@agentworkforce/deploy 3.0.2 → 3.0.4

package/dist/modes/cloud.js

@@ -1,77 +1,655 @@
 import { readFile } from 'node:fs/promises';
+import { CloudApiClient, connectProvider, defaultApiUrl, readStoredAuth, refreshStoredAuth } from '@agent-relay/cloud';
+import { resolveWorkspaceToken } from '../login.js';
+const BUILD_YOUR_OWN_CLOUD_DOCS_URL = 'https://docs.agentworkforce.com/deploy/build-your-own-cloud';
+const USER_AGENT = 'workforce-deploy';
+const MAX_ATTEMPTS = 3;
+const POLL_TIMEOUT_MS = 60_000;
+const POLL_INTERVAL_MS = 2_000;
+const defaultCloudCredentialDeps = {
+    readStoredAuth,
+    refreshStoredAuth,
+    connectProvider,
+    createCloudApiClient(auth, apiUrl) {
+        return new CloudApiClient({
+            apiUrl,
+            accessToken: auth.accessToken,
+            refreshToken: auth.refreshToken,
+            accessTokenExpiresAt: auth.accessTokenExpiresAt
+        });
+    }
+};
+let cloudCredentialDeps = defaultCloudCredentialDeps;
+export function configureCloudCredentialDepsForTest(overrides) {
+    const previous = cloudCredentialDeps;
+    cloudCredentialDeps = { ...cloudCredentialDeps, ...overrides };
+    return () => {
+        cloudCredentialDeps = previous;
+    };
+}
 /**
- * Workforce-cloud-hosted deploy mode. Uploads the bundle to the workforce
- * cloud deployments endpoint and lets the cloud runtime host the agent.
- *
- * The endpoint (`POST /api/v1/workspaces/:id/deployments`) is part of the
- * proactive-runtime backend roadmap and is not yet live. Until it is,
- * `--mode cloud` returns a clean error that points users at the working
- * modes (`--mode sandbox` and `--mode dev`).
- *
- * When the endpoint ships, the implementation flow is:
- *   1. POST persona.json + agent.bundle.mjs + runner.mjs as multipart.
- *   2. Receive `{ deploymentId, statusUrl }`.
- *   3. Poll `statusUrl` until the cloud reports `running`.
- *   4. Return a handle whose `stop()` calls DELETE on the deployment.
+ * Cloud-hosted deploy mode. Uploads the deploy-ready persona bundle to a
+ * workforce-compatible cloud endpoint. The implementation is intentionally
+ * OSS-generic: callers may point at any compatible runtime with
+ * `--cloud-url`, `WORKFORCE_CLOUD_URL`, or `persona.cloud.deployUrl`; the
+ * production AgentRelay URL is only the final default.
  */
 export const cloudLauncher = {
     async launch(input) {
-        const cloudUrl = (input.cloudUrl ?? process.env.WORKFORCE_CLOUD_URL)?.replace(/\/$/, '');
-        const token = process.env.WORKFORCE_WORKSPACE_TOKEN;
-        if (cloudUrl && token) {
-            return postCloudDeployment(input, cloudUrl, token);
+        const cloudUrl = resolveCloudUrl(input);
+        const noPrompt = isNoPrompt(input);
+        const auth = input.workspaceToken
+            ? { token: input.workspaceToken }
+            : await resolveWorkspaceToken({
+                workspace: input.workspace,
+                cloudUrl,
+                io: input.io,
+                noPrompt
+            });
+        const credentialSelections = await ensureHarnessReady({
+            cloudUrl,
+            workspaceId: input.workspace,
+            token: auth.token,
+            persona: input.persona,
+            io: input.io,
+            noPrompt,
+            harnessSource: input.harnessSource,
+            byokKey: input.byokKey
+        });
+        const existingPersona = await handleExistingPersona({
+            cloudUrl,
+            workspaceId: input.workspace,
+            token: auth.token,
+            personaId: input.persona.id,
+            io: input.io,
+            noPrompt,
+            onExists: input.onExists
+        });
+        if (existingPersona.cancelled) {
+            return {
+                id: existingPersona.agentId,
+                agentId: existingPersona.agentId,
+                deploymentId: 'cancelled',
+                status: 'cancelled',
+                async stop() {
+                    /* no-op: user chose not to change the existing hosted persona. */
+                },
+                done: Promise.resolve({ code: 0 })
+            };
         }
-        throw new Error('--mode cloud is not yet available: the workforce cloud deployments endpoint is in progress. Use --mode sandbox (Daytona) or --mode dev (local) today.');
+        const endpoint = `${cloudUrl}/api/v1/workspaces/${encodeURIComponent(input.workspace)}/deployments`;
+        const body = JSON.stringify({
+            persona: input.persona,
+            bundle: {
+                runner: await readFile(input.bundle.runnerPath, 'utf8'),
+                agent: await readFile(input.bundle.bundlePath, 'utf8'),
+                packageJson: JSON.parse(await readFile(input.bundle.packageJsonPath, 'utf8'))
+            },
+            // Keep both casings until all cloud deploy endpoints converge; older
+            // previews read snake_case, while current routes read camelCase.
+            credentialSelections,
+            credential_selections: credentialSelections,
+            inputs: input.inputs ?? readInputsOverride()
+        });
+        input.io.info(`cloud: deploying persona bundle to ${cloudUrl}`);
+        const deployBody = await requestJsonWithRetry(endpoint, {
+            method: 'POST',
+            headers: jsonHeaders(auth.token),
+            body
+        }, { action: 'cloud deploy' });
+        const agentId = expectString(deployBody.agentId, 'agentId');
+        const deploymentId = expectString(deployBody.deploymentId, 'deploymentId');
+        const initialStatus = expectStatus(deployBody.status);
+        input.io.info(`cloud: deployment ${deploymentId} created for agent ${agentId}`);
+        let stopping = false;
+        const done = (async () => {
+            if (initialStatus === 'active')
+                return { code: 0 };
+            if (initialStatus === 'failed')
+                return { code: 1 };
+            try {
+                const finalStatus = await pollAgentStatus({
+                    cloudUrl,
+                    workspaceId: input.workspace,
+                    agentId,
+                    token: auth.token,
+                    io: input.io,
+                    onLog: input.onLog
+                });
+                return { code: finalStatus === 'active' ? 0 : 1 };
+            }
+            catch (err) {
+                if (!stopping) {
+                    input.io.error(`cloud: status polling failed: ${err instanceof Error ? err.message : String(err)}`);
+                }
+                return { code: 1 };
+            }
+        })();
+        const stop = async () => {
+            if (stopping)
+                return;
+            stopping = true;
+            await deleteAgent({
+                cloudUrl,
+                workspaceId: input.workspace,
+                agentId,
+                token: auth.token,
+                action: 'cloud stop'
+            });
+        };
+        return {
+            id: agentId,
+            agentId,
+            deploymentId,
+            status: initialStatus,
+            stop,
+            done
+        };
     }
 };
-const CLOUD_DEPLOY_TIMEOUT_MS = 30_000;
-async function postCloudDeployment(input, cloudUrl, workspaceToken) {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), CLOUD_DEPLOY_TIMEOUT_MS);
-    let res;
-    try {
-        res = await fetch(`${cloudUrl}/api/v1/workspaces/${encodeURIComponent(input.workspace)}/deployments`, {
-            method: 'POST',
-            headers: {
-                authorization: `Bearer ${workspaceToken}`,
-                'content-type': 'application/json'
-            },
-            body: JSON.stringify({
-                persona: input.persona,
-                bundle: {
-                    runner: await readFile(input.bundle.runnerPath, 'utf8'),
-                    agent: await readFile(input.bundle.bundlePath, 'utf8'),
-                    packageJson: JSON.parse(await readFile(input.bundle.packageJsonPath, 'utf8'))
-                },
-                ...(input.inputs && Object.keys(input.inputs).length > 0 ? { inputs: input.inputs } : {})
-            }),
-            signal: controller.signal
+function resolveCloudUrl(input) {
+    const fromInput = input.cloudUrl?.trim();
+    const fromEnv = process.env.WORKFORCE_DEPLOY_CLOUD_URL?.trim()
+        || process.env.WORKFORCE_CLOUD_URL?.trim();
+    const fromPersona = readPersonaCloudDeployUrl(input.persona);
+    const raw = fromInput || fromEnv || fromPersona || defaultApiUrl();
+    const resolved = normalizeCloudUrl(raw);
+    if (resolved !== normalizeCloudUrl(defaultApiUrl())) {
+        input.io.info(`cloud: using custom cloud URL ${resolved}. Build your own cloud docs: ${BUILD_YOUR_OWN_CLOUD_DOCS_URL}`);
+    }
+    return resolved;
+}
+function isNoPrompt(input) {
+    if (input.noPrompt)
+        return true;
+    const raw = process.env.WORKFORCE_DEPLOY_NO_PROMPT?.trim().toLowerCase();
+    return raw === '1' || raw === 'true' || raw === 'yes';
+}
+async function ensureHarnessReady(args) {
+    const source = await resolveHarnessSource(args);
+    const modelProvider = deriveModelProvider(args.persona);
+    if (source === 'plan') {
+        const credentialId = await saveProviderCredential({
+            cloudUrl: args.cloudUrl,
+            workspaceId: args.workspaceId,
+            token: args.token,
+            modelProvider,
+            authType: 'relay_managed'
         });
+        args.io.info(`cloud: using workforce plan credentials for ${args.persona.harness}`);
+        return { [modelProvider]: credentialId };
     }
-    catch (err) {
-        if (err instanceof Error && err.name === 'AbortError') {
-            throw new Error(`Cloud deploy failed: request timed out after ${CLOUD_DEPLOY_TIMEOUT_MS / 1000}s`);
-        }
-        throw err;
+    if (source === 'byok') {
+        const key = await resolveByokKey(args);
+        const credentialId = await saveProviderCredential({
+            cloudUrl: args.cloudUrl,
+            workspaceId: args.workspaceId,
+            token: args.token,
+            modelProvider,
+            authType: 'byo_api_key',
+            apiKey: key
+        });
+        args.io.info(`cloud: using BYOK credentials for ${args.persona.harness}`);
+        return { [modelProvider]: credentialId };
     }
-    finally {
-        clearTimeout(timeout);
+    await ensureHarnessOauth(args);
+    return {};
+}
+async function resolveHarnessSource(args) {
+    if (args.harnessSource)
+        return args.harnessSource;
+    const fromEnv = process.env.WORKFORCE_DEPLOY_HARNESS_SOURCE?.trim();
+    if (fromEnv)
+        return expectHarnessSource(fromEnv);
+    const available = await isHarnessOauthConnected(args);
+    if (available)
+        return 'oauth';
+    if (args.noPrompt) {
+        throw new Error(`cloud: ${args.persona.harness} credentials are not connected. Re-run with --harness-source plan|byok|oauth, set WORKFORCE_DEPLOY_HARNESS_SOURCE, or run without --no-prompt.`);
+    }
+    const answer = await args.io.prompt(`${args.persona.harness} credentials are not connected. Choose harness source (plan/byok/oauth)`, { defaultValue: 'plan' });
+    return expectHarnessSource(answer);
+}
+async function isHarnessOauthConnected(args) {
+    const auth = await readUsableCloudAuth(args.cloudUrl);
+    if (!auth)
+        return false;
+    const client = cloudCredentialDeps.createCloudApiClient(auth, args.cloudUrl);
+    const path = `/api/v1/users/me/provider_credentials?model_provider=${encodeURIComponent(deriveModelProvider(args.persona))}`;
+    const res = await client.fetch(path, {
+        method: 'GET',
+        headers: { 'user-agent': USER_AGENT }
+    });
+    if (res.status === 404 || res.status === 405)
+        return false;
+    if (res.status === 401) {
+        throw new Error('cloud harness check failed: unauthorized. Run `workforce login` and retry.');
     }
     if (!res.ok) {
-        throw new Error(`Cloud deploy failed: ${res.status} ${await res.text()}`);
+        throw new Error(`cloud harness check failed: ${res.status} ${await responseExcerpt(res)}`);
     }
     const body = (await res.json());
-    const id = body.deploymentId ?? body.agentId;
-    if (!id) {
-        throw new Error(`Cloud deploy failed: response missing deploymentId/agentId`);
+    return providerCredentialsReady(body);
+}
+async function resolveByokKey(args) {
+    if (args.byokKey?.trim())
+        return args.byokKey.trim();
+    const fromEnv = process.env.WORKFORCE_DEPLOY_BYOK_KEY?.trim();
+    if (fromEnv)
+        return fromEnv;
+    if (args.noPrompt) {
+        throw new Error(`cloud: --harness-source byok requires --byok-key or WORKFORCE_DEPLOY_BYOK_KEY for ${args.persona.harness}`);
+    }
+    const answer = await args.io.prompt(`API key for ${args.persona.harness}`);
+    if (!answer.trim()) {
+        throw new Error(`cloud: missing BYOK API key for ${args.persona.harness}`);
+    }
+    return answer.trim();
+}
+async function ensureHarnessOauth(args) {
+    if (await isHarnessOauthConnected(args)) {
+        args.io.info(`cloud: ${args.persona.harness} credentials already connected`);
+        return;
     }
-    input.io.info(`cloud: ${body.status ?? 'submitted'}`);
+    if (args.noPrompt) {
+        throw new Error(`cloud: ${args.persona.harness} OAuth credentials are not connected. Run without --no-prompt or choose --harness-source plan/byok.`);
+    }
+    const ok = await args.io.confirm(`Connect ${args.persona.harness} credentials now? (opens browser)`, { defaultValue: true });
+    if (!ok) {
+        throw new Error(`cloud: ${args.persona.harness} credentials are required for deploy`);
+    }
+    const modelProvider = deriveModelProvider(args.persona);
+    await cloudCredentialDeps.connectProvider({
+        provider: modelProvider,
+        apiUrl: args.cloudUrl,
+        language: 'typescript',
+        io: {
+            log: (...parts) => args.io.info(parts.map(String).join(' ')),
+            error: (...parts) => args.io.error(parts.map(String).join(' '))
+        }
+    });
+    await pollUntil(() => isHarnessOauthConnected(args), `timed out waiting for ${args.persona.harness} OAuth credentials`);
+    args.io.info(`cloud: ${args.persona.harness} credentials connected`);
+}
+async function handleExistingPersona(args) {
+    const existing = await findExistingAgent(args);
+    if (!existing)
+        return { cancelled: false };
+    const choice = await resolveOnExists(args);
+    if (choice === 'cancel') {
+        args.io.info(`cloud: deploy cancelled because persona ${args.personaId} already exists`);
+        return { cancelled: true, agentId: existing.id };
+    }
+    if (choice === 'update') {
+        args.io.info(`cloud: updating existing persona ${args.personaId}`);
+        return { cancelled: false };
+    }
+    args.io.info(`cloud: destroying existing persona ${args.personaId} before deploy`);
+    await deleteAgent({
+        cloudUrl: args.cloudUrl,
+        workspaceId: args.workspaceId,
+        token: args.token,
+        agentId: existing.id,
+        action: 'cloud existing persona destroy'
+    });
+    return { cancelled: false };
+}
+async function findExistingAgent(args) {
+    const url = `${args.cloudUrl}/api/v1/workspaces/${encodeURIComponent(args.workspaceId)}/agents?persona_slug=${encodeURIComponent(args.personaId)}`;
+    const res = await fetch(url, {
+        method: 'GET',
+        headers: {
+            authorization: `Bearer ${args.token}`,
+            'user-agent': USER_AGENT
+        }
+    });
+    if (res.status === 404 || res.status === 405)
+        return null;
+    if (res.status === 401) {
+        throw new Error('cloud existing persona check failed: unauthorized. Run `workforce login` and retry.');
+    }
+    if (!res.ok) {
+        throw new Error(`cloud existing persona check failed: ${res.status} ${await responseExcerpt(res)}`);
+    }
+    return parseExistingAgent((await res.json()));
+}
+async function resolveOnExists(args) {
+    if (args.onExists)
+        return args.onExists;
+    const fromEnv = process.env.WORKFORCE_DEPLOY_ON_EXISTS?.trim();
+    if (fromEnv)
+        return expectOnExistsChoice(fromEnv);
+    if (args.noPrompt) {
+        return 'cancel';
+    }
+    const answer = await args.io.prompt(`Persona ${args.personaId} already exists. Choose update, destroy, or cancel`, { defaultValue: 'cancel' });
+    return expectOnExistsChoice(answer);
+}
+async function deleteAgent(args) {
+    const destroyUrl = `${args.cloudUrl}/api/v1/workspaces/${encodeURIComponent(args.workspaceId)}/agents/${encodeURIComponent(args.agentId)}/destroy`;
+    const res = await fetch(destroyUrl, {
+        method: 'POST',
+        headers: {
+            authorization: `Bearer ${args.token}`,
+            'user-agent': USER_AGENT
+        }
+    });
+    if (res.status === 401) {
+        throw new Error(`${args.action} failed: unauthorized. Run \`workforce login\` and retry.`);
+    }
+    if (res.status === 404 || res.status === 405) {
+        throw new Error(`${args.action} failed: destroy not yet wired; cancel and run with --force-replace later.`);
+    }
+    if (!res.ok) {
+        throw new Error(`${args.action} failed: ${res.status} ${await responseExcerpt(res)}`);
+    }
+}
+function parseExistingAgent(body) {
+    const direct = parseAgentLike(body.agent);
+    if (direct)
+        return direct;
+    if (Array.isArray(body.agents)) {
+        for (const agent of body.agents) {
+            const parsed = parseAgentLike(agent);
+            if (parsed)
+                return parsed;
+        }
+    }
+    return null;
+}
+function parseAgentLike(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value))
+        return null;
+    const record = value;
+    if (typeof record.id !== 'string' || !record.id.trim())
+        return null;
     return {
-        id,
-        async stop() {
-            throw new Error('cloud deployment stop is not wired yet');
-        },
-        done: Promise.resolve({ code: body.status === 'failed' ? 1 : 0 })
+        id: record.id,
+        ...(typeof record.status === 'string' ? { status: record.status } : {})
     };
 }
+async function saveProviderCredential(args) {
+    if (args.authType === 'relay_managed') {
+        const url = new URL(`${args.cloudUrl}/api/v1/workspaces/${encodeURIComponent(args.workspaceId)}/provider-credentials/managed`);
+        url.searchParams.set('provider', args.modelProvider);
+        const body = await requestJsonWithRetry(url.toString(), {
+            method: 'POST',
+            headers: jsonHeaders(args.token)
+        }, { action: 'cloud managed provider credentials' });
+        return readCredentialId(body);
+    }
+    const body = await requestJsonWithRetry(`${args.cloudUrl}/api/v1/workspaces/${encodeURIComponent(args.workspaceId)}/provider-credentials/byok`, {
+        method: 'POST',
+        headers: jsonHeaders(args.token),
+        body: JSON.stringify({
+            // Keep both casings during the deploy-v1 rollout for the same mixed
+            // preview/production route compatibility as the deploy payload above.
+            modelProvider: args.modelProvider,
+            model_provider: args.modelProvider,
+            key: args.apiKey,
+            api_key: args.apiKey
+        })
+    }, { action: 'cloud BYOK provider credentials' });
+    return readCredentialId(body);
+}
+function deriveModelProvider(persona) {
+    const model = typeof persona.model === 'string' ? persona.model.trim() : '';
+    if (!model)
+        return persona.harness;
+    const lower = model.toLowerCase();
+    if (matchesProviderToken(lower, ['anthropic', 'claude']))
+        return 'anthropic';
+    if (matchesProviderToken(lower, ['openai', 'codex', 'gpt']))
+        return 'openai';
+    if (matchesProviderToken(lower, ['google', 'gemini']))
+        return 'google';
+    if (matchesProviderToken(lower, ['openrouter', 'opencode']))
+        return 'openrouter';
+    const [provider] = model.split(/[/:]/, 1);
+    if (provider?.trim())
+        return provider.trim().toLowerCase();
+    return persona.harness;
+}
+function matchesProviderToken(model, tokens) {
+    return tokens.some((token) => new RegExp(`^${escapeRegExp(token)}($|[/:._-])`).test(model));
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+function readCredentialId(body) {
+    const direct = readFirstString(body, ['providerCredentialId', 'provider_credential_id', 'credentialId', 'id']);
+    if (direct)
+        return direct;
+    for (const field of ['credential', 'providerCredential']) {
+        const nested = body[field];
+        if (nested && typeof nested === 'object' && !Array.isArray(nested)) {
+            const nestedId = readFirstString(nested, ['id', 'providerCredentialId', 'provider_credential_id']);
+            if (nestedId)
+                return nestedId;
+        }
+    }
+    throw new Error('cloud provider credentials response missing credential id');
+}
+function providerCredentialsReady(body) {
+    const candidates = [
+        body.credential,
+        ...(Array.isArray(body.credentials) ? body.credentials : []),
+        ...(Array.isArray(body.providerCredentials) ? body.providerCredentials : []),
+        body
+    ];
+    return candidates.some((candidate) => {
+        if (!candidate || typeof candidate !== 'object' || Array.isArray(candidate))
+            return false;
+        const record = candidate;
+        return record.connected === true
+            || record.status === 'connected'
+            || record.status === 'active'
+            || Boolean(record.credentialStoredAt)
+            || Boolean(record.createdAt)
+            || typeof record.id === 'string';
+    });
+}
+function expectHarnessSource(value) {
+    const normalized = value.trim().toLowerCase();
+    if (normalized === 'plan' || normalized === 'byok' || normalized === 'oauth') {
+        return normalized;
+    }
+    throw new Error(`cloud: harness source must be one of plan|byok|oauth; got "${value}"`);
+}
+function expectOnExistsChoice(value) {
+    const normalized = value.trim().toLowerCase();
+    if (normalized === 'update' || normalized === 'destroy' || normalized === 'cancel') {
+        return normalized;
+    }
+    throw new Error(`cloud: on-exists must be one of update|destroy|cancel; got "${value}"`);
+}
+function readFirstString(body, fields) {
+    const record = body;
+    for (const field of fields) {
+        const value = record[field];
+        if (typeof value === 'string' && value.trim()) {
+            return value.trim();
+        }
+    }
+    return undefined;
+}
+async function pollUntil(check, timeoutMessage) {
+    const deadline = Date.now() + pollTimeoutMs();
+    while (Date.now() < deadline) {
+        if (await check())
+            return;
+        await sleep(pollIntervalMs());
+    }
+    throw new Error(timeoutMessage);
+}
+function readPersonaCloudDeployUrl(persona) {
+    const cloud = persona.cloud;
+    if (cloud !== null && typeof cloud === 'object' && 'deployUrl' in cloud) {
+        const deployUrl = cloud.deployUrl;
+        if (typeof deployUrl === 'string' && deployUrl.trim()) {
+            return deployUrl.trim();
+        }
+    }
+    return undefined;
+}
+function normalizeCloudUrl(url) {
+    const trimmed = url.trim();
+    if (!trimmed)
+        return normalizeCloudUrl(defaultApiUrl());
+    return trimmed.replace(/\/+$/, '');
+}
+async function readUsableCloudAuth(apiUrl) {
+    let auth = await cloudCredentialDeps.readStoredAuth().catch(() => null);
+    if (!auth)
+        return null;
+    if (isAuthExpired(auth.accessTokenExpiresAt)) {
+        auth = await cloudCredentialDeps.refreshStoredAuth(auth).catch((err) => {
+            console.warn(`cloud: stored auth refresh failed: ${formatErrorMessage(err)}`);
+            return null;
+        });
+    }
+    if (!auth)
+        return null;
+    return {
+        ...auth,
+        apiUrl
+    };
+}
+function formatErrorMessage(err) {
+    return err instanceof Error ? err.message : String(err);
+}
+function isAuthExpired(expiresAt) {
+    const millis = Date.parse(expiresAt);
+    return Number.isNaN(millis) || millis <= Date.now() + 60_000;
+}
+function readInputsOverride() {
+    const raw = process.env.WORKFORCE_DEPLOY_INPUTS_JSON?.trim();
+    if (!raw)
+        return undefined;
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        throw new Error('WORKFORCE_DEPLOY_INPUTS_JSON is not valid JSON');
+    }
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+        throw new Error('WORKFORCE_DEPLOY_INPUTS_JSON must be a JSON object');
+    }
+    const out = {};
+    for (const [key, value] of Object.entries(parsed)) {
+        if (typeof value !== 'string') {
+            throw new Error(`WORKFORCE_DEPLOY_INPUTS_JSON.${key} must be a string`);
+        }
+        out[key] = value;
+    }
+    return out;
+}
+async function pollAgentStatus(args) {
+    const statusUrl = `${args.cloudUrl}/api/v1/workspaces/${encodeURIComponent(args.workspaceId)}/agents/${encodeURIComponent(args.agentId)}`;
+    const deadline = Date.now() + pollTimeoutMs();
+    let lastStatus = 'starting';
+    while (Date.now() < deadline) {
+        await sleep(pollIntervalMs());
+        const body = await requestJsonWithRetry(statusUrl, {
+            method: 'GET',
+            headers: {
+                authorization: `Bearer ${args.token}`,
+                'user-agent': USER_AGENT
+            }
+        }, { action: 'cloud status poll' });
+        const status = expectStatus(body.status);
+        if (status !== lastStatus) {
+            emitLog(args, `cloud: status ${status}`);
+            lastStatus = status;
+        }
+        if (status === 'active' || status === 'failed')
+            return status;
+    }
+    throw new Error(`timed out after ${pollTimeoutMs() / 1000}s waiting for agent ${args.agentId}`);
+}
+function jsonHeaders(token) {
+    return {
+        authorization: `Bearer ${token}`,
+        'content-type': 'application/json',
+        'user-agent': USER_AGENT
+    };
+}
+async function requestJsonWithRetry(url, init, opts) {
+    let lastError;
+    for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt += 1) {
+        try {
+            const res = await fetch(url, init);
+            if (res.status === 401) {
+                throw new Error(`${opts.action} failed: unauthorized. Run \`workforce login\` and retry.`);
+            }
+            if (res.status >= 500 && attempt < MAX_ATTEMPTS) {
+                lastError = new Error(`${opts.action} failed: ${res.status} ${await responseExcerpt(res)}`);
+            }
+            else if (!res.ok) {
+                throw new Error(`${opts.action} failed: ${res.status} ${await responseExcerpt(res)}`);
+            }
+            else {
+                return (await res.json());
+            }
+        }
+        catch (err) {
+            lastError = err;
+            if (attempt === MAX_ATTEMPTS || !isRetryableError(err)) {
+                throw err;
+            }
+        }
+        await sleep(backoffMs(attempt));
+    }
+    throw lastError instanceof Error ? lastError : new Error(String(lastError));
+}
+function isRetryableError(err) {
+    if (!(err instanceof Error))
+        return false;
+    if (err.message.includes('unauthorized'))
+        return false;
+    if (err.message.includes('failed: 4'))
+        return false;
+    return true;
+}
+function backoffMs(attempt) {
+    const override = numberFromEnv('WORKFORCE_DEPLOY_RETRY_BACKOFF_MS');
+    return override ?? attempt * 500;
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function emitLog(args, line) {
+    args.onLog?.(line);
+    args.io.info(line);
+}
+function pollTimeoutMs() {
+    return numberFromEnv('WORKFORCE_DEPLOY_POLL_TIMEOUT_MS') ?? POLL_TIMEOUT_MS;
+}
+function pollIntervalMs() {
+    return numberFromEnv('WORKFORCE_DEPLOY_POLL_INTERVAL_MS') ?? POLL_INTERVAL_MS;
+}
+function numberFromEnv(name) {
+    const raw = process.env[name]?.trim();
+    if (!raw)
+        return undefined;
+    const parsed = Number(raw);
+    return Number.isFinite(parsed) && parsed >= 0 ? parsed : undefined;
+}
+async function responseExcerpt(res) {
+    const text = await res.text().catch(() => '');
+    return text.trim().slice(0, 500);
+}
+function expectString(value, field) {
+    if (typeof value !== 'string' || !value.trim()) {
+        throw new Error(`cloud deploy response missing ${field}`);
+    }
+    return value;
+}
+function expectStatus(value) {
+    if (value === 'starting' || value === 'active' || value === 'failed' || value === 'cancelled') {
+        return value;
+    }
+    throw new Error(`cloud deploy response has unknown status "${String(value)}"`);
+}
 //# sourceMappingURL=cloud.js.map