@cat-factory/node-server 0.6.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Igor Savin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/config.d.ts

@@ -0,0 +1,3 @@
+import type { AppConfig } from '@cat-factory/server';
+export declare function loadNodeConfig(env: NodeJS.ProcessEnv): AppConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,SAAS,EAAgC,MAAM,qBAAqB,CAAA;AA8FlF,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,CAAC,UAAU,GAAG,SAAS,CAqOhE"}

package/dist/config.js

@@ -0,0 +1,297 @@
+import { ALL_SUBSCRIPTION_VENDORS, effectiveCatalog, resolveModelRef, } from '@cat-factory/kernel';
+import { DEFAULT_SPEND_PRICING, modelCostResolver } from '@cat-factory/spend';
+// Translate the Node process environment into the shared AppConfig contract. This is
+// the Node analogue of the Worker's `loadConfig(env)`: same SHAPE, different source.
+// Integrations (GitHub/documents/tasks/environments/runners/fragment-library) default
+// to disabled in this MVP; the core (board/workspaces/pipelines/executions/spend +
+// auth) is fully configured from env.
+const MIN_SESSION_SECRET_LENGTH = 32;
+const PRODUCTION_ENVIRONMENTS = new Set(['production', 'prod', 'staging']);
+function num(value) {
+    if (value === undefined || value.trim() === '')
+        return undefined;
+    const n = Number(value);
+    return Number.isFinite(n) ? n : undefined;
+}
+function csv(value) {
+    return (value ?? '')
+        .split(',')
+        .map((s) => s.trim())
+        .filter(Boolean);
+}
+// The task sources the Node facade can serve, mirroring the Worker's `ALL_SOURCES`.
+// GitHub issues reuse the workspace's installed GitHub App (wired in the container
+// only when a GitHub client is available); Jira carries its own per-workspace creds.
+const NODE_TASK_SOURCES = ['jira', 'github'];
+const ALL_DOCUMENT_SOURCES = ['confluence', 'notion', 'github'];
+/** Parse the comma-separated `DOCUMENT_SOURCES` allow-list, defaulting to all. */
+function parseDocumentSources(raw) {
+    const requested = csv(raw).map((s) => s.toLowerCase());
+    if (requested.length === 0)
+        return [...ALL_DOCUMENT_SOURCES];
+    const selected = ALL_DOCUMENT_SOURCES.filter((s) => requested.includes(s));
+    return selected.length > 0 ? selected : [...ALL_DOCUMENT_SOURCES];
+}
+/**
+ * Document-source integration config, mirroring the Worker's `loadDocumentsConfig`:
+ * always on (tenants connect Notion/Confluence/GitHub-docs through the UI), with the
+ * shared ENCRYPTION_KEY backing per-workspace credential encryption at rest. The
+ * planner defaults to LLM mode; the container only wires a model provider when one is
+ * configured, so absent that the planner degrades to its deterministic heading parser.
+ */
+function loadDocumentsConfig(env) {
+    const encryptionKey = env.ENCRYPTION_KEY?.trim();
+    if (!encryptionKey) {
+        throw new Error('ENCRYPTION_KEY is required: the document-source integration (Notion, Confluence, …) ' +
+            'encrypts per-workspace source credentials at rest. Set it to a base64-encoded key of ' +
+            'at least 32 bytes.');
+    }
+    return {
+        enabled: true,
+        sources: parseDocumentSources(env.DOCUMENT_SOURCES),
+        planner: env.DOCUMENT_PLANNER?.trim() === 'headings' ? 'headings' : 'llm',
+        encryptionKey,
+    };
+}
+/**
+ * Task-source integration config, mirroring the Worker's `loadTasksConfig`: always on
+ * (tenants connect their own trackers through the UI, so there is no enable flag), with
+ * a mandatory encryption key so credentials are never stored in plaintext. The key is
+ * missing → fail loudly at config load rather than silently disabling the feature.
+ * `TASK_SOURCES` narrows the registered providers (defaults to all Node-supported ones).
+ */
+function loadTasksConfig(env) {
+    // The shared ENCRYPTION_KEY backs every integration (the cipher domain-separates per
+    // integration via its HKDF `info`, so one key safely backs them all).
+    const encryptionKey = env.ENCRYPTION_KEY?.trim();
+    if (!encryptionKey) {
+        throw new Error('ENCRYPTION_KEY is required: the task-source integration (Jira, …) encrypts ' +
+            'per-workspace source credentials at rest. Set it to a base64-encoded key of at ' +
+            'least 32 bytes.');
+    }
+    const requested = csv(env.TASK_SOURCES).map((s) => s.toLowerCase());
+    const sources = requested.length > 0
+        ? NODE_TASK_SOURCES.filter((s) => requested.includes(s))
+        : [...NODE_TASK_SOURCES];
+    return {
+        enabled: true,
+        sources: sources.length > 0 ? sources : [...NODE_TASK_SOURCES],
+        encryptionKey,
+    };
+}
+export function loadNodeConfig(env) {
+    // Deployment-level capabilities: direct keys are per-workspace (resolved at run time
+    // from the DB pool), so none are known here; Cloudflare Workers AI is opt-in over
+    // REST (account id + API token). The per-workspace `/models` endpoint recomputes
+    // selectability against each workspace's configured keys + subscriptions.
+    const caps = {
+        directProviders: new Set(),
+        subscriptionVendors: new Set(ALL_SUBSCRIPTION_VENDORS),
+        cloudflareEnabled: !!(env.CLOUDFLARE_ACCOUNT_ID && env.CLOUDFLARE_API_TOKEN),
+    };
+    // Default unpinned agents to Qwen (the Cloudflare flavour when enabled, upgraded to
+    // direct DashScope per-workspace by the executor when a Qwen key is configured); the
+    // agentic kinds default to GLM-5.2 — mirroring the Worker's routing.
+    const qwenDefault = resolveModelRef('qwen', caps);
+    const defaultConfig = {
+        ref: {
+            provider: env.AGENT_DEFAULT_PROVIDER ?? qwenDefault?.provider ?? 'workers-ai',
+            model: env.AGENT_DEFAULT_MODEL ?? qwenDefault?.model ?? '@cf/qwen/qwen3-30b-a3b-fp8',
+        },
+        temperature: num(env.AGENT_DEFAULT_TEMPERATURE) ?? 0.4,
+        maxOutputTokens: num(env.AGENT_MAX_OUTPUT_TOKENS) ?? 5000,
+    };
+    const agenticDefault = {
+        ref: { provider: 'workers-ai', model: '@cf/zai-org/glm-5.2' },
+        temperature: num(env.AGENT_DEFAULT_TEMPERATURE) ?? 0.3,
+        maxOutputTokens: num(env.AGENT_MAX_OUTPUT_TOKENS) ?? 5000,
+    };
+    // Companions (reviewer / spec-companion / architect-companion) return their whole
+    // verdict — rating + summary + per-item comments — as ONE inline JSON reply. On a
+    // reasoning model the <think> tokens share the output budget, so the 5000 cap can
+    // truncate the JSON mid-comment, leaving it unparseable. Give companions a larger
+    // budget so the verdict fits (mirrors the Worker's routing).
+    const companionDefault = {
+        ref: { provider: 'workers-ai', model: '@cf/zai-org/glm-5.2' },
+        temperature: num(env.AGENT_DEFAULT_TEMPERATURE) ?? 0.3,
+        maxOutputTokens: num(env.AGENT_MAX_OUTPUT_TOKENS) ?? 12000,
+    };
+    const sessionSecret = env.AUTH_SESSION_SECRET?.trim() ?? '';
+    // The GitHub App (private key + app id) backs container-agent runs: it mints the
+    // short-lived push token the harness clones/pushes with. Enable the integration
+    // only when both are present (the container executor also requires it — see
+    // container.ts), so a partial config doesn't half-enable repo-operating steps.
+    const githubAppId = env.GITHUB_APP_ID?.trim() ?? '';
+    const githubAppConfigured = githubAppId !== '' && (env.GITHUB_APP_PRIVATE_KEY?.trim() ?? '') !== '';
+    // Self-hosted runner pools encrypt their scheduler credentials at rest; opt-in via
+    // the enable flag, sealed with the shared ENCRYPTION_KEY (mirroring the Worker).
+    const runnersEncryptionKey = env.ENCRYPTION_KEY?.trim() ?? '';
+    // Slack notification transport: opt-in (SLACK_ENABLED), the per-account bot token
+    // sealed with the shared ENCRYPTION_KEY. OAuth credentials are optional (manual
+    // bot-token onboarding works without them); when set they enable "Add to Slack".
+    const slackEnabled = env.SLACK_ENABLED?.trim() === 'true';
+    const slackEncryptionKey = env.ENCRYPTION_KEY?.trim() ?? '';
+    const slackClientId = env.SLACK_CLIENT_ID?.trim() ?? '';
+    const slackClientSecret = env.SLACK_CLIENT_SECRET?.trim() ?? '';
+    const slackRedirectUrl = env.SLACK_REDIRECT_URL?.trim() ?? '';
+    const slackOAuth = slackClientId && slackClientSecret && slackRedirectUrl
+        ? { clientId: slackClientId, clientSecret: slackClientSecret, redirectUrl: slackRedirectUrl }
+        : undefined;
+    const clientId = env.GITHUB_OAUTH_CLIENT_ID?.trim() ?? '';
+    const clientSecret = env.GITHUB_OAUTH_CLIENT_SECRET?.trim() ?? '';
+    const googleClientId = env.GOOGLE_OAUTH_CLIENT_ID?.trim() ?? '';
+    const googleClientSecret = env.GOOGLE_OAUTH_CLIENT_SECRET?.trim() ?? '';
+    const environment = env.ENVIRONMENT?.trim().toLowerCase() ?? '';
+    const ttlHours = num(env.AUTH_SESSION_TTL_HOURS);
+    const strongSecret = sessionSecret.length >= MIN_SESSION_SECRET_LENGTH;
+    const githubEnabled = clientId !== '' && clientSecret !== '' && strongSecret;
+    const googleEnabled = googleClientId !== '' && googleClientSecret !== '' && strongSecret;
+    const passwordEnabled = env.AUTH_PASSWORD_ENABLED?.trim() === 'true' && strongSecret;
+    const devOpen = env.AUTH_DEV_OPEN?.trim() === 'true' && !PRODUCTION_ENVIRONMENTS.has(environment);
+    // Fail fast on the silent-brick footgun: OAuth credentials are set (so real auth is
+    // intended) but the session secret is missing/too short, which would disable the auth
+    // gate and — with no dev-open fallback — make it fail closed, 503-ing every protected
+    // route with no hint why. Refuse to boot with a clear message instead.
+    if (clientId !== '' &&
+        clientSecret !== '' &&
+        sessionSecret.length < MIN_SESSION_SECRET_LENGTH &&
+        !devOpen) {
+        throw new Error(`AUTH_SESSION_SECRET must be at least ${MIN_SESSION_SECRET_LENGTH} characters when GitHub OAuth is configured ` +
+            `(got ${sessionSecret.length}). Set a longer secret or enable AUTH_DEV_OPEN in a non-production environment.`);
+    }
+    const spend = {
+        ...DEFAULT_SPEND_PRICING,
+        currency: env.SPEND_CURRENCY?.trim() || DEFAULT_SPEND_PRICING.currency,
+        monthlyLimit: num(env.SPEND_MONTHLY_LIMIT) ?? DEFAULT_SPEND_PRICING.monthlyLimit,
+    };
+    return {
+        agents: {
+            routing: {
+                default: defaultConfig,
+                byKind: {
+                    architect: agenticDefault,
+                    coder: agenticDefault,
+                    reviewer: companionDefault,
+                    'spec-companion': companionDefault,
+                    'architect-companion': companionDefault,
+                },
+            },
+            resolveBlockModel: (modelId) => resolveModelRef(modelId, caps),
+        },
+        // Surface each model's informational list cost in the picker (from spend pricing).
+        models: effectiveCatalog(caps, modelCostResolver(spend)),
+        execution: {
+            decisionTimeout: env.DECISION_TIMEOUT?.trim() || '24 hours',
+            jobPollInterval: env.JOB_POLL_INTERVAL?.trim() || '15 seconds',
+            jobMaxPolls: num(env.JOB_MAX_POLLS) ?? 280,
+            jobPollFailureTolerance: num(env.JOB_POLL_FAILURE_TOLERANCE) ?? 6,
+            ciPollInterval: env.CI_POLL_INTERVAL?.trim() || '30 seconds',
+            ciMaxPolls: num(env.CI_MAX_POLLS) ?? 120,
+            containerMaxAgeMs: Math.max(75, num(env.CONTAINER_MAX_AGE_MINUTES) ?? 90) * 60_000,
+        },
+        spend,
+        github: {
+            enabled: githubAppConfigured,
+            appId: env.GITHUB_APP_ID?.trim() ?? '',
+            appSlug: env.GITHUB_APP_SLUG?.trim() ?? '',
+            apiBase: env.GITHUB_API_BASE?.trim() || 'https://api.github.com',
+            setupRedirectUrl: env.GITHUB_SETUP_REDIRECT_URL?.trim() || '/',
+            webhookSecret: env.GITHUB_WEBHOOK_SECRET ?? '',
+        },
+        auth: {
+            enabled: githubEnabled || googleEnabled || passwordEnabled,
+            devOpen,
+            githubEnabled,
+            clientId,
+            clientSecret,
+            sessionSecret,
+            apiBase: env.GITHUB_API_BASE?.trim() || 'https://api.github.com',
+            oauthBase: env.GITHUB_OAUTH_BASE?.trim() || 'https://github.com',
+            sessionTtlMs: (ttlHours !== undefined && ttlHours > 0 ? ttlHours : 168) * 60 * 60 * 1000,
+            successRedirectUrl: env.AUTH_SUCCESS_REDIRECT_URL?.trim() || '',
+            callbackUrl: env.AUTH_CALLBACK_URL?.trim() || '',
+            passwordEnabled,
+            ...(googleEnabled
+                ? {
+                    google: {
+                        clientId: googleClientId,
+                        clientSecret: googleClientSecret,
+                        redirectUrl: env.GOOGLE_OAUTH_REDIRECT_URL?.trim() || '',
+                    },
+                }
+                : {}),
+            allowedEmailDomains: csv(env.AUTH_ALLOWED_EMAIL_DOMAINS).map((d) => d.toLowerCase()),
+            allowedLogins: csv(env.AUTH_ALLOWED_LOGINS).map((l) => l.toLowerCase()),
+            allowedOrgs: csv(env.AUTH_ALLOWED_ORGS).map((o) => o.toLowerCase()),
+            allowedRedirectOrigins: csv(env.AUTH_ALLOWED_REDIRECT_ORIGINS).map((o) => {
+                try {
+                    return new URL(o).origin;
+                }
+                catch {
+                    return o;
+                }
+            }),
+        },
+        email: env.EMAIL_ENABLED?.trim() === 'true' && env.ENCRYPTION_KEY?.trim()
+            ? {
+                enabled: true,
+                encryptionKey: env.ENCRYPTION_KEY.trim(),
+                appBaseUrl: env.APP_BASE_URL?.trim() || env.AUTH_SUCCESS_REDIRECT_URL?.trim() || '',
+            }
+            : {
+                enabled: false,
+                appBaseUrl: env.APP_BASE_URL?.trim() || env.AUTH_SUCCESS_REDIRECT_URL?.trim() || '',
+            },
+        // Document-source integration: the providers (Confluence/Notion/GitHub-docs) are
+        // the shared `@cat-factory/integrations` fetch shells, wired in the container
+        // exactly like the Worker's `selectDocumentsDeps`. Always on (the shared
+        // ENCRYPTION_KEY backs credential encryption at rest).
+        documents: loadDocumentsConfig(env),
+        tasks: loadTasksConfig(env),
+        // Ephemeral-environment provider integration: opt-in (a tenant rolls its own
+        // environment-management API), gated on ENVIRONMENTS_ENABLED + the shared
+        // ENCRYPTION_KEY (credentials are encrypted at rest), mirroring the Worker.
+        environments: env.ENVIRONMENTS_ENABLED === 'true' && env.ENCRYPTION_KEY?.trim()
+            ? { enabled: true, encryptionKey: env.ENCRYPTION_KEY.trim() }
+            : { enabled: false },
+        runners: runnersEncryptionKey
+            ? { enabled: true, encryptionKey: runnersEncryptionKey }
+            : { enabled: false },
+        slack: slackEnabled && slackEncryptionKey
+            ? {
+                enabled: true,
+                encryptionKey: slackEncryptionKey,
+                ...(slackOAuth ? { oauth: slackOAuth } : {}),
+            }
+            : { enabled: false },
+        retention: {
+            tokenUsageMs: (num(env.TOKEN_USAGE_RETENTION_DAYS) ?? 395) * 24 * 60 * 60 * 1000,
+            rateLimitMs: (num(env.GITHUB_RATE_LIMIT_RETENTION_DAYS) ?? 7) * 24 * 60 * 60 * 1000,
+            commitMs: (num(env.GITHUB_COMMIT_RETENTION_DAYS) ?? 90) * 24 * 60 * 60 * 1000,
+            // Heavy full per-call prompt/response; pruned aggressively (default 3 days).
+            llmCallMetricsMs: (num(env.LLM_CALL_METRICS_RETENTION_DAYS) ?? 3) * 24 * 60 * 60 * 1000,
+        },
+        // Prompt-fragment library (ADR 0006): opt-in (`PROMPT_LIBRARY_ENABLED=true`),
+        // needs no encryption key (fragments are not secrets). Mirrors the Worker's
+        // mapping; `PROMPT_LIBRARY_SELECTOR=llm` ranks per run, else the deterministic
+        // tag matcher (which also backs the `llm` selector's graceful fallback).
+        fragmentLibrary: {
+            enabled: env.PROMPT_LIBRARY_ENABLED?.trim() === 'true',
+            selector: env.PROMPT_LIBRARY_SELECTOR?.trim() === 'llm' ? 'llm' : 'deterministic',
+        },
+        // Recording the complete prompts is on by default; opt out with
+        // `LLM_RECORD_PROMPTS=false` to keep the numeric telemetry but drop the prompt body.
+        observability: { recordPrompts: env.LLM_RECORD_PROMPTS?.trim() !== 'false' },
+        // Optional Langfuse trace sink: off unless `LANGFUSE_ENABLED=true` AND both keys are
+        // present (a half-configured sink silently does nothing). Mirrors the Worker mapping.
+        langfuse: {
+            enabled: env.LANGFUSE_ENABLED?.trim() === 'true' &&
+                !!env.LANGFUSE_PUBLIC_KEY?.trim() &&
+                !!env.LANGFUSE_SECRET_KEY?.trim(),
+            publicKey: env.LANGFUSE_PUBLIC_KEY?.trim(),
+            secretKey: env.LANGFUSE_SECRET_KEY?.trim(),
+            baseUrl: env.LANGFUSE_BASE_URL?.trim() || undefined,
+        },
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AACA,OAAO,EACL,wBAAwB,EAExB,gBAAgB,EAChB,eAAe,GAChB,MAAM,qBAAqB,CAAA;AAG5B,OAAO,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AAE7E,qFAAqF;AACrF,qFAAqF;AACrF,sFAAsF;AACtF,mFAAmF;AACnF,sCAAsC;AAEtC,MAAM,yBAAyB,GAAG,EAAE,CAAA;AACpC,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAA;AAE1E,SAAS,GAAG,CAAC,KAAyB;IACpC,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE;QAAE,OAAO,SAAS,CAAA;IAChE,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAA;IACvB,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;AAC3C,CAAC;AAED,SAAS,GAAG,CAAC,KAAyB;IACpC,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;SACjB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,OAAO,CAAC,CAAA;AACpB,CAAC;AAED,oFAAoF;AACpF,mFAAmF;AACnF,qFAAqF;AACrF,MAAM,iBAAiB,GAA8B,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;AAEvE,MAAM,oBAAoB,GAAkC,CAAC,YAAY,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAA;AAE9F,kFAAkF;AAClF,SAAS,oBAAoB,CAAC,GAAuB;IACnD,MAAM,SAAS,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;IACtD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,GAAG,oBAAoB,CAAC,CAAA;IAC5D,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;IAC1E,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,oBAAoB,CAAC,CAAA;AACnE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,GAAsB;IACjD,MAAM,aAAa,GAAG,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,CAAA;IAChD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,sFAAsF;YACpF,uFAAuF;YACvF,oBAAoB,CACvB,CAAA;IACH,CAAC;IACD,OAAO;QACL,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,oBAAoB,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACnD,OAAO,EAAE,GAAG,CAAC,gBAAgB,EAAE,IAAI,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK;QACzE,aAAa;KACd,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,eAAe,CAAC,GAAsB;IAC7C,qFAAqF;IACrF,sEAAsE;IACtE,MAAM,aAAa,GAAG,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,CAAA;IAChD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,6EAA6E;YAC3E,iFAAiF;YACjF,iBAAiB,CACpB,CAAA;IACH,CAAC;IACD,MAAM,SAAS,GAAG,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;IACnE,MAAM,OAAO,GACX,SAAS,CAAC,MAAM,GAAG,CAAC;QAClB,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC,GAAG,iBAAiB,CAAC,CAAA;IAC5B,OAAO;QACL,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,iBAAiB,CAAC;QAC9D,aAAa;KACd,CAAA;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAsB;IACnD,qFAAqF;IACrF,kFAAkF;IAClF,iFAAiF;IACjF,0EAA0E;IAC1E,MAAM,IAAI,GAAyB;QACjC,eAAe,EAAE,IAAI,GAAG,EAAE;QAC1B,mBAAmB,EAAE,IAAI,GAAG,CAAC,wBAAwB,CAAC;QACtD,iBAAiB,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,qBAAqB,IAAI,GAAG,CAAC,oBAAoB,CAAC;KAC7E,CAAA;IAED,oFAAoF;IACpF,qFAAqF;IACrF,qEAAqE;IACrE,MAAM,WAAW,GAAG,eAAe,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;IACjD,MAAM,aAAa,GAAqB;QACtC,GAAG,EAAE;YACH,QAAQ,EAAE,GAAG,CAAC,sBAAsB,IAAI,WAAW,EAAE,QAAQ,IAAI,YAAY;YAC7E,KAAK,EAAE,GAAG,CAAC,mBAAmB,IAAI,WAAW,EAAE,KAAK,IAAI,4BAA4B;SACrF;QACD,WAAW,EAAE,GAAG,CAAC,GAAG,CAAC,yBAAyB,CAAC,IAAI,GAAG;QACtD,eAAe,EAAE,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,IAAI;KAC1D,CAAA;IACD,MAAM,cAAc,GAAqB;QACvC,GAAG,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,qBAAqB,EAAE;QAC7D,WAAW,EAAE,GAAG,CAAC,GAAG,CAAC,yBAAyB,CAAC,IAAI,GAAG;QACtD,eAAe,EAAE,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,IAAI;KAC1D,CAAA;IACD,kFAAkF;IAClF,kFAAkF;IAClF,kFAAkF;IAClF,kFAAkF;IAClF,6DAA6D;IAC7D,MAAM,gBAAgB,GAAqB;QACzC,GAAG,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,qBAAqB,EAAE;QAC7D,WAAW,EAAE,GAAG,CAAC,GAAG,CAAC,yBAAyB,CAAC,IAAI,GAAG;QACtD,eAAe,EAAE,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,KAAK;KAC3D,CAAA;IAED,MAAM,aAAa,GAAG,GAAG,CAAC,mBAAmB,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IAC3D,iFAAiF;IACjF,gFAAgF;IAChF,4EAA4E;IAC5E,+EAA+E;IAC/E,MAAM,WAAW,GAAG,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IACnD,MAAM,mBAAmB,GACvB,WAAW,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,CAAA;IACzE,mFAAmF;IACnF,iFAAiF;IACjF,MAAM,oBAAoB,GAAG,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IAC7D,kFAAkF;IAClF,gFAAgF;IAChF,iFAAiF;IACjF,MAAM,YAAY,GAAG,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,KAAK,MAAM,CAAA;IACzD,MAAM,kBAAkB,GAAG,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IAC3D,MAAM,aAAa,GAAG,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IACvD,MAAM,iBAAiB,GAAG,GAAG,CAAC,mBAAmB,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IAC/D,MAAM,gBAAgB,GAAG,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IAC7D,MAAM,UAAU,GACd,aAAa,IAAI,iBAAiB,IAAI,gBAAgB;QACpD,CAAC,CAAC,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,iBAAiB,EAAE,WAAW,EAAE,gBAAgB,EAAE;QAC7F,CAAC,CAAC,SAAS,CAAA;IACf,MAAM,QAAQ,GAAG,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IACzD,MAAM,YAAY,GAAG,GAAG,CAAC,0BAA0B,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IACjE,MAAM,cAAc,GAAG,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IAC/D,MAAM,kBAAkB,GAAG,GAAG,CAAC,0BAA0B,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IACvE,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,IAAI,EAAE,CAAA;IAC/D,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAA;IAChD,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,IAAI,yBAAyB,CAAA;IACtE,MAAM,aAAa,GAAG,QAAQ,KAAK,EAAE,IAAI,YAAY,KAAK,EAAE,IAAI,YAAY,CAAA;IAC5E,MAAM,aAAa,GAAG,cAAc,KAAK,EAAE,IAAI,kBAAkB,KAAK,EAAE,IAAI,YAAY,CAAA;IACxF,MAAM,eAAe,GAAG,GAAG,CAAC,qBAAqB,EAAE,IAAI,EAAE,KAAK,MAAM,IAAI,YAAY,CAAA;IAEpF,MAAM,OAAO,GAAG,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,KAAK,MAAM,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IAEjG,oFAAoF;IACpF,sFAAsF;IACtF,sFAAsF;IACtF,uEAAuE;IACvE,IACE,QAAQ,KAAK,EAAE;QACf,YAAY,KAAK,EAAE;QACnB,aAAa,CAAC,MAAM,GAAG,yBAAyB;QAChD,CAAC,OAAO,EACR,CAAC;QACD,MAAM,IAAI,KAAK,CACb,wCAAwC,yBAAyB,8CAA8C;YAC7G,QAAQ,aAAa,CAAC,MAAM,iFAAiF,CAChH,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG;QACZ,GAAG,qBAAqB;QACxB,QAAQ,EAAE,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,IAAI,qBAAqB,CAAC,QAAQ;QACtE,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,qBAAqB,CAAC,YAAY;KACjF,CAAA;IAED,OAAO;QACL,MAAM,EAAE;YACN,OAAO,EAAE;gBACP,OAAO,EAAE,aAAa;gBACtB,MAAM,EAAE;oBACN,SAAS,EAAE,cAAc;oBACzB,KAAK,EAAE,cAAc;oBACrB,QAAQ,EAAE,gBAAgB;oBAC1B,gBAAgB,EAAE,gBAAgB;oBAClC,qBAAqB,EAAE,gBAAgB;iBACxC;aACF;YACD,iBAAiB,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC;SAC/D;QACD,mFAAmF;QACnF,MAAM,EAAE,gBAAgB,CAAC,IAAI,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACxD,SAAS,EAAE;YACT,eAAe,EAAE,GAAG,CAAC,gBAAgB,EAAE,IAAI,EAAE,IAAI,UAAU;YAC3D,eAAe,EAAE,GAAG,CAAC,iBAAiB,EAAE,IAAI,EAAE,IAAI,YAAY;YAC9D,WAAW,EAAE,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,GAAG;YAC1C,uBAAuB,EAAE,GAAG,CAAC,GAAG,CAAC,0BAA0B,CAAC,IAAI,CAAC;YACjE,cAAc,EAAE,GAAG,CAAC,gBAAgB,EAAE,IAAI,EAAE,IAAI,YAAY;YAC5D,UAAU,EAAE,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,GAAG;YACxC,iBAAiB,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,GAAG,CAAC,yBAAyB,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM;SACnF;QACD,KAAK;QACL,MAAM,EAAE;YACN,OAAO,EAAE,mBAAmB;YAC5B,KAAK,EAAE,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE;YACtC,OAAO,EAAE,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,EAAE;YAC1C,OAAO,EAAE,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,wBAAwB;YAChE,gBAAgB,EAAE,GAAG,CAAC,yBAAyB,EAAE,IAAI,EAAE,IAAI,GAAG;YAC9D,aAAa,EAAE,GAAG,CAAC,qBAAqB,IAAI,EAAE;SAC/C;QACD,IAAI,EAAE;YACJ,OAAO,EAAE,aAAa,IAAI,aAAa,IAAI,eAAe;YAC1D,OAAO;YACP,aAAa;YACb,QAAQ;YACR,YAAY;YACZ,aAAa;YACb,OAAO,EAAE,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,wBAAwB;YAChE,SAAS,EAAE,GAAG,CAAC,iBAAiB,EAAE,IAAI,EAAE,IAAI,oBAAoB;YAChE,YAAY,EAAE,CAAC,QAAQ,KAAK,SAAS,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;YACxF,kBAAkB,EAAE,GAAG,CAAC,yBAAyB,EAAE,IAAI,EAAE,IAAI,EAAE;YAC/D,WAAW,EAAE,GAAG,CAAC,iBAAiB,EAAE,IAAI,EAAE,IAAI,EAAE;YAChD,eAAe;YACf,GAAG,CAAC,aAAa;gBACf,CAAC,CAAC;oBACE,MAAM,EAAE;wBACN,QAAQ,EAAE,cAAc;wBACxB,YAAY,EAAE,kBAAkB;wBAChC,WAAW,EAAE,GAAG,CAAC,yBAAyB,EAAE,IAAI,EAAE,IAAI,EAAE;qBACzD;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;YACP,mBAAmB,EAAE,GAAG,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YACpF,aAAa,EAAE,GAAG,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YACvE,WAAW,EAAE,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YACnE,sBAAsB,EAAE,GAAG,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;gBACvE,IAAI,CAAC;oBACH,OAAO,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAA;gBAC1B,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,CAAC,CAAA;gBACV,CAAC;YACH,CAAC,CAAC;SACH;QACD,KAAK,EACH,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,KAAK,MAAM,IAAI,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE;YAChE,CAAC,CAAC;gBACE,OAAO,EAAE,IAAI;gBACb,aAAa,EAAE,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE;gBACxC,UAAU,EAAE,GAAG,CAAC,YAAY,EAAE,IAAI,EAAE,IAAI,GAAG,CAAC,yBAAyB,EAAE,IAAI,EAAE,IAAI,EAAE;aACpF;YACH,CAAC,CAAC;gBACE,OAAO,EAAE,KAAK;gBACd,UAAU,EAAE,GAAG,CAAC,YAAY,EAAE,IAAI,EAAE,IAAI,GAAG,CAAC,yBAAyB,EAAE,IAAI,EAAE,IAAI,EAAE;aACpF;QACP,iFAAiF;QACjF,8EAA8E;QAC9E,yEAAyE;QACzE,uDAAuD;QACvD,SAAS,EAAE,mBAAmB,CAAC,GAAG,CAAC;QACnC,KAAK,EAAE,eAAe,CAAC,GAAG,CAAC;QAC3B,6EAA6E;QAC7E,0EAA0E;QAC1E,4EAA4E;QAC5E,YAAY,EACV,GAAG,CAAC,oBAAoB,KAAK,MAAM,IAAI,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE;YAC/D,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,EAAE;YAC7D,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE;QACxB,OAAO,EAAE,oBAAoB;YAC3B,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,oBAAoB,EAAE;YACxD,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE;QACtB,KAAK,EACH,YAAY,IAAI,kBAAkB;YAChC,CAAC,CAAC;gBACE,OAAO,EAAE,IAAI;gBACb,aAAa,EAAE,kBAAkB;gBACjC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC7C;YACH,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE;QACxB,SAAS,EAAE;YACT,YAAY,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,0BAA0B,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;YAChF,WAAW,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,gCAAgC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;YACnF,QAAQ,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,4BAA4B,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;YAC7E,6EAA6E;YAC7E,gBAAgB,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,+BAA+B,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;SACxF;QACD,8EAA8E;QAC9E,4EAA4E;QAC5E,+EAA+E;QAC/E,yEAAyE;QACzE,eAAe,EAAE;YACf,OAAO,EAAE,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,KAAK,MAAM;YACtD,QAAQ,EAAE,GAAG,CAAC,uBAAuB,EAAE,IAAI,EAAE,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,eAAe;SAClF;QACD,gEAAgE;QAChE,qFAAqF;QACrF,aAAa,EAAE,EAAE,aAAa,EAAE,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,KAAK,OAAO,EAAE;QAC5E,qFAAqF;QACrF,sFAAsF;QACtF,QAAQ,EAAE;YACR,OAAO,EACL,GAAG,CAAC,gBAAgB,EAAE,IAAI,EAAE,KAAK,MAAM;gBACvC,CAAC,CAAC,GAAG,CAAC,mBAAmB,EAAE,IAAI,EAAE;gBACjC,CAAC,CAAC,GAAG,CAAC,mBAAmB,EAAE,IAAI,EAAE;YACnC,SAAS,EAAE,GAAG,CAAC,mBAAmB,EAAE,IAAI,EAAE;YAC1C,SAAS,EAAE,GAAG,CAAC,mBAAmB,EAAE,IAAI,EAAE;YAC1C,OAAO,EAAE,GAAG,CAAC,iBAAiB,EAAE,IAAI,EAAE,IAAI,SAAS;SACpD;KACF,CAAA;AACH,CAAC"}

package/dist/container.d.ts

@@ -0,0 +1,88 @@
+import { type GitHubClient, type GitHubInstallationRepository } from '@cat-factory/kernel';
+import { type CoreDependencies } from '@cat-factory/orchestration';
+import { type AppConfig, type ResolveRunnerTransport, type ServerContainer } from '@cat-factory/server';
+import type { PgBoss } from 'pg-boss';
+import type { DrizzleDb } from './db/client.js';
+import { type NodeRealtimeHub } from './realtime.js';
+import { createDrizzleRepositories } from './repositories/drizzle.js';
+export interface NodeContainerOptions {
+    /** The Drizzle/Postgres client (the single persistence layer). */
+    db: DrizzleDb;
+    /**
+     * Pre-built repositories; defaults to building them from {@link db}. Lets the caller
+     * (e.g. {@link start}) share one set with the retention sweeper rather than rebuild.
+     */
+    repos?: ReturnType<typeof createDrizzleRepositories>;
+    /**
+     * Started pg-boss instance for durable execution. When present the container wires
+     * a {@link PgBossWorkRunner}; otherwise runs fall back to the engine's NoopWorkRunner
+     * (the caller drives runs itself — e.g. tests).
+     */
+    boss?: PgBoss;
+    /** Pre-resolved config; defaults to `loadNodeConfig(env)`. */
+    config?: AppConfig;
+    /** Environment source; defaults to `process.env`. */
+    env?: NodeJS.ProcessEnv;
+    /** Override core dependencies — used by tests (e.g. a fake agent executor). */
+    overrides?: Partial<CoreDependencies>;
+    /**
+     * Override the runner backend the container-agent steps dispatch to. When provided
+     * (even as `null`) it REPLACES the default self-hosted-pool resolution, so a sibling
+     * facade can supply its own transport (e.g. the local-mode Docker transport) without
+     * registering a runner pool. Undefined → the default Node behaviour (resolve a
+     * workspace's self-hosted pool when runner pools are enabled).
+     */
+    resolveTransport?: ResolveRunnerTransport | null;
+    /**
+     * Override how the container executor mints the push/clone token. When provided it
+     * REPLACES the GitHub-App token mint, so a sibling facade can authenticate with a
+     * static credential instead of an App installation (e.g. a PAT in local mode). The
+     * `installationId` argument is then ignored. Undefined → mint via the GitHub App
+     * (requires `GITHUB_APP_PRIVATE_KEY`).
+     */
+    mintInstallationToken?: (installationId: number) => Promise<string>;
+    /**
+     * A GitHub client used to wire the CI gate + the merge / mergeability providers
+     * (so a run gates on real CI and merges for real). When provided, the
+     * `ciStatusProvider`, `mergeabilityProvider` and `pullRequestMerger` are wired from
+     * it + the resolved repo target. Undefined → those gates pass through (the existing
+     * Node behaviour). The local facade passes a PAT-backed client.
+     */
+    githubClient?: GitHubClient;
+    /**
+     * Override the GitHub installation repository. When provided it REPLACES the default
+     * Drizzle one, so a sibling facade can wrap it — e.g. local mode decorates it to
+     * auto-provision a synthetic per-workspace installation for its PAT, since there is no
+     * GitHub-App connect flow. Undefined → the default Drizzle repository over {@link db}.
+     */
+    githubInstallationRepository?: GitHubInstallationRepository;
+    /**
+     * Force the Cloudflare-AI opt-in flag (the cross-runtime conformance suite forces it
+     * off for parity). Undefined → derived from the REST credentials being present.
+     */
+    cloudflareModelsEnabled?: boolean;
+    /**
+     * The real-time subscriber registry. When provided, the container wires a
+     * {@link NodeEventPublisher} (so the engine pushes execution/board/notification events
+     * to subscribed browsers) and composes an in-app notification channel. `start()`
+     * creates the hub and attaches it to the HTTP server via {@link attachRealtime};
+     * `createServer`/tests leave it unset and the engine falls back to the no-op publisher
+     * (no live push), exactly as before.
+     */
+    realtimeHub?: NodeRealtimeHub;
+}
+/**
+ * The Node composition root: assemble the framework-agnostic domain `Core` with
+ * Drizzle/Postgres repositories + Node implementations of the runtime ports, then
+ * attach the shared-controller extras (`config`, the kind-spanning agent-run repo,
+ * the runtime gateways). The same persistence is used in dev, test and prod — tests
+ * run against a real Postgres, exactly as the Worker runs against a real D1.
+ *
+ * Repo-operating agent steps (coder, blueprints, merger, …) run in a container
+ * dispatched to a workspace's self-hosted runner pool — the shared
+ * `ContainerAgentExecutor`, exactly as on the Worker. When the prerequisites (GitHub
+ * App, `PUBLIC_URL`, `AUTH_SESSION_SECRET`, `ENCRYPTION_KEY`) are absent the
+ * composite still serves inline kinds but fails container kinds loudly.
+ */
+export declare function buildNodeContainer(options: NodeContainerOptions): ServerContainer;
+//# sourceMappingURL=container.d.ts.map

package/dist/container.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"container.d.ts","sourceRoot":"","sources":["../src/container.ts"],"names":[],"mappings":"AA0BA,OAAO,EAKL,KAAK,YAAY,EACjB,KAAK,4BAA4B,EAQlC,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,KAAK,gBAAgB,EAAc,MAAM,4BAA4B,CAAA;AAE9E,OAAO,EACL,KAAK,SAAS,EAEd,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EAsBrB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAErC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAA;AAO/C,OAAO,EAAsB,KAAK,eAAe,EAAE,MAAM,eAAe,CAAA;AAqBxE,OAAO,EAAE,yBAAyB,EAAE,MAAM,2BAA2B,CAAA;AAkMrE,MAAM,WAAW,oBAAoB;IACnC,kEAAkE;IAClE,EAAE,EAAE,SAAS,CAAA;IACb;;;OAGG;IACH,KAAK,CAAC,EAAE,UAAU,CAAC,OAAO,yBAAyB,CAAC,CAAA;IACpD;;;;OAIG;IACH,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,8DAA8D;IAC9D,MAAM,CAAC,EAAE,SAAS,CAAA;IAClB,qDAAqD;IACrD,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAA;IACvB,+EAA+E;IAC/E,SAAS,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAA;IACrC;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,sBAAsB,GAAG,IAAI,CAAA;IAChD;;;;;;OAMG;IACH,qBAAqB,CAAC,EAAE,CAAC,cAAc,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;IACnE;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B;;;;;OAKG;IACH,4BAA4B,CAAC,EAAE,4BAA4B,CAAA;IAC3D;;;OAGG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAA;IACjC;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE,eAAe,CAAA;CAC9B;AA6UD;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,oBAAoB,GAAG,eAAe,CAkcjF"}