@kynver-app/runtime 0.1.123 → 0.1.128

package/dist/server/orchestration.js

@@ -1,444 +1 @@
-// src/orchestration-providers/claude-oauth-binding.ts
-import { existsSync } from "node:fs";
-import { homedir } from "node:os";
-import path from "node:path";
-
-// src/orchestration-providers/oauth-binding-utils.ts
-import { createHash } from "node:crypto";
-import { statSync } from "node:fs";
-import { spawnSync } from "node:child_process";
-function fingerprintAuthStore(filePath) {
-  try {
-    const st = statSync(filePath);
-    const material = `${filePath}|${st.size}|${st.mtimeMs}`;
-    return createHash("sha256").update(material).digest("hex").slice(0, 16);
-  } catch {
-    return void 0;
-  }
-}
-function envKeyFingerprint(envKey) {
-  return createHash("sha256").update(`env:${envKey}`).digest("hex").slice(0, 16);
-}
-function resolveCliBin(defaultBin, envKeys) {
-  for (const key of envKeys) {
-    const value = process.env[key]?.trim();
-    if (value) return value;
-  }
-  return defaultBin;
-}
-function probeCliCommand(bin, args, options = {}) {
-  const timeoutMs = options.timeoutMs ?? 8e3;
-  try {
-    const result = spawnSync(bin, args, {
-      encoding: "utf8",
-      timeout: timeoutMs,
-      env: { ...process.env, CI: "1", NO_COLOR: "1" }
-    });
-    if (result.status === 0) {
-      return { ok: true, note: options.okNote ?? `${bin} ${args.join(" ")}: ok` };
-    }
-    const stderr = (result.stderr || result.stdout || "").trim();
-    const prefix = options.failPrefix ?? `${bin} ${args.join(" ")} failed`;
-    return {
-      ok: false,
-      note: stderr ? `${prefix}: ${stderr.slice(0, 200)}` : prefix
-    };
-  } catch (err) {
-    return {
-      ok: false,
-      note: err instanceof Error ? err.message : `${bin} probe failed`
-    };
-  }
-}
-function probeCliExitCodeOnly(bin, args, options = {}) {
-  const timeoutMs = options.timeoutMs ?? 8e3;
-  try {
-    const result = spawnSync(bin, args, {
-      stdio: "ignore",
-      timeout: timeoutMs,
-      env: { ...process.env, CI: "1", NO_COLOR: "1" }
-    });
-    if (result.status === 0) {
-      return { ok: true, note: options.okNote ?? `${bin} authenticated` };
-    }
-    return { ok: false, note: options.failNote ?? `${bin} not authenticated` };
-  } catch (err) {
-    return {
-      ok: false,
-      note: err instanceof Error ? err.message : `${bin} auth probe failed`
-    };
-  }
-}
-
-// src/orchestration-providers/claude-oauth-binding.ts
-var DEFAULT_CLAUDE_BIN = "claude";
-function claudeAuthStoreCandidates() {
-  const home = homedir();
-  return [path.join(home, ".claude", ".credentials.json")];
-}
-function probeClaudeOAuthBinding(nowIso = (/* @__PURE__ */ new Date()).toISOString()) {
-  const bin = resolveCliBin(DEFAULT_CLAUDE_BIN, ["KYNVER_CLAUDE_BIN", "CLAUDE_BIN"]);
-  if (process.env.ANTHROPIC_API_KEY?.trim()) {
-    return {
-      providerId: "claude",
-      ready: true,
-      authSource: "api_key_env",
-      sessionFingerprint: envKeyFingerprint("ANTHROPIC_API_KEY"),
-      checkedAt: nowIso,
-      note: "ANTHROPIC_API_KEY present (env binding \u2014 cloud credits path, no token stored in Kynver)"
-    };
-  }
-  const cli = probeCliCommand(bin, ["--version"], {
-    okNote: `${bin} CLI available`,
-    failPrefix: `${bin} CLI not available`
-  });
-  const authPath = claudeAuthStoreCandidates().find((p) => existsSync(p));
-  const login = probeCliExitCodeOnly(bin, ["auth", "status"], {
-    okNote: "claude auth status: authenticated",
-    failNote: "claude auth status: not authenticated"
-  });
-  const ready = cli.ok && (login.ok || Boolean(authPath));
-  return {
-    providerId: "claude",
-    ready,
-    authSource: "oauth_local",
-    sessionFingerprint: authPath ? fingerprintAuthStore(authPath) : void 0,
-    checkedAt: nowIso,
-    note: ready ? "Local Claude Code OAuth session bound on runner" : [cli.note, login.note, authPath ? void 0 : "no ~/.claude/.credentials.json"].filter(Boolean).join("; ")
-  };
-}
-
-// src/orchestration-providers/codex-oauth-binding.ts
-import { existsSync as existsSync2 } from "node:fs";
-import { homedir as homedir2 } from "node:os";
-import path2 from "node:path";
-var DEFAULT_CODEX_BIN = "codex";
-function authStoreCandidates() {
-  const home = homedir2();
-  return [
-    path2.join(home, ".codex", "auth.json"),
-    path2.join(home, ".config", "codex", "auth.json")
-  ];
-}
-function probeCodexOAuthBinding(nowIso = (/* @__PURE__ */ new Date()).toISOString()) {
-  const bin = resolveCliBin(DEFAULT_CODEX_BIN, ["KYNVER_CODEX_BIN", "CODEX_BIN"]);
-  if (process.env.CODEX_API_KEY?.trim()) {
-    return {
-      providerId: "codex",
-      ready: true,
-      authSource: "api_key_env",
-      sessionFingerprint: envKeyFingerprint("CODEX_API_KEY"),
-      checkedAt: nowIso,
-      note: "CODEX_API_KEY present (env binding \u2014 cloud credits path, no token stored in Kynver)"
-    };
-  }
-  const authPath = authStoreCandidates().find((p) => existsSync2(p));
-  const login = probeCliCommand(bin, ["login", "status"], {
-    okNote: "codex login status: authenticated",
-    failPrefix: "codex login status"
-  });
-  const ready = Boolean(authPath) && login.ok;
-  return {
-    providerId: "codex",
-    ready,
-    authSource: "oauth_local",
-    sessionFingerprint: authPath ? fingerprintAuthStore(authPath) : void 0,
-    checkedAt: nowIso,
-    note: ready ? "Local Codex OAuth session bound on runner" : [login.note, authPath ? void 0 : "no ~/.codex/auth.json"].filter(Boolean).join("; ")
-  };
-}
-
-// src/orchestration-providers/hermes-openai-codex-binding.ts
-import { existsSync as existsSync3 } from "node:fs";
-import { homedir as homedir3 } from "node:os";
-import path3 from "node:path";
-function hermesAuthStorePath() {
-  const configured = process.env.HERMES_HOME?.trim();
-  const home = configured ? path3.resolve(configured) : path3.join(homedir3(), ".hermes");
-  return path3.join(home, "auth.json");
-}
-function probeHermesOpenAiCodexBinding(nowIso = (/* @__PURE__ */ new Date()).toISOString()) {
-  const bin = resolveCliBin("hermes", ["KYNVER_HERMES_BIN", "HERMES_BIN"]);
-  const cli = probeCliCommand(bin, ["--version"], {
-    okNote: `${bin} CLI available`,
-    failPrefix: `${bin} CLI not available`
-  });
-  const authPath = hermesAuthStorePath();
-  const authStorePresent = existsSync3(authPath);
-  const auth = probeCliExitCodeOnly(bin, ["auth", "status", "openai-codex"], {
-    okNote: "hermes openai-codex: logged in",
-    failNote: "hermes openai-codex: not logged in"
-  });
-  const ready = cli.ok && auth.ok;
-  const authSource = ready ? "subscription_hermes" : "none";
-  return {
-    path: "hermes_openai_codex",
-    ready,
-    authSource,
-    sessionFingerprint: authStorePresent ? fingerprintAuthStore(authPath) : void 0,
-    checkedAt: nowIso,
-    note: ready ? "Hermes openai-codex subscription session bound (ChatGPT Codex OAuth)" : [cli.note, auth.note, authStorePresent ? void 0 : "no ~/.hermes/auth.json"].filter(Boolean).join("; ")
-  };
-}
-
-// src/orchestration-providers/codex-orchestration-adapter.ts
-function resolveCodexOrchestrationAdapter(nowIso = (/* @__PURE__ */ new Date()).toISOString()) {
-  const cliBinding = probeCodexOAuthBinding(nowIso);
-  if (cliBinding.ready) {
-    return { ...cliBinding, path: "codex_cli" };
-  }
-  const hermes = probeHermesOpenAiCodexBinding(nowIso);
-  if (hermes.ready) {
-    return {
-      providerId: "codex",
-      ready: true,
-      authSource: hermes.authSource,
-      sessionFingerprint: hermes.sessionFingerprint,
-      checkedAt: hermes.checkedAt,
-      note: hermes.note,
-      path: "hermes_openai_codex",
-      hermesOpenAiCodex: hermes
-    };
-  }
-  return {
-    providerId: "codex",
-    ready: false,
-    authSource: "none",
-    checkedAt: nowIso,
-    path: "none",
-    hermesOpenAiCodex: hermes,
-    note: [cliBinding.note, hermes.note].filter(Boolean).join("; ") || "Codex CLI and Hermes openai-codex unavailable"
-  };
-}
-
-// src/orchestration-providers/cursor-oauth-binding.ts
-import { existsSync as existsSync4 } from "node:fs";
-import { homedir as homedir4 } from "node:os";
-import path4 from "node:path";
-var DEFAULT_AGENT_BIN = "agent";
-function cursorAuthStoreCandidates() {
-  const home = homedir4();
-  return [path4.join(home, ".config", "cursor", "auth.json")];
-}
-function probeCursorOAuthBinding(nowIso = (/* @__PURE__ */ new Date()).toISOString()) {
-  const bin = resolveCliBin(DEFAULT_AGENT_BIN, [
-    "KYNVER_CURSOR_AGENT_BIN",
-    "CURSOR_AGENT_BIN"
-  ]);
-  if (process.env.CURSOR_API_KEY?.trim()) {
-    return {
-      providerId: "cursor",
-      ready: true,
-      authSource: "api_key_env",
-      sessionFingerprint: envKeyFingerprint("CURSOR_API_KEY"),
-      checkedAt: nowIso,
-      note: "CURSOR_API_KEY present (env binding \u2014 cloud credits path, no token stored in Kynver)"
-    };
-  }
-  const cli = probeCliCommand(bin, ["-v"], {
-    okNote: `${bin} CLI available`,
-    failPrefix: `${bin} CLI not available`
-  });
-  const authPath = cursorAuthStoreCandidates().find((p) => existsSync4(p));
-  const ready = Boolean(authPath) && cli.ok;
-  return {
-    providerId: "cursor",
-    ready,
-    authSource: "oauth_local",
-    sessionFingerprint: authPath ? fingerprintAuthStore(authPath) : void 0,
-    checkedAt: nowIso,
-    note: ready ? "Local Cursor/Composer OAuth session bound on runner" : [cli.note, authPath ? void 0 : "no ~/.config/cursor/auth.json"].filter(Boolean).join("; ")
-  };
-}
-
-// src/orchestration-providers/hermes-cli-adapter.ts
-import { existsSync as existsSync5, readFileSync } from "node:fs";
-import { homedir as homedir5 } from "node:os";
-import path5 from "node:path";
-var PROFILE_ENV_KEYS = [
-  "OPENAI_API_KEY",
-  "ANTHROPIC_API_KEY",
-  "KYNVER_API_KEY",
-  "KYNVER_BASE_URL"
-];
-function hermesProfileEnvPath() {
-  const configured = process.env.HERMES_HOME?.trim();
-  const home = configured ? path5.resolve(configured) : path5.join(homedir5(), ".hermes");
-  return path5.join(home, ".env");
-}
-function profileEnvKeyPresence(envPath) {
-  try {
-    const text = readFileSync(envPath, "utf8");
-    const present = [];
-    for (const key of PROFILE_ENV_KEYS) {
-      const re = new RegExp(`^${key}=`, "m");
-      if (re.test(text)) present.push(key);
-    }
-    return present;
-  } catch {
-    return [];
-  }
-}
-function probeHermesCliAdapter(nowIso = (/* @__PURE__ */ new Date()).toISOString()) {
-  const bin = resolveCliBin("hermes", ["KYNVER_HERMES_BIN", "HERMES_BIN"]);
-  const cli = probeCliCommand(bin, ["--version"], {
-    okNote: `${bin} CLI available`,
-    failPrefix: `${bin} CLI not available`
-  });
-  const profilePath = hermesProfileEnvPath();
-  const profileBound = existsSync5(profilePath);
-  const envKeys = profileBound ? profileEnvKeyPresence(profilePath) : [];
-  const hasApiKeys = envKeys.some((k) => k.endsWith("_API_KEY"));
-  const authSource = hasApiKeys ? "api_key_env" : profileBound ? "oauth_local" : "none";
-  const ready = cli.ok && profileBound;
-  return {
-    adapterId: "hermes",
-    cliAvailable: cli.ok,
-    profileBound,
-    authSource,
-    sessionFingerprint: profileBound ? fingerprintAuthStore(profilePath) : void 0,
-    checkedAt: nowIso,
-    note: ready ? `Hermes profile bound (${envKeys.length ? `keys: ${envKeys.join(", ")}` : "no API keys detected"})` : [cli.note, profileBound ? void 0 : "no ~/.hermes/.env"].filter(Boolean).join("; ")
-  };
-}
-
-// src/orchestration-providers/inventory.ts
-function buildOrchestrationProviderInventory(options = {}) {
-  const generatedAt = options.nowIso?.() ?? (/* @__PURE__ */ new Date()).toISOString();
-  const codexAdapter = resolveCodexOrchestrationAdapter(generatedAt);
-  const bindings = {
-    codex: codexAdapter,
-    cursor: probeCursorOAuthBinding(generatedAt),
-    claude: probeClaudeOAuthBinding(generatedAt)
-  };
-  const readyCount = Object.values(bindings).filter((b) => b.ready).length;
-  return {
-    generatedAt,
-    bindings,
-    cloudApiCredits: {
-      anthropicApiKey: Boolean(process.env.ANTHROPIC_API_KEY?.trim()),
-      openaiApiKey: Boolean(process.env.OPENAI_API_KEY?.trim()),
-      codexApiKey: Boolean(process.env.CODEX_API_KEY?.trim())
-    },
-    hermes: probeHermesCliAdapter(generatedAt),
-    hermesOpenAiCodex: probeHermesOpenAiCodexBinding(generatedAt),
-    codexAdapterPath: codexAdapter.path,
-    readyCount
-  };
-}
-
-// src/orchestration-providers/capabilities.ts
-var CAPABILITIES = {
-  codex: {
-    id: "codex",
-    displayName: "Codex (BYO OAuth / Hermes openai-codex)",
-    costTier: "low",
-    authSources: ["oauth_local", "api_key_env", "subscription_hermes"],
-    supportsLowRiskOrchestration: true,
-    supportsPrivilegedPlatformActions: false
-  },
-  cursor: {
-    id: "cursor",
-    displayName: "Cursor / Composer",
-    costTier: "medium",
-    authSources: ["oauth_local", "api_key_env"],
-    supportsLowRiskOrchestration: true,
-    supportsPrivilegedPlatformActions: true
-  },
-  claude: {
-    id: "claude",
-    displayName: "Claude Code",
-    costTier: "high",
-    authSources: ["oauth_local"],
-    supportsLowRiskOrchestration: true,
-    supportsPrivilegedPlatformActions: true
-  }
-};
-function listOrchestrationProviderCapabilities() {
-  return Object.values(CAPABILITIES);
-}
-
-// src/orchestration-enforcement/types.ts
-var ORCHESTRATION_POLICY_MODES = ["off", "observe", "enforce"];
-
-// src/orchestration-enforcement/config.ts
-function normalizeMode(raw) {
-  const value = (raw ?? "off").trim().toLowerCase();
-  if (ORCHESTRATION_POLICY_MODES.includes(value)) {
-    return value;
-  }
-  return "off";
-}
-function resolveOrchestrationPolicyMode(env = process.env) {
-  return normalizeMode(env.KYNVER_ORCHESTRATION_POLICY_MODE);
-}
-function isOrchestrationEnforceTasksEnabled(env = process.env) {
-  const raw = env.KYNVER_ORCHESTRATION_ENFORCE_TASKS?.trim().toLowerCase();
-  if (!raw) return resolveOrchestrationPolicyMode(env) === "enforce";
-  return raw === "1" || raw === "true" || raw === "yes" || raw === "on";
-}
-
-// src/orchestration-enforcement/idempotency.ts
-import { createHash as createHash2 } from "node:crypto";
-function trimOrNull(value) {
-  if (value == null) return null;
-  const t = value.trim();
-  return t.length ? t : null;
-}
-function buildForegroundHarnessIdempotencyKey(input) {
-  const session = trimOrNull(input.sessionId) ?? "anonymous";
-  const title = trimOrNull(input.title) ?? trimOrNull(input.action) ?? "foreground";
-  const digest = createHash2("sha256").update(
-    [
-      trimOrNull(input.planId) ?? "",
-      trimOrNull(input.parentTaskId) ?? "",
-      title.toLowerCase()
-    ].join("|")
-  ).digest("hex").slice(0, 16);
-  return `hermes-foreground:${session}:${digest}`;
-}
-
-// src/orchestration-enforcement/evaluator.ts
-function decisionForMode(mode, enforceEnabled) {
-  if (mode === "enforce" && enforceEnabled) return "enforce_harness_task";
-  if (mode === "observe") return "observe_bypass";
-  return "allow_local";
-}
-function evaluateOrchestrationPolicy(input, env = process.env) {
-  const mode = resolveOrchestrationPolicyMode(env);
-  const enforceEnabled = isOrchestrationEnforceTasksEnabled(env);
-  const decision = decisionForMode(mode, enforceEnabled);
-  const idempotencyKey = decision === "enforce_harness_task" ? buildForegroundHarnessIdempotencyKey({
-    sessionId: input.sessionId,
-    planId: input.planId,
-    parentTaskId: input.parentTaskId,
-    title: input.title,
-    action: input.action
-  }) : null;
-  let reason;
-  if (mode === "off") {
-    reason = "Orchestration policy off \u2014 local foreground path allowed.";
-  } else if (decision === "observe_bypass") {
-    reason = `Observe mode: ${input.action} bypass logged; local fallback preserved.`;
-  } else if (decision === "enforce_harness_task") {
-    reason = `Enforce mode: ${input.action} must create linked harness AgentTask (${idempotencyKey}).`;
-  } else {
-    reason = "Local foreground path allowed.";
-  }
-  return {
-    mode,
-    decision,
-    idempotencyKey,
-    bypassLogged: decision === "observe_bypass",
-    reason
-  };
-}
-export {
-  buildForegroundHarnessIdempotencyKey,
-  buildOrchestrationProviderInventory,
-  evaluateOrchestrationPolicy,
-  isOrchestrationEnforceTasksEnabled,
-  listOrchestrationProviderCapabilities,
-  resolveOrchestrationPolicyMode
-};
-//# sourceMappingURL=orchestration.js.map
+import{existsSync as R}from"node:fs";import{homedir as K}from"node:os";import H from"node:path";import{createHash as v}from"node:crypto";import{statSync as B}from"node:fs";import{spawnSync as A}from"node:child_process";function a(e){try{let t=B(e),r=`${e}|${t.size}|${t.mtimeMs}`;return v("sha256").update(r).digest("hex").slice(0,16)}catch{return}}function u(e){return v("sha256").update(`env:${e}`).digest("hex").slice(0,16)}function c(e,t){for(let r of t){let n=process.env[r]?.trim();if(n)return n}return e}function d(e,t,r={}){let n=r.timeoutMs??8e3;try{let o=A(e,t,{encoding:"utf8",timeout:n,env:{...process.env,CI:"1",NO_COLOR:"1"}});if(o.status===0)return{ok:!0,note:r.okNote??`${e} ${t.join(" ")}: ok`};let i=(o.stderr||o.stdout||"").trim(),s=r.failPrefix??`${e} ${t.join(" ")} failed`;return{ok:!1,note:i?`${s}: ${i.slice(0,200)}`:s}}catch(o){return{ok:!1,note:o instanceof Error?o.message:`${e} probe failed`}}}function l(e,t,r={}){let n=r.timeoutMs??8e3;try{return A(e,t,{stdio:"ignore",timeout:n,env:{...process.env,CI:"1",NO_COLOR:"1"}}).status===0?{ok:!0,note:r.okNote??`${e} authenticated`}:{ok:!1,note:r.failNote??`${e} not authenticated`}}catch(o){return{ok:!1,note:o instanceof Error?o.message:`${e} auth probe failed`}}}var T="claude";function j(){let e=K();return[H.join(e,".claude",".credentials.json")]}function _(e=new Date().toISOString()){let t=c(T,["KYNVER_CLAUDE_BIN","CLAUDE_BIN"]);if(process.env.ANTHROPIC_API_KEY?.trim())return{providerId:"claude",ready:!0,authSource:"api_key_env",sessionFingerprint:u("ANTHROPIC_API_KEY"),checkedAt:e,note:"ANTHROPIC_API_KEY present (env binding \u2014 cloud credits path, no token stored in Kynver)"};let r=d(t,["--version"],{okNote:`${t} CLI available`,failPrefix:`${t} CLI not available`}),n=j().find(s=>R(s)),o=l(t,["auth","status"],{okNote:"claude auth status: authenticated",failNote:"claude auth status: not authenticated"}),i=r.ok&&(o.ok||!!n);return{providerId:"claude",ready:i,authSource:"oauth_local",sessionFingerprint:n?a(n):void 0,checkedAt:e,note:i?"Local Claude Code OAuth session bound on runner":[r.note,o.note,n?void 0:"no ~/.claude/.credentials.json"].filter(Boolean).join("; ")}}import{existsSync as L}from"node:fs";import{homedir as Y}from"node:os";import x from"node:path";var D="codex";function M(){let e=Y();return[x.join(e,".codex","auth.json"),x.join(e,".config","codex","auth.json")]}function P(e=new Date().toISOString()){let t=c(D,["KYNVER_CODEX_BIN","CODEX_BIN"]);if(process.env.CODEX_API_KEY?.trim())return{providerId:"codex",ready:!0,authSource:"api_key_env",sessionFingerprint:u("CODEX_API_KEY"),checkedAt:e,note:"CODEX_API_KEY present (env binding \u2014 cloud credits path, no token stored in Kynver)"};let r=M().find(i=>L(i)),n=d(t,["login","status"],{okNote:"codex login status: authenticated",failPrefix:"codex login status"}),o=!!r&&n.ok;return{providerId:"codex",ready:o,authSource:"oauth_local",sessionFingerprint:r?a(r):void 0,checkedAt:e,note:o?"Local Codex OAuth session bound on runner":[n.note,r?void 0:"no ~/.codex/auth.json"].filter(Boolean).join("; ")}}import{existsSync as $}from"node:fs";import{homedir as F}from"node:os";import f from"node:path";function w(){let e=process.env.HERMES_HOME?.trim(),t=e?f.resolve(e):f.join(F(),".hermes");return f.join(t,"auth.json")}function h(e=new Date().toISOString()){let t=c("hermes",["KYNVER_HERMES_BIN","HERMES_BIN"]),r=d(t,["--version"],{okNote:`${t} CLI available`,failPrefix:`${t} CLI not available`}),n=w(),o=$(n),i=l(t,["auth","status","openai-codex"],{okNote:"hermes openai-codex: logged in",failNote:"hermes openai-codex: not logged in"}),s=r.ok&&i.ok;return{path:"hermes_openai_codex",ready:s,authSource:s?"subscription_hermes":"none",sessionFingerprint:o?a(n):void 0,checkedAt:e,note:s?"Hermes openai-codex subscription session bound (ChatGPT Codex OAuth)":[r.note,i.note,o?void 0:"no ~/.hermes/auth.json"].filter(Boolean).join("; ")}}function I(e=new Date().toISOString()){let t=P(e);if(t.ready)return{...t,path:"codex_cli"};let r=h(e);return r.ready?{providerId:"codex",ready:!0,authSource:r.authSource,sessionFingerprint:r.sessionFingerprint,checkedAt:r.checkedAt,note:r.note,path:"hermes_openai_codex",hermesOpenAiCodex:r}:{providerId:"codex",ready:!1,authSource:"none",checkedAt:e,path:"none",hermesOpenAiCodex:r,note:[t.note,r.note].filter(Boolean).join("; ")||"Codex CLI and Hermes openai-codex unavailable"}}import{existsSync as U}from"node:fs";import{homedir as V}from"node:os";import X from"node:path";var G="agent";function J(){let e=V();return[X.join(e,".config","cursor","auth.json")]}function S(e=new Date().toISOString()){let t=c(G,["KYNVER_CURSOR_AGENT_BIN","CURSOR_AGENT_BIN"]);if(process.env.CURSOR_API_KEY?.trim())return{providerId:"cursor",ready:!0,authSource:"api_key_env",sessionFingerprint:u("CURSOR_API_KEY"),checkedAt:e,note:"CURSOR_API_KEY present (env binding \u2014 cloud credits path, no token stored in Kynver)"};let r=d(t,["-v"],{okNote:`${t} CLI available`,failPrefix:`${t} CLI not available`}),n=J().find(i=>U(i)),o=!!n&&r.ok;return{providerId:"cursor",ready:o,authSource:"oauth_local",sessionFingerprint:n?a(n):void 0,checkedAt:e,note:o?"Local Cursor/Composer OAuth session bound on runner":[r.note,n?void 0:"no ~/.config/cursor/auth.json"].filter(Boolean).join("; ")}}import{existsSync as z,readFileSync as W}from"node:fs";import{homedir as q}from"node:os";import O from"node:path";var Q=["OPENAI_API_KEY","ANTHROPIC_API_KEY","KYNVER_API_KEY","KYNVER_BASE_URL"];function Z(){let e=process.env.HERMES_HOME?.trim(),t=e?O.resolve(e):O.join(q(),".hermes");return O.join(t,".env")}function ee(e){try{let t=W(e,"utf8"),r=[];for(let n of Q)new RegExp(`^${n}=`,"m").test(t)&&r.push(n);return r}catch{return[]}}function E(e=new Date().toISOString()){let t=c("hermes",["KYNVER_HERMES_BIN","HERMES_BIN"]),r=d(t,["--version"],{okNote:`${t} CLI available`,failPrefix:`${t} CLI not available`}),n=Z(),o=z(n),i=o?ee(n):[],C=i.some(k=>k.endsWith("_API_KEY"))?"api_key_env":o?"oauth_local":"none",N=r.ok&&o;return{adapterId:"hermes",cliAvailable:r.ok,profileBound:o,authSource:C,sessionFingerprint:o?a(n):void 0,checkedAt:e,note:N?`Hermes profile bound (${i.length?`keys: ${i.join(", ")}`:"no API keys detected"})`:[r.note,o?void 0:"no ~/.hermes/.env"].filter(Boolean).join("; ")}}function te(e={}){let t=e.nowIso?.()??new Date().toISOString(),r=I(t),n={codex:r,cursor:S(t),claude:_(t)},o=Object.values(n).filter(i=>i.ready).length;return{generatedAt:t,bindings:n,cloudApiCredits:{anthropicApiKey:!!process.env.ANTHROPIC_API_KEY?.trim(),openaiApiKey:!!process.env.OPENAI_API_KEY?.trim(),codexApiKey:!!process.env.CODEX_API_KEY?.trim()},hermes:E(t),hermesOpenAiCodex:h(t),codexAdapterPath:r.path,readyCount:o}}var re={codex:{id:"codex",displayName:"Codex (BYO OAuth / Hermes openai-codex)",costTier:"low",authSources:["oauth_local","api_key_env","subscription_hermes"],supportsLowRiskOrchestration:!0,supportsPrivilegedPlatformActions:!1},cursor:{id:"cursor",displayName:"Cursor / Composer",costTier:"medium",authSources:["oauth_local","api_key_env"],supportsLowRiskOrchestration:!0,supportsPrivilegedPlatformActions:!0},claude:{id:"claude",displayName:"Claude Code",costTier:"high",authSources:["oauth_local"],supportsLowRiskOrchestration:!0,supportsPrivilegedPlatformActions:!0}};function oe(){return Object.values(re)}var b=["off","observe","enforce"];function ne(e){let t=(e??"off").trim().toLowerCase();return b.includes(t)?t:"off"}function m(e=process.env){return ne(e.KYNVER_ORCHESTRATION_POLICY_MODE)}function g(e=process.env){let t=e.KYNVER_ORCHESTRATION_ENFORCE_TASKS?.trim().toLowerCase();return t?t==="1"||t==="true"||t==="yes"||t==="on":m(e)==="enforce"}import{createHash as ie}from"node:crypto";function p(e){if(e==null)return null;let t=e.trim();return t.length?t:null}function y(e){let t=p(e.sessionId)??"anonymous",r=p(e.title)??p(e.action)??"foreground",n=ie("sha256").update([p(e.planId)??"",p(e.parentTaskId)??"",r.toLowerCase()].join("|")).digest("hex").slice(0,16);return`hermes-foreground:${t}:${n}`}function se(e,t){return e==="enforce"&&t?"enforce_harness_task":e==="observe"?"observe_bypass":"allow_local"}function ae(e,t=process.env){let r=m(t),n=g(t),o=se(r,n),i=o==="enforce_harness_task"?y({sessionId:e.sessionId,planId:e.planId,parentTaskId:e.parentTaskId,title:e.title,action:e.action}):null,s;return r==="off"?s="Orchestration policy off \u2014 local foreground path allowed.":o==="observe_bypass"?s=`Observe mode: ${e.action} bypass logged; local fallback preserved.`:o==="enforce_harness_task"?s=`Enforce mode: ${e.action} must create linked harness AgentTask (${i}).`:s="Local foreground path allowed.",{mode:r,decision:o,idempotencyKey:i,bypassLogged:o==="observe_bypass",reason:s}}export{y as buildForegroundHarnessIdempotencyKey,te as buildOrchestrationProviderInventory,ae as evaluateOrchestrationPolicy,g as isOrchestrationEnforceTasksEnabled,oe as listOrchestrationProviderCapabilities,m as resolveOrchestrationPolicyMode};

package/dist/server/pr-evidence.js

@@ -1,163 +1 @@
-// src/vercel/vercel-url.ts
-var VERCEL_HOST_RE = /(^|\.)vercel\.app$/i;
-var DPL_ID_RE = /^dpl_[a-z0-9]+$/i;
-function tryParseUrl(raw) {
-  const trimmed = raw.trim();
-  if (!trimmed) return null;
-  try {
-    return new URL(trimmed);
-  } catch {
-    return null;
-  }
-}
-function parseDashboardDeployment(url) {
-  const parts = url.pathname.split("/").filter(Boolean);
-  if (parts.length < 3) return null;
-  const deploymentId = parts[parts.length - 1]?.trim();
-  if (!deploymentId || deploymentId === "deployments") return null;
-  return deploymentId;
-}
-function parseDeploymentsSegment(url) {
-  const parts = url.pathname.split("/").filter(Boolean);
-  const idx = parts.indexOf("deployments");
-  if (idx < 0 || idx >= parts.length - 1) return null;
-  const deploymentId = parts[idx + 1]?.trim();
-  return deploymentId || null;
-}
-function classifyVercelUrl(raw) {
-  const empty = {
-    kind: "unknown",
-    previewUrl: null,
-    inspectTarget: null,
-    deploymentId: null
-  };
-  const trimmed = raw.trim();
-  if (!trimmed) return empty;
-  if (/^dpl_[a-z0-9]+$/i.test(trimmed)) {
-    return {
-      kind: "deployment_id",
-      previewUrl: null,
-      inspectTarget: trimmed,
-      deploymentId: trimmed
-    };
-  }
-  const url = tryParseUrl(trimmed);
-  if (!url) return empty;
-  if (VERCEL_HOST_RE.test(url.hostname)) {
-    const hostUrl = url.origin;
-    return {
-      kind: "deployment_host",
-      previewUrl: hostUrl,
-      inspectTarget: hostUrl,
-      deploymentId: null
-    };
-  }
-  if (url.hostname === "vercel.com" || url.hostname.endsWith(".vercel.com")) {
-    const deploymentId = parseDeploymentsSegment(url) ?? parseDashboardDeployment(url);
-    const inspectTarget = deploymentId && DPL_ID_RE.test(deploymentId) ? deploymentId : null;
-    return {
-      kind: "dashboard",
-      previewUrl: null,
-      inspectTarget,
-      deploymentId
-    };
-  }
-  return empty;
-}
-
-// src/vercel/vercel-github-status.ts
-var VERCEL_CONTEXT_RE = /vercel/i;
-function normalizeGitHubStatusState(state) {
-  const value = typeof state === "string" ? state.trim().toLowerCase() : "";
-  if (value === "success") return "success";
-  if (value === "pending") return "pending";
-  if (value === "failure") return "failure";
-  if (value === "error") return "error";
-  return "unknown";
-}
-function isVercelStatusContext(context) {
-  const label = typeof context === "string" ? context.trim() : "";
-  return Boolean(label && VERCEL_CONTEXT_RE.test(label));
-}
-function pickVercelStatusContext(statuses) {
-  const rows = Array.isArray(statuses) ? statuses : [];
-  const vercelRows = rows.filter((row) => isVercelStatusContext(row.context));
-  if (vercelRows.length === 0) return null;
-  const score = (state) => {
-    if (state === "failure" || state === "error") return 0;
-    if (state === "pending") return 1;
-    if (state === "success") return 2;
-    return 1;
-  };
-  let best = null;
-  let bestScore = Infinity;
-  for (const row of vercelRows) {
-    const rowScore = score(normalizeGitHubStatusState(row.state));
-    if (rowScore < bestScore) {
-      best = row;
-      bestScore = rowScore;
-    }
-  }
-  if (!best) return null;
-  const targetUrl = typeof best.target_url === "string" && best.target_url.trim() ? best.target_url.trim() : null;
-  const classified = targetUrl ? classifyVercelUrl(targetUrl) : null;
-  return {
-    context: String(best.context ?? "Vercel").trim(),
-    state: normalizeGitHubStatusState(best.state),
-    targetUrl,
-    description: typeof best.description === "string" && best.description.trim() ? best.description.trim() : null,
-    deploymentId: classified?.deploymentId ?? null,
-    previewUrl: classified?.previewUrl ?? null,
-    dashboardUrl: classified?.kind === "dashboard" ? targetUrl : null
-  };
-}
-
-// src/vercel/vercel-evidence.ts
-function mapGitHubStateToEvidence(state) {
-  if (state === "success") return "ready";
-  if (state === "pending") return "building";
-  if (state === "failure" || state === "error") return "error";
-  return "unavailable";
-}
-function evidenceSummary(parts) {
-  return parts.filter(Boolean).join("; ");
-}
-function evidenceFromGitHubVercelStatus(statuses, options = {}) {
-  const observedAt = options.observedAt ?? (/* @__PURE__ */ new Date()).toISOString();
-  const row = pickVercelStatusContext(statuses);
-  if (!row) {
-    return {
-      status: "not_run",
-      previewUrl: null,
-      deploymentUrl: null,
-      summary: "No Vercel GitHub status context on commit",
-      observedAt,
-      inspectSkipped: true,
-      inspectReason: "no_vercel_status_context",
-      githubState: null,
-      vercelContext: null
-    };
-  }
-  const status = mapGitHubStateToEvidence(row.state);
-  const previewUrl = row.previewUrl ?? row.dashboardUrl;
-  const deploymentUrl = row.previewUrl ?? row.dashboardUrl;
-  return {
-    status,
-    previewUrl,
-    deploymentUrl,
-    summary: evidenceSummary([
-      `GitHub ${row.context}=${row.state}`,
-      row.description ?? "",
-      row.dashboardUrl ? "dashboard target_url (API lookup skipped)" : ""
-    ]),
-    observedAt,
-    inspectSkipped: true,
-    inspectReason: row.dashboardUrl && row.state === "success" ? "trusted_github_status_dashboard_url" : row.dashboardUrl ? "dashboard_url_not_api_inspectable" : "github_status_only",
-    githubState: row.state,
-    vercelContext: row.context
-  };
-}
-export {
-  evidenceFromGitHubVercelStatus
-};
-//# sourceMappingURL=pr-evidence.js.map
+var m=/(^|\.)vercel\.app$/i,f=/^dpl_[a-z0-9]+$/i;function g(t){let r=t.trim();if(!r)return null;try{return new URL(r)}catch{return null}}function y(t){let r=t.pathname.split("/").filter(Boolean);if(r.length<3)return null;let l=r[r.length-1]?.trim();return!l||l==="deployments"?null:l}function b(t){let r=t.pathname.split("/").filter(Boolean),l=r.indexOf("deployments");return l<0||l>=r.length-1?null:r[l+1]?.trim()||null}function a(t){let r={kind:"unknown",previewUrl:null,inspectTarget:null,deploymentId:null},l=t.trim();if(!l)return r;if(/^dpl_[a-z0-9]+$/i.test(l))return{kind:"deployment_id",previewUrl:null,inspectTarget:l,deploymentId:l};let e=g(l);if(!e)return r;if(m.test(e.hostname)){let n=e.origin;return{kind:"deployment_host",previewUrl:n,inspectTarget:n,deploymentId:null}}if(e.hostname==="vercel.com"||e.hostname.endsWith(".vercel.com")){let n=b(e)??y(e);return{kind:"dashboard",previewUrl:null,inspectTarget:n&&f.test(n)?n:null,deploymentId:n}}return r}var S=/vercel/i;function p(t){let r=typeof t=="string"?t.trim().toLowerCase():"";return r==="success"?"success":r==="pending"?"pending":r==="failure"?"failure":r==="error"?"error":"unknown"}function v(t){let r=typeof t=="string"?t.trim():"";return!!(r&&S.test(r))}function d(t){let l=(Array.isArray(t)?t:[]).filter(s=>v(s.context));if(l.length===0)return null;let e=s=>s==="failure"||s==="error"?0:s==="pending"?1:s==="success"?2:1,n=null,i=1/0;for(let s of l){let c=e(p(s.state));c<i&&(n=s,i=c)}if(!n)return null;let o=typeof n.target_url=="string"&&n.target_url.trim()?n.target_url.trim():null,u=o?a(o):null;return{context:String(n.context??"Vercel").trim(),state:p(n.state),targetUrl:o,description:typeof n.description=="string"&&n.description.trim()?n.description.trim():null,deploymentId:u?.deploymentId??null,previewUrl:u?.previewUrl??null,dashboardUrl:u?.kind==="dashboard"?o:null}}function U(t){return t==="success"?"ready":t==="pending"?"building":t==="failure"||t==="error"?"error":"unavailable"}function h(t){return t.filter(Boolean).join("; ")}function V(t,r={}){let l=r.observedAt??new Date().toISOString(),e=d(t);if(!e)return{status:"not_run",previewUrl:null,deploymentUrl:null,summary:"No Vercel GitHub status context on commit",observedAt:l,inspectSkipped:!0,inspectReason:"no_vercel_status_context",githubState:null,vercelContext:null};let n=U(e.state),i=e.previewUrl??e.dashboardUrl,o=e.previewUrl??e.dashboardUrl;return{status:n,previewUrl:i,deploymentUrl:o,summary:h([`GitHub ${e.context}=${e.state}`,e.description??"",e.dashboardUrl?"dashboard target_url (API lookup skipped)":""]),observedAt:l,inspectSkipped:!0,inspectReason:e.dashboardUrl&&e.state==="success"?"trusted_github_status_dashboard_url":e.dashboardUrl?"dashboard_url_not_api_inspectable":"github_status_only",githubState:e.state,vercelContext:e.context}}export{V as evidenceFromGitHubVercelStatus};