@exaudeus/workrail 2.1.0 → 3.1.0

package/dist/v2/durable-core/schemas/session/events.d.ts

@@ -874,8 +874,8 @@ export declare const DomainEventV1Schema: z.ZodDiscriminatedUnion<"kind", [z.Zod
         }>;
     }, "strict", z.ZodTypeAny, {
         contractRef: string;
-        validationId: string;
         attemptId: string;
+        validationId: string;
         result: {
             issues: readonly string[];
             valid: boolean;
@@ -883,8 +883,8 @@ export declare const DomainEventV1Schema: z.ZodDiscriminatedUnion<"kind", [z.Zod
         };
     }, {
         contractRef: string;
-        validationId: string;
         attemptId: string;
+        validationId: string;
         result: {
             issues: readonly string[];
             valid: boolean;
@@ -896,8 +896,8 @@ export declare const DomainEventV1Schema: z.ZodDiscriminatedUnion<"kind", [z.Zod
     sessionId: string;
     data: {
         contractRef: string;
-        validationId: string;
         attemptId: string;
+        validationId: string;
         result: {
             issues: readonly string[];
             valid: boolean;
@@ -917,8 +917,8 @@ export declare const DomainEventV1Schema: z.ZodDiscriminatedUnion<"kind", [z.Zod
     sessionId: string;
     data: {
         contractRef: string;
-        validationId: string;
         attemptId: string;
+        validationId: string;
         result: {
             issues: readonly string[];
             valid: boolean;

package/dist/v2/durable-core/schemas/session/validation-event.d.ts

@@ -47,8 +47,8 @@ export declare const ValidationPerformedDataV1Schema: z.ZodObject<{
     }>;
 }, "strict", z.ZodTypeAny, {
     contractRef: string;
-    validationId: string;
     attemptId: string;
+    validationId: string;
     result: {
         issues: readonly string[];
         valid: boolean;
@@ -56,8 +56,8 @@ export declare const ValidationPerformedDataV1Schema: z.ZodObject<{
     };
 }, {
     contractRef: string;
-    validationId: string;
     attemptId: string;
+    validationId: string;
     result: {
         issues: readonly string[];
         valid: boolean;

package/dist/v2/durable-core/tokens/payloads.d.ts

@@ -17,24 +17,24 @@ export declare const StateTokenPayloadV1Schema: z.ZodObject<{
     sessionId: string & {
         readonly __brand: "v2.SessionId";
     };
+    tokenKind: "state";
     runId: string & {
         readonly __brand: "v2.RunId";
     };
     nodeId: string & {
         readonly __brand: "v2.NodeId";
     };
-    tokenVersion: 1;
-    tokenKind: "state";
     workflowHashRef: string & {
         readonly __brand: "v2.WorkflowHashRef";
     };
+    tokenVersion: 1;
 }, {
     sessionId: string;
+    tokenKind: "state";
     runId: string;
     nodeId: string;
-    tokenVersion: 1;
-    tokenKind: "state";
     workflowHashRef: string;
+    tokenVersion: 1;
 }>;
 export type StateTokenPayloadV1 = z.infer<typeof StateTokenPayloadV1Schema> & {
     readonly tokenVersion: TokenVersionV1;
@@ -55,24 +55,24 @@ export declare const AckTokenPayloadV1Schema: z.ZodObject<{
     sessionId: string & {
         readonly __brand: "v2.SessionId";
     };
-    attemptId: string & {
-        readonly __brand: "v2.AttemptId";
-    };
+    tokenKind: "ack";
     runId: string & {
         readonly __brand: "v2.RunId";
     };
     nodeId: string & {
         readonly __brand: "v2.NodeId";
     };
+    attemptId: string & {
+        readonly __brand: "v2.AttemptId";
+    };
     tokenVersion: 1;
-    tokenKind: "ack";
 }, {
     sessionId: string;
-    attemptId: string;
+    tokenKind: "ack";
     runId: string;
     nodeId: string;
+    attemptId: string;
     tokenVersion: 1;
-    tokenKind: "ack";
 }>;
 export type AckTokenPayloadV1 = z.infer<typeof AckTokenPayloadV1Schema> & {
     readonly tokenVersion: TokenVersionV1;
@@ -93,24 +93,24 @@ export declare const CheckpointTokenPayloadV1Schema: z.ZodObject<{
     sessionId: string & {
         readonly __brand: "v2.SessionId";
     };
-    attemptId: string & {
-        readonly __brand: "v2.AttemptId";
-    };
+    tokenKind: "checkpoint";
     runId: string & {
         readonly __brand: "v2.RunId";
     };
     nodeId: string & {
         readonly __brand: "v2.NodeId";
     };
+    attemptId: string & {
+        readonly __brand: "v2.AttemptId";
+    };
     tokenVersion: 1;
-    tokenKind: "checkpoint";
 }, {
     sessionId: string;
-    attemptId: string;
+    tokenKind: "checkpoint";
     runId: string;
     nodeId: string;
+    attemptId: string;
     tokenVersion: 1;
-    tokenKind: "checkpoint";
 }>;
 export type CheckpointTokenPayloadV1 = z.infer<typeof CheckpointTokenPayloadV1Schema> & {
     readonly tokenVersion: TokenVersionV1;
@@ -131,24 +131,24 @@ export declare const TokenPayloadV1Schema: z.ZodDiscriminatedUnion<"tokenKind",
     sessionId: string & {
         readonly __brand: "v2.SessionId";
     };
+    tokenKind: "state";
     runId: string & {
         readonly __brand: "v2.RunId";
     };
     nodeId: string & {
         readonly __brand: "v2.NodeId";
     };
-    tokenVersion: 1;
-    tokenKind: "state";
     workflowHashRef: string & {
         readonly __brand: "v2.WorkflowHashRef";
     };
+    tokenVersion: 1;
 }, {
     sessionId: string;
+    tokenKind: "state";
     runId: string;
     nodeId: string;
-    tokenVersion: 1;
-    tokenKind: "state";
     workflowHashRef: string;
+    tokenVersion: 1;
 }>, z.ZodObject<{
     tokenVersion: z.ZodLiteral<1>;
     tokenKind: z.ZodLiteral<"ack">;
@@ -160,24 +160,24 @@ export declare const TokenPayloadV1Schema: z.ZodDiscriminatedUnion<"tokenKind",
     sessionId: string & {
         readonly __brand: "v2.SessionId";
     };
-    attemptId: string & {
-        readonly __brand: "v2.AttemptId";
-    };
+    tokenKind: "ack";
     runId: string & {
         readonly __brand: "v2.RunId";
     };
     nodeId: string & {
         readonly __brand: "v2.NodeId";
     };
+    attemptId: string & {
+        readonly __brand: "v2.AttemptId";
+    };
     tokenVersion: 1;
-    tokenKind: "ack";
 }, {
     sessionId: string;
-    attemptId: string;
+    tokenKind: "ack";
     runId: string;
     nodeId: string;
+    attemptId: string;
     tokenVersion: 1;
-    tokenKind: "ack";
 }>, z.ZodObject<{
     tokenVersion: z.ZodLiteral<1>;
     tokenKind: z.ZodLiteral<"checkpoint">;
@@ -189,24 +189,24 @@ export declare const TokenPayloadV1Schema: z.ZodDiscriminatedUnion<"tokenKind",
     sessionId: string & {
         readonly __brand: "v2.SessionId";
     };
-    attemptId: string & {
-        readonly __brand: "v2.AttemptId";
-    };
+    tokenKind: "checkpoint";
     runId: string & {
         readonly __brand: "v2.RunId";
     };
     nodeId: string & {
         readonly __brand: "v2.NodeId";
     };
+    attemptId: string & {
+        readonly __brand: "v2.AttemptId";
+    };
     tokenVersion: 1;
-    tokenKind: "checkpoint";
 }, {
     sessionId: string;
-    attemptId: string;
+    tokenKind: "checkpoint";
     runId: string;
     nodeId: string;
+    attemptId: string;
     tokenVersion: 1;
-    tokenKind: "checkpoint";
 }>]>;
 export type TokenPayloadV1 = StateTokenPayloadV1 | AckTokenPayloadV1 | CheckpointTokenPayloadV1;
 export type TokenPrefixV1 = 'st' | 'ack' | 'chk';

package/dist/v2/durable-core/tokens/short-token.d.ts

@@ -0,0 +1,38 @@
+import type { Result } from 'neverthrow';
+import type { HmacSha256PortV2 } from '../../ports/hmac-sha256.port.js';
+import type { Base64UrlPortV2 } from '../../ports/base64url.port.js';
+import type { KeyringV1 } from '../../ports/keyring.port.js';
+export type ShortTokenKind = 'state' | 'ack' | 'checkpoint' | 'continue';
+export declare const SHORT_TOKEN_NONCE_BYTES = 12;
+export declare const SHORT_TOKEN_HMAC_BYTES = 6;
+export declare const SHORT_TOKEN_PAYLOAD_BYTES: number;
+export type ShortTokenError = {
+    readonly code: 'SHORT_TOKEN_UNKNOWN_PREFIX';
+    readonly raw: string;
+} | {
+    readonly code: 'SHORT_TOKEN_INVALID_LENGTH';
+    readonly expected: number;
+    readonly actual: number;
+} | {
+    readonly code: 'SHORT_TOKEN_INVALID_ENCODING';
+    readonly message: string;
+} | {
+    readonly code: 'SHORT_TOKEN_BAD_SIGNATURE';
+} | {
+    readonly code: 'SHORT_TOKEN_SIGNING_FAILED';
+    readonly message: string;
+};
+export interface ParsedShortToken {
+    readonly kind: ShortTokenKind;
+    readonly nonce: Uint8Array;
+    readonly hmac6: Uint8Array;
+    readonly nonceHex: string;
+}
+export declare function mintShortToken(kind: ShortTokenKind, nonce: Uint8Array, keyring: KeyringV1, hmac: HmacSha256PortV2, base64url: Base64UrlPortV2): Result<string, ShortTokenError>;
+export declare function parseShortToken(raw: string, base64url: Base64UrlPortV2): Result<ParsedShortToken, ShortTokenError>;
+export declare function verifyShortTokenHmac(parsed: ParsedShortToken, keyring: KeyringV1, hmac: HmacSha256PortV2, base64url: Base64UrlPortV2): Result<void, ShortTokenError>;
+export interface NativeParsedShortToken {
+    readonly kind: ShortTokenKind;
+    readonly nonceHex: string;
+}
+export declare function parseShortTokenNative(raw: string): NativeParsedShortToken | null;

package/dist/v2/durable-core/tokens/short-token.js

@@ -0,0 +1,126 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SHORT_TOKEN_PAYLOAD_BYTES = exports.SHORT_TOKEN_HMAC_BYTES = exports.SHORT_TOKEN_NONCE_BYTES = void 0;
+exports.mintShortToken = mintShortToken;
+exports.parseShortToken = parseShortToken;
+exports.verifyShortTokenHmac = verifyShortTokenHmac;
+exports.parseShortTokenNative = parseShortTokenNative;
+const neverthrow_1 = require("neverthrow");
+const KIND_PREFIXES = {
+    state: 'st_',
+    ack: 'ak_',
+    checkpoint: 'ck_',
+    continue: 'ct_',
+};
+const PREFIX_TO_KIND = {
+    'st_': 'state',
+    'ak_': 'ack',
+    'ck_': 'checkpoint',
+    'ct_': 'continue',
+};
+const KIND_BYTES = {
+    state: 0x01,
+    ack: 0x02,
+    checkpoint: 0x03,
+    continue: 0x04,
+};
+exports.SHORT_TOKEN_NONCE_BYTES = 12;
+exports.SHORT_TOKEN_HMAC_BYTES = 6;
+exports.SHORT_TOKEN_PAYLOAD_BYTES = exports.SHORT_TOKEN_NONCE_BYTES + exports.SHORT_TOKEN_HMAC_BYTES;
+function mintShortToken(kind, nonce, keyring, hmac, base64url) {
+    if (nonce.length !== exports.SHORT_TOKEN_NONCE_BYTES) {
+        return (0, neverthrow_1.err)({
+            code: 'SHORT_TOKEN_INVALID_LENGTH',
+            expected: exports.SHORT_TOKEN_NONCE_BYTES,
+            actual: nonce.length,
+        });
+    }
+    const keyResult = decodeKey(keyring.current.keyBase64Url, base64url);
+    if (keyResult.isErr())
+        return (0, neverthrow_1.err)(keyResult.error);
+    const key = keyResult.value;
+    const hmacInput = buildHmacInput(nonce, kind);
+    const hmacFull = hmac.hmacSha256(key, hmacInput);
+    const hmac6 = hmacFull.slice(0, exports.SHORT_TOKEN_HMAC_BYTES);
+    const payload = new Uint8Array(exports.SHORT_TOKEN_PAYLOAD_BYTES);
+    payload.set(nonce, 0);
+    payload.set(hmac6, exports.SHORT_TOKEN_NONCE_BYTES);
+    const encoded = base64url.encodeBase64Url(payload);
+    return (0, neverthrow_1.ok)(`${KIND_PREFIXES[kind]}${encoded}`);
+}
+function parseShortToken(raw, base64url) {
+    const prefix = raw.slice(0, 3);
+    const kind = PREFIX_TO_KIND[prefix];
+    if (!kind) {
+        return (0, neverthrow_1.err)({ code: 'SHORT_TOKEN_UNKNOWN_PREFIX', raw });
+    }
+    const encoded = raw.slice(3);
+    const decoded = base64url.decodeBase64Url(encoded);
+    if (decoded.isErr()) {
+        return (0, neverthrow_1.err)({ code: 'SHORT_TOKEN_INVALID_ENCODING', message: decoded.error.message });
+    }
+    const bytes = decoded.value;
+    if (bytes.length !== exports.SHORT_TOKEN_PAYLOAD_BYTES) {
+        return (0, neverthrow_1.err)({
+            code: 'SHORT_TOKEN_INVALID_LENGTH',
+            expected: exports.SHORT_TOKEN_PAYLOAD_BYTES,
+            actual: bytes.length,
+        });
+    }
+    const nonce = bytes.slice(0, exports.SHORT_TOKEN_NONCE_BYTES);
+    const hmac6 = bytes.slice(exports.SHORT_TOKEN_NONCE_BYTES);
+    const nonceHex = bufToHex(nonce);
+    return (0, neverthrow_1.ok)({ kind, nonce, hmac6, nonceHex });
+}
+function verifyShortTokenHmac(parsed, keyring, hmac, base64url) {
+    const hmacInput = buildHmacInput(parsed.nonce, parsed.kind);
+    if (checkHmac(parsed.hmac6, hmacInput, keyring.current.keyBase64Url, hmac, base64url)) {
+        return (0, neverthrow_1.ok)(undefined);
+    }
+    if (keyring.previous) {
+        if (checkHmac(parsed.hmac6, hmacInput, keyring.previous.keyBase64Url, hmac, base64url)) {
+            return (0, neverthrow_1.ok)(undefined);
+        }
+    }
+    return (0, neverthrow_1.err)({ code: 'SHORT_TOKEN_BAD_SIGNATURE' });
+}
+function buildHmacInput(nonce, kind) {
+    const input = new Uint8Array(exports.SHORT_TOKEN_NONCE_BYTES + 1);
+    input.set(nonce, 0);
+    input[exports.SHORT_TOKEN_NONCE_BYTES] = KIND_BYTES[kind];
+    return input;
+}
+function checkHmac(expected6, hmacInput, keyBase64Url, hmac, base64url) {
+    const keyResult = decodeKey(keyBase64Url, base64url);
+    if (keyResult.isErr())
+        return false;
+    const full = hmac.hmacSha256(keyResult.value, hmacInput);
+    const truncated = full.slice(0, exports.SHORT_TOKEN_HMAC_BYTES);
+    return hmac.timingSafeEqual(truncated, expected6);
+}
+function decodeKey(keyBase64Url, base64url) {
+    const r = base64url.decodeBase64Url(keyBase64Url);
+    if (r.isErr())
+        return (0, neverthrow_1.err)({ code: 'SHORT_TOKEN_SIGNING_FAILED', message: r.error.message });
+    return (0, neverthrow_1.ok)(r.value);
+}
+function bufToHex(bytes) {
+    return Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+function parseShortTokenNative(raw) {
+    const prefix = raw.slice(0, 3);
+    const kind = PREFIX_TO_KIND[prefix];
+    if (!kind)
+        return null;
+    const encoded = raw.slice(3);
+    try {
+        const bytes = Buffer.from(encoded, 'base64url');
+        if (bytes.length !== exports.SHORT_TOKEN_PAYLOAD_BYTES)
+            return null;
+        const nonceHex = Buffer.from(bytes.slice(0, exports.SHORT_TOKEN_NONCE_BYTES)).toString('hex');
+        return { kind, nonceHex };
+    }
+    catch {
+        return null;
+    }
+}

package/dist/v2/durable-core/tokens/token-patterns.d.ts

@@ -0,0 +1,4 @@
+export declare const STATE_TOKEN_PATTERN: RegExp;
+export declare const ACK_TOKEN_PATTERN: RegExp;
+export declare const CHECKPOINT_TOKEN_PATTERN: RegExp;
+export declare const CONTINUE_TOKEN_PATTERN: RegExp;

package/dist/v2/durable-core/tokens/token-patterns.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CONTINUE_TOKEN_PATTERN = exports.CHECKPOINT_TOKEN_PATTERN = exports.ACK_TOKEN_PATTERN = exports.STATE_TOKEN_PATTERN = void 0;
+const BECH32_CHARS = '[023456789acdefghjklmnpqrstuvwxyz]+';
+const BASE64URL_24 = '[A-Za-z0-9_-]{24}';
+exports.STATE_TOKEN_PATTERN = new RegExp(`^(st1${BECH32_CHARS}|st_${BASE64URL_24})$`);
+exports.ACK_TOKEN_PATTERN = new RegExp(`^(ack1${BECH32_CHARS}|ak_${BASE64URL_24})$`);
+exports.CHECKPOINT_TOKEN_PATTERN = new RegExp(`^(chk1${BECH32_CHARS}|ck_${BASE64URL_24})$`);
+exports.CONTINUE_TOKEN_PATTERN = new RegExp(`^ct_${BASE64URL_24}$`);

package/dist/v2/infra/in-memory/token-alias-store/index.d.ts

@@ -0,0 +1,11 @@
+import type { ResultAsync } from 'neverthrow';
+import type { TokenAliasStorePortV2, TokenAliasEntryV2, TokenAliasRegistrationError, TokenAliasLoadError } from '../../../ports/token-alias-store.port.js';
+import type { ShortTokenKind } from '../../../durable-core/tokens/short-token.js';
+export declare class InMemoryTokenAliasStoreV2 implements TokenAliasStorePortV2 {
+    private readonly index;
+    private readonly positionIndex;
+    register(entry: TokenAliasEntryV2): ResultAsync<void, TokenAliasRegistrationError>;
+    lookup(nonceHex: string): TokenAliasEntryV2 | null;
+    lookupByPosition(tokenKind: ShortTokenKind, sessionId: string, nodeId: string, attemptId?: string, aliasSlot?: 'retry'): TokenAliasEntryV2 | null;
+    loadIndex(): ResultAsync<void, TokenAliasLoadError>;
+}

package/dist/v2/infra/in-memory/token-alias-store/index.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InMemoryTokenAliasStoreV2 = void 0;
+const neverthrow_1 = require("neverthrow");
+function positionKey(tokenKind, sessionId, nodeId, attemptId, aliasSlot) {
+    return `${tokenKind}:${aliasSlot ?? ''}:${sessionId}:${nodeId}:${attemptId ?? ''}`;
+}
+class InMemoryTokenAliasStoreV2 {
+    constructor() {
+        this.index = new Map();
+        this.positionIndex = new Map();
+    }
+    register(entry) {
+        if (this.index.has(entry.nonceHex)) {
+            return (0, neverthrow_1.errAsync)({
+                code: 'ALIAS_DUPLICATE_NONCE',
+                nonceHex: entry.nonceHex,
+            });
+        }
+        this.index.set(entry.nonceHex, entry);
+        this.positionIndex.set(positionKey(entry.tokenKind, entry.sessionId, entry.nodeId, entry.attemptId, entry.aliasSlot), entry.nonceHex);
+        return (0, neverthrow_1.okAsync)(undefined);
+    }
+    lookup(nonceHex) {
+        return this.index.get(nonceHex) ?? null;
+    }
+    lookupByPosition(tokenKind, sessionId, nodeId, attemptId, aliasSlot) {
+        const key = positionKey(tokenKind, sessionId, nodeId, attemptId, aliasSlot);
+        const nonceHex = this.positionIndex.get(key);
+        if (!nonceHex)
+            return null;
+        return this.index.get(nonceHex) ?? null;
+    }
+    loadIndex() {
+        return (0, neverthrow_1.okAsync)(undefined);
+    }
+}
+exports.InMemoryTokenAliasStoreV2 = InMemoryTokenAliasStoreV2;

package/dist/v2/infra/local/data-dir/index.d.ts

@@ -16,4 +16,5 @@ export declare class LocalDataDirV2 implements DataDirPortV2 {
     sessionEventsDir(sessionId: SessionId): string;
     sessionManifestPath(sessionId: SessionId): string;
     sessionLockPath(sessionId: SessionId): string;
+    tokenIndexPath(): string;
 }

package/dist/v2/infra/local/data-dir/index.js

@@ -80,5 +80,8 @@ class LocalDataDirV2 {
     sessionLockPath(sessionId) {
         return path.join(this.sessionDir(sessionId), '.lock');
     }
+    tokenIndexPath() {
+        return path.join(this.keysDir(), 'token-index.jsonl');
+    }
 }
 exports.LocalDataDirV2 = LocalDataDirV2;

package/dist/v2/infra/local/token-alias-store/index.d.ts

@@ -0,0 +1,16 @@
+import type { ResultAsync } from 'neverthrow';
+import type { DataDirPortV2 } from '../../../ports/data-dir.port.js';
+import type { FileSystemPortV2 } from '../../../ports/fs.port.js';
+import type { TokenAliasStorePortV2, TokenAliasEntryV2, TokenAliasRegistrationError, TokenAliasLoadError } from '../../../ports/token-alias-store.port.js';
+import type { ShortTokenKind } from '../../../durable-core/tokens/short-token.js';
+export declare class LocalTokenAliasStoreV2 implements TokenAliasStorePortV2 {
+    private readonly dataDir;
+    private readonly fs;
+    private readonly index;
+    private readonly positionIndex;
+    constructor(dataDir: DataDirPortV2, fs: FileSystemPortV2);
+    register(entry: TokenAliasEntryV2): ResultAsync<void, TokenAliasRegistrationError>;
+    lookup(nonceHex: string): TokenAliasEntryV2 | null;
+    lookupByPosition(tokenKind: ShortTokenKind, sessionId: string, nodeId: string, attemptId?: string, aliasSlot?: 'retry'): TokenAliasEntryV2 | null;
+    loadIndex(): ResultAsync<void, TokenAliasLoadError>;
+}

package/dist/v2/infra/local/token-alias-store/index.js

@@ -0,0 +1,117 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LocalTokenAliasStoreV2 = void 0;
+const neverthrow_1 = require("neverthrow");
+const ALIAS_FILE_VERSION = 1;
+function positionKey(tokenKind, sessionId, nodeId, attemptId, aliasSlot) {
+    return `${tokenKind}:${aliasSlot ?? ''}:${sessionId}:${nodeId}:${attemptId ?? ''}`;
+}
+class LocalTokenAliasStoreV2 {
+    constructor(dataDir, fs) {
+        this.dataDir = dataDir;
+        this.fs = fs;
+        this.index = new Map();
+        this.positionIndex = new Map();
+    }
+    register(entry) {
+        if (this.index.has(entry.nonceHex)) {
+            return (0, neverthrow_1.errAsync)({
+                code: 'ALIAS_DUPLICATE_NONCE',
+                nonceHex: entry.nonceHex,
+            });
+        }
+        const line = { v: ALIAS_FILE_VERSION, ...entry };
+        const lineBytes = encodeJsonlLine(line);
+        const filePath = this.dataDir.tokenIndexPath();
+        const dir = this.dataDir.keysDir();
+        return this.fs.mkdirp(dir)
+            .andThen(() => this.fs.openAppend(filePath))
+            .andThen((handle) => this.fs.writeAll(handle.fd, lineBytes)
+            .andThen(() => this.fs.fsyncFile(handle.fd))
+            .andThen(() => this.fs.closeFile(handle.fd))
+            .orElse((e) => this.fs.closeFile(handle.fd)
+            .mapErr(() => e)
+            .andThen(() => (0, neverthrow_1.errAsync)(e))))
+            .map(() => {
+            this.index.set(entry.nonceHex, entry);
+            this.positionIndex.set(positionKey(entry.tokenKind, entry.sessionId, entry.nodeId, entry.attemptId, entry.aliasSlot), entry.nonceHex);
+        })
+            .mapErr((e) => ({
+            code: 'ALIAS_IO_ERROR',
+            message: e.message ?? String(e),
+        }));
+    }
+    lookup(nonceHex) {
+        return this.index.get(nonceHex) ?? null;
+    }
+    lookupByPosition(tokenKind, sessionId, nodeId, attemptId, aliasSlot) {
+        const key = positionKey(tokenKind, sessionId, nodeId, attemptId, aliasSlot);
+        const nonceHex = this.positionIndex.get(key);
+        if (!nonceHex)
+            return null;
+        return this.index.get(nonceHex) ?? null;
+    }
+    loadIndex() {
+        const filePath = this.dataDir.tokenIndexPath();
+        return this.fs.readFileUtf8(filePath)
+            .map((content) => {
+            let loaded = 0;
+            let skipped = 0;
+            for (const line of content.split('\n')) {
+                const trimmed = line.trim();
+                if (!trimmed)
+                    continue;
+                try {
+                    const parsed = JSON.parse(trimmed);
+                    const entry = parseAliasLine(parsed);
+                    if (entry) {
+                        this.index.set(entry.nonceHex, entry);
+                        this.positionIndex.set(positionKey(entry.tokenKind, entry.sessionId, entry.nodeId, entry.attemptId, entry.aliasSlot), entry.nonceHex);
+                        loaded++;
+                    }
+                    else {
+                        skipped++;
+                    }
+                }
+                catch {
+                    skipped++;
+                }
+            }
+            if (skipped > 0) {
+                process.stderr.write(`[TokenAliasStore] loadIndex: loaded=${loaded} skipped=${skipped} (malformed lines)\n`);
+            }
+        })
+            .orElse((e) => {
+            if (e.code === 'FS_NOT_FOUND')
+                return (0, neverthrow_1.okAsync)(undefined);
+            return (0, neverthrow_1.errAsync)({ code: 'ALIAS_IO_ERROR', message: e.message });
+        });
+    }
+}
+exports.LocalTokenAliasStoreV2 = LocalTokenAliasStoreV2;
+function encodeJsonlLine(line) {
+    return new TextEncoder().encode(JSON.stringify(line) + '\n');
+}
+function parseAliasLine(parsed) {
+    if (typeof parsed !== 'object' || parsed === null)
+        return null;
+    const r = parsed;
+    if (r['v'] !== ALIAS_FILE_VERSION ||
+        typeof r['nonceHex'] !== 'string' ||
+        (r['tokenKind'] !== 'state' && r['tokenKind'] !== 'ack' && r['tokenKind'] !== 'checkpoint' && r['tokenKind'] !== 'continue') ||
+        typeof r['sessionId'] !== 'string' ||
+        typeof r['runId'] !== 'string' ||
+        typeof r['nodeId'] !== 'string') {
+        return null;
+    }
+    return {
+        nonceHex: r['nonceHex'],
+        tokenKind: r['tokenKind'],
+        sessionId: r['sessionId'],
+        runId: r['runId'],
+        nodeId: r['nodeId'],
+        ...(typeof r['attemptId'] === 'string' ? { attemptId: r['attemptId'] } : {}),
+        ...(r['aliasSlot'] === 'retry' ? { aliasSlot: 'retry' } : {}),
+        ...(typeof r['workflowHashRef'] === 'string' ? { workflowHashRef: r['workflowHashRef'] } : {}),
+    };
+}

package/dist/v2/ports/data-dir.port.d.ts

@@ -11,4 +11,5 @@ export interface DataDirPortV2 {
     sessionEventsDir(sessionId: SessionId): string;
     sessionManifestPath(sessionId: SessionId): string;
     sessionLockPath(sessionId: SessionId): string;
+    tokenIndexPath(): string;
 }

package/dist/v2/ports/token-alias-store.port.d.ts

@@ -0,0 +1,33 @@
+import type { ResultAsync } from 'neverthrow';
+import type { ShortTokenKind } from '../durable-core/tokens/short-token.js';
+export interface TokenAliasEntryV2 {
+    readonly nonceHex: string;
+    readonly tokenKind: ShortTokenKind;
+    readonly aliasSlot?: 'retry';
+    readonly sessionId: string;
+    readonly runId: string;
+    readonly nodeId: string;
+    readonly attemptId?: string;
+    readonly workflowHashRef?: string;
+}
+export type TokenAliasRegistrationError = {
+    readonly code: 'ALIAS_IO_ERROR';
+    readonly message: string;
+} | {
+    readonly code: 'ALIAS_DUPLICATE_NONCE';
+    readonly nonceHex: string;
+};
+export type TokenAliasLookupError = {
+    readonly code: 'ALIAS_IO_ERROR';
+    readonly message: string;
+};
+export type TokenAliasLoadError = {
+    readonly code: 'ALIAS_IO_ERROR';
+    readonly message: string;
+};
+export interface TokenAliasStorePortV2 {
+    register(entry: TokenAliasEntryV2): ResultAsync<void, TokenAliasRegistrationError>;
+    lookup(nonceHex: string): TokenAliasEntryV2 | null;
+    lookupByPosition(tokenKind: ShortTokenKind, sessionId: string, nodeId: string, attemptId?: string, aliasSlot?: 'retry'): TokenAliasEntryV2 | null;
+    loadIndex(): ResultAsync<void, TokenAliasLoadError>;
+}

package/dist/v2/ports/token-alias-store.port.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });