@alexkroman1/aai 0.10.4 → 0.11.1

package/dist/{constants-BbAOvKl_.js → constants-CpLN9WGY.js}

@@ -1,4 +1,4 @@
-//#region constants.ts
+//#region isolate/constants.ts
 /**
 * Centralised numeric constants — timeouts, size limits, sample rates.
 *
@@ -35,8 +35,6 @@ const MAX_VALUE_SIZE = 65536;
 const MAX_GLOB_PATTERN_LENGTH = 1024;
 /** Maximum conversation messages to retain (sliding window). */
 const DEFAULT_MAX_HISTORY = 200;
-/** Memory limit for run_code isolates (MB). */
-const RUN_CODE_MEMORY_MB = 32;
 /**
 * Content-Security-Policy applied to agent UI pages (both self-hosted and
 * platform). Single source of truth — used by `secureHeaders` middleware
@@ -44,4 +42,4 @@ const RUN_CODE_MEMORY_MB = 32;
 */
 const AGENT_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src 'self' wss: ws:; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; object-src 'none'; base-uri 'self'";
 //#endregion
-export { TOOL_EXECUTION_TIMEOUT_MS as _, DEFAULT_SHUTDOWN_TIMEOUT_MS as a, FETCH_TIMEOUT_MS as c, MAX_HTML_BYTES as d, MAX_PAGE_CHARS as f, RUN_CODE_TIMEOUT_MS as g, RUN_CODE_MEMORY_MB as h, DEFAULT_SESSION_START_TIMEOUT_MS as i, HOOK_TIMEOUT_MS as l, MAX_VALUE_SIZE as m, DEFAULT_IDLE_TIMEOUT_MS as n, DEFAULT_STT_SAMPLE_RATE as o, MAX_TOOL_RESULT_CHARS as p, DEFAULT_MAX_HISTORY as r, DEFAULT_TTS_SAMPLE_RATE as s, AGENT_CSP as t, MAX_GLOB_PATTERN_LENGTH as u };
+export { DEFAULT_SHUTDOWN_TIMEOUT_MS as a, FETCH_TIMEOUT_MS as c, MAX_HTML_BYTES as d, MAX_PAGE_CHARS as f, TOOL_EXECUTION_TIMEOUT_MS as g, RUN_CODE_TIMEOUT_MS as h, DEFAULT_SESSION_START_TIMEOUT_MS as i, HOOK_TIMEOUT_MS as l, MAX_VALUE_SIZE as m, DEFAULT_IDLE_TIMEOUT_MS as n, DEFAULT_STT_SAMPLE_RATE as o, MAX_TOOL_RESULT_CHARS as p, DEFAULT_MAX_HISTORY as r, DEFAULT_TTS_SAMPLE_RATE as s, AGENT_CSP as t, MAX_GLOB_PATTERN_LENGTH as u };

package/dist/{direct-executor-BfHrDdPL.js → direct-executor-DyY-Y4ZE.js}

@@ -1,321 +1,86 @@
-import { BuiltinToolSchema, DEFAULT_INSTRUCTIONS, ToolChoiceSchema, defineTool } from "./types.js";
-import { _ as TOOL_EXECUTION_TIMEOUT_MS, a as DEFAULT_SHUTDOWN_TIMEOUT_MS, c as FETCH_TIMEOUT_MS, d as MAX_HTML_BYTES, f as MAX_PAGE_CHARS, g as RUN_CODE_TIMEOUT_MS, l as HOOK_TIMEOUT_MS, m as MAX_VALUE_SIZE, o as DEFAULT_STT_SAMPLE_RATE, p as MAX_TOOL_RESULT_CHARS, s as DEFAULT_TTS_SAMPLE_RATE } from "./constants-BbAOvKl_.js";
-import { errorDetail, errorMessage, isReadOnlyFsOp, toolError } from "./_utils.js";
-import { callResolveTurnConfig, createAgentHooks } from "./hooks.js";
-import { ClientMessageSchema, buildReadyConfig } from "./protocol.js";
-import { matchGlob, sortAndPaginate } from "./kv.js";
+import { i as EMPTY_PARAMS, n as memoryTools, o as agentToolsToSchemas, s as toAgentConfig, t as buildSystemPrompt } from "./system-prompt-u19j6xfA.js";
+import { errorDetail, errorMessage, toolError } from "./isolate/_utils.js";
+import { a as DEFAULT_SHUTDOWN_TIMEOUT_MS, c as FETCH_TIMEOUT_MS, d as MAX_HTML_BYTES, f as MAX_PAGE_CHARS, g as TOOL_EXECUTION_TIMEOUT_MS, h as RUN_CODE_TIMEOUT_MS, l as HOOK_TIMEOUT_MS, m as MAX_VALUE_SIZE, o as DEFAULT_STT_SAMPLE_RATE, p as MAX_TOOL_RESULT_CHARS, s as DEFAULT_TTS_SAMPLE_RATE } from "./constants-CpLN9WGY.js";
+import { callResolveTurnConfig, createAgentHooks } from "./isolate/hooks.js";
+import { matchGlob, sortAndPaginate } from "./isolate/kv.js";
+import { ClientMessageSchema, buildReadyConfig } from "./isolate/protocol.js";
 import { z } from "zod";
-import WsWebSocket from "ws";
 import pTimeout from "p-timeout";
 import { createStorage, prefixStorage } from "unstorage";
+import vm from "node:vm";
 import { createNanoEvents } from "nanoevents";
-//#region runtime.ts
-/**
-* Runtime dependencies injected into the session pipeline.
-*
-* Defines the {@link Logger} interface, a default {@link consoleLogger},
-* and the {@link S2SConfig} for Speech-to-Speech endpoint configuration.
-*/
-/** Default console-backed logger. */
-const consoleLogger = {
-	info: (msg, ctx) => ctx ? console.log(msg, ctx) : console.log(msg),
-	warn: (msg, ctx) => ctx ? console.warn(msg, ctx) : console.warn(msg),
-	error: (msg, ctx) => ctx ? console.error(msg, ctx) : console.error(msg),
-	debug: (msg, ctx) => ctx ? console.debug(msg, ctx) : console.debug(msg)
-};
-/**
-* Structured JSON logger for production diagnostics. Each log entry is a
-* single-line JSON object with `timestamp`, `level`, `msg`, and any
-* caller-provided context fields.
-*/
-function jsonLog(level) {
-	return (msg, ctx) => {
-		const entry = {
-			timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-			level,
-			msg
-		};
-		if (ctx) Object.assign(entry, ctx);
-		(level === "error" || level === "warn" ? process.stderr : process.stdout).write(`${JSON.stringify(entry)}\n`);
-	};
-}
-const jsonLogger = {
-	info: jsonLog("info"),
-	warn: jsonLog("warn"),
-	error: jsonLog("error"),
-	debug: jsonLog("debug")
-};
-/** Default S2S endpoint configuration. */
-const DEFAULT_S2S_CONFIG = {
-	wssUrl: "wss://speech-to-speech.us.assemblyai.com/v1/realtime",
-	inputSampleRate: DEFAULT_STT_SAMPLE_RATE,
-	outputSampleRate: DEFAULT_TTS_SAMPLE_RATE
-};
-//#endregion
-//#region _internal-types.ts
-/**
-* Zod schema for serializable agent configuration sent over the wire.
-*
-* This is the JSON-safe subset of the agent definition that can be
-* transmitted between the worker and the host process via structured clone.
-*/
-const AgentConfigSchema = z.object({
-	name: z.string().min(1),
-	instructions: z.string(),
-	greeting: z.string(),
-	sttPrompt: z.string().optional(),
-	maxSteps: z.number().int().positive().optional(),
-	toolChoice: ToolChoiceSchema.optional(),
-	builtinTools: z.array(BuiltinToolSchema).readonly().optional(),
-	idleTimeoutMs: z.number().nonnegative().optional()
-});
-/** Extract the serializable {@link AgentConfig} subset from a source object. */
-function toAgentConfig(src) {
-	const config = {
-		name: src.name,
-		instructions: src.instructions,
-		greeting: src.greeting
-	};
-	if (src.sttPrompt !== void 0) config.sttPrompt = src.sttPrompt;
-	if (typeof src.maxSteps !== "function" && src.maxSteps !== void 0) config.maxSteps = src.maxSteps;
-	if (src.toolChoice !== void 0) config.toolChoice = src.toolChoice;
-	if (src.builtinTools) config.builtinTools = [...src.builtinTools];
-	if (src.idleTimeoutMs !== void 0) config.idleTimeoutMs = src.idleTimeoutMs;
-	return config;
-}
-/**
-* Zod schema for serialized tool definitions sent over the wire.
-*
-* `parameters` must be a valid JSON Schema object (with `type`, `properties`,
-* etc.) — the Vercel AI SDK wraps it via `jsonSchema()`.
-*/
-const ToolSchemaSchema = z.object({
-	name: z.string().min(1),
-	description: z.string().min(1),
-	parameters: z.record(z.string(), z.unknown())
-});
-/** Empty Zod object schema used as default when tools have no parameters. */
-const EMPTY_PARAMS = z.object({});
-/**
-* Convert agent tool definitions to JSON Schema format for wire transport.
-*
-* Transforms the Zod-based `parameters` of each tool into a plain JSON Schema
-* object suitable for structured clone / JSON serialization.
-*/
-function agentToolsToSchemas(tools) {
-	return Object.entries(tools).map(([name, def]) => ({
-		name,
-		description: def.description,
-		parameters: z.toJSONSchema(def.parameters ?? EMPTY_PARAMS)
-	}));
-}
-//#endregion
-//#region _run-code.ts
+import WsWebSocket from "ws";
+//#region host/_run-code.ts
 /**
-* run_code built-in tool — executes user JavaScript in a fresh secure-exec
-* V8 isolate with no network, filesystem writes, or env access.
+* run_code built-in tool — executes user JavaScript in a fresh `node:vm`
+* context with no network, filesystem, or process access.
 */
 const runCodeParams = z.object({ code: z.string().describe("JavaScript code to execute. Use console.log() for output.") });
 /**
-* Execute JavaScript code inside a fresh secure-exec V8 isolate.
+* Execute JavaScript code inside a fresh `node:vm` context.
 *
-* Each invocation spins up a disposable isolate with:
-* - No filesystem writes
-* - No network access
+* Each invocation creates a disposable VM context with:
+* - No filesystem access (`node:fs` and other built-ins unavailable)
+* - No network access (`fetch`, `http` unavailable)
 * - No child process spawning
-* - No environment variable access
-* - 32 MB memory limit
-* - 5 second execution timeout
+* - No environment variable access (`process` unavailable)
+* - Execution timeout (default 5 s)
 *
-* The isolate is disposed immediately after execution, so no state
-* leaks between invocations or across sessions.
+* The context is discarded after execution, so no state leaks between
+* invocations or across sessions.
 */
 function createRunCode() {
 	return {
-		description: "Execute JavaScript code in a secure sandbox and return the output. Use this for calculations, data transformations, string manipulation, or any task that benefits from running code. Output is captured from console.log(). No network or filesystem access.",
+		description: "Execute JavaScript code in a sandbox and return the output. Use this for calculations, data transformations, string manipulation, or any task that benefits from running code. Output is captured from console.log(). No network or filesystem access.",
 		parameters: runCodeParams,
 		async execute(args) {
 			return executeInIsolate(args.code);
 		}
 	};
 }
-/** Lazily import secure-exec to avoid top-level side effects. */
-let _secureExecPromise;
-function getSecureExec() {
-	_secureExecPromise ??= import("secure-exec");
-	return _secureExecPromise;
-}
-const RUN_CODE_HARNESS = `
-import { readFileSync } from "node:fs";
-
-const __output = [];
-const __capture = (...args) => __output.push(args.map(String).join(" "));
-const __console = {
-  log: __capture, info: __capture, warn: __capture,
-  error: __capture, debug: __capture,
-};
-try {
-  const __userCode = readFileSync("/app/user-code.js", "utf8");
-  const __AsyncFn = Object.getPrototypeOf(async function(){}).constructor;
-  const __fn = new __AsyncFn("console", __userCode);
-  await __fn(__console);
-  const result = __output.join("\\n").trim();
-  process.stdout.write(JSON.stringify({ ok: true, result: result || "Code ran successfully (no output)" }));
-} catch (err) {
-  process.stdout.write(JSON.stringify({ ok: false, error: String(err?.message ?? err) }));
-}
-`;
-const IsolateOutputSchema = z.object({
-	ok: z.boolean(),
-	result: z.string().optional(),
-	error: z.string().optional()
-});
-/** Parse stdout from the run_code harness into a result or error. */
-function parseIsolateOutput(stdout, stderr) {
-	if (!stdout) {
-		if (stderr) return { error: stderr.trim() };
-		return { error: "Code execution timed out" };
-	}
-	try {
-		const parsed = IsolateOutputSchema.parse(JSON.parse(stdout));
-		if (parsed.ok) return parsed.result ?? "Code ran successfully (no output)";
-		return { error: parsed.error ?? "Unknown error" };
-	} catch {
-		return stdout.trim() || "Code ran successfully (no output)";
-	}
-}
 /**
-* Exported for testing — execute user code in a fresh secure-exec V8 isolate.
+* Execute user code in a fresh `node:vm` context.
+*
+* @remarks
+* The VM context only exposes standard ECMAScript globals and a console
+* object that captures output. Node.js APIs (`process`, `require`,
+* `import()`) are not available inside the sandbox.
 */
 async function executeInIsolate(code) {
-	const { createInMemoryFileSystem, createNodeDriver, createNodeRuntimeDriverFactory, NodeRuntime } = await getSecureExec();
-	const fs = createInMemoryFileSystem();
-	await fs.writeFile("/app/harness.js", RUN_CODE_HARNESS);
-	await fs.writeFile("/app/user-code.js", code);
-	const stdoutChunks = [];
-	const stderrChunks = [];
-	let resolveOutput = null;
-	const outputReady = new Promise((r) => {
-		resolveOutput = r;
-	});
-	const runtime = new NodeRuntime({
-		systemDriver: createNodeDriver({
-			filesystem: fs,
-			permissions: {
-				fs: (req) => isReadOnlyFsOp(req.op) ? { allow: true } : {
-					allow: false,
-					reason: "Filesystem is read-only"
-				},
-				network: () => ({
-					allow: false,
-					reason: "Network access is disabled in run_code"
-				}),
-				childProcess: () => ({
-					allow: false,
-					reason: "Subprocess spawning is disabled"
-				}),
-				env: () => ({
-					allow: false,
-					reason: "Env access is disabled in run_code"
-				})
-			}
-		}),
-		runtimeDriverFactory: createNodeRuntimeDriverFactory(),
-		memoryLimit: 32,
-		onStdio(event) {
-			if (event.channel === "stdout") stdoutChunks.push(event.message);
-			if (event.channel === "stderr") stderrChunks.push(event.message);
-			resolveOutput?.();
-		}
+	const output = [];
+	const capture = (...args) => output.push(args.map(String).join(" "));
+	const context = vm.createContext({
+		console: {
+			log: capture,
+			info: capture,
+			warn: capture,
+			error: capture,
+			debug: capture
+		},
+		setTimeout,
+		clearTimeout,
+		setInterval,
+		clearInterval,
+		URL,
+		URLSearchParams,
+		TextEncoder,
+		TextDecoder,
+		atob,
+		btoa,
+		structuredClone,
+		queueMicrotask
 	});
-	const execPromise = runtime.exec("import \"/app/harness.js\";", { cwd: "/app" });
 	try {
-		await Promise.race([outputReady, new Promise((r) => setTimeout(r, RUN_CODE_TIMEOUT_MS))]);
-		await Promise.race([execPromise.catch(() => {}), new Promise((r) => setTimeout(r, 200))]);
-		return parseIsolateOutput(stdoutChunks.join(""), stderrChunks.join(""));
+		const wrapped = `(async () => {\n${code}\n})()`;
+		const promise = new vm.Script(wrapped, { filename: "run_code.js" }).runInContext(context, { timeout: RUN_CODE_TIMEOUT_MS });
+		await Promise.race([promise, new Promise((_, reject) => setTimeout(() => reject(/* @__PURE__ */ new Error("Code execution timed out")), RUN_CODE_TIMEOUT_MS))]);
+		return output.join("\n").trim() || "Code ran successfully (no output)";
 	} catch (err) {
 		return { error: errorMessage(err) };
-	} finally {
-		runtime.dispose();
 	}
 }
 //#endregion
-//#region memory-tools.ts
-/**
-* KV-backed memory tools for agent persistent state.
-*/
-/**
-* Returns a standard set of KV-backed memory tools: `save_memory`,
-* `recall_memory`, `list_memories`, and `forget_memory`.
-*
-* Spread the result into your agent's `tools` record.
-*
-* @example
-* ```ts
-* import { defineAgent, memoryTools } from "aai";
-*
-* export default defineAgent({
-*   name: "My Agent",
-*   tools: { ...memoryTools() },
-* });
-* ```
-*
-* @returns A record with four tool definitions: `save_memory`, `recall_memory`,
-*   `list_memories`, and `forget_memory`.
-* @public
-*/
-function memoryTools() {
-	return {
-		save_memory: defineTool({
-			description: "Save a piece of information to persistent memory. Use a descriptive key like 'user:name' or 'project:status'.",
-			parameters: z.object({
-				key: z.string().describe("A descriptive key for this memory (e.g. 'user:name', 'preference:color')"),
-				value: z.string().describe("The information to remember")
-			}),
-			execute: async ({ key, value }, ctx) => {
-				await ctx.kv.set(key, value);
-				return { saved: key };
-			}
-		}),
-		recall_memory: defineTool({
-			description: "Retrieve a previously saved memory by its key.",
-			parameters: z.object({ key: z.string().describe("The key to look up") }),
-			execute: async ({ key }, ctx) => {
-				const value = await ctx.kv.get(key);
-				if (value === null) return {
-					found: false,
-					key
-				};
-				return {
-					found: true,
-					key,
-					value
-				};
-			}
-		}),
-		list_memories: defineTool({
-			description: "List all saved memory keys, optionally filtered by a prefix (e.g. 'user:').",
-			parameters: z.object({ prefix: z.string().describe("Prefix to filter keys (e.g. 'user:'). Use empty string for all.").optional() }),
-			execute: async ({ prefix }, ctx) => {
-				const entries = await ctx.kv.list(prefix ?? "");
-				return {
-					count: entries.length,
-					keys: entries.map((e) => e.key)
-				};
-			}
-		}),
-		forget_memory: defineTool({
-			description: "Delete a previously saved memory by its key.",
-			parameters: z.object({ key: z.string().describe("The key to delete") }),
-			execute: async ({ key }, ctx) => {
-				await ctx.kv.delete(key);
-				return { deleted: key };
-			}
-		})
-	};
-}
-//#endregion
-//#region builtin-tools.ts
+//#region host/builtin-tools.ts
 /**
 * Built-in tool definitions for the AAI agent SDK.
 *
@@ -477,7 +242,50 @@ function getBuiltinToolSchemas(names) {
 	})));
 }
 //#endregion
-//#region s2s.ts
+//#region host/runtime.ts
+/**
+* Runtime dependencies injected into the session pipeline.
+*
+* Defines the {@link Logger} interface, a default {@link consoleLogger},
+* and the {@link S2SConfig} for Speech-to-Speech endpoint configuration.
+*/
+/** Default console-backed logger. */
+const consoleLogger = {
+	info: (msg, ctx) => ctx ? console.log(msg, ctx) : console.log(msg),
+	warn: (msg, ctx) => ctx ? console.warn(msg, ctx) : console.warn(msg),
+	error: (msg, ctx) => ctx ? console.error(msg, ctx) : console.error(msg),
+	debug: (msg, ctx) => ctx ? console.debug(msg, ctx) : console.debug(msg)
+};
+/**
+* Structured JSON logger for production diagnostics. Each log entry is a
+* single-line JSON object with `timestamp`, `level`, `msg`, and any
+* caller-provided context fields.
+*/
+function jsonLog(level) {
+	return (msg, ctx) => {
+		const entry = {
+			timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+			level,
+			msg
+		};
+		if (ctx) Object.assign(entry, ctx);
+		(level === "error" || level === "warn" ? process.stderr : process.stdout).write(`${JSON.stringify(entry)}\n`);
+	};
+}
+const jsonLogger = {
+	info: jsonLog("info"),
+	warn: jsonLog("warn"),
+	error: jsonLog("error"),
+	debug: jsonLog("debug")
+};
+/** Default S2S endpoint configuration. */
+const DEFAULT_S2S_CONFIG = {
+	wssUrl: "wss://speech-to-speech.us.assemblyai.com/v1/realtime",
+	inputSampleRate: DEFAULT_STT_SAMPLE_RATE,
+	outputSampleRate: DEFAULT_TTS_SAMPLE_RATE
+};
+//#endregion
+//#region host/s2s.ts
 const uint8ToBase64 = (bytes) => Buffer.from(bytes).toString("base64");
 const base64ToUint8 = (base64) => new Uint8Array(Buffer.from(base64, "base64"));
 const WS_OPEN = 1;
@@ -726,37 +534,7 @@ function connectS2s(opts) {
 	});
 }
 //#endregion
-//#region system-prompt.ts
-function getFormattedDate() {
-	return (/* @__PURE__ */ new Date()).toLocaleDateString("en-US", {
-		weekday: "long",
-		year: "numeric",
-		month: "long",
-		day: "numeric"
-	});
-}
-const VOICE_RULES = "\n\nCRITICAL OUTPUT RULES — you MUST follow these for EVERY response:\nYour response will be spoken aloud by a TTS system and displayed as plain text.\n- NEVER use markdown: no **, no *, no _, no #, no `, no [](), no ---\n- NEVER use bullet points (-, *, •) or numbered lists (1., 2.)\n- NEVER use code blocks or inline code\n- NEVER mention tools, search, APIs, or technical failures to the user. If a tool returns no results, just answer naturally without explaining why.\n- Write exactly as you would say it out loud to a friend\n- Use short conversational sentences. To list things, say \"First,\" \"Next,\" \"Finally,\"\n- Keep responses concise — 1 to 3 sentences max";
-/**
-* Build the system prompt sent to the LLM from the agent configuration.
-*
-* Assembles the default instructions, today's date, agent-specific instructions,
-* and optional sections for tool usage preamble and voice output rules.
-*
-* @param config - The serializable agent configuration (name, instructions, etc.).
-* @param opts.hasTools - When `true`, appends a preamble instructing the LLM to
-*   speak a brief phrase before each tool call to fill silence.
-* @param opts.voice - When `true`, appends strict voice-specific output rules
-*   (no markdown, no bullet points, conversational tone, concise responses).
-* @returns The assembled system prompt string.
-*/
-function buildSystemPrompt(config, opts) {
-	const { hasTools } = opts;
-	const agentInstructions = config.instructions && config.instructions !== DEFAULT_INSTRUCTIONS ? `\n\nAgent-Specific Instructions:\n${config.instructions}` : "";
-	const toolPreamble = hasTools ? "\n\nWhen you decide to use a tool, ALWAYS say a brief natural phrase BEFORE the tool call (e.g. \"Let me look that up\" or \"One moment while I check\"). This fills silence while the tool executes. Keep preambles to one short sentence." : "";
-	return DEFAULT_INSTRUCTIONS + `\n\nToday's date is ${getFormattedDate()}.` + agentInstructions + toolPreamble + (opts.voice ? VOICE_RULES : "");
-}
-//#endregion
-//#region session.ts
+//#region host/session.ts
 function buildCtx(opts) {
 	const { id, agentConfig, hooks, log } = opts;
 	const maxHistory = opts.maxHistory ?? 200;
@@ -1149,7 +927,7 @@ function createS2sSession(opts) {
 	};
 }
 //#endregion
-//#region unstorage-kv.ts
+//#region host/unstorage-kv.ts
 /**
 * Key-value store backed by unstorage.
 *
@@ -1210,7 +988,7 @@ function createUnstorageKv(options) {
 	};
 }
 //#endregion
-//#region ws-handler.ts
+//#region host/ws-handler.ts
 /**
 * WebSocket session lifecycle handler.
 *
@@ -1400,7 +1178,7 @@ function wireSessionSocket(ws, opts) {
 	});
 }
 //#endregion
-//#region direct-executor.ts
+//#region host/direct-executor.ts
 /**
 * Agent runtime — the execution engine for voice agents.
 *
@@ -1586,4 +1364,4 @@ function createRuntime(opts) {
 	};
 }
 //#endregion
-export { consoleLogger as _, _internals as a, buildSystemPrompt as c, AgentConfigSchema as d, EMPTY_PARAMS as f, DEFAULT_S2S_CONFIG as g, toAgentConfig as h, createUnstorageKv as i, connectS2s as l, agentToolsToSchemas as m, executeToolCall as n, buildCtx as o, ToolSchemaSchema as p, wireSessionSocket as r, createS2sSession as s, createRuntime as t, defaultCreateS2sWebSocket as u, jsonLogger as v };
+export { _internals as a, connectS2s as c, consoleLogger as d, jsonLogger as f, createUnstorageKv as i, defaultCreateS2sWebSocket as l, executeToolCall as n, buildCtx as o, wireSessionSocket as r, createS2sSession as s, createRuntime as t, DEFAULT_S2S_CONFIG as u };

package/dist/host/_run-code.d.ts

@@ -0,0 +1,35 @@
+/**
+ * run_code built-in tool — executes user JavaScript in a fresh `node:vm`
+ * context with no network, filesystem, or process access.
+ */
+import { z } from "zod";
+import type { ToolDef } from "../isolate/types.ts";
+declare const runCodeParams: z.ZodObject<{
+    code: z.ZodString;
+}, z.core.$strip>;
+/**
+ * Execute JavaScript code inside a fresh `node:vm` context.
+ *
+ * Each invocation creates a disposable VM context with:
+ * - No filesystem access (`node:fs` and other built-ins unavailable)
+ * - No network access (`fetch`, `http` unavailable)
+ * - No child process spawning
+ * - No environment variable access (`process` unavailable)
+ * - Execution timeout (default 5 s)
+ *
+ * The context is discarded after execution, so no state leaks between
+ * invocations or across sessions.
+ */
+export declare function createRunCode(): ToolDef<typeof runCodeParams>;
+/**
+ * Execute user code in a fresh `node:vm` context.
+ *
+ * @remarks
+ * The VM context only exposes standard ECMAScript globals and a console
+ * object that captures output. Node.js APIs (`process`, `require`,
+ * `import()`) are not available inside the sandbox.
+ */
+export declare function executeInIsolate(code: string): Promise<string | {
+    error: string;
+}>;
+export {};

package/dist/host/_runtime-conformance.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Shared runtime conformance tests.
+ *
+ * Both the self-hosted direct executor and the platform sandbox must satisfy
+ * the same behavioral contract. This module defines that contract as a
+ * reusable test suite that can be wired to either runtime.
+ *
+ * Inspired by Nitro's `testNitro()` pattern: one test fixture, many runtimes.
+ *
+ * @example Direct executor (unit test)
+ * ```ts
+ * import { testRuntime } from "./_runtime-conformance.ts";
+ *
+ * testRuntime("direct", () => {
+ *   const exec = createRuntime({ agent: CONFORMANCE_AGENT, env: { MY_VAR: "test-value" } });
+ *   return { executeTool: exec.executeTool, hooks: exec.hooks };
+ * });
+ * ```
+ *
+ * @example Sandbox (integration test in aai-server)
+ * ```ts
+ * import { testRuntime } from "@alexkroman1/aai/host";
+ *
+ * testRuntime("sandbox", async () => {
+ *   // ... start isolate with a bundled agent
+ *   return { executeTool: buildExecuteTool(...), hooks: buildHookInvoker(...) };
+ * });
+ * ```
+ */
+import type { ExecuteTool } from "../isolate/_internal-types.ts";
+import type { AgentHooks } from "../isolate/hooks.ts";
+import { type AgentDef } from "../isolate/types.ts";
+/**
+ * Minimal runtime surface needed for conformance tests.
+ *
+ * Both `Runtime` and `buildExecuteTool`/`buildHookInvoker` from the
+ * sandbox produce objects that satisfy this interface.
+ */
+export type RuntimeTestContext = {
+    executeTool: ExecuteTool;
+    hooks: AgentHooks;
+};
+/** Agent definition used by the conformance suite (direct executor path). */
+export declare const CONFORMANCE_AGENT: AgentDef;
+/**
+ * Run the runtime conformance test suite against a given runtime context.
+ *
+ * The `getContext` callback is invoked once per test to retrieve the
+ * current {@link RuntimeTestContext}. This allows the caller to set up
+ * the runtime in a `beforeAll` and return it lazily.
+ *
+ * All tests assume the runtime was created with {@link CONFORMANCE_AGENT}
+ * (or its bundle equivalent) and `env: { MY_VAR: "test-value" }`.
+ */
+export declare function testRuntime(label: string, getContext: () => RuntimeTestContext): void;

package/dist/{_test-utils.d.ts → host/_test-utils.d.ts}

@@ -1,14 +1,17 @@
-import type { AgentConfig } from "./_internal-types.ts";
-import type { ClientSink } from "./protocol.ts";
+import type { AgentConfig } from "../isolate/_internal-types.ts";
+import type { ClientSink } from "../isolate/protocol.ts";
+import type { AgentDef, ToolContext, ToolDef } from "../isolate/types.ts";
 import type { S2sEvents, S2sHandle } from "./s2s.ts";
+import type { Session } from "./session.ts";
 import { type S2sSessionOptions } from "./session.ts";
-import type { AgentDef, ToolContext, ToolDef } from "./types.ts";
 /** Yield to the microtask queue so pending promises settle. */
 export declare function flush(): Promise<void>;
 export declare function createMockToolContext(overrides?: Partial<ToolContext>): ToolContext;
 export declare function makeTool(overrides?: Partial<ToolDef>): ToolDef;
 export declare function makeAgent(overrides?: Partial<AgentDef>): AgentDef;
 export declare function makeConfig(overrides?: Partial<AgentConfig>): AgentConfig;
+/** Create a stub Session with all methods as vi.fn() spies. */
+export declare function makeStubSession(overrides?: Partial<Session>): Session;
 export type MockS2sHandle = S2sHandle & {
     _fire: <K extends keyof S2sEvents>(type: K, ...args: Parameters<S2sEvents[K]>) => void;
 };
@@ -55,7 +58,7 @@ export declare function replayFixtureMessages(handle: MockS2sHandle, messages: R
 export declare function createFixtureSession(agent: AgentDef<any>, opts?: {
     env?: Record<string, string>;
 }): {
-    session: import("./session.ts").Session;
+    session: Session;
     client: ClientSink & {
         events: unknown[];
         audioChunks: Uint8Array[];

package/dist/{builtin-tools.d.ts → host/builtin-tools.d.ts}

@@ -6,10 +6,10 @@
  * Network requests go through the host's fetch proxy (with SSRF protection).
  */
 import { z } from "zod";
-import { type ToolSchema } from "./_internal-types.ts";
-import type { ToolDef } from "./types.ts";
+import { type ToolSchema } from "../isolate/_internal-types.ts";
+import type { ToolDef } from "../isolate/types.ts";
+export { memoryTools } from "../isolate/memory-tools.ts";
 export { executeInIsolate } from "./_run-code.ts";
-export { memoryTools } from "./memory-tools.ts";
 /** Options for creating built-in tool definitions. */
 export type BuiltinToolOptions = {
     /** Override fetch implementation (defaults to globalThis.fetch). For testing. */