npm - @openape/nest - Versions diffs - 0.3.0 → 1.1.0 - Mend

@openape/nest 0.3.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +39 -0
package/dist/index.mjs +244 -1476
package/package.json +1 -1
package/dist/node-WKMHQLLZ-IJUWLHGB.mjs +0 -20

package/dist/index.mjs CHANGED Viewed

@@ -1,8 +1,12 @@
 #!/usr/bin/env node
 // src/index.ts
-import { createServer } from "http";
-import process2 from "process";
+import process3 from "process";
+// src/lib/intent-channel.ts
+import { readdirSync, readFileSync as readFileSync2, renameSync, statSync, unlinkSync, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2, chmodSync } from "fs";
+import { homedir as homedir2 } from "os";
+import { join as join2 } from "path";
 // src/api/agents.ts
 import { execFile } from "child_process";
@@ -57,14 +61,6 @@ function removeAgent(name) {
 // src/api/agents.ts
 var execFileAsync = promisify(execFile);
 var NAME_REGEX = /^[a-z][a-z0-9-]{0,23}$/;
-function handleNestStatus(_ctx) {
-  return {
-    agents: listAgents().length
-  };
-}
-function handleAgentsList(_ctx) {
-  return { agents: listAgents() };
-}
 async function handleAgentSpawn(ctx) {
   const body = ctx.body;
   const name = typeof body?.name === "string" ? body.name : "";
@@ -99,6 +95,7 @@ async function handleAgentSpawn(ctx) {
     } : void 0
   };
   upsertAgent(entry);
+  await ctx.supervisor.reconcile(listAgents());
   return { name, email: entry.email, uid, home: entry.home };
 }
 async function handleAgentDestroy(ctx, name) {
@@ -109,6 +106,7 @@ async function handleAgentDestroy(ctx, name) {
   const args = ["run", "--as", "root", "--", "apes", "agents", "destroy", name, "--force"];
   await execFileAsync(ctx.apesBin, args, { maxBuffer: 4 * 1024 * 1024 });
   removeAgent(name);
+  await ctx.supervisor.reconcile(listAgents());
   return { name, removed: true };
 }
 async function readUidFromDscl(name) {
@@ -121,1514 +119,284 @@ async function readUidFromDscl(name) {
   return -1;
 }
-// src/lib/auth.ts
-import { hostname } from "os";
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/base64url.js
-import { Buffer as Buffer2 } from "buffer";
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/buffer_utils.js
-var encoder = new TextEncoder();
-var decoder = new TextDecoder();
-var MAX_INT32 = 2 ** 32;
-function concat(...buffers) {
-  const size = buffers.reduce((acc, { length }) => acc + length, 0);
-  const buf = new Uint8Array(size);
-  let i = 0;
-  for (const buffer of buffers) {
-    buf.set(buffer, i);
-    i += buffer.length;
-  }
-  return buf;
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/base64url.js
-function normalize(input) {
-  let encoded = input;
-  if (encoded instanceof Uint8Array) {
-    encoded = decoder.decode(encoded);
-  }
-  return encoded;
-}
-var decode = (input) => new Uint8Array(Buffer2.from(normalize(input), "base64url"));
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/util/errors.js
-var JOSEError = class extends Error {
-  static code = "ERR_JOSE_GENERIC";
-  code = "ERR_JOSE_GENERIC";
-  constructor(message2, options) {
-    super(message2, options);
-    this.name = this.constructor.name;
-    Error.captureStackTrace?.(this, this.constructor);
-  }
-};
-var JWTClaimValidationFailed = class extends JOSEError {
-  static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
-  code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
-  claim;
-  reason;
-  payload;
-  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-    super(message2, { cause: { claim, reason, payload } });
-    this.claim = claim;
-    this.reason = reason;
-    this.payload = payload;
-  }
-};
-var JWTExpired = class extends JOSEError {
-  static code = "ERR_JWT_EXPIRED";
-  code = "ERR_JWT_EXPIRED";
-  claim;
-  reason;
-  payload;
-  constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-    super(message2, { cause: { claim, reason, payload } });
-    this.claim = claim;
-    this.reason = reason;
-    this.payload = payload;
-  }
-};
-var JOSEAlgNotAllowed = class extends JOSEError {
-  static code = "ERR_JOSE_ALG_NOT_ALLOWED";
-  code = "ERR_JOSE_ALG_NOT_ALLOWED";
-};
-var JOSENotSupported = class extends JOSEError {
-  static code = "ERR_JOSE_NOT_SUPPORTED";
-  code = "ERR_JOSE_NOT_SUPPORTED";
-};
-var JWSInvalid = class extends JOSEError {
-  static code = "ERR_JWS_INVALID";
-  code = "ERR_JWS_INVALID";
-};
-var JWTInvalid = class extends JOSEError {
-  static code = "ERR_JWT_INVALID";
-  code = "ERR_JWT_INVALID";
-};
-var JWKSInvalid = class extends JOSEError {
-  static code = "ERR_JWKS_INVALID";
-  code = "ERR_JWKS_INVALID";
-};
-var JWKSNoMatchingKey = class extends JOSEError {
-  static code = "ERR_JWKS_NO_MATCHING_KEY";
-  code = "ERR_JWKS_NO_MATCHING_KEY";
-  constructor(message2 = "no applicable key found in the JSON Web Key Set", options) {
-    super(message2, options);
-  }
-};
-var JWKSMultipleMatchingKeys = class extends JOSEError {
-  [Symbol.asyncIterator];
-  static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-  code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-  constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
-    super(message2, options);
-  }
-};
-var JWKSTimeout = class extends JOSEError {
-  static code = "ERR_JWKS_TIMEOUT";
-  code = "ERR_JWKS_TIMEOUT";
-  constructor(message2 = "request timed out", options) {
-    super(message2, options);
-  }
-};
-var JWSSignatureVerificationFailed = class extends JOSEError {
-  static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-  code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-  constructor(message2 = "signature verification failed", options) {
-    super(message2, options);
-  }
-};
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/is_key_object.js
-import * as util from "util";
-var is_key_object_default = (obj) => util.types.isKeyObject(obj);
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/webcrypto.js
-import * as crypto2 from "crypto";
-import * as util2 from "util";
-var webcrypto2 = crypto2.webcrypto;
-var webcrypto_default = webcrypto2;
-var isCryptoKey = (key) => util2.types.isCryptoKey(key);
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/crypto_key.js
-function unusable(name, prop = "algorithm.name") {
-  return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
-}
-function isAlgorithm(algorithm, name) {
-  return algorithm.name === name;
-}
-function getHashLength(hash) {
-  return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve(alg) {
-  switch (alg) {
-    case "ES256":
-      return "P-256";
-    case "ES384":
-      return "P-384";
-    case "ES512":
-      return "P-521";
-    default:
-      throw new Error("unreachable");
-  }
-}
-function checkUsage(key, usages) {
-  if (usages.length && !usages.some((expected) => key.usages.includes(expected))) {
-    let msg = "CryptoKey does not support this operation, its usages must include ";
-    if (usages.length > 2) {
-      const last = usages.pop();
-      msg += `one of ${usages.join(", ")}, or ${last}.`;
-    } else if (usages.length === 2) {
-      msg += `one of ${usages[0]} or ${usages[1]}.`;
-    } else {
-      msg += `${usages[0]}.`;
-    }
-    throw new TypeError(msg);
-  }
-}
-function checkSigCryptoKey(key, alg, ...usages) {
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512": {
-      if (!isAlgorithm(key.algorithm, "HMAC"))
-        throw unusable("HMAC");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "RS256":
-    case "RS384":
-    case "RS512": {
-      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw unusable("RSASSA-PKCS1-v1_5");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "PS256":
-    case "PS384":
-    case "PS512": {
-      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
-        throw unusable("RSA-PSS");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "EdDSA": {
-      if (key.algorithm.name !== "Ed25519" && key.algorithm.name !== "Ed448") {
-        throw unusable("Ed25519 or Ed448");
-      }
-      break;
-    }
-    case "Ed25519": {
-      if (!isAlgorithm(key.algorithm, "Ed25519"))
-        throw unusable("Ed25519");
-      break;
-    }
-    case "ES256":
-    case "ES384":
-    case "ES512": {
-      if (!isAlgorithm(key.algorithm, "ECDSA"))
-        throw unusable("ECDSA");
-      const expected = getNamedCurve(alg);
-      const actual = key.algorithm.namedCurve;
-      if (actual !== expected)
-        throw unusable(expected, "algorithm.namedCurve");
-      break;
-    }
-    default:
-      throw new TypeError("CryptoKey does not support this operation");
-  }
-  checkUsage(key, usages);
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/invalid_key_input.js
-function message(msg, actual, ...types4) {
-  types4 = types4.filter(Boolean);
-  if (types4.length > 2) {
-    const last = types4.pop();
-    msg += `one of type ${types4.join(", ")}, or ${last}.`;
-  } else if (types4.length === 2) {
-    msg += `one of type ${types4[0]} or ${types4[1]}.`;
-  } else {
-    msg += `of type ${types4[0]}.`;
-  }
-  if (actual == null) {
-    msg += ` Received ${actual}`;
-  } else if (typeof actual === "function" && actual.name) {
-    msg += ` Received function ${actual.name}`;
-  } else if (typeof actual === "object" && actual != null) {
-    if (actual.constructor?.name) {
-      msg += ` Received an instance of ${actual.constructor.name}`;
-    }
-  }
-  return msg;
-}
-var invalid_key_input_default = (actual, ...types4) => {
-  return message("Key must be ", actual, ...types4);
-};
-function withAlg(alg, actual, ...types4) {
-  return message(`Key for the ${alg} algorithm must be `, actual, ...types4);
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/is_key_like.js
-var is_key_like_default = (key) => is_key_object_default(key) || isCryptoKey(key);
-var types3 = ["KeyObject"];
-if (globalThis.CryptoKey || webcrypto_default?.CryptoKey) {
-  types3.push("CryptoKey");
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/is_disjoint.js
-var isDisjoint = (...headers) => {
-  const sources = headers.filter(Boolean);
-  if (sources.length === 0 || sources.length === 1) {
-    return true;
-  }
-  let acc;
-  for (const header of sources) {
-    const parameters = Object.keys(header);
-    if (!acc || acc.size === 0) {
-      acc = new Set(parameters);
-      continue;
-    }
-    for (const parameter of parameters) {
-      if (acc.has(parameter)) {
-        return false;
-      }
-      acc.add(parameter);
-    }
-  }
-  return true;
-};
-var is_disjoint_default = isDisjoint;
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/is_object.js
-function isObjectLike(value) {
-  return typeof value === "object" && value !== null;
-}
-function isObject(input) {
-  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/get_named_curve.js
-import { KeyObject } from "crypto";
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/is_jwk.js
-function isJWK(key) {
-  return isObject(key) && typeof key.kty === "string";
-}
-function isPrivateJWK(key) {
-  return key.kty !== "oct" && typeof key.d === "string";
-}
-function isPublicJWK(key) {
-  return key.kty !== "oct" && typeof key.d === "undefined";
-}
-function isSecretJWK(key) {
-  return isJWK(key) && key.kty === "oct" && typeof key.k === "string";
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/get_named_curve.js
-var namedCurveToJOSE = (namedCurve) => {
-  switch (namedCurve) {
-    case "prime256v1":
-      return "P-256";
-    case "secp384r1":
-      return "P-384";
-    case "secp521r1":
-      return "P-521";
-    case "secp256k1":
-      return "secp256k1";
-    default:
-      throw new JOSENotSupported("Unsupported key curve for this operation");
-  }
-};
-var getNamedCurve2 = (kee, raw) => {
-  let key;
-  if (isCryptoKey(kee)) {
-    key = KeyObject.from(kee);
-  } else if (is_key_object_default(kee)) {
-    key = kee;
-  } else if (isJWK(kee)) {
-    return kee.crv;
-  } else {
-    throw new TypeError(invalid_key_input_default(kee, ...types3));
-  }
-  if (key.type === "secret") {
-    throw new TypeError('only "private" or "public" type keys can be used for this operation');
-  }
-  switch (key.asymmetricKeyType) {
-    case "ed25519":
-    case "ed448":
-      return `Ed${key.asymmetricKeyType.slice(2)}`;
-    case "x25519":
-    case "x448":
-      return `X${key.asymmetricKeyType.slice(1)}`;
-    case "ec": {
-      const namedCurve = key.asymmetricKeyDetails.namedCurve;
-      if (raw) {
-        return namedCurve;
-      }
-      return namedCurveToJOSE(namedCurve);
+// src/lib/intent-channel.ts
+var POLL_MS = 1e3;
+var INTENTS_DIR = join2(homedir2(), "intents");
+var IntentChannel = class {
+  constructor(deps) {
+    this.deps = deps;
+    mkdirSync2(INTENTS_DIR, { recursive: true });
+    chmodSync(INTENTS_DIR, 504);
+  }
+  timer;
+  inflight = /* @__PURE__ */ new Set();
+  start() {
+    if (this.timer) return;
+    this.timer = setInterval(() => void this.tick(), POLL_MS);
+    this.deps.log(`intent-channel: polling ${INTENTS_DIR}`);
+  }
+  stop() {
+    if (this.timer) clearInterval(this.timer);
+    this.timer = void 0;
+  }
+  async tick() {
+    let entries;
+    try {
+      entries = readdirSync(INTENTS_DIR);
+    } catch {
+      return;
     }
-    default:
-      throw new TypeError("Invalid asymmetric key type for this operation");
-  }
-};
-var get_named_curve_default = getNamedCurve2;
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/check_key_length.js
-import { KeyObject as KeyObject2 } from "crypto";
-var check_key_length_default = (key, alg) => {
-  let modulusLength;
-  try {
-    if (key instanceof KeyObject2) {
-      modulusLength = key.asymmetricKeyDetails?.modulusLength;
-    } else {
-      modulusLength = Buffer.from(key.n, "base64url").byteLength << 3;
+    for (const f of entries) {
+      if (!f.endsWith(".json")) continue;
+      if (this.inflight.has(f)) continue;
+      this.inflight.add(f);
+      void this.process(f).finally(() => this.inflight.delete(f));
     }
-  } catch {
-  }
-  if (typeof modulusLength !== "number" || modulusLength < 2048) {
-    throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
-  }
-};
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/jwk_to_key.js
-import { createPrivateKey, createPublicKey } from "crypto";
-var parse = (key) => {
-  if (key.d) {
-    return createPrivateKey({ format: "jwk", key });
-  }
-  return createPublicKey({ format: "jwk", key });
-};
-var jwk_to_key_default = parse;
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/key/import.js
-async function importJWK(jwk, alg) {
-  if (!isObject(jwk)) {
-    throw new TypeError("JWK must be an object");
   }
-  alg ||= jwk.alg;
-  switch (jwk.kty) {
-    case "oct":
-      if (typeof jwk.k !== "string" || !jwk.k) {
-        throw new TypeError('missing "k" (Key Value) Parameter value');
-      }
-      return decode(jwk.k);
-    case "RSA":
-      if ("oth" in jwk && jwk.oth !== void 0) {
-        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+  async process(filename) {
+    const path = join2(INTENTS_DIR, filename);
+    let intent;
+    try {
+      const raw = readFileSync2(path, "utf8");
+      intent = JSON.parse(raw);
+    } catch (err) {
+      this.deps.log(`intent-channel: failed to read ${filename}: ${err instanceof Error ? err.message : String(err)}`);
+      try {
+        unlinkSync(path);
+      } catch {
       }
-    case "EC":
-    case "OKP":
-      return jwk_to_key_default({ ...jwk, alg });
-    default:
-      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
-  }
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/check_key_type.js
-var tag = (key) => key?.[Symbol.toStringTag];
-var jwkMatchesOp = (alg, key, usage) => {
-  if (key.use !== void 0 && key.use !== "sig") {
-    throw new TypeError("Invalid key for this operation, when present its use must be sig");
-  }
-  if (key.key_ops !== void 0 && key.key_ops.includes?.(usage) !== true) {
-    throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${usage}`);
-  }
-  if (key.alg !== void 0 && key.alg !== alg) {
-    throw new TypeError(`Invalid key for this operation, when present its alg must be ${alg}`);
-  }
-  return true;
-};
-var symmetricTypeCheck = (alg, key, usage, allowJwk) => {
-  if (key instanceof Uint8Array)
-    return;
-  if (allowJwk && isJWK(key)) {
-    if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage))
       return;
-    throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
-  }
-  if (!is_key_like_default(key)) {
-    throw new TypeError(withAlg(alg, key, ...types3, "Uint8Array", allowJwk ? "JSON Web Key" : null));
-  }
-  if (key.type !== "secret") {
-    throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
-  }
-};
-var asymmetricTypeCheck = (alg, key, usage, allowJwk) => {
-  if (allowJwk && isJWK(key)) {
-    switch (usage) {
-      case "sign":
-        if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))
-          return;
-        throw new TypeError(`JSON Web Key for this operation be a private JWK`);
-      case "verify":
-        if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage))
-          return;
-        throw new TypeError(`JSON Web Key for this operation be a public JWK`);
-    }
-  }
-  if (!is_key_like_default(key)) {
-    throw new TypeError(withAlg(alg, key, ...types3, allowJwk ? "JSON Web Key" : null));
-  }
-  if (key.type === "secret") {
-    throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
-  }
-  if (usage === "sign" && key.type === "public") {
-    throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
-  }
-  if (usage === "decrypt" && key.type === "public") {
-    throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
-  }
-  if (key.algorithm && usage === "verify" && key.type === "private") {
-    throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
-  }
-  if (key.algorithm && usage === "encrypt" && key.type === "private") {
-    throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
-  }
-};
-function checkKeyType(allowJwk, alg, key, usage) {
-  const symmetric = alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(alg);
-  if (symmetric) {
-    symmetricTypeCheck(alg, key, usage, allowJwk);
-  } else {
-    asymmetricTypeCheck(alg, key, usage, allowJwk);
-  }
-}
-var check_key_type_default = checkKeyType.bind(void 0, false);
-var checkKeyTypeWithJwk = checkKeyType.bind(void 0, true);
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/validate_crit.js
-function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-  }
-  if (!protectedHeader || protectedHeader.crit === void 0) {
-    return /* @__PURE__ */ new Set();
-  }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  }
-  let recognized;
-  if (recognizedOption !== void 0) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
-  }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === void 0) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === void 0) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
     }
-  }
-  return new Set(protectedHeader.crit);
-}
-var validate_crit_default = validateCrit;
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/validate_algorithms.js
-var validateAlgorithms = (option, algorithms) => {
-  if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
-    throw new TypeError(`"${option}" option must be an array of strings`);
-  }
-  if (!algorithms) {
-    return void 0;
-  }
-  return new Set(algorithms);
-};
-var validate_algorithms_default = validateAlgorithms;
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/verify.js
-import * as crypto4 from "crypto";
-import { promisify as promisify3 } from "util";
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/dsa_digest.js
-function dsaDigest(alg) {
-  switch (alg) {
-    case "PS256":
-    case "RS256":
-    case "ES256":
-    case "ES256K":
-      return "sha256";
-    case "PS384":
-    case "RS384":
-    case "ES384":
-      return "sha384";
-    case "PS512":
-    case "RS512":
-    case "ES512":
-      return "sha512";
-    case "Ed25519":
-    case "EdDSA":
-      return void 0;
-    default:
-      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/node_key.js
-import { constants, KeyObject as KeyObject3 } from "crypto";
-var ecCurveAlgMap = /* @__PURE__ */ new Map([
-  ["ES256", "P-256"],
-  ["ES256K", "secp256k1"],
-  ["ES384", "P-384"],
-  ["ES512", "P-521"]
-]);
-function keyForCrypto(alg, key) {
-  let asymmetricKeyType;
-  let asymmetricKeyDetails;
-  let isJWK2;
-  if (key instanceof KeyObject3) {
-    asymmetricKeyType = key.asymmetricKeyType;
-    asymmetricKeyDetails = key.asymmetricKeyDetails;
-  } else {
-    isJWK2 = true;
-    switch (key.kty) {
-      case "RSA":
-        asymmetricKeyType = "rsa";
-        break;
-      case "EC":
-        asymmetricKeyType = "ec";
-        break;
-      case "OKP": {
-        if (key.crv === "Ed25519") {
-          asymmetricKeyType = "ed25519";
+    this.deps.log(`intent-channel: processing ${intent.action} (id=${intent.id})`);
+    let response;
+    try {
+      const ctx = {
+        url: new URL("intent:/"),
+        body: intent,
+        log: this.deps.log,
+        apesBin: this.deps.apesBin,
+        caller: "<intent-channel>",
+        grantId: intent.id,
+        supervisor: this.deps.supervisor
+      };
+      let result;
+      switch (intent.action) {
+        case "spawn":
+          result = await handleAgentSpawn(ctx);
           break;
-        }
-        if (key.crv === "Ed448") {
-          asymmetricKeyType = "ed448";
+        case "destroy":
+          result = await handleAgentDestroy(ctx, intent.name);
           break;
-        }
-        throw new TypeError("Invalid key for this operation, its crv must be Ed25519 or Ed448");
-      }
-      default:
-        throw new TypeError("Invalid key for this operation, its kty must be RSA, OKP, or EC");
-    }
-  }
-  let options;
-  switch (alg) {
-    case "Ed25519":
-      if (asymmetricKeyType !== "ed25519") {
-        throw new TypeError(`Invalid key for this operation, its asymmetricKeyType must be ed25519`);
-      }
-      break;
-    case "EdDSA":
-      if (!["ed25519", "ed448"].includes(asymmetricKeyType)) {
-        throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519 or ed448");
-      }
-      break;
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      if (asymmetricKeyType !== "rsa") {
-        throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa");
-      }
-      check_key_length_default(key, alg);
-      break;
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      if (asymmetricKeyType === "rsa-pss") {
-        const { hashAlgorithm, mgf1HashAlgorithm, saltLength } = asymmetricKeyDetails;
-        const length = parseInt(alg.slice(-3), 10);
-        if (hashAlgorithm !== void 0 && (hashAlgorithm !== `sha${length}` || mgf1HashAlgorithm !== hashAlgorithm)) {
-          throw new TypeError(`Invalid key for this operation, its RSA-PSS parameters do not meet the requirements of "alg" ${alg}`);
-        }
-        if (saltLength !== void 0 && saltLength > length >> 3) {
-          throw new TypeError(`Invalid key for this operation, its RSA-PSS parameter saltLength does not meet the requirements of "alg" ${alg}`);
-        }
-      } else if (asymmetricKeyType !== "rsa") {
-        throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa or rsa-pss");
-      }
-      check_key_length_default(key, alg);
-      options = {
-        padding: constants.RSA_PKCS1_PSS_PADDING,
-        saltLength: constants.RSA_PSS_SALTLEN_DIGEST
-      };
-      break;
-    case "ES256":
-    case "ES256K":
-    case "ES384":
-    case "ES512": {
-      if (asymmetricKeyType !== "ec") {
-        throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ec");
-      }
-      const actual = get_named_curve_default(key);
-      const expected = ecCurveAlgMap.get(alg);
-      if (actual !== expected) {
-        throw new TypeError(`Invalid key curve for the algorithm, its curve must be ${expected}, got ${actual}`);
+        case "list":
+          result = { agents: listAgents() };
+          break;
+        default:
+          throw new Error(`unknown action: ${intent.action ?? "<undefined>"}`);
       }
-      options = { dsaEncoding: "ieee-p1363" };
-      break;
-    }
-    default:
-      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-  if (isJWK2) {
-    return { format: "jwk", key, ...options };
-  }
-  return options ? { ...options, key } : key;
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/sign.js
-import * as crypto3 from "crypto";
-import { promisify as promisify2 } from "util";
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/hmac_digest.js
-function hmacDigest(alg) {
-  switch (alg) {
-    case "HS256":
-      return "sha256";
-    case "HS384":
-      return "sha384";
-    case "HS512":
-      return "sha512";
-    default:
-      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/get_sign_verify_key.js
-import { KeyObject as KeyObject4, createSecretKey } from "crypto";
-function getSignVerifyKey(alg, key, usage) {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalid_key_input_default(key, ...types3));
-    }
-    return createSecretKey(key);
-  }
-  if (key instanceof KeyObject4) {
-    return key;
-  }
-  if (isCryptoKey(key)) {
-    checkSigCryptoKey(key, alg, usage);
-    return KeyObject4.from(key);
-  }
-  if (isJWK(key)) {
-    if (alg.startsWith("HS")) {
-      return createSecretKey(Buffer.from(key.k, "base64url"));
-    }
-    return key;
-  }
-  throw new TypeError(invalid_key_input_default(key, ...types3, "Uint8Array", "JSON Web Key"));
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/sign.js
-var oneShotSign = promisify2(crypto3.sign);
-var sign2 = async (alg, key, data) => {
-  const k = getSignVerifyKey(alg, key, "sign");
-  if (alg.startsWith("HS")) {
-    const hmac = crypto3.createHmac(hmacDigest(alg), k);
-    hmac.update(data);
-    return hmac.digest();
-  }
-  return oneShotSign(dsaDigest(alg), data, keyForCrypto(alg, k));
-};
-var sign_default = sign2;
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/verify.js
-var oneShotVerify = promisify3(crypto4.verify);
-var verify2 = async (alg, key, signature, data) => {
-  const k = getSignVerifyKey(alg, key, "verify");
-  if (alg.startsWith("HS")) {
-    const expected = await sign_default(alg, k, data);
-    const actual = signature;
+      response = { ok: true, result };
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      this.deps.log(`intent-channel: ${intent.action} failed: ${msg}`);
+      response = { ok: false, error: msg };
+    }
+    const respTmp = `${path.replace(/\.json$/, "")}.response.tmp`;
+    const respFinal = `${path.replace(/\.json$/, "")}.response`;
+    writeFileSync2(respTmp, `${JSON.stringify(response)}
+`, { mode: 432 });
+    renameSync(respTmp, respFinal);
     try {
-      return crypto4.timingSafeEqual(actual, expected);
+      unlinkSync(path);
     } catch {
-      return false;
     }
   }
-  const algorithm = dsaDigest(alg);
-  const keyInput = keyForCrypto(alg, k);
-  try {
-    return await oneShotVerify(algorithm, data, keyInput, signature);
-  } catch {
-    return false;
-  }
 };
-var verify_default = verify2;
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/jws/flattened/verify.js
-async function flattenedVerify(jws, key, options) {
-  if (!isObject(jws)) {
-    throw new JWSInvalid("Flattened JWS must be an object");
-  }
-  if (jws.protected === void 0 && jws.header === void 0) {
-    throw new JWSInvalid('Flattened JWS must have either of the "protected" or "header" members');
-  }
-  if (jws.protected !== void 0 && typeof jws.protected !== "string") {
-    throw new JWSInvalid("JWS Protected Header incorrect type");
-  }
-  if (jws.payload === void 0) {
-    throw new JWSInvalid("JWS Payload missing");
-  }
-  if (typeof jws.signature !== "string") {
-    throw new JWSInvalid("JWS Signature missing or incorrect type");
-  }
-  if (jws.header !== void 0 && !isObject(jws.header)) {
-    throw new JWSInvalid("JWS Unprotected Header incorrect type");
-  }
-  let parsedProt = {};
-  if (jws.protected) {
-    try {
-      const protectedHeader = decode(jws.protected);
-      parsedProt = JSON.parse(decoder.decode(protectedHeader));
-    } catch {
-      throw new JWSInvalid("JWS Protected Header is invalid");
-    }
-  }
-  if (!is_disjoint_default(parsedProt, jws.header)) {
-    throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
-  }
-  const joseHeader = {
-    ...parsedProt,
-    ...jws.header
-  };
-  const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
-  let b64 = true;
-  if (extensions.has("b64")) {
-    b64 = parsedProt.b64;
-    if (typeof b64 !== "boolean") {
-      throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
-    }
-  }
-  const { alg } = joseHeader;
-  if (typeof alg !== "string" || !alg) {
-    throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
-  }
-  const algorithms = options && validate_algorithms_default("algorithms", options.algorithms);
-  if (algorithms && !algorithms.has(alg)) {
-    throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
-  }
-  if (b64) {
-    if (typeof jws.payload !== "string") {
-      throw new JWSInvalid("JWS Payload must be a string");
-    }
-  } else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) {
-    throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
-  }
-  let resolvedKey = false;
-  if (typeof key === "function") {
-    key = await key(parsedProt, jws);
-    resolvedKey = true;
-    checkKeyTypeWithJwk(alg, key, "verify");
-    if (isJWK(key)) {
-      key = await importJWK(key, alg);
-    }
-  } else {
-    checkKeyTypeWithJwk(alg, key, "verify");
-  }
-  const data = concat(encoder.encode(jws.protected ?? ""), encoder.encode("."), typeof jws.payload === "string" ? encoder.encode(jws.payload) : jws.payload);
-  let signature;
+function reapStaleResponses(log2) {
+  let entries;
   try {
-    signature = decode(jws.signature);
+    entries = readdirSync(INTENTS_DIR);
   } catch {
-    throw new JWSInvalid("Failed to base64url decode the signature");
-  }
-  const verified = await verify_default(alg, key, signature, data);
-  if (!verified) {
-    throw new JWSSignatureVerificationFailed();
+    return;
   }
-  let payload;
-  if (b64) {
+  const now = Date.now();
+  for (const f of entries) {
+    if (!f.endsWith(".response")) continue;
+    const path = join2(INTENTS_DIR, f);
     try {
-      payload = decode(jws.payload);
+      const st = statSync(path);
+      if (now - st.mtimeMs > 60 * 60 * 1e3) {
+        unlinkSync(path);
+        log2(`intent-channel: reaped stale ${f}`);
+      }
     } catch {
-      throw new JWSInvalid("Failed to base64url decode the payload");
-    }
-  } else if (typeof jws.payload === "string") {
-    payload = encoder.encode(jws.payload);
-  } else {
-    payload = jws.payload;
-  }
-  const result = { payload };
-  if (jws.protected !== void 0) {
-    result.protectedHeader = parsedProt;
-  }
-  if (jws.header !== void 0) {
-    result.unprotectedHeader = jws.header;
-  }
-  if (resolvedKey) {
-    return { ...result, key };
-  }
-  return result;
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/jws/compact/verify.js
-async function compactVerify(jws, key, options) {
-  if (jws instanceof Uint8Array) {
-    jws = decoder.decode(jws);
-  }
-  if (typeof jws !== "string") {
-    throw new JWSInvalid("Compact JWS must be a string or Uint8Array");
-  }
-  const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split(".");
-  if (length !== 3) {
-    throw new JWSInvalid("Invalid Compact JWS");
-  }
-  const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);
-  const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };
-  if (typeof key === "function") {
-    return { ...result, key: verified.key };
-  }
-  return result;
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/epoch.js
-var epoch_default = (date) => Math.floor(date.getTime() / 1e3);
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/secs.js
-var minute = 60;
-var hour = minute * 60;
-var day = hour * 24;
-var week = day * 7;
-var year = day * 365.25;
-var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
-var secs_default = (str) => {
-  const matched = REGEX.exec(str);
-  if (!matched || matched[4] && matched[1]) {
-    throw new TypeError("Invalid time period format");
-  }
-  const value = parseFloat(matched[2]);
-  const unit = matched[3].toLowerCase();
-  let numericDate;
-  switch (unit) {
-    case "sec":
-    case "secs":
-    case "second":
-    case "seconds":
-    case "s":
-      numericDate = Math.round(value);
-      break;
-    case "minute":
-    case "minutes":
-    case "min":
-    case "mins":
-    case "m":
-      numericDate = Math.round(value * minute);
-      break;
-    case "hour":
-    case "hours":
-    case "hr":
-    case "hrs":
-    case "h":
-      numericDate = Math.round(value * hour);
-      break;
-    case "day":
-    case "days":
-    case "d":
-      numericDate = Math.round(value * day);
-      break;
-    case "week":
-    case "weeks":
-    case "w":
-      numericDate = Math.round(value * week);
-      break;
-    default:
-      numericDate = Math.round(value * year);
-      break;
-  }
-  if (matched[1] === "-" || matched[4] === "ago") {
-    return -numericDate;
-  }
-  return numericDate;
-};
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/lib/jwt_claims_set.js
-var normalizeTyp = (value) => value.toLowerCase().replace(/^application\//, "");
-var checkAudiencePresence = (audPayload, audOption) => {
-  if (typeof audPayload === "string") {
-    return audOption.includes(audPayload);
-  }
-  if (Array.isArray(audPayload)) {
-    return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
-  }
-  return false;
-};
-var jwt_claims_set_default = (protectedHeader, encodedPayload, options = {}) => {
-  let payload;
-  try {
-    payload = JSON.parse(decoder.decode(encodedPayload));
-  } catch {
-  }
-  if (!isObject(payload)) {
-    throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
-  }
-  const { typ } = options;
-  if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
-    throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', payload, "typ", "check_failed");
-  }
-  const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
-  const presenceCheck = [...requiredClaims];
-  if (maxTokenAge !== void 0)
-    presenceCheck.push("iat");
-  if (audience !== void 0)
-    presenceCheck.push("aud");
-  if (subject !== void 0)
-    presenceCheck.push("sub");
-  if (issuer !== void 0)
-    presenceCheck.push("iss");
-  for (const claim of new Set(presenceCheck.reverse())) {
-    if (!(claim in payload)) {
-      throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, "missing");
     }
   }
-  if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {
-    throw new JWTClaimValidationFailed('unexpected "iss" claim value', payload, "iss", "check_failed");
-  }
-  if (subject && payload.sub !== subject) {
-    throw new JWTClaimValidationFailed('unexpected "sub" claim value', payload, "sub", "check_failed");
-  }
-  if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) {
-    throw new JWTClaimValidationFailed('unexpected "aud" claim value', payload, "aud", "check_failed");
-  }
-  let tolerance;
-  switch (typeof options.clockTolerance) {
-    case "string":
-      tolerance = secs_default(options.clockTolerance);
-      break;
-    case "number":
-      tolerance = options.clockTolerance;
-      break;
-    case "undefined":
-      tolerance = 0;
-      break;
-    default:
-      throw new TypeError("Invalid clockTolerance option type");
-  }
-  const { currentDate } = options;
-  const now = epoch_default(currentDate || /* @__PURE__ */ new Date());
-  if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") {
-    throw new JWTClaimValidationFailed('"iat" claim must be a number', payload, "iat", "invalid");
-  }
-  if (payload.nbf !== void 0) {
-    if (typeof payload.nbf !== "number") {
-      throw new JWTClaimValidationFailed('"nbf" claim must be a number', payload, "nbf", "invalid");
-    }
-    if (payload.nbf > now + tolerance) {
-      throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', payload, "nbf", "check_failed");
-    }
-  }
-  if (payload.exp !== void 0) {
-    if (typeof payload.exp !== "number") {
-      throw new JWTClaimValidationFailed('"exp" claim must be a number', payload, "exp", "invalid");
-    }
-    if (payload.exp <= now - tolerance) {
-      throw new JWTExpired('"exp" claim timestamp check failed', payload, "exp", "check_failed");
-    }
-  }
-  if (maxTokenAge) {
-    const age = now - payload.iat;
-    const max = typeof maxTokenAge === "number" ? maxTokenAge : secs_default(maxTokenAge);
-    if (age - tolerance > max) {
-      throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', payload, "iat", "check_failed");
-    }
-    if (age < 0 - tolerance) {
-      throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', payload, "iat", "check_failed");
-    }
-  }
-  return payload;
-};
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/jwt/verify.js
-async function jwtVerify(jwt, key, options) {
-  const verified = await compactVerify(jwt, key, options);
-  if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) {
-    throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
-  }
-  const payload = jwt_claims_set_default(verified.protectedHeader, verified.payload, options);
-  const result = { payload, protectedHeader: verified.protectedHeader };
-  if (typeof key === "function") {
-    return { ...result, key: verified.key };
-  }
-  return result;
 }
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/jwks/local.js
-function getKtyFromAlg(alg) {
-  switch (typeof alg === "string" && alg.slice(0, 2)) {
-    case "RS":
-    case "PS":
-      return "RSA";
-    case "ES":
-      return "EC";
-    case "Ed":
-      return "OKP";
-    default:
-      throw new JOSENotSupported('Unsupported "alg" value for a JSON Web Key Set');
-  }
-}
-function isJWKSLike(jwks) {
-  return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
-}
-function isJWKLike(key) {
-  return isObject(key);
-}
-function clone(obj) {
-  if (typeof structuredClone === "function") {
-    return structuredClone(obj);
-  }
-  return JSON.parse(JSON.stringify(obj));
-}
-var LocalJWKSet = class {
-  _jwks;
-  _cached = /* @__PURE__ */ new WeakMap();
-  constructor(jwks) {
-    if (!isJWKSLike(jwks)) {
-      throw new JWKSInvalid("JSON Web Key Set malformed");
-    }
-    this._jwks = clone(jwks);
-  }
-  async getKey(protectedHeader, token) {
-    const { alg, kid } = { ...protectedHeader, ...token?.header };
-    const kty = getKtyFromAlg(alg);
-    const candidates = this._jwks.keys.filter((jwk2) => {
-      let candidate = kty === jwk2.kty;
-      if (candidate && typeof kid === "string") {
-        candidate = kid === jwk2.kid;
-      }
-      if (candidate && typeof jwk2.alg === "string") {
-        candidate = alg === jwk2.alg;
-      }
-      if (candidate && typeof jwk2.use === "string") {
-        candidate = jwk2.use === "sig";
-      }
-      if (candidate && Array.isArray(jwk2.key_ops)) {
-        candidate = jwk2.key_ops.includes("verify");
-      }
-      if (candidate) {
-        switch (alg) {
-          case "ES256":
-            candidate = jwk2.crv === "P-256";
-            break;
-          case "ES256K":
-            candidate = jwk2.crv === "secp256k1";
-            break;
-          case "ES384":
-            candidate = jwk2.crv === "P-384";
-            break;
-          case "ES512":
-            candidate = jwk2.crv === "P-521";
-            break;
-          case "Ed25519":
-            candidate = jwk2.crv === "Ed25519";
-            break;
-          case "EdDSA":
-            candidate = jwk2.crv === "Ed25519" || jwk2.crv === "Ed448";
-            break;
-        }
+// src/lib/pm2-supervisor.ts
+import { execFile as execFile2 } from "child_process";
+import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync3 } from "fs";
+import { join as join3 } from "path";
+import process from "process";
+import { promisify as promisify2 } from "util";
+var execFileAsync2 = promisify2(execFile2);
+var AGENTS_DIR = "/var/openape/nest/agents";
+function pm2AppName(agentName) {
+  return `openape-bridge-${agentName}`;
+}
+function ecosystemPath(agentName) {
+  return join3(AGENTS_DIR, agentName, "ecosystem.config.js");
+}
+function ecosystemContents(apesBin, agentName) {
+  void apesBin;
+  return `// Auto-generated by Pm2Supervisor for agent '${agentName}'.
+// Edit at runtime via:
+//   apes run --as ${agentName} -- pm2 reload ${pm2AppName(agentName)}
+module.exports = {
+  apps: [{
+    name: '${pm2AppName(agentName)}',
+    script: 'openape-chat-bridge',
+    autorestart: true,
+    max_restarts: 10,
+    min_uptime: '30s',
+    restart_delay: 2000,
+    merge_logs: true,
+  }],
+}
+`;
+}
+var Pm2Supervisor = class {
+  constructor(deps) {
+    this.deps = deps;
+  }
+  inflight = /* @__PURE__ */ new Set();
+  /** Bring per-agent pm2 state in line with the registry. Idempotent. */
+  async reconcile(desired) {
+    for (const agent of desired) {
+      if (agent.bridge == null) continue;
+      if (this.inflight.has(agent.name)) continue;
+      this.inflight.add(agent.name);
+      try {
+        await this.startOrReload(agent.name);
+      } catch (err) {
+        this.deps.log(`pm2-supervisor: ${agent.name} startOrReload failed: ${err instanceof Error ? err.message.split("\n")[0] : String(err)}`);
+      } finally {
+        this.inflight.delete(agent.name);
       }
-      return candidate;
-    });
-    const { 0: jwk, length } = candidates;
-    if (length === 0) {
-      throw new JWKSNoMatchingKey();
-    }
-    if (length !== 1) {
-      const error = new JWKSMultipleMatchingKeys();
-      const { _cached } = this;
-      error[Symbol.asyncIterator] = async function* () {
-        for (const jwk2 of candidates) {
-          try {
-            yield await importWithAlgCache(_cached, jwk2, alg);
-          } catch {
-          }
-        }
-      };
-      throw error;
     }
-    return importWithAlgCache(this._cached, jwk, alg);
-  }
-};
-async function importWithAlgCache(cache, jwk, alg) {
-  const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);
-  if (cached[alg] === void 0) {
-    const key = await importJWK({ ...jwk, ext: true }, alg);
-    if (key instanceof Uint8Array || key.type !== "public") {
-      throw new JWKSInvalid("JSON Web Key Set members must be public keys");
-    }
-    cached[alg] = key;
-  }
-  return cached[alg];
-}
-function createLocalJWKSet(jwks) {
-  const set = new LocalJWKSet(jwks);
-  const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
-  Object.defineProperties(localJWKSet, {
-    jwks: {
-      value: () => clone(set._jwks),
-      enumerable: true,
-      configurable: false,
-      writable: false
-    }
-  });
-  return localJWKSet;
-}
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/runtime/fetch_jwks.js
-import * as http from "http";
-import * as https from "https";
-import { once } from "events";
-var fetchJwks = async (url, timeout, options) => {
-  let get3;
-  switch (url.protocol) {
-    case "https:":
-      get3 = https.get;
-      break;
-    case "http:":
-      get3 = http.get;
-      break;
-    default:
-      throw new TypeError("Unsupported URL protocol.");
-  }
-  const { agent, headers } = options;
-  const req = get3(url.href, {
-    agent,
-    timeout,
-    headers
-  });
-  const [response] = await Promise.race([once(req, "response"), once(req, "timeout")]);
-  if (!response) {
-    req.destroy();
-    throw new JWKSTimeout();
-  }
-  if (response.statusCode !== 200) {
-    throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
-  }
-  const parts = [];
-  for await (const part of response) {
-    parts.push(part);
   }
-  try {
-    return JSON.parse(decoder.decode(concat(...parts)));
-  } catch {
-    throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
+  /** Stop one agent's pm2 app — used at destroy time. */
+  async stop(agentName) {
+    const name = pm2AppName(agentName);
+    try {
+      await this.runAsAgent(agentName, ["pm2", "delete", name]);
+      this.deps.log(`pm2-supervisor: deleted ${name}`);
+    } catch (err) {
+      this.deps.log(`pm2-supervisor: delete ${name}: ${err instanceof Error ? err.message.split("\n")[0] : String(err)}`);
+    }
+  }
+  /** Best-effort cleanup — called on Nest shutdown. We don't kill
+   *  the per-agent pm2-daemons; they should keep running so bridges
+   *  stay alive across Nest restarts. No-op for now. */
+  async stopAll() {
+  }
+  async startOrReload(agentName) {
+    const dir = join3(AGENTS_DIR, agentName);
+    mkdirSync3(dir, { recursive: true });
+    const path = ecosystemPath(agentName);
+    writeFileSync3(path, ecosystemContents(this.deps.apesBin, agentName), { mode: 420 });
+    await this.runAsAgent(agentName, ["pm2", "startOrReload", path]);
+    this.deps.log(`pm2-supervisor: ${agentName} bridge (re)started via pm2`);
+  }
+  /** Run a pm2 subcommand AS the agent — escapes-helper does the
+   *  setuid switch, then exec's pm2 in the agent's uid. */
+  async runAsAgent(agentName, args) {
+    return execFileAsync2(
+      this.deps.apesBin,
+      ["run", "--as", agentName, "--wait", "--", ...args],
+      { maxBuffer: 1024 * 1024, env: process.env, timeout: 6e4 }
+    );
   }
 };
-var fetch_jwks_default = fetchJwks;
-// ../../node_modules/.pnpm/jose@5.10.0/node_modules/jose/dist/node/esm/jwks/remote.js
-function isCloudflareWorkers() {
-  return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
-}
-var USER_AGENT;
-if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
-  const NAME = "jose";
-  const VERSION = "v5.10.0";
-  USER_AGENT = `${NAME}/${VERSION}`;
-}
-var jwksCache = /* @__PURE__ */ Symbol();
-function isFreshJwksCache(input, cacheMaxAge) {
-  if (typeof input !== "object" || input === null) {
-    return false;
-  }
-  if (!("uat" in input) || typeof input.uat !== "number" || Date.now() - input.uat >= cacheMaxAge) {
-    return false;
-  }
-  if (!("jwks" in input) || !isObject(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isObject)) {
-    return false;
-  }
-  return true;
-}
-var RemoteJWKSet = class {
-  _url;
-  _timeoutDuration;
-  _cooldownDuration;
-  _cacheMaxAge;
-  _jwksTimestamp;
-  _pendingFetch;
-  _options;
-  _local;
-  _cache;
-  constructor(url, options) {
-    if (!(url instanceof URL)) {
-      throw new TypeError("url must be an instance of URL");
-    }
-    this._url = new URL(url.href);
-    this._options = { agent: options?.agent, headers: options?.headers };
-    this._timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
-    this._cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
-    this._cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
-    if (options?.[jwksCache] !== void 0) {
-      this._cache = options?.[jwksCache];
-      if (isFreshJwksCache(options?.[jwksCache], this._cacheMaxAge)) {
-        this._jwksTimestamp = this._cache.uat;
-        this._local = createLocalJWKSet(this._cache.jwks);
+// src/lib/troop-sync.ts
+import { execFile as execFile3 } from "child_process";
+import process2 from "process";
+import { promisify as promisify3 } from "util";
+var execFileAsync3 = promisify3(execFile3);
+var TICK_MS = 5 * 60 * 1e3;
+var TroopSync = class {
+  constructor(deps) {
+    this.deps = deps;
+  }
+  timer;
+  inflight = false;
+  start() {
+    if (this.timer) return;
+    setTimeout(() => this.tick(), 3e4).unref();
+    this.timer = setInterval(() => this.tick(), TICK_MS);
+    this.deps.log("troop-sync: loop started (interval=5min)");
+  }
+  stop() {
+    if (this.timer) clearInterval(this.timer);
+    this.timer = void 0;
+  }
+  async tick() {
+    if (this.inflight) return;
+    this.inflight = true;
+    try {
+      const agents = listAgents();
+      if (agents.length === 0) return;
+      this.deps.log(`troop-sync: reconciling ${agents.length} agent(s)`);
+      for (const agent of agents) {
+        await this.syncOne(agent.name);
       }
+    } finally {
+      this.inflight = false;
     }
   }
-  coolingDown() {
-    return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cooldownDuration : false;
-  }
-  fresh() {
-    return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cacheMaxAge : false;
-  }
-  async getKey(protectedHeader, token) {
-    if (!this._local || !this.fresh()) {
-      await this.reload();
-    }
+  async syncOne(name) {
     try {
-      return await this._local(protectedHeader, token);
+      await execFileAsync3(
+        this.deps.apesBin,
+        ["run", "--as", name, "--wait", "--", "apes", "agents", "sync"],
+        { maxBuffer: 1024 * 1024, env: process2.env, timeout: 6e4 }
+      );
     } catch (err) {
-      if (err instanceof JWKSNoMatchingKey) {
-        if (this.coolingDown() === false) {
-          await this.reload();
-          return this._local(protectedHeader, token);
-        }
-      }
-      throw err;
-    }
-  }
-  async reload() {
-    if (this._pendingFetch && isCloudflareWorkers()) {
-      this._pendingFetch = void 0;
-    }
-    const headers = new Headers(this._options.headers);
-    if (USER_AGENT && !headers.has("User-Agent")) {
-      headers.set("User-Agent", USER_AGENT);
-      this._options.headers = Object.fromEntries(headers.entries());
+      this.deps.log(`troop-sync: ${name} failed: ${err instanceof Error ? err.message.split("\n")[0] : String(err)}`);
     }
-    this._pendingFetch ||= fetch_jwks_default(this._url, this._timeoutDuration, this._options).then((json) => {
-      this._local = createLocalJWKSet(json);
-      if (this._cache) {
-        this._cache.uat = Date.now();
-        this._cache.jwks = json;
-      }
-      this._jwksTimestamp = Date.now();
-      this._pendingFetch = void 0;
-    }).catch((err) => {
-      this._pendingFetch = void 0;
-      throw err;
-    });
-    await this._pendingFetch;
   }
 };
-function createRemoteJWKSet(url, options) {
-  const set = new RemoteJWKSet(url, options);
-  const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
-  Object.defineProperties(remoteJWKSet, {
-    coolingDown: {
-      get: () => set.coolingDown(),
-      enumerable: true,
-      configurable: false
-    },
-    fresh: {
-      get: () => set.fresh(),
-      enumerable: true,
-      configurable: false
-    },
-    reload: {
-      value: () => set.reload(),
-      enumerable: true,
-      configurable: false,
-      writable: false
-    },
-    reloading: {
-      get: () => !!set._pendingFetch,
-      enumerable: true,
-      configurable: false
-    },
-    jwks: {
-      value: () => set._local?.jwks(),
-      enumerable: true,
-      configurable: false,
-      writable: false
-    }
-  });
-  return remoteJWKSet;
-}
-// ../../packages/core/dist/index.js
-var ALGORITHM = "EdDSA";
-async function verifyJWT(token, keyOrJWKS, options) {
-  const verifyOptions = { algorithms: [ALGORITHM], ...options };
-  const result = typeof keyOrJWKS === "function" ? await jwtVerify(token, keyOrJWKS, verifyOptions) : await jwtVerify(token, keyOrJWKS, verifyOptions);
-  return result;
-}
-function createRemoteJWKS(jwksUri) {
-  return createRemoteJWKSet(new URL(jwksUri));
-}
-// src/lib/auth.ts
-var NEST_AUDIENCE = "nest";
-var idpUrl = process.env.OPENAPE_IDP_URL ?? "https://id.openape.ai";
-var _jwks = null;
-function getJwks() {
-  if (!_jwks) {
-    const url = new URL("/.well-known/jwks.json", idpUrl).toString();
-    _jwks = createRemoteJWKS(url);
-  }
-  return _jwks;
-}
-var NestAuthError = class extends Error {
-  constructor(status, title) {
-    super(title);
-    this.status = status;
-    this.title = title;
-  }
-};
-async function verifyNestGrant(token, expectedCommand) {
-  let claims;
-  try {
-    const result = await verifyJWT(token, getJwks(), {
-      issuer: idpUrl,
-      audience: NEST_AUDIENCE
-    });
-    claims = result.payload;
-  } catch (err) {
-    throw new NestAuthError(401, `Invalid or expired grant token: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  if (typeof claims.sub !== "string" || !claims.sub) {
-    throw new NestAuthError(401, "Grant token missing sub claim");
-  }
-  if (claims.target_host !== hostname()) {
-    throw new NestAuthError(403, `Grant target_host (${claims.target_host}) does not match this nest (${hostname()})`);
-  }
-  const cmd = claims.command ?? [];
-  if (cmd.length !== expectedCommand.length || cmd.some((c, i) => c !== expectedCommand[i])) {
-    throw new NestAuthError(
-      403,
-      `Grant command (${JSON.stringify(cmd)}) does not match this route (${JSON.stringify(expectedCommand)})`
-    );
-  }
-  return { caller: claims.sub, grantId: claims.grant_id, command: cmd };
-}
-async function primeJwksCache(log2) {
-  try {
-    await verifyJWT("eyJhbGciOiJFZERTQSJ9.e30.invalid", getJwks(), {}).catch(() => {
-    });
-    log2(`nest: JWKS primed from ${idpUrl}/.well-known/jwks.json`);
-  } catch (err) {
-    log2(`nest: warning \u2014 JWKS prime failed: ${err instanceof Error ? err.message : String(err)}`);
-  }
-}
 // src/index.ts
-var HOST = "127.0.0.1";
-var PORT = Number(process2.env.OPENAPE_NEST_PORT ?? 9091);
-var APES_BIN = process2.env.OPENAPE_APES_BIN ?? "apes";
+var APES_BIN = process3.env.OPENAPE_APES_BIN ?? "apes";
 function log(line) {
-  process2.stderr.write(`${(/* @__PURE__ */ new Date()).toISOString()}  ${line}
+  process3.stderr.write(`${(/* @__PURE__ */ new Date()).toISOString()}  ${line}
 `);
 }
-async function readJsonBody(req) {
-  const chunks = [];
-  for await (const chunk of req) chunks.push(chunk);
-  if (chunks.length === 0) return {};
-  const text = Buffer.concat(chunks).toString("utf8");
-  if (!text.trim()) return {};
-  try {
-    return JSON.parse(text);
-  } catch {
-    throw new Error("invalid JSON body");
-  }
-}
-function send(res, status, body) {
-  res.writeHead(status, { "content-type": "application/json" });
-  res.end(JSON.stringify(body));
-}
-function sendProblem(res, status, title) {
-  send(res, status, { type: "about:blank", status, title });
-}
-async function requireNestGrant(req, res, expectedCommand) {
-  const auth = req.headers.authorization;
-  if (!auth || !auth.toLowerCase().startsWith("bearer ")) {
-    sendProblem(res, 401, "Bearer grant token required");
-    return null;
-  }
-  const token = auth.slice(7).trim();
-  try {
-    return await verifyNestGrant(token, expectedCommand);
-  } catch (err) {
-    if (err instanceof NestAuthError) {
-      sendProblem(res, err.status, err.title);
-      return null;
-    }
-    sendProblem(res, 401, err instanceof Error ? err.message : String(err));
-    return null;
-  }
-}
-var server = createServer((req, res) => {
-  ;
-  (async () => {
-    try {
-      const url = new URL(req.url ?? "/", `http://${HOST}:${PORT}`);
-      const body = req.method && ["POST", "PUT", "PATCH"].includes(req.method) ? await readJsonBody(req) : {};
-      if (req.method === "GET" && url.pathname === "/status") {
-        const grant = await requireNestGrant(req, res, ["nest", "status"]);
-        if (!grant) return;
-        log(`nest: GET /status authorized (caller=${grant.caller}, grant=${grant.grantId})`);
-        const ctx = { url, body, log, apesBin: APES_BIN, caller: grant.caller, grantId: grant.grantId };
-        return send(res, 200, handleNestStatus(ctx));
-      }
-      if (req.method === "GET" && url.pathname === "/agents") {
-        const grant = await requireNestGrant(req, res, ["nest", "list"]);
-        if (!grant) return;
-        log(`nest: GET /agents authorized (caller=${grant.caller}, grant=${grant.grantId})`);
-        const ctx = { url, body, log, apesBin: APES_BIN, caller: grant.caller, grantId: grant.grantId };
-        return send(res, 200, handleAgentsList(ctx));
-      }
-      if (req.method === "POST" && url.pathname === "/agents") {
-        const name = body?.name;
-        if (typeof name !== "string" || !name) {
-          return sendProblem(res, 400, "POST /agents requires body.name (string)");
-        }
-        const grant = await requireNestGrant(req, res, ["nest", "spawn"]);
-        if (!grant) return;
-        log(`nest: POST /agents (spawn ${name}) authorized (caller=${grant.caller}, grant=${grant.grantId})`);
-        const ctx = { url, body, log, apesBin: APES_BIN, caller: grant.caller, grantId: grant.grantId };
-        const result = await handleAgentSpawn(ctx);
-        return send(res, 201, result);
-      }
-      const destroyMatch = req.method === "DELETE" && url.pathname.match(/^\/agents\/([^/]+)$/);
-      if (destroyMatch) {
-        const name = destroyMatch[1];
-        const grant = await requireNestGrant(req, res, ["nest", "destroy", name]);
-        if (!grant) return;
-        log(`nest: DELETE /agents/${name} authorized (caller=${grant.caller}, grant=${grant.grantId})`);
-        const ctx = { url, body, log, apesBin: APES_BIN, caller: grant.caller, grantId: grant.grantId };
-        const result = await handleAgentDestroy(ctx, name);
-        return send(res, 200, result);
-      }
-      send(res, 404, { error: "not found" });
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      log(`nest: request failed: ${msg}`);
-      send(res, 500, { error: msg });
-    }
-  })();
-});
-void primeJwksCache(log);
-server.listen(PORT, HOST, () => {
-  log(`nest: listening on http://${HOST}:${PORT}`);
+var supervisor = new Pm2Supervisor({ apesBin: APES_BIN, log });
+var troopSync = new TroopSync({ apesBin: APES_BIN, log });
+var intentChannel = new IntentChannel({ apesBin: APES_BIN, supervisor, log });
+void supervisor.reconcile(listAgents()).then(
+  () => log("nest: pm2-supervisor reconciled with registry")
+).catch((err) => {
+  log(`nest: pm2-supervisor reconcile failed: ${err instanceof Error ? err.message : String(err)}`);
 });
-process2.on("SIGTERM", () => {
-  log("nest: SIGTERM \u2014 shutting down");
-  server.close(() => process2.exit(0));
+troopSync.start();
+intentChannel.start();
+var reaperTimer = setInterval(reapStaleResponses, 60 * 60 * 1e3, log);
+process3.on("SIGTERM", () => {
+  log("nest: SIGTERM \u2014 stopping");
+  void supervisor.stopAll();
+  troopSync.stop();
+  intentChannel.stop();
+  clearInterval(reaperTimer);
+  process3.exit(0);
 });
-process2.on("SIGINT", () => {
-  log("nest: SIGINT \u2014 shutting down");
-  server.close(() => process2.exit(0));
+process3.on("SIGINT", () => {
+  log("nest: SIGINT \u2014 stopping");
+  void supervisor.stopAll();
+  troopSync.stop();
+  intentChannel.stop();
+  clearInterval(reaperTimer);
+  process3.exit(0);
 });