@manifest-network/manifest-agent-core 0.9.0

package/dist/internals/spec-normalize.js

@@ -0,0 +1,169 @@
+//#region src/internals/spec-normalize.ts
+/**
+* Spec normalization + summarization helpers. Exports `isStack`,
+* `firstImage`, `normalizeServices`, `summarizeSpec`, and `validateSpec`
+* (the latter surfaces pre-broadcast shape violations).
+*
+* Two spec shapes are supported (frozen in ENG-128's `types.ts`):
+*   - **services-map (StackSpec)** — `{ services: { <name>: ServiceDef }, customDomain?, serviceName? }`
+*   - **legacy single-service (SingleServiceSpec)** — `{ image, port?, env?, customDomain? }`
+*
+* `normalizeServices` collapses the two shapes into a single iterable form
+* so callers (Plan summary, manifest builder, etc.) walk one structure
+* regardless of which form the user passed.
+*
+* Validation: `validateSpec` throws a plain `TypeError` on shape violations
+* — agent-core has no workspace dep on `@manifest-network/manifest-mcp-core`
+* in PR 1/2 (per parent's REV 1), so `ManifestMCPError` isn't available
+* here. PR 3's high-level `deployApp` re-wraps `TypeError` into
+* `ManifestMCPError(INVALID_CONFIG)` at the public-API boundary.
+*/
+/**
+* True when `spec` uses the services-map shape (StackSpec). Mirrors
+* `_spec.cjs#isStack`: `services` is a non-null, non-array object.
+*/
+function isStackSpec(spec) {
+	if (spec === null || spec === void 0 || typeof spec !== "object") return false;
+	const services = spec.services;
+	return services !== null && typeof services === "object" && !Array.isArray(services);
+}
+/**
+* Return the canonical first image string for a spec. For legacy single-
+* service: `spec.image`. For stack: the first non-empty `image` in
+* `Object.values(spec.services)`. Returns `null` when neither shape
+* carries an image (or `spec` is malformed).
+*/
+function firstImage(spec) {
+	if (spec === null || spec === void 0 || typeof spec !== "object") return null;
+	const single = spec;
+	if (typeof single.image === "string" && single.image.length > 0) return single.image;
+	if (isStackSpec(spec)) {
+		for (const svc of Object.values(spec.services)) if (svc !== null && typeof svc === "object") {
+			const image = svc.image;
+			if (typeof image === "string" && image.length > 0) return image;
+		}
+	}
+	return null;
+}
+function normalizeServices(spec) {
+	if (isStackSpec(spec)) return Object.entries(spec.services).map(([name, raw]) => ({
+		name,
+		raw: raw ?? {}
+	}));
+	return [{
+		name: null,
+		raw: spec ?? {}
+	}];
+}
+/**
+* Produce the frozen `SpecSummary` shape for inclusion in the `Plan`
+* (camelCase fields: `serviceCount`, etc.).
+*
+* Port count rules:
+*   - SingleServiceSpec `port: number` → +1 port.
+*   - SingleServiceSpec `port: number[]` → +length ports.
+*   - ServiceDef `ports: number[]` (per type) → +length ports.
+*   - ServiceDef `ports` shaped as a Record (older codepath) → +key count.
+*
+* Env key uniqueness is computed across services (one `env_keys` set
+* spans the whole spec); `envCount` is the size of that set; `envKeys`
+* is sorted ascending.
+*/
+function summarizeSpec(spec) {
+	const format = isStackSpec(spec) ? "stack" : "single";
+	const services = normalizeServices(spec);
+	let portCount = 0;
+	const envKeys = /* @__PURE__ */ new Set();
+	const images = [];
+	for (const { raw: svc } of services) if (svc !== null && typeof svc === "object") {
+		const svcRecord = svc;
+		const image = svcRecord.image;
+		if (typeof image === "string" && image.length > 0) images.push(image);
+		const port = svcRecord.port;
+		if (typeof port === "number") portCount += 1;
+		else if (Array.isArray(port)) portCount += port.length;
+		const ports = svcRecord.ports;
+		if (Array.isArray(ports)) portCount += ports.length;
+		else if (ports !== null && typeof ports === "object") portCount += Object.keys(ports).length;
+		const env = svcRecord.env;
+		if (env !== null && typeof env === "object" && !Array.isArray(env)) for (const k of Object.keys(env)) envKeys.add(k);
+	}
+	return {
+		format,
+		serviceCount: services.length,
+		portCount,
+		envCount: envKeys.size,
+		envKeys: Array.from(envKeys).sort(),
+		images
+	};
+}
+/**
+* Validate a `DeploySpec` shape pre-broadcast. Throws `TypeError` on the
+* first violation. The frozen type union (`SingleServiceSpec | StackSpec`)
+* already enforces most structural rules at compile time; this runtime
+* check defends against `unknown`-cast callers and `JSON.parse`-decoded
+* inputs.
+*
+* Rules (mirror fred's `deployApp.ts` input validation):
+*   - `spec` must be a non-null object.
+*   - Stack: `services` must have ≥1 entry; each entry's `image` must be a
+*     non-empty string.
+*   - Single: `image` must be a non-empty string.
+*   - Mutually exclusive `image` AND `services` not allowed.
+*
+* The high-level `deployApp` in PR 3 layers domain checks on top
+* (`customDomain` shape, `serviceName` membership, etc.).
+*/
+function validateSpec(spec) {
+	if (spec === null || spec === void 0 || typeof spec !== "object") throw new TypeError("validateSpec: spec must be a non-null object");
+	const record = spec;
+	const hasImageKey = "image" in record;
+	const hasServicesKey = "services" in record;
+	if (hasImageKey && hasServicesKey) throw new TypeError("validateSpec: spec has both `image` and `services` keys; these are mutually exclusive (regardless of value validity)");
+	const hasImage = typeof record.image === "string" && record.image.length > 0;
+	const hasServices = isStackSpec(spec);
+	if (!hasImage && !hasServices) throw new TypeError("validateSpec: spec must declare either `image` (SingleServiceSpec) or `services` (StackSpec)");
+	if ("customDomain" in record) {
+		const cd = record.customDomain;
+		if (cd !== void 0) {
+			if (!(typeof cd === "string" && cd.length > 0 && cd.trim() === cd)) {
+				const got = typeof cd === "string" ? cd.trim().length === 0 ? `"${cd}"` : `"${cd}" (has surrounding whitespace)` : cd === null ? "null" : typeof cd;
+				throw new TypeError(`validateSpec: \`customDomain\` must be a non-empty trimmed string or absent (got ${got}).`);
+			}
+		}
+	}
+	if (hasServices) {
+		const entries = Object.entries(spec.services);
+		if (entries.length === 0) throw new TypeError("validateSpec: stack spec `services` must have at least one entry");
+		for (const [name, svc] of entries) {
+			if (svc === null || typeof svc !== "object") throw new TypeError(`validateSpec: stack service "${name}" must be a non-null object`);
+			const image = svc.image;
+			if (typeof image !== "string" || image.length === 0) throw new TypeError(`validateSpec: stack service "${name}" must declare a non-empty \`image\` string`);
+		}
+		const stackDomain = spec.customDomain;
+		if (typeof stackDomain === "string" && stackDomain.length > 0) {
+			const stackServiceName = spec.serviceName;
+			if (typeof stackServiceName !== "string" || stackServiceName.length === 0) throw new TypeError("validateSpec: stack spec with `customDomain` requires `serviceName` identifying which service receives the domain.");
+			if (!Object.keys(spec.services).includes(stackServiceName)) throw new TypeError(`validateSpec: stack spec \`serviceName\` "${stackServiceName}" must be a key in \`services\` (got services: [${Object.keys(spec.services).join(", ")}]).`);
+		}
+	} else {
+		const port = spec.port;
+		if (!(isValidPortNumber(port) || Array.isArray(port) && port.length > 0 && port.every(isValidPortNumber))) throw new TypeError(`validateSpec: single-service specs require at least one port (port must be a finite positive integer in the TCP range (1-65535), or a non-empty array of such); got port=${JSON.stringify(port)}. For internal-only services, use a stack spec instead.`);
+	}
+}
+/**
+* Predicate: `p` is a finite positive integer in the TCP port range
+* (1-65535). Used by `validateSpec` to gate single-service `port`
+* shapes against the broad `typeof === 'number'` bypass.
+*
+* Co-located in this module because it's exclusive to the port-
+* validation boundary; if a future caller needs the same check,
+* promote it to a shared utility then.
+*/
+function isValidPortNumber(p) {
+	return typeof p === "number" && Number.isInteger(p) && p > 0 && p <= 65535;
+}
+//#endregion
+export { firstImage, isStackSpec, normalizeServices, summarizeSpec, validateSpec };
+
+//# sourceMappingURL=spec-normalize.js.map

package/dist/internals/spec-normalize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"spec-normalize.js","names":[],"sources":["../../src/internals/spec-normalize.ts"],"sourcesContent":["import type {\n  DeploySpec,\n  ServiceDef,\n  SingleServiceSpec,\n  SpecSummary,\n  StackSpec,\n} from '../types.js';\n\n/**\n * Spec normalization + summarization helpers. Exports `isStack`,\n * `firstImage`, `normalizeServices`, `summarizeSpec`, and `validateSpec`\n * (the latter surfaces pre-broadcast shape violations).\n *\n * Two spec shapes are supported (frozen in ENG-128's `types.ts`):\n *   - **services-map (StackSpec)** — `{ services: { <name>: ServiceDef }, customDomain?, serviceName? }`\n *   - **legacy single-service (SingleServiceSpec)** — `{ image, port?, env?, customDomain? }`\n *\n * `normalizeServices` collapses the two shapes into a single iterable form\n * so callers (Plan summary, manifest builder, etc.) walk one structure\n * regardless of which form the user passed.\n *\n * Validation: `validateSpec` throws a plain `TypeError` on shape violations\n * — agent-core has no workspace dep on `@manifest-network/manifest-mcp-core`\n * in PR 1/2 (per parent's REV 1), so `ManifestMCPError` isn't available\n * here. PR 3's high-level `deployApp` re-wraps `TypeError` into\n * `ManifestMCPError(INVALID_CONFIG)` at the public-API boundary.\n */\n\n/**\n * True when `spec` uses the services-map shape (StackSpec). Mirrors\n * `_spec.cjs#isStack`: `services` is a non-null, non-array object.\n */\nexport function isStackSpec(\n  spec: DeploySpec | null | undefined,\n): spec is StackSpec {\n  if (spec === null || spec === undefined || typeof spec !== 'object')\n    return false;\n  const services = (spec as { services?: unknown }).services;\n  return (\n    services !== null &&\n    typeof services === 'object' &&\n    !Array.isArray(services)\n  );\n}\n\n/**\n * Return the canonical first image string for a spec. For legacy single-\n * service: `spec.image`. For stack: the first non-empty `image` in\n * `Object.values(spec.services)`. Returns `null` when neither shape\n * carries an image (or `spec` is malformed).\n */\nexport function firstImage(spec: DeploySpec | null | undefined): string | null {\n  if (spec === null || spec === undefined || typeof spec !== 'object')\n    return null;\n  const single = spec as Partial<SingleServiceSpec>;\n  if (typeof single.image === 'string' && single.image.length > 0) {\n    return single.image;\n  }\n  if (isStackSpec(spec)) {\n    for (const svc of Object.values(spec.services)) {\n      if (svc !== null && typeof svc === 'object') {\n        const image = (svc as Partial<ServiceDef>).image;\n        if (typeof image === 'string' && image.length > 0) return image;\n      }\n    }\n  }\n  return null;\n}\n\n/**\n * Walk a spec as `[{name, raw}]` where:\n *   - `name === null` for legacy single-service (only one entry, raw is the spec itself).\n *   - `name === <key>` for each services-map entry; `raw` is the per-service ServiceDef.\n *\n * Stable iteration order matches `Object.entries` (insertion order in v8/modern engines).\n */\nexport interface NormalizedService {\n  /** `null` for legacy single-service; the services-map key for stack leases. */\n  name: string | null;\n  /** The per-service object exactly as the spec stores it. No field projection. */\n  raw: ServiceDef | SingleServiceSpec;\n}\n\nexport function normalizeServices(\n  spec: DeploySpec | null | undefined,\n): NormalizedService[] {\n  if (isStackSpec(spec)) {\n    return Object.entries(spec.services).map(([name, raw]) => ({\n      name,\n      raw: (raw ?? {}) as ServiceDef,\n    }));\n  }\n  return [\n    {\n      name: null,\n      raw: (spec ?? {}) as SingleServiceSpec,\n    },\n  ];\n}\n\n/**\n * Produce the frozen `SpecSummary` shape for inclusion in the `Plan`\n * (camelCase fields: `serviceCount`, etc.).\n *\n * Port count rules:\n *   - SingleServiceSpec `port: number` → +1 port.\n *   - SingleServiceSpec `port: number[]` → +length ports.\n *   - ServiceDef `ports: number[]` (per type) → +length ports.\n *   - ServiceDef `ports` shaped as a Record (older codepath) → +key count.\n *\n * Env key uniqueness is computed across services (one `env_keys` set\n * spans the whole spec); `envCount` is the size of that set; `envKeys`\n * is sorted ascending.\n */\nexport function summarizeSpec(spec: DeploySpec): SpecSummary {\n  const format: 'single' | 'stack' = isStackSpec(spec) ? 'stack' : 'single';\n  const services = normalizeServices(spec);\n\n  let portCount = 0;\n  const envKeys = new Set<string>();\n  const images: string[] = [];\n\n  for (const { raw: svc } of services) {\n    if (svc !== null && typeof svc === 'object') {\n      const svcRecord = svc as unknown as Record<string, unknown>;\n      const image = svcRecord.image;\n      if (typeof image === 'string' && image.length > 0) images.push(image);\n\n      const port = svcRecord.port;\n      if (typeof port === 'number') portCount += 1;\n      else if (Array.isArray(port)) portCount += port.length;\n\n      const ports = svcRecord.ports;\n      if (Array.isArray(ports)) {\n        portCount += ports.length;\n      } else if (ports !== null && typeof ports === 'object') {\n        portCount += Object.keys(ports).length;\n      }\n\n      const env = svcRecord.env;\n      if (env !== null && typeof env === 'object' && !Array.isArray(env)) {\n        for (const k of Object.keys(env)) envKeys.add(k);\n      }\n    }\n  }\n\n  return {\n    format,\n    serviceCount: services.length,\n    portCount,\n    envCount: envKeys.size,\n    envKeys: Array.from(envKeys).sort(),\n    images,\n  };\n}\n\n/**\n * Validate a `DeploySpec` shape pre-broadcast. Throws `TypeError` on the\n * first violation. The frozen type union (`SingleServiceSpec | StackSpec`)\n * already enforces most structural rules at compile time; this runtime\n * check defends against `unknown`-cast callers and `JSON.parse`-decoded\n * inputs.\n *\n * Rules (mirror fred's `deployApp.ts` input validation):\n *   - `spec` must be a non-null object.\n *   - Stack: `services` must have ≥1 entry; each entry's `image` must be a\n *     non-empty string.\n *   - Single: `image` must be a non-empty string.\n *   - Mutually exclusive `image` AND `services` not allowed.\n *\n * The high-level `deployApp` in PR 3 layers domain checks on top\n * (`customDomain` shape, `serviceName` membership, etc.).\n */\nexport function validateSpec(spec: DeploySpec | null | undefined): void {\n  if (spec === null || spec === undefined || typeof spec !== 'object') {\n    throw new TypeError('validateSpec: spec must be a non-null object');\n  }\n  const record = spec as unknown as Record<string, unknown>;\n\n  // Mutual-exclusion gate uses KEY presence (not value validity). This\n  // closes the bypass where a caller supplies a malformed `image` value\n  // (empty string, number, null) alongside a valid `services` map: the\n  // value-based check would silently treat `image` as \"absent\" and accept\n  // the spec, but the caller's intent was ambiguous (which shape did they\n  // mean?). Rejecting on key-presence forces the caller to delete one key\n  // before submission and removes the ambiguity.\n  const hasImageKey = 'image' in record;\n  const hasServicesKey = 'services' in record;\n  if (hasImageKey && hasServicesKey) {\n    throw new TypeError(\n      'validateSpec: spec has both `image` and `services` keys; these are mutually exclusive (regardless of value validity)',\n    );\n  }\n\n  // Downstream value-validity check (after the mutual-exclusion gate has\n  // ruled out the ambiguous case). An `image` key with a non-string or\n  // empty-string value still fails here when `services` is absent.\n  const hasImage = typeof record.image === 'string' && record.image.length > 0;\n  const hasServices = isStackSpec(spec);\n  if (!hasImage && !hasServices) {\n    throw new TypeError(\n      'validateSpec: spec must declare either `image` (SingleServiceSpec) or `services` (StackSpec)',\n    );\n  }\n\n  // Copilot review fix (PR #58 r3266786899): `customDomain` shape at\n  // the boundary. The orchestrator's `buildFredDeployInput`\n  // (`deploy-app.ts:701`) uses a `if (customDomain)` truthiness check,\n  // which silently drops `''`, `null`, `false`, `0`, `NaN` from the\n  // emitted `fredInput`. A user spec like `{ ..., customDomain: '' }`\n  // passes validation today, fred receives `fredInput` WITHOUT the\n  // domain, deploy proceeds — the user's requested domain silently\n  // not claimed, no error signal.\n  //\n  // Boundary check: when `customDomain` is present, it must be a\n  // non-empty string. `undefined` (key absent) is fine; that's the\n  // \"no domain requested\" case. Fires before the stack-customDomain\n  // serviceName check (r3249684707) so the user gets a clear\n  // customDomain-shape error rather than a misleading\n  // requires-serviceName one.\n  // Copilot review fix (PR #58 r3267373001): reject whitespace-only\n  // strings AND strings with surrounding whitespace (option (i) from\n  // the team-lead's brief — strict; let the caller send a clean,\n  // already-trimmed value rather than silently trim for them). The\n  // prior `cd.length === 0` predicate accepted `'   '`, `'\\t\\n'`,\n  // and `' app.example.com '`; fred would either accept the\n  // surrounding whitespace as part of the domain (correctness bug)\n  // or trim-and-reject (worse UX than agent-core's clear error).\n  if ('customDomain' in record) {\n    const cd = record.customDomain;\n    if (cd !== undefined) {\n      const isCleanNonEmptyString =\n        typeof cd === 'string' && cd.length > 0 && cd.trim() === cd;\n      if (!isCleanNonEmptyString) {\n        const got =\n          typeof cd === 'string'\n            ? cd.trim().length === 0\n              ? `\"${cd}\"`\n              : `\"${cd}\" (has surrounding whitespace)`\n            : cd === null\n              ? 'null'\n              : typeof cd;\n        throw new TypeError(\n          `validateSpec: \\`customDomain\\` must be a non-empty trimmed string or absent (got ${got}).`,\n        );\n      }\n    }\n  }\n\n  if (hasServices) {\n    const entries = Object.entries(spec.services);\n    if (entries.length === 0) {\n      throw new TypeError(\n        'validateSpec: stack spec `services` must have at least one entry',\n      );\n    }\n    for (const [name, svc] of entries) {\n      if (svc === null || typeof svc !== 'object') {\n        throw new TypeError(\n          `validateSpec: stack service \"${name}\" must be a non-null object`,\n        );\n      }\n      const image = (svc as Partial<ServiceDef>).image;\n      if (typeof image !== 'string' || image.length === 0) {\n        throw new TypeError(\n          `validateSpec: stack service \"${name}\" must declare a non-empty \\`image\\` string`,\n        );\n      }\n    }\n\n    // Copilot review fix (PR #58 r3249684707): a stack spec with a\n    // `customDomain` MUST declare which service receives the domain\n    // via `serviceName`, and that value must be a key in `services`.\n    // Without this guard, `customDomainServiceOf` in `deploy-app.ts`\n    // returns `undefined`, planning proceeds with no target, renderers\n    // misrepresent the claim, and fred rejects the set-domain tx\n    // ONLY after `create-lease` commits — leaving the user with an\n    // orphan lease + a failed domain claim. Catching this at\n    // validate-time is fail-fast at the boundary.\n    //\n    // Single-service specs are unaffected: their `customDomain` is\n    // claimed against the implicit single lease item — no\n    // serviceName disambiguation needed.\n    const stackDomain = (spec as Partial<StackSpec>).customDomain;\n    if (typeof stackDomain === 'string' && stackDomain.length > 0) {\n      const stackServiceName = (spec as Partial<StackSpec>).serviceName;\n      if (\n        typeof stackServiceName !== 'string' ||\n        stackServiceName.length === 0\n      ) {\n        throw new TypeError(\n          'validateSpec: stack spec with `customDomain` requires `serviceName` identifying which service receives the domain.',\n        );\n      }\n      // Copilot review fix (PR #58 r3250331968): use an own-key check.\n      // The `in` operator walks the prototype chain, so `serviceName:\n      // 'constructor'` (or `'toString'`, `'hasOwnProperty'`, etc.)\n      // would falsely pass against a `services` map that doesn't\n      // declare those names. Mirrors fred's own choice at\n      // `packages/fred/src/tools/deployApp.ts:254` for cross-package\n      // symmetry. `Object.keys().includes()` (not `Object.hasOwn`,\n      // which is ES2022 and our `tsdown.config.ts` targets ES2020).\n      if (!Object.keys(spec.services).includes(stackServiceName)) {\n        throw new TypeError(\n          `validateSpec: stack spec \\`serviceName\\` \"${stackServiceName}\" must be a key in \\`services\\` (got services: [${Object.keys(spec.services).join(', ')}]).`,\n        );\n      }\n    }\n  } else {\n    // Single-service spec port requirement.\n    //\n    // Copilot review fix (PR #58 r3249097051): fred's image-mode rejects\n    // portless inputs with `port is required when using image`\n    // (`packages/fred/src/tools/deployApp.ts:202` +\n    // `packages/fred/src/tools/buildManifestPreview.ts:181`). Without\n    // an agent-core boundary check the orchestrator silently passed\n    // `port: undefined` through `buildManifestPreviewInput` /\n    // `buildFredDeployInput`, surfacing fred's error mid-orchestration\n    // (after readiness check + plan render). Failing fast at validate\n    // time produces a clearer message and avoids partial work.\n    //\n    // The escape hatch for genuinely internal-only services is the\n    // stack spec — service-level `ports` is optional, so a stack with\n    // `{ services: { mysvc: { image, env } } }` deploys without ports.\n    //\n    // Copilot review fix (PR #58 r3249294877): tighten the predicate to\n    // a finite positive integer in the TCP port range. The prior\n    // `typeof p === 'number'` check accepted `0`, `NaN`, `Infinity`,\n    // negative numbers, non-integers, and out-of-range ports —\n    // partially defeating the fail-fast intent. Fred catches `port: 0`\n    // via `!input.port`, but the other shapes either flow through to a\n    // less helpful error or get coerced silently. The shared predicate\n    // `isValidPortNumber` (below) is the single source of truth.\n    const port = (spec as Partial<SingleServiceSpec>).port;\n    const hasValidPort =\n      isValidPortNumber(port) ||\n      (Array.isArray(port) && port.length > 0 && port.every(isValidPortNumber));\n    if (!hasValidPort) {\n      throw new TypeError(\n        'validateSpec: single-service specs require at least one port (port must be a finite positive integer in the TCP range (1-65535), or a non-empty array of such); got ' +\n          `port=${JSON.stringify(port)}. For internal-only services, use a stack spec instead.`,\n      );\n    }\n  }\n}\n\n/**\n * Predicate: `p` is a finite positive integer in the TCP port range\n * (1-65535). Used by `validateSpec` to gate single-service `port`\n * shapes against the broad `typeof === 'number'` bypass.\n *\n * Co-located in this module because it's exclusive to the port-\n * validation boundary; if a future caller needs the same check,\n * promote it to a shared utility then.\n */\nfunction isValidPortNumber(p: unknown): p is number {\n  return typeof p === 'number' && Number.isInteger(p) && p > 0 && p <= 65535;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAgCA,SAAgB,YACd,MACmB;AACnB,KAAI,SAAS,QAAQ,SAAS,KAAA,KAAa,OAAO,SAAS,SACzD,QAAO;CACT,MAAM,WAAY,KAAgC;AAClD,QACE,aAAa,QACb,OAAO,aAAa,YACpB,CAAC,MAAM,QAAQ,SAAS;;;;;;;;AAU5B,SAAgB,WAAW,MAAoD;AAC7E,KAAI,SAAS,QAAQ,SAAS,KAAA,KAAa,OAAO,SAAS,SACzD,QAAO;CACT,MAAM,SAAS;AACf,KAAI,OAAO,OAAO,UAAU,YAAY,OAAO,MAAM,SAAS,EAC5D,QAAO,OAAO;AAEhB,KAAI,YAAY,KAAK;OACd,MAAM,OAAO,OAAO,OAAO,KAAK,SAAS,CAC5C,KAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;GAC3C,MAAM,QAAS,IAA4B;AAC3C,OAAI,OAAO,UAAU,YAAY,MAAM,SAAS,EAAG,QAAO;;;AAIhE,QAAO;;AAiBT,SAAgB,kBACd,MACqB;AACrB,KAAI,YAAY,KAAK,CACnB,QAAO,OAAO,QAAQ,KAAK,SAAS,CAAC,KAAK,CAAC,MAAM,UAAU;EACzD;EACA,KAAM,OAAO,EAAE;EAChB,EAAE;AAEL,QAAO,CACL;EACE,MAAM;EACN,KAAM,QAAQ,EAAE;EACjB,CACF;;;;;;;;;;;;;;;;AAiBH,SAAgB,cAAc,MAA+B;CAC3D,MAAM,SAA6B,YAAY,KAAK,GAAG,UAAU;CACjE,MAAM,WAAW,kBAAkB,KAAK;CAExC,IAAI,YAAY;CAChB,MAAM,0BAAU,IAAI,KAAa;CACjC,MAAM,SAAmB,EAAE;AAE3B,MAAK,MAAM,EAAE,KAAK,SAAS,SACzB,KAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;EAC3C,MAAM,YAAY;EAClB,MAAM,QAAQ,UAAU;AACxB,MAAI,OAAO,UAAU,YAAY,MAAM,SAAS,EAAG,QAAO,KAAK,MAAM;EAErE,MAAM,OAAO,UAAU;AACvB,MAAI,OAAO,SAAS,SAAU,cAAa;WAClC,MAAM,QAAQ,KAAK,CAAE,cAAa,KAAK;EAEhD,MAAM,QAAQ,UAAU;AACxB,MAAI,MAAM,QAAQ,MAAM,CACtB,cAAa,MAAM;WACV,UAAU,QAAQ,OAAO,UAAU,SAC5C,cAAa,OAAO,KAAK,MAAM,CAAC;EAGlC,MAAM,MAAM,UAAU;AACtB,MAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,CAAC,MAAM,QAAQ,IAAI,CAChE,MAAK,MAAM,KAAK,OAAO,KAAK,IAAI,CAAE,SAAQ,IAAI,EAAE;;AAKtD,QAAO;EACL;EACA,cAAc,SAAS;EACvB;EACA,UAAU,QAAQ;EAClB,SAAS,MAAM,KAAK,QAAQ,CAAC,MAAM;EACnC;EACD;;;;;;;;;;;;;;;;;;;AAoBH,SAAgB,aAAa,MAA2C;AACtE,KAAI,SAAS,QAAQ,SAAS,KAAA,KAAa,OAAO,SAAS,SACzD,OAAM,IAAI,UAAU,+CAA+C;CAErE,MAAM,SAAS;CASf,MAAM,cAAc,WAAW;CAC/B,MAAM,iBAAiB,cAAc;AACrC,KAAI,eAAe,eACjB,OAAM,IAAI,UACR,uHACD;CAMH,MAAM,WAAW,OAAO,OAAO,UAAU,YAAY,OAAO,MAAM,SAAS;CAC3E,MAAM,cAAc,YAAY,KAAK;AACrC,KAAI,CAAC,YAAY,CAAC,YAChB,OAAM,IAAI,UACR,+FACD;AA0BH,KAAI,kBAAkB,QAAQ;EAC5B,MAAM,KAAK,OAAO;AAClB,MAAI,OAAO,KAAA;OAGL,EADF,OAAO,OAAO,YAAY,GAAG,SAAS,KAAK,GAAG,MAAM,KAAK,KAC/B;IAC1B,MAAM,MACJ,OAAO,OAAO,WACV,GAAG,MAAM,CAAC,WAAW,IACnB,IAAI,GAAG,KACP,IAAI,GAAG,kCACT,OAAO,OACL,SACA,OAAO;AACf,UAAM,IAAI,UACR,oFAAoF,IAAI,IACzF;;;;AAKP,KAAI,aAAa;EACf,MAAM,UAAU,OAAO,QAAQ,KAAK,SAAS;AAC7C,MAAI,QAAQ,WAAW,EACrB,OAAM,IAAI,UACR,mEACD;AAEH,OAAK,MAAM,CAAC,MAAM,QAAQ,SAAS;AACjC,OAAI,QAAQ,QAAQ,OAAO,QAAQ,SACjC,OAAM,IAAI,UACR,gCAAgC,KAAK,6BACtC;GAEH,MAAM,QAAS,IAA4B;AAC3C,OAAI,OAAO,UAAU,YAAY,MAAM,WAAW,EAChD,OAAM,IAAI,UACR,gCAAgC,KAAK,6CACtC;;EAiBL,MAAM,cAAe,KAA4B;AACjD,MAAI,OAAO,gBAAgB,YAAY,YAAY,SAAS,GAAG;GAC7D,MAAM,mBAAoB,KAA4B;AACtD,OACE,OAAO,qBAAqB,YAC5B,iBAAiB,WAAW,EAE5B,OAAM,IAAI,UACR,qHACD;AAUH,OAAI,CAAC,OAAO,KAAK,KAAK,SAAS,CAAC,SAAS,iBAAiB,CACxD,OAAM,IAAI,UACR,6CAA6C,iBAAiB,kDAAkD,OAAO,KAAK,KAAK,SAAS,CAAC,KAAK,KAAK,CAAC,KACvJ;;QAGA;EAyBL,MAAM,OAAQ,KAAoC;AAIlD,MAAI,EAFF,kBAAkB,KAAK,IACtB,MAAM,QAAQ,KAAK,IAAI,KAAK,SAAS,KAAK,KAAK,MAAM,kBAAkB,EAExE,OAAM,IAAI,UACR,4KACU,KAAK,UAAU,KAAK,CAAC,yDAChC;;;;;;;;;;;;AAcP,SAAS,kBAAkB,GAAyB;AAClD,QAAO,OAAO,MAAM,YAAY,OAAO,UAAU,EAAE,IAAI,IAAI,KAAK,KAAK"}

package/dist/internals/verify-domain-state.d.ts

@@ -0,0 +1,20 @@
+//#region src/internals/verify-domain-state.d.ts
+type VerifyDomainOutcome = 'match' | 'mismatch' | 'not_found';
+interface VerifyDomainResult {
+  outcome: VerifyDomainOutcome;
+  /** Present when outcome is 'match' or 'mismatch'. The lease item's actual customDomain. */
+  actual?: string;
+  /** Present when outcome is 'not_found'. Human-readable detail. */
+  reason?: string;
+}
+interface VerifyDomainArgs {
+  leaseUuid: string;
+  /** DNS label addressing an item inside a stack lease. Omit / leave empty for legacy 1-item leases. */
+  serviceName?: string;
+  /** FQDN to compare against the chain's stored value. Use '' for clear-mode (post-clear verification). */
+  expected: string;
+}
+declare function verifyDomainState(leasesPayload: unknown, args: VerifyDomainArgs): VerifyDomainResult;
+//#endregion
+export { VerifyDomainArgs, VerifyDomainOutcome, VerifyDomainResult, verifyDomainState };
+//# sourceMappingURL=verify-domain-state.d.ts.map

package/dist/internals/verify-domain-state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-domain-state.d.ts","names":[],"sources":["../../src/internals/verify-domain-state.ts"],"mappings":";KA8BY,mBAAA;AAAA,UAEK,kBAAA;EACf,OAAA,EAAS,mBAAA;;EAET,MAAA;EAL6B;EAO7B,MAAA;AAAA;AAAA,UAGe,gBAAA;EACf,SAAA;EARA;EAUA,WAAA;EARA;EAUA,QAAA;AAAA;AAAA,iBAGc,iBAAA,CACd,aAAA,WACA,IAAA,EAAM,gBAAA,GACL,kBAAA"}

package/dist/internals/verify-domain-state.js

@@ -0,0 +1,63 @@
+import { findLease, normalizeItem } from "./lease-items.js";
+//#region src/internals/verify-domain-state.ts
+/**
+* Verify a lease item's `customDomain` against an expected value after a
+* `set_item_custom_domain` broadcast.
+*
+* Decodes the same lease shape as `lease-items.ts`, then compares the
+* matched item's `customDomain` to the expected FQDN (or empty string for
+* clear-mode). Used by the in-process `verifyAndRecover` driver in PR 1
+* and by the high-level `manageDomain` set/clear flows in PR 4.
+*
+* Outcome semantics:
+*   - `'match'`     — actual `customDomain` equals expected
+*   - `'mismatch'`  — actual differs from expected (item carries `actual` for surfacing)
+*   - `'not_found'` — lease UUID not present in the verification payload, OR multi-item lease but no `serviceName` supplied, OR `serviceName` not present in the lease's items
+*
+* Single-item leases (legacy 1-item lease with `serviceName === ''`) ignore
+* the `serviceName` argument and always use the only item. Multi-item
+* stack leases require `serviceName` to address the target item.
+*
+* Throws `TypeError` for malformed args (non-string leaseUuid, leaseUuid
+* that doesn't match UUID grammar). The CJS exits 1 via stderr; the TS
+* port surfaces a typed error instead of a synthetic `not_found` result
+* so caller-side argument bugs don't masquerade as a chain-state outcome.
+*/
+/** Anchored UUID-shape regex (8-4-4-4-12, version-byte lenient — matches `_uuid.cjs#UUID_RE`). */
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function verifyDomainState(leasesPayload, args) {
+	if (typeof args.leaseUuid !== "string") throw new TypeError(`verifyDomainState: leaseUuid must be a string, got ${typeof args.leaseUuid}`);
+	if (!UUID_RE.test(args.leaseUuid)) throw new TypeError(`verifyDomainState: leaseUuid must be a UUID; got "${args.leaseUuid}"`);
+	if (typeof args.expected !== "string") throw new TypeError(`verifyDomainState: expected must be a string (use '' for clear-mode), got ${typeof args.expected}`);
+	const lease = findLease(leasesPayload, args.leaseUuid);
+	if (lease === null) return {
+		outcome: "not_found",
+		reason: "lease UUID not found in verification payload"
+	};
+	const rawItems = lease.items;
+	const items = (Array.isArray(rawItems) ? rawItems : []).map(normalizeItem);
+	const singleItem = items.length === 1 && items[0]?.serviceName === "";
+	const requestedService = (args.serviceName ?? "").trim();
+	let item;
+	if (singleItem) item = items[0];
+	else if (requestedService === "") return {
+		outcome: "not_found",
+		reason: "lease has multiple items but --service-name was not supplied"
+	};
+	else {
+		item = items.find((i) => i.serviceName === requestedService);
+		if (!item) return {
+			outcome: "not_found",
+			reason: `service-name "${requestedService}" not found in lease items`
+		};
+	}
+	const actual = item?.customDomain ?? "";
+	return {
+		outcome: actual === args.expected ? "match" : "mismatch",
+		actual
+	};
+}
+//#endregion
+export { verifyDomainState };
+
+//# sourceMappingURL=verify-domain-state.js.map

package/dist/internals/verify-domain-state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-domain-state.js","names":[],"sources":["../../src/internals/verify-domain-state.ts"],"sourcesContent":["import { findLease, normalizeItem } from './lease-items.js';\n\n/**\n * Verify a lease item's `customDomain` against an expected value after a\n * `set_item_custom_domain` broadcast.\n *\n * Decodes the same lease shape as `lease-items.ts`, then compares the\n * matched item's `customDomain` to the expected FQDN (or empty string for\n * clear-mode). Used by the in-process `verifyAndRecover` driver in PR 1\n * and by the high-level `manageDomain` set/clear flows in PR 4.\n *\n * Outcome semantics:\n *   - `'match'`     — actual `customDomain` equals expected\n *   - `'mismatch'`  — actual differs from expected (item carries `actual` for surfacing)\n *   - `'not_found'` — lease UUID not present in the verification payload, OR multi-item lease but no `serviceName` supplied, OR `serviceName` not present in the lease's items\n *\n * Single-item leases (legacy 1-item lease with `serviceName === ''`) ignore\n * the `serviceName` argument and always use the only item. Multi-item\n * stack leases require `serviceName` to address the target item.\n *\n * Throws `TypeError` for malformed args (non-string leaseUuid, leaseUuid\n * that doesn't match UUID grammar). The CJS exits 1 via stderr; the TS\n * port surfaces a typed error instead of a synthetic `not_found` result\n * so caller-side argument bugs don't masquerade as a chain-state outcome.\n */\n\n/** Anchored UUID-shape regex (8-4-4-4-12, version-byte lenient — matches `_uuid.cjs#UUID_RE`). */\nconst UUID_RE =\n  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n\nexport type VerifyDomainOutcome = 'match' | 'mismatch' | 'not_found';\n\nexport interface VerifyDomainResult {\n  outcome: VerifyDomainOutcome;\n  /** Present when outcome is 'match' or 'mismatch'. The lease item's actual customDomain. */\n  actual?: string;\n  /** Present when outcome is 'not_found'. Human-readable detail. */\n  reason?: string;\n}\n\nexport interface VerifyDomainArgs {\n  leaseUuid: string;\n  /** DNS label addressing an item inside a stack lease. Omit / leave empty for legacy 1-item leases. */\n  serviceName?: string;\n  /** FQDN to compare against the chain's stored value. Use '' for clear-mode (post-clear verification). */\n  expected: string;\n}\n\nexport function verifyDomainState(\n  leasesPayload: unknown,\n  args: VerifyDomainArgs,\n): VerifyDomainResult {\n  if (typeof args.leaseUuid !== 'string') {\n    throw new TypeError(\n      `verifyDomainState: leaseUuid must be a string, got ${typeof args.leaseUuid}`,\n    );\n  }\n  if (!UUID_RE.test(args.leaseUuid)) {\n    throw new TypeError(\n      `verifyDomainState: leaseUuid must be a UUID; got \"${args.leaseUuid}\"`,\n    );\n  }\n  if (typeof args.expected !== 'string') {\n    throw new TypeError(\n      `verifyDomainState: expected must be a string (use '' for clear-mode), got ${typeof args.expected}`,\n    );\n  }\n\n  const lease = findLease(leasesPayload, args.leaseUuid);\n  if (lease === null) {\n    return {\n      outcome: 'not_found',\n      reason: 'lease UUID not found in verification payload',\n    };\n  }\n\n  // The lease shape is opaque to TS — pickLeasesArray + findLease validate\n  // structural keys but the items array can be missing or non-array.\n  const rawItems = (lease as { items?: unknown }).items;\n  const itemsArray = Array.isArray(rawItems) ? rawItems : [];\n  const items = itemsArray.map(normalizeItem);\n\n  const singleItem = items.length === 1 && items[0]?.serviceName === '';\n  const requestedService = (args.serviceName ?? '').trim();\n\n  let item: ReturnType<typeof normalizeItem> | undefined;\n  if (singleItem) {\n    item = items[0];\n  } else if (requestedService === '') {\n    return {\n      outcome: 'not_found',\n      reason: 'lease has multiple items but --service-name was not supplied',\n    };\n  } else {\n    item = items.find((i) => i.serviceName === requestedService);\n    if (!item) {\n      return {\n        outcome: 'not_found',\n        reason: `service-name \"${requestedService}\" not found in lease items`,\n      };\n    }\n  }\n\n  const actual = item?.customDomain ?? '';\n  const outcome: VerifyDomainOutcome =\n    actual === args.expected ? 'match' : 'mismatch';\n  return { outcome, actual };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AA2BA,MAAM,UACJ;AAoBF,SAAgB,kBACd,eACA,MACoB;AACpB,KAAI,OAAO,KAAK,cAAc,SAC5B,OAAM,IAAI,UACR,sDAAsD,OAAO,KAAK,YACnE;AAEH,KAAI,CAAC,QAAQ,KAAK,KAAK,UAAU,CAC/B,OAAM,IAAI,UACR,qDAAqD,KAAK,UAAU,GACrE;AAEH,KAAI,OAAO,KAAK,aAAa,SAC3B,OAAM,IAAI,UACR,6EAA6E,OAAO,KAAK,WAC1F;CAGH,MAAM,QAAQ,UAAU,eAAe,KAAK,UAAU;AACtD,KAAI,UAAU,KACZ,QAAO;EACL,SAAS;EACT,QAAQ;EACT;CAKH,MAAM,WAAY,MAA8B;CAEhD,MAAM,SADa,MAAM,QAAQ,SAAS,GAAG,WAAW,EAAE,EACjC,IAAI,cAAc;CAE3C,MAAM,aAAa,MAAM,WAAW,KAAK,MAAM,IAAI,gBAAgB;CACnE,MAAM,oBAAoB,KAAK,eAAe,IAAI,MAAM;CAExD,IAAI;AACJ,KAAI,WACF,QAAO,MAAM;UACJ,qBAAqB,GAC9B,QAAO;EACL,SAAS;EACT,QAAQ;EACT;MACI;AACL,SAAO,MAAM,MAAM,MAAM,EAAE,gBAAgB,iBAAiB;AAC5D,MAAI,CAAC,KACH,QAAO;GACL,SAAS;GACT,QAAQ,iBAAiB,iBAAiB;GAC3C;;CAIL,MAAM,SAAS,MAAM,gBAAgB;AAGrC,QAAO;EAAE,SADP,WAAW,KAAK,WAAW,UAAU;EACrB;EAAQ"}

package/dist/internals/verify-recover.d.ts

@@ -0,0 +1,120 @@
+import { FailureEnvelope, RecoveryChoice, RecoveryOption } from "../types.js";
+
+//#region src/internals/verify-recover.d.ts
+/**
+ * In-process verify-and-recover driver. Uses an inline async verifier
+ * function (L7: agent-core MUST NOT spawn subprocesses).
+ *
+ * Out of scope (subprocess-only concerns):
+ *   - verifier-script path sanitization (no path; verifier is a function)
+ *   - stdin-source indirection (verifier receives typed context)
+ *   - argv interpolation (verifier closes over context)
+ *   - `{{var}}` template interpolation on user_message (recovery options
+ *     carry their own typed-diagnostic closures via `buildRecoveryOptions`)
+ *   - `timeout` / `maxBuffer` operational caps (no subprocess; an optional
+ *     AbortController-based timeout can be added per-verifier if needed)
+ *   - `NODE_ENV` test-override env vars (none of the above need them)
+ *
+ * Keeps (in-process security still relevant):
+ *   - `SECRET_KEY_DENYLIST` strip on the diagnostic before it reaches
+ *     `buildFailureEnvelope` / `buildRecoveryOptions` / the host callback / the result.
+ *   - Prototype-pollution guard on `__proto__` / `constructor` / `prototype`
+ *     in the diagnostic walk (defense for verifier-output objects that
+ *     could have come via `JSON.parse`).
+ *   - Branch dispatch: `branches[outcome]` → `branches.__other__` →
+ *     synthesized `unclassified` fallback (CJS calls it `'other'`; the TS
+ *     port uses `'__other__'` to avoid collisions with a literal outcome
+ *     string `'other'`).
+ *
+ * Branch IDs are an internal, closed-set string-literal union — they
+ * identify branches for journal/logging purposes but are NOT part of the
+ * public type contract (Option A from ENG-128). The public surface for
+ * recovery is the frozen `RecoveryOption[]` array, materialized by each
+ * branch's inline `buildRecoveryOptions(diag)` closure.
+ */
+/** Closed-set internal branch identifier. Surfaces via journal/log only. */
+type BranchId = 'partial_success_domain' | 'lease_terminal' | 'domain_verification_mismatch' | 'domain_not_found' | 'pending_drift' | 'unclassified';
+/**
+ * Per-branch behavior contract. Authored inline at each high-level
+ * function's call site (deployApp, manageDomain, etc.) so the closures
+ * can bind diagnostic data into the surfaced label/description text.
+ */
+interface VerificationBranch<TDiag = Record<string, unknown>> {
+  /** Internal id for journal write + log; not surfaced to host callbacks directly. */
+  readonly branchId: BranchId;
+  /** Pass-through tags for the ENG-124 journal `recovery_actions[]`. Empty when not journaling. */
+  readonly journalActionTags: readonly string[];
+  /** Synthesize the public `FailureEnvelope` (frozen contract) from the post-strip diagnostic. */
+  buildFailureEnvelope: (diagnostic: TDiag) => FailureEnvelope;
+  /**
+   * Materialize the `RecoveryOption[]` for the host's `onFailure` callback.
+   * Returning an empty array marks the branch as inform-only:
+   * `verifyAndRecover` will return the failure envelope without invoking
+   * `onFailure` so callers don't waste a user prompt asking what to do
+   * when there's nothing to choose between.
+   */
+  buildRecoveryOptions: (diagnostic: TDiag) => RecoveryOption[];
+}
+/** Verifier function — async; receives typed context; returns typed outcome + free-form diagnostic. */
+type Verifier<TContext, TOutcome extends string, TDiag = Record<string, unknown>> = (context: TContext) => Promise<VerifierResult<TOutcome, TDiag>>;
+/** Shape returned by every verifier. `outcome` drives branch selection; `diagnostic` flows into the branch's closures. */
+interface VerifierResult<TOutcome extends string, TDiag> {
+  outcome: TOutcome;
+  diagnostic: TDiag;
+}
+/**
+ * Verification spec — declarative description of how to verify post-state
+ * and dispatch to a recovery branch. Mirrors the CJS spec shape with
+ * the subprocess-specific fields dropped.
+ *
+ * `__other__` is the catch-all branch key, equivalent to the CJS's `'other'`.
+ * Renamed to avoid collisions with an outcome literally equal to `'other'`.
+ */
+interface VerificationSpec<TContext, TOutcome extends string, TDiag = Record<string, unknown>> {
+  readonly verifier: Verifier<TContext, TOutcome, TDiag>;
+  /** Outcome values that count as success — no branch dispatch, host's `onFailure` is NOT called. */
+  readonly successValues: readonly TOutcome[];
+  /** Branch dictionary keyed by outcome string. `__other__` is the catch-all fallback. */
+  readonly branches: Partial<Record<TOutcome | '__other__', VerificationBranch<TDiag>>>;
+}
+interface VerifyAndRecoverResult<TOutcome extends string, TDiag = Record<string, unknown>> {
+  result: 'success' | 'failure';
+  verifierOutcome: TOutcome;
+  /** `null` on success; the matched branch's id (or `'unclassified'`) on failure. */
+  branchId: BranchId | null;
+  journalActionTags: readonly string[];
+  /** Post-strip diagnostic. Same value the branch closures received. */
+  diagnostic: TDiag;
+  /** Present iff failure. The synthesized public-surface envelope. */
+  failure?: FailureEnvelope;
+  /** Present iff failure AND `onFailure` was called AND it returned (i.e., a non-empty `RecoveryOption[]` was presented). */
+  recoveryChoice?: RecoveryChoice;
+}
+interface VerifyAndRecoverCallbacks {
+  /**
+   * Rich-form failure handler used by `deployApp`. Receives the
+   * `FailureEnvelope` synthesized by the matched branch + the closure-
+   * built `RecoveryOption[]` and returns the user's pick.
+   *
+   * Simple-form callers (manageDomain / closeLease / troubleshoot) wrap
+   * via an adapter in PR 4 — they don't pass an `onFailure` here directly.
+   */
+  onFailure?: (failure: FailureEnvelope, options: RecoveryOption[]) => Promise<RecoveryChoice>;
+}
+/**
+ * Run the verifier; classify the outcome; on failure, build the public
+ * envelope + recovery options and (optionally) invoke the host's
+ * `onFailure` callback for a user pick.
+ *
+ * Throws synchronously on:
+ *   - Spec runtime-shape violations (missing verifier function, non-array
+ *     successValues, non-object branches).
+ *   - Verifier-returned shape violations (missing `outcome` key,
+ *     non-string `outcome`, missing `diagnostic` key, non-object
+ *     `diagnostic`).
+ * Propagates any error the verifier itself throws.
+ */
+declare function verifyAndRecover<TContext, TOutcome extends string, TDiag = Record<string, unknown>>(spec: VerificationSpec<TContext, TOutcome, TDiag>, context: TContext, callbacks?: VerifyAndRecoverCallbacks): Promise<VerifyAndRecoverResult<TOutcome, TDiag>>;
+//#endregion
+export { BranchId, VerificationBranch, VerificationSpec, Verifier, VerifierResult, VerifyAndRecoverCallbacks, VerifyAndRecoverResult, verifyAndRecover };
+//# sourceMappingURL=verify-recover.d.ts.map

package/dist/internals/verify-recover.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-recover.d.ts","names":[],"sources":["../../src/internals/verify-recover.ts"],"mappings":";;;;;AAwCA;;;;;AAaA;;;;;;;;;;;;;;;;;;;;;;;;;KAbY,QAAA;AA+BZ;;;;;AAAA,UAlBiB,kBAAA,SAA2B,MAAA;EAsBgB;EAAA,SApBjD,QAAA,EAAU,QAAA;EAoBM;EAAA,SAlBhB,iBAAA;EAkBuB;EAhBhC,oBAAA,GAAuB,UAAA,EAAY,KAAA,KAAU,eAAA;EAc7C;;;;;;;EANA,oBAAA,GAAuB,UAAA,EAAY,KAAA,KAAU,cAAA;AAAA;;KAInC,QAAA,4CAGF,MAAA,sBACL,OAAA,EAAS,QAAA,KAAa,OAAA,CAAQ,cAAA,CAAe,QAAA,EAAU,KAAA;AAG5D;AAAA,UAAiB,cAAA;EACf,OAAA,EAAS,QAAA;EACT,UAAA,EAAY,KAAA;AAAA;;;;;;;;AAWd;UAAiB,gBAAA,4CAGP,MAAA;EAAA,SAEC,QAAA,EAAU,QAAA,CAAS,QAAA,EAAU,QAAA,EAAU,KAAA;EAFxC;EAAA,SAIC,aAAA,WAAwB,QAAA;EAFK;EAAA,SAI7B,QAAA,EAAU,OAAA,CACjB,MAAA,CAAO,QAAA,gBAAwB,kBAAA,CAAmB,KAAA;AAAA;AAAA,UAIrC,sBAAA,kCAEP,MAAA;EAER,MAAA;EACA,eAAA,EAAiB,QAAA;EATgB;EAWjC,QAAA,EAAU,QAAA;EACV,iBAAA;EAb0B;EAe1B,UAAA,EAAY,KAAA;EAvBZ;EAyBA,OAAA,GAAU,eAAA;EAvBV;EAyBA,cAAA,GAAiB,cAAA;AAAA;AAAA,UAGF,yBAAA;EA1Ba;;;;;;;;EAmC5B,SAAA,IACE,OAAA,EAAS,eAAA,EACT,OAAA,EAAS,cAAA,OACN,OAAA,CAAQ,cAAA;AAAA;;;;AA7Bf;;;;;;;;;;iBA6CsB,gBAAA,4CAGZ,MAAA,kBAAA,CAER,IAAA,EAAM,gBAAA,CAAiB,QAAA,EAAU,QAAA,EAAU,KAAA,GAC3C,OAAA,EAAS,QAAA,EACT,SAAA,GAAW,yBAAA,GACV,OAAA,CAAQ,sBAAA,CAAuB,QAAA,EAAU,KAAA"}

package/dist/internals/verify-recover.js

@@ -0,0 +1,91 @@
+import { stripDenylist } from "./secret-denylist.js";
+//#region src/internals/verify-recover.ts
+/**
+* Run the verifier; classify the outcome; on failure, build the public
+* envelope + recovery options and (optionally) invoke the host's
+* `onFailure` callback for a user pick.
+*
+* Throws synchronously on:
+*   - Spec runtime-shape violations (missing verifier function, non-array
+*     successValues, non-object branches).
+*   - Verifier-returned shape violations (missing `outcome` key,
+*     non-string `outcome`, missing `diagnostic` key, non-object
+*     `diagnostic`).
+* Propagates any error the verifier itself throws.
+*/
+async function verifyAndRecover(spec, context, callbacks = {}) {
+	validateSpec(spec);
+	const verifierResult = await spec.verifier(context);
+	validateVerifierResult(verifierResult);
+	const diagnostic = stripDenylist(verifierResult.diagnostic);
+	const outcome = verifierResult.outcome;
+	if (spec.successValues.includes(outcome)) return {
+		result: "success",
+		verifierOutcome: outcome,
+		branchId: null,
+		journalActionTags: [],
+		diagnostic
+	};
+	const branch = selectBranch(spec.branches, outcome);
+	const failure = branch.buildFailureEnvelope(diagnostic);
+	const options = branch.buildRecoveryOptions(diagnostic);
+	if (options.length === 0 || callbacks.onFailure === void 0) return {
+		result: "failure",
+		verifierOutcome: outcome,
+		branchId: branch.branchId,
+		journalActionTags: branch.journalActionTags,
+		diagnostic,
+		failure
+	};
+	const recoveryChoice = await callbacks.onFailure(failure, options);
+	return {
+		result: "failure",
+		verifierOutcome: outcome,
+		branchId: branch.branchId,
+		journalActionTags: branch.journalActionTags,
+		diagnostic,
+		failure,
+		recoveryChoice
+	};
+}
+function validateSpec(spec) {
+	if (spec === null || typeof spec !== "object") throw new Error("verifyAndRecover: spec must be an object");
+	if (typeof spec.verifier !== "function") throw new Error("verifyAndRecover: spec.verifier must be a function");
+	if (!Array.isArray(spec.successValues)) throw new Error("verifyAndRecover: spec.successValues must be an array");
+	if (spec.branches === null || typeof spec.branches !== "object" || Array.isArray(spec.branches)) throw new Error("verifyAndRecover: spec.branches must be an object");
+}
+function validateVerifierResult(value) {
+	if (value === null || typeof value !== "object" || Array.isArray(value)) throw new Error("verifyAndRecover: verifier must return an object with shape { outcome, diagnostic }");
+	const r = value;
+	if (typeof r.outcome !== "string") throw new Error("verifyAndRecover: verifier result is missing the required \"outcome\" string field");
+	if (r.diagnostic === null || typeof r.diagnostic !== "object" || Array.isArray(r.diagnostic)) throw new Error("verifyAndRecover: verifier result is missing a \"diagnostic\" object field");
+}
+function selectBranch(branches, outcome) {
+	const named = branches[outcome];
+	if (named !== void 0) return named;
+	const other = branches.__other__;
+	if (other !== void 0) return other;
+	return synthesizeUnclassified(outcome);
+}
+/**
+* Fabricate the `unclassified` fallback when no named branch and no
+* `__other__` catch-all match. Mirrors the CJS behavior at line 222-232:
+* journal action tag is `verify-unclassified`; the recovery options list
+* is empty (inform-only); the failure envelope conveys the unrecognized
+* outcome verbatim in `reason`.
+*/
+function synthesizeUnclassified(outcome) {
+	return {
+		branchId: "unclassified",
+		journalActionTags: ["verify-unclassified"],
+		buildFailureEnvelope: () => ({
+			outcome: "failed",
+			reason: `Verifier returned outcome '${outcome}' — unrecognized; no branch matched.`
+		}),
+		buildRecoveryOptions: () => []
+	};
+}
+//#endregion
+export { verifyAndRecover };
+
+//# sourceMappingURL=verify-recover.js.map

package/dist/internals/verify-recover.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-recover.js","names":[],"sources":["../../src/internals/verify-recover.ts"],"sourcesContent":["import type {\n  FailureEnvelope,\n  RecoveryChoice,\n  RecoveryOption,\n} from '../types.js';\nimport { stripDenylist } from './secret-denylist.js';\n\n/**\n * In-process verify-and-recover driver. Uses an inline async verifier\n * function (L7: agent-core MUST NOT spawn subprocesses).\n *\n * Out of scope (subprocess-only concerns):\n *   - verifier-script path sanitization (no path; verifier is a function)\n *   - stdin-source indirection (verifier receives typed context)\n *   - argv interpolation (verifier closes over context)\n *   - `{{var}}` template interpolation on user_message (recovery options\n *     carry their own typed-diagnostic closures via `buildRecoveryOptions`)\n *   - `timeout` / `maxBuffer` operational caps (no subprocess; an optional\n *     AbortController-based timeout can be added per-verifier if needed)\n *   - `NODE_ENV` test-override env vars (none of the above need them)\n *\n * Keeps (in-process security still relevant):\n *   - `SECRET_KEY_DENYLIST` strip on the diagnostic before it reaches\n *     `buildFailureEnvelope` / `buildRecoveryOptions` / the host callback / the result.\n *   - Prototype-pollution guard on `__proto__` / `constructor` / `prototype`\n *     in the diagnostic walk (defense for verifier-output objects that\n *     could have come via `JSON.parse`).\n *   - Branch dispatch: `branches[outcome]` → `branches.__other__` →\n *     synthesized `unclassified` fallback (CJS calls it `'other'`; the TS\n *     port uses `'__other__'` to avoid collisions with a literal outcome\n *     string `'other'`).\n *\n * Branch IDs are an internal, closed-set string-literal union — they\n * identify branches for journal/logging purposes but are NOT part of the\n * public type contract (Option A from ENG-128). The public surface for\n * recovery is the frozen `RecoveryOption[]` array, materialized by each\n * branch's inline `buildRecoveryOptions(diag)` closure.\n */\n\n/** Closed-set internal branch identifier. Surfaces via journal/log only. */\nexport type BranchId =\n  | 'partial_success_domain'\n  | 'lease_terminal'\n  | 'domain_verification_mismatch'\n  | 'domain_not_found'\n  | 'pending_drift'\n  | 'unclassified';\n\n/**\n * Per-branch behavior contract. Authored inline at each high-level\n * function's call site (deployApp, manageDomain, etc.) so the closures\n * can bind diagnostic data into the surfaced label/description text.\n */\nexport interface VerificationBranch<TDiag = Record<string, unknown>> {\n  /** Internal id for journal write + log; not surfaced to host callbacks directly. */\n  readonly branchId: BranchId;\n  /** Pass-through tags for the ENG-124 journal `recovery_actions[]`. Empty when not journaling. */\n  readonly journalActionTags: readonly string[];\n  /** Synthesize the public `FailureEnvelope` (frozen contract) from the post-strip diagnostic. */\n  buildFailureEnvelope: (diagnostic: TDiag) => FailureEnvelope;\n  /**\n   * Materialize the `RecoveryOption[]` for the host's `onFailure` callback.\n   * Returning an empty array marks the branch as inform-only:\n   * `verifyAndRecover` will return the failure envelope without invoking\n   * `onFailure` so callers don't waste a user prompt asking what to do\n   * when there's nothing to choose between.\n   */\n  buildRecoveryOptions: (diagnostic: TDiag) => RecoveryOption[];\n}\n\n/** Verifier function — async; receives typed context; returns typed outcome + free-form diagnostic. */\nexport type Verifier<\n  TContext,\n  TOutcome extends string,\n  TDiag = Record<string, unknown>,\n> = (context: TContext) => Promise<VerifierResult<TOutcome, TDiag>>;\n\n/** Shape returned by every verifier. `outcome` drives branch selection; `diagnostic` flows into the branch's closures. */\nexport interface VerifierResult<TOutcome extends string, TDiag> {\n  outcome: TOutcome;\n  diagnostic: TDiag;\n}\n\n/**\n * Verification spec — declarative description of how to verify post-state\n * and dispatch to a recovery branch. Mirrors the CJS spec shape with\n * the subprocess-specific fields dropped.\n *\n * `__other__` is the catch-all branch key, equivalent to the CJS's `'other'`.\n * Renamed to avoid collisions with an outcome literally equal to `'other'`.\n */\nexport interface VerificationSpec<\n  TContext,\n  TOutcome extends string,\n  TDiag = Record<string, unknown>,\n> {\n  readonly verifier: Verifier<TContext, TOutcome, TDiag>;\n  /** Outcome values that count as success — no branch dispatch, host's `onFailure` is NOT called. */\n  readonly successValues: readonly TOutcome[];\n  /** Branch dictionary keyed by outcome string. `__other__` is the catch-all fallback. */\n  readonly branches: Partial<\n    Record<TOutcome | '__other__', VerificationBranch<TDiag>>\n  >;\n}\n\nexport interface VerifyAndRecoverResult<\n  TOutcome extends string,\n  TDiag = Record<string, unknown>,\n> {\n  result: 'success' | 'failure';\n  verifierOutcome: TOutcome;\n  /** `null` on success; the matched branch's id (or `'unclassified'`) on failure. */\n  branchId: BranchId | null;\n  journalActionTags: readonly string[];\n  /** Post-strip diagnostic. Same value the branch closures received. */\n  diagnostic: TDiag;\n  /** Present iff failure. The synthesized public-surface envelope. */\n  failure?: FailureEnvelope;\n  /** Present iff failure AND `onFailure` was called AND it returned (i.e., a non-empty `RecoveryOption[]` was presented). */\n  recoveryChoice?: RecoveryChoice;\n}\n\nexport interface VerifyAndRecoverCallbacks {\n  /**\n   * Rich-form failure handler used by `deployApp`. Receives the\n   * `FailureEnvelope` synthesized by the matched branch + the closure-\n   * built `RecoveryOption[]` and returns the user's pick.\n   *\n   * Simple-form callers (manageDomain / closeLease / troubleshoot) wrap\n   * via an adapter in PR 4 — they don't pass an `onFailure` here directly.\n   */\n  onFailure?: (\n    failure: FailureEnvelope,\n    options: RecoveryOption[],\n  ) => Promise<RecoveryChoice>;\n}\n\n/**\n * Run the verifier; classify the outcome; on failure, build the public\n * envelope + recovery options and (optionally) invoke the host's\n * `onFailure` callback for a user pick.\n *\n * Throws synchronously on:\n *   - Spec runtime-shape violations (missing verifier function, non-array\n *     successValues, non-object branches).\n *   - Verifier-returned shape violations (missing `outcome` key,\n *     non-string `outcome`, missing `diagnostic` key, non-object\n *     `diagnostic`).\n * Propagates any error the verifier itself throws.\n */\nexport async function verifyAndRecover<\n  TContext,\n  TOutcome extends string,\n  TDiag = Record<string, unknown>,\n>(\n  spec: VerificationSpec<TContext, TOutcome, TDiag>,\n  context: TContext,\n  callbacks: VerifyAndRecoverCallbacks = {},\n): Promise<VerifyAndRecoverResult<TOutcome, TDiag>> {\n  validateSpec(spec);\n\n  const verifierResult = await spec.verifier(context);\n  validateVerifierResult(verifierResult);\n\n  // Strip secret-shaped keys + prototype-pollution keys from the\n  // diagnostic BEFORE it flows into any branch closure, host callback,\n  // or the result object. The strip is the same posture `_journal.cjs`'s\n  // `validateRecord` enforces on the write side.\n  const diagnostic = stripDenylist(verifierResult.diagnostic) as TDiag;\n  const outcome = verifierResult.outcome;\n\n  const isSuccess = spec.successValues.includes(outcome);\n  if (isSuccess) {\n    return {\n      result: 'success',\n      verifierOutcome: outcome,\n      branchId: null,\n      journalActionTags: [],\n      diagnostic,\n    };\n  }\n\n  // Failure path: dispatch to named branch, `__other__` fallback, or\n  // synthesized `unclassified`.\n  const branch = selectBranch<TOutcome, TDiag>(spec.branches, outcome);\n  const failure = branch.buildFailureEnvelope(diagnostic);\n  const options = branch.buildRecoveryOptions(diagnostic);\n\n  // Inform-only branches (lease_terminal, unclassified) return [] for\n  // RecoveryOption[]. Surface the failure envelope without prompting\n  // the host — there's no choice to present.\n  if (options.length === 0 || callbacks.onFailure === undefined) {\n    return {\n      result: 'failure',\n      verifierOutcome: outcome,\n      branchId: branch.branchId,\n      journalActionTags: branch.journalActionTags,\n      diagnostic,\n      failure,\n    };\n  }\n\n  const recoveryChoice = await callbacks.onFailure(failure, options);\n  return {\n    result: 'failure',\n    verifierOutcome: outcome,\n    branchId: branch.branchId,\n    journalActionTags: branch.journalActionTags,\n    diagnostic,\n    failure,\n    recoveryChoice,\n  };\n}\n\nfunction validateSpec<TContext, TOutcome extends string, TDiag>(\n  spec: VerificationSpec<TContext, TOutcome, TDiag>,\n): void {\n  if (spec === null || typeof spec !== 'object') {\n    throw new Error('verifyAndRecover: spec must be an object');\n  }\n  if (typeof spec.verifier !== 'function') {\n    throw new Error('verifyAndRecover: spec.verifier must be a function');\n  }\n  if (!Array.isArray(spec.successValues)) {\n    throw new Error('verifyAndRecover: spec.successValues must be an array');\n  }\n  // `typeof null === 'object'` would otherwise let a `branches: null` value\n  // slip past a bare typeof check and silently route every failure through\n  // the synthesized `unclassified` branch. Explicit guard mirrors the\n  // CJS's null-check at line 256-263 of verify-recover.cjs.\n  if (\n    spec.branches === null ||\n    typeof spec.branches !== 'object' ||\n    Array.isArray(spec.branches)\n  ) {\n    throw new Error('verifyAndRecover: spec.branches must be an object');\n  }\n}\n\nfunction validateVerifierResult(\n  value: unknown,\n): asserts value is VerifierResult<string, unknown> {\n  if (value === null || typeof value !== 'object' || Array.isArray(value)) {\n    throw new Error(\n      'verifyAndRecover: verifier must return an object with shape { outcome, diagnostic }',\n    );\n  }\n  const r = value as { outcome?: unknown; diagnostic?: unknown };\n  if (typeof r.outcome !== 'string') {\n    throw new Error(\n      'verifyAndRecover: verifier result is missing the required \"outcome\" string field',\n    );\n  }\n  if (\n    r.diagnostic === null ||\n    typeof r.diagnostic !== 'object' ||\n    Array.isArray(r.diagnostic)\n  ) {\n    throw new Error(\n      'verifyAndRecover: verifier result is missing a \"diagnostic\" object field',\n    );\n  }\n}\n\nfunction selectBranch<TOutcome extends string, TDiag>(\n  branches: Partial<Record<TOutcome | '__other__', VerificationBranch<TDiag>>>,\n  outcome: TOutcome,\n): VerificationBranch<TDiag> {\n  const named = branches[outcome];\n  if (named !== undefined) return named;\n  const other = branches.__other__;\n  if (other !== undefined) return other;\n  return synthesizeUnclassified<TDiag>(outcome);\n}\n\n/**\n * Fabricate the `unclassified` fallback when no named branch and no\n * `__other__` catch-all match. Mirrors the CJS behavior at line 222-232:\n * journal action tag is `verify-unclassified`; the recovery options list\n * is empty (inform-only); the failure envelope conveys the unrecognized\n * outcome verbatim in `reason`.\n */\nfunction synthesizeUnclassified<TDiag>(\n  outcome: string,\n): VerificationBranch<TDiag> {\n  return {\n    branchId: 'unclassified',\n    journalActionTags: ['verify-unclassified'],\n    buildFailureEnvelope: () => ({\n      outcome: 'failed',\n      reason: `Verifier returned outcome '${outcome}' — unrecognized; no branch matched.`,\n    }),\n    buildRecoveryOptions: () => [],\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;AAsJA,eAAsB,iBAKpB,MACA,SACA,YAAuC,EAAE,EACS;AAClD,cAAa,KAAK;CAElB,MAAM,iBAAiB,MAAM,KAAK,SAAS,QAAQ;AACnD,wBAAuB,eAAe;CAMtC,MAAM,aAAa,cAAc,eAAe,WAAW;CAC3D,MAAM,UAAU,eAAe;AAG/B,KADkB,KAAK,cAAc,SAAS,QAAQ,CAEpD,QAAO;EACL,QAAQ;EACR,iBAAiB;EACjB,UAAU;EACV,mBAAmB,EAAE;EACrB;EACD;CAKH,MAAM,SAAS,aAA8B,KAAK,UAAU,QAAQ;CACpE,MAAM,UAAU,OAAO,qBAAqB,WAAW;CACvD,MAAM,UAAU,OAAO,qBAAqB,WAAW;AAKvD,KAAI,QAAQ,WAAW,KAAK,UAAU,cAAc,KAAA,EAClD,QAAO;EACL,QAAQ;EACR,iBAAiB;EACjB,UAAU,OAAO;EACjB,mBAAmB,OAAO;EAC1B;EACA;EACD;CAGH,MAAM,iBAAiB,MAAM,UAAU,UAAU,SAAS,QAAQ;AAClE,QAAO;EACL,QAAQ;EACR,iBAAiB;EACjB,UAAU,OAAO;EACjB,mBAAmB,OAAO;EAC1B;EACA;EACA;EACD;;AAGH,SAAS,aACP,MACM;AACN,KAAI,SAAS,QAAQ,OAAO,SAAS,SACnC,OAAM,IAAI,MAAM,2CAA2C;AAE7D,KAAI,OAAO,KAAK,aAAa,WAC3B,OAAM,IAAI,MAAM,qDAAqD;AAEvE,KAAI,CAAC,MAAM,QAAQ,KAAK,cAAc,CACpC,OAAM,IAAI,MAAM,wDAAwD;AAM1E,KACE,KAAK,aAAa,QAClB,OAAO,KAAK,aAAa,YACzB,MAAM,QAAQ,KAAK,SAAS,CAE5B,OAAM,IAAI,MAAM,oDAAoD;;AAIxE,SAAS,uBACP,OACkD;AAClD,KAAI,UAAU,QAAQ,OAAO,UAAU,YAAY,MAAM,QAAQ,MAAM,CACrE,OAAM,IAAI,MACR,sFACD;CAEH,MAAM,IAAI;AACV,KAAI,OAAO,EAAE,YAAY,SACvB,OAAM,IAAI,MACR,qFACD;AAEH,KACE,EAAE,eAAe,QACjB,OAAO,EAAE,eAAe,YACxB,MAAM,QAAQ,EAAE,WAAW,CAE3B,OAAM,IAAI,MACR,6EACD;;AAIL,SAAS,aACP,UACA,SAC2B;CAC3B,MAAM,QAAQ,SAAS;AACvB,KAAI,UAAU,KAAA,EAAW,QAAO;CAChC,MAAM,QAAQ,SAAS;AACvB,KAAI,UAAU,KAAA,EAAW,QAAO;AAChC,QAAO,uBAA8B,QAAQ;;;;;;;;;AAU/C,SAAS,uBACP,SAC2B;AAC3B,QAAO;EACL,UAAU;EACV,mBAAmB,CAAC,sBAAsB;EAC1C,6BAA6B;GAC3B,SAAS;GACT,QAAQ,8BAA8B,QAAQ;GAC/C;EACD,4BAA4B,EAAE;EAC/B"}

package/dist/manage-domain.d.ts

@@ -0,0 +1,36 @@
+import { ManageDomainArgs, ManageDomainCallbacks, ManageDomainOptions, ManageDomainResult } from "./types.js";
+
+//#region src/manage-domain.d.ts
+/**
+ * Set / clear / look up a lease item's custom domain.
+ *
+ * @throws `ManifestMCPError(INVALID_CONFIG)` for args validation or when
+ *   `onConfirm` returns `'no'`.
+ * @throws `ManifestMCPError` (typically `TX_FAILED`) propagated as-is
+ *   from the `setItemCustomDomain()` broadcast step in `set` / `clear`
+ *   paths. Broadcast errors do NOT invoke `onFailure` — that callback
+ *   is reserved for post-broadcast verification failures.
+ *   `setItemCustomDomain` already raises a structured `ManifestMCPError`
+ *   from the core package; wrapping it again at this layer would be
+ *   redundant. Callers wanting to react to broadcast errors should
+ *   catch them at the call site.
+ * @throws `ManifestMCPError(TX_FAILED)` when post-broadcast verification
+ *   reaches a `not_found` / `mismatch` outcome (after `onFailure` has
+ *   been invoked so the caller can react).
+ * @throws `ManifestMCPError(QUERY_FAILED)` when a chain query raises a
+ *   non-NotFound error (RPC / transport / decoding failure). Two paths
+ *   surface this:
+ *     - the `lookup` chain query (`lease_by_custom_domain`); the keeper's
+ *       `NotFound` on an unclaimed FQDN is surfaced as a typed
+ *       `{ lease: null }` result, not a throw.
+ *     - the post-broadcast verify chain query (`billing.v1.lease`) in
+ *       the `set` / `clear` paths (wrapped inside the verifier closure
+ *       so the failure flows through `onFailure({ reason })` before the
+ *       throw).
+ *   Structured `ManifestMCPError`s raised by the chain client are
+ *   re-thrown as-is (with `onFailure` invoked first).
+ */
+declare function manageDomain(args: ManageDomainArgs, callbacks: ManageDomainCallbacks, opts: ManageDomainOptions): Promise<ManageDomainResult>;
+//#endregion
+export { manageDomain };
+//# sourceMappingURL=manage-domain.d.ts.map

package/dist/manage-domain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manage-domain.d.ts","names":[],"sources":["../src/manage-domain.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAiHsB,YAAA,CACpB,IAAA,EAAM,gBAAA,EACN,SAAA,EAAW,qBAAA,EACX,IAAA,EAAM,mBAAA,GACL,OAAA,CAAQ,kBAAA"}