@exaudeus/workrail 0.16.0 → 0.17.0

package/dist/di/container.js

@@ -181,6 +181,7 @@ async function registerV2Services() {
     const { NodeBase64UrlV2 } = await Promise.resolve().then(() => __importStar(require('../v2/infra/local/base64url/index.js')));
     const { NodeRandomEntropyV2 } = await Promise.resolve().then(() => __importStar(require('../v2/infra/local/random-entropy/index.js')));
     const { NodeTimeClockV2 } = await Promise.resolve().then(() => __importStar(require('../v2/infra/local/time-clock/index.js')));
+    const { IdFactoryV2 } = await Promise.resolve().then(() => __importStar(require('../v2/infra/local/id-factory/index.js')));
     tsyringe_1.container.register(tokens_js_1.DI.V2.DataDir, {
         useFactory: (0, tsyringe_1.instanceCachingFactory)(() => new LocalDataDirV2(process.env)),
     });
@@ -205,6 +206,12 @@ async function registerV2Services() {
     tsyringe_1.container.register(tokens_js_1.DI.V2.TimeClock, {
         useFactory: (0, tsyringe_1.instanceCachingFactory)(() => new NodeTimeClockV2()),
     });
+    tsyringe_1.container.register(tokens_js_1.DI.V2.IdFactory, {
+        useFactory: (0, tsyringe_1.instanceCachingFactory)((c) => {
+            const entropy = c.resolve(tokens_js_1.DI.V2.RandomEntropy);
+            return new IdFactoryV2(entropy);
+        }),
+    });
     const { LocalKeyringV2 } = await Promise.resolve().then(() => __importStar(require('../v2/infra/local/keyring/index.js')));
     const { LocalSessionEventLogStoreV2 } = await Promise.resolve().then(() => __importStar(require('../v2/infra/local/session-store/index.js')));
     const { LocalSnapshotStoreV2 } = await Promise.resolve().then(() => __importStar(require('../v2/infra/local/snapshot-store/index.js')));

package/dist/di/tokens.d.ts

@@ -30,6 +30,7 @@ export declare const DI: {
         readonly Base64Url: symbol;
         readonly RandomEntropy: symbol;
         readonly TimeClock: symbol;
+        readonly IdFactory: symbol;
         readonly Keyring: symbol;
         readonly SessionStore: symbol;
         readonly SnapshotStore: symbol;

package/dist/di/tokens.js

@@ -33,6 +33,7 @@ exports.DI = {
         Base64Url: Symbol('V2.Base64Url'),
         RandomEntropy: Symbol('V2.RandomEntropy'),
         TimeClock: Symbol('V2.TimeClock'),
+        IdFactory: Symbol('V2.IdFactory'),
         Keyring: Symbol('V2.Keyring'),
         SessionStore: Symbol('V2.SessionStore'),
         SnapshotStore: Symbol('V2.SnapshotStore'),

package/dist/manifest.json

@@ -254,16 +254,16 @@
       "bytes": 565
     },
     "di/container.js": {
-      "sha256": "ab2e782ae89f52655598140677903c37257ee14d15dab77fcaa2ca43afb9a260",
-      "bytes": 18492
+      "sha256": "200c41528c64e4e8cf0e04046bfd254cdbe0900c157be2dfd8c302a4a096d193",
+      "bytes": 18890
     },
     "di/tokens.d.ts": {
-      "sha256": "2be51a547ab9bfdd2026e7e9cfdc79ee693ad5454fa3dd773e72659a49837fde",
-      "bytes": 1846
+      "sha256": "3b9e46e178107ad65575350da5d99c238e7a4389d3537e67ff516a04df1191fe",
+      "bytes": 1882
     },
     "di/tokens.js": {
-      "sha256": "a8774e7c93f07a829d4770b33f6aef663cc68a055ed88236a085f553bf161297",
-      "bytes": 2284
+      "sha256": "aa90a1af7eba9941663beeeb13a25e2f3ba877ba37cb786bac46b468cc840f1b",
+      "bytes": 2327
     },
     "domain/execution/error.d.ts": {
       "sha256": "2eac85c42ec399a23724f868641eeadd0d196b4d324ee4caaff82a6b46155bd9",
@@ -534,8 +534,8 @@
       "bytes": 399
     },
     "mcp/handlers/v2-execution.js": {
-      "sha256": "58502dd04d88634578de5e32af45fc1671e2decc90b8eb9d8a6819a37b9d1bce",
-      "bytes": 52776
+      "sha256": "4f3f7d9009007a6795e2dfe998165722f660354323f7e856b26f1a7f62a136be",
+      "bytes": 53400
     },
     "mcp/handlers/v2-workflow.d.ts": {
       "sha256": "9fbd4d44854e2060c54982b21e72c608970bb2bd107bb15a8388b26c6b492e55",
@@ -574,8 +574,8 @@
       "bytes": 168
     },
     "mcp/server.js": {
-      "sha256": "cf128711a6d74bb604653431c9e3bac4fac9fed94bd4da8326438e86809501e3",
-      "bytes": 13866
+      "sha256": "f6bc4b1f3416d03add7b715a5bdae7955a877eae8008c0d2f8b8490dd8ae5708",
+      "bytes": 14097
     },
     "mcp/tool-description-provider.d.ts": {
       "sha256": "1d46abc3112e11b68e57197e846f5708293ec9b2281fa71a9124ee2aad71e41b",
@@ -610,8 +610,8 @@
       "bytes": 8020
     },
     "mcp/types.d.ts": {
-      "sha256": "4ab4a4af1eeedf9ba9bcdc70476a5adcc24ce05b3d7d715d70979052b1eb7246",
-      "bytes": 3473
+      "sha256": "3b7d7d7d30d65cd22b47bc9d559820b3f51984476fce11d4f3b6d820e2ce1eb8",
+      "bytes": 3683
     },
     "mcp/types.js": {
       "sha256": "0c12576fd0053115ff096fe26b38f77f1e830b7ec4781aaf94564827c4c9e81a",
@@ -993,6 +993,22 @@
       "sha256": "ae16a0df03c3dec30e9ffca0066b6148568966f6660a3c660f82853e077a0cbd",
       "bytes": 817
     },
+    "v2/durable-core/encoding/base32-lower.d.ts": {
+      "sha256": "849ef1984db20984f1fce7f40b15d3680c888e01411932d30af6fae4d2132a67",
+      "bytes": 175
+    },
+    "v2/durable-core/encoding/base32-lower.js": {
+      "sha256": "9065da38936496a34c2808388b5fb68d8aaac6bd3f0f05de184abc101e07c419",
+      "bytes": 934
+    },
+    "v2/durable-core/ids/attempt-id-derivation.d.ts": {
+      "sha256": "baee295f114d8d4a74e9fa529e7c72d458a7c7244f50fad9ebbaea06c57dfe92",
+      "bytes": 207
+    },
+    "v2/durable-core/ids/attempt-id-derivation.js": {
+      "sha256": "c13da44f23890d85edfb64a471f4f4817e973a63b41287d79144a3c9c6a5dcea",
+      "bytes": 1309
+    },
     "v2/durable-core/ids/index.d.ts": {
       "sha256": "5525efc423ad30635996907f7560f53559e49e33a64411a684370ebd1ae56410",
       "bytes": 1792
@@ -1134,8 +1150,8 @@
       "bytes": 6756
     },
     "v2/durable-core/tokens/payloads.js": {
-      "sha256": "f1026ba47d9b2e0ab3bbec47aa9e8afd5695805f6f4a83ecddd4610616ea4def",
-      "bytes": 2343
+      "sha256": "24978999201e0413cb193e1fee2b9977335ecaa9e2170b901358c9119fac6c3a",
+      "bytes": 2479
     },
     "v2/durable-core/tokens/token-codec.d.ts": {
       "sha256": "44bd65c6102b3aa5fcd82d2854f5466263a20c0b9cbd31aa25f169dfeed8e045",
@@ -1193,6 +1209,14 @@
       "sha256": "11917c1d29f34efcd7139f5573067ad20a4093a1c5190e6069ccdc25acf53f24",
       "bytes": 578
     },
+    "v2/infra/local/id-factory/index.d.ts": {
+      "sha256": "ffcbdcce6a9c6a93c2703e0d844f84fef59e6ef8a3f657d50750e885b88e879b",
+      "bytes": 432
+    },
+    "v2/infra/local/id-factory/index.js": {
+      "sha256": "bd7d8cde4fb63b299f11ff51721c9b468c887856d581e95867bbbee6547642e4",
+      "bytes": 1044
+    },
     "v2/infra/local/keyring/index.d.ts": {
       "sha256": "e8698dab64327f994bf78e1a6c30131062d8418847417610e6b071ce7e873763",
       "bytes": 932

package/dist/mcp/handlers/v2-execution.js

@@ -36,7 +36,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.handleV2StartWorkflow = handleV2StartWorkflow;
 exports.handleV2ContinueWorkflow = handleV2ContinueWorkflow;
 const os = __importStar(require("os"));
-const crypto_1 = require("crypto");
 const types_js_1 = require("../types.js");
 const output_schemas_js_1 = require("../output-schemas.js");
 const snapshot_state_js_1 = require("../../v2/durable-core/projections/snapshot-state.js");
@@ -45,6 +44,7 @@ const index_js_1 = require("../../v2/durable-core/tokens/index.js");
 const index_js_2 = require("../../v2/durable-core/tokens/index.js");
 const workflow_js_1 = require("../../types/workflow.js");
 const index_js_3 = require("../../v2/durable-core/ids/index.js");
+const attempt_id_derivation_js_1 = require("../../v2/durable-core/ids/attempt-id-derivation.js");
 const neverthrow_1 = require("neverthrow");
 const v1_to_v2_shim_js_1 = require("../../v2/read-only/v1-to-v2-shim.js");
 const hashing_js_1 = require("../../v2/durable-core/canonical/hashing.js");
@@ -238,7 +238,7 @@ function mapInternalErrorToToolError(e) {
     }
 }
 function replayFromRecordedAdvance(args) {
-    const { recordedEvent, truth, sessionId, runId, nodeId, workflowHash, attemptId, inputStateToken, inputAckToken, pinnedWorkflow, snapshotStore, keyring, hmac, base64url, } = args;
+    const { recordedEvent, truth, sessionId, runId, nodeId, workflowHash, attemptId, inputStateToken, inputAckToken, pinnedWorkflow, snapshotStore, keyring, sha256, hmac, base64url, } = args;
     const checkpointTokenRes = signTokenOrErr({
         unsignedPrefix: 'chk.v1.',
         payload: { tokenVersion: 1, tokenKind: 'checkpoint', sessionId, runId, nodeId, attemptId },
@@ -295,7 +295,7 @@ function replayFromRecordedAdvance(args) {
         }
         const pending = (0, snapshot_state_js_1.derivePendingStep)(snap.enginePayload.engineState);
         const isComplete = (0, snapshot_state_js_1.deriveIsComplete)(snap.enginePayload.engineState);
-        const nextAttemptId = attemptIdForNextNode(attemptId);
+        const nextAttemptId = attemptIdForNextNode(attemptId, sha256);
         const nextAckTokenRes = signTokenOrErr({
             unsignedPrefix: 'ack.v1.',
             payload: { tokenVersion: 1, tokenKind: 'ack', sessionId, runId, nodeId: toNodeIdBranded, attemptId: nextAttemptId },
@@ -338,7 +338,7 @@ function replayFromRecordedAdvance(args) {
     });
 }
 function advanceAndRecord(args) {
-    const { truth, sessionId, runId, nodeId, attemptId, workflowHash, dedupeKey, inputContext, inputOutput, lock, pinnedWorkflow, snapshotStore, sessionStore } = args;
+    const { truth, sessionId, runId, nodeId, attemptId, workflowHash, dedupeKey, inputContext, inputOutput, lock, pinnedWorkflow, snapshotStore, sessionStore, idFactory } = args;
     const hasRun = truth.events.some((e) => e.kind === 'run_started' && e.scope?.runId === String(runId));
     const hasNode = truth.events.some((e) => e.kind === 'node_created' && e.scope?.runId === String(runId) && e.scope?.nodeId === String(nodeId));
     if (!hasRun || !hasNode) {
@@ -385,11 +385,11 @@ function advanceAndRecord(args) {
             enginePayload: { v: 1, engineState: newEngineState },
         };
         return snapshotStore.putExecutionSnapshotV1(snapshotFile).andThen((newSnapshotRef) => {
-            const toNodeId = `node_${(0, crypto_1.randomUUID)()}`;
+            const toNodeId = String(idFactory.mintNodeId());
             const nextEventIndex = truth.events.length === 0 ? 0 : truth.events[truth.events.length - 1].eventIndex + 1;
-            const evtAdvanceRecorded = `evt_${(0, crypto_1.randomUUID)()}`;
-            const evtNodeCreated = `evt_${(0, crypto_1.randomUUID)()}`;
-            const evtEdgeCreated = `evt_${(0, crypto_1.randomUUID)()}`;
+            const evtAdvanceRecorded = idFactory.mintEventId();
+            const evtNodeCreated = idFactory.mintEventId();
+            const evtEdgeCreated = idFactory.mintEventId();
             const hasChildren = truth.events.some((e) => e.kind === 'edge_created' && e.data.fromNodeId === String(nodeId));
             const causeKind = hasChildren ? 'non_tip_advance' : 'intentional_fork';
             const outputId = (0, index_js_1.asOutputId)(`out_recap_${String(attemptId)}`);
@@ -406,7 +406,7 @@ function advanceAndRecord(args) {
                 ]
                 : [];
             const normalizedOutputs = (0, outputs_js_1.normalizeOutputsForAppend)(outputsToAppend);
-            const outputEventIds = normalizedOutputs.map(() => `evt_${(0, crypto_1.randomUUID)()}`);
+            const outputEventIds = normalizedOutputs.map(() => idFactory.mintEventId());
             const planRes = (0, ack_advance_append_plan_js_1.buildAckAdvanceAppendPlanV1)({
                 sessionId: String(sessionId),
                 runId: String(runId),
@@ -534,11 +534,11 @@ function parseAckTokenOrFail(raw, keyring, hmac, base64url) {
     }
     return { ok: true, token: parsedRes.value };
 }
-function newAttemptId() {
-    return (0, index_js_1.asAttemptId)(`attempt_${(0, crypto_1.randomUUID)()}`);
+function newAttemptId(idFactory) {
+    return idFactory.mintAttemptId();
 }
-function attemptIdForNextNode(parentAttemptId) {
-    return (0, index_js_1.asAttemptId)(`next_${parentAttemptId}`);
+function attemptIdForNextNode(parentAttemptId, sha256) {
+    return (0, attempt_id_derivation_js_1.deriveChildAttemptId)(parentAttemptId, sha256);
 }
 function signTokenOrErr(args) {
     const bytes = (0, index_js_2.encodeTokenPayloadV1)(args.payload);
@@ -630,7 +630,14 @@ function executeStartWorkflow(input, ctx) {
     if (!ctx.v2) {
         return (0, neverthrow_1.errAsync)({ kind: 'precondition_failed', message: 'v2 tools disabled', suggestion: 'Enable v2Tools flag' });
     }
-    const { gate, sessionStore, snapshotStore, pinnedStore, keyring, crypto, hmac, base64url } = ctx.v2;
+    const { gate, sessionStore, snapshotStore, pinnedStore, keyring, crypto, hmac, base64url, idFactory } = ctx.v2;
+    if (!idFactory) {
+        return (0, neverthrow_1.errAsync)({
+            kind: 'precondition_failed',
+            message: 'v2 context missing idFactory',
+            suggestion: 'Reinitialize v2 tool context (idFactory must be provided when v2Tools are enabled).',
+        });
+    }
     const ctxCheck = checkContextBudget({ tool: 'start_workflow', context: input.context });
     if (!ctxCheck.ok)
         return (0, neverthrow_1.errAsync)({ kind: 'validation_failed', failure: ctxCheck.error });
@@ -678,9 +685,9 @@ function executeStartWorkflow(input, ctx) {
         });
     })
         .andThen(({ workflow, firstStep, workflowHash, pinnedWorkflow }) => {
-        const sessionId = (0, index_js_3.asSessionId)(`sess_${(0, crypto_1.randomUUID)()}`);
-        const runId = (0, index_js_3.asRunId)(`run_${(0, crypto_1.randomUUID)()}`);
-        const nodeId = (0, index_js_3.asNodeId)(`node_${(0, crypto_1.randomUUID)()}`);
+        const sessionId = idFactory.mintSessionId();
+        const runId = idFactory.mintRunId();
+        const nodeId = idFactory.mintNodeId();
         const snapshot = {
             v: 1,
             kind: 'execution_snapshot',
@@ -697,9 +704,9 @@ function executeStartWorkflow(input, ctx) {
         return snapshotStore.putExecutionSnapshotV1(snapshot)
             .mapErr((cause) => ({ kind: 'snapshot_creation_failed', cause }))
             .andThen((snapshotRef) => {
-            const evtSessionCreated = `evt_${(0, crypto_1.randomUUID)()}`;
-            const evtRunStarted = `evt_${(0, crypto_1.randomUUID)()}`;
-            const evtNodeCreated = `evt_${(0, crypto_1.randomUUID)()}`;
+            const evtSessionCreated = idFactory.mintEventId();
+            const evtRunStarted = idFactory.mintEventId();
+            const evtNodeCreated = idFactory.mintEventId();
             return gate.withHealthySessionLock(sessionId, (lock) => {
                 const eventsArray = [
                     {
@@ -768,7 +775,7 @@ function executeStartWorkflow(input, ctx) {
             nodeId,
             workflowHash,
         };
-        const attemptId = newAttemptId();
+        const attemptId = newAttemptId(idFactory);
         const ackPayload = {
             tokenVersion: 1,
             tokenKind: 'ack',
@@ -812,7 +819,14 @@ function executeContinueWorkflow(input, ctx) {
     if (!ctx.v2) {
         return (0, neverthrow_1.errAsync)({ kind: 'precondition_failed', message: 'v2 tools disabled', suggestion: 'Enable v2Tools flag' });
     }
-    const { gate, sessionStore, snapshotStore, pinnedStore, keyring, crypto, hmac, base64url } = ctx.v2;
+    const { gate, sessionStore, snapshotStore, pinnedStore, keyring, sha256, crypto, hmac, base64url, idFactory } = ctx.v2;
+    if (!sha256 || !idFactory) {
+        return (0, neverthrow_1.errAsync)({
+            kind: 'precondition_failed',
+            message: 'v2 context missing required dependencies',
+            suggestion: 'Reinitialize v2 tool context (sha256 and idFactory must be provided when v2Tools are enabled).',
+        });
+    }
     const stateRes = parseStateTokenOrFail(input.stateToken, keyring, hmac, base64url);
     if (!stateRes.ok)
         return (0, neverthrow_1.errAsync)({ kind: 'validation_failed', failure: stateRes.failure });
@@ -864,7 +878,7 @@ function executeContinueWorkflow(input, ctx) {
                 const engineState = snapshot.enginePayload.engineState;
                 const pending = (0, snapshot_state_js_1.derivePendingStep)(engineState);
                 const isComplete = (0, snapshot_state_js_1.deriveIsComplete)(engineState);
-                const attemptId = newAttemptId();
+                const attemptId = newAttemptId(idFactory);
                 const ackTokenRes = signTokenOrErr({
                     unsignedPrefix: 'ack.v1.',
                     payload: { tokenVersion: 1, tokenKind: 'ack', sessionId, runId, nodeId, attemptId },
@@ -963,6 +977,7 @@ function executeContinueWorkflow(input, ctx) {
                     pinnedWorkflow,
                     snapshotStore,
                     keyring,
+                    sha256,
                     hmac,
                     base64url,
                 });
@@ -986,6 +1001,7 @@ function executeContinueWorkflow(input, ctx) {
                     pinnedWorkflow,
                     snapshotStore,
                     sessionStore,
+                    idFactory,
                 }).andThen(() => sessionStore
                     .load(sessionId)
                     .map((truthAfter) => ({ kind: 'replay', truth: truthAfter, recordedEvent: null })));
@@ -1035,6 +1051,7 @@ function executeContinueWorkflow(input, ctx) {
                     pinnedWorkflow,
                     snapshotStore,
                     keyring,
+                    sha256,
                     hmac,
                     base64url,
                 });

package/dist/mcp/server.js

@@ -95,18 +95,22 @@ async function createToolContext() {
             console.error('[FeatureFlags] v2 tools disabled due to keyring initialization failure');
         }
         else {
+            const sha256 = container_js_1.container.resolve(tokens_js_1.DI.V2.Sha256);
             const crypto = container_js_1.container.resolve(tokens_js_1.DI.V2.Crypto);
             const hmac = container_js_1.container.resolve(tokens_js_1.DI.V2.HmacSha256);
             const base64url = container_js_1.container.resolve(tokens_js_1.DI.V2.Base64Url);
+            const idFactory = container_js_1.container.resolve(tokens_js_1.DI.V2.IdFactory);
             v2 = {
                 gate,
                 sessionStore,
                 snapshotStore,
                 pinnedStore,
                 keyring: keyringResult.value,
+                sha256,
                 crypto,
                 hmac,
                 base64url,
+                idFactory,
             };
             console.error('[FeatureFlags] v2 tools enabled');
         }

package/dist/mcp/types.d.ts

@@ -8,9 +8,11 @@ import type { SessionEventLogAppendStorePortV2, SessionEventLogReadonlyStorePort
 import type { SnapshotStorePortV2 } from '../v2/ports/snapshot-store.port.js';
 import type { PinnedWorkflowStorePortV2 } from '../v2/ports/pinned-workflow-store.port.js';
 import type { KeyringV1 } from '../v2/ports/keyring.port.js';
+import type { Sha256PortV2 } from '../v2/ports/sha256.port.js';
 import type { CryptoPortV2 } from '../v2/durable-core/canonical/hashing.js';
 import type { HmacSha256PortV2 } from '../v2/ports/hmac-sha256.port.js';
 import type { Base64UrlPortV2 } from '../v2/ports/base64url.port.js';
+import type { IdFactoryV2 } from '../v2/infra/local/id-factory/index.js';
 import type { JsonValue } from './output-schemas.js';
 export interface SessionHealthDetails {
     readonly health: SessionHealthV2;
@@ -48,9 +50,11 @@ export interface V2Dependencies {
     readonly snapshotStore: SnapshotStorePortV2;
     readonly pinnedStore: PinnedWorkflowStorePortV2;
     readonly keyring: KeyringV1;
+    readonly sha256: Sha256PortV2;
     readonly crypto: CryptoPortV2;
     readonly hmac: HmacSha256PortV2;
     readonly base64url: Base64UrlPortV2;
+    readonly idFactory: IdFactoryV2;
 }
 export interface ToolContext {
     readonly workflowService: WorkflowService;

package/dist/v2/durable-core/encoding/base32-lower.d.ts

@@ -0,0 +1,4 @@
+export type Base32LowerNoPad = string & {
+    readonly __brand: 'v2.Base32LowerNoPad';
+};
+export declare function encodeBase32LowerNoPad(bytes: Uint8Array): Base32LowerNoPad;

package/dist/v2/durable-core/encoding/base32-lower.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encodeBase32LowerNoPad = encodeBase32LowerNoPad;
+const BASE32_LOWER_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
+function encodeBase32LowerNoPad(bytes) {
+    let out = '';
+    let buffer = 0n;
+    let bits = 0;
+    for (const b of bytes) {
+        buffer = (buffer << 8n) | BigInt(b);
+        bits += 8;
+        while (bits >= 5) {
+            const shift = BigInt(bits - 5);
+            const index = Number((buffer >> shift) & 31n);
+            out += BASE32_LOWER_ALPHABET[index];
+            bits -= 5;
+            if (bits === 0) {
+                buffer = 0n;
+            }
+            else {
+                buffer = buffer & ((1n << BigInt(bits)) - 1n);
+            }
+        }
+    }
+    if (bits > 0) {
+        const index = Number((buffer << BigInt(5 - bits)) & 31n);
+        out += BASE32_LOWER_ALPHABET[index];
+    }
+    return out;
+}

package/dist/v2/durable-core/ids/attempt-id-derivation.d.ts

@@ -0,0 +1,3 @@
+import type { Sha256PortV2 } from '../../ports/sha256.port.js';
+import type { AttemptId } from './index.js';
+export declare function deriveChildAttemptId(parent: AttemptId, sha256: Sha256PortV2): AttemptId;

package/dist/v2/durable-core/ids/attempt-id-derivation.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deriveChildAttemptId = deriveChildAttemptId;
+const index_js_1 = require("./index.js");
+const base32_lower_js_1 = require("../encoding/base32-lower.js");
+const PREFIX = 'wr_attempt_next_v1:';
+function hexToBytes(hex) {
+    if (hex.length % 2 !== 0) {
+        throw new Error('hex string must have even length');
+    }
+    const out = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < out.length; i++) {
+        const byteHex = hex.slice(i * 2, i * 2 + 2);
+        const n = Number.parseInt(byteHex, 16);
+        if (Number.isNaN(n)) {
+            throw new Error(`invalid hex byte: ${byteHex}`);
+        }
+        out[i] = n;
+    }
+    return out;
+}
+const SHA256_DIGEST_RE = /^sha256:[0-9a-f]{64}$/;
+function deriveChildAttemptId(parent, sha256) {
+    const bytes = new TextEncoder().encode(`${PREFIX}${String(parent)}`);
+    const digest = String(sha256.sha256(bytes));
+    if (!SHA256_DIGEST_RE.test(digest)) {
+        throw new Error(`expected sha256:<64hex> digest, got: ${digest}`);
+    }
+    const first16 = hexToBytes(digest.slice('sha256:'.length, 'sha256:'.length + 32));
+    const suffix = (0, base32_lower_js_1.encodeBase32LowerNoPad)(first16);
+    return (0, index_js_1.asAttemptId)(`attempt_${suffix}`);
+}

package/dist/v2/durable-core/tokens/payloads.js

@@ -8,10 +8,11 @@ const index_js_1 = require("../ids/index.js");
 const sha256DigestSchema = zod_1.z.string().regex(/^sha256:[0-9a-f]{64}$/, 'Expected sha256:<64 hex chars>');
 const workflowHashSchema = sha256DigestSchema.transform((v) => (0, index_js_1.asWorkflowHash)((0, index_js_1.asSha256Digest)(v)));
 const nonEmpty = zod_1.z.string().min(1);
-exports.AttemptIdSchema = nonEmpty.transform(index_js_1.asAttemptId);
-exports.SessionIdSchema = nonEmpty.transform(index_js_1.asSessionId);
-exports.RunIdSchema = nonEmpty.transform(index_js_1.asRunId);
-exports.NodeIdSchema = nonEmpty.transform(index_js_1.asNodeId);
+const delimiterSafeId = nonEmpty.regex(/^[^:\s]+$/, 'Expected a delimiter-safe ID (no ":" or whitespace)');
+exports.AttemptIdSchema = delimiterSafeId.transform(index_js_1.asAttemptId);
+exports.SessionIdSchema = delimiterSafeId.transform(index_js_1.asSessionId);
+exports.RunIdSchema = delimiterSafeId.transform(index_js_1.asRunId);
+exports.NodeIdSchema = delimiterSafeId.transform(index_js_1.asNodeId);
 exports.StateTokenPayloadV1Schema = zod_1.z.object({
     tokenVersion: zod_1.z.literal(1),
     tokenKind: zod_1.z.literal('state'),

package/dist/v2/infra/local/id-factory/index.d.ts

@@ -0,0 +1,11 @@
+import type { RandomEntropyPortV2 } from '../../../ports/random-entropy.port.js';
+import type { AttemptId, NodeId, RunId, SessionId } from '../../../durable-core/ids/index.js';
+export declare class IdFactoryV2 {
+    private readonly entropy;
+    constructor(entropy: RandomEntropyPortV2);
+    mintSessionId(): SessionId;
+    mintRunId(): RunId;
+    mintNodeId(): NodeId;
+    mintAttemptId(): AttemptId;
+    mintEventId(): string;
+}

package/dist/v2/infra/local/id-factory/index.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IdFactoryV2 = void 0;
+const index_js_1 = require("../../../durable-core/ids/index.js");
+const base32_lower_js_1 = require("../../../durable-core/encoding/base32-lower.js");
+const BYTES = 16;
+function mint(prefix, entropy) {
+    const bytes = entropy.generateBytes(BYTES);
+    const suffix = (0, base32_lower_js_1.encodeBase32LowerNoPad)(bytes);
+    return `${prefix}_${suffix}`;
+}
+class IdFactoryV2 {
+    constructor(entropy) {
+        this.entropy = entropy;
+    }
+    mintSessionId() {
+        return (0, index_js_1.asSessionId)(mint('sess', this.entropy));
+    }
+    mintRunId() {
+        return (0, index_js_1.asRunId)(mint('run', this.entropy));
+    }
+    mintNodeId() {
+        return (0, index_js_1.asNodeId)(mint('node', this.entropy));
+    }
+    mintAttemptId() {
+        return (0, index_js_1.asAttemptId)(mint('attempt', this.entropy));
+    }
+    mintEventId() {
+        return mint('evt', this.entropy);
+    }
+}
+exports.IdFactoryV2 = IdFactoryV2;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@exaudeus/workrail",
-  "version": "0.16.0",
+  "version": "0.17.0",
   "description": "Step-by-step workflow enforcement for AI agents via MCP",
   "license": "MIT",
   "repository": {