@agentstep/agent-sdk 0.4.16 → 0.4.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (72) hide show
  1. package/dist/{chunk-BYWW5GFO.js → chunk-4JFYFZEM.js} +1 -1
  2. package/dist/{chunk-W5KXLYJH.js → chunk-4KBTQKWW.js} +2 -2
  3. package/dist/{chunk-TOKLTGSO.js → chunk-5R7FFW3Q.js} +1 -1
  4. package/dist/{chunk-U6GNZJGO.js → chunk-BOV4Y6OS.js} +1 -1
  5. package/dist/{chunk-SMKHXHLP.js → chunk-BZ6V7COK.js} +1 -1
  6. package/dist/{chunk-DHSSHDIG.js → chunk-D2TRWKVQ.js} +2 -2
  7. package/dist/{chunk-LJL3DM2L.js → chunk-DNVTIB2H.js} +1 -1
  8. package/dist/{chunk-JNQLE5D7.js → chunk-FLSWLEC3.js} +1 -1
  9. package/dist/{chunk-PNYCULIF.js → chunk-G5CIMVGV.js} +1 -1
  10. package/dist/{chunk-EUUDZGUE.js → chunk-GBLHY2GY.js} +1 -1
  11. package/dist/{chunk-QDOCVDWJ.js → chunk-HM2NHQ5J.js} +1 -1
  12. package/dist/{chunk-RZMR6H5Y.js → chunk-IXJCHHQC.js} +1 -1
  13. package/dist/{chunk-6RRYNQXP.js → chunk-J77TSQVL.js} +1 -1
  14. package/dist/{chunk-XQA62XTJ.js → chunk-JKV2PP4K.js} +1 -1
  15. package/dist/{chunk-WWYVMGRP.js → chunk-JQBZ2X6N.js} +1 -1
  16. package/dist/{chunk-HJGUG7IH.js → chunk-L3RYJ2HX.js} +19 -6
  17. package/dist/{chunk-FCCWKCGQ.js → chunk-LPLBLYVQ.js} +1 -1
  18. package/dist/{chunk-IHMQQ43E.js → chunk-LS3QPECW.js} +1 -1
  19. package/dist/{chunk-K62YRMVY.js → chunk-M5YT2IM2.js} +2 -2
  20. package/dist/{chunk-TPAHUFSM.js → chunk-N4JBNOB4.js} +1 -1
  21. package/dist/{chunk-LRPU2HS5.js → chunk-NNJ3QFTU.js} +1 -1
  22. package/dist/{chunk-UYNE3WPU.js → chunk-O7NQK4ZO.js} +1 -1
  23. package/dist/{chunk-OWTXN2FU.js → chunk-OXWELRJL.js} +17 -12
  24. package/dist/{chunk-ECRLACEF.js → chunk-Q336Y6X2.js} +1 -1
  25. package/dist/{chunk-QOJMXK4S.js → chunk-RDGOGAQ5.js} +1 -1
  26. package/dist/{chunk-MD4BZGMS.js → chunk-RE6QJXWV.js} +1 -1
  27. package/dist/{chunk-C4IHTLG2.js → chunk-RMN5HYVC.js} +4 -4
  28. package/dist/{chunk-L4T7KCQ2.js → chunk-RZQUEFR3.js} +1 -1
  29. package/dist/{chunk-S6AM7WVH.js → chunk-U7GILP6F.js} +1 -1
  30. package/dist/{chunk-MA7IO6RU.js → chunk-UZHUG6CQ.js} +1 -1
  31. package/dist/{chunk-OFLYKESG.js → chunk-XK3VIZA2.js} +1 -1
  32. package/dist/{chunk-TKV7CFAM.js → chunk-Z2C4OC6I.js} +1 -1
  33. package/dist/{chunk-JOAEFGXZ.js → chunk-ZMCS7MYZ.js} +12 -8
  34. package/dist/{chunk-7CADMELE.js → chunk-ZMV2QI3Q.js} +2 -2
  35. package/dist/containers/lifecycle.js +5 -3
  36. package/dist/handlers/agents.js +7 -7
  37. package/dist/handlers/api_keys.js +7 -7
  38. package/dist/handlers/audit.js +7 -7
  39. package/dist/handlers/batch.js +7 -7
  40. package/dist/handlers/credentials.js +8 -8
  41. package/dist/handlers/environments.js +7 -7
  42. package/dist/handlers/events.js +7 -7
  43. package/dist/handlers/files.js +7 -7
  44. package/dist/handlers/index.js +34 -34
  45. package/dist/handlers/license.js +7 -7
  46. package/dist/handlers/memory.js +7 -7
  47. package/dist/handlers/metrics.js +7 -7
  48. package/dist/handlers/models.js +7 -7
  49. package/dist/handlers/openapi.js +3 -3
  50. package/dist/handlers/providers.js +7 -7
  51. package/dist/handlers/resources.js +7 -7
  52. package/dist/handlers/sessions.js +7 -7
  53. package/dist/handlers/settings.js +7 -7
  54. package/dist/handlers/skills-write.js +7 -7
  55. package/dist/handlers/skills.js +7 -7
  56. package/dist/handlers/stream.js +6 -6
  57. package/dist/handlers/tenants.js +7 -7
  58. package/dist/handlers/threads.js +7 -7
  59. package/dist/handlers/traces.js +7 -7
  60. package/dist/handlers/upstream_keys.js +7 -7
  61. package/dist/handlers/vaults.js +7 -7
  62. package/dist/handlers/whoami.js +7 -7
  63. package/dist/http.js +6 -6
  64. package/dist/index.js +8 -8
  65. package/dist/init.js +5 -5
  66. package/dist/openapi/schemas.js +1 -1
  67. package/dist/openapi/spec.js +2 -2
  68. package/dist/sessions/driver.js +2 -2
  69. package/dist/sessions/sweeper.js +2 -2
  70. package/dist/sessions/threads.js +2 -2
  71. package/dist/shutdown.js +3 -3
  72. package/package.json +2 -2
package/dist/{chunk-BYWW5GFO.js → chunk-4JFYFZEM.js} RENAMED
@@ -18,7 +18,7 @@ import {
18
18
  import {
19
19
  jsonOk,
20
20
  routeWrap
21
- } from "./chunk-LJL3DM2L.js";
21
+ } from "./chunk-DNVTIB2H.js";
22
22
  import {
23
23
  getDb,
24
24
  init_client
package/dist/{chunk-W5KXLYJH.js → chunk-4KBTQKWW.js} RENAMED
@@ -24,7 +24,7 @@ import {
24
24
  import {
25
25
  jsonOk,
26
26
  routeWrap
27
- } from "./chunk-LJL3DM2L.js";
27
+ } from "./chunk-DNVTIB2H.js";
28
28
  import {
29
29
  forwardToAnthropic
30
30
  } from "./chunk-QLWA4MJ5.js";
@@ -34,7 +34,7 @@ import {
34
34
  import {
35
35
  runTurn,
36
36
  writePermissionResponse
37
- } from "./chunk-HJGUG7IH.js";
37
+ } from "./chunk-L3RYJ2HX.js";
38
38
  import {
39
39
  getProxiedTenantId,
40
40
  isProxied
package/dist/{chunk-TOKLTGSO.js → chunk-5R7FFW3Q.js} RENAMED
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  jsonOk,
3
3
  routeWrap
4
- } from "./chunk-LJL3DM2L.js";
4
+ } from "./chunk-DNVTIB2H.js";
5
5
 
6
6
  // src/handlers/whoami.ts
7
7
  function handleWhoami(request) {
package/dist/{chunk-U6GNZJGO.js → chunk-BOV4Y6OS.js} RENAMED
@@ -12,7 +12,7 @@ import {
12
12
  } from "./chunk-QLWA4MJ5.js";
13
13
  import {
14
14
  ensureInitialized
15
- } from "./chunk-C4IHTLG2.js";
15
+ } from "./chunk-RMN5HYVC.js";
16
16
  import {
17
17
  getProxiedTenantId,
18
18
  isProxied
package/dist/{chunk-SMKHXHLP.js → chunk-BZ6V7COK.js} RENAMED
@@ -4,7 +4,7 @@ import {
4
4
  import {
5
5
  jsonOk,
6
6
  routeWrap
7
- } from "./chunk-LJL3DM2L.js";
7
+ } from "./chunk-DNVTIB2H.js";
8
8
 
9
9
  // src/handlers/license.ts
10
10
  function handleGetLicense(request) {
package/dist/{chunk-DHSSHDIG.js → chunk-D2TRWKVQ.js} RENAMED
@@ -83,7 +83,7 @@ import {
83
83
  VaultListResponseSchema,
84
84
  VaultSchema,
85
85
  WhoamiResponseSchema
86
- } from "./chunk-OWTXN2FU.js";
86
+ } from "./chunk-OXWELRJL.js";
87
87
  import {
88
88
  registry
89
89
  } from "./chunk-7346CKTF.js";
@@ -774,7 +774,7 @@ registry.registerPath({
774
774
  path: "/v1/vaults/{id}/credentials",
775
775
  tags: ["Credentials"],
776
776
  summary: "Create a vault credential",
777
- description: "Creates a structured credential in the vault. The secret token is encrypted at rest and never returned in API responses.",
777
+ description: "Creates a credential in the vault for MCP server authentication or plain API key storage. The token is encrypted at rest and never returned in responses. When `mcp_server_url` is provided, the credential is automatically injected as MCP auth during sessions. Without `mcp_server_url`, the token is injected as an env var derived from `display_name`.",
778
778
  security: [{ ApiKey: [] }],
779
779
  request: {
780
780
  params: z.object({ id: z.string() }),
package/dist/{chunk-LJL3DM2L.js → chunk-DNVTIB2H.js} RENAMED
@@ -10,7 +10,7 @@ import {
10
10
  } from "./chunk-HVUWXUUI.js";
11
11
  import {
12
12
  ensureInitialized
13
- } from "./chunk-C4IHTLG2.js";
13
+ } from "./chunk-RMN5HYVC.js";
14
14
  import {
15
15
  captureException
16
16
  } from "./chunk-3MQ2FWXS.js";
package/dist/{chunk-JNQLE5D7.js → chunk-FLSWLEC3.js} RENAMED
@@ -4,7 +4,7 @@ import {
4
4
  import {
5
5
  jsonOk,
6
6
  routeWrap
7
- } from "./chunk-LJL3DM2L.js";
7
+ } from "./chunk-DNVTIB2H.js";
8
8
 
9
9
  // src/handlers/models.ts
10
10
  function handleListModels(request) {
package/dist/{chunk-PNYCULIF.js → chunk-G5CIMVGV.js} RENAMED
@@ -6,7 +6,7 @@ import {
6
6
  reconcileDockerOrphanSandboxes,
7
7
  reconcileOrphanSandboxes,
8
8
  releaseSession
9
- } from "./chunk-JOAEFGXZ.js";
9
+ } from "./chunk-ZMCS7MYZ.js";
10
10
  import {
11
11
  appendEvent,
12
12
  dropEmitter
package/dist/{chunk-EUUDZGUE.js → chunk-GBLHY2GY.js} RENAMED
@@ -9,7 +9,7 @@ import {
9
9
  import {
10
10
  jsonOk,
11
11
  routeWrap
12
- } from "./chunk-LJL3DM2L.js";
12
+ } from "./chunk-DNVTIB2H.js";
13
13
  import {
14
14
  forwardToAnthropic
15
15
  } from "./chunk-QLWA4MJ5.js";
package/dist/{chunk-QDOCVDWJ.js → chunk-HM2NHQ5J.js} RENAMED
@@ -21,7 +21,7 @@ import {
21
21
  import {
22
22
  jsonOk,
23
23
  routeWrap
24
- } from "./chunk-LJL3DM2L.js";
24
+ } from "./chunk-DNVTIB2H.js";
25
25
  import {
26
26
  badRequest,
27
27
  notFound
package/dist/{chunk-RZMR6H5Y.js → chunk-IXJCHHQC.js} RENAMED
@@ -16,7 +16,7 @@ import {
16
16
  import {
17
17
  jsonOk,
18
18
  routeWrap
19
- } from "./chunk-LJL3DM2L.js";
19
+ } from "./chunk-DNVTIB2H.js";
20
20
  import {
21
21
  getDb,
22
22
  init_client
package/dist/{chunk-6RRYNQXP.js → chunk-J77TSQVL.js} RENAMED
@@ -4,7 +4,7 @@ import {
4
4
  import {
5
5
  jsonOk,
6
6
  routeWrap
7
- } from "./chunk-LJL3DM2L.js";
7
+ } from "./chunk-DNVTIB2H.js";
8
8
  import {
9
9
  exportTrace
10
10
  } from "./chunk-ACKMNK3C.js";
package/dist/{chunk-XQA62XTJ.js → chunk-JKV2PP4K.js} RENAMED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  routeWrap
3
- } from "./chunk-LJL3DM2L.js";
3
+ } from "./chunk-DNVTIB2H.js";
4
4
  import {
5
5
  ApiError
6
6
  } from "./chunk-EZYKRG4W.js";
package/dist/{chunk-WWYVMGRP.js → chunk-JQBZ2X6N.js} RENAMED
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  jsonOk,
3
3
  routeWrap
4
- } from "./chunk-LJL3DM2L.js";
4
+ } from "./chunk-DNVTIB2H.js";
5
5
  import {
6
6
  resolveContainerProvider
7
7
  } from "./chunk-JSLEB2ED.js";
package/dist/{chunk-HJGUG7IH.js → chunk-L3RYJ2HX.js} RENAMED
@@ -28,10 +28,12 @@ import {
28
28
  import {
29
29
  acquireForFirstTurn,
30
30
  installSkills,
31
- provisionResources
32
- } from "./chunk-JOAEFGXZ.js";
31
+ provisionResources,
32
+ wrapProviderWithSecrets
33
+ } from "./chunk-ZMCS7MYZ.js";
33
34
  import {
34
- BLOCKED_ENV_KEYS
35
+ BLOCKED_ENV_KEYS,
36
+ resolveVaultSecrets
35
37
  } from "./chunk-DO4WVWW7.js";
36
38
  import {
37
39
  appendEvent,
@@ -192,6 +194,7 @@ async function runTurn(sessionId, inputs, _depth = 0, parentTrace) {
192
194
  try {
193
195
  sandboxName = await acquireForFirstTurn(sessionId);
194
196
  console.log(`[driver] ${sessionId} container ready: ${sandboxName}`);
197
+ const postAcquireSecrets = getBySession(sessionId)?.vaultSecrets ?? (session.vault_ids?.length ? resolveVaultSecrets(session.vault_ids) : void 0);
195
198
  const latestAgent = getAgent(session.agent.id);
196
199
  if (latestAgent && latestAgent.skills && latestAgent.skills.length > 0) {
197
200
  const currentSkills = new Map((agent.skills ?? []).map((s) => [s.name, s.content.length]));
@@ -201,7 +204,8 @@ async function runTurn(sessionId, inputs, _depth = 0, parentTrace) {
201
204
  if (newSkills.length > 0) {
202
205
  console.log(`[driver] ${sessionId} injecting ${newSkills.length} new skill(s)...`);
203
206
  const envRow = getEnvironment(session.environment_id);
204
- const sp = await resolveContainerProvider(envRow?.config?.provider);
207
+ const baseProvider = await resolveContainerProvider(envRow?.config?.provider);
208
+ const sp = wrapProviderWithSecrets(baseProvider, postAcquireSecrets);
205
209
  await installSkills(sandboxName, sp, newSkills, agent.engine);
206
210
  console.log(`[driver] ${sessionId} skills injected`);
207
211
  }
@@ -209,7 +213,8 @@ async function runTurn(sessionId, inputs, _depth = 0, parentTrace) {
209
213
  const freshSession2 = getSession(sessionId);
210
214
  if (freshSession2?.resources && freshSession2.resources.length > 0) {
211
215
  const envRow = getEnvironment(session.environment_id);
212
- const sp = await resolveContainerProvider(envRow?.config?.provider);
216
+ const baseProvider = await resolveContainerProvider(envRow?.config?.provider);
217
+ const sp = wrapProviderWithSecrets(baseProvider, postAcquireSecrets);
213
218
  await provisionResources(sandboxName, freshSession2.resources, sp);
214
219
  }
215
220
  } catch (err) {
@@ -309,6 +314,14 @@ async function runTurn(sessionId, inputs, _depth = 0, parentTrace) {
309
314
  turnBuild.env.CODEX_API_KEY = "ollama";
310
315
  }
311
316
  }
317
+ if (agent.engine === "codex") {
318
+ const envRow = getEnvironment(session.environment_id);
319
+ const provName = envRow?.config?.provider ?? "docker";
320
+ const firecrackerProviders = /* @__PURE__ */ new Set(["sprites", "fly", "apple-firecracker"]);
321
+ if (firecrackerProviders.has(provName)) {
322
+ turnBuild.env.CODEX_SANDBOX_TYPE = "none";
323
+ }
324
+ }
312
325
  const envLines = Object.entries(turnBuild.env).map(([k, v]) => `${k}=${v}`).join("\n");
313
326
  const stdin = `${envLines}
314
327
 
@@ -316,7 +329,7 @@ ${turnBuild.stdin}`;
316
329
  const env = getEnvironment(session.environment_id);
317
330
  const provider = await resolveContainerProvider(env?.config?.provider);
318
331
  const poolEntry = getBySession(sessionId);
319
- const secrets = poolEntry?.vaultSecrets ?? (session.vault_ids?.length ? (await import("./providers/resolve-secrets.js")).resolveVaultSecrets(session.vault_ids) : void 0);
332
+ const secrets = poolEntry?.vaultSecrets ?? (session.vault_ids?.length ? resolveVaultSecrets(session.vault_ids) : void 0);
320
333
  const tools = resolveToolset(agent.tools);
321
334
  if (agent.threads_enabled) {
322
335
  tools.customToolNames.add("spawn_agent");
package/dist/{chunk-FCCWKCGQ.js → chunk-LPLBLYVQ.js} RENAMED
@@ -8,7 +8,7 @@ import {
8
8
  import {
9
9
  jsonOk,
10
10
  routeWrap
11
- } from "./chunk-LJL3DM2L.js";
11
+ } from "./chunk-DNVTIB2H.js";
12
12
  import {
13
13
  snapshotApiMetrics
14
14
  } from "./chunk-D2XITRN6.js";
package/dist/{chunk-IHMQQ43E.js → chunk-LS3QPECW.js} RENAMED
@@ -8,7 +8,7 @@ import {
8
8
  import {
9
9
  jsonOk,
10
10
  routeWrap
11
- } from "./chunk-LJL3DM2L.js";
11
+ } from "./chunk-DNVTIB2H.js";
12
12
  import {
13
13
  badRequest
14
14
  } from "./chunk-EZYKRG4W.js";
package/dist/{chunk-K62YRMVY.js → chunk-M5YT2IM2.js} RENAMED
@@ -18,7 +18,7 @@ import {
18
18
  import {
19
19
  jsonOk,
20
20
  routeWrap
21
- } from "./chunk-LJL3DM2L.js";
21
+ } from "./chunk-DNVTIB2H.js";
22
22
  import {
23
23
  forwardToAnthropic
24
24
  } from "./chunk-QLWA4MJ5.js";
@@ -38,7 +38,7 @@ import {
38
38
  } from "./chunk-LAWTTG2E.js";
39
39
  import {
40
40
  releaseSession
41
- } from "./chunk-JOAEFGXZ.js";
41
+ } from "./chunk-ZMCS7MYZ.js";
42
42
  import {
43
43
  appendEvent,
44
44
  dropEmitter
package/dist/{chunk-TPAHUFSM.js → chunk-N4JBNOB4.js} RENAMED
@@ -5,7 +5,7 @@ import {
5
5
  import {
6
6
  jsonOk,
7
7
  routeWrap
8
- } from "./chunk-LJL3DM2L.js";
8
+ } from "./chunk-DNVTIB2H.js";
9
9
  import {
10
10
  badRequest
11
11
  } from "./chunk-EZYKRG4W.js";
package/dist/{chunk-LRPU2HS5.js → chunk-NNJ3QFTU.js} RENAMED
@@ -4,7 +4,7 @@ import {
4
4
  import {
5
5
  jsonOk,
6
6
  routeWrap
7
- } from "./chunk-LJL3DM2L.js";
7
+ } from "./chunk-DNVTIB2H.js";
8
8
  import {
9
9
  getProxiedTenantId
10
10
  } from "./chunk-NIOWKTIF.js";
package/dist/{chunk-UYNE3WPU.js → chunk-O7NQK4ZO.js} RENAMED
@@ -6,7 +6,7 @@ import {
6
6
  import {
7
7
  jsonOk,
8
8
  routeWrap
9
- } from "./chunk-LJL3DM2L.js";
9
+ } from "./chunk-DNVTIB2H.js";
10
10
  import {
11
11
  createVault,
12
12
  deleteEntry,
package/dist/{chunk-OWTXN2FU.js → chunk-OXWELRJL.js} RENAMED
@@ -567,26 +567,30 @@ var FileDeletedResponseSchema = registry.register(
567
567
  var VaultCredentialSchema = registry.register(
568
568
  "VaultCredential",
569
569
  z.object({
570
+ type: z.literal("vault_credential"),
570
571
  id: UlidId,
571
572
  vault_id: UlidId,
572
573
  display_name: z.string(),
573
574
  auth: z.object({
574
- type: z.string().openapi({ description: "Auth type, e.g. 'static_bearer'." }),
575
- mcp_server_url: z.string().nullable().openapi({ description: "Associated MCP server URL, if any." })
575
+ type: z.enum(["static_bearer"]).openapi({ description: "Auth type. Currently only `static_bearer` is supported." }),
576
+ mcp_server_url: z.string().nullable().openapi({ description: "MCP server URL this credential authenticates with. Null for plain API keys." })
576
577
  }),
578
+ metadata: z.record(z.string()).optional().openapi({ description: "Arbitrary key-value metadata." }),
577
579
  created_at: IsoTimestamp,
578
- updated_at: IsoTimestamp
579
- }).openapi({ description: "Vault credential metadata. The secret token is NEVER returned in API responses." })
580
+ updated_at: IsoTimestamp,
581
+ archived_at: IsoTimestamp.nullable()
582
+ }).openapi({ description: "Vault credential. Secret fields (token) are write-only \u2014 never returned in responses." })
580
583
  );
581
584
  var CreateCredentialRequestSchema = registry.register(
582
585
  "CreateCredentialRequest",
583
586
  z.object({
584
- display_name: z.string().min(1).max(200),
587
+ display_name: z.string().min(1).max(200).openapi({ description: "Human-readable name for this credential.", example: "Linear API key" }),
585
588
  auth: z.object({
586
- type: z.enum(["static_bearer"]),
587
- token: z.string().min(1).openapi({ description: "Secret token value. Stored encrypted; never returned." }),
588
- mcp_server_url: z.string().url().optional()
589
- })
589
+ type: z.enum(["static_bearer"]).openapi({ description: "Auth type." }),
590
+ mcp_server_url: z.string().url().optional().openapi({ description: "MCP server URL this credential authenticates with. Optional for plain API keys.", example: "https://mcp.linear.app/mcp" }),
591
+ token: z.string().min(1).openapi({ description: "Secret token. Stored encrypted at rest; never returned in responses.", example: "lin_api_xxxxx" })
592
+ }),
593
+ metadata: z.record(z.string()).optional().openapi({ description: "Arbitrary key-value metadata." })
590
594
  })
591
595
  );
592
596
  var UpdateCredentialRequestSchema = registry.register(
@@ -595,9 +599,10 @@ var UpdateCredentialRequestSchema = registry.register(
595
599
  display_name: z.string().min(1).max(200).optional(),
596
600
  auth: z.object({
597
601
  type: z.enum(["static_bearer"]).optional(),
598
- token: z.string().min(1).optional(),
602
+ token: z.string().min(1).optional().openapi({ description: "New token value. Write-only." }),
599
603
  mcp_server_url: z.string().url().nullish()
600
- }).optional()
604
+ }).optional(),
605
+ metadata: z.record(z.string().nullable()).optional().openapi({ description: "Patch semantics: set key to string to upsert, null to delete, omit to preserve." })
601
606
  })
602
607
  );
603
608
  var CredentialListResponseSchema = registry.register(
@@ -606,7 +611,7 @@ var CredentialListResponseSchema = registry.register(
606
611
  );
607
612
  var CredentialDeletedResponseSchema = registry.register(
608
613
  "CredentialDeletedResponse",
609
- z.object({ id: UlidId, type: z.literal("credential_deleted") })
614
+ z.object({ id: UlidId, type: z.literal("vault_credential_deleted") })
610
615
  );
611
616
  var MemoryStoreSchema = registry.register(
612
617
  "MemoryStore",
package/dist/{chunk-ECRLACEF.js → chunk-Q336Y6X2.js} RENAMED
@@ -8,7 +8,7 @@ import {
8
8
  import {
9
9
  jsonOk,
10
10
  routeWrap
11
- } from "./chunk-LJL3DM2L.js";
11
+ } from "./chunk-DNVTIB2H.js";
12
12
 
13
13
  // src/handlers/skills.ts
14
14
  async function handleGetSkillsCatalog(request) {
package/dist/{chunk-QOJMXK4S.js → chunk-RDGOGAQ5.js} RENAMED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  buildOpenApiDocument
3
- } from "./chunk-DHSSHDIG.js";
3
+ } from "./chunk-D2TRWKVQ.js";
4
4
 
5
5
  // src/handlers/openapi.ts
6
6
  function originFromRequest(request) {
package/dist/{chunk-MD4BZGMS.js → chunk-RE6QJXWV.js} RENAMED
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  jsonOk,
3
3
  routeWrap
4
- } from "./chunk-LJL3DM2L.js";
4
+ } from "./chunk-DNVTIB2H.js";
5
5
  import {
6
6
  readSetting,
7
7
  writeSetting
package/dist/{chunk-C4IHTLG2.js → chunk-RMN5HYVC.js} RENAMED
@@ -3,7 +3,7 @@ import {
3
3
  } from "./chunk-HECQRMDR.js";
4
4
  import {
5
5
  runTurn
6
- } from "./chunk-HJGUG7IH.js";
6
+ } from "./chunk-L3RYJ2HX.js";
7
7
  import {
8
8
  installOtlpExporter
9
9
  } from "./chunk-ACKMNK3C.js";
@@ -19,14 +19,14 @@ import {
19
19
  } from "./chunk-3MQ2FWXS.js";
20
20
  import {
21
21
  installShutdownHandlers
22
- } from "./chunk-S6AM7WVH.js";
22
+ } from "./chunk-U7GILP6F.js";
23
23
  import {
24
24
  runSweep
25
- } from "./chunk-PNYCULIF.js";
25
+ } from "./chunk-G5CIMVGV.js";
26
26
  import {
27
27
  reconcileDockerOrphanSandboxes,
28
28
  reconcileOrphanSandboxes
29
- } from "./chunk-JOAEFGXZ.js";
29
+ } from "./chunk-ZMCS7MYZ.js";
30
30
  import {
31
31
  appendEvent,
32
32
  installPayloadRedactor
package/dist/{chunk-L4T7KCQ2.js → chunk-RZQUEFR3.js} RENAMED
@@ -5,7 +5,7 @@ import {
5
5
  import {
6
6
  jsonOk,
7
7
  routeWrap
8
- } from "./chunk-LJL3DM2L.js";
8
+ } from "./chunk-DNVTIB2H.js";
9
9
  import {
10
10
  getSession,
11
11
  listSessions
package/dist/{chunk-S6AM7WVH.js → chunk-U7GILP6F.js} RENAMED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  markStopping
3
- } from "./chunk-PNYCULIF.js";
3
+ } from "./chunk-G5CIMVGV.js";
4
4
  import {
5
5
  closeDb,
6
6
  init_client,
package/dist/{chunk-MA7IO6RU.js → chunk-UZHUG6CQ.js} RENAMED
@@ -15,7 +15,7 @@ import {
15
15
  import {
16
16
  jsonOk,
17
17
  routeWrap
18
- } from "./chunk-LJL3DM2L.js";
18
+ } from "./chunk-DNVTIB2H.js";
19
19
  import {
20
20
  createApiKey,
21
21
  getApiKeyById,
package/dist/{chunk-OFLYKESG.js → chunk-XK3VIZA2.js} RENAMED
@@ -6,7 +6,7 @@ import {
6
6
  import {
7
7
  jsonOk,
8
8
  routeWrap
9
- } from "./chunk-LJL3DM2L.js";
9
+ } from "./chunk-DNVTIB2H.js";
10
10
  import {
11
11
  forwardToAnthropic,
12
12
  validateAnthropicProxy
package/dist/{chunk-TKV7CFAM.js → chunk-Z2C4OC6I.js} RENAMED
@@ -10,7 +10,7 @@ import {
10
10
  import {
11
11
  jsonOk,
12
12
  routeWrap
13
- } from "./chunk-LJL3DM2L.js";
13
+ } from "./chunk-DNVTIB2H.js";
14
14
  import {
15
15
  archiveTenant,
16
16
  createTenant,
package/dist/{chunk-JOAEFGXZ.js → chunk-ZMCS7MYZ.js} RENAMED
@@ -52,6 +52,16 @@ var lcLog = (...args) => {
52
52
  if (process.env.DEBUG_LIFECYCLE === "1") console.log(...args);
53
53
  };
54
54
  var SANDBOX_NAME_PREFIX = "ca-sess-";
55
+ function wrapProviderWithSecrets(provider, secrets) {
56
+ if (!secrets || Object.keys(secrets).length === 0) return provider;
57
+ return {
58
+ ...provider,
59
+ exec: (n, argv, opts) => provider.exec(n, argv, { ...opts, secrets }),
60
+ startExec: (n, opts) => provider.startExec(n, { ...opts, secrets }),
61
+ create: (opts) => provider.create({ ...opts, secrets }),
62
+ delete: (n, s) => provider.delete(n, s ?? secrets)
63
+ };
64
+ }
55
65
  async function installSkills(sandboxName, provider, skills, engine) {
56
66
  if (!skills || skills.length === 0) return;
57
67
  const SAFE_NAME_RE = /^[a-zA-Z0-9_.-]+$/;
@@ -117,14 +127,7 @@ async function acquireForFirstTurn(sessionId) {
117
127
  throw new Error(`provider ${provider.name} is not available: ${result.message}`);
118
128
  }
119
129
  }
120
- const hasSecrets = Object.keys(secrets).length > 0;
121
- const sp = hasSecrets ? {
122
- ...provider,
123
- exec: (n, argv, opts) => provider.exec(n, argv, { ...opts, secrets }),
124
- startExec: (n, opts) => provider.startExec(n, { ...opts, secrets }),
125
- create: (opts) => provider.create({ ...opts, secrets }),
126
- delete: (n, s) => provider.delete(n, s ?? secrets)
127
- } : provider;
130
+ const sp = wrapProviderWithSecrets(provider, secrets);
128
131
  const name = deriveSandboxName(sessionId);
129
132
  lcLog(`[lifecycle] ${sessionId} creating container via ${sp.name}...`);
130
133
  try {
@@ -397,6 +400,7 @@ async function reconcileDockerOrphanSandboxes() {
397
400
  }
398
401
 
399
402
  export {
403
+ wrapProviderWithSecrets,
400
404
  installSkills,
401
405
  acquireForFirstTurn,
402
406
  provisionResources,
package/dist/{chunk-7CADMELE.js → chunk-ZMV2QI3Q.js} RENAMED
@@ -1,10 +1,10 @@
1
1
  import {
2
2
  loadVaultForCaller
3
- } from "./chunk-UYNE3WPU.js";
3
+ } from "./chunk-O7NQK4ZO.js";
4
4
  import {
5
5
  jsonOk,
6
6
  routeWrap
7
- } from "./chunk-LJL3DM2L.js";
7
+ } from "./chunk-DNVTIB2H.js";
8
8
  import {
9
9
  createCredential,
10
10
  deleteCredential,
package/dist/containers/lifecycle.js CHANGED
@@ -4,8 +4,9 @@ import {
4
4
  provisionResources,
5
5
  reconcileDockerOrphanSandboxes,
6
6
  reconcileOrphanSandboxes,
7
- releaseSession
8
- } from "../chunk-JOAEFGXZ.js";
7
+ releaseSession,
8
+ wrapProviderWithSecrets
9
+ } from "../chunk-ZMCS7MYZ.js";
9
10
  import "../chunk-DO4WVWW7.js";
10
11
  import "../chunk-RMZRSYIJ.js";
11
12
  import "../chunk-5ZFOKZGR.js";
@@ -81,5 +82,6 @@ export {
81
82
  provisionResources,
82
83
  reconcileDockerOrphanSandboxes,
83
84
  reconcileOrphanSandboxes,
84
- releaseSession
85
+ releaseSession,
86
+ wrapProviderWithSecrets
85
87
  };
package/dist/handlers/agents.js CHANGED
@@ -4,17 +4,17 @@ import {
4
4
  handleGetAgent,
5
5
  handleListAgents,
6
6
  handleUpdateAgent
7
- } from "../chunk-OFLYKESG.js";
7
+ } from "../chunk-XK3VIZA2.js";
8
8
  import "../chunk-23UKWXJH.js";
9
- import "../chunk-LJL3DM2L.js";
9
+ import "../chunk-DNVTIB2H.js";
10
10
  import "../chunk-D2XITRN6.js";
11
11
  import "../chunk-PWWRWR75.js";
12
12
  import "../chunk-QLWA4MJ5.js";
13
13
  import "../chunk-W6WKXFHN.js";
14
14
  import "../chunk-HVUWXUUI.js";
15
- import "../chunk-C4IHTLG2.js";
15
+ import "../chunk-RMN5HYVC.js";
16
16
  import "../chunk-HECQRMDR.js";
17
- import "../chunk-HJGUG7IH.js";
17
+ import "../chunk-L3RYJ2HX.js";
18
18
  import "../chunk-PJZ5TQYW.js";
19
19
  import "../chunk-AU4NAQGA.js";
20
20
  import "../chunk-H6TQGV4L.js";
@@ -27,10 +27,10 @@ import "../chunk-NIOWKTIF.js";
27
27
  import "../chunk-ZQGJKPPY.js";
28
28
  import "../chunk-ADK2TYO4.js";
29
29
  import "../chunk-3MQ2FWXS.js";
30
- import "../chunk-S6AM7WVH.js";
31
- import "../chunk-PNYCULIF.js";
30
+ import "../chunk-U7GILP6F.js";
31
+ import "../chunk-G5CIMVGV.js";
32
32
  import "../chunk-LAWTTG2E.js";
33
- import "../chunk-JOAEFGXZ.js";
33
+ import "../chunk-ZMCS7MYZ.js";
34
34
  import "../chunk-DO4WVWW7.js";
35
35
  import "../chunk-RMZRSYIJ.js";
36
36
  import "../chunk-5ZFOKZGR.js";
package/dist/handlers/api_keys.js CHANGED
@@ -5,19 +5,19 @@ import {
5
5
  handleListApiKeys,
6
6
  handlePatchApiKey,
7
7
  handleRevokeApiKey
8
- } from "../chunk-MA7IO6RU.js";
8
+ } from "../chunk-UZHUG6CQ.js";
9
9
  import "../chunk-23UKWXJH.js";
10
10
  import "../chunk-MHQXDTJB.js";
11
11
  import "../chunk-2N2KL4KM.js";
12
- import "../chunk-LJL3DM2L.js";
12
+ import "../chunk-DNVTIB2H.js";
13
13
  import "../chunk-D2XITRN6.js";
14
14
  import "../chunk-PWWRWR75.js";
15
15
  import "../chunk-QLWA4MJ5.js";
16
16
  import "../chunk-W6WKXFHN.js";
17
17
  import "../chunk-HVUWXUUI.js";
18
- import "../chunk-C4IHTLG2.js";
18
+ import "../chunk-RMN5HYVC.js";
19
19
  import "../chunk-HECQRMDR.js";
20
- import "../chunk-HJGUG7IH.js";
20
+ import "../chunk-L3RYJ2HX.js";
21
21
  import "../chunk-PJZ5TQYW.js";
22
22
  import "../chunk-AU4NAQGA.js";
23
23
  import "../chunk-H6TQGV4L.js";
@@ -30,10 +30,10 @@ import "../chunk-NIOWKTIF.js";
30
30
  import "../chunk-ZQGJKPPY.js";
31
31
  import "../chunk-ADK2TYO4.js";
32
32
  import "../chunk-3MQ2FWXS.js";
33
- import "../chunk-S6AM7WVH.js";
34
- import "../chunk-PNYCULIF.js";
33
+ import "../chunk-U7GILP6F.js";
34
+ import "../chunk-G5CIMVGV.js";
35
35
  import "../chunk-LAWTTG2E.js";
36
- import "../chunk-JOAEFGXZ.js";
36
+ import "../chunk-ZMCS7MYZ.js";
37
37
  import "../chunk-DO4WVWW7.js";
38
38
  import "../chunk-RMZRSYIJ.js";
39
39
  import "../chunk-5ZFOKZGR.js";