@desplega.ai/agent-swarm 1.80.0 → 1.80.1

package/src/providers/claude-adapter.ts

@@ -541,8 +541,29 @@ class ClaudeSession implements ProviderSession {
       // Tool use from assistant messages — emit tool_start for auto-progress
       if (json.type === "assistant" && json.message) {
         const message = json.message as {
-          content?: Array<{ type: string; name?: string; id?: string; input?: unknown }>;
+          content?: Array<{
+            type: string;
+            name?: string;
+            id?: string;
+            input?: unknown;
+            text?: string;
+          }>;
         };
+
+        // Emit a `message` event BEFORE any tool_start events for this turn.
+        // The runner uses this as an "assistant turn boundary" to implicit-close
+        // any worker.tool spans left open by the previous turn (the Claude CLI
+        // doesn't emit per-tool completion events for harness-side tools like
+        // Bash/Read/Edit, so without this boundary their spans would stay open
+        // until session shutdown and report inflated duration_ms).
+        const text = Array.isArray(message.content)
+          ? message.content
+              .filter((b) => b.type === "text" && typeof b.text === "string")
+              .map((b) => b.text as string)
+              .join("")
+          : "";
+        this.emit({ type: "message", role: "assistant", content: text });
+
         if (message.content) {
           for (const block of message.content) {
             if (block.type === "tool_use" && block.name) {

package/src/scripts-runtime/ctx.ts

@@ -0,0 +1,23 @@
+import { stdlib } from "./stdlib";
+import type { SwarmConfig } from "./swarm-config";
+import { createSwarmSdk } from "./swarm-sdk";
+
+export type RuntimeCtx = {
+  swarm: Record<string, unknown> & { config: SwarmConfig };
+  stdlib: typeof stdlib;
+  logger: {
+    log: (...args: unknown[]) => void;
+    warn: (...args: unknown[]) => void;
+    error: (...args: unknown[]) => void;
+  };
+};
+
+export function buildCtx({ swarmConfig }: { swarmConfig: SwarmConfig }): RuntimeCtx {
+  const swarm = createSwarmSdk(swarmConfig) as Record<string, unknown> & { config: SwarmConfig };
+  swarm.config = swarmConfig;
+  return {
+    swarm,
+    stdlib,
+    logger: console,
+  };
+}

package/src/scripts-runtime/eval-harness.ts

@@ -0,0 +1,39 @@
+import { buildCtx } from "./ctx";
+import type { SwarmConfigPayload } from "./executors/types";
+import { SwarmConfig } from "./swarm-config";
+
+function requiredEnv(name: string): string {
+  const value = process.env[name];
+  if (!value) throw new Error(`Missing required env ${name}`);
+  return value;
+}
+
+try {
+  const stdin = await Bun.stdin.text();
+  if (!stdin.trim()) {
+    console.error("Swarm script config payload was empty");
+    process.exit(2);
+  }
+
+  const payload = JSON.parse(stdin) as SwarmConfigPayload;
+  const swarmConfig = new SwarmConfig(payload);
+  const rawArgs = JSON.parse(await Bun.file(requiredEnv("SWARM_SCRIPT_ARGS_FILE")).text());
+  // Accept both shapes: callers may pass an already-serialized JSON string.
+  const parsedArgs = typeof rawArgs === "string" ? JSON.parse(rawArgs) : rawArgs;
+  const ctx = buildCtx({ swarmConfig });
+
+  const sourceText = await Bun.file(requiredEnv("SWARM_SCRIPT_SOURCE_FILE")).text();
+  const userModulePath = `${requiredEnv("SWARM_SCRIPT_TMPDIR")}/user-script.ts`;
+  await Bun.write(userModulePath, sourceText);
+
+  const mod = await import(userModulePath);
+  if (typeof mod.default !== "function") {
+    throw new Error("Swarm script must export a default function");
+  }
+
+  const result = await mod.default(parsedArgs, ctx);
+  await Bun.write(requiredEnv("SWARM_SCRIPT_RESULT_FILE"), JSON.stringify(result ?? null));
+} catch (error) {
+  console.error(error instanceof Error ? error.stack || error.message : String(error));
+  process.exit(1);
+}

package/src/scripts-runtime/executors/native.ts

@@ -0,0 +1,229 @@
+import type { ExecutorInput, ExecutorOutput, ScriptExecutor, ScriptExecutorError } from "./types";
+
+type CappedText = { text: string; truncated: boolean };
+
+function makeUnsupportedOutput(stderr: string): ExecutorOutput {
+  return {
+    result: undefined,
+    stdout: "",
+    stderr,
+    truncated: { stdout: false, stderr: false },
+    durationMs: 0,
+    exitCode: 1,
+    error: "executor_error",
+  };
+}
+
+async function readCapped(
+  stream: ReadableStream<Uint8Array> | null,
+  maxBytes: number,
+): Promise<CappedText> {
+  if (!stream) return { text: "", truncated: false };
+  const reader = stream.getReader();
+  const chunks: Uint8Array[] = [];
+  let total = 0;
+  let truncated = false;
+
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    if (!value) continue;
+
+    const remaining = maxBytes - total;
+    if (remaining > 0) {
+      const accepted = value.byteLength > remaining ? value.slice(0, remaining) : value;
+      chunks.push(accepted);
+      total += accepted.byteLength;
+    }
+    if (value.byteLength > remaining) truncated = true;
+  }
+
+  return { text: new TextDecoder().decode(Buffer.concat(chunks)), truncated };
+}
+
+function classifyExit(
+  exitCode: number,
+  timedOut: boolean,
+  killed: boolean,
+): ScriptExecutorError | undefined {
+  if (timedOut) return "timeout";
+  if (killed) return "killed";
+  if (exitCode === 0) return undefined;
+  if (exitCode === 137 || exitCode === 9) return "killed";
+  return "eval_error";
+}
+
+async function readResultFile(path: string): Promise<unknown | undefined> {
+  const file = Bun.file(path);
+  if (!(await file.exists())) return undefined;
+  const text = await file.text();
+  if (!text) return undefined;
+  return JSON.parse(text);
+}
+
+async function writeBareImportShim(tmpdir: string, name: string, targetUrl: URL): Promise<void> {
+  const dir = `${tmpdir}/node_modules/${name}`;
+  await Bun.$`mkdir -p ${dir}`;
+  await Bun.write(`${dir}/package.json`, JSON.stringify({ type: "module", main: "index.ts" }));
+  await Bun.write(`${dir}/index.ts`, `export * from ${JSON.stringify(targetUrl.href)};\n`);
+}
+
+async function writeBareImportShims(tmpdir: string): Promise<void> {
+  const runtimeDir = process.env.SCRIPT_RUNTIME_DIR;
+  if (runtimeDir) {
+    // Compiled binary mode: use pre-built bundles on real filesystem.
+    // import.meta.url resolves to /$bunfs/ which spawned subprocesses can't access.
+    const shims: [string, string][] = [
+      ["stdlib", `${runtimeDir}/stdlib.bundle.js`],
+      ["swarm-sdk", `${runtimeDir}/swarm-sdk.bundle.js`],
+    ];
+    for (const [name, bundlePath] of shims) {
+      const dir = `${tmpdir}/node_modules/${name}`;
+      await Bun.$`mkdir -p ${dir}`;
+      await Bun.write(`${dir}/package.json`, JSON.stringify({ type: "module", main: "index.js" }));
+      await Bun.write(
+        `${dir}/index.js`,
+        `export * from ${JSON.stringify(`file://${bundlePath}`)};\n`,
+      );
+    }
+    return;
+  }
+  await writeBareImportShim(tmpdir, "stdlib", new URL("../stdlib/index.ts", import.meta.url));
+  await writeBareImportShim(tmpdir, "swarm-sdk", new URL("../swarm-sdk.ts", import.meta.url));
+}
+
+function harnessCommand(harnessPath: string, input: ExecutorInput): string[] {
+  if (process.platform === "win32") {
+    return ["bun", "run", harnessPath];
+  }
+
+  // Bun's Linux runtime reserves several GB of virtual address space at startup.
+  // A lower RLIMIT_AS kills the harness before user code runs, so keep vmem as
+  // a coarse guard and rely on the tighter CPU/proc/fd/file/output caps for v1.
+  const virtualMemoryMb = Math.max(input.resources.memoryMb, 4096);
+  const shellQuote = (value: string) => `'${value.replaceAll("'", "'\\''")}'`;
+  const ulimits = [
+    `ulimit -v ${Math.floor(virtualMemoryMb * 1024)} 2>/dev/null || true`,
+    `ulimit -t ${input.resources.cpuTimeSec} 2>/dev/null || true`,
+    `ulimit -u ${input.resources.maxProcs} 2>/dev/null || true`,
+    `ulimit -f ${Math.floor(input.resources.maxFileBytes / 1024)} 2>/dev/null || true`,
+    `ulimit -n ${input.resources.maxFdCount} 2>/dev/null || true`,
+  ].join("; ");
+  const harness = shellQuote(harnessPath);
+  return [
+    "sh",
+    "-c",
+    `${ulimits}; exec env -i PATH="$PATH" HOME="$HOME" LANG="$LANG" LC_ALL="$LC_ALL" TMPDIR="$TMPDIR" SWARM_SCRIPT_TMPDIR="$SWARM_SCRIPT_TMPDIR" SWARM_SCRIPT_ARGS_FILE="$SWARM_SCRIPT_ARGS_FILE" SWARM_SCRIPT_SOURCE_FILE="$SWARM_SCRIPT_SOURCE_FILE" SWARM_SCRIPT_RESULT_FILE="$SWARM_SCRIPT_RESULT_FILE" bun run ${harness}`,
+  ];
+}
+
+export class NativeScriptExecutor implements ScriptExecutor {
+  readonly name = "native";
+
+  async run(input: ExecutorInput): Promise<ExecutorOutput> {
+    if (input.fsMode === "workspace-rw") {
+      return makeUnsupportedOutput("workspace-rw not supported by native executor in v1");
+    }
+
+    const start = Date.now();
+    const tmpdir = `${process.env.TMPDIR ?? "/tmp"}/swarm-script-${crypto.randomUUID()}`;
+    await Bun.$`mkdir -p ${tmpdir}`;
+
+    const argsFile = `${tmpdir}/args.json`;
+    const sourceFile = `${tmpdir}/source.ts`;
+    const resultFile = `${tmpdir}/result.json`;
+    // In compiled binary mode, import.meta.url points into /$bunfs/ which spawned
+    // subprocesses cannot access. Use the pre-built bundle from real filesystem instead.
+    const harnessPath = process.env.SCRIPT_RUNTIME_DIR
+      ? `${process.env.SCRIPT_RUNTIME_DIR}/eval-harness.bundle.js`
+      : new URL("../eval-harness.ts", import.meta.url).pathname;
+    const controller = new AbortController();
+    let timedOut = false;
+    let killed = input.signal?.aborted ?? false;
+    let removeAbortListener: (() => void) | undefined;
+
+    try {
+      if (killed) {
+        return {
+          result: undefined,
+          stdout: "",
+          stderr: "",
+          truncated: { stdout: false, stderr: false },
+          durationMs: Date.now() - start,
+          exitCode: 1,
+          error: "killed",
+        };
+      }
+
+      await Bun.write(argsFile, JSON.stringify(input.args ?? null));
+      await Bun.write(sourceFile, input.source);
+      await writeBareImportShims(tmpdir);
+
+      const onExternalAbort = () => {
+        killed = true;
+        controller.abort();
+      };
+      input.signal?.addEventListener("abort", onExternalAbort, { once: true });
+      removeAbortListener = () => input.signal?.removeEventListener("abort", onExternalAbort);
+
+      const timeout = setTimeout(() => {
+        timedOut = true;
+        controller.abort();
+      }, input.resources.wallClockMs);
+
+      const proc = Bun.spawn(harnessCommand(harnessPath, input), {
+        env: {
+          PATH: process.env.PATH ?? "/usr/bin:/bin",
+          HOME: process.env.HOME ?? "/tmp",
+          LANG: process.env.LANG ?? "C.UTF-8",
+          LC_ALL: process.env.LC_ALL ?? "C.UTF-8",
+          TMPDIR: tmpdir,
+          SWARM_SCRIPT_TMPDIR: tmpdir,
+          SWARM_SCRIPT_ARGS_FILE: argsFile,
+          SWARM_SCRIPT_SOURCE_FILE: sourceFile,
+          SWARM_SCRIPT_RESULT_FILE: resultFile,
+        },
+        cwd: tmpdir,
+        stdin: "pipe",
+        stdout: "pipe",
+        stderr: "pipe",
+        signal: controller.signal,
+      });
+
+      proc.stdin.write(JSON.stringify(input.configPayload));
+      proc.stdin.end();
+
+      const [stdout, stderr, exitCode] = await Promise.all([
+        readCapped(proc.stdout, input.resources.maxStdoutBytes),
+        readCapped(proc.stderr, input.resources.maxStdoutBytes),
+        proc.exited.catch(() => (timedOut ? 124 : 1)),
+      ]).finally(() => clearTimeout(timeout));
+
+      const result = exitCode === 0 ? await readResultFile(resultFile) : undefined;
+      const error = classifyExit(exitCode, timedOut, killed);
+
+      return {
+        result,
+        stdout: stdout.text,
+        stderr: stderr.text,
+        truncated: { stdout: stdout.truncated, stderr: stderr.truncated },
+        durationMs: Date.now() - start,
+        exitCode,
+        ...(error ? { error } : {}),
+      };
+    } catch (error) {
+      return {
+        result: undefined,
+        stdout: "",
+        stderr: error instanceof Error ? error.message : String(error),
+        truncated: { stdout: false, stderr: false },
+        durationMs: Date.now() - start,
+        exitCode: 1,
+        error: timedOut ? "timeout" : killed ? "killed" : "executor_error",
+      };
+    } finally {
+      removeAbortListener?.();
+      await Bun.$`rm -rf ${tmpdir}`;
+    }
+  }
+}

package/src/scripts-runtime/executors/registry.ts

@@ -0,0 +1,16 @@
+import { NativeScriptExecutor } from "./native";
+import type { ScriptExecutor } from "./types";
+
+const EXECUTORS: Record<string, () => ScriptExecutor> = {
+  native: () => new NativeScriptExecutor(),
+};
+
+export function getScriptExecutor(name = process.env.SCRIPT_EXECUTOR ?? "native"): ScriptExecutor {
+  const factory = EXECUTORS[name];
+  if (!factory) {
+    throw new Error(
+      `Unknown SCRIPT_EXECUTOR: ${name}. Available: ${Object.keys(EXECUTORS).join(", ")}`,
+    );
+  }
+  return factory();
+}

package/src/scripts-runtime/executors/types.ts

@@ -0,0 +1,63 @@
+export type ScriptFsMode = "none" | "workspace-rw";
+
+export type SwarmConfigPayload = {
+  system: {
+    apiKey: { value: string; isSecret: true };
+    agentId: { value: string; isSecret: false };
+    mcpBaseUrl: { value: string; isSecret: false };
+  };
+  user: Record<string, { value: string; isSecret: boolean }>;
+};
+
+export type ScriptResourcePolicy = {
+  memoryMb: number;
+  cpuTimeSec: number;
+  wallClockMs: number;
+  maxProcs: number;
+  maxFdCount: number;
+  maxFileBytes: number;
+  maxStdoutBytes: number;
+};
+
+export type ExecutorInput = {
+  source: string;
+  args: unknown;
+  configPayload: SwarmConfigPayload;
+  resources: ScriptResourcePolicy;
+  fsMode: ScriptFsMode;
+  network: "open" | { allowlist: string[] };
+  signal?: AbortSignal;
+};
+
+export type ScriptExecutorError =
+  | "timeout"
+  | "oom"
+  | "killed"
+  | "import_violation"
+  | "eval_error"
+  | "executor_error";
+
+export type ExecutorOutput = {
+  result: unknown | undefined;
+  stdout: string;
+  stderr: string;
+  truncated: { stdout: boolean; stderr: boolean };
+  durationMs: number;
+  exitCode: number;
+  error?: ScriptExecutorError;
+};
+
+export interface ScriptExecutor {
+  readonly name: string;
+  run(input: ExecutorInput): Promise<ExecutorOutput>;
+}
+
+export const DEFAULT_SCRIPT_RESOURCES: ScriptResourcePolicy = {
+  memoryMb: 512,
+  cpuTimeSec: 60,
+  wallClockMs: 30_000,
+  maxProcs: 32,
+  maxFdCount: 64,
+  maxFileBytes: 64_000_000,
+  maxStdoutBytes: 1_048_576,
+};

package/src/scripts-runtime/extract-signature.ts

@@ -0,0 +1,81 @@
+import ts from "typescript";
+
+export type ScriptSignature = {
+  argsType: string;
+  resultType: string;
+  description: string;
+};
+
+const FALLBACK_SIGNATURE: ScriptSignature = {
+  argsType: "unknown",
+  resultType: "unknown",
+  description: "",
+};
+
+function getJsDocDescription(node: ts.Node, sourceFile: ts.SourceFile): string {
+  const comments = ts.getJSDocCommentsAndTags(node);
+  const comment = comments.find(ts.isJSDoc);
+  if (!comment?.comment) return "";
+  if (typeof comment.comment === "string") return comment.comment;
+  return comment.comment.map((part) => part.getText(sourceFile)).join("");
+}
+
+function unwrapPromise(typeText: string): string {
+  const trimmed = typeText.trim();
+  if (trimmed.startsWith("Promise<") && trimmed.endsWith(">")) {
+    return trimmed.slice("Promise<".length, -1).trim();
+  }
+  return trimmed;
+}
+
+function fromFunctionLike(
+  node: ts.FunctionLikeDeclarationBase,
+  sourceFile: ts.SourceFile,
+): ScriptSignature {
+  const [firstParam] = node.parameters;
+  return {
+    argsType: firstParam?.type?.getText(sourceFile) ?? "unknown",
+    resultType: unwrapPromise(node.type?.getText(sourceFile) ?? "unknown"),
+    description: getJsDocDescription(node, sourceFile),
+  };
+}
+
+function isExportDefault(node: ts.Node): boolean {
+  return (
+    ts.canHaveModifiers(node) &&
+    (ts.getModifiers(node) ?? []).some((modifier) => modifier.kind === ts.SyntaxKind.DefaultKeyword)
+  );
+}
+
+export function extractScriptSignature(source: string): ScriptSignature {
+  try {
+    const sourceFile = ts.createSourceFile(
+      "user-script.ts",
+      source,
+      ts.ScriptTarget.Latest,
+      true,
+      ts.ScriptKind.TS,
+    );
+    const parseDiagnostics = (
+      sourceFile as ts.SourceFile & { parseDiagnostics?: readonly ts.Diagnostic[] }
+    ).parseDiagnostics;
+    if (parseDiagnostics && parseDiagnostics.length > 0) return FALLBACK_SIGNATURE;
+
+    for (const statement of sourceFile.statements) {
+      if (ts.isFunctionDeclaration(statement) && isExportDefault(statement)) {
+        return fromFunctionLike(statement, sourceFile);
+      }
+
+      if (ts.isExportAssignment(statement)) {
+        const expression = statement.expression;
+        if (ts.isArrowFunction(expression) || ts.isFunctionExpression(expression)) {
+          return fromFunctionLike(expression, sourceFile);
+        }
+      }
+    }
+  } catch {
+    return FALLBACK_SIGNATURE;
+  }
+
+  return FALLBACK_SIGNATURE;
+}

package/src/scripts-runtime/import-allowlist.ts

@@ -0,0 +1,109 @@
+import ts from "typescript";
+
+const ALLOWED_BARE_IMPORTS = new Set(["swarm-sdk", "stdlib"]);
+const FORBIDDEN_HINTS = new Set(["node:", "bun:", "fs", "child_process", "crypto", "bun:sqlite"]);
+
+export type ImportAllowlistResult =
+  | { ok: true }
+  | { ok: false; diagnostic: string; imports: string[] };
+
+function isRelative(specifier: string): boolean {
+  return specifier.startsWith("./") || specifier.startsWith("../");
+}
+
+function isAllowed(specifier: string): boolean {
+  return isRelative(specifier) || ALLOWED_BARE_IMPORTS.has(specifier);
+}
+
+function collectImportSpecifiers(source: string): string[] {
+  const sourceFile = ts.createSourceFile(
+    "user-script.ts",
+    source,
+    ts.ScriptTarget.Latest,
+    true,
+    ts.ScriptKind.TS,
+  );
+  const imports: string[] = [];
+
+  const visit = (node: ts.Node) => {
+    if (ts.isImportDeclaration(node) || ts.isExportDeclaration(node)) {
+      const moduleSpecifier = node.moduleSpecifier;
+      if (moduleSpecifier && ts.isStringLiteral(moduleSpecifier))
+        imports.push(moduleSpecifier.text);
+    }
+
+    if (ts.isCallExpression(node) && node.expression.kind === ts.SyntaxKind.ImportKeyword) {
+      const [arg] = node.arguments;
+      if (arg && ts.isStringLiteral(arg)) imports.push(arg.text);
+    }
+
+    ts.forEachChild(node, visit);
+  };
+
+  visit(sourceFile);
+  return imports;
+}
+
+function findForbiddenDynamicCode(source: string): string | null {
+  const sourceFile = ts.createSourceFile(
+    "user-script.ts",
+    source,
+    ts.ScriptTarget.Latest,
+    true,
+    ts.ScriptKind.TS,
+  );
+  let diagnostic: string | null = null;
+
+  const visit = (node: ts.Node) => {
+    if (diagnostic) return;
+
+    if (
+      ts.isCallExpression(node) &&
+      node.expression.kind === ts.SyntaxKind.Identifier &&
+      node.expression.getText(sourceFile) === "eval"
+    ) {
+      diagnostic = "eval is not allowed in swarm scripts";
+      return;
+    }
+
+    if (
+      ts.isNewExpression(node) &&
+      node.expression.kind === ts.SyntaxKind.Identifier &&
+      node.expression.getText(sourceFile) === "Function"
+    ) {
+      diagnostic = "Function constructor is not allowed in swarm scripts";
+      return;
+    }
+
+    if (
+      ts.isCallExpression(node) &&
+      node.expression.kind === ts.SyntaxKind.Identifier &&
+      node.expression.getText(sourceFile) === "Function"
+    ) {
+      diagnostic = "Function constructor is not allowed in swarm scripts";
+      return;
+    }
+
+    ts.forEachChild(node, visit);
+  };
+
+  visit(sourceFile);
+  return diagnostic;
+}
+
+export function validateScriptImports(source: string): ImportAllowlistResult {
+  const dynamicDiagnostic = findForbiddenDynamicCode(source);
+  if (dynamicDiagnostic) return { ok: false, diagnostic: dynamicDiagnostic, imports: [] };
+
+  const imports = collectImportSpecifiers(source);
+  const rejected = imports.filter((specifier) => !isAllowed(specifier));
+  if (rejected.length === 0) return { ok: true };
+
+  const hint = rejected.find(
+    (specifier) => FORBIDDEN_HINTS.has(specifier) || specifier.startsWith("node:"),
+  );
+  const reason = hint
+    ? `Import '${hint}' is not allowed in swarm scripts`
+    : `Import '${rejected[0]}' is not on the swarm script allowlist`;
+  return { ok: false, diagnostic: reason, imports: rejected };
+}

package/src/scripts-runtime/loader.ts

@@ -0,0 +1,96 @@
+import { getApiKey } from "../utils/api-key";
+import { scrubObject, scrubSecrets } from "../utils/secret-scrubber";
+import { getScriptExecutor } from "./executors/registry";
+import {
+  DEFAULT_SCRIPT_RESOURCES,
+  type ExecutorOutput,
+  type ScriptFsMode,
+  type ScriptResourcePolicy,
+  type SwarmConfigPayload,
+} from "./executors/types";
+import { validateScriptImports } from "./import-allowlist";
+
+export type RunScriptInput = {
+  source: string;
+  args?: unknown;
+  fsMode?: ScriptFsMode;
+  agentId: string;
+  signal?: AbortSignal;
+  timeoutMs?: number;
+  mcpBaseUrl?: string;
+  resources?: Partial<ScriptResourcePolicy>;
+  userConfig?: Record<string, { value: string; isSecret: boolean }>;
+};
+
+export type RunScriptOutput = Omit<ExecutorOutput, "result" | "stdout" | "stderr"> & {
+  result: unknown | undefined;
+  stdout: string;
+  stderr: string;
+};
+
+function buildConfigPayload(input: RunScriptInput): SwarmConfigPayload {
+  const apiKey = getApiKey();
+  if (!apiKey) throw new Error("Swarm API key is required to run scripts");
+
+  return {
+    system: {
+      apiKey: { value: apiKey, isSecret: true },
+      agentId: { value: input.agentId, isSecret: false },
+      mcpBaseUrl: {
+        value: input.mcpBaseUrl ?? process.env.MCP_BASE_URL ?? "http://localhost:3013",
+        isSecret: false,
+      },
+    },
+    user: input.userConfig ?? {},
+  };
+}
+
+export async function runScript(input: RunScriptInput): Promise<RunScriptOutput> {
+  if (input.fsMode === "workspace-rw") {
+    return {
+      result: undefined,
+      stdout: "",
+      stderr: "workspace-rw not supported in scripts-runtime v1",
+      truncated: { stdout: false, stderr: false },
+      durationMs: 0,
+      exitCode: 1,
+      error: "executor_error",
+    };
+  }
+
+  const imports = validateScriptImports(input.source);
+  if (!imports.ok) {
+    return {
+      result: undefined,
+      stdout: "",
+      stderr: imports.diagnostic,
+      truncated: { stdout: false, stderr: false },
+      durationMs: 0,
+      exitCode: 1,
+      error: "import_violation",
+    };
+  }
+
+  const resources = {
+    ...DEFAULT_SCRIPT_RESOURCES,
+    ...input.resources,
+    ...(input.timeoutMs ? { wallClockMs: input.timeoutMs } : {}),
+  };
+
+  const output = await getScriptExecutor().run({
+    source: input.source,
+    args: input.args ?? null,
+    configPayload: buildConfigPayload(input),
+    resources,
+    fsMode: input.fsMode ?? "none",
+    network: "open",
+    signal: input.signal,
+  });
+
+  return {
+    ...output,
+    result: scrubObject(output.result),
+    stdout: scrubSecrets(output.stdout),
+    stderr: scrubSecrets(output.stderr),
+  };
+}