@mono-agent/agent-runtime 0.4.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (119) hide show
  1. package/ARCHITECTURE.md +37 -16
  2. package/MIGRATION.md +185 -7
  3. package/README.md +24 -14
  4. package/package.json +103 -10
  5. package/src/agent/allowlists.js +3 -0
  6. package/src/agent/approval.js +3 -0
  7. package/src/agent/compaction.js +244 -1
  8. package/src/agent/prompt/skill-index.js +6 -0
  9. package/src/agent/sandbox-seam.js +227 -0
  10. package/src/agent/tool-bloat.js +8 -2
  11. package/src/agent/tools/bash.js +16 -8
  12. package/src/agent/tools/edit.js +7 -3
  13. package/src/agent/tools/glob.js +11 -5
  14. package/src/agent/tools/grep.js +11 -5
  15. package/src/agent/tools/pi-bridge.js +227 -45
  16. package/src/agent/tools/read.js +28 -3
  17. package/src/agent/tools/shared/output-truncation.js +8 -3
  18. package/src/agent/tools/shared/path-resolver.js +24 -18
  19. package/src/agent/tools/shared/ripgrep.js +33 -6
  20. package/src/agent/tools/shared/runtime-context.js +60 -50
  21. package/src/agent/tools/shared/tool-context.js +157 -0
  22. package/src/agent/tools/web-fetch.js +21 -10
  23. package/src/agent/tools/web-search.js +11 -4
  24. package/src/agent/tools/write.js +7 -3
  25. package/src/agent/transcript.js +16 -1
  26. package/src/ai/cost.js +128 -3
  27. package/src/ai/failure.js +96 -4
  28. package/src/ai/live-input-prompt.js +11 -1
  29. package/src/ai/providers/claude-cli.js +2 -2
  30. package/src/ai/providers/claude-sdk.js +55 -12
  31. package/src/ai/providers/codex-app.js +36 -23
  32. package/src/ai/providers/opencode-app.js +2 -2
  33. package/src/ai/providers/opencode-discovery.js +2 -2
  34. package/src/ai/providers/pi-events.js +5 -0
  35. package/src/ai/providers/pi-models.js +21 -4
  36. package/src/ai/providers/pi-native/compaction-driver.js +394 -0
  37. package/src/ai/providers/pi-native/result-builder.js +312 -0
  38. package/src/ai/providers/pi-native/session-lifecycle.js +438 -0
  39. package/src/ai/providers/pi-native/stream-subscriber.js +148 -0
  40. package/src/ai/providers/pi-native/structured-output.js +130 -0
  41. package/src/ai/providers/pi-native/turn-runner.js +278 -0
  42. package/src/ai/providers/pi-native.js +415 -1106
  43. package/src/ai/runtime/model-refs.js +30 -0
  44. package/src/ai/runtime/registry.js +29 -0
  45. package/src/ai/runtime/router.js +96 -12
  46. package/src/ai/runtime/session-liveness.js +110 -0
  47. package/src/ai/runtime/sessions.js +16 -0
  48. package/src/ai/types.js +252 -19
  49. package/src/index.js +1 -1
  50. package/src/pi-auth.js +147 -16
  51. package/src/runtime-brand.js +21 -1
  52. package/src/runtime.js +72 -8
  53. package/types/agent/allowlists.d.ts +25 -0
  54. package/types/agent/approval.d.ts +30 -0
  55. package/types/agent/compaction.d.ts +97 -0
  56. package/types/agent/index.d.ts +5 -0
  57. package/types/agent/prompt/skill-index.d.ts +19 -0
  58. package/types/agent/sandbox-seam.d.ts +148 -0
  59. package/types/agent/tool-bloat.d.ts +22 -0
  60. package/types/agent/tools/bash.d.ts +16 -0
  61. package/types/agent/tools/edit.d.ts +14 -0
  62. package/types/agent/tools/glob.d.ts +16 -0
  63. package/types/agent/tools/grep.d.ts +22 -0
  64. package/types/agent/tools/index.d.ts +10 -0
  65. package/types/agent/tools/pi-bridge.d.ts +144 -0
  66. package/types/agent/tools/read.d.ts +19 -0
  67. package/types/agent/tools/shared/constants.d.ts +13 -0
  68. package/types/agent/tools/shared/dedup.d.ts +8 -0
  69. package/types/agent/tools/shared/output-truncation.d.ts +22 -0
  70. package/types/agent/tools/shared/path-resolver.d.ts +6 -0
  71. package/types/agent/tools/shared/ripgrep.d.ts +38 -0
  72. package/types/agent/tools/shared/runtime-context.d.ts +27 -0
  73. package/types/agent/tools/shared/tool-context.d.ts +48 -0
  74. package/types/agent/tools/web-fetch.d.ts +13 -0
  75. package/types/agent/tools/web-search.d.ts +11 -0
  76. package/types/agent/tools/write.d.ts +12 -0
  77. package/types/agent/transcript.d.ts +45 -0
  78. package/types/ai/backend.d.ts +41 -0
  79. package/types/ai/cost.d.ts +96 -0
  80. package/types/ai/failure.d.ts +117 -0
  81. package/types/ai/file-change-stats.d.ts +75 -0
  82. package/types/ai/index.d.ts +7 -0
  83. package/types/ai/live-input-prompt.d.ts +6 -0
  84. package/types/ai/observer.d.ts +68 -0
  85. package/types/ai/providers/claude-cli.d.ts +211 -0
  86. package/types/ai/providers/claude-sdk.d.ts +66 -0
  87. package/types/ai/providers/claude-subagents.d.ts +2 -0
  88. package/types/ai/providers/codex-app.d.ts +151 -0
  89. package/types/ai/providers/opencode-app.d.ts +95 -0
  90. package/types/ai/providers/opencode-discovery.d.ts +4 -0
  91. package/types/ai/providers/pi-errors.d.ts +3 -0
  92. package/types/ai/providers/pi-events.d.ts +24 -0
  93. package/types/ai/providers/pi-messages.d.ts +5 -0
  94. package/types/ai/providers/pi-models.d.ts +57 -0
  95. package/types/ai/providers/pi-native/compaction-driver.d.ts +86 -0
  96. package/types/ai/providers/pi-native/result-builder.d.ts +168 -0
  97. package/types/ai/providers/pi-native/session-lifecycle.d.ts +62 -0
  98. package/types/ai/providers/pi-native/stream-subscriber.d.ts +50 -0
  99. package/types/ai/providers/pi-native/structured-output.d.ts +69 -0
  100. package/types/ai/providers/pi-native/turn-runner.d.ts +60 -0
  101. package/types/ai/providers/pi-native.d.ts +18 -0
  102. package/types/ai/registry.d.ts +1 -0
  103. package/types/ai/runtime/capabilities-used.d.ts +21 -0
  104. package/types/ai/runtime/capabilities.d.ts +33 -0
  105. package/types/ai/runtime/context-windows.d.ts +8 -0
  106. package/types/ai/runtime/fast-mode.d.ts +2 -0
  107. package/types/ai/runtime/model-refs.d.ts +35 -0
  108. package/types/ai/runtime/registry.d.ts +38 -0
  109. package/types/ai/runtime/router.d.ts +56 -0
  110. package/types/ai/runtime/session-liveness.d.ts +55 -0
  111. package/types/ai/runtime/sessions.d.ts +38 -0
  112. package/types/ai/streaming/codex-events.d.ts +30 -0
  113. package/types/ai/streaming/opencode-events.d.ts +41 -0
  114. package/types/ai/types.d.ts +702 -0
  115. package/types/index.d.ts +7 -0
  116. package/types/pi-auth.d.ts +28 -0
  117. package/types/runtime-brand.d.ts +30 -0
  118. package/types/runtime.d.ts +10 -0
  119. package/src/ai/providers/pi-sdk.js +0 -35
package/src/runtime.js CHANGED
@@ -1,8 +1,10 @@
1
1
  // Top-level runtime factory.
2
2
  //
3
3
  // `createRuntime(host)` is the ergonomic entry point for hosts. It binds the
4
- // host integration callbacks (pricing, persistence, credentials), configures
5
- // the module-level tool runtime, and returns a `.run(systemPrompt, options)`
4
+ // host integration callbacks (pricing, persistence, credentials), builds a
5
+ // per-instance `ToolContext` (agent/tools/shared/tool-context.js) that this
6
+ // runtime instance threads to every bridge call via `options.toolContext`
7
+ // instead of a process-global, and returns a `.run(systemPrompt, options)`
6
8
  // method that resolves the right provider bridge based on `options.model` +
7
9
  // `options.executionMode`.
8
10
  //
@@ -24,12 +26,22 @@
24
26
  // a product-specific result object,
25
27
  // task envelopes, etc.) parse it themselves.
26
28
 
29
+ // @ts-check
30
+
27
31
  import { resolveRuntimeBridge } from "./ai/runtime/registry.js";
28
32
  import { createObserverHub } from "./ai/observer.js";
29
33
  import { disposeAllProviderSessions, disposeProviderSession } from "./ai/runtime/sessions.js";
30
- import { configureToolRuntime } from "./agent/tools/shared/runtime-context.js";
34
+ import { createToolContext, updateToolContext } from "./agent/tools/shared/tool-context.js";
31
35
  import { resolveRuntimeBrand } from "./runtime-brand.js";
32
36
 
37
+ /**
38
+ * @typedef {import('./ai/types.js').AgentRuntimeHostOptions} AgentRuntimeHostOptions
39
+ * @typedef {import('./ai/types.js').AgentRuntimeToolOptions} AgentRuntimeToolOptions
40
+ * @typedef {import('./ai/types.js').AgentRuntimeInstance} AgentRuntimeInstance
41
+ * @typedef {import('./ai/types.js').RuntimeRunOptions} RuntimeRunOptions
42
+ * @typedef {import('./ai/types.js').RuntimeResult} RuntimeResult
43
+ */
44
+
33
45
  const HOST_KEYS = [
34
46
  "resolveCustomPricing",
35
47
  "resolvePiApiKey",
@@ -48,8 +60,15 @@ const TOOL_RUNTIME_KEYS = [
48
60
  "ripgrepPath",
49
61
  "qaOutputDir",
50
62
  "sandboxPolicy",
63
+ "sandboxEngine",
64
+ "sandbox",
51
65
  ];
52
66
 
67
+ /**
68
+ * @param {Object<string, *>} source
69
+ * @param {Array<string>} keys
70
+ * @returns {Object<string, *>}
71
+ */
53
72
  function pickDefined(source, keys) {
54
73
  const out = {};
55
74
  for (const key of keys) {
@@ -58,17 +77,53 @@ function pickDefined(source, keys) {
58
77
  return out;
59
78
  }
60
79
 
80
+ const PROMPT_OVERRIDE_KEYS = ["structuredOutputInstruction", "structuredOutputFinalization", "liveInputGuidance"];
81
+
82
+ /**
83
+ * Per-field merge of the prompt overrides: a run-level override wins over the
84
+ * host-level default wins over the bridge's built-in default (an absent field
85
+ * leaves the bridge on its built-in string). Kept out of the `...hostDefaults,
86
+ * ...options` spread so a run that overrides ONE prompt does not drop the host's
87
+ * other prompt defaults (an object-replacing spread would).
88
+ * @param {import('./ai/types.js').RuntimePromptOverrides} [hostPrompts]
89
+ * @param {import('./ai/types.js').RuntimePromptOverrides} [runPrompts]
90
+ * @returns {import('./ai/types.js').RuntimePromptOverrides|undefined}
91
+ */
92
+ function resolvePrompts(hostPrompts, runPrompts) {
93
+ if (!hostPrompts && !runPrompts) return undefined;
94
+ /** @type {Record<string, *>} */
95
+ const merged = {};
96
+ for (const key of PROMPT_OVERRIDE_KEYS) {
97
+ const value = /** @type {any} */ (runPrompts)?.[key] ?? /** @type {any} */ (hostPrompts)?.[key];
98
+ if (value !== undefined) merged[key] = value;
99
+ }
100
+ return merged;
101
+ }
102
+
103
+ /**
104
+ * @param {AgentRuntimeHostOptions} [host]
105
+ * @returns {AgentRuntimeInstance}
106
+ */
61
107
  export function createRuntime(host = {}) {
62
108
  const hostDefaults = pickDefined(host, HOST_KEYS);
63
109
  const toolRuntime = pickDefined(host, TOOL_RUNTIME_KEYS);
64
110
  const runtimeBrand = resolveRuntimeBrand(host.runtimeBrand);
65
111
  const hostObservers = Array.isArray(host.observers) ? host.observers.slice() : [];
66
- // Always configure: even when no tool keys are supplied, we must publish
67
- // the resolved brand so internal modules (transcript, pi-bridge, ripgrep
68
- // error message) pick it up.
69
- configureToolRuntime({ ...toolRuntime, runtimeBrand });
112
+ // Per-instance tool context, built once and threaded to every bridge via
113
+ // `options.toolContext` (below). It replaces the former global side effect:
114
+ // two runtimes in one process now keep independent workspace/brand/sandbox
115
+ // config instead of clobbering a shared singleton. `configureTools` mutates
116
+ // THIS object so later runs of this instance observe the update.
117
+ const toolContext = createToolContext({ ...toolRuntime, runtimeBrand });
70
118
 
71
119
  return {
120
+ /**
121
+ * @param {string} systemPrompt
122
+ * @param {Partial<RuntimeRunOptions>} [options] Optional only so the
123
+ * `options.model` guard below can throw a descriptive error; every
124
+ * real caller must supply a model (see AgentRuntimeInstance.run).
125
+ * @returns {Promise<RuntimeResult>}
126
+ */
72
127
  async run(systemPrompt, options = {}) {
73
128
  if (!options.model) throw new Error("createRuntime.run requires options.model");
74
129
  const executionMode = typeof options.executionMode === "string" ? options.executionMode : "sdk";
@@ -81,19 +136,28 @@ export function createRuntime(host = {}) {
81
136
  observers: [...hostObservers, ...callObservers],
82
137
  onEvent: options.onEvent,
83
138
  });
139
+ const prompts = resolvePrompts(host.prompts, options.prompts);
84
140
  const result = await bridge.execute(systemPrompt, {
85
141
  ...hostDefaults,
86
142
  ...options,
143
+ // `...options` alone doesn't carry the `options.model` narrowing above
144
+ // (spread reads the parameter's declared — Partial — type); re-assert
145
+ // the already-validated model so the request satisfies RuntimeRequest.
146
+ model: options.model,
87
147
  executionMode,
88
148
  runtimeBrand,
149
+ toolContext,
89
150
  observerHub: hub,
90
151
  onEvent: hub.emit,
152
+ // Merged AFTER the spreads so the per-field run>host>default precedence
153
+ // wins over either bag's whole-object `prompts`.
154
+ ...(prompts === undefined ? {} : { prompts }),
91
155
  });
92
156
  await hub.flush();
93
157
  return result;
94
158
  },
95
159
  configureTools(next = {}) {
96
- configureToolRuntime(pickDefined(next, TOOL_RUNTIME_KEYS));
160
+ updateToolContext(toolContext, pickDefined(next, TOOL_RUNTIME_KEYS));
97
161
  },
98
162
  async disposeSession(providerSessionId) {
99
163
  return disposeProviderSession(providerSessionId);
@@ -0,0 +1,25 @@
1
+ export function normalizeList(value: any): any[];
2
+ export function normalizeAllowlistMode(value: any): any;
3
+ export function storedAllowlistMode(value: any): "all" | "custom";
4
+ export function parseStoredAllowlist(value: any): any[];
5
+ /**
6
+ * @param {{mode?: string, list?: any, fallback?: string}} [options]
7
+ */
8
+ export function inferAllowlistMode({ mode, list, fallback }?: {
9
+ mode?: string;
10
+ list?: any;
11
+ fallback?: string;
12
+ }): any;
13
+ export function resolveAllowlist({ mode, allowlist, all, getName }: {
14
+ mode: any;
15
+ allowlist: any;
16
+ all: any;
17
+ getName?: (item: any) => any;
18
+ }): any;
19
+ export function resolveAllowlistMap({ mode, allowlist, all }: {
20
+ mode: any;
21
+ allowlist: any;
22
+ all: any;
23
+ }): any;
24
+ export const ALLOWLIST_MODE_ALL: "all";
25
+ export const ALLOWLIST_MODE_CUSTOM: "custom";
@@ -0,0 +1,30 @@
1
+ /**
2
+ * @param {{onToolApprovalRequest?: any, defaultRiskTier?: string, timeoutMs?: number, onEvent?: (event: any) => void, riskTiersByTool?: any, alwaysAllowTools?: any}} [options]
3
+ */
4
+ export function createApprovalManager({ onToolApprovalRequest, defaultRiskTier, timeoutMs, onEvent, riskTiersByTool, alwaysAllowTools, }?: {
5
+ onToolApprovalRequest?: any;
6
+ defaultRiskTier?: string;
7
+ timeoutMs?: number;
8
+ onEvent?: (event: any) => void;
9
+ riskTiersByTool?: any;
10
+ alwaysAllowTools?: any;
11
+ }): {
12
+ request: (toolCall?: {}) => Promise<{
13
+ decision: string;
14
+ reason: string;
15
+ riskTier: any;
16
+ } | {
17
+ requestId: any;
18
+ riskTier: any;
19
+ decision: any;
20
+ reason: any;
21
+ }>;
22
+ riskTierFor: (toolName: any) => any;
23
+ sessionAllowlist: () => Set<any>;
24
+ isAlwaysAllowed: (toolName: any) => boolean;
25
+ };
26
+ export function wrapToolsWithApprovalGate(tools: any, approvalManager: any, { model }?: {
27
+ model?: any;
28
+ }): any[];
29
+ export const APPROVAL_DECISIONS: readonly string[];
30
+ export const RISK_TIERS: readonly string[];
@@ -0,0 +1,97 @@
1
+ /**
2
+ * @param {Object<string, *>} [settings]
3
+ * @param {Object} [model]
4
+ * @param {number} [model.contextWindow]
5
+ * @returns {AgentCompactionPolicy}
6
+ */
7
+ export function resolveAgentCompactionPolicy(settings?: {
8
+ [x: string]: any;
9
+ }, model?: {
10
+ contextWindow?: number;
11
+ }): AgentCompactionPolicy;
12
+ /**
13
+ * Fold the typed `toolLimits` / `compaction` policy objects and the deprecated
14
+ * `settings` bag into ONE settings-like object resolveAgentCompactionPolicy
15
+ * consumes, honoring PER-GROUP precedence: when a typed object is present its
16
+ * fields win and the legacy settings keys for that group are ignored entirely;
17
+ * when the typed object is absent, that group's settings keys are consumed (and
18
+ * reported in `consumedSettingsKeys` so the caller can emit exactly one
19
+ * deprecation warning per run).
20
+ * @param {{toolLimits?: Object<string, *>, compaction?: Object<string, *>, settings?: Object<string, *>}} [options]
21
+ * @returns {{settingsLike: Object<string, *>, consumedSettingsKeys: Array<string>}}
22
+ */
23
+ export function resolveRuntimePolicyInputs({ toolLimits, compaction, settings }?: {
24
+ toolLimits?: {
25
+ [x: string]: any;
26
+ };
27
+ compaction?: {
28
+ [x: string]: any;
29
+ };
30
+ settings?: {
31
+ [x: string]: any;
32
+ };
33
+ }): {
34
+ settingsLike: {
35
+ [x: string]: any;
36
+ };
37
+ consumedSettingsKeys: Array<string>;
38
+ };
39
+ /**
40
+ * Build the one-per-run deprecation warning fired when the legacy `settings`
41
+ * bag was consumed as a policy fallback. Shape matches the other pi/claude
42
+ * bridge runtime warnings ({warning_kind, source, message}).
43
+ * @param {ReadonlyArray<string>} consumedKeys
44
+ * @returns {{warning_kind: string, source: string, message: string, settings_keys: Array<string>}}
45
+ */
46
+ export function deprecatedSettingsWarning(consumedKeys: ReadonlyArray<string>): {
47
+ warning_kind: string;
48
+ source: string;
49
+ message: string;
50
+ settings_keys: Array<string>;
51
+ };
52
+ /**
53
+ * @param {Object} [options]
54
+ * @param {string} [options.systemPrompt]
55
+ * @param {Array<Object>} [options.tools]
56
+ * @param {Array<Object>} [options.messages]
57
+ * @returns {{systemPromptTokens: number, toolSchemaTokens: number, userMessageTokens: number, fixedOverheadTokens: number}}
58
+ */
59
+ export function estimateFixedOverheadTokens({ systemPrompt, tools, messages }?: {
60
+ systemPrompt?: string;
61
+ tools?: Array<any>;
62
+ messages?: Array<any>;
63
+ }): {
64
+ systemPromptTokens: number;
65
+ toolSchemaTokens: number;
66
+ userMessageTokens: number;
67
+ fixedOverheadTokens: number;
68
+ };
69
+ /**
70
+ * @param {string} message
71
+ * @param {Object<string, *>} [diagnostics]
72
+ * @returns {boolean}
73
+ */
74
+ export function isLikelyContextTermination(message: string, diagnostics?: {
75
+ [x: string]: any;
76
+ }): boolean;
77
+ export const DEPRECATED_SETTINGS_WARNING_KIND: "deprecated_settings_option";
78
+ export type AgentCompactionPolicy = {
79
+ enabled: boolean;
80
+ contextWindow: number;
81
+ triggerRatio: number;
82
+ triggerTokens: number;
83
+ keepRecentTokens: number;
84
+ summaryMaxTokens: number;
85
+ fixedOverheadEnabled: boolean;
86
+ compactionMinSavingsTokens: number;
87
+ toolPayloadCompactionTriggerChars: number;
88
+ toolPruneTriggerTokens: number;
89
+ toolTextLimitChars: number;
90
+ bashOutputLimitChars: number;
91
+ mcpTextLimitChars: number;
92
+ searchResultLimit: number;
93
+ imageInlineMaxBytes: number;
94
+ toolPayloadMaxBytes: number;
95
+ mcpCallTimeoutMs: number;
96
+ mcpCallMaxTotalTimeoutMs: number;
97
+ };
@@ -0,0 +1,5 @@
1
+ export { isLikelyContextTermination, resolveAgentCompactionPolicy } from "./compaction.js";
2
+ export { buildTranscriptTailSnapshot, renderResumeSnapshot } from "./transcript.js";
3
+ export { ALLOWLIST_MODE_ALL, ALLOWLIST_MODE_CUSTOM, inferAllowlistMode, normalizeAllowlistMode, normalizeList, parseStoredAllowlist, resolveAllowlist, resolveAllowlistMap, storedAllowlistMode } from "./allowlists.js";
4
+ export { APPROVAL_DECISIONS, RISK_TIERS, createApprovalManager, wrapToolsWithApprovalGate } from "./approval.js";
5
+ export { BINARY_BLOAT_TOOLS, DEFAULT_TOOL_BLOAT_CONFIG, MAX_TOOL_RESULT_BYTES } from "./tool-bloat.js";
@@ -0,0 +1,19 @@
1
+ export function inferSkillsRoot(skills?: any[]): string;
2
+ export function getSkillAccessDirs(skills?: any[]): string[];
3
+ /**
4
+ * @param {{assetsPath?: string, skillsRoot?: any}} [options]
5
+ */
6
+ export function buildSkillPathNote({ assetsPath, skillsRoot }?: {
7
+ assetsPath?: string;
8
+ skillsRoot?: any;
9
+ }): string;
10
+ /**
11
+ * @param {{body?: string, assetsPath?: string, skillsRoot?: any, maxChars?: number}} [options]
12
+ */
13
+ export function formatSkillBodyWithPathNote({ body, assetsPath, skillsRoot, maxChars }?: {
14
+ body?: string;
15
+ assetsPath?: string;
16
+ skillsRoot?: any;
17
+ maxChars?: number;
18
+ }): string;
19
+ export function buildSkillIndex(skills: any): string;
@@ -0,0 +1,148 @@
1
+ /** @type {RuntimeSandbox} */
2
+ export const passthroughSandbox: RuntimeSandbox;
3
+ export type SandboxCommandSpec = {
4
+ command: string;
5
+ args?: ReadonlyArray<string>;
6
+ cwd?: string;
7
+ env?: {
8
+ [x: string]: string;
9
+ };
10
+ };
11
+ export type PreparedSandboxCommand = SandboxCommandSpec & {
12
+ sandboxed: boolean;
13
+ cleanup?: () => Promise<void>;
14
+ };
15
+ export type SandboxNetworkPolicyLike = {
16
+ mode?: string;
17
+ allowlist?: ReadonlyArray<string>;
18
+ };
19
+ /**
20
+ * Opaque, host-defined sandbox policy. The kernel itself only ever inspects
21
+ * `mode` (passthroughSandbox's fail-closed check) and `network.mode`
22
+ * (passthroughSandbox's networkAllowsUrl) — every other field (root,
23
+ * readableRoots, writableRoots, denyWrite, ...) is read directly off whatever
24
+ * the injected `mergePolicies` returns by path-resolver.js, and is opaque
25
+ * pass-through data as far as this module is concerned. Real hosts get the
26
+ * full, richly-typed policy from
27
+ */
28
+ export type SandboxPolicy = any;
29
+ /**
30
+ * Optional concrete sandboxing backend a caller can hand to `prepareCommand`
31
+ * (matches
32
+ */
33
+ export type RuntimeSandboxEngine = any;
34
+ export type PrepareSandboxedCommandInput = {
35
+ policy?: SandboxPolicy;
36
+ engine?: RuntimeSandboxEngine;
37
+ command: SandboxCommandSpec;
38
+ };
39
+ /**
40
+ * The injectable sandbox seam. A host constructs one (or reuses
41
+ * `passthroughSandbox`) and passes it to `createRuntime({sandbox})`.
42
+ */
43
+ export type RuntimeSandbox = {
44
+ /**
45
+ * Monotonic tighten-only merge (I13): the result must never allow anything
46
+ * `configured` alone would have denied.
47
+ */
48
+ mergePolicies: (configured: (SandboxPolicy | undefined), request: (SandboxPolicy | undefined)) => (SandboxPolicy | undefined);
49
+ /**
50
+ * Resolves a command spec into whatever the underlying process spawner
51
+ * should actually exec (identity when no enforcement is needed).
52
+ */
53
+ prepareCommand: (input: PrepareSandboxedCommandInput) => Promise<PreparedSandboxCommand>;
54
+ /**
55
+ * Whether a tool call to `url` is allowed under `policy`.
56
+ */
57
+ networkAllowsUrl: (policy: (SandboxPolicy | undefined), url: string) => boolean;
58
+ /**
59
+ * Optional host-provided extra read-allowed roots beyond the tool
60
+ * context's workspace/repoRoot. Not consumed by any kernel helper today;
61
+ * documented for forward-compatibility with host-side path resolution.
62
+ */
63
+ additionalReadPaths?: ReadonlyArray<string>;
64
+ };
65
+ /**
66
+ * Plain Error with a `.code`/`.details` shape matching the workspace's
67
+ * CodedError convention (code discriminant + details that echo it, see the
68
+ * agent-contracts package's CodedError) — duplicated here rather than
69
+ * imported, since the kernel must not depend on any workspace package.
70
+ */
71
+ export class SandboxUnavailableError extends Error {
72
+ /**
73
+ * @param {string} message
74
+ * @param {Record<string, unknown>} [details]
75
+ */
76
+ constructor(message: string, details?: Record<string, unknown>);
77
+ code: string;
78
+ details: {
79
+ code: string;
80
+ };
81
+ }
82
+ /**
83
+ * @typedef {Object} SandboxCommandSpec
84
+ * @property {string} command
85
+ * @property {ReadonlyArray<string>} [args]
86
+ * @property {string} [cwd]
87
+ * @property {Object<string, string|undefined>} [env]
88
+ */
89
+ /**
90
+ * @typedef {SandboxCommandSpec & {sandboxed: boolean, cleanup?: () => Promise<void>}} PreparedSandboxCommand
91
+ */
92
+ /**
93
+ * @typedef {Object} SandboxNetworkPolicyLike
94
+ * @property {string} [mode]
95
+ * @property {ReadonlyArray<string>} [allowlist]
96
+ */
97
+ /**
98
+ * @typedef {Object} SandboxPolicy
99
+ * Opaque, host-defined sandbox policy. The kernel itself only ever inspects
100
+ * `mode` (passthroughSandbox's fail-closed check) and `network.mode`
101
+ * (passthroughSandbox's networkAllowsUrl) — every other field (root,
102
+ * readableRoots, writableRoots, denyWrite, ...) is read directly off whatever
103
+ * the injected `mergePolicies` returns by path-resolver.js, and is opaque
104
+ * pass-through data as far as this module is concerned. Real hosts get the
105
+ * full, richly-typed policy from @mono-agent/runtime-adapter
106
+ * (`packages/runtime-adapter/src/sandbox.ts`), whose `SandboxPolicy` is a
107
+ * structural superset of this shape.
108
+ * @property {string} [mode]
109
+ * @property {SandboxNetworkPolicyLike} [network]
110
+ * @property {ReadonlyArray<string>} [readableRoots]
111
+ * @property {ReadonlyArray<string>} [writableRoots]
112
+ * @property {ReadonlyArray<string>} [denyWrite]
113
+ * @property {string} [root]
114
+ */
115
+ /**
116
+ * @typedef {Object} RuntimeSandboxEngine
117
+ * Optional concrete sandboxing backend a caller can hand to `prepareCommand`
118
+ * (matches @mono-agent/runtime-adapter's `SandboxEngine`). Not used by
119
+ * `passthroughSandbox` (see module doc: adapters live in runtime-adapter, not
120
+ * the kernel) — documented here only because it is part of the
121
+ * `prepareCommand` input shape real implementations accept.
122
+ * @property {() => Promise<boolean>} isAvailable
123
+ * @property {(command: SandboxCommandSpec, policy: SandboxPolicy) => Promise<PreparedSandboxCommand>} prepareCommand
124
+ */
125
+ /**
126
+ * @typedef {Object} PrepareSandboxedCommandInput
127
+ * @property {SandboxPolicy} [policy]
128
+ * @property {RuntimeSandboxEngine} [engine]
129
+ * @property {SandboxCommandSpec} command
130
+ */
131
+ /**
132
+ * @typedef {Object} RuntimeSandbox
133
+ * The injectable sandbox seam. A host constructs one (or reuses
134
+ * `passthroughSandbox`) and passes it to `createRuntime({sandbox})`.
135
+ * @property {(configured: (SandboxPolicy|undefined), request: (SandboxPolicy|undefined)) => (SandboxPolicy|undefined)} mergePolicies
136
+ * Monotonic tighten-only merge (I13): the result must never allow anything
137
+ * `configured` alone would have denied.
138
+ * @property {(input: PrepareSandboxedCommandInput) => Promise<PreparedSandboxCommand>} prepareCommand
139
+ * Resolves a command spec into whatever the underlying process spawner
140
+ * should actually exec (identity when no enforcement is needed).
141
+ * @property {(policy: (SandboxPolicy|undefined), url: string) => boolean} networkAllowsUrl
142
+ * Whether a tool call to `url` is allowed under `policy`.
143
+ * @property {ReadonlyArray<string>} [additionalReadPaths]
144
+ * Optional host-provided extra read-allowed roots beyond the tool
145
+ * context's workspace/repoRoot. Not consumed by any kernel helper today;
146
+ * documented for forward-compatibility with host-side path resolution.
147
+ */
148
+ export const SANDBOX_UNAVAILABLE_CODE: "sandbox_unavailable";
@@ -0,0 +1,22 @@
1
+ export function summarisePayload(toolName: any, contentBlocks: any, persistArtifact: any, options?: {}): {
2
+ rewrittenBlocks: any[];
3
+ savedPaths: any[];
4
+ originalBytes: any;
5
+ truncated: boolean;
6
+ } | {
7
+ rewrittenBlocks: {
8
+ type: string;
9
+ text: string;
10
+ }[];
11
+ savedPaths: any[];
12
+ originalBytes: any;
13
+ truncated: boolean;
14
+ };
15
+ export function applyToolBloatGuard(toolName: any, executePromise: any, options?: {}): Promise<any>;
16
+ export function wrapToolsWithBloatGuard(tools: any, options?: {}): any[];
17
+ export const MAX_TOOL_RESULT_BYTES: 262144;
18
+ export const BINARY_BLOAT_TOOLS: readonly string[];
19
+ export const DEFAULT_TOOL_BLOAT_CONFIG: Readonly<{
20
+ maxBytes: 262144;
21
+ binaryBloatTools: readonly string[];
22
+ }>;
@@ -0,0 +1,16 @@
1
+ export function normalizeBashTimeoutMs(value: any, fallback?: number): number;
2
+ /**
3
+ * @param {{command: string, timeout?: number, max_output_chars?: number, workdir?: string}} params
4
+ * @param {{signal?: any, sandboxPolicy?: any, sandboxEngine?: any, ctx?: any}} [options]
5
+ */
6
+ export function bashToolImpl({ command, timeout, max_output_chars, workdir }: {
7
+ command: string;
8
+ timeout?: number;
9
+ max_output_chars?: number;
10
+ workdir?: string;
11
+ }, { signal, sandboxPolicy, sandboxEngine, ctx }?: {
12
+ signal?: any;
13
+ sandboxPolicy?: any;
14
+ sandboxEngine?: any;
15
+ ctx?: any;
16
+ }): Promise<string>;
@@ -0,0 +1,14 @@
1
+ /**
2
+ * @param {{file_path: string, old_string: string, new_string: string, replace_all?: boolean, workdir?: string}} params
3
+ * @param {{sandboxPolicy?: any, ctx?: any}} [options]
4
+ */
5
+ export function editToolImpl({ file_path, old_string, new_string, replace_all, workdir }: {
6
+ file_path: string;
7
+ old_string: string;
8
+ new_string: string;
9
+ replace_all?: boolean;
10
+ workdir?: string;
11
+ }, { sandboxPolicy, ctx }?: {
12
+ sandboxPolicy?: any;
13
+ ctx?: any;
14
+ }): Promise<string>;
@@ -0,0 +1,16 @@
1
+ /**
2
+ * @param {{pattern: string, path?: string, limit?: number, offset?: number, max_matches?: number, max_output_chars?: number, workdir?: string}} params
3
+ * @param {{sandboxPolicy?: any, ctx?: any}} [options]
4
+ */
5
+ export function globToolImpl({ pattern, path, limit, offset, max_matches, max_output_chars, workdir }: {
6
+ pattern: string;
7
+ path?: string;
8
+ limit?: number;
9
+ offset?: number;
10
+ max_matches?: number;
11
+ max_output_chars?: number;
12
+ workdir?: string;
13
+ }, { sandboxPolicy, ctx }?: {
14
+ sandboxPolicy?: any;
15
+ ctx?: any;
16
+ }): Promise<string>;
@@ -0,0 +1,22 @@
1
+ /**
2
+ * @param {{pattern: string, path?: string, glob?: string, type?: string, output_mode?: string, context?: number, case_insensitive?: boolean, multiline?: boolean, head_limit?: number, offset?: number, max_matches?: number, max_output_chars?: number, workdir?: string}} params
3
+ * @param {{sandboxPolicy?: any, ctx?: any}} [options]
4
+ */
5
+ export function grepToolImpl({ pattern, path, glob, type, output_mode, context, case_insensitive, multiline, head_limit, offset, max_matches, max_output_chars, workdir, }: {
6
+ pattern: string;
7
+ path?: string;
8
+ glob?: string;
9
+ type?: string;
10
+ output_mode?: string;
11
+ context?: number;
12
+ case_insensitive?: boolean;
13
+ multiline?: boolean;
14
+ head_limit?: number;
15
+ offset?: number;
16
+ max_matches?: number;
17
+ max_output_chars?: number;
18
+ workdir?: string;
19
+ }, { sandboxPolicy, ctx }?: {
20
+ sandboxPolicy?: any;
21
+ ctx?: any;
22
+ }): Promise<string>;
@@ -0,0 +1,10 @@
1
+ export { readToolImpl } from "./read.js";
2
+ export { writeToolImpl } from "./write.js";
3
+ export { editToolImpl } from "./edit.js";
4
+ export { globToolImpl } from "./glob.js";
5
+ export { grepToolImpl } from "./grep.js";
6
+ export { webFetchToolImpl } from "./web-fetch.js";
7
+ export { webSearchToolImpl } from "./web-search.js";
8
+ export { resolveRgPath } from "./shared/ripgrep.js";
9
+ export { bashToolImpl, normalizeBashTimeoutMs } from "./bash.js";
10
+ export { isPathAllowed, isWorkdirAllowed } from "./shared/path-resolver.js";