@corbat-tech/coco 2.40.0 → 2.41.0

package/dist/runtime/index.js

@@ -1704,6 +1704,53 @@ var init_auth = __esm({
 
 // src/runtime/agent-runtime.ts
 init_env();
+
+// src/providers/pricing.ts
+init_catalog();
+var MODEL_PRICING = getCatalogModelPricingMap();
+var DEFAULT_PRICING = {
+  anthropic: { inputPerMillion: 3, outputPerMillion: 15, contextWindow: 2e5 },
+  openai: { inputPerMillion: 2.5, outputPerMillion: 10, contextWindow: 128e3 },
+  codex: { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 128e3 },
+  // ChatGPT Plus/Pro subscription
+  gemini: { inputPerMillion: 0.1, outputPerMillion: 0.4, contextWindow: 1e6 },
+  vertex: { inputPerMillion: 0.1, outputPerMillion: 0.4, contextWindow: 1048576 },
+  kimi: { inputPerMillion: 1.2, outputPerMillion: 1.2, contextWindow: 8192 },
+  "kimi-code": { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 131072 },
+  // Included in subscription
+  copilot: { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 2e5 },
+  // Included in subscription
+  lmstudio: { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 32768 },
+  // Free - local models
+  ollama: { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 128e3 },
+  // Free - local models
+  groq: { inputPerMillion: 0.05, outputPerMillion: 0.08, contextWindow: 128e3 },
+  // Free tier available
+  openrouter: { inputPerMillion: 2, outputPerMillion: 8, contextWindow: 2e5 },
+  // Varies by model
+  mistral: { inputPerMillion: 0.25, outputPerMillion: 0.75, contextWindow: 32768 },
+  deepseek: { inputPerMillion: 0.14, outputPerMillion: 0.28, contextWindow: 128e3 },
+  // Very cheap
+  together: { inputPerMillion: 0.2, outputPerMillion: 0.2, contextWindow: 32768 },
+  huggingface: { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 32768 },
+  // Free tier
+  qwen: { inputPerMillion: 0.3, outputPerMillion: 1.2, contextWindow: 131072 }
+  // qwen-coder-plus pricing
+};
+function estimateCost(model2, inputTokens, outputTokens, provider) {
+  const pricing = MODEL_PRICING[model2] ?? (provider ? DEFAULT_PRICING[provider] : DEFAULT_PRICING.anthropic);
+  const inputCost = inputTokens / 1e6 * pricing.inputPerMillion;
+  const outputCost = outputTokens / 1e6 * pricing.outputPerMillion;
+  return {
+    inputCost,
+    outputCost,
+    totalCost: inputCost + outputCost,
+    inputTokens,
+    outputTokens,
+    model: model2,
+    currency: "USD"
+  };
+}
 var DEFAULT_CONFIG = {
   name: "coco",
   level: "info",
@@ -2172,6 +2219,22 @@ function isAgentMode(value) {
 }
 
 // src/runtime/context.ts
+var RuntimePolicyViolation = class extends Error {
+  code;
+  subject;
+  tenantId;
+  policyPath;
+  severity;
+  constructor(input) {
+    super(input.message);
+    this.name = "RuntimePolicyViolation";
+    this.code = input.code;
+    this.subject = input.subject;
+    this.tenantId = input.tenantId;
+    this.policyPath = input.policyPath;
+    this.severity = input.severity ?? "blocked";
+  }
+};
 function createRuntimeRequestContext(input = {}) {
   return {
     surface: input.surface ?? "api",
@@ -2214,6 +2277,27 @@ function runtimeContextToMetadata(context) {
     dataClassification: context.policy?.dataBoundary?.classification
   };
 }
+function createRuntimeTenantBoundary(context, hostMode = "local") {
+  return {
+    hostMode,
+    surface: context?.surface ?? "api",
+    tenantId: context?.tenant?.id,
+    required: hostMode === "hosted" && context?.surface !== "cli"
+  };
+}
+function assertRuntimeTenantBoundary(context, hostMode = "local", subject = "runtime operation") {
+  const boundary = createRuntimeTenantBoundary(context, hostMode);
+  if (boundary.required && !boundary.tenantId) {
+    throw new RuntimePolicyViolation({
+      code: "tenant_required",
+      subject,
+      tenantId: boundary.tenantId,
+      policyPath: "runtimeContext.tenant.id",
+      message: `Runtime tenant is required for hosted ${boundary.surface} operations.`
+    });
+  }
+  return boundary;
+}
 function evaluateRuntimeToolPolicy(policy, input) {
   if (policy?.allowedTools && !policy.allowedTools.includes(input.toolName)) {
     return {
@@ -2257,23 +2341,65 @@ function evaluateRuntimeRiskPolicy(policy, input) {
   }
   return { allowed: true, risk: input.risk };
 }
+function assertRuntimeTurnWithinPolicy(policy, input) {
+  const maxTurns = policy?.costBudget?.maxTurns;
+  if (maxTurns !== void 0 && input.currentTurns >= maxTurns) {
+    throw new RuntimePolicyViolation({
+      code: "max_turns_exceeded",
+      subject: input.subject,
+      tenantId: input.tenantId,
+      policyPath: "runtimePolicy.costBudget.maxTurns",
+      message: `Runtime policy turn budget exceeded: ${input.currentTurns}/${maxTurns}`
+    });
+  }
+}
 function assertRuntimeUsageWithinPolicy(policy, usage) {
   const budget = policy?.costBudget;
+  const subject = usage.subject ?? "runtime usage";
   if (!budget) return;
   if (budget.maxInputTokens !== void 0 && (usage.inputTokens ?? 0) > budget.maxInputTokens) {
-    throw new Error(
-      `Runtime policy input token budget exceeded: ${usage.inputTokens ?? 0}/${budget.maxInputTokens}`
-    );
+    throw new RuntimePolicyViolation({
+      code: "input_tokens_exceeded",
+      subject,
+      tenantId: usage.tenantId,
+      policyPath: "runtimePolicy.costBudget.maxInputTokens",
+      message: `Runtime policy input token budget exceeded: ${usage.inputTokens ?? 0}/${budget.maxInputTokens}`
+    });
   }
   if (budget.maxOutputTokens !== void 0 && (usage.outputTokens ?? 0) > budget.maxOutputTokens) {
-    throw new Error(
-      `Runtime policy output token budget exceeded: ${usage.outputTokens ?? 0}/${budget.maxOutputTokens}`
-    );
+    throw new RuntimePolicyViolation({
+      code: "output_tokens_exceeded",
+      subject,
+      tenantId: usage.tenantId,
+      policyPath: "runtimePolicy.costBudget.maxOutputTokens",
+      message: `Runtime policy output token budget exceeded: ${usage.outputTokens ?? 0}/${budget.maxOutputTokens}`
+    });
+  }
+  if (budget.maxEstimatedCostUsd !== void 0 && (usage.estimatedCostUsd ?? 0) > budget.maxEstimatedCostUsd) {
+    throw new RuntimePolicyViolation({
+      code: "estimated_cost_exceeded",
+      subject,
+      tenantId: usage.tenantId,
+      policyPath: "runtimePolicy.costBudget.maxEstimatedCostUsd",
+      message: `Runtime policy estimated cost budget exceeded: ${usage.estimatedCostUsd ?? 0}/${budget.maxEstimatedCostUsd}`
+    });
   }
 }
+function createRetentionCutoffs(policy, now = /* @__PURE__ */ new Date()) {
+  const retention = policy?.retention;
+  return {
+    conversationBefore: cutoffIso(now, retention?.conversationDays),
+    eventBefore: cutoffIso(now, retention?.eventDays),
+    artifactBefore: cutoffIso(now, retention?.artifactDays)
+  };
+}
 function cloneRuntimePolicy(policy) {
   return mergeRuntimePolicy(void 0, policy) ?? {};
 }
+function cutoffIso(now, days) {
+  if (days === void 0) return void 0;
+  return new Date(now.getTime() - days * 24 * 60 * 60 * 1e3).toISOString();
+}
 function riskRank(risk) {
   switch (risk) {
     case "read-only":
@@ -6602,10 +6728,6 @@ var VertexProvider = class {
   }
 };
 
-// src/providers/pricing.ts
-init_catalog();
-getCatalogModelPricingMap();
-
 // src/providers/circuit-breaker.ts
 init_errors();
 var DEFAULT_CIRCUIT_BREAKER_CONFIG = {
@@ -7262,6 +7384,7 @@ var LEGACY_ROLE_MAPPINGS = [
   { legacy: "coder", role: "coder", reason: "legacy executor role" },
   { legacy: "test", role: "tester", reason: "test authoring/execution" },
   { legacy: "tester", role: "tester", reason: "legacy executor role" },
+  { legacy: "verifier", role: "tester", reason: "verification maps to tester capability" },
   { legacy: "tdd", role: "tester", reason: "test-first implementation" },
   { legacy: "e2e", role: "tester", reason: "end-to-end testing" },
   { legacy: "review", role: "reviewer", reason: "code review" },
@@ -7997,7 +8120,7 @@ var NULL_EVENT_LOG = {
 function graphNodeToTask(node, workflowInput) {
   return {
     id: node.id,
-    role: node.agentRole ?? "coder",
+    role: node.agentRole ?? mapLegacyAgentRole(node.id, "coder"),
     objective: node.description,
     context: {
       workflowInput,
@@ -8183,6 +8306,239 @@ function cloneArtifact(artifact) {
   };
 }
 
+// src/runtime/agent-runner.ts
+var AgentRunner = class {
+  constructor(options = {}) {
+    this.options = options;
+  }
+  options;
+  async run(input) {
+    const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+    const trace = input.trace ?? createAgentTraceContext({ taskId: input.task.id });
+    this.options.eventLog?.record("agent.started", {
+      taskId: input.task.id,
+      role: input.task.role,
+      trace
+    });
+    try {
+      const raw = await (this.options.executor ?? defaultExecutor)({
+        task: input.task,
+        capability: input.capability,
+        trace,
+        assertToolAllowed: (toolName) => {
+          const decision = evaluateAgentToolPolicy({
+            capability: input.capability,
+            toolName,
+            manifest: input.toolRiskManifest
+          });
+          this.options.eventLog?.record("agent.tool.called", {
+            taskId: input.task.id,
+            role: input.task.role,
+            toolName,
+            decision,
+            trace
+          });
+          if (!decision.allowed) {
+            throw new Error(decision.reason ?? `Tool '${toolName}' is not allowed.`);
+          }
+        }
+      });
+      const result = normalizeAgentRunResult({
+        id: `${input.task.id}-run-${Date.now().toString(36)}`,
+        taskId: input.task.id,
+        role: input.task.role,
+        success: raw.success ?? true,
+        output: raw.output,
+        turns: raw.turns,
+        toolsUsed: raw.toolsUsed,
+        usage: {
+          inputTokens: raw.inputTokens ?? 0,
+          outputTokens: raw.outputTokens ?? 0,
+          estimated: raw.inputTokens === void 0 || raw.outputTokens === void 0
+        },
+        startedAt,
+        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        durationMs: Date.now() - Date.parse(startedAt),
+        error: raw.error,
+        metadata: { ...raw.metadata, trace }
+      });
+      this.options.eventLog?.record(result.success ? "agent.completed" : "agent.failed", {
+        taskId: input.task.id,
+        role: input.task.role,
+        agentRunId: result.id,
+        trace,
+        error: result.error
+      });
+      return result;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      const result = normalizeAgentRunResult({
+        id: `${input.task.id}-run-${Date.now().toString(36)}`,
+        taskId: input.task.id,
+        role: input.task.role,
+        success: false,
+        output: message,
+        startedAt,
+        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        durationMs: Date.now() - Date.parse(startedAt),
+        error: message,
+        metadata: { trace }
+      });
+      this.options.eventLog?.record("agent.failed", {
+        taskId: input.task.id,
+        role: input.task.role,
+        agentRunId: result.id,
+        trace,
+        error: message
+      });
+      return result;
+    }
+  }
+};
+function createAgentRunner(options) {
+  return new AgentRunner(options);
+}
+async function defaultExecutor(context) {
+  return {
+    output: `Agent ${context.capability.role} accepted task '${context.task.objective}'.`
+  };
+}
+
+// src/runtime/runtime-agent-node-executor.ts
+var AgentDefinitionRegistry = class {
+  definitionsByRole = /* @__PURE__ */ new Map();
+  definitionsById = /* @__PURE__ */ new Map();
+  constructor(definitions = []) {
+    for (const definition of definitions) {
+      this.register(definition);
+    }
+  }
+  register(definition) {
+    this.definitionsById.set(definition.id, cloneDefinition(definition));
+    this.definitionsByRole.set(definition.role, cloneDefinition(definition));
+  }
+  get(id) {
+    const definition = this.definitionsById.get(id);
+    return definition ? cloneDefinition(definition) : void 0;
+  }
+  getByRole(role) {
+    const definition = this.definitionsByRole.get(role);
+    return definition ? cloneDefinition(definition) : void 0;
+  }
+  list() {
+    return [...this.definitionsById.values()].map(cloneDefinition);
+  }
+};
+var RuntimeAgentNodeExecutor = class {
+  constructor(options) {
+    this.options = options;
+    this.runner = options.runner ?? new AgentRunner(options.runnerOptions);
+  }
+  options;
+  runner;
+  execute = async (execution) => {
+    const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+    const definition = this.options.registry.getByRole(execution.task.role);
+    if (!definition) {
+      return normalizeAgentRunResult({
+        id: `${execution.workflowRunId}-${execution.node.id}-missing-definition`,
+        taskId: execution.task.id,
+        role: execution.task.role,
+        success: false,
+        output: "",
+        startedAt,
+        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        error: `No agent definition registered for role '${execution.task.role}'.`,
+        metadata: {
+          workflowRunId: execution.workflowRunId,
+          nodeId: execution.node.id,
+          trace: execution.trace
+        }
+      });
+    }
+    const blockedTool = this.findBlockedTool(definition, execution);
+    if (blockedTool) {
+      return normalizeAgentRunResult({
+        id: `${execution.workflowRunId}-${execution.node.id}-policy-blocked`,
+        taskId: execution.task.id,
+        role: execution.task.role,
+        success: false,
+        output: "",
+        startedAt,
+        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        error: blockedTool,
+        metadata: {
+          workflowRunId: execution.workflowRunId,
+          nodeId: execution.node.id,
+          agentDefinitionId: definition.id,
+          trace: execution.trace
+        }
+      });
+    }
+    const input = {
+      task: {
+        ...execution.task,
+        context: {
+          ...execution.task.context,
+          instructions: definition.instructions,
+          sharedState: execution.sharedState.readForRole(definition.role)
+        }
+      },
+      capability: definition.capability,
+      trace: execution.trace,
+      toolRiskManifest: this.options.toolRiskManifest
+    };
+    const result = await this.runner.run(input);
+    return normalizeAgentRunResult({
+      ...result,
+      metadata: {
+        ...result.metadata,
+        workflowRunId: execution.workflowRunId,
+        nodeId: execution.node.id,
+        agentDefinitionId: definition.id
+      }
+    });
+  };
+  findBlockedTool(definition, execution) {
+    for (const toolName of execution.node.requiredTools ?? []) {
+      const agentDecision = evaluateAgentToolPolicy({
+        capability: definition.capability,
+        toolName,
+        manifest: this.options.toolRiskManifest
+      });
+      execution.eventLog.record("agent.tool.called", {
+        workflowRunId: execution.workflowRunId,
+        nodeId: execution.node.id,
+        taskId: execution.task.id,
+        role: execution.task.role,
+        toolName,
+        decision: agentDecision,
+        trace: execution.trace
+      });
+      if (!agentDecision.allowed) {
+        return agentDecision.reason ?? `Tool '${toolName}' is not allowed for agent.`;
+      }
+      const runtimeDecision = evaluateRuntimeToolPolicy(this.options.runtimePolicy, {
+        toolName,
+        risk: agentDecision.risk
+      });
+      if (!runtimeDecision.allowed) {
+        return runtimeDecision.reason ?? `Tool '${toolName}' is blocked by runtime policy.`;
+      }
+    }
+    return void 0;
+  }
+};
+function createAgentDefinitionRegistry(definitions = []) {
+  return new AgentDefinitionRegistry(definitions);
+}
+function createRuntimeAgentNodeExecutor(options) {
+  return new RuntimeAgentNodeExecutor(options).execute;
+}
+function cloneDefinition(definition) {
+  return structuredClone(definition);
+}
+
 // src/runtime/workflow-registry.ts
 function cloneWorkflow(workflow) {
   return {
@@ -8516,14 +8872,22 @@ var WorkflowEngine = class {
     this.catalog = catalog;
     this.eventLog = eventLog;
     this.sharedState = options.sharedState ?? new InMemorySharedWorkspaceStore();
-    this.nodeExecutor = options.nodeExecutor;
     this.runtimePolicy = options.runtimePolicy;
+    this.runtimeContext = options.runtimeContext;
+    this.runtimeHostMode = options.runtimeHostMode ?? "local";
+    this.nodeExecutor = options.nodeExecutor ?? (options.agentDefinitionRegistry ? createRuntimeAgentNodeExecutor({
+      ...options.agentNodeExecutorOptions,
+      registry: options.agentDefinitionRegistry,
+      runtimePolicy: options.runtimePolicy
+    }) : void 0);
   }
   catalog;
   eventLog;
   handlers = /* @__PURE__ */ new Map();
   sharedState;
   runtimePolicy;
+  runtimeContext;
+  runtimeHostMode;
   nodeExecutor;
   registerHandler(workflowId, handler) {
     if (!this.catalog.get(workflowId)) {
@@ -8538,6 +8902,7 @@ var WorkflowEngine = class {
     return this.catalog.createPlan(workflowId, input, this.eventLog);
   }
   async run(request) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "workflow.run");
     const workflow = this.catalog.get(request.workflowId);
     if (!workflow) {
       throw new Error(`Unknown workflow: ${request.workflowId}`);
@@ -8657,7 +9022,14 @@ var AgentRuntime = class {
     this.model = options.model ?? options.providerConfig?.model ?? getDefaultModel(options.providerType);
     this.runtimeContext = options.runtimeContext ? createRuntimeRequestContext(options.runtimeContext) : void 0;
     this.runtimePolicy = mergeRuntimePolicy(this.runtimeContext?.policy, options.runtimePolicy);
-    this.workflowEngine = options.workflowEngine ?? createWorkflowEngine(void 0, this.eventLog, { runtimePolicy: this.runtimePolicy });
+    this.runtimeHostMode = options.runtimeHostMode ?? "local";
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "runtime.initialize");
+    this.workflowEngine = options.workflowEngine ?? createWorkflowEngine(void 0, this.eventLog, {
+      runtimePolicy: this.runtimePolicy,
+      runtimeContext: this.runtimeContext,
+      runtimeHostMode: this.runtimeHostMode,
+      agentDefinitionRegistry: options.agentDefinitionRegistry
+    });
   }
   options;
   providerRegistry;
@@ -8673,6 +9045,9 @@ var AgentRuntime = class {
   provider;
   runtimeContext;
   runtimePolicy;
+  runtimeHostMode;
+  requestTimestampsBySubject = /* @__PURE__ */ new Map();
+  activeRuns = 0;
   async initialize() {
     const providerInjected = Boolean(this.options.provider);
     const provider = this.options.provider ?? await this.providerRegistry.createProvider(this.providerType, {
@@ -8721,10 +9096,12 @@ var AgentRuntime = class {
       },
       modes: listAgentModes(),
       context: this.runtimeContext,
-      policy: this.runtimePolicy
+      policy: this.runtimePolicy,
+      hostMode: this.runtimeHostMode
     };
   }
   createSession(options = {}) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "session.create");
     const session = this.runtimeSessionStore.create({
       ...options,
       metadata: {
@@ -8748,6 +9125,27 @@ var AgentRuntime = class {
   listSessions() {
     return this.runtimeSessionStore.list();
   }
+  cleanupRetention(options = {}) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "retention.cleanup");
+    const dryRun = options.dryRun ?? true;
+    const cutoffs = createRetentionCutoffs(this.runtimePolicy, options.now);
+    const expiredSessionIds = cutoffs.conversationBefore ? this.runtimeSessionStore.list().filter((session) => session.updatedAt < cutoffs.conversationBefore).map((session) => session.id) : [];
+    const deletedSessionIds = dryRun ? [] : expiredSessionIds.filter((id) => this.runtimeSessionStore.delete(id));
+    this.eventLog.record("retention.cleanup", {
+      dryRun,
+      cutoffs,
+      expiredSessionIds,
+      deletedSessionIds,
+      tenantId: this.runtimeContext?.tenant?.id,
+      runtimeApi: true
+    });
+    return {
+      dryRun,
+      cutoffs,
+      expiredSessionIds,
+      deletedSessionIds
+    };
+  }
   async runTurn(input) {
     const provider = this.provider;
     if (!provider) {
@@ -8758,6 +9156,12 @@ var AgentRuntime = class {
       throw new Error(`Runtime session not found: ${input.sessionId}`);
     }
     const effectiveSession = input.mode && input.mode !== session.mode ? { ...session, mode: input.mode } : session;
+    assertRuntimeTurnWithinPolicy(this.runtimePolicy, {
+      subject: "turn.run",
+      currentTurns: countUserTurns(effectiveSession),
+      tenantId: this.runtimeContext?.tenant?.id
+    });
+    const releaseRuntimeRequest = this.beginRuntimeRequest("turn.run");
     this.eventLog.record("turn.started", {
       sessionId: effectiveSession.id,
       provider: this.providerType,
@@ -8774,7 +9178,13 @@ var AgentRuntime = class {
         permissionPolicy: this.permissionPolicy,
         eventLog: this.eventLog
       });
-      assertRuntimeUsageWithinPolicy(this.runtimePolicy, result.usage);
+      const estimatedCostUsd = this.estimateTurnCost(result);
+      assertRuntimeUsageWithinPolicy(this.runtimePolicy, {
+        ...result.usage,
+        estimatedCostUsd,
+        tenantId: this.runtimeContext?.tenant?.id,
+        subject: "turn.run"
+      });
       const updatedSession = this.runtimeSessionStore.update({
         ...effectiveSession,
         messages: [
@@ -8791,6 +9201,7 @@ var AgentRuntime = class {
         sessionId: updatedSession.id,
         inputTokens: result.usage.inputTokens,
         outputTokens: result.usage.outputTokens,
+        estimatedCostUsd,
         model: result.model,
         runtimeApi: true
       });
@@ -8802,6 +9213,8 @@ var AgentRuntime = class {
         runtimeApi: true
       });
       throw error;
+    } finally {
+      releaseRuntimeRequest();
     }
   }
   async *streamTurn(input) {
@@ -8814,6 +9227,12 @@ var AgentRuntime = class {
       throw new Error(`Runtime session not found: ${input.sessionId}`);
     }
     const effectiveSession = input.mode && input.mode !== session.mode ? { ...session, mode: input.mode } : session;
+    assertRuntimeTurnWithinPolicy(this.runtimePolicy, {
+      subject: "turn.stream",
+      currentTurns: countUserTurns(effectiveSession),
+      tenantId: this.runtimeContext?.tenant?.id
+    });
+    const releaseRuntimeRequest = this.beginRuntimeRequest("turn.stream");
     const messages = [
       ...effectiveSession.messages,
       {
@@ -8863,7 +9282,13 @@ var AgentRuntime = class {
         model: input.options?.model ?? this.getModel(),
         mode: effectiveSession.mode
       };
-      assertRuntimeUsageWithinPolicy(this.runtimePolicy, result.usage);
+      const estimatedCostUsd = this.estimateTurnCost(result);
+      assertRuntimeUsageWithinPolicy(this.runtimePolicy, {
+        ...result.usage,
+        estimatedCostUsd,
+        tenantId: this.runtimeContext?.tenant?.id,
+        subject: "turn.stream"
+      });
       const updatedSession = this.runtimeSessionStore.update({
         ...effectiveSession,
         messages: [
@@ -8882,6 +9307,7 @@ var AgentRuntime = class {
         sessionId: updatedSession.id,
         inputTokens: result.usage.inputTokens,
         outputTokens: result.usage.outputTokens,
+        estimatedCostUsd,
         model: result.model,
         streaming: true,
         runtimeApi: true
@@ -8911,9 +9337,11 @@ var AgentRuntime = class {
           runtimeApi: true
         });
       }
+      releaseRuntimeRequest();
     }
   }
   async executeTool(input) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "tool.execute");
     const startedAt = performance.now();
     const session = input.sessionId ? this.getSession(input.sessionId) : void 0;
     if (input.sessionId && !session) {
@@ -9024,6 +9452,7 @@ var AgentRuntime = class {
     };
   }
   assertToolAllowed(mode, toolName, input) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "tool.assertAllowed");
     const tool = this.toolRegistry.get(toolName);
     if (!tool) {
       this.eventLog.record("tool.blocked", {
@@ -9053,109 +9482,69 @@ var AgentRuntime = class {
     });
     return allowed;
   }
-};
-async function createAgentRuntime(options) {
-  const runtime = new AgentRuntime(options);
-  await runtime.initialize();
-  return runtime;
-}
-
-// src/runtime/agent-runner.ts
-var AgentRunner = class {
-  constructor(options = {}) {
-    this.options = options;
+  beginRuntimeRequest(subject) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, subject);
+    this.assertWithinRateLimit(subject);
+    this.assertWithinConcurrencyLimit(subject);
+    this.activeRuns += 1;
+    let released = false;
+    return () => {
+      if (released) return;
+      released = true;
+      this.activeRuns = Math.max(0, this.activeRuns - 1);
+    };
   }
-  options;
-  async run(input) {
-    const startedAt = (/* @__PURE__ */ new Date()).toISOString();
-    const trace = input.trace ?? createAgentTraceContext({ taskId: input.task.id });
-    this.options.eventLog?.record("agent.started", {
-      taskId: input.task.id,
-      role: input.task.role,
-      trace
-    });
-    try {
-      const raw = await (this.options.executor ?? defaultExecutor)({
-        task: input.task,
-        capability: input.capability,
-        trace,
-        assertToolAllowed: (toolName) => {
-          const decision = evaluateAgentToolPolicy({
-            capability: input.capability,
-            toolName,
-            manifest: input.toolRiskManifest
-          });
-          this.options.eventLog?.record("agent.tool.called", {
-            taskId: input.task.id,
-            role: input.task.role,
-            toolName,
-            decision,
-            trace
-          });
-          if (!decision.allowed) {
-            throw new Error(decision.reason ?? `Tool '${toolName}' is not allowed.`);
-          }
-        }
-      });
-      const result = normalizeAgentRunResult({
-        id: `${input.task.id}-run-${Date.now().toString(36)}`,
-        taskId: input.task.id,
-        role: input.task.role,
-        success: raw.success ?? true,
-        output: raw.output,
-        turns: raw.turns,
-        toolsUsed: raw.toolsUsed,
-        usage: {
-          inputTokens: raw.inputTokens ?? 0,
-          outputTokens: raw.outputTokens ?? 0,
-          estimated: raw.inputTokens === void 0 || raw.outputTokens === void 0
-        },
-        startedAt,
-        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
-        durationMs: Date.now() - Date.parse(startedAt),
-        error: raw.error,
-        metadata: { ...raw.metadata, trace }
-      });
-      this.options.eventLog?.record(result.success ? "agent.completed" : "agent.failed", {
-        taskId: input.task.id,
-        role: input.task.role,
-        agentRunId: result.id,
-        trace,
-        error: result.error
-      });
-      return result;
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      const result = normalizeAgentRunResult({
-        id: `${input.task.id}-run-${Date.now().toString(36)}`,
-        taskId: input.task.id,
-        role: input.task.role,
-        success: false,
-        output: message,
-        startedAt,
-        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
-        durationMs: Date.now() - Date.parse(startedAt),
-        error: message,
-        metadata: { trace }
+  assertWithinRateLimit(subject) {
+    const maxRequestsPerMinute = this.runtimePolicy?.rateLimit?.maxRequestsPerMinute;
+    if (maxRequestsPerMinute === void 0) return;
+    const now = Date.now();
+    const windowStart = now - 6e4;
+    const key = `${this.runtimeContext?.tenant?.id ?? "global"}:${subject}`;
+    const recent = (this.requestTimestampsBySubject.get(key) ?? []).filter(
+      (timestamp) => timestamp > windowStart
+    );
+    if (recent.length >= maxRequestsPerMinute) {
+      this.requestTimestampsBySubject.set(key, recent);
+      throw new RuntimePolicyViolation({
+        code: "rate_limit_exceeded",
+        subject,
+        tenantId: this.runtimeContext?.tenant?.id,
+        policyPath: "runtimePolicy.rateLimit.maxRequestsPerMinute",
+        message: `Runtime policy rate limit exceeded: ${recent.length}/${maxRequestsPerMinute} requests per minute.`
       });
-      this.options.eventLog?.record("agent.failed", {
-        taskId: input.task.id,
-        role: input.task.role,
-        agentRunId: result.id,
-        trace,
-        error: message
+    }
+    recent.push(now);
+    this.requestTimestampsBySubject.set(key, recent);
+  }
+  assertWithinConcurrencyLimit(subject) {
+    const maxConcurrentRuns = this.runtimePolicy?.rateLimit?.maxConcurrentRuns;
+    if (maxConcurrentRuns === void 0) return;
+    if (this.activeRuns >= maxConcurrentRuns) {
+      throw new RuntimePolicyViolation({
+        code: "concurrency_limit_exceeded",
+        subject,
+        tenantId: this.runtimeContext?.tenant?.id,
+        policyPath: "runtimePolicy.rateLimit.maxConcurrentRuns",
+        message: `Runtime policy concurrency limit exceeded: ${this.activeRuns}/${maxConcurrentRuns} active runs.`
       });
-      return result;
     }
   }
+  estimateTurnCost(result) {
+    return estimateCost(
+      result.model,
+      result.usage.inputTokens,
+      result.usage.outputTokens,
+      this.providerType
+    ).totalCost;
+  }
 };
-function createAgentRunner(options) {
-  return new AgentRunner(options);
+function countUserTurns(session) {
+  return session.messages.filter((message) => message.role === "user").length;
 }
-async function defaultExecutor(context) {
-  return {
-    output: `Agent ${context.capability.role} accepted task '${context.task.objective}'.`
-  };
+async function createAgentRuntime(options) {
+  const runtime = new AgentRuntime(options);
+  await runtime.initialize();
+  return runtime;
 }
 
 // src/runtime/tool-calling-turn-runner.ts
@@ -9398,10 +9787,24 @@ function rowToEvent(row) {
 function persistBestEffort(promise) {
   void promise.catch(() => void 0);
 }
+function assertPostgresSyncStoreNotHosted(options) {
+  if (options.hostMode === "hosted") {
+    throw new Error(
+      "Postgres sync runtime stores are local/cache-compatible only. Use async hosted Postgres stores in hosted mode."
+    );
+  }
+}
+function requireTenantId(options) {
+  if (!options.tenantId) {
+    throw new Error("Postgres hosted runtime stores require tenantId.");
+  }
+  return options.tenantId;
+}
 var PostgresRuntimeSessionStore = class {
   constructor(client, options = {}) {
     this.client = client;
     this.options = options;
+    assertPostgresSyncStoreNotHosted(options);
   }
   client;
   options;
@@ -9482,6 +9885,104 @@ var PostgresRuntimeSessionStore = class {
     return deleted;
   }
 };
+var AsyncPostgresRuntimeSessionStore = class {
+  constructor(client, options) {
+    this.client = client;
+    this.tenantId = requireTenantId(options);
+  }
+  client;
+  tenantId;
+  async create(options = {}) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const session = {
+      id: options.id ?? createSessionId2(),
+      createdAt: now,
+      updatedAt: now,
+      mode: options.mode ?? "ask",
+      messages: options.messages ? options.messages.map((message) => ({ ...message })) : [],
+      instructions: options.instructions,
+      metadata: { ...options.metadata, tenantId: this.tenantId }
+    };
+    const result = await this.client.query(
+      `insert into coco_runtime_sessions
+        (id, tenant_id, created_at, updated_at, mode, messages, instructions, metadata)
+       values ($1, $2, $3, $4, $5, $6::jsonb, $7, $8::jsonb)
+       on conflict (id) do update set
+        updated_at = excluded.updated_at,
+        mode = excluded.mode,
+        messages = excluded.messages,
+        instructions = excluded.instructions,
+        metadata = excluded.metadata
+       where coco_runtime_sessions.tenant_id = excluded.tenant_id`,
+      [
+        session.id,
+        this.tenantId,
+        session.createdAt,
+        session.updatedAt,
+        session.mode,
+        JSON.stringify(session.messages),
+        session.instructions ?? null,
+        JSON.stringify(session.metadata)
+      ]
+    );
+    if (result.rowCount === 0) {
+      throw new Error(`Runtime session id is already owned by another tenant: ${session.id}`);
+    }
+    return structuredClone(session);
+  }
+  async get(id) {
+    const result = await this.client.query(
+      `select * from coco_runtime_sessions
+       where id = $1 and tenant_id = $2
+       limit 1`,
+      [id, this.tenantId]
+    );
+    const row = result.rows[0];
+    return row ? rowToSession(row) : void 0;
+  }
+  async update(session) {
+    const updated = {
+      ...session,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      messages: session.messages.map((message) => ({ ...message })),
+      metadata: { ...session.metadata, tenantId: this.tenantId }
+    };
+    const result = await this.client.query(
+      `update coco_runtime_sessions
+       set updated_at = $3, mode = $4, messages = $5::jsonb, instructions = $6, metadata = $7::jsonb
+       where id = $1 and tenant_id = $2`,
+      [
+        updated.id,
+        this.tenantId,
+        updated.updatedAt,
+        updated.mode,
+        JSON.stringify(updated.messages),
+        updated.instructions ?? null,
+        JSON.stringify(updated.metadata)
+      ]
+    );
+    if (result.rowCount === 0) {
+      throw new Error(`Runtime session not found for tenant ${this.tenantId}: ${updated.id}`);
+    }
+    return structuredClone(updated);
+  }
+  async list() {
+    const result = await this.client.query(
+      `select * from coco_runtime_sessions
+       where tenant_id = $1
+       order by updated_at desc`,
+      [this.tenantId]
+    );
+    return result.rows.map(rowToSession);
+  }
+  async delete(id) {
+    const result = await this.client.query(
+      "delete from coco_runtime_sessions where id = $1 and tenant_id = $2",
+      [id, this.tenantId]
+    );
+    return (result.rowCount ?? 0) > 0;
+  }
+};
 function createPostgresRuntimeSessionQueries(client, options = {}) {
   return {
     async get(id) {
@@ -9509,6 +10010,7 @@ var PostgresEventLog = class {
   constructor(client, options = {}) {
     this.client = client;
     this.options = options;
+    assertPostgresSyncStoreNotHosted(options);
   }
   client;
   options;
@@ -9546,12 +10048,106 @@ var PostgresEventLog = class {
     this.events = [];
   }
 };
+var AsyncPostgresEventLog = class {
+  constructor(client, options) {
+    this.client = client;
+    this.tenantId = requireTenantId(options);
+  }
+  client;
+  tenantId;
+  async record(type, data = {}) {
+    const event = {
+      id: randomUUID(),
+      type,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      data: { ...data, tenantId: this.tenantId }
+    };
+    await this.client.query(
+      `insert into coco_runtime_events (id, tenant_id, type, timestamp, data)
+       values ($1, $2, $3, $4, $5::jsonb)`,
+      [event.id, this.tenantId, event.type, event.timestamp, JSON.stringify(event.data)]
+    );
+    return event;
+  }
+  async list() {
+    return listPostgresRuntimeEvents(this.client, { tenantId: this.tenantId });
+  }
+  async count() {
+    const result = await this.client.query(
+      "select count(*)::int as count from coco_runtime_events where tenant_id = $1",
+      [this.tenantId]
+    );
+    return Number(result.rows[0]?.count ?? 0);
+  }
+  async clear() {
+    await this.client.query("delete from coco_runtime_events where tenant_id = $1", [
+      this.tenantId
+    ]);
+  }
+};
+var PostgresRuntimeAuditStore = class {
+  constructor(client, options) {
+    this.client = client;
+    this.tenantId = requireTenantId(options);
+  }
+  client;
+  tenantId;
+  async record(input) {
+    const record = {
+      id: randomUUID(),
+      tenantId: this.tenantId,
+      type: input.type,
+      subject: input.subject,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      data: { ...input.data }
+    };
+    await this.client.query(
+      `insert into coco_runtime_audit_events
+        (id, tenant_id, type, subject, timestamp, data)
+       values ($1, $2, $3, $4, $5, $6::jsonb)`,
+      [
+        record.id,
+        record.tenantId,
+        record.type,
+        record.subject ?? null,
+        record.timestamp,
+        JSON.stringify(record.data)
+      ]
+    );
+    return record;
+  }
+  async list() {
+    const result = await this.client.query(
+      `select * from coco_runtime_audit_events
+       where tenant_id = $1
+       order by timestamp asc`,
+      [this.tenantId]
+    );
+    return result.rows.map((row) => ({
+      id: row.id,
+      tenantId: row.tenant_id,
+      type: row.type,
+      subject: row.subject ?? void 0,
+      timestamp: dateToIso(row.timestamp),
+      data: parseJson(row.data, {})
+    }));
+  }
+};
 function createPostgresRuntimeSessionStore(client, options) {
   return new PostgresRuntimeSessionStore(client, options);
 }
 function createPostgresEventLog(client, options) {
   return new PostgresEventLog(client, options);
 }
+function createAsyncPostgresRuntimeSessionStore(client, options) {
+  return new AsyncPostgresRuntimeSessionStore(client, options);
+}
+function createAsyncPostgresEventLog(client, options) {
+  return new AsyncPostgresEventLog(client, options);
+}
+function createPostgresRuntimeAuditStore(client, options) {
+  return new PostgresRuntimeAuditStore(client, options);
+}
 async function listPostgresRuntimeEvents(client, options = {}) {
   const result = await client.query(
     `select * from coco_runtime_events
@@ -9563,6 +10159,76 @@ async function listPostgresRuntimeEvents(client, options = {}) {
   return result.rows.map(rowToEvent);
 }
 
+// src/runtime/tenant-scope.ts
+var TenantScopedRuntimeSessionStore = class {
+  constructor(inner, options) {
+    this.inner = inner;
+    this.options = options;
+  }
+  inner;
+  options;
+  create(options = {}) {
+    return this.inner.create({
+      ...options,
+      metadata: this.withTenant(options.metadata)
+    });
+  }
+  get(id) {
+    const session = this.inner.get(id);
+    return session && this.belongsToTenant(session) ? session : void 0;
+  }
+  update(session) {
+    if (!this.belongsToTenant(session)) {
+      throw new Error(
+        `Runtime session ${session.id} does not belong to tenant ${this.options.tenantId}.`
+      );
+    }
+    return this.inner.update({
+      ...session,
+      metadata: this.withTenant(session.metadata)
+    });
+  }
+  list() {
+    return this.inner.list().filter((session) => this.belongsToTenant(session));
+  }
+  delete(id) {
+    if (!this.get(id)) return false;
+    return this.inner.delete(id);
+  }
+  withTenant(metadata) {
+    return { ...metadata, tenantId: this.options.tenantId };
+  }
+  belongsToTenant(session) {
+    return session.metadata["tenantId"] === this.options.tenantId;
+  }
+};
+var TenantScopedEventLog = class {
+  constructor(inner, options) {
+    this.inner = inner;
+    this.options = options;
+  }
+  inner;
+  options;
+  record(type, data = {}) {
+    return this.inner.record(type, { ...data, tenantId: this.options.tenantId });
+  }
+  list() {
+    return this.inner.list().filter((event) => event.data["tenantId"] === this.options.tenantId);
+  }
+  count() {
+    return this.list().length;
+  }
+  clear() {
+    throw new Error("Tenant-scoped event logs do not support partial clear.");
+  }
+};
+function createTenantScopedRuntimeSessionStore(inner, tenantId) {
+  return new TenantScopedRuntimeSessionStore(inner, { tenantId });
+}
+function createTenantScopedEventLog(inner, tenantId) {
+  return new TenantScopedEventLog(inner, { tenantId });
+}
+
 // src/runtime/extension-manifests.ts
 function createMcpToolPolicy(server, tool, risk, allowedModes = ["ask", "plan", "build", "debug", "review", "architect"]) {
   return {
@@ -9655,7 +10321,7 @@ function runGuardrails(stage, content, config = {}) {
         findings.push({
           id,
           stage,
-          severity: "warning",
+          severity: actionToSeverity(config.promptInjectionAction ?? "warn"),
           message: `Potential prompt-injection pattern detected: ${id}`
         });
       }
@@ -9678,6 +10344,26 @@ function runGuardrails(stage, content, config = {}) {
     findings
   };
 }
+async function runGuardrailPipeline(steps, config = {}) {
+  const outputs = [];
+  const findings = [];
+  for (const step of steps) {
+    const effectiveConfig = { ...config, ...step.config };
+    const result = runGuardrails(step.stage, step.content, effectiveConfig);
+    const policyFindings = await effectiveConfig.policyProvider?.evaluate({
+      stage: step.stage,
+      content: result.content,
+      findings: result.findings
+    }) ?? [];
+    outputs.push({ stage: step.stage, content: result.content });
+    findings.push(...result.findings, ...policyFindings);
+  }
+  return {
+    allowed: !findings.some((finding) => finding.severity === "blocked"),
+    outputs,
+    findings
+  };
+}
 function validateStructuredOutput(output, schema) {
   if (!schema) return [];
   const result = schema.safeParse(output);
@@ -9691,6 +10377,16 @@ function validateStructuredOutput(output, schema) {
     }
   ];
 }
+function actionToSeverity(action) {
+  switch (action) {
+    case "allow":
+      return "info";
+    case "warn":
+      return "warning";
+    case "block":
+      return "blocked";
+  }
+}
 
 // src/runtime/blueprints.ts
 function mapActionModeToRuntimeMode(mode) {
@@ -9788,7 +10484,7 @@ var InMemoryKnowledgeRetriever = class {
     const limit = options.limit ?? 5;
     const minScore = options.minScore ?? 0;
     const tenantId = tenantIdFromRetrievalOptions(options);
-    return this.documents.filter((document) => sourceMatchesTenant(document.metadata, tenantId, options.dataBoundary)).map((document) => ({
+    return this.documents.filter((document) => sourceAccessible(document, { ...options, tenantId })).map((document) => ({
       ...document,
       score: scoreDocument(document, terms)
     })).filter((source) => source.score >= minScore && source.score > 0).sort((a, b) => b.score - a.score).slice(0, limit);
@@ -9813,7 +10509,24 @@ var SimpleTextChunker = class {
         title: document.title,
         content,
         url: document.url,
-        metadata: { ...document.metadata, chunkIndex: index }
+        tenantId: document.tenantId,
+        sourceId: document.sourceId,
+        acl: document.acl,
+        classification: document.classification,
+        version: document.version,
+        updatedAt: document.updatedAt,
+        deletedAt: document.deletedAt,
+        metadata: {
+          ...document.metadata,
+          tenantId: document.tenantId ?? document.metadata?.["tenantId"],
+          sourceId: document.sourceId ?? document.metadata?.["sourceId"],
+          acl: document.acl ?? document.metadata?.["acl"],
+          classification: document.classification ?? document.metadata?.["classification"],
+          version: document.version ?? document.metadata?.["version"],
+          updatedAt: document.updatedAt ?? document.metadata?.["updatedAt"],
+          deletedAt: document.deletedAt ?? document.metadata?.["deletedAt"],
+          chunkIndex: index
+        }
       });
       index++;
       offset += maxChars - overlapChars;
@@ -9832,16 +10545,104 @@ var InMemoryVectorStore = class {
     const limit = options.limit ?? 5;
     const minScore = options.minScore ?? 0;
     const tenantId = tenantIdFromRetrievalOptions(options);
-    return this.chunks.filter((chunk2) => sourceMatchesTenant(chunk2.metadata, tenantId, options.dataBoundary)).map((chunk2) => ({
+    return this.chunks.filter((chunk2) => sourceAccessible(chunk2, { ...options, tenantId })).map((chunk2) => ({
       id: chunk2.id,
       title: chunk2.title,
       content: chunk2.content,
       url: chunk2.url,
       score: cosineSimilarity(embedding, chunk2.embedding),
-      metadata: { ...chunk2.metadata, documentId: chunk2.documentId }
+      metadata: {
+        ...chunk2.metadata,
+        tenantId: chunk2.tenantId ?? chunk2.metadata?.["tenantId"],
+        sourceId: chunk2.sourceId ?? chunk2.metadata?.["sourceId"],
+        acl: chunk2.acl ?? chunk2.metadata?.["acl"],
+        classification: chunk2.classification ?? chunk2.metadata?.["classification"],
+        version: chunk2.version ?? chunk2.metadata?.["version"],
+        updatedAt: chunk2.updatedAt ?? chunk2.metadata?.["updatedAt"],
+        deletedAt: chunk2.deletedAt ?? chunk2.metadata?.["deletedAt"],
+        documentId: chunk2.documentId
+      }
     })).filter((source) => source.score >= minScore).sort((a, b) => b.score - a.score).slice(0, limit);
   }
 };
+function createDocumentAccessPolicy(input) {
+  return {
+    canAccess({ document, options }) {
+      const tenantId = options.tenantId ?? input.tenantId;
+      const userId = options.userId ?? input.userId;
+      const roles = options.roles ?? input.roles ?? [];
+      const groups = options.groups ?? input.groups ?? [];
+      const metadata = document.metadata ?? {};
+      if (document.deletedAt ?? metadata["deletedAt"]) return false;
+      const documentTenantId = document.tenantId ?? stringMetadata(metadata, "tenantId");
+      const visibility = stringMetadata(metadata, "visibility");
+      if (tenantId && documentTenantId !== tenantId && visibility !== "global") return false;
+      const acl = document.acl ?? metadata["acl"];
+      if (!acl) return input.requireAcl !== true;
+      if (acl.public === true) return true;
+      if (userId && acl.userIds?.includes(userId)) return true;
+      if (acl.roles?.some((role) => roles.includes(role))) return true;
+      if (acl.groups?.some((group) => groups.includes(group))) return true;
+      return false;
+    }
+  };
+}
+function createRagIngestionJob(id, pipeline) {
+  const job = {
+    id,
+    status: "pending",
+    async run() {
+      job.status = "running";
+      job.startedAt = (/* @__PURE__ */ new Date()).toISOString();
+      try {
+        job.result = await pipeline.ingest();
+        job.status = "completed";
+      } catch (error) {
+        job.status = "failed";
+        job.error = error instanceof Error ? error.message : String(error);
+      } finally {
+        job.completedAt = (/* @__PURE__ */ new Date()).toISOString();
+      }
+      return { ...job };
+    }
+  };
+  return job;
+}
+function verifyCitations(citations, sources) {
+  const byId = new Map(sources.map((source) => [source.id, source]));
+  const unsupportedCitations = [];
+  const missingSourceIds = [];
+  for (const citation of citations) {
+    const source = byId.get(citation.sourceId);
+    if (!source) {
+      missingSourceIds.push(citation.sourceId);
+      unsupportedCitations.push(citation);
+    }
+  }
+  return {
+    valid: unsupportedCitations.length === 0,
+    unsupportedCitations,
+    missingSourceIds
+  };
+}
+function evaluateGroundedness(answer, sources) {
+  const answerTerms = new Set(tokenize(answer));
+  const sourceTerms = new Set(sources.flatMap((source) => tokenize(source.content)));
+  const overlap = [...answerTerms].filter((term) => sourceTerms.has(term)).length;
+  const score = answerTerms.size === 0 ? 0 : overlap / answerTerms.size;
+  const injection = /ignore|override|bypass|reveal|exfiltrate/i.test(
+    sources.map((source) => source.content).join("\n")
+  );
+  const reasons = [];
+  if (score < 0.2) reasons.push("Answer has low lexical support in retrieved sources.");
+  if (injection) reasons.push("Retrieved sources contain prompt-injection indicators.");
+  return {
+    grounded: score >= 0.2 && !injection,
+    score,
+    blocked: injection,
+    reasons
+  };
+}
 function createInMemoryKnowledgeRetriever(documents) {
   return new InMemoryKnowledgeRetriever(documents);
 }
@@ -9908,10 +10709,15 @@ function mergeRetrievalOptionsWithRuntimeContext(options, runtimeContext) {
 function tenantIdFromRetrievalOptions(options) {
   return options.tenantId ?? options.runtimeContext?.tenant?.id;
 }
-function sourceMatchesTenant(metadata, tenantId, dataBoundary) {
-  if (!tenantId || dataBoundary?.allowCrossTenantMemory === true) return true;
-  const sourceTenantId = metadata?.["tenantId"];
-  return sourceTenantId === tenantId || metadata?.["visibility"] === "global";
+function sourceAccessible(document, options) {
+  if (options.documentAccessPolicy) {
+    return options.documentAccessPolicy.canAccess({ document, options });
+  }
+  const metadata = document.metadata ?? {};
+  if (document.deletedAt ?? metadata["deletedAt"]) return false;
+  if (!options.tenantId || options.dataBoundary?.allowCrossTenantMemory === true) return true;
+  const sourceTenantId = document.tenantId ?? metadata["tenantId"];
+  return sourceTenantId === options.tenantId || metadata["visibility"] === "global";
 }
 async function retrieveFromVectorPipeline(query, options, retrievalOptions) {
   if (!options.embeddingProvider || !options.vectorStore) return [];
@@ -9919,6 +10725,10 @@ async function retrieveFromVectorPipeline(query, options, retrievalOptions) {
   if (!embedding) return [];
   return options.vectorStore.search(embedding, retrievalOptions);
 }
+function stringMetadata(metadata, key) {
+  const value = metadata[key];
+  return typeof value === "string" ? value : void 0;
+}
 function cosineSimilarity(a, b) {
   if (a.length === 0 || b.length === 0 || a.length !== b.length) return 0;
   let dot = 0;
@@ -10043,7 +10853,188 @@ var RuntimeToolExecutor = class {
 function createRuntimeToolExecutor(options) {
   return new RuntimeToolExecutor(options);
 }
+var InMemoryTraceExporter = class {
+  spans = [];
+  async export(span) {
+    this.spans.push(structuredClone(span));
+  }
+  list() {
+    return this.spans.map((span) => structuredClone(span));
+  }
+  clear() {
+    this.spans = [];
+  }
+};
+var FileTraceExporter = class {
+  constructor(filePath) {
+    this.filePath = filePath;
+    mkdirSync(dirname(filePath), { recursive: true });
+  }
+  filePath;
+  async export(span) {
+    appendFileSync(this.filePath, JSON.stringify(span) + "\n", "utf-8");
+  }
+  list() {
+    try {
+      return readFileSync(this.filePath, "utf-8").split("\n").filter(Boolean).map((line) => JSON.parse(line));
+    } catch {
+      return [];
+    }
+  }
+  clear() {
+    writeFileSync(this.filePath, "", "utf-8");
+  }
+};
+var OpenTelemetryTraceExporter = class {
+  spans = [];
+  async export(span) {
+    this.spans.push(structuredClone(span));
+  }
+  toOtlpJson() {
+    return {
+      resourceSpans: [
+        {
+          scopeSpans: [
+            {
+              spans: this.spans.map((span) => ({
+                traceId: span.traceId,
+                spanId: span.spanId,
+                parentSpanId: span.parentSpanId,
+                name: span.name,
+                kind: span.kind,
+                startTimeUnixNano: Date.parse(span.timestamp) * 1e6,
+                endTimeUnixNano: Date.parse(span.timestamp) * 1e6,
+                attributes: Object.entries(span.attributes).map(([key, value]) => ({
+                  key,
+                  value: { stringValue: JSON.stringify(value) }
+                }))
+              }))
+            }
+          ]
+        }
+      ]
+    };
+  }
+};
+async function exportRuntimeEventsAsSpans(events, exporter) {
+  const spans = events.map(eventToSpan);
+  for (const span of spans) {
+    await exporter.export(span);
+  }
+  await exporter.flush?.();
+  return spans;
+}
+function eventToSpan(event) {
+  const trace = isRecord(event.data["trace"]) ? event.data["trace"] : {};
+  const traceId = stringValue(trace["traceId"]) ?? stringValue(event.data["traceId"]) ?? event.id;
+  const spanId = stringValue(trace["spanId"]) ?? stringValue(event.data["spanId"]) ?? event.id;
+  return {
+    id: event.id,
+    traceId,
+    spanId,
+    parentSpanId: stringValue(trace["parentSpanId"]) ?? stringValue(event.data["parentSpanId"]),
+    kind: inferSpanKind(event),
+    name: event.type,
+    timestamp: event.timestamp,
+    attributes: redactTraceAttributes(event.data)
+  };
+}
+function collectRuntimeMetrics(events) {
+  const snapshot = {
+    events: events.length,
+    byKind: {
+      workflow: 0,
+      agent: 0,
+      llm: 0,
+      tool: 0,
+      rag: 0,
+      gate: 0,
+      handoff: 0,
+      state: 0,
+      runtime: 0
+    },
+    tokens: { input: 0, output: 0 },
+    estimatedCostUsd: 0,
+    retries: 0,
+    policyBlocks: 0,
+    errorsByClass: {},
+    toolsUsed: {},
+    gatesFailed: 0,
+    tenantUsage: {}
+  };
+  for (const event of events) {
+    const kind = inferSpanKind(event);
+    snapshot.byKind[kind] += 1;
+    const inputTokens = numberValue(event.data["inputTokens"]);
+    const outputTokens = numberValue(event.data["outputTokens"]);
+    const estimatedCostUsd = numberValue(event.data["estimatedCostUsd"]);
+    snapshot.tokens.input += inputTokens;
+    snapshot.tokens.output += outputTokens;
+    snapshot.estimatedCostUsd += estimatedCostUsd;
+    if (event.data["attempt"] && numberValue(event.data["attempt"]) > 1) snapshot.retries += 1;
+    if (event.type === "tool.blocked" || event.data["runtimePolicyBlocked"] === true) {
+      snapshot.policyBlocks += 1;
+    }
+    if (event.type.endsWith(".failed") || event.type === "error") {
+      const key = stringValue(event.data["error"]) ?? event.type;
+      snapshot.errorsByClass[key] = (snapshot.errorsByClass[key] ?? 0) + 1;
+    }
+    const tool = stringValue(event.data["tool"]) ?? stringValue(event.data["toolName"]);
+    if (tool) snapshot.toolsUsed[tool] = (snapshot.toolsUsed[tool] ?? 0) + 1;
+    if (event.type === "workflow.gate.failed") snapshot.gatesFailed += 1;
+    const tenantId = stringValue(event.data["tenantId"]);
+    if (tenantId) {
+      snapshot.tenantUsage[tenantId] ??= {
+        events: 0,
+        inputTokens: 0,
+        outputTokens: 0,
+        estimatedCostUsd: 0
+      };
+      snapshot.tenantUsage[tenantId].events += 1;
+      snapshot.tenantUsage[tenantId].inputTokens += inputTokens;
+      snapshot.tenantUsage[tenantId].outputTokens += outputTokens;
+      snapshot.tenantUsage[tenantId].estimatedCostUsd += estimatedCostUsd;
+    }
+  }
+  return snapshot;
+}
+function redactTraceAttributes(input) {
+  return redactUnknown(input);
+}
+function inferSpanKind(event) {
+  if (event.type.startsWith("workflow.gate")) return "gate";
+  if (event.type.startsWith("workflow.")) return "workflow";
+  if (event.type.startsWith("agent.handoff")) return "handoff";
+  if (event.type.startsWith("agent.")) return "agent";
+  if (event.type.startsWith("tool.") || event.type === "agent.tool.called") return "tool";
+  if (event.type.startsWith("shared_state.") || event.type.startsWith("checkpoint.")) {
+    return "state";
+  }
+  if (event.type.startsWith("turn.")) return "llm";
+  return "runtime";
+}
+function redactUnknown(value) {
+  if (typeof value === "string") {
+    return redactSecrets(value, { enabled: true }).content;
+  }
+  if (Array.isArray(value)) return value.map(redactUnknown);
+  if (isRecord(value)) {
+    return Object.fromEntries(
+      Object.entries(value).map(([key, nested]) => [key, redactUnknown(nested)])
+    );
+  }
+  return value;
+}
+function isRecord(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function stringValue(value) {
+  return typeof value === "string" ? value : void 0;
+}
+function numberValue(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : 0;
+}
 
-export { AGENT_MODES, AgentGraphEngine, AgentRunner, AgentRuntime, DEFAULT_WORKFLOWS, DefaultPermissionPolicy, DefaultRuntimeTurnRunner, FileEventLog, FileRuntimeSessionStore, FileSharedWorkspaceStore, InMemoryEventLog, InMemoryKnowledgeRetriever, InMemoryRuntimeSessionStore, InMemorySharedWorkspaceStore, InMemoryVectorStore, PostgresEventLog, PostgresRuntimeSessionStore, ProviderRegistry, RuntimeToolExecutor, SharedWorkspaceState, SimpleTextChunker, ToolCallingRuntimeTurnRunner, WorkflowCatalog, WorkflowEngine, WorkflowRegistry, createAgentArtifact, createAgentFromBlueprint, createAgentGraphEngine, createAgentRunner, createAgentRuntime, createAgentTraceContext, createBaseBlueprint, createDefaultRuntimeTurnRunner, createEventLog, createFileEventLog, createFileRuntimeSessionStore, createInMemoryKnowledgeRetriever, createInMemoryVectorStore, createMcpToolPolicy, createPermissionPolicy, createPostgresEventLog, createPostgresRuntimeSessionQueries, createPostgresRuntimeSessionStore, createProviderRegistry, createRagPipeline, createRuntimeHttpServer, createRuntimeRequestContext, createRuntimeSessionStore, createRuntimeToolExecutor, createSafeToolRegistry, createSimpleTextChunker, createSummaryArtifact, createToolCallingRuntimeTurnRunner, createWorkflowCatalog, createWorkflowEngine, createWorkflowRegistry, defaultPublicGuardrails, dryRunAgentGraphNodeExecutor, evaluateAgentToolPolicy, formatRetrievedSourcesForPrompt, getAgentMode, isAgentMode, listAgentModes, listLegacyAgentRoleMappings, listPostgresRuntimeEvents, mapActionModeToRuntimeMode, mapLegacyAgentRole, mergeRuntimePolicy, normalizeAgentRunResult, redactSecrets, runGuardrails, runtimeContextToMetadata, validateAgentCapabilities, validateAgentGraph, validateStructuredOutput, workflowToAgentGraph };
+export { AGENT_MODES, AgentDefinitionRegistry, AgentGraphEngine, AgentRunner, AgentRuntime, AsyncPostgresEventLog, AsyncPostgresRuntimeSessionStore, DEFAULT_WORKFLOWS, DefaultPermissionPolicy, DefaultRuntimeTurnRunner, FileEventLog, FileRuntimeSessionStore, FileSharedWorkspaceStore, FileTraceExporter, InMemoryEventLog, InMemoryKnowledgeRetriever, InMemoryRuntimeSessionStore, InMemorySharedWorkspaceStore, InMemoryTraceExporter, InMemoryVectorStore, OpenTelemetryTraceExporter, PostgresEventLog, PostgresRuntimeAuditStore, PostgresRuntimeSessionStore, ProviderRegistry, RuntimeAgentNodeExecutor, RuntimePolicyViolation, RuntimeToolExecutor, SharedWorkspaceState, SimpleTextChunker, TenantScopedEventLog, TenantScopedRuntimeSessionStore, ToolCallingRuntimeTurnRunner, WorkflowCatalog, WorkflowEngine, WorkflowRegistry, assertRuntimeTenantBoundary, assertRuntimeTurnWithinPolicy, collectRuntimeMetrics, createAgentArtifact, createAgentDefinitionRegistry, createAgentFromBlueprint, createAgentGraphEngine, createAgentRunner, createAgentRuntime, createAgentTraceContext, createAsyncPostgresEventLog, createAsyncPostgresRuntimeSessionStore, createBaseBlueprint, createDefaultRuntimeTurnRunner, createDocumentAccessPolicy, createEventLog, createFileEventLog, createFileRuntimeSessionStore, createInMemoryKnowledgeRetriever, createInMemoryVectorStore, createMcpToolPolicy, createPermissionPolicy, createPostgresEventLog, createPostgresRuntimeAuditStore, createPostgresRuntimeSessionQueries, createPostgresRuntimeSessionStore, createProviderRegistry, createRagIngestionJob, createRagPipeline, createRetentionCutoffs, createRuntimeAgentNodeExecutor, createRuntimeHttpServer, createRuntimeRequestContext, createRuntimeSessionStore, createRuntimeTenantBoundary, createRuntimeToolExecutor, createSafeToolRegistry, createSimpleTextChunker, createSummaryArtifact, createTenantScopedEventLog, createTenantScopedRuntimeSessionStore, createToolCallingRuntimeTurnRunner, createWorkflowCatalog, createWorkflowEngine, createWorkflowRegistry, defaultPublicGuardrails, dryRunAgentGraphNodeExecutor, evaluateAgentToolPolicy, evaluateGroundedness, eventToSpan, exportRuntimeEventsAsSpans, formatRetrievedSourcesForPrompt, getAgentMode, isAgentMode, listAgentModes, listLegacyAgentRoleMappings, listPostgresRuntimeEvents, mapActionModeToRuntimeMode, mapLegacyAgentRole, mergeRuntimePolicy, normalizeAgentRunResult, redactSecrets, redactTraceAttributes, runGuardrailPipeline, runGuardrails, runtimeContextToMetadata, validateAgentCapabilities, validateAgentGraph, validateStructuredOutput, verifyCitations, workflowToAgentGraph };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map