@cat-factory/local-server 0.6.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Igor Savin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/LocalDockerRunnerTransport.d.ts

@@ -0,0 +1,95 @@
+import type { RunnerDispatchKind, RunnerDispatchOptions, RunnerJobRef, RunnerJobView, RunnerTransport } from '@cat-factory/kernel';
+/** Injectable docker/podman CLI runner — overridable in tests. */
+export type DockerExec = (args: string[]) => Promise<{
+    stdout: string;
+    stderr: string;
+}>;
+export interface LocalDockerRunnerTransportOptions {
+    /** The executor-harness image ref (a GHCR pull or a locally built tag). */
+    image: string;
+    /** The container CLI binary. Default `docker` (Podman works via the same surface). */
+    binary?: string;
+    /**
+     * Shared secret injected as `HARNESS_SHARED_SECRET` and sent as the
+     * `x-harness-secret` header on every call. Defaults to a random per-process value.
+     */
+    sharedSecret?: string;
+    /**
+     * Add `--add-host=host.docker.internal:host-gateway` so the harness can reach the
+     * backend LLM proxy at `host.docker.internal` (needed on Linux; harmless on
+     * Docker Desktop). Default true.
+     */
+    addHostGateway?: boolean;
+    /** Optional `--network` for the container. */
+    network?: string;
+    /** Extra `-e KEY=VALUE` env passed into the container (rarely needed). */
+    env?: Record<string, string>;
+    /** Injectable docker exec — defaults to running {@link binary} via execFile. */
+    exec?: DockerExec;
+    /** Injectable fetch — defaults to the global. */
+    fetchImpl?: typeof fetch;
+    /** How long to wait for the container's port + `/health` after start. Default 60s. */
+    readyTimeoutMs?: number;
+    /** Per-HTTP-call timeout. Default 30s. */
+    requestTimeoutMs?: number;
+    /**
+     * Run the Tester (`test`) job container with `--privileged` so its in-container
+     * Docker-in-Docker daemon can start and the Tester can `docker compose up` the
+     * service's local infra. This is the local analogue of the Cloudflare harness's
+     * rootless-dockerd path, but reliable: on a developer machine privileged DinD
+     * "just works", keeping the service's dependencies on the job container's own
+     * `localhost` (exactly what the Tester prompt assumes). Default true; set false to
+     * fall back to the harness's best-effort rootless daemon (e.g. under Podman, whose
+     * rootless containers can run nested Podman without `--privileged`). Only the
+     * `test` kind gets it — every other kind runs unprivileged. See entrypoint.sh.
+     */
+    privilegedTestJobs?: boolean;
+}
+export declare class LocalDockerRunnerTransport implements RunnerTransport {
+    private readonly image;
+    private readonly binary;
+    private readonly sharedSecret;
+    private readonly addHostGateway;
+    private readonly network?;
+    private readonly extraEnv;
+    private readonly exec;
+    private readonly fetchImpl;
+    private readonly readyTimeoutMs;
+    private readonly requestTimeoutMs;
+    private readonly privilegedTestJobs;
+    /** runId → resolved container handle, to spare a `docker` lookup on the hot poll path. */
+    private readonly cache;
+    constructor(options: LocalDockerRunnerTransportOptions);
+    dispatch(ref: RunnerJobRef, spec: Record<string, unknown>, kind?: RunnerDispatchKind, options?: RunnerDispatchOptions): Promise<void>;
+    poll(ref: RunnerJobRef): Promise<RunnerJobView>;
+    /**
+     * Reclaim the per-RUN container now (`docker rm -f`) rather than leaving it idle —
+     * this tears down the whole run's container (and with it any step still running in
+     * it). Best-effort and idempotent: removing an already-gone container is a no-op.
+     */
+    release(ref: RunnerJobRef): Promise<void>;
+    /**
+     * Reap exited per-job containers this transport manages — orphans a crash or hard
+     * kill left behind (release() never ran for them). Best-effort; returns the count
+     * removed. Call once at boot, before any job is in flight.
+     */
+    reapExited(): Promise<number>;
+    /** Force-remove every (running or exited) container labelled with this run id. */
+    private removeContainersForRun;
+    private url;
+    /** The container handle for a run from the cache, else rediscovered by label. */
+    private resolve;
+    /** The (running-or-exited) container id labelled with this run id, if any. */
+    private findContainer;
+    /** Parse the published host port for the harness port, or undefined if unmapped. */
+    private hostPort;
+    private waitForPort;
+    private waitForHealth;
+    private isRunning;
+}
+/**
+ * Build a {@link LocalDockerRunnerTransport} from the process environment. The image
+ * ref (`LOCAL_HARNESS_IMAGE`) is required; everything else has sane local defaults.
+ */
+export declare function createLocalDockerTransportFromEnv(env: NodeJS.ProcessEnv): LocalDockerRunnerTransport;
+//# sourceMappingURL=LocalDockerRunnerTransport.d.ts.map

package/dist/LocalDockerRunnerTransport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"LocalDockerRunnerTransport.d.ts","sourceRoot":"","sources":["../src/LocalDockerRunnerTransport.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,kBAAkB,EAClB,qBAAqB,EACrB,YAAY,EACZ,aAAa,EACb,eAAe,EAChB,MAAM,qBAAqB,CAAA;AAkD5B,kEAAkE;AAClE,MAAM,MAAM,UAAU,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAAA;AAExF,MAAM,WAAW,iCAAiC;IAChD,2EAA2E;IAC3E,KAAK,EAAE,MAAM,CAAA;IACb,sFAAsF;IACtF,MAAM,CAAC,EAAE,MAAM,CAAA;IACf;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;;;OAIG;IACH,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,8CAA8C;IAC9C,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,0EAA0E;IAC1E,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC5B,gFAAgF;IAChF,IAAI,CAAC,EAAE,UAAU,CAAA;IACjB,iDAAiD;IACjD,SAAS,CAAC,EAAE,OAAO,KAAK,CAAA;IACxB,sFAAsF;IACtF,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,0CAA0C;IAC1C,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB;;;;;;;;;;OAUG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;CAC7B;AAID,qBAAa,0BAA2B,YAAW,eAAe;IAChE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;IAC9B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAQ;IAC/B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAQ;IACrC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAQ;IACjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAwB;IACjD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAY;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAc;IACxC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAQ;IACvC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAQ;IACzC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAS;IAE5C,0FAA0F;IAC1F,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA2D;IAEjF,YAAY,OAAO,EAAE,iCAAiC,EAarD;IAEK,QAAQ,CACZ,GAAG,EAAE,YAAY,EACjB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,IAAI,GAAE,kBAA0B,EAChC,OAAO,CAAC,EAAE,qBAAqB,GAC9B,OAAO,CAAC,IAAI,CAAC,CA+Df;IAEK,IAAI,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC,CAmCpD;IAED;;;;OAIG;IACG,OAAO,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAM9C;IAED;;;;OAIG;IACG,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,CAgBlC;IAID,kFAAkF;YACpE,sBAAsB;IAiBpC,OAAO,CAAC,GAAG;IAIX,iFAAiF;YACnE,OAAO;IAYrB,8EAA8E;YAChE,aAAa;IAY3B,oFAAoF;YACtE,QAAQ;YAUR,WAAW;YAYX,aAAa;YAmBb,SAAS;CASxB;AAUD;;;GAGG;AACH,wBAAgB,iCAAiC,CAC/C,GAAG,EAAE,MAAM,CAAC,UAAU,GACrB,0BAA0B,CAmB5B"}

package/dist/LocalDockerRunnerTransport.js

@@ -0,0 +1,342 @@
+import { execFile } from 'node:child_process';
+import { randomBytes } from 'node:crypto';
+import { promisify } from 'node:util';
+import { resolveDockerResources } from '@cat-factory/contracts';
+const execFileAsync = promisify(execFile);
+// The local-mode runner backend: each RUN gets its OWN local Docker/Podman container
+// — the SAME executor-harness image the Cloudflare Worker runs per-run Containers
+// from — which hosts that run's whole sequence of step jobs. It is the local analogue
+// of `CloudflareContainerTransport` (a per-run Cloudflare Container) and of
+// `RunnerPoolTransport` (an org's self-hosted pool): the ContainerAgentExecutor drives
+// all three identically through the `RunnerTransport` port, addressed by a
+// {@link RunnerJobRef} — the run id (which container) plus the per-step job id.
+//
+// A container is started per RUN (`docker run -d`, harness `:8080` published to an
+// ephemeral host port), labelled with the run id so the run's later steps re-attach to
+// it instead of starting a duplicate, and the harness keys each step's job by the
+// per-step job id (so siblings never collide). The harness reaches this service's LLM proxy at
+// `host.docker.internal` — published via `--add-host` on Linux — and clones/pushes
+// to github.com directly with the per-job token in the request body. Nothing
+// long-lived is mounted: the per-job GitHub + proxy tokens travel in the POST body
+// and live only for the job, in the container's ephemeral filesystem.
+/** Maps a dispatch kind to the harness HTTP route that starts that job. */
+const KIND_ROUTE = {
+    run: '/run',
+    blueprint: '/blueprint',
+    spec: '/spec',
+    explore: '/explore',
+    bootstrap: '/bootstrap',
+    'ci-fix': '/ci-fix',
+    'resolve-conflicts': '/resolve-conflicts',
+    merge: '/merge',
+    test: '/test',
+    'fix-tests': '/fix-tests',
+};
+// The failed-poll error the engine classifies as a container eviction (matched by
+// orchestration `isContainerEvictionError`, also used by the bootstrap flow). A
+// vanished/exited local container maps to it so the run stops and the stale-run
+// sweeper can re-drive it — mirroring the Worker transport's 404 mapping.
+const EVICTION_ERROR = 'Job not found (container evicted or crashed)';
+// Labels the per-RUN container by its run id (the container key). A run's steps share
+// one container, so this is the run id, not a per-step job id.
+const LABEL_RUN = 'cat-factory.runId';
+const LABEL_MANAGED = 'cat-factory.managed=local-docker';
+/** The port the harness listens on inside the container. */
+const HARNESS_PORT = 8080;
+const SECRET_HEADER = 'x-harness-secret';
+const delay = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+export class LocalDockerRunnerTransport {
+    image;
+    binary;
+    sharedSecret;
+    addHostGateway;
+    network;
+    extraEnv;
+    exec;
+    fetchImpl;
+    readyTimeoutMs;
+    requestTimeoutMs;
+    privilegedTestJobs;
+    /** runId → resolved container handle, to spare a `docker` lookup on the hot poll path. */
+    cache = new Map();
+    constructor(options) {
+        this.image = options.image;
+        this.binary = options.binary ?? 'docker';
+        this.sharedSecret = options.sharedSecret ?? randomBytes(24).toString('hex');
+        this.addHostGateway = options.addHostGateway ?? true;
+        this.network = options.network;
+        this.extraEnv = options.env ?? {};
+        this.exec =
+            options.exec ?? ((args) => execFileAsync(this.binary, args, { maxBuffer: 16 * 1024 * 1024 }));
+        this.fetchImpl = options.fetchImpl ?? fetch;
+        this.readyTimeoutMs = options.readyTimeoutMs ?? 60_000;
+        this.requestTimeoutMs = options.requestTimeoutMs ?? 30_000;
+        this.privilegedTestJobs = options.privilegedTestJobs ?? true;
+    }
+    async dispatch(ref, spec, kind = 'run', options) {
+        // The container is per-RUN: a run's first step starts it, later steps re-attach to
+        // it (resolved by the run-id label), and the harness keys each step's job by the
+        // per-step `ref.jobId` carried in the spec body.
+        const runId = ref.runId;
+        let resolved = await this.resolve(runId);
+        if (!resolved) {
+            // A prior attempt may have left an exited/dead container under this run label
+            // (resolve() returns undefined for one whose port is no longer published). Remove
+            // any such container first so it can't shadow the fresh one in later label lookups
+            // (findContainer returns the first match).
+            await this.removeContainersForRun(runId);
+            const args = [
+                'run',
+                '-d',
+                '--label',
+                `${LABEL_RUN}=${runId}`,
+                '--label',
+                LABEL_MANAGED,
+                '-p',
+                `127.0.0.1:0:${HARNESS_PORT}`,
+                '-e',
+                `HARNESS_SHARED_SECRET=${this.sharedSecret}`,
+            ];
+            // Size the per-job container on the host daemon from the service's abstract
+            // instance size — the local backend never touches a cloud, it just provisions a
+            // bigger/smaller Docker container (`--memory`/`--cpus`).
+            if (options?.instanceSize) {
+                const { memory, cpus } = resolveDockerResources(options.instanceSize);
+                args.push('--memory', memory, '--cpus', cpus);
+            }
+            // The Tester stands its infra up with `docker compose` INSIDE the job container
+            // (Docker-in-Docker), so the dependencies sit on the container's own localhost.
+            // Run that one kind privileged so the in-container daemon can start. No other
+            // kind needs Docker, so none other gets elevated.
+            if (kind === 'test' && this.privilegedTestJobs)
+                args.push('--privileged');
+            if (this.addHostGateway)
+                args.push('--add-host=host.docker.internal:host-gateway');
+            if (this.network)
+                args.push('--network', this.network);
+            for (const [k, v] of Object.entries(this.extraEnv))
+                args.push('-e', `${k}=${v}`);
+            args.push(this.image);
+            const { stdout } = await this.exec(args);
+            const containerId = stdout.trim().split(/\s+/).pop();
+            if (!containerId)
+                throw new Error('docker run returned no container id');
+            const port = await this.waitForPort(containerId);
+            resolved = { containerId, port };
+            this.cache.set(runId, resolved);
+            await this.waitForHealth(resolved.port);
+        }
+        // POST the job to the kind's route. Idempotent: re-attaching to an already-running
+        // container re-POSTs, which the harness's per-id registry treats as a re-attach.
+        const res = await this.fetchImpl(this.url(resolved.port, KIND_ROUTE[kind]), {
+            method: 'POST',
+            headers: { 'content-type': 'application/json', [SECRET_HEADER]: this.sharedSecret },
+            body: JSON.stringify(spec),
+            signal: AbortSignal.timeout(this.requestTimeoutMs),
+        });
+        if (!res.ok) {
+            throw new Error(`Local container dispatch failed (HTTP ${res.status}): ${await safeText(res)}`);
+        }
+    }
+    async poll(ref) {
+        const resolved = await this.resolve(ref.runId);
+        // No container for this run at all → it was evicted/reaped (or never started).
+        if (!resolved)
+            return { state: 'failed', error: EVICTION_ERROR };
+        let res;
+        try {
+            // Address the per-RUN container, but read the per-step job by its own id.
+            res = await this.fetchImpl(this.url(resolved.port, `/jobs/${encodeURIComponent(ref.jobId)}`), {
+                method: 'GET',
+                headers: { [SECRET_HEADER]: this.sharedSecret },
+                signal: AbortSignal.timeout(this.requestTimeoutMs),
+            });
+        }
+        catch (err) {
+            // Connection refused / DNS gone: the container most likely exited. Confirm via
+            // the daemon — if it is no longer running, report an eviction so the run stops;
+            // otherwise surface the transient error so the caller can retry.
+            if (!(await this.isRunning(resolved.containerId))) {
+                this.cache.delete(ref.runId);
+                return { state: 'failed', error: EVICTION_ERROR };
+            }
+            throw err;
+        }
+        // The container is up but the harness no longer knows this job id (it was reaped
+        // after completion, or the container was recreated): treat as an eviction.
+        if (res.status === 404)
+            return { state: 'failed', error: EVICTION_ERROR };
+        if (!res.ok) {
+            throw new Error(`Local container job poll failed (HTTP ${res.status}): ${await safeText(res)}`);
+        }
+        return (await res.json());
+    }
+    /**
+     * Reclaim the per-RUN container now (`docker rm -f`) rather than leaving it idle —
+     * this tears down the whole run's container (and with it any step still running in
+     * it). Best-effort and idempotent: removing an already-gone container is a no-op.
+     */
+    async release(ref) {
+        const containerId = this.cache.get(ref.runId)?.containerId ?? (await this.findContainer(ref.runId));
+        this.cache.delete(ref.runId);
+        if (!containerId)
+            return;
+        await this.exec(['rm', '-f', containerId]).catch(() => undefined);
+    }
+    /**
+     * Reap exited per-job containers this transport manages — orphans a crash or hard
+     * kill left behind (release() never ran for them). Best-effort; returns the count
+     * removed. Call once at boot, before any job is in flight.
+     */
+    async reapExited() {
+        const { stdout } = await this.exec([
+            'ps',
+            '-aq',
+            '--filter',
+            `label=${LABEL_MANAGED}`,
+            '--filter',
+            'status=exited',
+        ]);
+        const ids = stdout
+            .trim()
+            .split('\n')
+            .map((s) => s.trim())
+            .filter(Boolean);
+        if (ids.length)
+            await this.exec(['rm', '-f', ...ids]).catch(() => undefined);
+        return ids.length;
+    }
+    // --- internals ----------------------------------------------------------
+    /** Force-remove every (running or exited) container labelled with this run id. */
+    async removeContainersForRun(runId) {
+        const { stdout } = await this.exec([
+            'ps',
+            '-aq',
+            '--filter',
+            `label=${LABEL_RUN}=${runId}`,
+            '--filter',
+            `label=${LABEL_MANAGED}`,
+        ]);
+        const ids = stdout
+            .trim()
+            .split('\n')
+            .map((s) => s.trim())
+            .filter(Boolean);
+        if (ids.length)
+            await this.exec(['rm', '-f', ...ids]).catch(() => undefined);
+    }
+    url(port, path) {
+        return `http://127.0.0.1:${port}${path}`;
+    }
+    /** The container handle for a run from the cache, else rediscovered by label. */
+    async resolve(runId) {
+        const cached = this.cache.get(runId);
+        if (cached)
+            return cached;
+        const containerId = await this.findContainer(runId);
+        if (!containerId)
+            return undefined;
+        const port = await this.hostPort(containerId);
+        if (port === undefined)
+            return undefined;
+        const resolved = { containerId, port };
+        this.cache.set(runId, resolved);
+        return resolved;
+    }
+    /** The (running-or-exited) container id labelled with this run id, if any. */
+    async findContainer(runId) {
+        const { stdout } = await this.exec([
+            'ps',
+            '-aq',
+            '--filter',
+            `label=${LABEL_RUN}=${runId}`,
+            '--filter',
+            `label=${LABEL_MANAGED}`,
+        ]);
+        return stdout.trim().split('\n')[0]?.trim() || undefined;
+    }
+    /** Parse the published host port for the harness port, or undefined if unmapped. */
+    async hostPort(containerId) {
+        const { stdout } = await this.exec(['port', containerId, `${HARNESS_PORT}/tcp`]);
+        // e.g. "127.0.0.1:49153" (possibly several lines for IPv4/IPv6); take the last
+        // numeric segment of the first line.
+        const line = stdout.trim().split('\n')[0]?.trim();
+        if (!line)
+            return undefined;
+        const port = Number(line.slice(line.lastIndexOf(':') + 1));
+        return Number.isFinite(port) && port > 0 ? port : undefined;
+    }
+    async waitForPort(containerId) {
+        const deadline = Date.now() + this.readyTimeoutMs;
+        for (;;) {
+            const port = await this.hostPort(containerId).catch(() => undefined);
+            if (port !== undefined)
+                return port;
+            if (Date.now() >= deadline) {
+                throw new Error(`Timed out waiting for container ${containerId} to publish its port`);
+            }
+            await delay(250);
+        }
+    }
+    async waitForHealth(port) {
+        const deadline = Date.now() + this.readyTimeoutMs;
+        for (;;) {
+            try {
+                const res = await this.fetchImpl(this.url(port, '/health'), {
+                    method: 'GET',
+                    signal: AbortSignal.timeout(Math.min(this.requestTimeoutMs, 5_000)),
+                });
+                if (res.ok)
+                    return;
+            }
+            catch {
+                // not up yet
+            }
+            if (Date.now() >= deadline) {
+                throw new Error(`Timed out waiting for the harness on :${port} to become healthy`);
+            }
+            await delay(300);
+        }
+    }
+    async isRunning(containerId) {
+        try {
+            const { stdout } = await this.exec(['inspect', '-f', '{{.State.Running}}', containerId]);
+            return stdout.trim() === 'true';
+        }
+        catch {
+            // No such container → not running.
+            return false;
+        }
+    }
+}
+async function safeText(res) {
+    try {
+        return (await res.text()).slice(0, 500);
+    }
+    catch {
+        return '(no body)';
+    }
+}
+/**
+ * Build a {@link LocalDockerRunnerTransport} from the process environment. The image
+ * ref (`LOCAL_HARNESS_IMAGE`) is required; everything else has sane local defaults.
+ */
+export function createLocalDockerTransportFromEnv(env) {
+    const image = env.LOCAL_HARNESS_IMAGE?.trim();
+    if (!image) {
+        throw new Error('LOCAL_HARNESS_IMAGE is required for local mode: set it to the executor-harness image ref ' +
+            '(a GHCR pull or a tag built from backend/internal/executor-harness/Dockerfile).');
+    }
+    return new LocalDockerRunnerTransport({
+        image,
+        binary: env.LOCAL_DOCKER_BINARY?.trim() || 'docker',
+        sharedSecret: env.HARNESS_SHARED_SECRET?.trim() || undefined,
+        network: env.LOCAL_DOCKER_NETWORK?.trim() || undefined,
+        addHostGateway: env.LOCAL_DOCKER_ADD_HOST_GATEWAY?.trim() !== 'false',
+        // Default on: the Tester stands its docker-compose infra up via Docker-in-Docker,
+        // which needs a privileged job container. Set to `false` for runtimes that run
+        // nested containers without it (e.g. rootless Podman).
+        privilegedTestJobs: env.LOCAL_DOCKER_PRIVILEGED_TEST_JOBS?.trim() !== 'false',
+    });
+}
+//# sourceMappingURL=LocalDockerRunnerTransport.js.map

package/dist/LocalDockerRunnerTransport.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"LocalDockerRunnerTransport.js","sourceRoot":"","sources":["../src/LocalDockerRunnerTransport.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAA;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA;AAQrC,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAA;AAE/D,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAA;AAEzC,qFAAqF;AACrF,kFAAkF;AAClF,sFAAsF;AACtF,4EAA4E;AAC5E,uFAAuF;AACvF,2EAA2E;AAC3E,gFAAgF;AAChF,EAAE;AACF,mFAAmF;AACnF,uFAAuF;AACvF,kFAAkF;AAClF,+FAA+F;AAC/F,mFAAmF;AACnF,6EAA6E;AAC7E,mFAAmF;AACnF,sEAAsE;AAEtE,2EAA2E;AAC3E,MAAM,UAAU,GAAuC;IACrD,GAAG,EAAE,MAAM;IACX,SAAS,EAAE,YAAY;IACvB,IAAI,EAAE,OAAO;IACb,OAAO,EAAE,UAAU;IACnB,SAAS,EAAE,YAAY;IACvB,QAAQ,EAAE,SAAS;IACnB,mBAAmB,EAAE,oBAAoB;IACzC,KAAK,EAAE,QAAQ;IACf,IAAI,EAAE,OAAO;IACb,WAAW,EAAE,YAAY;CAC1B,CAAA;AAED,kFAAkF;AAClF,gFAAgF;AAChF,gFAAgF;AAChF,0EAA0E;AAC1E,MAAM,cAAc,GAAG,8CAA8C,CAAA;AAErE,sFAAsF;AACtF,+DAA+D;AAC/D,MAAM,SAAS,GAAG,mBAAmB,CAAA;AACrC,MAAM,aAAa,GAAG,kCAAkC,CAAA;AACxD,4DAA4D;AAC5D,MAAM,YAAY,GAAG,IAAI,CAAA;AACzB,MAAM,aAAa,GAAG,kBAAkB,CAAA;AA+CxC,MAAM,KAAK,GAAG,CAAC,EAAU,EAAE,EAAE,CAAC,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAA;AAErF,MAAM,OAAO,0BAA0B;IACpB,KAAK,CAAQ;IACb,MAAM,CAAQ;IACd,YAAY,CAAQ;IACpB,cAAc,CAAS;IACvB,OAAO,CAAS;IAChB,QAAQ,CAAwB;IAChC,IAAI,CAAY;IAChB,SAAS,CAAc;IACvB,cAAc,CAAQ;IACtB,gBAAgB,CAAQ;IACxB,kBAAkB,CAAS;IAE5C,0FAA0F;IACzE,KAAK,GAAG,IAAI,GAAG,EAAiD,CAAA;IAEjF,YAAY,OAA0C;QACpD,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAA;QAC1B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAA;QACxC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;QAC3E,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,IAAI,CAAA;QACpD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAA;QAC9B,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAA;QACjC,IAAI,CAAC,IAAI;YACP,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC,CAAC,CAAA;QAC/F,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,KAAK,CAAA;QAC3C,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,MAAM,CAAA;QACtD,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,MAAM,CAAA;QAC1D,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,IAAI,IAAI,CAAA;IAC9D,CAAC;IAED,KAAK,CAAC,QAAQ,CACZ,GAAiB,EACjB,IAA6B,EAC7B,IAAI,GAAuB,KAAK,EAChC,OAA+B;QAE/B,mFAAmF;QACnF,iFAAiF;QACjF,iDAAiD;QACjD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAA;QACvB,IAAI,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QACxC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,8EAA8E;YAC9E,kFAAkF;YAClF,mFAAmF;YACnF,2CAA2C;YAC3C,MAAM,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAA;YACxC,MAAM,IAAI,GAAG;gBACX,KAAK;gBACL,IAAI;gBACJ,SAAS;gBACT,GAAG,SAAS,IAAI,KAAK,EAAE;gBACvB,SAAS;gBACT,aAAa;gBACb,IAAI;gBACJ,eAAe,YAAY,EAAE;gBAC7B,IAAI;gBACJ,yBAAyB,IAAI,CAAC,YAAY,EAAE;aAC7C,CAAA;YACD,4EAA4E;YAC5E,gFAAgF;YAChF,yDAAyD;YACzD,IAAI,OAAO,EAAE,YAAY,EAAE,CAAC;gBAC1B,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,sBAAsB,CAAC,OAAO,CAAC,YAAY,CAAC,CAAA;gBACrE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAA;YAC/C,CAAC;YACD,gFAAgF;YAChF,gFAAgF;YAChF,8EAA8E;YAC9E,kDAAkD;YAClD,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,kBAAkB;gBAAE,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;YACzE,IAAI,IAAI,CAAC,cAAc;gBAAE,IAAI,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAA;YAClF,IAAI,IAAI,CAAC,OAAO;gBAAE,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;YACtD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;YAChF,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAErB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YACxC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAA;YACpD,IAAI,CAAC,WAAW;gBAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;YACxE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,CAAA;YAChD,QAAQ,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,CAAA;YAChC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAA;YAC/B,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAA;QACzC,CAAC;QAED,mFAAmF;QACnF,iFAAiF;QACjF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,EAAE;YAC1E,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,aAAa,CAAC,EAAE,IAAI,CAAC,YAAY,EAAE;YACnF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;YAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC;SACnD,CAAC,CAAA;QACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,yCAAyC,GAAG,CAAC,MAAM,MAAM,MAAM,QAAQ,CAAC,GAAG,CAAC,EAAE,CAC/E,CAAA;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAiB;QAC1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QAC9C,+EAA+E;QAC/E,IAAI,CAAC,QAAQ;YAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,CAAA;QAEhE,IAAI,GAAa,CAAA;QACjB,IAAI,CAAC;YACH,0EAA0E;YAC1E,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CACxB,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,SAAS,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EACjE;gBACE,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,EAAE,IAAI,CAAC,YAAY,EAAE;gBAC/C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC;aACnD,CACF,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,+EAA+E;YAC/E,gFAAgF;YAChF,iEAAiE;YACjE,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;gBAClD,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;gBAC5B,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,CAAA;YACnD,CAAC;YACD,MAAM,GAAG,CAAA;QACX,CAAC;QACD,iFAAiF;QACjF,2EAA2E;QAC3E,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,CAAA;QACzE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,yCAAyC,GAAG,CAAC,MAAM,MAAM,MAAM,QAAQ,CAAC,GAAG,CAAC,EAAE,CAC/E,CAAA;QACH,CAAC;QACD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAA;IAC5C,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,OAAO,CAAC,GAAiB;QAC7B,MAAM,WAAW,GACf,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,WAAW,IAAI,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAA;QACjF,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QAC5B,IAAI,CAAC,WAAW;YAAE,OAAM;QACxB,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;IACnE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC;YACjC,IAAI;YACJ,KAAK;YACL,UAAU;YACV,SAAS,aAAa,EAAE;YACxB,UAAU;YACV,eAAe;SAChB,CAAC,CAAA;QACF,MAAM,GAAG,GAAG,MAAM;aACf,IAAI,EAAE;aACN,KAAK,CAAC,IAAI,CAAC;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC,CAAA;QAClB,IAAI,GAAG,CAAC,MAAM;YAAE,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;QAC5E,OAAO,GAAG,CAAC,MAAM,CAAA;IACnB,CAAC;IAED,2EAA2E;IAE3E,kFAAkF;IAC1E,KAAK,CAAC,sBAAsB,CAAC,KAAa;QAChD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC;YACjC,IAAI;YACJ,KAAK;YACL,UAAU;YACV,SAAS,SAAS,IAAI,KAAK,EAAE;YAC7B,UAAU;YACV,SAAS,aAAa,EAAE;SACzB,CAAC,CAAA;QACF,MAAM,GAAG,GAAG,MAAM;aACf,IAAI,EAAE;aACN,KAAK,CAAC,IAAI,CAAC;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC,CAAA;QAClB,IAAI,GAAG,CAAC,MAAM;YAAE,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;IAC9E,CAAC;IAEO,GAAG,CAAC,IAAY,EAAE,IAAY;QACpC,OAAO,oBAAoB,IAAI,GAAG,IAAI,EAAE,CAAA;IAC1C,CAAC;IAED,iFAAiF;IACzE,KAAK,CAAC,OAAO,CAAC,KAAa;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACpC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAA;QACzB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAA;QACnD,IAAI,CAAC,WAAW;YAAE,OAAO,SAAS,CAAA;QAClC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;QAC7C,IAAI,IAAI,KAAK,SAAS;YAAE,OAAO,SAAS,CAAA;QACxC,MAAM,QAAQ,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,CAAA;QACtC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAA;QAC/B,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,8EAA8E;IACtE,KAAK,CAAC,aAAa,CAAC,KAAa;QACvC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC;YACjC,IAAI;YACJ,KAAK;YACL,UAAU;YACV,SAAS,SAAS,IAAI,KAAK,EAAE;YAC7B,UAAU;YACV,SAAS,aAAa,EAAE;SACzB,CAAC,CAAA;QACF,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAA;IAC1D,CAAC;IAED,oFAAoF;IAC5E,KAAK,CAAC,QAAQ,CAAC,WAAmB;QACxC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,GAAG,YAAY,MAAM,CAAC,CAAC,CAAA;QAChF,+EAA+E;QAC/E,qCAAqC;QACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAA;QACjD,IAAI,CAAC,IAAI;YAAE,OAAO,SAAS,CAAA;QAC3B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;QAC1D,OAAO,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAA;IAC7D,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,WAAmB;QAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,cAAc,CAAA;QACjD,SAAS,CAAC;YACR,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;YACpE,IAAI,IAAI,KAAK,SAAS;gBAAE,OAAO,IAAI,CAAA;YACnC,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,QAAQ,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,mCAAmC,WAAW,sBAAsB,CAAC,CAAA;YACvF,CAAC;YACD,MAAM,KAAK,CAAC,GAAG,CAAC,CAAA;QAClB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,IAAY;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,cAAc,CAAA;QACjD,SAAS,CAAC;YACR,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,EAAE;oBAC1D,MAAM,EAAE,KAAK;oBACb,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;iBACpE,CAAC,CAAA;gBACF,IAAI,GAAG,CAAC,EAAE;oBAAE,OAAM;YACpB,CAAC;YAAC,MAAM,CAAC;gBACP,aAAa;YACf,CAAC;YACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,QAAQ,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,yCAAyC,IAAI,oBAAoB,CAAC,CAAA;YACpF,CAAC;YACD,MAAM,KAAK,CAAC,GAAG,CAAC,CAAA;QAClB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,WAAmB;QACzC,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,CAAC,CAAC,CAAA;YACxF,OAAO,MAAM,CAAC,IAAI,EAAE,KAAK,MAAM,CAAA;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,mCAAmC;YACnC,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;CACF;AAED,KAAK,UAAU,QAAQ,CAAC,GAAa;IACnC,IAAI,CAAC;QACH,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,WAAW,CAAA;IACpB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iCAAiC,CAC/C,GAAsB;IAEtB,MAAM,KAAK,GAAG,GAAG,CAAC,mBAAmB,EAAE,IAAI,EAAE,CAAA;IAC7C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,2FAA2F;YACzF,iFAAiF,CACpF,CAAA;IACH,CAAC;IACD,OAAO,IAAI,0BAA0B,CAAC;QACpC,KAAK;QACL,MAAM,EAAE,GAAG,CAAC,mBAAmB,EAAE,IAAI,EAAE,IAAI,QAAQ;QACnD,YAAY,EAAE,GAAG,CAAC,qBAAqB,EAAE,IAAI,EAAE,IAAI,SAAS;QAC5D,OAAO,EAAE,GAAG,CAAC,oBAAoB,EAAE,IAAI,EAAE,IAAI,SAAS;QACtD,cAAc,EAAE,GAAG,CAAC,6BAA6B,EAAE,IAAI,EAAE,KAAK,OAAO;QACrE,kFAAkF;QAClF,+EAA+E;QAC/E,uDAAuD;QACvD,kBAAkB,EAAE,GAAG,CAAC,iCAAiC,EAAE,IAAI,EAAE,KAAK,OAAO;KAC9E,CAAC,CAAA;AACJ,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,9 @@
+import type { AppConfig } from '@cat-factory/server';
+/**
+ * Apply local-mode env defaults onto a copy of {@link env}. Idempotent: an explicitly
+ * set value is always preserved, so calling it twice (loader + container) is safe.
+ */
+export declare function applyLocalDefaults(env: NodeJS.ProcessEnv): NodeJS.ProcessEnv;
+/** The shared {@link AppConfig} with local-mode defaults applied. */
+export declare function loadLocalConfig(env: NodeJS.ProcessEnv): AppConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAA;AAepD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAmB5E;AAED,qEAAqE;AACrE,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,UAAU,GAAG,SAAS,CAEjE"}

package/dist/config.js

@@ -0,0 +1,42 @@
+import { randomBytes } from 'node:crypto';
+import { loadNodeConfig } from '@cat-factory/node-server';
+// Local mode is a single developer running the whole product on their own machine.
+// It reuses the Node facade's config loader verbatim and only changes the defaults
+// that would otherwise force cloud-style setup:
+//   - the auth gate defaults OPEN (no GitHub OAuth app to register) — never in a
+//     production ENVIRONMENT (`loadNodeConfig` enforces that);
+//   - a session secret is generated if absent (it only signs the short-lived LLM-proxy
+//     tokens the local container uses; a per-process value is fine for dev);
+//   - PUBLIC_URL defaults to `host.docker.internal:<PORT>` so a job's container can
+//     reach this service's LLM proxy from inside Docker.
+// Every default is overridable: setting the corresponding env var wins.
+const DEFAULT_PORT = '8787';
+/**
+ * Apply local-mode env defaults onto a copy of {@link env}. Idempotent: an explicitly
+ * set value is always preserved, so calling it twice (loader + container) is safe.
+ */
+export function applyLocalDefaults(env) {
+    const port = env.PORT?.trim() || DEFAULT_PORT;
+    return {
+        ...env,
+        // `|| 'true'` (not `??`) so an explicit empty `AUTH_DEV_OPEN=` still defaults open,
+        // consistent with the other fields here; set `AUTH_DEV_OPEN=false` to close the gate.
+        AUTH_DEV_OPEN: env.AUTH_DEV_OPEN?.trim() || 'true',
+        // Stable within a process; only signs short-lived proxy tokens for local jobs.
+        AUTH_SESSION_SECRET: env.AUTH_SESSION_SECRET?.trim() || randomBytes(32).toString('hex'),
+        // The shared key backing credential encryption at rest (document/task/runner/slack
+        // integrations, personal subscriptions). `loadNodeConfig` requires it, so generate a
+        // per-process key when absent — enough to boot and run a pipeline. Set ENCRYPTION_KEY
+        // explicitly to keep encrypted-at-rest credentials decryptable across restarts.
+        ENCRYPTION_KEY: env.ENCRYPTION_KEY?.trim() || randomBytes(32).toString('base64'),
+        // The harness (inside Docker) posts to `${PUBLIC_URL}/v1`; host.docker.internal
+        // routes back to this service on the host. The transport publishes the gateway
+        // host alias on Linux via `--add-host`.
+        PUBLIC_URL: env.PUBLIC_URL?.trim() || `http://host.docker.internal:${port}`,
+    };
+}
+/** The shared {@link AppConfig} with local-mode defaults applied. */
+export function loadLocalConfig(env) {
+    return loadNodeConfig(applyLocalDefaults(env));
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AAGzD,mFAAmF;AACnF,mFAAmF;AACnF,gDAAgD;AAChD,iFAAiF;AACjF,+DAA+D;AAC/D,uFAAuF;AACvF,6EAA6E;AAC7E,oFAAoF;AACpF,yDAAyD;AACzD,wEAAwE;AAExE,MAAM,YAAY,GAAG,MAAM,CAAA;AAE3B;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAsB;IACvD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,YAAY,CAAA;IAC7C,OAAO;QACL,GAAG,GAAG;QACN,oFAAoF;QACpF,sFAAsF;QACtF,aAAa,EAAE,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,IAAI,MAAM;QAClD,+EAA+E;QAC/E,mBAAmB,EAAE,GAAG,CAAC,mBAAmB,EAAE,IAAI,EAAE,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;QACvF,mFAAmF;QACnF,qFAAqF;QACrF,sFAAsF;QACtF,gFAAgF;QAChF,cAAc,EAAE,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAChF,gFAAgF;QAChF,+EAA+E;QAC/E,wCAAwC;QACxC,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,IAAI,+BAA+B,IAAI,EAAE;KAC5E,CAAA;AACH,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,eAAe,CAAC,GAAsB;IACpD,OAAO,cAAc,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAA;AAChD,CAAC"}

package/dist/container.d.ts

@@ -0,0 +1,4 @@
+import type { NodeContainerOptions } from '@cat-factory/node-server';
+import type { ServerContainer } from '@cat-factory/server';
+export declare function buildLocalContainer(options: NodeContainerOptions): ServerContainer;
+//# sourceMappingURL=container.d.ts.map

package/dist/container.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"container.d.ts","sourceRoot":"","sources":["../src/container.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AACpE,OAAO,KAAK,EAAqC,eAAe,EAAE,MAAM,qBAAqB,CAAA;AAwB7F,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,oBAAoB,GAAG,eAAe,CAuElF"}

package/dist/container.js

@@ -0,0 +1,84 @@
+import { DrizzleGitHubInstallationRepository, buildNodeContainer, loadNodeConfig, } from '@cat-factory/node-server';
+import { applyLocalDefaults } from './config.js';
+import { createLocalGitHubClient, fetchPatAccount, githubPatCreationUrl } from './github.js';
+import { AutoProvisioningInstallationRepository } from './installations.js';
+import { createLocalDockerTransportFromEnv, } from './LocalDockerRunnerTransport.js';
+// The local-mode composition root. It is intentionally thin: the ENTIRE Drizzle/
+// Postgres persistence, pg-boss durable execution, gateways and model provisioning
+// come from `buildNodeContainer` unchanged. Local mode only swaps the two
+// differentiators behind the seams `buildNodeContainer` exposes:
+//   - the runner backend → a per-job local Docker container (LocalDockerRunnerTransport)
+//     instead of a self-hosted runner pool;
+//   - the push/clone token → a static GitHub PAT (`GITHUB_PAT`) instead of a GitHub
+//     App installation token.
+// Repo resolution is unchanged: the executor still resolves a block's repo from the
+// `github_repos` / `github_installations` projection (seed those rows for a target
+// repo with the link helper). So a developer can run coder/mocker/playwright/
+// blueprints/ci-fixer/merger jobs entirely locally, pushing real branches and opening
+// real PRs on github.com via the PAT.
+export function buildLocalContainer(options) {
+    const env = applyLocalDefaults(options.env ?? process.env);
+    const pat = env.GITHUB_PAT?.trim();
+    const base = options.config ?? loadNodeConfig(env);
+    // Tag the config as local mode and, when no PAT is set, carry the (scopes-preselected)
+    // creation URL so the SPA can surface it as a dismissible banner — the server-side warn
+    // log alone is easy to miss in a dev terminal. With a PAT, force the GitHub integration
+    // ON: the Node loader only enables it for a configured GitHub App, but local mode reaches
+    // GitHub through the PAT-backed client, so the read/link endpoints (connection, available
+    // repos, "add from existing repo") should be served the same way.
+    const config = {
+        ...base,
+        ...(pat ? { github: { ...base.github, enabled: true } } : {}),
+        localMode: {
+            enabled: true,
+            ...(pat ? {} : { githubPatSetupUrl: githubPatCreationUrl() }),
+        },
+    };
+    // Local mode has no GitHub-App connect flow, so a workspace's installation is conjured
+    // from the PAT on first read (see AutoProvisioningInstallationRepository): the synthetic
+    // row makes `getConnection` report connected and gives the sync service an installation
+    // id to list/link repos under. The PAT account is fetched once and shared across
+    // workspaces (a single developer's token).
+    let accountPromise;
+    const resolveAccount = () => (accountPromise ??= fetchPatAccount(env));
+    const githubInstallationRepository = pat && options.db
+        ? new AutoProvisioningInstallationRepository(new DrizzleGitHubInstallationRepository(options.db), resolveAccount)
+        : undefined;
+    // The Docker transport is constructed LAZILY on first container-job dispatch, so the
+    // service still boots to serve the board (and inline kinds) when LOCAL_HARNESS_IMAGE
+    // is unset — only repo-operating kinds then fail, loudly and with a clear message,
+    // mirroring how the Node facade treats a missing runner backend.
+    let transport;
+    const resolveTransport = () => {
+        transport ??= createLocalDockerTransportFromEnv(env);
+        return Promise.resolve(transport);
+    };
+    return buildNodeContainer({
+        ...options,
+        env,
+        config,
+        // Always dispatch container jobs to the local Docker transport (a constant
+        // resolver, ignoring workspace — local mode has no per-workspace runner pools).
+        resolveTransport,
+        // Authenticate git with the developer's PAT when present. Absent → the executor
+        // falls back to the GitHub App path (and is null without it), so container kinds
+        // fail loudly rather than silently mis-running.
+        ...(pat ? { mintInstallationToken: async () => pat } : {}),
+        // The PAT-backed GitHub client wires the CI gate + merge / mergeability providers,
+        // so a local pipeline gates on real GitHub Actions CI and merges the PR for real, AND
+        // serves the read/link endpoints (it lists repos via /user/repos, the PAT analogue of
+        // the App-only /installation/repositories).
+        ...(pat ? { githubClient: createLocalGitHubClient(env) } : {}),
+        // Auto-provision the synthetic per-workspace installation so the integration reports
+        // connected with no manual connect step.
+        ...(githubInstallationRepository ? { githubInstallationRepository } : {}),
+        overrides: {
+            ...options.overrides,
+            // The local PAT carries `workflow` scope (the creation URL pre-selects it), so the
+            // connection isn't missing workflows: write — report it granted to suppress the
+            // advisory banner. (The App-permissions probe this normally uses needs an app JWT.)
+            ...(pat ? { workflowsGranted: async () => true } : {}),
+        },
+    });
+}
+//# sourceMappingURL=container.js.map