@codemation/host 0.0.1

package/src/infrastructure/persistence/generated/prisma-client/schema.prisma

@@ -0,0 +1,179 @@
+generator client {
+  provider = "prisma-client-js"
+  output   = "../src/infrastructure/persistence/generated/prisma-client"
+}
+
+datasource db {
+  provider = "postgresql"
+}
+
+model Run {
+  runId                String  @id @map("run_id")
+  workflowId           String  @map("workflow_id")
+  startedAt            String  @map("started_at")
+  status               String
+  parentJson           String? @map("parent_json")
+  executionOptionsJson String? @map("execution_options_json")
+  updatedAt            String  @map("updated_at")
+  stateJson            String  @map("state_json")
+}
+
+model WorkflowDebuggerOverlay {
+  workflowId      String  @id @map("workflow_id")
+  updatedAt       String  @map("updated_at")
+  copiedFromRunId String? @map("copied_from_run_id")
+  stateJson       String  @map("state_json")
+}
+
+model WorkflowActivation {
+  workflowId String  @id @map("workflow_id")
+  isActive   Boolean @default(false) @map("is_active")
+  updatedAt  String  @map("updated_at")
+}
+
+model TriggerSetupState {
+  workflowId String @map("workflow_id")
+  nodeId     String @map("node_id")
+  updatedAt  String @map("updated_at")
+  stateJson  String @map("state_json")
+
+  @@id([workflowId, nodeId])
+}
+
+model CredentialInstance {
+  instanceId       String @id @map("instance_id")
+  typeId           String @map("type_id")
+  displayName      String @map("display_name")
+  sourceKind       String @map("source_kind")
+  publicConfigJson String @map("public_config_json")
+  secretRefJson    String @map("secret_ref_json")
+  tagsJson         String @map("tags_json")
+  setupStatus      String @map("setup_status")
+  createdAt        String @map("created_at")
+  updatedAt        String @map("updated_at")
+}
+
+model CredentialSecretMaterial {
+  instanceId      String @id @map("instance_id")
+  encryptedJson   String @map("encrypted_json")
+  encryptionKeyId String @map("encryption_key_id")
+  schemaVersion   Int    @map("schema_version")
+  updatedAt       String @map("updated_at")
+}
+
+model CredentialOAuth2Material {
+  instanceId      String  @id @map("instance_id")
+  encryptedJson   String  @map("encrypted_json")
+  encryptionKeyId String  @map("encryption_key_id")
+  schemaVersion   Int     @map("schema_version")
+  providerId      String  @map("provider_id")
+  connectedEmail  String? @map("connected_email")
+  connectedAt     String? @map("connected_at")
+  scopesJson      String  @map("scopes_json")
+  updatedAt       String  @map("updated_at")
+}
+
+model CredentialOAuth2State {
+  state               String  @id
+  instanceId          String  @map("instance_id")
+  codeVerifier        String? @map("code_verifier")
+  providerId          String? @map("provider_id")
+  requestedScopesJson String  @map("requested_scopes_json")
+  createdAt           String  @map("created_at")
+  expiresAt           String  @map("expires_at")
+
+  @@index([instanceId])
+  @@index([expiresAt])
+}
+
+model CredentialBinding {
+  workflowId String @map("workflow_id")
+  nodeId     String @map("node_id")
+  slotKey    String @map("slot_key")
+  instanceId String @map("instance_id")
+  updatedAt  String @map("updated_at")
+
+  @@id([workflowId, nodeId, slotKey])
+  @@index([instanceId])
+}
+
+model CredentialTestResult {
+  testId      String  @id @map("test_id")
+  instanceId  String  @map("instance_id")
+  status      String
+  message     String?
+  detailsJson String  @map("details_json")
+  testedAt    String  @map("tested_at")
+  expiresAt   String? @map("expires_at")
+
+  @@index([instanceId, testedAt])
+}
+
+/// Auth.js / NextAuth user directory (JWT sessions; optional OAuth linking)
+model User {
+  id            String       @id @default(cuid())
+  name          String?
+  email         String?      @unique
+  emailVerified DateTime?    @map("email_verified")
+  image         String?
+  passwordHash  String?      @map("password_hash")
+  /// invited | active | inactive (local directory / invite flow)
+  accountStatus String       @default("active") @map("account_status")
+  accounts      Account[]
+  sessions      Session[]
+  invites       UserInvite[]
+
+  @@map("codemation_auth_user")
+}
+
+model UserInvite {
+  id        String    @id @default(cuid())
+  userId    String    @map("user_id")
+  tokenHash String    @unique @map("token_hash")
+  expiresAt DateTime  @map("expires_at")
+  createdAt DateTime  @map("created_at")
+  revokedAt DateTime? @map("revoked_at")
+  user      User      @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+  @@map("codemation_auth_user_invite")
+}
+
+model Account {
+  id                String  @id @default(cuid())
+  userId            String  @map("user_id")
+  type              String
+  provider          String
+  providerAccountId String  @map("provider_account_id")
+  refresh_token     String? @db.Text
+  access_token      String? @db.Text
+  expires_at        Int?
+  token_type        String?
+  scope             String? @db.Text
+  id_token          String? @db.Text
+  session_state     String?
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([provider, providerAccountId])
+  @@map("codemation_auth_account")
+}
+
+model Session {
+  id           String   @id @default(cuid())
+  sessionToken String   @unique @map("session_token")
+  userId       String   @map("user_id")
+  expires      DateTime
+  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@map("codemation_auth_session")
+}
+
+model VerificationToken {
+  identifier String
+  token      String
+  expires    DateTime
+
+  @@unique([identifier, token])
+  @@map("codemation_auth_verification_token")
+}

package/src/infrastructure/persistence/generated/prisma-client/wasm-edge-light-loader.mjs

@@ -0,0 +1,5 @@
+
+/* !!! This is code generated by Prisma. Do not edit directly. !!!
+/* eslint-disable */
+// biome-ignore-all lint: generated file
+export default import('./query_compiler_fast_bg.wasm?module')

package/src/infrastructure/persistence/generated/prisma-client/wasm-worker-loader.mjs

@@ -0,0 +1,5 @@
+
+/* !!! This is code generated by Prisma. Do not edit directly. !!!
+/* eslint-disable */
+// biome-ignore-all lint: generated file
+export default import('./query_compiler_fast_bg.wasm')

package/src/infrastructure/runtime/LiveWorkflowRepository.ts

@@ -0,0 +1,14 @@
+import type { WorkflowDefinition } from "@codemation/core";
+import { InMemoryLiveWorkflowRepository } from "@codemation/core";
+import type { AIAgentConnectionWorkflowExpander } from "@codemation/core-nodes";
+
+/** Host-owned mutable workflow repository; expands AI agent connections before registration. */
+export class LiveWorkflowRepository extends InMemoryLiveWorkflowRepository {
+  constructor(private readonly connectionExpander: AIAgentConnectionWorkflowExpander) {
+    super();
+  }
+
+  setWorkflows(workflows: ReadonlyArray<WorkflowDefinition>): void {
+    super.setWorkflows(workflows.map((workflow) => this.connectionExpander.expand(workflow)));
+  }
+}

package/src/infrastructure/runtime/WorkerRuntimeScheduler.ts

@@ -0,0 +1,35 @@
+import type {
+  BinaryStorage,
+  CredentialSessionService,
+  EngineExecutionLimitsPolicy,
+  NodeActivationContinuation,
+  NodeExecutionScheduler,
+  NodeResolver,
+  WorkflowExecutionRepository,
+  WorkflowDefinition,
+  WorkflowId,
+} from "@codemation/core";
+
+export type WorkerRuntimeHandle = Readonly<{
+  stop: () => Promise<void>;
+}>;
+
+export interface WorkerRuntimeScheduler extends NodeExecutionScheduler {
+  createWorker(
+    args: Readonly<{
+      queues: ReadonlyArray<string>;
+      workflowsById: ReadonlyMap<WorkflowId, WorkflowDefinition>;
+      nodeResolver: NodeResolver;
+      credentialSessions: CredentialSessionService;
+      workflowExecutionRepository: WorkflowExecutionRepository;
+      continuation: NodeActivationContinuation;
+      binaryStorage?: BinaryStorage;
+      workflows?: unknown;
+      now?: () => Date;
+      /** When set, must match the host engine policy so worker execution contexts use the same limits as `runtime.engineExecutionLimits`. */
+      executionLimitsPolicy?: EngineExecutionLimitsPolicy;
+    }>,
+  ): WorkerRuntimeHandle;
+
+  close(): Promise<void>;
+}

package/src/infrastructure/server/http/ServerHttpRouteParams.ts

@@ -0,0 +1 @@
+export type { ServerHttpRouteParams } from "../../../presentation/http/ServerHttpRouteParams";

package/src/infrastructure/webhooks/RequestToWebhookItemMapper.ts

@@ -0,0 +1,128 @@
+import type {
+  ActivationIdFactory,
+  BinaryAttachment,
+  BinaryBody,
+  BinaryStorage,
+  Item,
+  ItemBinary,
+  RunIdFactory,
+  WebhookInvocationMatch,
+} from "@codemation/core";
+import { CoreTokens, DefaultExecutionBinaryService, inject, injectable } from "@codemation/core";
+
+@injectable()
+export class RequestToWebhookItemMapper {
+  constructor(
+    @inject(CoreTokens.BinaryStorage)
+    private readonly binaryStorage: BinaryStorage,
+    @inject(CoreTokens.RunIdFactory)
+    private readonly runIdFactory: RunIdFactory,
+    @inject(CoreTokens.ActivationIdFactory)
+    private readonly activationIdFactory: ActivationIdFactory,
+  ) {}
+
+  async map(request: Request, match: WebhookInvocationMatch): Promise<Item> {
+    const url = new URL(request.url);
+    const contentType = request.headers.get("content-type") ?? "";
+    if (contentType.toLowerCase().includes("multipart/form-data")) {
+      return await this.mapMultipart(request, match, url);
+    }
+    const bodyText = await request.text();
+    const parsedJsonBody = this.parseJsonBody(bodyText, request, match.parseJsonBody);
+    const body = parsedJsonBody.didParse ? parsedJsonBody.raw : this.resolveBody(bodyText);
+    const json = parsedJsonBody.didParse ? parsedJsonBody.value : undefined;
+
+    return {
+      json: {
+        headers: this.toHeaders(request),
+        ...(body === undefined ? {} : { body }),
+        ...(json === undefined ? {} : { json }),
+        method: request.method.toUpperCase(),
+        url: request.url,
+        query: this.toQuery(url),
+      },
+    };
+  }
+
+  private async mapMultipart(request: Request, match: WebhookInvocationMatch, url: URL): Promise<Item> {
+    const formData = await request.formData();
+    const ingressRunId = `webhook-ingress-${this.runIdFactory.makeRunId()}`;
+    const ingressActivationId = `webhook-ingress-${this.activationIdFactory.makeActivationId()}`;
+    const binaryService = new DefaultExecutionBinaryService(
+      this.binaryStorage,
+      match.workflowId,
+      ingressRunId,
+      () => new Date(),
+    );
+    const nodeBinary = binaryService.forNode({
+      nodeId: match.nodeId,
+      activationId: ingressActivationId,
+    });
+    const formFields: Record<string, string> = {};
+    const binaryParts: Record<string, BinaryAttachment> = {};
+    for (const [key, value] of formData as unknown as Iterable<[string, string | File]>) {
+      if (value instanceof File) {
+        const attachment = await nodeBinary.attach({
+          name: key,
+          body: value.stream() as BinaryBody,
+          mimeType: value.type || "application/octet-stream",
+          filename: value.name,
+        });
+        binaryParts[key] = attachment;
+      } else {
+        formFields[key] = value;
+      }
+    }
+    const binary: ItemBinary | undefined = Object.keys(binaryParts).length > 0 ? binaryParts : undefined;
+    return {
+      json: {
+        headers: this.toHeaders(request),
+        method: request.method.toUpperCase(),
+        url: request.url,
+        query: this.toQuery(url),
+        formFields,
+      },
+      binary,
+    };
+  }
+
+  private parseJsonBody(
+    bodyText: string,
+    request: Request,
+    parseJsonBody: ((body: unknown) => unknown) | undefined,
+  ): Readonly<{ didParse: boolean; raw?: unknown; value?: unknown }> {
+    if (!bodyText) return { didParse: false };
+    if (!parseJsonBody && !this.isJsonRequest(request)) return { didParse: false };
+
+    const raw = JSON.parse(bodyText) as unknown;
+    return {
+      didParse: true,
+      raw,
+      value: parseJsonBody ? parseJsonBody(raw) : raw,
+    };
+  }
+
+  private isJsonRequest(request: Request): boolean {
+    return request.headers.get("content-type")?.toLowerCase().includes("application/json") ?? false;
+  }
+
+  private resolveBody(bodyText: string): string | undefined {
+    return bodyText ? bodyText : undefined;
+  }
+
+  private toHeaders(request: Request): Record<string, string> {
+    const headers: Record<string, string> = {};
+    request.headers.forEach((value, key) => {
+      headers[key] = value;
+    });
+    return headers;
+  }
+
+  private toQuery(url: URL): Record<string, string> {
+    const query: Record<string, string> = {};
+    url.searchParams.forEach((value, key) => {
+      query[key] = value;
+    });
+    return query;
+  }
+}

package/src/nextServer.ts

@@ -0,0 +1,31 @@
+export type { DevBootstrapSummaryJson } from "./application/dev/DevBootstrapSummaryJson.types";
+export type { LogFilter } from "./application/logging/LogFilter";
+export type { Logger, LoggerFactory } from "./application/logging/Logger";
+export { FilteringLogger } from "./infrastructure/logging/FilteringLogger";
+export { logLevelPolicyFactory, LogLevelPolicyFactory } from "./infrastructure/logging/LogLevelPolicyFactory";
+export { PerformanceLogPolicy } from "./infrastructure/logging/PerformanceLogPolicy";
+export {
+  performanceLogPolicyFactory,
+  PerformanceLogPolicyFactory,
+} from "./infrastructure/logging/PerformanceLogPolicyFactory";
+export { ServerLoggerFactory } from "./infrastructure/logging/ServerLoggerFactory";
+export { RunBinaryAttachmentLookupService } from "./application/binary/RunBinaryAttachmentLookupService";
+export { WorkflowDefinitionMapper } from "./application/mapping/WorkflowDefinitionMapper";
+export { WorkflowPolicyUiPresentationFactory } from "./application/mapping/WorkflowPolicyUiPresentationFactory";
+export { WorkflowRunRetentionPruneScheduler } from "./application/runs/WorkflowRunRetentionPruneScheduler";
+export { ApplicationTokens } from "./applicationTokens";
+export { CodemationApplication } from "./codemationApplication";
+export { CodemationBootstrapRequest } from "./bootstrap/CodemationBootstrapRequest";
+export { CodemationFrontendBootstrapRequest } from "./bootstrap/CodemationFrontendBootstrapRequest";
+export { CodemationWorkerBootstrapRequest } from "./bootstrap/CodemationWorkerBootstrapRequest";
+export { CodemationPluginListMerger } from "./presentation/config/CodemationPluginListMerger";
+export { CredentialBindingService, CredentialInstanceService } from "./domain/credentials/CredentialServices";
+export { RequestToWebhookItemMapper } from "./infrastructure/webhooks/RequestToWebhookItemMapper";
+export { CodemationHonoApiApp } from "./presentation/http/hono/CodemationHonoApiAppFactory";
+export { BinaryHttpRouteHandler } from "./presentation/http/routeHandlers/BinaryHttpRouteHandlerFactory";
+export { CredentialHttpRouteHandler } from "./presentation/http/routeHandlers/CredentialHttpRouteHandler";
+export { OAuth2HttpRouteHandler } from "./presentation/http/routeHandlers/OAuth2HttpRouteHandlerFactory";
+export { RunHttpRouteHandler } from "./presentation/http/routeHandlers/RunHttpRouteHandler";
+export { WebhookHttpRouteHandler } from "./presentation/http/routeHandlers/WebhookHttpRouteHandler";
+export { WorkflowHttpRouteHandler } from "./presentation/http/routeHandlers/WorkflowHttpRouteHandler";
+export { WorkflowWebsocketServer } from "./presentation/websocket/WorkflowWebsocketServer";

package/src/persistenceServer.ts

@@ -0,0 +1,5 @@
+export { CodemationPostgresPrismaClientFactory } from "./infrastructure/persistence/CodemationPostgresPrismaClientFactory";
+export { DatabasePersistenceResolver } from "./infrastructure/persistence/DatabasePersistenceResolver";
+export type { ResolvedDatabasePersistence } from "./infrastructure/persistence/DatabasePersistenceResolver";
+export { PrismaMigrationDeployer } from "./infrastructure/persistence/PrismaMigrationDeployer";
+export { PrismaClient } from "./infrastructure/persistence/generated/prisma-client/client.js";

package/src/presentation/config/AppConfig.ts

@@ -0,0 +1,25 @@
+import type { CodemationDatabaseConfig, CodemationEventBusKind, CodemationSchedulerKind } from "./CodemationConfig";
+import type { CodemationAuthConfig } from "./CodemationAuthConfig";
+import type { CodemationWhitelabelConfig } from "./CodemationWhitelabelConfig";
+
+export interface AppConfig {
+  readonly consumerRoot: string;
+  readonly repoRoot: string;
+  readonly env: Readonly<NodeJS.ProcessEnv>;
+  readonly workflowSources: ReadonlyArray<string>;
+  readonly databaseUrl?: string;
+  readonly database?: CodemationDatabaseConfig;
+  readonly scheduler: Readonly<{
+    kind: CodemationSchedulerKind;
+    queuePrefix?: string;
+    workerQueues: ReadonlyArray<string>;
+    redisUrl?: string;
+  }>;
+  readonly eventing: Readonly<{
+    kind: CodemationEventBusKind;
+    queuePrefix?: string;
+    redisUrl?: string;
+  }>;
+  readonly auth?: CodemationAuthConfig;
+  readonly whitelabel: CodemationWhitelabelConfig;
+}

package/src/presentation/config/CodemationAppContext.ts

@@ -0,0 +1,19 @@
+import type { AnyCredentialType, Container, TypeToken, WorkflowDefinition } from "@codemation/core";
+import type { AppConfig } from "./AppConfig";
+import type { CodemationClassToken } from "./CodemationClassToken";
+
+export interface CodemationRegistrationContextBase {
+  readonly appConfig?: AppConfig;
+
+  registerCredentialType(type: AnyCredentialType): void;
+  registerNode<TValue>(token: TypeToken<TValue>, implementation?: CodemationClassToken<TValue>): void;
+  registerValue<TValue>(token: TypeToken<TValue>, value: TValue): void;
+  registerClass<TValue>(token: TypeToken<TValue>, implementation: CodemationClassToken<TValue>): void;
+  registerFactory<TValue>(token: TypeToken<TValue>, factory: (container: Container) => TValue): void;
+}
+
+export interface CodemationAppContext extends CodemationRegistrationContextBase {
+  registerWorkflow(workflow: WorkflowDefinition): void;
+  registerWorkflows(workflows: ReadonlyArray<WorkflowDefinition>): void;
+  discoverWorkflows(...directories: ReadonlyArray<string>): void;
+}

package/src/presentation/config/CodemationApplicationFacade.ts

@@ -0,0 +1,5 @@
+import type { AnyCredentialType } from "@codemation/core";
+
+export interface CodemationApplicationFacade {
+  registerCredentialType(type: AnyCredentialType): void;
+}

package/src/presentation/config/CodemationAuthConfig.ts

@@ -0,0 +1,31 @@
+/**
+ * Consumer-declared authentication profile for the hosted UI + HTTP API.
+ * NextAuth / Auth.js wires concrete providers from this configuration plus environment secrets.
+ */
+export type CodemationAuthKind = "local" | "oauth" | "oidc";
+
+export interface CodemationAuthOAuthProviderConfig {
+  readonly provider: "google" | "github" | "microsoft-entra-id";
+  readonly clientIdEnv: string;
+  readonly clientSecretEnv: string;
+  /** Microsoft Entra ID tenant; environment variable name whose value is the tenant ID. */
+  readonly tenantIdEnv?: string;
+}
+
+export interface CodemationAuthOidcProviderConfig {
+  readonly id: string;
+  readonly issuer: string;
+  readonly clientIdEnv: string;
+  readonly clientSecretEnv: string;
+}
+
+export interface CodemationAuthConfig {
+  readonly kind: CodemationAuthKind;
+  /**
+   * When true and NODE_ENV is not production, the API accepts requests without a real session
+   * (synthetic principal only — never honored in production).
+   */
+  readonly allowUnauthenticatedInDevelopment?: boolean;
+  readonly oauth?: ReadonlyArray<CodemationAuthOAuthProviderConfig>;
+  readonly oidc?: ReadonlyArray<CodemationAuthOidcProviderConfig>;
+}

package/src/presentation/config/CodemationClassToken.ts

@@ -0,0 +1,3 @@
+import type { TypeToken } from "@codemation/core";
+
+export type CodemationClassToken<TValue> = TypeToken<TValue> & (new (...args: never[]) => TValue);

package/src/presentation/config/CodemationConfig.ts

@@ -0,0 +1,86 @@
+import type { AnyCredentialType, EngineExecutionLimitsPolicyConfig, WorkflowDefinition } from "@codemation/core";
+import type { CodemationAuthConfig } from "./CodemationAuthConfig";
+import type { CodemationAppContext } from "./CodemationAppContext";
+import type { CodemationPlugin } from "./CodemationPlugin";
+import type { CodemationLogConfig } from "./CodemationLogConfig";
+import type { CodemationWhitelabelConfig } from "./CodemationWhitelabelConfig";
+import type { CodemationWorkflowDiscovery } from "./CodemationWorkflowDiscovery";
+
+export type CodemationEventBusKind = "memory" | "redis";
+export type CodemationSchedulerKind = "local" | "bullmq";
+export type CodemationDatabaseKind = "postgresql" | "pglite";
+
+export interface CodemationDatabaseConfig {
+  readonly kind?: CodemationDatabaseKind;
+  /** TCP PostgreSQL URL when `kind` is `postgresql` (or omitted with a postgres URL). */
+  readonly url?: string;
+  /** Directory for embedded PGlite data when `kind` is `pglite`. Relative paths resolve from the consumer app root. */
+  readonly pgliteDataDir?: string;
+}
+
+export interface CodemationEventBusConfig {
+  readonly kind?: CodemationEventBusKind;
+  readonly redisUrl?: string;
+  readonly queuePrefix?: string;
+}
+
+export interface CodemationSchedulerConfig {
+  readonly kind?: CodemationSchedulerKind;
+  readonly queuePrefix?: string;
+  readonly workerQueues?: ReadonlyArray<string>;
+}
+
+export type CodemationAppSchedulerKind = "inline" | "queue";
+
+export interface CodemationAppSchedulerConfig {
+  readonly kind?: CodemationAppSchedulerKind;
+  readonly queuePrefix?: string;
+  readonly workerQueues?: ReadonlyArray<string>;
+  readonly redisUrl?: string;
+}
+
+/**
+ * Optional overrides for engine execution limits (activation budget and subworkflow depth caps).
+ * Omitted fields keep framework defaults. Advanced users can bind `CoreTokens.EngineExecutionLimitsPolicy` for full control.
+ */
+export type CodemationEngineExecutionLimitsConfig = Readonly<Partial<EngineExecutionLimitsPolicyConfig>>;
+
+export interface CodemationAppDefinition {
+  readonly frontendPort?: number;
+  readonly databaseUrl?: string;
+  readonly database?: CodemationDatabaseConfig;
+  readonly scheduler?: CodemationAppSchedulerConfig;
+  readonly auth?: CodemationAuthConfig;
+  readonly whitelabel?: CodemationWhitelabelConfig;
+  readonly log?: CodemationLogConfig;
+  readonly engineExecutionLimits?: CodemationEngineExecutionLimitsConfig;
+}
+
+export interface CodemationApplicationRuntimeConfig {
+  readonly frontendPort?: number;
+  readonly database?: CodemationDatabaseConfig;
+  readonly eventBus?: CodemationEventBusConfig;
+  readonly scheduler?: CodemationSchedulerConfig;
+  /** Merged with engine defaults when building the execution limits policy (API + workers). */
+  readonly engineExecutionLimits?: CodemationEngineExecutionLimitsConfig;
+}
+
+export interface CodemationConfig {
+  readonly app?: CodemationAppDefinition;
+  readonly register?: (context: CodemationAppContext) => void;
+  readonly runtime?: CodemationApplicationRuntimeConfig;
+  readonly workflows?: ReadonlyArray<WorkflowDefinition>;
+  readonly workflowDiscovery?: CodemationWorkflowDiscovery;
+  readonly plugins?: ReadonlyArray<CodemationPlugin>;
+  /** Consumer-defined `CredentialType` entries (see `@codemation/core`), applied when the host loads config. */
+  readonly credentialTypes?: ReadonlyArray<AnyCredentialType>;
+  /** Optional shell whitelabel (product name, logo path). */
+  readonly whitelabel?: CodemationWhitelabelConfig;
+  /** Required for production hosts; optional only when using development bypass (never in production). */
+  readonly auth?: CodemationAuthConfig;
+  /**
+   * Namespace-level log filters (first matching rule wins). Unmatched namespaces use `CODEMATION_LOG_LEVEL` / defaults.
+   * Omit to keep env-only behavior.
+   */
+  readonly log?: CodemationLogConfig;
+}