@salesforce/sfdx-agent-sdk 0.16.0 → 0.18.0

package/dist/harness/agent-harness.d.ts

@@ -4,6 +4,7 @@ import type { ChatStreamResult } from '../types/events.js';
 import type { Message, MessagePart } from '../types/messages.js';
 import type { TelemetryEventCallback } from '../types/telemetry-events.js';
 import type { ToolResultInfo } from '../types/tools.js';
+import type { AgentHooks } from '../types/redaction.js';
 import type { AgentConfig, HarnessAgentConfig, StreamOptions } from './harness-config.js';
 import type { LLMGatewayClient } from '@salesforce/llm-gateway-sdk';
 export declare const SUPPORTED_PROTOCOL_VERSIONS: readonly [1];
@@ -105,10 +106,24 @@ export interface AgentHarness {
      * @param projectRoot - Project folder the agent is allowed to manipulate files from.
      * @param llmGatewayClient - Pre-configured LLM gateway client for this agent.
      * @param config - Engine-facing agent configuration (org resolution omitted).
-     * @param options - Optional execution options, including abort signals.
+     * @param options - Optional execution options.
+     *   - `abortSignal` — caller-side cancellation; harnesses thread it
+     *     through long-running install work (rules load, MCP discovery, …).
+     *   - `hooks` — per-agent {@link AgentHooks} bag, resolved by the SDK
+     *     from `createAgentManager`'s `hooksForAgent` callback. The bag is
+     *     opaque to the SDK; harnesses MUST store it on per-agent state and
+     *     route each recognized hook to their native seam (Claude
+     *     `PostToolUse`, Mastra `processInputStep`). Harnesses MUST IGNORE
+     *     hook fields they do not recognize (forward-compat). Harnesses
+     *     MUST NOT swallow hook throws — exceptions MUST propagate on the
+     *     native error path so the original tool output never leaks to the
+     *     model. The SDK does not own fail-closed semantics; consumers
+     *     wrap their hook bodies in `try`/`catch` themselves when they
+     *     want a richer fail-closed substitute.
      */
     createAgent(agentId: string, projectRoot: string, llmGatewayClient: LLMGatewayClient, config?: HarnessAgentConfig, options?: {
         abortSignal?: AbortSignal;
+        hooks?: AgentHooks;
     }): Promise<void>;
     /**
      * Destroy an agent and release its resources (MCP connections, workspace, memory).
@@ -122,6 +137,81 @@ export interface AgentHarness {
      * @returns `true` after a real removal.
      */
     destroyAgent(agentId: string): Promise<boolean>;
+    /**
+     * Apply a new configuration to a registered agent without recycling MCP
+     * clients whose `MCPServerConfig` is structurally equal to the
+     * currently-applied one.
+     *
+     * This is the load-bearing primitive behind `Agent.updateAgentConfig`'s
+     * "don't blow up live MCP clients on a model-only / instructions-only /
+     * org-connect change" contract. Pre-#541 the SDK called
+     * `destroyAgent` + `createAgent` here, which closed every MCP client and
+     * forced the model to wait through the discovery wave again. With
+     * `updateAgent` the SDK calls one method and the harness preserves
+     * unchanged servers in place.
+     *
+     * Implementors MUST:
+     *
+     * - throw `AgentSDKError(AGENT_NOT_FOUND)` on unknown `agentId`,
+     *   matching the rest of the cross-harness contract.
+     * - preserve the in-memory MCP client (and its discovered tool catalog)
+     *   for any server name whose config is `mcpServerConfigEqual` to the
+     *   currently-applied one. No transport teardown, no `tools/list`
+     *   re-run, no per-server discovery telemetry.
+     * - cycle (disconnect-then-reconnect) any server whose config differs.
+     * - disconnect any server present in the currently-applied config but
+     *   absent from the next config, removing it from
+     *   `getMcpServerInfo()`'s output.
+     * - connect any server present in the next config but absent from the
+     *   currently-applied one, running discovery the same way `createAgent`
+     *   would (background, non-blocking; failures land on
+     *   `McpServerState.error`, not as a thrown rejection).
+     * - apply non-MCP changes — `instructions`, `model`, `tools`, `skills`,
+     *   `rules`, harness-specific extra-config fields surviving via
+     *   `toHarnessConfig`'s spread — atomically with the MCP diff. After
+     *   this resolves, the agent's effective config is the one passed in.
+     * - be idempotent on a no-op call at the MCP layer: when the next
+     *   config's `mcpServers` is deep-equal (per `mcpServerConfigEqual`) to
+     *   the currently-applied one, no server is cycled, no `tools/list` is
+     *   re-run, and no per-server discovery telemetry fires. Implementors
+     *   MAY rebuild non-MCP state (e.g. Mastra reconstructs its `Agent`
+     *   unconditionally) — that work is local and cheap; correct no-op
+     *   detection across `orgJwt` rotation, hook-bag closures, and
+     *   harness-specific extra-config fields is not.
+     * - write per-server state incrementally so a subsequent `updateAgent`
+     *   call (e.g. SDK rollback against `previousConfig`) sees the harness's
+     *   current truth, not a snapshot from the start of the failed update.
+     *
+     * Implementors MUST NOT:
+     *
+     * - touch persisted thread / session state. Sessions are config-
+     *   independent — `Agent.updateAgentConfig` does not invalidate them.
+     * - dispose in-flight stream coordinators. In-flight turns continue
+     *   executing against the agent state captured at stream-start; the
+     *   next `stream()` after this resolves uses the new state.
+     * - mutate `AgentConfig` or persist anything to disk. Persistence is
+     *   the SDK's responsibility (`AgentIdentityStore.write` is gated by
+     *   `Agent.updateAgentConfig` after this method resolves).
+     *
+     * @param agentId - ID of the agent to update.
+     * @param llmGatewayClient - LLM gateway client bound to the next config's org / model.
+     * @param config - Engine-facing agent configuration to apply.
+     * @param options - Optional execution options.
+     *   - `abortSignal` — caller-side cancellation; harnesses thread it
+     *     through long-running update work (rules load, MCP discovery, …).
+     *   - `hooks` — per-agent {@link AgentHooks} bag, resolved by the SDK
+     *     from `createAgentManager`'s `hooksForAgent` callback against the
+     *     incoming `nextConfig`. Same semantics as `createAgent.options.hooks`:
+     *     opaque to the SDK; harnesses store it on per-agent state and
+     *     re-route each recognized hook to its native seam. The bag is
+     *     re-resolved on every `updateAgent` so consumers can vary hooks by
+     *     config (and so a rollback `updateAgent(previousConfig)` restores
+     *     the prior hook bag too).
+     */
+    updateAgent(agentId: string, llmGatewayClient: LLMGatewayClient, config?: HarnessAgentConfig, options?: {
+        abortSignal?: AbortSignal;
+        hooks?: AgentHooks;
+    }): Promise<void>;
     /**
      * List the IDs of all currently registered agents.
      */

package/dist/harness/always-active.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Tool-exposure policy entry shape consumed by both
+ * {@link MastraAgentConfig.toolSearch.alwaysActive} and
+ * {@link ClaudeAgentConfig.toolSearch.alwaysActive}.
+ *
+ * One entry covers three matching patterns:
+ *
+ * | Entry shape | Matches |
+ * | --- | --- |
+ * | `{ serverName: 'X' }` | every tool advertised by server `X` (post-discovery expansion) |
+ * | `{ serverName: 'X', toolName: 'Y' }` | exactly tool `Y` on server `X` |
+ * | `{ toolName: 'Y' }` | any tool named `Y`, **regardless of source** — built-ins, workspace tools, consumer-declared tools, AND any MCP server's tool surface |
+ *
+ * The `{ toolName }` pattern is intentionally broad — it's the consumer's
+ * escape hatch for "I want this tool always-active and I don't care where it
+ * comes from." The `{ serverName, toolName }` form is the precise version for
+ * when ambiguity matters.
+ *
+ * **Validation rule:** at least one of `serverName` or `toolName` must be
+ * present. An empty `{}` is rejected at config time via
+ * {@link validateAlwaysActiveEntry} — a typo should fail loud, not silently
+ * match nothing (and definitely not silently match everything).
+ *
+ * Lives on the harness public surface (`@salesforce/sfdx-agent-sdk/harness`)
+ * because it's harness-implementation shape that both production harnesses
+ * share. Ready to graduate to `AgentConfig.toolSearch` on the SDK contract
+ * surface once a third harness exercises it — same graduation pattern PR
+ * #563 established for `skillSearch`.
+ */
+export type AlwaysActiveEntry = {
+    serverName: string;
+    toolName?: string;
+} | {
+    serverName?: undefined;
+    toolName: string;
+};
+/**
+ * Throws on an entry whose `serverName` AND `toolName` are both absent. Both
+ * harness boundaries call this on every entry before reading it so a typo
+ * (`{}` / `{ severName: 'X' }` with a misspelled key) fails loud at config
+ * time rather than silently dropping the entry — or worse, silently matching
+ * nothing while looking like it should match everything.
+ */
+export declare function validateAlwaysActiveEntry(entry: AlwaysActiveEntry): void;
+/**
+ * Returns `true` when `(serverName, toolName)` matches at least one entry in
+ * `entries`. Pure / deterministic; harnesses call it per-tool when building
+ * their tool catalogs.
+ *
+ * - `{ serverName: 'X' }` matches every tool from server X.
+ * - `{ serverName: 'X', toolName: 'Y' }` matches only `Y` on `X`.
+ * - `{ toolName: 'Y' }` matches `Y` from any source (built-ins, workspace,
+ *   consumer-declared tools, every connected MCP server).
+ *
+ * For tools without a server (built-ins, in-process workspace), pass
+ * `serverName: undefined`. The `{ toolName }`-only entries match those;
+ * `{ serverName: 'X' }` and `{ serverName: 'X', toolName: ... }` entries do
+ * not.
+ */
+export declare function matchesAlwaysActive(entries: readonly AlwaysActiveEntry[] | undefined, serverName: string | undefined, toolName: string): boolean;

package/dist/harness/always-active.js

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2026, Salesforce, Inc. All rights reserved.
+ * See LICENSE.txt for license terms.
+ */
+/**
+ * Throws on an entry whose `serverName` AND `toolName` are both absent. Both
+ * harness boundaries call this on every entry before reading it so a typo
+ * (`{}` / `{ severName: 'X' }` with a misspelled key) fails loud at config
+ * time rather than silently dropping the entry — or worse, silently matching
+ * nothing while looking like it should match everything.
+ */
+export function validateAlwaysActiveEntry(entry) {
+    const serverName = entry.serverName;
+    const toolName = entry.toolName;
+    if ((typeof serverName !== 'string' || serverName.length === 0) &&
+        (typeof toolName !== 'string' || toolName.length === 0)) {
+        throw new Error('AlwaysActiveEntry must declare at least one of `serverName` or `toolName` (received: ' +
+            JSON.stringify(entry) +
+            ')');
+    }
+}
+/**
+ * Returns `true` when `(serverName, toolName)` matches at least one entry in
+ * `entries`. Pure / deterministic; harnesses call it per-tool when building
+ * their tool catalogs.
+ *
+ * - `{ serverName: 'X' }` matches every tool from server X.
+ * - `{ serverName: 'X', toolName: 'Y' }` matches only `Y` on `X`.
+ * - `{ toolName: 'Y' }` matches `Y` from any source (built-ins, workspace,
+ *   consumer-declared tools, every connected MCP server).
+ *
+ * For tools without a server (built-ins, in-process workspace), pass
+ * `serverName: undefined`. The `{ toolName }`-only entries match those;
+ * `{ serverName: 'X' }` and `{ serverName: 'X', toolName: ... }` entries do
+ * not.
+ */
+export function matchesAlwaysActive(entries, serverName, toolName) {
+    if (!entries || entries.length === 0)
+        return false;
+    for (const entry of entries) {
+        const entryServer = entry.serverName;
+        const entryTool = entry.toolName;
+        if (entryServer !== undefined) {
+            if (entryServer !== serverName)
+                continue;
+            if (entryTool === undefined)
+                return true; // server-wide
+            if (entryTool === toolName)
+                return true; // exact server+tool
+            continue;
+        }
+        // entryServer === undefined ⇒ entryTool MUST be defined (validated upstream)
+        if (entryTool === toolName)
+            return true;
+    }
+    return false;
+}
+//# sourceMappingURL=always-active.js.map

package/dist/harness/public.d.ts

@@ -43,7 +43,10 @@
  * not "harness vs. consumer."
  */
 export type { AgentHarness, HarnessFactory, WithAgentConfig, ConfigOf } from './index.js';
+export type { AgentHooks } from '../types/redaction.js';
 export { SUPPORTED_PROTOCOL_VERSIONS } from './agent-harness.js';
+export { mcpServerConfigEqual } from '../mcp-config.js';
 export { HarnessBusOwner } from './harness-bus-owner.js';
 export { lowerStreamInput, type InputMessagePart } from './stream-input.js';
 export { GenSink } from './gen-sink.js';
+export { matchesAlwaysActive, validateAlwaysActiveEntry, type AlwaysActiveEntry } from './always-active.js';

package/dist/harness/public.js

@@ -3,8 +3,10 @@
  * See LICENSE.txt for license terms.
  */
 export { SUPPORTED_PROTOCOL_VERSIONS } from './agent-harness.js';
+export { mcpServerConfigEqual } from '../mcp-config.js';
 // ── Harness-implementation helpers ──────────────────────────────────
 export { HarnessBusOwner } from './harness-bus-owner.js';
 export { lowerStreamInput } from './stream-input.js';
 export { GenSink } from './gen-sink.js';
+export { matchesAlwaysActive, validateAlwaysActiveEntry } from './always-active.js';
 //# sourceMappingURL=public.js.map

package/dist/index.d.ts

@@ -2,10 +2,11 @@ export type { Message, MessagePart, ImagePart, FilePart } from './types/messages
 export type { ChatEvent, StartEvent, TextDeltaEvent, ReasoningDeltaEvent, ToolCallEvent, ToolApprovalRequestEvent, ToolResultEvent, StepStartEvent, StepFinishEvent, ErrorEvent, FinishEvent, ChatStreamResult, } from './types/events.js';
 export type { ToolDefinition, ToolCallInfo, ToolResultInfo } from './types/tools.js';
 export type { ContextUsage, FinishReason, UsageMetadata } from './types/usage.js';
+export type { AgentHooks, HooksForAgent, ToolResultRedactor, ToolResultRedactionInput, ToolResultRedactionResult, } from './types/redaction.js';
 export type { AgentConfig, HarnessAgentConfig, StreamOptions, ToolApprovalMode } from './harness/harness-config.js';
 export { DEFAULT_MAX_STEPS, resolveToolApprovalMode } from './harness/harness-config.js';
 export type { MCPConfiguration, MCPServerConfig, MCPStdioServerConfig, MCPRemoteServerConfig, McpServerInfo, McpServerErrorCategory, McpServerErrorDetail, McpToolInfo, McpToolAnnotations, } from './mcp-config.js';
-export { McpServerStatus } from './mcp-config.js';
+export { McpServerStatus, mcpServerConfigEqual } from './mcp-config.js';
 export { Model, ModelName, createClaudeModel } from '@salesforce/llm-gateway-sdk';
 export type { ClaudeModelOverrides } from '@salesforce/llm-gateway-sdk';
 export { inferSfApiEnv, SfApiEnv } from '@salesforce/agentic-common';

package/dist/index.js

@@ -3,7 +3,7 @@
  * See LICENSE.txt for license terms.
  */
 export { DEFAULT_MAX_STEPS, resolveToolApprovalMode } from './harness/harness-config.js';
-export { McpServerStatus } from './mcp-config.js';
+export { McpServerStatus, mcpServerConfigEqual } from './mcp-config.js';
 export { Model, ModelName, createClaudeModel } from '@salesforce/llm-gateway-sdk';
 export { inferSfApiEnv, SfApiEnv } from '@salesforce/agentic-common';
 // ── Agent Layer ─────────────────────────────────────────────────────

package/dist/mcp-config.d.ts

@@ -34,25 +34,6 @@ export type MCPStdioServerConfig = {
     enabled?: boolean;
     /** Timeout in milliseconds for individual requests to the server. */
     timeout?: number;
-    /**
-     * Opt the server's tool surface out of the active runtime's tool-search
-     * deferral. When `true`, every tool advertised by this server is
-     * registered with the model up-front instead of sitting behind a
-     * search/load round-trip. Useful for small, discovery-critical surfaces
-     * (e.g. ≤ 10 tools the model needs to find without prompting). Default
-     * (`undefined` / `false`): tools may be deferred when the active runtime
-     * enables tool search.
-     *
-     * **Harness behavior:**
-     * - **Claude harness** — sets `_meta['anthropic/alwaysLoad'] = true` on
-     *   each tool the bridge forwards, equivalent to
-     *   `defer_loading: false` on the API. Skill-bridge and consumer-tool
-     *   tools are always-load regardless of this flag (see
-     *   `@salesforce/sfdx-agent-harness-claude` ARCHITECTURE.md).
-     * - **Mastra harness** — no-op; Mastra eager-loads MCP tools at every
-     *   turn already, so there's no deferral to opt out of.
-     */
-    alwaysLoad?: boolean;
 };
 /** MCP server accessible over HTTP/SSE at a remote URL. */
 export type MCPRemoteServerConfig = {
@@ -91,11 +72,6 @@ export type MCPRemoteServerConfig = {
         /** Factor by which the reconnection delay grows after each attempt. Default `1.5`. */
         reconnectionDelayGrowFactor?: number;
     };
-    /**
-     * Opt the server's tool surface out of the active runtime's tool-search
-     * deferral. See {@link MCPStdioServerConfig.alwaysLoad}.
-     */
-    alwaysLoad?: boolean;
 };
 /** Connection status of a single MCP server. */
 export declare enum McpServerStatus {
@@ -260,6 +236,36 @@ export type McpServerErrorDetail = {
      */
     retriable: boolean;
 };
+/**
+ * Structural deep-equality predicate over {@link MCPServerConfig}. Returns
+ * `true` when two configs would behave identically at the harness layer —
+ * meaning a harness handed `b` while currently bound to `a` MUST be free to
+ * preserve its existing transport, client instance, and discovered tool
+ * catalog without cycling.
+ *
+ * Used by harnesses inside `AgentHarness.updateAgent` to decide which MCP
+ * servers to preserve vs. cycle when an agent's config changes. Exported so
+ * both production harnesses use the same equality and a third harness can
+ * adopt it without duplicating the rules.
+ *
+ * **Equality rules:**
+ * - Both `undefined` ⇒ `true`. Exactly one `undefined` ⇒ `false`.
+ * - `type` mismatch ⇒ `false` (the discriminated union splits stdio vs remote).
+ * - `enabled: undefined` and `enabled: true` compare equal — both type docs
+ *   declare `true` as the default.
+ * - Stdio: structural compare on `command`, `args` (order-sensitive),
+ *   `env` (key-order-insensitive), `timeout`.
+ * - Remote: `url` is compared via `String(url)` so `URL` instances and
+ *   strings round-trip; `headers` (key-order-insensitive); `timeout`,
+ *   `reconnectionOptions` (field-wise).
+ *
+ * Two configs that pass this predicate but produce different runtime tools
+ * (e.g. an upstream stdio server whose binary was overwritten on disk) are
+ * NOT detected here — the predicate compares declared config, not runtime
+ * state. Use `Agent.reconnectMcpServer(name)` to force a per-server cycle in
+ * that case.
+ */
+export declare function mcpServerConfigEqual(a: MCPServerConfig | undefined, b: MCPServerConfig | undefined): boolean;
 /** Runtime status of a configured MCP server, including its discovered tools. */
 export type McpServerInfo = {
     name: string;

package/dist/mcp-config.js

@@ -17,4 +17,102 @@ export var McpServerStatus;
      */
     McpServerStatus["Reconnecting"] = "reconnecting";
 })(McpServerStatus || (McpServerStatus = {}));
+/**
+ * Structural deep-equality predicate over {@link MCPServerConfig}. Returns
+ * `true` when two configs would behave identically at the harness layer —
+ * meaning a harness handed `b` while currently bound to `a` MUST be free to
+ * preserve its existing transport, client instance, and discovered tool
+ * catalog without cycling.
+ *
+ * Used by harnesses inside `AgentHarness.updateAgent` to decide which MCP
+ * servers to preserve vs. cycle when an agent's config changes. Exported so
+ * both production harnesses use the same equality and a third harness can
+ * adopt it without duplicating the rules.
+ *
+ * **Equality rules:**
+ * - Both `undefined` ⇒ `true`. Exactly one `undefined` ⇒ `false`.
+ * - `type` mismatch ⇒ `false` (the discriminated union splits stdio vs remote).
+ * - `enabled: undefined` and `enabled: true` compare equal — both type docs
+ *   declare `true` as the default.
+ * - Stdio: structural compare on `command`, `args` (order-sensitive),
+ *   `env` (key-order-insensitive), `timeout`.
+ * - Remote: `url` is compared via `String(url)` so `URL` instances and
+ *   strings round-trip; `headers` (key-order-insensitive); `timeout`,
+ *   `reconnectionOptions` (field-wise).
+ *
+ * Two configs that pass this predicate but produce different runtime tools
+ * (e.g. an upstream stdio server whose binary was overwritten on disk) are
+ * NOT detected here — the predicate compares declared config, not runtime
+ * state. Use `Agent.reconnectMcpServer(name)` to force a per-server cycle in
+ * that case.
+ */
+export function mcpServerConfigEqual(a, b) {
+    if (a === b)
+        return true;
+    if (!a || !b)
+        return false;
+    if (a.type !== b.type)
+        return false;
+    if ((a.enabled ?? true) !== (b.enabled ?? true))
+        return false;
+    if (a.timeout !== b.timeout)
+        return false;
+    if (a.type === 'stdio' && b.type === 'stdio') {
+        if (a.command !== b.command)
+            return false;
+        if (!arraysEqual(a.args, b.args))
+            return false;
+        if (!recordsEqual(a.env, b.env))
+            return false;
+        return true;
+    }
+    if (a.type === 'remote' && b.type === 'remote') {
+        if (String(a.url) !== String(b.url))
+            return false;
+        if (!recordsEqual(a.headers, b.headers))
+            return false;
+        if (!reconnectionOptionsEqual(a.reconnectionOptions, b.reconnectionOptions))
+            return false;
+        return true;
+    }
+    return false;
+}
+function arraysEqual(a, b) {
+    if (a === b)
+        return true;
+    if (!a || !b)
+        return (a?.length ?? 0) === (b?.length ?? 0);
+    if (a.length !== b.length)
+        return false;
+    for (let i = 0; i < a.length; i++) {
+        if (a[i] !== b[i])
+            return false;
+    }
+    return true;
+}
+function recordsEqual(a, b) {
+    if (a === b)
+        return true;
+    const aKeys = a ? Object.keys(a) : [];
+    const bKeys = b ? Object.keys(b) : [];
+    if (aKeys.length !== bKeys.length)
+        return false;
+    for (const k of aKeys) {
+        if (!Object.prototype.hasOwnProperty.call(b ?? {}, k))
+            return false;
+        if (a[k] !== b[k])
+            return false;
+    }
+    return true;
+}
+function reconnectionOptionsEqual(a, b) {
+    if (a === b)
+        return true;
+    if (!a || !b)
+        return !a && !b;
+    return (a.maxRetries === b.maxRetries &&
+        a.initialReconnectionDelay === b.initialReconnectionDelay &&
+        a.maxReconnectionDelay === b.maxReconnectionDelay &&
+        a.reconnectionDelayGrowFactor === b.reconnectionDelayGrowFactor);
+}
 //# sourceMappingURL=mcp-config.js.map

package/dist/types/redaction.d.ts

@@ -0,0 +1,171 @@
+import type { AgentConfig } from '../harness/harness-config.js';
+/**
+ * Sync-or-async callback the harness invokes for every tool result before it
+ * enters the model's context. The redactor inspects the upstream output and
+ * either replaces it (returning `{ output }`) or passes it through unchanged
+ * (returning `undefined`).
+ *
+ * Wired per-agent via {@link HooksForAgent} on `createAgentManager`; the SDK
+ * surfaces it inside the harness through {@link AgentHooks.onToolResult} on
+ * `AgentHarness.createAgent`'s `options.hooks` bag. A single registration
+ * covers built-in tools (`Bash`, `Read`, `Edit`, …), MCP tools, and
+ * consumer-executed tools declared via {@link AgentConfig.tools}.
+ *
+ * ### Why this lives in the harness layer
+ *
+ * Once a tool result reaches the SDK boundary the model has already seen it —
+ * any value can then be echoed in the reply, routed into a later tool call
+ * (`Bash` arg, file write), or sent to provider logs. Redaction has to fire
+ * INSIDE the engine, before the result is folded into the model's next
+ * request. The SDK exposes a harness-agnostic shape; each harness wires its
+ * native seam (Claude Agent SDK `PostToolUse` hook,
+ * Mastra `processInputStep`).
+ *
+ * ### Audit / preserving the original
+ *
+ * The redactor sees the unmodified `output` at the call site. Consumers that
+ * need an audit trail of the original value MUST log it themselves before
+ * returning the redaction. The SDK does not put the original on its telemetry
+ * bus or persist it anywhere — that would defeat the point.
+ *
+ * ### Throw policy is the consumer's
+ *
+ * The SDK does not own fail-closed semantics. If the redactor throws, the
+ * harness re-throws on its native error path: Claude routes through the
+ * Claude Agent SDK's `PostToolUse` hook-error path (which synthesizes a
+ * `tool_result(is_error=true)`); Mastra propagates from `processInputStep`
+ * and surfaces as an `error` ChatEvent on the consumer's eventStream.
+ * Consumers requiring a richer fail-closed substitute wrap their redactor's
+ * body in `try`/`catch` themselves — see the SDK README's
+ * "Tool-Result Redaction" section for the recommended boilerplate.
+ *
+ * ### Tool-shape constraints
+ *
+ * The harness does NOT validate that the replacement `output` has the same
+ * shape as the original — the redactor knows what tool it is redacting and
+ * is responsible for honoring that tool's expected return shape. Notable
+ * cases:
+ *
+ * - **Claude built-in `Bash`** — the replacement MUST keep the
+ *   `{ stdout, stderr, interrupted }` shape. A bare-string return is rejected
+ *   by the Claude Agent SDK and the original leaks.
+ * - **MCP tools** — the replacement MUST be a valid MCP `CallToolResult`
+ *   shape (`{ content: [...], isError? }`).
+ * - **Consumer-executed tools** — replacement passes through unchanged to
+ *   `submitToolResult`, so any shape the consumer accepts is fine.
+ *
+ * ### Performance
+ *
+ * Both harnesses skip their per-result hook entirely when
+ * `hooks.onToolResult` is undefined, so the no-op overhead is exactly zero.
+ * When set, both engines await the redactor (sync redactors collapse to a
+ * microtask).
+ *
+ * @example
+ * ```ts
+ * const redactor: ToolResultRedactor = ({ toolName, output, isError }) => {
+ *     // Caller-side audit (consumer's responsibility — SDK does not log originals).
+ *     auditLog.write({ toolName, originalLength: JSON.stringify(output).length });
+ *
+ *     // Bash needs its native shape preserved.
+ *     if (toolName === 'Bash') {
+ *         const bash = output as { stdout: string; stderr: string; interrupted: boolean };
+ *         return { output: { ...bash, stdout: scrub(bash.stdout), stderr: scrub(bash.stderr) } };
+ *     }
+ *
+ *     // Other tools: walk the structured output and scrub field-by-field.
+ *     return { output: scrubDeep(output) };
+ * };
+ *
+ * const manager = await createAgentManager(storage, factory, {
+ *     hooksForAgent: () => ({ onToolResult: redactor }),
+ * });
+ * ```
+ */
+export type ToolResultRedactor = (input: ToolResultRedactionInput) => ToolResultRedactionResult | Promise<ToolResultRedactionResult>;
+/**
+ * Inputs the harness hands the {@link ToolResultRedactor} for each tool
+ * result. Carries enough identity for the redactor to decide what (if
+ * anything) to redact and to attribute audit log entries.
+ */
+export type ToolResultRedactionInput = {
+    /** Agent that produced the tool result. */
+    agentId: string;
+    /** Conversation thread the result belongs to. */
+    threadId: string;
+    /** Stable id linking this result to the originating `tool-call` event. */
+    toolCallId: string;
+    /** Tool name the model invoked. Built-in / consumer / namespaced MCP form depends on the harness. */
+    toolName: string;
+    /**
+     * Originating MCP server when the tool came from an MCP catalog.
+     * `undefined` for built-ins, consumer-executed tools, and Mastra workspace
+     * tools. Mirrors the enrichment on {@link ToolResultEvent.serverName}.
+     */
+    serverName?: string;
+    /**
+     * Raw upstream output, exactly as the engine received it. The redactor
+     * MUST treat this as input only — mutating it is undefined behavior.
+     */
+    output: unknown;
+    /** `true` when the tool execution failed (engine flagged the result as an error). */
+    isError: boolean;
+};
+/**
+ * Return value from a {@link ToolResultRedactor} invocation.
+ *
+ * - `{ output }` — replace the original with this value.
+ * - `undefined` — pass the original through unchanged.
+ *
+ * The function signature already permits "no return" (an arrow body that
+ * doesn't `return` resolves to `undefined`), so a separate `void` variant
+ * isn't needed in the value-type union.
+ *
+ * The replacement shape MUST match what the originating tool produces. See
+ * the tool-shape notes on {@link ToolResultRedactor} for the harness-specific
+ * constraints (notably the Claude `Bash` `{ stdout, stderr, interrupted }`
+ * requirement).
+ */
+export type ToolResultRedactionResult = {
+    output: unknown;
+} | undefined;
+/**
+ * Per-agent hook bag the SDK resolves once per agent install / update via
+ * {@link HooksForAgent} and threads through to the harness on
+ * `AgentHarness.createAgent`'s `options.hooks`. Today the bag carries one
+ * field; the shape is open so future hooks (e.g. `onToolCall`, `onStep`)
+ * can be added without churning `*HarnessFactoryConfig`s.
+ *
+ * Harnesses MUST treat this object as opaque: store it on per-agent state,
+ * route the hooks they recognize to their native seam, and IGNORE unknown
+ * fields (forward-compat). Harnesses MUST NOT swallow hook throws — an
+ * exception from a hook MUST propagate on the harness's native error path
+ * so the original value never leaks to the model.
+ *
+ * The SDK never reads, persists, or surfaces this bag on its telemetry bus.
+ */
+export type AgentHooks = {
+    /**
+     * Optional redactor invoked for every tool result before it enters the
+     * model's context. See {@link ToolResultRedactor}. Each harness routes
+     * this to its native seam (Claude `PostToolUse`, Mastra
+     * `processInputStep`); the SDK does not enforce fail-closed semantics.
+     */
+    onToolResult?: ToolResultRedactor;
+};
+/**
+ * Resolves a per-agent {@link AgentHooks} bag from the agent's id and the
+ * config the SDK currently has on file for that agent. Invoked by
+ * `AgentManager` once per agent install (`createAgent`, boot-time restore,
+ * `Agent.updateAgentConfig`); the resolved bag is handed to
+ * `AgentHarness.createAgent`'s `options.hooks`.
+ *
+ * The callback is sync — the SDK does not await. Consumers needing async
+ * setup (e.g. remote feature flags) pre-resolve before constructing the
+ * manager.
+ *
+ * Consumers with one global policy ignore both arguments and return the
+ * same bag every time; consumers wanting per-agent variation branch on
+ * `agentId` or fields of `config`.
+ */
+export type HooksForAgent = (agentId: string, config: AgentConfig) => AgentHooks;

package/dist/types/redaction.js

@@ -0,0 +1,6 @@
+/*
+ * Copyright 2026, Salesforce, Inc. All rights reserved.
+ * See LICENSE.txt for license terms.
+ */
+export {};
+//# sourceMappingURL=redaction.js.map