@cat-factory/server 0.6.0

package/dist/modules/providers/PersonalSubscriptionController.js

@@ -0,0 +1,48 @@
+import { storePersonalSubscriptionSchema, subscriptionVendorSchema } from '@cat-factory/contracts';
+import * as v from 'valibot';
+import { Hono } from 'hono';
+import { param } from '../../http/params.js';
+import { jsonBody } from '../../http/validation.js';
+// Per-USER individual-usage subscription endpoints (Claude). Unlike the workspace
+// vendor-credential pool, these are scoped to the signed-in user: a personal
+// subscription is licensed for that individual only, stored DOUBLE-encrypted (a
+// personal-password layer inside the system layer), and never shared. Mounted at the
+// root (not under a workspace) and require a signed-in user — with auth disabled there
+// is no individual to own a personal credential.
+const signInRequired = (c) => c.json({ error: { code: 'unauthorized', message: 'Sign in to manage personal subscriptions' } }, 401);
+const unavailable = (c) => c.json({ error: { code: 'unavailable', message: 'Personal subscription storage is not configured' } }, 503);
+export function personalSubscriptionController() {
+    const app = new Hono();
+    app.get('/personal-subscriptions', async (c) => {
+        const personal = c.get('container').personalSubscriptions;
+        if (!personal)
+            return unavailable(c);
+        const user = c.get('user');
+        if (!user)
+            return signInRequired(c);
+        return c.json({ subscriptions: await personal.list(user.id) });
+    });
+    app.post('/personal-subscriptions', jsonBody(storePersonalSubscriptionSchema), async (c) => {
+        const personal = c.get('container').personalSubscriptions;
+        if (!personal)
+            return unavailable(c);
+        const user = c.get('user');
+        if (!user)
+            return signInRequired(c);
+        const status = await personal.store(user.id, c.req.valid('json'));
+        return c.json(status, 201);
+    });
+    app.delete('/personal-subscriptions/:vendor', async (c) => {
+        const personal = c.get('container').personalSubscriptions;
+        if (!personal)
+            return unavailable(c);
+        const user = c.get('user');
+        if (!user)
+            return signInRequired(c);
+        const vendor = v.parse(subscriptionVendorSchema, param(c, 'vendor'));
+        await personal.remove(user.id, vendor);
+        return c.body(null, 204);
+    });
+    return app;
+}
+//# sourceMappingURL=PersonalSubscriptionController.js.map

package/dist/modules/providers/PersonalSubscriptionController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"PersonalSubscriptionController.js","sourceRoot":"","sources":["../../../src/modules/providers/PersonalSubscriptionController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,+BAA+B,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAA;AAClG,OAAO,KAAK,CAAC,MAAM,SAAS,CAAA;AAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAG3B,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AAEnD,kFAAkF;AAClF,6EAA6E;AAC7E,gFAAgF;AAChF,qFAAqF;AACrF,uFAAuF;AACvF,iDAAiD;AAEjD,MAAM,cAAc,GAAG,CAAC,CAAkB,EAAE,EAAE,CAC5C,CAAC,CAAC,IAAI,CACJ,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,0CAA0C,EAAE,EAAE,EACxF,GAAG,CACJ,CAAA;AAEH,MAAM,WAAW,GAAG,CAAC,CAAkB,EAAE,EAAE,CACzC,CAAC,CAAC,IAAI,CACJ,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,iDAAiD,EAAE,EAAE,EAC9F,GAAG,CACJ,CAAA;AAEH,MAAM,UAAU,8BAA8B;IAC5C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAU,CAAA;IAE9B,GAAG,CAAC,GAAG,CAAC,yBAAyB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC7C,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,qBAAqB,CAAA;QACzD,IAAI,CAAC,QAAQ;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACpC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC1B,IAAI,CAAC,IAAI;YAAE,OAAO,cAAc,CAAC,CAAC,CAAC,CAAA;QACnC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,CAAA;IAChE,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE,QAAQ,CAAC,+BAA+B,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACzF,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,qBAAqB,CAAA;QACzD,IAAI,CAAC,QAAQ;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACpC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC1B,IAAI,CAAC,IAAI;YAAE,OAAO,cAAc,CAAC,CAAC,CAAC,CAAA;QACnC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;QACjE,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,MAAM,CAAC,iCAAiC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACxD,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,qBAAqB,CAAA;QACzD,IAAI,CAAC,QAAQ;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACpC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC1B,IAAI,CAAC,IAAI;YAAE,OAAO,cAAc,CAAC,CAAC,CAAC,CAAA;QACnC,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAA;QACpE,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;QACtC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/modules/providers/VendorCredentialController.d.ts

@@ -0,0 +1,4 @@
+import { Hono } from 'hono';
+import type { AppEnv } from '../../http/env.js';
+export declare function vendorCredentialController(): Hono<AppEnv>;
+//# sourceMappingURL=VendorCredentialController.d.ts.map

package/dist/modules/providers/VendorCredentialController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"VendorCredentialController.d.ts","sourceRoot":"","sources":["../../../src/modules/providers/VendorCredentialController.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAE3B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAA;AAmC/C,wBAAgB,0BAA0B,IAAI,IAAI,CAAC,MAAM,CAAC,CA0BzD"}

package/dist/modules/providers/VendorCredentialController.js

@@ -0,0 +1,55 @@
+import { addVendorCredentialSchema } from '@cat-factory/contracts';
+import { Hono } from 'hono';
+import { param } from '../../http/params.js';
+import { jsonBody } from '../../http/validation.js';
+// Workspace-scoped vendor-credential (subscription token pool) endpoints. A user
+// connects one or more Claude Pro/Max OAuth tokens or ChatGPT auth.json bundles;
+// the Claude Code / Codex harnesses lease them with usage-aware rotation. Tokens
+// are write-only — only metadata + rolling-window usage is ever returned. Mounted
+// under `/workspaces/:workspaceId`.
+const unavailable = (c) => c.json({
+    error: {
+        code: 'unavailable',
+        message: 'Subscription credential storage is not configured',
+    },
+}, 503);
+/** Project the service summary onto the wire type (already secret-free). */
+function toWire(summary) {
+    return {
+        id: summary.id,
+        vendor: summary.vendor,
+        label: summary.label,
+        createdAt: summary.createdAt,
+        lastUsedAt: summary.lastUsedAt,
+        inputTokens: summary.inputTokens,
+        outputTokens: summary.outputTokens,
+        requestCount: summary.requestCount,
+    };
+}
+export function vendorCredentialController() {
+    const app = new Hono();
+    app.get('/vendor-credentials', async (c) => {
+        const subscriptions = c.get('container').subscriptions;
+        if (!subscriptions)
+            return unavailable(c);
+        const tokens = await subscriptions.listTokens(param(c, 'workspaceId'));
+        return c.json({ credentials: tokens.map(toWire) });
+    });
+    app.post('/vendor-credentials', jsonBody(addVendorCredentialSchema), async (c) => {
+        const subscriptions = c.get('container').subscriptions;
+        if (!subscriptions)
+            return unavailable(c);
+        const input = c.req.valid('json');
+        const summary = await subscriptions.addToken(param(c, 'workspaceId'), input);
+        return c.json(toWire(summary), 201);
+    });
+    app.delete('/vendor-credentials/:id', async (c) => {
+        const subscriptions = c.get('container').subscriptions;
+        if (!subscriptions)
+            return unavailable(c);
+        await subscriptions.removeToken(param(c, 'workspaceId'), param(c, 'id'));
+        return c.body(null, 204);
+    });
+    return app;
+}
+//# sourceMappingURL=VendorCredentialController.js.map

package/dist/modules/providers/VendorCredentialController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"VendorCredentialController.js","sourceRoot":"","sources":["../../../src/modules/providers/VendorCredentialController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAyB,MAAM,wBAAwB,CAAA;AAEzF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAG3B,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AAEnD,iFAAiF;AACjF,iFAAiF;AACjF,iFAAiF;AACjF,kFAAkF;AAClF,oCAAoC;AAEpC,MAAM,WAAW,GAAG,CAAC,CAAkB,EAAE,EAAE,CACzC,CAAC,CAAC,IAAI,CACJ;IACE,KAAK,EAAE;QACL,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mDAAmD;KAC7D;CACF,EACD,GAAG,CACJ,CAAA;AAEH,4EAA4E;AAC5E,SAAS,MAAM,CAAC,OAAgC;IAC9C,OAAO;QACL,EAAE,EAAE,OAAO,CAAC,EAAE;QACd,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,0BAA0B;IACxC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAU,CAAA;IAE9B,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACzC,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,aAAa,CAAA;QACtD,IAAI,CAAC,aAAa;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACzC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC,CAAA;QACtE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;IACpD,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE,QAAQ,CAAC,yBAAyB,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC/E,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,aAAa,CAAA;QACtD,IAAI,CAAC,aAAa;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACzC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;QACjC,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,EAAE,KAAK,CAAC,CAAA;QAC5E,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,GAAG,CAAC,CAAA;IACrC,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,MAAM,CAAC,yBAAyB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAChD,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,aAAa,CAAA;QACtD,IAAI,CAAC,aAAa;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACzC,MAAM,aAAa,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAA;QACxE,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/modules/providers/personalCredentialGate.d.ts

@@ -0,0 +1,34 @@
+import type { Context } from 'hono';
+import type { AppEnv, ServerContainer } from '../../http/env.js';
+import type { SessionPayload } from '../../auth/signing.js';
+/**
+ * Read the ambient personal password from the request header (see
+ * `PERSONAL_PASSWORD_HEADER`). The client attaches it on the gated run calls the way it
+ * attaches the bearer token, so it never lives in a request body. Absent ⇒ undefined.
+ */
+export declare function readPersonalPassword(c: Context<AppEnv>): string | undefined;
+/**
+ * Best-effort, transparent re-mint of a run's individual-usage activation(s) when a user
+ * interacts with it (resolve decision / approve / request changes). Runs BEFORE the engine
+ * advances and dispatches the next step, so a freshly-minted activation is in place even if
+ * the previous one lapsed under its short TTL — keeping an actively-tended run alive without
+ * re-prompting. Driven off the cached password on the header; a wrong/absent one is ignored
+ * (the next dispatch then 428s and the client re-prompts on retry). Never throws, and skips
+ * entirely for non-individual runs (no password work on the common path).
+ */
+export declare function remintActivations(c: Context<AppEnv>, workspaceId: string, executionId: string): Promise<void>;
+export interface PersonalCredentialGate {
+    /** Recorded on the run (individual-usage credential ownership). */
+    initiatedBy: string | null;
+    /**
+     * Mints the per-run activation(s); passed to `executionService.start`/`retry` so it
+     * runs with the new run id before dispatch. Undefined when the run needs no personal
+     * credential.
+     */
+    activate?: (executionId: string) => Promise<void>;
+}
+/** Gate for STARTING a run on a block with a given pipeline. */
+export declare function personalGateForBlock(container: ServerContainer, workspaceId: string, blockId: string, pipelineId: string, user: SessionPayload | undefined, password: string | undefined): Promise<PersonalCredentialGate>;
+/** Gate for RETRYING a failed run. */
+export declare function personalGateForRun(container: ServerContainer, workspaceId: string, executionId: string, user: SessionPayload | undefined, password: string | undefined): Promise<PersonalCredentialGate>;
+//# sourceMappingURL=personalCredentialGate.d.ts.map

package/dist/modules/providers/personalCredentialGate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"personalCredentialGate.d.ts","sourceRoot":"","sources":["../../../src/modules/providers/personalCredentialGate.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AACnC,OAAO,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAChE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAE3D;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,SAAS,CAE3E;AAmBD;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CACrC,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,EAClB,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,CAyBf;AASD,MAAM,WAAW,sBAAsB;IACrC,mEAAmE;IACnE,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,WAAW,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;CAClD;AAiDD,gEAAgE;AAChE,wBAAsB,oBAAoB,CACxC,SAAS,EAAE,eAAe,EAC1B,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,cAAc,GAAG,SAAS,EAChC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAC3B,OAAO,CAAC,sBAAsB,CAAC,CAQjC;AAED,sCAAsC;AACtC,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,eAAe,EAC1B,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,cAAc,GAAG,SAAS,EAChC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAC3B,OAAO,CAAC,sBAAsB,CAAC,CAOjC"}

package/dist/modules/providers/personalCredentialGate.js

@@ -0,0 +1,106 @@
+import { CredentialRequiredError } from '@cat-factory/kernel';
+import { PERSONAL_PASSWORD_HEADER } from '@cat-factory/contracts';
+/**
+ * Read the ambient personal password from the request header (see
+ * `PERSONAL_PASSWORD_HEADER`). The client attaches it on the gated run calls the way it
+ * attaches the bearer token, so it never lives in a request body. Absent ⇒ undefined.
+ */
+export function readPersonalPassword(c) {
+    return c.req.header(PERSONAL_PASSWORD_HEADER) || undefined;
+}
+/**
+ * A predicate over the vendors the run's user has their OWN personal subscription for.
+ * Passed into the engine's vendor resolution so a DUAL-MODE individual model (GLM) gates
+ * only a subscriber (a non-subscriber runs it on the Cloudflare base). Empty for an
+ * unauthenticated/unconfigured caller — then only subscription-ONLY individual models
+ * (Claude / Codex) gate.
+ */
+async function resolvePersonalVendorPredicate(container, user) {
+    const personal = container.personalSubscriptions;
+    if (!personal || !user)
+        return () => false;
+    const owned = new Set((await personal.list(user.id)).map((s) => s.vendor));
+    return (vendor) => owned.has(vendor);
+}
+/**
+ * Best-effort, transparent re-mint of a run's individual-usage activation(s) when a user
+ * interacts with it (resolve decision / approve / request changes). Runs BEFORE the engine
+ * advances and dispatches the next step, so a freshly-minted activation is in place even if
+ * the previous one lapsed under its short TTL — keeping an actively-tended run alive without
+ * re-prompting. Driven off the cached password on the header; a wrong/absent one is ignored
+ * (the next dispatch then 428s and the client re-prompts on retry). Never throws, and skips
+ * entirely for non-individual runs (no password work on the common path).
+ */
+export async function remintActivations(c, workspaceId, executionId) {
+    const container = c.get('container');
+    const personal = container.personalSubscriptions;
+    const user = c.get('user');
+    if (!personal || !user)
+        return;
+    try {
+        const vendors = await container.executionService.individualVendorsForRun(workspaceId, executionId, await resolvePersonalVendorPredicate(container, user));
+        if (vendors.length === 0)
+            return;
+        const password = readPersonalPassword(c);
+        if (password) {
+            // Re-mint from the password — robust even when the prior activation already expired.
+            for (const vendor of vendors) {
+                await personal.activateForRun(executionId, user.id, vendor, password);
+            }
+        }
+        else {
+            // No password on hand — just extend any still-live activation (no-op if expired).
+            await personal.refreshActivations(executionId, user.id);
+        }
+    }
+    catch {
+        // Best-effort: a lapsed run surfaces 428 at the next dispatch, which the client retries.
+    }
+}
+/**
+ * Build the gate for the set of individual-usage vendors a run will use (empty ⇒ no
+ * personal credential needed). The same password unlocks every vendor's activation: the
+ * client caches one password and rides it along, and a per-vendor failure (wrong/missing
+ * password, no subscription) surfaces as a `428 credential_required` the client re-prompts
+ * on. Vendors are activated in order, so the first one that can't be unlocked is reported.
+ */
+function gate(container, vendors, user, password) {
+    if (vendors.length === 0)
+        return { initiatedBy: user?.id ?? null };
+    // The vendor named in the up-front errors (before any activation is attempted).
+    const first = vendors[0];
+    if (!user) {
+        throw new CredentialRequiredError(`Sign in to run a ${first} model with your personal subscription.`, { vendor: first, reason: 'no_subscription' });
+    }
+    const personal = container.personalSubscriptions;
+    if (!personal) {
+        throw new CredentialRequiredError(`Personal ${first} subscriptions are not configured on this deployment.`, { vendor: first, reason: 'no_subscription' });
+    }
+    if (!password) {
+        // The credential exists (or not) — either way the unlock needs the password; the
+        // client re-prompts on this reason and retries with it.
+        throw new CredentialRequiredError(`Enter your personal password to run this ${first} model.`, {
+            vendor: first,
+            reason: 'password_required',
+        });
+    }
+    return {
+        initiatedBy: user.id,
+        activate: async (executionId) => {
+            for (const vendor of vendors) {
+                await personal.activateForRun(executionId, user.id, vendor, password);
+            }
+        },
+    };
+}
+/** Gate for STARTING a run on a block with a given pipeline. */
+export async function personalGateForBlock(container, workspaceId, blockId, pipelineId, user, password) {
+    const vendors = await container.executionService.individualVendorsForBlock(workspaceId, blockId, pipelineId, await resolvePersonalVendorPredicate(container, user));
+    return gate(container, vendors, user, password);
+}
+/** Gate for RETRYING a failed run. */
+export async function personalGateForRun(container, workspaceId, executionId, user, password) {
+    const vendors = await container.executionService.individualVendorsForRun(workspaceId, executionId, await resolvePersonalVendorPredicate(container, user));
+    return gate(container, vendors, user, password);
+}
+//# sourceMappingURL=personalCredentialGate.js.map

package/dist/modules/providers/personalCredentialGate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"personalCredentialGate.js","sourceRoot":"","sources":["../../../src/modules/providers/personalCredentialGate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAA2B,MAAM,qBAAqB,CAAA;AACtF,OAAO,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAA;AAKjE;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,CAAkB;IACrD,OAAO,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,wBAAwB,CAAC,IAAI,SAAS,CAAA;AAC5D,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,8BAA8B,CAC3C,SAA0B,EAC1B,IAAgC;IAEhC,MAAM,QAAQ,GAAG,SAAS,CAAC,qBAAqB,CAAA;IAChD,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI;QAAE,OAAO,GAAG,EAAE,CAAC,KAAK,CAAA;IAC1C,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAA;IAC1E,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;AACtC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,CAAkB,EAClB,WAAmB,EACnB,WAAmB;IAEnB,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IACpC,MAAM,QAAQ,GAAG,SAAS,CAAC,qBAAqB,CAAA;IAChD,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IAC1B,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI;QAAE,OAAM;IAC9B,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,gBAAgB,CAAC,uBAAuB,CACtE,WAAW,EACX,WAAW,EACX,MAAM,8BAA8B,CAAC,SAAS,EAAE,IAAI,CAAC,CACtD,CAAA;QACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAM;QAChC,MAAM,QAAQ,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAA;QACxC,IAAI,QAAQ,EAAE,CAAC;YACb,qFAAqF;YACrF,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,QAAQ,CAAC,cAAc,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;YACvE,CAAC;QACH,CAAC;aAAM,CAAC;YACN,kFAAkF;YAClF,MAAM,QAAQ,CAAC,kBAAkB,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,yFAAyF;IAC3F,CAAC;AACH,CAAC;AAoBD;;;;;;GAMG;AACH,SAAS,IAAI,CACX,SAA0B,EAC1B,OAA6B,EAC7B,IAAgC,EAChC,QAA4B;IAE5B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,IAAI,IAAI,EAAE,CAAA;IAClE,gFAAgF;IAChF,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAE,CAAA;IACzB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,uBAAuB,CAC/B,oBAAoB,KAAK,yCAAyC,EAClE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAC7C,CAAA;IACH,CAAC;IACD,MAAM,QAAQ,GAAG,SAAS,CAAC,qBAAqB,CAAA;IAChD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,uBAAuB,CAC/B,YAAY,KAAK,uDAAuD,EACxE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAC7C,CAAA;IACH,CAAC;IACD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,iFAAiF;QACjF,wDAAwD;QACxD,MAAM,IAAI,uBAAuB,CAAC,4CAA4C,KAAK,SAAS,EAAE;YAC5F,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,mBAAmB;SAC5B,CAAC,CAAA;IACJ,CAAC;IACD,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,EAAE;QACpB,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE;YAC9B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,QAAQ,CAAC,cAAc,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;YACvE,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED,gEAAgE;AAChE,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,SAA0B,EAC1B,WAAmB,EACnB,OAAe,EACf,UAAkB,EAClB,IAAgC,EAChC,QAA4B;IAE5B,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,gBAAgB,CAAC,yBAAyB,CACxE,WAAW,EACX,OAAO,EACP,UAAU,EACV,MAAM,8BAA8B,CAAC,SAAS,EAAE,IAAI,CAAC,CACtD,CAAA;IACD,OAAO,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAA;AACjD,CAAC;AAED,sCAAsC;AACtC,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAA0B,EAC1B,WAAmB,EACnB,WAAmB,EACnB,IAAgC,EAChC,QAA4B;IAE5B,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,gBAAgB,CAAC,uBAAuB,CACtE,WAAW,EACX,WAAW,EACX,MAAM,8BAA8B,CAAC,SAAS,EAAE,IAAI,CAAC,CACtD,CAAA;IACD,OAAO,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAA;AACjD,CAAC"}

package/dist/modules/recurring/RecurringPipelineController.d.ts

@@ -0,0 +1,8 @@
+import { Hono } from 'hono';
+import type { AppEnv } from '../../http/env.js';
+/**
+ * CRUD + run history for a workspace's recurring pipelines (schedules that re-run a
+ * pipeline against a service on a cadence). Mounted under `/workspaces/:workspaceId`.
+ */
+export declare function recurringPipelineController(): Hono<AppEnv>;
+//# sourceMappingURL=RecurringPipelineController.d.ts.map

package/dist/modules/recurring/RecurringPipelineController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RecurringPipelineController.d.ts","sourceRoot":"","sources":["../../../src/modules/recurring/RecurringPipelineController.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAG3B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAA;AAY/C;;;GAGG;AACH,wBAAgB,2BAA2B,IAAI,IAAI,CAAC,MAAM,CAAC,CAgD1D"}

package/dist/modules/recurring/RecurringPipelineController.js

@@ -0,0 +1,58 @@
+import { createScheduleSchema, updateScheduleSchema } from '@cat-factory/contracts';
+import { Hono } from 'hono';
+import { param } from '../../http/params.js';
+import { jsonBody } from '../../http/validation.js';
+/** Resolve the recurring-pipeline module or send a 503, returning null when unconfigured. */
+function requireRecurring(c) {
+    return c.get('container').recurring ?? null;
+}
+const unavailable = (c) => c.json({ error: { code: 'unavailable', message: 'Recurring pipelines are not configured' } }, 503);
+/**
+ * CRUD + run history for a workspace's recurring pipelines (schedules that re-run a
+ * pipeline against a service on a cadence). Mounted under `/workspaces/:workspaceId`.
+ */
+export function recurringPipelineController() {
+    const app = new Hono();
+    app.get('/recurring-pipelines', async (c) => {
+        const recurring = requireRecurring(c);
+        if (!recurring)
+            return unavailable(c);
+        return c.json(await recurring.service.list(param(c, 'workspaceId')));
+    });
+    app.post('/recurring-pipelines', jsonBody(createScheduleSchema), async (c) => {
+        const recurring = requireRecurring(c);
+        if (!recurring)
+            return unavailable(c);
+        const schedule = await recurring.service.create(param(c, 'workspaceId'), c.req.valid('json'));
+        return c.json(schedule, 201);
+    });
+    app.patch('/recurring-pipelines/:scheduleId', jsonBody(updateScheduleSchema), async (c) => {
+        const recurring = requireRecurring(c);
+        if (!recurring)
+            return unavailable(c);
+        const schedule = await recurring.service.update(param(c, 'workspaceId'), param(c, 'scheduleId'), c.req.valid('json'));
+        return c.json(schedule);
+    });
+    app.delete('/recurring-pipelines/:scheduleId', async (c) => {
+        const recurring = requireRecurring(c);
+        if (!recurring)
+            return unavailable(c);
+        await recurring.service.remove(param(c, 'workspaceId'), param(c, 'scheduleId'));
+        return c.body(null, 204);
+    });
+    app.get('/recurring-pipelines/:scheduleId/runs', async (c) => {
+        const recurring = requireRecurring(c);
+        if (!recurring)
+            return unavailable(c);
+        return c.json(await recurring.service.listRuns(param(c, 'workspaceId'), param(c, 'scheduleId')));
+    });
+    app.post('/recurring-pipelines/:scheduleId/run-now', async (c) => {
+        const recurring = requireRecurring(c);
+        if (!recurring)
+            return unavailable(c);
+        const schedule = await recurring.service.runNow(param(c, 'workspaceId'), param(c, 'scheduleId'));
+        return c.json(schedule);
+    });
+    return app;
+}
+//# sourceMappingURL=RecurringPipelineController.js.map

package/dist/modules/recurring/RecurringPipelineController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RecurringPipelineController.js","sourceRoot":"","sources":["../../../src/modules/recurring/RecurringPipelineController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAA;AACnF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAI3B,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AAEnD,6FAA6F;AAC7F,SAAS,gBAAgB,CAAC,CAAkB;IAC1C,OAAO,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,SAAS,IAAI,IAAI,CAAA;AAC7C,CAAC;AAED,MAAM,WAAW,GAAG,CAAC,CAAkB,EAAE,EAAE,CACzC,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,wCAAwC,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;AAEpG;;;GAGG;AACH,MAAM,UAAU,2BAA2B;IACzC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAU,CAAA;IAE9B,GAAG,CAAC,GAAG,CAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC1C,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAA;QACrC,IAAI,CAAC,SAAS;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACrC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,CAAA;IACtE,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE,QAAQ,CAAC,oBAAoB,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC3E,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAA;QACrC,IAAI,CAAC,SAAS;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACrC,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;QAC7F,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IAC9B,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,KAAK,CAAC,kCAAkC,EAAE,QAAQ,CAAC,oBAAoB,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACxF,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAA;QACrC,IAAI,CAAC,SAAS;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACrC,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,MAAM,CAC7C,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,EACvB,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,EACtB,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CACpB,CAAA;QACD,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;IACzB,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,MAAM,CAAC,kCAAkC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACzD,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAA;QACrC,IAAI,CAAC,SAAS;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACrC,MAAM,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAA;QAC/E,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,GAAG,CAAC,uCAAuC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC3D,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAA;QACrC,IAAI,CAAC,SAAS;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACrC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC,CAAA;IAClG,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,IAAI,CAAC,0CAA0C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC/D,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAA;QACrC,IAAI,CAAC,SAAS;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACrC,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAA;QAChG,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;IACzB,CAAC,CAAC,CAAA;IAEF,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/modules/recurring/TrackerSettingsController.d.ts

@@ -0,0 +1,8 @@
+import { Hono } from 'hono';
+import type { AppEnv } from '../../http/env.js';
+/**
+ * Read/write a workspace's issue-tracker selection (GitHub Issues or Jira). Mounted
+ * under `/workspaces/:workspaceId`.
+ */
+export declare function trackerSettingsController(): Hono<AppEnv>;
+//# sourceMappingURL=TrackerSettingsController.d.ts.map

package/dist/modules/recurring/TrackerSettingsController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TrackerSettingsController.d.ts","sourceRoot":"","sources":["../../../src/modules/recurring/TrackerSettingsController.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAG3B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAA;AAY/C;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,IAAI,CAAC,MAAM,CAAC,CAgBxD"}

package/dist/modules/recurring/TrackerSettingsController.js

@@ -0,0 +1,30 @@
+import { putTrackerSettingsSchema } from '@cat-factory/contracts';
+import { Hono } from 'hono';
+import { param } from '../../http/params.js';
+import { jsonBody } from '../../http/validation.js';
+/** Resolve the tracker-settings module or send a 503, returning null when unconfigured. */
+function requireTracker(c) {
+    return c.get('container').tracker ?? null;
+}
+const unavailable = (c) => c.json({ error: { code: 'unavailable', message: 'Issue tracker is not configured' } }, 503);
+/**
+ * Read/write a workspace's issue-tracker selection (GitHub Issues or Jira). Mounted
+ * under `/workspaces/:workspaceId`.
+ */
+export function trackerSettingsController() {
+    const app = new Hono();
+    app.get('/tracker-settings', async (c) => {
+        const tracker = requireTracker(c);
+        if (!tracker)
+            return unavailable(c);
+        return c.json(await tracker.service.get(param(c, 'workspaceId')));
+    });
+    app.put('/tracker-settings', jsonBody(putTrackerSettingsSchema), async (c) => {
+        const tracker = requireTracker(c);
+        if (!tracker)
+            return unavailable(c);
+        return c.json(await tracker.service.put(param(c, 'workspaceId'), c.req.valid('json')));
+    });
+    return app;
+}
+//# sourceMappingURL=TrackerSettingsController.js.map

package/dist/modules/recurring/TrackerSettingsController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TrackerSettingsController.js","sourceRoot":"","sources":["../../../src/modules/recurring/TrackerSettingsController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAA;AACjE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAI3B,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AAEnD,2FAA2F;AAC3F,SAAS,cAAc,CAAC,CAAkB;IACxC,OAAO,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,OAAO,IAAI,IAAI,CAAA;AAC3C,CAAC;AAED,MAAM,WAAW,GAAG,CAAC,CAAkB,EAAE,EAAE,CACzC,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,iCAAiC,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;AAE7F;;;GAGG;AACH,MAAM,UAAU,yBAAyB;IACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAU,CAAA;IAE9B,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACvC,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,CAAC,CAAA;QACjC,IAAI,CAAC,OAAO;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACnC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,CAAA;IACnE,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,QAAQ,CAAC,wBAAwB,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC3E,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,CAAC,CAAA;QACjC,IAAI,CAAC,OAAO;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACnC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;IACxF,CAAC,CAAC,CAAA;IAEF,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/modules/releaseHealth/ReleaseHealthController.d.ts

@@ -0,0 +1,9 @@
+import { Hono } from 'hono';
+import type { AppEnv } from '../../http/env.js';
+/**
+ * Per-workspace settings for the post-release-health gate: the (single) Datadog
+ * connection (keys write-only, never read back) and the per-block monitor/SLO
+ * mappings the gate reads. Mounted under `/workspaces/:workspaceId`.
+ */
+export declare function releaseHealthController(): Hono<AppEnv>;
+//# sourceMappingURL=ReleaseHealthController.d.ts.map

package/dist/modules/releaseHealth/ReleaseHealthController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ReleaseHealthController.d.ts","sourceRoot":"","sources":["../../../src/modules/releaseHealth/ReleaseHealthController.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAG3B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAA;AAe/C;;;;GAIG;AACH,wBAAgB,uBAAuB,IAAI,IAAI,CAAC,MAAM,CAAC,CAmDtD"}

package/dist/modules/releaseHealth/ReleaseHealthController.js

@@ -0,0 +1,58 @@
+import { upsertDatadogConnectionSchema, upsertReleaseHealthConfigSchema, } from '@cat-factory/contracts';
+import { Hono } from 'hono';
+import { param } from '../../http/params.js';
+import { jsonBody } from '../../http/validation.js';
+/** Resolve the release-health module or send a 503, returning null when unconfigured. */
+function requireReleaseHealth(c) {
+    return c.get('container').releaseHealth ?? null;
+}
+const unavailable = (c) => c.json({ error: { code: 'unavailable', message: 'The Datadog integration is not configured' } }, 503);
+/**
+ * Per-workspace settings for the post-release-health gate: the (single) Datadog
+ * connection (keys write-only, never read back) and the per-block monitor/SLO
+ * mappings the gate reads. Mounted under `/workspaces/:workspaceId`.
+ */
+export function releaseHealthController() {
+    const app = new Hono();
+    app.get('/datadog/connection', async (c) => {
+        const rh = requireReleaseHealth(c);
+        if (!rh)
+            return unavailable(c);
+        return c.json(await rh.service.getConnection(param(c, 'workspaceId')));
+    });
+    app.put('/datadog/connection', jsonBody(upsertDatadogConnectionSchema), async (c) => {
+        const rh = requireReleaseHealth(c);
+        if (!rh)
+            return unavailable(c);
+        return c.json(await rh.service.setConnection(param(c, 'workspaceId'), c.req.valid('json')));
+    });
+    app.delete('/datadog/connection', async (c) => {
+        const rh = requireReleaseHealth(c);
+        if (!rh)
+            return unavailable(c);
+        await rh.service.deleteConnection(param(c, 'workspaceId'));
+        return c.body(null, 204);
+    });
+    app.get('/release-health-configs', async (c) => {
+        const rh = requireReleaseHealth(c);
+        if (!rh)
+            return unavailable(c);
+        return c.json(await rh.service.listConfigs(param(c, 'workspaceId')));
+    });
+    app.put('/release-health-configs/:blockId', jsonBody(upsertReleaseHealthConfigSchema), async (c) => {
+        const rh = requireReleaseHealth(c);
+        if (!rh)
+            return unavailable(c);
+        const config = await rh.service.upsertConfig(param(c, 'workspaceId'), param(c, 'blockId'), c.req.valid('json'));
+        return c.json(config);
+    });
+    app.delete('/release-health-configs/:blockId', async (c) => {
+        const rh = requireReleaseHealth(c);
+        if (!rh)
+            return unavailable(c);
+        await rh.service.deleteConfig(param(c, 'workspaceId'), param(c, 'blockId'));
+        return c.body(null, 204);
+    });
+    return app;
+}
+//# sourceMappingURL=ReleaseHealthController.js.map

package/dist/modules/releaseHealth/ReleaseHealthController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ReleaseHealthController.js","sourceRoot":"","sources":["../../../src/modules/releaseHealth/ReleaseHealthController.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,6BAA6B,EAC7B,+BAA+B,GAChC,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAI3B,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AAEnD,yFAAyF;AACzF,SAAS,oBAAoB,CAAC,CAAkB;IAC9C,OAAO,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,aAAa,IAAI,IAAI,CAAA;AACjD,CAAC;AAED,MAAM,WAAW,GAAG,CAAC,CAAkB,EAAE,EAAE,CACzC,CAAC,CAAC,IAAI,CACJ,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,2CAA2C,EAAE,EAAE,EACxF,GAAG,CACJ,CAAA;AAEH;;;;GAIG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAU,CAAA;IAE9B,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACzC,MAAM,EAAE,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAA;QAClC,IAAI,CAAC,EAAE;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QAC9B,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,CAAA;IACxE,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,QAAQ,CAAC,6BAA6B,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAClF,MAAM,EAAE,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAA;QAClC,IAAI,CAAC,EAAE;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QAC9B,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;IAC7F,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,MAAM,CAAC,qBAAqB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC5C,MAAM,EAAE,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAA;QAClC,IAAI,CAAC,EAAE;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QAC9B,MAAM,EAAE,CAAC,OAAO,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC,CAAA;QAC1D,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,GAAG,CAAC,yBAAyB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC7C,MAAM,EAAE,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAA;QAClC,IAAI,CAAC,EAAE;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QAC9B,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,CAAA;IACtE,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,GAAG,CACL,kCAAkC,EAClC,QAAQ,CAAC,+BAA+B,CAAC,EACzC,KAAK,EAAE,CAAC,EAAE,EAAE;QACV,MAAM,EAAE,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAA;QAClC,IAAI,CAAC,EAAE;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QAC9B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,YAAY,CAC1C,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,EACvB,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,EACnB,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CACpB,CAAA;QACD,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;IACvB,CAAC,CACF,CAAA;IAED,GAAG,CAAC,MAAM,CAAC,kCAAkC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACzD,MAAM,EAAE,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAA;QAClC,IAAI,CAAC,EAAE;YAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QAC9B,MAAM,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAA;QAC3E,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/modules/requirements/RequirementReviewController.d.ts

@@ -0,0 +1,12 @@
+import { Hono } from 'hono';
+import type { AppEnv } from '../../http/env.js';
+/**
+ * Workspace-scoped requirements-review endpoints. The initial review runs an LLM inline and
+ * returns the entity. Incorporation, by contrast, is ASYNCHRONOUS: it records the human's
+ * intent on the parked run, signals the durable driver to fold + re-review in the
+ * background, and returns at once with the `incorporating` review so the SPA can return the
+ * user to the board — they are summoned again (a notification) only if input is needed.
+ * Mounted under `/workspaces/:workspaceId`.
+ */
+export declare function requirementReviewController(): Hono<AppEnv>;
+//# sourceMappingURL=RequirementReviewController.d.ts.map

package/dist/modules/requirements/RequirementReviewController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RequirementReviewController.d.ts","sourceRoot":"","sources":["../../../src/modules/requirements/RequirementReviewController.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAG3B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAA;AAY/C;;;;;;;GAOG;AACH,wBAAgB,2BAA2B,IAAI,IAAI,CAAC,MAAM,CAAC,CA8H1D"}

package/dist/modules/requirements/RequirementReviewController.js

@@ -0,0 +1,107 @@
+import { incorporateRequirementsSchema, replyReviewItemSchema, resolveRequirementsExceededSchema, updateReviewItemStatusSchema, } from '@cat-factory/contracts';
+import { Hono } from 'hono';
+import { param } from '../../http/params.js';
+import { jsonBody } from '../../http/validation.js';
+/** Resolve the requirements module or send a 503, returning null when unconfigured. */
+function requireRequirements(c) {
+    return c.get('container').requirements ?? null;
+}
+const unavailable = (c) => c.json({ error: { code: 'unavailable', message: 'Requirements review is not configured' } }, 503);
+/**
+ * Workspace-scoped requirements-review endpoints. The initial review runs an LLM inline and
+ * returns the entity. Incorporation, by contrast, is ASYNCHRONOUS: it records the human's
+ * intent on the parked run, signals the durable driver to fold + re-review in the
+ * background, and returns at once with the `incorporating` review so the SPA can return the
+ * user to the board — they are summoned again (a notification) only if input is needed.
+ * Mounted under `/workspaces/:workspaceId`.
+ */
+export function requirementReviewController() {
+    const app = new Hono();
+    // The current review for a block (null when none has been run yet).
+    app.get('/blocks/:blockId/requirement-review', async (c) => {
+        const requirements = requireRequirements(c);
+        if (!requirements)
+            return unavailable(c);
+        const review = await requirements.service.getForBlock(param(c, 'workspaceId'), param(c, 'blockId'));
+        return c.json(review);
+    });
+    // Run a fresh review of the block's collected requirements (replaces any prior).
+    // Routed through the execution service so the off-path surface honours the task's
+    // merge-preset knobs (iteration budget + tolerated severity) exactly like the gate.
+    app.post('/blocks/:blockId/requirement-review', async (c) => {
+        const requirements = requireRequirements(c);
+        if (!requirements)
+            return unavailable(c);
+        const review = await c
+            .get('container')
+            .executionService.reviewRequirements(param(c, 'workspaceId'), param(c, 'blockId'));
+        return c.json(review, 201);
+    });
+    // Answer a single review item.
+    app.post('/requirement-reviews/:reviewId/items/:itemId/reply', jsonBody(replyReviewItemSchema), async (c) => {
+        const requirements = requireRequirements(c);
+        if (!requirements)
+            return unavailable(c);
+        const review = await requirements.service.replyToItem(param(c, 'workspaceId'), param(c, 'reviewId'), param(c, 'itemId'), c.req.valid('json').reply);
+        return c.json(review);
+    });
+    // Set a review item's status (resolve / dismiss / reopen).
+    app.patch('/requirement-reviews/:reviewId/items/:itemId', jsonBody(updateReviewItemStatusSchema), async (c) => {
+        const requirements = requireRequirements(c);
+        if (!requirements)
+            return unavailable(c);
+        const review = await requirements.service.setItemStatus(param(c, 'workspaceId'), param(c, 'reviewId'), param(c, 'itemId'), c.req.valid('json').status);
+        return c.json(review);
+    });
+    // Incorporate the answers ASYNCHRONOUSLY: the durable driver folds them into one
+    // standard-format document and re-reviews it in the background. Optional `feedback` is the
+    // "do it differently" lever when redoing a merge. Returns the `incorporating` review at
+    // once (no LLM in the request) so the SPA returns the user to the board; a notification
+    // calls them back only if the re-review needs input. Blocks scoped (the review is resolved
+    // from the block) to match the other run-driving endpoints.
+    app.post('/blocks/:blockId/requirement-review/incorporate', jsonBody(incorporateRequirementsSchema), async (c) => {
+        const requirements = requireRequirements(c);
+        if (!requirements)
+            return unavailable(c);
+        const review = await c
+            .get('container')
+            .executionService.incorporateRequirements(param(c, 'workspaceId'), param(c, 'blockId'), c.req.valid('json').feedback);
+        return c.json(review);
+    });
+    // Re-review the incorporated document (one more reviewer pass). On convergence the
+    // parked run advances; otherwise the response carries the next cycle's findings (or the
+    // iteration-cap state). Returns the updated review.
+    app.post('/blocks/:blockId/requirement-review/re-review', async (c) => {
+        const requirements = requireRequirements(c);
+        if (!requirements)
+            return unavailable(c);
+        const review = await c
+            .get('container')
+            .executionService.reReviewRequirements(param(c, 'workspaceId'), param(c, 'blockId'));
+        return c.json(review);
+    });
+    // Proceed: settle the requirements (last incorporated doc wins downstream) and advance
+    // the parked run. Used when every finding is dismissed.
+    app.post('/blocks/:blockId/requirement-review/proceed', async (c) => {
+        const requirements = requireRequirements(c);
+        if (!requirements)
+            return unavailable(c);
+        const review = await c
+            .get('container')
+            .executionService.proceedRequirements(param(c, 'workspaceId'), param(c, 'blockId'));
+        return c.json(review);
+    });
+    // Resolve a review that hit its iteration cap: one more round / proceed anyway / stop
+    // and reset the task to phase zero. Returns the updated review.
+    app.post('/blocks/:blockId/requirement-review/resolve-exceeded', jsonBody(resolveRequirementsExceededSchema), async (c) => {
+        const requirements = requireRequirements(c);
+        if (!requirements)
+            return unavailable(c);
+        const review = await c
+            .get('container')
+            .executionService.resolveRequirementsExceeded(param(c, 'workspaceId'), param(c, 'blockId'), c.req.valid('json').choice);
+        return c.json(review);
+    });
+    return app;
+}
+//# sourceMappingURL=RequirementReviewController.js.map