@manifest-network/manifest-agent-core 0.10.0 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (68) hide show
  1. package/dist/close-lease.d.ts +3 -2
  2. package/dist/close-lease.d.ts.map +1 -1
  3. package/dist/close-lease.js +4 -3
  4. package/dist/close-lease.js.map +1 -1
  5. package/dist/deploy-app.d.ts +3 -2
  6. package/dist/deploy-app.d.ts.map +1 -1
  7. package/dist/deploy-app.js +245 -77
  8. package/dist/deploy-app.js.map +1 -1
  9. package/dist/index.d.ts +1 -1
  10. package/dist/internals/build-fred-input.d.ts +38 -0
  11. package/dist/internals/build-fred-input.d.ts.map +1 -0
  12. package/dist/internals/build-fred-input.js +147 -0
  13. package/dist/internals/build-fred-input.js.map +1 -0
  14. package/dist/internals/classify-deploy-error.d.ts +13 -9
  15. package/dist/internals/classify-deploy-error.d.ts.map +1 -1
  16. package/dist/internals/classify-deploy-error.js +15 -11
  17. package/dist/internals/classify-deploy-error.js.map +1 -1
  18. package/dist/internals/classify-deploy-response.d.ts.map +1 -1
  19. package/dist/internals/classify-deploy-response.js.map +1 -1
  20. package/dist/internals/connection.d.ts.map +1 -1
  21. package/dist/internals/connection.js.map +1 -1
  22. package/dist/internals/evaluate-readiness-from-fred.d.ts +28 -0
  23. package/dist/internals/evaluate-readiness-from-fred.d.ts.map +1 -0
  24. package/dist/internals/evaluate-readiness-from-fred.js +94 -0
  25. package/dist/internals/evaluate-readiness-from-fred.js.map +1 -0
  26. package/dist/internals/evaluate-readiness.d.ts.map +1 -1
  27. package/dist/internals/evaluate-readiness.js.map +1 -1
  28. package/dist/internals/find-sku-uuid.d.ts.map +1 -1
  29. package/dist/internals/find-sku-uuid.js.map +1 -1
  30. package/dist/internals/format-success.d.ts.map +1 -1
  31. package/dist/internals/format-success.js.map +1 -1
  32. package/dist/internals/guarded-fetch.d.ts +2 -138
  33. package/dist/internals/guarded-fetch.js +1 -241
  34. package/dist/internals/humanize-denom.d.ts.map +1 -1
  35. package/dist/internals/humanize-denom.js.map +1 -1
  36. package/dist/internals/inspect-image.d.ts.map +1 -1
  37. package/dist/internals/inspect-image.js.map +1 -1
  38. package/dist/internals/lease-items.d.ts.map +1 -1
  39. package/dist/internals/lease-items.js +1 -4
  40. package/dist/internals/lease-items.js.map +1 -1
  41. package/dist/internals/lease-state.d.ts.map +1 -1
  42. package/dist/internals/lease-state.js.map +1 -1
  43. package/dist/internals/render-deployment-plan.d.ts.map +1 -1
  44. package/dist/internals/render-deployment-plan.js.map +1 -1
  45. package/dist/internals/render-intent-recap.d.ts.map +1 -1
  46. package/dist/internals/render-intent-recap.js.map +1 -1
  47. package/dist/internals/render-partial-success-prompt.d.ts.map +1 -1
  48. package/dist/internals/render-partial-success-prompt.js.map +1 -1
  49. package/dist/internals/save-manifest.d.ts.map +1 -1
  50. package/dist/internals/save-manifest.js.map +1 -1
  51. package/dist/internals/secret-denylist.d.ts.map +1 -1
  52. package/dist/internals/secret-denylist.js.map +1 -1
  53. package/dist/internals/spec-normalize.d.ts.map +1 -1
  54. package/dist/internals/spec-normalize.js.map +1 -1
  55. package/dist/internals/verify-domain-state.d.ts.map +1 -1
  56. package/dist/internals/verify-domain-state.js.map +1 -1
  57. package/dist/internals/verify-recover.d.ts.map +1 -1
  58. package/dist/internals/verify-recover.js.map +1 -1
  59. package/dist/manage-domain.d.ts +3 -2
  60. package/dist/manage-domain.d.ts.map +1 -1
  61. package/dist/manage-domain.js +4 -3
  62. package/dist/manage-domain.js.map +1 -1
  63. package/dist/troubleshoot.js.map +1 -1
  64. package/dist/types.d.ts +19 -0
  65. package/dist/types.d.ts.map +1 -1
  66. package/package.json +5 -7
  67. package/dist/internals/guarded-fetch.d.ts.map +0 -1
  68. package/dist/internals/guarded-fetch.js.map +0 -1
@@ -1 +1 @@
1
- {"version":3,"file":"lease-state.js","names":[],"sources":["../../src/internals/lease-state.ts"],"sourcesContent":["import type { LeaseStateName } from '../types.js';\n\n/**\n * Canonical chain lease-state enum table + decode helpers, used by\n * `classify-deploy-response.ts` and (later) `deploy-app.ts` /\n * `close-lease.ts` / `troubleshoot.ts` to translate integer state codes\n * the chain emits into the typed `LeaseStateName` literal union.\n *\n * Aligned with the current `@manifest-network/manifestjs@2.4.1` `LeaseState`\n * proto (see\n * `node_modules/@manifest-network/manifestjs/dist/codegen/liftedinit/billing/v1/types.d.ts`):\n *\n * ```\n * 0 → LEASE_STATE_UNSPECIFIED\n * 1 → LEASE_STATE_PENDING — lease awaiting provider acknowledgement; credit locked, billing not started\n * 2 → LEASE_STATE_ACTIVE — provider acknowledged, resources provisioned, billing accruing\n * 3 → LEASE_STATE_CLOSED — lease closed normally; final settlement occurred\n * 4 → LEASE_STATE_REJECTED — provider rejected the lease; credit returned to tenant\n * 5 → LEASE_STATE_EXPIRED — lease expired while in PENDING (provider did not acknowledge within the timeout); credit returned. Pre-active terminal state, NOT a post-active expiry\n * ```\n *\n * The proto's `UNRECOGNIZED = -1` enum convenience is NOT included in the\n * STATES map — that value is a TS-enum sentinel for \"unknown decode,\" never\n * a chain emit.\n *\n * `LEASE_STATE_INSUFFICIENT_FUNDS` is retained as an unreachable variant in\n * the frozen `LeaseStateName` union and in `TERMINAL_STATES` for forward-\n * compat — the chain doesn't emit it under v2.1.0, but the public type\n * permits it and the no-op set entry guards against a future chain\n * regression that re-emits it (defense-in-depth).\n */\n\nconst STATES = {\n 0: 'LEASE_STATE_UNSPECIFIED',\n 1: 'LEASE_STATE_PENDING',\n 2: 'LEASE_STATE_ACTIVE',\n 3: 'LEASE_STATE_CLOSED',\n 4: 'LEASE_STATE_REJECTED',\n 5: 'LEASE_STATE_EXPIRED',\n} as const satisfies Record<number, LeaseStateName>;\n\nexport const TERMINAL_STATES: ReadonlySet<LeaseStateName> =\n new Set<LeaseStateName>([\n 'LEASE_STATE_CLOSED',\n 'LEASE_STATE_REJECTED',\n 'LEASE_STATE_EXPIRED',\n // Retained as defense-in-depth: unreachable from decode() on the\n // current chain (v2.1.0 proto drops INSUFFICIENT_FUNDS), but still a\n // legal LeaseStateName variant. If a future chain regression re-emits\n // it, terminal-state checks downstream still classify correctly without\n // a coordinated update across deploy-app / close-lease / troubleshoot.\n 'LEASE_STATE_INSUFFICIENT_FUNDS',\n ]);\n\n/**\n * Decode an integer-or-string lease state into the canonical\n * `LEASE_STATE_*` name. Returns `undefined` for unrecognized input so\n * callers can distinguish \"no info\" from a known state. Callers that\n * need a display sentinel may widen the return type via `|| 'UNKNOWN'`\n * (or similar) for logging/UI purposes only — `'UNKNOWN'` is NOT a\n * `LeaseStateName` variant, so the widening explicitly opts out of the\n * type narrowing the union provides.\n *\n * Accepts either:\n * - a numeric (or numeric-coercible string) integer matching a STATES key,\n * - a string that already starts with `LEASE_STATE_` (passthrough), in\n * which case the value is returned verbatim — the chain's JSON form\n * emits the name directly via `leaseStateToJSON`, so this branch\n * handles both the codec.toJSON() shape and raw integer emit paths.\n *\n * Unrecognized strings (no `LEASE_STATE_` prefix) and out-of-range integers\n * return `undefined`. The passthrough does not validate the suffix against\n * `LeaseStateName` because the chain proto is the source of truth — if a\n * future enum variant appears, it'll flow through; if a malformed string\n * appears, the caller's typed handling catches it.\n */\nexport function decode(\n state: number | string | undefined,\n): LeaseStateName | undefined {\n if (typeof state === 'string' && state.startsWith('LEASE_STATE_')) {\n return state as LeaseStateName;\n }\n const n = Number(state);\n if (Number.isInteger(n) && n in STATES) {\n return STATES[n as keyof typeof STATES];\n }\n return undefined;\n}\n\n/** True iff `name` is in the `TERMINAL_STATES` set. Accepts any string for caller convenience. */\nexport function isTerminal(name: string | undefined): boolean {\n if (typeof name !== 'string') return false;\n return TERMINAL_STATES.has(name as LeaseStateName);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,MAAM,SAAS;CACb,GAAG;CACH,GAAG;CACH,GAAG;CACH,GAAG;CACH,GAAG;CACH,GAAG;CACJ;AAED,MAAa,kBACX,IAAI,IAAoB;CACtB;CACA;CACA;CAMA;CACD,CAAC;;;;;;;;;;;;;;;;;;;;;;;AAwBJ,SAAgB,OACd,OAC4B;AAC5B,KAAI,OAAO,UAAU,YAAY,MAAM,WAAW,eAAe,CAC/D,QAAO;CAET,MAAM,IAAI,OAAO,MAAM;AACvB,KAAI,OAAO,UAAU,EAAE,IAAI,KAAK,OAC9B,QAAO,OAAO;;;AAMlB,SAAgB,WAAW,MAAmC;AAC5D,KAAI,OAAO,SAAS,SAAU,QAAO;AACrC,QAAO,gBAAgB,IAAI,KAAuB"}
1
+ {"version":3,"file":"lease-state.js","names":[],"sources":["../../src/internals/lease-state.ts"],"sourcesContent":["import type { LeaseStateName } from '../types.js';\n\n/**\n * Canonical chain lease-state enum table + decode helpers, used by\n * `classify-deploy-response.ts` and (later) `deploy-app.ts` /\n * `close-lease.ts` / `troubleshoot.ts` to translate integer state codes\n * the chain emits into the typed `LeaseStateName` literal union.\n *\n * Aligned with the current `@manifest-network/manifestjs@2.4.1` `LeaseState`\n * proto (see\n * `node_modules/@manifest-network/manifestjs/dist/codegen/liftedinit/billing/v1/types.d.ts`):\n *\n * ```\n * 0 → LEASE_STATE_UNSPECIFIED\n * 1 → LEASE_STATE_PENDING — lease awaiting provider acknowledgement; credit locked, billing not started\n * 2 → LEASE_STATE_ACTIVE — provider acknowledged, resources provisioned, billing accruing\n * 3 → LEASE_STATE_CLOSED — lease closed normally; final settlement occurred\n * 4 → LEASE_STATE_REJECTED — provider rejected the lease; credit returned to tenant\n * 5 → LEASE_STATE_EXPIRED — lease expired while in PENDING (provider did not acknowledge within the timeout); credit returned. Pre-active terminal state, NOT a post-active expiry\n * ```\n *\n * The proto's `UNRECOGNIZED = -1` enum convenience is NOT included in the\n * STATES map — that value is a TS-enum sentinel for \"unknown decode,\" never\n * a chain emit.\n *\n * `LEASE_STATE_INSUFFICIENT_FUNDS` is retained as an unreachable variant in\n * the frozen `LeaseStateName` union and in `TERMINAL_STATES` for forward-\n * compat — the chain doesn't emit it under v2.1.0, but the public type\n * permits it and the no-op set entry guards against a future chain\n * regression that re-emits it (defense-in-depth).\n */\n\nconst STATES = {\n 0: 'LEASE_STATE_UNSPECIFIED',\n 1: 'LEASE_STATE_PENDING',\n 2: 'LEASE_STATE_ACTIVE',\n 3: 'LEASE_STATE_CLOSED',\n 4: 'LEASE_STATE_REJECTED',\n 5: 'LEASE_STATE_EXPIRED',\n} as const satisfies Record<number, LeaseStateName>;\n\nexport const TERMINAL_STATES: ReadonlySet<LeaseStateName> =\n new Set<LeaseStateName>([\n 'LEASE_STATE_CLOSED',\n 'LEASE_STATE_REJECTED',\n 'LEASE_STATE_EXPIRED',\n // Retained as defense-in-depth: unreachable from decode() on the\n // current chain (v2.1.0 proto drops INSUFFICIENT_FUNDS), but still a\n // legal LeaseStateName variant. If a future chain regression re-emits\n // it, terminal-state checks downstream still classify correctly without\n // a coordinated update across deploy-app / close-lease / troubleshoot.\n 'LEASE_STATE_INSUFFICIENT_FUNDS',\n ]);\n\n/**\n * Decode an integer-or-string lease state into the canonical\n * `LEASE_STATE_*` name. Returns `undefined` for unrecognized input so\n * callers can distinguish \"no info\" from a known state. Callers that\n * need a display sentinel may widen the return type via `|| 'UNKNOWN'`\n * (or similar) for logging/UI purposes only — `'UNKNOWN'` is NOT a\n * `LeaseStateName` variant, so the widening explicitly opts out of the\n * type narrowing the union provides.\n *\n * Accepts either:\n * - a numeric (or numeric-coercible string) integer matching a STATES key,\n * - a string that already starts with `LEASE_STATE_` (passthrough), in\n * which case the value is returned verbatim — the chain's JSON form\n * emits the name directly via `leaseStateToJSON`, so this branch\n * handles both the codec.toJSON() shape and raw integer emit paths.\n *\n * Unrecognized strings (no `LEASE_STATE_` prefix) and out-of-range integers\n * return `undefined`. The passthrough does not validate the suffix against\n * `LeaseStateName` because the chain proto is the source of truth — if a\n * future enum variant appears, it'll flow through; if a malformed string\n * appears, the caller's typed handling catches it.\n */\nexport function decode(\n state: number | string | undefined,\n): LeaseStateName | undefined {\n if (typeof state === 'string' && state.startsWith('LEASE_STATE_')) {\n return state as LeaseStateName;\n }\n const n = Number(state);\n if (Number.isInteger(n) && n in STATES) {\n return STATES[n as keyof typeof STATES];\n }\n return undefined;\n}\n\n/** True iff `name` is in the `TERMINAL_STATES` set. Accepts any string for caller convenience. */\nexport function isTerminal(name: string | undefined): boolean {\n if (typeof name !== 'string') return false;\n return TERMINAL_STATES.has(name as LeaseStateName);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,MAAM,SAAS;CACb,GAAG;CACH,GAAG;CACH,GAAG;CACH,GAAG;CACH,GAAG;CACH,GAAG;AACL;AAEA,MAAa,kBACX,IAAI,IAAoB;CACtB;CACA;CACA;CAMA;AACF,CAAC;;;;;;;;;;;;;;;;;;;;;;;AAwBH,SAAgB,OACd,OAC4B;CAC5B,IAAI,OAAO,UAAU,YAAY,MAAM,WAAW,cAAc,GAC9D,OAAO;CAET,MAAM,IAAI,OAAO,KAAK;CACtB,IAAI,OAAO,UAAU,CAAC,KAAK,KAAK,QAC9B,OAAO,OAAO;AAGlB;;AAGA,SAAgB,WAAW,MAAmC;CAC5D,IAAI,OAAO,SAAS,UAAU,OAAO;CACrC,OAAO,gBAAgB,IAAI,IAAsB;AACnD"}
@@ -1 +1 @@
1
- {"version":3,"file":"render-deployment-plan.d.ts","names":[],"sources":["../../src/internals/render-deployment-plan.ts"],"mappings":";;UAgHiB,yBAAA;;EAEf,IAAA,EAAM,IAAA;EAFkC;EAIxC,QAAA,GAAW,QAAA;EAAQ;EAEnB,KAAA;EAJM;EAMN,IAAA;EAJW;EAMX,QAAA;EAFA;EAIA,YAAA;EAAA;EAEA,mBAAA;AAAA;AAAA,iBAGc,oBAAA,CACd,KAAA,EAAO,yBAAA,GACN,mBAAA"}
1
+ {"version":3,"file":"render-deployment-plan.d.ts","names":[],"sources":["../../src/internals/render-deployment-plan.ts"],"mappings":";;UAgHiB,yBAAA;;EAEf,IAAA,EAAM,IAAA;EAFkC;EAIxC,QAAA,GAAW,QAAQ;EAAA;EAEnB,KAAA;EAJM;EAMN,IAAA;EAJW;EAMX,QAAA;EAFA;EAIA,YAAA;EAAA;EAEA,mBAAA;AAAA;AAAA,iBAGc,oBAAA,CACd,KAAA,EAAO,yBAAA,GACN,mBAAmB"}
@@ -1 +1 @@
1
- {"version":3,"file":"render-deployment-plan.js","names":[],"sources":["../../src/internals/render-deployment-plan.ts"],"sourcesContent":["import type { DeploymentPlanBlock, FeeEstimate, Plan } from '../types.js';\nimport {\n type DenomMap,\n EMPTY_DENOM_MAP,\n humanizeBalances,\n humanizeCoin,\n} from './humanize-denom.js';\n\n/**\n * Render the canonical `DeploymentPlan` block for `deployApp`'s\n * confirmation step. Consumes the typed `Plan` + `FeeEstimate {coins, gas}`\n * shape.\n *\n * **Why this is a renderer, not a builder:** the function consumes a\n * fully-resolved `Plan` (summary + readiness + fees) plus orchestrator-\n * supplied trim data (image / size / metaHash / customDomain). It\n * doesn't compose those inputs — `deployApp.ts` (commit B) constructs\n * the `Plan` from chain queries + estimates and threads it here.\n *\n * **Sync, pure-decision function** (per Q4 Bii pattern): no I/O, no\n * mutation, no implicit lookups. Caller pre-loads the `DenomMap` via\n * `await loadChainDenomMap(chainDataFile)` and passes it in. Default\n * fallback is the no-op `EMPTY_DENOM_MAP` — raw on-chain denoms render\n * verbatim. The `(empty)` literal continues to mark missing balances.\n *\n * **Fee humanization:** the new `FeeEstimate {coins: Coin[], gas}` shape\n * preserves multi-coin precision. The CJS read pre-humanized strings\n * (`--tx-fee \"0.0023 MFX\"`); the TS port humanizes `fees.coins[0]` at\n * render time using `humanizeCoin`, then concatenates with `(gas <n>)`.\n * Multi-coin fees: humanizes all coins with `humanizeBalances` (comma-\n * separated) and renders the result verbatim — gas suffix is appended\n * once.\n *\n * **`setDomain` fee sentinel:** when `plan.fees.setDomain` is the\n * `{notEstimated: true, reason}` sentinel (approach-3 no-representative-\n * lease fallback), the line emits the explicit \"(not estimated — no\n * representative lease...)\" message preserving the CJS's user-facing\n * \"skipped\" semantics.\n *\n * Provider line is intentionally absent (chain selects internally; format-\n * success.ts emits it post-deploy).\n */\n\n/**\n * Same-denom single-coin: sum as `BigInt` (the underlying on-chain\n * unit), then humanize the total. Different denom OR multi-coin:\n * `\"<a> + <b>\"` concat (mirrors the CJS's `sumHumanFees` fallback).\n *\n * Copilot review fix (PR #58 r3250445951): the prior `sumHumanFees`\n * parsed humanized strings to float64, summed, and re-formatted —\n * breaking the BigInt invariant the rest of the denom-humanization\n * pipeline maintains (`humanize-denom.ts:_fmtScaledAmount` is\n * BigInt-based). Realistic create-lease + set-domain fees were tiny\n * so the hit rate was low; the inconsistency was real, and amounts\n * above `Number.MAX_SAFE_INTEGER` (2^53-1) would silently round.\n *\n * Operates on the underlying `FeeEstimate.coins` arrays directly so\n * BigInt precision is preserved through the sum. Humanization\n * happens once, at the end.\n */\nfunction sumFees(a: FeeEstimate, b: FeeEstimate, denomMap: DenomMap): string {\n // Same-denom single-coin: BigInt sum, then humanize.\n if (a.coins.length === 1 && b.coins.length === 1) {\n const ca = a.coins[0];\n const cb = b.coins[0];\n if (ca && cb && ca.denom === cb.denom) {\n const sum = (BigInt(ca.amount) + BigInt(cb.amount)).toString();\n return humanizeCoin(sum, ca.denom, denomMap);\n }\n }\n // Different denom or multi-coin: fall back to concat, mirroring the\n // CJS's behavior. Humanize each side independently.\n return `${humanizeFeeAmount(a, denomMap)} + ${humanizeFeeAmount(b, denomMap)}`;\n}\n\n/**\n * Render a `FeeEstimate {coins, gas}` as the user-facing fee string.\n * Empty coins → `(empty)` literal (CJS parity). Single coin → humanized\n * `\"<amount> <symbol>\"`. Multi-coin → comma-joined.\n */\nfunction humanizeFeeAmount(fee: FeeEstimate, denomMap: DenomMap): string {\n if (fee.coins.length === 0) return '(empty)';\n if (fee.coins.length === 1) {\n const c = fee.coins[0];\n if (c === undefined) return '(empty)';\n return humanizeCoin(c.amount, c.denom, denomMap);\n }\n return humanizeBalances(fee.coins, denomMap);\n}\n\nfunction formatFeeLine(humanFee: string, gas: number): string {\n return `${humanFee} (gas ${gas})`;\n}\n\nfunction formatSkuPrice(plan: Plan, denomMap: DenomMap): string {\n const sku = plan.readiness.sku;\n if (sku === null) return '(unknown — SKU has no listed price)';\n return `${humanizeCoin(sku.price.amount, sku.price.denom, denomMap)} / hour`;\n}\n\nfunction formatWallet(plan: Plan, denomMap: DenomMap): string {\n return humanizeBalances(plan.readiness.walletBalances, denomMap);\n}\n\nfunction formatCredits(plan: Plan, denomMap: DenomMap): string {\n const credits = plan.readiness.credits;\n if (credits === null) return 'none';\n const balances = credits.availableBalances;\n if (!Array.isArray(balances) || balances.length === 0) return '(empty)';\n return humanizeBalances(balances, denomMap);\n}\n\nexport interface RenderDeploymentPlanInput {\n /** Frozen Plan (summary + readiness + fees). */\n plan: Plan;\n /** Pre-loaded denom map. Default: `EMPTY_DENOM_MAP` (raw on-chain rendering). */\n denomMap?: DenomMap;\n /** Primary image reference — first service's image for stacks. */\n image: string;\n /** SKU tier name (e.g. `docker-micro`, `small`). */\n size: string;\n /** Manifest meta-hash hex from `build_manifest_preview`. */\n metaHash: string;\n /** Optional custom-domain FQDN; presence drives the two-tx fee layout. */\n customDomain?: string;\n /** Optional stack-service holding the custom domain. */\n customDomainService?: string;\n}\n\nexport function renderDeploymentPlan(\n input: RenderDeploymentPlanInput,\n): DeploymentPlanBlock {\n const denomMap = input.denomMap ?? EMPTY_DENOM_MAP;\n const { summary } = input.plan;\n\n const manifestLine =\n `${summary.format ?? 'single'}, services=${summary.serviceCount}, ` +\n `ports=${summary.portCount}, env=${summary.envCount}`;\n\n const hasDomain =\n typeof input.customDomain === 'string' && input.customDomain.length > 0;\n\n // Create-lease fee — always present in PlanFees.\n const createFee = input.plan.fees.createLease;\n const createHuman = humanizeFeeAmount(createFee, denomMap);\n const createFeeLine = formatFeeLine(createHuman, createFee.gas);\n\n const lines: string[] = [\n 'DeploymentPlan',\n ` Image: ${input.image}`,\n ` Size: ${input.size}`,\n ` Manifest: ${manifestLine}`,\n ` meta_hash: ${input.metaHash}`,\n ];\n\n if (hasDomain) {\n const target =\n typeof input.customDomainService === 'string' &&\n input.customDomainService.length > 0\n ? `-> service ${input.customDomainService}`\n : '-> single-service lease';\n lines.push(` Custom domain: ${input.customDomain} ${target}`);\n }\n\n lines.push(\n ` SKU price: ${formatSkuPrice(input.plan, denomMap)}`,\n );\n\n if (hasDomain) {\n // Two-tx layout: labeled lines + Total fee. Honors approach-3\n // `notEstimated` sentinel for set-domain pre-broadcast estimation\n // fallback (no representative lease).\n const setDomain = input.plan.fees.setDomain;\n let setDomainLine: string;\n // Capture the typed `FeeEstimate` reference (when the set-domain\n // fee is a real estimate, not the sentinel) so the total-line\n // BigInt sum can operate on `coins` directly via `sumFees`. The\n // prior code parsed humanized strings to float64 — see\n // `sumFees`'s docstring for the precision-loss rationale.\n let setDomainReal: FeeEstimate | null = null;\n if (setDomain === undefined) {\n setDomainLine =\n '(not estimated — agent skipped pre-broadcast simulation, policy violation)';\n } else if ('notEstimated' in setDomain) {\n setDomainLine = `(not estimated — ${setDomain.reason})`;\n } else {\n setDomainReal = setDomain;\n setDomainLine = formatFeeLine(\n humanizeFeeAmount(setDomain, denomMap),\n setDomain.gas,\n );\n }\n\n lines.push(` Tx fee (create-lease): ${createFeeLine}`);\n lines.push(` Tx fee (set-domain): ${setDomainLine}`);\n\n // Total only when both fees are real numbers. Sentinel set-domain\n // fees fall through to the placeholder.\n const totalLine =\n setDomainReal !== null\n ? sumFees(createFee, setDomainReal, denomMap)\n : '(partial — see fee lines above)';\n lines.push(` Total fee: ${totalLine}`);\n } else {\n lines.push(` Tx fee: ${createFeeLine}`);\n }\n\n lines.push(\n ` Wallet: ${formatWallet(input.plan, denomMap)}`,\n );\n lines.push(\n ` Credits: ${formatCredits(input.plan, denomMap)}`,\n );\n\n return { text: lines.join('\\n') };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4DA,SAAS,QAAQ,GAAgB,GAAgB,UAA4B;AAE3E,KAAI,EAAE,MAAM,WAAW,KAAK,EAAE,MAAM,WAAW,GAAG;EAChD,MAAM,KAAK,EAAE,MAAM;EACnB,MAAM,KAAK,EAAE,MAAM;AACnB,MAAI,MAAM,MAAM,GAAG,UAAU,GAAG,MAE9B,QAAO,cADM,OAAO,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,EAAE,UAAU,EACrC,GAAG,OAAO,SAAS;;AAKhD,QAAO,GAAG,kBAAkB,GAAG,SAAS,CAAC,KAAK,kBAAkB,GAAG,SAAS;;;;;;;AAQ9E,SAAS,kBAAkB,KAAkB,UAA4B;AACvE,KAAI,IAAI,MAAM,WAAW,EAAG,QAAO;AACnC,KAAI,IAAI,MAAM,WAAW,GAAG;EAC1B,MAAM,IAAI,IAAI,MAAM;AACpB,MAAI,MAAM,KAAA,EAAW,QAAO;AAC5B,SAAO,aAAa,EAAE,QAAQ,EAAE,OAAO,SAAS;;AAElD,QAAO,iBAAiB,IAAI,OAAO,SAAS;;AAG9C,SAAS,cAAc,UAAkB,KAAqB;AAC5D,QAAO,GAAG,SAAS,QAAQ,IAAI;;AAGjC,SAAS,eAAe,MAAY,UAA4B;CAC9D,MAAM,MAAM,KAAK,UAAU;AAC3B,KAAI,QAAQ,KAAM,QAAO;AACzB,QAAO,GAAG,aAAa,IAAI,MAAM,QAAQ,IAAI,MAAM,OAAO,SAAS,CAAC;;AAGtE,SAAS,aAAa,MAAY,UAA4B;AAC5D,QAAO,iBAAiB,KAAK,UAAU,gBAAgB,SAAS;;AAGlE,SAAS,cAAc,MAAY,UAA4B;CAC7D,MAAM,UAAU,KAAK,UAAU;AAC/B,KAAI,YAAY,KAAM,QAAO;CAC7B,MAAM,WAAW,QAAQ;AACzB,KAAI,CAAC,MAAM,QAAQ,SAAS,IAAI,SAAS,WAAW,EAAG,QAAO;AAC9D,QAAO,iBAAiB,UAAU,SAAS;;AAoB7C,SAAgB,qBACd,OACqB;CACrB,MAAM,WAAW,MAAM,YAAY;CACnC,MAAM,EAAE,YAAY,MAAM;CAE1B,MAAM,eACJ,GAAG,QAAQ,UAAU,SAAS,aAAa,QAAQ,aAAa,UACvD,QAAQ,UAAU,QAAQ,QAAQ;CAE7C,MAAM,YACJ,OAAO,MAAM,iBAAiB,YAAY,MAAM,aAAa,SAAS;CAGxE,MAAM,YAAY,MAAM,KAAK,KAAK;CAElC,MAAM,gBAAgB,cADF,kBAAkB,WAAW,SAAS,EACT,UAAU,IAAI;CAE/D,MAAM,QAAkB;EACtB;EACA,gCAAgC,MAAM;EACtC,gCAAgC,MAAM;EACtC,gCAAgC;EAChC,gCAAgC,MAAM;EACvC;AAED,KAAI,WAAW;EACb,MAAM,SACJ,OAAO,MAAM,wBAAwB,YACrC,MAAM,oBAAoB,SAAS,IAC/B,cAAc,MAAM,wBACpB;AACN,QAAM,KAAK,gCAAgC,MAAM,aAAa,GAAG,SAAS;;AAG5E,OAAM,KACJ,gCAAgC,eAAe,MAAM,MAAM,SAAS,GACrE;AAED,KAAI,WAAW;EAIb,MAAM,YAAY,MAAM,KAAK,KAAK;EAClC,IAAI;EAMJ,IAAI,gBAAoC;AACxC,MAAI,cAAc,KAAA,EAChB,iBACE;WACO,kBAAkB,UAC3B,iBAAgB,oBAAoB,UAAU,OAAO;OAChD;AACL,mBAAgB;AAChB,mBAAgB,cACd,kBAAkB,WAAW,SAAS,EACtC,UAAU,IACX;;AAGH,QAAM,KAAK,gCAAgC,gBAAgB;AAC3D,QAAM,KAAK,gCAAgC,gBAAgB;EAI3D,MAAM,YACJ,kBAAkB,OACd,QAAQ,WAAW,eAAe,SAAS,GAC3C;AACN,QAAM,KAAK,gCAAgC,YAAY;OAEvD,OAAM,KAAK,gCAAgC,gBAAgB;AAG7D,OAAM,KACJ,gCAAgC,aAAa,MAAM,MAAM,SAAS,GACnE;AACD,OAAM,KACJ,gCAAgC,cAAc,MAAM,MAAM,SAAS,GACpE;AAED,QAAO,EAAE,MAAM,MAAM,KAAK,KAAK,EAAE"}
1
+ {"version":3,"file":"render-deployment-plan.js","names":[],"sources":["../../src/internals/render-deployment-plan.ts"],"sourcesContent":["import type { DeploymentPlanBlock, FeeEstimate, Plan } from '../types.js';\nimport {\n type DenomMap,\n EMPTY_DENOM_MAP,\n humanizeBalances,\n humanizeCoin,\n} from './humanize-denom.js';\n\n/**\n * Render the canonical `DeploymentPlan` block for `deployApp`'s\n * confirmation step. Consumes the typed `Plan` + `FeeEstimate {coins, gas}`\n * shape.\n *\n * **Why this is a renderer, not a builder:** the function consumes a\n * fully-resolved `Plan` (summary + readiness + fees) plus orchestrator-\n * supplied trim data (image / size / metaHash / customDomain). It\n * doesn't compose those inputs — `deployApp.ts` (commit B) constructs\n * the `Plan` from chain queries + estimates and threads it here.\n *\n * **Sync, pure-decision function** (per Q4 Bii pattern): no I/O, no\n * mutation, no implicit lookups. Caller pre-loads the `DenomMap` via\n * `await loadChainDenomMap(chainDataFile)` and passes it in. Default\n * fallback is the no-op `EMPTY_DENOM_MAP` — raw on-chain denoms render\n * verbatim. The `(empty)` literal continues to mark missing balances.\n *\n * **Fee humanization:** the new `FeeEstimate {coins: Coin[], gas}` shape\n * preserves multi-coin precision. The CJS read pre-humanized strings\n * (`--tx-fee \"0.0023 MFX\"`); the TS port humanizes `fees.coins[0]` at\n * render time using `humanizeCoin`, then concatenates with `(gas <n>)`.\n * Multi-coin fees: humanizes all coins with `humanizeBalances` (comma-\n * separated) and renders the result verbatim — gas suffix is appended\n * once.\n *\n * **`setDomain` fee sentinel:** when `plan.fees.setDomain` is the\n * `{notEstimated: true, reason}` sentinel (approach-3 no-representative-\n * lease fallback), the line emits the explicit \"(not estimated — no\n * representative lease...)\" message preserving the CJS's user-facing\n * \"skipped\" semantics.\n *\n * Provider line is intentionally absent (chain selects internally; format-\n * success.ts emits it post-deploy).\n */\n\n/**\n * Same-denom single-coin: sum as `BigInt` (the underlying on-chain\n * unit), then humanize the total. Different denom OR multi-coin:\n * `\"<a> + <b>\"` concat (mirrors the CJS's `sumHumanFees` fallback).\n *\n * Copilot review fix (PR #58 r3250445951): the prior `sumHumanFees`\n * parsed humanized strings to float64, summed, and re-formatted —\n * breaking the BigInt invariant the rest of the denom-humanization\n * pipeline maintains (`humanize-denom.ts:_fmtScaledAmount` is\n * BigInt-based). Realistic create-lease + set-domain fees were tiny\n * so the hit rate was low; the inconsistency was real, and amounts\n * above `Number.MAX_SAFE_INTEGER` (2^53-1) would silently round.\n *\n * Operates on the underlying `FeeEstimate.coins` arrays directly so\n * BigInt precision is preserved through the sum. Humanization\n * happens once, at the end.\n */\nfunction sumFees(a: FeeEstimate, b: FeeEstimate, denomMap: DenomMap): string {\n // Same-denom single-coin: BigInt sum, then humanize.\n if (a.coins.length === 1 && b.coins.length === 1) {\n const ca = a.coins[0];\n const cb = b.coins[0];\n if (ca && cb && ca.denom === cb.denom) {\n const sum = (BigInt(ca.amount) + BigInt(cb.amount)).toString();\n return humanizeCoin(sum, ca.denom, denomMap);\n }\n }\n // Different denom or multi-coin: fall back to concat, mirroring the\n // CJS's behavior. Humanize each side independently.\n return `${humanizeFeeAmount(a, denomMap)} + ${humanizeFeeAmount(b, denomMap)}`;\n}\n\n/**\n * Render a `FeeEstimate {coins, gas}` as the user-facing fee string.\n * Empty coins → `(empty)` literal (CJS parity). Single coin → humanized\n * `\"<amount> <symbol>\"`. Multi-coin → comma-joined.\n */\nfunction humanizeFeeAmount(fee: FeeEstimate, denomMap: DenomMap): string {\n if (fee.coins.length === 0) return '(empty)';\n if (fee.coins.length === 1) {\n const c = fee.coins[0];\n if (c === undefined) return '(empty)';\n return humanizeCoin(c.amount, c.denom, denomMap);\n }\n return humanizeBalances(fee.coins, denomMap);\n}\n\nfunction formatFeeLine(humanFee: string, gas: number): string {\n return `${humanFee} (gas ${gas})`;\n}\n\nfunction formatSkuPrice(plan: Plan, denomMap: DenomMap): string {\n const sku = plan.readiness.sku;\n if (sku === null) return '(unknown — SKU has no listed price)';\n return `${humanizeCoin(sku.price.amount, sku.price.denom, denomMap)} / hour`;\n}\n\nfunction formatWallet(plan: Plan, denomMap: DenomMap): string {\n return humanizeBalances(plan.readiness.walletBalances, denomMap);\n}\n\nfunction formatCredits(plan: Plan, denomMap: DenomMap): string {\n const credits = plan.readiness.credits;\n if (credits === null) return 'none';\n const balances = credits.availableBalances;\n if (!Array.isArray(balances) || balances.length === 0) return '(empty)';\n return humanizeBalances(balances, denomMap);\n}\n\nexport interface RenderDeploymentPlanInput {\n /** Frozen Plan (summary + readiness + fees). */\n plan: Plan;\n /** Pre-loaded denom map. Default: `EMPTY_DENOM_MAP` (raw on-chain rendering). */\n denomMap?: DenomMap;\n /** Primary image reference — first service's image for stacks. */\n image: string;\n /** SKU tier name (e.g. `docker-micro`, `small`). */\n size: string;\n /** Manifest meta-hash hex from `build_manifest_preview`. */\n metaHash: string;\n /** Optional custom-domain FQDN; presence drives the two-tx fee layout. */\n customDomain?: string;\n /** Optional stack-service holding the custom domain. */\n customDomainService?: string;\n}\n\nexport function renderDeploymentPlan(\n input: RenderDeploymentPlanInput,\n): DeploymentPlanBlock {\n const denomMap = input.denomMap ?? EMPTY_DENOM_MAP;\n const { summary } = input.plan;\n\n const manifestLine =\n `${summary.format ?? 'single'}, services=${summary.serviceCount}, ` +\n `ports=${summary.portCount}, env=${summary.envCount}`;\n\n const hasDomain =\n typeof input.customDomain === 'string' && input.customDomain.length > 0;\n\n // Create-lease fee — always present in PlanFees.\n const createFee = input.plan.fees.createLease;\n const createHuman = humanizeFeeAmount(createFee, denomMap);\n const createFeeLine = formatFeeLine(createHuman, createFee.gas);\n\n const lines: string[] = [\n 'DeploymentPlan',\n ` Image: ${input.image}`,\n ` Size: ${input.size}`,\n ` Manifest: ${manifestLine}`,\n ` meta_hash: ${input.metaHash}`,\n ];\n\n if (hasDomain) {\n const target =\n typeof input.customDomainService === 'string' &&\n input.customDomainService.length > 0\n ? `-> service ${input.customDomainService}`\n : '-> single-service lease';\n lines.push(` Custom domain: ${input.customDomain} ${target}`);\n }\n\n lines.push(\n ` SKU price: ${formatSkuPrice(input.plan, denomMap)}`,\n );\n\n if (hasDomain) {\n // Two-tx layout: labeled lines + Total fee. Honors approach-3\n // `notEstimated` sentinel for set-domain pre-broadcast estimation\n // fallback (no representative lease).\n const setDomain = input.plan.fees.setDomain;\n let setDomainLine: string;\n // Capture the typed `FeeEstimate` reference (when the set-domain\n // fee is a real estimate, not the sentinel) so the total-line\n // BigInt sum can operate on `coins` directly via `sumFees`. The\n // prior code parsed humanized strings to float64 — see\n // `sumFees`'s docstring for the precision-loss rationale.\n let setDomainReal: FeeEstimate | null = null;\n if (setDomain === undefined) {\n setDomainLine =\n '(not estimated — agent skipped pre-broadcast simulation, policy violation)';\n } else if ('notEstimated' in setDomain) {\n setDomainLine = `(not estimated — ${setDomain.reason})`;\n } else {\n setDomainReal = setDomain;\n setDomainLine = formatFeeLine(\n humanizeFeeAmount(setDomain, denomMap),\n setDomain.gas,\n );\n }\n\n lines.push(` Tx fee (create-lease): ${createFeeLine}`);\n lines.push(` Tx fee (set-domain): ${setDomainLine}`);\n\n // Total only when both fees are real numbers. Sentinel set-domain\n // fees fall through to the placeholder.\n const totalLine =\n setDomainReal !== null\n ? sumFees(createFee, setDomainReal, denomMap)\n : '(partial — see fee lines above)';\n lines.push(` Total fee: ${totalLine}`);\n } else {\n lines.push(` Tx fee: ${createFeeLine}`);\n }\n\n lines.push(\n ` Wallet: ${formatWallet(input.plan, denomMap)}`,\n );\n lines.push(\n ` Credits: ${formatCredits(input.plan, denomMap)}`,\n );\n\n return { text: lines.join('\\n') };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4DA,SAAS,QAAQ,GAAgB,GAAgB,UAA4B;CAE3E,IAAI,EAAE,MAAM,WAAW,KAAK,EAAE,MAAM,WAAW,GAAG;EAChD,MAAM,KAAK,EAAE,MAAM;EACnB,MAAM,KAAK,EAAE,MAAM;EACnB,IAAI,MAAM,MAAM,GAAG,UAAU,GAAG,OAE9B,OAAO,cADM,OAAO,GAAG,MAAM,IAAI,OAAO,GAAG,MAAM,GAAG,SAC9B,GAAG,GAAG,OAAO,QAAQ;CAE/C;CAGA,OAAO,GAAG,kBAAkB,GAAG,QAAQ,EAAE,KAAK,kBAAkB,GAAG,QAAQ;AAC7E;;;;;;AAOA,SAAS,kBAAkB,KAAkB,UAA4B;CACvE,IAAI,IAAI,MAAM,WAAW,GAAG,OAAO;CACnC,IAAI,IAAI,MAAM,WAAW,GAAG;EAC1B,MAAM,IAAI,IAAI,MAAM;EACpB,IAAI,MAAM,KAAA,GAAW,OAAO;EAC5B,OAAO,aAAa,EAAE,QAAQ,EAAE,OAAO,QAAQ;CACjD;CACA,OAAO,iBAAiB,IAAI,OAAO,QAAQ;AAC7C;AAEA,SAAS,cAAc,UAAkB,KAAqB;CAC5D,OAAO,GAAG,SAAS,QAAQ,IAAI;AACjC;AAEA,SAAS,eAAe,MAAY,UAA4B;CAC9D,MAAM,MAAM,KAAK,UAAU;CAC3B,IAAI,QAAQ,MAAM,OAAO;CACzB,OAAO,GAAG,aAAa,IAAI,MAAM,QAAQ,IAAI,MAAM,OAAO,QAAQ,EAAE;AACtE;AAEA,SAAS,aAAa,MAAY,UAA4B;CAC5D,OAAO,iBAAiB,KAAK,UAAU,gBAAgB,QAAQ;AACjE;AAEA,SAAS,cAAc,MAAY,UAA4B;CAC7D,MAAM,UAAU,KAAK,UAAU;CAC/B,IAAI,YAAY,MAAM,OAAO;CAC7B,MAAM,WAAW,QAAQ;CACzB,IAAI,CAAC,MAAM,QAAQ,QAAQ,KAAK,SAAS,WAAW,GAAG,OAAO;CAC9D,OAAO,iBAAiB,UAAU,QAAQ;AAC5C;AAmBA,SAAgB,qBACd,OACqB;CACrB,MAAM,WAAW,MAAM,YAAY;CACnC,MAAM,EAAE,YAAY,MAAM;CAE1B,MAAM,eACJ,GAAG,QAAQ,UAAU,SAAS,aAAa,QAAQ,aAAa,UACvD,QAAQ,UAAU,QAAQ,QAAQ;CAE7C,MAAM,YACJ,OAAO,MAAM,iBAAiB,YAAY,MAAM,aAAa,SAAS;CAGxE,MAAM,YAAY,MAAM,KAAK,KAAK;CAElC,MAAM,gBAAgB,cADF,kBAAkB,WAAW,QACH,GAAG,UAAU,GAAG;CAE9D,MAAM,QAAkB;EACtB;EACA,gCAAgC,MAAM;EACtC,gCAAgC,MAAM;EACtC,gCAAgC;EAChC,gCAAgC,MAAM;CACxC;CAEA,IAAI,WAAW;EACb,MAAM,SACJ,OAAO,MAAM,wBAAwB,YACrC,MAAM,oBAAoB,SAAS,IAC/B,cAAc,MAAM,wBACpB;EACN,MAAM,KAAK,gCAAgC,MAAM,aAAa,GAAG,QAAQ;CAC3E;CAEA,MAAM,KACJ,gCAAgC,eAAe,MAAM,MAAM,QAAQ,GACrE;CAEA,IAAI,WAAW;EAIb,MAAM,YAAY,MAAM,KAAK,KAAK;EAClC,IAAI;EAMJ,IAAI,gBAAoC;EACxC,IAAI,cAAc,KAAA,GAChB,gBACE;OACG,IAAI,kBAAkB,WAC3B,gBAAgB,oBAAoB,UAAU,OAAO;OAChD;GACL,gBAAgB;GAChB,gBAAgB,cACd,kBAAkB,WAAW,QAAQ,GACrC,UAAU,GACZ;EACF;EAEA,MAAM,KAAK,gCAAgC,eAAe;EAC1D,MAAM,KAAK,gCAAgC,eAAe;EAI1D,MAAM,YACJ,kBAAkB,OACd,QAAQ,WAAW,eAAe,QAAQ,IAC1C;EACN,MAAM,KAAK,gCAAgC,WAAW;CACxD,OACE,MAAM,KAAK,gCAAgC,eAAe;CAG5D,MAAM,KACJ,gCAAgC,aAAa,MAAM,MAAM,QAAQ,GACnE;CACA,MAAM,KACJ,gCAAgC,cAAc,MAAM,MAAM,QAAQ,GACpE;CAEA,OAAO,EAAE,MAAM,MAAM,KAAK,IAAI,EAAE;AAClC"}
@@ -1 +1 @@
1
- {"version":3,"file":"render-intent-recap.d.ts","names":[],"sources":["../../src/internals/render-intent-recap.ts"],"mappings":";;;;;AAuCA;;;;;;;;;AAoBA;;;;;;;;;;;;;;;;;;;UApBiB,sBAAA;;EAEf,IAAA,EAAM,UAAA;;EAEN,WAAA;AAAA;AAAA,iBAgBc,iBAAA,CAAkB,KAAA,EAAO,sBAAA"}
1
+ {"version":3,"file":"render-intent-recap.d.ts","names":[],"sources":["../../src/internals/render-intent-recap.ts"],"mappings":";;;;;AAuCA;;;;;;;;AAIa;AAgBb;;;;AAA+D;;;;;;;;;;;;;;;UApB9C,sBAAA;;EAEf,IAAA,EAAM,UAAU;;EAEhB,WAAA;AAAA;AAAA,iBAgBc,iBAAA,CAAkB,KAA6B,EAAtB,sBAAsB"}
@@ -1 +1 @@
1
- {"version":3,"file":"render-intent-recap.js","names":[],"sources":["../../src/internals/render-intent-recap.ts"],"sourcesContent":["import type {\n DeploySpec,\n ServiceDef,\n SingleServiceSpec,\n StackSpec,\n} from '../types.js';\nimport { isStackSpec, normalizeServices } from './spec-normalize.js';\n\n/**\n * Render the structural portion of the intent-recap block shown to the user\n * before any chain round-trips in the deploy-app orchestrator.\n *\n * The 4 deterministic items the recap covers:\n *\n * 1. Deployment surface (service count + per-service `name — image`)\n * 2. Connectivity (per-port ingress posture)\n * 3. Redacted sensitive-key inventory (env / label keys only; never values)\n * 4. Custom-domain + dual-tx clarifier + mainnet warning (when applicable)\n *\n * The 2 LLM-judgment items (\"what you provided vs auto-detected\", \"heads-up:\n * obvious gaps\") stay in prose — the orchestrator appends them between the\n * deterministic block and the `AskUserQuestion` prompt.\n *\n * **Sensitive-value posture:** env values and label values are NEVER\n * surfaced; only keys appear. Mirrors `summarizeSpec`'s contract. FQDNs are\n * not secrets so `customDomain` is surfaced verbatim.\n *\n * **Port-shape handling:** the CJS supports two runtime shapes for ports:\n * - Legacy single-service: `port: number` → renders one ingress=true entry.\n * - Services-map: `ports: Record<portKey, { ingress?: boolean }>` → one\n * entry per port-key with the declared ingress flag (default false).\n *\n * The frozen TS contract narrows `ServiceDef.ports` to `number[]` for the\n * common case; this port also handles the historical Record shape at runtime\n * (matching `summarizeSpec`'s defensive widening) so callers passing\n * unknown-typed input from JSON.parse don't silently drop ports.\n */\n\n/** Render output is a multi-paragraph plain-text block, ready to print verbatim. */\nexport interface RenderIntentRecapInput {\n /** The structured deploy spec (frozen `DeploySpec` shape). */\n spec: DeploySpec;\n /** Active chain — drives the mainnet permanence warning. */\n activeChain: 'testnet' | 'mainnet';\n}\n\ninterface NormalizedService {\n /** `null` for legacy single-service; the services-map key for stack leases. */\n name: string | null;\n /** Image string. Falls back to `(unknown image)` when missing. */\n image: string;\n /** Per-port ingress posture, in declaration order. */\n ports: { port: string; ingress: boolean }[];\n /** Sorted env keys (values redacted). */\n envKeys: string[];\n /** Sorted label keys (values redacted). */\n labelKeys: string[];\n}\n\nexport function renderIntentRecap(input: RenderIntentRecapInput): string {\n if (input.activeChain !== 'testnet' && input.activeChain !== 'mainnet') {\n throw new TypeError(\n `renderIntentRecap: activeChain must be \"testnet\" or \"mainnet\"; got \"${String(input.activeChain)}\"`,\n );\n }\n\n const services = projectServices(input.spec);\n\n const blocks: string[] = [\n renderServiceList(services, input.activeChain),\n renderConnectivity(services),\n renderRedactedInventory(services),\n ];\n const domainBlock = renderCustomDomain(input.spec, input.activeChain);\n if (domainBlock !== null) {\n blocks.push(domainBlock);\n }\n\n return blocks.join('\\n\\n');\n}\n\nfunction projectServices(spec: DeploySpec): NormalizedService[] {\n return normalizeServices(spec).map(({ name, raw }): NormalizedService => {\n const rawRecord = raw as unknown as Record<string, unknown>;\n const image =\n typeof rawRecord.image === 'string' && rawRecord.image.length > 0\n ? rawRecord.image\n : '(unknown image)';\n const ports =\n name === null\n ? extractPortsLegacy((raw as SingleServiceSpec).port)\n : extractPorts((raw as ServiceDef).ports);\n return {\n name,\n image,\n ports,\n envKeys: extractKeys(rawRecord.env),\n labelKeys: extractKeys(rawRecord.labels),\n };\n });\n}\n\n/**\n * Services-map shape: `{ \"80\": { ingress?: boolean }, \"9090\": { ... } }`.\n * Ingress flag may be absent — default `false` matches Fred's cluster-private\n * default. Also handles the typed `number[]` shape (frozen `ServiceDef.ports`)\n * by treating each entry as ingress=false (services-map default).\n */\nfunction extractPorts(ports: unknown): { port: string; ingress: boolean }[] {\n if (Array.isArray(ports)) {\n return ports\n .filter((p): p is number => typeof p === 'number')\n .map((p) => ({ port: String(p), ingress: false }));\n }\n if (ports !== null && typeof ports === 'object') {\n return Object.entries(ports as Record<string, unknown>).map(\n ([port, cfg]) => ({\n port,\n ingress: !!(\n cfg !== null &&\n typeof cfg === 'object' &&\n (cfg as { ingress?: unknown }).ingress\n ),\n }),\n );\n }\n return [];\n}\n\n/**\n * Legacy single-service shape: bare `port: number`. Fred treats this as\n * ingress=true by default — that's the whole point of the simplified\n * shape.\n *\n * Also handles the `number[]` form (the frozen-contract array form):\n * returns one `{ port, ingress: true }` entry per array element, each\n * with `ingress: true` matching the single-service convention. Returns\n * `[]` for any other value (undefined, non-number scalar, non-array\n * object).\n *\n * M2 fix: prior JSDoc incorrectly stated \"Returns `[]` for any other\n * value (including `number[]`...)\" — empirically wrong per the\n * `Array.isArray(port)` branch below.\n */\nfunction extractPortsLegacy(\n port: number | number[] | undefined,\n): { port: string; ingress: boolean }[] {\n if (typeof port === 'number') {\n return [{ port: String(port), ingress: true }];\n }\n if (Array.isArray(port)) {\n return port\n .filter((p): p is number => typeof p === 'number')\n .map((p) => ({ port: String(p), ingress: true }));\n }\n return [];\n}\n\nfunction extractKeys(obj: unknown): string[] {\n if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return [];\n return Object.keys(obj as Record<string, unknown>).sort();\n}\n\nfunction renderServiceList(\n services: NormalizedService[],\n activeChain: 'testnet' | 'mainnet',\n): string {\n const count = services.length;\n const noun = count === 1 ? 'service' : 'services';\n const lines = [`Deploying ${count} ${noun} on ${activeChain}:`];\n for (const svc of services) {\n const prefix = svc.name === null ? '' : `${svc.name} — `;\n lines.push(` - ${prefix}${svc.image}`);\n }\n return lines.join('\\n');\n}\n\nfunction renderConnectivity(services: NormalizedService[]): string {\n const lines = ['Connectivity:'];\n let total = 0;\n for (const svc of services) {\n if (svc.ports.length === 0) continue;\n for (const p of svc.ports) {\n total += 1;\n const prefix =\n svc.name === null ? `port ${p.port}` : `${svc.name} port ${p.port}`;\n const reach = p.ingress\n ? \"publicly reachable via the provider's HTTPS subdomain\"\n : 'internal only (cluster-private)';\n lines.push(` - ${prefix}: ${reach}`);\n }\n }\n if (total === 0) {\n lines.push(\n ' (no ports declared — the deployment will not expose any network surface)',\n );\n }\n return lines.join('\\n');\n}\n\nfunction renderRedactedInventory(services: NormalizedService[]): string {\n // Always render the section header even if everything is empty — the user\n // should know we'd have shown values if there were any. This is also\n // documentation of the redaction discipline.\n const lines = [\n 'Sensitive values are redacted in this recap (keys only, never values):',\n ];\n let anything = false;\n for (const svc of services) {\n const prefix = svc.name === null ? 'this service' : svc.name;\n const parts: string[] = [];\n if (svc.envKeys.length > 0) {\n anything = true;\n parts.push(`env keys [${svc.envKeys.join(', ')}]`);\n }\n if (svc.labelKeys.length > 0) {\n anything = true;\n parts.push(`label keys [${svc.labelKeys.join(', ')}]`);\n }\n if (parts.length === 0) {\n lines.push(` - ${prefix}: no env or labels supplied`);\n } else {\n lines.push(` - ${prefix}: ${parts.join('; ')}`);\n }\n }\n if (!anything) {\n lines.push(\n ' - (no env or labels supplied across any service — nothing to redact)',\n );\n }\n return lines.join('\\n');\n}\n\nfunction renderCustomDomain(\n spec: DeploySpec,\n activeChain: 'testnet' | 'mainnet',\n): string | null {\n const customDomain = (spec as { customDomain?: unknown }).customDomain;\n if (typeof customDomain !== 'string' || customDomain.length === 0) {\n return null;\n }\n // `serviceName` is only legal on StackSpec; for SingleServiceSpec the\n // single service implicitly receives the domain.\n const serviceName = isStackSpec(spec)\n ? (spec as StackSpec).serviceName\n : undefined;\n const target =\n typeof serviceName === 'string' && serviceName.length > 0\n ? `service ${serviceName}`\n : 'single-service lease';\n const lines = [`Custom domain: ${customDomain} → ${target}`];\n lines.push('');\n lines.push(\n 'Note: when a custom domain is set, deploy_app broadcasts TWO billing\\n' +\n 'transactions atomically: create-lease AND set-item-custom-domain. The\\n' +\n 'single permission prompt that fires later covers BOTH; this textual\\n' +\n 'recap is your per-tx review.',\n );\n if (activeChain === 'mainnet') {\n lines.push('');\n lines.push(\n `Mainnet warning: this transaction permanently associates ${customDomain}\\n` +\n 'with this lease on-chain until you --clear it via\\n' +\n '/manifest-agent:manage-domain or close the lease. FQDN squatting is\\n' +\n 'irreversible.',\n );\n }\n return lines.join('\\n');\n}\n"],"mappings":";;AA2DA,SAAgB,kBAAkB,OAAuC;AACvE,KAAI,MAAM,gBAAgB,aAAa,MAAM,gBAAgB,UAC3D,OAAM,IAAI,UACR,uEAAuE,OAAO,MAAM,YAAY,CAAC,GAClG;CAGH,MAAM,WAAW,gBAAgB,MAAM,KAAK;CAE5C,MAAM,SAAmB;EACvB,kBAAkB,UAAU,MAAM,YAAY;EAC9C,mBAAmB,SAAS;EAC5B,wBAAwB,SAAS;EAClC;CACD,MAAM,cAAc,mBAAmB,MAAM,MAAM,MAAM,YAAY;AACrE,KAAI,gBAAgB,KAClB,QAAO,KAAK,YAAY;AAG1B,QAAO,OAAO,KAAK,OAAO;;AAG5B,SAAS,gBAAgB,MAAuC;AAC9D,QAAO,kBAAkB,KAAK,CAAC,KAAK,EAAE,MAAM,UAA6B;EACvE,MAAM,YAAY;AASlB,SAAO;GACL;GACA,OATA,OAAO,UAAU,UAAU,YAAY,UAAU,MAAM,SAAS,IAC5D,UAAU,QACV;GAQJ,OANA,SAAS,OACL,mBAAoB,IAA0B,KAAK,GACnD,aAAc,IAAmB,MAAM;GAK3C,SAAS,YAAY,UAAU,IAAI;GACnC,WAAW,YAAY,UAAU,OAAO;GACzC;GACD;;;;;;;;AASJ,SAAS,aAAa,OAAsD;AAC1E,KAAI,MAAM,QAAQ,MAAM,CACtB,QAAO,MACJ,QAAQ,MAAmB,OAAO,MAAM,SAAS,CACjD,KAAK,OAAO;EAAE,MAAM,OAAO,EAAE;EAAE,SAAS;EAAO,EAAE;AAEtD,KAAI,UAAU,QAAQ,OAAO,UAAU,SACrC,QAAO,OAAO,QAAQ,MAAiC,CAAC,KACrD,CAAC,MAAM,UAAU;EAChB;EACA,SAAS,CAAC,EACR,QAAQ,QACR,OAAO,QAAQ,YACd,IAA8B;EAElC,EACF;AAEH,QAAO,EAAE;;;;;;;;;;;;;;;;;AAkBX,SAAS,mBACP,MACsC;AACtC,KAAI,OAAO,SAAS,SAClB,QAAO,CAAC;EAAE,MAAM,OAAO,KAAK;EAAE,SAAS;EAAM,CAAC;AAEhD,KAAI,MAAM,QAAQ,KAAK,CACrB,QAAO,KACJ,QAAQ,MAAmB,OAAO,MAAM,SAAS,CACjD,KAAK,OAAO;EAAE,MAAM,OAAO,EAAE;EAAE,SAAS;EAAM,EAAE;AAErD,QAAO,EAAE;;AAGX,SAAS,YAAY,KAAwB;AAC3C,KAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,MAAM,QAAQ,IAAI,CAAE,QAAO,EAAE;AAC5E,QAAO,OAAO,KAAK,IAA+B,CAAC,MAAM;;AAG3D,SAAS,kBACP,UACA,aACQ;CACR,MAAM,QAAQ,SAAS;CAEvB,MAAM,QAAQ,CAAC,aAAa,MAAM,GADrB,UAAU,IAAI,YAAY,WACG,MAAM,YAAY,GAAG;AAC/D,MAAK,MAAM,OAAO,UAAU;EAC1B,MAAM,SAAS,IAAI,SAAS,OAAO,KAAK,GAAG,IAAI,KAAK;AACpD,QAAM,KAAK,OAAO,SAAS,IAAI,QAAQ;;AAEzC,QAAO,MAAM,KAAK,KAAK;;AAGzB,SAAS,mBAAmB,UAAuC;CACjE,MAAM,QAAQ,CAAC,gBAAgB;CAC/B,IAAI,QAAQ;AACZ,MAAK,MAAM,OAAO,UAAU;AAC1B,MAAI,IAAI,MAAM,WAAW,EAAG;AAC5B,OAAK,MAAM,KAAK,IAAI,OAAO;AACzB,YAAS;GACT,MAAM,SACJ,IAAI,SAAS,OAAO,QAAQ,EAAE,SAAS,GAAG,IAAI,KAAK,QAAQ,EAAE;GAC/D,MAAM,QAAQ,EAAE,UACZ,0DACA;AACJ,SAAM,KAAK,OAAO,OAAO,IAAI,QAAQ;;;AAGzC,KAAI,UAAU,EACZ,OAAM,KACJ,6EACD;AAEH,QAAO,MAAM,KAAK,KAAK;;AAGzB,SAAS,wBAAwB,UAAuC;CAItE,MAAM,QAAQ,CACZ,yEACD;CACD,IAAI,WAAW;AACf,MAAK,MAAM,OAAO,UAAU;EAC1B,MAAM,SAAS,IAAI,SAAS,OAAO,iBAAiB,IAAI;EACxD,MAAM,QAAkB,EAAE;AAC1B,MAAI,IAAI,QAAQ,SAAS,GAAG;AAC1B,cAAW;AACX,SAAM,KAAK,aAAa,IAAI,QAAQ,KAAK,KAAK,CAAC,GAAG;;AAEpD,MAAI,IAAI,UAAU,SAAS,GAAG;AAC5B,cAAW;AACX,SAAM,KAAK,eAAe,IAAI,UAAU,KAAK,KAAK,CAAC,GAAG;;AAExD,MAAI,MAAM,WAAW,EACnB,OAAM,KAAK,OAAO,OAAO,6BAA6B;MAEtD,OAAM,KAAK,OAAO,OAAO,IAAI,MAAM,KAAK,KAAK,GAAG;;AAGpD,KAAI,CAAC,SACH,OAAM,KACJ,yEACD;AAEH,QAAO,MAAM,KAAK,KAAK;;AAGzB,SAAS,mBACP,MACA,aACe;CACf,MAAM,eAAgB,KAAoC;AAC1D,KAAI,OAAO,iBAAiB,YAAY,aAAa,WAAW,EAC9D,QAAO;CAIT,MAAM,cAAc,YAAY,KAAK,GAChC,KAAmB,cACpB,KAAA;CAKJ,MAAM,QAAQ,CAAC,kBAAkB,aAAa,KAH5C,OAAO,gBAAgB,YAAY,YAAY,SAAS,IACpD,WAAW,gBACX,yBACsD;AAC5D,OAAM,KAAK,GAAG;AACd,OAAM,KACJ,iPAID;AACD,KAAI,gBAAgB,WAAW;AAC7B,QAAM,KAAK,GAAG;AACd,QAAM,KACJ,4DAA4D,aAAa;;eAI1E;;AAEH,QAAO,MAAM,KAAK,KAAK"}
1
+ {"version":3,"file":"render-intent-recap.js","names":[],"sources":["../../src/internals/render-intent-recap.ts"],"sourcesContent":["import type {\n DeploySpec,\n ServiceDef,\n SingleServiceSpec,\n StackSpec,\n} from '../types.js';\nimport { isStackSpec, normalizeServices } from './spec-normalize.js';\n\n/**\n * Render the structural portion of the intent-recap block shown to the user\n * before any chain round-trips in the deploy-app orchestrator.\n *\n * The 4 deterministic items the recap covers:\n *\n * 1. Deployment surface (service count + per-service `name — image`)\n * 2. Connectivity (per-port ingress posture)\n * 3. Redacted sensitive-key inventory (env / label keys only; never values)\n * 4. Custom-domain + dual-tx clarifier + mainnet warning (when applicable)\n *\n * The 2 LLM-judgment items (\"what you provided vs auto-detected\", \"heads-up:\n * obvious gaps\") stay in prose — the orchestrator appends them between the\n * deterministic block and the `AskUserQuestion` prompt.\n *\n * **Sensitive-value posture:** env values and label values are NEVER\n * surfaced; only keys appear. Mirrors `summarizeSpec`'s contract. FQDNs are\n * not secrets so `customDomain` is surfaced verbatim.\n *\n * **Port-shape handling:** the CJS supports two runtime shapes for ports:\n * - Legacy single-service: `port: number` → renders one ingress=true entry.\n * - Services-map: `ports: Record<portKey, { ingress?: boolean }>` → one\n * entry per port-key with the declared ingress flag (default false).\n *\n * The frozen TS contract narrows `ServiceDef.ports` to `number[]` for the\n * common case; this port also handles the historical Record shape at runtime\n * (matching `summarizeSpec`'s defensive widening) so callers passing\n * unknown-typed input from JSON.parse don't silently drop ports.\n */\n\n/** Render output is a multi-paragraph plain-text block, ready to print verbatim. */\nexport interface RenderIntentRecapInput {\n /** The structured deploy spec (frozen `DeploySpec` shape). */\n spec: DeploySpec;\n /** Active chain — drives the mainnet permanence warning. */\n activeChain: 'testnet' | 'mainnet';\n}\n\ninterface NormalizedService {\n /** `null` for legacy single-service; the services-map key for stack leases. */\n name: string | null;\n /** Image string. Falls back to `(unknown image)` when missing. */\n image: string;\n /** Per-port ingress posture, in declaration order. */\n ports: { port: string; ingress: boolean }[];\n /** Sorted env keys (values redacted). */\n envKeys: string[];\n /** Sorted label keys (values redacted). */\n labelKeys: string[];\n}\n\nexport function renderIntentRecap(input: RenderIntentRecapInput): string {\n if (input.activeChain !== 'testnet' && input.activeChain !== 'mainnet') {\n throw new TypeError(\n `renderIntentRecap: activeChain must be \"testnet\" or \"mainnet\"; got \"${String(input.activeChain)}\"`,\n );\n }\n\n const services = projectServices(input.spec);\n\n const blocks: string[] = [\n renderServiceList(services, input.activeChain),\n renderConnectivity(services),\n renderRedactedInventory(services),\n ];\n const domainBlock = renderCustomDomain(input.spec, input.activeChain);\n if (domainBlock !== null) {\n blocks.push(domainBlock);\n }\n\n return blocks.join('\\n\\n');\n}\n\nfunction projectServices(spec: DeploySpec): NormalizedService[] {\n return normalizeServices(spec).map(({ name, raw }): NormalizedService => {\n const rawRecord = raw as unknown as Record<string, unknown>;\n const image =\n typeof rawRecord.image === 'string' && rawRecord.image.length > 0\n ? rawRecord.image\n : '(unknown image)';\n const ports =\n name === null\n ? extractPortsLegacy((raw as SingleServiceSpec).port)\n : extractPorts((raw as ServiceDef).ports);\n return {\n name,\n image,\n ports,\n envKeys: extractKeys(rawRecord.env),\n labelKeys: extractKeys(rawRecord.labels),\n };\n });\n}\n\n/**\n * Services-map shape: `{ \"80\": { ingress?: boolean }, \"9090\": { ... } }`.\n * Ingress flag may be absent — default `false` matches Fred's cluster-private\n * default. Also handles the typed `number[]` shape (frozen `ServiceDef.ports`)\n * by treating each entry as ingress=false (services-map default).\n */\nfunction extractPorts(ports: unknown): { port: string; ingress: boolean }[] {\n if (Array.isArray(ports)) {\n return ports\n .filter((p): p is number => typeof p === 'number')\n .map((p) => ({ port: String(p), ingress: false }));\n }\n if (ports !== null && typeof ports === 'object') {\n return Object.entries(ports as Record<string, unknown>).map(\n ([port, cfg]) => ({\n port,\n ingress: !!(\n cfg !== null &&\n typeof cfg === 'object' &&\n (cfg as { ingress?: unknown }).ingress\n ),\n }),\n );\n }\n return [];\n}\n\n/**\n * Legacy single-service shape: bare `port: number`. Fred treats this as\n * ingress=true by default — that's the whole point of the simplified\n * shape.\n *\n * Also handles the `number[]` form (the frozen-contract array form):\n * returns one `{ port, ingress: true }` entry per array element, each\n * with `ingress: true` matching the single-service convention. Returns\n * `[]` for any other value (undefined, non-number scalar, non-array\n * object).\n *\n * M2 fix: prior JSDoc incorrectly stated \"Returns `[]` for any other\n * value (including `number[]`...)\" — empirically wrong per the\n * `Array.isArray(port)` branch below.\n */\nfunction extractPortsLegacy(\n port: number | number[] | undefined,\n): { port: string; ingress: boolean }[] {\n if (typeof port === 'number') {\n return [{ port: String(port), ingress: true }];\n }\n if (Array.isArray(port)) {\n return port\n .filter((p): p is number => typeof p === 'number')\n .map((p) => ({ port: String(p), ingress: true }));\n }\n return [];\n}\n\nfunction extractKeys(obj: unknown): string[] {\n if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return [];\n return Object.keys(obj as Record<string, unknown>).sort();\n}\n\nfunction renderServiceList(\n services: NormalizedService[],\n activeChain: 'testnet' | 'mainnet',\n): string {\n const count = services.length;\n const noun = count === 1 ? 'service' : 'services';\n const lines = [`Deploying ${count} ${noun} on ${activeChain}:`];\n for (const svc of services) {\n const prefix = svc.name === null ? '' : `${svc.name} — `;\n lines.push(` - ${prefix}${svc.image}`);\n }\n return lines.join('\\n');\n}\n\nfunction renderConnectivity(services: NormalizedService[]): string {\n const lines = ['Connectivity:'];\n let total = 0;\n for (const svc of services) {\n if (svc.ports.length === 0) continue;\n for (const p of svc.ports) {\n total += 1;\n const prefix =\n svc.name === null ? `port ${p.port}` : `${svc.name} port ${p.port}`;\n const reach = p.ingress\n ? \"publicly reachable via the provider's HTTPS subdomain\"\n : 'internal only (cluster-private)';\n lines.push(` - ${prefix}: ${reach}`);\n }\n }\n if (total === 0) {\n lines.push(\n ' (no ports declared — the deployment will not expose any network surface)',\n );\n }\n return lines.join('\\n');\n}\n\nfunction renderRedactedInventory(services: NormalizedService[]): string {\n // Always render the section header even if everything is empty — the user\n // should know we'd have shown values if there were any. This is also\n // documentation of the redaction discipline.\n const lines = [\n 'Sensitive values are redacted in this recap (keys only, never values):',\n ];\n let anything = false;\n for (const svc of services) {\n const prefix = svc.name === null ? 'this service' : svc.name;\n const parts: string[] = [];\n if (svc.envKeys.length > 0) {\n anything = true;\n parts.push(`env keys [${svc.envKeys.join(', ')}]`);\n }\n if (svc.labelKeys.length > 0) {\n anything = true;\n parts.push(`label keys [${svc.labelKeys.join(', ')}]`);\n }\n if (parts.length === 0) {\n lines.push(` - ${prefix}: no env or labels supplied`);\n } else {\n lines.push(` - ${prefix}: ${parts.join('; ')}`);\n }\n }\n if (!anything) {\n lines.push(\n ' - (no env or labels supplied across any service — nothing to redact)',\n );\n }\n return lines.join('\\n');\n}\n\nfunction renderCustomDomain(\n spec: DeploySpec,\n activeChain: 'testnet' | 'mainnet',\n): string | null {\n const customDomain = (spec as { customDomain?: unknown }).customDomain;\n if (typeof customDomain !== 'string' || customDomain.length === 0) {\n return null;\n }\n // `serviceName` is only legal on StackSpec; for SingleServiceSpec the\n // single service implicitly receives the domain.\n const serviceName = isStackSpec(spec)\n ? (spec as StackSpec).serviceName\n : undefined;\n const target =\n typeof serviceName === 'string' && serviceName.length > 0\n ? `service ${serviceName}`\n : 'single-service lease';\n const lines = [`Custom domain: ${customDomain} → ${target}`];\n lines.push('');\n lines.push(\n 'Note: when a custom domain is set, deploy_app broadcasts TWO billing\\n' +\n 'transactions atomically: create-lease AND set-item-custom-domain. The\\n' +\n 'single permission prompt that fires later covers BOTH; this textual\\n' +\n 'recap is your per-tx review.',\n );\n if (activeChain === 'mainnet') {\n lines.push('');\n lines.push(\n `Mainnet warning: this transaction permanently associates ${customDomain}\\n` +\n 'with this lease on-chain until you --clear it via\\n' +\n '/manifest-agent:manage-domain or close the lease. FQDN squatting is\\n' +\n 'irreversible.',\n );\n }\n return lines.join('\\n');\n}\n"],"mappings":";;AA2DA,SAAgB,kBAAkB,OAAuC;CACvE,IAAI,MAAM,gBAAgB,aAAa,MAAM,gBAAgB,WAC3D,MAAM,IAAI,UACR,uEAAuE,OAAO,MAAM,WAAW,EAAE,EACnG;CAGF,MAAM,WAAW,gBAAgB,MAAM,IAAI;CAE3C,MAAM,SAAmB;EACvB,kBAAkB,UAAU,MAAM,WAAW;EAC7C,mBAAmB,QAAQ;EAC3B,wBAAwB,QAAQ;CAClC;CACA,MAAM,cAAc,mBAAmB,MAAM,MAAM,MAAM,WAAW;CACpE,IAAI,gBAAgB,MAClB,OAAO,KAAK,WAAW;CAGzB,OAAO,OAAO,KAAK,MAAM;AAC3B;AAEA,SAAS,gBAAgB,MAAuC;CAC9D,OAAO,kBAAkB,IAAI,EAAE,KAAK,EAAE,MAAM,UAA6B;EACvE,MAAM,YAAY;EASlB,OAAO;GACL;GACA,OATA,OAAO,UAAU,UAAU,YAAY,UAAU,MAAM,SAAS,IAC5D,UAAU,QACV;GAQJ,OANA,SAAS,OACL,mBAAoB,IAA0B,IAAI,IAClD,aAAc,IAAmB,KAAK;GAK1C,SAAS,YAAY,UAAU,GAAG;GAClC,WAAW,YAAY,UAAU,MAAM;EACzC;CACF,CAAC;AACH;;;;;;;AAQA,SAAS,aAAa,OAAsD;CAC1E,IAAI,MAAM,QAAQ,KAAK,GACrB,OAAO,MACJ,QAAQ,MAAmB,OAAO,MAAM,QAAQ,EAChD,KAAK,OAAO;EAAE,MAAM,OAAO,CAAC;EAAG,SAAS;CAAM,EAAE;CAErD,IAAI,UAAU,QAAQ,OAAO,UAAU,UACrC,OAAO,OAAO,QAAQ,KAAgC,EAAE,KACrD,CAAC,MAAM,UAAU;EAChB;EACA,SAAS,CAAC,EACR,QAAQ,QACR,OAAO,QAAQ,YACd,IAA8B;CAEnC,EACF;CAEF,OAAO,CAAC;AACV;;;;;;;;;;;;;;;;AAiBA,SAAS,mBACP,MACsC;CACtC,IAAI,OAAO,SAAS,UAClB,OAAO,CAAC;EAAE,MAAM,OAAO,IAAI;EAAG,SAAS;CAAK,CAAC;CAE/C,IAAI,MAAM,QAAQ,IAAI,GACpB,OAAO,KACJ,QAAQ,MAAmB,OAAO,MAAM,QAAQ,EAChD,KAAK,OAAO;EAAE,MAAM,OAAO,CAAC;EAAG,SAAS;CAAK,EAAE;CAEpD,OAAO,CAAC;AACV;AAEA,SAAS,YAAY,KAAwB;CAC3C,IAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,MAAM,QAAQ,GAAG,GAAG,OAAO,CAAC;CAC3E,OAAO,OAAO,KAAK,GAA8B,EAAE,KAAK;AAC1D;AAEA,SAAS,kBACP,UACA,aACQ;CACR,MAAM,QAAQ,SAAS;CAEvB,MAAM,QAAQ,CAAC,aAAa,MAAM,GADrB,UAAU,IAAI,YAAY,WACG,MAAM,YAAY,EAAE;CAC9D,KAAK,MAAM,OAAO,UAAU;EAC1B,MAAM,SAAS,IAAI,SAAS,OAAO,KAAK,GAAG,IAAI,KAAK;EACpD,MAAM,KAAK,OAAO,SAAS,IAAI,OAAO;CACxC;CACA,OAAO,MAAM,KAAK,IAAI;AACxB;AAEA,SAAS,mBAAmB,UAAuC;CACjE,MAAM,QAAQ,CAAC,eAAe;CAC9B,IAAI,QAAQ;CACZ,KAAK,MAAM,OAAO,UAAU;EAC1B,IAAI,IAAI,MAAM,WAAW,GAAG;EAC5B,KAAK,MAAM,KAAK,IAAI,OAAO;GACzB,SAAS;GACT,MAAM,SACJ,IAAI,SAAS,OAAO,QAAQ,EAAE,SAAS,GAAG,IAAI,KAAK,QAAQ,EAAE;GAC/D,MAAM,QAAQ,EAAE,UACZ,0DACA;GACJ,MAAM,KAAK,OAAO,OAAO,IAAI,OAAO;EACtC;CACF;CACA,IAAI,UAAU,GACZ,MAAM,KACJ,4EACF;CAEF,OAAO,MAAM,KAAK,IAAI;AACxB;AAEA,SAAS,wBAAwB,UAAuC;CAItE,MAAM,QAAQ,CACZ,wEACF;CACA,IAAI,WAAW;CACf,KAAK,MAAM,OAAO,UAAU;EAC1B,MAAM,SAAS,IAAI,SAAS,OAAO,iBAAiB,IAAI;EACxD,MAAM,QAAkB,CAAC;EACzB,IAAI,IAAI,QAAQ,SAAS,GAAG;GAC1B,WAAW;GACX,MAAM,KAAK,aAAa,IAAI,QAAQ,KAAK,IAAI,EAAE,EAAE;EACnD;EACA,IAAI,IAAI,UAAU,SAAS,GAAG;GAC5B,WAAW;GACX,MAAM,KAAK,eAAe,IAAI,UAAU,KAAK,IAAI,EAAE,EAAE;EACvD;EACA,IAAI,MAAM,WAAW,GACnB,MAAM,KAAK,OAAO,OAAO,4BAA4B;OAErD,MAAM,KAAK,OAAO,OAAO,IAAI,MAAM,KAAK,IAAI,GAAG;CAEnD;CACA,IAAI,CAAC,UACH,MAAM,KACJ,wEACF;CAEF,OAAO,MAAM,KAAK,IAAI;AACxB;AAEA,SAAS,mBACP,MACA,aACe;CACf,MAAM,eAAgB,KAAoC;CAC1D,IAAI,OAAO,iBAAiB,YAAY,aAAa,WAAW,GAC9D,OAAO;CAIT,MAAM,cAAc,YAAY,IAAI,IAC/B,KAAmB,cACpB,KAAA;CAKJ,MAAM,QAAQ,CAAC,kBAAkB,aAAa,KAH5C,OAAO,gBAAgB,YAAY,YAAY,SAAS,IACpD,WAAW,gBACX,wBACqD;CAC3D,MAAM,KAAK,EAAE;CACb,MAAM,KACJ,gPAIF;CACA,IAAI,gBAAgB,WAAW;EAC7B,MAAM,KAAK,EAAE;EACb,MAAM,KACJ,4DAA4D,aAAa;;cAI3E;CACF;CACA,OAAO,MAAM,KAAK,IAAI;AACxB"}
@@ -1 +1 @@
1
- {"version":3,"file":"render-partial-success-prompt.d.ts","names":[],"sources":["../../src/internals/render-partial-success-prompt.ts"],"mappings":";;;UAmCiB,+BAAA;;EAEf,SAAA;EAF8C;EAI9C,YAAA;EAJ8C;EAM9C,MAAA;EAFA;EAIA,qBAAA;AAAA;AAAA,UAGe,oBAAA;EAHM;EAKrB,MAAA;EAFmC;;;;EAOnC,OAAA,EAAS,gBAAA;AAAA;AAAA,iBAGK,0BAAA,CACd,KAAA,EAAO,+BAAA,GACN,oBAAA"}
1
+ {"version":3,"file":"render-partial-success-prompt.d.ts","names":[],"sources":["../../src/internals/render-partial-success-prompt.ts"],"mappings":";;;UAmCiB,+BAAA;;EAEf,SAAA;EAF8C;EAI9C,YAAA;EAJ8C;EAM9C,MAAA;EAFA;EAIA,qBAAA;AAAA;AAAA,UAGe,oBAAA;EAHM;EAKrB,MAAA;EAFmC;;;;EAOnC,OAAA,EAAS,gBAAgB;AAAA;AAAA,iBAGX,0BAAA,CACd,KAAA,EAAO,+BAAA,GACN,oBAAoB"}
@@ -1 +1 @@
1
- {"version":3,"file":"render-partial-success-prompt.js","names":[],"sources":["../../src/internals/render-partial-success-prompt.ts"],"sourcesContent":["import type { RecoveryOptionId } from '../types.js';\n\n/**\n * Render the prompt body + recovery-option set for `deployApp`'s\n * partial-success recovery branch. Uses a fixed structural template —\n * wording stays consistent across runs regardless of LLM paraphrase\n * tendencies.\n *\n * **Conditional inserts:** wording differs by whether a `customDomain`\n * was requested. When absent, the failure description shifts to a\n * generic \"manifest upload or readiness poll failed\" framing and the\n * `retry_set_domain` recovery option is omitted (it's meaningless\n * without a domain request to retry).\n *\n * The CJS emits a single-line JSON object on stdout\n * (`{ prompt, options: string[] }`). The TS port returns a structured\n * `PartialSuccessPrompt` with typed `RecoveryOptionId`s, so the\n * `deployApp` orchestrator can route directly into the inline-closure\n * recovery dispatch (per gate-2 verdict) without intermediate\n * stringification.\n *\n * **Note on `decodedState`:** the caller is expected to have already\n * decoded the chain integer / `LEASE_STATE_*` string via\n * `lease-state.ts:decode` and pass the canonical name (or a\n * `UNKNOWN(<raw>)` sentinel for unrecognized values). This module does\n * not re-decode — the canonical name is shown verbatim in the lease\n * status line so an explicit `LEASE_STATE_` prefix is preserved (the\n * partial-success path surfaces the raw lease state for diagnostic\n * fidelity, unlike `formatSuccess` which strips the prefix for display).\n */\n\n/** RFC 4122 UUID — 36 chars, hex + 4 hyphens, lowercase or upper. */\nconst UUID_RE =\n /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;\n\nexport interface RenderPartialSuccessPromptInput {\n /** The lease UUID created on-chain (validated RFC 4122). */\n leaseUuid: string;\n /** Canonical lease state name (e.g. `LEASE_STATE_PENDING`) — pre-decoded. */\n decodedState: string;\n /** Failure reason from the MCP error envelope or `classifyDeployError`. */\n reason: string;\n /** Optional: FQDN the user requested. Presence drives wording + retry option. */\n requestedCustomDomain?: string;\n}\n\nexport interface PartialSuccessPrompt {\n /** Multi-line prompt body to pass to AskUserQuestion. */\n prompt: string;\n /**\n * Recovery options offered to the user. `retry_set_domain` is omitted\n * when no domain was requested. Order matches the CJS's option list.\n */\n options: RecoveryOptionId[];\n}\n\nexport function renderPartialSuccessPrompt(\n input: RenderPartialSuccessPromptInput,\n): PartialSuccessPrompt {\n if (!UUID_RE.test(input.leaseUuid)) {\n throw new TypeError(\n `renderPartialSuccessPrompt: leaseUuid must be a UUID; got \"${input.leaseUuid}\"`,\n );\n }\n if (\n typeof input.decodedState !== 'string' ||\n input.decodedState.length === 0\n ) {\n throw new TypeError(\n 'renderPartialSuccessPrompt: decodedState must be a non-empty string',\n );\n }\n if (typeof input.reason !== 'string' || input.reason.length === 0) {\n throw new TypeError(\n 'renderPartialSuccessPrompt: reason must be a non-empty string',\n );\n }\n\n const hasDomain =\n typeof input.requestedCustomDomain === 'string' &&\n input.requestedCustomDomain.length > 0;\n\n const lines: string[] = [\n 'Deploy partially succeeded:',\n ` - Lease ${input.leaseUuid} was created on-chain (state: ${input.decodedState}).`,\n ];\n if (hasDomain) {\n lines.push(\n ` - The set-domain step for ${input.requestedCustomDomain} did NOT complete: ${input.reason}.`,\n ' The manifest was therefore NEVER uploaded to the provider — no app is running on this lease.',\n );\n } else {\n lines.push(\n ` - The manifest upload or readiness poll failed: ${input.reason}.`,\n ' The provider may or may not have started the app.',\n );\n }\n lines.push('', 'What do you want to do?');\n\n const options: RecoveryOptionId[] = [];\n if (hasDomain) {\n options.push('retry_set_domain');\n }\n options.push('salvage_without_domain');\n // CJS emits \"Cancel or close the lease\" as a single user-facing option\n // (3 total when hasDomain, 2 when not). The typed `RecoveryOptionId`\n // vocabulary splits this into two discrete IDs (`cancel_lease`,\n // `close_lease`) for the orchestrator's typed dispatch — `cancel_lease`\n // applies pre-active (abort without on-chain close); `close_lease`\n // applies post-active (on-chain close-lease tx). To preserve the CJS's\n // observable user-option count, we surface the more-general\n // `close_lease` here as the unified terminal choice; the orchestrator's\n // inline-closure dispatch (see `deploy-app.ts`, gate-2 verdict) inspects\n // the lease state at recovery time and routes to the precise terminal\n // tx. `cancel_lease` remains reachable from verify-recover-driven\n // non-user-prompted paths (e.g. terminal lease detected before user\n // input is solicited).\n options.push('close_lease');\n\n return { prompt: lines.join('\\n'), options };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,MAAM,UACJ;AAuBF,SAAgB,2BACd,OACsB;AACtB,KAAI,CAAC,QAAQ,KAAK,MAAM,UAAU,CAChC,OAAM,IAAI,UACR,8DAA8D,MAAM,UAAU,GAC/E;AAEH,KACE,OAAO,MAAM,iBAAiB,YAC9B,MAAM,aAAa,WAAW,EAE9B,OAAM,IAAI,UACR,sEACD;AAEH,KAAI,OAAO,MAAM,WAAW,YAAY,MAAM,OAAO,WAAW,EAC9D,OAAM,IAAI,UACR,gEACD;CAGH,MAAM,YACJ,OAAO,MAAM,0BAA0B,YACvC,MAAM,sBAAsB,SAAS;CAEvC,MAAM,QAAkB,CACtB,+BACA,aAAa,MAAM,UAAU,gCAAgC,MAAM,aAAa,IACjF;AACD,KAAI,UACF,OAAM,KACJ,+BAA+B,MAAM,sBAAsB,qBAAqB,MAAM,OAAO,IAC7F,mGACD;KAED,OAAM,KACJ,qDAAqD,MAAM,OAAO,IAClE,wDACD;AAEH,OAAM,KAAK,IAAI,0BAA0B;CAEzC,MAAM,UAA8B,EAAE;AACtC,KAAI,UACF,SAAQ,KAAK,mBAAmB;AAElC,SAAQ,KAAK,yBAAyB;AActC,SAAQ,KAAK,cAAc;AAE3B,QAAO;EAAE,QAAQ,MAAM,KAAK,KAAK;EAAE;EAAS"}
1
+ {"version":3,"file":"render-partial-success-prompt.js","names":[],"sources":["../../src/internals/render-partial-success-prompt.ts"],"sourcesContent":["import type { RecoveryOptionId } from '../types.js';\n\n/**\n * Render the prompt body + recovery-option set for `deployApp`'s\n * partial-success recovery branch. Uses a fixed structural template —\n * wording stays consistent across runs regardless of LLM paraphrase\n * tendencies.\n *\n * **Conditional inserts:** wording differs by whether a `customDomain`\n * was requested. When absent, the failure description shifts to a\n * generic \"manifest upload or readiness poll failed\" framing and the\n * `retry_set_domain` recovery option is omitted (it's meaningless\n * without a domain request to retry).\n *\n * The CJS emits a single-line JSON object on stdout\n * (`{ prompt, options: string[] }`). The TS port returns a structured\n * `PartialSuccessPrompt` with typed `RecoveryOptionId`s, so the\n * `deployApp` orchestrator can route directly into the inline-closure\n * recovery dispatch (per gate-2 verdict) without intermediate\n * stringification.\n *\n * **Note on `decodedState`:** the caller is expected to have already\n * decoded the chain integer / `LEASE_STATE_*` string via\n * `lease-state.ts:decode` and pass the canonical name (or a\n * `UNKNOWN(<raw>)` sentinel for unrecognized values). This module does\n * not re-decode — the canonical name is shown verbatim in the lease\n * status line so an explicit `LEASE_STATE_` prefix is preserved (the\n * partial-success path surfaces the raw lease state for diagnostic\n * fidelity, unlike `formatSuccess` which strips the prefix for display).\n */\n\n/** RFC 4122 UUID — 36 chars, hex + 4 hyphens, lowercase or upper. */\nconst UUID_RE =\n /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;\n\nexport interface RenderPartialSuccessPromptInput {\n /** The lease UUID created on-chain (validated RFC 4122). */\n leaseUuid: string;\n /** Canonical lease state name (e.g. `LEASE_STATE_PENDING`) — pre-decoded. */\n decodedState: string;\n /** Failure reason from the MCP error envelope or `classifyDeployError`. */\n reason: string;\n /** Optional: FQDN the user requested. Presence drives wording + retry option. */\n requestedCustomDomain?: string;\n}\n\nexport interface PartialSuccessPrompt {\n /** Multi-line prompt body to pass to AskUserQuestion. */\n prompt: string;\n /**\n * Recovery options offered to the user. `retry_set_domain` is omitted\n * when no domain was requested. Order matches the CJS's option list.\n */\n options: RecoveryOptionId[];\n}\n\nexport function renderPartialSuccessPrompt(\n input: RenderPartialSuccessPromptInput,\n): PartialSuccessPrompt {\n if (!UUID_RE.test(input.leaseUuid)) {\n throw new TypeError(\n `renderPartialSuccessPrompt: leaseUuid must be a UUID; got \"${input.leaseUuid}\"`,\n );\n }\n if (\n typeof input.decodedState !== 'string' ||\n input.decodedState.length === 0\n ) {\n throw new TypeError(\n 'renderPartialSuccessPrompt: decodedState must be a non-empty string',\n );\n }\n if (typeof input.reason !== 'string' || input.reason.length === 0) {\n throw new TypeError(\n 'renderPartialSuccessPrompt: reason must be a non-empty string',\n );\n }\n\n const hasDomain =\n typeof input.requestedCustomDomain === 'string' &&\n input.requestedCustomDomain.length > 0;\n\n const lines: string[] = [\n 'Deploy partially succeeded:',\n ` - Lease ${input.leaseUuid} was created on-chain (state: ${input.decodedState}).`,\n ];\n if (hasDomain) {\n lines.push(\n ` - The set-domain step for ${input.requestedCustomDomain} did NOT complete: ${input.reason}.`,\n ' The manifest was therefore NEVER uploaded to the provider — no app is running on this lease.',\n );\n } else {\n lines.push(\n ` - The manifest upload or readiness poll failed: ${input.reason}.`,\n ' The provider may or may not have started the app.',\n );\n }\n lines.push('', 'What do you want to do?');\n\n const options: RecoveryOptionId[] = [];\n if (hasDomain) {\n options.push('retry_set_domain');\n }\n options.push('salvage_without_domain');\n // CJS emits \"Cancel or close the lease\" as a single user-facing option\n // (3 total when hasDomain, 2 when not). The typed `RecoveryOptionId`\n // vocabulary splits this into two discrete IDs (`cancel_lease`,\n // `close_lease`) for the orchestrator's typed dispatch — `cancel_lease`\n // applies pre-active (abort without on-chain close); `close_lease`\n // applies post-active (on-chain close-lease tx). To preserve the CJS's\n // observable user-option count, we surface the more-general\n // `close_lease` here as the unified terminal choice; the orchestrator's\n // inline-closure dispatch (see `deploy-app.ts`, gate-2 verdict) inspects\n // the lease state at recovery time and routes to the precise terminal\n // tx. `cancel_lease` remains reachable from verify-recover-driven\n // non-user-prompted paths (e.g. terminal lease detected before user\n // input is solicited).\n options.push('close_lease');\n\n return { prompt: lines.join('\\n'), options };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,MAAM,UACJ;AAuBF,SAAgB,2BACd,OACsB;CACtB,IAAI,CAAC,QAAQ,KAAK,MAAM,SAAS,GAC/B,MAAM,IAAI,UACR,8DAA8D,MAAM,UAAU,EAChF;CAEF,IACE,OAAO,MAAM,iBAAiB,YAC9B,MAAM,aAAa,WAAW,GAE9B,MAAM,IAAI,UACR,qEACF;CAEF,IAAI,OAAO,MAAM,WAAW,YAAY,MAAM,OAAO,WAAW,GAC9D,MAAM,IAAI,UACR,+DACF;CAGF,MAAM,YACJ,OAAO,MAAM,0BAA0B,YACvC,MAAM,sBAAsB,SAAS;CAEvC,MAAM,QAAkB,CACtB,+BACA,aAAa,MAAM,UAAU,gCAAgC,MAAM,aAAa,GAClF;CACA,IAAI,WACF,MAAM,KACJ,+BAA+B,MAAM,sBAAsB,qBAAqB,MAAM,OAAO,IAC7F,kGACF;MAEA,MAAM,KACJ,qDAAqD,MAAM,OAAO,IAClE,uDACF;CAEF,MAAM,KAAK,IAAI,yBAAyB;CAExC,MAAM,UAA8B,CAAC;CACrC,IAAI,WACF,QAAQ,KAAK,kBAAkB;CAEjC,QAAQ,KAAK,wBAAwB;CAcrC,QAAQ,KAAK,aAAa;CAE1B,OAAO;EAAE,QAAQ,MAAM,KAAK,IAAI;EAAG;CAAQ;AAC7C"}
@@ -1 +1 @@
1
- {"version":3,"file":"save-manifest.d.ts","names":[],"sources":["../../src/internals/save-manifest.ts"],"mappings":";;AAmDA;;;;;;;;;;;;;;;AAyCA;;;;;AAMA;;;;;;;;;;;;AA2BA;;;;;;;;;;UA1EiB,iBAAA;EA4EN;EA1ET,SAAA;EA0E2B;EAxE3B,KAAA;;EAEA,IAAA;;EAEA,QAAA;;EAEA,OAAA;;;;;;EAMA,YAAA;;;;;;;;;;;;;;;EAeA,OAAA;;EAEA,YAAA;;;;;EAKA,uBAAA;AAAA;AAAA,UAGe,kBAAA;;EAEf,YAAA;AAAA;;cAIW,iBAAA,SAA0B,KAAA;EAAA,SAC5B,IAAA;cAUG,IAAA,EAAM,iBAAA,UAA2B,OAAA;AAAA;;;;;;;;;iBAgBzB,YAAA,CACpB,KAAA,EAAO,iBAAA,GACN,OAAA,CAAQ,kBAAA"}
1
+ {"version":3,"file":"save-manifest.d.ts","names":[],"sources":["../../src/internals/save-manifest.ts"],"mappings":";;AAmDA;;;;;;;;;;;;;;AAsCyB;AAGzB;;;;AAEc;AAId;;;;;;;;;;;AAW8D;AAgB9D;;;;;;;;;;UA1EiB,iBAAA;EA4EN;EA1ET,SAAA;EA0E2B;EAxE3B,KAAA;;EAEA,IAAA;;EAEA,QAAA;;EAEA,OAAA;;;;;;EAMA,YAAA;;;;;;;;;;;;;;;EAeA,OAAA;;EAEA,YAAA;;;;;EAKA,uBAAA;AAAA;AAAA,UAGe,kBAAA;;EAEf,YAAY;AAAA;;cAID,iBAAA,SAA0B,KAAK;EAAA,SACjC,IAAA;cAUG,IAAA,EAAM,iBAAA,UAA2B,OAAA;AAAA;;;;;;;;;iBAgBzB,YAAA,CACpB,KAAA,EAAO,iBAAA,GACN,OAAA,CAAQ,kBAAA"}
@@ -1 +1 @@
1
- {"version":3,"file":"save-manifest.js","names":[],"sources":["../../src/internals/save-manifest.ts"],"sourcesContent":["/**\n * Persist a deployed manifest as a schema-version-3 wrapper to disk.\n *\n * Target directory is a **function argument** (`dataDir: string`) rather\n * than an env-var read: per gate-1 verdict, agent-core's `platform: 'neutral'`\n * build target forbids env-var reads at this layer; callers are responsible\n * for resolving the manifests dir from their own env context and passing it in.\n *\n * **Wrapper shape (schema_version 3):**\n *\n * ```\n * {\n * schema_version: 3,\n * lease_uuid, deployed_at_iso, deployed_at_unix,\n * chain_id, image, size, meta_hash_hex,\n * format, // \"single\" or \"stack\"\n * manifest_json, // string — canonical Fred-rendered JSON\n * custom_domain?, // (v3) FQDN attached to the lease item\n * custom_domain_service_name? // (v3) stack-lease service holder\n * }\n * ```\n *\n * Schema-version compat: v2 wrappers remain readable by all downstream\n * helpers; missing v3 fields are tolerated as undefined.\n *\n * **Audit guarantee:** SHA-256 of the bytes about to be persisted (after\n * normalizing the heredoc-/Write-added trailing newline) MUST equal\n * `metaHash`. Catches paste errors, accidental spec-vs-manifest_json\n * swaps, and transit corruption. Mismatch throws a typed\n * `SaveManifestError` (`code: 'sha256_mismatch'`).\n *\n * **Filesystem layout:** `<dataDir>/manifests/<lease_uuid>.json` with\n * mode 0600; parent `<dataDir>` and `<dataDir>/manifests` ensured at\n * mode 0700 (chmod-tightens an existing parent that was previously\n * looser).\n *\n * **Dynamic node-import discipline** (mirrors `guarded-fetch.ts`): the\n * `node:fs` / `node:path` / `node:crypto` imports are deferred to call\n * time so module load doesn't violate the `platform: 'neutral'` build\n * target. A `typeof process` check throws a clear \"Node-only API\" error\n * if invoked outside a Node-like runtime.\n */\n\n/** SHA-256 hex digest — 64 lowercase hex chars. */\nconst META_HASH_RE = /^[0-9a-f]{64}$/i;\n\n/** RFC 4122 UUID — 36 chars. */\nconst UUID_RE =\n /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;\n\n/** Input contract for `saveManifest`. All `*Hex` / UUID fields are validated. */\nexport interface SaveManifestInput {\n /** Validated lease UUID (RFC 4122 v1-v5). */\n leaseUuid: string;\n /** Canonical primary image reference (for the wrapper's `image` field). */\n image: string;\n /** SKU name (e.g. `docker-micro`) for the wrapper's `size` field. */\n size: string;\n /** SHA-256 hex of the canonical manifest JSON, from `build_manifest_preview`. */\n metaHash: string;\n /** Chain ID — e.g. `manifest-ledger-testnet-1`. */\n chainId: string;\n /**\n * Canonical Fred-rendered manifest JSON (as a STRING, not a parsed\n * object). The SHA-256 of these bytes (after trimming trailing\n * whitespace) MUST equal `metaHash`.\n */\n manifestJson: string;\n /**\n * Target data directory — the function writes\n * `<dataDir>/manifests/<lease_uuid>.json`. Per gate-1 verdict,\n * supplied by the caller (no env-var read).\n *\n * **MUST be a dedicated manifest-storage directory.** This function\n * `chmod`-tightens any pre-existing `dataDir` (and its `manifests/`\n * subdirectory) to mode `0o700`. Do NOT pass shared parents like\n * `$HOME`, `~/.config`, or a generic data root — doing so would tighten\n * those directories' permissions and potentially break other processes\n * that depend on them. Callers must resolve this to a dedicated\n * subdirectory (e.g. `$XDG_DATA_HOME/manifest-agent/`); the `manifests/`\n * subdir is created inside automatically.\n */\n dataDir: string;\n /** Optional custom-domain FQDN attached to the lease item. */\n customDomain?: string;\n /**\n * Optional stack-lease service name that holds the custom domain.\n * Meaningless without `customDomain`; throws if supplied alone.\n */\n customDomainServiceName?: string;\n}\n\nexport interface SaveManifestResult {\n /** Absolute path to the persisted wrapper. */\n manifestPath: string;\n}\n\n/** Typed error surface for the I/O + validation failure paths. */\nexport class SaveManifestError extends Error {\n readonly code:\n | 'sha256_mismatch'\n | 'manifest_not_object'\n | 'invalid_uuid'\n | 'invalid_meta_hash'\n | 'invalid_data_dir'\n | 'service_name_without_domain'\n | 'manifest_parse_failed'\n | 'platform_unsupported';\n\n constructor(code: SaveManifestError['code'], message: string) {\n super(message);\n this.name = 'SaveManifestError';\n this.code = code;\n Object.setPrototypeOf(this, SaveManifestError.prototype);\n }\n}\n\n/**\n * Persist the manifest wrapper. Returns the absolute output path.\n *\n * Throws `SaveManifestError` for shape / validation failures; lets raw\n * I/O errors (EACCES, ENOSPC, etc.) propagate so the orchestrator can\n * decide whether to suppress them per step-16's \"save-fail → success\n * still returned\" contract.\n */\nexport async function saveManifest(\n input: SaveManifestInput,\n): Promise<SaveManifestResult> {\n if (\n typeof process === 'undefined' ||\n typeof process.versions?.node !== 'string'\n ) {\n throw new SaveManifestError(\n 'platform_unsupported',\n 'saveManifest: requires Node.js runtime (node:fs / node:crypto / node:path)',\n );\n }\n // Copilot review fix (PR #58 r3267373130): reject empty / whitespace-\n // only / non-string `dataDir` BEFORE any I/O. `pathResolve('')` returns\n // `process.cwd()`, and the later `chmodSync(absoluteDataDir, 0o700)`\n // would then tighten the caller's working directory — a real safety\n // hazard if a misconfigured env (`MANIFEST_DATA_DIR=\"\"`) reaches\n // here. Failing fast at the boundary keeps the hazard from\n // materializing.\n if (typeof input.dataDir !== 'string' || input.dataDir.trim().length === 0) {\n throw new SaveManifestError(\n 'invalid_data_dir',\n `saveManifest: dataDir must be a non-empty path; got ${\n typeof input.dataDir === 'string'\n ? `\"${input.dataDir}\"`\n : input.dataDir === null\n ? 'null'\n : typeof input.dataDir\n }.`,\n );\n }\n if (!UUID_RE.test(input.leaseUuid)) {\n throw new SaveManifestError(\n 'invalid_uuid',\n `saveManifest: leaseUuid must be a UUID; got \"${input.leaseUuid}\"`,\n );\n }\n if (!META_HASH_RE.test(input.metaHash)) {\n throw new SaveManifestError(\n 'invalid_meta_hash',\n `saveManifest: metaHash must be a 64-character SHA-256 hex digest; got \"${input.metaHash}\"`,\n );\n }\n if (input.customDomainServiceName && !input.customDomain) {\n throw new SaveManifestError(\n 'service_name_without_domain',\n 'saveManifest: customDomainServiceName requires customDomain',\n );\n }\n\n // Trim trailing newline (heredoc/Write convention) so the SHA-256 of the\n // persisted bytes matches the meta_hash_hex returned by\n // build_manifest_preview.\n const trimmed = input.manifestJson.trimEnd();\n\n // Parse for shape sanity + format derivation. Failures throw a typed\n // `SaveManifestError(manifest_parse_failed)` rather than the raw\n // SyntaxError.\n let parsed: unknown;\n try {\n parsed = JSON.parse(trimmed);\n } catch (err) {\n const reason = err instanceof Error ? err.message : String(err);\n throw new SaveManifestError(\n 'manifest_parse_failed',\n `saveManifest: manifestJson is not valid JSON: ${reason}`,\n );\n }\n if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {\n throw new SaveManifestError(\n 'manifest_not_object',\n 'saveManifest: manifestJson must encode a JSON object',\n );\n }\n const parsedRec = parsed as Record<string, unknown>;\n const isStack =\n parsedRec.services !== null &&\n typeof parsedRec.services === 'object' &&\n !Array.isArray(parsedRec.services);\n const format: 'single' | 'stack' = isStack ? 'stack' : 'single';\n\n // Dynamic imports — node-only deps deferred per the `platform: 'neutral'`\n // build target. Mirrors `guarded-fetch.ts`'s lazy-init pattern.\n const { mkdirSync, chmodSync, writeFileSync, renameSync } = await import(\n 'node:fs'\n );\n const { createHash, randomUUID } = await import('node:crypto');\n const { join, resolve: pathResolve } = await import('node:path');\n\n // SHA-256 audit: catches the most common foot-gun (passing the\n // structured spec where the canonical manifest_json was expected).\n const computedHash = createHash('sha256').update(trimmed).digest('hex');\n if (computedHash !== input.metaHash.toLowerCase()) {\n throw new SaveManifestError(\n 'sha256_mismatch',\n `saveManifest: SHA-256 mismatch. metaHash claims ${input.metaHash} but manifestJson content hashes to ${computedHash}. The wrong content was probably written (e.g. the structured spec instead of the canonical manifest_json string).`,\n );\n }\n\n // C5 fix: resolve dataDir to absolute BEFORE constructing paths.\n // `SaveManifestResult.manifestPath` is documented as absolute; the\n // prior `join(input.dataDir, ...)` returned a relative path when the\n // caller passed a relative dataDir. `path.resolve()` normalizes\n // against the process CWD if input is relative; idempotent for\n // already-absolute inputs.\n const absoluteDataDir = pathResolve(input.dataDir);\n\n // Ensure dataDir + manifests/ exist with tight perms. chmod after mkdir\n // so a pre-existing looser parent gets tightened (mkdir won't chmod\n // existing dirs).\n const manifestsDir = join(absoluteDataDir, 'manifests');\n mkdirSync(absoluteDataDir, { recursive: true, mode: 0o700 });\n chmodSync(absoluteDataDir, 0o700);\n mkdirSync(manifestsDir, { recursive: true, mode: 0o700 });\n chmodSync(manifestsDir, 0o700);\n\n // Copilot review fix (PR #58 r3267708600): single-source the deploy\n // timestamp. The prior code called `new Date().toISOString()` and\n // `Math.floor(Date.now() / 1000)` separately — two distinct clock\n // reads. If the function spans a second boundary, the iso + unix\n // fields refer to different instants, violating the audit\n // metadata's internal-consistency invariant (any tooling cross-\n // checking the pair would flag the drift).\n const deployedAt = new Date();\n const wrapper: Record<string, unknown> = {\n schema_version: 3,\n lease_uuid: input.leaseUuid,\n deployed_at_iso: deployedAt.toISOString(),\n deployed_at_unix: Math.floor(deployedAt.getTime() / 1000),\n chain_id: input.chainId,\n image: input.image,\n size: input.size,\n meta_hash_hex: input.metaHash.toLowerCase(),\n format,\n manifest_json: trimmed,\n };\n if (input.customDomain) {\n wrapper.custom_domain = input.customDomain;\n }\n if (input.customDomainServiceName) {\n wrapper.custom_domain_service_name = input.customDomainServiceName;\n }\n\n const outPath = join(manifestsDir, `${input.leaseUuid}.json`);\n // Atomic write: temp file in same dir + rename. Survives crash mid-write\n // without leaving a partial file at the canonical name. The randomUUID\n // suffix avoids collisions if multiple concurrent saves target the same\n // lease (rare, but the CJS's atomicWrite helper uses the same pattern).\n const tmpPath = `${outPath}.tmp-${randomUUID()}`;\n writeFileSync(tmpPath, `${JSON.stringify(wrapper, null, 2)}\\n`, {\n mode: 0o600,\n });\n renameSync(tmpPath, outPath);\n\n return { manifestPath: outPath };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4CA,MAAM,eAAe;;AAGrB,MAAM,UACJ;;AAkDF,IAAa,oBAAb,MAAa,0BAA0B,MAAM;CAW3C,YAAY,MAAiC,SAAiB;AAC5D,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,kBAAkB,UAAU;;;;;;;;;;;AAY5D,eAAsB,aACpB,OAC6B;AAC7B,KACE,OAAO,YAAY,eACnB,OAAO,QAAQ,UAAU,SAAS,SAElC,OAAM,IAAI,kBACR,wBACA,6EACD;AASH,KAAI,OAAO,MAAM,YAAY,YAAY,MAAM,QAAQ,MAAM,CAAC,WAAW,EACvE,OAAM,IAAI,kBACR,oBACA,uDACE,OAAO,MAAM,YAAY,WACrB,IAAI,MAAM,QAAQ,KAClB,MAAM,YAAY,OAChB,SACA,OAAO,MAAM,QACpB,GACF;AAEH,KAAI,CAAC,QAAQ,KAAK,MAAM,UAAU,CAChC,OAAM,IAAI,kBACR,gBACA,gDAAgD,MAAM,UAAU,GACjE;AAEH,KAAI,CAAC,aAAa,KAAK,MAAM,SAAS,CACpC,OAAM,IAAI,kBACR,qBACA,0EAA0E,MAAM,SAAS,GAC1F;AAEH,KAAI,MAAM,2BAA2B,CAAC,MAAM,aAC1C,OAAM,IAAI,kBACR,+BACA,8DACD;CAMH,MAAM,UAAU,MAAM,aAAa,SAAS;CAK5C,IAAI;AACJ,KAAI;AACF,WAAS,KAAK,MAAM,QAAQ;UACrB,KAAK;AAEZ,QAAM,IAAI,kBACR,yBACA,iDAHa,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI,GAI9D;;AAEH,KAAI,WAAW,QAAQ,OAAO,WAAW,YAAY,MAAM,QAAQ,OAAO,CACxE,OAAM,IAAI,kBACR,uBACA,uDACD;CAEH,MAAM,YAAY;CAKlB,MAAM,SAHJ,UAAU,aAAa,QACvB,OAAO,UAAU,aAAa,YAC9B,CAAC,MAAM,QAAQ,UAAU,SAAS,GACS,UAAU;CAIvD,MAAM,EAAE,WAAW,WAAW,eAAe,eAAe,MAAM,OAChE;CAEF,MAAM,EAAE,YAAY,eAAe,MAAM,OAAO;CAChD,MAAM,EAAE,MAAM,SAAS,gBAAgB,MAAM,OAAO;CAIpD,MAAM,eAAe,WAAW,SAAS,CAAC,OAAO,QAAQ,CAAC,OAAO,MAAM;AACvE,KAAI,iBAAiB,MAAM,SAAS,aAAa,CAC/C,OAAM,IAAI,kBACR,mBACA,mDAAmD,MAAM,SAAS,sCAAsC,aAAa,oHACtH;CASH,MAAM,kBAAkB,YAAY,MAAM,QAAQ;CAKlD,MAAM,eAAe,KAAK,iBAAiB,YAAY;AACvD,WAAU,iBAAiB;EAAE,WAAW;EAAM,MAAM;EAAO,CAAC;AAC5D,WAAU,iBAAiB,IAAM;AACjC,WAAU,cAAc;EAAE,WAAW;EAAM,MAAM;EAAO,CAAC;AACzD,WAAU,cAAc,IAAM;CAS9B,MAAM,6BAAa,IAAI,MAAM;CAC7B,MAAM,UAAmC;EACvC,gBAAgB;EAChB,YAAY,MAAM;EAClB,iBAAiB,WAAW,aAAa;EACzC,kBAAkB,KAAK,MAAM,WAAW,SAAS,GAAG,IAAK;EACzD,UAAU,MAAM;EAChB,OAAO,MAAM;EACb,MAAM,MAAM;EACZ,eAAe,MAAM,SAAS,aAAa;EAC3C;EACA,eAAe;EAChB;AACD,KAAI,MAAM,aACR,SAAQ,gBAAgB,MAAM;AAEhC,KAAI,MAAM,wBACR,SAAQ,6BAA6B,MAAM;CAG7C,MAAM,UAAU,KAAK,cAAc,GAAG,MAAM,UAAU,OAAO;CAK7D,MAAM,UAAU,GAAG,QAAQ,OAAO,YAAY;AAC9C,eAAc,SAAS,GAAG,KAAK,UAAU,SAAS,MAAM,EAAE,CAAC,KAAK,EAC9D,MAAM,KACP,CAAC;AACF,YAAW,SAAS,QAAQ;AAE5B,QAAO,EAAE,cAAc,SAAS"}
1
+ {"version":3,"file":"save-manifest.js","names":[],"sources":["../../src/internals/save-manifest.ts"],"sourcesContent":["/**\n * Persist a deployed manifest as a schema-version-3 wrapper to disk.\n *\n * Target directory is a **function argument** (`dataDir: string`) rather\n * than an env-var read: per gate-1 verdict, agent-core's `platform: 'neutral'`\n * build target forbids env-var reads at this layer; callers are responsible\n * for resolving the manifests dir from their own env context and passing it in.\n *\n * **Wrapper shape (schema_version 3):**\n *\n * ```\n * {\n * schema_version: 3,\n * lease_uuid, deployed_at_iso, deployed_at_unix,\n * chain_id, image, size, meta_hash_hex,\n * format, // \"single\" or \"stack\"\n * manifest_json, // string — canonical Fred-rendered JSON\n * custom_domain?, // (v3) FQDN attached to the lease item\n * custom_domain_service_name? // (v3) stack-lease service holder\n * }\n * ```\n *\n * Schema-version compat: v2 wrappers remain readable by all downstream\n * helpers; missing v3 fields are tolerated as undefined.\n *\n * **Audit guarantee:** SHA-256 of the bytes about to be persisted (after\n * normalizing the heredoc-/Write-added trailing newline) MUST equal\n * `metaHash`. Catches paste errors, accidental spec-vs-manifest_json\n * swaps, and transit corruption. Mismatch throws a typed\n * `SaveManifestError` (`code: 'sha256_mismatch'`).\n *\n * **Filesystem layout:** `<dataDir>/manifests/<lease_uuid>.json` with\n * mode 0600; parent `<dataDir>` and `<dataDir>/manifests` ensured at\n * mode 0700 (chmod-tightens an existing parent that was previously\n * looser).\n *\n * **Dynamic node-import discipline** (mirrors `guarded-fetch.ts`): the\n * `node:fs` / `node:path` / `node:crypto` imports are deferred to call\n * time so module load doesn't violate the `platform: 'neutral'` build\n * target. A `typeof process` check throws a clear \"Node-only API\" error\n * if invoked outside a Node-like runtime.\n */\n\n/** SHA-256 hex digest — 64 lowercase hex chars. */\nconst META_HASH_RE = /^[0-9a-f]{64}$/i;\n\n/** RFC 4122 UUID — 36 chars. */\nconst UUID_RE =\n /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;\n\n/** Input contract for `saveManifest`. All `*Hex` / UUID fields are validated. */\nexport interface SaveManifestInput {\n /** Validated lease UUID (RFC 4122 v1-v5). */\n leaseUuid: string;\n /** Canonical primary image reference (for the wrapper's `image` field). */\n image: string;\n /** SKU name (e.g. `docker-micro`) for the wrapper's `size` field. */\n size: string;\n /** SHA-256 hex of the canonical manifest JSON, from `build_manifest_preview`. */\n metaHash: string;\n /** Chain ID — e.g. `manifest-ledger-testnet-1`. */\n chainId: string;\n /**\n * Canonical Fred-rendered manifest JSON (as a STRING, not a parsed\n * object). The SHA-256 of these bytes (after trimming trailing\n * whitespace) MUST equal `metaHash`.\n */\n manifestJson: string;\n /**\n * Target data directory — the function writes\n * `<dataDir>/manifests/<lease_uuid>.json`. Per gate-1 verdict,\n * supplied by the caller (no env-var read).\n *\n * **MUST be a dedicated manifest-storage directory.** This function\n * `chmod`-tightens any pre-existing `dataDir` (and its `manifests/`\n * subdirectory) to mode `0o700`. Do NOT pass shared parents like\n * `$HOME`, `~/.config`, or a generic data root — doing so would tighten\n * those directories' permissions and potentially break other processes\n * that depend on them. Callers must resolve this to a dedicated\n * subdirectory (e.g. `$XDG_DATA_HOME/manifest-agent/`); the `manifests/`\n * subdir is created inside automatically.\n */\n dataDir: string;\n /** Optional custom-domain FQDN attached to the lease item. */\n customDomain?: string;\n /**\n * Optional stack-lease service name that holds the custom domain.\n * Meaningless without `customDomain`; throws if supplied alone.\n */\n customDomainServiceName?: string;\n}\n\nexport interface SaveManifestResult {\n /** Absolute path to the persisted wrapper. */\n manifestPath: string;\n}\n\n/** Typed error surface for the I/O + validation failure paths. */\nexport class SaveManifestError extends Error {\n readonly code:\n | 'sha256_mismatch'\n | 'manifest_not_object'\n | 'invalid_uuid'\n | 'invalid_meta_hash'\n | 'invalid_data_dir'\n | 'service_name_without_domain'\n | 'manifest_parse_failed'\n | 'platform_unsupported';\n\n constructor(code: SaveManifestError['code'], message: string) {\n super(message);\n this.name = 'SaveManifestError';\n this.code = code;\n Object.setPrototypeOf(this, SaveManifestError.prototype);\n }\n}\n\n/**\n * Persist the manifest wrapper. Returns the absolute output path.\n *\n * Throws `SaveManifestError` for shape / validation failures; lets raw\n * I/O errors (EACCES, ENOSPC, etc.) propagate so the orchestrator can\n * decide whether to suppress them per step-16's \"save-fail → success\n * still returned\" contract.\n */\nexport async function saveManifest(\n input: SaveManifestInput,\n): Promise<SaveManifestResult> {\n if (\n typeof process === 'undefined' ||\n typeof process.versions?.node !== 'string'\n ) {\n throw new SaveManifestError(\n 'platform_unsupported',\n 'saveManifest: requires Node.js runtime (node:fs / node:crypto / node:path)',\n );\n }\n // Copilot review fix (PR #58 r3267373130): reject empty / whitespace-\n // only / non-string `dataDir` BEFORE any I/O. `pathResolve('')` returns\n // `process.cwd()`, and the later `chmodSync(absoluteDataDir, 0o700)`\n // would then tighten the caller's working directory — a real safety\n // hazard if a misconfigured env (`MANIFEST_DATA_DIR=\"\"`) reaches\n // here. Failing fast at the boundary keeps the hazard from\n // materializing.\n if (typeof input.dataDir !== 'string' || input.dataDir.trim().length === 0) {\n throw new SaveManifestError(\n 'invalid_data_dir',\n `saveManifest: dataDir must be a non-empty path; got ${\n typeof input.dataDir === 'string'\n ? `\"${input.dataDir}\"`\n : input.dataDir === null\n ? 'null'\n : typeof input.dataDir\n }.`,\n );\n }\n if (!UUID_RE.test(input.leaseUuid)) {\n throw new SaveManifestError(\n 'invalid_uuid',\n `saveManifest: leaseUuid must be a UUID; got \"${input.leaseUuid}\"`,\n );\n }\n if (!META_HASH_RE.test(input.metaHash)) {\n throw new SaveManifestError(\n 'invalid_meta_hash',\n `saveManifest: metaHash must be a 64-character SHA-256 hex digest; got \"${input.metaHash}\"`,\n );\n }\n if (input.customDomainServiceName && !input.customDomain) {\n throw new SaveManifestError(\n 'service_name_without_domain',\n 'saveManifest: customDomainServiceName requires customDomain',\n );\n }\n\n // Trim trailing newline (heredoc/Write convention) so the SHA-256 of the\n // persisted bytes matches the meta_hash_hex returned by\n // build_manifest_preview.\n const trimmed = input.manifestJson.trimEnd();\n\n // Parse for shape sanity + format derivation. Failures throw a typed\n // `SaveManifestError(manifest_parse_failed)` rather than the raw\n // SyntaxError.\n let parsed: unknown;\n try {\n parsed = JSON.parse(trimmed);\n } catch (err) {\n const reason = err instanceof Error ? err.message : String(err);\n throw new SaveManifestError(\n 'manifest_parse_failed',\n `saveManifest: manifestJson is not valid JSON: ${reason}`,\n );\n }\n if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {\n throw new SaveManifestError(\n 'manifest_not_object',\n 'saveManifest: manifestJson must encode a JSON object',\n );\n }\n const parsedRec = parsed as Record<string, unknown>;\n const isStack =\n parsedRec.services !== null &&\n typeof parsedRec.services === 'object' &&\n !Array.isArray(parsedRec.services);\n const format: 'single' | 'stack' = isStack ? 'stack' : 'single';\n\n // Dynamic imports — node-only deps deferred per the `platform: 'neutral'`\n // build target. Mirrors `guarded-fetch.ts`'s lazy-init pattern.\n const { mkdirSync, chmodSync, writeFileSync, renameSync } = await import(\n 'node:fs'\n );\n const { createHash, randomUUID } = await import('node:crypto');\n const { join, resolve: pathResolve } = await import('node:path');\n\n // SHA-256 audit: catches the most common foot-gun (passing the\n // structured spec where the canonical manifest_json was expected).\n const computedHash = createHash('sha256').update(trimmed).digest('hex');\n if (computedHash !== input.metaHash.toLowerCase()) {\n throw new SaveManifestError(\n 'sha256_mismatch',\n `saveManifest: SHA-256 mismatch. metaHash claims ${input.metaHash} but manifestJson content hashes to ${computedHash}. The wrong content was probably written (e.g. the structured spec instead of the canonical manifest_json string).`,\n );\n }\n\n // C5 fix: resolve dataDir to absolute BEFORE constructing paths.\n // `SaveManifestResult.manifestPath` is documented as absolute; the\n // prior `join(input.dataDir, ...)` returned a relative path when the\n // caller passed a relative dataDir. `path.resolve()` normalizes\n // against the process CWD if input is relative; idempotent for\n // already-absolute inputs.\n const absoluteDataDir = pathResolve(input.dataDir);\n\n // Ensure dataDir + manifests/ exist with tight perms. chmod after mkdir\n // so a pre-existing looser parent gets tightened (mkdir won't chmod\n // existing dirs).\n const manifestsDir = join(absoluteDataDir, 'manifests');\n mkdirSync(absoluteDataDir, { recursive: true, mode: 0o700 });\n chmodSync(absoluteDataDir, 0o700);\n mkdirSync(manifestsDir, { recursive: true, mode: 0o700 });\n chmodSync(manifestsDir, 0o700);\n\n // Copilot review fix (PR #58 r3267708600): single-source the deploy\n // timestamp. The prior code called `new Date().toISOString()` and\n // `Math.floor(Date.now() / 1000)` separately — two distinct clock\n // reads. If the function spans a second boundary, the iso + unix\n // fields refer to different instants, violating the audit\n // metadata's internal-consistency invariant (any tooling cross-\n // checking the pair would flag the drift).\n const deployedAt = new Date();\n const wrapper: Record<string, unknown> = {\n schema_version: 3,\n lease_uuid: input.leaseUuid,\n deployed_at_iso: deployedAt.toISOString(),\n deployed_at_unix: Math.floor(deployedAt.getTime() / 1000),\n chain_id: input.chainId,\n image: input.image,\n size: input.size,\n meta_hash_hex: input.metaHash.toLowerCase(),\n format,\n manifest_json: trimmed,\n };\n if (input.customDomain) {\n wrapper.custom_domain = input.customDomain;\n }\n if (input.customDomainServiceName) {\n wrapper.custom_domain_service_name = input.customDomainServiceName;\n }\n\n const outPath = join(manifestsDir, `${input.leaseUuid}.json`);\n // Atomic write: temp file in same dir + rename. Survives crash mid-write\n // without leaving a partial file at the canonical name. The randomUUID\n // suffix avoids collisions if multiple concurrent saves target the same\n // lease (rare, but the CJS's atomicWrite helper uses the same pattern).\n const tmpPath = `${outPath}.tmp-${randomUUID()}`;\n writeFileSync(tmpPath, `${JSON.stringify(wrapper, null, 2)}\\n`, {\n mode: 0o600,\n });\n renameSync(tmpPath, outPath);\n\n return { manifestPath: outPath };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4CA,MAAM,eAAe;;AAGrB,MAAM,UACJ;;AAkDF,IAAa,oBAAb,MAAa,0BAA0B,MAAM;CAW3C,YAAY,MAAiC,SAAiB;EAC5D,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,KAAK,OAAO;EACZ,OAAO,eAAe,MAAM,kBAAkB,SAAS;CACzD;AACF;;;;;;;;;AAUA,eAAsB,aACpB,OAC6B;CAC7B,IACE,OAAO,YAAY,eACnB,OAAO,QAAQ,UAAU,SAAS,UAElC,MAAM,IAAI,kBACR,wBACA,4EACF;CASF,IAAI,OAAO,MAAM,YAAY,YAAY,MAAM,QAAQ,KAAK,EAAE,WAAW,GACvE,MAAM,IAAI,kBACR,oBACA,uDACE,OAAO,MAAM,YAAY,WACrB,IAAI,MAAM,QAAQ,KAClB,MAAM,YAAY,OAChB,SACA,OAAO,MAAM,QACpB,EACH;CAEF,IAAI,CAAC,QAAQ,KAAK,MAAM,SAAS,GAC/B,MAAM,IAAI,kBACR,gBACA,gDAAgD,MAAM,UAAU,EAClE;CAEF,IAAI,CAAC,aAAa,KAAK,MAAM,QAAQ,GACnC,MAAM,IAAI,kBACR,qBACA,0EAA0E,MAAM,SAAS,EAC3F;CAEF,IAAI,MAAM,2BAA2B,CAAC,MAAM,cAC1C,MAAM,IAAI,kBACR,+BACA,6DACF;CAMF,MAAM,UAAU,MAAM,aAAa,QAAQ;CAK3C,IAAI;CACJ,IAAI;EACF,SAAS,KAAK,MAAM,OAAO;CAC7B,SAAS,KAAK;EAEZ,MAAM,IAAI,kBACR,yBACA,iDAHa,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,GAI9D;CACF;CACA,IAAI,WAAW,QAAQ,OAAO,WAAW,YAAY,MAAM,QAAQ,MAAM,GACvE,MAAM,IAAI,kBACR,uBACA,sDACF;CAEF,MAAM,YAAY;CAKlB,MAAM,SAHJ,UAAU,aAAa,QACvB,OAAO,UAAU,aAAa,YAC9B,CAAC,MAAM,QAAQ,UAAU,QAAQ,IACU,UAAU;CAIvD,MAAM,EAAE,WAAW,WAAW,eAAe,eAAe,MAAM,OAChE;CAEF,MAAM,EAAE,YAAY,eAAe,MAAM,OAAO;CAChD,MAAM,EAAE,MAAM,SAAS,gBAAgB,MAAM,OAAO;CAIpD,MAAM,eAAe,WAAW,QAAQ,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;CACtE,IAAI,iBAAiB,MAAM,SAAS,YAAY,GAC9C,MAAM,IAAI,kBACR,mBACA,mDAAmD,MAAM,SAAS,sCAAsC,aAAa,mHACvH;CASF,MAAM,kBAAkB,YAAY,MAAM,OAAO;CAKjD,MAAM,eAAe,KAAK,iBAAiB,WAAW;CACtD,UAAU,iBAAiB;EAAE,WAAW;EAAM,MAAM;CAAM,CAAC;CAC3D,UAAU,iBAAiB,GAAK;CAChC,UAAU,cAAc;EAAE,WAAW;EAAM,MAAM;CAAM,CAAC;CACxD,UAAU,cAAc,GAAK;CAS7B,MAAM,6BAAa,IAAI,KAAK;CAC5B,MAAM,UAAmC;EACvC,gBAAgB;EAChB,YAAY,MAAM;EAClB,iBAAiB,WAAW,YAAY;EACxC,kBAAkB,KAAK,MAAM,WAAW,QAAQ,IAAI,GAAI;EACxD,UAAU,MAAM;EAChB,OAAO,MAAM;EACb,MAAM,MAAM;EACZ,eAAe,MAAM,SAAS,YAAY;EAC1C;EACA,eAAe;CACjB;CACA,IAAI,MAAM,cACR,QAAQ,gBAAgB,MAAM;CAEhC,IAAI,MAAM,yBACR,QAAQ,6BAA6B,MAAM;CAG7C,MAAM,UAAU,KAAK,cAAc,GAAG,MAAM,UAAU,MAAM;CAK5D,MAAM,UAAU,GAAG,QAAQ,OAAO,WAAW;CAC7C,cAAc,SAAS,GAAG,KAAK,UAAU,SAAS,MAAM,CAAC,EAAE,KAAK,EAC9D,MAAM,IACR,CAAC;CACD,WAAW,SAAS,OAAO;CAE3B,OAAO,EAAE,cAAc,QAAQ;AACjC"}
@@ -1 +1 @@
1
- {"version":3,"file":"secret-denylist.d.ts","names":[],"sources":["../../src/internals/secret-denylist.ts"],"mappings":";;AAwBA;;;;;AAGA;;;;;AAkBA;;;;;;;;;;;;cArBa,mBAAA,EAAmB,MAAA;AAAA,cAGnB,wBAAA,EAA0B,WAAA;;;;;;;;;;;;;iBAkBvB,aAAA,CAAc,KAAA"}
1
+ {"version":3,"file":"secret-denylist.d.ts","names":[],"sources":["../../src/internals/secret-denylist.ts"],"mappings":";;AAwBA;;;;AACmG;AAEnG;;;;AAAkD;AAkBlD;;;;AAA4C;;;;;;;;cArB/B,mBAAA,EAAmB,MACmE;AAAA,cAEtF,wBAAA,EAA0B,WAAW;;;;;;;;;;;;;iBAkBlC,aAAA,CAAc,KAAc"}
@@ -1 +1 @@
1
- {"version":3,"file":"secret-denylist.js","names":[],"sources":["../../src/internals/secret-denylist.ts"],"sourcesContent":["/**\n * Secret-key denylist + prototype-pollution guard. Used by\n * `verify-recover.ts` to scrub a verifier's diagnostic payload before it\n * reaches the host callback (or the journal record in ENG-124).\n *\n * Two exports:\n *\n * - `SECRET_KEY_DENYLIST` — case-insensitive substring match on KEY names\n * only; values are never inspected. Narrow on purpose: covers the\n * high-confidence sensitive shapes (mnemonic + keyfile password) plus\n * credential-shaped suffixes that catch obvious caller mistakes\n * (`api[_-]?key`, `private[_-]?key`, `secret[_-]?key`, `auth[_-]?token`,\n * `bearer[_-]?token`). The blanket `token` and `secret` keywords are NOT\n * here — this is a blockchain context where `gas_token`, `fee_token`,\n * `token_id`, `token_symbol` are legitimate non-sensitive field names.\n *\n * - `stripDenylist` (in `verify-recover.ts`) — recursive walker over\n * objects + arrays; drops any key matching the denylist regex; ALSO\n * skips the three prototype-pollution-capable keys `__proto__`,\n * `constructor`, `prototype` because `JSON.parse` materializes them as\n * own properties that a bare `out[k] = v` assignment would treat as a\n * prototype mutation.\n */\n\nexport const SECRET_KEY_DENYLIST =\n /(mnemonic|password|private[_-]?key|secret[_-]?key|api[_-]?key|auth[_-]?token|bearer[_-]?token)/i;\n\nexport const PROTOTYPE_POLLUTION_KEYS: ReadonlySet<string> = new Set([\n '__proto__',\n 'constructor',\n 'prototype',\n]);\n\n/**\n * Recursively walk a value and remove any object keys that:\n * - Match `SECRET_KEY_DENYLIST` (case-insensitive substring on key name), or\n * - Are one of the prototype-pollution keys (`__proto__`, `constructor`,\n * `prototype`).\n *\n * Arrays are walked element-wise. Primitives (string/number/boolean/null/\n * undefined) pass through untouched.\n *\n * Returns `unknown` because the structural shape changes: object inputs may\n * have fewer keys than they started with. Callers narrow at use sites.\n */\nexport function stripDenylist(value: unknown): unknown {\n if (Array.isArray(value)) {\n return value.map((v) => stripDenylist(v));\n }\n if (value !== null && typeof value === 'object') {\n const out: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(value as Record<string, unknown>)) {\n if (PROTOTYPE_POLLUTION_KEYS.has(k)) continue;\n if (SECRET_KEY_DENYLIST.test(k)) continue;\n out[k] = stripDenylist(v);\n }\n return out;\n }\n return value;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAwBA,MAAa,sBACX;AAEF,MAAa,2BAAgD,IAAI,IAAI;CACnE;CACA;CACA;CACD,CAAC;;;;;;;;;;;;;AAcF,SAAgB,cAAc,OAAyB;AACrD,KAAI,MAAM,QAAQ,MAAM,CACtB,QAAO,MAAM,KAAK,MAAM,cAAc,EAAE,CAAC;AAE3C,KAAI,UAAU,QAAQ,OAAO,UAAU,UAAU;EAC/C,MAAM,MAA+B,EAAE;AACvC,OAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,MAAiC,EAAE;AACrE,OAAI,yBAAyB,IAAI,EAAE,CAAE;AACrC,OAAI,oBAAoB,KAAK,EAAE,CAAE;AACjC,OAAI,KAAK,cAAc,EAAE;;AAE3B,SAAO;;AAET,QAAO"}
1
+ {"version":3,"file":"secret-denylist.js","names":[],"sources":["../../src/internals/secret-denylist.ts"],"sourcesContent":["/**\n * Secret-key denylist + prototype-pollution guard. Used by\n * `verify-recover.ts` to scrub a verifier's diagnostic payload before it\n * reaches the host callback (or the journal record in ENG-124).\n *\n * Two exports:\n *\n * - `SECRET_KEY_DENYLIST` — case-insensitive substring match on KEY names\n * only; values are never inspected. Narrow on purpose: covers the\n * high-confidence sensitive shapes (mnemonic + keyfile password) plus\n * credential-shaped suffixes that catch obvious caller mistakes\n * (`api[_-]?key`, `private[_-]?key`, `secret[_-]?key`, `auth[_-]?token`,\n * `bearer[_-]?token`). The blanket `token` and `secret` keywords are NOT\n * here — this is a blockchain context where `gas_token`, `fee_token`,\n * `token_id`, `token_symbol` are legitimate non-sensitive field names.\n *\n * - `stripDenylist` (in `verify-recover.ts`) — recursive walker over\n * objects + arrays; drops any key matching the denylist regex; ALSO\n * skips the three prototype-pollution-capable keys `__proto__`,\n * `constructor`, `prototype` because `JSON.parse` materializes them as\n * own properties that a bare `out[k] = v` assignment would treat as a\n * prototype mutation.\n */\n\nexport const SECRET_KEY_DENYLIST =\n /(mnemonic|password|private[_-]?key|secret[_-]?key|api[_-]?key|auth[_-]?token|bearer[_-]?token)/i;\n\nexport const PROTOTYPE_POLLUTION_KEYS: ReadonlySet<string> = new Set([\n '__proto__',\n 'constructor',\n 'prototype',\n]);\n\n/**\n * Recursively walk a value and remove any object keys that:\n * - Match `SECRET_KEY_DENYLIST` (case-insensitive substring on key name), or\n * - Are one of the prototype-pollution keys (`__proto__`, `constructor`,\n * `prototype`).\n *\n * Arrays are walked element-wise. Primitives (string/number/boolean/null/\n * undefined) pass through untouched.\n *\n * Returns `unknown` because the structural shape changes: object inputs may\n * have fewer keys than they started with. Callers narrow at use sites.\n */\nexport function stripDenylist(value: unknown): unknown {\n if (Array.isArray(value)) {\n return value.map((v) => stripDenylist(v));\n }\n if (value !== null && typeof value === 'object') {\n const out: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(value as Record<string, unknown>)) {\n if (PROTOTYPE_POLLUTION_KEYS.has(k)) continue;\n if (SECRET_KEY_DENYLIST.test(k)) continue;\n out[k] = stripDenylist(v);\n }\n return out;\n }\n return value;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAwBA,MAAa,sBACX;AAEF,MAAa,2BAAgD,IAAI,IAAI;CACnE;CACA;CACA;AACF,CAAC;;;;;;;;;;;;;AAcD,SAAgB,cAAc,OAAyB;CACrD,IAAI,MAAM,QAAQ,KAAK,GACrB,OAAO,MAAM,KAAK,MAAM,cAAc,CAAC,CAAC;CAE1C,IAAI,UAAU,QAAQ,OAAO,UAAU,UAAU;EAC/C,MAAM,MAA+B,CAAC;EACtC,KAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,KAAgC,GAAG;GACrE,IAAI,yBAAyB,IAAI,CAAC,GAAG;GACrC,IAAI,oBAAoB,KAAK,CAAC,GAAG;GACjC,IAAI,KAAK,cAAc,CAAC;EAC1B;EACA,OAAO;CACT;CACA,OAAO;AACT"}
@@ -1 +1 @@
1
- {"version":3,"file":"spec-normalize.d.ts","names":[],"sources":["../../src/internals/spec-normalize.ts"],"mappings":";;;;;AAgCA;;;;;;;;;;AAmBA;;;;;AAyBA;;;;;;iBA5CgB,WAAA,CACd,IAAA,EAAM,UAAA,sBACL,IAAA,IAAQ,SAAA;;;;AAiDX;;;iBAhCgB,UAAA,CAAW,IAAA,EAAM,UAAA;;;;;;AA+DjC;;UAtCiB,iBAAA;EAsC2C;EApC1D,IAAA;EAoC4B;EAlC5B,GAAA,EAAK,UAAA,GAAa,iBAAA;AAAA;AAAA,iBAGJ,iBAAA,CACd,IAAA,EAAM,UAAA,sBACL,iBAAA;AAwFH;;;;;;;;;;;;;;AAAA,iBA3DgB,aAAA,CAAc,IAAA,EAAM,UAAA,GAAa,WAAA;;;;;;;;;;;;;;;;;;iBA2DjC,YAAA,CAAa,IAAA,EAAM,UAAA"}
1
+ {"version":3,"file":"spec-normalize.d.ts","names":[],"sources":["../../src/internals/spec-normalize.ts"],"mappings":";;;;;AAgCA;;;;;;;;;AAEoB;AAiBpB;;;;AAA8D;AAyB9D;;;;;;iBA5CgB,WAAA,CACd,IAAA,EAAM,UAAA,sBACL,IAAA,IAAQ,SAAS;;;AA8CiB;AAGrC;;;iBAhCgB,UAAA,CAAW,IAAmC,EAA7B,UAAU;;;;;AAkCvB;AA6BpB;;UAtCiB,iBAAA;EAsC2C;EApC1D,IAAA;EAoC4B;EAlC5B,GAAA,EAAK,UAAA,GAAa,iBAAiB;AAAA;AAAA,iBAGrB,iBAAA,CACd,IAAA,EAAM,UAAA,sBACL,iBAAiB;AAwFpB;;;;AAAgE;;;;;;;;;;AAAhE,iBA3DgB,aAAA,CAAc,IAAA,EAAM,UAAA,GAAa,WAAW;;;;;;;;;;;;;;;;;;iBA2D5C,YAAA,CAAa,IAAmC,EAA7B,UAAU"}
@@ -1 +1 @@
1
- {"version":3,"file":"spec-normalize.js","names":[],"sources":["../../src/internals/spec-normalize.ts"],"sourcesContent":["import type {\n DeploySpec,\n ServiceDef,\n SingleServiceSpec,\n SpecSummary,\n StackSpec,\n} from '../types.js';\n\n/**\n * Spec normalization + summarization helpers. Exports `isStack`,\n * `firstImage`, `normalizeServices`, `summarizeSpec`, and `validateSpec`\n * (the latter surfaces pre-broadcast shape violations).\n *\n * Two spec shapes are supported (frozen in ENG-128's `types.ts`):\n * - **services-map (StackSpec)** — `{ services: { <name>: ServiceDef }, customDomain?, serviceName? }`\n * - **legacy single-service (SingleServiceSpec)** — `{ image, port?, env?, customDomain? }`\n *\n * `normalizeServices` collapses the two shapes into a single iterable form\n * so callers (Plan summary, manifest builder, etc.) walk one structure\n * regardless of which form the user passed.\n *\n * Validation: `validateSpec` throws a plain `TypeError` on shape violations\n * — agent-core has no workspace dep on `@manifest-network/manifest-mcp-core`\n * in PR 1/2 (per parent's REV 1), so `ManifestMCPError` isn't available\n * here. PR 3's high-level `deployApp` re-wraps `TypeError` into\n * `ManifestMCPError(INVALID_CONFIG)` at the public-API boundary.\n */\n\n/**\n * True when `spec` uses the services-map shape (StackSpec). Mirrors\n * `_spec.cjs#isStack`: `services` is a non-null, non-array object.\n */\nexport function isStackSpec(\n spec: DeploySpec | null | undefined,\n): spec is StackSpec {\n if (spec === null || spec === undefined || typeof spec !== 'object')\n return false;\n const services = (spec as { services?: unknown }).services;\n return (\n services !== null &&\n typeof services === 'object' &&\n !Array.isArray(services)\n );\n}\n\n/**\n * Return the canonical first image string for a spec. For legacy single-\n * service: `spec.image`. For stack: the first non-empty `image` in\n * `Object.values(spec.services)`. Returns `null` when neither shape\n * carries an image (or `spec` is malformed).\n */\nexport function firstImage(spec: DeploySpec | null | undefined): string | null {\n if (spec === null || spec === undefined || typeof spec !== 'object')\n return null;\n const single = spec as Partial<SingleServiceSpec>;\n if (typeof single.image === 'string' && single.image.length > 0) {\n return single.image;\n }\n if (isStackSpec(spec)) {\n for (const svc of Object.values(spec.services)) {\n if (svc !== null && typeof svc === 'object') {\n const image = (svc as Partial<ServiceDef>).image;\n if (typeof image === 'string' && image.length > 0) return image;\n }\n }\n }\n return null;\n}\n\n/**\n * Walk a spec as `[{name, raw}]` where:\n * - `name === null` for legacy single-service (only one entry, raw is the spec itself).\n * - `name === <key>` for each services-map entry; `raw` is the per-service ServiceDef.\n *\n * Stable iteration order matches `Object.entries` (insertion order in v8/modern engines).\n */\nexport interface NormalizedService {\n /** `null` for legacy single-service; the services-map key for stack leases. */\n name: string | null;\n /** The per-service object exactly as the spec stores it. No field projection. */\n raw: ServiceDef | SingleServiceSpec;\n}\n\nexport function normalizeServices(\n spec: DeploySpec | null | undefined,\n): NormalizedService[] {\n if (isStackSpec(spec)) {\n return Object.entries(spec.services).map(([name, raw]) => ({\n name,\n raw: (raw ?? {}) as ServiceDef,\n }));\n }\n return [\n {\n name: null,\n raw: (spec ?? {}) as SingleServiceSpec,\n },\n ];\n}\n\n/**\n * Produce the frozen `SpecSummary` shape for inclusion in the `Plan`\n * (camelCase fields: `serviceCount`, etc.).\n *\n * Port count rules:\n * - SingleServiceSpec `port: number` → +1 port.\n * - SingleServiceSpec `port: number[]` → +length ports.\n * - ServiceDef `ports: number[]` (per type) → +length ports.\n * - ServiceDef `ports` shaped as a Record (older codepath) → +key count.\n *\n * Env key uniqueness is computed across services (one `env_keys` set\n * spans the whole spec); `envCount` is the size of that set; `envKeys`\n * is sorted ascending.\n */\nexport function summarizeSpec(spec: DeploySpec): SpecSummary {\n const format: 'single' | 'stack' = isStackSpec(spec) ? 'stack' : 'single';\n const services = normalizeServices(spec);\n\n let portCount = 0;\n const envKeys = new Set<string>();\n const images: string[] = [];\n\n for (const { raw: svc } of services) {\n if (svc !== null && typeof svc === 'object') {\n const svcRecord = svc as unknown as Record<string, unknown>;\n const image = svcRecord.image;\n if (typeof image === 'string' && image.length > 0) images.push(image);\n\n const port = svcRecord.port;\n if (typeof port === 'number') portCount += 1;\n else if (Array.isArray(port)) portCount += port.length;\n\n const ports = svcRecord.ports;\n if (Array.isArray(ports)) {\n portCount += ports.length;\n } else if (ports !== null && typeof ports === 'object') {\n portCount += Object.keys(ports).length;\n }\n\n const env = svcRecord.env;\n if (env !== null && typeof env === 'object' && !Array.isArray(env)) {\n for (const k of Object.keys(env)) envKeys.add(k);\n }\n }\n }\n\n return {\n format,\n serviceCount: services.length,\n portCount,\n envCount: envKeys.size,\n envKeys: Array.from(envKeys).sort(),\n images,\n };\n}\n\n/**\n * Validate a `DeploySpec` shape pre-broadcast. Throws `TypeError` on the\n * first violation. The frozen type union (`SingleServiceSpec | StackSpec`)\n * already enforces most structural rules at compile time; this runtime\n * check defends against `unknown`-cast callers and `JSON.parse`-decoded\n * inputs.\n *\n * Rules (mirror fred's `deployApp.ts` input validation):\n * - `spec` must be a non-null object.\n * - Stack: `services` must have ≥1 entry; each entry's `image` must be a\n * non-empty string.\n * - Single: `image` must be a non-empty string.\n * - Mutually exclusive `image` AND `services` not allowed.\n *\n * The high-level `deployApp` in PR 3 layers domain checks on top\n * (`customDomain` shape, `serviceName` membership, etc.).\n */\nexport function validateSpec(spec: DeploySpec | null | undefined): void {\n if (spec === null || spec === undefined || typeof spec !== 'object') {\n throw new TypeError('validateSpec: spec must be a non-null object');\n }\n const record = spec as unknown as Record<string, unknown>;\n\n // Mutual-exclusion gate uses KEY presence (not value validity). This\n // closes the bypass where a caller supplies a malformed `image` value\n // (empty string, number, null) alongside a valid `services` map: the\n // value-based check would silently treat `image` as \"absent\" and accept\n // the spec, but the caller's intent was ambiguous (which shape did they\n // mean?). Rejecting on key-presence forces the caller to delete one key\n // before submission and removes the ambiguity.\n const hasImageKey = 'image' in record;\n const hasServicesKey = 'services' in record;\n if (hasImageKey && hasServicesKey) {\n throw new TypeError(\n 'validateSpec: spec has both `image` and `services` keys; these are mutually exclusive (regardless of value validity)',\n );\n }\n\n // Downstream value-validity check (after the mutual-exclusion gate has\n // ruled out the ambiguous case). An `image` key with a non-string or\n // empty-string value still fails here when `services` is absent.\n const hasImage = typeof record.image === 'string' && record.image.length > 0;\n const hasServices = isStackSpec(spec);\n if (!hasImage && !hasServices) {\n throw new TypeError(\n 'validateSpec: spec must declare either `image` (SingleServiceSpec) or `services` (StackSpec)',\n );\n }\n\n // Copilot review fix (PR #58 r3266786899): `customDomain` shape at\n // the boundary. The orchestrator's `buildFredDeployInput`\n // (`deploy-app.ts:701`) uses a `if (customDomain)` truthiness check,\n // which silently drops `''`, `null`, `false`, `0`, `NaN` from the\n // emitted `fredInput`. A user spec like `{ ..., customDomain: '' }`\n // passes validation today, fred receives `fredInput` WITHOUT the\n // domain, deploy proceeds — the user's requested domain silently\n // not claimed, no error signal.\n //\n // Boundary check: when `customDomain` is present, it must be a\n // non-empty string. `undefined` (key absent) is fine; that's the\n // \"no domain requested\" case. Fires before the stack-customDomain\n // serviceName check (r3249684707) so the user gets a clear\n // customDomain-shape error rather than a misleading\n // requires-serviceName one.\n // Copilot review fix (PR #58 r3267373001): reject whitespace-only\n // strings AND strings with surrounding whitespace (option (i) from\n // the team-lead's brief — strict; let the caller send a clean,\n // already-trimmed value rather than silently trim for them). The\n // prior `cd.length === 0` predicate accepted `' '`, `'\\t\\n'`,\n // and `' app.example.com '`; fred would either accept the\n // surrounding whitespace as part of the domain (correctness bug)\n // or trim-and-reject (worse UX than agent-core's clear error).\n if ('customDomain' in record) {\n const cd = record.customDomain;\n if (cd !== undefined) {\n const isCleanNonEmptyString =\n typeof cd === 'string' && cd.length > 0 && cd.trim() === cd;\n if (!isCleanNonEmptyString) {\n const got =\n typeof cd === 'string'\n ? cd.trim().length === 0\n ? `\"${cd}\"`\n : `\"${cd}\" (has surrounding whitespace)`\n : cd === null\n ? 'null'\n : typeof cd;\n throw new TypeError(\n `validateSpec: \\`customDomain\\` must be a non-empty trimmed string or absent (got ${got}).`,\n );\n }\n }\n }\n\n if (hasServices) {\n const entries = Object.entries(spec.services);\n if (entries.length === 0) {\n throw new TypeError(\n 'validateSpec: stack spec `services` must have at least one entry',\n );\n }\n for (const [name, svc] of entries) {\n if (svc === null || typeof svc !== 'object') {\n throw new TypeError(\n `validateSpec: stack service \"${name}\" must be a non-null object`,\n );\n }\n const image = (svc as Partial<ServiceDef>).image;\n if (typeof image !== 'string' || image.length === 0) {\n throw new TypeError(\n `validateSpec: stack service \"${name}\" must declare a non-empty \\`image\\` string`,\n );\n }\n }\n\n // Copilot review fix (PR #58 r3249684707): a stack spec with a\n // `customDomain` MUST declare which service receives the domain\n // via `serviceName`, and that value must be a key in `services`.\n // Without this guard, `customDomainServiceOf` in `deploy-app.ts`\n // returns `undefined`, planning proceeds with no target, renderers\n // misrepresent the claim, and fred rejects the set-domain tx\n // ONLY after `create-lease` commits — leaving the user with an\n // orphan lease + a failed domain claim. Catching this at\n // validate-time is fail-fast at the boundary.\n //\n // Single-service specs are unaffected: their `customDomain` is\n // claimed against the implicit single lease item — no\n // serviceName disambiguation needed.\n const stackDomain = (spec as Partial<StackSpec>).customDomain;\n if (typeof stackDomain === 'string' && stackDomain.length > 0) {\n const stackServiceName = (spec as Partial<StackSpec>).serviceName;\n if (\n typeof stackServiceName !== 'string' ||\n stackServiceName.length === 0\n ) {\n throw new TypeError(\n 'validateSpec: stack spec with `customDomain` requires `serviceName` identifying which service receives the domain.',\n );\n }\n // Copilot review fix (PR #58 r3250331968): use an own-key check.\n // The `in` operator walks the prototype chain, so `serviceName:\n // 'constructor'` (or `'toString'`, `'hasOwnProperty'`, etc.)\n // would falsely pass against a `services` map that doesn't\n // declare those names. Mirrors fred's own choice at\n // `packages/fred/src/tools/deployApp.ts:254` for cross-package\n // symmetry. `Object.keys().includes()` (not `Object.hasOwn`,\n // which is ES2022 and our `tsdown.config.ts` targets ES2020).\n if (!Object.keys(spec.services).includes(stackServiceName)) {\n throw new TypeError(\n `validateSpec: stack spec \\`serviceName\\` \"${stackServiceName}\" must be a key in \\`services\\` (got services: [${Object.keys(spec.services).join(', ')}]).`,\n );\n }\n }\n } else {\n // Single-service spec port requirement.\n //\n // Copilot review fix (PR #58 r3249097051): fred's image-mode rejects\n // portless inputs with `port is required when using image`\n // (`packages/fred/src/tools/deployApp.ts:202` +\n // `packages/fred/src/tools/buildManifestPreview.ts:181`). Without\n // an agent-core boundary check the orchestrator silently passed\n // `port: undefined` through `buildManifestPreviewInput` /\n // `buildFredDeployInput`, surfacing fred's error mid-orchestration\n // (after readiness check + plan render). Failing fast at validate\n // time produces a clearer message and avoids partial work.\n //\n // The escape hatch for genuinely internal-only services is the\n // stack spec — service-level `ports` is optional, so a stack with\n // `{ services: { mysvc: { image, env } } }` deploys without ports.\n //\n // Copilot review fix (PR #58 r3249294877): tighten the predicate to\n // a finite positive integer in the TCP port range. The prior\n // `typeof p === 'number'` check accepted `0`, `NaN`, `Infinity`,\n // negative numbers, non-integers, and out-of-range ports —\n // partially defeating the fail-fast intent. Fred catches `port: 0`\n // via `!input.port`, but the other shapes either flow through to a\n // less helpful error or get coerced silently. The shared predicate\n // `isValidPortNumber` (below) is the single source of truth.\n const port = (spec as Partial<SingleServiceSpec>).port;\n const hasValidPort =\n isValidPortNumber(port) ||\n (Array.isArray(port) && port.length > 0 && port.every(isValidPortNumber));\n if (!hasValidPort) {\n throw new TypeError(\n 'validateSpec: single-service specs require at least one port (port must be a finite positive integer in the TCP range (1-65535), or a non-empty array of such); got ' +\n `port=${JSON.stringify(port)}. For internal-only services, use a stack spec instead.`,\n );\n }\n }\n}\n\n/**\n * Predicate: `p` is a finite positive integer in the TCP port range\n * (1-65535). Used by `validateSpec` to gate single-service `port`\n * shapes against the broad `typeof === 'number'` bypass.\n *\n * Co-located in this module because it's exclusive to the port-\n * validation boundary; if a future caller needs the same check,\n * promote it to a shared utility then.\n */\nfunction isValidPortNumber(p: unknown): p is number {\n return typeof p === 'number' && Number.isInteger(p) && p > 0 && p <= 65535;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAgCA,SAAgB,YACd,MACmB;AACnB,KAAI,SAAS,QAAQ,SAAS,KAAA,KAAa,OAAO,SAAS,SACzD,QAAO;CACT,MAAM,WAAY,KAAgC;AAClD,QACE,aAAa,QACb,OAAO,aAAa,YACpB,CAAC,MAAM,QAAQ,SAAS;;;;;;;;AAU5B,SAAgB,WAAW,MAAoD;AAC7E,KAAI,SAAS,QAAQ,SAAS,KAAA,KAAa,OAAO,SAAS,SACzD,QAAO;CACT,MAAM,SAAS;AACf,KAAI,OAAO,OAAO,UAAU,YAAY,OAAO,MAAM,SAAS,EAC5D,QAAO,OAAO;AAEhB,KAAI,YAAY,KAAK;OACd,MAAM,OAAO,OAAO,OAAO,KAAK,SAAS,CAC5C,KAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;GAC3C,MAAM,QAAS,IAA4B;AAC3C,OAAI,OAAO,UAAU,YAAY,MAAM,SAAS,EAAG,QAAO;;;AAIhE,QAAO;;AAiBT,SAAgB,kBACd,MACqB;AACrB,KAAI,YAAY,KAAK,CACnB,QAAO,OAAO,QAAQ,KAAK,SAAS,CAAC,KAAK,CAAC,MAAM,UAAU;EACzD;EACA,KAAM,OAAO,EAAE;EAChB,EAAE;AAEL,QAAO,CACL;EACE,MAAM;EACN,KAAM,QAAQ,EAAE;EACjB,CACF;;;;;;;;;;;;;;;;AAiBH,SAAgB,cAAc,MAA+B;CAC3D,MAAM,SAA6B,YAAY,KAAK,GAAG,UAAU;CACjE,MAAM,WAAW,kBAAkB,KAAK;CAExC,IAAI,YAAY;CAChB,MAAM,0BAAU,IAAI,KAAa;CACjC,MAAM,SAAmB,EAAE;AAE3B,MAAK,MAAM,EAAE,KAAK,SAAS,SACzB,KAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;EAC3C,MAAM,YAAY;EAClB,MAAM,QAAQ,UAAU;AACxB,MAAI,OAAO,UAAU,YAAY,MAAM,SAAS,EAAG,QAAO,KAAK,MAAM;EAErE,MAAM,OAAO,UAAU;AACvB,MAAI,OAAO,SAAS,SAAU,cAAa;WAClC,MAAM,QAAQ,KAAK,CAAE,cAAa,KAAK;EAEhD,MAAM,QAAQ,UAAU;AACxB,MAAI,MAAM,QAAQ,MAAM,CACtB,cAAa,MAAM;WACV,UAAU,QAAQ,OAAO,UAAU,SAC5C,cAAa,OAAO,KAAK,MAAM,CAAC;EAGlC,MAAM,MAAM,UAAU;AACtB,MAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,CAAC,MAAM,QAAQ,IAAI,CAChE,MAAK,MAAM,KAAK,OAAO,KAAK,IAAI,CAAE,SAAQ,IAAI,EAAE;;AAKtD,QAAO;EACL;EACA,cAAc,SAAS;EACvB;EACA,UAAU,QAAQ;EAClB,SAAS,MAAM,KAAK,QAAQ,CAAC,MAAM;EACnC;EACD;;;;;;;;;;;;;;;;;;;AAoBH,SAAgB,aAAa,MAA2C;AACtE,KAAI,SAAS,QAAQ,SAAS,KAAA,KAAa,OAAO,SAAS,SACzD,OAAM,IAAI,UAAU,+CAA+C;CAErE,MAAM,SAAS;CASf,MAAM,cAAc,WAAW;CAC/B,MAAM,iBAAiB,cAAc;AACrC,KAAI,eAAe,eACjB,OAAM,IAAI,UACR,uHACD;CAMH,MAAM,WAAW,OAAO,OAAO,UAAU,YAAY,OAAO,MAAM,SAAS;CAC3E,MAAM,cAAc,YAAY,KAAK;AACrC,KAAI,CAAC,YAAY,CAAC,YAChB,OAAM,IAAI,UACR,+FACD;AA0BH,KAAI,kBAAkB,QAAQ;EAC5B,MAAM,KAAK,OAAO;AAClB,MAAI,OAAO,KAAA;OAGL,EADF,OAAO,OAAO,YAAY,GAAG,SAAS,KAAK,GAAG,MAAM,KAAK,KAC/B;IAC1B,MAAM,MACJ,OAAO,OAAO,WACV,GAAG,MAAM,CAAC,WAAW,IACnB,IAAI,GAAG,KACP,IAAI,GAAG,kCACT,OAAO,OACL,SACA,OAAO;AACf,UAAM,IAAI,UACR,oFAAoF,IAAI,IACzF;;;;AAKP,KAAI,aAAa;EACf,MAAM,UAAU,OAAO,QAAQ,KAAK,SAAS;AAC7C,MAAI,QAAQ,WAAW,EACrB,OAAM,IAAI,UACR,mEACD;AAEH,OAAK,MAAM,CAAC,MAAM,QAAQ,SAAS;AACjC,OAAI,QAAQ,QAAQ,OAAO,QAAQ,SACjC,OAAM,IAAI,UACR,gCAAgC,KAAK,6BACtC;GAEH,MAAM,QAAS,IAA4B;AAC3C,OAAI,OAAO,UAAU,YAAY,MAAM,WAAW,EAChD,OAAM,IAAI,UACR,gCAAgC,KAAK,6CACtC;;EAiBL,MAAM,cAAe,KAA4B;AACjD,MAAI,OAAO,gBAAgB,YAAY,YAAY,SAAS,GAAG;GAC7D,MAAM,mBAAoB,KAA4B;AACtD,OACE,OAAO,qBAAqB,YAC5B,iBAAiB,WAAW,EAE5B,OAAM,IAAI,UACR,qHACD;AAUH,OAAI,CAAC,OAAO,KAAK,KAAK,SAAS,CAAC,SAAS,iBAAiB,CACxD,OAAM,IAAI,UACR,6CAA6C,iBAAiB,kDAAkD,OAAO,KAAK,KAAK,SAAS,CAAC,KAAK,KAAK,CAAC,KACvJ;;QAGA;EAyBL,MAAM,OAAQ,KAAoC;AAIlD,MAAI,EAFF,kBAAkB,KAAK,IACtB,MAAM,QAAQ,KAAK,IAAI,KAAK,SAAS,KAAK,KAAK,MAAM,kBAAkB,EAExE,OAAM,IAAI,UACR,4KACU,KAAK,UAAU,KAAK,CAAC,yDAChC;;;;;;;;;;;;AAcP,SAAS,kBAAkB,GAAyB;AAClD,QAAO,OAAO,MAAM,YAAY,OAAO,UAAU,EAAE,IAAI,IAAI,KAAK,KAAK"}
1
+ {"version":3,"file":"spec-normalize.js","names":[],"sources":["../../src/internals/spec-normalize.ts"],"sourcesContent":["import type {\n DeploySpec,\n ServiceDef,\n SingleServiceSpec,\n SpecSummary,\n StackSpec,\n} from '../types.js';\n\n/**\n * Spec normalization + summarization helpers. Exports `isStack`,\n * `firstImage`, `normalizeServices`, `summarizeSpec`, and `validateSpec`\n * (the latter surfaces pre-broadcast shape violations).\n *\n * Two spec shapes are supported (frozen in ENG-128's `types.ts`):\n * - **services-map (StackSpec)** — `{ services: { <name>: ServiceDef }, customDomain?, serviceName? }`\n * - **legacy single-service (SingleServiceSpec)** — `{ image, port?, env?, customDomain? }`\n *\n * `normalizeServices` collapses the two shapes into a single iterable form\n * so callers (Plan summary, manifest builder, etc.) walk one structure\n * regardless of which form the user passed.\n *\n * Validation: `validateSpec` throws a plain `TypeError` on shape violations\n * — agent-core has no workspace dep on `@manifest-network/manifest-mcp-core`\n * in PR 1/2 (per parent's REV 1), so `ManifestMCPError` isn't available\n * here. PR 3's high-level `deployApp` re-wraps `TypeError` into\n * `ManifestMCPError(INVALID_CONFIG)` at the public-API boundary.\n */\n\n/**\n * True when `spec` uses the services-map shape (StackSpec). Mirrors\n * `_spec.cjs#isStack`: `services` is a non-null, non-array object.\n */\nexport function isStackSpec(\n spec: DeploySpec | null | undefined,\n): spec is StackSpec {\n if (spec === null || spec === undefined || typeof spec !== 'object')\n return false;\n const services = (spec as { services?: unknown }).services;\n return (\n services !== null &&\n typeof services === 'object' &&\n !Array.isArray(services)\n );\n}\n\n/**\n * Return the canonical first image string for a spec. For legacy single-\n * service: `spec.image`. For stack: the first non-empty `image` in\n * `Object.values(spec.services)`. Returns `null` when neither shape\n * carries an image (or `spec` is malformed).\n */\nexport function firstImage(spec: DeploySpec | null | undefined): string | null {\n if (spec === null || spec === undefined || typeof spec !== 'object')\n return null;\n const single = spec as Partial<SingleServiceSpec>;\n if (typeof single.image === 'string' && single.image.length > 0) {\n return single.image;\n }\n if (isStackSpec(spec)) {\n for (const svc of Object.values(spec.services)) {\n if (svc !== null && typeof svc === 'object') {\n const image = (svc as Partial<ServiceDef>).image;\n if (typeof image === 'string' && image.length > 0) return image;\n }\n }\n }\n return null;\n}\n\n/**\n * Walk a spec as `[{name, raw}]` where:\n * - `name === null` for legacy single-service (only one entry, raw is the spec itself).\n * - `name === <key>` for each services-map entry; `raw` is the per-service ServiceDef.\n *\n * Stable iteration order matches `Object.entries` (insertion order in v8/modern engines).\n */\nexport interface NormalizedService {\n /** `null` for legacy single-service; the services-map key for stack leases. */\n name: string | null;\n /** The per-service object exactly as the spec stores it. No field projection. */\n raw: ServiceDef | SingleServiceSpec;\n}\n\nexport function normalizeServices(\n spec: DeploySpec | null | undefined,\n): NormalizedService[] {\n if (isStackSpec(spec)) {\n return Object.entries(spec.services).map(([name, raw]) => ({\n name,\n raw: (raw ?? {}) as ServiceDef,\n }));\n }\n return [\n {\n name: null,\n raw: (spec ?? {}) as SingleServiceSpec,\n },\n ];\n}\n\n/**\n * Produce the frozen `SpecSummary` shape for inclusion in the `Plan`\n * (camelCase fields: `serviceCount`, etc.).\n *\n * Port count rules:\n * - SingleServiceSpec `port: number` → +1 port.\n * - SingleServiceSpec `port: number[]` → +length ports.\n * - ServiceDef `ports: number[]` (per type) → +length ports.\n * - ServiceDef `ports` shaped as a Record (older codepath) → +key count.\n *\n * Env key uniqueness is computed across services (one `env_keys` set\n * spans the whole spec); `envCount` is the size of that set; `envKeys`\n * is sorted ascending.\n */\nexport function summarizeSpec(spec: DeploySpec): SpecSummary {\n const format: 'single' | 'stack' = isStackSpec(spec) ? 'stack' : 'single';\n const services = normalizeServices(spec);\n\n let portCount = 0;\n const envKeys = new Set<string>();\n const images: string[] = [];\n\n for (const { raw: svc } of services) {\n if (svc !== null && typeof svc === 'object') {\n const svcRecord = svc as unknown as Record<string, unknown>;\n const image = svcRecord.image;\n if (typeof image === 'string' && image.length > 0) images.push(image);\n\n const port = svcRecord.port;\n if (typeof port === 'number') portCount += 1;\n else if (Array.isArray(port)) portCount += port.length;\n\n const ports = svcRecord.ports;\n if (Array.isArray(ports)) {\n portCount += ports.length;\n } else if (ports !== null && typeof ports === 'object') {\n portCount += Object.keys(ports).length;\n }\n\n const env = svcRecord.env;\n if (env !== null && typeof env === 'object' && !Array.isArray(env)) {\n for (const k of Object.keys(env)) envKeys.add(k);\n }\n }\n }\n\n return {\n format,\n serviceCount: services.length,\n portCount,\n envCount: envKeys.size,\n envKeys: Array.from(envKeys).sort(),\n images,\n };\n}\n\n/**\n * Validate a `DeploySpec` shape pre-broadcast. Throws `TypeError` on the\n * first violation. The frozen type union (`SingleServiceSpec | StackSpec`)\n * already enforces most structural rules at compile time; this runtime\n * check defends against `unknown`-cast callers and `JSON.parse`-decoded\n * inputs.\n *\n * Rules (mirror fred's `deployApp.ts` input validation):\n * - `spec` must be a non-null object.\n * - Stack: `services` must have ≥1 entry; each entry's `image` must be a\n * non-empty string.\n * - Single: `image` must be a non-empty string.\n * - Mutually exclusive `image` AND `services` not allowed.\n *\n * The high-level `deployApp` in PR 3 layers domain checks on top\n * (`customDomain` shape, `serviceName` membership, etc.).\n */\nexport function validateSpec(spec: DeploySpec | null | undefined): void {\n if (spec === null || spec === undefined || typeof spec !== 'object') {\n throw new TypeError('validateSpec: spec must be a non-null object');\n }\n const record = spec as unknown as Record<string, unknown>;\n\n // Mutual-exclusion gate uses KEY presence (not value validity). This\n // closes the bypass where a caller supplies a malformed `image` value\n // (empty string, number, null) alongside a valid `services` map: the\n // value-based check would silently treat `image` as \"absent\" and accept\n // the spec, but the caller's intent was ambiguous (which shape did they\n // mean?). Rejecting on key-presence forces the caller to delete one key\n // before submission and removes the ambiguity.\n const hasImageKey = 'image' in record;\n const hasServicesKey = 'services' in record;\n if (hasImageKey && hasServicesKey) {\n throw new TypeError(\n 'validateSpec: spec has both `image` and `services` keys; these are mutually exclusive (regardless of value validity)',\n );\n }\n\n // Downstream value-validity check (after the mutual-exclusion gate has\n // ruled out the ambiguous case). An `image` key with a non-string or\n // empty-string value still fails here when `services` is absent.\n const hasImage = typeof record.image === 'string' && record.image.length > 0;\n const hasServices = isStackSpec(spec);\n if (!hasImage && !hasServices) {\n throw new TypeError(\n 'validateSpec: spec must declare either `image` (SingleServiceSpec) or `services` (StackSpec)',\n );\n }\n\n // Copilot review fix (PR #58 r3266786899): `customDomain` shape at\n // the boundary. The orchestrator's `buildFredDeployInput`\n // (`deploy-app.ts:701`) uses a `if (customDomain)` truthiness check,\n // which silently drops `''`, `null`, `false`, `0`, `NaN` from the\n // emitted `fredInput`. A user spec like `{ ..., customDomain: '' }`\n // passes validation today, fred receives `fredInput` WITHOUT the\n // domain, deploy proceeds — the user's requested domain silently\n // not claimed, no error signal.\n //\n // Boundary check: when `customDomain` is present, it must be a\n // non-empty string. `undefined` (key absent) is fine; that's the\n // \"no domain requested\" case. Fires before the stack-customDomain\n // serviceName check (r3249684707) so the user gets a clear\n // customDomain-shape error rather than a misleading\n // requires-serviceName one.\n // Copilot review fix (PR #58 r3267373001): reject whitespace-only\n // strings AND strings with surrounding whitespace (option (i) from\n // the team-lead's brief — strict; let the caller send a clean,\n // already-trimmed value rather than silently trim for them). The\n // prior `cd.length === 0` predicate accepted `' '`, `'\\t\\n'`,\n // and `' app.example.com '`; fred would either accept the\n // surrounding whitespace as part of the domain (correctness bug)\n // or trim-and-reject (worse UX than agent-core's clear error).\n if ('customDomain' in record) {\n const cd = record.customDomain;\n if (cd !== undefined) {\n const isCleanNonEmptyString =\n typeof cd === 'string' && cd.length > 0 && cd.trim() === cd;\n if (!isCleanNonEmptyString) {\n const got =\n typeof cd === 'string'\n ? cd.trim().length === 0\n ? `\"${cd}\"`\n : `\"${cd}\" (has surrounding whitespace)`\n : cd === null\n ? 'null'\n : typeof cd;\n throw new TypeError(\n `validateSpec: \\`customDomain\\` must be a non-empty trimmed string or absent (got ${got}).`,\n );\n }\n }\n }\n\n if (hasServices) {\n const entries = Object.entries(spec.services);\n if (entries.length === 0) {\n throw new TypeError(\n 'validateSpec: stack spec `services` must have at least one entry',\n );\n }\n for (const [name, svc] of entries) {\n if (svc === null || typeof svc !== 'object') {\n throw new TypeError(\n `validateSpec: stack service \"${name}\" must be a non-null object`,\n );\n }\n const image = (svc as Partial<ServiceDef>).image;\n if (typeof image !== 'string' || image.length === 0) {\n throw new TypeError(\n `validateSpec: stack service \"${name}\" must declare a non-empty \\`image\\` string`,\n );\n }\n }\n\n // Copilot review fix (PR #58 r3249684707): a stack spec with a\n // `customDomain` MUST declare which service receives the domain\n // via `serviceName`, and that value must be a key in `services`.\n // Without this guard, `customDomainServiceOf` in `deploy-app.ts`\n // returns `undefined`, planning proceeds with no target, renderers\n // misrepresent the claim, and fred rejects the set-domain tx\n // ONLY after `create-lease` commits — leaving the user with an\n // orphan lease + a failed domain claim. Catching this at\n // validate-time is fail-fast at the boundary.\n //\n // Single-service specs are unaffected: their `customDomain` is\n // claimed against the implicit single lease item — no\n // serviceName disambiguation needed.\n const stackDomain = (spec as Partial<StackSpec>).customDomain;\n if (typeof stackDomain === 'string' && stackDomain.length > 0) {\n const stackServiceName = (spec as Partial<StackSpec>).serviceName;\n if (\n typeof stackServiceName !== 'string' ||\n stackServiceName.length === 0\n ) {\n throw new TypeError(\n 'validateSpec: stack spec with `customDomain` requires `serviceName` identifying which service receives the domain.',\n );\n }\n // Copilot review fix (PR #58 r3250331968): use an own-key check.\n // The `in` operator walks the prototype chain, so `serviceName:\n // 'constructor'` (or `'toString'`, `'hasOwnProperty'`, etc.)\n // would falsely pass against a `services` map that doesn't\n // declare those names. Mirrors fred's own choice at\n // `packages/fred/src/tools/deployApp.ts:254` for cross-package\n // symmetry. `Object.keys().includes()` (not `Object.hasOwn`,\n // which is ES2022 and our `tsdown.config.ts` targets ES2020).\n if (!Object.keys(spec.services).includes(stackServiceName)) {\n throw new TypeError(\n `validateSpec: stack spec \\`serviceName\\` \"${stackServiceName}\" must be a key in \\`services\\` (got services: [${Object.keys(spec.services).join(', ')}]).`,\n );\n }\n }\n } else {\n // Single-service spec port requirement.\n //\n // Copilot review fix (PR #58 r3249097051): fred's image-mode rejects\n // portless inputs with `port is required when using image`\n // (`packages/fred/src/tools/deployApp.ts:202` +\n // `packages/fred/src/tools/buildManifestPreview.ts:181`). Without\n // an agent-core boundary check the orchestrator silently passed\n // `port: undefined` through `buildManifestPreviewInput` /\n // `buildFredDeployInput`, surfacing fred's error mid-orchestration\n // (after readiness check + plan render). Failing fast at validate\n // time produces a clearer message and avoids partial work.\n //\n // The escape hatch for genuinely internal-only services is the\n // stack spec — service-level `ports` is optional, so a stack with\n // `{ services: { mysvc: { image, env } } }` deploys without ports.\n //\n // Copilot review fix (PR #58 r3249294877): tighten the predicate to\n // a finite positive integer in the TCP port range. The prior\n // `typeof p === 'number'` check accepted `0`, `NaN`, `Infinity`,\n // negative numbers, non-integers, and out-of-range ports —\n // partially defeating the fail-fast intent. Fred catches `port: 0`\n // via `!input.port`, but the other shapes either flow through to a\n // less helpful error or get coerced silently. The shared predicate\n // `isValidPortNumber` (below) is the single source of truth.\n const port = (spec as Partial<SingleServiceSpec>).port;\n const hasValidPort =\n isValidPortNumber(port) ||\n (Array.isArray(port) && port.length > 0 && port.every(isValidPortNumber));\n if (!hasValidPort) {\n throw new TypeError(\n 'validateSpec: single-service specs require at least one port (port must be a finite positive integer in the TCP range (1-65535), or a non-empty array of such); got ' +\n `port=${JSON.stringify(port)}. For internal-only services, use a stack spec instead.`,\n );\n }\n }\n}\n\n/**\n * Predicate: `p` is a finite positive integer in the TCP port range\n * (1-65535). Used by `validateSpec` to gate single-service `port`\n * shapes against the broad `typeof === 'number'` bypass.\n *\n * Co-located in this module because it's exclusive to the port-\n * validation boundary; if a future caller needs the same check,\n * promote it to a shared utility then.\n */\nfunction isValidPortNumber(p: unknown): p is number {\n return typeof p === 'number' && Number.isInteger(p) && p > 0 && p <= 65535;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAgCA,SAAgB,YACd,MACmB;CACnB,IAAI,SAAS,QAAQ,SAAS,KAAA,KAAa,OAAO,SAAS,UACzD,OAAO;CACT,MAAM,WAAY,KAAgC;CAClD,OACE,aAAa,QACb,OAAO,aAAa,YACpB,CAAC,MAAM,QAAQ,QAAQ;AAE3B;;;;;;;AAQA,SAAgB,WAAW,MAAoD;CAC7E,IAAI,SAAS,QAAQ,SAAS,KAAA,KAAa,OAAO,SAAS,UACzD,OAAO;CACT,MAAM,SAAS;CACf,IAAI,OAAO,OAAO,UAAU,YAAY,OAAO,MAAM,SAAS,GAC5D,OAAO,OAAO;CAEhB,IAAI,YAAY,IAAI;OACb,MAAM,OAAO,OAAO,OAAO,KAAK,QAAQ,GAC3C,IAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;GAC3C,MAAM,QAAS,IAA4B;GAC3C,IAAI,OAAO,UAAU,YAAY,MAAM,SAAS,GAAG,OAAO;EAC5D;;CAGJ,OAAO;AACT;AAgBA,SAAgB,kBACd,MACqB;CACrB,IAAI,YAAY,IAAI,GAClB,OAAO,OAAO,QAAQ,KAAK,QAAQ,EAAE,KAAK,CAAC,MAAM,UAAU;EACzD;EACA,KAAM,OAAO,CAAC;CAChB,EAAE;CAEJ,OAAO,CACL;EACE,MAAM;EACN,KAAM,QAAQ,CAAC;CACjB,CACF;AACF;;;;;;;;;;;;;;;AAgBA,SAAgB,cAAc,MAA+B;CAC3D,MAAM,SAA6B,YAAY,IAAI,IAAI,UAAU;CACjE,MAAM,WAAW,kBAAkB,IAAI;CAEvC,IAAI,YAAY;CAChB,MAAM,0BAAU,IAAI,IAAY;CAChC,MAAM,SAAmB,CAAC;CAE1B,KAAK,MAAM,EAAE,KAAK,SAAS,UACzB,IAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;EAC3C,MAAM,YAAY;EAClB,MAAM,QAAQ,UAAU;EACxB,IAAI,OAAO,UAAU,YAAY,MAAM,SAAS,GAAG,OAAO,KAAK,KAAK;EAEpE,MAAM,OAAO,UAAU;EACvB,IAAI,OAAO,SAAS,UAAU,aAAa;OACtC,IAAI,MAAM,QAAQ,IAAI,GAAG,aAAa,KAAK;EAEhD,MAAM,QAAQ,UAAU;EACxB,IAAI,MAAM,QAAQ,KAAK,GACrB,aAAa,MAAM;OACd,IAAI,UAAU,QAAQ,OAAO,UAAU,UAC5C,aAAa,OAAO,KAAK,KAAK,EAAE;EAGlC,MAAM,MAAM,UAAU;EACtB,IAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,CAAC,MAAM,QAAQ,GAAG,GAC/D,KAAK,MAAM,KAAK,OAAO,KAAK,GAAG,GAAG,QAAQ,IAAI,CAAC;CAEnD;CAGF,OAAO;EACL;EACA,cAAc,SAAS;EACvB;EACA,UAAU,QAAQ;EAClB,SAAS,MAAM,KAAK,OAAO,EAAE,KAAK;EAClC;CACF;AACF;;;;;;;;;;;;;;;;;;AAmBA,SAAgB,aAAa,MAA2C;CACtE,IAAI,SAAS,QAAQ,SAAS,KAAA,KAAa,OAAO,SAAS,UACzD,MAAM,IAAI,UAAU,8CAA8C;CAEpE,MAAM,SAAS;CASf,MAAM,cAAc,WAAW;CAC/B,MAAM,iBAAiB,cAAc;CACrC,IAAI,eAAe,gBACjB,MAAM,IAAI,UACR,sHACF;CAMF,MAAM,WAAW,OAAO,OAAO,UAAU,YAAY,OAAO,MAAM,SAAS;CAC3E,MAAM,cAAc,YAAY,IAAI;CACpC,IAAI,CAAC,YAAY,CAAC,aAChB,MAAM,IAAI,UACR,8FACF;CA0BF,IAAI,kBAAkB,QAAQ;EAC5B,MAAM,KAAK,OAAO;EAClB,IAAI,OAAO,KAAA;OAGL,EADF,OAAO,OAAO,YAAY,GAAG,SAAS,KAAK,GAAG,KAAK,MAAM,KAC/B;IAC1B,MAAM,MACJ,OAAO,OAAO,WACV,GAAG,KAAK,EAAE,WAAW,IACnB,IAAI,GAAG,KACP,IAAI,GAAG,kCACT,OAAO,OACL,SACA,OAAO;IACf,MAAM,IAAI,UACR,oFAAoF,IAAI,GAC1F;GACF;;CAEJ;CAEA,IAAI,aAAa;EACf,MAAM,UAAU,OAAO,QAAQ,KAAK,QAAQ;EAC5C,IAAI,QAAQ,WAAW,GACrB,MAAM,IAAI,UACR,kEACF;EAEF,KAAK,MAAM,CAAC,MAAM,QAAQ,SAAS;GACjC,IAAI,QAAQ,QAAQ,OAAO,QAAQ,UACjC,MAAM,IAAI,UACR,gCAAgC,KAAK,4BACvC;GAEF,MAAM,QAAS,IAA4B;GAC3C,IAAI,OAAO,UAAU,YAAY,MAAM,WAAW,GAChD,MAAM,IAAI,UACR,gCAAgC,KAAK,4CACvC;EAEJ;EAeA,MAAM,cAAe,KAA4B;EACjD,IAAI,OAAO,gBAAgB,YAAY,YAAY,SAAS,GAAG;GAC7D,MAAM,mBAAoB,KAA4B;GACtD,IACE,OAAO,qBAAqB,YAC5B,iBAAiB,WAAW,GAE5B,MAAM,IAAI,UACR,oHACF;GAUF,IAAI,CAAC,OAAO,KAAK,KAAK,QAAQ,EAAE,SAAS,gBAAgB,GACvD,MAAM,IAAI,UACR,6CAA6C,iBAAiB,kDAAkD,OAAO,KAAK,KAAK,QAAQ,EAAE,KAAK,IAAI,EAAE,IACxJ;EAEJ;CACF,OAAO;EAyBL,MAAM,OAAQ,KAAoC;EAIlD,IAAI,EAFF,kBAAkB,IAAI,KACrB,MAAM,QAAQ,IAAI,KAAK,KAAK,SAAS,KAAK,KAAK,MAAM,iBAAiB,IAEvE,MAAM,IAAI,UACR,4KACU,KAAK,UAAU,IAAI,EAAE,wDACjC;CAEJ;AACF;;;;;;;;;;AAWA,SAAS,kBAAkB,GAAyB;CAClD,OAAO,OAAO,MAAM,YAAY,OAAO,UAAU,CAAC,KAAK,IAAI,KAAK,KAAK;AACvE"}
@@ -1 +1 @@
1
- {"version":3,"file":"verify-domain-state.d.ts","names":[],"sources":["../../src/internals/verify-domain-state.ts"],"mappings":";KA8BY,mBAAA;AAAA,UAEK,kBAAA;EACf,OAAA,EAAS,mBAAA;;EAET,MAAA;EAL6B;EAO7B,MAAA;AAAA;AAAA,UAGe,gBAAA;EACf,SAAA;EARA;EAUA,WAAA;EARA;EAUA,QAAA;AAAA;AAAA,iBAGc,iBAAA,CACd,aAAA,WACA,IAAA,EAAM,gBAAA,GACL,kBAAA"}
1
+ {"version":3,"file":"verify-domain-state.d.ts","names":[],"sources":["../../src/internals/verify-domain-state.ts"],"mappings":";KA8BY,mBAAA;AAAA,UAEK,kBAAA;EACf,OAAA,EAAS,mBAAmB;;EAE5B,MAAA;EAL6B;EAO7B,MAAA;AAAA;AAAA,UAGe,gBAAA;EACf,SAAA;EARA;EAUA,WAAA;EARA;EAUA,QAAA;AAAA;AAAA,iBAGc,iBAAA,CACd,aAAA,WACA,IAAA,EAAM,gBAAA,GACL,kBAAkB"}
@@ -1 +1 @@
1
- {"version":3,"file":"verify-domain-state.js","names":[],"sources":["../../src/internals/verify-domain-state.ts"],"sourcesContent":["import { findLease, normalizeItem } from './lease-items.js';\n\n/**\n * Verify a lease item's `customDomain` against an expected value after a\n * `set_item_custom_domain` broadcast.\n *\n * Decodes the same lease shape as `lease-items.ts`, then compares the\n * matched item's `customDomain` to the expected FQDN (or empty string for\n * clear-mode). Used by the in-process `verifyAndRecover` driver in PR 1\n * and by the high-level `manageDomain` set/clear flows in PR 4.\n *\n * Outcome semantics:\n * - `'match'` — actual `customDomain` equals expected\n * - `'mismatch'` — actual differs from expected (item carries `actual` for surfacing)\n * - `'not_found'` — lease UUID not present in the verification payload, OR multi-item lease but no `serviceName` supplied, OR `serviceName` not present in the lease's items\n *\n * Single-item leases (legacy 1-item lease with `serviceName === ''`) ignore\n * the `serviceName` argument and always use the only item. Multi-item\n * stack leases require `serviceName` to address the target item.\n *\n * Throws `TypeError` for malformed args (non-string leaseUuid, leaseUuid\n * that doesn't match UUID grammar). The CJS exits 1 via stderr; the TS\n * port surfaces a typed error instead of a synthetic `not_found` result\n * so caller-side argument bugs don't masquerade as a chain-state outcome.\n */\n\n/** Anchored UUID-shape regex (8-4-4-4-12, version-byte lenient — matches `_uuid.cjs#UUID_RE`). */\nconst UUID_RE =\n /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n\nexport type VerifyDomainOutcome = 'match' | 'mismatch' | 'not_found';\n\nexport interface VerifyDomainResult {\n outcome: VerifyDomainOutcome;\n /** Present when outcome is 'match' or 'mismatch'. The lease item's actual customDomain. */\n actual?: string;\n /** Present when outcome is 'not_found'. Human-readable detail. */\n reason?: string;\n}\n\nexport interface VerifyDomainArgs {\n leaseUuid: string;\n /** DNS label addressing an item inside a stack lease. Omit / leave empty for legacy 1-item leases. */\n serviceName?: string;\n /** FQDN to compare against the chain's stored value. Use '' for clear-mode (post-clear verification). */\n expected: string;\n}\n\nexport function verifyDomainState(\n leasesPayload: unknown,\n args: VerifyDomainArgs,\n): VerifyDomainResult {\n if (typeof args.leaseUuid !== 'string') {\n throw new TypeError(\n `verifyDomainState: leaseUuid must be a string, got ${typeof args.leaseUuid}`,\n );\n }\n if (!UUID_RE.test(args.leaseUuid)) {\n throw new TypeError(\n `verifyDomainState: leaseUuid must be a UUID; got \"${args.leaseUuid}\"`,\n );\n }\n if (typeof args.expected !== 'string') {\n throw new TypeError(\n `verifyDomainState: expected must be a string (use '' for clear-mode), got ${typeof args.expected}`,\n );\n }\n\n const lease = findLease(leasesPayload, args.leaseUuid);\n if (lease === null) {\n return {\n outcome: 'not_found',\n reason: 'lease UUID not found in verification payload',\n };\n }\n\n // The lease shape is opaque to TS — pickLeasesArray + findLease validate\n // structural keys but the items array can be missing or non-array.\n const rawItems = (lease as { items?: unknown }).items;\n const itemsArray = Array.isArray(rawItems) ? rawItems : [];\n const items = itemsArray.map(normalizeItem);\n\n const singleItem = items.length === 1 && items[0]?.serviceName === '';\n const requestedService = (args.serviceName ?? '').trim();\n\n let item: ReturnType<typeof normalizeItem> | undefined;\n if (singleItem) {\n item = items[0];\n } else if (requestedService === '') {\n return {\n outcome: 'not_found',\n reason: 'lease has multiple items but --service-name was not supplied',\n };\n } else {\n item = items.find((i) => i.serviceName === requestedService);\n if (!item) {\n return {\n outcome: 'not_found',\n reason: `service-name \"${requestedService}\" not found in lease items`,\n };\n }\n }\n\n const actual = item?.customDomain ?? '';\n const outcome: VerifyDomainOutcome =\n actual === args.expected ? 'match' : 'mismatch';\n return { outcome, actual };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AA2BA,MAAM,UACJ;AAoBF,SAAgB,kBACd,eACA,MACoB;AACpB,KAAI,OAAO,KAAK,cAAc,SAC5B,OAAM,IAAI,UACR,sDAAsD,OAAO,KAAK,YACnE;AAEH,KAAI,CAAC,QAAQ,KAAK,KAAK,UAAU,CAC/B,OAAM,IAAI,UACR,qDAAqD,KAAK,UAAU,GACrE;AAEH,KAAI,OAAO,KAAK,aAAa,SAC3B,OAAM,IAAI,UACR,6EAA6E,OAAO,KAAK,WAC1F;CAGH,MAAM,QAAQ,UAAU,eAAe,KAAK,UAAU;AACtD,KAAI,UAAU,KACZ,QAAO;EACL,SAAS;EACT,QAAQ;EACT;CAKH,MAAM,WAAY,MAA8B;CAEhD,MAAM,SADa,MAAM,QAAQ,SAAS,GAAG,WAAW,EAAE,EACjC,IAAI,cAAc;CAE3C,MAAM,aAAa,MAAM,WAAW,KAAK,MAAM,IAAI,gBAAgB;CACnE,MAAM,oBAAoB,KAAK,eAAe,IAAI,MAAM;CAExD,IAAI;AACJ,KAAI,WACF,QAAO,MAAM;UACJ,qBAAqB,GAC9B,QAAO;EACL,SAAS;EACT,QAAQ;EACT;MACI;AACL,SAAO,MAAM,MAAM,MAAM,EAAE,gBAAgB,iBAAiB;AAC5D,MAAI,CAAC,KACH,QAAO;GACL,SAAS;GACT,QAAQ,iBAAiB,iBAAiB;GAC3C;;CAIL,MAAM,SAAS,MAAM,gBAAgB;AAGrC,QAAO;EAAE,SADP,WAAW,KAAK,WAAW,UAAU;EACrB;EAAQ"}
1
+ {"version":3,"file":"verify-domain-state.js","names":[],"sources":["../../src/internals/verify-domain-state.ts"],"sourcesContent":["import { findLease, normalizeItem } from './lease-items.js';\n\n/**\n * Verify a lease item's `customDomain` against an expected value after a\n * `set_item_custom_domain` broadcast.\n *\n * Decodes the same lease shape as `lease-items.ts`, then compares the\n * matched item's `customDomain` to the expected FQDN (or empty string for\n * clear-mode). Used by the in-process `verifyAndRecover` driver in PR 1\n * and by the high-level `manageDomain` set/clear flows in PR 4.\n *\n * Outcome semantics:\n * - `'match'` — actual `customDomain` equals expected\n * - `'mismatch'` — actual differs from expected (item carries `actual` for surfacing)\n * - `'not_found'` — lease UUID not present in the verification payload, OR multi-item lease but no `serviceName` supplied, OR `serviceName` not present in the lease's items\n *\n * Single-item leases (legacy 1-item lease with `serviceName === ''`) ignore\n * the `serviceName` argument and always use the only item. Multi-item\n * stack leases require `serviceName` to address the target item.\n *\n * Throws `TypeError` for malformed args (non-string leaseUuid, leaseUuid\n * that doesn't match UUID grammar). The CJS exits 1 via stderr; the TS\n * port surfaces a typed error instead of a synthetic `not_found` result\n * so caller-side argument bugs don't masquerade as a chain-state outcome.\n */\n\n/** Anchored UUID-shape regex (8-4-4-4-12, version-byte lenient — matches `_uuid.cjs#UUID_RE`). */\nconst UUID_RE =\n /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n\nexport type VerifyDomainOutcome = 'match' | 'mismatch' | 'not_found';\n\nexport interface VerifyDomainResult {\n outcome: VerifyDomainOutcome;\n /** Present when outcome is 'match' or 'mismatch'. The lease item's actual customDomain. */\n actual?: string;\n /** Present when outcome is 'not_found'. Human-readable detail. */\n reason?: string;\n}\n\nexport interface VerifyDomainArgs {\n leaseUuid: string;\n /** DNS label addressing an item inside a stack lease. Omit / leave empty for legacy 1-item leases. */\n serviceName?: string;\n /** FQDN to compare against the chain's stored value. Use '' for clear-mode (post-clear verification). */\n expected: string;\n}\n\nexport function verifyDomainState(\n leasesPayload: unknown,\n args: VerifyDomainArgs,\n): VerifyDomainResult {\n if (typeof args.leaseUuid !== 'string') {\n throw new TypeError(\n `verifyDomainState: leaseUuid must be a string, got ${typeof args.leaseUuid}`,\n );\n }\n if (!UUID_RE.test(args.leaseUuid)) {\n throw new TypeError(\n `verifyDomainState: leaseUuid must be a UUID; got \"${args.leaseUuid}\"`,\n );\n }\n if (typeof args.expected !== 'string') {\n throw new TypeError(\n `verifyDomainState: expected must be a string (use '' for clear-mode), got ${typeof args.expected}`,\n );\n }\n\n const lease = findLease(leasesPayload, args.leaseUuid);\n if (lease === null) {\n return {\n outcome: 'not_found',\n reason: 'lease UUID not found in verification payload',\n };\n }\n\n // The lease shape is opaque to TS — pickLeasesArray + findLease validate\n // structural keys but the items array can be missing or non-array.\n const rawItems = (lease as { items?: unknown }).items;\n const itemsArray = Array.isArray(rawItems) ? rawItems : [];\n const items = itemsArray.map(normalizeItem);\n\n const singleItem = items.length === 1 && items[0]?.serviceName === '';\n const requestedService = (args.serviceName ?? '').trim();\n\n let item: ReturnType<typeof normalizeItem> | undefined;\n if (singleItem) {\n item = items[0];\n } else if (requestedService === '') {\n return {\n outcome: 'not_found',\n reason: 'lease has multiple items but --service-name was not supplied',\n };\n } else {\n item = items.find((i) => i.serviceName === requestedService);\n if (!item) {\n return {\n outcome: 'not_found',\n reason: `service-name \"${requestedService}\" not found in lease items`,\n };\n }\n }\n\n const actual = item?.customDomain ?? '';\n const outcome: VerifyDomainOutcome =\n actual === args.expected ? 'match' : 'mismatch';\n return { outcome, actual };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AA2BA,MAAM,UACJ;AAoBF,SAAgB,kBACd,eACA,MACoB;CACpB,IAAI,OAAO,KAAK,cAAc,UAC5B,MAAM,IAAI,UACR,sDAAsD,OAAO,KAAK,WACpE;CAEF,IAAI,CAAC,QAAQ,KAAK,KAAK,SAAS,GAC9B,MAAM,IAAI,UACR,qDAAqD,KAAK,UAAU,EACtE;CAEF,IAAI,OAAO,KAAK,aAAa,UAC3B,MAAM,IAAI,UACR,6EAA6E,OAAO,KAAK,UAC3F;CAGF,MAAM,QAAQ,UAAU,eAAe,KAAK,SAAS;CACrD,IAAI,UAAU,MACZ,OAAO;EACL,SAAS;EACT,QAAQ;CACV;CAKF,MAAM,WAAY,MAA8B;CAEhD,MAAM,SADa,MAAM,QAAQ,QAAQ,IAAI,WAAW,CAAC,GAChC,IAAI,aAAa;CAE1C,MAAM,aAAa,MAAM,WAAW,KAAK,MAAM,IAAI,gBAAgB;CACnE,MAAM,oBAAoB,KAAK,eAAe,IAAI,KAAK;CAEvD,IAAI;CACJ,IAAI,YACF,OAAO,MAAM;MACR,IAAI,qBAAqB,IAC9B,OAAO;EACL,SAAS;EACT,QAAQ;CACV;MACK;EACL,OAAO,MAAM,MAAM,MAAM,EAAE,gBAAgB,gBAAgB;EAC3D,IAAI,CAAC,MACH,OAAO;GACL,SAAS;GACT,QAAQ,iBAAiB,iBAAiB;EAC5C;CAEJ;CAEA,MAAM,SAAS,MAAM,gBAAgB;CAGrC,OAAO;EAAE,SADP,WAAW,KAAK,WAAW,UAAU;EACrB;CAAO;AAC3B"}
@@ -1 +1 @@
1
- {"version":3,"file":"verify-recover.d.ts","names":[],"sources":["../../src/internals/verify-recover.ts"],"mappings":";;;;;AAwCA;;;;;AAaA;;;;;;;;;;;;;;;;;;;;;;;;;KAbY,QAAA;AA+BZ;;;;;AAAA,UAlBiB,kBAAA,SAA2B,MAAA;EAsBgB;EAAA,SApBjD,QAAA,EAAU,QAAA;EAoBM;EAAA,SAlBhB,iBAAA;EAkBuB;EAhBhC,oBAAA,GAAuB,UAAA,EAAY,KAAA,KAAU,eAAA;EAc7C;;;;;;;EANA,oBAAA,GAAuB,UAAA,EAAY,KAAA,KAAU,cAAA;AAAA;;KAInC,QAAA,4CAGF,MAAA,sBACL,OAAA,EAAS,QAAA,KAAa,OAAA,CAAQ,cAAA,CAAe,QAAA,EAAU,KAAA;AAG5D;AAAA,UAAiB,cAAA;EACf,OAAA,EAAS,QAAA;EACT,UAAA,EAAY,KAAA;AAAA;;;;;;;;AAWd;UAAiB,gBAAA,4CAGP,MAAA;EAAA,SAEC,QAAA,EAAU,QAAA,CAAS,QAAA,EAAU,QAAA,EAAU,KAAA;EAFxC;EAAA,SAIC,aAAA,WAAwB,QAAA;EAFK;EAAA,SAI7B,QAAA,EAAU,OAAA,CACjB,MAAA,CAAO,QAAA,gBAAwB,kBAAA,CAAmB,KAAA;AAAA;AAAA,UAIrC,sBAAA,kCAEP,MAAA;EAER,MAAA;EACA,eAAA,EAAiB,QAAA;EATgB;EAWjC,QAAA,EAAU,QAAA;EACV,iBAAA;EAb0B;EAe1B,UAAA,EAAY,KAAA;EAvBZ;EAyBA,OAAA,GAAU,eAAA;EAvBV;EAyBA,cAAA,GAAiB,cAAA;AAAA;AAAA,UAGF,yBAAA;EA1Ba;;;;;;;;EAmC5B,SAAA,IACE,OAAA,EAAS,eAAA,EACT,OAAA,EAAS,cAAA,OACN,OAAA,CAAQ,cAAA;AAAA;;;;AA7Bf;;;;;;;;;;iBA6CsB,gBAAA,4CAGZ,MAAA,kBAAA,CAER,IAAA,EAAM,gBAAA,CAAiB,QAAA,EAAU,QAAA,EAAU,KAAA,GAC3C,OAAA,EAAS,QAAA,EACT,SAAA,GAAW,yBAAA,GACV,OAAA,CAAQ,sBAAA,CAAuB,QAAA,EAAU,KAAA"}
1
+ {"version":3,"file":"verify-recover.d.ts","names":[],"sources":["../../src/internals/verify-recover.ts"],"mappings":";;;;;AAwCA;;;;AAAoB;AAapB;;;;;;;;;;;;;;;;;;;;;;;;;KAbY,QAAA;AA+BZ;;;;;AAAA,UAlBiB,kBAAA,SAA2B,MAAA;EAsBgB;EAAA,SApBjD,QAAA,EAAU,QAAA;EAoBM;EAAA,SAlBhB,iBAAA;EAkBuB;EAhBhC,oBAAA,GAAuB,UAAA,EAAY,KAAA,KAAU,eAAA;EAc7C;;;;;;;EANA,oBAAA,GAAuB,UAAA,EAAY,KAAA,KAAU,cAAA;AAAA;;KAInC,QAAA,4CAGF,MAAA,sBACL,OAAA,EAAS,QAAA,KAAa,OAAA,CAAQ,cAAA,CAAe,QAAA,EAAU,KAAA;AAG5D;AAAA,UAAiB,cAAA;EACf,OAAA,EAAS,QAAA;EACT,UAAA,EAAY,KAAK;AAAA;;;;;;;AAAA;AAWnB;UAAiB,gBAAA,4CAGP,MAAA;EAAA,SAEC,QAAA,EAAU,QAAA,CAAS,QAAA,EAAU,QAAA,EAAU,KAAA;EAFxC;EAAA,SAIC,aAAA,WAAwB,QAAA;EAFK;EAAA,SAI7B,QAAA,EAAU,OAAA,CACjB,MAAA,CAAO,QAAA,gBAAwB,kBAAA,CAAmB,KAAA;AAAA;AAAA,UAIrC,sBAAA,kCAEP,MAAA;EAER,MAAA;EACA,eAAA,EAAiB,QAAA;EATgB;EAWjC,QAAA,EAAU,QAAA;EACV,iBAAA;EAb0B;EAe1B,UAAA,EAAY,KAAA;EAvBZ;EAyBA,OAAA,GAAU,eAAA;EAvBV;EAyBA,cAAA,GAAiB,cAAA;AAAA;AAAA,UAGF,yBAAA;EA1Ba;;;;;;;;EAmC5B,SAAA,IACE,OAAA,EAAS,eAAA,EACT,OAAA,EAAS,cAAA,OACN,OAAA,CAAQ,cAAA;AAAA;;;AAjC4C;AAI3D;;;;;;;;;;iBA6CsB,gBAAA,4CAGZ,MAAA,mBAER,IAAA,EAAM,gBAAA,CAAiB,QAAA,EAAU,QAAA,EAAU,KAAA,GAC3C,OAAA,EAAS,QAAA,EACT,SAAA,GAAW,yBAAA,GACV,OAAA,CAAQ,sBAAA,CAAuB,QAAA,EAAU,KAAA"}
@@ -1 +1 @@
1
- {"version":3,"file":"verify-recover.js","names":[],"sources":["../../src/internals/verify-recover.ts"],"sourcesContent":["import type {\n FailureEnvelope,\n RecoveryChoice,\n RecoveryOption,\n} from '../types.js';\nimport { stripDenylist } from './secret-denylist.js';\n\n/**\n * In-process verify-and-recover driver. Uses an inline async verifier\n * function (L7: agent-core MUST NOT spawn subprocesses).\n *\n * Out of scope (subprocess-only concerns):\n * - verifier-script path sanitization (no path; verifier is a function)\n * - stdin-source indirection (verifier receives typed context)\n * - argv interpolation (verifier closes over context)\n * - `{{var}}` template interpolation on user_message (recovery options\n * carry their own typed-diagnostic closures via `buildRecoveryOptions`)\n * - `timeout` / `maxBuffer` operational caps (no subprocess; an optional\n * AbortController-based timeout can be added per-verifier if needed)\n * - `NODE_ENV` test-override env vars (none of the above need them)\n *\n * Keeps (in-process security still relevant):\n * - `SECRET_KEY_DENYLIST` strip on the diagnostic before it reaches\n * `buildFailureEnvelope` / `buildRecoveryOptions` / the host callback / the result.\n * - Prototype-pollution guard on `__proto__` / `constructor` / `prototype`\n * in the diagnostic walk (defense for verifier-output objects that\n * could have come via `JSON.parse`).\n * - Branch dispatch: `branches[outcome]` → `branches.__other__` →\n * synthesized `unclassified` fallback (CJS calls it `'other'`; the TS\n * port uses `'__other__'` to avoid collisions with a literal outcome\n * string `'other'`).\n *\n * Branch IDs are an internal, closed-set string-literal union — they\n * identify branches for journal/logging purposes but are NOT part of the\n * public type contract (Option A from ENG-128). The public surface for\n * recovery is the frozen `RecoveryOption[]` array, materialized by each\n * branch's inline `buildRecoveryOptions(diag)` closure.\n */\n\n/** Closed-set internal branch identifier. Surfaces via journal/log only. */\nexport type BranchId =\n | 'partial_success_domain'\n | 'lease_terminal'\n | 'domain_verification_mismatch'\n | 'domain_not_found'\n | 'pending_drift'\n | 'unclassified';\n\n/**\n * Per-branch behavior contract. Authored inline at each high-level\n * function's call site (deployApp, manageDomain, etc.) so the closures\n * can bind diagnostic data into the surfaced label/description text.\n */\nexport interface VerificationBranch<TDiag = Record<string, unknown>> {\n /** Internal id for journal write + log; not surfaced to host callbacks directly. */\n readonly branchId: BranchId;\n /** Pass-through tags for the ENG-124 journal `recovery_actions[]`. Empty when not journaling. */\n readonly journalActionTags: readonly string[];\n /** Synthesize the public `FailureEnvelope` (frozen contract) from the post-strip diagnostic. */\n buildFailureEnvelope: (diagnostic: TDiag) => FailureEnvelope;\n /**\n * Materialize the `RecoveryOption[]` for the host's `onFailure` callback.\n * Returning an empty array marks the branch as inform-only:\n * `verifyAndRecover` will return the failure envelope without invoking\n * `onFailure` so callers don't waste a user prompt asking what to do\n * when there's nothing to choose between.\n */\n buildRecoveryOptions: (diagnostic: TDiag) => RecoveryOption[];\n}\n\n/** Verifier function — async; receives typed context; returns typed outcome + free-form diagnostic. */\nexport type Verifier<\n TContext,\n TOutcome extends string,\n TDiag = Record<string, unknown>,\n> = (context: TContext) => Promise<VerifierResult<TOutcome, TDiag>>;\n\n/** Shape returned by every verifier. `outcome` drives branch selection; `diagnostic` flows into the branch's closures. */\nexport interface VerifierResult<TOutcome extends string, TDiag> {\n outcome: TOutcome;\n diagnostic: TDiag;\n}\n\n/**\n * Verification spec — declarative description of how to verify post-state\n * and dispatch to a recovery branch. Mirrors the CJS spec shape with\n * the subprocess-specific fields dropped.\n *\n * `__other__` is the catch-all branch key, equivalent to the CJS's `'other'`.\n * Renamed to avoid collisions with an outcome literally equal to `'other'`.\n */\nexport interface VerificationSpec<\n TContext,\n TOutcome extends string,\n TDiag = Record<string, unknown>,\n> {\n readonly verifier: Verifier<TContext, TOutcome, TDiag>;\n /** Outcome values that count as success — no branch dispatch, host's `onFailure` is NOT called. */\n readonly successValues: readonly TOutcome[];\n /** Branch dictionary keyed by outcome string. `__other__` is the catch-all fallback. */\n readonly branches: Partial<\n Record<TOutcome | '__other__', VerificationBranch<TDiag>>\n >;\n}\n\nexport interface VerifyAndRecoverResult<\n TOutcome extends string,\n TDiag = Record<string, unknown>,\n> {\n result: 'success' | 'failure';\n verifierOutcome: TOutcome;\n /** `null` on success; the matched branch's id (or `'unclassified'`) on failure. */\n branchId: BranchId | null;\n journalActionTags: readonly string[];\n /** Post-strip diagnostic. Same value the branch closures received. */\n diagnostic: TDiag;\n /** Present iff failure. The synthesized public-surface envelope. */\n failure?: FailureEnvelope;\n /** Present iff failure AND `onFailure` was called AND it returned (i.e., a non-empty `RecoveryOption[]` was presented). */\n recoveryChoice?: RecoveryChoice;\n}\n\nexport interface VerifyAndRecoverCallbacks {\n /**\n * Rich-form failure handler used by `deployApp`. Receives the\n * `FailureEnvelope` synthesized by the matched branch + the closure-\n * built `RecoveryOption[]` and returns the user's pick.\n *\n * Simple-form callers (manageDomain / closeLease / troubleshoot) wrap\n * via an adapter in PR 4 — they don't pass an `onFailure` here directly.\n */\n onFailure?: (\n failure: FailureEnvelope,\n options: RecoveryOption[],\n ) => Promise<RecoveryChoice>;\n}\n\n/**\n * Run the verifier; classify the outcome; on failure, build the public\n * envelope + recovery options and (optionally) invoke the host's\n * `onFailure` callback for a user pick.\n *\n * Throws synchronously on:\n * - Spec runtime-shape violations (missing verifier function, non-array\n * successValues, non-object branches).\n * - Verifier-returned shape violations (missing `outcome` key,\n * non-string `outcome`, missing `diagnostic` key, non-object\n * `diagnostic`).\n * Propagates any error the verifier itself throws.\n */\nexport async function verifyAndRecover<\n TContext,\n TOutcome extends string,\n TDiag = Record<string, unknown>,\n>(\n spec: VerificationSpec<TContext, TOutcome, TDiag>,\n context: TContext,\n callbacks: VerifyAndRecoverCallbacks = {},\n): Promise<VerifyAndRecoverResult<TOutcome, TDiag>> {\n validateSpec(spec);\n\n const verifierResult = await spec.verifier(context);\n validateVerifierResult(verifierResult);\n\n // Strip secret-shaped keys + prototype-pollution keys from the\n // diagnostic BEFORE it flows into any branch closure, host callback,\n // or the result object. The strip is the same posture `_journal.cjs`'s\n // `validateRecord` enforces on the write side.\n const diagnostic = stripDenylist(verifierResult.diagnostic) as TDiag;\n const outcome = verifierResult.outcome;\n\n const isSuccess = spec.successValues.includes(outcome);\n if (isSuccess) {\n return {\n result: 'success',\n verifierOutcome: outcome,\n branchId: null,\n journalActionTags: [],\n diagnostic,\n };\n }\n\n // Failure path: dispatch to named branch, `__other__` fallback, or\n // synthesized `unclassified`.\n const branch = selectBranch<TOutcome, TDiag>(spec.branches, outcome);\n const failure = branch.buildFailureEnvelope(diagnostic);\n const options = branch.buildRecoveryOptions(diagnostic);\n\n // Inform-only branches (lease_terminal, unclassified) return [] for\n // RecoveryOption[]. Surface the failure envelope without prompting\n // the host — there's no choice to present.\n if (options.length === 0 || callbacks.onFailure === undefined) {\n return {\n result: 'failure',\n verifierOutcome: outcome,\n branchId: branch.branchId,\n journalActionTags: branch.journalActionTags,\n diagnostic,\n failure,\n };\n }\n\n const recoveryChoice = await callbacks.onFailure(failure, options);\n return {\n result: 'failure',\n verifierOutcome: outcome,\n branchId: branch.branchId,\n journalActionTags: branch.journalActionTags,\n diagnostic,\n failure,\n recoveryChoice,\n };\n}\n\nfunction validateSpec<TContext, TOutcome extends string, TDiag>(\n spec: VerificationSpec<TContext, TOutcome, TDiag>,\n): void {\n if (spec === null || typeof spec !== 'object') {\n throw new Error('verifyAndRecover: spec must be an object');\n }\n if (typeof spec.verifier !== 'function') {\n throw new Error('verifyAndRecover: spec.verifier must be a function');\n }\n if (!Array.isArray(spec.successValues)) {\n throw new Error('verifyAndRecover: spec.successValues must be an array');\n }\n // `typeof null === 'object'` would otherwise let a `branches: null` value\n // slip past a bare typeof check and silently route every failure through\n // the synthesized `unclassified` branch. Explicit guard mirrors the\n // CJS's null-check at line 256-263 of verify-recover.cjs.\n if (\n spec.branches === null ||\n typeof spec.branches !== 'object' ||\n Array.isArray(spec.branches)\n ) {\n throw new Error('verifyAndRecover: spec.branches must be an object');\n }\n}\n\nfunction validateVerifierResult(\n value: unknown,\n): asserts value is VerifierResult<string, unknown> {\n if (value === null || typeof value !== 'object' || Array.isArray(value)) {\n throw new Error(\n 'verifyAndRecover: verifier must return an object with shape { outcome, diagnostic }',\n );\n }\n const r = value as { outcome?: unknown; diagnostic?: unknown };\n if (typeof r.outcome !== 'string') {\n throw new Error(\n 'verifyAndRecover: verifier result is missing the required \"outcome\" string field',\n );\n }\n if (\n r.diagnostic === null ||\n typeof r.diagnostic !== 'object' ||\n Array.isArray(r.diagnostic)\n ) {\n throw new Error(\n 'verifyAndRecover: verifier result is missing a \"diagnostic\" object field',\n );\n }\n}\n\nfunction selectBranch<TOutcome extends string, TDiag>(\n branches: Partial<Record<TOutcome | '__other__', VerificationBranch<TDiag>>>,\n outcome: TOutcome,\n): VerificationBranch<TDiag> {\n const named = branches[outcome];\n if (named !== undefined) return named;\n const other = branches.__other__;\n if (other !== undefined) return other;\n return synthesizeUnclassified<TDiag>(outcome);\n}\n\n/**\n * Fabricate the `unclassified` fallback when no named branch and no\n * `__other__` catch-all match. Mirrors the CJS behavior at line 222-232:\n * journal action tag is `verify-unclassified`; the recovery options list\n * is empty (inform-only); the failure envelope conveys the unrecognized\n * outcome verbatim in `reason`.\n */\nfunction synthesizeUnclassified<TDiag>(\n outcome: string,\n): VerificationBranch<TDiag> {\n return {\n branchId: 'unclassified',\n journalActionTags: ['verify-unclassified'],\n buildFailureEnvelope: () => ({\n outcome: 'failed',\n reason: `Verifier returned outcome '${outcome}' — unrecognized; no branch matched.`,\n }),\n buildRecoveryOptions: () => [],\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;AAsJA,eAAsB,iBAKpB,MACA,SACA,YAAuC,EAAE,EACS;AAClD,cAAa,KAAK;CAElB,MAAM,iBAAiB,MAAM,KAAK,SAAS,QAAQ;AACnD,wBAAuB,eAAe;CAMtC,MAAM,aAAa,cAAc,eAAe,WAAW;CAC3D,MAAM,UAAU,eAAe;AAG/B,KADkB,KAAK,cAAc,SAAS,QAAQ,CAEpD,QAAO;EACL,QAAQ;EACR,iBAAiB;EACjB,UAAU;EACV,mBAAmB,EAAE;EACrB;EACD;CAKH,MAAM,SAAS,aAA8B,KAAK,UAAU,QAAQ;CACpE,MAAM,UAAU,OAAO,qBAAqB,WAAW;CACvD,MAAM,UAAU,OAAO,qBAAqB,WAAW;AAKvD,KAAI,QAAQ,WAAW,KAAK,UAAU,cAAc,KAAA,EAClD,QAAO;EACL,QAAQ;EACR,iBAAiB;EACjB,UAAU,OAAO;EACjB,mBAAmB,OAAO;EAC1B;EACA;EACD;CAGH,MAAM,iBAAiB,MAAM,UAAU,UAAU,SAAS,QAAQ;AAClE,QAAO;EACL,QAAQ;EACR,iBAAiB;EACjB,UAAU,OAAO;EACjB,mBAAmB,OAAO;EAC1B;EACA;EACA;EACD;;AAGH,SAAS,aACP,MACM;AACN,KAAI,SAAS,QAAQ,OAAO,SAAS,SACnC,OAAM,IAAI,MAAM,2CAA2C;AAE7D,KAAI,OAAO,KAAK,aAAa,WAC3B,OAAM,IAAI,MAAM,qDAAqD;AAEvE,KAAI,CAAC,MAAM,QAAQ,KAAK,cAAc,CACpC,OAAM,IAAI,MAAM,wDAAwD;AAM1E,KACE,KAAK,aAAa,QAClB,OAAO,KAAK,aAAa,YACzB,MAAM,QAAQ,KAAK,SAAS,CAE5B,OAAM,IAAI,MAAM,oDAAoD;;AAIxE,SAAS,uBACP,OACkD;AAClD,KAAI,UAAU,QAAQ,OAAO,UAAU,YAAY,MAAM,QAAQ,MAAM,CACrE,OAAM,IAAI,MACR,sFACD;CAEH,MAAM,IAAI;AACV,KAAI,OAAO,EAAE,YAAY,SACvB,OAAM,IAAI,MACR,qFACD;AAEH,KACE,EAAE,eAAe,QACjB,OAAO,EAAE,eAAe,YACxB,MAAM,QAAQ,EAAE,WAAW,CAE3B,OAAM,IAAI,MACR,6EACD;;AAIL,SAAS,aACP,UACA,SAC2B;CAC3B,MAAM,QAAQ,SAAS;AACvB,KAAI,UAAU,KAAA,EAAW,QAAO;CAChC,MAAM,QAAQ,SAAS;AACvB,KAAI,UAAU,KAAA,EAAW,QAAO;AAChC,QAAO,uBAA8B,QAAQ;;;;;;;;;AAU/C,SAAS,uBACP,SAC2B;AAC3B,QAAO;EACL,UAAU;EACV,mBAAmB,CAAC,sBAAsB;EAC1C,6BAA6B;GAC3B,SAAS;GACT,QAAQ,8BAA8B,QAAQ;GAC/C;EACD,4BAA4B,EAAE;EAC/B"}
1
+ {"version":3,"file":"verify-recover.js","names":[],"sources":["../../src/internals/verify-recover.ts"],"sourcesContent":["import type {\n FailureEnvelope,\n RecoveryChoice,\n RecoveryOption,\n} from '../types.js';\nimport { stripDenylist } from './secret-denylist.js';\n\n/**\n * In-process verify-and-recover driver. Uses an inline async verifier\n * function (L7: agent-core MUST NOT spawn subprocesses).\n *\n * Out of scope (subprocess-only concerns):\n * - verifier-script path sanitization (no path; verifier is a function)\n * - stdin-source indirection (verifier receives typed context)\n * - argv interpolation (verifier closes over context)\n * - `{{var}}` template interpolation on user_message (recovery options\n * carry their own typed-diagnostic closures via `buildRecoveryOptions`)\n * - `timeout` / `maxBuffer` operational caps (no subprocess; an optional\n * AbortController-based timeout can be added per-verifier if needed)\n * - `NODE_ENV` test-override env vars (none of the above need them)\n *\n * Keeps (in-process security still relevant):\n * - `SECRET_KEY_DENYLIST` strip on the diagnostic before it reaches\n * `buildFailureEnvelope` / `buildRecoveryOptions` / the host callback / the result.\n * - Prototype-pollution guard on `__proto__` / `constructor` / `prototype`\n * in the diagnostic walk (defense for verifier-output objects that\n * could have come via `JSON.parse`).\n * - Branch dispatch: `branches[outcome]` → `branches.__other__` →\n * synthesized `unclassified` fallback (CJS calls it `'other'`; the TS\n * port uses `'__other__'` to avoid collisions with a literal outcome\n * string `'other'`).\n *\n * Branch IDs are an internal, closed-set string-literal union — they\n * identify branches for journal/logging purposes but are NOT part of the\n * public type contract (Option A from ENG-128). The public surface for\n * recovery is the frozen `RecoveryOption[]` array, materialized by each\n * branch's inline `buildRecoveryOptions(diag)` closure.\n */\n\n/** Closed-set internal branch identifier. Surfaces via journal/log only. */\nexport type BranchId =\n | 'partial_success_domain'\n | 'lease_terminal'\n | 'domain_verification_mismatch'\n | 'domain_not_found'\n | 'pending_drift'\n | 'unclassified';\n\n/**\n * Per-branch behavior contract. Authored inline at each high-level\n * function's call site (deployApp, manageDomain, etc.) so the closures\n * can bind diagnostic data into the surfaced label/description text.\n */\nexport interface VerificationBranch<TDiag = Record<string, unknown>> {\n /** Internal id for journal write + log; not surfaced to host callbacks directly. */\n readonly branchId: BranchId;\n /** Pass-through tags for the ENG-124 journal `recovery_actions[]`. Empty when not journaling. */\n readonly journalActionTags: readonly string[];\n /** Synthesize the public `FailureEnvelope` (frozen contract) from the post-strip diagnostic. */\n buildFailureEnvelope: (diagnostic: TDiag) => FailureEnvelope;\n /**\n * Materialize the `RecoveryOption[]` for the host's `onFailure` callback.\n * Returning an empty array marks the branch as inform-only:\n * `verifyAndRecover` will return the failure envelope without invoking\n * `onFailure` so callers don't waste a user prompt asking what to do\n * when there's nothing to choose between.\n */\n buildRecoveryOptions: (diagnostic: TDiag) => RecoveryOption[];\n}\n\n/** Verifier function — async; receives typed context; returns typed outcome + free-form diagnostic. */\nexport type Verifier<\n TContext,\n TOutcome extends string,\n TDiag = Record<string, unknown>,\n> = (context: TContext) => Promise<VerifierResult<TOutcome, TDiag>>;\n\n/** Shape returned by every verifier. `outcome` drives branch selection; `diagnostic` flows into the branch's closures. */\nexport interface VerifierResult<TOutcome extends string, TDiag> {\n outcome: TOutcome;\n diagnostic: TDiag;\n}\n\n/**\n * Verification spec — declarative description of how to verify post-state\n * and dispatch to a recovery branch. Mirrors the CJS spec shape with\n * the subprocess-specific fields dropped.\n *\n * `__other__` is the catch-all branch key, equivalent to the CJS's `'other'`.\n * Renamed to avoid collisions with an outcome literally equal to `'other'`.\n */\nexport interface VerificationSpec<\n TContext,\n TOutcome extends string,\n TDiag = Record<string, unknown>,\n> {\n readonly verifier: Verifier<TContext, TOutcome, TDiag>;\n /** Outcome values that count as success — no branch dispatch, host's `onFailure` is NOT called. */\n readonly successValues: readonly TOutcome[];\n /** Branch dictionary keyed by outcome string. `__other__` is the catch-all fallback. */\n readonly branches: Partial<\n Record<TOutcome | '__other__', VerificationBranch<TDiag>>\n >;\n}\n\nexport interface VerifyAndRecoverResult<\n TOutcome extends string,\n TDiag = Record<string, unknown>,\n> {\n result: 'success' | 'failure';\n verifierOutcome: TOutcome;\n /** `null` on success; the matched branch's id (or `'unclassified'`) on failure. */\n branchId: BranchId | null;\n journalActionTags: readonly string[];\n /** Post-strip diagnostic. Same value the branch closures received. */\n diagnostic: TDiag;\n /** Present iff failure. The synthesized public-surface envelope. */\n failure?: FailureEnvelope;\n /** Present iff failure AND `onFailure` was called AND it returned (i.e., a non-empty `RecoveryOption[]` was presented). */\n recoveryChoice?: RecoveryChoice;\n}\n\nexport interface VerifyAndRecoverCallbacks {\n /**\n * Rich-form failure handler used by `deployApp`. Receives the\n * `FailureEnvelope` synthesized by the matched branch + the closure-\n * built `RecoveryOption[]` and returns the user's pick.\n *\n * Simple-form callers (manageDomain / closeLease / troubleshoot) wrap\n * via an adapter in PR 4 — they don't pass an `onFailure` here directly.\n */\n onFailure?: (\n failure: FailureEnvelope,\n options: RecoveryOption[],\n ) => Promise<RecoveryChoice>;\n}\n\n/**\n * Run the verifier; classify the outcome; on failure, build the public\n * envelope + recovery options and (optionally) invoke the host's\n * `onFailure` callback for a user pick.\n *\n * Throws synchronously on:\n * - Spec runtime-shape violations (missing verifier function, non-array\n * successValues, non-object branches).\n * - Verifier-returned shape violations (missing `outcome` key,\n * non-string `outcome`, missing `diagnostic` key, non-object\n * `diagnostic`).\n * Propagates any error the verifier itself throws.\n */\nexport async function verifyAndRecover<\n TContext,\n TOutcome extends string,\n TDiag = Record<string, unknown>,\n>(\n spec: VerificationSpec<TContext, TOutcome, TDiag>,\n context: TContext,\n callbacks: VerifyAndRecoverCallbacks = {},\n): Promise<VerifyAndRecoverResult<TOutcome, TDiag>> {\n validateSpec(spec);\n\n const verifierResult = await spec.verifier(context);\n validateVerifierResult(verifierResult);\n\n // Strip secret-shaped keys + prototype-pollution keys from the\n // diagnostic BEFORE it flows into any branch closure, host callback,\n // or the result object. The strip is the same posture `_journal.cjs`'s\n // `validateRecord` enforces on the write side.\n const diagnostic = stripDenylist(verifierResult.diagnostic) as TDiag;\n const outcome = verifierResult.outcome;\n\n const isSuccess = spec.successValues.includes(outcome);\n if (isSuccess) {\n return {\n result: 'success',\n verifierOutcome: outcome,\n branchId: null,\n journalActionTags: [],\n diagnostic,\n };\n }\n\n // Failure path: dispatch to named branch, `__other__` fallback, or\n // synthesized `unclassified`.\n const branch = selectBranch<TOutcome, TDiag>(spec.branches, outcome);\n const failure = branch.buildFailureEnvelope(diagnostic);\n const options = branch.buildRecoveryOptions(diagnostic);\n\n // Inform-only branches (lease_terminal, unclassified) return [] for\n // RecoveryOption[]. Surface the failure envelope without prompting\n // the host — there's no choice to present.\n if (options.length === 0 || callbacks.onFailure === undefined) {\n return {\n result: 'failure',\n verifierOutcome: outcome,\n branchId: branch.branchId,\n journalActionTags: branch.journalActionTags,\n diagnostic,\n failure,\n };\n }\n\n const recoveryChoice = await callbacks.onFailure(failure, options);\n return {\n result: 'failure',\n verifierOutcome: outcome,\n branchId: branch.branchId,\n journalActionTags: branch.journalActionTags,\n diagnostic,\n failure,\n recoveryChoice,\n };\n}\n\nfunction validateSpec<TContext, TOutcome extends string, TDiag>(\n spec: VerificationSpec<TContext, TOutcome, TDiag>,\n): void {\n if (spec === null || typeof spec !== 'object') {\n throw new Error('verifyAndRecover: spec must be an object');\n }\n if (typeof spec.verifier !== 'function') {\n throw new Error('verifyAndRecover: spec.verifier must be a function');\n }\n if (!Array.isArray(spec.successValues)) {\n throw new Error('verifyAndRecover: spec.successValues must be an array');\n }\n // `typeof null === 'object'` would otherwise let a `branches: null` value\n // slip past a bare typeof check and silently route every failure through\n // the synthesized `unclassified` branch. Explicit guard mirrors the\n // CJS's null-check at line 256-263 of verify-recover.cjs.\n if (\n spec.branches === null ||\n typeof spec.branches !== 'object' ||\n Array.isArray(spec.branches)\n ) {\n throw new Error('verifyAndRecover: spec.branches must be an object');\n }\n}\n\nfunction validateVerifierResult(\n value: unknown,\n): asserts value is VerifierResult<string, unknown> {\n if (value === null || typeof value !== 'object' || Array.isArray(value)) {\n throw new Error(\n 'verifyAndRecover: verifier must return an object with shape { outcome, diagnostic }',\n );\n }\n const r = value as { outcome?: unknown; diagnostic?: unknown };\n if (typeof r.outcome !== 'string') {\n throw new Error(\n 'verifyAndRecover: verifier result is missing the required \"outcome\" string field',\n );\n }\n if (\n r.diagnostic === null ||\n typeof r.diagnostic !== 'object' ||\n Array.isArray(r.diagnostic)\n ) {\n throw new Error(\n 'verifyAndRecover: verifier result is missing a \"diagnostic\" object field',\n );\n }\n}\n\nfunction selectBranch<TOutcome extends string, TDiag>(\n branches: Partial<Record<TOutcome | '__other__', VerificationBranch<TDiag>>>,\n outcome: TOutcome,\n): VerificationBranch<TDiag> {\n const named = branches[outcome];\n if (named !== undefined) return named;\n const other = branches.__other__;\n if (other !== undefined) return other;\n return synthesizeUnclassified<TDiag>(outcome);\n}\n\n/**\n * Fabricate the `unclassified` fallback when no named branch and no\n * `__other__` catch-all match. Mirrors the CJS behavior at line 222-232:\n * journal action tag is `verify-unclassified`; the recovery options list\n * is empty (inform-only); the failure envelope conveys the unrecognized\n * outcome verbatim in `reason`.\n */\nfunction synthesizeUnclassified<TDiag>(\n outcome: string,\n): VerificationBranch<TDiag> {\n return {\n branchId: 'unclassified',\n journalActionTags: ['verify-unclassified'],\n buildFailureEnvelope: () => ({\n outcome: 'failed',\n reason: `Verifier returned outcome '${outcome}' — unrecognized; no branch matched.`,\n }),\n buildRecoveryOptions: () => [],\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;AAsJA,eAAsB,iBAKpB,MACA,SACA,YAAuC,CAAC,GACU;CAClD,aAAa,IAAI;CAEjB,MAAM,iBAAiB,MAAM,KAAK,SAAS,OAAO;CAClD,uBAAuB,cAAc;CAMrC,MAAM,aAAa,cAAc,eAAe,UAAU;CAC1D,MAAM,UAAU,eAAe;CAG/B,IADkB,KAAK,cAAc,SAAS,OAClC,GACV,OAAO;EACL,QAAQ;EACR,iBAAiB;EACjB,UAAU;EACV,mBAAmB,CAAC;EACpB;CACF;CAKF,MAAM,SAAS,aAA8B,KAAK,UAAU,OAAO;CACnE,MAAM,UAAU,OAAO,qBAAqB,UAAU;CACtD,MAAM,UAAU,OAAO,qBAAqB,UAAU;CAKtD,IAAI,QAAQ,WAAW,KAAK,UAAU,cAAc,KAAA,GAClD,OAAO;EACL,QAAQ;EACR,iBAAiB;EACjB,UAAU,OAAO;EACjB,mBAAmB,OAAO;EAC1B;EACA;CACF;CAGF,MAAM,iBAAiB,MAAM,UAAU,UAAU,SAAS,OAAO;CACjE,OAAO;EACL,QAAQ;EACR,iBAAiB;EACjB,UAAU,OAAO;EACjB,mBAAmB,OAAO;EAC1B;EACA;EACA;CACF;AACF;AAEA,SAAS,aACP,MACM;CACN,IAAI,SAAS,QAAQ,OAAO,SAAS,UACnC,MAAM,IAAI,MAAM,0CAA0C;CAE5D,IAAI,OAAO,KAAK,aAAa,YAC3B,MAAM,IAAI,MAAM,oDAAoD;CAEtE,IAAI,CAAC,MAAM,QAAQ,KAAK,aAAa,GACnC,MAAM,IAAI,MAAM,uDAAuD;CAMzE,IACE,KAAK,aAAa,QAClB,OAAO,KAAK,aAAa,YACzB,MAAM,QAAQ,KAAK,QAAQ,GAE3B,MAAM,IAAI,MAAM,mDAAmD;AAEvE;AAEA,SAAS,uBACP,OACkD;CAClD,IAAI,UAAU,QAAQ,OAAO,UAAU,YAAY,MAAM,QAAQ,KAAK,GACpE,MAAM,IAAI,MACR,qFACF;CAEF,MAAM,IAAI;CACV,IAAI,OAAO,EAAE,YAAY,UACvB,MAAM,IAAI,MACR,oFACF;CAEF,IACE,EAAE,eAAe,QACjB,OAAO,EAAE,eAAe,YACxB,MAAM,QAAQ,EAAE,UAAU,GAE1B,MAAM,IAAI,MACR,4EACF;AAEJ;AAEA,SAAS,aACP,UACA,SAC2B;CAC3B,MAAM,QAAQ,SAAS;CACvB,IAAI,UAAU,KAAA,GAAW,OAAO;CAChC,MAAM,QAAQ,SAAS;CACvB,IAAI,UAAU,KAAA,GAAW,OAAO;CAChC,OAAO,uBAA8B,OAAO;AAC9C;;;;;;;;AASA,SAAS,uBACP,SAC2B;CAC3B,OAAO;EACL,UAAU;EACV,mBAAmB,CAAC,qBAAqB;EACzC,6BAA6B;GAC3B,SAAS;GACT,QAAQ,8BAA8B,QAAQ;EAChD;EACA,4BAA4B,CAAC;CAC/B;AACF"}
@@ -4,8 +4,9 @@ import { ManageDomainArgs, ManageDomainCallbacks, ManageDomainOptions, ManageDom
4
4
  /**
5
5
  * Set / clear / look up a lease item's custom domain.
6
6
  *
7
- * @throws `ManifestMCPError(INVALID_CONFIG)` for args validation or when
8
- * `onConfirm` returns `'no'`.
7
+ * @throws `ManifestMCPError(INVALID_CONFIG)` for args validation.
8
+ * @throws `ManifestMCPError(OPERATION_CANCELLED)` when `onConfirm` returns
9
+ * `'no'` (deliberate user cancellation — ENG-272).
9
10
  * @throws `ManifestMCPError` (typically `TX_FAILED`) propagated as-is
10
11
  * from the `setItemCustomDomain()` broadcast step in `set` / `clear`
11
12
  * paths. Broadcast errors do NOT invoke `onFailure` — that callback
@@ -1 +1 @@
1
- {"version":3,"file":"manage-domain.d.ts","names":[],"sources":["../src/manage-domain.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAiHsB,YAAA,CACpB,IAAA,EAAM,gBAAA,EACN,SAAA,EAAW,qBAAA,EACX,IAAA,EAAM,mBAAA,GACL,OAAA,CAAQ,kBAAA"}
1
+ {"version":3,"file":"manage-domain.d.ts","names":[],"sources":["../src/manage-domain.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAkHsB,YAAA,CACpB,IAAA,EAAM,gBAAA,EACN,SAAA,EAAW,qBAAA,EACX,IAAA,EAAM,mBAAA,GACL,OAAA,CAAQ,kBAAA"}
@@ -47,8 +47,9 @@ const NOT_FOUND_RES = [
47
47
  /**
48
48
  * Set / clear / look up a lease item's custom domain.
49
49
  *
50
- * @throws `ManifestMCPError(INVALID_CONFIG)` for args validation or when
51
- * `onConfirm` returns `'no'`.
50
+ * @throws `ManifestMCPError(INVALID_CONFIG)` for args validation.
51
+ * @throws `ManifestMCPError(OPERATION_CANCELLED)` when `onConfirm` returns
52
+ * `'no'` (deliberate user cancellation — ENG-272).
52
53
  * @throws `ManifestMCPError` (typically `TX_FAILED`) propagated as-is
53
54
  * from the `setItemCustomDomain()` broadcast step in `set` / `clear`
54
55
  * paths. Broadcast errors do NOT invoke `onFailure` — that callback
@@ -80,7 +81,7 @@ async function manageDomain(args, callbacks, opts) {
80
81
  const fqdn = args.action === "set" ? args.fqdn.trim() : "";
81
82
  const block = renderConfirmationBlock(args);
82
83
  if (callbacks.onConfirm) {
83
- if (await callbacks.onConfirm(block) !== "yes") throw new ManifestMCPError(ManifestMCPErrorCode.INVALID_CONFIG, `User declined to proceed with manage-domain ${args.action}.`);
84
+ if (await callbacks.onConfirm(block) !== "yes") throw new ManifestMCPError(ManifestMCPErrorCode.OPERATION_CANCELLED, `User declined to proceed with manage-domain ${args.action}.`);
84
85
  }
85
86
  callbacks.onProgress?.({ kind: "user_confirmed" });
86
87
  const setOpts = args.action === "set" ? serviceName ? { serviceName } : void 0 : {