@ondc/automation-mock-runner 1.3.43 → 1.3.45

package/dist/lib/helpers/default-helpers.js

@@ -0,0 +1,200 @@
+"use strict";
+/*
+ * Default helpers available to every `generate()` in a mock step.
+ *
+ * Authoring rules:
+ *   1. Prefer `function` declarations — they hoist, so cross-helper calls
+ *      work regardless of order.
+ *   2. No `require` / `import` inside function bodies. The VM sandbox has no
+ *      module system. Only sandbox-whitelisted globals (Math, Date, JSON, …)
+ *      and sibling helpers are in scope.
+ *   3. If the helper needs request-scope data, take `sessionData` as an
+ *      explicit parameter. Free-variable references to `sessionData` do NOT
+ *      resolve at runtime — helpers run at script scope, `sessionData` is
+ *      only a parameter of `generate()`.
+ *   4. Document every helper with a leading JSDoc block (`@param`, `@returns`).
+ *
+ * The full file (minus the trailing `module.exports = {...}` block) is
+ * embedded verbatim into the sandbox bundle by
+ * `scripts/generate-helpers-source.js`, so JSDoc reaches end users unchanged.
+ * Re-run `npm run helpers:gen` after editing.
+ */
+/**
+ * Resolve the BPP or BAP subscriber URL from session data.
+ *
+ * @param {Object} sessionData  session data (reads `bppUri` or `bapUri`)
+ * @param {"bpp"|"bap"|string} type  subscriber kind; anything other than "bpp" returns bapUri
+ * @returns {string} the subscriber URL
+ */
+function getSubscriberUrl(sessionData, type) {
+    if (type === "bpp") {
+        return sessionData.bppUri;
+    }
+    else {
+        return sessionData.bapUri;
+    }
+}
+/**
+ * Generate a UUID v4 (RFC 4122, random-based).
+ *
+ * @returns {string} a new UUID v4, e.g. "550e8400-e29b-41d4-a716-446655440000"
+ */
+function uuidv4() {
+    return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function (c) {
+        const r = (Math.random() * 16) | 0;
+        const v = c === "x" ? r : (r & 0x3) | 0x8;
+        return v.toString(16);
+    });
+}
+/**
+ * Generate a 6-digit numeric string ID in [100000, 999999].
+ *
+ * @returns {string} a zero-padded 6-digit numeric string
+ */
+function generate6DigitId() {
+    return Math.floor(100000 + Math.random() * 900000).toString();
+}
+/**
+ * Get the current ISO-8601 UTC timestamp.
+ *
+ * @returns {string} e.g. "2026-04-23T12:34:56.789Z"
+ */
+function currentTimestamp() {
+    return new Date().toISOString();
+}
+/**
+ * Convert an ISO 8601 duration string (e.g. "PT1H30M", "P2DT3H") to total seconds.
+ *
+ * Approximations used: 1 week = 7 days, 1 month ≈ 30.42 days (2628288 sec),
+ * 1 year = 365 days. Not calendar-exact.
+ *
+ * @param {string} duration  ISO 8601 duration string
+ * @returns {number} total seconds; 0 when the input is unparseable
+ */
+function isoDurToSec(duration) {
+    const durRE = /P((\d+)Y)?((\d+)M)?((\d+)W)?((\d+)D)?T?((\d+)H)?((\d+)M)?((\d+)S)?/;
+    const s = durRE.exec(duration);
+    if (!s)
+        return 0;
+    return ((Number(s?.[2]) || 0) * 31536000 +
+        (Number(s?.[4]) || 0) * 2628288 +
+        (Number(s?.[6]) || 0) * 604800 +
+        (Number(s?.[8]) || 0) * 86400 +
+        (Number(s?.[10]) || 0) * 3600 +
+        (Number(s?.[12]) || 0) * 60 +
+        (Number(s?.[14]) || 0));
+}
+/**
+ * Mutate `payload.context` in place to set the city code from `inputs.city_code`.
+ *
+ * Version-aware: ONDC v1.x uses flat `context.city`, v2.x uses nested
+ * `context.location.city.code`. Falls back to "*" when `city_code` is missing.
+ * No-op when `inputs` is falsy.
+ *
+ * @param {Object} payload  payload with a `context` to mutate
+ * @param {Object|null|undefined} inputs  object with optional `city_code`
+ * @returns {string|undefined} "*" when inputs is falsy; otherwise undefined
+ */
+function setCityFromInputs(payload, inputs) {
+    if (!inputs)
+        return "*";
+    const version = payload.context.version || payload.context.core_version || "2.0.0";
+    if (version.startsWith("1")) {
+        payload.context.city = inputs.city_code ?? "*";
+    }
+    else {
+        payload.context.location.city.code = inputs.city_code ?? "*";
+    }
+}
+/**
+ * Build a form submission URL from session data.
+ *
+ * @param {string} domain       ONDC domain (e.g. "ONDC:RET10")
+ * @param {string} formId       form identifier
+ * @param {Object} sessionData  reads `mockBaseUrl`, `transactionId[0]`, `sessionId`
+ * @returns {string} `${baseURL}/forms/${domain}/${formId}/?transaction_id=...&session_id=...`
+ */
+function createFormURL(domain, formId, sessionData) {
+    const baseURL = sessionData.mockBaseUrl;
+    const transactionId = sessionData.transactionId[0];
+    const sessionId = sessionData.sessionId;
+    return `${baseURL}/forms/${domain}/${formId}/?transaction_id=${transactionId}&session_id=${sessionId}`;
+}
+/**
+ * Generate a consent handler from the Finvu AA Service.
+ *
+ * Reads the service base URL from `sessionData.finvuUrl` — the installing
+ * service MUST include that origin in
+ *   MockRunner.initSharedRunner({ allowedFetchBaseUrls: [...] })
+ * otherwise the sandboxed fetch will be blocked.
+ *
+ * Times out after 10s via AbortController.
+ *
+ * @param {Object} sessionData  session data; `sessionData.finvuUrl` is required
+ * @param {Object} params
+ * @param {string} params.custId                customer ID (required)
+ * @param {string} [params.templateName]        defaults to "FINVUDEMO_TESTING"
+ * @param {string} [params.consentDescription]  defaults to "Gold Loan Account Aggregator Consent"
+ * @param {string} [params.redirectUrl]         defaults to "https://google.co.in"
+ * @returns {Promise<string>} the `consentHandler` returned by the AA service
+ * @throws {Error} when `custId` or `sessionData.finvuUrl` is missing, on non-OK
+ *   response, on missing `consentHandler` in the body, or on 10s timeout
+ */
+async function generateConsentHandler(sessionData, { custId, templateName = "FINVUDEMO_TESTING", consentDescription = "Gold Loan Account Aggregator Consent", redirectUrl = "https://google.co.in", }) {
+    if (!custId) {
+        throw new Error("custId is required");
+    }
+    const baseUrl = sessionData && sessionData.finvuUrl;
+    if (!baseUrl) {
+        throw new Error("sessionData.finvuUrl is required");
+    }
+    const url = `${baseUrl}/finvu-aa/consent/generate`;
+    const payload = {
+        custId,
+        templateName,
+        consentDescription,
+        redirectUrl,
+    };
+    console.log("Calling Finvu AA Service:", url);
+    console.log("Consent request payload:", payload);
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 10000);
+    try {
+        const res = await fetch(url, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify(payload),
+            signal: controller.signal,
+        });
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`Request failed: ${res.status} ${text}`);
+        }
+        const data = await res.json();
+        if (!data || !data.consentHandler) {
+            throw new Error("Invalid response: consentHandler missing");
+        }
+        return data.consentHandler;
+    }
+    catch (err) {
+        if (err && err.name === "AbortError") {
+            throw new Error("Request timed out after 10 seconds");
+        }
+        throw err;
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+module.exports = {
+    getSubscriberUrl,
+    uuidv4,
+    generate6DigitId,
+    currentTimestamp,
+    isoDurToSec,
+    setCityFromInputs,
+    createFormURL,
+    generateConsentHandler,
+};

package/dist/lib/helpers/default-helpers.test.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Unit tests for the default helper functions + bundle integrity.
+ *
+ * Unit tests import the functions as a normal CJS module and call them.
+ * The bundle test loads DEFAULT_HELPER_LIB into a fresh vm context — this
+ * simulates how the string is actually used in the worker sandbox and
+ * catches any stringification / hoisting / free-variable regressions.
+ */
+export {};

package/dist/lib/helpers/default-helpers.test.js

@@ -0,0 +1,265 @@
+"use strict";
+/**
+ * Unit tests for the default helper functions + bundle integrity.
+ *
+ * Unit tests import the functions as a normal CJS module and call them.
+ * The bundle test loads DEFAULT_HELPER_LIB into a fresh vm context — this
+ * simulates how the string is actually used in the worker sandbox and
+ * catches any stringification / hoisting / free-variable regressions.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const vm = __importStar(require("vm"));
+const default_helpers_1 = require("./default-helpers");
+const index_1 = require("./index");
+describe("default helpers — unit", () => {
+    describe("uuidv4", () => {
+        it("matches the RFC 4122 v4 shape", () => {
+            expect((0, default_helpers_1.uuidv4)()).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/);
+        });
+        it("produces distinct values", () => {
+            expect((0, default_helpers_1.uuidv4)()).not.toBe((0, default_helpers_1.uuidv4)());
+        });
+    });
+    describe("generate6DigitId", () => {
+        it("returns a 6-digit string in [100000, 999999]", () => {
+            for (let i = 0; i < 50; i++) {
+                const id = (0, default_helpers_1.generate6DigitId)();
+                expect(id).toMatch(/^\d{6}$/);
+                const n = parseInt(id, 10);
+                expect(n).toBeGreaterThanOrEqual(100000);
+                expect(n).toBeLessThanOrEqual(999999);
+            }
+        });
+    });
+    describe("currentTimestamp", () => {
+        it("returns a parseable ISO timestamp close to now", () => {
+            const before = Date.now();
+            const ts = (0, default_helpers_1.currentTimestamp)();
+            const after = Date.now();
+            const parsed = Date.parse(ts);
+            expect(parsed).toBeGreaterThanOrEqual(before);
+            expect(parsed).toBeLessThanOrEqual(after);
+            expect(ts.endsWith("Z")).toBe(true);
+        });
+    });
+    describe("isoDurToSec", () => {
+        it.each([
+            ["PT30S", 30],
+            ["PT5M", 300],
+            ["PT1H", 3600],
+            ["P1D", 86400],
+            ["PT1H30M", 5400],
+            ["PT0S", 0],
+        ])("%s → %d sec", (dur, expected) => {
+            expect((0, default_helpers_1.isoDurToSec)(dur)).toBe(expected);
+        });
+        it("returns 0 on unparseable input", () => {
+            expect((0, default_helpers_1.isoDurToSec)("not-a-duration")).toBe(0);
+        });
+    });
+    describe("setCityFromInputs", () => {
+        it("writes flat context.city for v1.x", () => {
+            const payload = { context: { core_version: "1.2.0", city: "*" } };
+            (0, default_helpers_1.setCityFromInputs)(payload, { city_code: "std:080" });
+            expect(payload.context.city).toBe("std:080");
+        });
+        it("writes nested context.location.city.code for v2.x", () => {
+            const payload = {
+                context: { version: "2.0.0", location: { city: { code: "*" } } },
+            };
+            (0, default_helpers_1.setCityFromInputs)(payload, { city_code: "std:011" });
+            expect(payload.context.location.city.code).toBe("std:011");
+        });
+        it("falls back to '*' when city_code is missing", () => {
+            const payload = {
+                context: { version: "2.0.0", location: { city: { code: "foo" } } },
+            };
+            (0, default_helpers_1.setCityFromInputs)(payload, {});
+            expect(payload.context.location.city.code).toBe("*");
+        });
+        it("no-ops when inputs is falsy", () => {
+            const payload = {
+                context: { version: "2.0.0", location: { city: { code: "keep" } } },
+            };
+            (0, default_helpers_1.setCityFromInputs)(payload, null);
+            expect(payload.context.location.city.code).toBe("keep");
+        });
+    });
+    describe("createFormURL", () => {
+        it("interpolates domain, formId, transactionId, sessionId", () => {
+            const url = (0, default_helpers_1.createFormURL)("ONDC:RET10", "FORM_A", {
+                mockBaseUrl: "https://mocks.example.com",
+                transactionId: ["txn-xyz"],
+                sessionId: "sess-1",
+            });
+            expect(url).toBe("https://mocks.example.com/forms/ONDC:RET10/FORM_A/?transaction_id=txn-xyz&session_id=sess-1");
+        });
+    });
+    describe("getSubscriberUrl", () => {
+        const sessionData = { bppUri: "https://bpp.example.com", bapUri: "https://bap.example.com" };
+        it("returns bppUri when type is 'bpp'", () => {
+            expect((0, default_helpers_1.getSubscriberUrl)(sessionData, "bpp")).toBe("https://bpp.example.com");
+        });
+        it("returns bapUri otherwise", () => {
+            expect((0, default_helpers_1.getSubscriberUrl)(sessionData, "bap")).toBe("https://bap.example.com");
+            expect((0, default_helpers_1.getSubscriberUrl)(sessionData, "anything-else")).toBe("https://bap.example.com");
+        });
+    });
+    describe("generateConsentHandler", () => {
+        function fakeResponse(init) {
+            return {
+                ok: init.ok,
+                status: init.status ?? (init.ok ? 200 : 500),
+                json: init.json ?? (async () => ({})),
+                text: init.text ?? (async () => ""),
+            };
+        }
+        let fetchSpy;
+        beforeEach(() => {
+            fetchSpy = jest.spyOn(global, "fetch");
+        });
+        afterEach(() => {
+            fetchSpy.mockRestore();
+        });
+        it("throws when custId is missing", async () => {
+            await expect((0, default_helpers_1.generateConsentHandler)({ finvuUrl: "http://finvu" }, {})).rejects.toThrow("custId is required");
+            expect(fetchSpy).not.toHaveBeenCalled();
+        });
+        it("throws when sessionData.finvuUrl is missing", async () => {
+            await expect((0, default_helpers_1.generateConsentHandler)({}, { custId: "c1" })).rejects.toThrow("sessionData.finvuUrl is required");
+            expect(fetchSpy).not.toHaveBeenCalled();
+        });
+        it("POSTs JSON to /finvu-aa/consent/generate and returns consentHandler", async () => {
+            fetchSpy.mockResolvedValueOnce(fakeResponse({
+                ok: true,
+                json: async () => ({ consentHandler: "HANDLE-123" }),
+            }));
+            const result = await (0, default_helpers_1.generateConsentHandler)({ finvuUrl: "http://finvu.local:3002" }, { custId: "cust-42" });
+            expect(result).toBe("HANDLE-123");
+            expect(fetchSpy).toHaveBeenCalledTimes(1);
+            const [url, init] = fetchSpy.mock.calls[0];
+            expect(url).toBe("http://finvu.local:3002/finvu-aa/consent/generate");
+            expect(init?.method).toBe("POST");
+            expect((init?.headers)["Content-Type"]).toBe("application/json");
+            const body = JSON.parse(init?.body);
+            expect(body).toEqual({
+                custId: "cust-42",
+                templateName: "FINVUDEMO_TESTING",
+                consentDescription: "Gold Loan Account Aggregator Consent",
+                redirectUrl: "https://google.co.in",
+            });
+            expect(init?.signal).toBeDefined();
+        });
+        it("throws 'Request failed' on non-OK responses", async () => {
+            fetchSpy.mockResolvedValueOnce(fakeResponse({
+                ok: false,
+                status: 503,
+                text: async () => "Service Unavailable",
+            }));
+            await expect((0, default_helpers_1.generateConsentHandler)({ finvuUrl: "http://finvu.local" }, { custId: "c1" })).rejects.toThrow("Request failed: 503 Service Unavailable");
+        });
+        it("throws when consentHandler is missing from response body", async () => {
+            fetchSpy.mockResolvedValueOnce(fakeResponse({
+                ok: true,
+                json: async () => ({ somethingElse: true }),
+            }));
+            await expect((0, default_helpers_1.generateConsentHandler)({ finvuUrl: "http://finvu.local" }, { custId: "c1" })).rejects.toThrow("Invalid response: consentHandler missing");
+        });
+        it("surfaces AbortError as a timeout message", async () => {
+            fetchSpy.mockImplementationOnce(async () => {
+                const err = new Error("aborted");
+                err.name = "AbortError";
+                throw err;
+            });
+            await expect((0, default_helpers_1.generateConsentHandler)({ finvuUrl: "http://finvu.local" }, { custId: "c1" })).rejects.toThrow("Request timed out after 10 seconds");
+        });
+    });
+});
+describe("DEFAULT_HELPER_LIB bundle", () => {
+    const EXPECTED_NAMES = [
+        "getSubscriberUrl",
+        "uuidv4",
+        "generate6DigitId",
+        "currentTimestamp",
+        "isoDurToSec",
+        "setCityFromInputs",
+        "createFormURL",
+        "generateConsentHandler",
+    ];
+    function loadBundle() {
+        const sandbox = {};
+        vm.createContext(sandbox);
+        vm.runInContext(index_1.DEFAULT_HELPER_LIB, sandbox);
+        return sandbox;
+    }
+    it("does not leak `module.exports` or `require` into the bundle source", () => {
+        // Statement-level `module.exports = ...` (line-anchored) would throw
+        // ReferenceError in the sandbox. Mentions inside comments are harmless.
+        expect(index_1.DEFAULT_HELPER_LIB).not.toMatch(/^module\.exports\s*=/m);
+        expect(index_1.DEFAULT_HELPER_LIB).not.toMatch(/\brequire\s*\(/);
+    });
+    it("declares every expected helper as a function", () => {
+        const sandbox = loadBundle();
+        for (const name of EXPECTED_NAMES) {
+            expect(typeof sandbox[name]).toBe("function");
+        }
+    });
+    it("round-trips key helpers when executed in the vm context", () => {
+        const sandbox = loadBundle();
+        expect(sandbox.uuidv4()).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/);
+        expect(sandbox.generate6DigitId()).toMatch(/^\d{6}$/);
+        expect(sandbox.isoDurToSec("PT1H")).toBe(3600);
+        const payload = {
+            context: { version: "2.0.0", location: { city: { code: "*" } } },
+        };
+        sandbox.setCityFromInputs(payload, { city_code: "std:022" });
+        expect(payload.context.location.city.code).toBe("std:022");
+        expect(sandbox.getSubscriberUrl({ bppUri: "http://bpp" }, "bpp")).toBe("http://bpp");
+    });
+    it("preserves in-body docs so playground users see them", () => {
+        // Guard against a future refactor silently dropping the in-body comments
+        // the way the pre-refactor .toString() pattern did.
+        expect(index_1.DEFAULT_HELPER_LIB).toContain("Generate a UUID v4");
+        expect(index_1.DEFAULT_HELPER_LIB).toContain("ISO 8601 duration");
+        expect(index_1.DEFAULT_HELPER_LIB).toContain("Finvu AA Service");
+    });
+    it("preserves source fidelity (no bundler lowering / numeric packing)", () => {
+        // If a future build step reintroduces fn.toString() or otherwise lets a
+        // minifier touch the helper bodies, these canaries break.
+        expect(index_1.DEFAULT_HELPER_LIB).toContain("s?.[2]");
+        expect(index_1.DEFAULT_HELPER_LIB).toContain("100000 + Math.random() * 900000");
+    });
+});

package/dist/lib/helpers/index.d.ts

@@ -0,0 +1 @@
+export declare const DEFAULT_HELPER_LIB: string;

package/dist/lib/helpers/index.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_HELPER_LIB = void 0;
+const default_helpers_source_1 = require("./default-helpers-source");
+const HEADER = `/*
+	Custom helper functions available in all mock generate() functions.
+	Source: src/lib/helpers/default-helpers.js — edit there, then run
+	\`npm run helpers:gen\` to refresh.
+*/`;
+exports.DEFAULT_HELPER_LIB = HEADER + "\n\n" + default_helpers_source_1.DEFAULT_HELPERS_RAW;

package/dist/lib/runners/node-runner.d.ts

@@ -1,6 +1,19 @@
 import { FunctionSchema } from "../constants/function-registry";
 import { ExecutionResult } from "../types/execution-results";
 import { BaseCodeRunner } from "./base-runner";
+export interface NodeRunnerOptions {
+    maxMemoryMB?: number;
+    poolSize?: number;
+    maxExecutionsPerWorker?: number;
+    maxWorkerAgeMs?: number;
+    /**
+     * Base URLs that `generate` functions may fetch. Each entry is parsed with
+     * `new URL(entry)`; a request is allowed iff its origin matches the entry's
+     * origin AND its pathname is a strict segment-prefix of the entry's pathname.
+     * Absent / empty → fetch is not injected (blocked).
+     */
+    allowedFetchBaseUrls?: string[];
+}
 export declare class NodeRunner implements BaseCodeRunner {
     private pool;
     private waitQueue;
@@ -11,12 +24,8 @@ export declare class NodeRunner implements BaseCodeRunner {
     private readonly poolSize;
     private readonly maxExecutionsPerWorker;
     private readonly maxWorkerAgeMs;
-    constructor(options?: {
-        maxMemoryMB?: number;
-        poolSize?: number;
-        maxExecutionsPerWorker?: number;
-        maxWorkerAgeMs?: number;
-    });
+    private readonly allowedFetchBaseUrls;
+    constructor(options?: NodeRunnerOptions);
     private createPooledWorker;
     /**
      * Terminate old worker (frees its V8 isolate) and replace with a fresh one.

package/dist/lib/runners/node-runner.js

@@ -52,6 +52,7 @@ class NodeRunner {
         this.maxExecutionsPerWorker =
             options.maxExecutionsPerWorker || MAX_EXECUTIONS_PER_WORKER;
         this.maxWorkerAgeMs = options.maxWorkerAgeMs || MAX_WORKER_AGE_MS;
+        this.allowedFetchBaseUrls = options.allowedFetchBaseUrls ?? [];
         // Pre-warm the pool
         for (let i = 0; i < this.poolSize; i++) {
             this.pool.push(this.createPooledWorker());
@@ -66,6 +67,9 @@ class NodeRunner {
                 codeRangeSizeMb: 16,
             },
             env: {},
+            workerData: {
+                allowedFetchBaseUrls: this.allowedFetchBaseUrls,
+            },
         });
         const pw = {
             worker,

package/dist/lib/runners/runner-factory.d.ts

@@ -1,6 +1,7 @@
 import { Worker } from "worker_threads";
 import { BrowserRunner } from "./browser-runner";
-import { NodeRunner } from "./node-runner";
+import { NodeRunner, NodeRunnerOptions } from "./node-runner";
+export type RunnerOptions = NodeRunnerOptions;
 /**
  * Factory for creating workers in both browser and Node.js environments
  */
@@ -21,5 +22,5 @@ export declare class RunnerFactory {
     /**
      * Creates appropriate runner based on environment
      */
-    static createRunner(options?: any, logger?: any): BrowserRunner | NodeRunner;
+    static createRunner(options?: RunnerOptions, logger?: any): BrowserRunner | NodeRunner;
 }

package/dist/lib/validators/code-validator.js

@@ -316,7 +316,9 @@ CodeValidator.FORBIDDEN_GLOBALS = [
     "SharedWorker",
     "WebSocket",
     "XMLHttpRequest",
-    "fetch",
+    // `fetch` is allowed past static analysis and gated at runtime in the
+    // worker sandbox: injected only for `generate` and only when the
+    // configured allowlist matches origin + path prefix.
 ];
 CodeValidator.FORBIDDEN_PROPERTIES = [
     "localStorage",

package/dist/test/GenerateFetchAndTimeout.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for generate-only fetch allowlist + 45s sandbox setTimeout cap.
+ */
+export {};