@exaudeus/workrail 2.0.0 → 3.0.0

package/dist/mcp/handlers/v2-token-ops.js

@@ -3,70 +3,410 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.parseStateTokenOrFail = parseStateTokenOrFail;
 exports.parseAckTokenOrFail = parseAckTokenOrFail;
 exports.parseCheckpointTokenOrFail = parseCheckpointTokenOrFail;
+exports.parseContinueTokenOrFail = parseContinueTokenOrFail;
+exports.mintContinueAndCheckpointTokens = mintContinueAndCheckpointTokens;
+exports.mintShortTokenTriple = mintShortTokenTriple;
+exports.mintSingleShortToken = mintSingleShortToken;
 exports.newAttemptId = newAttemptId;
 exports.attemptIdForNextNode = attemptIdForNextNode;
 exports.signTokenOrErr = signTokenOrErr;
 const neverthrow_1 = require("neverthrow");
+const neverthrow_2 = require("neverthrow");
 const index_js_1 = require("../../v2/durable-core/tokens/index.js");
 const attempt_id_derivation_js_1 = require("../../v2/durable-core/ids/attempt-id-derivation.js");
 const types_js_1 = require("../types.js");
 const v2_execution_helpers_js_1 = require("./v2-execution-helpers.js");
-function parseStateTokenOrFail(raw, ports) {
+const short_token_js_1 = require("../../v2/durable-core/tokens/short-token.js");
+const index_js_2 = require("../../v2/durable-core/ids/index.js");
+function resolveShortToken(raw, ports, aliasStore) {
+    const parsed = (0, short_token_js_1.parseShortToken)(raw, ports.base64url);
+    if (parsed.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', `Short token format invalid: ${parsed.error.code}`, {
+            suggestion: 'Use the token returned by WorkRail (st_... / ak_... / ck_...).',
+        }));
+    }
+    const hmacResult = (0, short_token_js_1.verifyShortTokenHmac)(parsed.value, ports.keyring, ports.hmac, ports.base64url);
+    if (hmacResult.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_BAD_SIGNATURE', 'Short token HMAC verification failed.', {
+            suggestion: 'Use the exact token returned by WorkRail — do not modify it.',
+        }));
+    }
+    const entry = aliasStore.lookup(parsed.value.nonceHex);
+    if (!entry) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Short token not found in alias index (unknown nonce).', {
+            suggestion: 'Use the token returned by WorkRail in the current session.',
+        }));
+    }
+    let payload;
+    if (entry.tokenKind === 'state') {
+        if (!entry.workflowHashRef) {
+            return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Alias entry for state token is missing workflowHashRef.'));
+        }
+        const statePayload = {
+            tokenVersion: 1,
+            tokenKind: 'state',
+            sessionId: (0, index_js_2.asSessionId)(entry.sessionId),
+            runId: (0, index_js_2.asRunId)(entry.runId),
+            nodeId: (0, index_js_2.asNodeId)(entry.nodeId),
+            workflowHashRef: (0, index_js_2.asWorkflowHashRef)(entry.workflowHashRef),
+        };
+        payload = statePayload;
+    }
+    else if (entry.tokenKind === 'ack') {
+        if (!entry.attemptId) {
+            return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Alias entry for ack token is missing attemptId.'));
+        }
+        const ackPayload = {
+            tokenVersion: 1,
+            tokenKind: 'ack',
+            sessionId: (0, index_js_2.asSessionId)(entry.sessionId),
+            runId: (0, index_js_2.asRunId)(entry.runId),
+            nodeId: (0, index_js_2.asNodeId)(entry.nodeId),
+            attemptId: (0, index_js_2.asAttemptId)(entry.attemptId),
+        };
+        payload = ackPayload;
+    }
+    else {
+        if (!entry.attemptId) {
+            return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Alias entry for checkpoint token is missing attemptId.'));
+        }
+        const ckPayload = {
+            tokenVersion: 1,
+            tokenKind: 'checkpoint',
+            sessionId: (0, index_js_2.asSessionId)(entry.sessionId),
+            runId: (0, index_js_2.asRunId)(entry.runId),
+            nodeId: (0, index_js_2.asNodeId)(entry.nodeId),
+            attemptId: (0, index_js_2.asAttemptId)(entry.attemptId),
+        };
+        payload = ckPayload;
+    }
+    const synthetic = {
+        hrp: entry.tokenKind === 'state' ? 'st' : entry.tokenKind === 'ack' ? 'ack' : 'chk',
+        version: '1',
+        payloadBytes: new Uint8Array(66),
+        signatureBytes: new Uint8Array(32),
+        payload,
+    };
+    return (0, neverthrow_1.okAsync)(synthetic);
+}
+function parseStateTokenOrFail(raw, ports, aliasStore) {
+    if (raw.startsWith('st_')) {
+        return resolveShortToken(raw, ports, aliasStore).andThen((resolved) => {
+            if (resolved.payload.tokenKind !== 'state') {
+                return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a state token (st_... or st1...).', {
+                    suggestion: 'Use the stateToken returned by WorkRail.',
+                }));
+            }
+            return (0, neverthrow_1.okAsync)(resolved);
+        });
+    }
     const parsedRes = (0, index_js_1.parseTokenV1Binary)(raw, ports);
     if (parsedRes.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error));
     }
     const verified = (0, index_js_1.verifyTokenSignatureV1Binary)(parsedRes.value, ports);
     if (verified.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error));
     }
     if (parsedRes.value.payload.tokenKind !== 'state') {
-        return {
-            ok: false,
-            failure: (0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a state token (st1...).', {
-                suggestion: 'Use the stateToken returned by WorkRail.',
-            }),
-        };
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a state token (st1...).', {
+            suggestion: 'Use the stateToken returned by WorkRail.',
+        }));
     }
-    return { ok: true, token: parsedRes.value };
+    return (0, neverthrow_1.okAsync)(parsedRes.value);
 }
-function parseAckTokenOrFail(raw, ports) {
+function parseAckTokenOrFail(raw, ports, aliasStore) {
+    if (raw.startsWith('ak_')) {
+        return resolveShortToken(raw, ports, aliasStore).andThen((resolved) => {
+            if (resolved.payload.tokenKind !== 'ack') {
+                return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected an ack token (ak_... or ack1...).', {
+                    suggestion: 'Use the ackToken returned by WorkRail.',
+                }));
+            }
+            return (0, neverthrow_1.okAsync)(resolved);
+        });
+    }
     const parsedRes = (0, index_js_1.parseTokenV1Binary)(raw, ports);
     if (parsedRes.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error));
     }
     const verified = (0, index_js_1.verifyTokenSignatureV1Binary)(parsedRes.value, ports);
     if (verified.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error));
     }
     if (parsedRes.value.payload.tokenKind !== 'ack') {
-        return {
-            ok: false,
-            failure: (0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected an ack token (ack1...).', {
-                suggestion: 'Use the ackToken returned by WorkRail.',
-            }),
-        };
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected an ack token (ack1...).', {
+            suggestion: 'Use the ackToken returned by WorkRail.',
+        }));
     }
-    return { ok: true, token: parsedRes.value };
+    return (0, neverthrow_1.okAsync)(parsedRes.value);
 }
-function parseCheckpointTokenOrFail(raw, ports) {
+function parseCheckpointTokenOrFail(raw, ports, aliasStore) {
+    if (raw.startsWith('ck_')) {
+        return resolveShortToken(raw, ports, aliasStore).andThen((resolved) => {
+            if (resolved.payload.tokenKind !== 'checkpoint') {
+                return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a checkpoint token (ck_... or chk1...).', {
+                    suggestion: 'Use the checkpointToken returned by WorkRail.',
+                }));
+            }
+            return (0, neverthrow_1.okAsync)(resolved);
+        });
+    }
     const parsedRes = (0, index_js_1.parseTokenV1Binary)(raw, ports);
     if (parsedRes.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error));
     }
     const verified = (0, index_js_1.verifyTokenSignatureV1Binary)(parsedRes.value, ports);
     if (verified.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error));
     }
     if (parsedRes.value.payload.tokenKind !== 'checkpoint') {
-        return {
-            ok: false,
-            failure: (0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a checkpoint token (chk1...).', {
-                suggestion: 'Use the checkpointToken returned by WorkRail.',
-            }),
-        };
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a checkpoint token (chk1...).', {
+            suggestion: 'Use the checkpointToken returned by WorkRail.',
+        }));
+    }
+    return (0, neverthrow_1.okAsync)(parsedRes.value);
+}
+function parseContinueTokenOrFail(raw, ports, aliasStore) {
+    if (!raw.startsWith('ct_')) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a continue token (ct_...).', {
+            suggestion: 'Use the continueToken returned by WorkRail.',
+        }));
+    }
+    const parsed = (0, short_token_js_1.parseShortToken)(raw, ports.base64url);
+    if (parsed.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', `Continue token format invalid: ${parsed.error.code}`, {
+            suggestion: 'Use the continueToken returned by WorkRail.',
+        }));
+    }
+    const hmacResult = (0, short_token_js_1.verifyShortTokenHmac)(parsed.value, ports.keyring, ports.hmac, ports.base64url);
+    if (hmacResult.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_BAD_SIGNATURE', 'Continue token HMAC verification failed.', {
+            suggestion: 'Use the exact continueToken returned by WorkRail -- do not modify it.',
+        }));
+    }
+    const entry = aliasStore.lookup(parsed.value.nonceHex);
+    if (!entry) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Continue token not found in alias index (unknown nonce).', {
+            suggestion: 'Use the continueToken returned by WorkRail in the current session.',
+        }));
+    }
+    if (entry.tokenKind !== 'continue') {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Token alias is not a continue token.', {
+            suggestion: 'Use the continueToken returned by WorkRail.',
+        }));
+    }
+    if (!entry.attemptId || !entry.workflowHashRef) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Continue token alias entry is missing required fields.', {
+            suggestion: 'Use the continueToken returned by WorkRail.',
+        }));
+    }
+    return (0, neverthrow_1.okAsync)({
+        sessionId: entry.sessionId,
+        runId: entry.runId,
+        nodeId: entry.nodeId,
+        attemptId: entry.attemptId,
+        workflowHashRef: entry.workflowHashRef,
+    });
+}
+function mintContinueAndCheckpointTokens(args) {
+    const { entry, ports, aliasStore, entropy } = args;
+    const existingContinue = aliasStore.lookupByPosition('continue', entry.sessionId, entry.nodeId, entry.attemptId, entry.aliasSlot);
+    const existingCk = aliasStore.lookupByPosition('checkpoint', entry.sessionId, entry.nodeId, entry.attemptId, entry.aliasSlot);
+    if (existingContinue && existingCk) {
+        const replayContinue = reTokenFromNonceHex('continue', existingContinue.nonceHex, ports);
+        const replayCk = reTokenFromNonceHex('checkpoint', existingCk.nonceHex, ports);
+        if (replayContinue.isOk() && replayCk.isOk()) {
+            return (0, neverthrow_1.okAsync)({
+                continueToken: replayContinue.value,
+                checkpointToken: replayCk.value,
+            });
+        }
+    }
+    const continueNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+    const continueMinted = (0, short_token_js_1.mintShortToken)('continue', continueNonce, ports.keyring, ports.hmac, ports.base64url);
+    if (continueMinted.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Token minting failed: ${continueMinted.error.code}`));
+    }
+    const continueNonceHex = bufToHex(continueNonce);
+    let ckTokenStr;
+    if (existingCk) {
+        const replayCk = reTokenFromNonceHex('checkpoint', existingCk.nonceHex, ports);
+        if (replayCk.isOk()) {
+            const continueEntry = {
+                nonceHex: continueNonceHex, tokenKind: 'continue', aliasSlot: entry.aliasSlot,
+                sessionId: entry.sessionId, runId: entry.runId, nodeId: entry.nodeId,
+                attemptId: entry.attemptId, workflowHashRef: entry.workflowHashRef,
+            };
+            return aliasStore.register(continueEntry)
+                .map(() => ({ continueToken: continueMinted.value, checkpointToken: replayCk.value }))
+                .mapErr((regErr) => (0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Alias registration failed: ${regErr.code}`));
+        }
+        const ckNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+        const ckMinted = (0, short_token_js_1.mintShortToken)('checkpoint', ckNonce, ports.keyring, ports.hmac, ports.base64url);
+        if (ckMinted.isErr())
+            return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Token minting failed: ${ckMinted.error.code}`));
+        ckTokenStr = ckMinted.value;
+        const ckEntry = { nonceHex: bufToHex(ckNonce), tokenKind: 'checkpoint', aliasSlot: entry.aliasSlot, sessionId: entry.sessionId, runId: entry.runId, nodeId: entry.nodeId, attemptId: entry.attemptId };
+        return aliasStore.register({ nonceHex: continueNonceHex, tokenKind: 'continue', aliasSlot: entry.aliasSlot, sessionId: entry.sessionId, runId: entry.runId, nodeId: entry.nodeId, attemptId: entry.attemptId, workflowHashRef: entry.workflowHashRef })
+            .andThen(() => aliasStore.register(ckEntry))
+            .map(() => ({ continueToken: continueMinted.value, checkpointToken: ckTokenStr }))
+            .mapErr((regErr) => (0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Alias registration failed: ${regErr.code}`));
+    }
+    else {
+        const ckNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+        const ckMinted = (0, short_token_js_1.mintShortToken)('checkpoint', ckNonce, ports.keyring, ports.hmac, ports.base64url);
+        if (ckMinted.isErr())
+            return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Token minting failed: ${ckMinted.error.code}`));
+        ckTokenStr = ckMinted.value;
+        const ckEntry = { nonceHex: bufToHex(ckNonce), tokenKind: 'checkpoint', aliasSlot: entry.aliasSlot, sessionId: entry.sessionId, runId: entry.runId, nodeId: entry.nodeId, attemptId: entry.attemptId };
+        return aliasStore.register({ nonceHex: continueNonceHex, tokenKind: 'continue', aliasSlot: entry.aliasSlot, sessionId: entry.sessionId, runId: entry.runId, nodeId: entry.nodeId, attemptId: entry.attemptId, workflowHashRef: entry.workflowHashRef })
+            .andThen(() => aliasStore.register(ckEntry))
+            .map(() => ({ continueToken: continueMinted.value, checkpointToken: ckTokenStr }))
+            .mapErr((regErr) => (0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Alias registration failed: ${regErr.code}`));
+    }
+}
+function reTokenFromNonceHex(kind, nonceHex, ports) {
+    const nonceBytes = hexToBuf(nonceHex);
+    if (!nonceBytes) {
+        return (0, neverthrow_2.err)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Invalid stored nonce hex: ${nonceHex}`));
+    }
+    const result = (0, short_token_js_1.mintShortToken)(kind, nonceBytes, ports.keyring, ports.hmac, ports.base64url);
+    if (result.isErr()) {
+        return (0, neverthrow_2.err)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Failed to reconstruct token from nonce: ${result.error.code}`));
+    }
+    return (0, neverthrow_2.ok)(result.value);
+}
+function mintShortTokenTriple(args) {
+    const { entry, ports, aliasStore, entropy } = args;
+    const existingState = aliasStore.lookupByPosition('state', entry.sessionId, entry.nodeId, undefined, entry.aliasSlot);
+    const existingAck = aliasStore.lookupByPosition('ack', entry.sessionId, entry.nodeId, entry.attemptId, entry.aliasSlot);
+    const existingCk = aliasStore.lookupByPosition('checkpoint', entry.sessionId, entry.nodeId, entry.attemptId, entry.aliasSlot);
+    if (existingState && existingAck && existingCk) {
+        const replayState = reTokenFromNonceHex('state', existingState.nonceHex, ports);
+        const replayAck = reTokenFromNonceHex('ack', existingAck.nonceHex, ports);
+        const replayCk = reTokenFromNonceHex('checkpoint', existingCk.nonceHex, ports);
+        if (replayState.isOk() && replayAck.isOk() && replayCk.isOk()) {
+            return (0, neverthrow_1.okAsync)({
+                stateToken: replayState.value,
+                ackToken: replayAck.value,
+                checkpointToken: replayCk.value,
+            });
+        }
+    }
+    const stateNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+    const ackNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+    const ckNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+    const stateMinted = (0, short_token_js_1.mintShortToken)('state', stateNonce, ports.keyring, ports.hmac, ports.base64url);
+    const ackMinted = (0, short_token_js_1.mintShortToken)('ack', ackNonce, ports.keyring, ports.hmac, ports.base64url);
+    const ckMinted = (0, short_token_js_1.mintShortToken)('checkpoint', ckNonce, ports.keyring, ports.hmac, ports.base64url);
+    if (stateMinted.isErr() || ackMinted.isErr() || ckMinted.isErr()) {
+        const msg = stateMinted.isErr()
+            ? stateMinted.error.code
+            : ackMinted.isErr()
+                ? ackMinted.error.code
+                : ckMinted.isErr()
+                    ? ckMinted.error.code
+                    : 'UNKNOWN';
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Short token minting failed: ${msg}`));
+    }
+    const stateTokenStr = stateMinted.value;
+    const ackTokenStr = ackMinted.value;
+    const ckTokenStr = ckMinted.value;
+    const stateNonceHex = bufToHex(stateNonce);
+    const ackNonceHex = bufToHex(ackNonce);
+    const ckNonceHex = bufToHex(ckNonce);
+    const stateEntry = {
+        nonceHex: stateNonceHex,
+        tokenKind: 'state',
+        aliasSlot: entry.aliasSlot,
+        sessionId: entry.sessionId,
+        runId: entry.runId,
+        nodeId: entry.nodeId,
+        workflowHashRef: entry.workflowHashRef,
+    };
+    const ackEntry = {
+        nonceHex: ackNonceHex,
+        tokenKind: 'ack',
+        aliasSlot: entry.aliasSlot,
+        sessionId: entry.sessionId,
+        runId: entry.runId,
+        nodeId: entry.nodeId,
+        attemptId: entry.attemptId,
+    };
+    const ckEntry = {
+        nonceHex: ckNonceHex,
+        tokenKind: 'checkpoint',
+        aliasSlot: entry.aliasSlot,
+        sessionId: entry.sessionId,
+        runId: entry.runId,
+        nodeId: entry.nodeId,
+        attemptId: entry.attemptId,
+    };
+    return aliasStore.register(stateEntry)
+        .andThen(() => aliasStore.register(ackEntry))
+        .andThen(() => aliasStore.register(ckEntry))
+        .map(() => ({
+        stateToken: stateTokenStr,
+        ackToken: ackTokenStr,
+        checkpointToken: ckTokenStr,
+    }))
+        .mapErr((regErr) => {
+        const detail = regErr.code === 'ALIAS_DUPLICATE_NONCE'
+            ? `duplicate nonce: ${regErr.nonceHex}`
+            : regErr.message;
+        return (0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Token alias registration failed: ${detail}`);
+    });
+}
+function mintSingleShortToken(args) {
+    const { kind, entry, ports, aliasStore, entropy } = args;
+    const lookupAttemptId = kind === 'state' ? undefined : entry.attemptId;
+    const existing = aliasStore.lookupByPosition(kind, entry.sessionId, entry.nodeId, lookupAttemptId, entry.aliasSlot);
+    if (existing) {
+        const rebuilt = reTokenFromNonceHex(kind, existing.nonceHex, ports);
+        if (rebuilt.isOk())
+            return (0, neverthrow_1.okAsync)(rebuilt.value);
+    }
+    const nonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+    const minted = (0, short_token_js_1.mintShortToken)(kind, nonce, ports.keyring, ports.hmac, ports.base64url);
+    if (minted.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Short token minting failed: ${minted.error.code}`));
+    }
+    const tokenStr = minted.value;
+    const nonceHex = bufToHex(nonce);
+    const aliasEntry = {
+        nonceHex,
+        tokenKind: kind,
+        aliasSlot: entry.aliasSlot,
+        sessionId: entry.sessionId,
+        runId: entry.runId,
+        nodeId: entry.nodeId,
+        attemptId: entry.attemptId,
+        workflowHashRef: entry.workflowHashRef,
+    };
+    return aliasStore.register(aliasEntry)
+        .map(() => tokenStr)
+        .mapErr((regErr) => {
+        const detail = regErr.code === 'ALIAS_DUPLICATE_NONCE'
+            ? `duplicate nonce: ${regErr.nonceHex}`
+            : regErr.message;
+        return (0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Token alias registration failed: ${detail}`);
+    });
+}
+function bufToHex(bytes) {
+    return Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+function hexToBuf(hex) {
+    if (hex.length % 2 !== 0)
+        return null;
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < bytes.length; i++) {
+        const byte = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+        if (isNaN(byte))
+            return null;
+        bytes[i] = byte;
     }
-    return { ok: true, token: parsedRes.value };
+    return bytes;
 }
 function newAttemptId(idFactory) {
     return idFactory.mintAttemptId();
@@ -77,6 +417,6 @@ function attemptIdForNextNode(parentAttemptId, sha256) {
 function signTokenOrErr(args) {
     const token = (0, index_js_1.signTokenV1Binary)(args.payload, args.ports);
     if (token.isErr())
-        return (0, neverthrow_1.err)(token.error);
-    return (0, neverthrow_1.ok)(token.value);
+        return (0, neverthrow_2.err)(token.error);
+    return (0, neverthrow_2.ok)(token.value);
 }

package/dist/mcp/handlers/v2-workflow.d.ts

@@ -1,4 +1,4 @@
 import type { ToolContext, ToolResult } from '../types.js';
 import type { V2InspectWorkflowInput, V2ListWorkflowsInput } from '../v2/tools.js';
-export declare function handleV2ListWorkflows(_input: V2ListWorkflowsInput, ctx: ToolContext): Promise<ToolResult<unknown>>;
+export declare function handleV2ListWorkflows(input: V2ListWorkflowsInput, ctx: ToolContext): Promise<ToolResult<unknown>>;
 export declare function handleV2InspectWorkflow(input: V2InspectWorkflowInput, ctx: ToolContext): Promise<ToolResult<unknown>>;

package/dist/mcp/handlers/v2-workflow.js

@@ -11,13 +11,24 @@ const v1_to_v2_shim_js_1 = require("../../v2/read-only/v1-to-v2-shim.js");
 const hashing_js_1 = require("../../v2/durable-core/canonical/hashing.js");
 const TIMEOUT_MS = 30000;
 const with_timeout_js_1 = require("./shared/with-timeout.js");
-async function handleV2ListWorkflows(_input, ctx) {
+const request_workflow_reader_js_1 = require("./shared/request-workflow-reader.js");
+async function handleV2ListWorkflows(input, ctx) {
     const guard = (0, types_js_1.requireV2Context)(ctx);
     if (!guard.ok)
         return guard.error;
     const { crypto, pinnedStore } = guard.ctx.v2;
-    return neverthrow_1.ResultAsync.fromPromise((0, with_timeout_js_1.withTimeout)(ctx.workflowService.listWorkflowSummaries(), TIMEOUT_MS, 'list_workflows'), (err) => (0, error_mapper_js_1.mapUnknownErrorToToolError)(err))
-        .andThen((summaries) => neverthrow_1.ResultAsync.combine(summaries.map((s) => neverthrow_1.ResultAsync.fromPromise(ctx.workflowService.getWorkflowById(s.id), (err) => (0, error_mapper_js_1.mapUnknownErrorToToolError)(err)).andThen((wf) => {
+    const workflowReader = (0, request_workflow_reader_js_1.hasRequestWorkspaceSignal)({
+        workspacePath: input.workspacePath,
+        resolvedRootUris: guard.ctx.v2.resolvedRootUris,
+    })
+        ? (0, request_workflow_reader_js_1.createWorkflowReaderForRequest)({
+            featureFlags: ctx.featureFlags,
+            workspacePath: input.workspacePath,
+            resolvedRootUris: guard.ctx.v2.resolvedRootUris,
+        })
+        : ctx.workflowService;
+    return neverthrow_1.ResultAsync.fromPromise((0, with_timeout_js_1.withTimeout)(workflowReader.listWorkflowSummaries(), TIMEOUT_MS, 'list_workflows'), (err) => (0, error_mapper_js_1.mapUnknownErrorToToolError)(err))
+        .andThen((summaries) => neverthrow_1.ResultAsync.combine(summaries.map((s) => neverthrow_1.ResultAsync.fromPromise(workflowReader.getWorkflowById(s.id), (err) => (0, error_mapper_js_1.mapUnknownErrorToToolError)(err)).andThen((wf) => {
         if (!wf) {
             return (0, neverthrow_1.okAsync)({
                 workflowId: s.id,
@@ -79,7 +90,17 @@ async function handleV2InspectWorkflow(input, ctx) {
     if (!guard.ok)
         return guard.error;
     const { crypto, pinnedStore } = guard.ctx.v2;
-    return neverthrow_1.ResultAsync.fromPromise((0, with_timeout_js_1.withTimeout)(ctx.workflowService.getWorkflowById(input.workflowId), TIMEOUT_MS, 'inspect_workflow'), (err) => (0, error_mapper_js_1.mapUnknownErrorToToolError)(err))
+    const workflowReader = (0, request_workflow_reader_js_1.hasRequestWorkspaceSignal)({
+        workspacePath: input.workspacePath,
+        resolvedRootUris: guard.ctx.v2.resolvedRootUris,
+    })
+        ? (0, request_workflow_reader_js_1.createWorkflowReaderForRequest)({
+            featureFlags: ctx.featureFlags,
+            workspacePath: input.workspacePath,
+            resolvedRootUris: guard.ctx.v2.resolvedRootUris,
+        })
+        : ctx.workflowService;
+    return neverthrow_1.ResultAsync.fromPromise((0, with_timeout_js_1.withTimeout)(workflowReader.getWorkflowById(input.workflowId), TIMEOUT_MS, 'inspect_workflow'), (err) => (0, error_mapper_js_1.mapUnknownErrorToToolError)(err))
         .andThen((workflow) => {
         if (!workflow) {
             return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('NOT_FOUND', `Workflow not found: ${input.workflowId}`));