@paybond/kit 0.9.8 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (368) hide show
  1. package/completion-presets/catalog.json +1187 -0
  2. package/completion-presets/catalog.sha256 +1 -0
  3. package/dev/trace-ui/dashboard.html +617 -0
  4. package/dist/agent/adapter.d.ts +51 -0
  5. package/dist/agent/adapter.js +66 -0
  6. package/dist/agent/attach-bundle.d.ts +37 -0
  7. package/dist/agent/attach-bundle.js +118 -0
  8. package/dist/agent/authorization-cache.d.ts +22 -0
  9. package/dist/agent/authorization-cache.js +36 -0
  10. package/dist/agent/deferred-tools.d.ts +11 -0
  11. package/dist/agent/deferred-tools.js +62 -0
  12. package/dist/agent/discover.d.ts +41 -0
  13. package/dist/agent/discover.js +147 -0
  14. package/dist/agent/evidence.d.ts +9 -0
  15. package/dist/agent/evidence.js +28 -0
  16. package/dist/agent/facade.d.ts +48 -0
  17. package/dist/agent/facade.js +112 -0
  18. package/dist/agent/gateway-trace-reporter.d.ts +28 -0
  19. package/dist/agent/gateway-trace-reporter.js +49 -0
  20. package/dist/agent/generic-runner.d.ts +14 -0
  21. package/dist/agent/generic-runner.js +49 -0
  22. package/dist/agent/generic-sandbox-demo.d.ts +36 -0
  23. package/dist/agent/generic-sandbox-demo.js +82 -0
  24. package/dist/agent/guarded-agent.d.ts +49 -0
  25. package/dist/agent/guarded-agent.js +100 -0
  26. package/dist/agent/index.d.ts +13 -0
  27. package/dist/agent/index.js +13 -0
  28. package/dist/agent/instrument.d.ts +156 -0
  29. package/dist/agent/instrument.js +442 -0
  30. package/dist/agent/interceptor.d.ts +24 -0
  31. package/dist/agent/interceptor.js +440 -0
  32. package/dist/agent/lazy-context-tools.d.ts +15 -0
  33. package/dist/agent/lazy-context-tools.js +81 -0
  34. package/dist/agent/registry-file.d.ts +39 -0
  35. package/dist/agent/registry-file.js +219 -0
  36. package/dist/agent/registry.d.ts +37 -0
  37. package/dist/agent/registry.js +128 -0
  38. package/dist/agent/run.d.ts +124 -0
  39. package/dist/agent/run.js +301 -0
  40. package/dist/agent/types.d.ts +318 -0
  41. package/dist/agent/types.js +42 -0
  42. package/dist/agent-recognition.d.ts +72 -0
  43. package/dist/agent-recognition.js +165 -0
  44. package/dist/bincode-wire.d.ts +18 -0
  45. package/dist/bincode-wire.js +93 -0
  46. package/dist/claude-agents/config.d.ts +21 -0
  47. package/dist/claude-agents/config.js +145 -0
  48. package/dist/claude-agents/index.d.ts +2 -0
  49. package/dist/claude-agents/index.js +2 -0
  50. package/dist/claude-agents/sandbox-demo.d.ts +30 -0
  51. package/dist/claude-agents/sandbox-demo.js +91 -0
  52. package/dist/cli/agent/env-quote.d.ts +1 -0
  53. package/dist/cli/agent/env-quote.js +6 -0
  54. package/dist/cli/agent/env-write.d.ts +8 -0
  55. package/dist/cli/agent/env-write.js +47 -0
  56. package/dist/cli/agent/paybond.d.ts +16 -0
  57. package/dist/cli/agent/paybond.js +55 -0
  58. package/dist/cli/agent/policy-file.d.ts +29 -0
  59. package/dist/cli/agent/policy-file.js +61 -0
  60. package/dist/cli/agent/production-evidence.d.ts +24 -0
  61. package/dist/cli/agent/production-evidence.js +98 -0
  62. package/dist/cli/agent/run-store.d.ts +30 -0
  63. package/dist/cli/agent/run-store.js +42 -0
  64. package/dist/cli/agent/run-trace-store.d.ts +39 -0
  65. package/dist/cli/agent/run-trace-store.js +143 -0
  66. package/dist/cli/agent-run-trace-table.d.ts +9 -0
  67. package/dist/cli/agent-run-trace-table.js +24 -0
  68. package/dist/cli/agent-sandbox-smoke-checklist.d.ts +9 -0
  69. package/dist/cli/agent-sandbox-smoke-checklist.js +50 -0
  70. package/dist/cli/audit-export.d.ts +7 -0
  71. package/dist/cli/audit-export.js +120 -0
  72. package/dist/cli/automation.d.ts +25 -0
  73. package/dist/cli/automation.js +297 -0
  74. package/dist/cli/body.d.ts +7 -0
  75. package/dist/cli/body.js +22 -0
  76. package/dist/cli/color.d.ts +15 -0
  77. package/dist/cli/color.js +39 -0
  78. package/dist/cli/command-spec.d.ts +13 -0
  79. package/dist/cli/command-spec.js +611 -0
  80. package/dist/cli/commands/agent.d.ts +16 -0
  81. package/dist/cli/commands/agent.js +1135 -0
  82. package/dist/cli/commands/dev.d.ts +7 -0
  83. package/dist/cli/commands/dev.js +348 -0
  84. package/dist/cli/commands/discovery.d.ts +8 -0
  85. package/dist/cli/commands/discovery.js +194 -0
  86. package/dist/cli/commands/policy.d.ts +13 -0
  87. package/dist/cli/commands/policy.js +769 -0
  88. package/dist/cli/commands/setup.d.ts +18 -0
  89. package/dist/cli/commands/setup.js +513 -0
  90. package/dist/cli/commands/workflows.d.ts +7 -0
  91. package/dist/cli/commands/workflows.js +214 -0
  92. package/dist/cli/config.d.ts +16 -0
  93. package/dist/cli/config.js +98 -0
  94. package/dist/cli/context.d.ts +22 -0
  95. package/dist/cli/context.js +110 -0
  96. package/dist/cli/credentials.d.ts +21 -0
  97. package/dist/cli/credentials.js +141 -0
  98. package/dist/cli/doctor-agent-middleware.d.ts +5 -0
  99. package/dist/cli/doctor-agent-middleware.js +49 -0
  100. package/dist/cli/doctor-agent.d.ts +15 -0
  101. package/dist/cli/doctor-agent.js +311 -0
  102. package/dist/cli/envelope.d.ts +14 -0
  103. package/dist/cli/envelope.js +46 -0
  104. package/dist/cli/globals.d.ts +23 -0
  105. package/dist/cli/globals.js +248 -0
  106. package/dist/cli/help.d.ts +3 -0
  107. package/dist/cli/help.js +83 -0
  108. package/dist/cli/mcp-install.d.ts +41 -0
  109. package/dist/cli/mcp-install.js +95 -0
  110. package/dist/cli/mcp-policy.d.ts +26 -0
  111. package/dist/cli/mcp-policy.js +110 -0
  112. package/dist/cli/mcp-verify-config.d.ts +37 -0
  113. package/dist/cli/mcp-verify-config.js +172 -0
  114. package/dist/cli/redact.d.ts +4 -0
  115. package/dist/cli/redact.js +88 -0
  116. package/dist/cli/request-id.d.ts +2 -0
  117. package/dist/cli/request-id.js +5 -0
  118. package/dist/cli/router.d.ts +2 -0
  119. package/dist/cli/router.js +378 -0
  120. package/dist/cli/smoke-deep-links.d.ts +15 -0
  121. package/dist/cli/smoke-deep-links.js +63 -0
  122. package/dist/cli/suggest.d.ts +4 -0
  123. package/dist/cli/suggest.js +58 -0
  124. package/dist/cli/support-diagnostics.d.ts +19 -0
  125. package/dist/cli/support-diagnostics.js +47 -0
  126. package/dist/cli/telemetry.d.ts +17 -0
  127. package/dist/cli/telemetry.js +94 -0
  128. package/dist/cli/types.d.ts +72 -0
  129. package/dist/cli/types.js +60 -0
  130. package/dist/cli/ux.d.ts +8 -0
  131. package/dist/cli/ux.js +164 -0
  132. package/dist/cli.d.ts +2 -0
  133. package/dist/cli.js +38 -0
  134. package/dist/completion-catalog-digest.d.ts +2 -0
  135. package/dist/completion-catalog-digest.js +2 -0
  136. package/dist/completion-catalog-integrity.d.ts +2 -0
  137. package/dist/completion-catalog-integrity.js +17 -0
  138. package/dist/completion-catalog.d.ts +49 -0
  139. package/dist/completion-catalog.js +62 -0
  140. package/dist/completion-contract-digest.d.ts +37 -0
  141. package/dist/completion-contract-digest.js +73 -0
  142. package/dist/completion-forbidden-fields.d.ts +5 -0
  143. package/dist/completion-forbidden-fields.js +26 -0
  144. package/dist/completion-init.d.ts +8 -0
  145. package/dist/completion-init.js +334 -0
  146. package/dist/completion-resolve.d.ts +21 -0
  147. package/dist/completion-resolve.js +86 -0
  148. package/dist/completion-validate-evidence.d.ts +24 -0
  149. package/dist/completion-validate-evidence.js +145 -0
  150. package/dist/dev/offline-gateway.d.ts +24 -0
  151. package/dist/dev/offline-gateway.js +102 -0
  152. package/dist/dev/trace-buffer.d.ts +61 -0
  153. package/dist/dev/trace-buffer.js +330 -0
  154. package/dist/dev/trace-security-headers.d.ts +11 -0
  155. package/dist/dev/trace-security-headers.js +16 -0
  156. package/dist/dev/trace-server.d.ts +8 -0
  157. package/dist/dev/trace-server.js +38 -0
  158. package/dist/dev/trace-ui.d.ts +4 -0
  159. package/dist/dev/trace-ui.js +25 -0
  160. package/dist/dev/wiremock-up.d.ts +15 -0
  161. package/dist/dev/wiremock-up.js +118 -0
  162. package/dist/doctor-completion.d.ts +17 -0
  163. package/dist/doctor-completion.js +428 -0
  164. package/dist/gateway-url.d.ts +7 -0
  165. package/dist/gateway-url.js +69 -0
  166. package/dist/index.d.ts +119 -2
  167. package/dist/index.js +267 -6
  168. package/dist/init.js +380 -68
  169. package/dist/langgraph/awrap-tool-call.d.ts +25 -0
  170. package/dist/langgraph/awrap-tool-call.js +81 -0
  171. package/dist/langgraph/config.d.ts +13 -0
  172. package/dist/langgraph/config.js +11 -0
  173. package/dist/langgraph/index.d.ts +4 -0
  174. package/dist/langgraph/index.js +4 -0
  175. package/dist/langgraph/sandbox-demo.d.ts +40 -0
  176. package/dist/langgraph/sandbox-demo.js +96 -0
  177. package/dist/langgraph/tool-node.d.ts +10 -0
  178. package/dist/langgraph/tool-node.js +38 -0
  179. package/dist/login.d.ts +14 -1
  180. package/dist/login.js +130 -63
  181. package/dist/mcp/index.d.ts +1 -0
  182. package/dist/mcp/index.js +1 -0
  183. package/dist/mcp/tool-surface.d.ts +25 -0
  184. package/dist/mcp/tool-surface.js +17 -0
  185. package/dist/mcp-capability-token-cache.d.ts +24 -0
  186. package/dist/mcp-capability-token-cache.js +101 -0
  187. package/dist/mcp-evidence-policy.d.ts +48 -0
  188. package/dist/mcp-evidence-policy.js +117 -0
  189. package/dist/mcp-policy-reload.d.ts +79 -0
  190. package/dist/mcp-policy-reload.js +200 -0
  191. package/dist/mcp-sep2828-evidence.d.ts +36 -0
  192. package/dist/mcp-sep2828-evidence.js +65 -0
  193. package/dist/mcp-server.d.ts +10 -0
  194. package/dist/mcp-server.js +423 -115
  195. package/dist/openai-agents/index.d.ts +40 -0
  196. package/dist/openai-agents/index.js +151 -0
  197. package/dist/openai-agents/sandbox-demo.d.ts +34 -0
  198. package/dist/openai-agents/sandbox-demo.js +118 -0
  199. package/dist/payee-evidence.js +2 -29
  200. package/dist/policy/catalog.d.ts +31 -0
  201. package/dist/policy/catalog.js +48 -0
  202. package/dist/policy/compose-utils.d.ts +3 -0
  203. package/dist/policy/compose-utils.js +4 -0
  204. package/dist/policy/compose.d.ts +20 -0
  205. package/dist/policy/compose.js +240 -0
  206. package/dist/policy/digest.d.ts +7 -0
  207. package/dist/policy/digest.js +75 -0
  208. package/dist/policy/domain.d.ts +15 -0
  209. package/dist/policy/domain.js +28 -0
  210. package/dist/policy/guardrail-spec.d.ts +17 -0
  211. package/dist/policy/guardrail-spec.js +140 -0
  212. package/dist/policy/guardrails.d.ts +48 -0
  213. package/dist/policy/guardrails.js +72 -0
  214. package/dist/policy/index.d.ts +21 -0
  215. package/dist/policy/index.js +21 -0
  216. package/dist/policy/init.d.ts +102 -0
  217. package/dist/policy/init.js +351 -0
  218. package/dist/policy/intent-spec.d.ts +52 -0
  219. package/dist/policy/intent-spec.js +176 -0
  220. package/dist/policy/json-path.d.ts +4 -0
  221. package/dist/policy/json-path.js +23 -0
  222. package/dist/policy/layers-io.d.ts +7 -0
  223. package/dist/policy/layers-io.js +28 -0
  224. package/dist/policy/load-effective.d.ts +22 -0
  225. package/dist/policy/load-effective.js +77 -0
  226. package/dist/policy/load.d.ts +85 -0
  227. package/dist/policy/load.js +164 -0
  228. package/dist/policy/merge.d.ts +29 -0
  229. package/dist/policy/merge.js +297 -0
  230. package/dist/policy/parse-text.d.ts +2 -0
  231. package/dist/policy/parse-text.js +126 -0
  232. package/dist/policy/policy-api.d.ts +45 -0
  233. package/dist/policy/policy-api.js +61 -0
  234. package/dist/policy/presets.d.ts +19 -0
  235. package/dist/policy/presets.js +66 -0
  236. package/dist/policy/registry.d.ts +7 -0
  237. package/dist/policy/registry.js +33 -0
  238. package/dist/policy/reload.d.ts +86 -0
  239. package/dist/policy/reload.js +233 -0
  240. package/dist/policy/render-yaml.d.ts +3 -0
  241. package/dist/policy/render-yaml.js +69 -0
  242. package/dist/policy/sandbox-bootstrap.d.ts +19 -0
  243. package/dist/policy/sandbox-bootstrap.js +66 -0
  244. package/dist/policy/schema.d.ts +204 -0
  245. package/dist/policy/schema.js +255 -0
  246. package/dist/policy/snapshot.d.ts +33 -0
  247. package/dist/policy/snapshot.js +23 -0
  248. package/dist/policy/validate-remote.d.ts +43 -0
  249. package/dist/policy/validate-remote.js +104 -0
  250. package/dist/policy/validate.d.ts +36 -0
  251. package/dist/policy/validate.js +150 -0
  252. package/dist/policy/watcher.d.ts +29 -0
  253. package/dist/policy/watcher.js +112 -0
  254. package/dist/principal-intent.d.ts +52 -0
  255. package/dist/principal-intent.js +193 -37
  256. package/dist/project-init.d.ts +34 -0
  257. package/dist/project-init.js +898 -0
  258. package/dist/sep2828-signature.d.ts +10 -0
  259. package/dist/sep2828-signature.js +134 -0
  260. package/dist/solutions/api.d.ts +22 -0
  261. package/dist/solutions/api.js +40 -0
  262. package/dist/solutions/catalog.d.ts +34 -0
  263. package/dist/solutions/catalog.js +129 -0
  264. package/dist/solutions/index.d.ts +2 -0
  265. package/dist/solutions/index.js +2 -0
  266. package/dist/template-init.d.ts +54 -0
  267. package/dist/template-init.js +203 -0
  268. package/dist/vercel-ai/config.d.ts +15 -0
  269. package/dist/vercel-ai/config.js +13 -0
  270. package/dist/vercel-ai/index.d.ts +4 -0
  271. package/dist/vercel-ai/index.js +4 -0
  272. package/dist/vercel-ai/sandbox-demo.d.ts +44 -0
  273. package/dist/vercel-ai/sandbox-demo.js +153 -0
  274. package/dist/vercel-ai/tool-approval.d.ts +16 -0
  275. package/dist/vercel-ai/tool-approval.js +41 -0
  276. package/dist/vercel-ai/wrap-tools.d.ts +9 -0
  277. package/dist/vercel-ai/wrap-tools.js +40 -0
  278. package/dist/x402-receipt-evidence.d.ts +29 -0
  279. package/dist/x402-receipt-evidence.js +97 -0
  280. package/dist/x402-receipt-signature.d.ts +12 -0
  281. package/dist/x402-receipt-signature.js +211 -0
  282. package/package.json +79 -4
  283. package/solutions/aws.json +17 -0
  284. package/solutions/saas.json +17 -0
  285. package/solutions/shopping.json +17 -0
  286. package/solutions/travel.json +18 -0
  287. package/templates/manifest.json +169 -0
  288. package/templates/openai-shopping-agent/.env.example +3 -0
  289. package/templates/openai-shopping-agent/.github/workflows/smoke.yml +20 -0
  290. package/templates/openai-shopping-agent/LICENSE +201 -0
  291. package/templates/openai-shopping-agent/README.md +29 -0
  292. package/templates/openai-shopping-agent/package.json +22 -0
  293. package/templates/openai-shopping-agent/paybond.policy.yaml +22 -0
  294. package/templates/openai-shopping-agent/src/index.ts +22 -0
  295. package/templates/openai-shopping-agent/src/paybond.config.ts +51 -0
  296. package/templates/openai-shopping-agent/tsconfig.json +13 -0
  297. package/templates/paybond-aws-operator/.env.example +3 -0
  298. package/templates/paybond-aws-operator/.github/workflows/smoke.yml +20 -0
  299. package/templates/paybond-aws-operator/LICENSE +201 -0
  300. package/templates/paybond-aws-operator/README.md +29 -0
  301. package/templates/paybond-aws-operator/package.json +20 -0
  302. package/templates/paybond-aws-operator/paybond.policy.yaml +22 -0
  303. package/templates/paybond-aws-operator/src/index.ts +54 -0
  304. package/templates/paybond-aws-operator/src/paybond.config.ts +51 -0
  305. package/templates/paybond-aws-operator/tsconfig.json +13 -0
  306. package/templates/paybond-claude-agents-demo/.env.example +3 -0
  307. package/templates/paybond-claude-agents-demo/.github/workflows/smoke.yml +20 -0
  308. package/templates/paybond-claude-agents-demo/LICENSE +201 -0
  309. package/templates/paybond-claude-agents-demo/README.md +29 -0
  310. package/templates/paybond-claude-agents-demo/package.json +22 -0
  311. package/templates/paybond-claude-agents-demo/paybond.policy.yaml +22 -0
  312. package/templates/paybond-claude-agents-demo/src/index.ts +22 -0
  313. package/templates/paybond-claude-agents-demo/src/paybond.config.ts +51 -0
  314. package/templates/paybond-claude-agents-demo/tsconfig.json +13 -0
  315. package/templates/paybond-invoice-agent/.env.example +3 -0
  316. package/templates/paybond-invoice-agent/.github/workflows/smoke.yml +19 -0
  317. package/templates/paybond-invoice-agent/LICENSE +201 -0
  318. package/templates/paybond-invoice-agent/README.md +29 -0
  319. package/templates/paybond-invoice-agent/app.py +27 -0
  320. package/templates/paybond-invoice-agent/package.json +6 -0
  321. package/templates/paybond-invoice-agent/paybond.policy.yaml +22 -0
  322. package/templates/paybond-invoice-agent/paybond_config.py +45 -0
  323. package/templates/paybond-invoice-agent/requirements.txt +2 -0
  324. package/templates/paybond-mcp-coding-agent/.env.example +3 -0
  325. package/templates/paybond-mcp-coding-agent/.github/workflows/smoke.yml +20 -0
  326. package/templates/paybond-mcp-coding-agent/LICENSE +201 -0
  327. package/templates/paybond-mcp-coding-agent/README.md +39 -0
  328. package/templates/paybond-mcp-coding-agent/package.json +20 -0
  329. package/templates/paybond-mcp-coding-agent/paybond.policy.yaml +25 -0
  330. package/templates/paybond-mcp-coding-agent/src/index.ts +40 -0
  331. package/templates/paybond-mcp-coding-agent/src/paybond.config.ts +51 -0
  332. package/templates/paybond-mcp-coding-agent/tsconfig.json +13 -0
  333. package/templates/paybond-openai-agents-demo/.env.example +3 -0
  334. package/templates/paybond-openai-agents-demo/.github/workflows/smoke.yml +20 -0
  335. package/templates/paybond-openai-agents-demo/LICENSE +201 -0
  336. package/templates/paybond-openai-agents-demo/README.md +29 -0
  337. package/templates/paybond-openai-agents-demo/package.json +22 -0
  338. package/templates/paybond-openai-agents-demo/paybond.policy.yaml +22 -0
  339. package/templates/paybond-openai-agents-demo/src/index.ts +22 -0
  340. package/templates/paybond-openai-agents-demo/src/paybond.config.ts +51 -0
  341. package/templates/paybond-openai-agents-demo/tsconfig.json +13 -0
  342. package/templates/paybond-procurement-agent/.env.example +3 -0
  343. package/templates/paybond-procurement-agent/.github/workflows/smoke.yml +20 -0
  344. package/templates/paybond-procurement-agent/LICENSE +201 -0
  345. package/templates/paybond-procurement-agent/README.md +29 -0
  346. package/templates/paybond-procurement-agent/package.json +20 -0
  347. package/templates/paybond-procurement-agent/paybond.policy.yaml +25 -0
  348. package/templates/paybond-procurement-agent/src/index.ts +54 -0
  349. package/templates/paybond-procurement-agent/src/paybond.config.ts +51 -0
  350. package/templates/paybond-procurement-agent/tsconfig.json +13 -0
  351. package/templates/paybond-travel-agent/.env.example +3 -0
  352. package/templates/paybond-travel-agent/.github/workflows/smoke.yml +20 -0
  353. package/templates/paybond-travel-agent/LICENSE +201 -0
  354. package/templates/paybond-travel-agent/README.md +29 -0
  355. package/templates/paybond-travel-agent/package.json +23 -0
  356. package/templates/paybond-travel-agent/paybond.policy.yaml +22 -0
  357. package/templates/paybond-travel-agent/src/index.ts +22 -0
  358. package/templates/paybond-travel-agent/src/paybond.config.ts +51 -0
  359. package/templates/paybond-travel-agent/tsconfig.json +13 -0
  360. package/templates/paybond-vercel-shopping-agent/.env.example +3 -0
  361. package/templates/paybond-vercel-shopping-agent/.github/workflows/smoke.yml +20 -0
  362. package/templates/paybond-vercel-shopping-agent/LICENSE +201 -0
  363. package/templates/paybond-vercel-shopping-agent/README.md +29 -0
  364. package/templates/paybond-vercel-shopping-agent/package.json +22 -0
  365. package/templates/paybond-vercel-shopping-agent/paybond.policy.yaml +22 -0
  366. package/templates/paybond-vercel-shopping-agent/src/index.ts +22 -0
  367. package/templates/paybond-vercel-shopping-agent/src/paybond.config.ts +51 -0
  368. package/templates/paybond-vercel-shopping-agent/tsconfig.json +13 -0
@@ -0,0 +1,47 @@
1
+ import { readFile, writeFile } from "node:fs/promises";
2
+ import { resolve } from "node:path";
3
+ import { quoteEnvValue } from "./env-quote.js";
4
+ export async function appendAgentRunEnvVars(input) {
5
+ const envPath = resolve(input.cwd, input.envFile);
6
+ let existing = "";
7
+ try {
8
+ existing = await readFile(envPath, "utf8");
9
+ }
10
+ catch (err) {
11
+ if (!(err && typeof err === "object" && "code" in err && err.code === "ENOENT")) {
12
+ throw err;
13
+ }
14
+ }
15
+ const lines = [
16
+ `PAYBOND_INTENT_ID=${quoteEnvValue(input.intentId)}`,
17
+ `PAYBOND_CAPABILITY_TOKEN=${quoteEnvValue(input.capabilityToken)}`,
18
+ `PAYBOND_RUN_ID=${quoteEnvValue(input.runId)}`,
19
+ ];
20
+ const updates = new Map();
21
+ for (const line of lines) {
22
+ const key = line.split("=", 1)[0];
23
+ updates.set(key, line);
24
+ }
25
+ const output = [];
26
+ const seen = new Set();
27
+ for (const rawLine of existing.split(/\r?\n/)) {
28
+ const match = /^(\s*(?:export\s+)?([A-Z0-9_]+)\s*=)/.exec(rawLine);
29
+ if (match && updates.has(match[2])) {
30
+ output.push(updates.get(match[2]));
31
+ seen.add(match[2]);
32
+ continue;
33
+ }
34
+ output.push(rawLine);
35
+ }
36
+ for (const [key, line] of updates) {
37
+ if (!seen.has(key)) {
38
+ output.push(line);
39
+ }
40
+ }
41
+ let body = output.join("\n");
42
+ if (body.length > 0 && !body.endsWith("\n")) {
43
+ body += "\n";
44
+ }
45
+ await writeFile(envPath, body, { encoding: "utf8", mode: 0o600 });
46
+ return envPath;
47
+ }
@@ -0,0 +1,16 @@
1
+ import { Paybond, type PaybondEnvironment } from "../../index.js";
2
+ import type { CliContext } from "../context.js";
3
+ export declare function apiKeyEnvironment(apiKey: string): PaybondEnvironment | "unknown";
4
+ export declare function assertAgentSandboxDefault(apiKey: string, production: boolean): void;
5
+ export type PaybondAgentCliSession = {
6
+ paybond: Paybond;
7
+ apiKey: string;
8
+ warnings: string[];
9
+ };
10
+ /**
11
+ * Open a Paybond SDK session and run gateway-backed agent middleware work while
12
+ * `ctx.fetch` is patched (bootstrap, verify, evidence, spend complete).
13
+ */
14
+ export declare function withPaybondAgentCli<T>(ctx: CliContext, production: boolean, handler: (session: PaybondAgentCliSession) => Promise<T>): Promise<T>;
15
+ /** @deprecated Use {@link withPaybondAgentCli} so SDK gateway calls stay on `ctx.fetch`. */
16
+ export declare function openPaybondForAgentCli(ctx: CliContext, production: boolean): Promise<PaybondAgentCliSession>;
@@ -0,0 +1,55 @@
1
+ import { Paybond } from "../../index.js";
2
+ import { resolveApiKeyWithMeta } from "../credentials.js";
3
+ import { CliError } from "../types.js";
4
+ export function apiKeyEnvironment(apiKey) {
5
+ if (apiKey.includes("_sandbox_")) {
6
+ return "sandbox";
7
+ }
8
+ if (apiKey.includes("_live_")) {
9
+ return "live";
10
+ }
11
+ return "unknown";
12
+ }
13
+ export function assertAgentSandboxDefault(apiKey, production) {
14
+ if (production) {
15
+ return;
16
+ }
17
+ const env = apiKeyEnvironment(apiKey);
18
+ if (env === "live") {
19
+ throw new CliError("agent commands default to sandbox-only; pass --production to use live credentials", {
20
+ category: "validation",
21
+ code: "cli.agent.production_required",
22
+ exitCode: 1,
23
+ });
24
+ }
25
+ }
26
+ /**
27
+ * Open a Paybond SDK session and run gateway-backed agent middleware work while
28
+ * `ctx.fetch` is patched (bootstrap, verify, evidence, spend complete).
29
+ */
30
+ export async function withPaybondAgentCli(ctx, production, handler) {
31
+ const resolved = await resolveApiKeyWithMeta(ctx.globals, ctx.cwd);
32
+ assertAgentSandboxDefault(resolved.apiKey, production);
33
+ const expectedEnvironment = production ? undefined : "sandbox";
34
+ const originalFetch = globalThis.fetch;
35
+ globalThis.fetch = ctx.fetch;
36
+ try {
37
+ const paybond = await Paybond.open({
38
+ apiKey: resolved.apiKey,
39
+ gatewayBaseUrl: ctx.globals.gateway,
40
+ expectedEnvironment,
41
+ });
42
+ return await handler({
43
+ paybond,
44
+ apiKey: resolved.apiKey,
45
+ warnings: resolved.warnings,
46
+ });
47
+ }
48
+ finally {
49
+ globalThis.fetch = originalFetch;
50
+ }
51
+ }
52
+ /** @deprecated Use {@link withPaybondAgentCli} so SDK gateway calls stay on `ctx.fetch`. */
53
+ export async function openPaybondForAgentCli(ctx, production) {
54
+ return withPaybondAgentCli(ctx, production, async (session) => session);
55
+ }
@@ -0,0 +1,29 @@
1
+ import type { PaybondToolRegistry } from "../../agent/registry.js";
2
+ import type { PaybondRunBindingSandboxBootstrapInput } from "../../agent/types.js";
3
+ import { PaybondPolicy } from "../../policy/load.js";
4
+ import { type PaybondPolicySnapshot } from "../../policy/snapshot.js";
5
+ export type ResolvedAgentPolicyBind = {
6
+ policyPath: string;
7
+ policy: PaybondPolicy;
8
+ registry: PaybondToolRegistry;
9
+ policySnapshot: PaybondPolicySnapshot;
10
+ defaultDeny: boolean;
11
+ bootstrap?: PaybondRunBindingSandboxBootstrapInput;
12
+ operation: string;
13
+ completionPreset?: string;
14
+ };
15
+ /** Resolve bind inputs from persisted policy file content (CLI re-attach for reload). */
16
+ export declare function resolveAgentPolicyBindFromContent(options: {
17
+ policyPath: string;
18
+ content: string;
19
+ operation?: string;
20
+ requestedSpendCents?: number;
21
+ forAttach?: boolean;
22
+ }): ResolvedAgentPolicyBind;
23
+ export declare function resolveAgentPolicyBind(options: {
24
+ cwd: string;
25
+ policyFile: string;
26
+ operation?: string;
27
+ requestedSpendCents?: number;
28
+ forAttach?: boolean;
29
+ }): Promise<ResolvedAgentPolicyBind>;
@@ -0,0 +1,61 @@
1
+ import { resolve } from "node:path";
2
+ import { PaybondPolicy } from "../../policy/load.js";
3
+ import { parsePolicyDocumentText } from "../../policy/parse-text.js";
4
+ import { parsePaybondPolicyDocument, parsePaybondPolicyDocumentV1 } from "../../policy/schema.js";
5
+ import { PaybondPolicySandboxBootstrapError } from "../../policy/sandbox-bootstrap.js";
6
+ import { createPolicySnapshot } from "../../policy/snapshot.js";
7
+ function resolveAgentPolicyDocument(policyPath, content) {
8
+ const raw = parsePolicyDocumentText(content, policyPath);
9
+ const document = parsePaybondPolicyDocument(raw);
10
+ return PaybondPolicy.fromDocument(parsePaybondPolicyDocumentV1(document));
11
+ }
12
+ function finalizeAgentPolicyBind(policyPath, policy, options) {
13
+ const registry = policy.toToolRegistry();
14
+ const defaultDeny = policy.defaultDeny;
15
+ const policySnapshot = createPolicySnapshot({
16
+ document: policy.document,
17
+ registry,
18
+ source: "file",
19
+ });
20
+ if (options.forAttach) {
21
+ const sideEffecting = Object.entries(policy.document.tools).find(([, entry]) => entry.side_effecting);
22
+ const operation = options.operation?.trim() ||
23
+ (sideEffecting
24
+ ? sideEffecting[1].operation?.trim() || sideEffecting[0]
25
+ : "");
26
+ return { policyPath, policy, registry, policySnapshot, defaultDeny, operation };
27
+ }
28
+ const bootstrap = policy.sandboxBootstrap({
29
+ operation: options.operation,
30
+ requestedSpendCents: options.requestedSpendCents,
31
+ });
32
+ return {
33
+ policyPath,
34
+ policy,
35
+ registry,
36
+ policySnapshot,
37
+ defaultDeny,
38
+ bootstrap,
39
+ operation: bootstrap.operation,
40
+ completionPreset: bootstrap.completionPreset,
41
+ };
42
+ }
43
+ /** Resolve bind inputs from persisted policy file content (CLI re-attach for reload). */
44
+ export function resolveAgentPolicyBindFromContent(options) {
45
+ const policy = resolveAgentPolicyDocument(options.policyPath, options.content);
46
+ return finalizeAgentPolicyBind(options.policyPath, policy, options);
47
+ }
48
+ export async function resolveAgentPolicyBind(options) {
49
+ const policyPath = resolve(options.cwd, options.policyFile);
50
+ let policy;
51
+ try {
52
+ policy = await PaybondPolicy.load(policyPath);
53
+ }
54
+ catch (err) {
55
+ if (err instanceof PaybondPolicySandboxBootstrapError) {
56
+ throw err;
57
+ }
58
+ throw err;
59
+ }
60
+ return finalizeAgentPolicyBind(policyPath, policy, options);
61
+ }
@@ -0,0 +1,24 @@
1
+ import type { PaybondRunProductionEvidenceCredentials } from "../../agent/types.js";
2
+ export type PersistedProductionEvidence = {
3
+ payee_did: string;
4
+ agent_recognition_key_id: string;
5
+ };
6
+ /** Resolve production auto-evidence credentials from CLI flags and APP_* env fallbacks. */
7
+ export declare function resolveProductionEvidenceFromCli(input: {
8
+ cwd: string;
9
+ envFile: string;
10
+ payeeDid?: string;
11
+ payeeSigningSeedHex?: string;
12
+ agentRecognitionKeyId?: string;
13
+ agentRecognitionSigningSeedHex?: string;
14
+ }): Promise<PaybondRunProductionEvidenceCredentials>;
15
+ export declare function productionEvidenceToPersisted(credentials: PaybondRunProductionEvidenceCredentials): PersistedProductionEvidence;
16
+ /** Re-supply signing seeds at tool execute (or other re-attach) time; metadata comes from the run store. */
17
+ export declare function resolveProductionEvidenceForReattach(input: {
18
+ cwd: string;
19
+ envFile: string;
20
+ persisted: PersistedProductionEvidence;
21
+ payeeSigningSeedHex?: string;
22
+ agentRecognitionSigningSeedHex?: string;
23
+ command?: string;
24
+ }): Promise<PaybondRunProductionEvidenceCredentials>;
@@ -0,0 +1,98 @@
1
+ import { readFile } from "node:fs/promises";
2
+ import { resolve } from "node:path";
3
+ import { readEnvFileValue } from "../credentials.js";
4
+ import { CliError } from "../types.js";
5
+ function resolveEnvPath(cwd, envFile) {
6
+ return resolve(cwd, envFile);
7
+ }
8
+ async function readConfiguredEnvValue(cwd, envFile, key) {
9
+ const fromProcess = process.env[key]?.trim();
10
+ if (fromProcess) {
11
+ return fromProcess;
12
+ }
13
+ try {
14
+ const body = await readFile(resolveEnvPath(cwd, envFile), "utf8");
15
+ return readEnvFileValue(body, key);
16
+ }
17
+ catch (err) {
18
+ if (err && typeof err === "object" && "code" in err && err.code === "ENOENT") {
19
+ return undefined;
20
+ }
21
+ throw err;
22
+ }
23
+ }
24
+ function parseSeed32Hex(raw, field) {
25
+ const hex = raw.trim().replace(/^0x/i, "");
26
+ if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
27
+ throw new CliError(`${field} must be a 32-byte Ed25519 seed (64 hex characters)`, {
28
+ category: "usage",
29
+ code: "cli.agent.invalid_signing_seed",
30
+ details: { field },
31
+ });
32
+ }
33
+ const out = new Uint8Array(32);
34
+ for (let i = 0; i < 32; i++) {
35
+ out[i] = Number.parseInt(hex.slice(i * 2, i * 2 + 2), 16);
36
+ }
37
+ return out;
38
+ }
39
+ /** Resolve production auto-evidence credentials from CLI flags and APP_* env fallbacks. */
40
+ export async function resolveProductionEvidenceFromCli(input) {
41
+ const payeeDid = input.payeeDid?.trim() ||
42
+ (await readConfiguredEnvValue(input.cwd, input.envFile, "APP_PAYEE_DID"));
43
+ const payeeSigningSeedHex = input.payeeSigningSeedHex?.trim() ||
44
+ (await readConfiguredEnvValue(input.cwd, input.envFile, "APP_PAYEE_SEED_HEX"));
45
+ const agentRecognitionKeyId = input.agentRecognitionKeyId?.trim() ||
46
+ (await readConfiguredEnvValue(input.cwd, input.envFile, "APP_AGENT_RECOGNITION_KEY_ID"));
47
+ const agentRecognitionSigningSeedHex = input.agentRecognitionSigningSeedHex?.trim() ||
48
+ (await readConfiguredEnvValue(input.cwd, input.envFile, "APP_AGENT_RECOGNITION_SEED_HEX"));
49
+ if (!payeeDid) {
50
+ throw new CliError("production attach requires --payee-did or APP_PAYEE_DID", { category: "usage", code: "cli.agent.production_evidence_incomplete" });
51
+ }
52
+ if (!payeeSigningSeedHex) {
53
+ throw new CliError("production attach requires --payee-signing-seed-hex or APP_PAYEE_SEED_HEX", { category: "usage", code: "cli.agent.production_evidence_incomplete" });
54
+ }
55
+ if (!agentRecognitionKeyId) {
56
+ throw new CliError("production attach requires --agent-recognition-key-id or APP_AGENT_RECOGNITION_KEY_ID", { category: "usage", code: "cli.agent.production_evidence_incomplete" });
57
+ }
58
+ if (!agentRecognitionSigningSeedHex) {
59
+ throw new CliError("production attach requires --agent-recognition-signing-seed-hex or APP_AGENT_RECOGNITION_SEED_HEX", { category: "usage", code: "cli.agent.production_evidence_incomplete" });
60
+ }
61
+ return {
62
+ payeeDid,
63
+ payeeSigningSeed: parseSeed32Hex(payeeSigningSeedHex, "--payee-signing-seed-hex"),
64
+ agentRecognitionKeyId,
65
+ agentRecognitionSigningSeed: parseSeed32Hex(agentRecognitionSigningSeedHex, "--agent-recognition-signing-seed-hex"),
66
+ };
67
+ }
68
+ export function productionEvidenceToPersisted(credentials) {
69
+ return {
70
+ payee_did: credentials.payeeDid,
71
+ agent_recognition_key_id: credentials.agentRecognitionKeyId,
72
+ };
73
+ }
74
+ /** Re-supply signing seeds at tool execute (or other re-attach) time; metadata comes from the run store. */
75
+ export async function resolveProductionEvidenceForReattach(input) {
76
+ const command = input.command ?? "agent tool execute";
77
+ const payeeDid = input.persisted.payee_did?.trim() ?? "";
78
+ const keyId = input.persisted.agent_recognition_key_id?.trim() ?? "";
79
+ if (!payeeDid || !keyId) {
80
+ throw new CliError("run is missing production_evidence metadata; re-bind with production attach flags", { category: "validation", code: "cli.agent.missing_production_evidence" });
81
+ }
82
+ const payeeSigningSeedHex = input.payeeSigningSeedHex?.trim() ||
83
+ (await readConfiguredEnvValue(input.cwd, input.envFile, "APP_PAYEE_SEED_HEX"));
84
+ const agentRecognitionSigningSeedHex = input.agentRecognitionSigningSeedHex?.trim() ||
85
+ (await readConfiguredEnvValue(input.cwd, input.envFile, "APP_AGENT_RECOGNITION_SEED_HEX"));
86
+ if (!payeeSigningSeedHex) {
87
+ throw new CliError(`${command} requires --payee-signing-seed-hex or APP_PAYEE_SEED_HEX for production runs`, { category: "usage", code: "cli.agent.production_signing_seed_required" });
88
+ }
89
+ if (!agentRecognitionSigningSeedHex) {
90
+ throw new CliError(`${command} requires --agent-recognition-signing-seed-hex or APP_AGENT_RECOGNITION_SEED_HEX for production runs`, { category: "usage", code: "cli.agent.production_signing_seed_required" });
91
+ }
92
+ return {
93
+ payeeDid,
94
+ payeeSigningSeed: parseSeed32Hex(payeeSigningSeedHex, "--payee-signing-seed-hex"),
95
+ agentRecognitionKeyId: keyId,
96
+ agentRecognitionSigningSeed: parseSeed32Hex(agentRecognitionSigningSeedHex, "--agent-recognition-signing-seed-hex"),
97
+ };
98
+ }
@@ -0,0 +1,30 @@
1
+ import type { PersistedProductionEvidence } from "./production-evidence.js";
2
+ export type PersistedAgentRunContext = {
3
+ run_id: string;
4
+ tenant_id: string;
5
+ intent_id: string;
6
+ capability_token: string;
7
+ operation: string;
8
+ allowed_tools: string[];
9
+ sandbox: boolean;
10
+ sandbox_lifecycle_status?: string;
11
+ requested_spend_cents?: number;
12
+ completion_preset?: string;
13
+ registry_file?: string;
14
+ default_deny?: boolean;
15
+ policy_digest?: string;
16
+ policy_version?: string;
17
+ policy_loaded_at?: string;
18
+ reload_watch?: boolean;
19
+ reload_poll?: boolean;
20
+ last_reload_at?: string;
21
+ /** Raw policy file content at last successful bind/reload (for CLI re-attach). */
22
+ policy_bind_content?: string;
23
+ /** Production auto-evidence credentials for non-sandbox attach binds. */
24
+ production_evidence?: PersistedProductionEvidence;
25
+ created_at: string;
26
+ };
27
+ export declare function agentRunsDir(cwd: string): string;
28
+ export declare function agentRunFilePath(cwd: string, runId: string): string;
29
+ export declare function persistAgentRunContext(cwd: string, context: PersistedAgentRunContext): Promise<string>;
30
+ export declare function loadAgentRunContext(cwd: string, runId: string): Promise<PersistedAgentRunContext>;
@@ -0,0 +1,42 @@
1
+ import { mkdir, readFile } from "node:fs/promises";
2
+ import { join } from "node:path";
3
+ import { writeAtomicFileAsync } from "../automation.js";
4
+ import { CliError } from "../types.js";
5
+ export function agentRunsDir(cwd) {
6
+ return join(cwd, ".paybond", "runs");
7
+ }
8
+ export function agentRunFilePath(cwd, runId) {
9
+ return join(agentRunsDir(cwd), `${runId.trim()}.json`);
10
+ }
11
+ export async function persistAgentRunContext(cwd, context) {
12
+ const path = agentRunFilePath(cwd, context.run_id);
13
+ await mkdir(agentRunsDir(cwd), { recursive: true });
14
+ await writeAtomicFileAsync(path, `${JSON.stringify(context, null, 2)}\n`, 0o600);
15
+ return path;
16
+ }
17
+ export async function loadAgentRunContext(cwd, runId) {
18
+ const path = agentRunFilePath(cwd, runId.trim());
19
+ let raw;
20
+ try {
21
+ raw = await readFile(path, "utf8");
22
+ }
23
+ catch (err) {
24
+ if (err && typeof err === "object" && "code" in err && err.code === "ENOENT") {
25
+ throw new CliError(`unknown run_id "${runId}"; run paybond agent run bind first`, {
26
+ category: "validation",
27
+ code: "cli.agent.unknown_run_id",
28
+ exitCode: 1,
29
+ details: { run_id: runId, path },
30
+ });
31
+ }
32
+ throw err;
33
+ }
34
+ const parsed = JSON.parse(raw);
35
+ if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
36
+ throw new CliError(`invalid run context at ${path}`, {
37
+ category: "validation",
38
+ code: "cli.agent.invalid_run_context",
39
+ });
40
+ }
41
+ return parsed;
42
+ }
@@ -0,0 +1,39 @@
1
+ import type { PaybondTraceEvent, PaybondTraceSink } from "../../agent/types.js";
2
+ import type { PaybondAgentRun } from "../../agent/run.js";
3
+ import { type AgentRunUpsertInput } from "../../agent/gateway-trace-reporter.js";
4
+ type GatewayAgentRunHost = Readonly<{
5
+ harbor: {
6
+ createAgentRunTraceReporter(runId: string): {
7
+ registerRun(input: AgentRunUpsertInput): void;
8
+ reportEvent(event: PaybondTraceEvent): void;
9
+ };
10
+ };
11
+ }>;
12
+ export type PersistedAgentRunTrace = {
13
+ run_id: string;
14
+ intent_id: string;
15
+ trace_events: PaybondTraceEvent[];
16
+ updated_at: string;
17
+ };
18
+ export declare function agentRunTraceFilePath(cwd: string, runId: string): string;
19
+ export declare function loadAgentRunTraceIfExistsSync(cwd: string, runId: string): PersistedAgentRunTrace | undefined;
20
+ export declare function loadAgentRunTraceIfExists(cwd: string, runId: string): Promise<PersistedAgentRunTrace | undefined>;
21
+ export declare function loadAgentRunTrace(cwd: string, runId: string): Promise<PersistedAgentRunTrace>;
22
+ export declare function appendAgentRunTraceEventSync(cwd: string, runId: string, event: PaybondTraceEvent, intentId?: string): void;
23
+ export declare function appendAgentRunTraceEvent(cwd: string, runId: string, event: PaybondTraceEvent, intentId?: string): Promise<void>;
24
+ export declare function persistAgentRunTraceEventsSync(cwd: string, runId: string, events: readonly PaybondTraceEvent[], intentId?: string): string;
25
+ export declare function persistAgentRunTraceEvents(cwd: string, runId: string, events: readonly PaybondTraceEvent[], intentId?: string): Promise<string>;
26
+ /** Composite sink that persists per-run trace events and optionally forwards to another sink. */
27
+ export declare function createAgentRunTraceSink(cwd: string, runId: string, options?: {
28
+ intentId?: string;
29
+ forward?: PaybondTraceSink;
30
+ }): PaybondTraceSink;
31
+ /** Forward middleware trace events to Gateway when a tenant session is available. */
32
+ export declare function createGatewayAgentRunTraceSink(paybond: GatewayAgentRunHost, runId: string): PaybondTraceSink;
33
+ /** Register run metadata on Gateway after a successful bind. */
34
+ export declare function registerGatewayAgentRun(paybond: GatewayAgentRunHost, run: PaybondAgentRun, options?: {
35
+ completionPreset?: string;
36
+ }): void;
37
+ /** Composite sink: local run trace file, optional dev collector, optional Gateway reporter. */
38
+ export declare function resolveAgentRunTraceSink(cwd: string, runId: string, intentId?: string, forward?: PaybondTraceSink, gateway?: PaybondTraceSink): PaybondTraceSink;
39
+ export {};
@@ -0,0 +1,143 @@
1
+ import { mkdirSync, readFileSync } from "node:fs";
2
+ import { mkdir, readFile } from "node:fs/promises";
3
+ import { writeAtomicFile, writeAtomicFileAsync } from "../automation.js";
4
+ import { CliError } from "../types.js";
5
+ import { agentRunFilePath, agentRunsDir } from "./run-store.js";
6
+ export function agentRunTraceFilePath(cwd, runId) {
7
+ return `${agentRunFilePath(cwd, runId).replace(/\.json$/, "")}.trace.json`;
8
+ }
9
+ export function loadAgentRunTraceIfExistsSync(cwd, runId) {
10
+ const path = agentRunTraceFilePath(cwd, runId);
11
+ try {
12
+ const raw = readFileSync(path, "utf8");
13
+ const parsed = JSON.parse(raw);
14
+ if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
15
+ throw new CliError(`invalid run trace at ${path}`, {
16
+ category: "validation",
17
+ code: "cli.agent.invalid_run_trace",
18
+ });
19
+ }
20
+ return parsed;
21
+ }
22
+ catch (err) {
23
+ if (err && typeof err === "object" && "code" in err && err.code === "ENOENT") {
24
+ return undefined;
25
+ }
26
+ throw err;
27
+ }
28
+ }
29
+ export async function loadAgentRunTraceIfExists(cwd, runId) {
30
+ const path = agentRunTraceFilePath(cwd, runId);
31
+ let raw;
32
+ try {
33
+ raw = await readFile(path, "utf8");
34
+ }
35
+ catch (err) {
36
+ if (err && typeof err === "object" && "code" in err && err.code === "ENOENT") {
37
+ return undefined;
38
+ }
39
+ throw err;
40
+ }
41
+ const parsed = JSON.parse(raw);
42
+ if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
43
+ throw new CliError(`invalid run trace at ${path}`, {
44
+ category: "validation",
45
+ code: "cli.agent.invalid_run_trace",
46
+ });
47
+ }
48
+ return parsed;
49
+ }
50
+ export async function loadAgentRunTrace(cwd, runId) {
51
+ const stored = await loadAgentRunTraceIfExists(cwd, runId);
52
+ if (!stored) {
53
+ throw new CliError(`no trace events for run "${runId}"; run paybond agent tool execute first`, {
54
+ category: "validation",
55
+ code: "cli.agent.trace_not_found",
56
+ exitCode: 1,
57
+ details: { run_id: runId, path: agentRunTraceFilePath(cwd, runId) },
58
+ });
59
+ }
60
+ return stored;
61
+ }
62
+ export function appendAgentRunTraceEventSync(cwd, runId, event, intentId) {
63
+ const existing = loadAgentRunTraceIfExistsSync(cwd, runId);
64
+ const traceEvents = [...(existing?.trace_events ?? []), event];
65
+ persistAgentRunTraceEventsSync(cwd, runId, traceEvents, intentId ?? existing?.intent_id ?? "");
66
+ }
67
+ export async function appendAgentRunTraceEvent(cwd, runId, event, intentId) {
68
+ const existing = await loadAgentRunTraceIfExists(cwd, runId);
69
+ const traceEvents = [...(existing?.trace_events ?? []), event];
70
+ await persistAgentRunTraceEvents(cwd, runId, traceEvents, intentId ?? existing?.intent_id ?? "");
71
+ }
72
+ export function persistAgentRunTraceEventsSync(cwd, runId, events, intentId = "") {
73
+ const path = agentRunTraceFilePath(cwd, runId);
74
+ mkdirSync(agentRunsDir(cwd), { recursive: true });
75
+ const payload = {
76
+ run_id: runId.trim(),
77
+ intent_id: intentId,
78
+ trace_events: [...events],
79
+ updated_at: new Date().toISOString(),
80
+ };
81
+ writeAtomicFile(path, `${JSON.stringify(payload, null, 2)}\n`, 0o600);
82
+ return path;
83
+ }
84
+ export async function persistAgentRunTraceEvents(cwd, runId, events, intentId = "") {
85
+ const path = agentRunTraceFilePath(cwd, runId);
86
+ await mkdir(agentRunsDir(cwd), { recursive: true });
87
+ const payload = {
88
+ run_id: runId.trim(),
89
+ intent_id: intentId,
90
+ trace_events: [...events],
91
+ updated_at: new Date().toISOString(),
92
+ };
93
+ await writeAtomicFileAsync(path, `${JSON.stringify(payload, null, 2)}\n`, 0o600);
94
+ return path;
95
+ }
96
+ /** Composite sink that persists per-run trace events and optionally forwards to another sink. */
97
+ export function createAgentRunTraceSink(cwd, runId, options) {
98
+ return (event) => {
99
+ appendAgentRunTraceEventSync(cwd, runId, event, options?.intentId);
100
+ options?.forward?.(event);
101
+ };
102
+ }
103
+ /** Forward middleware trace events to Gateway when a tenant session is available. */
104
+ export function createGatewayAgentRunTraceSink(paybond, runId) {
105
+ const reporter = paybond.harbor.createAgentRunTraceReporter(runId);
106
+ return (event) => {
107
+ reporter.reportEvent(event);
108
+ };
109
+ }
110
+ /** Register run metadata on Gateway after a successful bind. */
111
+ export function registerGatewayAgentRun(paybond, run, options) {
112
+ const meta = {
113
+ intentId: run.intentId,
114
+ operation: run.binding.sandbox?.operation ?? run.allowedTools[0] ?? "",
115
+ sandbox: Boolean(run.binding.sandbox),
116
+ allowedTools: run.allowedTools,
117
+ completionPreset: options?.completionPreset,
118
+ };
119
+ paybond.harbor.createAgentRunTraceReporter(run.runId).registerRun(meta);
120
+ }
121
+ /** Composite sink: local run trace file, optional dev collector, optional Gateway reporter. */
122
+ export function resolveAgentRunTraceSink(cwd, runId, intentId, forward, gateway) {
123
+ const sinks = [];
124
+ if (gateway) {
125
+ sinks.push(gateway);
126
+ }
127
+ if (forward) {
128
+ sinks.push(forward);
129
+ }
130
+ const composed = sinks.length === 0
131
+ ? undefined
132
+ : sinks.length === 1
133
+ ? sinks[0]
134
+ : (event) => {
135
+ for (const sink of sinks) {
136
+ sink(event);
137
+ }
138
+ };
139
+ return createAgentRunTraceSink(cwd, runId, {
140
+ intentId,
141
+ forward: composed,
142
+ });
143
+ }
@@ -0,0 +1,9 @@
1
+ import type { DevTraceStep } from "../dev/trace-buffer.js";
2
+ import type { GlobalOptions } from "./types.js";
3
+ /** Build human-readable agent run trace lines for `--format table`. */
4
+ export declare function formatAgentRunTraceTable(options: {
5
+ runId: string;
6
+ intentId: string;
7
+ steps: readonly DevTraceStep[];
8
+ globals: GlobalOptions;
9
+ }): string[];
@@ -0,0 +1,24 @@
1
+ import { colorize, shouldUseColor } from "./color.js";
2
+ /** Build human-readable agent run trace lines for `--format table`. */
3
+ export function formatAgentRunTraceTable(options) {
4
+ const useColor = shouldUseColor(options.globals);
5
+ const mark = (line) => {
6
+ if (line.startsWith("✓")) {
7
+ return colorize(line, "green", useColor);
8
+ }
9
+ return line;
10
+ };
11
+ const lines = [
12
+ `run_id: ${options.runId}`,
13
+ `intent_id: ${options.intentId}`,
14
+ "",
15
+ ];
16
+ if (options.steps.length === 0) {
17
+ lines.push("No trace events recorded.");
18
+ return lines;
19
+ }
20
+ for (const step of options.steps) {
21
+ lines.push(mark(`✓ ${step.label}`));
22
+ }
23
+ return lines;
24
+ }
@@ -0,0 +1,9 @@
1
+ import type { GlobalOptions } from "./types.js";
2
+ /** Build human-readable sandbox smoke checklist lines for `--format table`. */
3
+ export declare function formatAgentSandboxSmokeChecklist(options: {
4
+ presetId?: string;
5
+ bind: Record<string, unknown>;
6
+ execute: Record<string, unknown>;
7
+ resultBody: Record<string, unknown>;
8
+ globals: GlobalOptions;
9
+ }): string[];