root.guestRoot === void 0 ? void 0 : normalizeRoot(match.root.guestRoot);
361
+ let hostRoot;
362
+ if (isHostRealfsRootMapping(match.root)) hostRoot = normalizeRoot(match.root.hostRoot);
363
+ if (hostRoot === void 0) {
364
+ if (guestRoot === void 0) return errorResult({
365
+ code: "invalid-runtime-root",
366
+ inputPath: normalizedInputPath,
367
+ mapping: input.mapping,
368
+ message: `Runtime path root '${match.root.id}' has no guest path.`,
369
+ purpose: input.purpose
370
+ });
371
+ return {
372
+ ok: true,
373
+ value: {
374
+ backing: match.root.backing,
375
+ capabilities: match.root.capabilities,
376
+ guestPath: joinRootAndRelative(guestRoot, relativePath),
377
+ guestRoot,
378
+ hasHostBacking: false,
379
+ inputNamespace: match.inputNamespace,
380
+ inputPath: normalizedInputPath,
381
+ kind: "guest-only",
382
+ mappingId: input.mapping.id,
383
+ relativePath,
384
+ rootId: match.root.id
385
+ }
386
+ };
387
+ }
388
+ return {
389
+ ok: true,
390
+ value: {
391
+ backing: match.root.backing,
392
+ capabilities: match.root.capabilities,
393
+ ...guestRoot !== void 0 ? { guestPath: joinRootAndRelative(guestRoot, relativePath) } : {},
394
+ ...guestRoot !== void 0 ? { guestRoot } : {},
395
+ hasHostBacking: true,
396
+ hostPath: joinRootAndRelative(hostRoot, relativePath),
397
+ hostRoot,
398
+ inputNamespace: match.inputNamespace,
399
+ inputPath: normalizedInputPath,
400
+ kind: "host-backed",
401
+ mappingId: input.mapping.id,
402
+ relativePath,
403
+ rootId: match.root.id
404
+ }
405
+ };
406
+ }
407
+ //#endregion
408
+ //#region src/tool-vm-lease-id.ts
409
+ function createToolVmLeaseId() {
410
+ return parseToolVmLeaseId(v7());
411
+ }
412
+ function isToolVmLeaseId(value) {
413
+ return typeof value === "string" && validate(value) && version(value) === 7;
414
+ }
415
+ function parseToolVmLeaseId(value) {
416
+ if (isToolVmLeaseId(value)) return value;
417
+ throw new TypeError("Tool VM lease id must be an opaque UUIDv7 string.");
418
+ }
215
419
  //#endregion
216
420
  //#region src/vm-capability-lease.ts
217
421
  const VM_SSH_PUBLIC_ENDPOINT_KEYS = new Set([
@@ -244,15 +448,16 @@ function isVmSshPublicEndpoint(value) {
244
448
  function objectValue(value) {
245
449
  return typeof value === "object" && value !== null ? value : void 0;
246
450
  }
451
+ const deprecatedScopeKeyPropertyName = ["scope", "Key"].join("");
247
452
  function isToolVmSshLease(value) {
248
453
  const record = objectValue(value);
249
- return isVmCapabilityLease(record, "ssh-sandbox") && isVmSshEndpoint(Reflect.get(record, "ssh")) && typeof Reflect.get(record, "agentId") === "string" && typeof Reflect.get(record, "scopeKey") === "string" && typeof Reflect.get(record, "tcpSlot") === "number" && typeof Reflect.get(record, "workdir") === "string";
454
+ return isVmCapabilityLease(record, "ssh-sandbox") && isToolVmLeaseId(Reflect.get(record, "leaseId")) && isVmSshEndpoint(Reflect.get(record, "ssh")) && typeof Reflect.get(record, "agentId") === "string" && typeof Reflect.get(record, "idleTtlMs") === "number" && typeof Reflect.get(record, "tcpSlot") === "number" && typeof Reflect.get(record, "workdir") === "string" && !Reflect.has(record, deprecatedScopeKeyPropertyName);
250
455
  }
251
456
  function isToolVmLeasePeek(value) {
252
457
  const record = objectValue(value);
253
- return isVmCapabilityLease(record, "ssh-sandbox") && typeof Reflect.get(record, "agentId") === "string" && typeof Reflect.get(record, "createdAt") === "number" && typeof Reflect.get(record, "lastUsedAt") === "number" && typeof Reflect.get(record, "profileId") === "string" && typeof Reflect.get(record, "scopeKey") === "string" && isVmSshPublicEndpoint(Reflect.get(record, "ssh")) && typeof Reflect.get(record, "tcpSlot") === "number" && typeof Reflect.get(record, "workdir") === "string" && typeof Reflect.get(record, "zoneId") === "string";
458
+ return isVmCapabilityLease(record, "ssh-sandbox") && isToolVmLeaseId(Reflect.get(record, "leaseId")) && typeof Reflect.get(record, "agentId") === "string" && typeof Reflect.get(record, "createdAt") === "number" && typeof Reflect.get(record, "idleTtlMs") === "number" && typeof Reflect.get(record, "lastUsedAt") === "number" && typeof Reflect.get(record, "profileId") === "string" && isVmSshPublicEndpoint(Reflect.get(record, "ssh")) && typeof Reflect.get(record, "tcpSlot") === "number" && typeof Reflect.get(record, "workdir") === "string" && typeof Reflect.get(record, "zoneId") === "string" && !Reflect.has(record, deprecatedScopeKeyPropertyName);
254
459
  }
255
460
  //#endregion
256
- export { FORCE_IPV4_EGRESS_NODE_OPTIONS, buildGatewaySessionLabel, buildToolSessionLabel, composeNodeOptions, controllerVmHost, createToolVmActiveUseHandle, createToolVmActiveUseId, egressHostsForAudience, gatewayTypeValues, gatewayVmAllowedHosts, isToolVmActiveUseId, isToolVmLeasePeek, isToolVmSshLease, isVmCapabilityLease, isVmSshEndpoint, isVmSshPublicEndpoint, mergeRuntimeGatewaySecrets, splitResolvedGatewaySecrets, splitResolvedSecretsByInjection, targetsAudience, vmAudienceValues };
461
+ export { FORCE_IPV4_EGRESS_NODE_OPTIONS, OPENCLAW_STATE_SANDBOXES_VM_ROOT, OPENCLAW_STATE_VM_ROOT, TOOL_VM_SCRATCH_GUEST_ROOT, TOOL_VM_WORKSPACE_GUEST_ROOT, buildGatewaySessionLabel, buildToolSessionLabel, composeNodeOptions, controllerVmHost, createToolVmActiveUseHandle, createToolVmActiveUseId, createToolVmLeaseId, egressHostsForAudience, gatewayTypeValues, gatewayVmAllowedHosts, isToolVmActiveUseId, isToolVmLeaseId, isToolVmLeasePeek, isToolVmSshLease, isVmCapabilityLease, isVmSshEndpoint, isVmSshPublicEndpoint, mergeRuntimeGatewaySecrets, parseToolVmLeaseId, splitResolvedGatewaySecrets, splitResolvedSecretsByInjection, targetsAudience, translateRuntimePath, vmAudienceValues };
257
462
 
258
463
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","names":["uuidv7","validateUuid","uuidVersion","objectValue"],"sources":["../src/gateway-runtime-contract.ts","../src/audience.ts","../src/force-ipv4-egress.ts","../src/split-resolved-gateway-secrets.ts","../src/tool-vm-active-use.ts","../src/vm-capability-lease.ts","../src/tool-vm-lease.ts"],"sourcesContent":["export const gatewayTypeValues = ['openclaw', 'worker'] as const;\n\nexport type GatewayType = (typeof gatewayTypeValues)[number];\n\nexport function buildGatewaySessionLabel(projectNamespace: string, zoneId: string): string {\n\treturn `${projectNamespace}:${zoneId}:gateway`;\n}\n\nexport function buildToolSessionLabel(\n\tprojectNamespace: string,\n\tzoneId: string,\n\ttcpSlot: number,\n): string {\n\treturn `${projectNamespace}:${zoneId}:tool:${tcpSlot}`;\n}\n","export const vmAudienceValues = ['gateway', 'tool-vm', 'both'] as const;\n\nexport type VmAudience = (typeof vmAudienceValues)[number];\nexport type RuntimeVmAudience = Exclude<VmAudience, 'both'>;\n\nexport interface EgressHostConfig {\n\treadonly host: string;\n\treadonly audience: VmAudience;\n}\n\nexport const controllerVmHost = 'controller.vm.host';\n\nexport function targetsAudience(\n\tconfigAudience: VmAudience,\n\truntimeAudience: RuntimeVmAudience,\n): boolean {\n\treturn configAudience === runtimeAudience || configAudience === 'both';\n}\n\nexport function egressHostsForAudience(\n\tegressHosts: readonly EgressHostConfig[],\n\truntimeAudience: RuntimeVmAudience,\n): readonly string[] {\n\treturn egressHosts\n\t\t.filter((egressHost) => targetsAudience(egressHost.audience, runtimeAudience))\n\t\t.map((egressHost) => egressHost.host);\n}\n\nexport function gatewayVmAllowedHosts(egressHosts: readonly EgressHostConfig[]): readonly string[] {\n\treturn Array.from(new Set([controllerVmHost, ...egressHostsForAudience(egressHosts, 'gateway')]));\n}\n","/**\n * Canonical NODE_OPTIONS value for forcing IPv4-preference egress\n * in agent-vm VMs.\n *\n * Background: Gondolin's synthetic DNS (when tcpHosts is enabled)\n * returns a per-host IPv4 (reverse-lookable) and a single shared\n * IPv4-mapped IPv6 (::ffff:198.18.0.1, NOT reverse-lookable). Node\n * 20+'s fetch (via undici, autoSelectFamily: true) races both\n * families; when the IPv6 race wins (~5-20% under sequential load),\n * gondolin cannot route it and the request fails with a non-JSON\n * 400 (HTTP) or 403 (TLS). The two flags below stop the race:\n *\n * --dns-result-order=ipv4first changes dns.lookup() so\n * IPv4 addresses are listed\n * before IPv6.\n *\n * --no-network-family-autoselection disables Node's Happy\n * Eyeballs entirely. This is\n * the load-bearing flag —\n * --dns-result-order alone\n * doesn't prevent Node from\n * racing both families if\n * IPv4 is slow.\n *\n * Composition: NODE_OPTIONS is whitespace-separated. To add more\n * flags downstream, append rather than replace. Example:\n *\n * NODE_OPTIONS: `${FORCE_IPV4_EGRESS_NODE_OPTIONS} --inspect`\n *\n * Reference: see `shravan-claw@0ddf5f2:docs/wip/debugging/\n * 2026-05-21-lease-keepalive-400-and-discord-403-ipv6-race.md`\n * for the full root-cause analysis. Node-side flag references:\n * https://github.com/nodejs/node/issues/54359 (autoSelectFamily\n * revert recommendation by the Node core team).\n */\nexport const FORCE_IPV4_EGRESS_NODE_OPTIONS =\n\t'--dns-result-order=ipv4first --no-network-family-autoselection';\n\n/**\n * Compose the forced IPv4-preference flags with a user-provided\n * NODE_OPTIONS value (if any).\n *\n * Use this at every site where NODE_OPTIONS is set into a VM env\n * block AFTER a spread of user-controlled secrets, to guarantee\n * the forced flags are always present in the final value even if\n * a zone secret happens to provide its own NODE_OPTIONS.\n *\n * Forced flags come FIRST so they are unambiguously applied.\n * User-provided flags are appended verbatim. Node treats NODE_OPTIONS\n * as a whitespace-separated list and all flags apply.\n *\n * Returns just the forced flags if the user value is undefined,\n * empty, or whitespace-only.\n *\n * Examples:\n *\n * composeNodeOptions(undefined)\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection'\n *\n * composeNodeOptions('')\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection'\n *\n * composeNodeOptions('--inspect=0.0.0.0:9229')\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection\n * --inspect=0.0.0.0:9229'\n */\nexport function composeNodeOptions(userValue: string | undefined): string {\n\tconst trimmed = userValue?.trim() ?? '';\n\tif (trimmed === '') {\n\t\treturn FORCE_IPV4_EGRESS_NODE_OPTIONS;\n\t}\n\treturn `${FORCE_IPV4_EGRESS_NODE_OPTIONS} ${trimmed}`;\n}\n","import type { MediatedSecretSpec } from '@agent-vm/secret-management';\n\nimport { targetsAudience, type RuntimeVmAudience } from './audience.js';\nimport type { GatewaySecretConfig, GatewayZoneConfig } from './gateway-lifecycle.js';\n\nexport interface SplitResolvedSecretsResult {\n\treadonly environmentSecrets: Record<string, string>;\n\treadonly mediatedSecrets: Record<string, MediatedSecretSpec>;\n}\n\nexport interface MergeRuntimeGatewaySecretsOptions {\n\treadonly logPrefix?: string;\n\treadonly runtimeEnvironment?: Readonly<Record<string, string>> | undefined;\n\treadonly runtimeMediatedSecrets?: Readonly<Record<string, MediatedSecretSpec>> | undefined;\n}\n\nexport type SecretInjectionConfig = GatewaySecretConfig;\n\nexport interface SplitResolvedSecretsOptions {\n\treadonly audience: RuntimeVmAudience;\n\treadonly logPrefix?: string;\n}\n\nexport function splitResolvedSecretsByInjection(\n\tsecretConfigs: Readonly<Record<string, SecretInjectionConfig>>,\n\tresolvedSecrets: Record<string, string>,\n\toptions: SplitResolvedSecretsOptions,\n): SplitResolvedSecretsResult {\n\tconst environmentSecrets: Record<string, string> = {};\n\tconst mediatedSecrets: Record<string, MediatedSecretSpec> = {};\n\tconst logPrefix = options.logPrefix ?? 'split-resolved-secrets';\n\n\tfor (const [secretName, secretValue] of Object.entries(resolvedSecrets)) {\n\t\tconst secretConfig = secretConfigs[secretName];\n\t\tif (!secretConfig) {\n\t\t\tthrow new Error(\n\t\t\t\t`[${logPrefix}] Secret '${secretName}' was resolved but has no matching secret config.`,\n\t\t\t);\n\t\t}\n\t\tif (!targetsAudience(secretConfig.audience, options.audience)) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (secretConfig.injection === 'http-mediation') {\n\t\t\tif (secretConfig.hosts.length === 0) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`[${logPrefix}] Secret '${secretName}' uses http-mediation but declares no hosts.`,\n\t\t\t\t);\n\t\t\t}\n\t\t\tmediatedSecrets[secretName] = {\n\t\t\t\thosts: [...secretConfig.hosts],\n\t\t\t\tvalue: secretValue,\n\t\t\t};\n\t\t\tcontinue;\n\t\t}\n\n\t\tconst envSecretAudience = (secretConfig as { readonly audience: string }).audience;\n\t\tif (envSecretAudience !== 'gateway') {\n\t\t\tthrow new Error(\n\t\t\t\t`[${logPrefix}] Secret '${secretName}' uses env injection with non-gateway audience '${envSecretAudience}'.`,\n\t\t\t);\n\t\t}\n\t\tif (options.audience === 'gateway') {\n\t\t\tenvironmentSecrets[secretName] = secretValue;\n\t\t}\n\t}\n\n\treturn { environmentSecrets, mediatedSecrets };\n}\n\nexport type SplitResolvedGatewaySecretsResult = SplitResolvedSecretsResult;\n\nexport function splitResolvedGatewaySecrets(\n\tzone: GatewayZoneConfig,\n\tresolvedSecrets: Record<string, string>,\n): SplitResolvedGatewaySecretsResult {\n\treturn splitResolvedSecretsByInjection(zone.secrets, resolvedSecrets, {\n\t\taudience: 'gateway',\n\t\tlogPrefix: 'split-resolved-gateway-secrets',\n\t});\n}\n\nfunction assertNoRuntimeSecretCollision(\n\tsecretName: string,\n\ttarget: 'environment' | 'http-mediation',\n\tbaseSecrets: SplitResolvedSecretsResult,\n\truntimeSeen: Set<string>,\n\tlogPrefix: string,\n): void {\n\tif (runtimeSeen.has(secretName)) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway secret '${secretName}' is declared for both environment and http-mediation injection.`,\n\t\t);\n\t}\n\tif (secretName in baseSecrets.environmentSecrets) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway ${target} secret '${secretName}' would overwrite an authored environment secret.`,\n\t\t);\n\t}\n\tif (secretName in baseSecrets.mediatedSecrets) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway ${target} secret '${secretName}' would overwrite an authored http-mediation secret.`,\n\t\t);\n\t}\n\truntimeSeen.add(secretName);\n}\n\nexport function mergeRuntimeGatewaySecrets(\n\tbaseSecrets: SplitResolvedSecretsResult,\n\toptions: MergeRuntimeGatewaySecretsOptions = {},\n): SplitResolvedSecretsResult {\n\tconst logPrefix = options.logPrefix ?? 'merge-runtime-gateway-secrets';\n\tconst runtimeSeen = new Set<string>();\n\tfor (const secretName of Object.keys(options.runtimeEnvironment ?? {})) {\n\t\tassertNoRuntimeSecretCollision(secretName, 'environment', baseSecrets, runtimeSeen, logPrefix);\n\t}\n\tfor (const secretName of Object.keys(options.runtimeMediatedSecrets ?? {})) {\n\t\tassertNoRuntimeSecretCollision(\n\t\t\tsecretName,\n\t\t\t'http-mediation',\n\t\t\tbaseSecrets,\n\t\t\truntimeSeen,\n\t\t\tlogPrefix,\n\t\t);\n\t}\n\n\treturn {\n\t\tenvironmentSecrets: {\n\t\t\t...baseSecrets.environmentSecrets,\n\t\t\t...options.runtimeEnvironment,\n\t\t},\n\t\tmediatedSecrets: {\n\t\t\t...baseSecrets.mediatedSecrets,\n\t\t\t...options.runtimeMediatedSecrets,\n\t\t},\n\t};\n}\n","import { v7 as uuidv7, validate as validateUuid, version as uuidVersion } from 'uuid';\n\nexport type ToolVmActiveUseOutcome =\n\t| 'abandoned'\n\t| 'cancelled'\n\t| 'completed'\n\t| 'failed'\n\t| 'timed-out';\n\nexport interface ToolVmActiveUseCorrelation {\n\treadonly agentId?: string;\n\treadonly sessionId?: string;\n\treadonly sessionKey?: string;\n\treadonly toolCallId?: string;\n\treadonly toolName?: string;\n}\n\nexport interface StartToolVmActiveUseRequest {\n\treadonly correlation?: ToolVmActiveUseCorrelation;\n\treadonly useId: string;\n}\n\nexport interface StartToolVmActiveUseResponse {\n\treadonly expiresAt: number;\n\treadonly heartbeatAfterMs: number;\n\treadonly useId: string;\n}\n\nexport interface HeartbeatToolVmActiveUseResponse {\n\treadonly expiresAt: number;\n\treadonly heartbeatAfterMs: number;\n}\n\nexport interface EndToolVmActiveUseRequest {\n\treadonly outcome: ToolVmActiveUseOutcome;\n}\n\nexport interface ToolVmActiveUseHandle {\n\treadonly useId: string;\n\tdispose(outcome?: ToolVmActiveUseOutcome): Promise<void>;\n\tend(outcome?: ToolVmActiveUseOutcome): Promise<void>;\n}\n\nexport interface CreateToolVmActiveUseHandleOptions {\n\treadonly correlation?: ToolVmActiveUseCorrelation;\n\treadonly endActiveUse: (useId: string, request: EndToolVmActiveUseRequest) => Promise<void>;\n\treadonly heartbeatActiveUse: (useId: string) => Promise<HeartbeatToolVmActiveUseResponse>;\n\treadonly isEndErrorTolerable?: (error: unknown) => boolean;\n\treadonly logEndFailure?: (error: unknown) => void;\n\treadonly logHeartbeatFailure?: (error: unknown) => void;\n\treadonly maxHeartbeatDurationMs?: number;\n\treadonly nowImpl?: () => number;\n\treadonly startActiveUse: (\n\t\trequest: StartToolVmActiveUseRequest,\n\t) => Promise<StartToolVmActiveUseResponse>;\n\treadonly setTimeoutImpl?: typeof setTimeout;\n\treadonly clearTimeoutImpl?: typeof clearTimeout;\n}\n\ntype HeartbeatTimer = ReturnType<typeof setTimeout>;\n\nconst defaultMaxHeartbeatDurationMs = 12 * 60 * 60 * 1000;\n\nexport function createToolVmActiveUseId(): string {\n\treturn uuidv7();\n}\n\nexport function isToolVmActiveUseId(value: string): boolean {\n\treturn validateUuid(value) && uuidVersion(value) === 7;\n}\n\nexport async function createToolVmActiveUseHandle(\n\toptions: CreateToolVmActiveUseHandleOptions,\n): Promise<ToolVmActiveUseHandle> {\n\tconst useId = createToolVmActiveUseId();\n\tconst startedUse = await options.startActiveUse({\n\t\t...(options.correlation ? { correlation: options.correlation } : {}),\n\t\tuseId,\n\t});\n\tconst setTimeoutImpl = options.setTimeoutImpl ?? setTimeout;\n\tconst clearTimeoutImpl = options.clearTimeoutImpl ?? clearTimeout;\n\tconst now = options.nowImpl ?? Date.now;\n\tconst startedAt = now();\n\tconst maxHeartbeatDurationMs = options.maxHeartbeatDurationMs ?? defaultMaxHeartbeatDurationMs;\n\tlet ended = false;\n\tlet heartbeatTimer: HeartbeatTimer | undefined;\n\n\tconst clearHeartbeatTimer = (): void => {\n\t\tif (heartbeatTimer) {\n\t\t\tclearTimeoutImpl(heartbeatTimer);\n\t\t\theartbeatTimer = undefined;\n\t\t}\n\t};\n\n\tconst scheduleHeartbeat = (delayMs: number): void => {\n\t\tif (now() - startedAt >= maxHeartbeatDurationMs) {\n\t\t\treturn;\n\t\t}\n\t\tclearHeartbeatTimer();\n\t\theartbeatTimer = setTimeoutImpl(() => {\n\t\t\tif (now() - startedAt >= maxHeartbeatDurationMs) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tvoid options\n\t\t\t\t.heartbeatActiveUse(startedUse.useId)\n\t\t\t\t.then((heartbeat) => {\n\t\t\t\t\tif (!ended) {\n\t\t\t\t\t\tscheduleHeartbeat(heartbeat.heartbeatAfterMs);\n\t\t\t\t\t}\n\t\t\t\t})\n\t\t\t\t.catch((error: unknown) => {\n\t\t\t\t\toptions.logHeartbeatFailure?.(error);\n\t\t\t\t\tif (!ended) {\n\t\t\t\t\t\tscheduleHeartbeat(startedUse.heartbeatAfterMs);\n\t\t\t\t\t}\n\t\t\t\t});\n\t\t}, delayMs);\n\t};\n\n\tscheduleHeartbeat(startedUse.heartbeatAfterMs);\n\n\tconst end = async (outcome: ToolVmActiveUseOutcome = 'completed'): Promise<void> => {\n\t\tif (ended) {\n\t\t\treturn;\n\t\t}\n\t\tended = true;\n\t\tclearHeartbeatTimer();\n\t\ttry {\n\t\t\tawait options.endActiveUse(startedUse.useId, { outcome });\n\t\t} catch (error) {\n\t\t\tif (options.isEndErrorTolerable?.(error) === true) {\n\t\t\t\toptions.logEndFailure?.(error);\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tthrow error;\n\t\t}\n\t};\n\n\treturn {\n\t\tuseId: startedUse.useId,\n\t\tdispose: end,\n\t\tend,\n\t};\n}\n","const VM_SSH_PUBLIC_ENDPOINT_KEYS = new Set(['host', 'port', 'user']);\n\n/**\n * Small host-issued capability envelope shared by VM-backed transports. The\n * transport tag keeps SSH Tool VM leases distinct from future host-side\n * Gondolin RPC or bridge capabilities without inventing a transport object.\n */\nexport interface VmCapabilityLease<TTransport extends string> {\n\treadonly leaseId: string;\n\treadonly transport: TTransport;\n}\n\nexport interface VmSshEndpoint {\n\treadonly host: string;\n\treadonly identityPem: string;\n\treadonly knownHostsLine: string;\n\treadonly port: number;\n\treadonly user: string;\n}\n\nexport interface VmSshPublicEndpoint {\n\treadonly host: string;\n\treadonly port: number;\n\treadonly user: string;\n}\n\nexport interface VmSshLease<TTransport extends string> extends VmCapabilityLease<TTransport> {\n\treadonly ssh: VmSshEndpoint;\n}\n\nfunction objectValue(value: unknown): object | undefined {\n\treturn typeof value === 'object' && value !== null ? value : undefined;\n}\n\nfunction isNonEmptyString(value: unknown): value is string {\n\treturn typeof value === 'string' && value.trim().length > 0;\n}\n\nexport function isVmCapabilityLease<TTransport extends string>(\n\tvalue: unknown,\n\ttransport: TTransport,\n): value is VmCapabilityLease<TTransport> {\n\tconst record = objectValue(value);\n\treturn (\n\t\trecord !== undefined &&\n\t\ttypeof Reflect.get(record, 'leaseId') === 'string' &&\n\t\tReflect.get(record, 'transport') === transport\n\t);\n}\n\nexport function isVmSshEndpoint(value: unknown): value is VmSshEndpoint {\n\tconst record = objectValue(value);\n\treturn (\n\t\trecord !== undefined &&\n\t\ttypeof Reflect.get(record, 'host') === 'string' &&\n\t\tisNonEmptyString(Reflect.get(record, 'identityPem')) &&\n\t\ttypeof Reflect.get(record, 'knownHostsLine') === 'string' &&\n\t\ttypeof Reflect.get(record, 'port') === 'number' &&\n\t\ttypeof Reflect.get(record, 'user') === 'string'\n\t);\n}\n\nexport function isVmSshPublicEndpoint(value: unknown): value is VmSshPublicEndpoint {\n\tconst record = objectValue(value);\n\tif (record === undefined) {\n\t\treturn false;\n\t}\n\tfor (const key of Object.keys(record)) {\n\t\tif (!VM_SSH_PUBLIC_ENDPOINT_KEYS.has(key)) {\n\t\t\treturn false;\n\t\t}\n\t}\n\treturn (\n\t\ttypeof Reflect.get(record, 'host') === 'string' &&\n\t\ttypeof Reflect.get(record, 'port') === 'number' &&\n\t\ttypeof Reflect.get(record, 'user') === 'string'\n\t);\n}\n","import {\n\tisVmCapabilityLease,\n\tisVmSshEndpoint,\n\tisVmSshPublicEndpoint,\n\ttype VmCapabilityLease,\n\ttype VmSshLease,\n\ttype VmSshPublicEndpoint,\n} from './vm-capability-lease.js';\n\nexport interface ToolVmSshLease extends VmSshLease<'ssh-sandbox'> {\n\treadonly agentId: string;\n\treadonly scopeKey: string;\n\treadonly tcpSlot: number;\n\treadonly workdir: string;\n}\n\nexport interface ToolVmLeasePeek extends VmCapabilityLease<'ssh-sandbox'> {\n\treadonly agentId: string;\n\treadonly createdAt: number;\n\treadonly lastUsedAt: number;\n\treadonly profileId: string;\n\treadonly scopeKey: string;\n\treadonly ssh: VmSshPublicEndpoint;\n\treadonly tcpSlot: number;\n\treadonly workdir: string;\n\treadonly zoneId: string;\n}\n\nfunction objectValue(value: unknown): object | undefined {\n\treturn typeof value === 'object' && value !== null ? value : undefined;\n}\n\nexport function isToolVmSshLease(value: unknown): value is ToolVmSshLease {\n\tconst record = objectValue(value);\n\treturn (\n\t\tisVmCapabilityLease(record, 'ssh-sandbox') &&\n\t\tisVmSshEndpoint(Reflect.get(record, 'ssh')) &&\n\t\ttypeof Reflect.get(record, 'agentId') === 'string' &&\n\t\ttypeof Reflect.get(record, 'scopeKey') === 'string' &&\n\t\ttypeof Reflect.get(record, 'tcpSlot') === 'number' &&\n\t\ttypeof Reflect.get(record, 'workdir') === 'string'\n\t);\n}\n\nexport function isToolVmLeasePeek(value: unknown): value is ToolVmLeasePeek {\n\tconst record = objectValue(value);\n\treturn (\n\t\tisVmCapabilityLease(record, 'ssh-sandbox') &&\n\t\ttypeof Reflect.get(record, 'agentId') === 'string' &&\n\t\ttypeof Reflect.get(record, 'createdAt') === 'number' &&\n\t\ttypeof Reflect.get(record, 'lastUsedAt') === 'number' &&\n\t\ttypeof Reflect.get(record, 'profileId') === 'string' &&\n\t\ttypeof Reflect.get(record, 'scopeKey') === 'string' &&\n\t\tisVmSshPublicEndpoint(Reflect.get(record, 'ssh')) &&\n\t\ttypeof Reflect.get(record, 'tcpSlot') === 'number' &&\n\t\ttypeof Reflect.get(record, 'workdir') === 'string' &&\n\t\ttypeof Reflect.get(record, 'zoneId') === 'string'\n\t);\n}\n"],"mappings":";;AAAA,MAAa,oBAAoB,CAAC,YAAY,SAAS;AAIvD,SAAgB,yBAAyB,kBAA0B,QAAwB;CAC1F,OAAO,GAAG,iBAAiB,GAAG,OAAO;;AAGtC,SAAgB,sBACf,kBACA,QACA,SACS;CACT,OAAO,GAAG,iBAAiB,GAAG,OAAO,QAAQ;;;;ACb9C,MAAa,mBAAmB;CAAC;CAAW;CAAW;CAAO;AAU9D,MAAa,mBAAmB;AAEhC,SAAgB,gBACf,gBACA,iBACU;CACV,OAAO,mBAAmB,mBAAmB,mBAAmB;;AAGjE,SAAgB,uBACf,aACA,iBACoB;CACpB,OAAO,YACL,QAAQ,eAAe,gBAAgB,WAAW,UAAU,gBAAgB,CAAC,CAC7E,KAAK,eAAe,WAAW,KAAK;;AAGvC,SAAgB,sBAAsB,aAA6D;CAClG,OAAO,MAAM,KAAK,IAAI,IAAI,CAAC,kBAAkB,GAAG,uBAAuB,aAAa,UAAU,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACMlG,MAAa,iCACZ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BD,SAAgB,mBAAmB,WAAuC;CACzE,MAAM,UAAU,WAAW,MAAM,IAAI;CACrC,IAAI,YAAY,IACf,OAAO;CAER,OAAO,GAAG,+BAA+B,GAAG;;;;AChD7C,SAAgB,gCACf,eACA,iBACA,SAC6B;CAC7B,MAAM,qBAA6C,EAAE;CACrD,MAAM,kBAAsD,EAAE;CAC9D,MAAM,YAAY,QAAQ,aAAa;CAEvC,KAAK,MAAM,CAAC,YAAY,gBAAgB,OAAO,QAAQ,gBAAgB,EAAE;EACxE,MAAM,eAAe,cAAc;EACnC,IAAI,CAAC,cACJ,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,mDACrC;EAEF,IAAI,CAAC,gBAAgB,aAAa,UAAU,QAAQ,SAAS,EAC5D;EAGD,IAAI,aAAa,cAAc,kBAAkB;GAChD,IAAI,aAAa,MAAM,WAAW,GACjC,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,8CACrC;GAEF,gBAAgB,cAAc;IAC7B,OAAO,CAAC,GAAG,aAAa,MAAM;IAC9B,OAAO;IACP;GACD;;EAGD,MAAM,oBAAqB,aAA+C;EAC1E,IAAI,sBAAsB,WACzB,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,kDAAkD,kBAAkB,IACzG;EAEF,IAAI,QAAQ,aAAa,WACxB,mBAAmB,cAAc;;CAInC,OAAO;EAAE;EAAoB;EAAiB;;AAK/C,SAAgB,4BACf,MACA,iBACoC;CACpC,OAAO,gCAAgC,KAAK,SAAS,iBAAiB;EACrE,UAAU;EACV,WAAW;EACX,CAAC;;AAGH,SAAS,+BACR,YACA,QACA,aACA,aACA,WACO;CACP,IAAI,YAAY,IAAI,WAAW,EAC9B,MAAM,IAAI,MACT,IAAI,UAAU,4BAA4B,WAAW,kEACrD;CAEF,IAAI,cAAc,YAAY,oBAC7B,MAAM,IAAI,MACT,IAAI,UAAU,oBAAoB,OAAO,WAAW,WAAW,mDAC/D;CAEF,IAAI,cAAc,YAAY,iBAC7B,MAAM,IAAI,MACT,IAAI,UAAU,oBAAoB,OAAO,WAAW,WAAW,sDAC/D;CAEF,YAAY,IAAI,WAAW;;AAG5B,SAAgB,2BACf,aACA,UAA6C,EAAE,EAClB;CAC7B,MAAM,YAAY,QAAQ,aAAa;CACvC,MAAM,8BAAc,IAAI,KAAa;CACrC,KAAK,MAAM,cAAc,OAAO,KAAK,QAAQ,sBAAsB,EAAE,CAAC,EACrE,+BAA+B,YAAY,eAAe,aAAa,aAAa,UAAU;CAE/F,KAAK,MAAM,cAAc,OAAO,KAAK,QAAQ,0BAA0B,EAAE,CAAC,EACzE,+BACC,YACA,kBACA,aACA,aACA,UACA;CAGF,OAAO;EACN,oBAAoB;GACnB,GAAG,YAAY;GACf,GAAG,QAAQ;GACX;EACD,iBAAiB;GAChB,GAAG,YAAY;GACf,GAAG,QAAQ;GACX;EACD;;;;AC1EF,MAAM,gCAAgC,MAAU,KAAK;AAErD,SAAgB,0BAAkC;CACjD,OAAOA,IAAQ;;AAGhB,SAAgB,oBAAoB,OAAwB;CAC3D,OAAOC,SAAa,MAAM,IAAIC,QAAY,MAAM,KAAK;;AAGtD,eAAsB,4BACrB,SACiC;CACjC,MAAM,QAAQ,yBAAyB;CACvC,MAAM,aAAa,MAAM,QAAQ,eAAe;EAC/C,GAAI,QAAQ,cAAc,EAAE,aAAa,QAAQ,aAAa,GAAG,EAAE;EACnE;EACA,CAAC;CACF,MAAM,iBAAiB,QAAQ,kBAAkB;CACjD,MAAM,mBAAmB,QAAQ,oBAAoB;CACrD,MAAM,MAAM,QAAQ,WAAW,KAAK;CACpC,MAAM,YAAY,KAAK;CACvB,MAAM,yBAAyB,QAAQ,0BAA0B;CACjE,IAAI,QAAQ;CACZ,IAAI;CAEJ,MAAM,4BAAkC;EACvC,IAAI,gBAAgB;GACnB,iBAAiB,eAAe;GAChC,iBAAiB,KAAA;;;CAInB,MAAM,qBAAqB,YAA0B;EACpD,IAAI,KAAK,GAAG,aAAa,wBACxB;EAED,qBAAqB;EACrB,iBAAiB,qBAAqB;GACrC,IAAI,KAAK,GAAG,aAAa,wBACxB;GAED,QACE,mBAAmB,WAAW,MAAM,CACpC,MAAM,cAAc;IACpB,IAAI,CAAC,OACJ,kBAAkB,UAAU,iBAAiB;KAE7C,CACD,OAAO,UAAmB;IAC1B,QAAQ,sBAAsB,MAAM;IACpC,IAAI,CAAC,OACJ,kBAAkB,WAAW,iBAAiB;KAE9C;KACD,QAAQ;;CAGZ,kBAAkB,WAAW,iBAAiB;CAE9C,MAAM,MAAM,OAAO,UAAkC,gBAA+B;EACnF,IAAI,OACH;EAED,QAAQ;EACR,qBAAqB;EACrB,IAAI;GACH,MAAM,QAAQ,aAAa,WAAW,OAAO,EAAE,SAAS,CAAC;WACjD,OAAO;GACf,IAAI,QAAQ,sBAAsB,MAAM,KAAK,MAAM;IAClD,QAAQ,gBAAgB,MAAM;IAC9B;;GAED,MAAM;;;CAIR,OAAO;EACN,OAAO,WAAW;EAClB,SAAS;EACT;EACA;;;;AC9IF,MAAM,8BAA8B,IAAI,IAAI;CAAC;CAAQ;CAAQ;CAAO,CAAC;AA8BrE,SAASC,cAAY,OAAoC;CACxD,OAAO,OAAO,UAAU,YAAY,UAAU,OAAO,QAAQ,KAAA;;AAG9D,SAAS,iBAAiB,OAAiC;CAC1D,OAAO,OAAO,UAAU,YAAY,MAAM,MAAM,CAAC,SAAS;;AAG3D,SAAgB,oBACf,OACA,WACyC;CACzC,MAAM,SAASA,cAAY,MAAM;CACjC,OACC,WAAW,KAAA,KACX,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,QAAQ,IAAI,QAAQ,YAAY,KAAK;;AAIvC,SAAgB,gBAAgB,OAAwC;CACvE,MAAM,SAASA,cAAY,MAAM;CACjC,OACC,WAAW,KAAA,KACX,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,iBAAiB,QAAQ,IAAI,QAAQ,cAAc,CAAC,IACpD,OAAO,QAAQ,IAAI,QAAQ,iBAAiB,KAAK,YACjD,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK;;AAIzC,SAAgB,sBAAsB,OAA8C;CACnF,MAAM,SAASA,cAAY,MAAM;CACjC,IAAI,WAAW,KAAA,GACd,OAAO;CAER,KAAK,MAAM,OAAO,OAAO,KAAK,OAAO,EACpC,IAAI,CAAC,4BAA4B,IAAI,IAAI,EACxC,OAAO;CAGT,OACC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK;;;;AC/CzC,SAAS,YAAY,OAAoC;CACxD,OAAO,OAAO,UAAU,YAAY,UAAU,OAAO,QAAQ,KAAA;;AAG9D,SAAgB,iBAAiB,OAAyC;CACzE,MAAM,SAAS,YAAY,MAAM;CACjC,OACC,oBAAoB,QAAQ,cAAc,IAC1C,gBAAgB,QAAQ,IAAI,QAAQ,MAAM,CAAC,IAC3C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,WAAW,KAAK,YAC3C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK;;AAI5C,SAAgB,kBAAkB,OAA0C;CAC3E,MAAM,SAAS,YAAY,MAAM;CACjC,OACC,oBAAoB,QAAQ,cAAc,IAC1C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,OAAO,QAAQ,IAAI,QAAQ,aAAa,KAAK,YAC7C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,OAAO,QAAQ,IAAI,QAAQ,WAAW,KAAK,YAC3C,sBAAsB,QAAQ,IAAI,QAAQ,MAAM,CAAC,IACjD,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,SAAS,KAAK"}
1
+ {"version":3,"file":"index.js","names":["uuidv7","validateUuid","uuidVersion","uuidv7","validateUuid","uuidVersion","objectValue"],"sources":["../src/gateway-runtime-contract.ts","../src/audience.ts","../src/force-ipv4-egress.ts","../src/split-resolved-gateway-secrets.ts","../src/tool-vm-active-use.ts","../src/runtime-paths/runtime-path-mapping.ts","../src/tool-vm-lease-id.ts","../src/vm-capability-lease.ts","../src/tool-vm-lease.ts"],"sourcesContent":["export const gatewayTypeValues = ['openclaw', 'worker'] as const;\n\nexport type GatewayType = (typeof gatewayTypeValues)[number];\n\nexport function buildGatewaySessionLabel(projectNamespace: string, zoneId: string): string {\n\treturn `${projectNamespace}:${zoneId}:gateway`;\n}\n\nexport function buildToolSessionLabel(\n\tprojectNamespace: string,\n\tzoneId: string,\n\ttcpSlot: number,\n): string {\n\treturn `${projectNamespace}:${zoneId}:tool:${tcpSlot}`;\n}\n","export const vmAudienceValues = ['gateway', 'tool-vm', 'both'] as const;\n\nexport type VmAudience = (typeof vmAudienceValues)[number];\nexport type RuntimeVmAudience = Exclude<VmAudience, 'both'>;\n\nexport interface EgressHostConfig {\n\treadonly host: string;\n\treadonly audience: VmAudience;\n}\n\nexport const controllerVmHost = 'controller.vm.host';\n\nexport function targetsAudience(\n\tconfigAudience: VmAudience,\n\truntimeAudience: RuntimeVmAudience,\n): boolean {\n\treturn configAudience === runtimeAudience || configAudience === 'both';\n}\n\nexport function egressHostsForAudience(\n\tegressHosts: readonly EgressHostConfig[],\n\truntimeAudience: RuntimeVmAudience,\n): readonly string[] {\n\treturn egressHosts\n\t\t.filter((egressHost) => targetsAudience(egressHost.audience, runtimeAudience))\n\t\t.map((egressHost) => egressHost.host);\n}\n\nexport function gatewayVmAllowedHosts(egressHosts: readonly EgressHostConfig[]): readonly string[] {\n\treturn Array.from(new Set([controllerVmHost, ...egressHostsForAudience(egressHosts, 'gateway')]));\n}\n","/**\n * Canonical NODE_OPTIONS value for forcing IPv4-preference egress\n * in agent-vm VMs.\n *\n * Background: Gondolin's synthetic DNS (when tcpHosts is enabled)\n * returns a per-host IPv4 (reverse-lookable) and a single shared\n * IPv4-mapped IPv6 (::ffff:198.18.0.1, NOT reverse-lookable). Node\n * 20+'s fetch (via undici, autoSelectFamily: true) races both\n * families; when the IPv6 race wins (~5-20% under sequential load),\n * gondolin cannot route it and the request fails with a non-JSON\n * 400 (HTTP) or 403 (TLS). The two flags below stop the race:\n *\n * --dns-result-order=ipv4first changes dns.lookup() so\n * IPv4 addresses are listed\n * before IPv6.\n *\n * --no-network-family-autoselection disables Node's Happy\n * Eyeballs entirely. This is\n * the load-bearing flag —\n * --dns-result-order alone\n * doesn't prevent Node from\n * racing both families if\n * IPv4 is slow.\n *\n * Composition: NODE_OPTIONS is whitespace-separated. To add more\n * flags downstream, append rather than replace. Example:\n *\n * NODE_OPTIONS: `${FORCE_IPV4_EGRESS_NODE_OPTIONS} --inspect`\n *\n * Reference: see `shravan-claw@0ddf5f2:docs/wip/debugging/\n * 2026-05-21-lease-keepalive-400-and-discord-403-ipv6-race.md`\n * for the full root-cause analysis. Node-side flag references:\n * https://github.com/nodejs/node/issues/54359 (autoSelectFamily\n * revert recommendation by the Node core team).\n */\nexport const FORCE_IPV4_EGRESS_NODE_OPTIONS =\n\t'--dns-result-order=ipv4first --no-network-family-autoselection';\n\n/**\n * Compose the forced IPv4-preference flags with a user-provided\n * NODE_OPTIONS value (if any).\n *\n * Use this at every site where NODE_OPTIONS is set into a VM env\n * block AFTER a spread of user-controlled secrets, to guarantee\n * the forced flags are always present in the final value even if\n * a zone secret happens to provide its own NODE_OPTIONS.\n *\n * Forced flags come FIRST so they are unambiguously applied.\n * User-provided flags are appended verbatim. Node treats NODE_OPTIONS\n * as a whitespace-separated list and all flags apply.\n *\n * Returns just the forced flags if the user value is undefined,\n * empty, or whitespace-only.\n *\n * Examples:\n *\n * composeNodeOptions(undefined)\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection'\n *\n * composeNodeOptions('')\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection'\n *\n * composeNodeOptions('--inspect=0.0.0.0:9229')\n * ──► '--dns-result-order=ipv4first --no-network-family-autoselection\n * --inspect=0.0.0.0:9229'\n */\nexport function composeNodeOptions(userValue: string | undefined): string {\n\tconst trimmed = userValue?.trim() ?? '';\n\tif (trimmed === '') {\n\t\treturn FORCE_IPV4_EGRESS_NODE_OPTIONS;\n\t}\n\treturn `${FORCE_IPV4_EGRESS_NODE_OPTIONS} ${trimmed}`;\n}\n","import type { MediatedSecretSpec } from '@agent-vm/secret-management';\n\nimport { targetsAudience, type RuntimeVmAudience } from './audience.js';\nimport type { GatewaySecretConfig, GatewayZoneConfig } from './gateway-lifecycle.js';\n\nexport interface SplitResolvedSecretsResult {\n\treadonly environmentSecrets: Record<string, string>;\n\treadonly mediatedSecrets: Record<string, MediatedSecretSpec>;\n}\n\nexport interface MergeRuntimeGatewaySecretsOptions {\n\treadonly logPrefix?: string;\n\treadonly runtimeEnvironment?: Readonly<Record<string, string>> | undefined;\n\treadonly runtimeMediatedSecrets?: Readonly<Record<string, MediatedSecretSpec>> | undefined;\n}\n\nexport type SecretInjectionConfig = GatewaySecretConfig;\n\nexport interface SplitResolvedSecretsOptions {\n\treadonly audience: RuntimeVmAudience;\n\treadonly logPrefix?: string;\n}\n\nexport function splitResolvedSecretsByInjection(\n\tsecretConfigs: Readonly<Record<string, SecretInjectionConfig>>,\n\tresolvedSecrets: Record<string, string>,\n\toptions: SplitResolvedSecretsOptions,\n): SplitResolvedSecretsResult {\n\tconst environmentSecrets: Record<string, string> = {};\n\tconst mediatedSecrets: Record<string, MediatedSecretSpec> = {};\n\tconst logPrefix = options.logPrefix ?? 'split-resolved-secrets';\n\n\tfor (const [secretName, secretValue] of Object.entries(resolvedSecrets)) {\n\t\tconst secretConfig = secretConfigs[secretName];\n\t\tif (!secretConfig) {\n\t\t\tthrow new Error(\n\t\t\t\t`[${logPrefix}] Secret '${secretName}' was resolved but has no matching secret config.`,\n\t\t\t);\n\t\t}\n\t\tif (!targetsAudience(secretConfig.audience, options.audience)) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (secretConfig.injection === 'http-mediation') {\n\t\t\tif (secretConfig.hosts.length === 0) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`[${logPrefix}] Secret '${secretName}' uses http-mediation but declares no hosts.`,\n\t\t\t\t);\n\t\t\t}\n\t\t\tmediatedSecrets[secretName] = {\n\t\t\t\thosts: [...secretConfig.hosts],\n\t\t\t\tvalue: secretValue,\n\t\t\t};\n\t\t\tcontinue;\n\t\t}\n\n\t\tconst envSecretAudience = (secretConfig as { readonly audience: string }).audience;\n\t\tif (envSecretAudience !== 'gateway') {\n\t\t\tthrow new Error(\n\t\t\t\t`[${logPrefix}] Secret '${secretName}' uses env injection with non-gateway audience '${envSecretAudience}'.`,\n\t\t\t);\n\t\t}\n\t\tif (options.audience === 'gateway') {\n\t\t\tenvironmentSecrets[secretName] = secretValue;\n\t\t}\n\t}\n\n\treturn { environmentSecrets, mediatedSecrets };\n}\n\nexport type SplitResolvedGatewaySecretsResult = SplitResolvedSecretsResult;\n\nexport function splitResolvedGatewaySecrets(\n\tzone: GatewayZoneConfig,\n\tresolvedSecrets: Record<string, string>,\n): SplitResolvedGatewaySecretsResult {\n\treturn splitResolvedSecretsByInjection(zone.secrets, resolvedSecrets, {\n\t\taudience: 'gateway',\n\t\tlogPrefix: 'split-resolved-gateway-secrets',\n\t});\n}\n\nfunction assertNoRuntimeSecretCollision(\n\tsecretName: string,\n\ttarget: 'environment' | 'http-mediation',\n\tbaseSecrets: SplitResolvedSecretsResult,\n\truntimeSeen: Set<string>,\n\tlogPrefix: string,\n): void {\n\tif (runtimeSeen.has(secretName)) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway secret '${secretName}' is declared for both environment and http-mediation injection.`,\n\t\t);\n\t}\n\tif (secretName in baseSecrets.environmentSecrets) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway ${target} secret '${secretName}' would overwrite an authored environment secret.`,\n\t\t);\n\t}\n\tif (secretName in baseSecrets.mediatedSecrets) {\n\t\tthrow new Error(\n\t\t\t`[${logPrefix}] Runtime gateway ${target} secret '${secretName}' would overwrite an authored http-mediation secret.`,\n\t\t);\n\t}\n\truntimeSeen.add(secretName);\n}\n\nexport function mergeRuntimeGatewaySecrets(\n\tbaseSecrets: SplitResolvedSecretsResult,\n\toptions: MergeRuntimeGatewaySecretsOptions = {},\n): SplitResolvedSecretsResult {\n\tconst logPrefix = options.logPrefix ?? 'merge-runtime-gateway-secrets';\n\tconst runtimeSeen = new Set<string>();\n\tfor (const secretName of Object.keys(options.runtimeEnvironment ?? {})) {\n\t\tassertNoRuntimeSecretCollision(secretName, 'environment', baseSecrets, runtimeSeen, logPrefix);\n\t}\n\tfor (const secretName of Object.keys(options.runtimeMediatedSecrets ?? {})) {\n\t\tassertNoRuntimeSecretCollision(\n\t\t\tsecretName,\n\t\t\t'http-mediation',\n\t\t\tbaseSecrets,\n\t\t\truntimeSeen,\n\t\t\tlogPrefix,\n\t\t);\n\t}\n\n\treturn {\n\t\tenvironmentSecrets: {\n\t\t\t...baseSecrets.environmentSecrets,\n\t\t\t...options.runtimeEnvironment,\n\t\t},\n\t\tmediatedSecrets: {\n\t\t\t...baseSecrets.mediatedSecrets,\n\t\t\t...options.runtimeMediatedSecrets,\n\t\t},\n\t};\n}\n","import { v7 as uuidv7, validate as validateUuid, version as uuidVersion } from 'uuid';\n\nexport type ToolVmActiveUseOutcome =\n\t| 'abandoned'\n\t| 'cancelled'\n\t| 'completed'\n\t| 'failed'\n\t| 'timed-out';\n\nexport interface ToolVmActiveUseCorrelation {\n\treadonly agentId?: string | undefined;\n\treadonly sessionId?: string | undefined;\n\treadonly sessionKey?: string | undefined;\n\treadonly toolCallId?: string | undefined;\n\treadonly toolName?: string | undefined;\n}\n\nexport type ToolVmSshOperationPhase =\n\t| 'completed'\n\t| 'failed'\n\t| 'probe-succeeded'\n\t| 'running'\n\t| 'starting';\n\nexport type ToolVmSshFailureKind =\n\t| 'active-use-refreshable-failure'\n\t| 'ssh-command-failed'\n\t| 'ssh-command-timed-out'\n\t| 'ssh-probe-failed';\n\nexport interface ToolVmSshFailureReport {\n\treadonly kind: ToolVmSshFailureKind;\n\treadonly message: string;\n}\n\nexport interface ToolVmSshOperationReport {\n\treadonly failure?: ToolVmSshFailureReport | undefined;\n\treadonly probeSucceeded?: boolean | undefined;\n}\n\nexport interface ToolVmActiveUseOperationReport {\n\treadonly observedAtMs: number;\n\treadonly phase: ToolVmSshOperationPhase;\n\treadonly ssh?: ToolVmSshOperationReport | undefined;\n}\n\nexport interface StartToolVmActiveUseRequest {\n\treadonly correlation?: ToolVmActiveUseCorrelation | undefined;\n\treadonly report?: ToolVmActiveUseOperationReport | undefined;\n\treadonly useId: string;\n}\n\nexport interface StartToolVmActiveUseResponse {\n\treadonly expiresAt: number;\n\treadonly heartbeatAfterMs: number;\n\treadonly useId: string;\n}\n\nexport interface HeartbeatToolVmActiveUseResponse {\n\treadonly expiresAt: number;\n\treadonly heartbeatAfterMs: number;\n}\n\nexport interface HeartbeatToolVmActiveUseRequest {\n\treadonly report?: ToolVmActiveUseOperationReport | undefined;\n}\n\nexport interface EndToolVmActiveUseRequest {\n\treadonly outcome: ToolVmActiveUseOutcome;\n\treadonly report?: ToolVmActiveUseOperationReport | undefined;\n}\n\nexport interface ToolVmActiveUseHandle {\n\treadonly signal: AbortSignal;\n\treadonly useId: string;\n\tdispose(outcome?: ToolVmActiveUseOutcome): Promise<void>;\n\tend(outcome?: ToolVmActiveUseOutcome): Promise<void>;\n\treport(report: ToolVmActiveUseOperationReport): void;\n}\n\nexport interface CreateToolVmActiveUseHandleOptions {\n\treadonly correlation?: ToolVmActiveUseCorrelation | undefined;\n\treadonly endActiveUse: (useId: string, request: EndToolVmActiveUseRequest) => Promise<void>;\n\treadonly heartbeatActiveUse: (\n\t\tuseId: string,\n\t\trequest: HeartbeatToolVmActiveUseRequest,\n\t) => Promise<HeartbeatToolVmActiveUseResponse>;\n\treadonly heartbeatJitterRatio?: number | undefined;\n\treadonly isEndErrorTolerable?: (error: unknown) => boolean;\n\treadonly isHeartbeatErrorRefreshable?: (error: unknown) => boolean;\n\treadonly logEndFailure?: (error: unknown) => void;\n\treadonly logHeartbeatFailure?: (error: unknown) => void;\n\treadonly maxHeartbeatDurationMs?: number | undefined;\n\treadonly nowImpl?: (() => number) | undefined;\n\treadonly onRefreshableHeartbeatFailure?: (error: unknown) => Promise<void>;\n\treadonly randomImpl?: (() => number) | undefined;\n\treadonly startActiveUse: (\n\t\trequest: StartToolVmActiveUseRequest,\n\t) => Promise<StartToolVmActiveUseResponse>;\n\treadonly setTimeoutImpl?: typeof setTimeout | undefined;\n\treadonly clearTimeoutImpl?: typeof clearTimeout | undefined;\n}\n\ntype HeartbeatTimer = ReturnType<typeof setTimeout>;\n\nconst defaultMaxHeartbeatDurationMs = 12 * 60 * 60 * 1000;\n\nfunction jitterDelayMs(params: {\n\treadonly delayMs: number;\n\treadonly jitterRatio: number;\n\treadonly random: () => number;\n}): number {\n\tif (params.jitterRatio <= 0) {\n\t\treturn params.delayMs;\n\t}\n\tconst spreadMs = params.delayMs * params.jitterRatio;\n\tconst minMs = params.delayMs - spreadMs;\n\tconst jitteredMs = minMs + params.random() * spreadMs * 2;\n\treturn Math.max(1, Math.round(jitteredMs));\n}\n\nexport function createToolVmActiveUseId(): string {\n\treturn uuidv7();\n}\n\nexport function isToolVmActiveUseId(value: string): boolean {\n\treturn validateUuid(value) && uuidVersion(value) === 7;\n}\n\nexport async function createToolVmActiveUseHandle(\n\toptions: CreateToolVmActiveUseHandleOptions,\n): Promise<ToolVmActiveUseHandle> {\n\tconst useId = createToolVmActiveUseId();\n\tconst startedUse = await options.startActiveUse({\n\t\t...(options.correlation ? { correlation: options.correlation } : {}),\n\t\tuseId,\n\t});\n\tconst setTimeoutImpl = options.setTimeoutImpl ?? setTimeout;\n\tconst clearTimeoutImpl = options.clearTimeoutImpl ?? clearTimeout;\n\tconst now = options.nowImpl ?? Date.now;\n\tconst startedAt = now();\n\tconst maxHeartbeatDurationMs = options.maxHeartbeatDurationMs ?? defaultMaxHeartbeatDurationMs;\n\tconst heartbeatJitterRatio = options.heartbeatJitterRatio ?? 0.1;\n\tconst random = options.randomImpl ?? Math.random;\n\tconst operationAbortController = new AbortController();\n\tlet ended = false;\n\tlet heartbeatTimer: HeartbeatTimer | undefined;\n\tlet latestReport: ToolVmActiveUseOperationReport | undefined;\n\n\tconst clearHeartbeatTimer = (): void => {\n\t\tif (heartbeatTimer) {\n\t\t\tclearTimeoutImpl(heartbeatTimer);\n\t\t\theartbeatTimer = undefined;\n\t\t}\n\t};\n\n\tconst scheduleHeartbeat = (delayMs: number): void => {\n\t\tif (now() - startedAt >= maxHeartbeatDurationMs) {\n\t\t\treturn;\n\t\t}\n\t\tclearHeartbeatTimer();\n\t\theartbeatTimer = setTimeoutImpl(\n\t\t\t() => {\n\t\t\t\tif (now() - startedAt >= maxHeartbeatDurationMs) {\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tconst heartbeatRequest: HeartbeatToolVmActiveUseRequest =\n\t\t\t\t\tlatestReport === undefined ? {} : { report: latestReport };\n\t\t\t\tvoid options\n\t\t\t\t\t.heartbeatActiveUse(startedUse.useId, heartbeatRequest)\n\t\t\t\t\t.then((heartbeat) => {\n\t\t\t\t\t\tif (!ended) {\n\t\t\t\t\t\t\tscheduleHeartbeat(heartbeat.heartbeatAfterMs);\n\t\t\t\t\t\t}\n\t\t\t\t\t})\n\t\t\t\t\t.catch((error: unknown) => {\n\t\t\t\t\t\toptions.logHeartbeatFailure?.(error);\n\t\t\t\t\t\tif (\n\t\t\t\t\t\t\toptions.isHeartbeatErrorRefreshable?.(error) === true &&\n\t\t\t\t\t\t\toptions.onRefreshableHeartbeatFailure\n\t\t\t\t\t\t) {\n\t\t\t\t\t\t\toperationAbortController.abort(error);\n\t\t\t\t\t\t\tended = true;\n\t\t\t\t\t\t\tclearHeartbeatTimer();\n\t\t\t\t\t\t\tvoid options.onRefreshableHeartbeatFailure(error).catch((staleError: unknown) => {\n\t\t\t\t\t\t\t\toptions.logHeartbeatFailure?.(staleError);\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!ended) {\n\t\t\t\t\t\t\tscheduleHeartbeat(startedUse.heartbeatAfterMs);\n\t\t\t\t\t\t}\n\t\t\t\t\t});\n\t\t\t},\n\t\t\tjitterDelayMs({ delayMs, jitterRatio: heartbeatJitterRatio, random }),\n\t\t);\n\t};\n\n\tscheduleHeartbeat(startedUse.heartbeatAfterMs);\n\n\tconst end = async (outcome: ToolVmActiveUseOutcome = 'completed'): Promise<void> => {\n\t\tif (ended) {\n\t\t\treturn;\n\t\t}\n\t\tended = true;\n\t\tclearHeartbeatTimer();\n\t\ttry {\n\t\t\tawait options.endActiveUse(startedUse.useId, {\n\t\t\t\toutcome,\n\t\t\t\t...(latestReport === undefined ? {} : { report: latestReport }),\n\t\t\t});\n\t\t} catch (error) {\n\t\t\tif (options.isEndErrorTolerable?.(error) === true) {\n\t\t\t\toptions.logEndFailure?.(error);\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tthrow error;\n\t\t}\n\t};\n\n\treturn {\n\t\tsignal: operationAbortController.signal,\n\t\tuseId: startedUse.useId,\n\t\tdispose: end,\n\t\tend,\n\t\treport: (report): void => {\n\t\t\tif (ended) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tlatestReport = report;\n\t\t},\n\t};\n}\n","export const TOOL_VM_WORKSPACE_GUEST_ROOT = '/workspace';\nexport const TOOL_VM_SCRATCH_GUEST_ROOT = '/work';\nexport const OPENCLAW_STATE_VM_ROOT = '/home/openclaw/.openclaw/state';\nexport const OPENCLAW_STATE_SANDBOXES_VM_ROOT = `${OPENCLAW_STATE_VM_ROOT}/sandboxes`;\n\nexport type RuntimePathPurpose = 'executionCwd' | 'leaseMount';\n\nexport interface RuntimePathCapabilities {\n\treadonly executionCwd: boolean;\n\treadonly leaseMount: boolean;\n}\n\nexport type RuntimePathBacking =\n\t| {\n\t\t\treadonly kind: 'host-realfs';\n\t\t\treadonly durability: 'durable' | 'runtime' | 'cache';\n\t\t\treadonly backup: 'included' | 'excluded';\n\t }\n\t| {\n\t\t\treadonly kind: 'guest-rootfs-cow';\n\t\t\treadonly durability: 'vm-lifetime';\n\t };\n\ninterface RuntimePathRootMappingBase {\n\treadonly capabilities: RuntimePathCapabilities;\n\treadonly guidanceLabel: string;\n\treadonly id: string;\n\treadonly rootPathAllowed: boolean;\n}\n\nexport type RuntimePathRootMapping =\n\t| (RuntimePathRootMappingBase & {\n\t\t\treadonly backing: Extract<RuntimePathBacking, { readonly kind: 'host-realfs' }>;\n\t\t\treadonly guestRoot?: string;\n\t\t\treadonly hostRoot: string;\n\t\t\treadonly showHostRootInGuidance?: boolean;\n\t })\n\t| (RuntimePathRootMappingBase & {\n\t\t\treadonly backing: Extract<RuntimePathBacking, { readonly kind: 'guest-rootfs-cow' }>;\n\t\t\treadonly capabilities: RuntimePathCapabilities & { readonly leaseMount: false };\n\t\t\treadonly guestRoot: string;\n\t\t\treadonly hostRoot?: never;\n\t\t\treadonly showHostRootInGuidance?: never;\n\t });\n\nfunction isHostRealfsRootMapping(\n\troot: RuntimePathRootMapping,\n): root is Extract<RuntimePathRootMapping, { readonly backing: { readonly kind: 'host-realfs' } }> {\n\treturn root.backing.kind === 'host-realfs';\n}\n\nexport interface RuntimePathMapping {\n\treadonly id: string;\n\treadonly roots: readonly RuntimePathRootMapping[];\n}\n\nexport interface TranslateRuntimePathInput {\n\treadonly inputPath: string;\n\treadonly mapping: RuntimePathMapping;\n\treadonly purpose: RuntimePathPurpose;\n}\n\ninterface RuntimePathTranslationBase {\n\treadonly backing: RuntimePathBacking;\n\treadonly capabilities: RuntimePathCapabilities;\n\treadonly inputNamespace: 'guest' | 'host';\n\treadonly inputPath: string;\n\treadonly mappingId: string;\n\treadonly relativePath: string;\n\treadonly rootId: string;\n}\n\nexport type RuntimePathTranslation =\n\t| (RuntimePathTranslationBase & {\n\t\t\treadonly guestPath?: string;\n\t\t\treadonly guestRoot?: string;\n\t\t\treadonly hasHostBacking: true;\n\t\t\treadonly hostPath: string;\n\t\t\treadonly hostRoot: string;\n\t\t\treadonly kind: 'host-backed';\n\t })\n\t| (RuntimePathTranslationBase & {\n\t\t\treadonly guestPath: string;\n\t\t\treadonly guestRoot: string;\n\t\t\treadonly hasHostBacking: false;\n\t\t\treadonly hostPath?: never;\n\t\t\treadonly hostRoot?: never;\n\t\t\treadonly kind: 'guest-only';\n\t });\n\nexport type RuntimePathTranslationErrorCode =\n\t| 'path-not-absolute'\n\t| 'path-parent-traversal'\n\t| 'invalid-runtime-root'\n\t| 'unknown-runtime-path'\n\t| 'purpose-not-allowed'\n\t| 'root-path-not-allowed';\n\nexport interface RuntimePathTranslationError {\n\treadonly allowedPathForms: readonly string[];\n\treadonly code: RuntimePathTranslationErrorCode;\n\treadonly inputPath: string;\n\treadonly mappingId: string;\n\treadonly message: string;\n\treadonly purpose: RuntimePathPurpose;\n\treadonly retryGuidance: string;\n}\n\nexport type TranslateRuntimePathResult =\n\t| {\n\t\t\treadonly ok: true;\n\t\t\treadonly value: RuntimePathTranslation;\n\t }\n\t| {\n\t\t\treadonly ok: false;\n\t\t\treadonly error: RuntimePathTranslationError;\n\t };\n\ninterface RuntimePathRootMatch {\n\treadonly inputNamespace: 'guest' | 'host';\n\treadonly matchedRoot: string;\n\treadonly root: RuntimePathRootMapping;\n}\n\nfunction pathContainsParentTraversal(inputPath: string): boolean {\n\treturn inputPath.split(/\\/+/u).includes('..');\n}\n\nfunction normalizeAbsolutePath(inputPath: string): string {\n\tconst rawSegments = inputPath.split('/').filter((segment) => segment !== '' && segment !== '.');\n\treturn `/${rawSegments.join('/')}`;\n}\n\nfunction normalizeRoot(rootPath: string): string {\n\tconst normalizedRoot = normalizeAbsolutePath(rootPath);\n\treturn normalizedRoot === '/' ? normalizedRoot : normalizedRoot.replace(/\\/+$/u, '');\n}\n\nfunction pathMatchesRoot(candidatePath: string, rootPath: string): boolean {\n\treturn candidatePath === rootPath || candidatePath.startsWith(`${rootPath}/`);\n}\n\nfunction relativePathForRoot(candidatePath: string, rootPath: string): string {\n\treturn candidatePath === rootPath ? '' : candidatePath.slice(rootPath.length + 1);\n}\n\nfunction joinRootAndRelative(rootPath: string, relativePath: string): string {\n\treturn relativePath === '' ? rootPath : `${rootPath}/${relativePath}`;\n}\n\nfunction allowedPathFormsForMapping(\n\tmapping: RuntimePathMapping,\n\tpurpose: RuntimePathPurpose,\n): readonly string[] {\n\treturn mapping.roots.flatMap((root) => {\n\t\tif (!root.capabilities[purpose]) {\n\t\t\treturn [];\n\t\t}\n\t\tconst suffix = root.rootPathAllowed ? '[/subpath]' : '/<child>';\n\t\tconst pathForms = [\n\t\t\troot.guestRoot,\n\t\t\troot.backing.kind === 'host-realfs' && root.showHostRootInGuidance !== false\n\t\t\t\t? root.hostRoot\n\t\t\t\t: undefined,\n\t\t];\n\t\treturn pathForms\n\t\t\t.filter((value): value is string => value !== undefined)\n\t\t\t.map((value) => `${normalizeRoot(value)}${suffix}`);\n\t});\n}\n\nfunction retryGuidanceForMapping(mapping: RuntimePathMapping, purpose: RuntimePathPurpose): string {\n\treturn `Use one of the allowed path forms for ${mapping.id} ${purpose}: ${allowedPathFormsForMapping(mapping, purpose).join(', ')}.`;\n}\n\nfunction errorResult(params: {\n\treadonly code: RuntimePathTranslationErrorCode;\n\treadonly inputPath: string;\n\treadonly mapping: RuntimePathMapping;\n\treadonly message: string;\n\treadonly purpose: RuntimePathPurpose;\n}): TranslateRuntimePathResult {\n\treturn {\n\t\terror: {\n\t\t\tallowedPathForms: allowedPathFormsForMapping(params.mapping, params.purpose),\n\t\t\tcode: params.code,\n\t\t\tinputPath: params.inputPath,\n\t\t\tmappingId: params.mapping.id,\n\t\t\tmessage: params.message,\n\t\t\tpurpose: params.purpose,\n\t\t\tretryGuidance: retryGuidanceForMapping(params.mapping, params.purpose),\n\t\t},\n\t\tok: false,\n\t};\n}\n\nfunction findBestRootMatch(params: {\n\treadonly inputPath: string;\n\treadonly mapping: RuntimePathMapping;\n}): RuntimePathRootMatch | undefined {\n\tconst matches = params.mapping.roots.flatMap((root): RuntimePathRootMatch[] => {\n\t\tconst guestRoot = root.guestRoot === undefined ? undefined : normalizeRoot(root.guestRoot);\n\t\tlet hostRoot: string | undefined;\n\t\tif (isHostRealfsRootMapping(root)) {\n\t\t\thostRoot = normalizeRoot(root.hostRoot);\n\t\t}\n\t\tconst rootMatches: RuntimePathRootMatch[] = [];\n\t\tif (guestRoot !== undefined && pathMatchesRoot(params.inputPath, guestRoot)) {\n\t\t\trootMatches.push({ inputNamespace: 'guest', matchedRoot: guestRoot, root });\n\t\t}\n\t\tif (hostRoot !== undefined && pathMatchesRoot(params.inputPath, hostRoot)) {\n\t\t\trootMatches.push({ inputNamespace: 'host', matchedRoot: hostRoot, root });\n\t\t}\n\t\treturn rootMatches;\n\t});\n\treturn matches.toSorted((left, right) => right.matchedRoot.length - left.matchedRoot.length)[0];\n}\n\nexport function translateRuntimePath(input: TranslateRuntimePathInput): TranslateRuntimePathResult {\n\tif (!input.inputPath.startsWith('/')) {\n\t\treturn errorResult({\n\t\t\tcode: 'path-not-absolute',\n\t\t\tinputPath: input.inputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${input.inputPath}' must be absolute.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tif (pathContainsParentTraversal(input.inputPath)) {\n\t\treturn errorResult({\n\t\t\tcode: 'path-parent-traversal',\n\t\t\tinputPath: input.inputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${input.inputPath}' must not contain parent traversal.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst normalizedInputPath = normalizeAbsolutePath(input.inputPath);\n\tconst match = findBestRootMatch({\n\t\tinputPath: normalizedInputPath,\n\t\tmapping: input.mapping,\n\t});\n\tif (match === undefined) {\n\t\treturn errorResult({\n\t\t\tcode: 'unknown-runtime-path',\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${normalizedInputPath}' is not part of runtime path mapping '${input.mapping.id}'.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst relativePath = relativePathForRoot(normalizedInputPath, match.matchedRoot);\n\tif (relativePath === '' && !match.root.rootPathAllowed) {\n\t\treturn errorResult({\n\t\t\tcode: 'root-path-not-allowed',\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${normalizedInputPath}' matched ${match.root.guidanceLabel}, but the root itself is not allowed for ${input.purpose}.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tif (!match.root.capabilities[input.purpose]) {\n\t\treturn errorResult({\n\t\t\tcode: 'purpose-not-allowed',\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tmapping: input.mapping,\n\t\t\tmessage: `Path '${normalizedInputPath}' matched ${match.root.guidanceLabel} but cannot be used for ${input.purpose}.`,\n\t\t\tpurpose: input.purpose,\n\t\t});\n\t}\n\tconst guestRoot =\n\t\tmatch.root.guestRoot === undefined ? undefined : normalizeRoot(match.root.guestRoot);\n\tlet hostRoot: string | undefined;\n\tif (isHostRealfsRootMapping(match.root)) {\n\t\thostRoot = normalizeRoot(match.root.hostRoot);\n\t}\n\tif (hostRoot === undefined) {\n\t\tif (guestRoot === undefined) {\n\t\t\treturn errorResult({\n\t\t\t\tcode: 'invalid-runtime-root',\n\t\t\t\tinputPath: normalizedInputPath,\n\t\t\t\tmapping: input.mapping,\n\t\t\t\tmessage: `Runtime path root '${match.root.id}' has no guest path.`,\n\t\t\t\tpurpose: input.purpose,\n\t\t\t});\n\t\t}\n\t\treturn {\n\t\t\tok: true,\n\t\t\tvalue: {\n\t\t\t\tbacking: match.root.backing,\n\t\t\t\tcapabilities: match.root.capabilities,\n\t\t\t\tguestPath: joinRootAndRelative(guestRoot, relativePath),\n\t\t\t\tguestRoot,\n\t\t\t\thasHostBacking: false,\n\t\t\t\tinputNamespace: match.inputNamespace,\n\t\t\t\tinputPath: normalizedInputPath,\n\t\t\t\tkind: 'guest-only',\n\t\t\t\tmappingId: input.mapping.id,\n\t\t\t\trelativePath,\n\t\t\t\trootId: match.root.id,\n\t\t\t},\n\t\t};\n\t}\n\treturn {\n\t\tok: true,\n\t\tvalue: {\n\t\t\tbacking: match.root.backing,\n\t\t\tcapabilities: match.root.capabilities,\n\t\t\t...(guestRoot !== undefined\n\t\t\t\t? { guestPath: joinRootAndRelative(guestRoot, relativePath) }\n\t\t\t\t: {}),\n\t\t\t...(guestRoot !== undefined ? { guestRoot } : {}),\n\t\t\thasHostBacking: true,\n\t\t\thostPath: joinRootAndRelative(hostRoot, relativePath),\n\t\t\thostRoot,\n\t\t\tinputNamespace: match.inputNamespace,\n\t\t\tinputPath: normalizedInputPath,\n\t\t\tkind: 'host-backed',\n\t\t\tmappingId: input.mapping.id,\n\t\t\trelativePath,\n\t\t\trootId: match.root.id,\n\t\t},\n\t};\n}\n","import { v7 as uuidv7, validate as validateUuid, version as uuidVersion } from 'uuid';\n\ndeclare const toolVmLeaseIdBrand: unique symbol;\n\nexport type ToolVmLeaseId = string & {\n\treadonly [toolVmLeaseIdBrand]: true;\n};\n\nexport function createToolVmLeaseId(): ToolVmLeaseId {\n\treturn parseToolVmLeaseId(uuidv7());\n}\n\nexport function isToolVmLeaseId(value: unknown): value is ToolVmLeaseId {\n\treturn typeof value === 'string' && validateUuid(value) && uuidVersion(value) === 7;\n}\n\nexport function parseToolVmLeaseId(value: unknown): ToolVmLeaseId {\n\tif (isToolVmLeaseId(value)) {\n\t\treturn value;\n\t}\n\tthrow new TypeError('Tool VM lease id must be an opaque UUIDv7 string.');\n}\n","const VM_SSH_PUBLIC_ENDPOINT_KEYS = new Set(['host', 'port', 'user']);\n\n/**\n * Small host-issued capability envelope shared by VM-backed transports. The\n * transport tag keeps SSH Tool VM leases distinct from future host-side\n * Gondolin RPC or bridge capabilities without inventing a transport object.\n */\nexport interface VmCapabilityLease<TTransport extends string> {\n\treadonly leaseId: string;\n\treadonly transport: TTransport;\n}\n\nexport interface VmSshEndpoint {\n\treadonly host: string;\n\treadonly identityPem: string;\n\treadonly knownHostsLine: string;\n\treadonly port: number;\n\treadonly user: string;\n}\n\nexport interface VmSshPublicEndpoint {\n\treadonly host: string;\n\treadonly port: number;\n\treadonly user: string;\n}\n\nexport interface VmSshLease<TTransport extends string> extends VmCapabilityLease<TTransport> {\n\treadonly ssh: VmSshEndpoint;\n}\n\nfunction objectValue(value: unknown): object | undefined {\n\treturn typeof value === 'object' && value !== null ? value : undefined;\n}\n\nfunction isNonEmptyString(value: unknown): value is string {\n\treturn typeof value === 'string' && value.trim().length > 0;\n}\n\nexport function isVmCapabilityLease<TTransport extends string>(\n\tvalue: unknown,\n\ttransport: TTransport,\n): value is VmCapabilityLease<TTransport> {\n\tconst record = objectValue(value);\n\treturn (\n\t\trecord !== undefined &&\n\t\ttypeof Reflect.get(record, 'leaseId') === 'string' &&\n\t\tReflect.get(record, 'transport') === transport\n\t);\n}\n\nexport function isVmSshEndpoint(value: unknown): value is VmSshEndpoint {\n\tconst record = objectValue(value);\n\treturn (\n\t\trecord !== undefined &&\n\t\ttypeof Reflect.get(record, 'host') === 'string' &&\n\t\tisNonEmptyString(Reflect.get(record, 'identityPem')) &&\n\t\ttypeof Reflect.get(record, 'knownHostsLine') === 'string' &&\n\t\ttypeof Reflect.get(record, 'port') === 'number' &&\n\t\ttypeof Reflect.get(record, 'user') === 'string'\n\t);\n}\n\nexport function isVmSshPublicEndpoint(value: unknown): value is VmSshPublicEndpoint {\n\tconst record = objectValue(value);\n\tif (record === undefined) {\n\t\treturn false;\n\t}\n\tfor (const key of Object.keys(record)) {\n\t\tif (!VM_SSH_PUBLIC_ENDPOINT_KEYS.has(key)) {\n\t\t\treturn false;\n\t\t}\n\t}\n\treturn (\n\t\ttypeof Reflect.get(record, 'host') === 'string' &&\n\t\ttypeof Reflect.get(record, 'port') === 'number' &&\n\t\ttypeof Reflect.get(record, 'user') === 'string'\n\t);\n}\n","import { isToolVmLeaseId, type ToolVmLeaseId } from './tool-vm-lease-id.js';\nimport {\n\tisVmCapabilityLease,\n\tisVmSshEndpoint,\n\tisVmSshPublicEndpoint,\n\ttype VmCapabilityLease,\n\ttype VmSshLease,\n\ttype VmSshPublicEndpoint,\n} from './vm-capability-lease.js';\n\nexport interface ToolVmSshLease extends VmSshLease<'ssh-sandbox'> {\n\treadonly agentId: string;\n\treadonly idleTtlMs: number;\n\treadonly leaseId: ToolVmLeaseId;\n\treadonly tcpSlot: number;\n\treadonly workdir: string;\n}\n\nexport interface ToolVmLeasePeek extends VmCapabilityLease<'ssh-sandbox'> {\n\treadonly agentId: string;\n\treadonly createdAt: number;\n\treadonly idleTtlMs: number;\n\treadonly lastUsedAt: number;\n\treadonly leaseId: ToolVmLeaseId;\n\treadonly profileId: string;\n\treadonly ssh: VmSshPublicEndpoint;\n\treadonly tcpSlot: number;\n\treadonly workdir: string;\n\treadonly zoneId: string;\n}\n\nfunction objectValue(value: unknown): object | undefined {\n\treturn typeof value === 'object' && value !== null ? value : undefined;\n}\n\nconst deprecatedScopeKeyPropertyName = ['scope', 'Key'].join('');\n\nexport function isToolVmSshLease(value: unknown): value is ToolVmSshLease {\n\tconst record = objectValue(value);\n\treturn (\n\t\tisVmCapabilityLease(record, 'ssh-sandbox') &&\n\t\tisToolVmLeaseId(Reflect.get(record, 'leaseId')) &&\n\t\tisVmSshEndpoint(Reflect.get(record, 'ssh')) &&\n\t\ttypeof Reflect.get(record, 'agentId') === 'string' &&\n\t\ttypeof Reflect.get(record, 'idleTtlMs') === 'number' &&\n\t\ttypeof Reflect.get(record, 'tcpSlot') === 'number' &&\n\t\ttypeof Reflect.get(record, 'workdir') === 'string' &&\n\t\t!Reflect.has(record, deprecatedScopeKeyPropertyName)\n\t);\n}\n\nexport function isToolVmLeasePeek(value: unknown): value is ToolVmLeasePeek {\n\tconst record = objectValue(value);\n\treturn (\n\t\tisVmCapabilityLease(record, 'ssh-sandbox') &&\n\t\tisToolVmLeaseId(Reflect.get(record, 'leaseId')) &&\n\t\ttypeof Reflect.get(record, 'agentId') === 'string' &&\n\t\ttypeof Reflect.get(record, 'createdAt') === 'number' &&\n\t\ttypeof Reflect.get(record, 'idleTtlMs') === 'number' &&\n\t\ttypeof Reflect.get(record, 'lastUsedAt') === 'number' &&\n\t\ttypeof Reflect.get(record, 'profileId') === 'string' &&\n\t\tisVmSshPublicEndpoint(Reflect.get(record, 'ssh')) &&\n\t\ttypeof Reflect.get(record, 'tcpSlot') === 'number' &&\n\t\ttypeof Reflect.get(record, 'workdir') === 'string' &&\n\t\ttypeof Reflect.get(record, 'zoneId') === 'string' &&\n\t\t!Reflect.has(record, deprecatedScopeKeyPropertyName)\n\t);\n}\n"],"mappings":";;AAAA,MAAa,oBAAoB,CAAC,YAAY,SAAS;AAIvD,SAAgB,yBAAyB,kBAA0B,QAAwB;CAC1F,OAAO,GAAG,iBAAiB,GAAG,OAAO;;AAGtC,SAAgB,sBACf,kBACA,QACA,SACS;CACT,OAAO,GAAG,iBAAiB,GAAG,OAAO,QAAQ;;;;ACb9C,MAAa,mBAAmB;CAAC;CAAW;CAAW;CAAO;AAU9D,MAAa,mBAAmB;AAEhC,SAAgB,gBACf,gBACA,iBACU;CACV,OAAO,mBAAmB,mBAAmB,mBAAmB;;AAGjE,SAAgB,uBACf,aACA,iBACoB;CACpB,OAAO,YACL,QAAQ,eAAe,gBAAgB,WAAW,UAAU,gBAAgB,CAAC,CAC7E,KAAK,eAAe,WAAW,KAAK;;AAGvC,SAAgB,sBAAsB,aAA6D;CAClG,OAAO,MAAM,KAAK,IAAI,IAAI,CAAC,kBAAkB,GAAG,uBAAuB,aAAa,UAAU,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACMlG,MAAa,iCACZ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BD,SAAgB,mBAAmB,WAAuC;CACzE,MAAM,UAAU,WAAW,MAAM,IAAI;CACrC,IAAI,YAAY,IACf,OAAO;CAER,OAAO,GAAG,+BAA+B,GAAG;;;;AChD7C,SAAgB,gCACf,eACA,iBACA,SAC6B;CAC7B,MAAM,qBAA6C,EAAE;CACrD,MAAM,kBAAsD,EAAE;CAC9D,MAAM,YAAY,QAAQ,aAAa;CAEvC,KAAK,MAAM,CAAC,YAAY,gBAAgB,OAAO,QAAQ,gBAAgB,EAAE;EACxE,MAAM,eAAe,cAAc;EACnC,IAAI,CAAC,cACJ,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,mDACrC;EAEF,IAAI,CAAC,gBAAgB,aAAa,UAAU,QAAQ,SAAS,EAC5D;EAGD,IAAI,aAAa,cAAc,kBAAkB;GAChD,IAAI,aAAa,MAAM,WAAW,GACjC,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,8CACrC;GAEF,gBAAgB,cAAc;IAC7B,OAAO,CAAC,GAAG,aAAa,MAAM;IAC9B,OAAO;IACP;GACD;;EAGD,MAAM,oBAAqB,aAA+C;EAC1E,IAAI,sBAAsB,WACzB,MAAM,IAAI,MACT,IAAI,UAAU,YAAY,WAAW,kDAAkD,kBAAkB,IACzG;EAEF,IAAI,QAAQ,aAAa,WACxB,mBAAmB,cAAc;;CAInC,OAAO;EAAE;EAAoB;EAAiB;;AAK/C,SAAgB,4BACf,MACA,iBACoC;CACpC,OAAO,gCAAgC,KAAK,SAAS,iBAAiB;EACrE,UAAU;EACV,WAAW;EACX,CAAC;;AAGH,SAAS,+BACR,YACA,QACA,aACA,aACA,WACO;CACP,IAAI,YAAY,IAAI,WAAW,EAC9B,MAAM,IAAI,MACT,IAAI,UAAU,4BAA4B,WAAW,kEACrD;CAEF,IAAI,cAAc,YAAY,oBAC7B,MAAM,IAAI,MACT,IAAI,UAAU,oBAAoB,OAAO,WAAW,WAAW,mDAC/D;CAEF,IAAI,cAAc,YAAY,iBAC7B,MAAM,IAAI,MACT,IAAI,UAAU,oBAAoB,OAAO,WAAW,WAAW,sDAC/D;CAEF,YAAY,IAAI,WAAW;;AAG5B,SAAgB,2BACf,aACA,UAA6C,EAAE,EAClB;CAC7B,MAAM,YAAY,QAAQ,aAAa;CACvC,MAAM,8BAAc,IAAI,KAAa;CACrC,KAAK,MAAM,cAAc,OAAO,KAAK,QAAQ,sBAAsB,EAAE,CAAC,EACrE,+BAA+B,YAAY,eAAe,aAAa,aAAa,UAAU;CAE/F,KAAK,MAAM,cAAc,OAAO,KAAK,QAAQ,0BAA0B,EAAE,CAAC,EACzE,+BACC,YACA,kBACA,aACA,aACA,UACA;CAGF,OAAO;EACN,oBAAoB;GACnB,GAAG,YAAY;GACf,GAAG,QAAQ;GACX;EACD,iBAAiB;GAChB,GAAG,YAAY;GACf,GAAG,QAAQ;GACX;EACD;;;;AC9BF,MAAM,gCAAgC,MAAU,KAAK;AAErD,SAAS,cAAc,QAIZ;CACV,IAAI,OAAO,eAAe,GACzB,OAAO,OAAO;CAEf,MAAM,WAAW,OAAO,UAAU,OAAO;CAEzC,MAAM,aADQ,OAAO,UAAU,WACJ,OAAO,QAAQ,GAAG,WAAW;CACxD,OAAO,KAAK,IAAI,GAAG,KAAK,MAAM,WAAW,CAAC;;AAG3C,SAAgB,0BAAkC;CACjD,OAAOA,IAAQ;;AAGhB,SAAgB,oBAAoB,OAAwB;CAC3D,OAAOC,SAAa,MAAM,IAAIC,QAAY,MAAM,KAAK;;AAGtD,eAAsB,4BACrB,SACiC;CACjC,MAAM,QAAQ,yBAAyB;CACvC,MAAM,aAAa,MAAM,QAAQ,eAAe;EAC/C,GAAI,QAAQ,cAAc,EAAE,aAAa,QAAQ,aAAa,GAAG,EAAE;EACnE;EACA,CAAC;CACF,MAAM,iBAAiB,QAAQ,kBAAkB;CACjD,MAAM,mBAAmB,QAAQ,oBAAoB;CACrD,MAAM,MAAM,QAAQ,WAAW,KAAK;CACpC,MAAM,YAAY,KAAK;CACvB,MAAM,yBAAyB,QAAQ,0BAA0B;CACjE,MAAM,uBAAuB,QAAQ,wBAAwB;CAC7D,MAAM,SAAS,QAAQ,cAAc,KAAK;CAC1C,MAAM,2BAA2B,IAAI,iBAAiB;CACtD,IAAI,QAAQ;CACZ,IAAI;CACJ,IAAI;CAEJ,MAAM,4BAAkC;EACvC,IAAI,gBAAgB;GACnB,iBAAiB,eAAe;GAChC,iBAAiB,KAAA;;;CAInB,MAAM,qBAAqB,YAA0B;EACpD,IAAI,KAAK,GAAG,aAAa,wBACxB;EAED,qBAAqB;EACrB,iBAAiB,qBACV;GACL,IAAI,KAAK,GAAG,aAAa,wBACxB;GAED,MAAM,mBACL,iBAAiB,KAAA,IAAY,EAAE,GAAG,EAAE,QAAQ,cAAc;GAC3D,QACE,mBAAmB,WAAW,OAAO,iBAAiB,CACtD,MAAM,cAAc;IACpB,IAAI,CAAC,OACJ,kBAAkB,UAAU,iBAAiB;KAE7C,CACD,OAAO,UAAmB;IAC1B,QAAQ,sBAAsB,MAAM;IACpC,IACC,QAAQ,8BAA8B,MAAM,KAAK,QACjD,QAAQ,+BACP;KACD,yBAAyB,MAAM,MAAM;KACrC,QAAQ;KACR,qBAAqB;KACrB,QAAa,8BAA8B,MAAM,CAAC,OAAO,eAAwB;MAChF,QAAQ,sBAAsB,WAAW;OACxC;KACF;;IAED,IAAI,CAAC,OACJ,kBAAkB,WAAW,iBAAiB;KAE9C;KAEJ,cAAc;GAAE;GAAS,aAAa;GAAsB;GAAQ,CAAC,CACrE;;CAGF,kBAAkB,WAAW,iBAAiB;CAE9C,MAAM,MAAM,OAAO,UAAkC,gBAA+B;EACnF,IAAI,OACH;EAED,QAAQ;EACR,qBAAqB;EACrB,IAAI;GACH,MAAM,QAAQ,aAAa,WAAW,OAAO;IAC5C;IACA,GAAI,iBAAiB,KAAA,IAAY,EAAE,GAAG,EAAE,QAAQ,cAAc;IAC9D,CAAC;WACM,OAAO;GACf,IAAI,QAAQ,sBAAsB,MAAM,KAAK,MAAM;IAClD,QAAQ,gBAAgB,MAAM;IAC9B;;GAED,MAAM;;;CAIR,OAAO;EACN,QAAQ,yBAAyB;EACjC,OAAO,WAAW;EAClB,SAAS;EACT;EACA,SAAS,WAAiB;GACzB,IAAI,OACH;GAED,eAAe;;EAEhB;;;;ACvOF,MAAa,+BAA+B;AAC5C,MAAa,6BAA6B;AAC1C,MAAa,yBAAyB;AACtC,MAAa,mCAAmC,GAAG,uBAAuB;AA0C1E,SAAS,wBACR,MACkG;CAClG,OAAO,KAAK,QAAQ,SAAS;;AA4E9B,SAAS,4BAA4B,WAA4B;CAChE,OAAO,UAAU,MAAM,OAAO,CAAC,SAAS,KAAK;;AAG9C,SAAS,sBAAsB,WAA2B;CAEzD,OAAO,IADa,UAAU,MAAM,IAAI,CAAC,QAAQ,YAAY,YAAY,MAAM,YAAY,IACrE,CAAC,KAAK,IAAI;;AAGjC,SAAS,cAAc,UAA0B;CAChD,MAAM,iBAAiB,sBAAsB,SAAS;CACtD,OAAO,mBAAmB,MAAM,iBAAiB,eAAe,QAAQ,SAAS,GAAG;;AAGrF,SAAS,gBAAgB,eAAuB,UAA2B;CAC1E,OAAO,kBAAkB,YAAY,cAAc,WAAW,GAAG,SAAS,GAAG;;AAG9E,SAAS,oBAAoB,eAAuB,UAA0B;CAC7E,OAAO,kBAAkB,WAAW,KAAK,cAAc,MAAM,SAAS,SAAS,EAAE;;AAGlF,SAAS,oBAAoB,UAAkB,cAA8B;CAC5E,OAAO,iBAAiB,KAAK,WAAW,GAAG,SAAS,GAAG;;AAGxD,SAAS,2BACR,SACA,SACoB;CACpB,OAAO,QAAQ,MAAM,SAAS,SAAS;EACtC,IAAI,CAAC,KAAK,aAAa,UACtB,OAAO,EAAE;EAEV,MAAM,SAAS,KAAK,kBAAkB,eAAe;EAOrD,OAAO,CALN,KAAK,WACL,KAAK,QAAQ,SAAS,iBAAiB,KAAK,2BAA2B,QACpE,KAAK,WACL,KAAA,EAEY,CACd,QAAQ,UAA2B,UAAU,KAAA,EAAU,CACvD,KAAK,UAAU,GAAG,cAAc,MAAM,GAAG,SAAS;GACnD;;AAGH,SAAS,wBAAwB,SAA6B,SAAqC;CAClG,OAAO,yCAAyC,QAAQ,GAAG,GAAG,QAAQ,IAAI,2BAA2B,SAAS,QAAQ,CAAC,KAAK,KAAK,CAAC;;AAGnI,SAAS,YAAY,QAMU;CAC9B,OAAO;EACN,OAAO;GACN,kBAAkB,2BAA2B,OAAO,SAAS,OAAO,QAAQ;GAC5E,MAAM,OAAO;GACb,WAAW,OAAO;GAClB,WAAW,OAAO,QAAQ;GAC1B,SAAS,OAAO;GAChB,SAAS,OAAO;GAChB,eAAe,wBAAwB,OAAO,SAAS,OAAO,QAAQ;GACtE;EACD,IAAI;EACJ;;AAGF,SAAS,kBAAkB,QAGU;CAgBpC,OAfgB,OAAO,QAAQ,MAAM,SAAS,SAAiC;EAC9E,MAAM,YAAY,KAAK,cAAc,KAAA,IAAY,KAAA,IAAY,cAAc,KAAK,UAAU;EAC1F,IAAI;EACJ,IAAI,wBAAwB,KAAK,EAChC,WAAW,cAAc,KAAK,SAAS;EAExC,MAAM,cAAsC,EAAE;EAC9C,IAAI,cAAc,KAAA,KAAa,gBAAgB,OAAO,WAAW,UAAU,EAC1E,YAAY,KAAK;GAAE,gBAAgB;GAAS,aAAa;GAAW;GAAM,CAAC;EAE5E,IAAI,aAAa,KAAA,KAAa,gBAAgB,OAAO,WAAW,SAAS,EACxE,YAAY,KAAK;GAAE,gBAAgB;GAAQ,aAAa;GAAU;GAAM,CAAC;EAE1E,OAAO;GAEM,CAAC,UAAU,MAAM,UAAU,MAAM,YAAY,SAAS,KAAK,YAAY,OAAO,CAAC;;AAG9F,SAAgB,qBAAqB,OAA8D;CAClG,IAAI,CAAC,MAAM,UAAU,WAAW,IAAI,EACnC,OAAO,YAAY;EAClB,MAAM;EACN,WAAW,MAAM;EACjB,SAAS,MAAM;EACf,SAAS,SAAS,MAAM,UAAU;EAClC,SAAS,MAAM;EACf,CAAC;CAEH,IAAI,4BAA4B,MAAM,UAAU,EAC/C,OAAO,YAAY;EAClB,MAAM;EACN,WAAW,MAAM;EACjB,SAAS,MAAM;EACf,SAAS,SAAS,MAAM,UAAU;EAClC,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,sBAAsB,sBAAsB,MAAM,UAAU;CAClE,MAAM,QAAQ,kBAAkB;EAC/B,WAAW;EACX,SAAS,MAAM;EACf,CAAC;CACF,IAAI,UAAU,KAAA,GACb,OAAO,YAAY;EAClB,MAAM;EACN,WAAW;EACX,SAAS,MAAM;EACf,SAAS,SAAS,oBAAoB,yCAAyC,MAAM,QAAQ,GAAG;EAChG,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,eAAe,oBAAoB,qBAAqB,MAAM,YAAY;CAChF,IAAI,iBAAiB,MAAM,CAAC,MAAM,KAAK,iBACtC,OAAO,YAAY;EAClB,MAAM;EACN,WAAW;EACX,SAAS,MAAM;EACf,SAAS,SAAS,oBAAoB,YAAY,MAAM,KAAK,cAAc,2CAA2C,MAAM,QAAQ;EACpI,SAAS,MAAM;EACf,CAAC;CAEH,IAAI,CAAC,MAAM,KAAK,aAAa,MAAM,UAClC,OAAO,YAAY;EAClB,MAAM;EACN,WAAW;EACX,SAAS,MAAM;EACf,SAAS,SAAS,oBAAoB,YAAY,MAAM,KAAK,cAAc,0BAA0B,MAAM,QAAQ;EACnH,SAAS,MAAM;EACf,CAAC;CAEH,MAAM,YACL,MAAM,KAAK,cAAc,KAAA,IAAY,KAAA,IAAY,cAAc,MAAM,KAAK,UAAU;CACrF,IAAI;CACJ,IAAI,wBAAwB,MAAM,KAAK,EACtC,WAAW,cAAc,MAAM,KAAK,SAAS;CAE9C,IAAI,aAAa,KAAA,GAAW;EAC3B,IAAI,cAAc,KAAA,GACjB,OAAO,YAAY;GAClB,MAAM;GACN,WAAW;GACX,SAAS,MAAM;GACf,SAAS,sBAAsB,MAAM,KAAK,GAAG;GAC7C,SAAS,MAAM;GACf,CAAC;EAEH,OAAO;GACN,IAAI;GACJ,OAAO;IACN,SAAS,MAAM,KAAK;IACpB,cAAc,MAAM,KAAK;IACzB,WAAW,oBAAoB,WAAW,aAAa;IACvD;IACA,gBAAgB;IAChB,gBAAgB,MAAM;IACtB,WAAW;IACX,MAAM;IACN,WAAW,MAAM,QAAQ;IACzB;IACA,QAAQ,MAAM,KAAK;IACnB;GACD;;CAEF,OAAO;EACN,IAAI;EACJ,OAAO;GACN,SAAS,MAAM,KAAK;GACpB,cAAc,MAAM,KAAK;GACzB,GAAI,cAAc,KAAA,IACf,EAAE,WAAW,oBAAoB,WAAW,aAAa,EAAE,GAC3D,EAAE;GACL,GAAI,cAAc,KAAA,IAAY,EAAE,WAAW,GAAG,EAAE;GAChD,gBAAgB;GAChB,UAAU,oBAAoB,UAAU,aAAa;GACrD;GACA,gBAAgB,MAAM;GACtB,WAAW;GACX,MAAM;GACN,WAAW,MAAM,QAAQ;GACzB;GACA,QAAQ,MAAM,KAAK;GACnB;EACD;;;;AC1TF,SAAgB,sBAAqC;CACpD,OAAO,mBAAmBC,IAAQ,CAAC;;AAGpC,SAAgB,gBAAgB,OAAwC;CACvE,OAAO,OAAO,UAAU,YAAYC,SAAa,MAAM,IAAIC,QAAY,MAAM,KAAK;;AAGnF,SAAgB,mBAAmB,OAA+B;CACjE,IAAI,gBAAgB,MAAM,EACzB,OAAO;CAER,MAAM,IAAI,UAAU,oDAAoD;;;;ACpBzE,MAAM,8BAA8B,IAAI,IAAI;CAAC;CAAQ;CAAQ;CAAO,CAAC;AA8BrE,SAASC,cAAY,OAAoC;CACxD,OAAO,OAAO,UAAU,YAAY,UAAU,OAAO,QAAQ,KAAA;;AAG9D,SAAS,iBAAiB,OAAiC;CAC1D,OAAO,OAAO,UAAU,YAAY,MAAM,MAAM,CAAC,SAAS;;AAG3D,SAAgB,oBACf,OACA,WACyC;CACzC,MAAM,SAASA,cAAY,MAAM;CACjC,OACC,WAAW,KAAA,KACX,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,QAAQ,IAAI,QAAQ,YAAY,KAAK;;AAIvC,SAAgB,gBAAgB,OAAwC;CACvE,MAAM,SAASA,cAAY,MAAM;CACjC,OACC,WAAW,KAAA,KACX,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,iBAAiB,QAAQ,IAAI,QAAQ,cAAc,CAAC,IACpD,OAAO,QAAQ,IAAI,QAAQ,iBAAiB,KAAK,YACjD,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK;;AAIzC,SAAgB,sBAAsB,OAA8C;CACnF,MAAM,SAASA,cAAY,MAAM;CACjC,IAAI,WAAW,KAAA,GACd,OAAO;CAER,KAAK,MAAM,OAAO,OAAO,KAAK,OAAO,EACpC,IAAI,CAAC,4BAA4B,IAAI,IAAI,EACxC,OAAO;CAGT,OACC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK,YACvC,OAAO,QAAQ,IAAI,QAAQ,OAAO,KAAK;;;;AC5CzC,SAAS,YAAY,OAAoC;CACxD,OAAO,OAAO,UAAU,YAAY,UAAU,OAAO,QAAQ,KAAA;;AAG9D,MAAM,iCAAiC,CAAC,SAAS,MAAM,CAAC,KAAK,GAAG;AAEhE,SAAgB,iBAAiB,OAAyC;CACzE,MAAM,SAAS,YAAY,MAAM;CACjC,OACC,oBAAoB,QAAQ,cAAc,IAC1C,gBAAgB,QAAQ,IAAI,QAAQ,UAAU,CAAC,IAC/C,gBAAgB,QAAQ,IAAI,QAAQ,MAAM,CAAC,IAC3C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,CAAC,QAAQ,IAAI,QAAQ,+BAA+B;;AAItD,SAAgB,kBAAkB,OAA0C;CAC3E,MAAM,SAAS,YAAY,MAAM;CACjC,OACC,oBAAoB,QAAQ,cAAc,IAC1C,gBAAgB,QAAQ,IAAI,QAAQ,UAAU,CAAC,IAC/C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,OAAO,QAAQ,IAAI,QAAQ,aAAa,KAAK,YAC7C,OAAO,QAAQ,IAAI,QAAQ,YAAY,KAAK,YAC5C,sBAAsB,QAAQ,IAAI,QAAQ,MAAM,CAAC,IACjD,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,UAAU,KAAK,YAC1C,OAAO,QAAQ,IAAI,QAAQ,SAAS,KAAK,YACzC,CAAC,QAAQ,IAAI,QAAQ,+BAA+B"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@agent-vm/gateway-interface",
3
- "version": "0.0.80",
3
+ "version": "0.0.82",
4
4
  "description": "Shared TypeScript interfaces for VM gateway lifecycles, VmSpec, and ProcessSpec.",
5
5
  "homepage": "https://github.com/ShravanSunder/agent-vm#readme",
6
6
  "bugs": {
@@ -30,8 +30,8 @@
30
30
  },
31
31
  "dependencies": {
32
32
  "uuid": "^11.1.1",
33
- "@agent-vm/secret-management": "0.0.80",
34
- "@agent-vm/gondolin-adapter": "0.0.80"
33
+ "@agent-vm/gondolin-adapter": "0.0.82",
34
+ "@agent-vm/secret-management": "0.0.82"
35
35
  },
36
36
  "scripts": {
37
37
  "build": "tsdown",