@cat-factory/kernel 0.6.0

package/dist/ports/model-provider.d.ts

@@ -0,0 +1,69 @@
+import type { LanguageModel } from 'ai';
+/** Which container harness runs an agent for a model. */
+export type HarnessKind = 'pi' | 'claude-code' | 'codex';
+export interface ModelRef {
+    /** Provider id, e.g. `openai`, `anthropic`, `workers-ai`, `mock`. */
+    provider: string;
+    /** Model id within the provider, e.g. `gpt-4o-mini`. */
+    model: string;
+    /**
+     * The container harness that runs this model. Absent ⇒ the default Pi harness
+     * (reached through the LLM proxy). `claude-code` / `codex` are subscription
+     * harnesses authenticated with a stored OAuth token, talking direct to the
+     * vendor — the executor leases a pool token instead of minting a proxy session.
+     */
+    harness?: HarnessKind;
+    /**
+     * The total context window for THIS flavour, in tokens, as published by the provider
+     * that actually serves it — the combined input + output the model can process in one
+     * request, NOT a max-output limit. It is per-flavour because the SAME catalog model
+     * can be served with a different window depending on where it runs, in EITHER
+     * direction: Cloudflare may cap below the vendor's full window (e.g. GLM-5.2 is 256K
+     * on Cloudflare vs 1M on a Z.ai subscription), match it (Kimi K2.6 is 256K both on
+     * Cloudflare and direct), or even exceed a direct sibling (the Cloudflare R1 distill
+     * serves 80K while the direct flagship chat model is 64K). Set it from the serving
+     * provider's own model docs, not a general spec sheet. Surfaced in the picker so a
+     * user sees the window the selected flavour will really give them. Absent ⇒ unknown.
+     */
+    contextTokens?: number;
+}
+/**
+ * Degrade a model ref that demands a container-only subscription harness
+ * (`claude-code` / `codex`) to an inline-servable `fallback`. Such a ref names a
+ * vendor with NO provider key (the credential is a pooled subscription token used
+ * only inside the per-run container), so resolving it through a {@link ModelProvider}
+ * for an INLINE LLM call would fail. A block's model is shared by every step of its
+ * pipeline (container AND inline), so this is the single seam every inline path (the
+ * inline agent executor, the requirements reviewer/rework) routes a pinned
+ * subscription model through: the container steps keep the harness, the inline steps
+ * fall back to a provider model. A `pi` (or absent) harness is already inline-servable
+ * and passes through unchanged.
+ */
+export declare function inlineModelRef(ref: ModelRef, fallback: ModelRef): ModelRef;
+export interface ModelProvider {
+    /** Resolve a model handle the AI SDK can call, or throw if unconfigured. */
+    resolve(ref: ModelRef): LanguageModel;
+}
+/**
+ * The credential scope a run draws model-provider keys from: the workspace, its
+ * owning account, and the run initiator's own user keys are merged into one pool.
+ */
+export interface ModelScope {
+    workspaceId: string;
+    /** The workspace's owning account id (resolved automatically when omitted). */
+    accountId?: string | null;
+    /** The run initiator's `usr_*` id, to also draw from their personal keys. */
+    userId?: string | null;
+}
+/**
+ * Resolves a {@link ModelProvider} bound to a run's credential scope. Direct-provider
+ * API keys live in the DB (account/workspace/user scoped), so the provider can no
+ * longer be a single process-wide instance built from env: each inline LLM call asks
+ * for the provider for its scope, which leases the configured keys for that
+ * workspace+account+user. `resolve` itself stays synchronous (keys are leased up
+ * front when the scoped provider is built).
+ */
+export interface ModelProviderResolver {
+    forScope(scope: ModelScope): Promise<ModelProvider>;
+}
+//# sourceMappingURL=model-provider.d.ts.map

package/dist/ports/model-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"model-provider.d.ts","sourceRoot":"","sources":["../../src/ports/model-provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,IAAI,CAAA;AAOvC,yDAAyD;AACzD,MAAM,MAAM,WAAW,GAAG,IAAI,GAAG,aAAa,GAAG,OAAO,CAAA;AAExD,MAAM,WAAW,QAAQ;IACvB,qEAAqE;IACrE,QAAQ,EAAE,MAAM,CAAA;IAChB,wDAAwD;IACxD,KAAK,EAAE,MAAM,CAAA;IACb;;;;;OAKG;IACH,OAAO,CAAC,EAAE,WAAW,CAAA;IACrB;;;;;;;;;;;OAWG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,GAAG,QAAQ,CAE1E;AAED,MAAM,WAAW,aAAa;IAC5B,4EAA4E;IAC5E,OAAO,CAAC,GAAG,EAAE,QAAQ,GAAG,aAAa,CAAA;CACtC;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAA;IACnB,+EAA+E;IAC/E,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACzB,6EAA6E;IAC7E,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CACvB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;CACpD"}

package/dist/ports/model-provider.js

@@ -0,0 +1,16 @@
+/**
+ * Degrade a model ref that demands a container-only subscription harness
+ * (`claude-code` / `codex`) to an inline-servable `fallback`. Such a ref names a
+ * vendor with NO provider key (the credential is a pooled subscription token used
+ * only inside the per-run container), so resolving it through a {@link ModelProvider}
+ * for an INLINE LLM call would fail. A block's model is shared by every step of its
+ * pipeline (container AND inline), so this is the single seam every inline path (the
+ * inline agent executor, the requirements reviewer/rework) routes a pinned
+ * subscription model through: the container steps keep the harness, the inline steps
+ * fall back to a provider model. A `pi` (or absent) harness is already inline-servable
+ * and passes through unchanged.
+ */
+export function inlineModelRef(ref, fallback) {
+    return ref.harness && ref.harness !== 'pi' ? fallback : ref;
+}
+//# sourceMappingURL=model-provider.js.map

package/dist/ports/model-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"model-provider.js","sourceRoot":"","sources":["../../src/ports/model-provider.ts"],"names":[],"mappings":"AAqCA;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAAC,GAAa,EAAE,QAAkB;IAC9D,OAAO,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,KAAK,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAA;AAC7D,CAAC"}

package/dist/ports/notification-channel.d.ts

@@ -0,0 +1,16 @@
+import type { Notification } from '../domain/types.js';
+export interface NotificationChannel {
+    /** Deliver (or re-deliver, on resolve) a notification to this channel's medium. */
+    deliver(workspaceId: string, notification: Notification): Promise<void>;
+}
+/** Fan a notification out to every configured channel, isolating per-channel failures. */
+export declare class CompositeNotificationChannel implements NotificationChannel {
+    private readonly channels;
+    constructor(channels: NotificationChannel[]);
+    deliver(workspaceId: string, notification: Notification): Promise<void>;
+}
+/** The no-op channel: delivers nothing (tests, or a deployment with no channels wired). */
+export declare class NoopNotificationChannel implements NotificationChannel {
+    deliver(): Promise<void>;
+}
+//# sourceMappingURL=notification-channel.d.ts.map

package/dist/ports/notification-channel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"notification-channel.d.ts","sourceRoot":"","sources":["../../src/ports/notification-channel.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AActD,MAAM,WAAW,mBAAmB;IAClC,mFAAmF;IACnF,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACxE;AAED,0FAA0F;AAC1F,qBAAa,4BAA6B,YAAW,mBAAmB;IAC1D,OAAO,CAAC,QAAQ,CAAC,QAAQ;IAArC,YAA6B,QAAQ,EAAE,mBAAmB,EAAE,EAAI;IAE1D,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAU5E;CACF;AAED,2FAA2F;AAC3F,qBAAa,uBAAwB,YAAW,mBAAmB;IAC3D,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAG;CAClC"}

package/dist/ports/notification-channel.js

@@ -0,0 +1,22 @@
+/** Fan a notification out to every configured channel, isolating per-channel failures. */
+export class CompositeNotificationChannel {
+    channels;
+    constructor(channels) {
+        this.channels = channels;
+    }
+    async deliver(workspaceId, notification) {
+        await Promise.all(this.channels.map(async (channel) => {
+            try {
+                await channel.deliver(workspaceId, notification);
+            }
+            catch {
+                // Best-effort: one channel failing must not block the others or the caller.
+            }
+        }));
+    }
+}
+/** The no-op channel: delivers nothing (tests, or a deployment with no channels wired). */
+export class NoopNotificationChannel {
+    async deliver() { }
+}
+//# sourceMappingURL=notification-channel.js.map

package/dist/ports/notification-channel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"notification-channel.js","sourceRoot":"","sources":["../../src/ports/notification-channel.ts"],"names":[],"mappings":"AAmBA,0FAA0F;AAC1F,MAAM,OAAO,4BAA4B;IACV,QAAQ;IAArC,YAA6B,QAA+B;wBAA/B,QAAQ;IAA0B,CAAC;IAEhE,KAAK,CAAC,OAAO,CAAC,WAAmB,EAAE,YAA0B;QAC3D,MAAM,OAAO,CAAC,GAAG,CACf,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;YAClC,IAAI,CAAC;gBACH,MAAM,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAA;YAClD,CAAC;YAAC,MAAM,CAAC;gBACP,4EAA4E;YAC9E,CAAC;QACH,CAAC,CAAC,CACH,CAAA;IACH,CAAC;CACF;AAED,2FAA2F;AAC3F,MAAM,OAAO,uBAAuB;IAClC,KAAK,CAAC,OAAO,KAAmB,CAAC;CAClC"}

package/dist/ports/notification-repositories.d.ts

@@ -0,0 +1,15 @@
+import type { Notification, NotificationType } from '../domain/types.js';
+export interface NotificationRepository {
+    /** A notification by id, or null if it does not exist. */
+    get(workspaceId: string, id: string): Promise<Notification | null>;
+    /** All currently-open notifications for a workspace (newest first), for the inbox + snapshot. */
+    listOpen(workspaceId: string): Promise<Notification[]>;
+    /**
+     * The open notification of `type` for `blockId`, if any — used to de-duplicate so
+     * a re-driven run doesn't stack identical cards on the same block.
+     */
+    findOpenByBlock(workspaceId: string, blockId: string, type: NotificationType): Promise<Notification | null>;
+    /** Create or replace a notification (keyed by id). */
+    upsert(workspaceId: string, notification: Notification): Promise<void>;
+}
+//# sourceMappingURL=notification-repositories.d.ts.map

package/dist/ports/notification-repositories.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"notification-repositories.d.ts","sourceRoot":"","sources":["../../src/ports/notification-repositories.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAMxE,MAAM,WAAW,sBAAsB;IACrC,0DAA0D;IAC1D,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAA;IAClE,iGAAiG;IACjG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAAA;IACtD;;;OAGG;IACH,eAAe,CACb,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,gBAAgB,GACrB,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAA;IAC/B,sDAAsD;IACtD,MAAM,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACvE"}

package/dist/ports/notification-repositories.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=notification-repositories.js.map

package/dist/ports/notification-repositories.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"notification-repositories.js","sourceRoot":"","sources":["../../src/ports/notification-repositories.ts"],"names":[],"mappings":""}

package/dist/ports/password-hasher.d.ts

@@ -0,0 +1,14 @@
+export interface PasswordHasher {
+    /** Hash a plaintext password, returning a self-describing PHC-like string. */
+    hash(password: string): Promise<string>;
+    /** Constant-time verify a plaintext password against a stored hash. */
+    verify(password: string, stored: string): Promise<boolean>;
+    /**
+     * Whether a stored hash was produced with weaker-than-current parameters (a
+     * different scheme or a lower iteration count) and should be transparently
+     * re-hashed after the next successful login. A malformed value returns true so the
+     * caller upgrades it. Used to migrate password cost upward without a flag day.
+     */
+    needsRehash(stored: string): boolean;
+}
+//# sourceMappingURL=password-hasher.d.ts.map

package/dist/ports/password-hasher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-hasher.d.ts","sourceRoot":"","sources":["../../src/ports/password-hasher.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,cAAc;IAC7B,8EAA8E;IAC9E,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IACvC,uEAAuE;IACvE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAC1D;;;;;OAKG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAA;CACrC"}

package/dist/ports/password-hasher.js

@@ -0,0 +1,9 @@
+// Port for password hashing used by the email/password login provider. The facade
+// supplies a Web Crypto implementation (PBKDF2-HMAC-SHA256 with a random per-record
+// salt) that runs identically on Cloudflare workerd and Node — native argon2/bcrypt
+// modules do NOT run in a Workers isolate, so the runtimes would diverge.
+//
+// `hash` returns a self-describing PHC-like string that embeds the algorithm,
+// iteration count, and salt, so `verify` can re-derive without any external params.
+export {};
+//# sourceMappingURL=password-hasher.js.map

package/dist/ports/password-hasher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-hasher.js","sourceRoot":"","sources":["../../src/ports/password-hasher.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,oFAAoF;AACpF,oFAAoF;AACpF,0EAA0E;AAC1E,EAAE;AACF,8EAA8E;AAC9E,oFAAoF"}

package/dist/ports/personal-secret-cipher.d.ts

@@ -0,0 +1,7 @@
+export interface PersonalSecretCipher {
+    /** Seal plaintext under a key derived from `password`, returning an opaque envelope. */
+    seal(plaintext: string, password: string): Promise<string>;
+    /** Open an envelope produced by {@link seal}; throws if `password` is wrong/tampered. */
+    open(envelope: string, password: string): Promise<string>;
+}
+//# sourceMappingURL=personal-secret-cipher.d.ts.map

package/dist/ports/personal-secret-cipher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"personal-secret-cipher.d.ts","sourceRoot":"","sources":["../../src/ports/personal-secret-cipher.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,oBAAoB;IACnC,wFAAwF;IACxF,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IAC1D,yFAAyF;IACzF,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;CAC1D"}

package/dist/ports/personal-secret-cipher.js

@@ -0,0 +1,12 @@
+// Port for the SECOND, password-derived encryption layer used by individual-usage
+// subscriptions. Distinct from {@link SecretCipher} (the system layer): this seals a
+// plaintext under a key derived from the user's PERSONAL PASSWORD, which is never
+// stored. The facade supplies a Web Crypto implementation (PBKDF2 → AES-256-GCM) with
+// a self-describing envelope that embeds the per-record salt + IV.
+//
+// `open` throws when the password is wrong (the AEAD auth check fails and a magic
+// header mismatch is detected), which the service maps to a `wrong_password`
+// credential-required error. The system layer is applied on top of this envelope so
+// the at-rest credential needs BOTH the system key AND the user's password to recover.
+export {};
+//# sourceMappingURL=personal-secret-cipher.js.map

package/dist/ports/personal-secret-cipher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"personal-secret-cipher.js","sourceRoot":"","sources":["../../src/ports/personal-secret-cipher.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,qFAAqF;AACrF,kFAAkF;AAClF,sFAAsF;AACtF,mEAAmE;AACnE,EAAE;AACF,kFAAkF;AAClF,6EAA6E;AAC7E,oFAAoF;AACpF,uFAAuF"}

package/dist/ports/personal-subscription-repositories.d.ts

@@ -0,0 +1,72 @@
+import type { SubscriptionVendor } from './provider-subscription-repositories.js';
+/**
+ * A user's personal subscription credential at rest. `tokenCipher` is the
+ * double-encrypted envelope: `system.encrypt(personal.seal(rawToken, password))`.
+ * `expiresAt` is the subscription's own end date (for renewal warnings + a hard
+ * block once lapsed), distinct from an activation's short TTL.
+ */
+export interface PersonalSubscriptionRecord {
+    id: string;
+    /** Internal user id (`usr_*`) of the owner. */
+    userId: string;
+    vendor: SubscriptionVendor;
+    label: string;
+    /** Double-encrypted credential (password layer inside the system layer). */
+    tokenCipher: string;
+    /** Subscription's own expiry (null = no fixed end date). */
+    expiresAt: number | null;
+    createdAt: number;
+    updatedAt: number;
+    /** When a run last activated this credential (null = never). */
+    lastUsedAt: number | null;
+    /** Tombstone when the user removes it. */
+    deletedAt: number | null;
+}
+export interface PersonalSubscriptionRepository {
+    /** The user's live credential for a vendor, or null. */
+    getByUserVendor(userId: string, vendor: SubscriptionVendor): Promise<PersonalSubscriptionRecord | null>;
+    /** Every live credential the user owns (metadata for the status surface). */
+    listByUser(userId: string): Promise<PersonalSubscriptionRecord[]>;
+    /** Insert or replace the user's credential for a vendor (one per user+vendor). */
+    upsert(record: PersonalSubscriptionRecord): Promise<void>;
+    /** Stamp `lastUsedAt` when a run activates the credential. */
+    markUsed(userId: string, vendor: SubscriptionVendor, at: number): Promise<void>;
+    /** Tombstone the user's credential for a vendor. */
+    softDelete(userId: string, vendor: SubscriptionVendor, at: number): Promise<void>;
+    /**
+     * Live credentials whose subscription `expiresAt` is at/after `now` but at/before
+     * `before` (the advance-warning horizon) — the renewal-nudge sweep reads these.
+     * Excludes ones with no expiry.
+     */
+    listExpiring(now: number, before: number): Promise<PersonalSubscriptionRecord[]>;
+}
+/**
+ * A per-run, system-key-only activation of a personal credential. Scoped to one
+ * execution (`executionId`) + its owner; `tokenCipher` is `system.encrypt(rawToken)`
+ * so the durable driver/executor can decrypt it for every step of that run without
+ * the password. `expiresAt` is the activation TTL (longer than a run normally needs,
+ * refreshed on user interaction, and the row is deleted when the run completes).
+ */
+export interface SubscriptionActivationRecord {
+    id: string;
+    executionId: string;
+    userId: string;
+    vendor: SubscriptionVendor;
+    /** System-key-only ciphertext of the raw token. */
+    tokenCipher: string;
+    createdAt: number;
+    expiresAt: number;
+}
+export interface SubscriptionActivationRepository {
+    /** The live (unexpired) activation for a run+user+vendor, or null. */
+    get(executionId: string, userId: string, vendor: SubscriptionVendor, now: number): Promise<SubscriptionActivationRecord | null>;
+    /** Create or replace the activation for a run+user+vendor. */
+    upsert(record: SubscriptionActivationRecord): Promise<void>;
+    /** Extend an existing activation's TTL (refresh on interaction). No-op if absent. */
+    refresh(executionId: string, userId: string, vendor: SubscriptionVendor, expiresAt: number): Promise<void>;
+    /** Delete every activation for a finished run. */
+    deleteByExecution(executionId: string): Promise<void>;
+    /** Delete activations whose TTL has passed (the expiry sweep). Returns the count. */
+    deleteExpired(now: number): Promise<number>;
+}
+//# sourceMappingURL=personal-subscription-repositories.d.ts.map

package/dist/ports/personal-subscription-repositories.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"personal-subscription-repositories.d.ts","sourceRoot":"","sources":["../../src/ports/personal-subscription-repositories.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,yCAAyC,CAAA;AAmBjF;;;;;GAKG;AACH,MAAM,WAAW,0BAA0B;IACzC,EAAE,EAAE,MAAM,CAAA;IACV,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,kBAAkB,CAAA;IAC1B,KAAK,EAAE,MAAM,CAAA;IACb,4EAA4E;IAC5E,WAAW,EAAE,MAAM,CAAA;IACnB,4DAA4D;IAC5D,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;IACxB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,gEAAgE;IAChE,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;IACzB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;CACzB;AAED,MAAM,WAAW,8BAA8B;IAC7C,wDAAwD;IACxD,eAAe,CACb,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,0BAA0B,GAAG,IAAI,CAAC,CAAA;IAC7C,6EAA6E;IAC7E,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,EAAE,CAAC,CAAA;IACjE,kFAAkF;IAClF,MAAM,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACzD,8DAA8D;IAC9D,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC/E,oDAAoD;IACpD,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACjF;;;;OAIG;IACH,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,EAAE,CAAC,CAAA;CACjF;AAED;;;;;;GAMG;AACH,MAAM,WAAW,4BAA4B;IAC3C,EAAE,EAAE,MAAM,CAAA;IACV,WAAW,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,kBAAkB,CAAA;IAC1B,mDAAmD;IACnD,WAAW,EAAE,MAAM,CAAA;IACnB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,gCAAgC;IAC/C,sEAAsE;IACtE,GAAG,CACD,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,kBAAkB,EAC1B,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,4BAA4B,GAAG,IAAI,CAAC,CAAA;IAC/C,8DAA8D;IAC9D,MAAM,CAAC,MAAM,EAAE,4BAA4B,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC3D,qFAAqF;IACrF,OAAO,CACL,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,kBAAkB,EAC1B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,IAAI,CAAC,CAAA;IAChB,kDAAkD;IAClD,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACrD,qFAAqF;IACrF,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;CAC5C"}

package/dist/ports/personal-subscription-repositories.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=personal-subscription-repositories.js.map

package/dist/ports/personal-subscription-repositories.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"personal-subscription-repositories.js","sourceRoot":"","sources":["../../src/ports/personal-subscription-repositories.ts"],"names":[],"mappings":""}

package/dist/ports/pr-mergeability.d.ts

@@ -0,0 +1,24 @@
+/**
+ * The normalised mergeability of a PR:
+ *  - `mergeable`  — merges cleanly into its base (nothing to resolve).
+ *  - `conflicted` — conflicts with its base and needs resolution.
+ *  - `unknown`    — GitHub has not finished computing mergeability yet (it is
+ *                   computed asynchronously), so the caller should poll again.
+ */
+export type MergeabilityVerdict = 'mergeable' | 'conflicted' | 'unknown';
+export interface MergeabilityReport {
+    /** The PR head commit these refer to; null when no open PR/branch is resolved. */
+    headSha: string | null;
+    /** The mergeability verdict; see {@link MergeabilityVerdict}. */
+    verdict: MergeabilityVerdict;
+}
+export interface PullRequestMergeabilityProvider {
+    /**
+     * Resolve the block's open PR and report whether it merges cleanly into its base.
+     * Returns `headSha: null` (verdict `unknown`) when no PR/branch is resolved — the
+     * engine treats that as "nothing to gate" and advances. Returns `unknown` with a
+     * head sha while GitHub is still computing mergeability, so the gate re-polls.
+     */
+    getMergeability(workspaceId: string, blockId: string): Promise<MergeabilityReport>;
+}
+//# sourceMappingURL=pr-mergeability.d.ts.map

package/dist/ports/pr-mergeability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pr-mergeability.d.ts","sourceRoot":"","sources":["../../src/ports/pr-mergeability.ts"],"names":[],"mappings":"AAMA;;;;;;GAMG;AACH,MAAM,MAAM,mBAAmB,GAAG,WAAW,GAAG,YAAY,GAAG,SAAS,CAAA;AAExE,MAAM,WAAW,kBAAkB;IACjC,kFAAkF;IAClF,OAAO,EAAE,MAAM,GAAG,IAAI,CAAA;IACtB,iEAAiE;IACjE,OAAO,EAAE,mBAAmB,CAAA;CAC7B;AAED,MAAM,WAAW,+BAA+B;IAC9C;;;;;OAKG;IACH,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAA;CACnF"}

package/dist/ports/pr-mergeability.js

@@ -0,0 +1,7 @@
+// Port for "can this block's PR be merged into its base, or does it conflict?".
+// The execution engine's `conflicts` gate calls this — and ONLY this — to decide
+// whether to dispatch the conflict-resolver before the merge step. Modelled as a
+// port so core stays free of GitHub specifics; the worker implements it against
+// the PR's lazily-computed `mergeable`/`mergeable_state`, and tests supply a fake.
+export {};
+//# sourceMappingURL=pr-mergeability.js.map

package/dist/ports/pr-mergeability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pr-mergeability.js","sourceRoot":"","sources":["../../src/ports/pr-mergeability.ts"],"names":[],"mappings":"AAAA,gFAAgF;AAChF,iFAAiF;AACjF,iFAAiF;AACjF,gFAAgF;AAChF,mFAAmF"}

package/dist/ports/pr-merger.d.ts

@@ -0,0 +1,10 @@
+export interface PullRequestMerger {
+    /**
+     * Merge the open pull request recorded on `blockId` (from its `pullRequest`
+     * ref). Resolves once the remote reports the merge succeeded. Throws if the
+     * block has no PR, the merge is blocked (e.g. failing required checks, conflicts)
+     * or the API call fails — the caller leaves the block awaiting a manual merge.
+     */
+    mergeForBlock(workspaceId: string, blockId: string): Promise<void>;
+}
+//# sourceMappingURL=pr-merger.d.ts.map

package/dist/ports/pr-merger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pr-merger.d.ts","sourceRoot":"","sources":["../../src/ports/pr-merger.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,iBAAiB;IAChC;;;;;OAKG;IACH,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACnE"}

package/dist/ports/pr-merger.js

@@ -0,0 +1,8 @@
+// Port for actually merging a block's pull request on the remote (GitHub). The
+// execution engine calls this — and ONLY this — when a task should transition to
+// `done`, so "done" provably means "the PR was merged" rather than a board-only
+// status flip. Modelled as a port so core stays free of GitHub specifics; the
+// worker implements it by resolving the block's repo target + open PR and calling
+// `GitHubClient.mergePullRequest`, and tests supply a fake.
+export {};
+//# sourceMappingURL=pr-merger.js.map

package/dist/ports/pr-merger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pr-merger.js","sourceRoot":"","sources":["../../src/ports/pr-merger.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,iFAAiF;AACjF,gFAAgF;AAChF,8EAA8E;AAC9E,kFAAkF;AAClF,4DAA4D"}

package/dist/ports/provider-api-key-repositories.d.ts

@@ -0,0 +1,71 @@
+/** The scope a stored API key belongs to. */
+export type ApiKeyScope = 'account' | 'workspace' | 'user';
+/** The direct providers that own a poolable API key (NOT subscription vendors). */
+export type ApiKeyProvider = 'openai' | 'anthropic' | 'qwen' | 'deepseek' | 'moonshot' | 'openrouter' | 'litellm';
+/** A (scope, scopeId) pair — the addressing of a pool segment. */
+export interface ApiKeyScopeRef {
+    scope: ApiKeyScope;
+    /** The workspace id, account id, or `usr_*` user id, per scope. */
+    scopeId: string;
+}
+/**
+ * One API key in a scope's pool. `keyCipher` is the SecretCipher envelope of the
+ * raw vendor key. Usage counters are scoped to the current rolling window (reset
+ * when `windowStartedAt` ages out), mirroring the subscription pool.
+ */
+export interface ProviderApiKeyRecord {
+    id: string;
+    scope: ApiKeyScope;
+    /** workspace id | account id | `usr_*` user id, per `scope`. */
+    scopeId: string;
+    provider: ApiKeyProvider;
+    label: string;
+    /** Ciphertext of the raw API key (SecretCipher envelope). */
+    keyCipher: string;
+    createdAt: number;
+    /** When this key was last leased (null = never used). */
+    lastUsedAt: number | null;
+    /** Start of the current rolling usage window (null = no usage recorded yet). */
+    windowStartedAt: number | null;
+    inputTokens: number;
+    outputTokens: number;
+    requestCount: number;
+    /** Set when the key is removed (tombstone). */
+    deletedAt: number | null;
+}
+export interface ProviderApiKeyRepository {
+    /**
+     * All live keys for one (scope, scopeId), oldest first. Filtered to a single
+     * `provider` when given, else every provider in the scope (one query, not N).
+     */
+    listByScope(scope: ApiKeyScope, scopeId: string, provider?: ApiKeyProvider): Promise<ProviderApiKeyRecord[]>;
+    /**
+     * All live keys for one provider across MANY scope segments — the merged-pool
+     * read used by lease(). Returns rows from every matching (scope, scopeId).
+     */
+    listForPool(scopes: ApiKeyScopeRef[], provider: ApiKeyProvider): Promise<ProviderApiKeyRecord[]>;
+    /** Distinct providers that have ≥1 live key across the given scope segments. */
+    listConfiguredProviders(scopes: ApiKeyScopeRef[]): Promise<ApiKeyProvider[]>;
+    /** Fetch one live key by id (scoped to its segment). */
+    getById(scope: ApiKeyScope, scopeId: string, id: string): Promise<ProviderApiKeyRecord | null>;
+    /** Insert a new key. */
+    add(record: ProviderApiKeyRecord): Promise<void>;
+    /**
+     * Stamp `lastUsedAt` on the leased key. Keyed by ROW ID alone: a leased row may
+     * belong to any of the three scopes merged at lease time, so there is no single
+     * scope to filter by. Ids are opaque (`apikey_*`) and never exposed cross-tenant.
+     */
+    markLeased(id: string, at: number): Promise<void>;
+    /**
+     * Fold a completed call's usage into the key's rolling-window counters (keyed by
+     * row id, see markLeased). When `windowStartedAt` is null or older than
+     * `windowMs`, the window resets to `at` and the counters start from this call.
+     */
+    recordUsage(id: string, usage: {
+        inputTokens: number;
+        outputTokens: number;
+    }, at: number, windowMs: number): Promise<void>;
+    /** Tombstone a key (scoped to its segment). */
+    softDelete(scope: ApiKeyScope, scopeId: string, id: string, at: number): Promise<void>;
+}
+//# sourceMappingURL=provider-api-key-repositories.d.ts.map

package/dist/ports/provider-api-key-repositories.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-api-key-repositories.d.ts","sourceRoot":"","sources":["../../src/ports/provider-api-key-repositories.ts"],"names":[],"mappings":"AAcA,6CAA6C;AAC7C,MAAM,MAAM,WAAW,GAAG,SAAS,GAAG,WAAW,GAAG,MAAM,CAAA;AAE1D,mFAAmF;AACnF,MAAM,MAAM,cAAc,GACtB,QAAQ,GACR,WAAW,GACX,MAAM,GACN,UAAU,GACV,UAAU,GACV,YAAY,GACZ,SAAS,CAAA;AAEb,kEAAkE;AAClE,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,WAAW,CAAA;IAClB,mEAAmE;IACnE,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,WAAW,CAAA;IAClB,gEAAgE;IAChE,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,EAAE,cAAc,CAAA;IACxB,KAAK,EAAE,MAAM,CAAA;IACb,6DAA6D;IAC7D,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,yDAAyD;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;IACzB,gFAAgF;IAChF,eAAe,EAAE,MAAM,GAAG,IAAI,CAAA;IAC9B,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,YAAY,EAAE,MAAM,CAAA;IACpB,+CAA+C;IAC/C,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;CACzB;AAED,MAAM,WAAW,wBAAwB;IACvC;;;OAGG;IACH,WAAW,CACT,KAAK,EAAE,WAAW,EAClB,OAAO,EAAE,MAAM,EACf,QAAQ,CAAC,EAAE,cAAc,GACxB,OAAO,CAAC,oBAAoB,EAAE,CAAC,CAAA;IAClC;;;OAGG;IACH,WAAW,CAAC,MAAM,EAAE,cAAc,EAAE,EAAE,QAAQ,EAAE,cAAc,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC,CAAA;IAChG,gFAAgF;IAChF,uBAAuB,CAAC,MAAM,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAAA;IAC5E,wDAAwD;IACxD,OAAO,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAAA;IAC9F,wBAAwB;IACxB,GAAG,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAChD;;;;OAIG;IACH,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACjD;;;;OAIG;IACH,WAAW,CACT,EAAE,EAAE,MAAM,EACV,KAAK,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,EACpD,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAAA;IAChB,+CAA+C;IAC/C,UAAU,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACvF"}

package/dist/ports/provider-api-key-repositories.js

@@ -0,0 +1,15 @@
+// Persistence port for the direct-provider API-key pool. Unlike subscription
+// tokens (Claude Code / Codex harness credentials, scoped per workspace+vendor),
+// these are raw vendor API keys (OpenAI/Anthropic/Qwen/DeepSeek/Moonshot) that
+// authenticate the LLM proxy + inline model calls. They are onboarded via the UI
+// and stored encrypted in the DB (a SecretCipher envelope — never plaintext),
+// replacing the old deployment-env onboarding.
+//
+// A key is stored at one of three SCOPES — account, workspace, or user. When a
+// run in a workspace needs a provider key, the candidate pool is the UNION of the
+// workspace's keys, its owning account's keys, and the run initiator's own user
+// keys; the least-loaded key wins (usage-aware rotation, identical to the
+// subscription pool). Both runtimes implement this (Cloudflare D1 + Node/local
+// Postgres) so behaviour is identical everywhere.
+export {};
+//# sourceMappingURL=provider-api-key-repositories.js.map

package/dist/ports/provider-api-key-repositories.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-api-key-repositories.js","sourceRoot":"","sources":["../../src/ports/provider-api-key-repositories.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAC7E,iFAAiF;AACjF,+EAA+E;AAC/E,iFAAiF;AACjF,8EAA8E;AAC9E,+CAA+C;AAC/C,EAAE;AACF,+EAA+E;AAC/E,kFAAkF;AAClF,gFAAgF;AAChF,0EAA0E;AAC1E,+EAA+E;AAC/E,kDAAkD"}

package/dist/ports/provider-subscription-repositories.d.ts

@@ -0,0 +1,51 @@
+/** The vendors whose subscription harnesses we support. */
+export type SubscriptionVendor = 'claude' | 'codex' | 'glm' | 'kimi' | 'deepseek';
+/**
+ * One subscription credential in a workspace's pool. `tokenCipher` is the
+ * SecretCipher envelope of the raw secret: a `CLAUDE_CODE_OAUTH_TOKEN` string
+ * for `claude`, or the full `auth.json` text for `codex`. Usage counters are
+ * scoped to the current rolling window (reset when `windowStartedAt` ages out).
+ */
+export interface ProviderSubscriptionTokenRecord {
+    id: string;
+    workspaceId: string;
+    vendor: SubscriptionVendor;
+    label: string;
+    /** Ciphertext of the credential (SecretCipher envelope). */
+    tokenCipher: string;
+    createdAt: number;
+    /** When this token was last leased for a job (null = never used). */
+    lastUsedAt: number | null;
+    /** Start of the current rolling usage window (null = no usage recorded yet). */
+    windowStartedAt: number | null;
+    /** Input tokens consumed in the current window. */
+    inputTokens: number;
+    /** Output tokens consumed in the current window. */
+    outputTokens: number;
+    /** Job count in the current window. */
+    requestCount: number;
+    /** Set when the workspace removes the token (tombstone). */
+    deletedAt: number | null;
+}
+export interface ProviderSubscriptionTokenRepository {
+    /** All live tokens for a workspace + vendor, oldest first. */
+    listByVendor(workspaceId: string, vendor: SubscriptionVendor): Promise<ProviderSubscriptionTokenRecord[]>;
+    /** Fetch one live token by id (scoped to the workspace). */
+    getById(workspaceId: string, id: string): Promise<ProviderSubscriptionTokenRecord | null>;
+    /** Insert a new pool token. */
+    add(record: ProviderSubscriptionTokenRecord): Promise<void>;
+    /** Stamp `lastUsedAt` on the leased token (scoped to the workspace). */
+    markLeased(workspaceId: string, id: string, at: number): Promise<void>;
+    /**
+     * Fold a completed job's usage into the token's rolling-window counters (scoped to
+     * the workspace). When `windowStartedAt` is null or older than `windowMs`, the
+     * window resets to `at` and the counters start from this run.
+     */
+    recordUsage(workspaceId: string, id: string, usage: {
+        inputTokens: number;
+        outputTokens: number;
+    }, at: number, windowMs: number): Promise<void>;
+    /** Tombstone a token. */
+    softDelete(workspaceId: string, id: string, at: number): Promise<void>;
+}
+//# sourceMappingURL=provider-subscription-repositories.d.ts.map

package/dist/ports/provider-subscription-repositories.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-subscription-repositories.d.ts","sourceRoot":"","sources":["../../src/ports/provider-subscription-repositories.ts"],"names":[],"mappings":"AAcA,2DAA2D;AAC3D,MAAM,MAAM,kBAAkB,GAAG,QAAQ,GAAG,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,UAAU,CAAA;AAEjF;;;;;GAKG;AACH,MAAM,WAAW,+BAA+B;IAC9C,EAAE,EAAE,MAAM,CAAA;IACV,WAAW,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,kBAAkB,CAAA;IAC1B,KAAK,EAAE,MAAM,CAAA;IACb,4DAA4D;IAC5D,WAAW,EAAE,MAAM,CAAA;IACnB,SAAS,EAAE,MAAM,CAAA;IACjB,qEAAqE;IACrE,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;IACzB,gFAAgF;IAChF,eAAe,EAAE,MAAM,GAAG,IAAI,CAAA;IAC9B,mDAAmD;IACnD,WAAW,EAAE,MAAM,CAAA;IACnB,oDAAoD;IACpD,YAAY,EAAE,MAAM,CAAA;IACpB,uCAAuC;IACvC,YAAY,EAAE,MAAM,CAAA;IACpB,4DAA4D;IAC5D,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;CACzB;AAED,MAAM,WAAW,mCAAmC;IAClD,8DAA8D;IAC9D,YAAY,CACV,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,+BAA+B,EAAE,CAAC,CAAA;IAC7C,4DAA4D;IAC5D,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,+BAA+B,GAAG,IAAI,CAAC,CAAA;IACzF,+BAA+B;IAC/B,GAAG,CAAC,MAAM,EAAE,+BAA+B,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC3D,wEAAwE;IACxE,UAAU,CAAC,WAAW,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACtE;;;;OAIG;IACH,WAAW,CACT,WAAW,EAAE,MAAM,EACnB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,EACpD,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAAA;IAChB,yBAAyB;IACzB,UAAU,CAAC,WAAW,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACvE"}

package/dist/ports/provider-subscription-repositories.js

@@ -0,0 +1,15 @@
+// Persistence port for the provider-subscription token pool. A workspace can
+// connect one or more subscription credentials per vendor (a Claude
+// Pro/Max OAuth token, a ChatGPT Plus/Pro `auth.json` bundle) so the
+// Claude Code / Codex harnesses can authenticate inside a per-run container
+// without an API key. Rows are scoped by workspace + vendor; the credential is
+// stored as opaque ciphertext (see the SecretCipher port) — this record never
+// holds the plaintext token.
+//
+// The pool is leased with usage-aware rotation: each row carries rolling-window
+// usage counters that the dispatch path updates after a run, so the least-loaded
+// token is preferred (round-robin by lastUsedAt is only the tiebreaker). Both
+// runtimes implement this (Cloudflare D1 + Node/local Postgres) so the harness
+// behaves identically everywhere.
+export {};
+//# sourceMappingURL=provider-subscription-repositories.js.map

package/dist/ports/provider-subscription-repositories.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-subscription-repositories.js","sourceRoot":"","sources":["../../src/ports/provider-subscription-repositories.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAC7E,oEAAoE;AACpE,qEAAqE;AACrE,4EAA4E;AAC5E,+EAA+E;AAC/E,8EAA8E;AAC9E,6BAA6B;AAC7B,EAAE;AACF,gFAAgF;AAChF,iFAAiF;AACjF,8EAA8E;AAC9E,+EAA+E;AAC/E,kCAAkC"}

package/dist/ports/recurring-repositories.d.ts

@@ -0,0 +1,46 @@
+import type { PipelineSchedule, ScheduleRun } from '../domain/types.js';
+/** A due schedule the sweeper should fire, paired with its owning workspace. */
+export interface DueSchedule {
+    workspaceId: string;
+    schedule: PipelineSchedule;
+}
+export interface PipelineScheduleRepository {
+    /** A schedule by id, or null if it does not exist. */
+    get(workspaceId: string, id: string): Promise<PipelineSchedule | null>;
+    /** The schedule whose reused block is `blockId`, or null. */
+    getByBlock(workspaceId: string, blockId: string): Promise<PipelineSchedule | null>;
+    /** All schedules for a workspace (for the snapshot + UI). */
+    list(workspaceId: string): Promise<PipelineSchedule[]>;
+    /**
+     * All schedules owned by a service, regardless of which workspace created them. Backs
+     * the in-org board: a schedule on a shared service shows on every workspace that mounts
+     * it. (Matches the schedule's `service_id` column.)
+     */
+    listByService(serviceId: string): Promise<PipelineSchedule[]>;
+    /**
+     * Every schedule owned by ANY of the given services, in a single (chunked) query — the
+     * batched form of {@link PipelineScheduleRepository.listByService} used to compose a board's
+     * schedules from all the services it mounts without one round-trip per mount. Empty input →
+     * empty.
+     */
+    listByServices(serviceIds: string[]): Promise<PipelineSchedule[]>;
+    /**
+     * Every enabled schedule across ALL workspaces whose `nextRunAt <= asOf`. The
+     * sweeper fires each one; the engine skips any whose block already has an active
+     * run. Ordered by `nextRunAt` ascending.
+     */
+    listDue(asOf: number): Promise<DueSchedule[]>;
+    /** Create or replace a schedule (keyed by id). */
+    upsert(workspaceId: string, schedule: PipelineSchedule): Promise<void>;
+    /** Remove a schedule by id (no-op if absent). Does not touch its run history. */
+    remove(workspaceId: string, id: string): Promise<void>;
+    /** Record a fire of a schedule. */
+    insertRun(workspaceId: string, run: ScheduleRun): Promise<void>;
+    /** Patch a run (e.g. set `status`/`finishedAt`/`outcome`). */
+    updateRun(workspaceId: string, runId: string, patch: Partial<Pick<ScheduleRun, 'status' | 'finishedAt' | 'outcome' | 'executionId'>>): Promise<void>;
+    /** A schedule's run history (most recent first). */
+    listRuns(workspaceId: string, scheduleId: string): Promise<ScheduleRun[]>;
+    /** Delete all run history started before `before` (retention). Returns rows removed. */
+    pruneRunsBefore(before: number): Promise<number>;
+}
+//# sourceMappingURL=recurring-repositories.d.ts.map