@exaudeus/workrail 0.17.0 → 1.0.0

package/dist/v2/durable-core/tokens/payloads.d.ts

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import type { AttemptId, NodeId, RunId, SessionId, TokenStringV1, WorkflowHash } from '../ids/index.js';
+import type { AttemptId, NodeId, RunId, SessionId, TokenStringV1, WorkflowHashRef } from '../ids/index.js';
 export type TokenVersionV1 = 1;
 export type TokenKindV1 = 'state' | 'ack' | 'checkpoint';
 export declare const AttemptIdSchema: z.ZodEffects<z.ZodString, AttemptId, string>;
@@ -12,7 +12,7 @@ export declare const StateTokenPayloadV1Schema: z.ZodObject<{
     sessionId: z.ZodEffects<z.ZodString, SessionId, string>;
     runId: z.ZodEffects<z.ZodString, RunId, string>;
     nodeId: z.ZodEffects<z.ZodString, NodeId, string>;
-    workflowHash: z.ZodEffects<z.ZodString, never, string>;
+    workflowHashRef: z.ZodEffects<z.ZodString, WorkflowHashRef, string>;
 }, "strip", z.ZodTypeAny, {
     sessionId: string & {
         readonly __brand: "v2.SessionId";
@@ -23,16 +23,18 @@ export declare const StateTokenPayloadV1Schema: z.ZodObject<{
     nodeId: string & {
         readonly __brand: "v2.NodeId";
     };
-    workflowHash: never;
     tokenVersion: 1;
     tokenKind: "state";
+    workflowHashRef: string & {
+        readonly __brand: "v2.WorkflowHashRef";
+    };
 }, {
     sessionId: string;
     runId: string;
     nodeId: string;
-    workflowHash: string;
     tokenVersion: 1;
     tokenKind: "state";
+    workflowHashRef: string;
 }>;
 export type StateTokenPayloadV1 = z.infer<typeof StateTokenPayloadV1Schema> & {
     readonly tokenVersion: TokenVersionV1;
@@ -40,7 +42,7 @@ export type StateTokenPayloadV1 = z.infer<typeof StateTokenPayloadV1Schema> & {
     readonly sessionId: SessionId;
     readonly runId: RunId;
     readonly nodeId: NodeId;
-    readonly workflowHash: WorkflowHash;
+    readonly workflowHashRef: WorkflowHashRef;
 };
 export declare const AckTokenPayloadV1Schema: z.ZodObject<{
     tokenVersion: z.ZodLiteral<1>;
@@ -124,7 +126,7 @@ export declare const TokenPayloadV1Schema: z.ZodDiscriminatedUnion<"tokenKind",
     sessionId: z.ZodEffects<z.ZodString, SessionId, string>;
     runId: z.ZodEffects<z.ZodString, RunId, string>;
     nodeId: z.ZodEffects<z.ZodString, NodeId, string>;
-    workflowHash: z.ZodEffects<z.ZodString, never, string>;
+    workflowHashRef: z.ZodEffects<z.ZodString, WorkflowHashRef, string>;
 }, "strip", z.ZodTypeAny, {
     sessionId: string & {
         readonly __brand: "v2.SessionId";
@@ -135,16 +137,18 @@ export declare const TokenPayloadV1Schema: z.ZodDiscriminatedUnion<"tokenKind",
     nodeId: string & {
         readonly __brand: "v2.NodeId";
     };
-    workflowHash: never;
     tokenVersion: 1;
     tokenKind: "state";
+    workflowHashRef: string & {
+        readonly __brand: "v2.WorkflowHashRef";
+    };
 }, {
     sessionId: string;
     runId: string;
     nodeId: string;
-    workflowHash: string;
     tokenVersion: 1;
     tokenKind: "state";
+    workflowHashRef: string;
 }>, z.ZodObject<{
     tokenVersion: z.ZodLiteral<1>;
     tokenKind: z.ZodLiteral<"ack">;

package/dist/v2/durable-core/tokens/payloads.js

@@ -5,8 +5,10 @@ exports.expectedPrefixForTokenKind = expectedPrefixForTokenKind;
 exports.asTokenString = asTokenString;
 const zod_1 = require("zod");
 const index_js_1 = require("../ids/index.js");
-const sha256DigestSchema = zod_1.z.string().regex(/^sha256:[0-9a-f]{64}$/, 'Expected sha256:<64 hex chars>');
-const workflowHashSchema = sha256DigestSchema.transform((v) => (0, index_js_1.asWorkflowHash)((0, index_js_1.asSha256Digest)(v)));
+const workflowHashRefSchema = zod_1.z
+    .string()
+    .regex(/^wf_[a-z2-7]{26}$/, 'Expected wf_<26 base32 chars [a-z2-7]>')
+    .transform((v) => (0, index_js_1.asWorkflowHashRef)(v));
 const nonEmpty = zod_1.z.string().min(1);
 const delimiterSafeId = nonEmpty.regex(/^[^:\s]+$/, 'Expected a delimiter-safe ID (no ":" or whitespace)');
 exports.AttemptIdSchema = delimiterSafeId.transform(index_js_1.asAttemptId);
@@ -19,7 +21,7 @@ exports.StateTokenPayloadV1Schema = zod_1.z.object({
     sessionId: exports.SessionIdSchema,
     runId: exports.RunIdSchema,
     nodeId: exports.NodeIdSchema,
-    workflowHash: workflowHashSchema,
+    workflowHashRef: workflowHashRefSchema,
 });
 exports.AckTokenPayloadV1Schema = zod_1.z.object({
     tokenVersion: zod_1.z.literal(1),

package/dist/v2/durable-core/tokens/token-codec-capabilities.d.ts

@@ -0,0 +1,4 @@
+import type { TokenCodecPorts } from './token-codec-ports.js';
+export type TokenParsePorts = Pick<TokenCodecPorts, 'bech32m' | 'base32'>;
+export type TokenVerifyPorts = Pick<TokenCodecPorts, 'keyring' | 'hmac' | 'base64url'>;
+export type TokenSignPorts = TokenCodecPorts;

package/dist/v2/durable-core/tokens/token-codec-capabilities.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/v2/durable-core/tokens/token-codec-ports.d.ts

@@ -0,0 +1,42 @@
+import type { Result } from 'neverthrow';
+import type { KeyringV1 } from '../../ports/keyring.port.js';
+import type { HmacSha256PortV2 } from '../../ports/hmac-sha256.port.js';
+import type { Base64UrlPortV2 } from '../../ports/base64url.port.js';
+import type { Base32PortV2 } from '../../ports/base32.port.js';
+import type { Bech32mPortV2 } from '../../ports/bech32m.port.js';
+declare const tokenCodecPortsBrand: unique symbol;
+export type TokenCodecPorts = Readonly<{
+    readonly keyring: KeyringV1;
+    readonly hmac: HmacSha256PortV2;
+    readonly base64url: Base64UrlPortV2;
+    readonly base32: Base32PortV2;
+    readonly bech32m: Bech32mPortV2;
+}> & {
+    readonly [tokenCodecPortsBrand]: 'TokenCodecPorts';
+};
+export type TokenCodecPortsError = {
+    readonly code: 'TOKEN_CODEC_PORTS_MISSING_KEYRING';
+} | {
+    readonly code: 'TOKEN_CODEC_PORTS_MISSING_HMAC';
+} | {
+    readonly code: 'TOKEN_CODEC_PORTS_MISSING_BASE64URL';
+} | {
+    readonly code: 'TOKEN_CODEC_PORTS_MISSING_BASE32';
+} | {
+    readonly code: 'TOKEN_CODEC_PORTS_MISSING_BECH32M';
+};
+export declare function createTokenCodecPorts(deps: {
+    readonly keyring?: KeyringV1 | null;
+    readonly hmac?: HmacSha256PortV2 | null;
+    readonly base64url?: Base64UrlPortV2 | null;
+    readonly base32?: Base32PortV2 | null;
+    readonly bech32m?: Bech32mPortV2 | null;
+}): Result<TokenCodecPorts, TokenCodecPortsError>;
+export declare function unsafeTokenCodecPorts(deps: {
+    readonly keyring: KeyringV1;
+    readonly hmac: HmacSha256PortV2;
+    readonly base64url: Base64UrlPortV2;
+    readonly base32: Base32PortV2;
+    readonly bech32m: Bech32mPortV2;
+}): TokenCodecPorts;
+export {};

package/dist/v2/durable-core/tokens/token-codec-ports.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createTokenCodecPorts = createTokenCodecPorts;
+exports.unsafeTokenCodecPorts = unsafeTokenCodecPorts;
+const neverthrow_1 = require("neverthrow");
+function createTokenCodecPorts(deps) {
+    if (!deps.keyring)
+        return (0, neverthrow_1.err)({ code: 'TOKEN_CODEC_PORTS_MISSING_KEYRING' });
+    if (!deps.hmac)
+        return (0, neverthrow_1.err)({ code: 'TOKEN_CODEC_PORTS_MISSING_HMAC' });
+    if (!deps.base64url)
+        return (0, neverthrow_1.err)({ code: 'TOKEN_CODEC_PORTS_MISSING_BASE64URL' });
+    if (!deps.base32)
+        return (0, neverthrow_1.err)({ code: 'TOKEN_CODEC_PORTS_MISSING_BASE32' });
+    if (!deps.bech32m)
+        return (0, neverthrow_1.err)({ code: 'TOKEN_CODEC_PORTS_MISSING_BECH32M' });
+    return (0, neverthrow_1.ok)(Object.freeze({
+        keyring: deps.keyring,
+        hmac: deps.hmac,
+        base64url: deps.base64url,
+        base32: deps.base32,
+        bech32m: deps.bech32m,
+    }));
+}
+function unsafeTokenCodecPorts(deps) {
+    return Object.freeze({ ...deps });
+}

package/dist/v2/durable-core/tokens/token-codec.d.ts

@@ -2,10 +2,16 @@ import type { Result } from 'neverthrow';
 import type { CanonicalBytes } from '../ids/index.js';
 import type { TokenStringV1 } from '../ids/index.js';
 import type { Base64UrlPortV2 } from '../../ports/base64url.port.js';
+import type { Bech32mDecodeError, TokenHrp } from '../../ports/bech32m.port.js';
+import type { Base32PortV2 } from '../../ports/base32.port.js';
 import { type TokenPayloadV1, type TokenPrefixV1 } from './payloads.js';
+import type { TokenParsePorts } from './token-codec-capabilities.js';
 export type TokenDecodeErrorV2 = {
     readonly code: 'TOKEN_INVALID_FORMAT';
     readonly message: string;
+    readonly details?: {
+        bech32mError?: Bech32mDecodeError;
+    };
 } | {
     readonly code: 'TOKEN_UNSUPPORTED_VERSION';
     readonly message: string;
@@ -30,3 +36,15 @@ export declare function encodeUnsignedTokenV1(payload: TokenPayloadV1, base64url
     readonly payloadBytes: CanonicalBytes;
 }, TokenDecodeErrorV2>;
 export declare function parseTokenV1(token: string, base64url: Base64UrlPortV2): Result<ParsedTokenV1, TokenDecodeErrorV2>;
+export interface ParsedTokenV1Binary {
+    readonly hrp: TokenHrp;
+    readonly version: '1';
+    readonly payloadBytes: Uint8Array;
+    readonly signatureBytes: Uint8Array;
+    readonly payload: TokenPayloadV1;
+}
+export declare function encodeTokenPayloadV1Binary(payload: TokenPayloadV1, base32: Base32PortV2): Result<{
+    payloadBytes: Uint8Array;
+    hrp: TokenHrp;
+}, TokenDecodeErrorV2>;
+export declare function parseTokenV1Binary(tokenString: string, ports: TokenParsePorts): Result<ParsedTokenV1Binary, TokenDecodeErrorV2>;

package/dist/v2/durable-core/tokens/token-codec.js

@@ -3,10 +3,13 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.encodeTokenPayloadV1 = encodeTokenPayloadV1;
 exports.encodeUnsignedTokenV1 = encodeUnsignedTokenV1;
 exports.parseTokenV1 = parseTokenV1;
+exports.encodeTokenPayloadV1Binary = encodeTokenPayloadV1Binary;
+exports.parseTokenV1Binary = parseTokenV1Binary;
 const neverthrow_1 = require("neverthrow");
 const jcs_js_1 = require("../canonical/jcs.js");
 const index_js_1 = require("../ids/index.js");
 const payloads_js_1 = require("./payloads.js");
+const binary_payload_js_1 = require("./binary-payload.js");
 function encodeTokenPayloadV1(payload) {
     return (0, jcs_js_1.toCanonicalBytes)(payload).mapErr((e) => ({
         code: 'TOKEN_PAYLOAD_INVALID',
@@ -68,3 +71,108 @@ function parseTokenV1(token, base64url) {
         payload: validated.data,
     });
 }
+function encodeTokenPayloadV1Binary(payload, base32) {
+    let packResult;
+    let hrp;
+    switch (payload.tokenKind) {
+        case 'state':
+            packResult = (0, binary_payload_js_1.packStateTokenPayload)(payload, base32);
+            hrp = 'st';
+            break;
+        case 'ack':
+            packResult = (0, binary_payload_js_1.packAckTokenPayload)(payload, base32);
+            hrp = 'ack';
+            break;
+        case 'checkpoint':
+            packResult = (0, binary_payload_js_1.packCheckpointTokenPayload)(payload, base32);
+            hrp = 'chk';
+            break;
+        default: {
+            const _exhaustive = payload;
+            return (0, neverthrow_1.err)({
+                code: 'TOKEN_PAYLOAD_INVALID',
+                message: `Unknown token kind in payload: expected 'state' | 'ack' | 'checkpoint'`,
+            });
+        }
+    }
+    if (packResult.isErr()) {
+        return (0, neverthrow_1.err)({
+            code: 'TOKEN_PAYLOAD_INVALID',
+            message: `Binary pack failed: ${packResult.error.code}`,
+        });
+    }
+    return (0, neverthrow_1.ok)({ payloadBytes: packResult.value, hrp });
+}
+function parseTokenV1Binary(tokenString, ports) {
+    const { bech32m, base32 } = ports;
+    let hrp;
+    let expectedKind;
+    if (tokenString.startsWith('st1')) {
+        hrp = 'st';
+        expectedKind = 0;
+    }
+    else if (tokenString.startsWith('ack1')) {
+        hrp = 'ack';
+        expectedKind = 1;
+    }
+    else if (tokenString.startsWith('chk1')) {
+        hrp = 'chk';
+        expectedKind = 2;
+    }
+    else {
+        return (0, neverthrow_1.err)({
+            code: 'TOKEN_INVALID_FORMAT',
+            message: `Invalid token format: expected st1/ack1/chk1 prefix, got '${tokenString.slice(0, 4)}'`,
+        });
+    }
+    const decodedResult = bech32m.decode(tokenString, hrp);
+    if (decodedResult.isErr()) {
+        const bech32mErr = decodedResult.error;
+        if (bech32mErr.code === 'BECH32M_CHECKSUM_FAILED') {
+            return (0, neverthrow_1.err)({
+                code: 'TOKEN_INVALID_FORMAT',
+                message: 'Token corrupted (bech32m checksum failed). Likely copy/paste error.',
+                details: { bech32mError: bech32mErr },
+            });
+        }
+        return (0, neverthrow_1.err)({
+            code: 'TOKEN_INVALID_FORMAT',
+            message: `Bech32m decode failed: ${bech32mErr.message}`,
+            details: { bech32mError: bech32mErr },
+        });
+    }
+    const allBytes = decodedResult.value;
+    if (allBytes.length !== 98) {
+        return (0, neverthrow_1.err)({
+            code: 'TOKEN_INVALID_FORMAT',
+            message: `Expected 98 bytes (66 payload + 32 sig), got ${allBytes.length}`,
+        });
+    }
+    const payloadBytes = allBytes.slice(0, 66);
+    const signatureBytes = allBytes.slice(66, 98);
+    const unpackedResult = (0, binary_payload_js_1.unpackTokenPayload)(payloadBytes, base32);
+    if (unpackedResult.isErr()) {
+        const unpackErr = unpackedResult.error;
+        return (0, neverthrow_1.err)({
+            code: unpackErr.code === 'BINARY_UNSUPPORTED_VERSION' ? 'TOKEN_UNSUPPORTED_VERSION' : 'TOKEN_INVALID_FORMAT',
+            message: `Payload unpack failed: ${unpackErr.code}`,
+        });
+    }
+    const actualKind = unpackedResult.value.tokenKind;
+    const expectedKindStr = expectedKind === 0 ? 'state' : expectedKind === 1 ? 'ack' : 'checkpoint';
+    if ((expectedKind === 0 && actualKind !== 'state') ||
+        (expectedKind === 1 && actualKind !== 'ack') ||
+        (expectedKind === 2 && actualKind !== 'checkpoint')) {
+        return (0, neverthrow_1.err)({
+            code: 'TOKEN_INVALID_FORMAT',
+            message: `Token kind mismatch: HRP implies ${expectedKindStr}, payload contains ${actualKind}`,
+        });
+    }
+    return (0, neverthrow_1.ok)({
+        hrp,
+        version: '1',
+        payloadBytes: payloadBytes.slice(),
+        signatureBytes: signatureBytes.slice(),
+        payload: unpackedResult.value,
+    });
+}

package/dist/v2/durable-core/tokens/token-signer.d.ts

@@ -3,7 +3,9 @@ import type { HmacSha256PortV2 } from '../../ports/hmac-sha256.port.js';
 import type { KeyringV1 } from '../../ports/keyring.port.js';
 import type { Base64UrlPortV2 } from '../../ports/base64url.port.js';
 import type { CanonicalBytes, TokenStringV1 } from '../ids/index.js';
-import type { ParsedTokenV1, TokenDecodeErrorV2 } from './token-codec.js';
+import type { ParsedTokenV1, ParsedTokenV1Binary, TokenDecodeErrorV2 } from './token-codec.js';
+import type { TokenPayloadV1 } from './payloads.js';
+import type { TokenSignPorts, TokenVerifyPorts } from './token-codec-capabilities.js';
 export type TokenVerifyErrorV2 = {
     readonly code: 'TOKEN_BAD_SIGNATURE';
     readonly message: string;
@@ -14,3 +16,13 @@ export type TokenVerifyErrorV2 = {
 export declare function signTokenV1(unsignedTokenPrefix: 'st.v1.' | 'ack.v1.' | 'chk.v1.', payloadBytes: CanonicalBytes, keyring: KeyringV1, hmac: HmacSha256PortV2, base64url: Base64UrlPortV2): Result<TokenStringV1, TokenVerifyErrorV2>;
 export declare function verifyTokenSignatureV1(parsed: ParsedTokenV1, keyring: KeyringV1, hmac: HmacSha256PortV2, base64url: Base64UrlPortV2): Result<void, TokenVerifyErrorV2>;
 export declare function assertTokenScopeMatchesState(state: ParsedTokenV1, other: ParsedTokenV1): Result<void, TokenDecodeErrorV2>;
+export type TokenSignErrorV2 = {
+    readonly code: 'TOKEN_ENCODE_FAILED';
+    readonly message: string;
+} | {
+    readonly code: 'KEYRING_INVALID';
+    readonly message: string;
+};
+export declare function signTokenV1Binary(payload: TokenPayloadV1, ports: TokenSignPorts): Result<string, TokenSignErrorV2>;
+export declare function verifyTokenSignatureV1Binary(parsed: ParsedTokenV1Binary, ports: TokenVerifyPorts): Result<void, TokenVerifyErrorV2>;
+export declare function assertTokenScopeMatchesStateBinary(state: ParsedTokenV1Binary, other: ParsedTokenV1Binary): Result<void, TokenDecodeErrorV2>;

package/dist/v2/durable-core/tokens/token-signer.js

@@ -3,8 +3,12 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.signTokenV1 = signTokenV1;
 exports.verifyTokenSignatureV1 = verifyTokenSignatureV1;
 exports.assertTokenScopeMatchesState = assertTokenScopeMatchesState;
+exports.signTokenV1Binary = signTokenV1Binary;
+exports.verifyTokenSignatureV1Binary = verifyTokenSignatureV1Binary;
+exports.assertTokenScopeMatchesStateBinary = assertTokenScopeMatchesStateBinary;
 const neverthrow_1 = require("neverthrow");
 const index_js_1 = require("../ids/index.js");
+const token_codec_js_1 = require("./token-codec.js");
 function decodeKeyBytes(keyBase64Url, base64url) {
     const decoded = base64url.decodeBase64Url(keyBase64Url);
     if (decoded.isErr())
@@ -52,3 +56,64 @@ function assertTokenScopeMatchesState(state, other) {
         return (0, neverthrow_1.err)({ code: 'TOKEN_SCOPE_MISMATCH', message: 'nodeId mismatch' });
     return (0, neverthrow_1.ok)(undefined);
 }
+function signTokenV1Binary(payload, ports) {
+    const { keyring, hmac, base64url, base32, bech32m } = ports;
+    const key = decodeKeyBytes(keyring.current.keyBase64Url, base64url);
+    if (key.isErr()) {
+        return (0, neverthrow_1.err)({ code: 'KEYRING_INVALID', message: 'Invalid current key' });
+    }
+    const encodeResult = (0, token_codec_js_1.encodeTokenPayloadV1Binary)(payload, base32);
+    if (encodeResult.isErr()) {
+        return (0, neverthrow_1.err)({
+            code: 'TOKEN_ENCODE_FAILED',
+            message: `Binary pack failed: ${encodeResult.error.message}`,
+        });
+    }
+    const { payloadBytes, hrp } = encodeResult.value;
+    const signature = hmac.hmacSha256(key.value, payloadBytes);
+    const combined = new Uint8Array(98);
+    combined.set(payloadBytes, 0);
+    combined.set(signature, 66);
+    const token = bech32m.encode(hrp, combined);
+    return (0, neverthrow_1.ok)(token);
+}
+function verifyTokenSignatureV1Binary(parsed, ports) {
+    const { keyring, hmac, base64url } = ports;
+    if (parsed.signatureBytes.length !== 32) {
+        return (0, neverthrow_1.err)({
+            code: 'TOKEN_INVALID_FORMAT',
+            message: `Expected 32-byte signature, got ${parsed.signatureBytes.length}`,
+        });
+    }
+    const keys = [keyring.current.keyBase64Url];
+    if (keyring.previous)
+        keys.push(keyring.previous.keyBase64Url);
+    for (const k of keys) {
+        const key = decodeKeyBytes(k, base64url);
+        if (key.isErr())
+            continue;
+        const expected = hmac.hmacSha256(key.value, parsed.payloadBytes);
+        if (hmac.timingSafeEqual(expected, parsed.signatureBytes)) {
+            return (0, neverthrow_1.ok)(undefined);
+        }
+    }
+    return (0, neverthrow_1.err)({
+        code: 'TOKEN_BAD_SIGNATURE',
+        message: 'Signature verification failed',
+    });
+}
+function assertTokenScopeMatchesStateBinary(state, other) {
+    if (state.payload.tokenKind !== 'state') {
+        return (0, neverthrow_1.err)({ code: 'TOKEN_SCOPE_MISMATCH', message: 'Expected a state token for scope comparison' });
+    }
+    if (state.payload.sessionId !== other.payload.sessionId) {
+        return (0, neverthrow_1.err)({ code: 'TOKEN_SCOPE_MISMATCH', message: 'sessionId mismatch' });
+    }
+    if (state.payload.runId !== other.payload.runId) {
+        return (0, neverthrow_1.err)({ code: 'TOKEN_SCOPE_MISMATCH', message: 'runId mismatch' });
+    }
+    if (state.payload.nodeId !== other.payload.nodeId) {
+        return (0, neverthrow_1.err)({ code: 'TOKEN_SCOPE_MISMATCH', message: 'nodeId mismatch' });
+    }
+    return (0, neverthrow_1.ok)(undefined);
+}

package/dist/v2/infra/local/base32/index.d.ts

@@ -0,0 +1,6 @@
+import type { Result } from 'neverthrow';
+import type { Base32PortV2, Base32DecodeError } from '../../../ports/base32.port.js';
+export declare class Base32AdapterV2 implements Base32PortV2 {
+    encode(bytes: Uint8Array): string;
+    decode(encoded: string): Result<Uint8Array, Base32DecodeError>;
+}

package/dist/v2/infra/local/base32/index.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Base32AdapterV2 = void 0;
+const neverthrow_1 = require("neverthrow");
+const base32_lower_js_1 = require("../../../durable-core/encoding/base32-lower.js");
+class Base32AdapterV2 {
+    encode(bytes) {
+        return (0, base32_lower_js_1.encodeBase32LowerNoPad)(bytes);
+    }
+    decode(encoded) {
+        if (!/^[a-z2-7]+$/.test(encoded)) {
+            const invalidMatch = encoded.match(/[^a-z2-7]/);
+            return (0, neverthrow_1.err)({
+                code: 'BASE32_INVALID_CHARACTERS',
+                message: `Invalid base32 character: ${invalidMatch?.[0] || 'unknown'}`,
+                position: invalidMatch?.index,
+            });
+        }
+        try {
+            const bytes = (0, base32_lower_js_1.decodeBase32LowerNoPad)(encoded);
+            return (0, neverthrow_1.ok)(bytes);
+        }
+        catch (e) {
+            const message = e instanceof Error ? e.message : String(e);
+            if (/padding|non-canonical/i.test(message)) {
+                return (0, neverthrow_1.err)({
+                    code: 'BASE32_NON_CANONICAL',
+                    message: `Non-canonical base32 encoding: ${message}`,
+                });
+            }
+            if (/length/i.test(message)) {
+                return (0, neverthrow_1.err)({
+                    code: 'BASE32_INVALID_LENGTH',
+                    message: `Invalid base32 length: ${message}`,
+                });
+            }
+            return (0, neverthrow_1.err)({
+                code: 'BASE32_INVALID_CHARACTERS',
+                message: `Base32 decode failed: ${message}`,
+            });
+        }
+    }
+}
+exports.Base32AdapterV2 = Base32AdapterV2;

package/dist/v2/infra/local/bech32m/index.d.ts

@@ -0,0 +1,8 @@
+import type { Result } from 'neverthrow';
+import type { Bech32mPortV2, Bech32mDecodeError, TokenHrp } from '../../../ports/bech32m.port.js';
+export declare class Bech32mAdapterV2 implements Bech32mPortV2 {
+    private static readonly MAX_LENGTH;
+    encode(hrp: TokenHrp, data: Uint8Array): string;
+    decode(encoded: string, expectedHrp: TokenHrp): Result<Uint8Array, Bech32mDecodeError>;
+    private tryExtractPosition;
+}

package/dist/v2/infra/local/bech32m/index.js

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Bech32mAdapterV2 = void 0;
+const base_1 = require("@scure/base");
+const neverthrow_1 = require("neverthrow");
+class Bech32mAdapterV2 {
+    encode(hrp, data) {
+        const words = base_1.bech32m.toWords(data);
+        return base_1.bech32m.encode(hrp, words, Bech32mAdapterV2.MAX_LENGTH);
+    }
+    decode(encoded, expectedHrp) {
+        try {
+            const decoded = base_1.bech32m.decode(encoded, Bech32mAdapterV2.MAX_LENGTH);
+            if (decoded.prefix !== expectedHrp) {
+                return (0, neverthrow_1.err)({
+                    code: 'BECH32M_HRP_MISMATCH',
+                    message: `HRP mismatch: expected '${expectedHrp}', got '${decoded.prefix}'`,
+                });
+            }
+            const bytes = base_1.bech32m.fromWords(decoded.words);
+            return (0, neverthrow_1.ok)(new Uint8Array(bytes));
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            if (/checksum/i.test(msg) || /invalid/i.test(msg)) {
+                return (0, neverthrow_1.err)({
+                    code: 'BECH32M_CHECKSUM_FAILED',
+                    message: `Bech32m checksum validation failed (likely corruption): ${msg}`,
+                    position: this.tryExtractPosition(msg),
+                });
+            }
+            return (0, neverthrow_1.err)({
+                code: 'BECH32M_INVALID_FORMAT',
+                message: `Invalid bech32m: ${msg}`,
+            });
+        }
+    }
+    tryExtractPosition(msg) {
+        const patterns = [
+            /position\s*:?\s*(\d+)/i,
+            /at\s+position\s+(\d+)/i,
+            /pos\s+(\d+)/i,
+            /index\s+(\d+)/i,
+        ];
+        for (const pattern of patterns) {
+            const match = msg.match(pattern);
+            if (match) {
+                const pos = parseInt(match[1], 10);
+                return Number.isNaN(pos) ? undefined : pos;
+            }
+        }
+        return undefined;
+    }
+}
+exports.Bech32mAdapterV2 = Bech32mAdapterV2;
+Bech32mAdapterV2.MAX_LENGTH = 1023;

package/dist/v2/infra/local/data-dir/index.d.ts

@@ -2,6 +2,7 @@ import type { DataDirPortV2 } from '../../../ports/data-dir.port.js';
 export declare class LocalDataDirV2 implements DataDirPortV2 {
     private readonly env;
     constructor(env: Record<string, string | undefined>);
+    private safeFileSegment;
     private root;
     snapshotsDir(): string;
     snapshotPath(snapshotRef: string): string;

package/dist/v2/infra/local/data-dir/index.js

@@ -40,6 +40,9 @@ class LocalDataDirV2 {
     constructor(env) {
         this.env = env;
     }
+    safeFileSegment(raw) {
+        return raw.replace(/[^a-zA-Z0-9._-]/g, '_');
+    }
     root() {
         const configured = this.env['WORKRAIL_DATA_DIR'];
         return configured ? configured : path.join(os.homedir(), '.workrail', 'data');
@@ -48,7 +51,7 @@ class LocalDataDirV2 {
         return path.join(this.root(), 'snapshots');
     }
     snapshotPath(snapshotRef) {
-        return path.join(this.snapshotsDir(), `${snapshotRef}.json`);
+        return path.join(this.snapshotsDir(), `${this.safeFileSegment(snapshotRef)}.json`);
     }
     keysDir() {
         return path.join(this.root(), 'keys');
@@ -60,7 +63,7 @@ class LocalDataDirV2 {
         return path.join(this.root(), 'workflows', 'pinned');
     }
     pinnedWorkflowPath(workflowHash) {
-        return path.join(this.pinnedWorkflowsDir(), `${workflowHash}.json`);
+        return path.join(this.pinnedWorkflowsDir(), `${this.safeFileSegment(workflowHash)}.json`);
     }
     sessionsDir() {
         return path.join(this.root(), 'sessions');

package/dist/v2/infra/local/fs/index.js

@@ -124,6 +124,9 @@ class NodeFileSystemV2 {
         }), (e) => mapFsError(e, `fd:${fd}`));
     }
     fsyncDir(dirPath) {
+        if (process.platform === 'win32') {
+            return neverthrow_1.ResultAsync.fromPromise(Promise.resolve(undefined), (e) => mapFsError(e, dirPath));
+        }
         return neverthrow_1.ResultAsync.fromPromise((async () => {
             const dirHandle = await fs.open(dirPath, 'r');
             try {