@companyhelm/runner 0.1.1 → 0.2.0

package/dist/provisioning/runtime_provisioning/script_renderer.js

@@ -0,0 +1,120 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RuntimeProvisioningScriptRenderer = void 0;
+const node_path_1 = require("node:path");
+const runtime_bashrc_js_1 = require("../../service/runtime_bashrc.js");
+const runtime_shell_js_1 = require("../../service/runtime_shell.js");
+const template_renderer_js_1 = require("../template_renderer.js");
+function shellQuote(value) {
+    return `'${value.replace(/'/g, `'"'"'`)}'`;
+}
+function resolveThreadGitSkillsCloneRootDirectory(options) {
+    return options.cloneRootDirectory.trim().length > 0
+        ? options.cloneRootDirectory.trim()
+        : "/skills";
+}
+class RuntimeProvisioningScriptRenderer {
+    constructor(templateRenderer = new template_renderer_js_1.TemplateRenderer()) {
+        this.templateRenderer = templateRenderer;
+    }
+    renderIdentityScript(user) {
+        return this.templateRenderer.render("provisioning/runtime_identity.sh.j2", {
+            agent_user: shellQuote(user.agentUser),
+            agent_home: shellQuote(user.agentHomeDirectory),
+            agent_uid: shellQuote(String(user.uid)),
+            agent_gid: shellQuote(String(user.gid)),
+        });
+    }
+    renderToolingValidationScript(user) {
+        return this.templateRenderer.render("provisioning/runtime_tooling_validation.sh.j2", {
+            bootstrap: (0, runtime_shell_js_1.buildNvmCodexBootstrapScript)(user.agentHomeDirectory),
+        });
+    }
+    renderBashrcScript(user) {
+        return this.templateRenderer.render("provisioning/runtime_bashrc.sh.j2", {
+            agent_home: shellQuote(user.agentHomeDirectory),
+            bashrc_content: shellQuote((0, runtime_bashrc_js_1.renderRuntimeBashrc)(user.agentHomeDirectory)),
+        });
+    }
+    renderCodexConfigScript(user, configToml) {
+        return this.templateRenderer.render("provisioning/runtime_codex_config.sh.j2", {
+            agent_home: shellQuote(user.agentHomeDirectory),
+            config_content: shellQuote(configToml),
+        });
+    }
+    renderGitConfigScript(gitUserName, gitUserEmail) {
+        return this.templateRenderer.render("provisioning/runtime_git_config.sh.j2", {
+            default_git_user_name: shellQuote(gitUserName),
+            default_git_user_email: shellQuote(gitUserEmail),
+        });
+    }
+    renderThreadGitSkillsCloneScript(options) {
+        const cloneRootDirectory = resolveThreadGitSkillsCloneRootDirectory(options);
+        const packageBlocks = options.packages.map((pkg) => {
+            const checkoutPath = (0, node_path_1.join)(cloneRootDirectory, pkg.checkoutDirectoryName);
+            const sourceMarkerPath = (0, node_path_1.join)(checkoutPath, ".companyhelm-source");
+            return [
+                `PACKAGE_DIR=${shellQuote(checkoutPath)}`,
+                `PACKAGE_SOURCE_MARKER=${shellQuote(sourceMarkerPath)}`,
+                `PACKAGE_REPO_URL=${shellQuote(pkg.repositoryUrl)}`,
+                `PACKAGE_COMMIT_REF=${shellQuote(pkg.commitReference)}`,
+                'if [ ! -d "$PACKAGE_DIR/.git" ] || [ ! -f "$PACKAGE_SOURCE_MARKER" ] || [ "$(cat "$PACKAGE_SOURCE_MARKER")" != "$PACKAGE_REPO_URL#$PACKAGE_COMMIT_REF" ]; then',
+                '  rm -rf "$PACKAGE_DIR"',
+                '  if ! git clone --depth 1 --branch "$PACKAGE_COMMIT_REF" "$PACKAGE_REPO_URL" "$PACKAGE_DIR"; then',
+                '    rm -rf "$PACKAGE_DIR"',
+                '    git clone --depth 1 "$PACKAGE_REPO_URL" "$PACKAGE_DIR"',
+                '    git -C "$PACKAGE_DIR" fetch --depth 1 origin "$PACKAGE_COMMIT_REF"',
+                '    git -C "$PACKAGE_DIR" checkout --detach FETCH_HEAD',
+                "  fi",
+                '  printf \'%s\' "$PACKAGE_REPO_URL#$PACKAGE_COMMIT_REF" > "$PACKAGE_SOURCE_MARKER"',
+                "fi",
+                'chmod -R a+rX "$PACKAGE_DIR" || true',
+            ].join("\n");
+        }).join("\n\n");
+        return this.templateRenderer.render("provisioning/runtime_thread_git_skills_clone.sh.j2", {
+            skills_root: shellQuote(cloneRootDirectory),
+            package_blocks: packageBlocks,
+        });
+    }
+    renderThreadGitSkillsLinkScript(user, options) {
+        const cloneRootDirectory = resolveThreadGitSkillsCloneRootDirectory(options);
+        const codexSkillsDirectory = (0, node_path_1.join)(user.agentHomeDirectory, ".codex", "skills");
+        const skillBlocks = options.packages.flatMap((pkg) => pkg.skills.map((skill) => [
+            `SKILL_SOURCE=${shellQuote((0, node_path_1.join)(cloneRootDirectory, pkg.checkoutDirectoryName, skill.directoryPath))}`,
+            `SKILL_LINK=${shellQuote((0, node_path_1.join)(codexSkillsDirectory, skill.linkName))}`,
+            'if [ ! -d "$SKILL_SOURCE" ]; then',
+            '  echo "Thread git skill directory not found: $SKILL_SOURCE" >&2',
+            "  exit 1",
+            "fi",
+            'if [ ! -f "$SKILL_SOURCE/SKILL.md" ]; then',
+            '  echo "Thread git skill directory is missing SKILL.md: $SKILL_SOURCE" >&2',
+            "  exit 1",
+            "fi",
+            'rm -rf "$SKILL_LINK"',
+            'ln -s "$SKILL_SOURCE" "$SKILL_LINK"',
+        ].join("\n"))).join("\n\n");
+        return this.templateRenderer.render("provisioning/runtime_thread_git_skills_link.sh.j2", {
+            skills_root: shellQuote(cloneRootDirectory),
+            codex_skills_root: shellQuote(codexSkillsDirectory),
+            skill_blocks: skillBlocks,
+        });
+    }
+    renderAgentMetadataScript(user, files) {
+        const metadataRoot = (0, node_path_1.join)(user.agentHomeDirectory, ".companyhelm", "agent");
+        const fileBlocks = files.map((file) => {
+            const filePath = (0, node_path_1.join)(metadataRoot, file.filename);
+            return [
+                `FILE_PATH=${shellQuote(filePath)}`,
+                `FILE_CONTENT=${shellQuote(file.content)}`,
+                'printf \'%s\' "$FILE_CONTENT" > "$FILE_PATH"',
+                'chmod 0600 "$FILE_PATH"',
+            ].join("\n");
+        }).join("\n\n");
+        return this.templateRenderer.render("provisioning/runtime_agent_metadata.sh.j2", {
+            agent_home: shellQuote(user.agentHomeDirectory),
+            metadata_root: shellQuote(metadataRoot),
+            file_blocks: fileBlocks,
+        });
+    }
+}
+exports.RuntimeProvisioningScriptRenderer = RuntimeProvisioningScriptRenderer;

package/dist/provisioning/runtime_provisioning/system_prompt.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RuntimeSystemPromptRenderer = void 0;
+exports.renderRuntimeSystemPrompt = renderRuntimeSystemPrompt;
+exports.buildCodexDeveloperInstructions = buildCodexDeveloperInstructions;
+const template_renderer_js_1 = require("../template_renderer.js");
+function normalizeAdditionalInstructions(value) {
+    if (typeof value !== "string") {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+class RuntimeSystemPromptRenderer {
+    constructor(templateRenderer = new template_renderer_js_1.TemplateRenderer()) {
+        this.templateRenderer = templateRenderer;
+    }
+    render(options) {
+        const context = {
+            home_directory: options.homeDirectory,
+            agent_api_url: options.agentApiUrl,
+            agent_token: options.agentToken,
+            thread_id: options.threadId,
+        };
+        const common = this.templateRenderer.render("system_prompts/common.md.j2", context).trim();
+        const workspaceSpecificTemplate = options.workspaceMode === "dedicated"
+            ? "system_prompts/dedicated_workspace.md.j2"
+            : "system_prompts/shared_workspace.md.j2";
+        const workspaceSpecific = this.templateRenderer.render(workspaceSpecificTemplate, context).trim();
+        return `${common}\n\n${workspaceSpecific}\n`;
+    }
+}
+exports.RuntimeSystemPromptRenderer = RuntimeSystemPromptRenderer;
+function renderRuntimeSystemPrompt(options) {
+    return new RuntimeSystemPromptRenderer().render(options);
+}
+function buildCodexDeveloperInstructions(additionalInstructions, options) {
+    const systemPrompt = renderRuntimeSystemPrompt(options).trimEnd();
+    const normalizedAdditionalInstructions = normalizeAdditionalInstructions(additionalInstructions);
+    if (!normalizedAdditionalInstructions) {
+        return `${systemPrompt}\n`;
+    }
+    return `${systemPrompt}\n\n${normalizedAdditionalInstructions}\n`;
+}

package/dist/provisioning/template_renderer.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TemplateRenderer = void 0;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+class TemplateRenderer {
+    resolveTemplatePath(relativePath) {
+        const distRelativePath = (0, node_path_1.join)(__dirname, "..", "templates", relativePath);
+        if ((0, node_fs_1.existsSync)(distRelativePath)) {
+            return distRelativePath;
+        }
+        const sourceRelativePath = (0, node_path_1.join)(__dirname, "..", "..", "src", "templates", relativePath);
+        if ((0, node_fs_1.existsSync)(sourceRelativePath)) {
+            return sourceRelativePath;
+        }
+        throw new Error(`Template was not found at ${distRelativePath} or ${sourceRelativePath}`);
+    }
+    render(relativePath, context) {
+        const template = (0, node_fs_1.readFileSync)(this.resolveTemplatePath(relativePath), "utf8");
+        return template.replace(/{{\s*([a-zA-Z0-9_]+)\s*}}/g, (_match, key) => {
+            const value = context[key];
+            if (value === undefined) {
+                throw new Error(`Missing template value for key '${key}' in '${relativePath}'`);
+            }
+            return value;
+        });
+    }
+}
+exports.TemplateRenderer = TemplateRenderer;

package/dist/service/companyhelm_api_client.js

@@ -120,24 +120,6 @@ function createAgentRunnerControlServiceDefinition(pathPrefix = "") {
             responseSerialize: (response) => Buffer.from((0, protobuf_1.toBinary)(protos_1.ServerMessageSchema, response)),
             responseDeserialize: (bytes) => (0, protobuf_1.fromBinary)(protos_1.ServerMessageSchema, bytes),
         },
-        listGithubInstallationsForRunner: {
-            path: buildRpcPath(methods.listGithubInstallations.name, pathPrefix),
-            requestStream: false,
-            responseStream: false,
-            requestSerialize: (request) => Buffer.from((0, protobuf_1.toBinary)(protos_1.ListGithubInstallationsRequestSchema, request)),
-            requestDeserialize: (bytes) => (0, protobuf_1.fromBinary)(protos_1.ListGithubInstallationsRequestSchema, bytes),
-            responseSerialize: (response) => Buffer.from((0, protobuf_1.toBinary)(protos_1.ListGithubInstallationsResponseSchema, response)),
-            responseDeserialize: (bytes) => (0, protobuf_1.fromBinary)(protos_1.ListGithubInstallationsResponseSchema, bytes),
-        },
-        getGithubInstallationAccessTokenForRunner: {
-            path: buildRpcPath(methods.githubInstallationAccessToken.name, pathPrefix),
-            requestStream: false,
-            responseStream: false,
-            requestSerialize: (request) => Buffer.from((0, protobuf_1.toBinary)(protos_1.GithubInstallationAccessTokenRequestSchema, request)),
-            requestDeserialize: (bytes) => (0, protobuf_1.fromBinary)(protos_1.GithubInstallationAccessTokenRequestSchema, bytes),
-            responseSerialize: (response) => Buffer.from((0, protobuf_1.toBinary)(protos_1.GithubInstallationAccessTokenResponseSchema, response)),
-            responseDeserialize: (bytes) => (0, protobuf_1.fromBinary)(protos_1.GithubInstallationAccessTokenResponseSchema, bytes),
-        },
     };
 }
 function createAgentRunnerControlClient(endpoint, credentials, channelOptions) {
@@ -300,36 +282,6 @@ class CompanyhelmApiClient {
         const stream = this.client.controlChannel(options?.metadata, options?.callOptions);
         return new CompanyhelmCommandChannel(stream, this.logger);
     }
-    listGithubInstallationsForRunner(options) {
-        const metadata = options?.metadata ?? new grpc.Metadata();
-        const callOptions = options?.callOptions ?? {};
-        const request = (0, protobuf_1.create)(protos_1.ListGithubInstallationsRequestSchema, {});
-        return new Promise((resolve, reject) => {
-            this.client.listGithubInstallationsForRunner(request, metadata, callOptions, (error, response) => {
-                if (error) {
-                    reject(error);
-                    return;
-                }
-                resolve(response ?? (0, protobuf_1.create)(protos_1.ListGithubInstallationsResponseSchema, {}));
-            });
-        });
-    }
-    getGithubInstallationAccessTokenForRunner(installationId, options) {
-        const metadata = options?.metadata ?? new grpc.Metadata();
-        const callOptions = options?.callOptions ?? {};
-        const request = (0, protobuf_1.create)(protos_1.GithubInstallationAccessTokenRequestSchema, {
-            installationId,
-        });
-        return new Promise((resolve, reject) => {
-            this.client.getGithubInstallationAccessTokenForRunner(request, metadata, callOptions, (error, response) => {
-                if (error) {
-                    reject(error);
-                    return;
-                }
-                resolve(response ?? (0, protobuf_1.create)(protos_1.GithubInstallationAccessTokenResponseSchema, {}));
-            });
-        });
-    }
     close() {
         this.client.close();
     }

package/dist/service/docker/app_server_container.js

@@ -110,6 +110,13 @@ class AppServerContainerService {
     static isRecord(value) {
         return typeof value === "object" && value !== null;
     }
+    static isRemoteManifestUnknown(error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return /manifest\s+for .* not found|manifest unknown/i.test(message);
+    }
+    static buildRemoteManifestUnknownError(image) {
+        return new Error(`Docker image '${image}' is not available remotely yet. The Docker build/push may still be running. Wait for the image publish to finish, or set runtime_image to an available tag, then retry.`);
+    }
     async pullImage(image) {
         let lastReportedProgressBucket = -1;
         const layerProgress = new Map();
@@ -186,7 +193,15 @@ class AppServerContainerService {
             }
         }
         this.reportImageStatus(`Docker image '${image}' not found locally. Pulling remotely.`);
-        await this.pullImage(image);
+        try {
+            await this.pullImage(image);
+        }
+        catch (error) {
+            if (AppServerContainerService.isRemoteManifestUnknown(error)) {
+                throw AppServerContainerService.buildRemoteManifestUnknownError(image);
+            }
+            throw error;
+        }
         this.reportImageStatus(`Docker image '${image}' is ready.`);
     }
     async start() {

package/dist/service/sdk/refresh_models.js

@@ -11,7 +11,15 @@ const app_server_container_js_1 = require("../docker/app_server_container.js");
 function toErrorMessage(error) {
     return error instanceof Error ? error.message : String(error);
 }
+function isRuntimeImageUnavailable(error) {
+    const message = toErrorMessage(error);
+    return /manifest\s+for .* not found|manifest unknown/i.test(message);
+}
 function formatSdkModelRefreshFailure(sdk, error) {
+    if (isRuntimeImageUnavailable(error)) {
+        return (`Failed to refresh ${sdk} models from the local Codex app-server: ${toErrorMessage(error)}. ` +
+            "The configured runner image is not available from Docker yet. The Docker build/push may still be running. Wait for the image publish to finish or set runtime_image to an available tag, then retry.");
+    }
     return (`Failed to refresh ${sdk} models from the local Codex app-server: ${toErrorMessage(error)}. ` +
         "Verify the runner image can start Codex app-server with valid auth, then retry.");
 }

package/dist/service/thread_lifecycle.js

@@ -15,6 +15,7 @@ const dockerode_1 = __importDefault(require("dockerode"));
 const node_child_process_1 = require("node:child_process");
 const node_fs_1 = require("node:fs");
 const node_path_1 = require("node:path");
+const script_renderer_js_1 = require("../provisioning/runtime_provisioning/script_renderer.js");
 const path_js_1 = require("../utils/path.js");
 const runtime_bashrc_js_1 = require("./runtime_bashrc.js");
 const runtime_shell_js_1 = require("./runtime_shell.js");
@@ -193,12 +194,6 @@ function buildRuntimeToolingValidationScript(user) {
     return [
         bootstrap,
         "",
-        'if ! command -v companyhelm-agent >/dev/null 2>&1; then',
-        '  echo "companyhelm-agent CLI is not available after sourcing nvm." >&2',
-        '  echo "Fix: install @companyhelm/agent-cli in the runtime image." >&2',
-        "  exit 1",
-        "fi",
-        "",
         'if ! command -v aws >/dev/null 2>&1; then',
         '  echo "aws CLI is not available in runtime PATH." >&2',
         '  echo "Fix: install awscli in the runtime image." >&2',
@@ -318,21 +313,6 @@ function buildRuntimeThreadGitSkillsLinkScript(user, options) {
     }
     return scriptLines.join("\n");
 }
-function buildRuntimeAgentCliConfigScript(user, config) {
-    const configDirectory = (0, node_path_1.join)(user.agentHomeDirectory, ".config", "companyhelm-agent-cli");
-    const configPath = (0, node_path_1.join)(configDirectory, "config.json");
-    const configContent = `${JSON.stringify(config, null, 2)}\n`;
-    return [
-        "set -euo pipefail",
-        `CONFIG_DIR=${shellQuote(configDirectory)}`,
-        `CONFIG_PATH=${shellQuote(configPath)}`,
-        `CONFIG_CONTENT=${shellQuote(configContent)}`,
-        "",
-        'install -d -m 0755 "$CONFIG_DIR"',
-        'printf \'%s\' "$CONFIG_CONTENT" > "$CONFIG_PATH"',
-        'chmod 0600 "$CONFIG_PATH"',
-    ].join("\n");
-}
 function buildDindContainerOptions(options) {
     return {
         name: options.names.dind,
@@ -442,6 +422,7 @@ class ThreadContainerService {
     constructor(docker, runCommand = node_child_process_1.spawnSync) {
         this.docker = docker ?? new dockerode_1.default();
         this.runCommand = runCommand;
+        this.scriptRenderer = new script_renderer_js_1.RuntimeProvisioningScriptRenderer();
     }
     runDockerExecScript(args, contextMessage) {
         const result = this.runCommand("docker", args, {
@@ -616,46 +597,54 @@ class ThreadContainerService {
         }
     }
     async ensureRuntimeContainerIdentity(name, user) {
-        const script = buildRuntimeIdentityProvisionScript(user);
+        const script = this.scriptRenderer.renderIdentityScript(user);
         this.runDockerExecScript(["exec", "-u", "0", name, "bash", "-lc", script], `Failed to provision runtime user '${user.agentUser}' in container '${name}'`);
     }
     async ensureRuntimeContainerTooling(name, user) {
-        const script = buildRuntimeToolingValidationScript(user);
-        this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to validate runtime tooling (nvm/codex/companyhelm-agent/aws/playwright) in container '${name}'`);
+        const script = this.scriptRenderer.renderToolingValidationScript(user);
+        this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to validate runtime tooling (nvm/codex/aws/playwright) in container '${name}'`);
     }
     async ensureRuntimeContainerBashrc(name, user) {
-        const script = buildRuntimeBashrcProvisionScript(user);
+        const script = this.scriptRenderer.renderBashrcScript(user);
         this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to provision runtime .bashrc in container '${name}'`);
     }
     async ensureRuntimeContainerCodexConfig(name, user, configToml) {
-        const script = [
-            "set -euo pipefail",
-            `AGENT_HOME=${shellQuote(user.agentHomeDirectory)}`,
-            `CONFIG_CONTENT=${shellQuote(configToml)}`,
-            "",
-            'install -d -m 0755 "$AGENT_HOME/.codex"',
-            'printf \'%s\' "$CONFIG_CONTENT" > "$AGENT_HOME/.codex/config.toml"',
-            'chmod 0644 "$AGENT_HOME/.codex/config.toml"',
-        ].join("\n");
+        const script = this.scriptRenderer.renderCodexConfigScript(user, configToml);
         this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to write runtime Codex config.toml in container '${name}'`);
     }
-    async ensureRuntimeContainerAgentCliConfig(name, user, config) {
-        const script = buildRuntimeAgentCliConfigScript(user, config);
-        this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to write runtime companyhelm-agent CLI config in container '${name}'`);
-    }
     async ensureRuntimeContainerGitConfig(name, user, gitUserName, gitUserEmail) {
-        const script = buildRuntimeGitConfigScript(gitUserName, gitUserEmail);
+        const script = this.scriptRenderer.renderGitConfigScript(gitUserName, gitUserEmail);
         this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to configure git author defaults in runtime container '${name}'`);
     }
     async ensureRuntimeContainerThreadGitSkills(name, user, options) {
         if (options.packages.length === 0) {
             return;
         }
-        const cloneScript = buildRuntimeThreadGitSkillsCloneScript(options);
+        const cloneScript = this.scriptRenderer.renderThreadGitSkillsCloneScript(options);
         this.runDockerExecScript(["exec", "-u", "0", name, "bash", "-lc", cloneScript], `Failed to provision thread git skills in runtime container '${name}'`);
-        const linkScript = buildRuntimeThreadGitSkillsLinkScript(user, options);
+        const linkScript = this.scriptRenderer.renderThreadGitSkillsLinkScript(user, options);
         this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", linkScript], `Failed to provision thread git skills in runtime container '${name}'`);
     }
+    async ensureRuntimeContainerAgentMetadataFiles(name, user, files, contextMessage) {
+        if (files.length === 0) {
+            return;
+        }
+        const script = this.scriptRenderer.renderAgentMetadataScript(user, files);
+        this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], contextMessage);
+    }
+    async ensureRuntimeContainerThreadMetadata(name, user, payload) {
+        const files = [
+            {
+                filename: "thread-mcp.json",
+                content: `${JSON.stringify({ servers: payload.mcpServers }, null, 2)}\n`,
+            },
+            {
+                filename: "thread-git-skills.json",
+                content: `${JSON.stringify({ packages: payload.gitSkillPackages }, null, 2)}\n`,
+            },
+        ];
+        await this.ensureRuntimeContainerAgentMetadataFiles(name, user, files, `Failed to write runtime thread metadata in container '${name}'`);
+    }
     async stopContainer(name) {
         try {
             await this.docker.getContainer(name).stop({ t: 10 });

package/dist/service/thread_turn_state.js

@@ -12,6 +12,7 @@ async function loadThreadMessageExecutionState(stateDbPath, threadId) {
             .select({
             id: schema_js_1.threads.id,
             workspace: schema_js_1.threads.workspace,
+            cliSecret: schema_js_1.threads.cliSecret,
             sdkThreadId: schema_js_1.threads.sdkThreadId,
             model: schema_js_1.threads.model,
             reasoningLevel: schema_js_1.threads.reasoningLevel,

package/dist/templates/provisioning/runtime_agent_metadata.sh.j2

@@ -0,0 +1,8 @@
+set -euo pipefail
+AGENT_HOME={{agent_home}}
+METADATA_ROOT={{metadata_root}}
+
+install -d -m 0755 "$AGENT_HOME/.companyhelm"
+install -d -m 0755 "$METADATA_ROOT"
+
+{{file_blocks}}

package/dist/templates/provisioning/runtime_bashrc.sh.j2

@@ -0,0 +1,7 @@
+set -euo pipefail
+AGENT_HOME={{agent_home}}
+BASHRC_CONTENT={{bashrc_content}}
+
+install -d -m 0755 "$AGENT_HOME"
+printf '%s' "$BASHRC_CONTENT" > "$AGENT_HOME/.bashrc"
+chmod 0644 "$AGENT_HOME/.bashrc"

package/dist/templates/provisioning/runtime_codex_config.sh.j2

@@ -0,0 +1,7 @@
+set -euo pipefail
+AGENT_HOME={{agent_home}}
+CONFIG_CONTENT={{config_content}}
+
+install -d -m 0755 "$AGENT_HOME/.codex"
+printf '%s' "$CONFIG_CONTENT" > "$AGENT_HOME/.codex/config.toml"
+chmod 0644 "$AGENT_HOME/.codex/config.toml"

package/dist/templates/provisioning/runtime_git_config.sh.j2

@@ -0,0 +1,28 @@
+set -euo pipefail
+DEFAULT_GIT_USER_NAME={{default_git_user_name}}
+DEFAULT_GIT_USER_EMAIL={{default_git_user_email}}
+
+if ! command -v git >/dev/null 2>&1; then
+  exit 0
+fi
+
+if ! git config --global --get user.name >/dev/null 2>&1; then
+  git config --global user.name "$DEFAULT_GIT_USER_NAME"
+fi
+if ! git config --global --get user.email >/dev/null 2>&1; then
+  git config --global user.email "$DEFAULT_GIT_USER_EMAIL"
+fi
+
+if [ ! -d /workspace ]; then
+  exit 0
+fi
+
+while IFS= read -r -d '' git_dir; do
+  repo_root="$(dirname "$git_dir")"
+  if ! git -C "$repo_root" config --local --get user.name >/dev/null 2>&1; then
+    git -C "$repo_root" config --local user.name "$DEFAULT_GIT_USER_NAME"
+  fi
+  if ! git -C "$repo_root" config --local --get user.email >/dev/null 2>&1; then
+    git -C "$repo_root" config --local user.email "$DEFAULT_GIT_USER_EMAIL"
+  fi
+done < <(find /workspace -type d -name .git -print0 2>/dev/null || true)

package/dist/templates/provisioning/runtime_identity.sh.j2

@@ -0,0 +1,65 @@
+set -euo pipefail
+AGENT_USER={{agent_user}}
+AGENT_HOME={{agent_home}}
+AGENT_UID={{agent_uid}}
+AGENT_GID={{agent_gid}}
+
+AGENT_GROUP="$AGENT_USER"
+EXISTING_GID_GROUP="$(getent group "$AGENT_GID" | cut -d: -f1 || true)"
+if [ -n "$EXISTING_GID_GROUP" ] && [ "$EXISTING_GID_GROUP" != "$AGENT_USER" ] && ! getent group "$AGENT_USER" >/dev/null 2>&1; then
+  groupmod -n "$AGENT_USER" "$EXISTING_GID_GROUP"
+fi
+if getent group "$AGENT_USER" >/dev/null 2>&1; then
+  if [ "$(getent group "$AGENT_USER" | cut -d: -f3)" != "$AGENT_GID" ]; then
+    groupmod -g "$AGENT_GID" "$AGENT_USER"
+  fi
+else
+  groupadd -g "$AGENT_GID" "$AGENT_USER"
+fi
+
+EXISTING_UID_USER="$(getent passwd "$AGENT_UID" | cut -d: -f1 || true)"
+if [ -n "$EXISTING_UID_USER" ] && [ "$EXISTING_UID_USER" != "$AGENT_USER" ] && ! id -u "$AGENT_USER" >/dev/null 2>&1; then
+  usermod -l "$AGENT_USER" -d "$AGENT_HOME" -g "$AGENT_GROUP" -s /bin/bash "$EXISTING_UID_USER"
+elif id -u "$AGENT_USER" >/dev/null 2>&1; then
+  usermod -u "$AGENT_UID" -g "$AGENT_GROUP" -d "$AGENT_HOME" -s /bin/bash "$AGENT_USER"
+else
+  useradd -m -d "$AGENT_HOME" -u "$AGENT_UID" -g "$AGENT_GROUP" -s /bin/bash "$AGENT_USER"
+fi
+
+install -d -m 0755 -o "$AGENT_UID" -g "$AGENT_GID" "$AGENT_HOME"
+
+SUDOERS_FILE="/etc/sudoers.d/90-companyhelm-agent"
+if command -v sudo >/dev/null 2>&1; then
+  install -d -m 0750 /etc/sudoers.d
+  printf '%s\n' "$AGENT_USER ALL=(ALL) NOPASSWD:ALL" > "$SUDOERS_FILE"
+  chmod 0440 "$SUDOERS_FILE"
+  if command -v visudo >/dev/null 2>&1; then
+    visudo -cf "$SUDOERS_FILE" >/dev/null
+  fi
+fi
+
+install -d -m 0755 -o "$AGENT_UID" -g "$AGENT_GID" "$AGENT_HOME/.codex"
+install -d -m 0755 -o "$AGENT_UID" -g "$AGENT_GID" "$AGENT_HOME/.cache"
+if [ -e "$AGENT_HOME/.codex/auth.json" ]; then
+  chown "$AGENT_UID:$AGENT_GID" "$AGENT_HOME/.codex/auth.json" || true
+fi
+
+PLAYWRIGHT_SHARED_CACHE="/ms-playwright"
+PLAYWRIGHT_DEFAULT_CACHE="$AGENT_HOME/.cache/ms-playwright"
+install -d -m 0755 "$PLAYWRIGHT_SHARED_CACHE"
+if [ "$(stat -c '%u:%g' "$PLAYWRIGHT_SHARED_CACHE" 2>/dev/null || true)" != "$AGENT_UID:$AGENT_GID" ]; then
+  chown -R "$AGENT_UID:$AGENT_GID" "$PLAYWRIGHT_SHARED_CACHE" || true
+fi
+if [ -L "$PLAYWRIGHT_DEFAULT_CACHE" ]; then
+  if [ "$(readlink "$PLAYWRIGHT_DEFAULT_CACHE" 2>/dev/null || true)" != "$PLAYWRIGHT_SHARED_CACHE" ]; then
+    rm -f "$PLAYWRIGHT_DEFAULT_CACHE"
+    ln -s "$PLAYWRIGHT_SHARED_CACHE" "$PLAYWRIGHT_DEFAULT_CACHE"
+  fi
+elif [ ! -e "$PLAYWRIGHT_DEFAULT_CACHE" ]; then
+  ln -s "$PLAYWRIGHT_SHARED_CACHE" "$PLAYWRIGHT_DEFAULT_CACHE"
+else
+  chown -R "$AGENT_UID:$AGENT_GID" "$PLAYWRIGHT_DEFAULT_CACHE" || true
+fi
+install -d -m 0755 -o "$AGENT_UID" -g "$AGENT_GID" "$AGENT_HOME/.companyhelm"
+install -d -m 0755 -o "$AGENT_UID" -g "$AGENT_GID" "$AGENT_HOME/.companyhelm/agent"
+chown -R "$AGENT_UID:$AGENT_GID" "$AGENT_HOME" || true

package/dist/templates/provisioning/runtime_thread_git_skills_clone.sh.j2

@@ -0,0 +1,11 @@
+set -euo pipefail
+SKILLS_ROOT={{skills_root}}
+
+install -d -m 0755 "$SKILLS_ROOT"
+
+if ! command -v git >/dev/null 2>&1; then
+  echo "git is not available in the runtime container." >&2
+  exit 1
+fi
+
+{{package_blocks}}

package/dist/templates/provisioning/runtime_thread_git_skills_link.sh.j2

@@ -0,0 +1,7 @@
+set -euo pipefail
+SKILLS_ROOT={{skills_root}}
+CODEX_SKILLS_ROOT={{codex_skills_root}}
+
+install -d -m 0755 "$CODEX_SKILLS_ROOT"
+
+{{skill_blocks}}

package/dist/templates/provisioning/runtime_tooling_validation.sh.j2

@@ -0,0 +1,32 @@
+{{bootstrap}}
+
+if ! command -v aws >/dev/null 2>&1; then
+  echo "aws CLI is not available in runtime PATH." >&2
+  echo "Fix: install awscli in the runtime image." >&2
+  exit 1
+fi
+
+if ! command -v playwright >/dev/null 2>&1; then
+  echo "playwright CLI is not available after sourcing nvm." >&2
+  echo "Fix: install playwright in the runtime image (for example: npm install --global playwright)." >&2
+  exit 1
+fi
+
+PLAYWRIGHT_CACHE_DIR="${PLAYWRIGHT_BROWSERS_PATH:-$HOME/.cache/ms-playwright}"
+if [ ! -d "$PLAYWRIGHT_CACHE_DIR" ]; then
+  echo "Playwright browser cache directory is missing: $PLAYWRIGHT_CACHE_DIR" >&2
+  echo "Fix: set PLAYWRIGHT_BROWSERS_PATH and run npx playwright install chromium during runtime image build." >&2
+  exit 1
+fi
+
+CHROMIUM_BIN="$(find "$PLAYWRIGHT_CACHE_DIR" -type f -path "*/chrome-linux/chrome" -print -quit 2>/dev/null || true)"
+if [ -z "$CHROMIUM_BIN" ]; then
+  echo "Playwright chromium binary is missing under $PLAYWRIGHT_CACHE_DIR." >&2
+  echo "Fix: run npx playwright install chromium while building the runtime image." >&2
+  exit 1
+fi
+
+if [ ! -x "$CHROMIUM_BIN" ]; then
+  echo "Playwright chromium binary exists but is not executable: $CHROMIUM_BIN" >&2
+  exit 1
+fi

package/dist/templates/system_prompts/common.md.j2

@@ -0,0 +1,37 @@
+# Agent Instructions
+
+## Identity
+
+- Your CompanyHelm API thread id is `{{thread_id}}`.
+- Use this thread id when you need to correlate your own runtime actions with CompanyHelm thread state.
+
+## Workspace Structure
+
+- You are running in a thread-specific container and workspace.
+- This workspace may be shared or dedicated depending on runner startup configuration.
+- Repositories should live in subdirectories of `/workspace`.
+
+## Docker
+
+Docker is available, the docker host runs in a separate container. The network is shared with the container.
+- Only `/workspace` is shared with the docker host.
+- `{{home_directory}}/.codex/auth.json` is also shared with the docker host.
+- Nested DinD is not supported in this environment because the outer runtime already uses rootless DinD.
+- If you need Docker in Docker, mount the configured host runtime instead of trying nested DinD.
+
+## Available CLI Tools
+
+- `aws`: AWS CLI is pre-installed and available in `PATH`.
+- For scripted PR creation and updates, use `gh pr create --body-file <path>` and `gh pr edit --body-file <path>`.
+- Playwright CLI is already installed and available with Chromium pre-installed.
+
+## Agent API
+
+- Use the CompanyHelm agent REST API directly with `Authorization: Bearer {{agent_token}}`.
+- Agent API base URL: `{{agent_api_url}}`
+- The bearer token above is the existing thread secret.
+
+```bash
+curl -H "Authorization: Bearer {{agent_token}}" \
+  {{agent_api_url}}/
+```