@exaudeus/workrail 2.1.0 → 3.1.0

package/dist/mcp/handlers/v2-execution/start.js

@@ -183,51 +183,22 @@ function buildInitialEvents(args) {
     return mutableEvents;
 }
 function mintStartTokens(args) {
-    const { sessionId, runId, nodeId, attemptId, workflowHashRef, ports } = args;
-    const statePayload = {
-        tokenVersion: 1,
-        tokenKind: 'state',
-        sessionId,
-        runId,
-        nodeId,
-        workflowHashRef,
+    const { sessionId, runId, nodeId, attemptId, workflowHashRef, ports, aliasStore, entropy } = args;
+    const entryBase = {
+        sessionId: String(sessionId),
+        runId: String(runId),
+        nodeId: String(nodeId),
+        attemptId: String(attemptId),
+        workflowHashRef: String(workflowHashRef),
     };
-    const ackPayload = {
-        tokenVersion: 1,
-        tokenKind: 'ack',
-        sessionId,
-        runId,
-        nodeId,
-        attemptId,
-    };
-    const checkpointPayload = {
-        tokenVersion: 1,
-        tokenKind: 'checkpoint',
-        sessionId,
-        runId,
-        nodeId,
-        attemptId,
-    };
-    const stateTokenRes = (0, v2_token_ops_js_1.signTokenOrErr)({ payload: statePayload, ports });
-    if (stateTokenRes.isErr()) {
-        return (0, neverthrow_1.errAsync)({ kind: 'token_signing_failed', cause: stateTokenRes.error });
-    }
-    const ackTokenRes = (0, v2_token_ops_js_1.signTokenOrErr)({ payload: ackPayload, ports });
-    if (ackTokenRes.isErr()) {
-        return (0, neverthrow_1.errAsync)({ kind: 'token_signing_failed', cause: ackTokenRes.error });
-    }
-    const checkpointTokenRes = (0, v2_token_ops_js_1.signTokenOrErr)({ payload: checkpointPayload, ports });
-    if (checkpointTokenRes.isErr()) {
-        return (0, neverthrow_1.errAsync)({ kind: 'token_signing_failed', cause: checkpointTokenRes.error });
-    }
-    return (0, neverthrow_1.okAsync)({
-        stateToken: stateTokenRes.value,
-        ackToken: ackTokenRes.value,
-        checkpointToken: checkpointTokenRes.value,
-    });
+    return (0, v2_token_ops_js_1.mintContinueAndCheckpointTokens)({ entry: entryBase, ports, aliasStore, entropy })
+        .mapErr((failure) => ({
+        kind: 'token_signing_failed',
+        cause: failure,
+    }));
 }
 function executeStartWorkflow(input, ctx) {
-    const { gate, sessionStore, snapshotStore, pinnedStore, crypto, tokenCodecPorts, idFactory, validationPipelineDeps } = ctx.v2;
+    const { gate, sessionStore, snapshotStore, pinnedStore, crypto, tokenCodecPorts, idFactory, validationPipelineDeps, tokenAliasStore, entropy } = ctx.v2;
     const workflowReader = (0, request_workflow_reader_js_1.hasRequestWorkspaceSignal)({
         workspacePath: input.workspacePath,
         resolvedRootUris: ctx.v2.resolvedRootUris,
@@ -315,6 +286,8 @@ function executeStartWorkflow(input, ctx) {
             attemptId,
             workflowHashRef: wfRefRes.value,
             ports: tokenCodecPorts,
+            aliasStore: tokenAliasStore,
+            entropy,
         }).andThen((tokens) => {
             const metaResult = (0, prompt_renderer_js_1.renderPendingPrompt)({
                 workflow: pinnedWorkflow,
@@ -332,18 +305,17 @@ function executeStartWorkflow(input, ctx) {
                 });
             }
             const meta = metaResult.value;
-            const pending = { stepId: meta.stepId, title: meta.title, prompt: meta.prompt };
+            const pending = (0, output_schemas_js_1.toPendingStep)(meta);
             const preferences = v2_execution_helpers_js_1.defaultPreferences;
             const nextIntent = (0, v2_state_conversion_js_1.deriveNextIntent)({ rehydrateOnly: false, isComplete: false, pending: meta });
             return (0, neverthrow_1.okAsync)(output_schemas_js_1.V2StartWorkflowOutputSchema.parse({
-                stateToken: tokens.stateToken,
-                ackToken: tokens.ackToken,
+                continueToken: tokens.continueToken,
                 checkpointToken: tokens.checkpointToken,
                 isComplete: false,
                 pending,
                 preferences,
                 nextIntent,
-                nextCall: (0, index_js_2.buildNextCall)({ stateToken: tokens.stateToken, ackToken: tokens.ackToken, isComplete: false, pending }),
+                nextCall: (0, index_js_2.buildNextCall)({ continueToken: tokens.continueToken, isComplete: false, pending }),
             }));
         });
     });

package/dist/mcp/handlers/v2-token-ops.d.ts

@@ -1,38 +1,59 @@
+import type { ResultAsync } from 'neverthrow';
 import type { Result } from 'neverthrow';
 import { type ParsedTokenV1Binary, type TokenDecodeErrorV2, type TokenVerifyErrorV2, type TokenSignErrorV2, type TokenPayloadV1, type AttemptId } from '../../v2/durable-core/tokens/index.js';
 import type { TokenCodecPorts } from '../../v2/durable-core/tokens/token-codec-ports.js';
 import type { Sha256PortV2 } from '../../v2/ports/sha256.port.js';
 import { type ToolFailure } from './v2-execution-helpers.js';
+import type { TokenAliasStorePortV2, TokenAliasEntryV2 } from '../../v2/ports/token-alias-store.port.js';
+import type { RandomEntropyPortV2 } from '../../v2/ports/random-entropy.port.js';
+import type { StateTokenPayloadV1, AckTokenPayloadV1, CheckpointTokenPayloadV1 } from '../../v2/durable-core/tokens/payloads.js';
 export type StateTokenInput = ParsedTokenV1Binary & {
-    readonly payload: import('../../v2/durable-core/tokens/payloads.js').StateTokenPayloadV1;
+    readonly payload: StateTokenPayloadV1;
 };
 export type AckTokenInput = ParsedTokenV1Binary & {
-    readonly payload: import('../../v2/durable-core/tokens/payloads.js').AckTokenPayloadV1;
+    readonly payload: AckTokenPayloadV1;
 };
 export type CheckpointTokenInput = ParsedTokenV1Binary & {
-    readonly payload: import('../../v2/durable-core/tokens/payloads.js').CheckpointTokenPayloadV1;
-};
-export declare function parseStateTokenOrFail(raw: string, ports: TokenCodecPorts): {
-    ok: true;
-    token: StateTokenInput;
-} | {
-    ok: false;
-    failure: ToolFailure;
-};
-export declare function parseAckTokenOrFail(raw: string, ports: TokenCodecPorts): {
-    ok: true;
-    token: AckTokenInput;
-} | {
-    ok: false;
-    failure: ToolFailure;
-};
-export declare function parseCheckpointTokenOrFail(raw: string, ports: TokenCodecPorts): {
-    ok: true;
-    token: CheckpointTokenInput;
-} | {
-    ok: false;
-    failure: ToolFailure;
+    readonly payload: CheckpointTokenPayloadV1;
 };
+export interface ContinueTokenResolved {
+    readonly sessionId: string;
+    readonly runId: string;
+    readonly nodeId: string;
+    readonly attemptId: string;
+    readonly workflowHashRef: string;
+}
+export declare function parseStateTokenOrFail(raw: string, ports: TokenCodecPorts, aliasStore: TokenAliasStorePortV2): ResultAsync<StateTokenInput, ToolFailure>;
+export declare function parseAckTokenOrFail(raw: string, ports: TokenCodecPorts, aliasStore: TokenAliasStorePortV2): ResultAsync<AckTokenInput, ToolFailure>;
+export declare function parseCheckpointTokenOrFail(raw: string, ports: TokenCodecPorts, aliasStore: TokenAliasStorePortV2): ResultAsync<CheckpointTokenInput, ToolFailure>;
+export declare function parseContinueTokenOrFail(raw: string, ports: TokenCodecPorts, aliasStore: TokenAliasStorePortV2): ResultAsync<ContinueTokenResolved, ToolFailure>;
+export interface ContinueAndCheckpointTokens {
+    readonly continueToken: string;
+    readonly checkpointToken: string;
+}
+export declare function mintContinueAndCheckpointTokens(args: Omit<MintShortTokenTripleArgs, 'entry'> & {
+    readonly entry: Omit<TokenAliasEntryV2, 'nonceHex' | 'tokenKind'>;
+}): ResultAsync<ContinueAndCheckpointTokens, ToolFailure>;
+export interface ShortTokenTriple {
+    readonly stateToken: string;
+    readonly ackToken: string;
+    readonly checkpointToken: string;
+}
+export interface MintShortTokenTripleArgs {
+    readonly entry: Omit<TokenAliasEntryV2, 'nonceHex' | 'tokenKind'>;
+    readonly ports: TokenCodecPorts;
+    readonly aliasStore: TokenAliasStorePortV2;
+    readonly entropy: RandomEntropyPortV2;
+}
+export declare function mintShortTokenTriple(args: MintShortTokenTripleArgs): ResultAsync<ShortTokenTriple, ToolFailure>;
+export interface MintSingleShortTokenArgs {
+    readonly kind: import('../../v2/durable-core/tokens/short-token.js').ShortTokenKind;
+    readonly entry: Omit<TokenAliasEntryV2, 'nonceHex' | 'tokenKind'>;
+    readonly ports: TokenCodecPorts;
+    readonly aliasStore: TokenAliasStorePortV2;
+    readonly entropy: RandomEntropyPortV2;
+}
+export declare function mintSingleShortToken(args: MintSingleShortTokenArgs): ResultAsync<string, ToolFailure>;
 export declare function newAttemptId(idFactory: {
     readonly mintAttemptId: () => AttemptId;
 }): AttemptId;

package/dist/mcp/handlers/v2-token-ops.js

@@ -3,70 +3,410 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.parseStateTokenOrFail = parseStateTokenOrFail;
 exports.parseAckTokenOrFail = parseAckTokenOrFail;
 exports.parseCheckpointTokenOrFail = parseCheckpointTokenOrFail;
+exports.parseContinueTokenOrFail = parseContinueTokenOrFail;
+exports.mintContinueAndCheckpointTokens = mintContinueAndCheckpointTokens;
+exports.mintShortTokenTriple = mintShortTokenTriple;
+exports.mintSingleShortToken = mintSingleShortToken;
 exports.newAttemptId = newAttemptId;
 exports.attemptIdForNextNode = attemptIdForNextNode;
 exports.signTokenOrErr = signTokenOrErr;
 const neverthrow_1 = require("neverthrow");
+const neverthrow_2 = require("neverthrow");
 const index_js_1 = require("../../v2/durable-core/tokens/index.js");
 const attempt_id_derivation_js_1 = require("../../v2/durable-core/ids/attempt-id-derivation.js");
 const types_js_1 = require("../types.js");
 const v2_execution_helpers_js_1 = require("./v2-execution-helpers.js");
-function parseStateTokenOrFail(raw, ports) {
+const short_token_js_1 = require("../../v2/durable-core/tokens/short-token.js");
+const index_js_2 = require("../../v2/durable-core/ids/index.js");
+function resolveShortToken(raw, ports, aliasStore) {
+    const parsed = (0, short_token_js_1.parseShortToken)(raw, ports.base64url);
+    if (parsed.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', `Short token format invalid: ${parsed.error.code}`, {
+            suggestion: 'Use the token returned by WorkRail (st_... / ak_... / ck_...).',
+        }));
+    }
+    const hmacResult = (0, short_token_js_1.verifyShortTokenHmac)(parsed.value, ports.keyring, ports.hmac, ports.base64url);
+    if (hmacResult.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_BAD_SIGNATURE', 'Short token HMAC verification failed.', {
+            suggestion: 'Use the exact token returned by WorkRail — do not modify it.',
+        }));
+    }
+    const entry = aliasStore.lookup(parsed.value.nonceHex);
+    if (!entry) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Short token not found in alias index (unknown nonce).', {
+            suggestion: 'Use the token returned by WorkRail in the current session.',
+        }));
+    }
+    let payload;
+    if (entry.tokenKind === 'state') {
+        if (!entry.workflowHashRef) {
+            return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Alias entry for state token is missing workflowHashRef.'));
+        }
+        const statePayload = {
+            tokenVersion: 1,
+            tokenKind: 'state',
+            sessionId: (0, index_js_2.asSessionId)(entry.sessionId),
+            runId: (0, index_js_2.asRunId)(entry.runId),
+            nodeId: (0, index_js_2.asNodeId)(entry.nodeId),
+            workflowHashRef: (0, index_js_2.asWorkflowHashRef)(entry.workflowHashRef),
+        };
+        payload = statePayload;
+    }
+    else if (entry.tokenKind === 'ack') {
+        if (!entry.attemptId) {
+            return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Alias entry for ack token is missing attemptId.'));
+        }
+        const ackPayload = {
+            tokenVersion: 1,
+            tokenKind: 'ack',
+            sessionId: (0, index_js_2.asSessionId)(entry.sessionId),
+            runId: (0, index_js_2.asRunId)(entry.runId),
+            nodeId: (0, index_js_2.asNodeId)(entry.nodeId),
+            attemptId: (0, index_js_2.asAttemptId)(entry.attemptId),
+        };
+        payload = ackPayload;
+    }
+    else {
+        if (!entry.attemptId) {
+            return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Alias entry for checkpoint token is missing attemptId.'));
+        }
+        const ckPayload = {
+            tokenVersion: 1,
+            tokenKind: 'checkpoint',
+            sessionId: (0, index_js_2.asSessionId)(entry.sessionId),
+            runId: (0, index_js_2.asRunId)(entry.runId),
+            nodeId: (0, index_js_2.asNodeId)(entry.nodeId),
+            attemptId: (0, index_js_2.asAttemptId)(entry.attemptId),
+        };
+        payload = ckPayload;
+    }
+    const synthetic = {
+        hrp: entry.tokenKind === 'state' ? 'st' : entry.tokenKind === 'ack' ? 'ack' : 'chk',
+        version: '1',
+        payloadBytes: new Uint8Array(66),
+        signatureBytes: new Uint8Array(32),
+        payload,
+    };
+    return (0, neverthrow_1.okAsync)(synthetic);
+}
+function parseStateTokenOrFail(raw, ports, aliasStore) {
+    if (raw.startsWith('st_')) {
+        return resolveShortToken(raw, ports, aliasStore).andThen((resolved) => {
+            if (resolved.payload.tokenKind !== 'state') {
+                return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a state token (st_... or st1...).', {
+                    suggestion: 'Use the stateToken returned by WorkRail.',
+                }));
+            }
+            return (0, neverthrow_1.okAsync)(resolved);
+        });
+    }
     const parsedRes = (0, index_js_1.parseTokenV1Binary)(raw, ports);
     if (parsedRes.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error));
     }
     const verified = (0, index_js_1.verifyTokenSignatureV1Binary)(parsedRes.value, ports);
     if (verified.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error));
     }
     if (parsedRes.value.payload.tokenKind !== 'state') {
-        return {
-            ok: false,
-            failure: (0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a state token (st1...).', {
-                suggestion: 'Use the stateToken returned by WorkRail.',
-            }),
-        };
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a state token (st1...).', {
+            suggestion: 'Use the stateToken returned by WorkRail.',
+        }));
     }
-    return { ok: true, token: parsedRes.value };
+    return (0, neverthrow_1.okAsync)(parsedRes.value);
 }
-function parseAckTokenOrFail(raw, ports) {
+function parseAckTokenOrFail(raw, ports, aliasStore) {
+    if (raw.startsWith('ak_')) {
+        return resolveShortToken(raw, ports, aliasStore).andThen((resolved) => {
+            if (resolved.payload.tokenKind !== 'ack') {
+                return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected an ack token (ak_... or ack1...).', {
+                    suggestion: 'Use the ackToken returned by WorkRail.',
+                }));
+            }
+            return (0, neverthrow_1.okAsync)(resolved);
+        });
+    }
     const parsedRes = (0, index_js_1.parseTokenV1Binary)(raw, ports);
     if (parsedRes.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error));
     }
     const verified = (0, index_js_1.verifyTokenSignatureV1Binary)(parsedRes.value, ports);
     if (verified.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error));
     }
     if (parsedRes.value.payload.tokenKind !== 'ack') {
-        return {
-            ok: false,
-            failure: (0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected an ack token (ack1...).', {
-                suggestion: 'Use the ackToken returned by WorkRail.',
-            }),
-        };
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected an ack token (ack1...).', {
+            suggestion: 'Use the ackToken returned by WorkRail.',
+        }));
     }
-    return { ok: true, token: parsedRes.value };
+    return (0, neverthrow_1.okAsync)(parsedRes.value);
 }
-function parseCheckpointTokenOrFail(raw, ports) {
+function parseCheckpointTokenOrFail(raw, ports, aliasStore) {
+    if (raw.startsWith('ck_')) {
+        return resolveShortToken(raw, ports, aliasStore).andThen((resolved) => {
+            if (resolved.payload.tokenKind !== 'checkpoint') {
+                return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a checkpoint token (ck_... or chk1...).', {
+                    suggestion: 'Use the checkpointToken returned by WorkRail.',
+                }));
+            }
+            return (0, neverthrow_1.okAsync)(resolved);
+        });
+    }
     const parsedRes = (0, index_js_1.parseTokenV1Binary)(raw, ports);
     if (parsedRes.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenDecodeErrorToToolError)(parsedRes.error));
     }
     const verified = (0, index_js_1.verifyTokenSignatureV1Binary)(parsedRes.value, ports);
     if (verified.isErr()) {
-        return { ok: false, failure: (0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error) };
+        return (0, neverthrow_1.errAsync)((0, v2_execution_helpers_js_1.mapTokenVerifyErrorToToolError)(verified.error));
     }
     if (parsedRes.value.payload.tokenKind !== 'checkpoint') {
-        return {
-            ok: false,
-            failure: (0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a checkpoint token (chk1...).', {
-                suggestion: 'Use the checkpointToken returned by WorkRail.',
-            }),
-        };
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a checkpoint token (chk1...).', {
+            suggestion: 'Use the checkpointToken returned by WorkRail.',
+        }));
+    }
+    return (0, neverthrow_1.okAsync)(parsedRes.value);
+}
+function parseContinueTokenOrFail(raw, ports, aliasStore) {
+    if (!raw.startsWith('ct_')) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Expected a continue token (ct_...).', {
+            suggestion: 'Use the continueToken returned by WorkRail.',
+        }));
+    }
+    const parsed = (0, short_token_js_1.parseShortToken)(raw, ports.base64url);
+    if (parsed.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', `Continue token format invalid: ${parsed.error.code}`, {
+            suggestion: 'Use the continueToken returned by WorkRail.',
+        }));
+    }
+    const hmacResult = (0, short_token_js_1.verifyShortTokenHmac)(parsed.value, ports.keyring, ports.hmac, ports.base64url);
+    if (hmacResult.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_BAD_SIGNATURE', 'Continue token HMAC verification failed.', {
+            suggestion: 'Use the exact continueToken returned by WorkRail -- do not modify it.',
+        }));
+    }
+    const entry = aliasStore.lookup(parsed.value.nonceHex);
+    if (!entry) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Continue token not found in alias index (unknown nonce).', {
+            suggestion: 'Use the continueToken returned by WorkRail in the current session.',
+        }));
+    }
+    if (entry.tokenKind !== 'continue') {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Token alias is not a continue token.', {
+            suggestion: 'Use the continueToken returned by WorkRail.',
+        }));
+    }
+    if (!entry.attemptId || !entry.workflowHashRef) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('TOKEN_INVALID_FORMAT', 'Continue token alias entry is missing required fields.', {
+            suggestion: 'Use the continueToken returned by WorkRail.',
+        }));
+    }
+    return (0, neverthrow_1.okAsync)({
+        sessionId: entry.sessionId,
+        runId: entry.runId,
+        nodeId: entry.nodeId,
+        attemptId: entry.attemptId,
+        workflowHashRef: entry.workflowHashRef,
+    });
+}
+function mintContinueAndCheckpointTokens(args) {
+    const { entry, ports, aliasStore, entropy } = args;
+    const existingContinue = aliasStore.lookupByPosition('continue', entry.sessionId, entry.nodeId, entry.attemptId, entry.aliasSlot);
+    const existingCk = aliasStore.lookupByPosition('checkpoint', entry.sessionId, entry.nodeId, entry.attemptId, entry.aliasSlot);
+    if (existingContinue && existingCk) {
+        const replayContinue = reTokenFromNonceHex('continue', existingContinue.nonceHex, ports);
+        const replayCk = reTokenFromNonceHex('checkpoint', existingCk.nonceHex, ports);
+        if (replayContinue.isOk() && replayCk.isOk()) {
+            return (0, neverthrow_1.okAsync)({
+                continueToken: replayContinue.value,
+                checkpointToken: replayCk.value,
+            });
+        }
+    }
+    const continueNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+    const continueMinted = (0, short_token_js_1.mintShortToken)('continue', continueNonce, ports.keyring, ports.hmac, ports.base64url);
+    if (continueMinted.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Token minting failed: ${continueMinted.error.code}`));
+    }
+    const continueNonceHex = bufToHex(continueNonce);
+    let ckTokenStr;
+    if (existingCk) {
+        const replayCk = reTokenFromNonceHex('checkpoint', existingCk.nonceHex, ports);
+        if (replayCk.isOk()) {
+            const continueEntry = {
+                nonceHex: continueNonceHex, tokenKind: 'continue', aliasSlot: entry.aliasSlot,
+                sessionId: entry.sessionId, runId: entry.runId, nodeId: entry.nodeId,
+                attemptId: entry.attemptId, workflowHashRef: entry.workflowHashRef,
+            };
+            return aliasStore.register(continueEntry)
+                .map(() => ({ continueToken: continueMinted.value, checkpointToken: replayCk.value }))
+                .mapErr((regErr) => (0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Alias registration failed: ${regErr.code}`));
+        }
+        const ckNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+        const ckMinted = (0, short_token_js_1.mintShortToken)('checkpoint', ckNonce, ports.keyring, ports.hmac, ports.base64url);
+        if (ckMinted.isErr())
+            return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Token minting failed: ${ckMinted.error.code}`));
+        ckTokenStr = ckMinted.value;
+        const ckEntry = { nonceHex: bufToHex(ckNonce), tokenKind: 'checkpoint', aliasSlot: entry.aliasSlot, sessionId: entry.sessionId, runId: entry.runId, nodeId: entry.nodeId, attemptId: entry.attemptId };
+        return aliasStore.register({ nonceHex: continueNonceHex, tokenKind: 'continue', aliasSlot: entry.aliasSlot, sessionId: entry.sessionId, runId: entry.runId, nodeId: entry.nodeId, attemptId: entry.attemptId, workflowHashRef: entry.workflowHashRef })
+            .andThen(() => aliasStore.register(ckEntry))
+            .map(() => ({ continueToken: continueMinted.value, checkpointToken: ckTokenStr }))
+            .mapErr((regErr) => (0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Alias registration failed: ${regErr.code}`));
+    }
+    else {
+        const ckNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+        const ckMinted = (0, short_token_js_1.mintShortToken)('checkpoint', ckNonce, ports.keyring, ports.hmac, ports.base64url);
+        if (ckMinted.isErr())
+            return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Token minting failed: ${ckMinted.error.code}`));
+        ckTokenStr = ckMinted.value;
+        const ckEntry = { nonceHex: bufToHex(ckNonce), tokenKind: 'checkpoint', aliasSlot: entry.aliasSlot, sessionId: entry.sessionId, runId: entry.runId, nodeId: entry.nodeId, attemptId: entry.attemptId };
+        return aliasStore.register({ nonceHex: continueNonceHex, tokenKind: 'continue', aliasSlot: entry.aliasSlot, sessionId: entry.sessionId, runId: entry.runId, nodeId: entry.nodeId, attemptId: entry.attemptId, workflowHashRef: entry.workflowHashRef })
+            .andThen(() => aliasStore.register(ckEntry))
+            .map(() => ({ continueToken: continueMinted.value, checkpointToken: ckTokenStr }))
+            .mapErr((regErr) => (0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Alias registration failed: ${regErr.code}`));
+    }
+}
+function reTokenFromNonceHex(kind, nonceHex, ports) {
+    const nonceBytes = hexToBuf(nonceHex);
+    if (!nonceBytes) {
+        return (0, neverthrow_2.err)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Invalid stored nonce hex: ${nonceHex}`));
+    }
+    const result = (0, short_token_js_1.mintShortToken)(kind, nonceBytes, ports.keyring, ports.hmac, ports.base64url);
+    if (result.isErr()) {
+        return (0, neverthrow_2.err)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Failed to reconstruct token from nonce: ${result.error.code}`));
+    }
+    return (0, neverthrow_2.ok)(result.value);
+}
+function mintShortTokenTriple(args) {
+    const { entry, ports, aliasStore, entropy } = args;
+    const existingState = aliasStore.lookupByPosition('state', entry.sessionId, entry.nodeId, undefined, entry.aliasSlot);
+    const existingAck = aliasStore.lookupByPosition('ack', entry.sessionId, entry.nodeId, entry.attemptId, entry.aliasSlot);
+    const existingCk = aliasStore.lookupByPosition('checkpoint', entry.sessionId, entry.nodeId, entry.attemptId, entry.aliasSlot);
+    if (existingState && existingAck && existingCk) {
+        const replayState = reTokenFromNonceHex('state', existingState.nonceHex, ports);
+        const replayAck = reTokenFromNonceHex('ack', existingAck.nonceHex, ports);
+        const replayCk = reTokenFromNonceHex('checkpoint', existingCk.nonceHex, ports);
+        if (replayState.isOk() && replayAck.isOk() && replayCk.isOk()) {
+            return (0, neverthrow_1.okAsync)({
+                stateToken: replayState.value,
+                ackToken: replayAck.value,
+                checkpointToken: replayCk.value,
+            });
+        }
+    }
+    const stateNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+    const ackNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+    const ckNonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+    const stateMinted = (0, short_token_js_1.mintShortToken)('state', stateNonce, ports.keyring, ports.hmac, ports.base64url);
+    const ackMinted = (0, short_token_js_1.mintShortToken)('ack', ackNonce, ports.keyring, ports.hmac, ports.base64url);
+    const ckMinted = (0, short_token_js_1.mintShortToken)('checkpoint', ckNonce, ports.keyring, ports.hmac, ports.base64url);
+    if (stateMinted.isErr() || ackMinted.isErr() || ckMinted.isErr()) {
+        const msg = stateMinted.isErr()
+            ? stateMinted.error.code
+            : ackMinted.isErr()
+                ? ackMinted.error.code
+                : ckMinted.isErr()
+                    ? ckMinted.error.code
+                    : 'UNKNOWN';
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Short token minting failed: ${msg}`));
+    }
+    const stateTokenStr = stateMinted.value;
+    const ackTokenStr = ackMinted.value;
+    const ckTokenStr = ckMinted.value;
+    const stateNonceHex = bufToHex(stateNonce);
+    const ackNonceHex = bufToHex(ackNonce);
+    const ckNonceHex = bufToHex(ckNonce);
+    const stateEntry = {
+        nonceHex: stateNonceHex,
+        tokenKind: 'state',
+        aliasSlot: entry.aliasSlot,
+        sessionId: entry.sessionId,
+        runId: entry.runId,
+        nodeId: entry.nodeId,
+        workflowHashRef: entry.workflowHashRef,
+    };
+    const ackEntry = {
+        nonceHex: ackNonceHex,
+        tokenKind: 'ack',
+        aliasSlot: entry.aliasSlot,
+        sessionId: entry.sessionId,
+        runId: entry.runId,
+        nodeId: entry.nodeId,
+        attemptId: entry.attemptId,
+    };
+    const ckEntry = {
+        nonceHex: ckNonceHex,
+        tokenKind: 'checkpoint',
+        aliasSlot: entry.aliasSlot,
+        sessionId: entry.sessionId,
+        runId: entry.runId,
+        nodeId: entry.nodeId,
+        attemptId: entry.attemptId,
+    };
+    return aliasStore.register(stateEntry)
+        .andThen(() => aliasStore.register(ackEntry))
+        .andThen(() => aliasStore.register(ckEntry))
+        .map(() => ({
+        stateToken: stateTokenStr,
+        ackToken: ackTokenStr,
+        checkpointToken: ckTokenStr,
+    }))
+        .mapErr((regErr) => {
+        const detail = regErr.code === 'ALIAS_DUPLICATE_NONCE'
+            ? `duplicate nonce: ${regErr.nonceHex}`
+            : regErr.message;
+        return (0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Token alias registration failed: ${detail}`);
+    });
+}
+function mintSingleShortToken(args) {
+    const { kind, entry, ports, aliasStore, entropy } = args;
+    const lookupAttemptId = kind === 'state' ? undefined : entry.attemptId;
+    const existing = aliasStore.lookupByPosition(kind, entry.sessionId, entry.nodeId, lookupAttemptId, entry.aliasSlot);
+    if (existing) {
+        const rebuilt = reTokenFromNonceHex(kind, existing.nonceHex, ports);
+        if (rebuilt.isOk())
+            return (0, neverthrow_1.okAsync)(rebuilt.value);
+    }
+    const nonce = entropy.generateBytes(short_token_js_1.SHORT_TOKEN_NONCE_BYTES);
+    const minted = (0, short_token_js_1.mintShortToken)(kind, nonce, ports.keyring, ports.hmac, ports.base64url);
+    if (minted.isErr()) {
+        return (0, neverthrow_1.errAsync)((0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Short token minting failed: ${minted.error.code}`));
+    }
+    const tokenStr = minted.value;
+    const nonceHex = bufToHex(nonce);
+    const aliasEntry = {
+        nonceHex,
+        tokenKind: kind,
+        aliasSlot: entry.aliasSlot,
+        sessionId: entry.sessionId,
+        runId: entry.runId,
+        nodeId: entry.nodeId,
+        attemptId: entry.attemptId,
+        workflowHashRef: entry.workflowHashRef,
+    };
+    return aliasStore.register(aliasEntry)
+        .map(() => tokenStr)
+        .mapErr((regErr) => {
+        const detail = regErr.code === 'ALIAS_DUPLICATE_NONCE'
+            ? `duplicate nonce: ${regErr.nonceHex}`
+            : regErr.message;
+        return (0, types_js_1.errNotRetryable)('INTERNAL_ERROR', `Token alias registration failed: ${detail}`);
+    });
+}
+function bufToHex(bytes) {
+    return Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+function hexToBuf(hex) {
+    if (hex.length % 2 !== 0)
+        return null;
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < bytes.length; i++) {
+        const byte = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+        if (isNaN(byte))
+            return null;
+        bytes[i] = byte;
     }
-    return { ok: true, token: parsedRes.value };
+    return bytes;
 }
 function newAttemptId(idFactory) {
     return idFactory.mintAttemptId();
@@ -77,6 +417,6 @@ function attemptIdForNextNode(parentAttemptId, sha256) {
 function signTokenOrErr(args) {
     const token = (0, index_js_1.signTokenV1Binary)(args.payload, args.ports);
     if (token.isErr())
-        return (0, neverthrow_1.err)(token.error);
-    return (0, neverthrow_1.ok)(token.value);
+        return (0, neverthrow_2.err)(token.error);
+    return (0, neverthrow_2.ok)(token.value);
 }