@kynver-app/runtime 0.1.108 → 0.1.112

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (22) hide show
  1. package/dist/cleanup-git-rev-cache.d.ts +5 -0
  2. package/dist/cleanup-git-status-cache.d.ts +5 -0
  3. package/dist/cleanup-guards.d.ts +2 -0
  4. package/dist/cleanup-index-status.d.ts +8 -1
  5. package/dist/cleanup-run-liveness.d.ts +8 -1
  6. package/dist/cli.js +372 -73
  7. package/dist/cli.js.map +4 -4
  8. package/dist/daemon-platform-guard.d.ts +2 -0
  9. package/dist/index.js +364 -65
  10. package/dist/index.js.map +4 -4
  11. package/dist/landing/cli-auth.d.ts +5 -1
  12. package/dist/landing/land-pr.d.ts +8 -0
  13. package/dist/server/cleanup.js +185 -38
  14. package/dist/server/cleanup.js.map +3 -3
  15. package/dist/server/default-repo.js +11 -1
  16. package/dist/server/default-repo.js.map +3 -3
  17. package/dist/server/memory-cost-enforce.js +11 -1
  18. package/dist/server/memory-cost-enforce.js.map +3 -3
  19. package/dist/server/monitor.js +14 -2
  20. package/dist/server/monitor.js.map +2 -2
  21. package/dist/worker-ops.d.ts +4 -0
  22. package/package.json +1 -1
package/dist/server/default-repo.js CHANGED
@@ -15,6 +15,12 @@ import { fileURLToPath } from "node:url";
15
15
  // src/git.ts
16
16
  import { spawnSync } from "node:child_process";
17
17
 
18
+ // src/util.ts
19
+ function hiddenSpawnOptions(opts) {
20
+ if (process.platform !== "win32") return opts;
21
+ return { windowsHide: true, ...opts };
22
+ }
23
+
18
24
  // src/worker-env.ts
19
25
  var FORBIDDEN_WORKER_ENV_KEYS = [
20
26
  "ANTHROPIC_API_KEY",
@@ -53,7 +59,11 @@ var FORBIDDEN_KEY_SET = new Set(FORBIDDEN_WORKER_ENV_KEYS);
53
59
  // src/git.ts
54
60
  function gitCapture(cwd, args) {
55
61
  try {
56
- const res = spawnSync("git", args, { cwd, encoding: "utf8" });
62
+ const res = spawnSync(
63
+ "git",
64
+ args,
65
+ hiddenSpawnOptions({ cwd, encoding: "utf8" })
66
+ );
57
67
  return {
58
68
  status: res.status,
59
69
  stdout: res.stdout || "",
package/dist/server/default-repo.js.map CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": 3,
3
- "sources": ["../../src/default-repo.ts", "../../src/config.ts", "../../src/default-repo-discovery.ts", "../../src/git.ts", "../../src/worker-env.ts", "../../src/path-values.ts", "../../src/wsl-host.ts", "../../src/disk-gate.ts", "../../src/paths.ts", "../../src/resource-gate.ts"],
4
- "sourcesContent": ["import path from \"node:path\";\r\nimport { loadUserConfig, saveUserConfig, type KynverUserConfig } from \"./config.js\";\r\nimport {\r\n discoverDefaultRepo,\r\n type DefaultRepoDiscoverySource,\r\n type DiscoveredDefaultRepo,\r\n} from \"./default-repo-discovery.js\";\r\nimport { displayUserPath, redactHomePath, resolveUserPath } from \"./path-values.js\";\r\n\r\nexport type DefaultRepoSource =\r\n | \"config\"\r\n | \"env_default_repo\"\r\n | \"env_harness_repo\"\r\n | DefaultRepoDiscoverySource;\r\n\r\nexport interface ResolvedDefaultRepo {\r\n repo: string;\r\n source: DefaultRepoSource;\r\n persistedInConfig: boolean;\r\n}\r\n\r\nexport interface ResolveDefaultRepoOptions {\r\n config?: KynverUserConfig;\r\n env?: NodeJS.ProcessEnv;\r\n cwd?: string;\r\n runtimeModuleUrl?: string;\r\n}\r\n\r\nfunction expandConfiguredRepo(value: string): string {\r\n return path.resolve(resolveUserPath(value.trim()));\r\n}\r\n\r\nfunction fromConfigured(\r\n value: string | undefined,\r\n source: Extract<DefaultRepoSource, \"config\" | \"env_default_repo\" | \"env_harness_repo\">,\r\n persistedInConfig: boolean,\r\n): ResolvedDefaultRepo | null {\r\n const trimmed = value?.trim();\r\n if (!trimmed) return null;\r\n return {\r\n repo: expandConfiguredRepo(trimmed),\r\n source,\r\n persistedInConfig,\r\n };\r\n}\r\n\r\nexport function resolveDefaultRepo(opts: ResolveDefaultRepoOptions = {}): ResolvedDefaultRepo | null {\r\n const env = opts.env ?? process.env;\r\n const config = opts.config ?? loadUserConfig();\r\n\r\n const fromConfig = fromConfigured(config.defaultRepo, \"config\", true);\r\n if (fromConfig) return fromConfig;\r\n\r\n const fromDefaultEnv = fromConfigured(env.KYNVER_DEFAULT_REPO, \"env_default_repo\", false);\r\n if (fromDefaultEnv) return fromDefaultEnv;\r\n\r\n const fromHarnessEnv = fromConfigured(env.KYNVER_HARNESS_REPO, \"env_harness_repo\", false);\r\n if (fromHarnessEnv) return fromHarnessEnv;\r\n\r\n const discovered = discoverDefaultRepo({\r\n cwd: opts.cwd,\r\n runtimeModuleUrl: opts.runtimeModuleUrl,\r\n });\r\n if (!discovered) return null;\r\n\r\n return {\r\n repo: discovered.repo,\r\n source: discovered.source,\r\n persistedInConfig: false,\r\n };\r\n}\r\n\r\nexport function persistDefaultRepo(repo: string, existing?: KynverUserConfig): KynverUserConfig {\r\n const config: KynverUserConfig = {\r\n ...(existing ?? loadUserConfig()),\r\n defaultRepo: redactHomePath(path.resolve(repo)),\r\n };\r\n saveUserConfig(config);\r\n return config;\r\n}\r\n\r\nexport function remediateDefaultRepo(opts?: ResolveDefaultRepoOptions): {\r\n ok: true;\r\n resolved: ResolvedDefaultRepo;\r\n config: KynverUserConfig;\r\n} | {\r\n ok: false;\r\n reason: string;\r\n} {\r\n const existing = opts?.config ?? loadUserConfig();\r\n const resolved = resolveDefaultRepo({ ...opts, config: existing });\r\n if (!resolved) {\r\n return {\r\n ok: false,\r\n reason:\r\n \"No Kynver git checkout found. Clone the repo, cd into it, then run `kynver setup --repo /path/to/Kynver` (or export KYNVER_DEFAULT_REPO).\",\r\n };\r\n }\r\n\r\n if (resolved.persistedInConfig) {\r\n return { ok: true, resolved, config: existing };\r\n }\r\n\r\n const config = persistDefaultRepo(resolved.repo, existing);\r\n return {\r\n ok: true,\r\n resolved: { ...resolved, persistedInConfig: true, source: \"config\" },\r\n config,\r\n };\r\n}\r\n\r\nexport function formatResolvedDefaultRepo(resolved: ResolvedDefaultRepo): {\r\n defaultRepo: string;\r\n source: DefaultRepoSource;\r\n persistedInConfig: boolean;\r\n} {\r\n return {\r\n defaultRepo: displayUserPath(resolved.repo),\r\n source: resolved.source,\r\n persistedInConfig: resolved.persistedInConfig,\r\n };\r\n}\r\n\r\nexport type { DiscoveredDefaultRepo };\r\n", "import { existsSync, mkdirSync, readFileSync, writeFileSync } from \"node:fs\";\r\nimport { homedir, totalmem } from \"node:os\";\r\nimport path from \"node:path\";\r\nimport { discoverDefaultRepo } from \"./default-repo-discovery.js\";\r\nimport { displayUserPath, redactHomePath } from \"./path-values.js\";\r\nimport { trimTrailingSlash } from \"./util.js\";\r\nimport { normalizeWorkerPoolBoxKind, resolveBoxIdentity } from \"./box-identity.js\";\r\nimport { recommendSetupWorkerCap } from \"./worker-cap-source.js\";\r\nimport { observeRunnerDiskGate } from \"./disk-gate.js\";\r\nimport os from \"node:os\";\r\n\r\nexport interface KynverUserConfig {\r\n apiBaseUrl?: string;\r\n agentOsSlug?: string;\r\n agentOsId?: string;\r\n defaultRepo?: string;\r\n workerProvider?: string;\r\n /** Default Claude model when dispatch does not infer or pass `--model`. */\r\n defaultModel?: string;\r\n harnessRoot?: string;\r\n /**\r\n * Operator attestation that the hosted Kynver deployment uses this scheduler provider\r\n * (set on user runners after Vercel env cutover \u2014 scheduling is deployment-owned).\r\n */\r\n deploymentSchedulerProvider?: \"qstash\" | \"kynver-cron\" | \"openclaw-cron\";\r\n /** Physical box pool for capacity snapshots (`forge` | `ghost`). Set via `kynver setup --box-kind`. */\r\n boxKind?: \"ghost\" | \"forge\";\r\n /** Max concurrent workers on this machine. Omit to auto-size from RAM. */\r\n maxConcurrentWorkers?: number;\r\n /** Where maxConcurrentWorkers came from. */\r\n maxConcurrentWorkersSource?: \"setup-auto\" | \"setup-flag\" | \"operator\";\r\n /** @internal Advanced tuning \u2014 not required for setup. */\r\n perWorkerMemBytes?: number;\r\n /** @internal Advanced tuning \u2014 not required for setup. */\r\n memReserveBytes?: number;\r\n /** @internal Advanced tuning \u2014 not required for setup. */\r\n memUtilization?: number;\r\n}\r\n\r\nconst CONFIG_DIR = path.join(homedir(), \".kynver\");\r\nconst CONFIG_FILE = path.join(CONFIG_DIR, \"config.json\");\r\nconst CREDENTIALS_FILE = path.join(CONFIG_DIR, \"credentials\");\r\n\r\ninterface KynverCredentialsFile {\r\n apiKey?: string;\r\n /** Scoped `krc1.*` runner token for AgentOS by-id callbacks. */\r\n runnerToken?: string;\r\n runnerTokenAgentOsId?: string;\r\n}\r\n\r\nexport function loadUserConfig(): KynverUserConfig {\r\n if (!existsSync(CONFIG_FILE)) return {};\r\n try {\r\n return JSON.parse(readFileSync(CONFIG_FILE, \"utf8\")) as KynverUserConfig;\r\n } catch {\r\n return {};\r\n }\r\n}\r\n\r\nexport function saveUserConfig(config: KynverUserConfig): void {\r\n mkdirSync(CONFIG_DIR, { recursive: true });\r\n writeFileSync(CONFIG_FILE, `${JSON.stringify(normalizeConfigPaths(config), null, 2)}\\n`, { mode: 0o600 });\r\n}\r\n\r\n/** Persist path fields with `~` instead of absolute home directories. */\r\nexport function normalizeConfigPaths(config: KynverUserConfig): KynverUserConfig {\r\n return {\r\n ...config,\r\n ...(config.harnessRoot?.trim() ? { harnessRoot: redactHomePath(config.harnessRoot.trim()) } : {}),\r\n ...(config.defaultRepo?.trim() ? { defaultRepo: redactHomePath(config.defaultRepo.trim()) } : {}),\r\n };\r\n}\r\n\r\n/** Values for setup output (never emit `/home/<user>/\u2026`). */\r\nexport function presentUserConfig(config: KynverUserConfig): KynverUserConfig {\r\n return normalizeConfigPaths(config);\r\n}\r\n\r\nfunction inferSetupFields(\r\n existing: KynverUserConfig,\r\n args: Record<string, string | boolean>,\r\n): Partial<KynverUserConfig> {\r\n const creds = loadCredentialsFile();\r\n const apiBaseUrl =\r\n (typeof args.apiBaseUrl === \"string\" ? args.apiBaseUrl : undefined) ||\r\n existing.apiBaseUrl?.trim() ||\r\n process.env.KYNVER_API_URL?.trim() ||\r\n process.env.KYNVER_CRON_FIRE_BASE_URL?.trim() ||\r\n process.env.OPENCLAW_CRON_FIRE_BASE_URL?.trim();\r\n const agentOsId =\r\n (typeof args.agentOsId === \"string\" ? args.agentOsId : undefined) ||\r\n existing.agentOsId?.trim() ||\r\n process.env.KYNVER_AGENT_OS_ID?.trim() ||\r\n (creds.runnerToken?.trim().startsWith(\"krc1.\") ? creds.runnerTokenAgentOsId?.trim() : undefined);\r\n const explicitRepo =\r\n typeof args.repo === \"string\"\r\n ? args.repo\r\n : args.discoverRepo === true || args.discoverRepo === \"true\"\r\n ? discoverDefaultRepo()?.repo\r\n : undefined;\r\n const defaultRepo =\r\n explicitRepo ||\r\n existing.defaultRepo?.trim() ||\r\n process.env.KYNVER_DEFAULT_REPO?.trim() ||\r\n process.env.KYNVER_HARNESS_REPO?.trim() ||\r\n discoverDefaultRepo()?.repo;\r\n const harnessRoot =\r\n (typeof args.harnessRoot === \"string\" ? args.harnessRoot : undefined) ||\r\n existing.harnessRoot?.trim() ||\r\n process.env.KYNVER_HARNESS_ROOT?.trim() ||\r\n process.env.OPUS_HARNESS_ROOT?.trim();\r\n\r\n return {\r\n ...(apiBaseUrl ? { apiBaseUrl: trimTrailingSlash(apiBaseUrl) } : {}),\r\n ...(agentOsId ? { agentOsId } : {}),\r\n ...(defaultRepo ? { defaultRepo } : {}),\r\n ...(harnessRoot ? { harnessRoot } : {}),\r\n ...(typeof args.agentOsSlug === \"string\"\r\n ? { agentOsSlug: args.agentOsSlug }\r\n : existing.agentOsSlug\r\n ? { agentOsSlug: existing.agentOsSlug }\r\n : {}),\r\n };\r\n}\r\n\r\nconst SETUP_PER_WORKER_MEM_BYTES = 500 * 1024 * 1024;\r\nconst SETUP_MEM_RESERVE_BYTES = 4 * 1024 * 1024 * 1024;\r\nconst SETUP_MEM_UTILIZATION = 0.85;\r\nconst SETUP_AUTO_MAX_WORKERS_CEILING = 64;\r\n\r\nfunction normalizeBoxKind(raw: unknown): \"ghost\" | \"forge\" | undefined {\r\n const kind = String(raw ?? \"\").trim().toLowerCase();\r\n if (!kind) return undefined;\r\n if (kind === \"ghost\" || kind.includes(\"ghost\") || kind.includes(\"openclaw\")) return \"ghost\";\r\n if (kind === \"forge\" || kind.includes(\"forge\")) return \"forge\";\r\n return undefined;\r\n}\r\n\r\nexport function computeSetupAutoMaxWorkers(totalMemBytes: number): number {\r\n const budgetBytes = Math.max(0, Math.floor(totalMemBytes * SETUP_MEM_UTILIZATION) - SETUP_MEM_RESERVE_BYTES);\r\n const raw = Math.max(1, Math.floor(budgetBytes / SETUP_PER_WORKER_MEM_BYTES));\r\n return Math.min(raw, SETUP_AUTO_MAX_WORKERS_CEILING);\r\n}\r\n\r\nexport function resolveSetupWorkerConfig(\r\n existing: KynverUserConfig,\r\n args: Record<string, string | boolean>,\r\n totalMemBytes = totalmem(),\r\n): Pick<KynverUserConfig, \"maxConcurrentWorkers\" | \"maxConcurrentWorkersSource\" | \"boxKind\"> {\r\n const maxWorkersRaw =\r\n typeof args.maxWorkers === \"string\"\r\n ? args.maxWorkers\r\n : typeof args.maxConcurrentWorkers === \"string\"\r\n ? args.maxConcurrentWorkers\r\n : undefined;\r\n const explicitBoxKindArg =\r\n typeof args.boxKind === \"string\"\r\n ? args.boxKind\r\n : typeof args[\"box-kind\"] === \"string\"\r\n ? String(args[\"box-kind\"])\r\n : undefined;\r\n const boxKind = resolveBoxIdentity(process.env, {\r\n ...existing,\r\n ...(explicitBoxKindArg ? { boxKind: normalizeWorkerPoolBoxKind(explicitBoxKindArg) } : {}),\r\n }).boxKind;\r\n const diskGate = observeRunnerDiskGate({\r\n diskPath: typeof args.diskPath === \"string\" ? args.diskPath : \"/\",\r\n });\r\n const capRecommendation = recommendSetupWorkerCap({\r\n totalMemBytes,\r\n diskPath: diskGate.path,\r\n diskGateOk: diskGate.ok,\r\n diskFreeBytes: diskGate.freeBytes,\r\n config: existing,\r\n });\r\n if (maxWorkersRaw) {\r\n return {\r\n maxConcurrentWorkers: Math.max(1, Math.floor(Number(maxWorkersRaw))),\r\n maxConcurrentWorkersSource: \"setup-flag\",\r\n boxKind,\r\n };\r\n }\r\n if (existing.maxConcurrentWorkers !== undefined && existing.maxConcurrentWorkers !== null) {\r\n return {\r\n maxConcurrentWorkers: Math.max(1, Math.floor(Number(existing.maxConcurrentWorkers))),\r\n maxConcurrentWorkersSource: existing.maxConcurrentWorkersSource ?? \"operator\",\r\n boxKind,\r\n };\r\n }\r\n return {\r\n maxConcurrentWorkers: capRecommendation.recommendedMaxWorkers,\r\n maxConcurrentWorkersSource: \"setup-auto\",\r\n boxKind,\r\n };\r\n}\r\n\r\nfunction loadCredentialsFile(): KynverCredentialsFile {\r\n if (!existsSync(CREDENTIALS_FILE)) return {};\r\n try {\r\n return JSON.parse(readFileSync(CREDENTIALS_FILE, \"utf8\")) as KynverCredentialsFile;\r\n } catch {\r\n return {};\r\n }\r\n}\r\n\r\nfunction saveCredentialsFile(parsed: KynverCredentialsFile): void {\r\n mkdirSync(CONFIG_DIR, { recursive: true });\r\n writeFileSync(CREDENTIALS_FILE, `${JSON.stringify(parsed, null, 2)}\\n`, { mode: 0o600 });\r\n}\r\n\r\nexport function loadApiKey(): string | undefined {\r\n if (process.env.KYNVER_API_KEY) return process.env.KYNVER_API_KEY;\r\n return loadCredentialsFile().apiKey;\r\n}\r\n\r\nexport function saveApiKey(apiKey: string): void {\r\n saveCredentialsFile({ ...loadCredentialsFile(), apiKey });\r\n}\r\n\r\nexport function loadRunnerToken(agentOsId?: string): string | undefined {\r\n const envToken = process.env.KYNVER_RUNNER_TOKEN?.trim();\r\n if (envToken) return envToken;\r\n\r\n const creds = loadCredentialsFile();\r\n if (!creds.runnerToken) return undefined;\r\n if (agentOsId && creds.runnerTokenAgentOsId && creds.runnerTokenAgentOsId !== agentOsId) {\r\n return undefined;\r\n }\r\n return creds.runnerToken;\r\n}\r\n\r\nexport function saveRunnerToken(agentOsId: string, token: string): void {\r\n saveCredentialsFile({\r\n ...loadCredentialsFile(),\r\n runnerToken: token,\r\n runnerTokenAgentOsId: agentOsId,\r\n });\r\n}\r\n\r\nexport function resolveBaseUrl(argsBaseUrl?: string): string {\r\n const baseUrl = resolveConfiguredBaseUrl(argsBaseUrl);\r\n if (!baseUrl) failConfig(\"requires --base-url, KYNVER_API_URL, KYNVER_CRON_FIRE_BASE_URL, or ~/.kynver/config.json apiBaseUrl\");\r\n return baseUrl;\r\n}\r\n\r\nfunction resolveConfiguredBaseUrl(argsBaseUrl?: string): string | undefined {\r\n const baseUrl =\r\n argsBaseUrl ||\r\n process.env.KYNVER_API_URL ||\r\n process.env.KYNVER_CRON_FIRE_BASE_URL ||\r\n process.env.OPENCLAW_CRON_FIRE_BASE_URL ||\r\n loadUserConfig().apiBaseUrl;\r\n return baseUrl ? trimTrailingSlash(String(baseUrl)) : undefined;\r\n}\r\n\r\nfunction resolveConfiguredCallbackSecret(argsSecret?: string, agentOsId?: string): string | undefined {\r\n const scoped =\r\n argsSecret ||\r\n loadRunnerToken(agentOsId) ||\r\n (agentOsId ? undefined : loadRunnerToken(loadUserConfig().agentOsId));\r\n if (scoped) return String(scoped);\r\n\r\n const globalSecret =\r\n process.env.KYNVER_RUNTIME_SECRET ||\r\n process.env.KYNVER_CRON_SECRET ||\r\n process.env.OPENCLAW_CRON_SECRET;\r\n if (globalSecret) {\r\n console.warn(\r\n \"[kynver] using deployment-level callback secret; run `kynver runner credential --agent-os-id <id>` for a scoped token\",\r\n );\r\n return String(globalSecret);\r\n }\r\n\r\n return undefined;\r\n}\r\n\r\nexport function resolveCallbackSecret(argsSecret?: string, agentOsId?: string): string {\r\n const configured = resolveConfiguredCallbackSecret(argsSecret, agentOsId);\r\n if (configured) return configured;\r\n\r\n failConfig(\r\n \"requires --secret, KYNVER_RUNNER_TOKEN, a scoped runner token (`kynver runner credential`), ~/.kynver/credentials runnerToken, KYNVER_API_KEY with an API base URL to mint one, or (legacy) KYNVER_RUNTIME_SECRET / KYNVER_CRON_SECRET / OPENCLAW_CRON_SECRET\",\r\n );\r\n}\r\n\r\nexport async function resolveCallbackSecretWithMint(\r\n argsSecret?: string,\r\n agentOsId?: string,\r\n opts?: { baseUrl?: string },\r\n): Promise<string> {\r\n const configured = resolveConfiguredCallbackSecret(argsSecret, agentOsId);\r\n if (configured) return configured;\r\n\r\n const apiKey = loadApiKey();\r\n const baseUrl = resolveConfiguredBaseUrl(opts?.baseUrl);\r\n if (apiKey && agentOsId && baseUrl) {\r\n try {\r\n const token = await fetchRunnerCredential(agentOsId, { baseUrl, apiKey });\r\n saveRunnerToken(agentOsId, token);\r\n return token;\r\n } catch (error) {\r\n failConfig(`runner credential mint failed: ${(error as Error).message}`);\r\n }\r\n }\r\n\r\n failConfig(\r\n \"requires --secret, KYNVER_RUNNER_TOKEN, a scoped runner token (`kynver runner credential`), ~/.kynver/credentials runnerToken, KYNVER_API_KEY with an API base URL to mint one, or (legacy) KYNVER_RUNTIME_SECRET / KYNVER_CRON_SECRET / OPENCLAW_CRON_SECRET\",\r\n );\r\n}\r\n\r\n/**\r\n * Force-mint a fresh scoped runner token for `agentOsId`, bypassing any cached\r\n * or env token. Recovery path for a callback that 401s because the configured\r\n * token is revoked, expired, or scoped to a *different* workspace (the\r\n * self-linked repair case). Requires an API key + base URL to mint; returns\r\n * `null` when a fresh token cannot be obtained, so the caller degrades to a\r\n * structural blocker instead of papering the worker over as done.\r\n */\r\nexport async function refreshRunnerToken(\r\n agentOsId: string,\r\n opts?: { baseUrl?: string },\r\n): Promise<string | null> {\r\n const apiKey = loadApiKey();\r\n const baseUrl = resolveConfiguredBaseUrl(opts?.baseUrl);\r\n if (!apiKey || !agentOsId || !baseUrl) return null;\r\n try {\r\n const token = await fetchRunnerCredential(agentOsId, { baseUrl, apiKey });\r\n saveRunnerToken(agentOsId, token);\r\n return token;\r\n } catch {\r\n return null;\r\n }\r\n}\r\n\r\nexport async function refreshRunnerTokenForAuthFailure(\r\n rejectedSecret: string,\r\n agentOsId: string,\r\n opts?: { baseUrl?: string },\r\n): Promise<{ ok: true; token: string } | { ok: false; reason: string }> {\r\n const apiKey = loadApiKey();\r\n const baseUrl = resolveConfiguredBaseUrl(opts?.baseUrl);\r\n if (!apiKey) return { ok: false, reason: \"KYNVER_API_KEY is required to refresh a rejected runner token\" };\r\n if (!agentOsId) return { ok: false, reason: \"agentOsId is required to refresh a rejected runner token\" };\r\n if (!baseUrl) return { ok: false, reason: \"KYNVER_API_URL or --base-url is required to refresh a rejected runner token\" };\r\n\r\n try {\r\n const token = await fetchRunnerCredential(agentOsId, { baseUrl, apiKey });\r\n if (token && token !== rejectedSecret) {\r\n saveRunnerToken(agentOsId, token);\r\n return { ok: true, token };\r\n }\r\n return { ok: false, reason: \"runner credential refresh returned the rejected token\" };\r\n } catch (error) {\r\n return { ok: false, reason: (error as Error).message };\r\n }\r\n}\r\n\r\nexport async function fetchRunnerCredential(\r\n agentOsId: string,\r\n opts?: { baseUrl?: string; apiKey?: string },\r\n): Promise<string> {\r\n const apiKey = opts?.apiKey || loadApiKey();\r\n if (!apiKey) throw new Error(\"API key required \u2014 run `kynver login` first\");\r\n\r\n const base = resolveBaseUrl(opts?.baseUrl);\r\n const url = `${base}/api/agent-os/by-id/${encodeURIComponent(agentOsId)}/runner-credentials`;\r\n const res = await fetch(url, {\r\n method: \"POST\",\r\n headers: {\r\n \"Content-Type\": \"application/json\",\r\n Authorization: `Bearer ${apiKey}`,\r\n },\r\n body: JSON.stringify({}),\r\n });\r\n\r\n const text = await res.text();\r\n let parsed: { token?: string; error?: string } | null = null;\r\n try {\r\n parsed = JSON.parse(text) as { token?: string; error?: string };\r\n } catch {\r\n parsed = null;\r\n }\r\n if (!res.ok || !parsed?.token) {\r\n throw new Error(\r\n `runner credential mint failed (${res.status}): ${parsed?.error ?? text.slice(0, 200)}`,\r\n );\r\n }\r\n return parsed.token;\r\n}\r\n\r\nexport async function mintRunnerCredential(args: Record<string, string | boolean>): Promise<void> {\r\n const agentOsId =\r\n (args.agentOsId ? String(args.agentOsId) : loadUserConfig().agentOsId) || \"\";\r\n if (!agentOsId) failConfig(\"runner credential requires --agent-os-id or agentOsId in ~/.kynver/config.json\");\r\n\r\n try {\r\n const token = await fetchRunnerCredential(agentOsId, {\r\n baseUrl: args.baseUrl ? String(args.baseUrl) : undefined,\r\n });\r\n saveRunnerToken(agentOsId, token);\r\n console.log(\r\n JSON.stringify(\r\n {\r\n ok: true,\r\n agentOsId,\r\n credentialsPath: displayUserPath(CREDENTIALS_FILE),\r\n tokenPrefix: `${token.slice(0, 12)}\u2026`,\r\n note: \"Scoped runner token saved; callbacks use X-Kynver-Runner-Token.\",\r\n },\r\n null,\r\n 2,\r\n ),\r\n );\r\n } catch (err) {\r\n console.error(err instanceof Error ? err.message : String(err));\r\n process.exit(1);\r\n }\r\n}\r\n\r\nfunction failConfig(message: string): never {\r\n console.error(message);\r\n process.exit(1);\r\n}\r\n\r\nexport function parseArgs(argv: string[]): Record<string, string | boolean> {\r\n const args: Record<string, string | boolean> = {};\r\n for (let i = 0; i < argv.length; i++) {\r\n const item = argv[i];\r\n if (!item.startsWith(\"--\")) continue;\r\n const key = item.slice(2).replace(/-([a-z])/g, (_, c: string) => c.toUpperCase());\r\n const next = argv[i + 1];\r\n if (!next || next.startsWith(\"--\")) args[key] = true;\r\n else {\r\n args[key] = next;\r\n i++;\r\n }\r\n }\r\n return args;\r\n}\r\n\r\nexport async function runSetup(args: Record<string, string | boolean>): Promise<void> {\r\n const existing = loadUserConfig();\r\n const diskGate = observeRunnerDiskGate({\r\n diskPath: typeof args.diskPath === \"string\" ? args.diskPath : \"/\",\r\n });\r\n const capRecommendation = recommendSetupWorkerCap({\r\n totalMemBytes: os.totalmem(),\r\n diskPath: diskGate.path,\r\n diskGateOk: diskGate.ok,\r\n diskFreeBytes: diskGate.freeBytes,\r\n config: existing,\r\n });\r\n const workerConfig = resolveSetupWorkerConfig(existing, args);\r\n const config: KynverUserConfig = normalizeConfigPaths({\r\n ...existing,\r\n ...inferSetupFields(existing, args),\r\n ...workerConfig,\r\n workerProvider:\r\n typeof args.provider === \"string\"\r\n ? args.provider\r\n : existing.workerProvider || \"cursor\",\r\n });\r\n saveUserConfig(config);\r\n const boxIdentity = resolveBoxIdentity(process.env, config);\r\n\r\n let runnerCredentialNote: string | undefined;\r\n const apiKey = loadApiKey();\r\n const agentOsId = config.agentOsId;\r\n if (apiKey && agentOsId) {\r\n try {\r\n const token = await fetchRunnerCredential(agentOsId, {\r\n baseUrl: typeof args.apiBaseUrl === \"string\" ? args.apiBaseUrl : config.apiBaseUrl,\r\n apiKey,\r\n });\r\n saveRunnerToken(agentOsId, token);\r\n runnerCredentialNote = \"Scoped runner token minted and saved to ~/.kynver/credentials.\";\r\n } catch {\r\n runnerCredentialNote =\r\n \"Runner token not minted (server offline or master secret unset). Run `kynver runner credential` after deploy.\";\r\n }\r\n }\r\n\r\n console.log(\r\n JSON.stringify(\r\n {\r\n ok: true,\r\n configPath: displayUserPath(CONFIG_FILE),\r\n config: presentUserConfig(config),\r\n boxKind: config.boxKind,\r\n boxKindSource: boxIdentity.source,\r\n workerCapRecommendation: capRecommendation,\r\n ...(boxIdentity.warnings.length ? { boxIdentityWarnings: boxIdentity.warnings } : {}),\r\n note:\r\n runnerCredentialNote ??\r\n \"boxKind and maxConcurrentWorkers persisted; override with --box-kind and --max-workers. Run `kynver login` + `kynver runner credential` for scoped callbacks.\",\r\n },\r\n null,\r\n 2,\r\n ),\r\n );\r\n}\r\n\r\nexport async function runLogin(args: Record<string, string | boolean>): Promise<void> {\r\n const apiKey = typeof args.apiKey === \"string\" ? args.apiKey : process.env.KYNVER_API_KEY;\r\n if (!apiKey) failConfig(\"kynver login requires --api-key or KYNVER_API_KEY\");\r\n saveApiKey(apiKey);\r\n console.log(JSON.stringify({ ok: true, credentialsPath: displayUserPath(CREDENTIALS_FILE) }, null, 2));\r\n}\r\n", "import { existsSync, readFileSync } from \"node:fs\";\r\nimport { homedir } from \"node:os\";\r\nimport path from \"node:path\";\r\nimport { fileURLToPath } from \"node:url\";\r\nimport { gitCapture } from \"./git.js\";\r\nimport { resolveUserPath } from \"./path-values.js\";\r\n\r\nexport type DefaultRepoDiscoverySource =\r\n | \"cwd_git\"\r\n | \"runtime_checkout\"\r\n | \"well_known_path\";\r\n\r\nexport interface DiscoveredDefaultRepo {\r\n repo: string;\r\n source: DefaultRepoDiscoverySource;\r\n}\r\n\r\nconst WELL_KNOWN_REPO_DIRS = [\r\n \"Kynver\",\r\n \"repos/Kynver\",\r\n \"repos/kynver-source-main\",\r\n \"code/Kynver\",\r\n \"projects/Kynver\",\r\n] as const;\r\n\r\nfunction readPackageName(repoRoot: string): string | null {\r\n const pkgPath = path.join(repoRoot, \"package.json\");\r\n if (!existsSync(pkgPath)) return null;\r\n try {\r\n const pkg = JSON.parse(readFileSync(pkgPath, \"utf8\")) as { name?: string };\r\n return typeof pkg.name === \"string\" ? pkg.name.trim() : null;\r\n } catch {\r\n return null;\r\n }\r\n}\r\n\r\nexport function isKynverMonorepoRoot(repoRoot: string): boolean {\r\n return readPackageName(repoRoot) === \"kynver\";\r\n}\r\n\r\nexport function gitRepoRoot(startDir: string): string | null {\r\n const resolvedStart = path.resolve(startDir);\r\n if (!existsSync(resolvedStart)) return null;\r\n const probe = gitCapture(resolvedStart, [\"rev-parse\", \"--show-toplevel\"]);\r\n if (probe.status !== 0) return null;\r\n const root = probe.stdout.trim();\r\n return root.length ? path.resolve(root) : null;\r\n}\r\n\r\nfunction resolveRuntimePackageRoot(moduleUrl: string = import.meta.url): string | null {\r\n let dir = path.dirname(fileURLToPath(moduleUrl));\r\n for (let depth = 0; depth < 8; depth += 1) {\r\n const pkgPath = path.join(dir, \"package.json\");\r\n if (existsSync(pkgPath)) {\r\n try {\r\n const pkg = JSON.parse(readFileSync(pkgPath, \"utf8\")) as { name?: string };\r\n if (pkg.name === \"@kynver-app/runtime\") return dir;\r\n } catch {\r\n // continue walking\r\n }\r\n }\r\n const parent = path.dirname(dir);\r\n if (parent === dir) break;\r\n dir = parent;\r\n }\r\n return null;\r\n}\r\n\r\nfunction pushCandidate(\r\n seen: Set<string>,\r\n out: DiscoveredDefaultRepo[],\r\n repo: string | null,\r\n source: DefaultRepoDiscoverySource,\r\n): void {\r\n if (!repo) return;\r\n const resolved = path.resolve(repo);\r\n if (seen.has(resolved)) return;\r\n if (!isKynverMonorepoRoot(resolved)) return;\r\n seen.add(resolved);\r\n out.push({ repo: resolved, source });\r\n}\r\n\r\nexport function discoverDefaultRepoCandidates(opts?: {\r\n cwd?: string;\r\n runtimeModuleUrl?: string;\r\n}): DiscoveredDefaultRepo[] {\r\n const cwd = opts?.cwd ?? process.cwd();\r\n const seen = new Set<string>();\r\n const candidates: DiscoveredDefaultRepo[] = [];\r\n\r\n pushCandidate(seen, candidates, gitRepoRoot(cwd), \"cwd_git\");\r\n\r\n const runtimePkgRoot = resolveRuntimePackageRoot(opts?.runtimeModuleUrl ?? import.meta.url);\r\n if (runtimePkgRoot) {\r\n pushCandidate(seen, candidates, gitRepoRoot(runtimePkgRoot), \"runtime_checkout\");\r\n }\r\n\r\n const home = homedir();\r\n for (const rel of WELL_KNOWN_REPO_DIRS) {\r\n pushCandidate(seen, candidates, resolveUserPath(path.join(home, rel)), \"well_known_path\");\r\n }\r\n\r\n return candidates;\r\n}\r\n\r\nexport function discoverDefaultRepo(opts?: {\r\n cwd?: string;\r\n runtimeModuleUrl?: string;\r\n}): DiscoveredDefaultRepo | null {\r\n return discoverDefaultRepoCandidates(opts)[0] ?? null;\r\n}\r\n", "import { spawnSync } from \"node:child_process\";\r\nimport { fail } from \"./util.js\";\r\n\r\nexport interface GitOptions {\r\n allowFailure?: boolean;\r\n throwError?: boolean;\r\n}\r\n\r\nexport function git(cwd: string, args: string[], options: GitOptions = {}): string {\r\n const res = spawnSync(\"git\", args, { cwd, encoding: \"utf8\" });\r\n if (res.status !== 0 && !options.allowFailure) {\r\n const message = `git ${args.join(\" \")} failed: ${res.stderr || res.stdout}`;\r\n if (options.throwError) throw new Error(message);\r\n fail(message);\r\n }\r\n return res.stdout || \"\";\r\n}\r\n\r\nexport function ensureGitRepo(repo: string): void {\r\n git(repo, [\"rev-parse\", \"--show-toplevel\"]);\r\n}\r\n\r\nexport function gitStatusShort(worktreePath: string): string[] {\r\n return git(worktreePath, [\"status\", \"--short\"], { allowFailure: true })\r\n .split(\"\\n\")\r\n .map((line) => line.trim())\r\n .filter(Boolean);\r\n}\r\n\r\nexport interface GitCaptureResult {\r\n status: number | null;\r\n stdout: string;\r\n stderr: string;\r\n error: string | null;\r\n}\r\n\r\nexport function gitCapture(cwd: string, args: string[]): GitCaptureResult {\r\n try {\r\n const res = spawnSync(\"git\", args, { cwd, encoding: \"utf8\" });\r\n return {\r\n status: res.status,\r\n stdout: res.stdout || \"\",\r\n stderr: res.stderr || \"\",\r\n error: res.error ? res.error.message : null,\r\n };\r\n } catch (error) {\r\n return {\r\n status: null,\r\n stdout: \"\",\r\n stderr: \"\",\r\n error: (error as Error).message,\r\n };\r\n }\r\n}\r\n\r\nexport function gitIsAncestor(\r\n cwd: string,\r\n ancestor: string,\r\n descendant: string,\r\n): { isAncestor: boolean | null; error: string | null } {\r\n const res = gitCapture(cwd, [\"merge-base\", \"--is-ancestor\", ancestor, descendant]);\r\n if (res.status === 0) return { isAncestor: true, error: null };\r\n if (res.status === 1) return { isAncestor: false, error: null };\r\n return { isAncestor: null, error: res.error || res.stderr || res.stdout || `git exited ${res.status}` };\r\n}\r\n\r\nexport type GitAncestryRelation = \"synced\" | \"merged\" | \"ahead\" | \"diverged\" | \"unknown\";\r\n\r\nexport interface GitAncestry {\r\n checked: boolean;\r\n base: string;\r\n head: string | null;\r\n baseHead: string | null;\r\n baseIsAncestorOfHead: boolean | null;\r\n headIsAncestorOfBase: boolean | null;\r\n relation: GitAncestryRelation;\r\n error?: string;\r\n}\r\n\r\nexport interface GitAncestryOptions {\r\n /** Branch or ref name (e.g. origin/main). Used when baseCommit is unset. */\r\n base?: string;\r\n /** Pinned SHA the worktree was created from \u2014 preferred over a moving branch ref. */\r\n baseCommit?: string;\r\n}\r\n\r\nexport function computeGitAncestry(worktreePath: string, baseOrOptions: string | GitAncestryOptions = \"origin/main\"): GitAncestry {\r\n const options: GitAncestryOptions =\r\n typeof baseOrOptions === \"string\" ? { base: baseOrOptions } : baseOrOptions;\r\n const baseLabel = options.baseCommit?.trim() || options.base?.trim() || \"origin/main\";\r\n const pinnedBaseCommit = options.baseCommit?.trim() || null;\r\n\r\n if (!worktreePath) {\r\n return unknownAncestry(baseLabel, \"missing worktree path\");\r\n }\r\n\r\n const head = gitCapture(worktreePath, [\"rev-parse\", \"HEAD\"]);\r\n if (head.status !== 0) {\r\n return unknownAncestry(baseLabel, head.error || head.stderr || head.stdout || \"failed to resolve HEAD\");\r\n }\r\n\r\n let baseSha: string;\r\n if (pinnedBaseCommit) {\r\n baseSha = pinnedBaseCommit;\r\n } else {\r\n const baseHead = gitCapture(worktreePath, [\"rev-parse\", baseLabel]);\r\n if (baseHead.status !== 0) {\r\n return unknownAncestry(\r\n baseLabel,\r\n baseHead.error || baseHead.stderr || baseHead.stdout || `failed to resolve ${baseLabel}`,\r\n head.stdout.trim(),\r\n );\r\n }\r\n baseSha = baseHead.stdout.trim();\r\n }\r\n\r\n const headSha = head.stdout.trim();\r\n if (headSha === baseSha) {\r\n return {\r\n checked: true,\r\n base: baseLabel,\r\n head: headSha,\r\n baseHead: baseSha,\r\n baseIsAncestorOfHead: true,\r\n headIsAncestorOfBase: true,\r\n relation: \"synced\",\r\n };\r\n }\r\n\r\n const baseIsAncestorOfHead = gitIsAncestor(worktreePath, baseSha, headSha);\r\n const headIsAncestorOfBase = gitIsAncestor(worktreePath, headSha, baseSha);\r\n const error = baseIsAncestorOfHead.error || headIsAncestorOfBase.error || undefined;\r\n if (baseIsAncestorOfHead.isAncestor == null || headIsAncestorOfBase.isAncestor == null) {\r\n return {\r\n checked: false,\r\n base: baseLabel,\r\n head: headSha,\r\n baseHead: baseSha,\r\n baseIsAncestorOfHead: baseIsAncestorOfHead.isAncestor,\r\n headIsAncestorOfBase: headIsAncestorOfBase.isAncestor,\r\n relation: \"unknown\",\r\n ...(error ? { error } : {}),\r\n };\r\n }\r\n\r\n const relation: GitAncestryRelation = baseIsAncestorOfHead.isAncestor\r\n ? \"ahead\"\r\n : headIsAncestorOfBase.isAncestor\r\n ? \"merged\"\r\n : \"diverged\";\r\n\r\n return {\r\n checked: true,\r\n base: baseLabel,\r\n head: headSha,\r\n baseHead: baseSha,\r\n baseIsAncestorOfHead: baseIsAncestorOfHead.isAncestor,\r\n headIsAncestorOfBase: headIsAncestorOfBase.isAncestor,\r\n relation,\r\n ...(error ? { error } : {}),\r\n };\r\n}\r\n\r\nfunction unknownAncestry(base: string, error: string, head: string | null = null): GitAncestry {\r\n return {\r\n checked: false,\r\n base,\r\n head,\r\n baseHead: null,\r\n baseIsAncestorOfHead: null,\r\n headIsAncestorOfBase: null,\r\n relation: \"unknown\",\r\n error,\r\n };\r\n}\r\n\r\nexport { scrubClaudeEnv, scrubWorkerEnv } from \"./worker-env.js\";\r\n", "/**\r\n * Worker spawn env scrub \u2014 harness workers must not inherit host deployment secrets.\r\n */\r\n\r\n/** Exact env keys that must never reach a worker child process. */\r\nexport const FORBIDDEN_WORKER_ENV_KEYS = [\r\n \"ANTHROPIC_API_KEY\",\r\n \"ANALYST_API_KEY\",\r\n \"RECRUITER_API_KEY\",\r\n \"AUTH_SECRET\",\r\n \"NEXTAUTH_SECRET\",\r\n \"DATABASE_URL\",\r\n \"PRODUCTION_DATABASE_URL\",\r\n \"KYNVER_PRODUCTION_DATABASE_URL\",\r\n \"REDIS_URL\",\r\n \"GOOGLE_CLIENT_SECRET\",\r\n \"GITHUB_CLIENT_SECRET\",\r\n \"KYNVER_API_KEY\",\r\n \"KYNVER_SERVICE_SECRET\",\r\n \"KYNVER_RUNTIME_SECRET\",\r\n \"KYNVER_CRON_SECRET\",\r\n \"OPENCLAW_CRON_SECRET\",\r\n \"QSTASH_TOKEN\",\r\n \"QSTASH_CURRENT_SIGNING_KEY\",\r\n \"QSTASH_NEXT_SIGNING_KEY\",\r\n \"TOOL_SECRETS_KEK\",\r\n \"TOOL_EXECUTOR_DISPATCH_SECRET\",\r\n \"CLOUDFLARE_API_TOKEN\",\r\n \"STRIPE_SECRET_KEY\",\r\n \"STRIPE_WEBHOOK_SECRET\",\r\n \"STRIPE_IDENTITY_WEBHOOK_SECRET\",\r\n \"VOYAGE_API_KEY\",\r\n \"PERPLEXITY_API_KEY\",\r\n \"FRED_API_KEY\",\r\n \"FMP_API_KEY\",\r\n \"CURSOR_API_KEY\",\r\n] as const;\r\n\r\nconst FORBIDDEN_KEY_SET = new Set<string>(FORBIDDEN_WORKER_ENV_KEYS);\r\n\r\n/** Keys matching these suffixes are stripped (case-sensitive). */\r\nconst FORBIDDEN_SUFFIXES = [\"_SECRET\", \"_API_KEY\"] as const;\r\n\r\nexport function isForbiddenWorkerEnvKey(key: string): boolean {\r\n if (FORBIDDEN_KEY_SET.has(key)) return true;\r\n return FORBIDDEN_SUFFIXES.some((suffix) => key.endsWith(suffix));\r\n}\r\n\r\nexport function listForbiddenWorkerEnvKeys(env: NodeJS.ProcessEnv): string[] {\r\n return Object.keys(env).filter(isForbiddenWorkerEnvKey).sort();\r\n}\r\n\r\nexport function scrubWorkerEnv(env: NodeJS.ProcessEnv): NodeJS.ProcessEnv {\r\n const next = { ...env };\r\n for (const key of Object.keys(next)) {\r\n if (isForbiddenWorkerEnvKey(key)) delete next[key];\r\n }\r\n return next;\r\n}\r\n\r\nexport interface WorkerEnvAudit {\r\n forbiddenPresent: string[];\r\n safe: boolean;\r\n}\r\n\r\nexport function auditWorkerEnv(env: NodeJS.ProcessEnv): WorkerEnvAudit {\r\n const forbiddenPresent = listForbiddenWorkerEnvKeys(env);\r\n return { forbiddenPresent, safe: forbiddenPresent.length === 0 };\r\n}\r\n\r\n/** @deprecated Use {@link scrubWorkerEnv} \u2014 kept for existing imports from git.ts */\r\nexport function scrubClaudeEnv(env: NodeJS.ProcessEnv): NodeJS.ProcessEnv {\r\n return scrubWorkerEnv(env);\r\n}\r\n", "import { homedir } from \"node:os\";\r\nimport path from \"node:path\";\r\n\r\nexport function expandHomePath(value: string): string {\r\n if (value === \"~\") return homedir();\r\n if (value.startsWith(\"~/\") || value.startsWith(\"~\\\\\")) {\r\n return path.join(homedir(), value.slice(2));\r\n }\r\n return value;\r\n}\r\n\r\nexport function resolveUserPath(value: string): string {\r\n return path.resolve(expandHomePath(value));\r\n}\r\n\r\nexport function redactHomePath(value: string): string {\r\n const expanded = expandHomePath(value);\r\n const resolved = path.resolve(expanded);\r\n const home = path.resolve(homedir());\r\n\r\n if (resolved === home) return \"~\";\r\n if (resolved.startsWith(`${home}${path.sep}`)) {\r\n return `~/${path.relative(home, resolved).split(path.sep).join(\"/\")}`;\r\n }\r\n\r\n const posix = resolved.replace(/\\\\/g, \"/\");\r\n const redacted = posix\r\n .replace(/^\\/home\\/[^/]+(?=\\/|$)/, \"~\")\r\n .replace(/^\\/Users\\/[^/]+(?=\\/|$)/, \"~\")\r\n // Windows resolves Unix-style `/home/...` paths to `C:\\home\\...`.\r\n .replace(/^[A-Za-z]:\\/home\\/[^/]+(?=\\/|$)/i, \"~\")\r\n .replace(/^[A-Za-z]:\\/Users\\/[^/]+(?=\\/|$)/i, \"~\");\r\n return redacted;\r\n}\r\n\r\n/** User-facing path strings (doctor JSON, setup output). */\r\nexport function displayUserPath(value: string): string {\r\n return redactHomePath(value);\r\n}\r\n", "import { existsSync, readFileSync, statfsSync } from \"node:fs\";\r\n\r\n/**\r\n * WSL host disk probe.\r\n *\r\n * Under WSL, the runtime VHDX (mounted at `/`) grows dynamically into the\r\n * Windows host C: drive. When Windows C: fills up, the VHDX cannot expand:\r\n * writes return SIGBUS, workers exit 135, and the Vmmem VM degrades while\r\n * the Linux-side `statfs /` still reports plenty of free space inside the\r\n * VHDX. This module gives the harness a cheap signal for that pressure so\r\n * it can block dispatch *before* a large npm install/build pushes Windows\r\n * C: into the ground.\r\n */\r\n\r\n/** Default warn threshold for the Windows host disk (25 GiB free). */\r\nexport const DEFAULT_WSL_HOST_WARN_FREE_BYTES = 25 * 1024 * 1024 * 1024;\r\n/** Default critical threshold for the Windows host disk (12 GiB free). Below\r\n * this, large rebuilds have been observed to trigger SIGBUS / exit 135 on\r\n * WSL when the VHDX cannot grow further. */\r\nexport const DEFAULT_WSL_HOST_CRITICAL_FREE_BYTES = 12 * 1024 * 1024 * 1024;\r\n/** Default Windows host mount point under WSL. Overridable via env or option. */\r\nexport const DEFAULT_WSL_HOST_MOUNT = \"/mnt/c\";\r\n\r\nexport interface WslHostDiskShape {\r\n ok: boolean;\r\n /** Mount point that was probed. */\r\n path: string;\r\n freeBytes: number;\r\n totalBytes: number;\r\n usedPercent: number;\r\n warnBelowBytes: number;\r\n criticalBelowBytes: number;\r\n /** Human-readable explanation when the host disk is under pressure. */\r\n reason: string | null;\r\n /** True when the probe itself failed (mount missing, statfs error). */\r\n probeError: string | null;\r\n}\r\n\r\n/**\r\n * Cheap WSL detection. Reads `/proc/sys/kernel/osrelease` (kernel string\r\n * contains \"microsoft\" / \"WSL2\" on Microsoft's WSL kernel) and falls back\r\n * to `/proc/version`. Both reads are one-shot and gated by `existsSync`,\r\n * so non-Linux hosts return false without throwing.\r\n */\r\nexport function isWslHost(): boolean {\r\n if (process.platform !== \"linux\") return false;\r\n for (const probe of [\"/proc/sys/kernel/osrelease\", \"/proc/version\"]) {\r\n try {\r\n if (!existsSync(probe)) continue;\r\n const text = readFileSync(probe, \"utf8\");\r\n if (/microsoft|wsl/i.test(text)) return true;\r\n } catch {\r\n // ignore \u2014 try the next probe path\r\n }\r\n }\r\n return false;\r\n}\r\n\r\nexport interface ObserveWslHostDiskOptions {\r\n /** Override the Windows host mount path (e.g. `/mnt/d`). Falls back to\r\n * `KYNVER_WSL_HOST_MOUNT` env, then `/mnt/c`. */\r\n wslHostMount?: string;\r\n wslHostFreeWarnBytes?: number;\r\n wslHostFreeCriticalBytes?: number;\r\n /** Override WSL detection for tests / cross-platform CI:\r\n * `true` \u2192 treat host as WSL; `false` \u2192 treat host as non-WSL;\r\n * `undefined` \u2192 autodetect via `isWslHost()`. */\r\n forceWsl?: boolean;\r\n /** Test seam \u2014 swap in a fake statfs. */\r\n statfs?: (path: string) => { bavail: bigint | number; blocks: bigint | number; bsize: bigint | number };\r\n}\r\n\r\n/**\r\n * Probe the Windows host disk under WSL. Returns `null` when this host is\r\n * not WSL (so callers can treat the field as optional in the gate output).\r\n * When WSL but the mount is unreachable, returns a `probeError` row with\r\n * `ok = false` rather than throwing \u2014 the gate must still block dispatch\r\n * because we can't prove the host disk is healthy.\r\n */\r\nexport function observeWslHostDisk(\r\n options: ObserveWslHostDiskOptions = {},\r\n): WslHostDiskShape | null {\r\n const wsl = options.forceWsl === undefined ? isWslHost() : options.forceWsl;\r\n if (!wsl) return null;\r\n\r\n const path =\r\n options.wslHostMount?.trim() ||\r\n process.env.KYNVER_WSL_HOST_MOUNT?.trim() ||\r\n DEFAULT_WSL_HOST_MOUNT;\r\n const warnBelowBytes = options.wslHostFreeWarnBytes ?? DEFAULT_WSL_HOST_WARN_FREE_BYTES;\r\n const criticalBelowBytes =\r\n options.wslHostFreeCriticalBytes ?? DEFAULT_WSL_HOST_CRITICAL_FREE_BYTES;\r\n\r\n const statfs = options.statfs ?? statfsSync;\r\n let stats: { bavail: bigint | number; blocks: bigint | number; bsize: bigint | number };\r\n try {\r\n stats = statfs(path);\r\n } catch (error) {\r\n return {\r\n ok: false,\r\n path,\r\n freeBytes: 0,\r\n totalBytes: 0,\r\n usedPercent: 100,\r\n warnBelowBytes,\r\n criticalBelowBytes,\r\n reason: `Windows host disk probe failed at ${path}: ${(error as Error).message}`,\r\n probeError: (error as Error).message,\r\n };\r\n }\r\n\r\n const freeBytes = Number(stats.bavail) * Number(stats.bsize);\r\n const totalBytes = Number(stats.blocks) * Number(stats.bsize);\r\n const usedPercent = totalBytes > 0 ? ((totalBytes - freeBytes) / totalBytes) * 100 : 100;\r\n const lowFree = freeBytes < warnBelowBytes;\r\n const criticalFree = freeBytes < criticalBelowBytes;\r\n const ok = !lowFree && !criticalFree;\r\n\r\n const freeGiB = (freeBytes / (1024 * 1024 * 1024)).toFixed(1);\r\n let reason: string | null = null;\r\n if (!ok) {\r\n const tag = criticalFree ? \"critical\" : \"warning\";\r\n reason =\r\n `Windows host disk ${path} at ${tag}: ${freeGiB} GiB free ` +\r\n `(<${(criticalFree ? criticalBelowBytes : warnBelowBytes) / 1024 / 1024 / 1024} GiB); ` +\r\n `WSL VHDX cannot grow safely. ${summarizeWslRecoverySteps()}`;\r\n }\r\n\r\n return {\r\n ok,\r\n path,\r\n freeBytes,\r\n totalBytes,\r\n usedPercent,\r\n warnBelowBytes,\r\n criticalBelowBytes,\r\n reason,\r\n probeError: null,\r\n };\r\n}\r\n\r\n/**\r\n * Short operator recovery hint embedded in gate reasons so AgentOS evidence\r\n * surfaces actionable steps without a doc lookup. Keep terse \u2014 full runbook\r\n * lives at `docs/runbooks/wsl-disk-pressure.md`.\r\n */\r\nexport function summarizeWslRecoverySteps(): string {\r\n return (\r\n \"Recovery: \" +\r\n \"1) free Windows C: (empty Recycle Bin / Storage Sense / clear %TEMP%); \" +\r\n \"2) shut down WSL (`wsl --shutdown`) then compact the VHDX (`Optimize-VHD` or `diskpart compact vdisk`); \" +\r\n \"3) clear local node_modules / .next / harness worktrees before restarting workers. \" +\r\n \"Full runbook: docs/runbooks/wsl-disk-pressure.md.\"\r\n );\r\n}\r\n", "import { statfsSync } from \"node:fs\";\r\nimport type { DispatchNextDiskGateShape } from \"./callbacks.js\";\r\nimport {\r\n observeWslHostDisk,\r\n type ObserveWslHostDiskOptions,\r\n type WslHostDiskShape,\r\n} from \"./wsl-host.js\";\r\n\r\nconst DEFAULT_WARN_FREE_BYTES = 30 * 1024 * 1024 * 1024;\r\nconst DEFAULT_CRITICAL_FREE_BYTES = 15 * 1024 * 1024 * 1024;\r\nconst DEFAULT_MAX_USED_PERCENT = 80;\r\nconst DEFAULT_HARD_MAX_USED_PERCENT = 90;\r\n\r\nexport interface ObserveDiskGateInput {\r\n diskPath?: string;\r\n diskFreeWarnBytes?: number;\r\n diskFreeCriticalBytes?: number;\r\n diskMaxUsedPercent?: number;\r\n diskHardMaxUsedPercent?: number;\r\n /** Opt-out for the WSL host disk probe \u2014 leave `false`/undefined by\r\n * default so we always check `/mnt/c` under WSL. */\r\n skipWslHostCheck?: boolean;\r\n wslHost?: ObserveWslHostDiskOptions;\r\n}\r\n\r\nexport function observeRunnerDiskGate(input: ObserveDiskGateInput = {}): DispatchNextDiskGateShape {\r\n const path = input.diskPath?.trim() || \"/\";\r\n const warnBelowBytes = input.diskFreeWarnBytes ?? DEFAULT_WARN_FREE_BYTES;\r\n const criticalBelowBytes = input.diskFreeCriticalBytes ?? DEFAULT_CRITICAL_FREE_BYTES;\r\n const maxUsedPercent = input.diskMaxUsedPercent ?? DEFAULT_MAX_USED_PERCENT;\r\n const hardMaxUsedPercent = input.diskHardMaxUsedPercent ?? DEFAULT_HARD_MAX_USED_PERCENT;\r\n\r\n const stats = statfsSync(path);\r\n const freeBytes = Number(stats.bavail) * Number(stats.bsize);\r\n const totalBytes = Number(stats.blocks) * Number(stats.bsize);\r\n const usedPercent = totalBytes > 0 ? ((totalBytes - freeBytes) / totalBytes) * 100 : 100;\r\n const lowFree = freeBytes < warnBelowBytes;\r\n const criticalFree = freeBytes < criticalBelowBytes;\r\n const highUse = usedPercent > maxUsedPercent;\r\n const hardHighUse = usedPercent > hardMaxUsedPercent;\r\n const localOk = !lowFree && !criticalFree && !highUse && !hardHighUse;\r\n\r\n // WSL guard: the VHDX (mounted at `/`) grows into Windows C:; a healthy\r\n // local statfs is meaningless if the host disk is about to refuse writes.\r\n const wslHost: WslHostDiskShape | null = input.skipWslHostCheck\r\n ? null\r\n : observeWslHostDisk(input.wslHost);\r\n\r\n const ok = localOk && (wslHost ? wslHost.ok : true);\r\n\r\n let reason: string | null = null;\r\n if (!ok) {\r\n reason = [\r\n criticalFree ? `free space below critical ${criticalBelowBytes} bytes` : null,\r\n lowFree ? `free space below warning ${warnBelowBytes} bytes` : null,\r\n hardHighUse ? `used percent above hard cap ${hardMaxUsedPercent}%` : null,\r\n highUse ? `used percent above cap ${maxUsedPercent}%` : null,\r\n wslHost && !wslHost.ok ? wslHost.reason : null,\r\n ]\r\n .filter(Boolean)\r\n .join(\"; \");\r\n }\r\n\r\n return {\r\n ok,\r\n path,\r\n freeBytes,\r\n totalBytes,\r\n usedPercent,\r\n warnBelowBytes,\r\n criticalBelowBytes,\r\n maxUsedPercent,\r\n hardMaxUsedPercent,\r\n reason,\r\n wslHost,\r\n };\r\n}\r\n", "import { existsSync } from \"node:fs\";\r\nimport { homedir } from \"node:os\";\r\nimport path from \"node:path\";\r\nimport { loadUserConfig } from \"./config.js\";\r\nimport { resolveUserPath } from \"./path-values.js\";\r\nimport { safeSlug } from \"./util.js\";\r\n\r\nconst LEGACY_ROOT = path.join(homedir(), \".openclaw\", \"harness\");\r\n\r\nconst HARNESS_LAYOUT_DIR_NAMES = new Set([\"runs\", \"worktrees\"]);\r\n\r\n/**\r\n * Canonical harness root: the directory that contains `runs/` and `worktrees/`.\r\n * Strips mistaken trailing layout segments (e.g. env set to `.../harness/runs`).\r\n * Server mirror: agent-os.harness-root.ts\r\n */\r\nexport function normalizeHarnessRoot(root: string): string {\r\n let resolved = path.resolve(resolveUserPath(root.trim()));\r\n while (HARNESS_LAYOUT_DIR_NAMES.has(path.basename(resolved))) {\r\n resolved = path.dirname(resolved);\r\n }\r\n return resolved;\r\n}\r\n\r\n/** Canonical harness root for CLI/workers. */\r\nexport function resolveHarnessRoot(): string {\r\n const env = process.env.KYNVER_HARNESS_ROOT || process.env.OPUS_HARNESS_ROOT;\r\n if (env) return normalizeHarnessRoot(env);\r\n const configured = loadUserConfig().harnessRoot?.trim();\r\n if (configured) return normalizeHarnessRoot(configured);\r\n const kynverRoot = path.join(homedir(), \".kynver\", \"harness\");\r\n if (existsSync(kynverRoot)) return kynverRoot;\r\n if (existsSync(LEGACY_ROOT)) return LEGACY_ROOT;\r\n return kynverRoot;\r\n}\r\n\r\nexport function harnessRunsDir(harnessRoot: string): string {\r\n return path.join(normalizeHarnessRoot(harnessRoot), \"runs\");\r\n}\r\n\r\nexport function harnessWorktreesDir(harnessRoot: string): string {\r\n return path.join(normalizeHarnessRoot(harnessRoot), \"worktrees\");\r\n}\r\n\r\nexport function getHarnessPaths() {\r\n const harnessRoot = resolveHarnessRoot();\r\n return {\r\n harnessRoot,\r\n runsDir: harnessRunsDir(harnessRoot),\r\n worktreesDir: harnessWorktreesDir(harnessRoot),\r\n };\r\n}\r\n\r\nexport function runDir(runsDir: string, id: string): string {\r\n return path.join(runsDir, safeSlug(id));\r\n}\r\n", "import os from \"node:os\";\r\nimport { readMemAvailableBytes } from \"./bounded-build/meminfo.js\";\r\nimport path from \"node:path\";\r\nimport { loadUserConfig, type KynverUserConfig } from \"./config.js\";\r\nimport { resolveBoxKindFromConfig } from \"./box-identity.js\";\r\nimport type { WorkerCapSource } from \"./worker-cap-source.js\";\r\nimport { resolveWorkerCap } from \"./worker-cap-source.js\";\r\nimport type { DispatchNextDiskGateShape } from \"./callbacks.js\";\r\nimport { observeRunnerDiskGate } from \"./disk-gate.js\";\r\nimport { listRunRecords, loadRun, runDirectory, type HarnessRunRecord } from \"./run-store.js\";\r\nimport { listRunWorkerNames } from \"./run-worker-index.js\";\r\nimport { isActiveHarnessWorker, workerProcessMatchesRecord } from \"./harness-worker-active.js\";\r\nimport { readJson, safeSlug } from \"./util.js\";\r\nimport type { HarnessWorkerRecord } from \"./status.js\";\r\n\r\nexport { workerProcessMatchesRecord };\r\n\r\n/** Default RAM budget per worker (~500 MiB, dogfood measured). Internal \u2014 not a setup knob. */\r\nexport const DEFAULT_PER_WORKER_MEM_BYTES = 500 * 1024 * 1024;\r\n\r\n/** Keep headroom for OS / IDE. Internal \u2014 not a setup knob. */\r\nexport const DEFAULT_MEM_RESERVE_BYTES = 4 * 1024 * 1024 * 1024;\r\n\r\n/** Fraction of total RAM used when auto-sizing worker cap. Internal. */\r\nexport const DEFAULT_MEM_UTILIZATION = 0.85;\r\n\r\n/** Auto cap when the user has not set maxConcurrentWorkers (safety on huge hosts). */\r\nexport const AUTO_MAX_WORKERS_CEILING = 64;\r\n\r\nexport interface RunnerResourceGateShape {\r\n ok: boolean;\r\n totalMemBytes: number;\r\n freeMemBytes: number;\r\n memReserveBytes: number;\r\n perWorkerMemBytes: number;\r\n configuredMaxWorkers: number | null;\r\n /** Where the effective worker cap was resolved (workspace override, env, config, or auto). */\r\n workerCapSource: WorkerCapSource;\r\n /** Physical pool for this host (`forge` | `ghost`). */\r\n boxKind: string;\r\n autoCap: number;\r\n capacityWorkers: number;\r\n maxConcurrentWorkers: number;\r\n activeWorkers: number;\r\n slotsAvailable: number;\r\n reason: string | null;\r\n /** Present unless `KYNVER_RESOURCE_GATE_SKIP_DISK=1`. */\r\n diskGate?: DispatchNextDiskGateShape;\r\n}\r\n\r\nexport interface ObserveResourceGateInput {\r\n runId: string;\r\n config?: KynverUserConfig;\r\n /** Command Center / workspace override \u2014 wins over local config when set. */\r\n configuredMaxWorkersOverride?: number | null;\r\n /** Override active worker count (tests). */\r\n activeWorkers?: number;\r\n totalMemBytes?: number;\r\n freeMemBytes?: number;\r\n diskPath?: string;\r\n skipDiskGate?: boolean;\r\n}\r\n\r\nfunction positiveInt(value: unknown, fallback: number): number {\r\n const n = Number(value);\r\n if (!Number.isFinite(n) || n <= 0) return fallback;\r\n return Math.floor(n);\r\n}\r\n\r\nfunction resolveResourceConfig(\r\n config: KynverUserConfig = loadUserConfig(),\r\n configuredMaxWorkersOverride?: number | null,\r\n totalMemBytes?: number,\r\n) {\r\n const perWorkerMemBytes = positiveInt(config.perWorkerMemBytes, DEFAULT_PER_WORKER_MEM_BYTES);\r\n const memReserveBytes = positiveInt(config.memReserveBytes, DEFAULT_MEM_RESERVE_BYTES);\r\n const memUtilization = Math.min(\r\n 1,\r\n Math.max(0.1, Number(config.memUtilization) > 0 ? Number(config.memUtilization) : DEFAULT_MEM_UTILIZATION),\r\n );\r\n const cap = resolveWorkerCap({\r\n config,\r\n configuredMaxWorkersOverride,\r\n totalMemBytes: totalMemBytes ?? os.totalmem(),\r\n });\r\n return {\r\n perWorkerMemBytes,\r\n memReserveBytes,\r\n memUtilization,\r\n configuredMaxWorkers: cap.configuredMaxWorkers,\r\n autoCap: cap.autoCap,\r\n workerCapSource: cap.workerCapSource,\r\n };\r\n}\r\n\r\n/** How many workers this host could run from RAM alone (before a user cap). */\r\nexport function computeAutoMaxWorkers(\r\n totalMemBytes: number,\r\n opts: { perWorkerMemBytes?: number; memReserveBytes?: number; memUtilization?: number } = {},\r\n): number {\r\n const perWorkerMemBytes = opts.perWorkerMemBytes ?? DEFAULT_PER_WORKER_MEM_BYTES;\r\n const memReserveBytes = opts.memReserveBytes ?? DEFAULT_MEM_RESERVE_BYTES;\r\n const memUtilization = opts.memUtilization ?? DEFAULT_MEM_UTILIZATION;\r\n const budgetBytes = Math.max(0, Math.floor(totalMemBytes * memUtilization) - memReserveBytes);\r\n const raw = Math.max(1, Math.floor(budgetBytes / perWorkerMemBytes));\r\n return Math.min(raw, AUTO_MAX_WORKERS_CEILING);\r\n}\r\n\r\nfunction readAvailableMemBytes(): number {\r\n return readMemAvailableBytes();\r\n}\r\n\r\n/** Count alive, still-executing workers in a single run record. */\r\nfunction countActiveWorkersForRun(run: HarnessRunRecord): number {\r\n let active = 0;\r\n for (const name of listRunWorkerNames(run)) {\r\n const worker = readJson<HarnessWorkerRecord | undefined>(\r\n path.join(runDirectory(run.id), \"workers\", safeSlug(name), \"worker.json\"),\r\n undefined,\r\n );\r\n if (!worker || !isActiveHarnessWorker(worker)) continue;\r\n active++;\r\n }\r\n return active;\r\n}\r\n\r\n/** Count active workers in ONE run (kept for callers/tests scoped to a run). */\r\nexport function countActiveWorkers(runId: string): number {\r\n return countActiveWorkersForRun(loadRun(runId));\r\n}\r\n\r\n/**\r\n * Count active workers across EVERY run on disk. The harness creates a new run\r\n * per task, so a per-run count let concurrent runs each believe the machine was\r\n * idle \u2014 the configured cap was never a real global ceiling (the \"spawns 4 or\r\n * infinity, never N\" bug). This machine-wide count is what the gate must use.\r\n */\r\nexport function countActiveWorkersGlobal(): number {\r\n let active = 0;\r\n for (const run of listRunRecords()) active += countActiveWorkersForRun(run);\r\n return active;\r\n}\r\n\r\n/**\r\n * Compute how many workers this host can run and how many dispatch slots remain.\r\n * Uses total RAM for steady-state capacity and free RAM as a hard safety gate.\r\n */\r\nexport function observeRunnerResourceGate(input: ObserveResourceGateInput): RunnerResourceGateShape {\r\n const config = input.config ?? loadUserConfig();\r\n const totalMemBytes = input.totalMemBytes ?? os.totalmem();\r\n const { perWorkerMemBytes, memReserveBytes, memUtilization, configuredMaxWorkers, autoCap: resolvedAutoCap, workerCapSource } =\r\n resolveResourceConfig(config, input.configuredMaxWorkersOverride, totalMemBytes);\r\n const boxKind = resolveBoxKindFromConfig(config);\r\n const freeMemBytes = input.freeMemBytes ?? readAvailableMemBytes();\r\n // Active count is GLOBAL across all runs (see countActiveWorkersGlobal), so the\r\n // cap is a true machine-wide ceiling rather than per-run.\r\n const activeWorkers = input.activeWorkers ?? countActiveWorkersGlobal();\r\n\r\n const budgetBytes = Math.max(0, Math.floor(totalMemBytes * memUtilization) - memReserveBytes);\r\n const capacityFromTotal = Math.max(0, Math.floor(budgetBytes / perWorkerMemBytes));\r\n const capacityFromFree = Math.max(0, Math.floor(Math.max(0, freeMemBytes - memReserveBytes) / perWorkerMemBytes));\r\n\r\n const autoCap = resolvedAutoCap;\r\n const targetCap = configuredMaxWorkers ?? autoCap;\r\n const maxConcurrentWorkers = Math.max(0, Math.min(targetCap, capacityFromTotal));\r\n const slotsByCapacity = Math.max(0, maxConcurrentWorkers - activeWorkers);\r\n // capacityFromFree is ADDITIONAL headroom: free/available RAM already excludes\r\n // memory held by running workers, so we must NOT subtract activeWorkers again.\r\n // Doing so (the old `capacityFromFree - activeWorkers`) double-counted active\r\n // workers and collapsed dispatch to a handful of slots under load.\r\n const slotsByFreeMem = capacityFromFree;\r\n let slotsAvailable = Math.min(slotsByCapacity, slotsByFreeMem);\r\n\r\n const skipDisk = input.skipDiskGate || process.env.KYNVER_RESOURCE_GATE_SKIP_DISK === \"1\";\r\n const diskGate = skipDisk\r\n ? undefined\r\n : observeRunnerDiskGate({\r\n diskPath:\r\n input.diskPath?.trim() ||\r\n process.env.KYNVER_DISK_GUARD_PATH?.trim() ||\r\n \"/\",\r\n });\r\n if (diskGate && !diskGate.ok) slotsAvailable = 0;\r\n\r\n let reason: string | null = null;\r\n if (slotsAvailable <= 0) {\r\n if (diskGate && !diskGate.ok) {\r\n reason = diskGate.reason ?? \"disk gate blocked worker admission\";\r\n } else if (activeWorkers >= maxConcurrentWorkers) {\r\n reason = `at worker limit (${activeWorkers}/${maxConcurrentWorkers} running)`;\r\n } else if (capacityFromFree <= 0) {\r\n reason = \"insufficient free memory \u2014 waiting for workers to finish\";\r\n } else {\r\n reason = \"no worker slots available\";\r\n }\r\n }\r\n\r\n return {\r\n ok: slotsAvailable > 0,\r\n totalMemBytes,\r\n freeMemBytes,\r\n memReserveBytes,\r\n perWorkerMemBytes,\r\n configuredMaxWorkers,\r\n workerCapSource,\r\n boxKind,\r\n autoCap,\r\n capacityWorkers: capacityFromTotal,\r\n maxConcurrentWorkers,\r\n activeWorkers,\r\n slotsAvailable,\r\n reason,\r\n ...(diskGate ? { diskGate } : {}),\r\n };\r\n}\r\n"],
5
- "mappings": ";AAAA,OAAOA,WAAU;;;ACAjB,SAAS,cAAAC,aAAY,WAAW,gBAAAC,eAAc,qBAAqB;AACnE,SAAS,WAAAC,UAAS,gBAAgB;AAClC,OAAOC,WAAU;;;ACFjB,SAAS,YAAY,oBAAoB;AACzC,SAAS,WAAAC,gBAAe;AACxB,OAAOC,WAAU;AACjB,SAAS,qBAAqB;;;ACH9B,SAAS,iBAAiB;;;ACKnB,IAAM,4BAA4B;AAAA,EACvC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAM,oBAAoB,IAAI,IAAY,yBAAyB;;;ADF5D,SAAS,WAAW,KAAa,MAAkC;AACxE,MAAI;AACF,UAAM,MAAM,UAAU,OAAO,MAAM,EAAE,KAAK,UAAU,OAAO,CAAC;AAC5D,WAAO;AAAA,MACL,QAAQ,IAAI;AAAA,MACZ,QAAQ,IAAI,UAAU;AAAA,MACtB,QAAQ,IAAI,UAAU;AAAA,MACtB,OAAO,IAAI,QAAQ,IAAI,MAAM,UAAU;AAAA,IACzC;AAAA,EACF,SAAS,OAAO;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,OAAQ,MAAgB;AAAA,IAC1B;AAAA,EACF;AACF;;;AErDA,SAAS,eAAe;AACxB,OAAO,UAAU;AAEV,SAAS,eAAe,OAAuB;AACpD,MAAI,UAAU,IAAK,QAAO,QAAQ;AAClC,MAAI,MAAM,WAAW,IAAI,KAAK,MAAM,WAAW,KAAK,GAAG;AACrD,WAAO,KAAK,KAAK,QAAQ,GAAG,MAAM,MAAM,CAAC,CAAC;AAAA,EAC5C;AACA,SAAO;AACT;AAEO,SAAS,gBAAgB,OAAuB;AACrD,SAAO,KAAK,QAAQ,eAAe,KAAK,CAAC;AAC3C;;;AHIA,IAAM,uBAAuB;AAAA,EAC3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,SAAS,gBAAgB,UAAiC;AACxD,QAAM,UAAUC,MAAK,KAAK,UAAU,cAAc;AAClD,MAAI,CAAC,WAAW,OAAO,EAAG,QAAO;AACjC,MAAI;AACF,UAAM,MAAM,KAAK,MAAM,aAAa,SAAS,MAAM,CAAC;AACpD,WAAO,OAAO,IAAI,SAAS,WAAW,IAAI,KAAK,KAAK,IAAI;AAAA,EAC1D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,qBAAqB,UAA2B;AAC9D,SAAO,gBAAgB,QAAQ,MAAM;AACvC;AAEO,SAAS,YAAY,UAAiC;AAC3D,QAAM,gBAAgBA,MAAK,QAAQ,QAAQ;AAC3C,MAAI,CAAC,WAAW,aAAa,EAAG,QAAO;AACvC,QAAM,QAAQ,WAAW,eAAe,CAAC,aAAa,iBAAiB,CAAC;AACxE,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,QAAM,OAAO,MAAM,OAAO,KAAK;AAC/B,SAAO,KAAK,SAASA,MAAK,QAAQ,IAAI,IAAI;AAC5C;AAEA,SAAS,0BAA0B,YAAoB,YAAY,KAAoB;AACrF,MAAI,MAAMA,MAAK,QAAQ,cAAc,SAAS,CAAC;AAC/C,WAAS,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG;AACzC,UAAM,UAAUA,MAAK,KAAK,KAAK,cAAc;AAC7C,QAAI,WAAW,OAAO,GAAG;AACvB,UAAI;AACF,cAAM,MAAM,KAAK,MAAM,aAAa,SAAS,MAAM,CAAC;AACpD,YAAI,IAAI,SAAS,sBAAuB,QAAO;AAAA,MACjD,QAAQ;AAAA,MAER;AAAA,IACF;AACA,UAAM,SAASA,MAAK,QAAQ,GAAG;AAC/B,QAAI,WAAW,IAAK;AACpB,UAAM;AAAA,EACR;AACA,SAAO;AACT;AAEA,SAAS,cACP,MACA,KACA,MACA,QACM;AACN,MAAI,CAAC,KAAM;AACX,QAAM,WAAWA,MAAK,QAAQ,IAAI;AAClC,MAAI,KAAK,IAAI,QAAQ,EAAG;AACxB,MAAI,CAAC,qBAAqB,QAAQ,EAAG;AACrC,OAAK,IAAI,QAAQ;AACjB,MAAI,KAAK,EAAE,MAAM,UAAU,OAAO,CAAC;AACrC;AAEO,SAAS,8BAA8B,MAGlB;AAC1B,QAAM,MAAM,MAAM,OAAO,QAAQ,IAAI;AACrC,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,aAAsC,CAAC;AAE7C,gBAAc,MAAM,YAAY,YAAY,GAAG,GAAG,SAAS;AAE3D,QAAM,iBAAiB,0BAA0B,MAAM,oBAAoB,YAAY,GAAG;AAC1F,MAAI,gBAAgB;AAClB,kBAAc,MAAM,YAAY,YAAY,cAAc,GAAG,kBAAkB;AAAA,EACjF;AAEA,QAAM,OAAOC,SAAQ;AACrB,aAAW,OAAO,sBAAsB;AACtC,kBAAc,MAAM,YAAY,gBAAgBD,MAAK,KAAK,MAAM,GAAG,CAAC,GAAG,iBAAiB;AAAA,EAC1F;AAEA,SAAO;AACT;AAEO,SAAS,oBAAoB,MAGH;AAC/B,SAAO,8BAA8B,IAAI,EAAE,CAAC,KAAK;AACnD;;;AI/FO,IAAM,mCAAmC,KAAK,OAAO,OAAO;AAI5D,IAAM,uCAAuC,KAAK,OAAO,OAAO;;;ACXvE,IAAM,0BAA0B,KAAK,OAAO,OAAO;AACnD,IAAM,8BAA8B,KAAK,OAAO,OAAO;;;ACRvD,SAAS,WAAAE,gBAAe;AACxB,OAAOC,WAAU;AAKjB,IAAM,cAAcC,MAAK,KAAKC,SAAQ,GAAG,aAAa,SAAS;;;ACWxD,IAAM,+BAA+B,MAAM,OAAO;AAGlD,IAAM,4BAA4B,IAAI,OAAO,OAAO;;;ARkB3D,IAAM,aAAaC,MAAK,KAAKC,SAAQ,GAAG,SAAS;AACjD,IAAM,cAAcD,MAAK,KAAK,YAAY,aAAa;AACvD,IAAM,mBAAmBA,MAAK,KAAK,YAAY,aAAa;AASrD,SAAS,iBAAmC;AACjD,MAAI,CAACE,YAAW,WAAW,EAAG,QAAO,CAAC;AACtC,MAAI;AACF,WAAO,KAAK,MAAMC,cAAa,aAAa,MAAM,CAAC;AAAA,EACrD,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAoEA,IAAM,6BAA6B,MAAM,OAAO;AAChD,IAAM,0BAA0B,IAAI,OAAO,OAAO;;;ADlGlD,SAAS,qBAAqB,OAAuB;AACnD,SAAOC,MAAK,QAAQ,gBAAgB,MAAM,KAAK,CAAC,CAAC;AACnD;AAEA,SAAS,eACP,OACA,QACA,mBAC4B;AAC5B,QAAM,UAAU,OAAO,KAAK;AAC5B,MAAI,CAAC,QAAS,QAAO;AACrB,SAAO;AAAA,IACL,MAAM,qBAAqB,OAAO;AAAA,IAClC;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,mBAAmB,OAAkC,CAAC,GAA+B;AACnG,QAAM,MAAM,KAAK,OAAO,QAAQ;AAChC,QAAM,SAAS,KAAK,UAAU,eAAe;AAE7C,QAAM,aAAa,eAAe,OAAO,aAAa,UAAU,IAAI;AACpE,MAAI,WAAY,QAAO;AAEvB,QAAM,iBAAiB,eAAe,IAAI,qBAAqB,oBAAoB,KAAK;AACxF,MAAI,eAAgB,QAAO;AAE3B,QAAM,iBAAiB,eAAe,IAAI,qBAAqB,oBAAoB,KAAK;AACxF,MAAI,eAAgB,QAAO;AAE3B,QAAM,aAAa,oBAAoB;AAAA,IACrC,KAAK,KAAK;AAAA,IACV,kBAAkB,KAAK;AAAA,EACzB,CAAC;AACD,MAAI,CAAC,WAAY,QAAO;AAExB,SAAO;AAAA,IACL,MAAM,WAAW;AAAA,IACjB,QAAQ,WAAW;AAAA,IACnB,mBAAmB;AAAA,EACrB;AACF;",
3
+ "sources": ["../../src/default-repo.ts", "../../src/config.ts", "../../src/default-repo-discovery.ts", "../../src/git.ts", "../../src/util.ts", "../../src/worker-env.ts", "../../src/path-values.ts", "../../src/wsl-host.ts", "../../src/disk-gate.ts", "../../src/paths.ts", "../../src/resource-gate.ts"],
4
+ "sourcesContent": ["import path from \"node:path\";\r\nimport { loadUserConfig, saveUserConfig, type KynverUserConfig } from \"./config.js\";\r\nimport {\r\n discoverDefaultRepo,\r\n type DefaultRepoDiscoverySource,\r\n type DiscoveredDefaultRepo,\r\n} from \"./default-repo-discovery.js\";\r\nimport { displayUserPath, redactHomePath, resolveUserPath } from \"./path-values.js\";\r\n\r\nexport type DefaultRepoSource =\r\n | \"config\"\r\n | \"env_default_repo\"\r\n | \"env_harness_repo\"\r\n | DefaultRepoDiscoverySource;\r\n\r\nexport interface ResolvedDefaultRepo {\r\n repo: string;\r\n source: DefaultRepoSource;\r\n persistedInConfig: boolean;\r\n}\r\n\r\nexport interface ResolveDefaultRepoOptions {\r\n config?: KynverUserConfig;\r\n env?: NodeJS.ProcessEnv;\r\n cwd?: string;\r\n runtimeModuleUrl?: string;\r\n}\r\n\r\nfunction expandConfiguredRepo(value: string): string {\r\n return path.resolve(resolveUserPath(value.trim()));\r\n}\r\n\r\nfunction fromConfigured(\r\n value: string | undefined,\r\n source: Extract<DefaultRepoSource, \"config\" | \"env_default_repo\" | \"env_harness_repo\">,\r\n persistedInConfig: boolean,\r\n): ResolvedDefaultRepo | null {\r\n const trimmed = value?.trim();\r\n if (!trimmed) return null;\r\n return {\r\n repo: expandConfiguredRepo(trimmed),\r\n source,\r\n persistedInConfig,\r\n };\r\n}\r\n\r\nexport function resolveDefaultRepo(opts: ResolveDefaultRepoOptions = {}): ResolvedDefaultRepo | null {\r\n const env = opts.env ?? process.env;\r\n const config = opts.config ?? loadUserConfig();\r\n\r\n const fromConfig = fromConfigured(config.defaultRepo, \"config\", true);\r\n if (fromConfig) return fromConfig;\r\n\r\n const fromDefaultEnv = fromConfigured(env.KYNVER_DEFAULT_REPO, \"env_default_repo\", false);\r\n if (fromDefaultEnv) return fromDefaultEnv;\r\n\r\n const fromHarnessEnv = fromConfigured(env.KYNVER_HARNESS_REPO, \"env_harness_repo\", false);\r\n if (fromHarnessEnv) return fromHarnessEnv;\r\n\r\n const discovered = discoverDefaultRepo({\r\n cwd: opts.cwd,\r\n runtimeModuleUrl: opts.runtimeModuleUrl,\r\n });\r\n if (!discovered) return null;\r\n\r\n return {\r\n repo: discovered.repo,\r\n source: discovered.source,\r\n persistedInConfig: false,\r\n };\r\n}\r\n\r\nexport function persistDefaultRepo(repo: string, existing?: KynverUserConfig): KynverUserConfig {\r\n const config: KynverUserConfig = {\r\n ...(existing ?? loadUserConfig()),\r\n defaultRepo: redactHomePath(path.resolve(repo)),\r\n };\r\n saveUserConfig(config);\r\n return config;\r\n}\r\n\r\nexport function remediateDefaultRepo(opts?: ResolveDefaultRepoOptions): {\r\n ok: true;\r\n resolved: ResolvedDefaultRepo;\r\n config: KynverUserConfig;\r\n} | {\r\n ok: false;\r\n reason: string;\r\n} {\r\n const existing = opts?.config ?? loadUserConfig();\r\n const resolved = resolveDefaultRepo({ ...opts, config: existing });\r\n if (!resolved) {\r\n return {\r\n ok: false,\r\n reason:\r\n \"No Kynver git checkout found. Clone the repo, cd into it, then run `kynver setup --repo /path/to/Kynver` (or export KYNVER_DEFAULT_REPO).\",\r\n };\r\n }\r\n\r\n if (resolved.persistedInConfig) {\r\n return { ok: true, resolved, config: existing };\r\n }\r\n\r\n const config = persistDefaultRepo(resolved.repo, existing);\r\n return {\r\n ok: true,\r\n resolved: { ...resolved, persistedInConfig: true, source: \"config\" },\r\n config,\r\n };\r\n}\r\n\r\nexport function formatResolvedDefaultRepo(resolved: ResolvedDefaultRepo): {\r\n defaultRepo: string;\r\n source: DefaultRepoSource;\r\n persistedInConfig: boolean;\r\n} {\r\n return {\r\n defaultRepo: displayUserPath(resolved.repo),\r\n source: resolved.source,\r\n persistedInConfig: resolved.persistedInConfig,\r\n };\r\n}\r\n\r\nexport type { DiscoveredDefaultRepo };\r\n", "import { existsSync, mkdirSync, readFileSync, writeFileSync } from \"node:fs\";\r\nimport { homedir, totalmem } from \"node:os\";\r\nimport path from \"node:path\";\r\nimport { discoverDefaultRepo } from \"./default-repo-discovery.js\";\r\nimport { displayUserPath, redactHomePath } from \"./path-values.js\";\r\nimport { trimTrailingSlash } from \"./util.js\";\r\nimport { normalizeWorkerPoolBoxKind, resolveBoxIdentity } from \"./box-identity.js\";\r\nimport { recommendSetupWorkerCap } from \"./worker-cap-source.js\";\r\nimport { observeRunnerDiskGate } from \"./disk-gate.js\";\r\nimport os from \"node:os\";\r\n\r\nexport interface KynverUserConfig {\r\n apiBaseUrl?: string;\r\n agentOsSlug?: string;\r\n agentOsId?: string;\r\n defaultRepo?: string;\r\n workerProvider?: string;\r\n /** Default Claude model when dispatch does not infer or pass `--model`. */\r\n defaultModel?: string;\r\n harnessRoot?: string;\r\n /**\r\n * Operator attestation that the hosted Kynver deployment uses this scheduler provider\r\n * (set on user runners after Vercel env cutover \u2014 scheduling is deployment-owned).\r\n */\r\n deploymentSchedulerProvider?: \"qstash\" | \"kynver-cron\" | \"openclaw-cron\";\r\n /** Physical box pool for capacity snapshots (`forge` | `ghost`). Set via `kynver setup --box-kind`. */\r\n boxKind?: \"ghost\" | \"forge\";\r\n /** Max concurrent workers on this machine. Omit to auto-size from RAM. */\r\n maxConcurrentWorkers?: number;\r\n /** Where maxConcurrentWorkers came from. */\r\n maxConcurrentWorkersSource?: \"setup-auto\" | \"setup-flag\" | \"operator\";\r\n /** @internal Advanced tuning \u2014 not required for setup. */\r\n perWorkerMemBytes?: number;\r\n /** @internal Advanced tuning \u2014 not required for setup. */\r\n memReserveBytes?: number;\r\n /** @internal Advanced tuning \u2014 not required for setup. */\r\n memUtilization?: number;\r\n}\r\n\r\nconst CONFIG_DIR = path.join(homedir(), \".kynver\");\r\nconst CONFIG_FILE = path.join(CONFIG_DIR, \"config.json\");\r\nconst CREDENTIALS_FILE = path.join(CONFIG_DIR, \"credentials\");\r\n\r\ninterface KynverCredentialsFile {\r\n apiKey?: string;\r\n /** Scoped `krc1.*` runner token for AgentOS by-id callbacks. */\r\n runnerToken?: string;\r\n runnerTokenAgentOsId?: string;\r\n}\r\n\r\nexport function loadUserConfig(): KynverUserConfig {\r\n if (!existsSync(CONFIG_FILE)) return {};\r\n try {\r\n return JSON.parse(readFileSync(CONFIG_FILE, \"utf8\")) as KynverUserConfig;\r\n } catch {\r\n return {};\r\n }\r\n}\r\n\r\nexport function saveUserConfig(config: KynverUserConfig): void {\r\n mkdirSync(CONFIG_DIR, { recursive: true });\r\n writeFileSync(CONFIG_FILE, `${JSON.stringify(normalizeConfigPaths(config), null, 2)}\\n`, { mode: 0o600 });\r\n}\r\n\r\n/** Persist path fields with `~` instead of absolute home directories. */\r\nexport function normalizeConfigPaths(config: KynverUserConfig): KynverUserConfig {\r\n return {\r\n ...config,\r\n ...(config.harnessRoot?.trim() ? { harnessRoot: redactHomePath(config.harnessRoot.trim()) } : {}),\r\n ...(config.defaultRepo?.trim() ? { defaultRepo: redactHomePath(config.defaultRepo.trim()) } : {}),\r\n };\r\n}\r\n\r\n/** Values for setup output (never emit `/home/<user>/\u2026`). */\r\nexport function presentUserConfig(config: KynverUserConfig): KynverUserConfig {\r\n return normalizeConfigPaths(config);\r\n}\r\n\r\nfunction inferSetupFields(\r\n existing: KynverUserConfig,\r\n args: Record<string, string | boolean>,\r\n): Partial<KynverUserConfig> {\r\n const creds = loadCredentialsFile();\r\n const apiBaseUrl =\r\n (typeof args.apiBaseUrl === \"string\" ? args.apiBaseUrl : undefined) ||\r\n existing.apiBaseUrl?.trim() ||\r\n process.env.KYNVER_API_URL?.trim() ||\r\n process.env.KYNVER_CRON_FIRE_BASE_URL?.trim() ||\r\n process.env.OPENCLAW_CRON_FIRE_BASE_URL?.trim();\r\n const agentOsId =\r\n (typeof args.agentOsId === \"string\" ? args.agentOsId : undefined) ||\r\n existing.agentOsId?.trim() ||\r\n process.env.KYNVER_AGENT_OS_ID?.trim() ||\r\n (creds.runnerToken?.trim().startsWith(\"krc1.\") ? creds.runnerTokenAgentOsId?.trim() : undefined);\r\n const explicitRepo =\r\n typeof args.repo === \"string\"\r\n ? args.repo\r\n : args.discoverRepo === true || args.discoverRepo === \"true\"\r\n ? discoverDefaultRepo()?.repo\r\n : undefined;\r\n const defaultRepo =\r\n explicitRepo ||\r\n existing.defaultRepo?.trim() ||\r\n process.env.KYNVER_DEFAULT_REPO?.trim() ||\r\n process.env.KYNVER_HARNESS_REPO?.trim() ||\r\n discoverDefaultRepo()?.repo;\r\n const harnessRoot =\r\n (typeof args.harnessRoot === \"string\" ? args.harnessRoot : undefined) ||\r\n existing.harnessRoot?.trim() ||\r\n process.env.KYNVER_HARNESS_ROOT?.trim() ||\r\n process.env.OPUS_HARNESS_ROOT?.trim();\r\n\r\n return {\r\n ...(apiBaseUrl ? { apiBaseUrl: trimTrailingSlash(apiBaseUrl) } : {}),\r\n ...(agentOsId ? { agentOsId } : {}),\r\n ...(defaultRepo ? { defaultRepo } : {}),\r\n ...(harnessRoot ? { harnessRoot } : {}),\r\n ...(typeof args.agentOsSlug === \"string\"\r\n ? { agentOsSlug: args.agentOsSlug }\r\n : existing.agentOsSlug\r\n ? { agentOsSlug: existing.agentOsSlug }\r\n : {}),\r\n };\r\n}\r\n\r\nconst SETUP_PER_WORKER_MEM_BYTES = 500 * 1024 * 1024;\r\nconst SETUP_MEM_RESERVE_BYTES = 4 * 1024 * 1024 * 1024;\r\nconst SETUP_MEM_UTILIZATION = 0.85;\r\nconst SETUP_AUTO_MAX_WORKERS_CEILING = 64;\r\n\r\nfunction normalizeBoxKind(raw: unknown): \"ghost\" | \"forge\" | undefined {\r\n const kind = String(raw ?? \"\").trim().toLowerCase();\r\n if (!kind) return undefined;\r\n if (kind === \"ghost\" || kind.includes(\"ghost\") || kind.includes(\"openclaw\")) return \"ghost\";\r\n if (kind === \"forge\" || kind.includes(\"forge\")) return \"forge\";\r\n return undefined;\r\n}\r\n\r\nexport function computeSetupAutoMaxWorkers(totalMemBytes: number): number {\r\n const budgetBytes = Math.max(0, Math.floor(totalMemBytes * SETUP_MEM_UTILIZATION) - SETUP_MEM_RESERVE_BYTES);\r\n const raw = Math.max(1, Math.floor(budgetBytes / SETUP_PER_WORKER_MEM_BYTES));\r\n return Math.min(raw, SETUP_AUTO_MAX_WORKERS_CEILING);\r\n}\r\n\r\nexport function resolveSetupWorkerConfig(\r\n existing: KynverUserConfig,\r\n args: Record<string, string | boolean>,\r\n totalMemBytes = totalmem(),\r\n): Pick<KynverUserConfig, \"maxConcurrentWorkers\" | \"maxConcurrentWorkersSource\" | \"boxKind\"> {\r\n const maxWorkersRaw =\r\n typeof args.maxWorkers === \"string\"\r\n ? args.maxWorkers\r\n : typeof args.maxConcurrentWorkers === \"string\"\r\n ? args.maxConcurrentWorkers\r\n : undefined;\r\n const explicitBoxKindArg =\r\n typeof args.boxKind === \"string\"\r\n ? args.boxKind\r\n : typeof args[\"box-kind\"] === \"string\"\r\n ? String(args[\"box-kind\"])\r\n : undefined;\r\n const boxKind = resolveBoxIdentity(process.env, {\r\n ...existing,\r\n ...(explicitBoxKindArg ? { boxKind: normalizeWorkerPoolBoxKind(explicitBoxKindArg) } : {}),\r\n }).boxKind;\r\n const diskGate = observeRunnerDiskGate({\r\n diskPath: typeof args.diskPath === \"string\" ? args.diskPath : \"/\",\r\n });\r\n const capRecommendation = recommendSetupWorkerCap({\r\n totalMemBytes,\r\n diskPath: diskGate.path,\r\n diskGateOk: diskGate.ok,\r\n diskFreeBytes: diskGate.freeBytes,\r\n config: existing,\r\n });\r\n if (maxWorkersRaw) {\r\n return {\r\n maxConcurrentWorkers: Math.max(1, Math.floor(Number(maxWorkersRaw))),\r\n maxConcurrentWorkersSource: \"setup-flag\",\r\n boxKind,\r\n };\r\n }\r\n if (existing.maxConcurrentWorkers !== undefined && existing.maxConcurrentWorkers !== null) {\r\n return {\r\n maxConcurrentWorkers: Math.max(1, Math.floor(Number(existing.maxConcurrentWorkers))),\r\n maxConcurrentWorkersSource: existing.maxConcurrentWorkersSource ?? \"operator\",\r\n boxKind,\r\n };\r\n }\r\n return {\r\n maxConcurrentWorkers: capRecommendation.recommendedMaxWorkers,\r\n maxConcurrentWorkersSource: \"setup-auto\",\r\n boxKind,\r\n };\r\n}\r\n\r\nfunction loadCredentialsFile(): KynverCredentialsFile {\r\n if (!existsSync(CREDENTIALS_FILE)) return {};\r\n try {\r\n return JSON.parse(readFileSync(CREDENTIALS_FILE, \"utf8\")) as KynverCredentialsFile;\r\n } catch {\r\n return {};\r\n }\r\n}\r\n\r\nfunction saveCredentialsFile(parsed: KynverCredentialsFile): void {\r\n mkdirSync(CONFIG_DIR, { recursive: true });\r\n writeFileSync(CREDENTIALS_FILE, `${JSON.stringify(parsed, null, 2)}\\n`, { mode: 0o600 });\r\n}\r\n\r\nexport function loadApiKey(): string | undefined {\r\n if (process.env.KYNVER_API_KEY) return process.env.KYNVER_API_KEY;\r\n return loadCredentialsFile().apiKey;\r\n}\r\n\r\nexport function saveApiKey(apiKey: string): void {\r\n saveCredentialsFile({ ...loadCredentialsFile(), apiKey });\r\n}\r\n\r\nexport function loadRunnerToken(agentOsId?: string): string | undefined {\r\n const envToken = process.env.KYNVER_RUNNER_TOKEN?.trim();\r\n if (envToken) return envToken;\r\n\r\n const creds = loadCredentialsFile();\r\n if (!creds.runnerToken) return undefined;\r\n if (agentOsId && creds.runnerTokenAgentOsId && creds.runnerTokenAgentOsId !== agentOsId) {\r\n return undefined;\r\n }\r\n return creds.runnerToken;\r\n}\r\n\r\nexport function saveRunnerToken(agentOsId: string, token: string): void {\r\n saveCredentialsFile({\r\n ...loadCredentialsFile(),\r\n runnerToken: token,\r\n runnerTokenAgentOsId: agentOsId,\r\n });\r\n}\r\n\r\nexport function resolveBaseUrl(argsBaseUrl?: string): string {\r\n const baseUrl = resolveConfiguredBaseUrl(argsBaseUrl);\r\n if (!baseUrl) failConfig(\"requires --base-url, KYNVER_API_URL, KYNVER_CRON_FIRE_BASE_URL, or ~/.kynver/config.json apiBaseUrl\");\r\n return baseUrl;\r\n}\r\n\r\nfunction resolveConfiguredBaseUrl(argsBaseUrl?: string): string | undefined {\r\n const baseUrl =\r\n argsBaseUrl ||\r\n process.env.KYNVER_API_URL ||\r\n process.env.KYNVER_CRON_FIRE_BASE_URL ||\r\n process.env.OPENCLAW_CRON_FIRE_BASE_URL ||\r\n loadUserConfig().apiBaseUrl;\r\n return baseUrl ? trimTrailingSlash(String(baseUrl)) : undefined;\r\n}\r\n\r\nfunction resolveConfiguredCallbackSecret(argsSecret?: string, agentOsId?: string): string | undefined {\r\n const scoped =\r\n argsSecret ||\r\n loadRunnerToken(agentOsId) ||\r\n (agentOsId ? undefined : loadRunnerToken(loadUserConfig().agentOsId));\r\n if (scoped) return String(scoped);\r\n\r\n const globalSecret =\r\n process.env.KYNVER_RUNTIME_SECRET ||\r\n process.env.KYNVER_CRON_SECRET ||\r\n process.env.OPENCLAW_CRON_SECRET;\r\n if (globalSecret) {\r\n console.warn(\r\n \"[kynver] using deployment-level callback secret; run `kynver runner credential --agent-os-id <id>` for a scoped token\",\r\n );\r\n return String(globalSecret);\r\n }\r\n\r\n return undefined;\r\n}\r\n\r\nexport function resolveCallbackSecret(argsSecret?: string, agentOsId?: string): string {\r\n const configured = resolveConfiguredCallbackSecret(argsSecret, agentOsId);\r\n if (configured) return configured;\r\n\r\n failConfig(\r\n \"requires --secret, KYNVER_RUNNER_TOKEN, a scoped runner token (`kynver runner credential`), ~/.kynver/credentials runnerToken, KYNVER_API_KEY with an API base URL to mint one, or (legacy) KYNVER_RUNTIME_SECRET / KYNVER_CRON_SECRET / OPENCLAW_CRON_SECRET\",\r\n );\r\n}\r\n\r\nexport async function resolveCallbackSecretWithMint(\r\n argsSecret?: string,\r\n agentOsId?: string,\r\n opts?: { baseUrl?: string },\r\n): Promise<string> {\r\n const configured = resolveConfiguredCallbackSecret(argsSecret, agentOsId);\r\n if (configured) return configured;\r\n\r\n const apiKey = loadApiKey();\r\n const baseUrl = resolveConfiguredBaseUrl(opts?.baseUrl);\r\n if (apiKey && agentOsId && baseUrl) {\r\n try {\r\n const token = await fetchRunnerCredential(agentOsId, { baseUrl, apiKey });\r\n saveRunnerToken(agentOsId, token);\r\n return token;\r\n } catch (error) {\r\n failConfig(`runner credential mint failed: ${(error as Error).message}`);\r\n }\r\n }\r\n\r\n failConfig(\r\n \"requires --secret, KYNVER_RUNNER_TOKEN, a scoped runner token (`kynver runner credential`), ~/.kynver/credentials runnerToken, KYNVER_API_KEY with an API base URL to mint one, or (legacy) KYNVER_RUNTIME_SECRET / KYNVER_CRON_SECRET / OPENCLAW_CRON_SECRET\",\r\n );\r\n}\r\n\r\n/**\r\n * Force-mint a fresh scoped runner token for `agentOsId`, bypassing any cached\r\n * or env token. Recovery path for a callback that 401s because the configured\r\n * token is revoked, expired, or scoped to a *different* workspace (the\r\n * self-linked repair case). Requires an API key + base URL to mint; returns\r\n * `null` when a fresh token cannot be obtained, so the caller degrades to a\r\n * structural blocker instead of papering the worker over as done.\r\n */\r\nexport async function refreshRunnerToken(\r\n agentOsId: string,\r\n opts?: { baseUrl?: string },\r\n): Promise<string | null> {\r\n const apiKey = loadApiKey();\r\n const baseUrl = resolveConfiguredBaseUrl(opts?.baseUrl);\r\n if (!apiKey || !agentOsId || !baseUrl) return null;\r\n try {\r\n const token = await fetchRunnerCredential(agentOsId, { baseUrl, apiKey });\r\n saveRunnerToken(agentOsId, token);\r\n return token;\r\n } catch {\r\n return null;\r\n }\r\n}\r\n\r\nexport async function refreshRunnerTokenForAuthFailure(\r\n rejectedSecret: string,\r\n agentOsId: string,\r\n opts?: { baseUrl?: string },\r\n): Promise<{ ok: true; token: string } | { ok: false; reason: string }> {\r\n const apiKey = loadApiKey();\r\n const baseUrl = resolveConfiguredBaseUrl(opts?.baseUrl);\r\n if (!apiKey) return { ok: false, reason: \"KYNVER_API_KEY is required to refresh a rejected runner token\" };\r\n if (!agentOsId) return { ok: false, reason: \"agentOsId is required to refresh a rejected runner token\" };\r\n if (!baseUrl) return { ok: false, reason: \"KYNVER_API_URL or --base-url is required to refresh a rejected runner token\" };\r\n\r\n try {\r\n const token = await fetchRunnerCredential(agentOsId, { baseUrl, apiKey });\r\n if (token && token !== rejectedSecret) {\r\n saveRunnerToken(agentOsId, token);\r\n return { ok: true, token };\r\n }\r\n return { ok: false, reason: \"runner credential refresh returned the rejected token\" };\r\n } catch (error) {\r\n return { ok: false, reason: (error as Error).message };\r\n }\r\n}\r\n\r\nexport async function fetchRunnerCredential(\r\n agentOsId: string,\r\n opts?: { baseUrl?: string; apiKey?: string },\r\n): Promise<string> {\r\n const apiKey = opts?.apiKey || loadApiKey();\r\n if (!apiKey) throw new Error(\"API key required \u2014 run `kynver login` first\");\r\n\r\n const base = resolveBaseUrl(opts?.baseUrl);\r\n const url = `${base}/api/agent-os/by-id/${encodeURIComponent(agentOsId)}/runner-credentials`;\r\n const res = await fetch(url, {\r\n method: \"POST\",\r\n headers: {\r\n \"Content-Type\": \"application/json\",\r\n Authorization: `Bearer ${apiKey}`,\r\n },\r\n body: JSON.stringify({}),\r\n });\r\n\r\n const text = await res.text();\r\n let parsed: { token?: string; error?: string } | null = null;\r\n try {\r\n parsed = JSON.parse(text) as { token?: string; error?: string };\r\n } catch {\r\n parsed = null;\r\n }\r\n if (!res.ok || !parsed?.token) {\r\n throw new Error(\r\n `runner credential mint failed (${res.status}): ${parsed?.error ?? text.slice(0, 200)}`,\r\n );\r\n }\r\n return parsed.token;\r\n}\r\n\r\nexport async function mintRunnerCredential(args: Record<string, string | boolean>): Promise<void> {\r\n const agentOsId =\r\n (args.agentOsId ? String(args.agentOsId) : loadUserConfig().agentOsId) || \"\";\r\n if (!agentOsId) failConfig(\"runner credential requires --agent-os-id or agentOsId in ~/.kynver/config.json\");\r\n\r\n try {\r\n const token = await fetchRunnerCredential(agentOsId, {\r\n baseUrl: args.baseUrl ? String(args.baseUrl) : undefined,\r\n });\r\n saveRunnerToken(agentOsId, token);\r\n console.log(\r\n JSON.stringify(\r\n {\r\n ok: true,\r\n agentOsId,\r\n credentialsPath: displayUserPath(CREDENTIALS_FILE),\r\n tokenPrefix: `${token.slice(0, 12)}\u2026`,\r\n note: \"Scoped runner token saved; callbacks use X-Kynver-Runner-Token.\",\r\n },\r\n null,\r\n 2,\r\n ),\r\n );\r\n } catch (err) {\r\n console.error(err instanceof Error ? err.message : String(err));\r\n process.exit(1);\r\n }\r\n}\r\n\r\nfunction failConfig(message: string): never {\r\n console.error(message);\r\n process.exit(1);\r\n}\r\n\r\nexport function parseArgs(argv: string[]): Record<string, string | boolean> {\r\n const args: Record<string, string | boolean> = {};\r\n for (let i = 0; i < argv.length; i++) {\r\n const item = argv[i];\r\n if (!item.startsWith(\"--\")) continue;\r\n const key = item.slice(2).replace(/-([a-z])/g, (_, c: string) => c.toUpperCase());\r\n const next = argv[i + 1];\r\n if (!next || next.startsWith(\"--\")) args[key] = true;\r\n else {\r\n args[key] = next;\r\n i++;\r\n }\r\n }\r\n return args;\r\n}\r\n\r\nexport async function runSetup(args: Record<string, string | boolean>): Promise<void> {\r\n const existing = loadUserConfig();\r\n const diskGate = observeRunnerDiskGate({\r\n diskPath: typeof args.diskPath === \"string\" ? args.diskPath : \"/\",\r\n });\r\n const capRecommendation = recommendSetupWorkerCap({\r\n totalMemBytes: os.totalmem(),\r\n diskPath: diskGate.path,\r\n diskGateOk: diskGate.ok,\r\n diskFreeBytes: diskGate.freeBytes,\r\n config: existing,\r\n });\r\n const workerConfig = resolveSetupWorkerConfig(existing, args);\r\n const config: KynverUserConfig = normalizeConfigPaths({\r\n ...existing,\r\n ...inferSetupFields(existing, args),\r\n ...workerConfig,\r\n workerProvider:\r\n typeof args.provider === \"string\"\r\n ? args.provider\r\n : existing.workerProvider || \"cursor\",\r\n });\r\n saveUserConfig(config);\r\n const boxIdentity = resolveBoxIdentity(process.env, config);\r\n\r\n let runnerCredentialNote: string | undefined;\r\n const apiKey = loadApiKey();\r\n const agentOsId = config.agentOsId;\r\n if (apiKey && agentOsId) {\r\n try {\r\n const token = await fetchRunnerCredential(agentOsId, {\r\n baseUrl: typeof args.apiBaseUrl === \"string\" ? args.apiBaseUrl : config.apiBaseUrl,\r\n apiKey,\r\n });\r\n saveRunnerToken(agentOsId, token);\r\n runnerCredentialNote = \"Scoped runner token minted and saved to ~/.kynver/credentials.\";\r\n } catch {\r\n runnerCredentialNote =\r\n \"Runner token not minted (server offline or master secret unset). Run `kynver runner credential` after deploy.\";\r\n }\r\n }\r\n\r\n console.log(\r\n JSON.stringify(\r\n {\r\n ok: true,\r\n configPath: displayUserPath(CONFIG_FILE),\r\n config: presentUserConfig(config),\r\n boxKind: config.boxKind,\r\n boxKindSource: boxIdentity.source,\r\n workerCapRecommendation: capRecommendation,\r\n ...(boxIdentity.warnings.length ? { boxIdentityWarnings: boxIdentity.warnings } : {}),\r\n note:\r\n runnerCredentialNote ??\r\n \"boxKind and maxConcurrentWorkers persisted; override with --box-kind and --max-workers. Run `kynver login` + `kynver runner credential` for scoped callbacks.\",\r\n },\r\n null,\r\n 2,\r\n ),\r\n );\r\n}\r\n\r\nexport async function runLogin(args: Record<string, string | boolean>): Promise<void> {\r\n const apiKey = typeof args.apiKey === \"string\" ? args.apiKey : process.env.KYNVER_API_KEY;\r\n if (!apiKey) failConfig(\"kynver login requires --api-key or KYNVER_API_KEY\");\r\n saveApiKey(apiKey);\r\n console.log(JSON.stringify({ ok: true, credentialsPath: displayUserPath(CREDENTIALS_FILE) }, null, 2));\r\n}\r\n", "import { existsSync, readFileSync } from \"node:fs\";\r\nimport { homedir } from \"node:os\";\r\nimport path from \"node:path\";\r\nimport { fileURLToPath } from \"node:url\";\r\nimport { gitCapture } from \"./git.js\";\r\nimport { resolveUserPath } from \"./path-values.js\";\r\n\r\nexport type DefaultRepoDiscoverySource =\r\n | \"cwd_git\"\r\n | \"runtime_checkout\"\r\n | \"well_known_path\";\r\n\r\nexport interface DiscoveredDefaultRepo {\r\n repo: string;\r\n source: DefaultRepoDiscoverySource;\r\n}\r\n\r\nconst WELL_KNOWN_REPO_DIRS = [\r\n \"Kynver\",\r\n \"repos/Kynver\",\r\n \"repos/kynver-source-main\",\r\n \"code/Kynver\",\r\n \"projects/Kynver\",\r\n] as const;\r\n\r\nfunction readPackageName(repoRoot: string): string | null {\r\n const pkgPath = path.join(repoRoot, \"package.json\");\r\n if (!existsSync(pkgPath)) return null;\r\n try {\r\n const pkg = JSON.parse(readFileSync(pkgPath, \"utf8\")) as { name?: string };\r\n return typeof pkg.name === \"string\" ? pkg.name.trim() : null;\r\n } catch {\r\n return null;\r\n }\r\n}\r\n\r\nexport function isKynverMonorepoRoot(repoRoot: string): boolean {\r\n return readPackageName(repoRoot) === \"kynver\";\r\n}\r\n\r\nexport function gitRepoRoot(startDir: string): string | null {\r\n const resolvedStart = path.resolve(startDir);\r\n if (!existsSync(resolvedStart)) return null;\r\n const probe = gitCapture(resolvedStart, [\"rev-parse\", \"--show-toplevel\"]);\r\n if (probe.status !== 0) return null;\r\n const root = probe.stdout.trim();\r\n return root.length ? path.resolve(root) : null;\r\n}\r\n\r\nfunction resolveRuntimePackageRoot(moduleUrl: string = import.meta.url): string | null {\r\n let dir = path.dirname(fileURLToPath(moduleUrl));\r\n for (let depth = 0; depth < 8; depth += 1) {\r\n const pkgPath = path.join(dir, \"package.json\");\r\n if (existsSync(pkgPath)) {\r\n try {\r\n const pkg = JSON.parse(readFileSync(pkgPath, \"utf8\")) as { name?: string };\r\n if (pkg.name === \"@kynver-app/runtime\") return dir;\r\n } catch {\r\n // continue walking\r\n }\r\n }\r\n const parent = path.dirname(dir);\r\n if (parent === dir) break;\r\n dir = parent;\r\n }\r\n return null;\r\n}\r\n\r\nfunction pushCandidate(\r\n seen: Set<string>,\r\n out: DiscoveredDefaultRepo[],\r\n repo: string | null,\r\n source: DefaultRepoDiscoverySource,\r\n): void {\r\n if (!repo) return;\r\n const resolved = path.resolve(repo);\r\n if (seen.has(resolved)) return;\r\n if (!isKynverMonorepoRoot(resolved)) return;\r\n seen.add(resolved);\r\n out.push({ repo: resolved, source });\r\n}\r\n\r\nexport function discoverDefaultRepoCandidates(opts?: {\r\n cwd?: string;\r\n runtimeModuleUrl?: string;\r\n}): DiscoveredDefaultRepo[] {\r\n const cwd = opts?.cwd ?? process.cwd();\r\n const seen = new Set<string>();\r\n const candidates: DiscoveredDefaultRepo[] = [];\r\n\r\n pushCandidate(seen, candidates, gitRepoRoot(cwd), \"cwd_git\");\r\n\r\n const runtimePkgRoot = resolveRuntimePackageRoot(opts?.runtimeModuleUrl ?? import.meta.url);\r\n if (runtimePkgRoot) {\r\n pushCandidate(seen, candidates, gitRepoRoot(runtimePkgRoot), \"runtime_checkout\");\r\n }\r\n\r\n const home = homedir();\r\n for (const rel of WELL_KNOWN_REPO_DIRS) {\r\n pushCandidate(seen, candidates, resolveUserPath(path.join(home, rel)), \"well_known_path\");\r\n }\r\n\r\n return candidates;\r\n}\r\n\r\nexport function discoverDefaultRepo(opts?: {\r\n cwd?: string;\r\n runtimeModuleUrl?: string;\r\n}): DiscoveredDefaultRepo | null {\r\n return discoverDefaultRepoCandidates(opts)[0] ?? null;\r\n}\r\n", "import { spawnSync } from \"node:child_process\";\r\nimport { fail, hiddenSpawnOptions } from \"./util.js\";\r\n\r\nexport interface GitOptions {\r\n allowFailure?: boolean;\r\n throwError?: boolean;\r\n}\r\n\r\nexport function git(cwd: string, args: string[], options: GitOptions = {}): string {\r\n const res = spawnSync(\r\n \"git\",\r\n args,\r\n hiddenSpawnOptions({ cwd, encoding: \"utf8\" as const }),\r\n );\r\n if (res.status !== 0 && !options.allowFailure) {\r\n const message = `git ${args.join(\" \")} failed: ${res.stderr || res.stdout}`;\r\n if (options.throwError) throw new Error(message);\r\n fail(message);\r\n }\r\n return res.stdout || \"\";\r\n}\r\n\r\nexport function ensureGitRepo(repo: string): void {\r\n git(repo, [\"rev-parse\", \"--show-toplevel\"]);\r\n}\r\n\r\nexport function gitStatusShort(worktreePath: string): string[] {\r\n return git(worktreePath, [\"status\", \"--short\"], { allowFailure: true })\r\n .split(\"\\n\")\r\n .map((line) => line.trim())\r\n .filter(Boolean);\r\n}\r\n\r\nexport interface GitCaptureResult {\r\n status: number | null;\r\n stdout: string;\r\n stderr: string;\r\n error: string | null;\r\n}\r\n\r\nexport function gitCapture(cwd: string, args: string[]): GitCaptureResult {\r\n try {\r\n const res = spawnSync(\r\n \"git\",\r\n args,\r\n hiddenSpawnOptions({ cwd, encoding: \"utf8\" as const }),\r\n );\r\n return {\r\n status: res.status,\r\n stdout: res.stdout || \"\",\r\n stderr: res.stderr || \"\",\r\n error: res.error ? res.error.message : null,\r\n };\r\n } catch (error) {\r\n return {\r\n status: null,\r\n stdout: \"\",\r\n stderr: \"\",\r\n error: (error as Error).message,\r\n };\r\n }\r\n}\r\n\r\nexport function gitIsAncestor(\r\n cwd: string,\r\n ancestor: string,\r\n descendant: string,\r\n): { isAncestor: boolean | null; error: string | null } {\r\n const res = gitCapture(cwd, [\"merge-base\", \"--is-ancestor\", ancestor, descendant]);\r\n if (res.status === 0) return { isAncestor: true, error: null };\r\n if (res.status === 1) return { isAncestor: false, error: null };\r\n return { isAncestor: null, error: res.error || res.stderr || res.stdout || `git exited ${res.status}` };\r\n}\r\n\r\nexport type GitAncestryRelation = \"synced\" | \"merged\" | \"ahead\" | \"diverged\" | \"unknown\";\r\n\r\nexport interface GitAncestry {\r\n checked: boolean;\r\n base: string;\r\n head: string | null;\r\n baseHead: string | null;\r\n baseIsAncestorOfHead: boolean | null;\r\n headIsAncestorOfBase: boolean | null;\r\n relation: GitAncestryRelation;\r\n error?: string;\r\n}\r\n\r\nexport interface GitAncestryOptions {\r\n /** Branch or ref name (e.g. origin/main). Used when baseCommit is unset. */\r\n base?: string;\r\n /** Pinned SHA the worktree was created from \u2014 preferred over a moving branch ref. */\r\n baseCommit?: string;\r\n}\r\n\r\nexport function computeGitAncestry(worktreePath: string, baseOrOptions: string | GitAncestryOptions = \"origin/main\"): GitAncestry {\r\n const options: GitAncestryOptions =\r\n typeof baseOrOptions === \"string\" ? { base: baseOrOptions } : baseOrOptions;\r\n const baseLabel = options.baseCommit?.trim() || options.base?.trim() || \"origin/main\";\r\n const pinnedBaseCommit = options.baseCommit?.trim() || null;\r\n\r\n if (!worktreePath) {\r\n return unknownAncestry(baseLabel, \"missing worktree path\");\r\n }\r\n\r\n const head = gitCapture(worktreePath, [\"rev-parse\", \"HEAD\"]);\r\n if (head.status !== 0) {\r\n return unknownAncestry(baseLabel, head.error || head.stderr || head.stdout || \"failed to resolve HEAD\");\r\n }\r\n\r\n let baseSha: string;\r\n if (pinnedBaseCommit) {\r\n baseSha = pinnedBaseCommit;\r\n } else {\r\n const baseHead = gitCapture(worktreePath, [\"rev-parse\", baseLabel]);\r\n if (baseHead.status !== 0) {\r\n return unknownAncestry(\r\n baseLabel,\r\n baseHead.error || baseHead.stderr || baseHead.stdout || `failed to resolve ${baseLabel}`,\r\n head.stdout.trim(),\r\n );\r\n }\r\n baseSha = baseHead.stdout.trim();\r\n }\r\n\r\n const headSha = head.stdout.trim();\r\n if (headSha === baseSha) {\r\n return {\r\n checked: true,\r\n base: baseLabel,\r\n head: headSha,\r\n baseHead: baseSha,\r\n baseIsAncestorOfHead: true,\r\n headIsAncestorOfBase: true,\r\n relation: \"synced\",\r\n };\r\n }\r\n\r\n const baseIsAncestorOfHead = gitIsAncestor(worktreePath, baseSha, headSha);\r\n const headIsAncestorOfBase = gitIsAncestor(worktreePath, headSha, baseSha);\r\n const error = baseIsAncestorOfHead.error || headIsAncestorOfBase.error || undefined;\r\n if (baseIsAncestorOfHead.isAncestor == null || headIsAncestorOfBase.isAncestor == null) {\r\n return {\r\n checked: false,\r\n base: baseLabel,\r\n head: headSha,\r\n baseHead: baseSha,\r\n baseIsAncestorOfHead: baseIsAncestorOfHead.isAncestor,\r\n headIsAncestorOfBase: headIsAncestorOfBase.isAncestor,\r\n relation: \"unknown\",\r\n ...(error ? { error } : {}),\r\n };\r\n }\r\n\r\n const relation: GitAncestryRelation = baseIsAncestorOfHead.isAncestor\r\n ? \"ahead\"\r\n : headIsAncestorOfBase.isAncestor\r\n ? \"merged\"\r\n : \"diverged\";\r\n\r\n return {\r\n checked: true,\r\n base: baseLabel,\r\n head: headSha,\r\n baseHead: baseSha,\r\n baseIsAncestorOfHead: baseIsAncestorOfHead.isAncestor,\r\n headIsAncestorOfBase: headIsAncestorOfBase.isAncestor,\r\n relation,\r\n ...(error ? { error } : {}),\r\n };\r\n}\r\n\r\nfunction unknownAncestry(base: string, error: string, head: string | null = null): GitAncestry {\r\n return {\r\n checked: false,\r\n base,\r\n head,\r\n baseHead: null,\r\n baseIsAncestorOfHead: null,\r\n headIsAncestorOfBase: null,\r\n relation: \"unknown\",\r\n error,\r\n };\r\n}\r\n\r\nexport { scrubClaudeEnv, scrubWorkerEnv } from \"./worker-env.js\";\r\n", "import { existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from \"node:fs\";\r\nimport path from \"node:path\";\r\n\r\nexport function fail(message: string): never {\r\n console.error(message);\r\n process.exit(1);\r\n}\r\n\r\n/** Avoid flashing a visible console on Windows when spawning worker/sidecar children. */\r\nexport function hiddenSpawnOptions<T extends Record<string, unknown>>(opts: T): T {\r\n if (process.platform !== \"win32\") return opts;\r\n return { windowsHide: true, ...opts };\r\n}\r\n\r\nexport function required(value: string | undefined, name: string): string {\r\n if (!value) fail(`missing ${name}`);\r\n return value;\r\n}\r\n\r\nexport function safeJson(line: string): unknown {\r\n try {\r\n return JSON.parse(line);\r\n } catch {\r\n return null;\r\n }\r\n}\r\n\r\nexport function readJson<T>(file: string, fallback?: T): T {\r\n try {\r\n return JSON.parse(readFileSync(file, \"utf8\")) as T;\r\n } catch (error) {\r\n if (arguments.length > 1) return fallback as T;\r\n fail(`failed to read ${file}: ${(error as Error).message}`);\r\n }\r\n}\r\n\r\nexport function writeJson(file: string, value: unknown): void {\r\n mkdirSync(path.dirname(file), { recursive: true });\r\n writeFileSync(file, `${JSON.stringify(value, null, 2)}\\n`);\r\n}\r\n\r\nexport function safeSlug(value: string | undefined): string {\r\n return (\r\n String(value || \"\")\r\n .toLowerCase()\r\n .replace(/[^a-z0-9._-]+/g, \"-\")\r\n .replace(/^-+|-+$/g, \"\") || \"worker\"\r\n );\r\n}\r\n\r\nexport function timestampSlug(name: string): string {\r\n return safeSlug(`${new Date().toISOString().replace(/[-:]/g, \"\").replace(/\\..+/, \"Z\")}-${name}`);\r\n}\r\n\r\nexport function splitCsv(value: string | undefined): string[] {\r\n return value ? String(value).split(\",\").map((item) => item.trim()).filter(Boolean) : [];\r\n}\r\n\r\nexport function trimTrailingSlash(url: string): string {\r\n return String(url).replace(/\\/+$/, \"\");\r\n}\r\n\r\nexport function oneLine(value: string): string {\r\n return String(value || \"\")\r\n .replace(/\\s+/g, \" \")\r\n .trim();\r\n}\r\n\r\nexport function fileSize(file: string): number {\r\n try {\r\n return statSync(file).size;\r\n } catch {\r\n return 0;\r\n }\r\n}\r\n\r\nexport function fileMtime(file: string): string | null {\r\n try {\r\n return statSync(file).mtime.toISOString();\r\n } catch {\r\n return null;\r\n }\r\n}\r\n\r\nexport function tailFile(file: string, lines: number): string {\r\n if (!existsSync(file)) return \"\";\r\n const data = readFileSync(file, \"utf8\");\r\n return data.split(\"\\n\").slice(-lines).join(\"\\n\");\r\n}\r\n\r\nexport function readMaybeFile(file: string | undefined): string {\r\n return file ? readFileSync(path.resolve(file), \"utf8\") : \"\";\r\n}\r\n\r\nexport function listRunIds(runsDir: string): string[] {\r\n if (!existsSync(runsDir)) return [];\r\n return readdirSync(runsDir, { withFileTypes: true })\r\n .filter((entry) => entry.isDirectory())\r\n .map((entry) => entry.name);\r\n}\r\n\r\nexport function sleepMs(ms: number): void {\r\n Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);\r\n}\r\n\r\n/** Non-blocking sleep for async loops (daemon backoff, interruptible shutdown). */\r\nexport function sleepMsAsync(ms: number): Promise<void> {\r\n return new Promise((resolve) => setTimeout(resolve, ms));\r\n}\r\n\r\nexport function isPidAlive(pid: number | undefined): boolean {\r\n if (!pid) return false;\r\n try {\r\n process.kill(pid, 0);\r\n return true;\r\n } catch {\r\n return false;\r\n }\r\n}\r\n\r\nexport function killWorkerProcess(pid: number, signal: NodeJS.Signals): void {\r\n try {\r\n process.kill(-pid, signal);\r\n } catch {\r\n process.kill(pid, signal);\r\n }\r\n}\r\n\r\nexport function latestIso(values: Array<string | null | undefined>): string | null {\r\n let best: string | null = null;\r\n let bestMs = -Infinity;\r\n for (const value of values) {\r\n if (!value) continue;\r\n const ms = Date.parse(value);\r\n if (Number.isFinite(ms) && ms > bestMs) {\r\n bestMs = ms;\r\n best = value;\r\n }\r\n }\r\n return best;\r\n}\r\n\r\nexport function secsAgo(ms: number): number {\r\n return Math.max(0, Math.round((Date.now() - ms) / 1000));\r\n}\r\n", "/**\r\n * Worker spawn env scrub \u2014 harness workers must not inherit host deployment secrets.\r\n */\r\n\r\n/** Exact env keys that must never reach a worker child process. */\r\nexport const FORBIDDEN_WORKER_ENV_KEYS = [\r\n \"ANTHROPIC_API_KEY\",\r\n \"ANALYST_API_KEY\",\r\n \"RECRUITER_API_KEY\",\r\n \"AUTH_SECRET\",\r\n \"NEXTAUTH_SECRET\",\r\n \"DATABASE_URL\",\r\n \"PRODUCTION_DATABASE_URL\",\r\n \"KYNVER_PRODUCTION_DATABASE_URL\",\r\n \"REDIS_URL\",\r\n \"GOOGLE_CLIENT_SECRET\",\r\n \"GITHUB_CLIENT_SECRET\",\r\n \"KYNVER_API_KEY\",\r\n \"KYNVER_SERVICE_SECRET\",\r\n \"KYNVER_RUNTIME_SECRET\",\r\n \"KYNVER_CRON_SECRET\",\r\n \"OPENCLAW_CRON_SECRET\",\r\n \"QSTASH_TOKEN\",\r\n \"QSTASH_CURRENT_SIGNING_KEY\",\r\n \"QSTASH_NEXT_SIGNING_KEY\",\r\n \"TOOL_SECRETS_KEK\",\r\n \"TOOL_EXECUTOR_DISPATCH_SECRET\",\r\n \"CLOUDFLARE_API_TOKEN\",\r\n \"STRIPE_SECRET_KEY\",\r\n \"STRIPE_WEBHOOK_SECRET\",\r\n \"STRIPE_IDENTITY_WEBHOOK_SECRET\",\r\n \"VOYAGE_API_KEY\",\r\n \"PERPLEXITY_API_KEY\",\r\n \"FRED_API_KEY\",\r\n \"FMP_API_KEY\",\r\n \"CURSOR_API_KEY\",\r\n] as const;\r\n\r\nconst FORBIDDEN_KEY_SET = new Set<string>(FORBIDDEN_WORKER_ENV_KEYS);\r\n\r\n/** Keys matching these suffixes are stripped (case-sensitive). */\r\nconst FORBIDDEN_SUFFIXES = [\"_SECRET\", \"_API_KEY\"] as const;\r\n\r\nexport function isForbiddenWorkerEnvKey(key: string): boolean {\r\n if (FORBIDDEN_KEY_SET.has(key)) return true;\r\n return FORBIDDEN_SUFFIXES.some((suffix) => key.endsWith(suffix));\r\n}\r\n\r\nexport function listForbiddenWorkerEnvKeys(env: NodeJS.ProcessEnv): string[] {\r\n return Object.keys(env).filter(isForbiddenWorkerEnvKey).sort();\r\n}\r\n\r\nexport function scrubWorkerEnv(env: NodeJS.ProcessEnv): NodeJS.ProcessEnv {\r\n const next = { ...env };\r\n for (const key of Object.keys(next)) {\r\n if (isForbiddenWorkerEnvKey(key)) delete next[key];\r\n }\r\n return next;\r\n}\r\n\r\nexport interface WorkerEnvAudit {\r\n forbiddenPresent: string[];\r\n safe: boolean;\r\n}\r\n\r\nexport function auditWorkerEnv(env: NodeJS.ProcessEnv): WorkerEnvAudit {\r\n const forbiddenPresent = listForbiddenWorkerEnvKeys(env);\r\n return { forbiddenPresent, safe: forbiddenPresent.length === 0 };\r\n}\r\n\r\n/** @deprecated Use {@link scrubWorkerEnv} \u2014 kept for existing imports from git.ts */\r\nexport function scrubClaudeEnv(env: NodeJS.ProcessEnv): NodeJS.ProcessEnv {\r\n return scrubWorkerEnv(env);\r\n}\r\n", "import { homedir } from \"node:os\";\r\nimport path from \"node:path\";\r\n\r\nexport function expandHomePath(value: string): string {\r\n if (value === \"~\") return homedir();\r\n if (value.startsWith(\"~/\") || value.startsWith(\"~\\\\\")) {\r\n return path.join(homedir(), value.slice(2));\r\n }\r\n return value;\r\n}\r\n\r\nexport function resolveUserPath(value: string): string {\r\n return path.resolve(expandHomePath(value));\r\n}\r\n\r\nexport function redactHomePath(value: string): string {\r\n const expanded = expandHomePath(value);\r\n const resolved = path.resolve(expanded);\r\n const home = path.resolve(homedir());\r\n\r\n if (resolved === home) return \"~\";\r\n if (resolved.startsWith(`${home}${path.sep}`)) {\r\n return `~/${path.relative(home, resolved).split(path.sep).join(\"/\")}`;\r\n }\r\n\r\n const posix = resolved.replace(/\\\\/g, \"/\");\r\n const redacted = posix\r\n .replace(/^\\/home\\/[^/]+(?=\\/|$)/, \"~\")\r\n .replace(/^\\/Users\\/[^/]+(?=\\/|$)/, \"~\")\r\n // Windows resolves Unix-style `/home/...` paths to `C:\\home\\...`.\r\n .replace(/^[A-Za-z]:\\/home\\/[^/]+(?=\\/|$)/i, \"~\")\r\n .replace(/^[A-Za-z]:\\/Users\\/[^/]+(?=\\/|$)/i, \"~\");\r\n return redacted;\r\n}\r\n\r\n/** User-facing path strings (doctor JSON, setup output). */\r\nexport function displayUserPath(value: string): string {\r\n return redactHomePath(value);\r\n}\r\n", "import { existsSync, readFileSync, statfsSync } from \"node:fs\";\r\n\r\n/**\r\n * WSL host disk probe.\r\n *\r\n * Under WSL, the runtime VHDX (mounted at `/`) grows dynamically into the\r\n * Windows host C: drive. When Windows C: fills up, the VHDX cannot expand:\r\n * writes return SIGBUS, workers exit 135, and the Vmmem VM degrades while\r\n * the Linux-side `statfs /` still reports plenty of free space inside the\r\n * VHDX. This module gives the harness a cheap signal for that pressure so\r\n * it can block dispatch *before* a large npm install/build pushes Windows\r\n * C: into the ground.\r\n */\r\n\r\n/** Default warn threshold for the Windows host disk (25 GiB free). */\r\nexport const DEFAULT_WSL_HOST_WARN_FREE_BYTES = 25 * 1024 * 1024 * 1024;\r\n/** Default critical threshold for the Windows host disk (12 GiB free). Below\r\n * this, large rebuilds have been observed to trigger SIGBUS / exit 135 on\r\n * WSL when the VHDX cannot grow further. */\r\nexport const DEFAULT_WSL_HOST_CRITICAL_FREE_BYTES = 12 * 1024 * 1024 * 1024;\r\n/** Default Windows host mount point under WSL. Overridable via env or option. */\r\nexport const DEFAULT_WSL_HOST_MOUNT = \"/mnt/c\";\r\n\r\nexport interface WslHostDiskShape {\r\n ok: boolean;\r\n /** Mount point that was probed. */\r\n path: string;\r\n freeBytes: number;\r\n totalBytes: number;\r\n usedPercent: number;\r\n warnBelowBytes: number;\r\n criticalBelowBytes: number;\r\n /** Human-readable explanation when the host disk is under pressure. */\r\n reason: string | null;\r\n /** True when the probe itself failed (mount missing, statfs error). */\r\n probeError: string | null;\r\n}\r\n\r\n/**\r\n * Cheap WSL detection. Reads `/proc/sys/kernel/osrelease` (kernel string\r\n * contains \"microsoft\" / \"WSL2\" on Microsoft's WSL kernel) and falls back\r\n * to `/proc/version`. Both reads are one-shot and gated by `existsSync`,\r\n * so non-Linux hosts return false without throwing.\r\n */\r\nexport function isWslHost(): boolean {\r\n if (process.platform !== \"linux\") return false;\r\n for (const probe of [\"/proc/sys/kernel/osrelease\", \"/proc/version\"]) {\r\n try {\r\n if (!existsSync(probe)) continue;\r\n const text = readFileSync(probe, \"utf8\");\r\n if (/microsoft|wsl/i.test(text)) return true;\r\n } catch {\r\n // ignore \u2014 try the next probe path\r\n }\r\n }\r\n return false;\r\n}\r\n\r\nexport interface ObserveWslHostDiskOptions {\r\n /** Override the Windows host mount path (e.g. `/mnt/d`). Falls back to\r\n * `KYNVER_WSL_HOST_MOUNT` env, then `/mnt/c`. */\r\n wslHostMount?: string;\r\n wslHostFreeWarnBytes?: number;\r\n wslHostFreeCriticalBytes?: number;\r\n /** Override WSL detection for tests / cross-platform CI:\r\n * `true` \u2192 treat host as WSL; `false` \u2192 treat host as non-WSL;\r\n * `undefined` \u2192 autodetect via `isWslHost()`. */\r\n forceWsl?: boolean;\r\n /** Test seam \u2014 swap in a fake statfs. */\r\n statfs?: (path: string) => { bavail: bigint | number; blocks: bigint | number; bsize: bigint | number };\r\n}\r\n\r\n/**\r\n * Probe the Windows host disk under WSL. Returns `null` when this host is\r\n * not WSL (so callers can treat the field as optional in the gate output).\r\n * When WSL but the mount is unreachable, returns a `probeError` row with\r\n * `ok = false` rather than throwing \u2014 the gate must still block dispatch\r\n * because we can't prove the host disk is healthy.\r\n */\r\nexport function observeWslHostDisk(\r\n options: ObserveWslHostDiskOptions = {},\r\n): WslHostDiskShape | null {\r\n const wsl = options.forceWsl === undefined ? isWslHost() : options.forceWsl;\r\n if (!wsl) return null;\r\n\r\n const path =\r\n options.wslHostMount?.trim() ||\r\n process.env.KYNVER_WSL_HOST_MOUNT?.trim() ||\r\n DEFAULT_WSL_HOST_MOUNT;\r\n const warnBelowBytes = options.wslHostFreeWarnBytes ?? DEFAULT_WSL_HOST_WARN_FREE_BYTES;\r\n const criticalBelowBytes =\r\n options.wslHostFreeCriticalBytes ?? DEFAULT_WSL_HOST_CRITICAL_FREE_BYTES;\r\n\r\n const statfs = options.statfs ?? statfsSync;\r\n let stats: { bavail: bigint | number; blocks: bigint | number; bsize: bigint | number };\r\n try {\r\n stats = statfs(path);\r\n } catch (error) {\r\n return {\r\n ok: false,\r\n path,\r\n freeBytes: 0,\r\n totalBytes: 0,\r\n usedPercent: 100,\r\n warnBelowBytes,\r\n criticalBelowBytes,\r\n reason: `Windows host disk probe failed at ${path}: ${(error as Error).message}`,\r\n probeError: (error as Error).message,\r\n };\r\n }\r\n\r\n const freeBytes = Number(stats.bavail) * Number(stats.bsize);\r\n const totalBytes = Number(stats.blocks) * Number(stats.bsize);\r\n const usedPercent = totalBytes > 0 ? ((totalBytes - freeBytes) / totalBytes) * 100 : 100;\r\n const lowFree = freeBytes < warnBelowBytes;\r\n const criticalFree = freeBytes < criticalBelowBytes;\r\n const ok = !lowFree && !criticalFree;\r\n\r\n const freeGiB = (freeBytes / (1024 * 1024 * 1024)).toFixed(1);\r\n let reason: string | null = null;\r\n if (!ok) {\r\n const tag = criticalFree ? \"critical\" : \"warning\";\r\n reason =\r\n `Windows host disk ${path} at ${tag}: ${freeGiB} GiB free ` +\r\n `(<${(criticalFree ? criticalBelowBytes : warnBelowBytes) / 1024 / 1024 / 1024} GiB); ` +\r\n `WSL VHDX cannot grow safely. ${summarizeWslRecoverySteps()}`;\r\n }\r\n\r\n return {\r\n ok,\r\n path,\r\n freeBytes,\r\n totalBytes,\r\n usedPercent,\r\n warnBelowBytes,\r\n criticalBelowBytes,\r\n reason,\r\n probeError: null,\r\n };\r\n}\r\n\r\n/**\r\n * Short operator recovery hint embedded in gate reasons so AgentOS evidence\r\n * surfaces actionable steps without a doc lookup. Keep terse \u2014 full runbook\r\n * lives at `docs/runbooks/wsl-disk-pressure.md`.\r\n */\r\nexport function summarizeWslRecoverySteps(): string {\r\n return (\r\n \"Recovery: \" +\r\n \"1) free Windows C: (empty Recycle Bin / Storage Sense / clear %TEMP%); \" +\r\n \"2) shut down WSL (`wsl --shutdown`) then compact the VHDX (`Optimize-VHD` or `diskpart compact vdisk`); \" +\r\n \"3) clear local node_modules / .next / harness worktrees before restarting workers. \" +\r\n \"Full runbook: docs/runbooks/wsl-disk-pressure.md.\"\r\n );\r\n}\r\n", "import { statfsSync } from \"node:fs\";\r\nimport type { DispatchNextDiskGateShape } from \"./callbacks.js\";\r\nimport {\r\n observeWslHostDisk,\r\n type ObserveWslHostDiskOptions,\r\n type WslHostDiskShape,\r\n} from \"./wsl-host.js\";\r\n\r\nconst DEFAULT_WARN_FREE_BYTES = 30 * 1024 * 1024 * 1024;\r\nconst DEFAULT_CRITICAL_FREE_BYTES = 15 * 1024 * 1024 * 1024;\r\nconst DEFAULT_MAX_USED_PERCENT = 80;\r\nconst DEFAULT_HARD_MAX_USED_PERCENT = 90;\r\n\r\nexport interface ObserveDiskGateInput {\r\n diskPath?: string;\r\n diskFreeWarnBytes?: number;\r\n diskFreeCriticalBytes?: number;\r\n diskMaxUsedPercent?: number;\r\n diskHardMaxUsedPercent?: number;\r\n /** Opt-out for the WSL host disk probe \u2014 leave `false`/undefined by\r\n * default so we always check `/mnt/c` under WSL. */\r\n skipWslHostCheck?: boolean;\r\n wslHost?: ObserveWslHostDiskOptions;\r\n}\r\n\r\nexport function observeRunnerDiskGate(input: ObserveDiskGateInput = {}): DispatchNextDiskGateShape {\r\n const path = input.diskPath?.trim() || \"/\";\r\n const warnBelowBytes = input.diskFreeWarnBytes ?? DEFAULT_WARN_FREE_BYTES;\r\n const criticalBelowBytes = input.diskFreeCriticalBytes ?? DEFAULT_CRITICAL_FREE_BYTES;\r\n const maxUsedPercent = input.diskMaxUsedPercent ?? DEFAULT_MAX_USED_PERCENT;\r\n const hardMaxUsedPercent = input.diskHardMaxUsedPercent ?? DEFAULT_HARD_MAX_USED_PERCENT;\r\n\r\n const stats = statfsSync(path);\r\n const freeBytes = Number(stats.bavail) * Number(stats.bsize);\r\n const totalBytes = Number(stats.blocks) * Number(stats.bsize);\r\n const usedPercent = totalBytes > 0 ? ((totalBytes - freeBytes) / totalBytes) * 100 : 100;\r\n const lowFree = freeBytes < warnBelowBytes;\r\n const criticalFree = freeBytes < criticalBelowBytes;\r\n const highUse = usedPercent > maxUsedPercent;\r\n const hardHighUse = usedPercent > hardMaxUsedPercent;\r\n const localOk = !lowFree && !criticalFree && !highUse && !hardHighUse;\r\n\r\n // WSL guard: the VHDX (mounted at `/`) grows into Windows C:; a healthy\r\n // local statfs is meaningless if the host disk is about to refuse writes.\r\n const wslHost: WslHostDiskShape | null = input.skipWslHostCheck\r\n ? null\r\n : observeWslHostDisk(input.wslHost);\r\n\r\n const ok = localOk && (wslHost ? wslHost.ok : true);\r\n\r\n let reason: string | null = null;\r\n if (!ok) {\r\n reason = [\r\n criticalFree ? `free space below critical ${criticalBelowBytes} bytes` : null,\r\n lowFree ? `free space below warning ${warnBelowBytes} bytes` : null,\r\n hardHighUse ? `used percent above hard cap ${hardMaxUsedPercent}%` : null,\r\n highUse ? `used percent above cap ${maxUsedPercent}%` : null,\r\n wslHost && !wslHost.ok ? wslHost.reason : null,\r\n ]\r\n .filter(Boolean)\r\n .join(\"; \");\r\n }\r\n\r\n return {\r\n ok,\r\n path,\r\n freeBytes,\r\n totalBytes,\r\n usedPercent,\r\n warnBelowBytes,\r\n criticalBelowBytes,\r\n maxUsedPercent,\r\n hardMaxUsedPercent,\r\n reason,\r\n wslHost,\r\n };\r\n}\r\n", "import { existsSync } from \"node:fs\";\r\nimport { homedir } from \"node:os\";\r\nimport path from \"node:path\";\r\nimport { loadUserConfig } from \"./config.js\";\r\nimport { resolveUserPath } from \"./path-values.js\";\r\nimport { safeSlug } from \"./util.js\";\r\n\r\nconst LEGACY_ROOT = path.join(homedir(), \".openclaw\", \"harness\");\r\n\r\nconst HARNESS_LAYOUT_DIR_NAMES = new Set([\"runs\", \"worktrees\"]);\r\n\r\n/**\r\n * Canonical harness root: the directory that contains `runs/` and `worktrees/`.\r\n * Strips mistaken trailing layout segments (e.g. env set to `.../harness/runs`).\r\n * Server mirror: agent-os.harness-root.ts\r\n */\r\nexport function normalizeHarnessRoot(root: string): string {\r\n let resolved = path.resolve(resolveUserPath(root.trim()));\r\n while (HARNESS_LAYOUT_DIR_NAMES.has(path.basename(resolved))) {\r\n resolved = path.dirname(resolved);\r\n }\r\n return resolved;\r\n}\r\n\r\n/** Canonical harness root for CLI/workers. */\r\nexport function resolveHarnessRoot(): string {\r\n const env = process.env.KYNVER_HARNESS_ROOT || process.env.OPUS_HARNESS_ROOT;\r\n if (env) return normalizeHarnessRoot(env);\r\n const configured = loadUserConfig().harnessRoot?.trim();\r\n if (configured) return normalizeHarnessRoot(configured);\r\n const kynverRoot = path.join(homedir(), \".kynver\", \"harness\");\r\n if (existsSync(kynverRoot)) return kynverRoot;\r\n if (existsSync(LEGACY_ROOT)) return LEGACY_ROOT;\r\n return kynverRoot;\r\n}\r\n\r\nexport function harnessRunsDir(harnessRoot: string): string {\r\n return path.join(normalizeHarnessRoot(harnessRoot), \"runs\");\r\n}\r\n\r\nexport function harnessWorktreesDir(harnessRoot: string): string {\r\n return path.join(normalizeHarnessRoot(harnessRoot), \"worktrees\");\r\n}\r\n\r\nexport function getHarnessPaths() {\r\n const harnessRoot = resolveHarnessRoot();\r\n return {\r\n harnessRoot,\r\n runsDir: harnessRunsDir(harnessRoot),\r\n worktreesDir: harnessWorktreesDir(harnessRoot),\r\n };\r\n}\r\n\r\nexport function runDir(runsDir: string, id: string): string {\r\n return path.join(runsDir, safeSlug(id));\r\n}\r\n", "import os from \"node:os\";\r\nimport { readMemAvailableBytes } from \"./bounded-build/meminfo.js\";\r\nimport path from \"node:path\";\r\nimport { loadUserConfig, type KynverUserConfig } from \"./config.js\";\r\nimport { resolveBoxKindFromConfig } from \"./box-identity.js\";\r\nimport type { WorkerCapSource } from \"./worker-cap-source.js\";\r\nimport { resolveWorkerCap } from \"./worker-cap-source.js\";\r\nimport type { DispatchNextDiskGateShape } from \"./callbacks.js\";\r\nimport { observeRunnerDiskGate } from \"./disk-gate.js\";\r\nimport { listRunRecords, loadRun, runDirectory, type HarnessRunRecord } from \"./run-store.js\";\r\nimport { listRunWorkerNames } from \"./run-worker-index.js\";\r\nimport { isActiveHarnessWorker, workerProcessMatchesRecord } from \"./harness-worker-active.js\";\r\nimport { readJson, safeSlug } from \"./util.js\";\r\nimport type { HarnessWorkerRecord } from \"./status.js\";\r\n\r\nexport { workerProcessMatchesRecord };\r\n\r\n/** Default RAM budget per worker (~500 MiB, dogfood measured). Internal \u2014 not a setup knob. */\r\nexport const DEFAULT_PER_WORKER_MEM_BYTES = 500 * 1024 * 1024;\r\n\r\n/** Keep headroom for OS / IDE. Internal \u2014 not a setup knob. */\r\nexport const DEFAULT_MEM_RESERVE_BYTES = 4 * 1024 * 1024 * 1024;\r\n\r\n/** Fraction of total RAM used when auto-sizing worker cap. Internal. */\r\nexport const DEFAULT_MEM_UTILIZATION = 0.85;\r\n\r\n/** Auto cap when the user has not set maxConcurrentWorkers (safety on huge hosts). */\r\nexport const AUTO_MAX_WORKERS_CEILING = 64;\r\n\r\nexport interface RunnerResourceGateShape {\r\n ok: boolean;\r\n totalMemBytes: number;\r\n freeMemBytes: number;\r\n memReserveBytes: number;\r\n perWorkerMemBytes: number;\r\n configuredMaxWorkers: number | null;\r\n /** Where the effective worker cap was resolved (workspace override, env, config, or auto). */\r\n workerCapSource: WorkerCapSource;\r\n /** Physical pool for this host (`forge` | `ghost`). */\r\n boxKind: string;\r\n autoCap: number;\r\n capacityWorkers: number;\r\n maxConcurrentWorkers: number;\r\n activeWorkers: number;\r\n slotsAvailable: number;\r\n reason: string | null;\r\n /** Present unless `KYNVER_RESOURCE_GATE_SKIP_DISK=1`. */\r\n diskGate?: DispatchNextDiskGateShape;\r\n}\r\n\r\nexport interface ObserveResourceGateInput {\r\n runId: string;\r\n config?: KynverUserConfig;\r\n /** Command Center / workspace override \u2014 wins over local config when set. */\r\n configuredMaxWorkersOverride?: number | null;\r\n /** Override active worker count (tests). */\r\n activeWorkers?: number;\r\n totalMemBytes?: number;\r\n freeMemBytes?: number;\r\n diskPath?: string;\r\n skipDiskGate?: boolean;\r\n}\r\n\r\nfunction positiveInt(value: unknown, fallback: number): number {\r\n const n = Number(value);\r\n if (!Number.isFinite(n) || n <= 0) return fallback;\r\n return Math.floor(n);\r\n}\r\n\r\nfunction resolveResourceConfig(\r\n config: KynverUserConfig = loadUserConfig(),\r\n configuredMaxWorkersOverride?: number | null,\r\n totalMemBytes?: number,\r\n) {\r\n const perWorkerMemBytes = positiveInt(config.perWorkerMemBytes, DEFAULT_PER_WORKER_MEM_BYTES);\r\n const memReserveBytes = positiveInt(config.memReserveBytes, DEFAULT_MEM_RESERVE_BYTES);\r\n const memUtilization = Math.min(\r\n 1,\r\n Math.max(0.1, Number(config.memUtilization) > 0 ? Number(config.memUtilization) : DEFAULT_MEM_UTILIZATION),\r\n );\r\n const cap = resolveWorkerCap({\r\n config,\r\n configuredMaxWorkersOverride,\r\n totalMemBytes: totalMemBytes ?? os.totalmem(),\r\n });\r\n return {\r\n perWorkerMemBytes,\r\n memReserveBytes,\r\n memUtilization,\r\n configuredMaxWorkers: cap.configuredMaxWorkers,\r\n autoCap: cap.autoCap,\r\n workerCapSource: cap.workerCapSource,\r\n };\r\n}\r\n\r\n/** How many workers this host could run from RAM alone (before a user cap). */\r\nexport function computeAutoMaxWorkers(\r\n totalMemBytes: number,\r\n opts: { perWorkerMemBytes?: number; memReserveBytes?: number; memUtilization?: number } = {},\r\n): number {\r\n const perWorkerMemBytes = opts.perWorkerMemBytes ?? DEFAULT_PER_WORKER_MEM_BYTES;\r\n const memReserveBytes = opts.memReserveBytes ?? DEFAULT_MEM_RESERVE_BYTES;\r\n const memUtilization = opts.memUtilization ?? DEFAULT_MEM_UTILIZATION;\r\n const budgetBytes = Math.max(0, Math.floor(totalMemBytes * memUtilization) - memReserveBytes);\r\n const raw = Math.max(1, Math.floor(budgetBytes / perWorkerMemBytes));\r\n return Math.min(raw, AUTO_MAX_WORKERS_CEILING);\r\n}\r\n\r\nfunction readAvailableMemBytes(): number {\r\n return readMemAvailableBytes();\r\n}\r\n\r\n/** Count alive, still-executing workers in a single run record. */\r\nfunction countActiveWorkersForRun(run: HarnessRunRecord): number {\r\n let active = 0;\r\n for (const name of listRunWorkerNames(run)) {\r\n const worker = readJson<HarnessWorkerRecord | undefined>(\r\n path.join(runDirectory(run.id), \"workers\", safeSlug(name), \"worker.json\"),\r\n undefined,\r\n );\r\n if (!worker || !isActiveHarnessWorker(worker)) continue;\r\n active++;\r\n }\r\n return active;\r\n}\r\n\r\n/** Count active workers in ONE run (kept for callers/tests scoped to a run). */\r\nexport function countActiveWorkers(runId: string): number {\r\n return countActiveWorkersForRun(loadRun(runId));\r\n}\r\n\r\n/**\r\n * Count active workers across EVERY run on disk. The harness creates a new run\r\n * per task, so a per-run count let concurrent runs each believe the machine was\r\n * idle \u2014 the configured cap was never a real global ceiling (the \"spawns 4 or\r\n * infinity, never N\" bug). This machine-wide count is what the gate must use.\r\n */\r\nexport function countActiveWorkersGlobal(): number {\r\n let active = 0;\r\n for (const run of listRunRecords()) active += countActiveWorkersForRun(run);\r\n return active;\r\n}\r\n\r\n/**\r\n * Compute how many workers this host can run and how many dispatch slots remain.\r\n * Uses total RAM for steady-state capacity and free RAM as a hard safety gate.\r\n */\r\nexport function observeRunnerResourceGate(input: ObserveResourceGateInput): RunnerResourceGateShape {\r\n const config = input.config ?? loadUserConfig();\r\n const totalMemBytes = input.totalMemBytes ?? os.totalmem();\r\n const { perWorkerMemBytes, memReserveBytes, memUtilization, configuredMaxWorkers, autoCap: resolvedAutoCap, workerCapSource } =\r\n resolveResourceConfig(config, input.configuredMaxWorkersOverride, totalMemBytes);\r\n const boxKind = resolveBoxKindFromConfig(config);\r\n const freeMemBytes = input.freeMemBytes ?? readAvailableMemBytes();\r\n // Active count is GLOBAL across all runs (see countActiveWorkersGlobal), so the\r\n // cap is a true machine-wide ceiling rather than per-run.\r\n const activeWorkers = input.activeWorkers ?? countActiveWorkersGlobal();\r\n\r\n const budgetBytes = Math.max(0, Math.floor(totalMemBytes * memUtilization) - memReserveBytes);\r\n const capacityFromTotal = Math.max(0, Math.floor(budgetBytes / perWorkerMemBytes));\r\n const capacityFromFree = Math.max(0, Math.floor(Math.max(0, freeMemBytes - memReserveBytes) / perWorkerMemBytes));\r\n\r\n const autoCap = resolvedAutoCap;\r\n const targetCap = configuredMaxWorkers ?? autoCap;\r\n const maxConcurrentWorkers = Math.max(0, Math.min(targetCap, capacityFromTotal));\r\n const slotsByCapacity = Math.max(0, maxConcurrentWorkers - activeWorkers);\r\n // capacityFromFree is ADDITIONAL headroom: free/available RAM already excludes\r\n // memory held by running workers, so we must NOT subtract activeWorkers again.\r\n // Doing so (the old `capacityFromFree - activeWorkers`) double-counted active\r\n // workers and collapsed dispatch to a handful of slots under load.\r\n const slotsByFreeMem = capacityFromFree;\r\n let slotsAvailable = Math.min(slotsByCapacity, slotsByFreeMem);\r\n\r\n const skipDisk = input.skipDiskGate || process.env.KYNVER_RESOURCE_GATE_SKIP_DISK === \"1\";\r\n const diskGate = skipDisk\r\n ? undefined\r\n : observeRunnerDiskGate({\r\n diskPath:\r\n input.diskPath?.trim() ||\r\n process.env.KYNVER_DISK_GUARD_PATH?.trim() ||\r\n \"/\",\r\n });\r\n if (diskGate && !diskGate.ok) slotsAvailable = 0;\r\n\r\n let reason: string | null = null;\r\n if (slotsAvailable <= 0) {\r\n if (diskGate && !diskGate.ok) {\r\n reason = diskGate.reason ?? \"disk gate blocked worker admission\";\r\n } else if (activeWorkers >= maxConcurrentWorkers) {\r\n reason = `at worker limit (${activeWorkers}/${maxConcurrentWorkers} running)`;\r\n } else if (capacityFromFree <= 0) {\r\n reason = \"insufficient free memory \u2014 waiting for workers to finish\";\r\n } else {\r\n reason = \"no worker slots available\";\r\n }\r\n }\r\n\r\n return {\r\n ok: slotsAvailable > 0,\r\n totalMemBytes,\r\n freeMemBytes,\r\n memReserveBytes,\r\n perWorkerMemBytes,\r\n configuredMaxWorkers,\r\n workerCapSource,\r\n boxKind,\r\n autoCap,\r\n capacityWorkers: capacityFromTotal,\r\n maxConcurrentWorkers,\r\n activeWorkers,\r\n slotsAvailable,\r\n reason,\r\n ...(diskGate ? { diskGate } : {}),\r\n };\r\n}\r\n"],
5
+ "mappings": ";AAAA,OAAOA,WAAU;;;ACAjB,SAAS,cAAAC,aAAY,WAAW,gBAAAC,eAAc,qBAAqB;AACnE,SAAS,WAAAC,UAAS,gBAAgB;AAClC,OAAOC,WAAU;;;ACFjB,SAAS,YAAY,oBAAoB;AACzC,SAAS,WAAAC,gBAAe;AACxB,OAAOC,WAAU;AACjB,SAAS,qBAAqB;;;ACH9B,SAAS,iBAAiB;;;ACSnB,SAAS,mBAAsD,MAAY;AAChF,MAAI,QAAQ,aAAa,QAAS,QAAO;AACzC,SAAO,EAAE,aAAa,MAAM,GAAG,KAAK;AACtC;;;ACPO,IAAM,4BAA4B;AAAA,EACvC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAM,oBAAoB,IAAI,IAAY,yBAAyB;;;AFE5D,SAAS,WAAW,KAAa,MAAkC;AACxE,MAAI;AACF,UAAM,MAAM;AAAA,MACZ;AAAA,MACA;AAAA,MACA,mBAAmB,EAAE,KAAK,UAAU,OAAgB,CAAC;AAAA,IACvD;AACE,WAAO;AAAA,MACL,QAAQ,IAAI;AAAA,MACZ,QAAQ,IAAI,UAAU;AAAA,MACtB,QAAQ,IAAI,UAAU;AAAA,MACtB,OAAO,IAAI,QAAQ,IAAI,MAAM,UAAU;AAAA,IACzC;AAAA,EACF,SAAS,OAAO;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,OAAQ,MAAgB;AAAA,IAC1B;AAAA,EACF;AACF;;;AG7DA,SAAS,eAAe;AACxB,OAAO,UAAU;AAEV,SAAS,eAAe,OAAuB;AACpD,MAAI,UAAU,IAAK,QAAO,QAAQ;AAClC,MAAI,MAAM,WAAW,IAAI,KAAK,MAAM,WAAW,KAAK,GAAG;AACrD,WAAO,KAAK,KAAK,QAAQ,GAAG,MAAM,MAAM,CAAC,CAAC;AAAA,EAC5C;AACA,SAAO;AACT;AAEO,SAAS,gBAAgB,OAAuB;AACrD,SAAO,KAAK,QAAQ,eAAe,KAAK,CAAC;AAC3C;;;AJIA,IAAM,uBAAuB;AAAA,EAC3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,SAAS,gBAAgB,UAAiC;AACxD,QAAM,UAAUC,MAAK,KAAK,UAAU,cAAc;AAClD,MAAI,CAAC,WAAW,OAAO,EAAG,QAAO;AACjC,MAAI;AACF,UAAM,MAAM,KAAK,MAAM,aAAa,SAAS,MAAM,CAAC;AACpD,WAAO,OAAO,IAAI,SAAS,WAAW,IAAI,KAAK,KAAK,IAAI;AAAA,EAC1D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,qBAAqB,UAA2B;AAC9D,SAAO,gBAAgB,QAAQ,MAAM;AACvC;AAEO,SAAS,YAAY,UAAiC;AAC3D,QAAM,gBAAgBA,MAAK,QAAQ,QAAQ;AAC3C,MAAI,CAAC,WAAW,aAAa,EAAG,QAAO;AACvC,QAAM,QAAQ,WAAW,eAAe,CAAC,aAAa,iBAAiB,CAAC;AACxE,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,QAAM,OAAO,MAAM,OAAO,KAAK;AAC/B,SAAO,KAAK,SAASA,MAAK,QAAQ,IAAI,IAAI;AAC5C;AAEA,SAAS,0BAA0B,YAAoB,YAAY,KAAoB;AACrF,MAAI,MAAMA,MAAK,QAAQ,cAAc,SAAS,CAAC;AAC/C,WAAS,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG;AACzC,UAAM,UAAUA,MAAK,KAAK,KAAK,cAAc;AAC7C,QAAI,WAAW,OAAO,GAAG;AACvB,UAAI;AACF,cAAM,MAAM,KAAK,MAAM,aAAa,SAAS,MAAM,CAAC;AACpD,YAAI,IAAI,SAAS,sBAAuB,QAAO;AAAA,MACjD,QAAQ;AAAA,MAER;AAAA,IACF;AACA,UAAM,SAASA,MAAK,QAAQ,GAAG;AAC/B,QAAI,WAAW,IAAK;AACpB,UAAM;AAAA,EACR;AACA,SAAO;AACT;AAEA,SAAS,cACP,MACA,KACA,MACA,QACM;AACN,MAAI,CAAC,KAAM;AACX,QAAM,WAAWA,MAAK,QAAQ,IAAI;AAClC,MAAI,KAAK,IAAI,QAAQ,EAAG;AACxB,MAAI,CAAC,qBAAqB,QAAQ,EAAG;AACrC,OAAK,IAAI,QAAQ;AACjB,MAAI,KAAK,EAAE,MAAM,UAAU,OAAO,CAAC;AACrC;AAEO,SAAS,8BAA8B,MAGlB;AAC1B,QAAM,MAAM,MAAM,OAAO,QAAQ,IAAI;AACrC,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,aAAsC,CAAC;AAE7C,gBAAc,MAAM,YAAY,YAAY,GAAG,GAAG,SAAS;AAE3D,QAAM,iBAAiB,0BAA0B,MAAM,oBAAoB,YAAY,GAAG;AAC1F,MAAI,gBAAgB;AAClB,kBAAc,MAAM,YAAY,YAAY,cAAc,GAAG,kBAAkB;AAAA,EACjF;AAEA,QAAM,OAAOC,SAAQ;AACrB,aAAW,OAAO,sBAAsB;AACtC,kBAAc,MAAM,YAAY,gBAAgBD,MAAK,KAAK,MAAM,GAAG,CAAC,GAAG,iBAAiB;AAAA,EAC1F;AAEA,SAAO;AACT;AAEO,SAAS,oBAAoB,MAGH;AAC/B,SAAO,8BAA8B,IAAI,EAAE,CAAC,KAAK;AACnD;;;AK/FO,IAAM,mCAAmC,KAAK,OAAO,OAAO;AAI5D,IAAM,uCAAuC,KAAK,OAAO,OAAO;;;ACXvE,IAAM,0BAA0B,KAAK,OAAO,OAAO;AACnD,IAAM,8BAA8B,KAAK,OAAO,OAAO;;;ACRvD,SAAS,WAAAE,gBAAe;AACxB,OAAOC,WAAU;AAKjB,IAAM,cAAcC,MAAK,KAAKC,SAAQ,GAAG,aAAa,SAAS;;;ACWxD,IAAM,+BAA+B,MAAM,OAAO;AAGlD,IAAM,4BAA4B,IAAI,OAAO,OAAO;;;ATkB3D,IAAM,aAAaC,MAAK,KAAKC,SAAQ,GAAG,SAAS;AACjD,IAAM,cAAcD,MAAK,KAAK,YAAY,aAAa;AACvD,IAAM,mBAAmBA,MAAK,KAAK,YAAY,aAAa;AASrD,SAAS,iBAAmC;AACjD,MAAI,CAACE,YAAW,WAAW,EAAG,QAAO,CAAC;AACtC,MAAI;AACF,WAAO,KAAK,MAAMC,cAAa,aAAa,MAAM,CAAC;AAAA,EACrD,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAoEA,IAAM,6BAA6B,MAAM,OAAO;AAChD,IAAM,0BAA0B,IAAI,OAAO,OAAO;;;ADlGlD,SAAS,qBAAqB,OAAuB;AACnD,SAAOC,MAAK,QAAQ,gBAAgB,MAAM,KAAK,CAAC,CAAC;AACnD;AAEA,SAAS,eACP,OACA,QACA,mBAC4B;AAC5B,QAAM,UAAU,OAAO,KAAK;AAC5B,MAAI,CAAC,QAAS,QAAO;AACrB,SAAO;AAAA,IACL,MAAM,qBAAqB,OAAO;AAAA,IAClC;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,mBAAmB,OAAkC,CAAC,GAA+B;AACnG,QAAM,MAAM,KAAK,OAAO,QAAQ;AAChC,QAAM,SAAS,KAAK,UAAU,eAAe;AAE7C,QAAM,aAAa,eAAe,OAAO,aAAa,UAAU,IAAI;AACpE,MAAI,WAAY,QAAO;AAEvB,QAAM,iBAAiB,eAAe,IAAI,qBAAqB,oBAAoB,KAAK;AACxF,MAAI,eAAgB,QAAO;AAE3B,QAAM,iBAAiB,eAAe,IAAI,qBAAqB,oBAAoB,KAAK;AACxF,MAAI,eAAgB,QAAO;AAE3B,QAAM,aAAa,oBAAoB;AAAA,IACrC,KAAK,KAAK;AAAA,IACV,kBAAkB,KAAK;AAAA,EACzB,CAAC;AACD,MAAI,CAAC,WAAY,QAAO;AAExB,SAAO;AAAA,IACL,MAAM,WAAW;AAAA,IACjB,QAAQ,WAAW;AAAA,IACnB,mBAAmB;AAAA,EACrB;AACF;",
6
6
  "names": ["path", "existsSync", "readFileSync", "homedir", "path", "homedir", "path", "path", "homedir", "homedir", "path", "path", "homedir", "path", "homedir", "existsSync", "readFileSync", "path"]
7
7
  }
package/dist/server/memory-cost-enforce.js CHANGED
@@ -16,6 +16,12 @@ import { fileURLToPath } from "node:url";
16
16
  // src/git.ts
17
17
  import { spawnSync } from "node:child_process";
18
18
 
19
+ // src/util.ts
20
+ function hiddenSpawnOptions(opts) {
21
+ if (process.platform !== "win32") return opts;
22
+ return { windowsHide: true, ...opts };
23
+ }
24
+
19
25
  // src/worker-env.ts
20
26
  var FORBIDDEN_WORKER_ENV_KEYS = [
21
27
  "ANTHROPIC_API_KEY",
@@ -54,7 +60,11 @@ var FORBIDDEN_KEY_SET = new Set(FORBIDDEN_WORKER_ENV_KEYS);
54
60
  // src/git.ts
55
61
  function gitCapture(cwd, args) {
56
62
  try {
57
- const res = spawnSync("git", args, { cwd, encoding: "utf8" });
63
+ const res = spawnSync(
64
+ "git",
65
+ args,
66
+ hiddenSpawnOptions({ cwd, encoding: "utf8" })
67
+ );
58
68
  return {
59
69
  status: res.status,
60
70
  stdout: res.stdout || "",