@cat-factory/integrations 0.6.0

package/dist/modules/runners/HttpRunnerPoolProvider.js

@@ -0,0 +1,304 @@
+import { STRICT_URL_SAFETY_POLICY } from '@cat-factory/kernel';
+import * as environmentsLogic from '../environments/environments.logic.js';
+import * as runnersLogic from './runners.logic.js';
+// The single generic adapter that interprets ANY runner-pool manifest. There are
+// no per-org presets: an org's pool scheduler API is described as HTTP request
+// templates with `{{var}}` interpolation, an auth scheme, and a dot-path mapping
+// from its (arbitrary) status response onto the canonical harness job view. This
+// is the runner-pool sibling of HttpEnvironmentProvider and reuses the same
+// generic primitives (interpolation, dot-path extraction, the SSRF guard).
+//
+// Runtime-neutral (`fetch` + Web APIs only), so both the Cloudflare Worker and the
+// Node service drive an org's self-hosted pool through one shared implementation.
+//
+// Security: every URL is SSRF-guarded before it is fetched; the per-tenant
+// scheduler secrets are resolved in-memory via the injected resolver and only
+// ever placed in request headers — never logged or echoed in errors (error
+// bodies are length-capped and carry no request headers). The per-job GitHub +
+// LLM-proxy tokens travel inside the interpolated dispatch body (the runner needs
+// them) and are likewise never logged.
+const DEFAULT_TIMEOUT_MS = 30_000;
+const MAX_RESPONSE_CHARS = 200_000;
+const USER_AGENT = 'cat-factory';
+/** Carries the HTTP status so callers can surface a meaningful (redacted) error. */
+export class RunnerPoolApiError extends Error {
+    status;
+    constructor(status, message) {
+        super(message);
+        this.status = status;
+        this.name = 'RunnerPoolApiError';
+    }
+}
+export class HttpRunnerPoolProvider {
+    defaultTimeoutMs;
+    urlPolicy;
+    /** Per-isolate OAuth token cache, keyed by token URL + client id. */
+    oauthCache = new Map();
+    constructor(options = {}) {
+        this.defaultTimeoutMs = options.defaultTimeoutMs ?? DEFAULT_TIMEOUT_MS;
+        this.urlPolicy = options.urlPolicy ?? STRICT_URL_SAFETY_POLICY;
+    }
+    async dispatch(req) {
+        await this.execute(req.manifest, req.manifest.dispatch, this.scope(req.jobId, req.spec), req.resolveSecret);
+    }
+    async poll(req) {
+        const json = await this.execute(req.manifest, req.manifest.poll, this.scope(req.jobId), req.resolveSecret);
+        return this.mapJobView(req.manifest, json);
+    }
+    async release(req) {
+        if (!req.manifest.release)
+            return;
+        await this.execute(req.manifest, req.manifest.release, this.scope(req.jobId), req.resolveSecret);
+    }
+    // --- internals ----------------------------------------------------------
+    /**
+     * The bounded interpolation scope a template sees:
+     *   - `{{input.jobId}}` — the id the pool is keyed on (sticky routing target);
+     *   - `{{input.job}}`   — the full harness job spec as JSON, so a body template can
+     *                         forward it verbatim (`{"payload":{{input.job}}}`);
+     *   - `{{input.kind}}`  — the harness job kind (`run` | `blueprint` | `spec` |
+     *                         `explore` | `bootstrap` | `ci-fix` | `resolve-conflicts` |
+     *                         `merge` | `on-call` | `test` | `fix-tests`). The harness
+     *                         itself reads the kind from the job body (`POST /jobs`), so
+     *                         a manifest does NOT need to route by kind; this is exposed
+     *                         flat only so a manifest can map it to a scheduler-side
+     *                         node selector / queue / resource hint without decoding the
+     *                         embedded `{{input.job}}` JSON;
+     *   - `{{input.instanceType}}` / `{{input.cloudProvider}}` — the provisioning hints
+     *                         the transport stamped on for a self-provisioning pool
+     *                         (present only when the service pins a size/provider), so a
+     *                         manifest can map them to a node selector / resource request
+     *                         / queue without decoding `{{input.job}}`.
+     * Reuses the environments interpolation machinery; the second (`provision`)
+     * namespace is unused by runner manifests.
+     */
+    scope(jobId, spec) {
+        const input = {
+            jobId,
+            job: spec ? JSON.stringify(spec) : '',
+        };
+        // Surface the routing/sizing hints the RunnerPoolTransport stamps onto the
+        // dispatch spec as first-class `{{input.*}}` variables. They live inside
+        // `{{input.job}}` too, but a path/query/header template can't reach into that JSON
+        // string — exposing them flat lets a manifest route-by-kind and size declaratively.
+        for (const key of ['kind', 'instanceType', 'cloudProvider']) {
+            const value = spec?.[key];
+            if (typeof value === 'string')
+                input[key] = value;
+        }
+        return { input, provision: {} };
+    }
+    async execute(manifest, template, scope, resolveSecret) {
+        const url = this.buildUrl(manifest.baseUrl, template, scope);
+        environmentsLogic.assertSafeEnvironmentUrl(url, 'request URL', this.urlPolicy);
+        const headers = {
+            accept: 'application/json',
+            'user-agent': USER_AGENT,
+            ...(await this.authHeaders(manifest.auth, resolveSecret)),
+        };
+        for (const h of template.headers ?? []) {
+            headers[h.name] = environmentsLogic.interpolateTemplate(h.value, scope);
+        }
+        let body;
+        if (template.bodyTemplate !== undefined && template.method !== 'GET') {
+            body = environmentsLogic.interpolateTemplate(template.bodyTemplate, scope);
+            if (!headers['content-type'])
+                headers['content-type'] = 'application/json';
+        }
+        const res = await fetch(url, {
+            method: template.method,
+            headers,
+            body,
+            signal: AbortSignal.timeout(template.timeoutMs ?? this.defaultTimeoutMs),
+        });
+        const text = await res.text().catch(() => '');
+        if (!res.ok) {
+            throw new RunnerPoolApiError(res.status, `Runner pool ${template.method} → ${res.status}: ${text.slice(0, 300)}`);
+        }
+        if (text.length > MAX_RESPONSE_CHARS) {
+            throw new RunnerPoolApiError(502, 'Runner pool response too large');
+        }
+        if (!text)
+            return {};
+        try {
+            return JSON.parse(text);
+        }
+        catch {
+            return {};
+        }
+    }
+    buildUrl(baseUrl, template, scope) {
+        const base = baseUrl.replace(/\/+$/, '');
+        const path = environmentsLogic.interpolateTemplate(template.pathTemplate, scope);
+        let url = path ? `${base}${path.startsWith('/') ? '' : '/'}${path}` : base;
+        const query = (template.query ?? [])
+            .map((q) => `${encodeURIComponent(q.key)}=${encodeURIComponent(environmentsLogic.interpolateTemplate(q.value, scope))}`)
+            .join('&');
+        if (query)
+            url += `${url.includes('?') ? '&' : '?'}${query}`;
+        return url;
+    }
+    async authHeaders(auth, resolveSecret) {
+        const secret = (key) => {
+            const value = resolveSecret(key);
+            if (value === undefined)
+                throw new RunnerPoolApiError(500, `Missing secret '${key}'`);
+            return value;
+        };
+        switch (auth.type) {
+            case 'none':
+                return {};
+            case 'api_key':
+                return { [auth.headerName]: `${auth.valuePrefix ?? ''}${secret(auth.secretRef.key)}` };
+            case 'bearer':
+                return { authorization: `Bearer ${secret(auth.secretRef.key)}` };
+            case 'basic':
+                return {
+                    authorization: `Basic ${btoa(`${secret(auth.usernameSecretRef.key)}:${secret(auth.passwordSecretRef.key)}`)}`,
+                };
+            case 'oauth2_client_credentials':
+                return { authorization: `Bearer ${await this.oauthToken(auth, secret)}` };
+            case 'custom_headers': {
+                const headers = {};
+                for (const h of auth.headers)
+                    headers[h.name] = secret(h.secretRef.key);
+                return headers;
+            }
+        }
+    }
+    async oauthToken(auth, secret) {
+        const clientId = secret(auth.clientIdSecretRef.key);
+        const cacheKey = `${auth.tokenUrl}::${clientId}`;
+        const cached = this.oauthCache.get(cacheKey);
+        if (cached && cached.expiresAt > Date.now() + 5_000)
+            return cached.token;
+        environmentsLogic.assertSafeEnvironmentUrl(auth.tokenUrl, 'OAuth token URL', this.urlPolicy);
+        const form = new URLSearchParams({
+            grant_type: 'client_credentials',
+            client_id: clientId,
+            client_secret: secret(auth.clientSecretSecretRef.key),
+        });
+        if (auth.scope)
+            form.set('scope', auth.scope);
+        if (auth.audience)
+            form.set('audience', auth.audience);
+        const res = await fetch(auth.tokenUrl, {
+            method: 'POST',
+            headers: {
+                'content-type': 'application/x-www-form-urlencoded',
+                accept: 'application/json',
+                'user-agent': USER_AGENT,
+            },
+            body: form.toString(),
+            signal: AbortSignal.timeout(this.defaultTimeoutMs),
+        });
+        if (!res.ok) {
+            const text = await res.text().catch(() => '');
+            throw new RunnerPoolApiError(res.status, `OAuth token request → ${res.status}: ${text.slice(0, 200)}`);
+        }
+        const json = (await res.json().catch(() => null));
+        if (!json?.access_token) {
+            throw new RunnerPoolApiError(502, 'OAuth token response missing access_token');
+        }
+        const ttlMs = (typeof json.expires_in === 'number' ? json.expires_in : 300) * 1000;
+        this.oauthCache.set(cacheKey, { token: json.access_token, expiresAt: Date.now() + ttlMs });
+        return json.access_token;
+    }
+    /** Project the scheduler's arbitrary status response onto the canonical view. */
+    mapJobView(manifest, json) {
+        const r = manifest.response;
+        const rawStatus = environmentsLogic.extractString(json, r.statusPath);
+        const state = runnersLogic.mapJobState(rawStatus, r.statusMap);
+        const error = environmentsLogic.extractString(json, r.errorPath);
+        const view = { state };
+        const progress = this.mapProgress(manifest, json);
+        if (progress)
+            view.progress = progress;
+        if (state === 'failed') {
+            view.error = error ?? 'Runner pool reported the job failed';
+            return view;
+        }
+        if (state === 'done') {
+            const result = {};
+            // The WHOLE structured work product when the scheduler exposes the harness
+            // `result` envelope: forwards EVERY product (blueprint tree, spec, merge
+            // assessment, test report, bootstrap branch, …), not just the PR scalars — so a
+            // pool-backed tester/merger/blueprinter reaches the engine intact.
+            if (r.resultPath) {
+                Object.assign(result, coerceRunnerResult(environmentsLogic.extractByPath(json, r.resultPath)));
+            }
+            // Individual scalar paths still apply (and override) for schedulers that surface
+            // the PR url / branch / summary outside any result envelope.
+            const prUrl = environmentsLogic.extractString(json, r.prUrlPath);
+            const branch = environmentsLogic.extractString(json, r.branchPath);
+            const summary = environmentsLogic.extractString(json, r.summaryPath);
+            if (prUrl)
+                result.prUrl = prUrl;
+            if (branch)
+                result.branch = branch;
+            if (summary)
+                result.summary = summary;
+            // A structured error on an otherwise-"done" job is still a failure; the
+            // executor maps a result-level `error` to a failed step.
+            if (error)
+                result.error = error;
+            view.result = result;
+        }
+        return view;
+    }
+    mapProgress(manifest, json) {
+        const r = manifest.response;
+        const num = (path) => {
+            const raw = environmentsLogic.extractString(json, path);
+            if (raw === undefined)
+                return undefined;
+            const n = Number(raw);
+            return Number.isFinite(n) ? n : undefined;
+        };
+        const completed = num(r.progressCompletedPath);
+        const inProgress = num(r.progressInProgressPath);
+        const total = num(r.progressTotalPath);
+        if (completed === undefined && inProgress === undefined && total === undefined)
+            return undefined;
+        return { completed: completed ?? 0, inProgress: inProgress ?? 0, total: total ?? 0 };
+    }
+}
+/**
+ * Coerce a scheduler's `result` envelope into the canonical {@link RunnerJobResult},
+ * picking only the known fields by type. The structured products (`service` /
+ * `spec` / `assessment` / `report`) are passed through verbatim for the engine to
+ * strictly validate; the scalars/booleans are type-guarded. Anything unexpected is
+ * dropped, so a malformed envelope can never inject junk into the run result.
+ */
+function coerceRunnerResult(raw) {
+    if (typeof raw !== 'object' || raw === null)
+        return {};
+    const o = raw;
+    const out = {};
+    const STRINGS = ['prUrl', 'branch', 'summary', 'error', 'defaultBranch'];
+    for (const k of STRINGS) {
+        if (typeof o[k] === 'string')
+            out[k] = o[k];
+    }
+    if (typeof o.pushed === 'boolean')
+        out.pushed = o.pushed;
+    if (typeof o.resolved === 'boolean')
+        out.resolved = o.resolved;
+    // Structured work products (carried as `unknown` on the port — the engine validates).
+    for (const k of ['service', 'spec', 'assessment', 'report']) {
+        if (o[k] !== undefined)
+            out[k] = o[k];
+    }
+    const usage = o.usage;
+    if (typeof usage === 'object' &&
+        usage !== null &&
+        typeof usage.inputTokens === 'number' &&
+        typeof usage.outputTokens === 'number') {
+        out.usage = {
+            inputTokens: usage.inputTokens,
+            outputTokens: usage.outputTokens,
+        };
+    }
+    return out;
+}
+//# sourceMappingURL=HttpRunnerPoolProvider.js.map

package/dist/modules/runners/HttpRunnerPoolProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"HttpRunnerPoolProvider.js","sourceRoot":"","sources":["../../../src/modules/runners/HttpRunnerPoolProvider.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAA;AAC9D,OAAO,KAAK,iBAAiB,MAAM,uCAAuC,CAAA;AAC1E,OAAO,KAAK,YAAY,MAAM,oBAAoB,CAAA;AAElD,iFAAiF;AACjF,+EAA+E;AAC/E,iFAAiF;AACjF,iFAAiF;AACjF,4EAA4E;AAC5E,2EAA2E;AAC3E,EAAE;AACF,mFAAmF;AACnF,kFAAkF;AAClF,EAAE;AACF,2EAA2E;AAC3E,8EAA8E;AAC9E,2EAA2E;AAC3E,+EAA+E;AAC/E,kFAAkF;AAClF,uCAAuC;AAEvC,MAAM,kBAAkB,GAAG,MAAM,CAAA;AACjC,MAAM,kBAAkB,GAAG,OAAO,CAAA;AAClC,MAAM,UAAU,GAAG,aAAa,CAAA;AAEhC,oFAAoF;AACpF,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAEhC,MAAM;IADjB,YACW,MAAc,EACvB,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAA;sBAHL,MAAM;QAIf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAA;IAClC,CAAC;CACF;AAQD,MAAM,OAAO,sBAAsB;IAChB,gBAAgB,CAAQ;IACxB,SAAS,CAAiB;IAC3C,qEAAqE;IACpD,UAAU,GAAG,IAAI,GAAG,EAAgD,CAAA;IAErF,YAAY,OAAO,GAAkC,EAAE;QACrD,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,kBAAkB,CAAA;QACtE,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,wBAAwB,CAAA;IAChE,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAA0B;QACvC,MAAM,IAAI,CAAC,OAAO,CAChB,GAAG,CAAC,QAAQ,EACZ,GAAG,CAAC,QAAQ,CAAC,QAAQ,EACrB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,EAC/B,GAAG,CAAC,aAAa,CAClB,CAAA;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAsB;QAC/B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAC7B,GAAG,CAAC,QAAQ,EACZ,GAAG,CAAC,QAAQ,CAAC,IAAI,EACjB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,EACrB,GAAG,CAAC,aAAa,CAClB,CAAA;QACD,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAsB;QAClC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO;YAAE,OAAM;QACjC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,aAAa,CAAC,CAAA;IAClG,CAAC;IAED,2EAA2E;IAE3E;;;;;;;;;;;;;;;;;;;;OAoBG;IACK,KAAK,CACX,KAAa,EACb,IAA8B;QAE9B,MAAM,KAAK,GAA2B;YACpC,KAAK;YACL,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;SACtC,CAAA;QACD,2EAA2E;QAC3E,yEAAyE;QACzE,mFAAmF;QACnF,oFAAoF;QACpF,KAAK,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,cAAc,EAAE,eAAe,CAAU,EAAE,CAAC;YACrE,MAAM,KAAK,GAAG,IAAI,EAAE,CAAC,GAAG,CAAC,CAAA;YACzB,IAAI,OAAO,KAAK,KAAK,QAAQ;gBAAE,KAAK,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;QACnD,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,CAAA;IACjC,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,QAA4B,EAC5B,QAAmC,EACnC,KAA2C,EAC3C,aAA6B;QAE7B,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAA;QAC5D,iBAAiB,CAAC,wBAAwB,CAAC,GAAG,EAAE,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,CAAA;QAE9E,MAAM,OAAO,GAA2B;YACtC,MAAM,EAAE,kBAAkB;YAC1B,YAAY,EAAE,UAAU;YACxB,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;SAC1D,CAAA;QACD,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;YACvC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CAAA;QACzE,CAAC;QAED,IAAI,IAAwB,CAAA;QAC5B,IAAI,QAAQ,CAAC,YAAY,KAAK,SAAS,IAAI,QAAQ,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YACrE,IAAI,GAAG,iBAAiB,CAAC,mBAAmB,CAAC,QAAQ,CAAC,YAAY,EAAE,KAAK,CAAC,CAAA;YAC1E,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;gBAAE,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAA;QAC5E,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,OAAO;YACP,IAAI;YACJ,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,IAAI,IAAI,CAAC,gBAAgB,CAAC;SACzE,CAAC,CAAA;QAEF,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;QAC7C,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,kBAAkB,CAC1B,GAAG,CAAC,MAAM,EACV,eAAe,QAAQ,CAAC,MAAM,MAAM,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CACxE,CAAA;QACH,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,kBAAkB,EAAE,CAAC;YACrC,MAAM,IAAI,kBAAkB,CAAC,GAAG,EAAE,gCAAgC,CAAC,CAAA;QACrE,CAAC;QACD,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,CAAA;QACpB,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC;IAEO,QAAQ,CACd,OAAe,EACf,QAAmC,EACnC,KAA2C;QAE3C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;QACxC,MAAM,IAAI,GAAG,iBAAiB,CAAC,mBAAmB,CAAC,QAAQ,CAAC,YAAY,EAAE,KAAK,CAAC,CAAA;QAChF,IAAI,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAA;QAC1E,MAAM,KAAK,GAAG,CAAC,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC;aACjC,GAAG,CACF,CAAC,CAAC,EAAE,EAAE,CACJ,GAAG,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAChD,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CACtD,EAAE,CACN;aACA,IAAI,CAAC,GAAG,CAAC,CAAA;QACZ,IAAI,KAAK;YAAE,GAAG,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,EAAE,CAAA;QAC5D,OAAO,GAAG,CAAA;IACZ,CAAC;IAEO,KAAK,CAAC,WAAW,CACvB,IAA0B,EAC1B,aAA6B;QAE7B,MAAM,MAAM,GAAG,CAAC,GAAW,EAAU,EAAE;YACrC,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,CAAA;YAChC,IAAI,KAAK,KAAK,SAAS;gBAAE,MAAM,IAAI,kBAAkB,CAAC,GAAG,EAAE,mBAAmB,GAAG,GAAG,CAAC,CAAA;YACrF,OAAO,KAAK,CAAA;QACd,CAAC,CAAA;QACD,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;YAClB,KAAK,MAAM;gBACT,OAAO,EAAE,CAAA;YACX,KAAK,SAAS;gBACZ,OAAO,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,CAAA;YACxF,KAAK,QAAQ;gBACX,OAAO,EAAE,aAAa,EAAE,UAAU,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,CAAA;YAClE,KAAK,OAAO;gBACV,OAAO;oBACL,aAAa,EAAE,SAAS,IAAI,CAC1B,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,EAAE,CAC9E,EAAE;iBACJ,CAAA;YACH,KAAK,2BAA2B;gBAC9B,OAAO,EAAE,aAAa,EAAE,UAAU,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,CAAA;YAC3E,KAAK,gBAAgB,EAAE,CAAC;gBACtB,MAAM,OAAO,GAA2B,EAAE,CAAA;gBAC1C,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO;oBAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;gBACvE,OAAO,OAAO,CAAA;YAChB,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,IAA0E,EAC1E,MAA+B;QAE/B,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QACnD,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAA;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC5C,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;YAAE,OAAO,MAAM,CAAC,KAAK,CAAA;QAExE,iBAAiB,CAAC,wBAAwB,CAAC,IAAI,CAAC,QAAQ,EAAE,iBAAiB,EAAE,IAAI,CAAC,SAAS,CAAC,CAAA;QAC5F,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,QAAQ;YACnB,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC;SACtD,CAAC,CAAA;QACF,IAAI,IAAI,CAAC,KAAK;YAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7C,IAAI,IAAI,CAAC,QAAQ;YAAE,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAA;QAEtD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;gBAC1B,YAAY,EAAE,UAAU;aACzB;YACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;YACrB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC;SACnD,CAAC,CAAA;QACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;YAC7C,MAAM,IAAI,kBAAkB,CAC1B,GAAG,CAAC,MAAM,EACV,yBAAyB,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAC7D,CAAA;QACH,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAGxC,CAAA;QACR,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;YACxB,MAAM,IAAI,kBAAkB,CAAC,GAAG,EAAE,2CAA2C,CAAC,CAAA;QAChF,CAAC;QACD,MAAM,KAAK,GAAG,CAAC,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,CAAA;QAClF,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC,CAAA;QAC1F,OAAO,IAAI,CAAC,YAAY,CAAA;IAC1B,CAAC;IAED,iFAAiF;IACzE,UAAU,CAAC,QAA4B,EAAE,IAAa;QAC5D,MAAM,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAA;QAC3B,MAAM,SAAS,GAAG,iBAAiB,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,UAAU,CAAC,CAAA;QACrE,MAAM,KAAK,GAAG,YAAY,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC,CAAC,SAAS,CAAC,CAAA;QAC9D,MAAM,KAAK,GAAG,iBAAiB,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC,CAAA;QAEhE,MAAM,IAAI,GAAkB,EAAE,KAAK,EAAE,CAAA;QAErC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;QACjD,IAAI,QAAQ;YAAE,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAA;QAEtC,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;YACvB,IAAI,CAAC,KAAK,GAAG,KAAK,IAAI,qCAAqC,CAAA;YAC3D,OAAO,IAAI,CAAA;QACb,CAAC;QAED,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;YACrB,MAAM,MAAM,GAAyC,EAAE,CAAA;YACvD,2EAA2E;YAC3E,yEAAyE;YACzE,gFAAgF;YAChF,mEAAmE;YACnE,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC;gBACjB,MAAM,CAAC,MAAM,CACX,MAAM,EACN,kBAAkB,CAAC,iBAAiB,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CACxE,CAAA;YACH,CAAC;YACD,iFAAiF;YACjF,6DAA6D;YAC7D,MAAM,KAAK,GAAG,iBAAiB,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC,CAAA;YAChE,MAAM,MAAM,GAAG,iBAAiB,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,UAAU,CAAC,CAAA;YAClE,MAAM,OAAO,GAAG,iBAAiB,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,CAAC,CAAA;YACpE,IAAI,KAAK;gBAAE,MAAM,CAAC,KAAK,GAAG,KAAK,CAAA;YAC/B,IAAI,MAAM;gBAAE,MAAM,CAAC,MAAM,GAAG,MAAM,CAAA;YAClC,IAAI,OAAO;gBAAE,MAAM,CAAC,OAAO,GAAG,OAAO,CAAA;YACrC,wEAAwE;YACxE,yDAAyD;YACzD,IAAI,KAAK;gBAAE,MAAM,CAAC,KAAK,GAAG,KAAK,CAAA;YAC/B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;QACtB,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAEO,WAAW,CACjB,QAA4B,EAC5B,IAAa;QAEb,MAAM,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAA;QAC3B,MAAM,GAAG,GAAG,CAAC,IAAwB,EAAsB,EAAE;YAC3D,MAAM,GAAG,GAAG,iBAAiB,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;YACvD,IAAI,GAAG,KAAK,SAAS;gBAAE,OAAO,SAAS,CAAA;YACvC,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAA;YACrB,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QAC3C,CAAC,CAAA;QACD,MAAM,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAA;QAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAA;QAChD,MAAM,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAA;QACtC,IAAI,SAAS,KAAK,SAAS,IAAI,UAAU,KAAK,SAAS,IAAI,KAAK,KAAK,SAAS;YAAE,OAAO,SAAS,CAAA;QAChG,OAAO,EAAE,SAAS,EAAE,SAAS,IAAI,CAAC,EAAE,UAAU,EAAE,UAAU,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,IAAI,CAAC,EAAE,CAAA;IACtF,CAAC;CACF;AAED;;;;;;GAMG;AACH,SAAS,kBAAkB,CAAC,GAAY;IACtC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,EAAE,CAAA;IACtD,MAAM,CAAC,GAAG,GAA8B,CAAA;IACxC,MAAM,GAAG,GAA6B,EAAE,CAAA;IACxC,MAAM,OAAO,GAAG,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,eAAe,CAAU,CAAA;IACjF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ;YAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAW,CAAA;IACvD,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,MAAM,KAAK,SAAS;QAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAA;IACxD,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,SAAS;QAAE,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAA;IAC9D,sFAAsF;IACtF,KAAK,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAU,EAAE,CAAC;QACrE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,SAAS;YAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;IACvC,CAAC;IACD,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAA;IACrB,IACE,OAAO,KAAK,KAAK,QAAQ;QACzB,KAAK,KAAK,IAAI;QACd,OAAQ,KAAiC,CAAC,WAAW,KAAK,QAAQ;QAClE,OAAQ,KAAiC,CAAC,YAAY,KAAK,QAAQ,EACnE,CAAC;QACD,GAAG,CAAC,KAAK,GAAG;YACV,WAAW,EAAG,KAAiC,CAAC,WAAW;YAC3D,YAAY,EAAG,KAAkC,CAAC,YAAY;SAC/D,CAAA;IACH,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/modules/runners/RunnerPoolConnectionService.d.ts

@@ -0,0 +1,47 @@
+import type { Clock } from '@cat-factory/kernel';
+import type { RunnerPoolConnectionRecord, RunnerPoolConnectionRepository } from '@cat-factory/kernel';
+import type { SecretCipher } from '@cat-factory/kernel';
+import type { SecretResolver, UrlSafetyPolicy } from '@cat-factory/kernel';
+import type { RunnerPoolConnection, RunnerPoolManifest } from '@cat-factory/kernel';
+import type { WorkspaceRepository } from '@cat-factory/kernel';
+export interface RunnerPoolConnectionServiceDependencies {
+    runnerPoolConnectionRepository: RunnerPoolConnectionRepository;
+    workspaceRepository: WorkspaceRepository;
+    secretCipher: SecretCipher;
+    clock: Clock;
+    /** URL/host safety policy applied to a registered manifest. Defaults to strict. */
+    urlPolicy?: UrlSafetyPolicy;
+}
+export interface ResolvedRunnerPool {
+    manifest: RunnerPoolManifest;
+    resolveSecret: SecretResolver;
+}
+export declare class RunnerPoolConnectionService {
+    private readonly deps;
+    constructor(deps: RunnerPoolConnectionServiceDependencies);
+    /** Register (or replace) a workspace's runner pool. */
+    register(workspaceId: string, input: {
+        manifest: RunnerPoolManifest;
+        secrets: Record<string, string>;
+    }): Promise<RunnerPoolConnection>;
+    /** Rotate/replace the secret bundle without re-sending the manifest. */
+    updateSecrets(workspaceId: string, secrets: Record<string, string>): Promise<RunnerPoolConnection>;
+    /** The workspace's current connection (safe metadata), or null. */
+    getConnection(workspaceId: string): Promise<RunnerPoolConnection | null>;
+    /** Resolve the live connection + parsed manifest, or throw if not registered. */
+    requireConnection(workspaceId: string): Promise<{
+        record: RunnerPoolConnectionRecord;
+        manifest: RunnerPoolManifest;
+    }>;
+    /**
+     * Resolve the workspace's pool (parsed manifest + a secret resolver over its
+     * decrypted bundle), or null when it has no live pool registered. Used by the
+     * container executor to pick the self-hosted runner backend per job.
+     */
+    resolve(workspaceId: string): Promise<ResolvedRunnerPool | null>;
+    /** Unregister the pool (tombstones the binding). */
+    unregister(workspaceId: string): Promise<void>;
+    private decryptSecrets;
+    private toConnection;
+}
+//# sourceMappingURL=RunnerPoolConnectionService.d.ts.map

package/dist/modules/runners/RunnerPoolConnectionService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RunnerPoolConnectionService.d.ts","sourceRoot":"","sources":["../../../src/modules/runners/RunnerPoolConnectionService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAChD,OAAO,KAAK,EACV,0BAA0B,EAC1B,8BAA8B,EAC/B,MAAM,qBAAqB,CAAA;AAC5B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AACvD,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AAC1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAA;AAGnF,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAA;AAS9D,MAAM,WAAW,uCAAuC;IACtD,8BAA8B,EAAE,8BAA8B,CAAA;IAC9D,mBAAmB,EAAE,mBAAmB,CAAA;IACxC,YAAY,EAAE,YAAY,CAAA;IAC1B,KAAK,EAAE,KAAK,CAAA;IACZ,mFAAmF;IACnF,SAAS,CAAC,EAAE,eAAe,CAAA;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,aAAa,EAAE,cAAc,CAAA;CAC9B;AAED,qBAAa,2BAA2B;IAC1B,OAAO,CAAC,QAAQ,CAAC,IAAI;IAAjC,YAA6B,IAAI,EAAE,uCAAuC,EAAI;IAE9E,uDAAuD;IACjD,QAAQ,CACZ,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE;QAAE,QAAQ,EAAE,kBAAkB,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACvE,OAAO,CAAC,oBAAoB,CAAC,CAwB/B;IAED,wEAAwE;IAClE,aAAa,CACjB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC9B,OAAO,CAAC,oBAAoB,CAAC,CAU/B;IAED,mEAAmE;IAC7D,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAK7E;IAED,iFAAiF;IAC3E,iBAAiB,CACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;QAAE,MAAM,EAAE,0BAA0B,CAAC;QAAC,QAAQ,EAAE,kBAAkB,CAAA;KAAE,CAAC,CAO/E;IAED;;;;OAIG;IACG,OAAO,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAMrE;IAED,oDAAoD;IAC9C,UAAU,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAInD;YAEa,cAAc;IAQ5B,OAAO,CAAC,YAAY;CAYrB"}

package/dist/modules/runners/RunnerPoolConnectionService.js

@@ -0,0 +1,98 @@
+import { ConflictError, STRICT_URL_SAFETY_POLICY, ValidationError } from '@cat-factory/kernel';
+import { requireWorkspace } from '@cat-factory/kernel';
+import { assertManifestUrlsSafe, referencedSecretKeys } from './runners.logic.js';
+export class RunnerPoolConnectionService {
+    deps;
+    constructor(deps) {
+        this.deps = deps;
+    }
+    /** Register (or replace) a workspace's runner pool. */
+    async register(workspaceId, input) {
+        await requireWorkspace(this.deps.workspaceRepository, workspaceId);
+        const manifest = input.manifest;
+        assertManifestUrlsSafe(manifest, this.deps.urlPolicy ?? STRICT_URL_SAFETY_POLICY);
+        const missing = referencedSecretKeys(manifest).filter((key) => !(key in input.secrets));
+        if (missing.length) {
+            throw new ValidationError(`Missing secret values for: ${missing.join(', ')}`);
+        }
+        const existing = await this.deps.runnerPoolConnectionRepository.getByWorkspace(workspaceId);
+        const secretsCipher = await this.deps.secretCipher.encrypt(JSON.stringify(input.secrets));
+        const record = {
+            workspaceId,
+            providerId: manifest.providerId,
+            label: manifest.label,
+            baseUrl: manifest.baseUrl,
+            manifestJson: JSON.stringify(manifest),
+            secretsCipher,
+            createdAt: existing?.createdAt ?? this.deps.clock.now(),
+            deletedAt: null,
+        };
+        await this.deps.runnerPoolConnectionRepository.upsert(record);
+        return this.toConnection(record, Object.keys(input.secrets));
+    }
+    /** Rotate/replace the secret bundle without re-sending the manifest. */
+    async updateSecrets(workspaceId, secrets) {
+        const { record, manifest } = await this.requireConnection(workspaceId);
+        const missing = referencedSecretKeys(manifest).filter((key) => !(key in secrets));
+        if (missing.length) {
+            throw new ValidationError(`Missing secret values for: ${missing.join(', ')}`);
+        }
+        const secretsCipher = await this.deps.secretCipher.encrypt(JSON.stringify(secrets));
+        const updated = { ...record, secretsCipher };
+        await this.deps.runnerPoolConnectionRepository.upsert(updated);
+        return this.toConnection(updated, Object.keys(secrets));
+    }
+    /** The workspace's current connection (safe metadata), or null. */
+    async getConnection(workspaceId) {
+        const record = await this.deps.runnerPoolConnectionRepository.getByWorkspace(workspaceId);
+        if (!record)
+            return null;
+        const keys = Object.keys(await this.decryptSecrets(record));
+        return this.toConnection(record, keys);
+    }
+    /** Resolve the live connection + parsed manifest, or throw if not registered. */
+    async requireConnection(workspaceId) {
+        const record = await this.deps.runnerPoolConnectionRepository.getByWorkspace(workspaceId);
+        if (!record) {
+            throw new ConflictError(`Workspace '${workspaceId}' has no runner pool registered`);
+        }
+        const manifest = JSON.parse(record.manifestJson);
+        return { record, manifest };
+    }
+    /**
+     * Resolve the workspace's pool (parsed manifest + a secret resolver over its
+     * decrypted bundle), or null when it has no live pool registered. Used by the
+     * container executor to pick the self-hosted runner backend per job.
+     */
+    async resolve(workspaceId) {
+        const record = await this.deps.runnerPoolConnectionRepository.getByWorkspace(workspaceId);
+        if (!record)
+            return null;
+        const manifest = JSON.parse(record.manifestJson);
+        const bundle = await this.decryptSecrets(record);
+        return { manifest, resolveSecret: (key) => bundle[key] };
+    }
+    /** Unregister the pool (tombstones the binding). */
+    async unregister(workspaceId) {
+        const record = await this.deps.runnerPoolConnectionRepository.getByWorkspace(workspaceId);
+        if (!record)
+            return;
+        await this.deps.runnerPoolConnectionRepository.softDelete(workspaceId, this.deps.clock.now());
+    }
+    async decryptSecrets(record) {
+        if (!record.secretsCipher)
+            return {};
+        const parsed = JSON.parse(await this.deps.secretCipher.decrypt(record.secretsCipher));
+        return parsed && typeof parsed === 'object' ? parsed : {};
+    }
+    toConnection(record, secretKeys) {
+        return {
+            providerId: record.providerId,
+            label: record.label,
+            baseUrl: record.baseUrl,
+            connectedAt: record.createdAt,
+            secretKeys,
+        };
+    }
+}
+//# sourceMappingURL=RunnerPoolConnectionService.js.map

package/dist/modules/runners/RunnerPoolConnectionService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RunnerPoolConnectionService.js","sourceRoot":"","sources":["../../../src/modules/runners/RunnerPoolConnectionService.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,aAAa,EAAE,wBAAwB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AAC9F,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AAEtD,OAAO,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AAsBjF,MAAM,OAAO,2BAA2B;IACT,IAAI;IAAjC,YAA6B,IAA6C;oBAA7C,IAAI;IAA4C,CAAC;IAE9E,uDAAuD;IACvD,KAAK,CAAC,QAAQ,CACZ,WAAmB,EACnB,KAAwE;QAExE,MAAM,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,WAAW,CAAC,CAAA;QAClE,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;QAC/B,sBAAsB,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,wBAAwB,CAAC,CAAA;QAEjF,MAAM,OAAO,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QACvF,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,IAAI,eAAe,CAAC,8BAA8B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAC/E,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,8BAA8B,CAAC,cAAc,CAAC,WAAW,CAAC,CAAA;QAC3F,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QACzF,MAAM,MAAM,GAA+B;YACzC,WAAW;YACX,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,OAAO,EAAE,QAAQ,CAAC,OAAO;YACzB,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;YACtC,aAAa;YACb,SAAS,EAAE,QAAQ,EAAE,SAAS,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE;YACvD,SAAS,EAAE,IAAI;SAChB,CAAA;QACD,MAAM,IAAI,CAAC,IAAI,CAAC,8BAA8B,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC7D,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;IAC9D,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,aAAa,CACjB,WAAmB,EACnB,OAA+B;QAE/B,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,OAAO,CAAC,CAAC,CAAA;QACjF,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,IAAI,eAAe,CAAC,8BAA8B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAC/E,CAAC;QACD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAA;QACnF,MAAM,OAAO,GAA+B,EAAE,GAAG,MAAM,EAAE,aAAa,EAAE,CAAA;QACxE,MAAM,IAAI,CAAC,IAAI,CAAC,8BAA8B,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAC9D,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;IACzD,CAAC;IAED,mEAAmE;IACnE,KAAK,CAAC,aAAa,CAAC,WAAmB;QACrC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,8BAA8B,CAAC,cAAc,CAAC,WAAW,CAAC,CAAA;QACzF,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAA;QACxB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAA;QAC3D,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;IACxC,CAAC;IAED,iFAAiF;IACjF,KAAK,CAAC,iBAAiB,CACrB,WAAmB;QAEnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,8BAA8B,CAAC,cAAc,CAAC,WAAW,CAAC,CAAA;QACzF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,aAAa,CAAC,cAAc,WAAW,iCAAiC,CAAC,CAAA;QACrF,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,CAAuB,CAAA;QACtE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAA;IAC7B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,OAAO,CAAC,WAAmB;QAC/B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,8BAA8B,CAAC,cAAc,CAAC,WAAW,CAAC,CAAA;QACzF,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAA;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,CAAuB,CAAA;QACtE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAA;QAChD,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC,GAAW,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAA;IAClE,CAAC;IAED,oDAAoD;IACpD,KAAK,CAAC,UAAU,CAAC,WAAmB;QAClC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,8BAA8B,CAAC,cAAc,CAAC,WAAW,CAAC,CAAA;QACzF,IAAI,CAAC,MAAM;YAAE,OAAM;QACnB,MAAM,IAAI,CAAC,IAAI,CAAC,8BAA8B,CAAC,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAA;IAC/F,CAAC;IAEO,KAAK,CAAC,cAAc,CAC1B,MAAkC;QAElC,IAAI,CAAC,MAAM,CAAC,aAAa;YAAE,OAAO,EAAE,CAAA;QACpC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAA;QACrF,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAiC,CAAC,CAAC,CAAC,EAAE,CAAA;IACvF,CAAC;IAEO,YAAY,CAClB,MAAkC,EAClC,UAAoB;QAEpB,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,MAAM,CAAC,SAAS;YAC7B,UAAU;SACX,CAAA;IACH,CAAC;CACF"}

package/dist/modules/runners/RunnerPoolTransport.d.ts

@@ -0,0 +1,11 @@
+import type { RunnerDispatchKind, RunnerDispatchOptions, RunnerJobRef, RunnerJobView, RunnerPoolManifest, RunnerPoolProvider, RunnerTransport, SecretResolver } from '@cat-factory/kernel';
+export declare class RunnerPoolTransport implements RunnerTransport {
+    private readonly provider;
+    private readonly manifest;
+    private readonly resolveSecret;
+    constructor(provider: RunnerPoolProvider, manifest: RunnerPoolManifest, resolveSecret: SecretResolver);
+    dispatch(ref: RunnerJobRef, spec: Record<string, unknown>, kind?: RunnerDispatchKind, options?: RunnerDispatchOptions): Promise<void>;
+    poll(ref: RunnerJobRef): Promise<RunnerJobView>;
+    release(ref: RunnerJobRef): Promise<void>;
+}
+//# sourceMappingURL=RunnerPoolTransport.d.ts.map

package/dist/modules/runners/RunnerPoolTransport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RunnerPoolTransport.d.ts","sourceRoot":"","sources":["../../../src/modules/runners/RunnerPoolTransport.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,kBAAkB,EAClB,qBAAqB,EACrB,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,kBAAkB,EAClB,eAAe,EACf,cAAc,EACf,MAAM,qBAAqB,CAAA;AAgB5B,qBAAa,mBAAoB,YAAW,eAAe;IAEvD,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAHhC,YACmB,QAAQ,EAAE,kBAAkB,EAC5B,QAAQ,EAAE,kBAAkB,EAC5B,aAAa,EAAE,cAAc,EAC5C;IAEJ,QAAQ,CACN,GAAG,EAAE,YAAY,EACjB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,IAAI,GAAE,kBAA0B,EAChC,OAAO,CAAC,EAAE,qBAAqB,GAC9B,OAAO,CAAC,IAAI,CAAC,CAsBf;IAED,IAAI,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC,CAM9C;IAED,OAAO,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAMxC;CACF"}

package/dist/modules/runners/RunnerPoolTransport.js

@@ -0,0 +1,61 @@
+// Adapts the stateless, manifest-interpreting HttpRunnerPoolProvider to the
+// RunnerTransport the container executor drives, binding one workspace's resolved
+// manifest + secret resolver. One instance per (workspace) dispatch/poll resolution;
+// the underlying provider (and its OAuth cache) is shared.
+//
+// A pool is a PER-JOB backend — it has no per-run container to share across steps —
+// so it keys on the per-step `ref.jobId`; each step is an independent pool job, which
+// is exactly what keeps sibling steps from colliding here too. `ref.runId` is unused
+// (there is no run-scoped resource to address), and `release` cancels the run's
+// in-flight job by its id.
+//
+// Runtime-neutral: both the Cloudflare Worker and the Node service resolve this
+// transport for a workspace whose self-hosted runner pool is registered.
+export class RunnerPoolTransport {
+    provider;
+    manifest;
+    resolveSecret;
+    constructor(provider, manifest, resolveSecret) {
+        this.provider = provider;
+        this.manifest = manifest;
+        this.resolveSecret = resolveSecret;
+    }
+    dispatch(ref, spec, kind = 'run', options) {
+        const jobId = ref.jobId;
+        // A pool runs the SAME executor-harness image as the Cloudflare backend, so it
+        // serves every harness route. Runtime parity is the default and assumed (the "keep
+        // the runtimes symmetric" guideline): there is no opt-in allow-list to gate kinds,
+        // so a new harness kind dispatches to a pool automatically, exactly as it does to a
+        // Cloudflare container, never silently diverging.
+        //
+        // Forward the harness route kind and the resolved provisioning hints (the
+        // instance-type id + the cloud provider) in the dispatch spec so a pool that
+        // provisions on its own cloud can route to the right endpoint and size the runner.
+        return this.provider.dispatch({
+            manifest: this.manifest,
+            jobId,
+            spec: {
+                ...spec,
+                kind,
+                ...(options?.instanceTypeId ? { instanceType: options.instanceTypeId } : {}),
+                ...(options?.provider ? { cloudProvider: options.provider } : {}),
+            },
+            resolveSecret: this.resolveSecret,
+        });
+    }
+    poll(ref) {
+        return this.provider.poll({
+            manifest: this.manifest,
+            jobId: ref.jobId,
+            resolveSecret: this.resolveSecret,
+        });
+    }
+    release(ref) {
+        return this.provider.release({
+            manifest: this.manifest,
+            jobId: ref.jobId,
+            resolveSecret: this.resolveSecret,
+        });
+    }
+}
+//# sourceMappingURL=RunnerPoolTransport.js.map

package/dist/modules/runners/RunnerPoolTransport.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RunnerPoolTransport.js","sourceRoot":"","sources":["../../../src/modules/runners/RunnerPoolTransport.ts"],"names":[],"mappings":"AAWA,4EAA4E;AAC5E,kFAAkF;AAClF,qFAAqF;AACrF,2DAA2D;AAC3D,EAAE;AACF,oFAAoF;AACpF,sFAAsF;AACtF,qFAAqF;AACrF,gFAAgF;AAChF,2BAA2B;AAC3B,EAAE;AACF,gFAAgF;AAChF,yEAAyE;AAEzE,MAAM,OAAO,mBAAmB;IAEX,QAAQ;IACR,QAAQ;IACR,aAAa;IAHhC,YACmB,QAA4B,EAC5B,QAA4B,EAC5B,aAA6B;wBAF7B,QAAQ;wBACR,QAAQ;6BACR,aAAa;IAC7B,CAAC;IAEJ,QAAQ,CACN,GAAiB,EACjB,IAA6B,EAC7B,IAAI,GAAuB,KAAK,EAChC,OAA+B;QAE/B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAA;QACvB,+EAA+E;QAC/E,mFAAmF;QACnF,mFAAmF;QACnF,oFAAoF;QACpF,kDAAkD;QAClD,EAAE;QACF,0EAA0E;QAC1E,6EAA6E;QAC7E,mFAAmF;QACnF,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC5B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK;YACL,IAAI,EAAE;gBACJ,GAAG,IAAI;gBACP,IAAI;gBACJ,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5E,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAClE;YACD,aAAa,EAAE,IAAI,CAAC,aAAa;SAClC,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,CAAC,GAAiB;QACpB,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YACxB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,aAAa,EAAE,IAAI,CAAC,aAAa;SAClC,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,CAAC,GAAiB;QACvB,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,aAAa,EAAE,IAAI,CAAC,aAAa;SAClC,CAAC,CAAA;IACJ,CAAC;CACF"}

package/dist/modules/runners/runners.logic.d.ts

@@ -0,0 +1,16 @@
+import type { RunnerJobState, RunnerPoolManifest, UrlSafetyPolicy } from '@cat-factory/kernel';
+/** Collect every secret key a manifest's auth scheme references. */
+export declare function referencedSecretKeys(manifest: RunnerPoolManifest): string[];
+/** Validate every URL a manifest will fetch (defence against SSRF). */
+export declare function assertManifestUrlsSafe(manifest: RunnerPoolManifest, policy?: UrlSafetyPolicy): void;
+/**
+ * Map a scheduler's status string onto the harness job state using the manifest's
+ * `statusMap`. Falls back to interpreting the raw value as a state literal
+ * (`running`/`done`/`failed`) when it matches one, else `running` — so a poll
+ * that can't be classified keeps the driver waiting rather than wrongly failing.
+ */
+export declare function mapJobState(raw: string | undefined, statusMap: {
+    from: string;
+    to: RunnerJobState;
+}[] | undefined): RunnerJobState;
+//# sourceMappingURL=runners.logic.d.ts.map

package/dist/modules/runners/runners.logic.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runners.logic.d.ts","sourceRoot":"","sources":["../../../src/modules/runners/runners.logic.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AAW9F,oEAAoE;AACpE,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,MAAM,EAAE,CAe3E;AAED,uEAAuE;AACvE,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,kBAAkB,EAC5B,MAAM,GAAE,eAA0C,GACjD,IAAI,CAKN;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CACzB,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,SAAS,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,cAAc,CAAA;CAAE,EAAE,GAAG,SAAS,GAC5D,cAAc,CAUhB"}

package/dist/modules/runners/runners.logic.js

@@ -0,0 +1,52 @@
+import { STRICT_URL_SAFETY_POLICY } from '@cat-factory/kernel';
+import { assertSafeEnvironmentUrl } from '../environments/environments.logic.js';
+// Pure helpers for the self-hosted runner-pool integration. The generic URL
+// validation, `{{var}}` interpolation and dot-path extraction live in the
+// environments logic module (they are not environment-specific); we reuse them
+// from the manifest interpreter. What is runner-specific lives here: collecting a
+// manifest's referenced secret keys, validating every URL it will fetch, and
+// mapping a scheduler's status string onto the harness job state.
+/** Collect every secret key a manifest's auth scheme references. */
+export function referencedSecretKeys(manifest) {
+    const auth = manifest.auth;
+    switch (auth.type) {
+        case 'none':
+            return [];
+        case 'api_key':
+        case 'bearer':
+            return [auth.secretRef.key];
+        case 'basic':
+            return [auth.usernameSecretRef.key, auth.passwordSecretRef.key];
+        case 'oauth2_client_credentials':
+            return [auth.clientIdSecretRef.key, auth.clientSecretSecretRef.key];
+        case 'custom_headers':
+            return auth.headers.map((h) => h.secretRef.key);
+    }
+}
+/** Validate every URL a manifest will fetch (defence against SSRF). */
+export function assertManifestUrlsSafe(manifest, policy = STRICT_URL_SAFETY_POLICY) {
+    assertSafeEnvironmentUrl(manifest.baseUrl, 'base URL', policy);
+    if (manifest.auth.type === 'oauth2_client_credentials') {
+        assertSafeEnvironmentUrl(manifest.auth.tokenUrl, 'OAuth token URL', policy);
+    }
+}
+/**
+ * Map a scheduler's status string onto the harness job state using the manifest's
+ * `statusMap`. Falls back to interpreting the raw value as a state literal
+ * (`running`/`done`/`failed`) when it matches one, else `running` — so a poll
+ * that can't be classified keeps the driver waiting rather than wrongly failing.
+ */
+export function mapJobState(raw, statusMap) {
+    if (raw !== undefined) {
+        if (statusMap) {
+            const hit = statusMap.find((m) => m.from.toLowerCase() === raw.toLowerCase());
+            if (hit)
+                return hit.to;
+        }
+        const lower = raw.toLowerCase();
+        if (lower === 'running' || lower === 'done' || lower === 'failed')
+            return lower;
+    }
+    return 'running';
+}
+//# sourceMappingURL=runners.logic.js.map