@corbat-tech/coco 2.39.0 → 2.40.0

package/dist/cli/index.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { execFileSync, spawn, execSync, execFile, exec } from 'child_process';
+import { execFileSync, execSync, spawn, execFile, exec } from 'child_process';
 import { setGlobalDispatcher, EnvHttpProxyAgent } from 'undici';
 import * as fs5 from 'fs';
 import fs5__default, { accessSync, mkdirSync, appendFileSync, readFileSync, writeFileSync, constants as constants$1 } from 'fs';
@@ -23,7 +23,7 @@ import Anthropic from '@anthropic-ai/sdk';
 import { jsonrepair } from 'jsonrepair';
 import OpenAI from 'openai';
 import { GoogleGenAI, FunctionCallingConfigMode } from '@google/genai';
-import { parse } from 'yaml';
+import { parse as parse$1 } from 'yaml';
 import { minimatch } from 'minimatch';
 import hljs from 'highlight.js/lib/core';
 import bash from 'highlight.js/lib/languages/bash';
@@ -42,7 +42,7 @@ import yaml from 'highlight.js/lib/languages/yaml';
 import { diffLines, diffWords } from 'diff';
 import { glob } from 'glob';
 import { execa } from 'execa';
-import { parse as parse$1 } from '@typescript-eslint/typescript-estree';
+import { parse } from '@typescript-eslint/typescript-estree';
 import { simpleGit } from 'simple-git';
 import { Marked } from 'marked';
 import { markedTerminal } from 'marked-terminal';
@@ -10061,7 +10061,7 @@ function parseSkillMarkdown(raw) {
   const frontmatter = normalized.slice(3, closeIndex).trim();
   const afterMarkerStart = closeIndex + closeMarker.length;
   const contentStart = normalized[afterMarkerStart] === "\n" ? afterMarkerStart + 1 : afterMarkerStart;
-  const parsed = frontmatter.length > 0 ? parse(frontmatter) : {};
+  const parsed = frontmatter.length > 0 ? parse$1(frontmatter) : {};
   return {
     data: parsed && typeof parsed === "object" ? parsed : {},
     content: normalized.slice(contentStart)
@@ -15465,7 +15465,7 @@ var init_complexity = __esm({
        * Analyze single file
        */
       async analyzeFile(file, content) {
-        const ast = parse$1(content, {
+        const ast = parse(content, {
           loc: true,
           range: true,
           comment: false,
@@ -16062,7 +16062,7 @@ var init_completeness = __esm({
         for (const file of files) {
           try {
             const content = await readFile(file, "utf-8");
-            const ast = parse$1(content, {
+            const ast = parse(content, {
               loc: true,
               range: true,
               jsx: file.endsWith(".tsx") || file.endsWith(".jsx")
@@ -16275,7 +16275,7 @@ var init_robustness = __esm({
         for (const file of targetFiles) {
           try {
             const content = await readFile(file, "utf-8");
-            const ast = parse$1(content, {
+            const ast = parse(content, {
               loc: true,
               range: true,
               jsx: file.endsWith(".tsx") || file.endsWith(".jsx")
@@ -16568,7 +16568,7 @@ var init_documentation = __esm({
         for (const file of targetFiles) {
           try {
             const content = await readFile(file, "utf-8");
-            const ast = parse$1(content, {
+            const ast = parse(content, {
               loc: true,
               range: true,
               comment: true,
@@ -16946,7 +16946,7 @@ var init_readability = __esm({
         for (const file of targetFiles) {
           try {
             const content = await readFile(file, "utf-8");
-            const ast = parse$1(content, {
+            const ast = parse(content, {
               loc: true,
               range: true,
               jsx: file.endsWith(".tsx") || file.endsWith(".jsx")
@@ -17104,7 +17104,7 @@ var init_maintainability = __esm({
           try {
             const content = await readFile(file, "utf-8");
             const lineCount = countLines(content);
-            const ast = parse$1(content, {
+            const ast = parse(content, {
               loc: true,
               range: true,
               jsx: file.endsWith(".tsx") || file.endsWith(".jsx")
@@ -43310,7 +43310,7 @@ var InMemorySharedWorkspaceStore = class {
   write(input) {
     assertProvenance(input.provenance);
     const record = {
-      id: `state-${randomUUID()}`,
+      id: input.id ?? `state-${randomUUID()}`,
       kind: input.kind,
       key: input.key,
       value: cloneUnknown(input.value),
@@ -43353,7 +43353,7 @@ var AgentGraphEngine = class {
   constructor(options = {}) {
     this.eventLog = options.eventLog;
     this.sharedState = options.sharedState ?? new InMemorySharedWorkspaceStore();
-    this.nodeExecutor = options.nodeExecutor ?? defaultAgentGraphNodeExecutor;
+    this.nodeExecutor = options.nodeExecutor ?? (options.allowSimulated ? dryRunAgentGraphNodeExecutor : missingAgentGraphNodeExecutor);
     this.gateEvaluator = options.gateEvaluator ?? defaultAgentGateEvaluator;
     this.trace = options.trace ?? createAgentTraceContext();
   }
@@ -43437,6 +43437,39 @@ var AgentGraphEngine = class {
     }
   }
   async executeNode(input) {
+    const skipReason = shouldSkipNode(input.node, input.graph, input.input, input.nodeResults);
+    if (skipReason) {
+      const completedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const task = graphNodeToTask(input.node, input.input);
+      const skipped = normalizeAgentRunResult({
+        id: `${input.workflowRunId}-${input.node.id}-skipped`,
+        taskId: task.id,
+        role: task.role,
+        success: true,
+        status: "cancelled",
+        output: `Skipped node '${input.node.id}': ${skipReason}`,
+        startedAt: completedAt,
+        completedAt,
+        durationMs: 0,
+        metadata: {
+          workflowRunId: input.workflowRunId,
+          nodeId: input.node.id,
+          skipped: true,
+          skipReason
+        }
+      });
+      this.eventLog?.record("agent.completed", {
+        workflowRunId: input.workflowRunId,
+        nodeId: input.node.id,
+        agentRunId: skipped.id,
+        taskId: task.id,
+        role: skipped.role,
+        skipped: true,
+        reason: skipReason,
+        trace: input.graphTrace
+      });
+      return skipped;
+    }
     const attempts = input.node.retryPolicy?.maxAttempts ?? 1;
     let lastResult;
     for (let attempt = 1; attempt <= attempts; attempt++) {
@@ -43455,19 +43488,40 @@ var AgentGraphEngine = class {
         attempt,
         trace
       });
-      const result = await this.nodeExecutor({
-        node: input.node,
-        task,
-        attempt,
-        workflowRunId: input.workflowRunId,
-        trace,
-        dependencyResults: input.nodeResults,
-        sharedState: this.sharedState,
-        eventLog: this.eventLog ?? NULL_EVENT_LOG
-      });
+      const result = await runWithOptionalTimeout(
+        this.nodeExecutor({
+          node: input.node,
+          task,
+          attempt,
+          workflowRunId: input.workflowRunId,
+          trace,
+          dependencyResults: input.nodeResults,
+          sharedState: this.sharedState,
+          eventLog: this.eventLog ?? NULL_EVENT_LOG
+        }),
+        input.node.timeoutMs,
+        () => normalizeAgentRunResult({
+          id: `${input.workflowRunId}-${input.node.id}-attempt-${attempt}-timeout`,
+          taskId: task.id,
+          role: task.role,
+          success: false,
+          status: "timeout",
+          output: "",
+          startedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          durationMs: input.node.timeoutMs ?? 0,
+          error: `Node '${input.node.id}' timed out after ${input.node.timeoutMs}ms.`,
+          metadata: {
+            workflowRunId: input.workflowRunId,
+            nodeId: input.node.id,
+            trace,
+            timeoutMs: input.node.timeoutMs
+          }
+        })
+      );
       lastResult = result;
       for (const artifact of result.artifacts) {
-        this.sharedState.write({
+        const record = this.sharedState.write({
           kind: "artifact",
           key: artifact.id,
           value: artifact,
@@ -43479,6 +43533,15 @@ var AgentGraphEngine = class {
             risk: input.node.risk
           }
         });
+        this.eventLog?.record("shared_state.updated", {
+          workflowRunId: input.workflowRunId,
+          nodeId: input.node.id,
+          agentRunId: result.id,
+          recordId: record.id,
+          kind: record.kind,
+          key: record.key,
+          trace
+        });
         this.eventLog?.record("agent.artifact.created", {
           workflowRunId: input.workflowRunId,
           nodeId: input.node.id,
@@ -43499,6 +43562,14 @@ var AgentGraphEngine = class {
           attempt,
           trace
         });
+        this.eventLog?.record("checkpoint.created", {
+          workflowRunId: input.workflowRunId,
+          nodeId: input.node.id,
+          agentRunId: result.id,
+          taskId: task.id,
+          attempt,
+          trace
+        });
         return result;
       }
       this.eventLog?.record("agent.failed", {
@@ -43712,7 +43783,7 @@ function graphNodeToTask(node, workflowInput) {
     constraints: node.requiredTools?.map((tool) => `Requires tool: ${tool}`)
   };
 }
-async function defaultAgentGraphNodeExecutor(execution) {
+async function dryRunAgentGraphNodeExecutor(execution) {
   const startedAt = (/* @__PURE__ */ new Date()).toISOString();
   const dependencyOutputs = Object.fromEntries(
     [...execution.dependencyResults.entries()].map(([id, result]) => [
@@ -43744,10 +43815,36 @@ async function defaultAgentGraphNodeExecutor(execution) {
     }
   });
 }
+async function missingAgentGraphNodeExecutor(execution) {
+  const completedAt = (/* @__PURE__ */ new Date()).toISOString();
+  return normalizeAgentRunResult({
+    id: `${execution.workflowRunId}-${execution.node.id}-missing-executor`,
+    taskId: execution.task.id,
+    role: execution.task.role,
+    success: false,
+    output: "",
+    startedAt: completedAt,
+    completedAt,
+    durationMs: 0,
+    error: "AgentGraphEngine requires a nodeExecutor. Pass a real executor or set allowSimulated: true for dry-run/demo workflows.",
+    metadata: {
+      workflowRunId: execution.workflowRunId,
+      nodeId: execution.node.id,
+      trace: execution.trace,
+      missingExecutor: true
+    }
+  });
+}
 async function defaultAgentGateEvaluator(input) {
   if (!input.result.success) {
     return { passed: false, reason: "Agent result was not successful." };
   }
+  if (input.gate.kind === "tests" || input.gate.kind === "coverage" || input.gate.kind === "security" || input.gate.kind === "quality-score" || input.gate.kind === "human-approval") {
+    return {
+      passed: false,
+      reason: `Gate '${input.gate.kind}' requires an explicit evaluator.`
+    };
+  }
   return { passed: true };
 }
 function chunk(items, size) {
@@ -43758,6 +43855,71 @@ function chunk(items, size) {
   }
   return result;
 }
+async function runWithOptionalTimeout(promise, timeoutMs, onTimeout) {
+  if (!timeoutMs || timeoutMs <= 0) return promise;
+  return Promise.race([
+    promise,
+    new Promise((resolve4) => {
+      setTimeout(() => resolve4(onTimeout()), timeoutMs);
+    })
+  ]);
+}
+function shouldSkipNode(node, graph, workflowInput, dependencyResults) {
+  const nodeCondition = evaluateGraphCondition(node.condition, workflowInput, dependencyResults);
+  if (!nodeCondition.passed) return nodeCondition.reason;
+  for (const edge of graph.edges ?? []) {
+    if (edge.to !== node.id || !edge.condition) continue;
+    const edgeCondition = evaluateGraphCondition(edge.condition, workflowInput, dependencyResults);
+    if (!edgeCondition.passed) {
+      return `edge '${edge.from}' -> '${edge.to}' condition '${edge.condition}' was false`;
+    }
+  }
+  return void 0;
+}
+function evaluateGraphCondition(condition, workflowInput, dependencyResults) {
+  if (!condition || condition === "always") return { passed: true };
+  if (condition === "never") return { passed: false, reason: "condition 'never' was false" };
+  if (condition.startsWith("!input.")) {
+    const path65 = condition.slice("!input.".length);
+    return {
+      passed: !readPath(workflowInput, path65),
+      reason: `condition '${condition}' was false`
+    };
+  }
+  if (condition.startsWith("input.")) {
+    const path65 = condition.slice("input.".length);
+    return {
+      passed: Boolean(readPath(workflowInput, path65)),
+      reason: `condition '${condition}' was false`
+    };
+  }
+  if (condition.startsWith("dependency.") && condition.endsWith(".success")) {
+    const id = condition.slice("dependency.".length, -".success".length);
+    return {
+      passed: dependencyResults.get(id)?.success === true,
+      reason: `condition '${condition}' was false`
+    };
+  }
+  if (condition.startsWith("dependency.") && condition.endsWith(".failed")) {
+    const id = condition.slice("dependency.".length, -".failed".length);
+    return {
+      passed: dependencyResults.get(id)?.success === false,
+      reason: `condition '${condition}' was false`
+    };
+  }
+  return {
+    passed: false,
+    reason: `Unsupported graph condition '${condition}'.`
+  };
+}
+function readPath(input, path65) {
+  return path65.split(".").reduce((current, segment) => {
+    if (current && typeof current === "object" && segment in current) {
+      return current[segment];
+    }
+    return void 0;
+  }, input);
+}
 function cloneUnknown(value) {
   if (value === void 0 || value === null) return value;
   try {
@@ -43783,14 +43945,524 @@ function cloneArtifact(artifact) {
   };
 }
 
+// src/runtime/context.ts
+function createRuntimeRequestContext(input = {}) {
+  return {
+    surface: input.surface ?? "api",
+    tenant: input.tenant ? { ...input.tenant, metadata: { ...input.tenant.metadata } } : void 0,
+    user: input.user ? {
+      ...input.user,
+      roles: [...input.user.roles ?? []],
+      groups: [...input.user.groups ?? []],
+      metadata: { ...input.user.metadata }
+    } : void 0,
+    channel: input.channel,
+    correlationId: input.correlationId,
+    policy: input.policy ? cloneRuntimePolicy(input.policy) : void 0,
+    metadata: { ...input.metadata }
+  };
+}
+function mergeRuntimePolicy(base, override) {
+  if (!base && !override) return void 0;
+  return {
+    ...base,
+    ...override,
+    allowedTools: override?.allowedTools ? [...override.allowedTools] : base?.allowedTools ? [...base.allowedTools] : void 0,
+    requireHumanApprovalFor: override?.requireHumanApprovalFor ? [...override.requireHumanApprovalFor] : base?.requireHumanApprovalFor ? [...base.requireHumanApprovalFor] : void 0,
+    dataBoundary: { ...base?.dataBoundary, ...override?.dataBoundary },
+    costBudget: { ...base?.costBudget, ...override?.costBudget },
+    retention: { ...base?.retention, ...override?.retention },
+    rateLimit: { ...base?.rateLimit, ...override?.rateLimit }
+  };
+}
+function runtimeContextToMetadata(context) {
+  if (!context) return {};
+  return {
+    surface: context.surface,
+    channel: context.channel,
+    correlationId: context.correlationId,
+    tenantId: context.tenant?.id,
+    tenantName: context.tenant?.name,
+    userId: context.user?.id,
+    userRoles: context.user?.roles,
+    dataClassification: context.policy?.dataBoundary?.classification
+  };
+}
+function evaluateRuntimeToolPolicy(policy, input) {
+  if (policy?.allowedTools && !policy.allowedTools.includes(input.toolName)) {
+    return {
+      allowed: false,
+      reason: `Runtime policy does not allow tool: ${input.toolName}`,
+      risk: input.risk
+    };
+  }
+  if (policy?.maxToolRisk && riskRank(input.risk) > riskRank(policy.maxToolRisk)) {
+    return {
+      allowed: false,
+      reason: `Runtime policy allows tools up to ${policy.maxToolRisk} risk; ${input.toolName} is ${input.risk}.`,
+      risk: input.risk
+    };
+  }
+  if (policy?.requireHumanApprovalFor?.includes(input.risk) && input.confirmed !== true) {
+    return {
+      allowed: false,
+      requiresConfirmation: true,
+      reason: `Runtime policy requires human approval for ${input.risk} tools.`,
+      risk: input.risk
+    };
+  }
+  return { allowed: true, risk: input.risk };
+}
+function evaluateRuntimeRiskPolicy(policy, input) {
+  if (policy?.maxToolRisk && riskRank(input.risk) > riskRank(policy.maxToolRisk)) {
+    return {
+      allowed: false,
+      reason: `Runtime policy allows work up to ${policy.maxToolRisk} risk; ${input.subject} is ${input.risk}.`,
+      risk: input.risk
+    };
+  }
+  if (policy?.requireHumanApprovalFor?.includes(input.risk) && input.confirmed !== true) {
+    return {
+      allowed: false,
+      requiresConfirmation: true,
+      reason: `Runtime policy requires human approval for ${input.risk} work.`,
+      risk: input.risk
+    };
+  }
+  return { allowed: true, risk: input.risk };
+}
+function assertRuntimeUsageWithinPolicy(policy, usage) {
+  const budget = policy?.costBudget;
+  if (!budget) return;
+  if (budget.maxInputTokens !== void 0 && (usage.inputTokens ?? 0) > budget.maxInputTokens) {
+    throw new Error(
+      `Runtime policy input token budget exceeded: ${usage.inputTokens ?? 0}/${budget.maxInputTokens}`
+    );
+  }
+  if (budget.maxOutputTokens !== void 0 && (usage.outputTokens ?? 0) > budget.maxOutputTokens) {
+    throw new Error(
+      `Runtime policy output token budget exceeded: ${usage.outputTokens ?? 0}/${budget.maxOutputTokens}`
+    );
+  }
+}
+function cloneRuntimePolicy(policy) {
+  return mergeRuntimePolicy(void 0, policy) ?? {};
+}
+function riskRank(risk) {
+  switch (risk) {
+    case "read-only":
+      return 0;
+    case "network":
+      return 1;
+    case "write":
+      return 2;
+    case "destructive":
+      return 3;
+    case "secrets-sensitive":
+      return 4;
+  }
+}
+var InMemoryEventLog = class {
+  events = [];
+  record(type, data = {}) {
+    const event = {
+      id: randomUUID(),
+      type,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      data
+    };
+    this.events.push(event);
+    return event;
+  }
+  list() {
+    return [...this.events];
+  }
+  count() {
+    return this.events.length;
+  }
+  clear() {
+    this.events = [];
+  }
+};
+var FileEventLog = class {
+  constructor(filePath) {
+    this.filePath = filePath;
+    try {
+      mkdirSync(dirname(filePath), { recursive: true });
+    } catch {
+      this.writable = false;
+    }
+  }
+  filePath;
+  memory = new InMemoryEventLog();
+  writable = true;
+  record(type, data = {}) {
+    const event = this.memory.record(type, data);
+    if (this.writable) {
+      try {
+        appendFileSync(this.filePath, JSON.stringify(event) + "\n", "utf-8");
+      } catch {
+        this.writable = false;
+      }
+    }
+    return event;
+  }
+  list() {
+    if (!this.writable) return this.memory.list();
+    try {
+      const raw = readFileSync(this.filePath, "utf-8");
+      return raw.split("\n").filter(Boolean).flatMap((line) => {
+        try {
+          return [JSON.parse(line)];
+        } catch {
+          return [];
+        }
+      });
+    } catch {
+      return this.memory.list();
+    }
+  }
+  count() {
+    return this.list().length;
+  }
+  clear() {
+    this.memory.clear();
+    if (this.writable) {
+      try {
+        writeFileSync(this.filePath, "", "utf-8");
+      } catch {
+        this.writable = false;
+      }
+    }
+  }
+};
+function createEventLog() {
+  return new InMemoryEventLog();
+}
+function createFileEventLog(filePath) {
+  return new FileEventLog(filePath);
+}
+
+// src/runtime/agent-modes.ts
+var AGENT_MODES = {
+  ask: {
+    id: "ask",
+    label: "Ask",
+    description: "Answer questions and explain code without modifying files.",
+    readOnly: true,
+    preferredTools: ["read_file", "grep", "glob", "codebase_map", "lsp_definition"],
+    requiresVerification: false
+  },
+  plan: {
+    id: "plan",
+    label: "Plan",
+    description: "Explore and produce an implementation plan with read-only tools.",
+    readOnly: true,
+    preferredTools: ["read_file", "grep", "glob", "codebase_map", "lsp_workspace_symbols"],
+    requiresVerification: false
+  },
+  build: {
+    id: "build",
+    label: "Build",
+    description: "Implement code changes and verify them.",
+    readOnly: false,
+    preferredTools: ["read_file", "edit_file", "write_file", "bash_exec", "run_tests"],
+    requiresVerification: true
+  },
+  debug: {
+    id: "debug",
+    label: "Debug",
+    description: "Reproduce failures, trace root cause, patch, and verify.",
+    readOnly: false,
+    preferredTools: ["bash_exec", "read_file", "grep", "lsp_references", "edit_file"],
+    requiresVerification: true
+  },
+  review: {
+    id: "review",
+    label: "Review",
+    description: "Inspect code quality, security, behavior changes, and test gaps.",
+    readOnly: true,
+    preferredTools: ["git_diff", "read_file", "grep", "review_code", "calculate_quality"],
+    requiresVerification: false
+  },
+  architect: {
+    id: "architect",
+    label: "Architect",
+    description: "Design architecture and split work for architect/editor execution.",
+    readOnly: true,
+    preferredTools: ["codebase_map", "lsp_workspace_symbols", "grep", "create_agent_plan"],
+    requiresVerification: false
+  }
+};
+function getAgentMode(mode) {
+  return AGENT_MODES[mode];
+}
+function listAgentModes() {
+  return Object.values(AGENT_MODES);
+}
+function isAgentMode(value) {
+  return value in AGENT_MODES;
+}
+
+// src/runtime/permission-policy.ts
+var READ_ONLY_CATEGORIES = /* @__PURE__ */ new Set(["search", "web", "document"]);
+var WRITE_CATEGORIES = /* @__PURE__ */ new Set(["file", "git", "test", "build", "memory"]);
+var READ_ONLY_TOOL_NAMES = /* @__PURE__ */ new Set([
+  "glob",
+  "read_file",
+  "list_dir",
+  "tree",
+  "grep",
+  "find_in_file",
+  "semantic_search",
+  "codebase_map",
+  "repo_context",
+  "lsp_status",
+  "lsp_document_symbols",
+  "lsp_workspace_symbols",
+  "lsp_definition",
+  "lsp_references",
+  "git_status",
+  "git_log",
+  "git_diff",
+  "git_show",
+  "git_branch",
+  "recall_memory",
+  "list_memories",
+  "list_checkpoints",
+  "checkAgentCapability"
+]);
+var WRITE_CAPABLE_TOOL_NAMES = /* @__PURE__ */ new Set(["run_linter"]);
+var DESTRUCTIVE_TOOL_NAMES = /* @__PURE__ */ new Set([
+  "bash_exec",
+  "write_file",
+  "edit_file",
+  "delete_file",
+  "restore_checkpoint",
+  "git_commit",
+  "git_push",
+  "request_human_escalation"
+]);
+function riskForTool(tool) {
+  if (READ_ONLY_TOOL_NAMES.has(tool.name)) return "read-only";
+  if (DESTRUCTIVE_TOOL_NAMES.has(tool.name)) return "destructive";
+  if (WRITE_CAPABLE_TOOL_NAMES.has(tool.name)) return "write";
+  if (tool.category === "web") return "network";
+  if (WRITE_CATEGORIES.has(tool.category)) return "write";
+  if (tool.category === "quality") return "write";
+  return "read-only";
+}
+var DefaultPermissionPolicy = class {
+  canExecuteTool(mode, tool) {
+    const definition = getAgentMode(mode);
+    const risk = riskForTool(tool);
+    const readOnlyTool = READ_ONLY_TOOL_NAMES.has(tool.name) || READ_ONLY_CATEGORIES.has(tool.category);
+    if (definition.readOnly && !readOnlyTool) {
+      return {
+        allowed: false,
+        reason: `${definition.label} mode is read-only; ${tool.name} is a ${tool.category} tool.`,
+        risk
+      };
+    }
+    if (risk === "destructive") {
+      return {
+        allowed: true,
+        requiresConfirmation: true,
+        reason: `${tool.name} can change repository state and should be confirmed.`,
+        risk
+      };
+    }
+    return { allowed: true, risk };
+  }
+  canExecuteToolInput(mode, tool, input) {
+    if (tool.name === "spawnSimpleAgent") {
+      const risk = riskForSpawnedAgent(input);
+      const definition2 = getAgentMode(mode);
+      if (definition2.readOnly && risk !== "read-only" && risk !== "network") {
+        return {
+          allowed: false,
+          reason: `${definition2.label} mode is read-only; spawnSimpleAgent with this role can perform ${risk} work.`,
+          risk
+        };
+      }
+      return {
+        allowed: true,
+        requiresConfirmation: risk === "destructive" || risk === "secrets-sensitive",
+        risk
+      };
+    }
+    if (tool.name !== "run_linter") {
+      return this.canExecuteTool(mode, tool);
+    }
+    const definition = getAgentMode(mode);
+    const fixEnabled = input["fix"] === true;
+    const decision = fixEnabled ? { allowed: true, risk: "write" } : { allowed: true, risk: "read-only" };
+    if (definition.readOnly && fixEnabled) {
+      return {
+        allowed: false,
+        reason: `${definition.label} mode is read-only; run_linter with fix=true can modify files.`,
+        risk: "write"
+      };
+    }
+    return decision;
+  }
+};
+function createPermissionPolicy() {
+  return new DefaultPermissionPolicy();
+}
+function riskForSpawnedAgent(input) {
+  const type = typeof input["type"] === "string" ? input["type"] : void 0;
+  const role = typeof input["role"] === "string" ? input["role"] : void 0;
+  const resolved = type ?? role;
+  switch (resolved) {
+    case "explore":
+    case "plan":
+    case "review":
+    case "architect":
+    case "security":
+    case "docs":
+    case "researcher":
+    case "reviewer":
+    case "planner":
+      return "read-only";
+    case "database":
+      return "secrets-sensitive";
+    case "test":
+    case "tdd":
+    case "e2e":
+    case "tester":
+      return "destructive";
+    case "debug":
+    case "refactor":
+    case "coder":
+    case "optimizer":
+      return "write";
+    default:
+      return "read-only";
+  }
+}
+
+// src/runtime/runtime-tool-executor.ts
+var RuntimeToolExecutor = class {
+  toolRegistry;
+  eventLog;
+  permissionPolicy;
+  defaultMode;
+  runtimePolicy;
+  constructor(options) {
+    this.toolRegistry = options.toolRegistry;
+    this.eventLog = options.eventLog ?? createEventLog();
+    this.permissionPolicy = options.permissionPolicy ?? createPermissionPolicy();
+    this.defaultMode = options.mode ?? "ask";
+    this.runtimePolicy = options.runtimePolicy;
+  }
+  async execute(input) {
+    const startedAt = performance.now();
+    const mode = input.mode ?? this.defaultMode;
+    const allowedTools = input.allowedTools ? new Set(input.allowedTools) : void 0;
+    if (allowedTools && !allowedTools.has(input.toolName)) {
+      const decision2 = {
+        allowed: false,
+        reason: `Tool '${input.toolName}' is not available to this agent.`,
+        risk: "read-only"
+      };
+      return this.block(input, mode, decision2, startedAt);
+    }
+    const tool = this.toolRegistry.get(input.toolName);
+    if (!tool) {
+      const decision2 = {
+        allowed: false,
+        reason: "Tool not registered.",
+        risk: "read-only"
+      };
+      return this.block(input, mode, decision2, startedAt);
+    }
+    const decision = this.permissionPolicy.canExecuteToolInput ? this.permissionPolicy.canExecuteToolInput(mode, tool, input.input) : this.permissionPolicy.canExecuteTool(mode, tool);
+    const runtimeDecision = decision.allowed ? evaluateRuntimeToolPolicy(this.runtimePolicy, {
+      toolName: input.toolName,
+      risk: decision.risk,
+      confirmed: input.confirmed
+    }) : void 0;
+    if (!decision.allowed || runtimeDecision?.allowed === false || decision.requiresConfirmation && input.confirmed !== true) {
+      const reason = runtimeDecision?.reason ?? decision.reason ?? (decision.requiresConfirmation ? "Tool requires explicit runtime confirmation." : "Tool is not allowed.");
+      return this.block(
+        input,
+        mode,
+        {
+          ...decision,
+          allowed: false,
+          reason,
+          requiresConfirmation: runtimeDecision?.requiresConfirmation ?? decision.requiresConfirmation,
+          risk: runtimeDecision?.risk ?? decision.risk
+        },
+        startedAt,
+        { runtimePolicyBlocked: runtimeDecision ? !runtimeDecision.allowed : false }
+      );
+    }
+    this.eventLog.record("agent.tool.called", {
+      mode,
+      tool: input.toolName,
+      risk: decision.risk,
+      metadata: input.metadata
+    });
+    this.eventLog.record("tool.started", {
+      mode,
+      tool: input.toolName,
+      risk: decision.risk,
+      runtimeApi: true,
+      metadataKeys: Object.keys(input.metadata ?? {}).sort()
+    });
+    const result = await this.toolRegistry.execute(input.toolName, input.input);
+    this.eventLog.record("tool.completed", {
+      mode,
+      tool: input.toolName,
+      success: result.success,
+      duration: result.duration,
+      runtimeApi: true
+    });
+    return {
+      toolName: input.toolName,
+      success: result.success,
+      output: result.data,
+      error: result.error,
+      duration: result.duration,
+      decision
+    };
+  }
+  block(input, mode, decision, startedAt, extraData = {}) {
+    this.eventLog.record("tool.blocked", {
+      mode,
+      tool: input.toolName,
+      reason: decision.reason,
+      risk: decision.risk,
+      requiresConfirmation: decision.requiresConfirmation,
+      runtimeApi: true,
+      metadata: input.metadata,
+      ...extraData
+    });
+    return {
+      toolName: input.toolName,
+      success: false,
+      error: decision.reason ?? "Tool is not allowed.",
+      duration: performance.now() - startedAt,
+      decision
+    };
+  }
+};
+function createRuntimeToolExecutor(options) {
+  return new RuntimeToolExecutor(options);
+}
+
 // src/agents/executor.ts
 var AgentExecutor = class {
-  constructor(provider, toolRegistry) {
+  constructor(provider, toolRegistry, runtimeToolExecutor) {
     this.provider = provider;
     this.toolRegistry = toolRegistry;
+    this.runtimeToolExecutor = runtimeToolExecutor ?? createRuntimeToolExecutor({ toolRegistry, mode: "ask" });
   }
   provider;
   toolRegistry;
+  runtimeToolExecutor;
   /**
    * Execute an agent on a task with multi-turn tool use
    */
@@ -43858,11 +44530,21 @@ var AgentExecutor = class {
         for (const toolCall of response.toolCalls) {
           toolsUsed.add(toolCall.name);
           try {
-            const result = await this.toolRegistry.execute(toolCall.name, toolCall.input);
+            const result = await this.runtimeToolExecutor.execute({
+              toolName: toolCall.name,
+              input: toolCall.input,
+              allowedTools: agent.allowedTools.length > 0 ? agent.allowedTools : void 0,
+              mode: runtimeModeForAgent(agent.role),
+              metadata: {
+                agentRole: agent.role,
+                taskId: task.id,
+                toolCallId: toolCall.id
+              }
+            });
             toolResults.push({
               type: "tool_result",
               tool_use_id: toolCall.id,
-              content: result.success ? JSON.stringify(result.data) : `Error: ${result.error}`,
+              content: result.success ? JSON.stringify(result.output) : `Error: ${result.error}`,
               is_error: !result.success
             });
           } catch (error) {
@@ -44073,6 +44755,22 @@ Use tools to analyze requirements and explore the codebase.`,
     allowedTools: ["read_file", "grep", "glob", "codebase_map"]
   }
 };
+function runtimeModeForAgent(role) {
+  switch (role) {
+    case "researcher":
+    case "planner":
+      return "plan";
+    case "architect":
+      return "architect";
+    case "reviewer":
+      return "review";
+    case "tester":
+    case "editor":
+    case "coder":
+    case "optimizer":
+      return "build";
+  }
+}
 var DEFAULTS = {
   maxConcurrency: os4__default.cpus().length,
   minConcurrency: 1,
@@ -46392,16 +47090,18 @@ var AgentManager = class extends EventEmitter {
   abortControllers = /* @__PURE__ */ new Map();
   provider;
   toolRegistry;
+  runtimeToolExecutor;
   logger = getLogger();
   /**
    * Create a new AgentManager
    * @param provider - LLM provider for agent execution
    * @param toolRegistry - Tool registry for agent tool access
    */
-  constructor(provider, toolRegistry) {
+  constructor(provider, toolRegistry, runtimeToolExecutor) {
     super();
     this.provider = provider;
     this.toolRegistry = toolRegistry;
+    this.runtimeToolExecutor = runtimeToolExecutor ?? createRuntimeToolExecutor({ toolRegistry, mode: "ask" });
   }
   /**
    * Spawn a new subagent for a specific task
@@ -46716,11 +47416,20 @@ var AgentManager = class extends EventEmitter {
         continue;
       }
       try {
-        const result = await this.toolRegistry.execute(toolCall.name, toolCall.input);
+        const result = await this.runtimeToolExecutor.execute({
+          toolName: toolCall.name,
+          input: toolCall.input,
+          allowedTools: config.tools,
+          mode: runtimeModeForAgentType(config.type),
+          metadata: {
+            agentType: config.type,
+            toolCallId: toolCall.id
+          }
+        });
         results.push({
           type: "tool_result",
           tool_use_id: toolCall.id,
-          content: result.success ? String(result.data ?? "Success") : `Error: ${result.error}`,
+          content: result.success ? String(result.output ?? "Success") : `Error: ${result.error}`,
           is_error: !result.success
         });
       } catch (error) {
@@ -46785,6 +47494,27 @@ var AgentManager = class extends EventEmitter {
 function agentTypeToRuntimeRole(type) {
   return mapLegacyAgentRole(type);
 }
+function runtimeModeForAgentType(type) {
+  switch (type) {
+    case "explore":
+    case "plan":
+    case "docs":
+      return "plan";
+    case "review":
+    case "security":
+      return "review";
+    case "architect":
+      return "architect";
+    case "debug":
+      return "debug";
+    case "test":
+    case "tdd":
+    case "e2e":
+    case "refactor":
+    case "database":
+      return "build";
+  }
+}
 
 // src/agents/provider-bridge.ts
 var agentProvider = null;
@@ -50656,7 +51386,7 @@ async function validateCode(code, filePath, _language) {
   const errors = [];
   const warnings = [];
   try {
-    const ast = parse$1(code, {
+    const ast = parse(code, {
       loc: true,
       range: true,
       comment: true,
@@ -50783,7 +51513,7 @@ async function analyzeFile(filePath, includeAst = false) {
   const exports$1 = [];
   let ast;
   try {
-    ast = parse$1(content, {
+    ast = parse(content, {
       loc: true,
       range: true,
       comment: true,
@@ -53261,69 +53991,6 @@ var repoMapCommand = {
     return false;
   }
 };
-
-// src/runtime/agent-modes.ts
-var AGENT_MODES = {
-  ask: {
-    id: "ask",
-    label: "Ask",
-    description: "Answer questions and explain code without modifying files.",
-    readOnly: true,
-    preferredTools: ["read_file", "grep", "glob", "codebase_map", "lsp_definition"],
-    requiresVerification: false
-  },
-  plan: {
-    id: "plan",
-    label: "Plan",
-    description: "Explore and produce an implementation plan with read-only tools.",
-    readOnly: true,
-    preferredTools: ["read_file", "grep", "glob", "codebase_map", "lsp_workspace_symbols"],
-    requiresVerification: false
-  },
-  build: {
-    id: "build",
-    label: "Build",
-    description: "Implement code changes and verify them.",
-    readOnly: false,
-    preferredTools: ["read_file", "edit_file", "write_file", "bash_exec", "run_tests"],
-    requiresVerification: true
-  },
-  debug: {
-    id: "debug",
-    label: "Debug",
-    description: "Reproduce failures, trace root cause, patch, and verify.",
-    readOnly: false,
-    preferredTools: ["bash_exec", "read_file", "grep", "lsp_references", "edit_file"],
-    requiresVerification: true
-  },
-  review: {
-    id: "review",
-    label: "Review",
-    description: "Inspect code quality, security, behavior changes, and test gaps.",
-    readOnly: true,
-    preferredTools: ["git_diff", "read_file", "grep", "review_code", "calculate_quality"],
-    requiresVerification: false
-  },
-  architect: {
-    id: "architect",
-    label: "Architect",
-    description: "Design architecture and split work for architect/editor execution.",
-    readOnly: true,
-    preferredTools: ["codebase_map", "lsp_workspace_symbols", "grep", "create_agent_plan"],
-    requiresVerification: false
-  }
-};
-function getAgentMode(mode) {
-  return AGENT_MODES[mode];
-}
-function listAgentModes() {
-  return Object.values(AGENT_MODES);
-}
-function isAgentMode(value) {
-  return value in AGENT_MODES;
-}
-
-// src/cli/repl/commands/mode.ts
 function currentMode(session) {
   return session.agentMode ?? (session.planMode ? "plan" : "build");
 }
@@ -58030,6 +58697,7 @@ init_providers();
 
 // src/runtime/agent-runtime.ts
 init_env();
+init_registry4();
 
 // src/runtime/default-turn-runner.ts
 var DefaultRuntimeTurnRunner = class {
@@ -58063,224 +58731,6 @@ var DefaultRuntimeTurnRunner = class {
 function createDefaultRuntimeTurnRunner() {
   return new DefaultRuntimeTurnRunner();
 }
-var InMemoryEventLog = class {
-  events = [];
-  record(type, data = {}) {
-    const event = {
-      id: randomUUID(),
-      type,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      data
-    };
-    this.events.push(event);
-    return event;
-  }
-  list() {
-    return [...this.events];
-  }
-  count() {
-    return this.events.length;
-  }
-  clear() {
-    this.events = [];
-  }
-};
-var FileEventLog = class {
-  constructor(filePath) {
-    this.filePath = filePath;
-    try {
-      mkdirSync(dirname(filePath), { recursive: true });
-    } catch {
-      this.writable = false;
-    }
-  }
-  filePath;
-  memory = new InMemoryEventLog();
-  writable = true;
-  record(type, data = {}) {
-    const event = this.memory.record(type, data);
-    if (this.writable) {
-      try {
-        appendFileSync(this.filePath, JSON.stringify(event) + "\n", "utf-8");
-      } catch {
-        this.writable = false;
-      }
-    }
-    return event;
-  }
-  list() {
-    if (!this.writable) return this.memory.list();
-    try {
-      const raw = readFileSync(this.filePath, "utf-8");
-      return raw.split("\n").filter(Boolean).flatMap((line) => {
-        try {
-          return [JSON.parse(line)];
-        } catch {
-          return [];
-        }
-      });
-    } catch {
-      return this.memory.list();
-    }
-  }
-  count() {
-    return this.list().length;
-  }
-  clear() {
-    this.memory.clear();
-    if (this.writable) {
-      try {
-        writeFileSync(this.filePath, "", "utf-8");
-      } catch {
-        this.writable = false;
-      }
-    }
-  }
-};
-function createEventLog() {
-  return new InMemoryEventLog();
-}
-function createFileEventLog(filePath) {
-  return new FileEventLog(filePath);
-}
-
-// src/runtime/permission-policy.ts
-var READ_ONLY_CATEGORIES = /* @__PURE__ */ new Set(["search", "web", "document"]);
-var WRITE_CATEGORIES = /* @__PURE__ */ new Set(["file", "git", "test", "build", "memory"]);
-var READ_ONLY_TOOL_NAMES = /* @__PURE__ */ new Set([
-  "glob",
-  "read_file",
-  "list_dir",
-  "tree",
-  "grep",
-  "find_in_file",
-  "semantic_search",
-  "codebase_map",
-  "repo_context",
-  "lsp_status",
-  "lsp_document_symbols",
-  "lsp_workspace_symbols",
-  "lsp_definition",
-  "lsp_references",
-  "git_status",
-  "git_log",
-  "git_diff",
-  "git_show",
-  "git_branch",
-  "recall_memory",
-  "list_memories",
-  "list_checkpoints",
-  "checkAgentCapability"
-]);
-var WRITE_CAPABLE_TOOL_NAMES = /* @__PURE__ */ new Set(["run_linter"]);
-var DESTRUCTIVE_TOOL_NAMES = /* @__PURE__ */ new Set([
-  "bash_exec",
-  "write_file",
-  "edit_file",
-  "delete_file",
-  "restore_checkpoint",
-  "git_commit",
-  "git_push",
-  "request_human_escalation"
-]);
-function riskForTool(tool) {
-  if (READ_ONLY_TOOL_NAMES.has(tool.name)) return "read-only";
-  if (DESTRUCTIVE_TOOL_NAMES.has(tool.name)) return "destructive";
-  if (WRITE_CAPABLE_TOOL_NAMES.has(tool.name)) return "write";
-  if (tool.category === "web") return "network";
-  if (WRITE_CATEGORIES.has(tool.category)) return "write";
-  if (tool.category === "quality") return "write";
-  return "read-only";
-}
-var DefaultPermissionPolicy = class {
-  canExecuteTool(mode, tool) {
-    const definition = getAgentMode(mode);
-    const risk = riskForTool(tool);
-    const readOnlyTool = READ_ONLY_TOOL_NAMES.has(tool.name) || READ_ONLY_CATEGORIES.has(tool.category);
-    if (definition.readOnly && !readOnlyTool) {
-      return {
-        allowed: false,
-        reason: `${definition.label} mode is read-only; ${tool.name} is a ${tool.category} tool.`,
-        risk
-      };
-    }
-    if (risk === "destructive") {
-      return {
-        allowed: true,
-        requiresConfirmation: true,
-        reason: `${tool.name} can change repository state and should be confirmed.`,
-        risk
-      };
-    }
-    return { allowed: true, risk };
-  }
-  canExecuteToolInput(mode, tool, input) {
-    if (tool.name === "spawnSimpleAgent") {
-      const risk = riskForSpawnedAgent(input);
-      const definition2 = getAgentMode(mode);
-      if (definition2.readOnly && risk !== "read-only" && risk !== "network") {
-        return {
-          allowed: false,
-          reason: `${definition2.label} mode is read-only; spawnSimpleAgent with this role can perform ${risk} work.`,
-          risk
-        };
-      }
-      return {
-        allowed: true,
-        requiresConfirmation: risk === "destructive" || risk === "secrets-sensitive",
-        risk
-      };
-    }
-    if (tool.name !== "run_linter") {
-      return this.canExecuteTool(mode, tool);
-    }
-    const definition = getAgentMode(mode);
-    const fixEnabled = input["fix"] === true;
-    const decision = fixEnabled ? { allowed: true, risk: "write" } : { allowed: true, risk: "read-only" };
-    if (definition.readOnly && fixEnabled) {
-      return {
-        allowed: false,
-        reason: `${definition.label} mode is read-only; run_linter with fix=true can modify files.`,
-        risk: "write"
-      };
-    }
-    return decision;
-  }
-};
-function createPermissionPolicy() {
-  return new DefaultPermissionPolicy();
-}
-function riskForSpawnedAgent(input) {
-  const type = typeof input["type"] === "string" ? input["type"] : void 0;
-  const role = typeof input["role"] === "string" ? input["role"] : void 0;
-  const resolved = type ?? role;
-  switch (resolved) {
-    case "explore":
-    case "plan":
-    case "review":
-    case "architect":
-    case "security":
-    case "docs":
-    case "researcher":
-    case "reviewer":
-    case "planner":
-      return "read-only";
-    case "database":
-      return "secrets-sensitive";
-    case "test":
-    case "tdd":
-    case "e2e":
-    case "tester":
-      return "destructive";
-    case "debug":
-    case "refactor":
-    case "coder":
-    case "optimizer":
-      return "write";
-    default:
-      return "read-only";
-  }
-}
 
 // src/runtime/provider-registry.ts
 init_providers();
@@ -58447,6 +58897,109 @@ var WorkflowCatalog = class {
   }
 };
 var DEFAULT_WORKFLOWS = [
+  {
+    id: "enterprise-rag-answer",
+    name: "Enterprise RAG Answer",
+    description: "Retrieve tenant-scoped knowledge, draft a cited answer, and review for policy compliance.",
+    inputSchema: "question: string; tenantId: string; userId?: string",
+    outputKind: "json",
+    replayable: true,
+    checks: ["retrieval citations", "policy review", "answer quality"],
+    steps: [],
+    parallelism: 2,
+    gates: [
+      {
+        id: "quality",
+        kind: "quality-score",
+        description: "Answer meets tenant quality and citation requirements.",
+        required: true
+      }
+    ],
+    nodes: [
+      {
+        id: "retrieve",
+        agentRole: "researcher",
+        description: "Retrieve tenant-scoped sources and produce citations.",
+        requiredTools: ["knowledge_search"],
+        risk: "read-only",
+        timeoutMs: 3e4
+      },
+      {
+        id: "draft-answer",
+        agentRole: "docs",
+        description: "Draft a concise answer grounded only in retrieved sources.",
+        dependsOn: ["retrieve"],
+        risk: "read-only",
+        timeoutMs: 3e4
+      },
+      {
+        id: "policy-review",
+        agentRole: "reviewer",
+        description: "Review citations, data boundary, and unsupported claims.",
+        dependsOn: ["draft-answer"],
+        gates: ["quality"],
+        risk: "read-only",
+        timeoutMs: 3e4
+      }
+    ]
+  },
+  {
+    id: "whatsapp-support-assistant",
+    name: "WhatsApp Support Assistant",
+    description: "Handle a WhatsApp customer message with retrieval, support draft, and optional escalation.",
+    inputSchema: "message: string; phoneNumber: string; tenantId: string",
+    outputKind: "json",
+    replayable: true,
+    checks: ["retrieval citations", "support policy", "human escalation when needed"],
+    steps: [],
+    parallelism: 2,
+    gates: [
+      {
+        id: "human-escalation",
+        kind: "human-approval",
+        description: "Human review is required before sensitive or external follow-up.",
+        required: false
+      }
+    ],
+    nodes: [
+      {
+        id: "classify-message",
+        agentRole: "planner",
+        description: "Classify intent, urgency, and required data boundary.",
+        risk: "read-only",
+        timeoutMs: 15e3
+      },
+      {
+        id: "retrieve-context",
+        agentRole: "researcher",
+        description: "Retrieve tenant support knowledge relevant to the customer message.",
+        dependsOn: ["classify-message"],
+        requiredTools: ["knowledge_search"],
+        risk: "read-only",
+        timeoutMs: 3e4
+      },
+      {
+        id: "draft-response",
+        agentRole: "docs",
+        description: "Draft a WhatsApp-safe response with concise citations for audit.",
+        dependsOn: ["retrieve-context"],
+        requiredTools: ["create_support_draft"],
+        risk: "read-only",
+        timeoutMs: 3e4
+      },
+      {
+        id: "escalate-if-needed",
+        agentRole: "integrator",
+        description: "Create a human escalation request when classification requires it.",
+        dependsOn: ["draft-response"],
+        requiredTools: ["request_human_escalation"],
+        gates: ["human-escalation"],
+        condition: "input.requiresEscalation",
+        risk: "network",
+        timeoutMs: 3e4
+      }
+    ]
+  },
   {
     id: "architect-editor-verifier",
     name: "Architect / Editor / Verifier",
@@ -58592,11 +59145,13 @@ var WorkflowEngine = class {
     this.eventLog = eventLog;
     this.sharedState = options.sharedState ?? new InMemorySharedWorkspaceStore();
     this.nodeExecutor = options.nodeExecutor;
+    this.runtimePolicy = options.runtimePolicy;
   }
   catalog;
   eventLog;
   handlers = /* @__PURE__ */ new Map();
   sharedState;
+  runtimePolicy;
   nodeExecutor;
   registerHandler(workflowId, handler) {
     if (!this.catalog.get(workflowId)) {
@@ -58627,6 +59182,8 @@ var WorkflowEngine = class {
       trace
     });
     try {
+      const graph = workflowToAgentGraph(workflow);
+      assertWorkflowAllowedByRuntimePolicy(graph, this.runtimePolicy);
       const graphResult = handler ? void 0 : await new AgentGraphEngine({
         eventLog: this.eventLog,
         sharedState: this.sharedState,
@@ -58634,7 +59191,7 @@ var WorkflowEngine = class {
         trace
       }).run({
         workflowRunId: runId,
-        graph: workflowToAgentGraph(workflow),
+        graph,
         input: request.input
       });
       const output = graphResult ?? await handler(request.input, {
@@ -58686,6 +59243,29 @@ var WorkflowEngine = class {
     }
   }
 };
+function assertWorkflowAllowedByRuntimePolicy(graph, policy) {
+  if (!policy) return;
+  for (const node of graph.nodes) {
+    const risk = node.risk ?? "read-only";
+    const riskDecision = evaluateRuntimeRiskPolicy(policy, {
+      subject: `workflow node ${node.id}`,
+      risk
+    });
+    if (!riskDecision.allowed) {
+      throw new Error(
+        `Workflow node ${node.id} is blocked by runtime policy: ${riskDecision.reason}`
+      );
+    }
+    for (const toolName of node.requiredTools ?? []) {
+      const decision = evaluateRuntimeToolPolicy(policy, { toolName, risk });
+      if (!decision.allowed) {
+        throw new Error(
+          `Workflow node ${node.id} is blocked by runtime policy: ${decision.reason}`
+        );
+      }
+    }
+  }
+}
 function createWorkflowEngine(catalog, eventLog, options) {
   return new WorkflowEngine(catalog, eventLog, options);
 }
@@ -58695,15 +59275,17 @@ var AgentRuntime = class {
   constructor(options) {
     this.options = options;
     this.providerRegistry = createProviderRegistry();
-    this.toolRegistry = options.toolRegistry ?? createFullToolRegistry();
+    this.toolRegistry = options.toolRegistry ?? new ToolRegistry();
     this.sessionStore = options.sessionStore;
     this.runtimeSessionStore = options.runtimeSessionStore ?? createRuntimeSessionStore();
     this.eventLog = options.eventLog ?? (options.eventLogPath ? createFileEventLog(options.eventLogPath) : createEventLog());
-    this.workflowEngine = options.workflowEngine ?? createWorkflowEngine(void 0, this.eventLog);
     this.permissionPolicy = options.permissionPolicy ?? createPermissionPolicy();
     this.turnRunner = options.turnRunner ?? createDefaultRuntimeTurnRunner();
     this.providerType = options.providerType;
     this.model = options.model ?? options.providerConfig?.model ?? getDefaultModel(options.providerType);
+    this.runtimeContext = options.runtimeContext ? createRuntimeRequestContext(options.runtimeContext) : void 0;
+    this.runtimePolicy = mergeRuntimePolicy(this.runtimeContext?.policy, options.runtimePolicy);
+    this.workflowEngine = options.workflowEngine ?? createWorkflowEngine(void 0, this.eventLog, { runtimePolicy: this.runtimePolicy });
   }
   options;
   providerRegistry;
@@ -58717,6 +59299,8 @@ var AgentRuntime = class {
   providerType;
   model;
   provider;
+  runtimeContext;
+  runtimePolicy;
   async initialize() {
     const providerInjected = Boolean(this.options.provider);
     const provider = this.options.provider ?? await this.providerRegistry.createProvider(this.providerType, {
@@ -58747,8 +59331,8 @@ var AgentRuntime = class {
   }
   publishToGlobalBridge(provider) {
     if (this.options.publishToGlobalBridge !== true) return;
-    setAgentProvider(provider);
-    setAgentToolRegistry(this.toolRegistry);
+    this.options.legacyAgentBridge?.setAgentProvider(provider);
+    this.options.legacyAgentBridge?.setAgentToolRegistry(this.toolRegistry);
   }
   snapshot() {
     const capability = this.providerRegistry.getCapability(this.providerType, this.getModel());
@@ -58763,14 +59347,25 @@ var AgentRuntime = class {
         count: toolNames.length,
         names: toolNames
       },
-      modes: listAgentModes()
+      modes: listAgentModes(),
+      context: this.runtimeContext,
+      policy: this.runtimePolicy
     };
   }
   createSession(options = {}) {
-    const session = this.runtimeSessionStore.create(options);
+    const session = this.runtimeSessionStore.create({
+      ...options,
+      metadata: {
+        ...runtimeContextToMetadata(this.runtimeContext),
+        ...options.metadata
+      }
+    });
     this.eventLog.record("session.created", {
       sessionId: session.id,
       mode: session.mode,
+      ...session.metadata["tenantId"] ? { tenantId: session.metadata["tenantId"] } : {},
+      ...session.metadata["surface"] ? { surface: session.metadata["surface"] } : {},
+      ...session.metadata["correlationId"] ? { correlationId: session.metadata["correlationId"] } : {},
       metadataKeys: Object.keys(session.metadata).sort()
     });
     return session;
@@ -58807,6 +59402,7 @@ var AgentRuntime = class {
         permissionPolicy: this.permissionPolicy,
         eventLog: this.eventLog
       });
+      assertRuntimeUsageWithinPolicy(this.runtimePolicy, result.usage);
       const updatedSession = this.runtimeSessionStore.update({
         ...effectiveSession,
         messages: [
@@ -58884,16 +59480,8 @@ var AgentRuntime = class {
           };
         }
       }
-      const updatedSession = this.runtimeSessionStore.update({
-        ...effectiveSession,
-        messages: [
-          ...effectiveSession.messages,
-          { role: "user", content: input.content },
-          { role: "assistant", content }
-        ]
-      });
       const result = {
-        sessionId: updatedSession.id,
+        sessionId: effectiveSession.id,
         content,
         usage: {
           inputTokens: provider.countTokens(input.content),
@@ -58901,8 +59489,19 @@ var AgentRuntime = class {
           estimated: true
         },
         model: input.options?.model ?? this.getModel(),
-        mode: updatedSession.mode
+        mode: effectiveSession.mode
       };
+      assertRuntimeUsageWithinPolicy(this.runtimePolicy, result.usage);
+      const updatedSession = this.runtimeSessionStore.update({
+        ...effectiveSession,
+        messages: [
+          ...effectiveSession.messages,
+          { role: "user", content: input.content },
+          { role: "assistant", content }
+        ]
+      });
+      result.sessionId = updatedSession.id;
+      result.mode = updatedSession.mode;
       this.eventLog.record("session.updated", {
         sessionId: updatedSession.id,
         messages: updatedSession.messages.length
@@ -58990,15 +59589,22 @@ var AgentRuntime = class {
       };
     }
     const decision = this.permissionPolicy.canExecuteToolInput ? this.permissionPolicy.canExecuteToolInput(mode, tool, input.input) : this.permissionPolicy.canExecuteTool(mode, tool);
-    if (!decision.allowed || decision.requiresConfirmation && input.confirmed !== true) {
-      const reason = decision.reason ?? (decision.requiresConfirmation ? "Tool requires explicit runtime confirmation." : "Tool is not allowed.");
+    const runtimeDecision = decision.allowed ? evaluateRuntimeToolPolicy(this.runtimePolicy, {
+      toolName: input.toolName,
+      risk: decision.risk,
+      confirmed: input.confirmed
+    }) : void 0;
+    const effectiveDecision = runtimeDecision ?? decision;
+    if (!decision.allowed || !effectiveDecision.allowed || decision.requiresConfirmation && input.confirmed !== true) {
+      const reason = effectiveDecision.reason ?? decision.reason ?? (decision.requiresConfirmation ? "Tool requires explicit runtime confirmation." : "Tool is not allowed.");
       this.eventLog.record("tool.blocked", {
         sessionId: input.sessionId,
         mode,
         tool: input.toolName,
         reason,
-        risk: decision.risk,
-        requiresConfirmation: decision.requiresConfirmation,
+        risk: effectiveDecision.risk,
+        requiresConfirmation: effectiveDecision.requiresConfirmation ?? decision.requiresConfirmation,
+        runtimePolicyBlocked: runtimeDecision ? !runtimeDecision.allowed : false,
         runtimeApi: true
       });
       return {
@@ -59006,14 +59612,20 @@ var AgentRuntime = class {
         success: false,
         error: reason,
         duration: performance.now() - startedAt,
-        decision
+        decision: {
+          ...decision,
+          allowed: false,
+          reason,
+          requiresConfirmation: effectiveDecision.requiresConfirmation ?? decision.requiresConfirmation,
+          risk: effectiveDecision.risk
+        }
       };
     }
     this.eventLog.record("tool.started", {
       sessionId: input.sessionId,
       mode,
       tool: input.toolName,
-      risk: decision.risk,
+      risk: effectiveDecision.risk,
       runtimeApi: true,
       metadataKeys: Object.keys(input.metadata ?? {}).sort()
     });
@@ -59032,7 +59644,11 @@ var AgentRuntime = class {
       output: result.data,
       error: result.error,
       duration: result.duration,
-      decision
+      decision: {
+        ...decision,
+        risk: effectiveDecision.risk,
+        requiresConfirmation: decision.requiresConfirmation
+      }
     };
   }
   assertToolAllowed(mode, toolName, input) {
@@ -59046,12 +59662,24 @@ var AgentRuntime = class {
       return false;
     }
     const decision = input && this.permissionPolicy.canExecuteToolInput ? this.permissionPolicy.canExecuteToolInput(mode, tool, input) : this.permissionPolicy.canExecuteTool(mode, tool);
-    this.eventLog.record(decision.allowed ? "tool.allowed" : "tool.blocked", {
+    const runtimeDecision = decision.allowed ? evaluateRuntimeToolPolicy(this.runtimePolicy, {
+      toolName,
+      risk: decision.risk,
+      confirmed: false
+    }) : void 0;
+    const allowed = decision.allowed && runtimeDecision?.allowed !== false;
+    this.eventLog.record(allowed ? "tool.allowed" : "tool.blocked", {
       mode,
       tool: toolName,
-      ...decision
+      ...decision,
+      ...runtimeDecision && !runtimeDecision.allowed ? {
+        allowed: false,
+        reason: runtimeDecision.reason,
+        requiresConfirmation: runtimeDecision.requiresConfirmation,
+        runtimePolicyBlocked: true
+      } : {}
     });
-    return decision.allowed;
+    return allowed;
   }
 };
 async function createAgentRuntime(options) {
@@ -59729,8 +60357,10 @@ async function startRepl(options = {}) {
     providerType: internalProviderId,
     model: session.config.provider.model || void 0,
     provider,
+    toolRegistry: createFullToolRegistry(),
     eventLogPath: path39__default.join(projectPath, ".coco", "events", `${session.id}.jsonl`),
-    publishToGlobalBridge: true
+    publishToGlobalBridge: true,
+    legacyAgentBridge: { setAgentProvider, setAgentToolRegistry }
   });
   session.runtime = runtime;
   const toolRegistry = runtime.toolRegistry;
@@ -61005,9 +61635,11 @@ ${stdinContent}
       providerType,
       model: session.config.provider.model || void 0,
       provider,
+      toolRegistry: createFullToolRegistry(),
       eventLogPath: path39__default.join(options.projectPath, ".coco", "events", `${session.id}.jsonl`),
       turnRunner: options.useRuntimeRunner ? createToolCallingRuntimeTurnRunner() : void 0,
-      publishToGlobalBridge: true
+      publishToGlobalBridge: true,
+      legacyAgentBridge: { setAgentProvider, setAgentToolRegistry }
     });
     session.runtime = runtime;
     const toolRegistry = runtime.toolRegistry;