@poncho-ai/harness 0.43.1 → 0.44.0

package/dist/index.js

@@ -2340,7 +2340,7 @@ var ponchoDocsTool = defineTool({
 
 // src/harness.ts
 import { randomUUID as randomUUID5 } from "crypto";
-import { readFile as readFile8 } from "fs/promises";
+import { readFile as readFile9 } from "fs/promises";
 import { resolve as resolve11 } from "path";
 import { defineTool as defineTool12, getTextContent as getTextContent2, createLogger as createLogger6, formatError as fmtErr, url as urlColor } from "@poncho-ai/sdk";
 
@@ -2422,6 +2422,23 @@ var deriveUploadKey = (data, mediaType) => {
   const ext = mimeToExt(mediaType);
   return `${hash}${ext}`;
 };
+var DATA_URI_PREFIX = /^data:[^,]*?;base64,/;
+var decodeFileInputData = async (data) => {
+  if (data.startsWith("http://") || data.startsWith("https://")) {
+    const resp = await fetch(data);
+    if (!resp.ok) {
+      throw new Error(
+        `uploads: failed to fetch file at ${data}: ${resp.status} ${resp.statusText}`
+      );
+    }
+    return Buffer.from(await resp.arrayBuffer());
+  }
+  const match = data.match(DATA_URI_PREFIX);
+  if (match) {
+    return Buffer.from(data.slice(match[0].length), "base64");
+  }
+  return Buffer.from(data, "base64");
+};
 var MIME_EXT_MAP = {
   "image/jpeg": ".jpg",
   "image/png": ".png",
@@ -2470,9 +2487,9 @@ var VercelBlobUploadStore = class {
   sdk;
   workingDir;
   access;
-  constructor(workingDir, access3 = "public") {
+  constructor(workingDir, access4 = "public") {
     this.workingDir = workingDir;
-    this.access = access3;
+    this.access = access4;
   }
   async loadSdk() {
     if (this.sdk) return this.sdk;
@@ -3319,6 +3336,25 @@ var migrations = [
          ON conversations (parent_conversation_id, parent_message_id)
          WHERE parent_message_id IS NOT NULL`
     ]
+  },
+  {
+    version: 7,
+    name: "fix_reminder_scheduled_at_precision",
+    // Postgres maps `REAL` to float4 (4 bytes, ~7 digit precision),
+    // which silently rounds millisecond epochs (13 digits) — every
+    // reminder write+read on Postgres returned a different value than
+    // it stored. SQLite's REAL is float8 (15+ digit precision) so it
+    // was always fine there.
+    //
+    // Convert the Postgres column to BIGINT so future writes are exact
+    // (already-stored rounded values aren't recoverable but they were
+    // never correct in the first place).
+    up: (d) => {
+      if (d === "sqlite") return [];
+      return [
+        `ALTER TABLE reminders ALTER COLUMN scheduled_at TYPE BIGINT USING scheduled_at::bigint`
+      ];
+    }
   }
 ];
 
@@ -3982,9 +4018,9 @@ var SqlStorageEngine = class {
       }
     },
     deleteFile: async (tenantId, path) => {
-      const stat3 = await this.vfs.stat(tenantId, path);
-      if (!stat3) throw new Error(`ENOENT: no such file or directory, unlink '${path}'`);
-      if (stat3.type === "directory") throw new Error(`EISDIR: illegal operation on a directory, unlink '${path}'`);
+      const stat4 = await this.vfs.stat(tenantId, path);
+      if (!stat4) throw new Error(`ENOENT: no such file or directory, unlink '${path}'`);
+      if (stat4.type === "directory") throw new Error(`EISDIR: illegal operation on a directory, unlink '${path}'`);
       await this.executor.run(
         rewrite(
           "DELETE FROM vfs_entries WHERE agent_id = $1 AND tenant_id = $2 AND path = $3",
@@ -4224,7 +4260,10 @@ var SqlStorageEngine = class {
     return {
       id: row.id,
       task: row.task,
-      scheduledAt: row.scheduled_at,
+      // Postgres-js returns BIGINT columns as strings to avoid silent
+      // precision loss in JS. Coerce to Number — ms epochs max out at
+      // ~10^16 in year 2286, well under Number.MAX_SAFE_INTEGER (2^53).
+      scheduledAt: Number(row.scheduled_at),
       timezone: row.timezone ?? void 0,
       status: row.status,
       createdAt: new Date(row.created_at).getTime(),
@@ -4232,7 +4271,7 @@ var SqlStorageEngine = class {
       ownerId: row.owner_id ?? void 0,
       tenantId: tid === DEFAULT_TENANT2 ? null : tid,
       recurrence,
-      occurrenceCount: row.occurrence_count ?? 0
+      occurrenceCount: Number(row.occurrence_count ?? 0)
     };
   }
   toUint8Array(value) {
@@ -4528,6 +4567,9 @@ function createReminderStoreFromEngine(engine) {
 import { Bash } from "just-bash";
 
 // src/vfs/poncho-fs-adapter.ts
+import * as nodeFs from "fs/promises";
+import * as nodeFsSync from "fs";
+import * as nodePath from "path";
 var MIME_MAP = {
   ".txt": "text/plain",
   ".html": "text/html",
@@ -4584,52 +4626,190 @@ var normalize = (path) => {
   }
   return "/" + out.join("/");
 };
+var READ_ONLY_ERROR = (path, op) => new Error(`EROFS: read-only mount, ${op} '${path}'`);
 var PonchoFsAdapter = class {
-  constructor(engine, tenantId, limits) {
+  constructor(engine, tenantId, limits, mounts = []) {
     this.engine = engine;
     this.tenantId = tenantId;
     this.limits = limits;
+    this.mounts = mounts.map((m) => {
+      const prefix = m.prefix.endsWith("/") ? m.prefix : m.prefix + "/";
+      return {
+        prefix,
+        prefixNoSlash: prefix.slice(0, -1),
+        source: m.source.replace(/\/+$/, "")
+      };
+    });
+  }
+  mounts;
+  /** Find which mount, if any, a normalised VFS path falls under.
+   *  Returns the relative path within the mount's source dir (empty string
+   *  when the path is exactly the mount root). */
+  routeToMount(np) {
+    for (const m of this.mounts) {
+      if (np === m.prefixNoSlash) return { mount: m, relative: "" };
+      if (np.startsWith(m.prefix)) return { mount: m, relative: np.slice(m.prefix.length) };
+    }
+    return null;
+  }
+  /** Treat `np` as a directory and return mount-root segments that should be
+   *  listed as virtual subdirectories. E.g. with mount "/system/", reading
+   *  "/" returns ["system"]; reading "/system" goes via routeToMount and
+   *  serves from local FS instead. */
+  virtualChildrenAt(np) {
+    const dirPrefix = np === "/" ? "/" : np + "/";
+    const out = [];
+    for (const m of this.mounts) {
+      if (m.prefix.startsWith(dirPrefix) && m.prefix !== dirPrefix) {
+        const remaining = m.prefix.slice(dirPrefix.length);
+        const seg = remaining.split("/")[0];
+        if (seg && !out.includes(seg)) out.push(seg);
+      }
+    }
+    return out;
+  }
+  toLocal(mount, relative) {
+    return nodePath.join(mount.source, relative);
+  }
+  /** Build an FsStat from a node fs.Stats. */
+  toFsStat(s) {
+    return {
+      isFile: s.isFile(),
+      isDirectory: s.isDirectory(),
+      isSymbolicLink: s.isSymbolicLink(),
+      mode: s.mode,
+      size: s.size,
+      mtime: s.mtime
+    };
+  }
+  /** Synthesise a directory stat for a virtual ancestor (e.g. "/system"
+   *  when "/system/jobs/" is mounted but "/system" itself isn't a real dir
+   *  on disk). Used so `ls /` and `stat /system` work without surprises. */
+  syntheticDirStat() {
+    return {
+      isFile: false,
+      isDirectory: true,
+      isSymbolicLink: false,
+      mode: 493,
+      size: 0,
+      mtime: /* @__PURE__ */ new Date(0)
+    };
   }
   // --- Reads ---
   async readFile(path, _options) {
-    const buf = await this.engine.vfs.readFile(this.tenantId, normalize(path));
+    const np = normalize(path);
+    const route = this.routeToMount(np);
+    if (route) {
+      const buf2 = await nodeFs.readFile(this.toLocal(route.mount, route.relative));
+      return buf2.toString("utf8");
+    }
+    const buf = await this.engine.vfs.readFile(this.tenantId, np);
     return new TextDecoder().decode(buf);
   }
   async readFileBuffer(path) {
-    return this.engine.vfs.readFile(this.tenantId, normalize(path));
+    const np = normalize(path);
+    const route = this.routeToMount(np);
+    if (route) {
+      const buf = await nodeFs.readFile(this.toLocal(route.mount, route.relative));
+      return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
+    }
+    return this.engine.vfs.readFile(this.tenantId, np);
   }
   async exists(path) {
-    const s = await this.engine.vfs.stat(this.tenantId, normalize(path));
-    return s !== void 0;
+    const np = normalize(path);
+    const route = this.routeToMount(np);
+    if (route) {
+      try {
+        await nodeFs.access(this.toLocal(route.mount, route.relative));
+        return true;
+      } catch {
+        return false;
+      }
+    }
+    const s = await this.engine.vfs.stat(this.tenantId, np);
+    if (s) return true;
+    return this.virtualChildrenAt(np).length > 0;
   }
   async stat(path) {
     const np = normalize(path);
+    const route = this.routeToMount(np);
+    if (route) {
+      try {
+        const s2 = await nodeFs.stat(this.toLocal(route.mount, route.relative));
+        return this.toFsStat(s2);
+      } catch {
+        throw new Error(`ENOENT: no such file or directory, stat '${path}'`);
+      }
+    }
     const s = await this.engine.vfs.stat(this.tenantId, np);
-    if (!s) throw new Error(`ENOENT: no such file or directory, stat '${path}'`);
-    return {
-      isFile: s.type === "file",
-      isDirectory: s.type === "directory",
-      isSymbolicLink: s.type === "symlink",
-      mode: s.mode,
-      size: s.size,
-      mtime: new Date(s.updatedAt)
-    };
+    if (s) {
+      return {
+        isFile: s.type === "file",
+        isDirectory: s.type === "directory",
+        isSymbolicLink: s.type === "symlink",
+        mode: s.mode,
+        size: s.size,
+        mtime: new Date(s.updatedAt)
+      };
+    }
+    if (this.virtualChildrenAt(np).length > 0) return this.syntheticDirStat();
+    throw new Error(`ENOENT: no such file or directory, stat '${path}'`);
   }
   async readdir(path) {
-    const entries = await this.engine.vfs.readdir(this.tenantId, normalize(path));
-    return entries.map((e) => e.name);
+    const np = normalize(path);
+    const route = this.routeToMount(np);
+    if (route) {
+      return nodeFs.readdir(this.toLocal(route.mount, route.relative));
+    }
+    let engineNames = [];
+    try {
+      const entries = await this.engine.vfs.readdir(this.tenantId, np);
+      engineNames = entries.map((e) => e.name);
+    } catch {
+    }
+    const virtualSegs = this.virtualChildrenAt(np);
+    if (virtualSegs.length === 0) return engineNames;
+    const merged = new Set(engineNames);
+    for (const seg of virtualSegs) merged.add(seg);
+    return Array.from(merged);
   }
   async readdirWithFileTypes(path) {
-    const entries = await this.engine.vfs.readdir(this.tenantId, normalize(path));
-    return entries.map((e) => ({
-      name: e.name,
-      isFile: e.type === "file",
-      isDirectory: e.type === "directory",
-      isSymbolicLink: e.type === "symlink"
-    }));
+    const np = normalize(path);
+    const route = this.routeToMount(np);
+    if (route) {
+      const entries = await nodeFs.readdir(this.toLocal(route.mount, route.relative), { withFileTypes: true });
+      return entries.map((e) => ({
+        name: e.name,
+        isFile: e.isFile(),
+        isDirectory: e.isDirectory(),
+        isSymbolicLink: e.isSymbolicLink()
+      }));
+    }
+    let engineEntries = [];
+    try {
+      const entries = await this.engine.vfs.readdir(this.tenantId, np);
+      engineEntries = entries.map((e) => ({
+        name: e.name,
+        isFile: e.type === "file",
+        isDirectory: e.type === "directory",
+        isSymbolicLink: e.type === "symlink"
+      }));
+    } catch {
+    }
+    const virtualSegs = this.virtualChildrenAt(np);
+    if (virtualSegs.length === 0) return engineEntries;
+    const seen = new Set(engineEntries.map((e) => e.name));
+    for (const seg of virtualSegs) {
+      if (!seen.has(seg)) {
+        engineEntries.push({ name: seg, isFile: false, isDirectory: true, isSymbolicLink: false });
+      }
+    }
+    return engineEntries;
   }
   // --- Writes ---
   async writeFile(path, content, _options) {
+    const np = normalize(path);
+    if (this.routeToMount(np)) throw READ_ONLY_ERROR(path, "writeFile");
     const buf = typeof content === "string" ? new TextEncoder().encode(content) : content;
     if (buf.byteLength > this.limits.maxFileSize) {
       throw new Error(
@@ -4637,17 +4817,22 @@ var PonchoFsAdapter = class {
       );
     }
     const mime = mimeFromExtension(path);
-    await this.engine.vfs.writeFile(this.tenantId, normalize(path), buf, mime);
+    await this.engine.vfs.writeFile(this.tenantId, np, buf, mime);
   }
   async appendFile(path, content, _options) {
+    const np = normalize(path);
+    if (this.routeToMount(np)) throw READ_ONLY_ERROR(path, "appendFile");
     const buf = typeof content === "string" ? new TextEncoder().encode(content) : content;
-    await this.engine.vfs.appendFile(this.tenantId, normalize(path), buf);
+    await this.engine.vfs.appendFile(this.tenantId, np, buf);
   }
   async mkdir(path, options) {
-    await this.engine.vfs.mkdir(this.tenantId, normalize(path), options?.recursive);
+    const np = normalize(path);
+    if (this.routeToMount(np)) throw READ_ONLY_ERROR(path, "mkdir");
+    await this.engine.vfs.mkdir(this.tenantId, np, options?.recursive);
   }
   async rm(path, options) {
     const np = normalize(path);
+    if (this.routeToMount(np)) throw READ_ONLY_ERROR(path, "rm");
     const s = await this.engine.vfs.stat(this.tenantId, np);
     if (!s) {
       if (options?.force) return;
@@ -4663,25 +4848,30 @@ var PonchoFsAdapter = class {
   async cp(src, dest, options) {
     const srcNorm = normalize(src);
     const destNorm = normalize(dest);
-    const srcStat = await this.engine.vfs.stat(this.tenantId, srcNorm);
+    if (this.routeToMount(destNorm)) throw READ_ONLY_ERROR(dest, "cp");
+    const srcStat = await this.stat(srcNorm).catch(() => null);
     if (!srcStat) throw new Error(`ENOENT: no such file or directory, cp '${src}'`);
-    if (srcStat.type === "directory") {
+    if (srcStat.isDirectory) {
       if (!options?.recursive) {
         throw new Error(`EISDIR: cp -r not specified; omitting directory '${src}'`);
       }
       await this.engine.vfs.mkdir(this.tenantId, destNorm, true);
-      const entries = await this.engine.vfs.readdir(this.tenantId, srcNorm);
-      for (const entry of entries) {
-        await this.cp(`${srcNorm}/${entry.name}`, `${destNorm}/${entry.name}`, options);
+      const entries = await this.readdir(srcNorm);
+      for (const name of entries) {
+        await this.cp(`${srcNorm}/${name}`, `${destNorm}/${name}`, options);
       }
     } else {
-      const content = await this.engine.vfs.readFile(this.tenantId, srcNorm);
+      const content = await this.readFileBuffer(srcNorm);
       const mime = mimeFromExtension(destNorm);
       await this.engine.vfs.writeFile(this.tenantId, destNorm, content, mime);
     }
   }
   async mv(src, dest) {
-    await this.engine.vfs.rename(this.tenantId, normalize(src), normalize(dest));
+    const srcNorm = normalize(src);
+    const destNorm = normalize(dest);
+    if (this.routeToMount(srcNorm)) throw READ_ONLY_ERROR(src, "mv (source)");
+    if (this.routeToMount(destNorm)) throw READ_ONLY_ERROR(dest, "mv (dest)");
+    await this.engine.vfs.rename(this.tenantId, srcNorm, destNorm);
   }
   // --- Path resolution ---
   resolvePath(base, path) {
@@ -4690,8 +4880,22 @@ var PonchoFsAdapter = class {
   }
   async realpath(path) {
     const np = normalize(path);
+    const route = this.routeToMount(np);
+    if (route) {
+      const localResolved = await nodeFs.realpath(this.toLocal(route.mount, route.relative));
+      const localRoot = await nodeFs.realpath(route.mount.source).catch(() => route.mount.source);
+      if (localResolved === localRoot) return route.mount.prefixNoSlash;
+      if (localResolved.startsWith(localRoot + nodePath.sep)) {
+        const rel = localResolved.slice(localRoot.length + 1).split(nodePath.sep).join("/");
+        return `${route.mount.prefix}${rel}`;
+      }
+      return np;
+    }
     const s = await this.engine.vfs.lstat(this.tenantId, np);
-    if (!s) throw new Error(`ENOENT: no such file or directory, realpath '${path}'`);
+    if (!s) {
+      if (this.virtualChildrenAt(np).length > 0) return np;
+      throw new Error(`ENOENT: no such file or directory, realpath '${path}'`);
+    }
     if (s.type === "symlink" && s.symlinkTarget) {
       const target = s.symlinkTarget.startsWith("/") ? s.symlinkTarget : normalize(`${np.slice(0, np.lastIndexOf("/"))}/${s.symlinkTarget}`);
       return this.realpath(target);
@@ -4700,39 +4904,92 @@ var PonchoFsAdapter = class {
   }
   // --- Sync: required by just-bash for glob/find ---
   getAllPaths() {
-    return this.engine.vfs.listAllPaths(this.tenantId);
+    const enginePaths = this.engine.vfs.listAllPaths(this.tenantId);
+    if (this.mounts.length === 0) return enginePaths;
+    const out = new Set(enginePaths);
+    for (const m of this.mounts) {
+      out.add(m.prefixNoSlash);
+      try {
+        const stack = [
+          { abs: m.source, vfs: m.prefixNoSlash }
+        ];
+        while (stack.length > 0) {
+          const { abs, vfs } = stack.pop();
+          let entries;
+          try {
+            entries = nodeFsSync.readdirSync(abs, { withFileTypes: true });
+          } catch {
+            continue;
+          }
+          for (const e of entries) {
+            const childVfs = `${vfs}/${e.name}`;
+            out.add(childVfs);
+            if (e.isDirectory()) {
+              stack.push({ abs: nodePath.join(abs, e.name), vfs: childVfs });
+            }
+          }
+        }
+      } catch {
+      }
+    }
+    return Array.from(out);
   }
   // --- Metadata ---
   async chmod(path, mode) {
-    await this.engine.vfs.chmod(this.tenantId, normalize(path), mode);
+    const np = normalize(path);
+    if (this.routeToMount(np)) throw READ_ONLY_ERROR(path, "chmod");
+    await this.engine.vfs.chmod(this.tenantId, np, mode);
   }
   async utimes(path, _atime, mtime) {
-    await this.engine.vfs.utimes(this.tenantId, normalize(path), mtime);
+    const np = normalize(path);
+    if (this.routeToMount(np)) throw READ_ONLY_ERROR(path, "utimes");
+    await this.engine.vfs.utimes(this.tenantId, np, mtime);
   }
   // --- Symlinks ---
   async symlink(target, linkPath) {
-    await this.engine.vfs.symlink(this.tenantId, target, normalize(linkPath));
+    const np = normalize(linkPath);
+    if (this.routeToMount(np)) throw READ_ONLY_ERROR(linkPath, "symlink");
+    await this.engine.vfs.symlink(this.tenantId, target, np);
   }
   async link(existingPath, newPath) {
-    const content = await this.engine.vfs.readFile(this.tenantId, normalize(existingPath));
+    const npNew = normalize(newPath);
+    if (this.routeToMount(npNew)) throw READ_ONLY_ERROR(newPath, "link");
+    const content = await this.readFileBuffer(existingPath);
     const mime = mimeFromExtension(newPath);
-    await this.engine.vfs.writeFile(this.tenantId, normalize(newPath), content, mime);
+    await this.engine.vfs.writeFile(this.tenantId, npNew, content, mime);
   }
   async readlink(path) {
-    return this.engine.vfs.readlink(this.tenantId, normalize(path));
+    const np = normalize(path);
+    const route = this.routeToMount(np);
+    if (route) {
+      return nodeFs.readlink(this.toLocal(route.mount, route.relative));
+    }
+    return this.engine.vfs.readlink(this.tenantId, np);
   }
   async lstat(path) {
     const np = normalize(path);
+    const route = this.routeToMount(np);
+    if (route) {
+      try {
+        const s2 = await nodeFs.lstat(this.toLocal(route.mount, route.relative));
+        return this.toFsStat(s2);
+      } catch {
+        throw new Error(`ENOENT: no such file or directory, lstat '${path}'`);
+      }
+    }
     const s = await this.engine.vfs.lstat(this.tenantId, np);
-    if (!s) throw new Error(`ENOENT: no such file or directory, lstat '${path}'`);
-    return {
-      isFile: s.type === "file",
-      isDirectory: s.type === "directory",
-      isSymbolicLink: s.type === "symlink",
-      mode: s.mode,
-      size: s.size,
-      mtime: new Date(s.updatedAt)
-    };
+    if (s) {
+      return {
+        isFile: s.type === "file",
+        isDirectory: s.type === "directory",
+        isSymbolicLink: s.type === "symlink",
+        mode: s.mode,
+        size: s.size,
+        mtime: new Date(s.updatedAt)
+      };
+    }
+    if (this.virtualChildrenAt(np).length > 0) return this.syntheticDirStat();
+    throw new Error(`ENOENT: no such file or directory, lstat '${path}'`);
   }
 };
 
@@ -4909,21 +5166,23 @@ function toBashOptions(cfg, network) {
   return opts;
 }
 var BashEnvironmentManager = class {
-  constructor(engine, limits, workingDir, bashConfig, network) {
+  constructor(engine, limits, workingDir, bashConfig, network, virtualMounts = []) {
     this.engine = engine;
     this.limits = limits;
     this.workingDir = workingDir;
     this.bashOptions = toBashOptions(bashConfig, network);
+    this.virtualMounts = virtualMounts;
   }
   environments = /* @__PURE__ */ new Map();
   filesystems = /* @__PURE__ */ new Map();
   workingDir;
   bashOptions;
+  virtualMounts;
   /** Return the combined IFileSystem (VFS + optional /project mount) for a tenant. */
   getFs(tenantId) {
     let fs = this.filesystems.get(tenantId);
     if (!fs) {
-      const adapter = new PonchoFsAdapter(this.engine, tenantId, this.limits);
+      const adapter = new PonchoFsAdapter(this.engine, tenantId, this.limits, this.virtualMounts);
       fs = createBashFs(adapter, this.workingDir);
       this.filesystems.set(tenantId, fs);
     }
@@ -4943,7 +5202,7 @@ var BashEnvironmentManager = class {
     return bash;
   }
   getAdapter(tenantId) {
-    return new PonchoFsAdapter(this.engine, tenantId, this.limits);
+    return new PonchoFsAdapter(this.engine, tenantId, this.limits, this.virtualMounts);
   }
   /** Refresh the PostgreSQL path cache before a bash.exec() call. */
   async refreshPathCache(tenantId) {
@@ -5062,8 +5321,8 @@ var createReadFileTool = (getFs) => defineTool3({
     if (!await fs.exists(filePath)) {
       throw new Error(`File not found: ${filePath}`);
     }
-    const stat3 = await fs.stat(filePath);
-    if (stat3.isDirectory) {
+    const stat4 = await fs.stat(filePath);
+    if (stat4.isDirectory) {
       throw new Error(`${filePath} is a directory, not a file`);
     }
     const mediaType = mimeFromPath(filePath) ?? "application/octet-stream";
@@ -5115,8 +5374,8 @@ var createEditFileTool = (getFs) => defineTool4({
     const tenantId = context.tenantId ?? "__default__";
     const fs = getFs(tenantId);
     if (!await fs.exists(filePath)) throw new Error(`File not found: ${filePath}`);
-    const stat3 = await fs.stat(filePath);
-    if (stat3.isDirectory) throw new Error(`${filePath} is a directory`);
+    const stat4 = await fs.stat(filePath);
+    if (stat4.isDirectory) throw new Error(`${filePath} is a directory`);
     const content = await fs.readFile(filePath);
     const first = content.indexOf(oldStr);
     if (first === -1) {
@@ -5611,7 +5870,7 @@ var createTodoTools = (store) => {
 
 // src/secrets-store.ts
 import { createCipheriv, createDecipheriv, randomBytes as randomBytes2, createHash as createHash3 } from "crypto";
-import { mkdir as mkdir3, readFile as readFile5, writeFile as writeFile4 } from "fs/promises";
+import { mkdir as mkdir3, readFile as readFile6, writeFile as writeFile4 } from "fs/promises";
 import { dirname as dirname3, resolve as resolve7 } from "path";
 function deriveKey(signingKey) {
   return createHash3("sha256").update("poncho-secrets-v1:" + signingKey).digest();
@@ -5657,7 +5916,7 @@ var FileSecretsStore = class {
   }
   async readAll(tenantId) {
     try {
-      const raw = await readFile5(await this.filePath(tenantId), "utf8");
+      const raw = await readFile6(await this.filePath(tenantId), "utf8");
       return JSON.parse(raw);
     } catch {
       return {};
@@ -6567,7 +6826,7 @@ import { createAnthropic } from "@ai-sdk/anthropic";
 // src/openai-codex-auth.ts
 import { homedir as homedir3 } from "os";
 import { dirname as dirname4, resolve as resolve8 } from "path";
-import { mkdir as mkdir4, readFile as readFile6, chmod, writeFile as writeFile5, rm as rm3 } from "fs/promises";
+import { mkdir as mkdir4, readFile as readFile7, chmod, writeFile as writeFile5, rm as rm3 } from "fs/promises";
 var OPENAI_CODEX_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
 var OPENAI_AUTH_ISSUER = "https://auth.openai.com";
 var REFRESH_TOKEN_GRACE_MS = 5 * 60 * 1e3;
@@ -6606,7 +6865,7 @@ var getOpenAICodexAuthFilePath = (config) => {
 var readOpenAICodexSession = async (config) => {
   const filePath = getOpenAICodexAuthFilePath(config);
   try {
-    const content = await readFile6(filePath, "utf8");
+    const content = await readFile7(filePath, "utf8");
     const parsed = JSON.parse(content);
     if (typeof parsed.refreshToken !== "string" || parsed.refreshToken.length === 0) {
       return void 0;
@@ -6941,7 +7200,7 @@ var createModelProvider = (provider, config) => {
 };
 
 // src/skill-context.ts
-import { readFile as readFile7, readdir as readdir2, stat } from "fs/promises";
+import { readFile as readFile8, readdir as readdir3, stat as stat2 } from "fs/promises";
 import { dirname as dirname5, resolve as resolve9, normalize as normalize2 } from "path";
 import YAML3 from "yaml";
 import { createLogger as createLogger4 } from "@poncho-ai/sdk";
@@ -7022,7 +7281,7 @@ var parseSkillFrontmatter = (content) => {
   };
 };
 var collectSkillManifests = async (directory) => {
-  const entries = await readdir2(directory, { withFileTypes: true });
+  const entries = await readdir3(directory, { withFileTypes: true });
   const files = [];
   for (const entry of entries) {
     const fullPath = resolve9(directory, entry.name);
@@ -7030,7 +7289,7 @@ var collectSkillManifests = async (directory) => {
     let isFile = entry.isFile();
     if (entry.isSymbolicLink()) {
       try {
-        const s = await stat(fullPath);
+        const s = await stat2(fullPath);
         isDir = s.isDirectory();
         isFile = s.isFile();
       } catch {
@@ -7060,7 +7319,7 @@ var loadSkillMetadata = async (workingDir, extraSkillPaths) => {
   const seen = /* @__PURE__ */ new Set();
   for (const manifest of allManifests) {
     try {
-      const content = await readFile7(manifest, "utf8");
+      const content = await readFile8(manifest, "utf8");
       const parsed = parseSkillFrontmatter(content);
       if (parsed && !seen.has(parsed.name)) {
         seen.add(parsed.name);
@@ -7163,7 +7422,7 @@ var mergeSkills = (repoSkills, vfsSkills, onCollision) => {
 var loadSkillInstructions = async (skill, engine) => {
   const raw = skill.source.kind === "vfs" ? decoder.decode(
     await requireEngine(engine).vfs.readFile(skill.source.tenantId, skill.skillPath)
-  ) : await readFile7(skill.skillPath, "utf8");
+  ) : await readFile8(skill.skillPath, "utf8");
   const match = raw.match(FRONTMATTER_PATTERN3);
   return match ? match[2].trim() : raw.trim();
 };
@@ -7184,7 +7443,7 @@ var readSkillResource = async (skill, relativePath, engine) => {
   if (!fullPath.startsWith(skill.skillDir)) {
     throw new Error("Path escapes the skill directory");
   }
-  return await readFile7(fullPath, "utf8");
+  return await readFile8(fullPath, "utf8");
 };
 var requireEngine = (engine) => {
   if (!engine) {
@@ -7312,8 +7571,8 @@ function convertSchema(schema) {
 
 // src/skill-tools.ts
 import { defineTool as defineTool9 } from "@poncho-ai/sdk";
-import { access as access2, readdir as readdir3, stat as stat2 } from "fs/promises";
-import { extname, normalize as normalize3, resolve as resolve10, sep as sep2 } from "path";
+import { access as access3, readdir as readdir4, stat as stat3 } from "fs/promises";
+import { extname, normalize as normalize3, resolve as resolve10, sep as sep3 } from "path";
 import { pathToFileURL } from "url";
 import { createJiti as createJiti2 } from "jiti";
 var findSkill = async (options, tenantId, name) => {
@@ -7498,7 +7757,7 @@ var createSkillTools = (options) => {
                 error: `Script "${resolved2.relativePath}" for skill "${name}" is not allowed by policy.`
               };
             }
-            await access2(resolved2.fullPath);
+            await access3(resolved2.fullPath);
             const fn2 = await loadRunnableScriptFunction(resolved2.fullPath);
             const output2 = await fn2(payload, {
               scope: "skill",
@@ -7514,7 +7773,7 @@ var createSkillTools = (options) => {
               error: `Script "${resolved.relativePath}" is not allowed by policy.`
             };
           }
-          await access2(resolved.fullPath);
+          await access3(resolved.fullPath);
           const fn = await loadRunnableScriptFunction(resolved.fullPath);
           const output = await fn(payload, {
             scope: "agent",
@@ -7534,7 +7793,7 @@ var SCRIPT_EXTENSIONS = /* @__PURE__ */ new Set([".js", ".mjs", ".cjs", ".ts", "
 var VFS_SCRIPT_EXTENSIONS = /* @__PURE__ */ new Set([".js", ".mjs", ".ts", ".mts"]);
 var listRepoSkillScripts = async (skill, isScriptAllowed) => {
   const scripts = await collectScriptFiles(skill.skillDir);
-  return scripts.map((fullPath) => fullPath.slice(skill.skillDir.length + 1).split(sep2).join("/")).filter((relativePath) => relativePath.toLowerCase() !== "skill.md").map(
+  return scripts.map((fullPath) => fullPath.slice(skill.skillDir.length + 1).split(sep3).join("/")).filter((relativePath) => relativePath.toLowerCase() !== "skill.md").map(
     (relativePath) => relativePath.includes("/") ? relativePath : `./${relativePath}`
   ).filter((path) => isScriptAllowed ? isScriptAllowed(skill.name, path) : true).sort();
 };
@@ -7567,7 +7826,7 @@ var listVfsSkillScripts = async (skill, engine, isScriptAllowed) => {
   return found.filter((path) => isScriptAllowed ? isScriptAllowed(skill.name, path) : true).sort();
 };
 var collectScriptFiles = async (directory) => {
-  const entries = await readdir3(directory, { withFileTypes: true });
+  const entries = await readdir4(directory, { withFileTypes: true });
   const files = [];
   for (const entry of entries) {
     if (entry.name === "node_modules") continue;
@@ -7576,7 +7835,7 @@ var collectScriptFiles = async (directory) => {
     let isFile = entry.isFile();
     if (entry.isSymbolicLink()) {
       try {
-        const s = await stat2(fullPath);
+        const s = await stat3(fullPath);
         isDir = s.isDirectory();
         isFile = s.isFile();
       } catch {
@@ -7598,7 +7857,7 @@ var collectScriptFiles = async (directory) => {
 };
 var normalizeScriptPolicyPath = (relativePath) => {
   const trimmed = relativePath.trim();
-  const normalized = normalize3(trimmed).split(sep2).join("/");
+  const normalized = normalize3(trimmed).split(sep3).join("/");
   if (normalized.startsWith("/")) {
     throw new Error("Script path must be relative and within the allowed directory");
   }
@@ -7612,7 +7871,7 @@ var resolveScriptPath = (baseDir, relativePath, containmentDir) => {
   const normalized = normalizeScriptPolicyPath(relativePath);
   const fullPath = resolve10(baseDir, normalized);
   const boundary = resolve10(containmentDir ?? baseDir);
-  if (!fullPath.startsWith(`${boundary}${sep2}`) && fullPath !== boundary) {
+  if (!fullPath.startsWith(`${boundary}${sep3}`) && fullPath !== boundary) {
     throw new Error("Script path must stay inside the allowed directory");
   }
   const extension = extname(fullPath).toLowerCase();
@@ -8776,6 +9035,8 @@ var AgentHarness = class _AgentHarness {
   storageEngine;
   /** Bash environment manager (creates per-tenant bash instances). */
   bashManager;
+  /** Read-only virtual mounts overlaid on the VFS. Empty by default. */
+  virtualMounts = [];
   resolveToolAccess(toolName) {
     const tools = this.loadedConfig?.tools;
     if (!tools) return true;
@@ -8789,8 +9050,8 @@ var AgentHarness = class _AgentHarness {
     return true;
   }
   isToolEnabled(name) {
-    const access3 = this.resolveToolAccess(name);
-    if (access3 === false) return false;
+    const access4 = this.resolveToolAccess(name);
+    if (access4 === false) return false;
     if (name === "write_file" || name === "edit_file" || name === "delete_file" || name === "delete_directory") {
       return this.shouldEnableWriteTool();
     }
@@ -8947,6 +9208,7 @@ var AgentHarness = class _AgentHarness {
       this.storageEngine = options.storageEngine;
       this.injectedStorageEngine = true;
     }
+    this.virtualMounts = options.virtualMounts ?? [];
     if (options.toolDefinitions?.length) {
       this.dispatcher.registerMany(options.toolDefinitions);
     }
@@ -9118,6 +9380,10 @@ var AgentHarness = class _AgentHarness {
       return this.loadedSkills;
     }
     const effectiveTenant = tenantId || "__default__";
+    const engineWithRefresh = this.storageEngine;
+    if (typeof engineWithRefresh.refreshPathCache === "function") {
+      await engineWithRefresh.refreshPathCache(effectiveTenant);
+    }
     const fingerprint = this.computeVfsSkillFingerprint(effectiveTenant);
     const cached = this.skillCache.get(effectiveTenant);
     if (cached && cached.fingerprint === fingerprint) {
@@ -9368,7 +9634,7 @@ var AgentHarness = class _AgentHarness {
     }
     try {
       const agentFilePath = resolve11(this.workingDir, "AGENT.md");
-      const rawContent = await readFile8(agentFilePath, "utf8");
+      const rawContent = await readFile9(agentFilePath, "utf8");
       if (rawContent === this.agentFileFingerprint) {
         return false;
       }
@@ -9441,7 +9707,7 @@ var AgentHarness = class _AgentHarness {
       }
     } else {
       const agentFilePath = resolve11(this.workingDir, "AGENT.md");
-      const agentRawContent = await readFile8(agentFilePath, "utf8");
+      const agentRawContent = await readFile9(agentFilePath, "utf8");
       this.parsedAgent = parseAgentMarkdown(agentRawContent);
       this.agentFileFingerprint = agentRawContent;
       const identity = await ensureAgentIdentity(this.workingDir);
@@ -9488,7 +9754,8 @@ var AgentHarness = class _AgentHarness {
       { maxFileSize, maxTotalStorage },
       bashWorkingDir,
       config?.bash,
-      config?.network
+      config?.network,
+      this.virtualMounts
     );
     this.registerIfMissing(createBashTool(this.bashManager));
     const getFs = (tenantId) => this.bashManager.getFs(tenantId);
@@ -9586,9 +9853,9 @@ var AgentHarness = class _AgentHarness {
           await writeFile6(filePath, json, "utf8");
         },
         async load() {
-          const { readFile: readFile9 } = await import("fs/promises");
+          const { readFile: readFile10 } = await import("fs/promises");
           try {
-            return await readFile9(filePath, "utf8");
+            return await readFile10(filePath, "utf8");
           } catch {
             return void 0;
           }
@@ -9607,9 +9874,9 @@ var AgentHarness = class _AgentHarness {
           await writeFile6(filePath, json, "utf8");
         },
         async load() {
-          const { readFile: readFile9 } = await import("fs/promises");
+          const { readFile: readFile10 } = await import("fs/promises");
           try {
-            return await readFile9(filePath, "utf8");
+            return await readFile10(filePath, "utf8");
           } catch {
             return void 0;
           }
@@ -9623,12 +9890,12 @@ var AgentHarness = class _AgentHarness {
     let browserMod;
     try {
       const { existsSync } = await import("fs");
-      const { join, dirname: dirname6 } = await import("path");
+      const { join: join2, dirname: dirname6 } = await import("path");
       const { pathToFileURL: pathToFileURL2 } = await import("url");
       let searchDir = this.workingDir;
       let entryPath;
       for (; ; ) {
-        const candidate = join(searchDir, "node_modules", "@poncho-ai", "browser", "dist", "index.js");
+        const candidate = join2(searchDir, "node_modules", "@poncho-ai", "browser", "dist", "index.js");
         if (existsSync(candidate)) {
           entryPath = candidate;
           break;
@@ -9949,7 +10216,7 @@ ${this.skillFingerprint}`;
           ];
           for (const file of input.files) {
             if (this.uploadStore) {
-              const buf = Buffer.from(file.data, "base64");
+              const buf = await decodeFileInputData(file.data);
               const key = deriveUploadKey(buf, file.mediaType);
               const ref = await this.uploadStore.put(key, buf, file.mediaType);
               parts.push({
@@ -13064,7 +13331,7 @@ var runConversationTurn = async (opts) => {
   if (opts.files && opts.files.length > 0 && opts.harness.uploadStore) {
     const uploadedParts = await Promise.all(
       opts.files.map(async (f) => {
-        const buf = Buffer.from(f.data, "base64");
+        const buf = await decodeFileInputData(f.data);
         const key = deriveUploadKey(buf, f.mediaType);
         const ref = await opts.harness.uploadStore.put(key, buf, f.mediaType);
         return {
@@ -13418,6 +13685,7 @@ export {
   createTurnDraftState,
   createUploadStore,
   createWriteTool,
+  decodeFileInputData,
   defaultAgentDefinition,
   defineTool13 as defineTool,
   deleteOpenAICodexSession,