@corbat-tech/coco 2.40.0 → 2.41.0

package/dist/presets/index.js

@@ -3363,6 +3363,53 @@ function defineTool(definition) {
 // src/runtime/agent-runtime.ts
 init_env();
 
+// src/providers/pricing.ts
+init_catalog();
+var MODEL_PRICING = getCatalogModelPricingMap();
+var DEFAULT_PRICING = {
+  anthropic: { inputPerMillion: 3, outputPerMillion: 15, contextWindow: 2e5 },
+  openai: { inputPerMillion: 2.5, outputPerMillion: 10, contextWindow: 128e3 },
+  codex: { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 128e3 },
+  // ChatGPT Plus/Pro subscription
+  gemini: { inputPerMillion: 0.1, outputPerMillion: 0.4, contextWindow: 1e6 },
+  vertex: { inputPerMillion: 0.1, outputPerMillion: 0.4, contextWindow: 1048576 },
+  kimi: { inputPerMillion: 1.2, outputPerMillion: 1.2, contextWindow: 8192 },
+  "kimi-code": { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 131072 },
+  // Included in subscription
+  copilot: { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 2e5 },
+  // Included in subscription
+  lmstudio: { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 32768 },
+  // Free - local models
+  ollama: { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 128e3 },
+  // Free - local models
+  groq: { inputPerMillion: 0.05, outputPerMillion: 0.08, contextWindow: 128e3 },
+  // Free tier available
+  openrouter: { inputPerMillion: 2, outputPerMillion: 8, contextWindow: 2e5 },
+  // Varies by model
+  mistral: { inputPerMillion: 0.25, outputPerMillion: 0.75, contextWindow: 32768 },
+  deepseek: { inputPerMillion: 0.14, outputPerMillion: 0.28, contextWindow: 128e3 },
+  // Very cheap
+  together: { inputPerMillion: 0.2, outputPerMillion: 0.2, contextWindow: 32768 },
+  huggingface: { inputPerMillion: 0, outputPerMillion: 0, contextWindow: 32768 },
+  // Free tier
+  qwen: { inputPerMillion: 0.3, outputPerMillion: 1.2, contextWindow: 131072 }
+  // qwen-coder-plus pricing
+};
+function estimateCost(model2, inputTokens, outputTokens, provider) {
+  const pricing = MODEL_PRICING[model2] ?? (provider ? DEFAULT_PRICING[provider] : DEFAULT_PRICING.anthropic);
+  const inputCost = inputTokens / 1e6 * pricing.inputPerMillion;
+  const outputCost = outputTokens / 1e6 * pricing.outputPerMillion;
+  return {
+    inputCost,
+    outputCost,
+    totalCost: inputCost + outputCost,
+    inputTokens,
+    outputTokens,
+    model: model2,
+    currency: "USD"
+  };
+}
+
 // src/runtime/agent-modes.ts
 var AGENT_MODES = {
   ask: {
@@ -3422,6 +3469,22 @@ function listAgentModes() {
 }
 
 // src/runtime/context.ts
+var RuntimePolicyViolation = class extends Error {
+  code;
+  subject;
+  tenantId;
+  policyPath;
+  severity;
+  constructor(input) {
+    super(input.message);
+    this.name = "RuntimePolicyViolation";
+    this.code = input.code;
+    this.subject = input.subject;
+    this.tenantId = input.tenantId;
+    this.policyPath = input.policyPath;
+    this.severity = input.severity ?? "blocked";
+  }
+};
 function createRuntimeRequestContext(input = {}) {
   return {
     surface: input.surface ?? "api",
@@ -3464,6 +3527,27 @@ function runtimeContextToMetadata(context) {
     dataClassification: context.policy?.dataBoundary?.classification
   };
 }
+function createRuntimeTenantBoundary(context, hostMode = "local") {
+  return {
+    hostMode,
+    surface: context?.surface ?? "api",
+    tenantId: context?.tenant?.id,
+    required: hostMode === "hosted" && context?.surface !== "cli"
+  };
+}
+function assertRuntimeTenantBoundary(context, hostMode = "local", subject = "runtime operation") {
+  const boundary = createRuntimeTenantBoundary(context, hostMode);
+  if (boundary.required && !boundary.tenantId) {
+    throw new RuntimePolicyViolation({
+      code: "tenant_required",
+      subject,
+      tenantId: boundary.tenantId,
+      policyPath: "runtimeContext.tenant.id",
+      message: `Runtime tenant is required for hosted ${boundary.surface} operations.`
+    });
+  }
+  return boundary;
+}
 function evaluateRuntimeToolPolicy(policy, input) {
   if (policy?.allowedTools && !policy.allowedTools.includes(input.toolName)) {
     return {
@@ -3507,23 +3591,65 @@ function evaluateRuntimeRiskPolicy(policy, input) {
   }
   return { allowed: true, risk: input.risk };
 }
+function assertRuntimeTurnWithinPolicy(policy, input) {
+  const maxTurns = policy?.costBudget?.maxTurns;
+  if (maxTurns !== void 0 && input.currentTurns >= maxTurns) {
+    throw new RuntimePolicyViolation({
+      code: "max_turns_exceeded",
+      subject: input.subject,
+      tenantId: input.tenantId,
+      policyPath: "runtimePolicy.costBudget.maxTurns",
+      message: `Runtime policy turn budget exceeded: ${input.currentTurns}/${maxTurns}`
+    });
+  }
+}
 function assertRuntimeUsageWithinPolicy(policy, usage) {
   const budget = policy?.costBudget;
+  const subject = usage.subject ?? "runtime usage";
   if (!budget) return;
   if (budget.maxInputTokens !== void 0 && (usage.inputTokens ?? 0) > budget.maxInputTokens) {
-    throw new Error(
-      `Runtime policy input token budget exceeded: ${usage.inputTokens ?? 0}/${budget.maxInputTokens}`
-    );
+    throw new RuntimePolicyViolation({
+      code: "input_tokens_exceeded",
+      subject,
+      tenantId: usage.tenantId,
+      policyPath: "runtimePolicy.costBudget.maxInputTokens",
+      message: `Runtime policy input token budget exceeded: ${usage.inputTokens ?? 0}/${budget.maxInputTokens}`
+    });
   }
   if (budget.maxOutputTokens !== void 0 && (usage.outputTokens ?? 0) > budget.maxOutputTokens) {
-    throw new Error(
-      `Runtime policy output token budget exceeded: ${usage.outputTokens ?? 0}/${budget.maxOutputTokens}`
-    );
+    throw new RuntimePolicyViolation({
+      code: "output_tokens_exceeded",
+      subject,
+      tenantId: usage.tenantId,
+      policyPath: "runtimePolicy.costBudget.maxOutputTokens",
+      message: `Runtime policy output token budget exceeded: ${usage.outputTokens ?? 0}/${budget.maxOutputTokens}`
+    });
+  }
+  if (budget.maxEstimatedCostUsd !== void 0 && (usage.estimatedCostUsd ?? 0) > budget.maxEstimatedCostUsd) {
+    throw new RuntimePolicyViolation({
+      code: "estimated_cost_exceeded",
+      subject,
+      tenantId: usage.tenantId,
+      policyPath: "runtimePolicy.costBudget.maxEstimatedCostUsd",
+      message: `Runtime policy estimated cost budget exceeded: ${usage.estimatedCostUsd ?? 0}/${budget.maxEstimatedCostUsd}`
+    });
   }
 }
+function createRetentionCutoffs(policy, now = /* @__PURE__ */ new Date()) {
+  const retention = policy?.retention;
+  return {
+    conversationBefore: cutoffIso(now, retention?.conversationDays),
+    eventBefore: cutoffIso(now, retention?.eventDays),
+    artifactBefore: cutoffIso(now, retention?.artifactDays)
+  };
+}
 function cloneRuntimePolicy(policy) {
   return mergeRuntimePolicy(void 0, policy) ?? {};
 }
+function cutoffIso(now, days) {
+  if (days === void 0) return void 0;
+  return new Date(now.getTime() - days * 24 * 60 * 60 * 1e3).toISOString();
+}
 function riskRank(risk) {
   switch (risk) {
     case "read-only":
@@ -7855,10 +7981,6 @@ var VertexProvider = class {
   }
 };
 
-// src/providers/pricing.ts
-init_catalog();
-getCatalogModelPricingMap();
-
 // src/providers/circuit-breaker.ts
 init_errors();
 var DEFAULT_CIRCUIT_BREAKER_CONFIG = {
@@ -8431,6 +8553,7 @@ var LEGACY_ROLE_MAPPINGS = [
   { legacy: "coder", role: "coder", reason: "legacy executor role" },
   { legacy: "test", role: "tester", reason: "test authoring/execution" },
   { legacy: "tester", role: "tester", reason: "legacy executor role" },
+  { legacy: "verifier", role: "tester", reason: "verification maps to tester capability" },
   { legacy: "tdd", role: "tester", reason: "test-first implementation" },
   { legacy: "e2e", role: "tester", reason: "end-to-end testing" },
   { legacy: "review", role: "reviewer", reason: "code review" },
@@ -8444,7 +8567,10 @@ var LEGACY_ROLE_MAPPINGS = [
   { legacy: "docs", role: "docs", reason: "documentation" },
   { legacy: "database", role: "database", reason: "database work" }
 ];
-new Map(LEGACY_ROLE_MAPPINGS.map((mapping) => [mapping.legacy, mapping]));
+var LEGACY_ROLE_MAP = new Map(LEGACY_ROLE_MAPPINGS.map((mapping) => [mapping.legacy, mapping]));
+function mapLegacyAgentRole(legacyRole, fallback = "coder") {
+  return LEGACY_ROLE_MAP.get(legacyRole)?.role ?? fallback;
+}
 function assertProvenance(provenance) {
   if (!provenance.workflowRunId) {
     throw new Error("Shared workspace writes require workflowRunId provenance.");
@@ -8524,6 +8650,39 @@ var InMemorySharedWorkspaceStore = class {
     this.records = [];
   }
 };
+function evaluateAgentToolPolicy(input) {
+  const manifestEntry = input.manifest?.[input.toolName];
+  const risk = manifestEntry?.risk ?? input.capability.risk;
+  if (!input.capability.allowedTools.includes(input.toolName)) {
+    return {
+      allowed: false,
+      risk,
+      reason: `Tool '${input.toolName}' is not allowed for agent role '${input.capability.role}'.`
+    };
+  }
+  if (manifestEntry?.requiredCapability) {
+    const allowedRoles = Array.isArray(manifestEntry.requiredCapability) ? manifestEntry.requiredCapability : [manifestEntry.requiredCapability];
+    if (!allowedRoles.includes(input.capability.role)) {
+      return {
+        allowed: false,
+        risk,
+        reason: `Tool '${input.toolName}' requires role ${allowedRoles.join(", ")}.`
+      };
+    }
+  }
+  if (riskRank2(risk) > riskRank2(input.capability.risk)) {
+    return {
+      allowed: false,
+      risk,
+      reason: `Tool '${input.toolName}' risk '${risk}' exceeds agent capability risk '${input.capability.risk}'.`
+    };
+  }
+  return {
+    allowed: true,
+    risk,
+    requiresConsent: manifestEntry?.requiresConsent ?? (risk === "destructive" || risk === "secrets-sensitive")
+  };
+}
 function createAgentTraceContext(input = {}) {
   return {
     traceId: input.traceId ?? `trace-${randomUUID()}`,
@@ -8964,7 +9123,7 @@ var NULL_EVENT_LOG = {
 function graphNodeToTask(node, workflowInput) {
   return {
     id: node.id,
-    role: node.agentRole ?? "coder",
+    role: node.agentRole ?? mapLegacyAgentRole(node.id, "coder"),
     objective: node.description,
     context: {
       workflowInput,
@@ -9111,6 +9270,20 @@ function readPath(input, path38) {
     return void 0;
   }, input);
 }
+function riskRank2(risk) {
+  switch (risk) {
+    case "read-only":
+      return 0;
+    case "network":
+      return 1;
+    case "write":
+      return 2;
+    case "destructive":
+      return 3;
+    case "secrets-sensitive":
+      return 4;
+  }
+}
 function cloneUnknown(value) {
   if (value === void 0 || value === null) return value;
   try {
@@ -9136,6 +9309,206 @@ function cloneArtifact(artifact) {
   };
 }
 
+// src/runtime/agent-runner.ts
+var AgentRunner = class {
+  constructor(options = {}) {
+    this.options = options;
+  }
+  options;
+  async run(input) {
+    const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+    const trace = input.trace ?? createAgentTraceContext({ taskId: input.task.id });
+    this.options.eventLog?.record("agent.started", {
+      taskId: input.task.id,
+      role: input.task.role,
+      trace
+    });
+    try {
+      const raw = await (this.options.executor ?? defaultExecutor)({
+        task: input.task,
+        capability: input.capability,
+        trace,
+        assertToolAllowed: (toolName) => {
+          const decision = evaluateAgentToolPolicy({
+            capability: input.capability,
+            toolName,
+            manifest: input.toolRiskManifest
+          });
+          this.options.eventLog?.record("agent.tool.called", {
+            taskId: input.task.id,
+            role: input.task.role,
+            toolName,
+            decision,
+            trace
+          });
+          if (!decision.allowed) {
+            throw new Error(decision.reason ?? `Tool '${toolName}' is not allowed.`);
+          }
+        }
+      });
+      const result = normalizeAgentRunResult({
+        id: `${input.task.id}-run-${Date.now().toString(36)}`,
+        taskId: input.task.id,
+        role: input.task.role,
+        success: raw.success ?? true,
+        output: raw.output,
+        turns: raw.turns,
+        toolsUsed: raw.toolsUsed,
+        usage: {
+          inputTokens: raw.inputTokens ?? 0,
+          outputTokens: raw.outputTokens ?? 0,
+          estimated: raw.inputTokens === void 0 || raw.outputTokens === void 0
+        },
+        startedAt,
+        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        durationMs: Date.now() - Date.parse(startedAt),
+        error: raw.error,
+        metadata: { ...raw.metadata, trace }
+      });
+      this.options.eventLog?.record(result.success ? "agent.completed" : "agent.failed", {
+        taskId: input.task.id,
+        role: input.task.role,
+        agentRunId: result.id,
+        trace,
+        error: result.error
+      });
+      return result;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      const result = normalizeAgentRunResult({
+        id: `${input.task.id}-run-${Date.now().toString(36)}`,
+        taskId: input.task.id,
+        role: input.task.role,
+        success: false,
+        output: message,
+        startedAt,
+        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        durationMs: Date.now() - Date.parse(startedAt),
+        error: message,
+        metadata: { trace }
+      });
+      this.options.eventLog?.record("agent.failed", {
+        taskId: input.task.id,
+        role: input.task.role,
+        agentRunId: result.id,
+        trace,
+        error: message
+      });
+      return result;
+    }
+  }
+};
+async function defaultExecutor(context) {
+  return {
+    output: `Agent ${context.capability.role} accepted task '${context.task.objective}'.`
+  };
+}
+
+// src/runtime/runtime-agent-node-executor.ts
+var RuntimeAgentNodeExecutor = class {
+  constructor(options) {
+    this.options = options;
+    this.runner = options.runner ?? new AgentRunner(options.runnerOptions);
+  }
+  options;
+  runner;
+  execute = async (execution) => {
+    const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+    const definition = this.options.registry.getByRole(execution.task.role);
+    if (!definition) {
+      return normalizeAgentRunResult({
+        id: `${execution.workflowRunId}-${execution.node.id}-missing-definition`,
+        taskId: execution.task.id,
+        role: execution.task.role,
+        success: false,
+        output: "",
+        startedAt,
+        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        error: `No agent definition registered for role '${execution.task.role}'.`,
+        metadata: {
+          workflowRunId: execution.workflowRunId,
+          nodeId: execution.node.id,
+          trace: execution.trace
+        }
+      });
+    }
+    const blockedTool = this.findBlockedTool(definition, execution);
+    if (blockedTool) {
+      return normalizeAgentRunResult({
+        id: `${execution.workflowRunId}-${execution.node.id}-policy-blocked`,
+        taskId: execution.task.id,
+        role: execution.task.role,
+        success: false,
+        output: "",
+        startedAt,
+        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        error: blockedTool,
+        metadata: {
+          workflowRunId: execution.workflowRunId,
+          nodeId: execution.node.id,
+          agentDefinitionId: definition.id,
+          trace: execution.trace
+        }
+      });
+    }
+    const input = {
+      task: {
+        ...execution.task,
+        context: {
+          ...execution.task.context,
+          instructions: definition.instructions,
+          sharedState: execution.sharedState.readForRole(definition.role)
+        }
+      },
+      capability: definition.capability,
+      trace: execution.trace,
+      toolRiskManifest: this.options.toolRiskManifest
+    };
+    const result = await this.runner.run(input);
+    return normalizeAgentRunResult({
+      ...result,
+      metadata: {
+        ...result.metadata,
+        workflowRunId: execution.workflowRunId,
+        nodeId: execution.node.id,
+        agentDefinitionId: definition.id
+      }
+    });
+  };
+  findBlockedTool(definition, execution) {
+    for (const toolName of execution.node.requiredTools ?? []) {
+      const agentDecision = evaluateAgentToolPolicy({
+        capability: definition.capability,
+        toolName,
+        manifest: this.options.toolRiskManifest
+      });
+      execution.eventLog.record("agent.tool.called", {
+        workflowRunId: execution.workflowRunId,
+        nodeId: execution.node.id,
+        taskId: execution.task.id,
+        role: execution.task.role,
+        toolName,
+        decision: agentDecision,
+        trace: execution.trace
+      });
+      if (!agentDecision.allowed) {
+        return agentDecision.reason ?? `Tool '${toolName}' is not allowed for agent.`;
+      }
+      const runtimeDecision = evaluateRuntimeToolPolicy(this.options.runtimePolicy, {
+        toolName,
+        risk: agentDecision.risk
+      });
+      if (!runtimeDecision.allowed) {
+        return runtimeDecision.reason ?? `Tool '${toolName}' is blocked by runtime policy.`;
+      }
+    }
+    return void 0;
+  }
+};
+function createRuntimeAgentNodeExecutor(options) {
+  return new RuntimeAgentNodeExecutor(options).execute;
+}
+
 // src/runtime/workflow-registry.ts
 function cloneWorkflow(workflow) {
   return {
@@ -9465,14 +9838,22 @@ var WorkflowEngine = class {
     this.catalog = catalog;
     this.eventLog = eventLog;
     this.sharedState = options.sharedState ?? new InMemorySharedWorkspaceStore();
-    this.nodeExecutor = options.nodeExecutor;
     this.runtimePolicy = options.runtimePolicy;
+    this.runtimeContext = options.runtimeContext;
+    this.runtimeHostMode = options.runtimeHostMode ?? "local";
+    this.nodeExecutor = options.nodeExecutor ?? (options.agentDefinitionRegistry ? createRuntimeAgentNodeExecutor({
+      ...options.agentNodeExecutorOptions,
+      registry: options.agentDefinitionRegistry,
+      runtimePolicy: options.runtimePolicy
+    }) : void 0);
   }
   catalog;
   eventLog;
   handlers = /* @__PURE__ */ new Map();
   sharedState;
   runtimePolicy;
+  runtimeContext;
+  runtimeHostMode;
   nodeExecutor;
   registerHandler(workflowId, handler) {
     if (!this.catalog.get(workflowId)) {
@@ -9487,6 +9868,7 @@ var WorkflowEngine = class {
     return this.catalog.createPlan(workflowId, input, this.eventLog);
   }
   async run(request) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "workflow.run");
     const workflow = this.catalog.get(request.workflowId);
     if (!workflow) {
       throw new Error(`Unknown workflow: ${request.workflowId}`);
@@ -9606,7 +9988,14 @@ var AgentRuntime = class {
     this.model = options.model ?? options.providerConfig?.model ?? getDefaultModel(options.providerType);
     this.runtimeContext = options.runtimeContext ? createRuntimeRequestContext(options.runtimeContext) : void 0;
     this.runtimePolicy = mergeRuntimePolicy(this.runtimeContext?.policy, options.runtimePolicy);
-    this.workflowEngine = options.workflowEngine ?? createWorkflowEngine(void 0, this.eventLog, { runtimePolicy: this.runtimePolicy });
+    this.runtimeHostMode = options.runtimeHostMode ?? "local";
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "runtime.initialize");
+    this.workflowEngine = options.workflowEngine ?? createWorkflowEngine(void 0, this.eventLog, {
+      runtimePolicy: this.runtimePolicy,
+      runtimeContext: this.runtimeContext,
+      runtimeHostMode: this.runtimeHostMode,
+      agentDefinitionRegistry: options.agentDefinitionRegistry
+    });
   }
   options;
   providerRegistry;
@@ -9622,6 +10011,9 @@ var AgentRuntime = class {
   provider;
   runtimeContext;
   runtimePolicy;
+  runtimeHostMode;
+  requestTimestampsBySubject = /* @__PURE__ */ new Map();
+  activeRuns = 0;
   async initialize() {
     const providerInjected = Boolean(this.options.provider);
     const provider = this.options.provider ?? await this.providerRegistry.createProvider(this.providerType, {
@@ -9670,10 +10062,12 @@ var AgentRuntime = class {
       },
       modes: listAgentModes(),
       context: this.runtimeContext,
-      policy: this.runtimePolicy
+      policy: this.runtimePolicy,
+      hostMode: this.runtimeHostMode
     };
   }
   createSession(options = {}) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "session.create");
     const session = this.runtimeSessionStore.create({
       ...options,
       metadata: {
@@ -9697,6 +10091,27 @@ var AgentRuntime = class {
   listSessions() {
     return this.runtimeSessionStore.list();
   }
+  cleanupRetention(options = {}) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "retention.cleanup");
+    const dryRun = options.dryRun ?? true;
+    const cutoffs = createRetentionCutoffs(this.runtimePolicy, options.now);
+    const expiredSessionIds = cutoffs.conversationBefore ? this.runtimeSessionStore.list().filter((session) => session.updatedAt < cutoffs.conversationBefore).map((session) => session.id) : [];
+    const deletedSessionIds = dryRun ? [] : expiredSessionIds.filter((id) => this.runtimeSessionStore.delete(id));
+    this.eventLog.record("retention.cleanup", {
+      dryRun,
+      cutoffs,
+      expiredSessionIds,
+      deletedSessionIds,
+      tenantId: this.runtimeContext?.tenant?.id,
+      runtimeApi: true
+    });
+    return {
+      dryRun,
+      cutoffs,
+      expiredSessionIds,
+      deletedSessionIds
+    };
+  }
   async runTurn(input) {
     const provider = this.provider;
     if (!provider) {
@@ -9707,6 +10122,12 @@ var AgentRuntime = class {
       throw new Error(`Runtime session not found: ${input.sessionId}`);
     }
     const effectiveSession = input.mode && input.mode !== session.mode ? { ...session, mode: input.mode } : session;
+    assertRuntimeTurnWithinPolicy(this.runtimePolicy, {
+      subject: "turn.run",
+      currentTurns: countUserTurns(effectiveSession),
+      tenantId: this.runtimeContext?.tenant?.id
+    });
+    const releaseRuntimeRequest = this.beginRuntimeRequest("turn.run");
     this.eventLog.record("turn.started", {
       sessionId: effectiveSession.id,
       provider: this.providerType,
@@ -9723,7 +10144,13 @@ var AgentRuntime = class {
         permissionPolicy: this.permissionPolicy,
         eventLog: this.eventLog
       });
-      assertRuntimeUsageWithinPolicy(this.runtimePolicy, result.usage);
+      const estimatedCostUsd = this.estimateTurnCost(result);
+      assertRuntimeUsageWithinPolicy(this.runtimePolicy, {
+        ...result.usage,
+        estimatedCostUsd,
+        tenantId: this.runtimeContext?.tenant?.id,
+        subject: "turn.run"
+      });
       const updatedSession = this.runtimeSessionStore.update({
         ...effectiveSession,
         messages: [
@@ -9740,6 +10167,7 @@ var AgentRuntime = class {
         sessionId: updatedSession.id,
         inputTokens: result.usage.inputTokens,
         outputTokens: result.usage.outputTokens,
+        estimatedCostUsd,
         model: result.model,
         runtimeApi: true
       });
@@ -9751,6 +10179,8 @@ var AgentRuntime = class {
         runtimeApi: true
       });
       throw error;
+    } finally {
+      releaseRuntimeRequest();
     }
   }
   async *streamTurn(input) {
@@ -9763,6 +10193,12 @@ var AgentRuntime = class {
       throw new Error(`Runtime session not found: ${input.sessionId}`);
     }
     const effectiveSession = input.mode && input.mode !== session.mode ? { ...session, mode: input.mode } : session;
+    assertRuntimeTurnWithinPolicy(this.runtimePolicy, {
+      subject: "turn.stream",
+      currentTurns: countUserTurns(effectiveSession),
+      tenantId: this.runtimeContext?.tenant?.id
+    });
+    const releaseRuntimeRequest = this.beginRuntimeRequest("turn.stream");
     const messages = [
       ...effectiveSession.messages,
       {
@@ -9812,7 +10248,13 @@ var AgentRuntime = class {
         model: input.options?.model ?? this.getModel(),
         mode: effectiveSession.mode
       };
-      assertRuntimeUsageWithinPolicy(this.runtimePolicy, result.usage);
+      const estimatedCostUsd = this.estimateTurnCost(result);
+      assertRuntimeUsageWithinPolicy(this.runtimePolicy, {
+        ...result.usage,
+        estimatedCostUsd,
+        tenantId: this.runtimeContext?.tenant?.id,
+        subject: "turn.stream"
+      });
       const updatedSession = this.runtimeSessionStore.update({
         ...effectiveSession,
         messages: [
@@ -9831,6 +10273,7 @@ var AgentRuntime = class {
         sessionId: updatedSession.id,
         inputTokens: result.usage.inputTokens,
         outputTokens: result.usage.outputTokens,
+        estimatedCostUsd,
         model: result.model,
         streaming: true,
         runtimeApi: true
@@ -9860,9 +10303,11 @@ var AgentRuntime = class {
           runtimeApi: true
         });
       }
+      releaseRuntimeRequest();
     }
   }
   async executeTool(input) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "tool.execute");
     const startedAt = performance.now();
     const session = input.sessionId ? this.getSession(input.sessionId) : void 0;
     if (input.sessionId && !session) {
@@ -9973,6 +10418,7 @@ var AgentRuntime = class {
     };
   }
   assertToolAllowed(mode, toolName, input) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, "tool.assertAllowed");
     const tool = this.toolRegistry.get(toolName);
     if (!tool) {
       this.eventLog.record("tool.blocked", {
@@ -10002,7 +10448,65 @@ var AgentRuntime = class {
     });
     return allowed;
   }
+  beginRuntimeRequest(subject) {
+    assertRuntimeTenantBoundary(this.runtimeContext, this.runtimeHostMode, subject);
+    this.assertWithinRateLimit(subject);
+    this.assertWithinConcurrencyLimit(subject);
+    this.activeRuns += 1;
+    let released = false;
+    return () => {
+      if (released) return;
+      released = true;
+      this.activeRuns = Math.max(0, this.activeRuns - 1);
+    };
+  }
+  assertWithinRateLimit(subject) {
+    const maxRequestsPerMinute = this.runtimePolicy?.rateLimit?.maxRequestsPerMinute;
+    if (maxRequestsPerMinute === void 0) return;
+    const now = Date.now();
+    const windowStart = now - 6e4;
+    const key = `${this.runtimeContext?.tenant?.id ?? "global"}:${subject}`;
+    const recent = (this.requestTimestampsBySubject.get(key) ?? []).filter(
+      (timestamp) => timestamp > windowStart
+    );
+    if (recent.length >= maxRequestsPerMinute) {
+      this.requestTimestampsBySubject.set(key, recent);
+      throw new RuntimePolicyViolation({
+        code: "rate_limit_exceeded",
+        subject,
+        tenantId: this.runtimeContext?.tenant?.id,
+        policyPath: "runtimePolicy.rateLimit.maxRequestsPerMinute",
+        message: `Runtime policy rate limit exceeded: ${recent.length}/${maxRequestsPerMinute} requests per minute.`
+      });
+    }
+    recent.push(now);
+    this.requestTimestampsBySubject.set(key, recent);
+  }
+  assertWithinConcurrencyLimit(subject) {
+    const maxConcurrentRuns = this.runtimePolicy?.rateLimit?.maxConcurrentRuns;
+    if (maxConcurrentRuns === void 0) return;
+    if (this.activeRuns >= maxConcurrentRuns) {
+      throw new RuntimePolicyViolation({
+        code: "concurrency_limit_exceeded",
+        subject,
+        tenantId: this.runtimeContext?.tenant?.id,
+        policyPath: "runtimePolicy.rateLimit.maxConcurrentRuns",
+        message: `Runtime policy concurrency limit exceeded: ${this.activeRuns}/${maxConcurrentRuns} active runs.`
+      });
+    }
+  }
+  estimateTurnCost(result) {
+    return estimateCost(
+      result.model,
+      result.usage.inputTokens,
+      result.usage.outputTokens,
+      this.providerType
+    ).totalCost;
+  }
 };
+function countUserTurns(session) {
+  return session.messages.filter((message) => message.role === "user").length;
+}
 async function createAgentRuntime(options) {
   const runtime = new AgentRuntime(options);
   await runtime.initialize();