@skaile/workspaces 0.16.0 → 0.17.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (91) hide show
  1. package/CHANGELOG.md +35 -0
  2. package/dist/{asset-feeds-L4ROBIAZ.js → asset-feeds-CQU46DYQ.js} +8 -8
  3. package/dist/{asset-feeds-L4ROBIAZ.js.map → asset-feeds-CQU46DYQ.js.map} +1 -1
  4. package/dist/asset-manager/index.js +6 -6
  5. package/dist/asset-manager/installer.js +5 -5
  6. package/dist/base-assets/connectors/deploy.js +6 -6
  7. package/dist/base-assets/connectors/devserver.js +6 -6
  8. package/dist/base-assets/connectors/flow/adapter.js +6 -6
  9. package/dist/base-assets/connectors/flow/run-flow.js +7 -7
  10. package/dist/base-assets/connectors/flow.js +6 -6
  11. package/dist/base-assets/connectors/git/driver.d.ts.map +1 -1
  12. package/dist/base-assets/connectors/git.js +6 -6
  13. package/dist/base-assets/connectors/gmail.js +6 -6
  14. package/dist/base-assets/connectors/googledrive.js +6 -6
  15. package/dist/base-assets/connectors/local.js +6 -6
  16. package/dist/base-assets/connectors/mattermost.js +6 -6
  17. package/dist/base-assets/connectors/memory.js +6 -6
  18. package/dist/base-assets/connectors/minio.js +6 -6
  19. package/dist/base-assets/connectors/postgres.js +6 -6
  20. package/dist/base-assets/connectors/redis.js +6 -6
  21. package/dist/base-assets/connectors/s3.js +6 -6
  22. package/dist/base-assets/connectors/sharepoint.js +6 -6
  23. package/dist/base-assets/connectors/sqlite.js +6 -6
  24. package/dist/base-assets/connectors/static-server.js +6 -6
  25. package/dist/base-assets/connectors/tunnel.js +6 -6
  26. package/dist/base-assets/connectors/webdav.js +6 -6
  27. package/dist/base-assets/connectors/xstate-store.js +6 -6
  28. package/dist/base-assets/connectors/xstate.js +6 -6
  29. package/dist/base-assets/connectors/yjs.js +6 -6
  30. package/dist/{chunk-GKIA2PU5.js → chunk-2GX7BE7Q.js} +3 -3
  31. package/dist/{chunk-GKIA2PU5.js.map → chunk-2GX7BE7Q.js.map} +1 -1
  32. package/dist/{chunk-4BRSVK7Q.js → chunk-ATTIX7H2.js} +3 -3
  33. package/dist/{chunk-4BRSVK7Q.js.map → chunk-ATTIX7H2.js.map} +1 -1
  34. package/dist/{chunk-FNCYNUGS.js → chunk-B3XHLXGD.js} +3 -3
  35. package/dist/{chunk-FNCYNUGS.js.map → chunk-B3XHLXGD.js.map} +1 -1
  36. package/dist/{chunk-ZUQXHBEH.js → chunk-D6GE2WA2.js} +2 -2
  37. package/dist/{chunk-ZUQXHBEH.js.map → chunk-D6GE2WA2.js.map} +1 -1
  38. package/dist/{chunk-YMMWP3YL.js → chunk-F6RXWVRE.js} +6 -6
  39. package/dist/{chunk-YMMWP3YL.js.map → chunk-F6RXWVRE.js.map} +1 -1
  40. package/dist/{chunk-ZHLRRT5D.js → chunk-FRPKLIEZ.js} +36 -3
  41. package/dist/chunk-FRPKLIEZ.js.map +1 -0
  42. package/dist/{chunk-SMFZFFIZ.js → chunk-FVWBLAXL.js} +3 -3
  43. package/dist/{chunk-SMFZFFIZ.js.map → chunk-FVWBLAXL.js.map} +1 -1
  44. package/dist/{chunk-ALJM24WL.js → chunk-G5E44VG7.js} +5 -5
  45. package/dist/{chunk-ALJM24WL.js.map → chunk-G5E44VG7.js.map} +1 -1
  46. package/dist/{chunk-YW36VEVN.js → chunk-JMB6VR3I.js} +38 -6
  47. package/dist/chunk-JMB6VR3I.js.map +1 -0
  48. package/dist/{chunk-42YLNYFK.js → chunk-KIGZYGCM.js} +4 -4
  49. package/dist/{chunk-42YLNYFK.js.map → chunk-KIGZYGCM.js.map} +1 -1
  50. package/dist/{chunk-SOQMVRQL.js → chunk-N2C3A5PS.js} +3 -3
  51. package/dist/{chunk-SOQMVRQL.js.map → chunk-N2C3A5PS.js.map} +1 -1
  52. package/dist/{chunk-IY4X7PZN.js → chunk-PBBGKI3L.js} +4 -4
  53. package/dist/{chunk-IY4X7PZN.js.map → chunk-PBBGKI3L.js.map} +1 -1
  54. package/dist/{chunk-75M5W7FX.js → chunk-RVPZOFSQ.js} +8 -8
  55. package/dist/{chunk-75M5W7FX.js.map → chunk-RVPZOFSQ.js.map} +1 -1
  56. package/dist/{chunk-KJ2LLWRF.js → chunk-VMUQAISH.js} +3 -3
  57. package/dist/{chunk-KJ2LLWRF.js.map → chunk-VMUQAISH.js.map} +1 -1
  58. package/dist/{chunk-3DS5VIQP.js → chunk-WGPT6FV6.js} +4 -4
  59. package/dist/{chunk-3DS5VIQP.js.map → chunk-WGPT6FV6.js.map} +1 -1
  60. package/dist/cli/index.js +73 -36
  61. package/dist/cli/index.js.map +1 -1
  62. package/dist/cli/src/commands/manage.d.ts +22 -2
  63. package/dist/cli/src/commands/manage.d.ts.map +1 -1
  64. package/dist/connectors/config.js +5 -5
  65. package/dist/connectors/index.js +6 -6
  66. package/dist/core/index.js +4 -4
  67. package/dist/core/manifest.js +1 -1
  68. package/dist/core/runtime-assets.js +3 -3
  69. package/dist/core/src/manifest.d.ts.map +1 -1
  70. package/dist/core/workspace-config.js +2 -2
  71. package/dist/discovery/index.js +2 -2
  72. package/dist/{ensure-sources-V26CZNJF.js → ensure-sources-HA6L3FBS.js} +8 -8
  73. package/dist/{ensure-sources-V26CZNJF.js.map → ensure-sources-HA6L3FBS.js.map} +1 -1
  74. package/dist/library/index.js +3 -3
  75. package/dist/{open-library-T6RXQJTQ.js → open-library-ICKZYC5K.js} +6 -6
  76. package/dist/{open-library-T6RXQJTQ.js.map → open-library-ICKZYC5K.js.map} +1 -1
  77. package/dist/runner/index.js +8 -8
  78. package/dist/sdk/asset-manager.js +6 -6
  79. package/dist/sdk/core.js +4 -4
  80. package/dist/sdk/index.js +8 -8
  81. package/dist/sdk/runner.js +8 -8
  82. package/dist/{setup-R6VWIPLL.js → setup-DT4VSWSM.js} +6 -6
  83. package/dist/{setup-R6VWIPLL.js.map → setup-DT4VSWSM.js.map} +1 -1
  84. package/dist/store-client-TZ4L73TH.js +14 -0
  85. package/dist/{store-client-FLD3XUY7.js.map → store-client-TZ4L73TH.js.map} +1 -1
  86. package/dist/tui/index.js +8 -8
  87. package/dist/workspace-plugin/index.js +1 -1
  88. package/package.json +1 -1
  89. package/dist/chunk-YW36VEVN.js.map +0 -1
  90. package/dist/chunk-ZHLRRT5D.js.map +0 -1
  91. package/dist/store-client-FLD3XUY7.js +0 -14
package/dist/{chunk-KJ2LLWRF.js → chunk-VMUQAISH.js} RENAMED
@@ -1,4 +1,4 @@
1
- import { resolveSkWorkspaceConfig } from './chunk-SOQMVRQL.js';
1
+ import { resolveSkWorkspaceConfig } from './chunk-N2C3A5PS.js';
2
2
  import { createLogger } from './chunk-24UIWON4.js';
3
3
 
4
4
  // connectors/src/secrets.ts
@@ -302,5 +302,5 @@ function resolveAuthRef(auth, mountId) {
302
302
  }
303
303
 
304
304
  export { EnvSecretProvider, ForgeSecretProvider, InMemorySecretProvider, LegacyAuthGrammarError, LockedSecretProvider, OAuthRequiredError, PreMintedSecretProvider, SecretProviderChain, createCliSecretProviderChain, createForgeSecretProviderChain, loadConnectorDeclarations, resolveAuth, resolveAuthRef, resolveBackendAuthFor };
305
- //# sourceMappingURL=chunk-KJ2LLWRF.js.map
306
- //# sourceMappingURL=chunk-KJ2LLWRF.js.map
305
+ //# sourceMappingURL=chunk-VMUQAISH.js.map
306
+ //# sourceMappingURL=chunk-VMUQAISH.js.map
package/dist/{chunk-KJ2LLWRF.js.map → chunk-VMUQAISH.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"sources":["../connectors/src/secrets.ts","../connectors/src/config.ts"],"names":[],"mappings":";;;;AAUA,IAAM,MAAM,YAAA,CAAa,EAAE,MAAM,WAAA,EAAa,OAAA,EAAS,WAAW,CAAA;AAqD3D,IAAM,yBAAN,MAAoE;AAAA,EACxD,KAAA,uBAAY,GAAA,EAAoB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOjD,UAAU,OAAA,EAAuC;AAC/C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,IAC3B;AAAA,EACF;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAC9D,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,QAAQ,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAEhE,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AACjC,IAAA,IAAI,MAAA,KAAW,QAAW,OAAO,MAAA;AACjC,IAAA,OAAO,GAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,IAAA,EAAM,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,IAAA,EAAO,CAAC,CAAA,CAAE,CAAA;AAAA,EACrD;AACF;AASO,IAAM,oBAAN,MAAkD;AAAA,EACvD,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG,OAAO,QAAQ,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAC3D,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,CAAE,IAAI,CAAC,CAAA,KAAM,CAAA,IAAA,EAAO,CAAC,CAAA,CAAE,CAAA;AAAA,EACvD;AACF;AA0CO,IAAM,0BAAN,MAAwD;AAAA,EAC5C,KAAA,uBAAY,GAAA,EAAiC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAW9D,YAAY,WAAA,EAGT;AACD,IAAA,IAAI,CAAC,WAAA,EAAa;AAClB,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,IAAI,CAAA,IAAK,MAAA,CAAO,QAAQ,WAAA,CAAY,MAAA,IAAU,EAAE,CAAA,EAAG;AACjE,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,MAAA,EAAS,EAAE,IAAI,IAAI,CAAA;AAAA,IACpC;AACA,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,IAAI,CAAA,IAAK,MAAA,CAAO,QAAQ,WAAA,CAAY,UAAA,IAAc,EAAE,CAAA,EAAG;AACrE,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,UAAA,EAAa,EAAE,IAAI,IAAI,CAAA;AAAA,IACxC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,GAAA,CAAI,IAAA,EAA6B,EAAA,EAAY,IAAA,EAAiC;AAC5E,IAAA,IAAA,CAAK,MAAM,GAAA,CAAI,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,EAAE,IAAI,IAAI,CAAA;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,KAAA,CAAM,MAA6B,EAAA,EAAqB;AACtD,IAAA,OAAO,KAAK,KAAA,CAAM,MAAA,CAAO,GAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAA,CAAQ,MAA6B,EAAA,EAA6C;AAChF,IAAA,OAAO,KAAK,KAAA,CAAM,GAAA,CAAI,GAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AAAA,EACvC;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,EAAE,IAAI,UAAA,CAAW,QAAQ,KAAK,GAAA,CAAI,UAAA,CAAW,YAAY,CAAA,CAAA,EAAI,OAAO,MAAA;AACxE,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAC/B,IAAA,OAAO,IAAA,EAAM,EAAA,GAAK,IAAA,CAAK,KAAA,GAAQ,MAAA;AAAA,EACjC;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,SAAS,CAAA,CAAE,OAAO,CAAC,GAAG,CAAC,CAAA,KAAM,EAAE,EAAE,CAAA,CAAE,IAAI,CAAC,CAAC,CAAC,CAAA,KAAM,CAAC,CAAA;AAAA,EACzE;AACF;AAQO,IAAM,sBAAN,MAAiE;AAAA,EACrD,KAAA,uBAAY,GAAA,EAAoB;AAAA,EAEjD,UAAU,OAAA,EAAuC;AAC/C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,IAC3B;AAAA,EACF;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,QAAQ,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAChE,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,IAAA,EAAM,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,MAAA,EAAS,CAAC,CAAA,CAAE,CAAA;AAAA,EACvD;AACF;AAOO,IAAM,kBAAA,GAAN,cAAiC,KAAA,CAAM;AAAA,EACnC,QAAA;AAAA,EACA,OAAA;AAAA,EACA,KAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOT,WAAA,CAAY,QAAA,EAAkB,OAAA,EAAiB,KAAA,EAAe;AAC5D,IAAA,KAAA,CAAM,CAAA,iCAAA,EAAoC,QAAQ,CAAA,CAAE,CAAA;AACpD,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AAAA,EACf;AACF;AA+CO,IAAe,uBAAf,MAA8D;AAAA,EACnE,MAAA,GAAS,IAAA;AAAA,EACU,KAAA,uBAAY,GAAA,EAAoB;AAAA,EAGnD,MAAM,OAAO,UAAA,EAAmC;AAC9C,IAAA,MAAM,IAAA,CAAK,SAAS,UAAU,CAAA;AAC9B,IAAA,IAAA,CAAK,MAAA,GAAS,KAAA;AAAA,EAChB;AAAA,EAIA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,IAAA,CAAK,QAAQ,OAAO,MAAA;AACxB,IAAA,IAAI,CAAC,GAAA,CAAI,UAAA,CAAW,IAAA,CAAK,MAAM,GAAG,OAAO,MAAA;AACzC,IAAA,OAAO,IAAA,CAAK,MAAM,GAAA,CAAI,GAAA,CAAI,MAAM,IAAA,CAAK,MAAA,CAAO,MAAM,CAAC,CAAA;AAAA,EACrD;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,OAAO,EAAC;AACzB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,MAAM,CAAA,CAAE,GAAA,CAAI,CAAC,MAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,EAAG,CAAC,CAAA,CAAE,CAAA;AAAA,EAC/D;AACF;AAIA,IAAM,cAAA,GAAiB,CAAC,MAAA,EAAQ,QAAA,EAAU,OAAO,KAAA,EAAO,QAAA,EAAU,UAAU,YAAY,CAAA;AAExF,SAAS,UAAU,GAAA,EAAiC;AAClD,EAAA,OAAO,eAAe,IAAA,CAAK,CAAC,MAAM,GAAA,CAAI,UAAA,CAAW,CAAC,CAAC,CAAA;AACrD;AASO,IAAM,sBAAN,MAAoD;AAAA;AAAA;AAAA;AAAA;AAAA,EAKzD,YAA6B,SAAA,EAA6B;AAA7B,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAAA,EAA8B;AAAA,EAA9B,SAAA;AAAA,EAE7B,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,MAAM,MAAA,GAAS,UAAU,GAAG,CAAA;AAC5B,IAAA,GAAA,CAAI,MAAM,gBAAA,EAAkB,EAAE,KAAK,MAAA,EAAQ,MAAA,IAAU,UAAU,CAAA;AAC/D,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,QAAA,MAAM,GAAA,GAAM,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA;AACzB,QAAA,IAAI,GAAA,KAAQ,QAAW,OAAO,GAAA;AAAA,MAChC;AACA,MAAA,GAAA,CAAI,IAAA,CAAK,uBAAA,EAAyB,EAAE,GAAA,EAAK,CAAA;AACzC,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,MAAA,MAAM,GAAA,GAAM,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA;AACzB,MAAA,IAAI,GAAA,KAAQ,QAAW,OAAO,GAAA;AAAA,IAChC;AACA,IAAA,GAAA,CAAI,IAAA,CAAK,uBAAA,EAAyB,EAAE,GAAA,EAAK,CAAA;AACzC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,MAAM,GAAA,GAAM,KAAK,SAAA,CAAU,OAAA,CAAQ,CAAC,CAAA,KAAM,CAAA,CAAE,cAAc,CAAA;AAC1D,IAAA,OAAO,CAAC,GAAG,IAAI,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,EACzB;AAAA;AAAA,EAGA,YAAY,GAAA,EAAyC;AACnD,IAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,MAAA,IAAI,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA,KAAM,QAAW,OAAO,CAAA;AAAA,IAC3C;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,WAAW,GAAA,EAA4B;AAC3C,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,WAAA,CAAY,GAAG,CAAA;AAClC,IAAA,IACE,SACA,aAAA,IAAiB,KAAA,IACjB,OAAQ,KAAA,CAA8B,gBAAgB,UAAA,EACtD;AACA,MAAA,IAAI;AACF,QAAA,MAAO,KAAA,CAA8B,YAAY,GAAG,CAAA;AAAA,MACtD,SAAS,GAAA,EAAK;AACZ,QAAA,GAAA,CAAI,KAAA,CAAM,oCAAA,EAAsC,GAAA,EAAK,EAAE,KAAK,CAAA;AAC5D,QAAA,MAAM,GAAA;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;;;AChaO,SAAS,0BAA0B,UAAA,EAA4C;AACpF,EAAA,MAAM,MAAA,GAAS,yBAAyB,UAAU,CAAA;AAGlD,EAAA,IAAI,MAAA,CAAO,MAAA,IAAU,MAAA,CAAO,MAAA,CAAO,SAAS,CAAA,EAAG;AAC7C,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,OAAO,UAAA,IAAc,MAAA,CAAO,WAAW,MAAA,KAAW,CAAA,SAAU,EAAC;AAClE,EAAA,OAAO,MAAA,CAAO,UAAA,CAAW,GAAA,CAAI,+BAA+B,CAAA;AAC9D;AAEA,SAAS,gCAAgC,CAAA,EAA6C;AACpF,EAAA,MAAM,IAAA,GAA6B;AAAA,IACjC,IAAI,CAAA,CAAE,EAAA;AAAA,IACN,QAAQ,CAAA,CAAE,MAAA;AAAA,IACV,MAAA,EAAQ,EAAE,MAAA,IAAU,WAAA;AAAA,IACpB,MAAM,CAAA,CAAE,IAAA;AAAA,IACR,SAAS,CAAA,CAAE;AAAA,GACb;AAGA,EAAA,IAAI,EAAE,KAAA,EAAO;AACX,IAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,MACX,MAAA,EAAQ,EAAE,KAAA,CAAM,MAAA;AAAA,MAChB,MAAA,EAAQ,EAAE,KAAA,CAAM,MAAA;AAAA,MAChB,KAAA,EAAO,EAAE,KAAA,CAAM,KAAA;AAAA,MACf,iBAAA,EAAmB,EAAE,KAAA,CAAM,iBAAA;AAAA,MAC3B,cAAA,EAAgB,EAAE,KAAA,CAAM;AAAA,KAC1B;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;AAcO,SAAS,8BAAA,CACd,aAAA,EACA,cAAA,GAAmC,EAAC,EACf;AACrB,EAAA,OAAO,IAAI,oBAAoB,CAAC,GAAG,gBAAgB,aAAA,EAAe,IAAI,iBAAA,EAAmB,CAAC,CAAA;AAC5F;AASO,SAAS,4BAAA,CACd,YAAA,GAAuC,EAAC,EACnB;AACrB,EAAA,MAAM,GAAA,GAAM,IAAI,sBAAA,EAAuB;AACvC,EAAA,IAAI,MAAA,CAAO,IAAA,CAAK,YAAY,CAAA,CAAE,SAAS,CAAA,EAAG;AACxC,IAAA,GAAA,CAAI,UAAU,YAAY,CAAA;AAAA,EAC5B;AACA,EAAA,OAAO,IAAI,mBAAA,CAAoB,CAAC,IAAI,iBAAA,EAAkB,EAAG,GAAG,CAAC,CAAA;AAC/D;AAWO,SAAS,WAAA,CACd,MACA,OAAA,EACoB;AACpB,EAAA,IAAI,CAAC,MAAM,OAAO,MAAA;AAClB,EAAA,IAAI,OAAA,EAAS,OAAO,OAAA,CAAQ,OAAA,CAAQ,IAAI,CAAA;AACxC,EAAA,IAAI,IAAA,CAAK,UAAA,CAAW,MAAM,CAAA,EAAG;AAC3B,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA;AAC3B,IAAA,OAAO,OAAA,CAAQ,IAAI,MAAM,CAAA;AAAA,EAC3B;AACA,EAAA,OAAO,IAAA;AACT;AA0CO,IAAM,sBAAA,GAAN,cAAqC,KAAA,CAAM;AAAA,EACvC,IAAA;AAAA,EACT,WAAA,CAAY,MAAc,OAAA,EAAkB;AAC1C,IAAA,MAAM,KAAA,GAAQ,OAAA,GAAU,CAAA,WAAA,EAAc,OAAO,CAAA,CAAA,CAAA,GAAM,EAAA;AACnD,IAAA,KAAA;AAAA,MACE,CAAA,mCAAA,EAAsC,KAAK,CAAA,GAAA,EAAM,IAAI,CAAA;AAAA;AAAA;AAAA,4DAAA;AAAA,KAKvD;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,wBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,EACd;AACF;AAmBO,SAAS,qBAAA,CACd,IAAA,EACA,EAAA,EACA,KAAA,EACoB;AACpB,EAAA,IAAI,CAAC,OAAO,OAAO,MAAA;AACnB,EAAA,OAAO,MAAM,OAAA,CAAQ,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AACtC;AAmBO,SAAS,cAAA,CACd,MACA,OAAA,EAC0B;AAC1B,EAAA,IAAI,CAAC,MAAM,OAAO,MAAA;AAElB,EAAA,IAAI,SAAS,SAAA,EAAW;AACtB,IAAA,OAAO,EAAE,IAAA,EAAM,SAAA,EAAW,KAAA,EAAO,EAAA,EAAI,KAAK,IAAA,EAAK;AAAA,EACjD;AACA,EAAA,IAAI,IAAA,CAAK,UAAA,CAAW,MAAM,CAAA,EAAG;AAC3B,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,KAAA,EAAO,IAAA,CAAK,MAAM,MAAA,CAAO,MAAM,CAAA,EAAG,GAAA,EAAK,IAAA,EAAK;AAAA,EACpE;AAIA,EAAA,MAAM,IAAI,sBAAA,CAAuB,IAAA,EAAM,OAAO,CAAA;AAChD","file":"chunk-KJ2LLWRF.js","sourcesContent":["/**\n * Secret provider abstraction.\n *\n * Decouples credential resolution from process.env so secrets can be\n * provisioned over the transport bridge instead of living in the\n * container's environment.\n */\n\nimport { createLogger } from \"@skaile/workspaces/core/logging\";\n\nconst log = createLogger({ kind: \"connector\", subkind: \"secrets\" });\n\n// ── Interfaces ──────────────────────────────────────────────────────────────\n\n/**\n * Read-only secret resolution. Adapters receive this interface.\n * @docLink packages/connectors/api-reference#secret-provider\n */\nexport interface SecretProvider {\n /**\n * Resolve a credential reference.\n *\n * @param ref - Credential reference such as \"env:GIT_TOKEN\",\n * \"oauth:google:user@example.com\", or an inline literal.\n * @returns The resolved secret value or undefined if not found.\n */\n resolve(ref: string): string | undefined;\n /**\n * Check whether a reference can be resolved.\n *\n * @param ref - Reference to check.\n * @returns True if resolve(ref) would return a non-undefined value.\n */\n has(ref: string): boolean;\n /**\n * Return all ref strings this provider can currently resolve.\n *\n * @returns All resolvable refs (used by forge UI and ConnectorFieldMissingError).\n */\n capabilities(): string[];\n}\n\n/**\n * Extends `SecretProvider` with the ability to load secrets at runtime via `provision()`.\n * @docLink packages/connectors/api-reference#provisionable-secret-provider\n */\nexport interface ProvisionableSecretProvider extends SecretProvider {\n /** Store a batch of key-value secrets. Keys are bare names (no prefix). */\n provision(secrets: Record<string, string>): void;\n}\n\n// ── Implementations ─────────────────────────────────────────────────────────\n\n/**\n * In-memory secret store. Secrets are provisioned over the transport bridge\n * and stored in a private Map — never touching the filesystem or process.env.\n *\n * Supports ref prefixes:\n * `\"env:KEY\"` — looks up KEY in the store\n * `\"vault:KEY\"` — looks up KEY in the store (future vault compat)\n * (no prefix) — returned as an inline value (backwards compat for non-chain usages)\n * @docLink packages/connectors/api-reference#in-memory-secret-provider\n */\nexport class InMemorySecretProvider implements ProvisionableSecretProvider {\n private readonly store = new Map<string, string>();\n\n /**\n * Store a batch of key-value secrets.\n *\n * @param secrets - Key-value map of secret names to values. Keys are bare names (no prefix).\n */\n provision(secrets: Record<string, string>): void {\n for (const [key, value] of Object.entries(secrets)) {\n this.store.set(key, value);\n }\n }\n\n resolve(ref: string): string | undefined {\n if (!ref) return undefined;\n if (ref.startsWith(\"env:\")) return this.store.get(ref.slice(4));\n if (ref.startsWith(\"vault:\")) return this.store.get(ref.slice(6));\n // Bare key: check store first, then fall back to inline literal\n const stored = this.store.get(ref);\n if (stored !== undefined) return stored;\n return ref;\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n return [...this.store.keys()].map((k) => `env:${k}`);\n }\n}\n\n/**\n * Delegates to `process.env`. Used in CLI/standalone mode.\n * Does NOT pass through inline literals — returns `undefined` for any ref\n * that does not start with `\"env:\"`. Use `InMemorySecretProvider` for inline\n * literals in non-chain contexts.\n * @docLink packages/connectors/api-reference#env-secret-provider\n */\nexport class EnvSecretProvider implements SecretProvider {\n resolve(ref: string): string | undefined {\n if (!ref) return undefined;\n if (ref.startsWith(\"env:\")) return process.env[ref.slice(4)];\n return undefined; // no inline passthrough\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n return Object.keys(process.env).map((k) => `env:${k}`);\n }\n}\n\n/**\n * Pre-minted credential entry. Mirrors the discriminated `CredentialMint`\n * shape from `@skaile/workspaces/types` but redeclared here to keep this package\n * free of cross-package type dependencies.\n *\n * The failure branch carries the platform-side `code` + `message` so the\n * `ConnectorManager`'s wrapped mediator can surface the real reason instead of\n * a generic \"no pre-mint\" placeholder when a mint comes back as `ok: false`.\n */\nexport type PreMintedCredential =\n | { ok: true; token: string; expiresAt: string | null; mintedAt?: string }\n | {\n ok: false;\n code?: \"not-configured\" | \"revoked\" | \"provider-error\" | \"backend-error\";\n message?: string;\n };\n\n/**\n * Pre-minted credential store. Holds short-lived tokens delivered upfront in\n * the v3 `session_init` envelope so the runner never has to call back to the\n * platform during mount setup.\n *\n * Resolves refs of the form `mount:<id>` and `connector:<id>`. Returns\n * `undefined` for any other ref so the chain falls through to the next\n * provider (`EnvSecretProvider` for `pat:env:NAME`, etc.).\n *\n * Tokens can be added/removed at runtime via {@link set} / {@link unset} so\n * `runner.add_mount` / `runner.add_connector` / `runner.update_credential`\n * capabilities stay strictly in-process — no round trip to the platform to\n * mint while the mount is hot-attached.\n *\n * For callers that need the full mint metadata (expiry timestamp, mintedAt\n * audit fields), use {@link mintFor} instead of the bare `resolve`. The\n * `ConnectorManager` consults this for the `auth: backend` initial-mint path so\n * the driver retains the original expiry semantics.\n *\n * Spec: `_devlog/specs/2026-05-10-deterministic-session-bootstrap.md`.\n *\n * @docLink packages/connectors/api-reference#pre-minted-secret-provider\n */\nexport class PreMintedSecretProvider implements SecretProvider {\n private readonly mints = new Map<string, PreMintedCredential>();\n\n /**\n * Seed pre-minted credentials from the v3 `session_init.credentials` map.\n *\n * Failed mints (`ok: false`) are stored too so callers can distinguish\n * \"not pre-minted\" from \"pre-minted but failed\"; {@link resolve} treats\n * both as `undefined`.\n *\n * @param credentials Optional initial `{ mounts, connectors }` map.\n */\n constructor(credentials?: {\n mounts?: Record<string, PreMintedCredential>;\n connectors?: Record<string, PreMintedCredential>;\n }) {\n if (!credentials) return;\n for (const [id, mint] of Object.entries(credentials.mounts ?? {})) {\n this.mints.set(`mount:${id}`, mint);\n }\n for (const [id, mint] of Object.entries(credentials.connectors ?? {})) {\n this.mints.set(`connector:${id}`, mint);\n }\n }\n\n /**\n * Insert (or replace) a pre-minted credential. Used by\n * `runner.add_mount` / `runner.add_connector` / `runner.update_credential`\n * capability handlers when the platform delivers new credentials\n * mid-session.\n */\n set(kind: \"mount\" | \"connector\", id: string, mint: PreMintedCredential): void {\n this.mints.set(`${kind}:${id}`, mint);\n }\n\n /**\n * Remove a stored pre-minted credential. Used by the\n * `runner.remove_resource` capability handler.\n */\n unset(kind: \"mount\" | \"connector\", id: string): boolean {\n return this.mints.delete(`${kind}:${id}`);\n }\n\n /**\n * Look up the full {@link PreMintedCredential} for a `mount:` /\n * `connector:` keyed entry. Callers that only need the token use\n * {@link resolve} via the chain; callers that need expiry / audit\n * metadata (e.g. ConnectorManager) use this entry point.\n */\n mintFor(kind: \"mount\" | \"connector\", id: string): PreMintedCredential | undefined {\n return this.mints.get(`${kind}:${id}`);\n }\n\n resolve(ref: string): string | undefined {\n if (!ref) return undefined;\n if (!(ref.startsWith(\"mount:\") || ref.startsWith(\"connector:\"))) return undefined;\n const mint = this.mints.get(ref);\n return mint?.ok ? mint.token : undefined;\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n return [...this.mints.entries()].filter(([, m]) => m.ok).map(([k]) => k);\n }\n}\n\n/**\n * Forge session secret provider. Secrets are provisioned from the Forge settings\n * panel over the transport bridge. Only handles `\"forge:\"` prefixed refs — returns\n * `undefined` for all others.\n * @docLink packages/connectors/api-reference#forge-secret-provider\n */\nexport class ForgeSecretProvider implements ProvisionableSecretProvider {\n private readonly store = new Map<string, string>();\n\n provision(secrets: Record<string, string>): void {\n for (const [key, value] of Object.entries(secrets)) {\n this.store.set(key, value);\n }\n }\n\n resolve(ref: string): string | undefined {\n if (!ref) return undefined;\n if (ref.startsWith(\"forge:\")) return this.store.get(ref.slice(6));\n return undefined;\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n return [...this.store.keys()].map((k) => `forge:${k}`);\n }\n}\n\n/**\n * Thrown when an OAuth-secured connector field requires user authorization before\n * it can be resolved. Contains the redirect URL to open in the user's browser.\n * @docLink packages/connectors/api-reference#o-auth-required-error\n */\nexport class OAuthRequiredError extends Error {\n readonly oauthRef: string;\n readonly authUrl: string;\n readonly state: string;\n\n /**\n * @param oauthRef - The 'oauth:<service>:<account>' ref that triggered the error\n * @param authUrl - Browser URL to open for OAuth authorization\n * @param state - OAuth state token for CSRF protection and callback correlation\n */\n constructor(oauthRef: string, authUrl: string, state: string) {\n super(`OAuth authorization required for ${oauthRef}`);\n this.name = \"OAuthRequiredError\";\n this.oauthRef = oauthRef;\n this.authUrl = authUrl;\n this.state = state;\n }\n}\n\n/**\n * Shape of an OAuth token bundle stored by `OAuthSecretProvider`.\n * @docLink packages/connectors/api-reference#o-auth-token-bundle\n */\nexport interface OAuthTokenBundle {\n accessToken: string;\n refreshToken?: string;\n /** Unix timestamp in ms */\n expiry?: number;\n}\n\n/**\n * Return value of `OAuthSecretProvider.initiateFlow()`. Contains the URL and CSRF state token.\n * @docLink packages/connectors/api-reference#o-auth-flow-request\n */\nexport interface OAuthFlowRequest {\n authUrl: string;\n state: string;\n}\n\n/**\n * OAuth token provider. Handles `\"oauth:<service>:<account>\"` refs.\n * Callers must call `chain.prepareRef()` before `chain.resolve()` for `oauth:` refs.\n * @docLink packages/connectors/api-reference#o-auth-secret-provider\n */\nexport interface OAuthSecretProvider extends SecretProvider {\n /**\n * Ensure the token for this ref is fresh.\n * Refreshes if expired.\n * Throws OAuthRequiredError if no token exists and user authorization is needed.\n */\n ensureFresh(ref: string): Promise<void>;\n\n /** Initiate the OAuth authorization flow. Returns URL to open in the user's browser. */\n initiateFlow(oauthService: string, account: string): Promise<OAuthFlowRequest>;\n\n /** Exchange authorization code for tokens and store the bundle. */\n completeFlow(state: string, code: string): Promise<void>;\n}\n\n/**\n * Abstract base for vault-backed secret providers (1Password, KeePass). Subclasses\n * implement `prefix` and `loadKeys()`. Locked until `unlock(credential)` is called.\n * @docLink packages/connectors/api-reference#locked-secret-provider\n */\nexport abstract class LockedSecretProvider implements SecretProvider {\n locked = true;\n protected readonly store = new Map<string, string>();\n abstract readonly prefix: string;\n\n async unlock(credential: string): Promise<void> {\n await this.loadKeys(credential);\n this.locked = false;\n }\n\n protected abstract loadKeys(credential: string): Promise<void>;\n\n resolve(ref: string): string | undefined {\n if (this.locked) return undefined;\n if (!ref.startsWith(this.prefix)) return undefined;\n return this.store.get(ref.slice(this.prefix.length));\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n if (this.locked) return [];\n return [...this.store.keys()].map((k) => `${this.prefix}${k}`);\n }\n}\n\n// ── Known provider prefixes ──────────────────────────────────────────────────\n\nconst KNOWN_PREFIXES = [\"env:\", \"forge:\", \"op:\", \"kp:\", \"oauth:\", \"mount:\", \"connector:\"] as const;\n\nfunction getPrefix(ref: string): string | undefined {\n return KNOWN_PREFIXES.find((p) => ref.startsWith(p));\n}\n\n/**\n * Chains multiple `SecretProvider` instances into a single resolver.\n * - Prefixed refs (`env:`, `forge:`, `op:`, `kp:`, `oauth:`) are routed to the first provider that can resolve them.\n * - Bare refs waterfall through all providers in order.\n * - Plain literals in `skaile.yaml` options are NOT passed to the chain; `ConnectorManager` handles them before calling `resolve()`.\n * @docLink packages/connectors/api-reference#secret-provider-chain\n */\nexport class SecretProviderChain implements SecretProvider {\n /**\n * @param providers - Ordered list of providers. For prefixed refs, the first\n * provider that can resolve wins. For bare refs, waterfall through all in order.\n */\n constructor(private readonly providers: SecretProvider[]) {}\n\n resolve(ref: string): string | undefined {\n if (!ref) return undefined;\n const prefix = getPrefix(ref);\n log.debug(\"resolve secret\", { ref, prefix: prefix ?? \"(bare)\" });\n if (prefix) {\n for (const p of this.providers) {\n const val = p.resolve(ref);\n if (val !== undefined) return val;\n }\n log.warn(\"secret not resolvable\", { ref });\n return undefined;\n }\n // Waterfall for bare refs\n for (const p of this.providers) {\n const val = p.resolve(ref);\n if (val !== undefined) return val;\n }\n log.warn(\"secret not resolvable\", { ref });\n return undefined;\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n const all = this.providers.flatMap((p) => p.capabilities());\n return [...new Set(all)];\n }\n\n /** Returns the first provider that can resolve this ref. */\n providerFor(ref: string): SecretProvider | undefined {\n for (const p of this.providers) {\n if (p.resolve(ref) !== undefined) return p;\n }\n return undefined;\n }\n\n /**\n * Calls ensureFresh(ref) on the owning provider if it implements OAuthSecretProvider.\n * No-op for providers that don't have ensureFresh().\n *\n * @param ref - Must be an \"oauth:\" prefixed ref for this to have any effect.\n * Calls ensureFresh() on the owning OAuthSecretProvider.\n */\n async prepareRef(ref: string): Promise<void> {\n const owner = this.providerFor(ref);\n if (\n owner &&\n \"ensureFresh\" in owner &&\n typeof (owner as OAuthSecretProvider).ensureFresh === \"function\"\n ) {\n try {\n await (owner as OAuthSecretProvider).ensureFresh(ref);\n } catch (err) {\n log.error(\"secret provider ensureFresh failed\", err, { ref });\n throw err;\n }\n }\n }\n}\n","/**\n * Load connector declarations from skaile.yaml.\n *\n * The top-level `mounts:` key is no longer accepted (hard cut as of Task 11).\n * Filesystem-projected backends must be declared under `connectors:` with a\n * `mount:` sub-block. See `docs/migration-mounts-to-connectors.md`.\n */\n\nimport type { ConnectorDeclaration as WorkspaceConnector } from \"@skaile/workspaces/core\";\nimport { resolveSkWorkspaceConfig } from \"@skaile/workspaces/core\";\nimport type { ConnectorDeclaration } from \"./connector-types.js\";\n\n/**\n * Read `skaile.yaml` in `projectDir` and return all declared connectors as `ConnectorDeclaration[]`.\n *\n * Throws a migration error when the legacy top-level `mounts:` key is present.\n *\n * @param projectDir - Root of the workspace (directory containing `skaile.yaml`).\n * @returns Array of connector declarations, or an empty array if none are declared.\n * @docLink packages/connectors/api-reference#load-connector-declarations\n */\nexport function loadConnectorDeclarations(projectDir: string): ConnectorDeclaration[] {\n const config = resolveSkWorkspaceConfig(projectDir);\n\n // Hard cut: reject legacy top-level `mounts:` key with an actionable message.\n if (config.mounts && config.mounts.length > 0) {\n throw new Error(\n \"'mounts:' is no longer supported — move entries under 'connectors:' with a 'mount:' sub-block. See docs/migration-mounts-to-connectors.md\",\n );\n }\n\n if (!config.connectors || config.connectors.length === 0) return [];\n return config.connectors.map(workspaceConnectorToDeclaration);\n}\n\nfunction workspaceConnectorToDeclaration(c: WorkspaceConnector): ConnectorDeclaration {\n const decl: ConnectorDeclaration = {\n id: c.id,\n driver: c.driver,\n access: c.access ?? \"read-only\",\n auth: c.auth,\n options: c.options,\n };\n\n // Map the optional mount sub-block when present.\n if (c.mount) {\n decl.mount = {\n source: c.mount.source,\n target: c.mount.target,\n watch: c.mount.watch,\n exposeAccessToken: c.mount.exposeAccessToken,\n accessTokenTTL: c.mount.accessTokenTTL,\n };\n }\n\n return decl;\n}\n\nimport type { ForgeSecretProvider, SecretProvider } from \"./secrets.js\";\nimport { EnvSecretProvider, InMemorySecretProvider, SecretProviderChain } from \"./secrets.js\";\n\n/**\n * Build a `SecretProviderChain` for Forge session context.\n * `OAuthSecretProvider` is not wired here — it must be provided externally\n * (the Forge session manager constructs it and passes it in).\n * @param forgeProvider - The Forge-provisioned secret store.\n * @param extraProviders - Additional providers prepended to the chain (e.g. an OAuth provider).\n * @returns A chain that routes `forge:` refs to the Forge store and `env:` refs to process.env.\n * @docLink packages/connectors/api-reference#create-forge-secret-provider-chain\n */\nexport function createForgeSecretProviderChain(\n forgeProvider: ForgeSecretProvider,\n extraProviders: SecretProvider[] = [],\n): SecretProviderChain {\n return new SecretProviderChain([...extraProviders, forgeProvider, new EnvSecretProvider()]);\n}\n\n/**\n * Build a `SecretProviderChain` for CLI/standalone context.\n * `EnvSecretProvider` takes priority; `extraSecrets` are loaded into an `InMemorySecretProvider`.\n * @param extraSecrets - Inline secrets injected into memory (e.g. tokens passed via CLI flags).\n * @returns A chain that resolves `env:` refs from process.env plus any inline extras.\n * @docLink packages/connectors/api-reference#create-cli-secret-provider-chain\n */\nexport function createCliSecretProviderChain(\n extraSecrets: Record<string, string> = {},\n): SecretProviderChain {\n const mem = new InMemorySecretProvider();\n if (Object.keys(extraSecrets).length > 0) {\n mem.provision(extraSecrets);\n }\n return new SecretProviderChain([new EnvSecretProvider(), mem]);\n}\n\n/**\n * Resolve a credential reference using a `SecretProvider`, or fall back to `env:NAME` lookup.\n * @param auth - Credential reference (e.g. `\"env:GIT_TOKEN\"`).\n * @param secrets - Optional provider; falls back to `process.env` if omitted.\n * @returns Resolved secret value or `undefined`.\n * @deprecated Use `SecretProviderChain.resolve()` instead.\n * @docLink packages/connectors/api-reference#resolve-auth\n */\n// @TODO: Code-Review: deprecated shim kept for backward compat — remove once all callers migrate to SecretProviderChain.resolve()\nexport function resolveAuth(\n auth: string | undefined,\n secrets?: import(\"./secrets.js\").SecretProvider,\n): string | undefined {\n if (!auth) return undefined;\n if (secrets) return secrets.resolve(auth);\n if (auth.startsWith(\"env:\")) {\n const envVar = auth.slice(4);\n return process.env[envVar];\n }\n return auth;\n}\n\n// ── Auth grammar (mount-side, Tier 2 credential tiers) ───────────────────────\n\n/**\n * Provider kind for a mount auth ref.\n *\n * Two values are accepted:\n * - `pat` — static personal access token resolved via the secrets chain\n * (standalone CLI / non-platform contexts).\n * - `backend` — token minted by the platform's credential mediator over the\n * transport (`request_access_token` round-trip). Provider\n * dispatch (OAuth, GitHub App, ...) lives backend-side; the\n * runner stays provider-agnostic.\n *\n * @docLink packages/connectors/api-reference#mount-auth-kind\n */\nexport type MountAuthKind = \"pat\" | \"backend\";\n\n/**\n * Parsed mount `auth:` field.\n *\n * - `pat` → `value` is the inner secret ref (e.g. `env:NAME`).\n * - `backend` → `value` is empty (sentinel only); the runner asks the\n * backend for tokens via `request_access_token`.\n *\n * @docLink packages/connectors/api-reference#mount-auth-ref\n */\nexport interface MountAuthRef {\n kind: MountAuthKind;\n /** Prefix-stripped payload — see kind for shape. Empty for `backend`. */\n value: string;\n /** Original auth string from the declaration, kept for diagnostics. */\n raw: string;\n}\n\n/**\n * Thrown when a mount declaration's `auth:` field uses the legacy bare `env:NAME` grammar\n * or any other unrecognized form. Migrate to `pat:env:NAME` (standalone) or `backend`\n * (platform-mediated).\n * @docLink packages/connectors/api-reference#legacy-auth-grammar-error\n */\nexport class LegacyAuthGrammarError extends Error {\n readonly auth: string;\n constructor(auth: string, mountId?: string) {\n const where = mountId ? ` on mount '${mountId}'` : \"\";\n super(\n `Legacy or unrecognized auth grammar${where} ('${auth}'). ` +\n `Replace with one of:\\n` +\n ` - backend (platform-mediated, recommended)\\n` +\n ` - pat:env:NAME (standalone CLI / static token)\\n` +\n `See _devlog/specs/2026-05-06-tier-2-credential-mediation.md.`,\n );\n this.name = \"LegacyAuthGrammarError\";\n this.auth = auth;\n }\n}\n\n/**\n * Resolve the `auth: backend` initial mint for a given mount or connector id\n * by querying the secrets chain with a `${kind}:${id}` ref. Returns the\n * resolved bearer token or `undefined` if no pre-minted credential is\n * available.\n *\n * Used by the runner when wiring `ConnectorManager` to\n * answer initial-mint requests from `PreMintedSecretProvider` without\n * round-tripping to the platform. Drivers continue to receive a\n * `tokenMediator` for refresh + retry-401 paths.\n *\n * @param kind Resource family (`mount` or `connector`).\n * @param id Resource declaration id.\n * @param chain Secrets chain. Pass `undefined` to return `undefined`.\n * @returns The pre-minted token, or `undefined` if not stored on the chain.\n * @docLink packages/connectors/api-reference#resolve-backend-auth-for\n */\nexport function resolveBackendAuthFor(\n kind: \"mount\" | \"connector\",\n id: string,\n chain: import(\"./secrets.js\").SecretProvider | undefined,\n): string | undefined {\n if (!chain) return undefined;\n return chain.resolve(`${kind}:${id}`);\n}\n\n/**\n * Parse a mount-side auth ref into a typed `MountAuthRef`.\n *\n * Accepted forms:\n * - `backend` — platform-mediated mint via `request_access_token`.\n * - `pat:env:NAME` — static PAT resolved from the secrets chain.\n *\n * Rejects bare `env:NAME` (legacy) and provider-prefixed grammars (`oauth:`,\n * `github-app:`) — those moved backend-side as part of Tier-2 mediation.\n * Returns `undefined` when `auth` is absent or empty.\n *\n * @param auth - Raw `auth:` value from the mount declaration.\n * @param mountId - Optional mount id included in error messages.\n * @returns Parsed `MountAuthRef` or `undefined`.\n * @throws {LegacyAuthGrammarError} for any unrecognized grammar.\n * @docLink packages/connectors/api-reference#resolve-auth-ref\n */\nexport function resolveAuthRef(\n auth: string | undefined,\n mountId?: string,\n): MountAuthRef | undefined {\n if (!auth) return undefined;\n\n if (auth === \"backend\") {\n return { kind: \"backend\", value: \"\", raw: auth };\n }\n if (auth.startsWith(\"pat:\")) {\n return { kind: \"pat\", value: auth.slice(\"pat:\".length), raw: auth };\n }\n\n // Legacy bare `env:NAME` and the deprecated provider-prefixed grammars\n // (`oauth:`, `github-app:`) all land here.\n throw new LegacyAuthGrammarError(auth, mountId);\n}\n"]}
1
+ {"version":3,"sources":["../connectors/src/secrets.ts","../connectors/src/config.ts"],"names":[],"mappings":";;;;AAUA,IAAM,MAAM,YAAA,CAAa,EAAE,MAAM,WAAA,EAAa,OAAA,EAAS,WAAW,CAAA;AAqD3D,IAAM,yBAAN,MAAoE;AAAA,EACxD,KAAA,uBAAY,GAAA,EAAoB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOjD,UAAU,OAAA,EAAuC;AAC/C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,IAC3B;AAAA,EACF;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAC9D,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,QAAQ,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAEhE,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AACjC,IAAA,IAAI,MAAA,KAAW,QAAW,OAAO,MAAA;AACjC,IAAA,OAAO,GAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,IAAA,EAAM,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,IAAA,EAAO,CAAC,CAAA,CAAE,CAAA;AAAA,EACrD;AACF;AASO,IAAM,oBAAN,MAAkD;AAAA,EACvD,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG,OAAO,QAAQ,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAC3D,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,CAAE,IAAI,CAAC,CAAA,KAAM,CAAA,IAAA,EAAO,CAAC,CAAA,CAAE,CAAA;AAAA,EACvD;AACF;AA0CO,IAAM,0BAAN,MAAwD;AAAA,EAC5C,KAAA,uBAAY,GAAA,EAAiC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAW9D,YAAY,WAAA,EAGT;AACD,IAAA,IAAI,CAAC,WAAA,EAAa;AAClB,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,IAAI,CAAA,IAAK,MAAA,CAAO,QAAQ,WAAA,CAAY,MAAA,IAAU,EAAE,CAAA,EAAG;AACjE,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,MAAA,EAAS,EAAE,IAAI,IAAI,CAAA;AAAA,IACpC;AACA,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,IAAI,CAAA,IAAK,MAAA,CAAO,QAAQ,WAAA,CAAY,UAAA,IAAc,EAAE,CAAA,EAAG;AACrE,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,UAAA,EAAa,EAAE,IAAI,IAAI,CAAA;AAAA,IACxC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,GAAA,CAAI,IAAA,EAA6B,EAAA,EAAY,IAAA,EAAiC;AAC5E,IAAA,IAAA,CAAK,MAAM,GAAA,CAAI,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,EAAE,IAAI,IAAI,CAAA;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,KAAA,CAAM,MAA6B,EAAA,EAAqB;AACtD,IAAA,OAAO,KAAK,KAAA,CAAM,MAAA,CAAO,GAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAA,CAAQ,MAA6B,EAAA,EAA6C;AAChF,IAAA,OAAO,KAAK,KAAA,CAAM,GAAA,CAAI,GAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AAAA,EACvC;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,EAAE,IAAI,UAAA,CAAW,QAAQ,KAAK,GAAA,CAAI,UAAA,CAAW,YAAY,CAAA,CAAA,EAAI,OAAO,MAAA;AACxE,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAC/B,IAAA,OAAO,IAAA,EAAM,EAAA,GAAK,IAAA,CAAK,KAAA,GAAQ,MAAA;AAAA,EACjC;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,SAAS,CAAA,CAAE,OAAO,CAAC,GAAG,CAAC,CAAA,KAAM,EAAE,EAAE,CAAA,CAAE,IAAI,CAAC,CAAC,CAAC,CAAA,KAAM,CAAC,CAAA;AAAA,EACzE;AACF;AAQO,IAAM,sBAAN,MAAiE;AAAA,EACrD,KAAA,uBAAY,GAAA,EAAoB;AAAA,EAEjD,UAAU,OAAA,EAAuC;AAC/C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,IAC3B;AAAA,EACF;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,QAAQ,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAChE,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,IAAA,EAAM,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,MAAA,EAAS,CAAC,CAAA,CAAE,CAAA;AAAA,EACvD;AACF;AAOO,IAAM,kBAAA,GAAN,cAAiC,KAAA,CAAM;AAAA,EACnC,QAAA;AAAA,EACA,OAAA;AAAA,EACA,KAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOT,WAAA,CAAY,QAAA,EAAkB,OAAA,EAAiB,KAAA,EAAe;AAC5D,IAAA,KAAA,CAAM,CAAA,iCAAA,EAAoC,QAAQ,CAAA,CAAE,CAAA;AACpD,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AAAA,EACf;AACF;AA+CO,IAAe,uBAAf,MAA8D;AAAA,EACnE,MAAA,GAAS,IAAA;AAAA,EACU,KAAA,uBAAY,GAAA,EAAoB;AAAA,EAGnD,MAAM,OAAO,UAAA,EAAmC;AAC9C,IAAA,MAAM,IAAA,CAAK,SAAS,UAAU,CAAA;AAC9B,IAAA,IAAA,CAAK,MAAA,GAAS,KAAA;AAAA,EAChB;AAAA,EAIA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,IAAA,CAAK,QAAQ,OAAO,MAAA;AACxB,IAAA,IAAI,CAAC,GAAA,CAAI,UAAA,CAAW,IAAA,CAAK,MAAM,GAAG,OAAO,MAAA;AACzC,IAAA,OAAO,IAAA,CAAK,MAAM,GAAA,CAAI,GAAA,CAAI,MAAM,IAAA,CAAK,MAAA,CAAO,MAAM,CAAC,CAAA;AAAA,EACrD;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,OAAO,EAAC;AACzB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,MAAM,CAAA,CAAE,GAAA,CAAI,CAAC,MAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,EAAG,CAAC,CAAA,CAAE,CAAA;AAAA,EAC/D;AACF;AAIA,IAAM,cAAA,GAAiB,CAAC,MAAA,EAAQ,QAAA,EAAU,OAAO,KAAA,EAAO,QAAA,EAAU,UAAU,YAAY,CAAA;AAExF,SAAS,UAAU,GAAA,EAAiC;AAClD,EAAA,OAAO,eAAe,IAAA,CAAK,CAAC,MAAM,GAAA,CAAI,UAAA,CAAW,CAAC,CAAC,CAAA;AACrD;AASO,IAAM,sBAAN,MAAoD;AAAA;AAAA;AAAA;AAAA;AAAA,EAKzD,YAA6B,SAAA,EAA6B;AAA7B,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAAA,EAA8B;AAAA,EAA9B,SAAA;AAAA,EAE7B,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,MAAM,MAAA,GAAS,UAAU,GAAG,CAAA;AAC5B,IAAA,GAAA,CAAI,MAAM,gBAAA,EAAkB,EAAE,KAAK,MAAA,EAAQ,MAAA,IAAU,UAAU,CAAA;AAC/D,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,QAAA,MAAM,GAAA,GAAM,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA;AACzB,QAAA,IAAI,GAAA,KAAQ,QAAW,OAAO,GAAA;AAAA,MAChC;AACA,MAAA,GAAA,CAAI,IAAA,CAAK,uBAAA,EAAyB,EAAE,GAAA,EAAK,CAAA;AACzC,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,MAAA,MAAM,GAAA,GAAM,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA;AACzB,MAAA,IAAI,GAAA,KAAQ,QAAW,OAAO,GAAA;AAAA,IAChC;AACA,IAAA,GAAA,CAAI,IAAA,CAAK,uBAAA,EAAyB,EAAE,GAAA,EAAK,CAAA;AACzC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,MAAM,GAAA,GAAM,KAAK,SAAA,CAAU,OAAA,CAAQ,CAAC,CAAA,KAAM,CAAA,CAAE,cAAc,CAAA;AAC1D,IAAA,OAAO,CAAC,GAAG,IAAI,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,EACzB;AAAA;AAAA,EAGA,YAAY,GAAA,EAAyC;AACnD,IAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,MAAA,IAAI,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA,KAAM,QAAW,OAAO,CAAA;AAAA,IAC3C;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,WAAW,GAAA,EAA4B;AAC3C,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,WAAA,CAAY,GAAG,CAAA;AAClC,IAAA,IACE,SACA,aAAA,IAAiB,KAAA,IACjB,OAAQ,KAAA,CAA8B,gBAAgB,UAAA,EACtD;AACA,MAAA,IAAI;AACF,QAAA,MAAO,KAAA,CAA8B,YAAY,GAAG,CAAA;AAAA,MACtD,SAAS,GAAA,EAAK;AACZ,QAAA,GAAA,CAAI,KAAA,CAAM,oCAAA,EAAsC,GAAA,EAAK,EAAE,KAAK,CAAA;AAC5D,QAAA,MAAM,GAAA;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;;;AChaO,SAAS,0BAA0B,UAAA,EAA4C;AACpF,EAAA,MAAM,MAAA,GAAS,yBAAyB,UAAU,CAAA;AAGlD,EAAA,IAAI,MAAA,CAAO,MAAA,IAAU,MAAA,CAAO,MAAA,CAAO,SAAS,CAAA,EAAG;AAC7C,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,OAAO,UAAA,IAAc,MAAA,CAAO,WAAW,MAAA,KAAW,CAAA,SAAU,EAAC;AAClE,EAAA,OAAO,MAAA,CAAO,UAAA,CAAW,GAAA,CAAI,+BAA+B,CAAA;AAC9D;AAEA,SAAS,gCAAgC,CAAA,EAA6C;AACpF,EAAA,MAAM,IAAA,GAA6B;AAAA,IACjC,IAAI,CAAA,CAAE,EAAA;AAAA,IACN,QAAQ,CAAA,CAAE,MAAA;AAAA,IACV,MAAA,EAAQ,EAAE,MAAA,IAAU,WAAA;AAAA,IACpB,MAAM,CAAA,CAAE,IAAA;AAAA,IACR,SAAS,CAAA,CAAE;AAAA,GACb;AAGA,EAAA,IAAI,EAAE,KAAA,EAAO;AACX,IAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,MACX,MAAA,EAAQ,EAAE,KAAA,CAAM,MAAA;AAAA,MAChB,MAAA,EAAQ,EAAE,KAAA,CAAM,MAAA;AAAA,MAChB,KAAA,EAAO,EAAE,KAAA,CAAM,KAAA;AAAA,MACf,iBAAA,EAAmB,EAAE,KAAA,CAAM,iBAAA;AAAA,MAC3B,cAAA,EAAgB,EAAE,KAAA,CAAM;AAAA,KAC1B;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;AAcO,SAAS,8BAAA,CACd,aAAA,EACA,cAAA,GAAmC,EAAC,EACf;AACrB,EAAA,OAAO,IAAI,oBAAoB,CAAC,GAAG,gBAAgB,aAAA,EAAe,IAAI,iBAAA,EAAmB,CAAC,CAAA;AAC5F;AASO,SAAS,4BAAA,CACd,YAAA,GAAuC,EAAC,EACnB;AACrB,EAAA,MAAM,GAAA,GAAM,IAAI,sBAAA,EAAuB;AACvC,EAAA,IAAI,MAAA,CAAO,IAAA,CAAK,YAAY,CAAA,CAAE,SAAS,CAAA,EAAG;AACxC,IAAA,GAAA,CAAI,UAAU,YAAY,CAAA;AAAA,EAC5B;AACA,EAAA,OAAO,IAAI,mBAAA,CAAoB,CAAC,IAAI,iBAAA,EAAkB,EAAG,GAAG,CAAC,CAAA;AAC/D;AAWO,SAAS,WAAA,CACd,MACA,OAAA,EACoB;AACpB,EAAA,IAAI,CAAC,MAAM,OAAO,MAAA;AAClB,EAAA,IAAI,OAAA,EAAS,OAAO,OAAA,CAAQ,OAAA,CAAQ,IAAI,CAAA;AACxC,EAAA,IAAI,IAAA,CAAK,UAAA,CAAW,MAAM,CAAA,EAAG;AAC3B,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA;AAC3B,IAAA,OAAO,OAAA,CAAQ,IAAI,MAAM,CAAA;AAAA,EAC3B;AACA,EAAA,OAAO,IAAA;AACT;AA0CO,IAAM,sBAAA,GAAN,cAAqC,KAAA,CAAM;AAAA,EACvC,IAAA;AAAA,EACT,WAAA,CAAY,MAAc,OAAA,EAAkB;AAC1C,IAAA,MAAM,KAAA,GAAQ,OAAA,GAAU,CAAA,WAAA,EAAc,OAAO,CAAA,CAAA,CAAA,GAAM,EAAA;AACnD,IAAA,KAAA;AAAA,MACE,CAAA,mCAAA,EAAsC,KAAK,CAAA,GAAA,EAAM,IAAI,CAAA;AAAA;AAAA;AAAA,4DAAA;AAAA,KAKvD;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,wBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,EACd;AACF;AAmBO,SAAS,qBAAA,CACd,IAAA,EACA,EAAA,EACA,KAAA,EACoB;AACpB,EAAA,IAAI,CAAC,OAAO,OAAO,MAAA;AACnB,EAAA,OAAO,MAAM,OAAA,CAAQ,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AACtC;AAmBO,SAAS,cAAA,CACd,MACA,OAAA,EAC0B;AAC1B,EAAA,IAAI,CAAC,MAAM,OAAO,MAAA;AAElB,EAAA,IAAI,SAAS,SAAA,EAAW;AACtB,IAAA,OAAO,EAAE,IAAA,EAAM,SAAA,EAAW,KAAA,EAAO,EAAA,EAAI,KAAK,IAAA,EAAK;AAAA,EACjD;AACA,EAAA,IAAI,IAAA,CAAK,UAAA,CAAW,MAAM,CAAA,EAAG;AAC3B,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,KAAA,EAAO,IAAA,CAAK,MAAM,MAAA,CAAO,MAAM,CAAA,EAAG,GAAA,EAAK,IAAA,EAAK;AAAA,EACpE;AAIA,EAAA,MAAM,IAAI,sBAAA,CAAuB,IAAA,EAAM,OAAO,CAAA;AAChD","file":"chunk-VMUQAISH.js","sourcesContent":["/**\n * Secret provider abstraction.\n *\n * Decouples credential resolution from process.env so secrets can be\n * provisioned over the transport bridge instead of living in the\n * container's environment.\n */\n\nimport { createLogger } from \"@skaile/workspaces/core/logging\";\n\nconst log = createLogger({ kind: \"connector\", subkind: \"secrets\" });\n\n// ── Interfaces ──────────────────────────────────────────────────────────────\n\n/**\n * Read-only secret resolution. Adapters receive this interface.\n * @docLink packages/connectors/api-reference#secret-provider\n */\nexport interface SecretProvider {\n /**\n * Resolve a credential reference.\n *\n * @param ref - Credential reference such as \"env:GIT_TOKEN\",\n * \"oauth:google:user@example.com\", or an inline literal.\n * @returns The resolved secret value or undefined if not found.\n */\n resolve(ref: string): string | undefined;\n /**\n * Check whether a reference can be resolved.\n *\n * @param ref - Reference to check.\n * @returns True if resolve(ref) would return a non-undefined value.\n */\n has(ref: string): boolean;\n /**\n * Return all ref strings this provider can currently resolve.\n *\n * @returns All resolvable refs (used by forge UI and ConnectorFieldMissingError).\n */\n capabilities(): string[];\n}\n\n/**\n * Extends `SecretProvider` with the ability to load secrets at runtime via `provision()`.\n * @docLink packages/connectors/api-reference#provisionable-secret-provider\n */\nexport interface ProvisionableSecretProvider extends SecretProvider {\n /** Store a batch of key-value secrets. Keys are bare names (no prefix). */\n provision(secrets: Record<string, string>): void;\n}\n\n// ── Implementations ─────────────────────────────────────────────────────────\n\n/**\n * In-memory secret store. Secrets are provisioned over the transport bridge\n * and stored in a private Map — never touching the filesystem or process.env.\n *\n * Supports ref prefixes:\n * `\"env:KEY\"` — looks up KEY in the store\n * `\"vault:KEY\"` — looks up KEY in the store (future vault compat)\n * (no prefix) — returned as an inline value (backwards compat for non-chain usages)\n * @docLink packages/connectors/api-reference#in-memory-secret-provider\n */\nexport class InMemorySecretProvider implements ProvisionableSecretProvider {\n private readonly store = new Map<string, string>();\n\n /**\n * Store a batch of key-value secrets.\n *\n * @param secrets - Key-value map of secret names to values. Keys are bare names (no prefix).\n */\n provision(secrets: Record<string, string>): void {\n for (const [key, value] of Object.entries(secrets)) {\n this.store.set(key, value);\n }\n }\n\n resolve(ref: string): string | undefined {\n if (!ref) return undefined;\n if (ref.startsWith(\"env:\")) return this.store.get(ref.slice(4));\n if (ref.startsWith(\"vault:\")) return this.store.get(ref.slice(6));\n // Bare key: check store first, then fall back to inline literal\n const stored = this.store.get(ref);\n if (stored !== undefined) return stored;\n return ref;\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n return [...this.store.keys()].map((k) => `env:${k}`);\n }\n}\n\n/**\n * Delegates to `process.env`. Used in CLI/standalone mode.\n * Does NOT pass through inline literals — returns `undefined` for any ref\n * that does not start with `\"env:\"`. Use `InMemorySecretProvider` for inline\n * literals in non-chain contexts.\n * @docLink packages/connectors/api-reference#env-secret-provider\n */\nexport class EnvSecretProvider implements SecretProvider {\n resolve(ref: string): string | undefined {\n if (!ref) return undefined;\n if (ref.startsWith(\"env:\")) return process.env[ref.slice(4)];\n return undefined; // no inline passthrough\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n return Object.keys(process.env).map((k) => `env:${k}`);\n }\n}\n\n/**\n * Pre-minted credential entry. Mirrors the discriminated `CredentialMint`\n * shape from `@skaile/workspaces/types` but redeclared here to keep this package\n * free of cross-package type dependencies.\n *\n * The failure branch carries the platform-side `code` + `message` so the\n * `ConnectorManager`'s wrapped mediator can surface the real reason instead of\n * a generic \"no pre-mint\" placeholder when a mint comes back as `ok: false`.\n */\nexport type PreMintedCredential =\n | { ok: true; token: string; expiresAt: string | null; mintedAt?: string }\n | {\n ok: false;\n code?: \"not-configured\" | \"revoked\" | \"provider-error\" | \"backend-error\";\n message?: string;\n };\n\n/**\n * Pre-minted credential store. Holds short-lived tokens delivered upfront in\n * the v3 `session_init` envelope so the runner never has to call back to the\n * platform during mount setup.\n *\n * Resolves refs of the form `mount:<id>` and `connector:<id>`. Returns\n * `undefined` for any other ref so the chain falls through to the next\n * provider (`EnvSecretProvider` for `pat:env:NAME`, etc.).\n *\n * Tokens can be added/removed at runtime via {@link set} / {@link unset} so\n * `runner.add_mount` / `runner.add_connector` / `runner.update_credential`\n * capabilities stay strictly in-process — no round trip to the platform to\n * mint while the mount is hot-attached.\n *\n * For callers that need the full mint metadata (expiry timestamp, mintedAt\n * audit fields), use {@link mintFor} instead of the bare `resolve`. The\n * `ConnectorManager` consults this for the `auth: backend` initial-mint path so\n * the driver retains the original expiry semantics.\n *\n * Spec: `_devlog/specs/2026-05-10-deterministic-session-bootstrap.md`.\n *\n * @docLink packages/connectors/api-reference#pre-minted-secret-provider\n */\nexport class PreMintedSecretProvider implements SecretProvider {\n private readonly mints = new Map<string, PreMintedCredential>();\n\n /**\n * Seed pre-minted credentials from the v3 `session_init.credentials` map.\n *\n * Failed mints (`ok: false`) are stored too so callers can distinguish\n * \"not pre-minted\" from \"pre-minted but failed\"; {@link resolve} treats\n * both as `undefined`.\n *\n * @param credentials Optional initial `{ mounts, connectors }` map.\n */\n constructor(credentials?: {\n mounts?: Record<string, PreMintedCredential>;\n connectors?: Record<string, PreMintedCredential>;\n }) {\n if (!credentials) return;\n for (const [id, mint] of Object.entries(credentials.mounts ?? {})) {\n this.mints.set(`mount:${id}`, mint);\n }\n for (const [id, mint] of Object.entries(credentials.connectors ?? {})) {\n this.mints.set(`connector:${id}`, mint);\n }\n }\n\n /**\n * Insert (or replace) a pre-minted credential. Used by\n * `runner.add_mount` / `runner.add_connector` / `runner.update_credential`\n * capability handlers when the platform delivers new credentials\n * mid-session.\n */\n set(kind: \"mount\" | \"connector\", id: string, mint: PreMintedCredential): void {\n this.mints.set(`${kind}:${id}`, mint);\n }\n\n /**\n * Remove a stored pre-minted credential. Used by the\n * `runner.remove_resource` capability handler.\n */\n unset(kind: \"mount\" | \"connector\", id: string): boolean {\n return this.mints.delete(`${kind}:${id}`);\n }\n\n /**\n * Look up the full {@link PreMintedCredential} for a `mount:` /\n * `connector:` keyed entry. Callers that only need the token use\n * {@link resolve} via the chain; callers that need expiry / audit\n * metadata (e.g. ConnectorManager) use this entry point.\n */\n mintFor(kind: \"mount\" | \"connector\", id: string): PreMintedCredential | undefined {\n return this.mints.get(`${kind}:${id}`);\n }\n\n resolve(ref: string): string | undefined {\n if (!ref) return undefined;\n if (!(ref.startsWith(\"mount:\") || ref.startsWith(\"connector:\"))) return undefined;\n const mint = this.mints.get(ref);\n return mint?.ok ? mint.token : undefined;\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n return [...this.mints.entries()].filter(([, m]) => m.ok).map(([k]) => k);\n }\n}\n\n/**\n * Forge session secret provider. Secrets are provisioned from the Forge settings\n * panel over the transport bridge. Only handles `\"forge:\"` prefixed refs — returns\n * `undefined` for all others.\n * @docLink packages/connectors/api-reference#forge-secret-provider\n */\nexport class ForgeSecretProvider implements ProvisionableSecretProvider {\n private readonly store = new Map<string, string>();\n\n provision(secrets: Record<string, string>): void {\n for (const [key, value] of Object.entries(secrets)) {\n this.store.set(key, value);\n }\n }\n\n resolve(ref: string): string | undefined {\n if (!ref) return undefined;\n if (ref.startsWith(\"forge:\")) return this.store.get(ref.slice(6));\n return undefined;\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n return [...this.store.keys()].map((k) => `forge:${k}`);\n }\n}\n\n/**\n * Thrown when an OAuth-secured connector field requires user authorization before\n * it can be resolved. Contains the redirect URL to open in the user's browser.\n * @docLink packages/connectors/api-reference#o-auth-required-error\n */\nexport class OAuthRequiredError extends Error {\n readonly oauthRef: string;\n readonly authUrl: string;\n readonly state: string;\n\n /**\n * @param oauthRef - The 'oauth:<service>:<account>' ref that triggered the error\n * @param authUrl - Browser URL to open for OAuth authorization\n * @param state - OAuth state token for CSRF protection and callback correlation\n */\n constructor(oauthRef: string, authUrl: string, state: string) {\n super(`OAuth authorization required for ${oauthRef}`);\n this.name = \"OAuthRequiredError\";\n this.oauthRef = oauthRef;\n this.authUrl = authUrl;\n this.state = state;\n }\n}\n\n/**\n * Shape of an OAuth token bundle stored by `OAuthSecretProvider`.\n * @docLink packages/connectors/api-reference#o-auth-token-bundle\n */\nexport interface OAuthTokenBundle {\n accessToken: string;\n refreshToken?: string;\n /** Unix timestamp in ms */\n expiry?: number;\n}\n\n/**\n * Return value of `OAuthSecretProvider.initiateFlow()`. Contains the URL and CSRF state token.\n * @docLink packages/connectors/api-reference#o-auth-flow-request\n */\nexport interface OAuthFlowRequest {\n authUrl: string;\n state: string;\n}\n\n/**\n * OAuth token provider. Handles `\"oauth:<service>:<account>\"` refs.\n * Callers must call `chain.prepareRef()` before `chain.resolve()` for `oauth:` refs.\n * @docLink packages/connectors/api-reference#o-auth-secret-provider\n */\nexport interface OAuthSecretProvider extends SecretProvider {\n /**\n * Ensure the token for this ref is fresh.\n * Refreshes if expired.\n * Throws OAuthRequiredError if no token exists and user authorization is needed.\n */\n ensureFresh(ref: string): Promise<void>;\n\n /** Initiate the OAuth authorization flow. Returns URL to open in the user's browser. */\n initiateFlow(oauthService: string, account: string): Promise<OAuthFlowRequest>;\n\n /** Exchange authorization code for tokens and store the bundle. */\n completeFlow(state: string, code: string): Promise<void>;\n}\n\n/**\n * Abstract base for vault-backed secret providers (1Password, KeePass). Subclasses\n * implement `prefix` and `loadKeys()`. Locked until `unlock(credential)` is called.\n * @docLink packages/connectors/api-reference#locked-secret-provider\n */\nexport abstract class LockedSecretProvider implements SecretProvider {\n locked = true;\n protected readonly store = new Map<string, string>();\n abstract readonly prefix: string;\n\n async unlock(credential: string): Promise<void> {\n await this.loadKeys(credential);\n this.locked = false;\n }\n\n protected abstract loadKeys(credential: string): Promise<void>;\n\n resolve(ref: string): string | undefined {\n if (this.locked) return undefined;\n if (!ref.startsWith(this.prefix)) return undefined;\n return this.store.get(ref.slice(this.prefix.length));\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n if (this.locked) return [];\n return [...this.store.keys()].map((k) => `${this.prefix}${k}`);\n }\n}\n\n// ── Known provider prefixes ──────────────────────────────────────────────────\n\nconst KNOWN_PREFIXES = [\"env:\", \"forge:\", \"op:\", \"kp:\", \"oauth:\", \"mount:\", \"connector:\"] as const;\n\nfunction getPrefix(ref: string): string | undefined {\n return KNOWN_PREFIXES.find((p) => ref.startsWith(p));\n}\n\n/**\n * Chains multiple `SecretProvider` instances into a single resolver.\n * - Prefixed refs (`env:`, `forge:`, `op:`, `kp:`, `oauth:`) are routed to the first provider that can resolve them.\n * - Bare refs waterfall through all providers in order.\n * - Plain literals in `skaile.yaml` options are NOT passed to the chain; `ConnectorManager` handles them before calling `resolve()`.\n * @docLink packages/connectors/api-reference#secret-provider-chain\n */\nexport class SecretProviderChain implements SecretProvider {\n /**\n * @param providers - Ordered list of providers. For prefixed refs, the first\n * provider that can resolve wins. For bare refs, waterfall through all in order.\n */\n constructor(private readonly providers: SecretProvider[]) {}\n\n resolve(ref: string): string | undefined {\n if (!ref) return undefined;\n const prefix = getPrefix(ref);\n log.debug(\"resolve secret\", { ref, prefix: prefix ?? \"(bare)\" });\n if (prefix) {\n for (const p of this.providers) {\n const val = p.resolve(ref);\n if (val !== undefined) return val;\n }\n log.warn(\"secret not resolvable\", { ref });\n return undefined;\n }\n // Waterfall for bare refs\n for (const p of this.providers) {\n const val = p.resolve(ref);\n if (val !== undefined) return val;\n }\n log.warn(\"secret not resolvable\", { ref });\n return undefined;\n }\n\n has(ref: string): boolean {\n return this.resolve(ref) !== undefined;\n }\n\n capabilities(): string[] {\n const all = this.providers.flatMap((p) => p.capabilities());\n return [...new Set(all)];\n }\n\n /** Returns the first provider that can resolve this ref. */\n providerFor(ref: string): SecretProvider | undefined {\n for (const p of this.providers) {\n if (p.resolve(ref) !== undefined) return p;\n }\n return undefined;\n }\n\n /**\n * Calls ensureFresh(ref) on the owning provider if it implements OAuthSecretProvider.\n * No-op for providers that don't have ensureFresh().\n *\n * @param ref - Must be an \"oauth:\" prefixed ref for this to have any effect.\n * Calls ensureFresh() on the owning OAuthSecretProvider.\n */\n async prepareRef(ref: string): Promise<void> {\n const owner = this.providerFor(ref);\n if (\n owner &&\n \"ensureFresh\" in owner &&\n typeof (owner as OAuthSecretProvider).ensureFresh === \"function\"\n ) {\n try {\n await (owner as OAuthSecretProvider).ensureFresh(ref);\n } catch (err) {\n log.error(\"secret provider ensureFresh failed\", err, { ref });\n throw err;\n }\n }\n }\n}\n","/**\n * Load connector declarations from skaile.yaml.\n *\n * The top-level `mounts:` key is no longer accepted (hard cut as of Task 11).\n * Filesystem-projected backends must be declared under `connectors:` with a\n * `mount:` sub-block. See `docs/migration-mounts-to-connectors.md`.\n */\n\nimport type { ConnectorDeclaration as WorkspaceConnector } from \"@skaile/workspaces/core\";\nimport { resolveSkWorkspaceConfig } from \"@skaile/workspaces/core\";\nimport type { ConnectorDeclaration } from \"./connector-types.js\";\n\n/**\n * Read `skaile.yaml` in `projectDir` and return all declared connectors as `ConnectorDeclaration[]`.\n *\n * Throws a migration error when the legacy top-level `mounts:` key is present.\n *\n * @param projectDir - Root of the workspace (directory containing `skaile.yaml`).\n * @returns Array of connector declarations, or an empty array if none are declared.\n * @docLink packages/connectors/api-reference#load-connector-declarations\n */\nexport function loadConnectorDeclarations(projectDir: string): ConnectorDeclaration[] {\n const config = resolveSkWorkspaceConfig(projectDir);\n\n // Hard cut: reject legacy top-level `mounts:` key with an actionable message.\n if (config.mounts && config.mounts.length > 0) {\n throw new Error(\n \"'mounts:' is no longer supported — move entries under 'connectors:' with a 'mount:' sub-block. See docs/migration-mounts-to-connectors.md\",\n );\n }\n\n if (!config.connectors || config.connectors.length === 0) return [];\n return config.connectors.map(workspaceConnectorToDeclaration);\n}\n\nfunction workspaceConnectorToDeclaration(c: WorkspaceConnector): ConnectorDeclaration {\n const decl: ConnectorDeclaration = {\n id: c.id,\n driver: c.driver,\n access: c.access ?? \"read-only\",\n auth: c.auth,\n options: c.options,\n };\n\n // Map the optional mount sub-block when present.\n if (c.mount) {\n decl.mount = {\n source: c.mount.source,\n target: c.mount.target,\n watch: c.mount.watch,\n exposeAccessToken: c.mount.exposeAccessToken,\n accessTokenTTL: c.mount.accessTokenTTL,\n };\n }\n\n return decl;\n}\n\nimport type { ForgeSecretProvider, SecretProvider } from \"./secrets.js\";\nimport { EnvSecretProvider, InMemorySecretProvider, SecretProviderChain } from \"./secrets.js\";\n\n/**\n * Build a `SecretProviderChain` for Forge session context.\n * `OAuthSecretProvider` is not wired here — it must be provided externally\n * (the Forge session manager constructs it and passes it in).\n * @param forgeProvider - The Forge-provisioned secret store.\n * @param extraProviders - Additional providers prepended to the chain (e.g. an OAuth provider).\n * @returns A chain that routes `forge:` refs to the Forge store and `env:` refs to process.env.\n * @docLink packages/connectors/api-reference#create-forge-secret-provider-chain\n */\nexport function createForgeSecretProviderChain(\n forgeProvider: ForgeSecretProvider,\n extraProviders: SecretProvider[] = [],\n): SecretProviderChain {\n return new SecretProviderChain([...extraProviders, forgeProvider, new EnvSecretProvider()]);\n}\n\n/**\n * Build a `SecretProviderChain` for CLI/standalone context.\n * `EnvSecretProvider` takes priority; `extraSecrets` are loaded into an `InMemorySecretProvider`.\n * @param extraSecrets - Inline secrets injected into memory (e.g. tokens passed via CLI flags).\n * @returns A chain that resolves `env:` refs from process.env plus any inline extras.\n * @docLink packages/connectors/api-reference#create-cli-secret-provider-chain\n */\nexport function createCliSecretProviderChain(\n extraSecrets: Record<string, string> = {},\n): SecretProviderChain {\n const mem = new InMemorySecretProvider();\n if (Object.keys(extraSecrets).length > 0) {\n mem.provision(extraSecrets);\n }\n return new SecretProviderChain([new EnvSecretProvider(), mem]);\n}\n\n/**\n * Resolve a credential reference using a `SecretProvider`, or fall back to `env:NAME` lookup.\n * @param auth - Credential reference (e.g. `\"env:GIT_TOKEN\"`).\n * @param secrets - Optional provider; falls back to `process.env` if omitted.\n * @returns Resolved secret value or `undefined`.\n * @deprecated Use `SecretProviderChain.resolve()` instead.\n * @docLink packages/connectors/api-reference#resolve-auth\n */\n// @TODO: Code-Review: deprecated shim kept for backward compat — remove once all callers migrate to SecretProviderChain.resolve()\nexport function resolveAuth(\n auth: string | undefined,\n secrets?: import(\"./secrets.js\").SecretProvider,\n): string | undefined {\n if (!auth) return undefined;\n if (secrets) return secrets.resolve(auth);\n if (auth.startsWith(\"env:\")) {\n const envVar = auth.slice(4);\n return process.env[envVar];\n }\n return auth;\n}\n\n// ── Auth grammar (mount-side, Tier 2 credential tiers) ───────────────────────\n\n/**\n * Provider kind for a mount auth ref.\n *\n * Two values are accepted:\n * - `pat` — static personal access token resolved via the secrets chain\n * (standalone CLI / non-platform contexts).\n * - `backend` — token minted by the platform's credential mediator over the\n * transport (`request_access_token` round-trip). Provider\n * dispatch (OAuth, GitHub App, ...) lives backend-side; the\n * runner stays provider-agnostic.\n *\n * @docLink packages/connectors/api-reference#mount-auth-kind\n */\nexport type MountAuthKind = \"pat\" | \"backend\";\n\n/**\n * Parsed mount `auth:` field.\n *\n * - `pat` → `value` is the inner secret ref (e.g. `env:NAME`).\n * - `backend` → `value` is empty (sentinel only); the runner asks the\n * backend for tokens via `request_access_token`.\n *\n * @docLink packages/connectors/api-reference#mount-auth-ref\n */\nexport interface MountAuthRef {\n kind: MountAuthKind;\n /** Prefix-stripped payload — see kind for shape. Empty for `backend`. */\n value: string;\n /** Original auth string from the declaration, kept for diagnostics. */\n raw: string;\n}\n\n/**\n * Thrown when a mount declaration's `auth:` field uses the legacy bare `env:NAME` grammar\n * or any other unrecognized form. Migrate to `pat:env:NAME` (standalone) or `backend`\n * (platform-mediated).\n * @docLink packages/connectors/api-reference#legacy-auth-grammar-error\n */\nexport class LegacyAuthGrammarError extends Error {\n readonly auth: string;\n constructor(auth: string, mountId?: string) {\n const where = mountId ? ` on mount '${mountId}'` : \"\";\n super(\n `Legacy or unrecognized auth grammar${where} ('${auth}'). ` +\n `Replace with one of:\\n` +\n ` - backend (platform-mediated, recommended)\\n` +\n ` - pat:env:NAME (standalone CLI / static token)\\n` +\n `See _devlog/specs/2026-05-06-tier-2-credential-mediation.md.`,\n );\n this.name = \"LegacyAuthGrammarError\";\n this.auth = auth;\n }\n}\n\n/**\n * Resolve the `auth: backend` initial mint for a given mount or connector id\n * by querying the secrets chain with a `${kind}:${id}` ref. Returns the\n * resolved bearer token or `undefined` if no pre-minted credential is\n * available.\n *\n * Used by the runner when wiring `ConnectorManager` to\n * answer initial-mint requests from `PreMintedSecretProvider` without\n * round-tripping to the platform. Drivers continue to receive a\n * `tokenMediator` for refresh + retry-401 paths.\n *\n * @param kind Resource family (`mount` or `connector`).\n * @param id Resource declaration id.\n * @param chain Secrets chain. Pass `undefined` to return `undefined`.\n * @returns The pre-minted token, or `undefined` if not stored on the chain.\n * @docLink packages/connectors/api-reference#resolve-backend-auth-for\n */\nexport function resolveBackendAuthFor(\n kind: \"mount\" | \"connector\",\n id: string,\n chain: import(\"./secrets.js\").SecretProvider | undefined,\n): string | undefined {\n if (!chain) return undefined;\n return chain.resolve(`${kind}:${id}`);\n}\n\n/**\n * Parse a mount-side auth ref into a typed `MountAuthRef`.\n *\n * Accepted forms:\n * - `backend` — platform-mediated mint via `request_access_token`.\n * - `pat:env:NAME` — static PAT resolved from the secrets chain.\n *\n * Rejects bare `env:NAME` (legacy) and provider-prefixed grammars (`oauth:`,\n * `github-app:`) — those moved backend-side as part of Tier-2 mediation.\n * Returns `undefined` when `auth` is absent or empty.\n *\n * @param auth - Raw `auth:` value from the mount declaration.\n * @param mountId - Optional mount id included in error messages.\n * @returns Parsed `MountAuthRef` or `undefined`.\n * @throws {LegacyAuthGrammarError} for any unrecognized grammar.\n * @docLink packages/connectors/api-reference#resolve-auth-ref\n */\nexport function resolveAuthRef(\n auth: string | undefined,\n mountId?: string,\n): MountAuthRef | undefined {\n if (!auth) return undefined;\n\n if (auth === \"backend\") {\n return { kind: \"backend\", value: \"\", raw: auth };\n }\n if (auth.startsWith(\"pat:\")) {\n return { kind: \"pat\", value: auth.slice(\"pat:\".length), raw: auth };\n }\n\n // Legacy bare `env:NAME` and the deprecated provider-prefixed grammars\n // (`oauth:`, `github-app:`) all land here.\n throw new LegacyAuthGrammarError(auth, mountId);\n}\n"]}
package/dist/{chunk-3DS5VIQP.js → chunk-WGPT6FV6.js} RENAMED
@@ -1,5 +1,5 @@
1
- import { resolveSkWorkspaceConfig, readLinks } from './chunk-SOQMVRQL.js';
2
- import { scanDirectory } from './chunk-ZHLRRT5D.js';
1
+ import { resolveSkWorkspaceConfig, readLinks } from './chunk-N2C3A5PS.js';
2
+ import { scanDirectory } from './chunk-FRPKLIEZ.js';
3
3
  import { existsSync, readFileSync, lstatSync } from 'fs';
4
4
  import { resolve, join, dirname } from 'path';
5
5
  import { fileURLToPath } from 'url';
@@ -165,5 +165,5 @@ function findCatalogEntry(entries, query) {
165
165
  }
166
166
 
167
167
  export { BASE_ASSETS_REPO_NAME, resolveBaseAssetsRoot, resolveRuntimeAssets };
168
- //# sourceMappingURL=chunk-3DS5VIQP.js.map
169
- //# sourceMappingURL=chunk-3DS5VIQP.js.map
168
+ //# sourceMappingURL=chunk-WGPT6FV6.js.map
169
+ //# sourceMappingURL=chunk-WGPT6FV6.js.map
package/dist/{chunk-3DS5VIQP.js.map → chunk-WGPT6FV6.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"sources":["../core/src/runtime-assets.ts"],"names":["resolvePath","require"],"mappings":";;;;;;;AAuFO,IAAM,qBAAA,GAAwB;AAsCrC,eAAsB,qBAAqB,UAAA,EAAkD;AAC3F,EAAA,MAAM,MAAA,GAA8B;AAAA,IAClC,gBAAgB,EAAC;AAAA,IACjB,cAAc,EAAC;AAAA,IACf,iBAAiB,EAAE,QAAA,EAAU,EAAC,EAAG,QAAA,EAAU,EAAC,EAAE;AAAA,IAC9C,UAAU,EAAC;AAAA,IACX,SAAS,YAAY;AACnB,MAAA,MAAM,QAAA,CAAS,YAAY,MAAM,CAAA;AAAA,IACnC,CAAA;AAAA,IACA,WAAW,CAAC,KAAA,KAAU,gBAAA,CAAiB,MAAA,CAAO,gBAAgB,KAAK;AAAA,GACrE;AAEA,EAAA,MAAM,QAAA,CAAS,YAAY,MAAM,CAAA;AACjC,EAAA,OAAO,MAAA;AACT;AAeO,SAAS,qBAAA,GAAgC;AAC9C,EAAA,MAAM,MAAA,GAAS,QAAQ,GAAA,CAAI,sBAAA;AAC3B,EAAA,IAAI,UAAU,UAAA,CAAW,MAAM,CAAA,EAAG,OAAOA,QAAY,MAAM,CAAA;AAE3D,EAAA,IAAI;AACF,IAAA,MAAMC,QAAAA,GAAU,aAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA;AAC7C,IAAA,MAAM,OAAA,GAAUA,QAAAA,CAAQ,OAAA,CAAQ,iCAAiC,CAAA;AACjE,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,OAAA,CAAQ,OAAO,GAAG,aAAa,CAAA;AACtD,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG,OAAO,SAAA;AAAA,EACpC,CAAA,CAAA,MAAQ;AAAA,EAER;AAEA,EAAA,MAAM,YAAA,GAAe,eAAA,CAAgB,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA;AACpD,EAAA,IAAI,cAAc,OAAO,YAAA;AAEzB,EAAA,MAAM,IAAI,KAAA;AAAA,IACR,CAAA,yLAAA;AAAA,GAIF;AACF;AAOA,SAAS,gBAAgB,QAAA,EAAiC;AACxD,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI;AACF,IAAA,GAAA,GAAM,OAAA,CAAQ,aAAA,CAAc,QAAQ,CAAC,CAAA;AAAA,EACvC,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,EAAG,CAAA,EAAA,EAAK;AAC1B,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,GAAA,EAAK,cAAc,CAAA;AACxC,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,GAAA,EAAK,aAAa,CAAA;AAC1C,IAAA,IAAI,UAAA,CAAW,OAAO,CAAA,IAAK,UAAA,CAAW,UAAU,CAAA,EAAG;AACjD,MAAA,IAAI;AACF,QAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,YAAA,CAAa,OAAA,EAAS,OAAO,CAAC,CAAA;AACrD,QAAA,IAAI,GAAA,CAAI,IAAA,KAAS,oBAAA,EAAsB,OAAO,UAAA;AAAA,MAChD,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AACA,IAAA,MAAM,MAAA,GAAS,QAAQ,GAAG,CAAA;AAC1B,IAAA,IAAI,WAAW,GAAA,EAAK;AACpB,IAAA,GAAA,GAAM,MAAA;AAAA,EACR;AACA,EAAA,OAAO,IAAA;AACT;AAIA,eAAe,QAAA,CAAS,YAAoB,MAAA,EAA4C;AACtF,EAAA,MAAA,CAAO,iBAAiB,EAAC;AACzB,EAAA,MAAA,CAAO,eAAe,EAAC;AACvB,EAAA,MAAA,CAAO,kBAAkB,EAAE,QAAA,EAAU,EAAC,EAAG,QAAA,EAAU,EAAC,EAAE;AACtD,EAAA,MAAA,CAAO,WAAW,EAAC;AAEnB,EAAA,MAAM,MAAA,GAAS,yBAAyB,UAAU,CAAA;AAClD,EAAA,MAAM,YAAA,GAAe,0BAAA,CAA2B,MAAA,CAAO,YAAY,CAAA;AACnE,EAAA,MAAM,KAAA,GAAQ,UAAU,UAAU,CAAA;AAGlC,EAAA,KAAA,MAAW,CAAC,IAAA,EAAM,IAAI,KAAK,MAAA,CAAO,OAAA,CAAQ,YAAY,CAAA,EAAG;AACvD,IAAA,MAAM,OAAA,GAAU,cAAA,CAAe,IAAA,EAAM,IAAA,EAAM,YAAY,KAAK,CAAA;AAC5D,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAA,CAAO,SAAS,IAAA,CAAK;AAAA,QACnB,IAAA,EAAM,kBAAA;AAAA,QACN,IAAA;AAAA,QACA,OAAA,EAAS,sBAAA,CAAuB,IAAA,EAAM,IAAI;AAAA,OAC3C,CAAA;AACD,MAAA;AAAA,IACF;AACA,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,aAAA,CAAc,OAAA,EAAS,IAAI,CAAA,CAAE,OAAO,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,KAAS,WAAW,CAAA;AACjF,MAAA,MAAA,CAAO,cAAA,CAAe,IAAA,CAAK,GAAG,OAAO,CAAA;AAAA,IACvC,SAAS,GAAA,EAAK;AACZ,MAAA,MAAA,CAAO,SAAS,IAAA,CAAK;AAAA,QACnB,IAAA,EAAM,kBAAA;AAAA,QACN,IAAA;AAAA,QACA,OAAA,EAAS,CAAA,2BAAA,EAA8B,IAAI,CAAA,KAAA,EAAQ,OAAO,CAAA,EAAA,EACxD,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,MAAA,CAAO,GAAG,CACjD,CAAA;AAAA,OACD,CAAA;AAAA,IACH;AAAA,EACF;AAGA,EAAA,KAAA,MAAW,CAAA,IAAK,MAAA,CAAO,UAAA,IAAc,EAAC,EAAG;AACvC,IAAA,MAAA,CAAO,YAAA,CAAa,IAAA,CAAK,EAAE,IAAA,EAAM,WAAA,EAAa,IAAA,EAAM,CAAA,CAAE,MAAA,EAAQ,aAAA,EAAe,CAAA,CAAE,EAAA,EAAI,CAAA;AAAA,EACrF;AAGA,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AACpC,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AACpC,EAAA,KAAA,MAAW,GAAA,IAAO,OAAO,YAAA,EAAc;AACrC,IAAA,MAAM,KAAA,GAAQ,gBAAA,CAAiB,MAAA,CAAO,cAAA,EAAgB,GAAG,CAAA;AACzD,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,MAAA,CAAO,SAAS,IAAA,CAAK;AAAA,QACnB,IAAA,EAAM,gBAAA;AAAA,QACN,eAAe,GAAA,CAAI,aAAA;AAAA,QACnB,MAAM,GAAA,CAAI,IAAA;AAAA,QACV,OAAA,EACE,CAAA,QAAA,EAAW,GAAA,CAAI,IAAI,YAAY,GAAA,CAAI,IAAI,CAAA,gBAAA,EAAmB,GAAA,CAAI,IAAI,CAAA,EAAA,EAAK,GAAA,CAAI,aAAa,CAAA,gBAAA,EACxE,IAAI,IAAI,CAAA,sGAAA;AAAA,OAE3B,CAAA;AACD,MAAA;AAAA,IACF;AACA,IAAA,MAAM,GAAA,GAAO,KAAA,CAAM,QAAA,EAAU,QAAA,IAAY,EAAC;AAC1C,IAAA,KAAA,MAAW,KAAK,GAAA,CAAI,QAAA,IAAY,EAAC,EAAG,WAAA,CAAY,IAAI,CAAC,CAAA;AACrD,IAAA,KAAA,MAAW,KAAK,GAAA,CAAI,QAAA,IAAY,EAAC,EAAG,WAAA,CAAY,IAAI,CAAC,CAAA;AAAA,EACvD;AACA,EAAA,MAAA,CAAO,eAAA,CAAgB,QAAA,GAAW,CAAC,GAAG,WAAW,CAAA;AACjD,EAAA,MAAA,CAAO,eAAA,CAAgB,QAAA,GAAW,CAAC,GAAG,WAAW,CAAA;AACnD;AAOA,SAAS,2BACP,QAAA,EACuC;AACvC,EAAA,MAAM,MAAA,GAAgD,EAAE,GAAI,QAAA,IAAY,EAAC,EAAG;AAC5E,EAAA,IAAI,CAAC,MAAA,CAAO,qBAAqB,CAAA,EAAG;AAClC,IAAA,IAAI;AACF,MAAA,MAAM,UAAU,qBAAA,EAAsB;AACtC,MAAA,MAAA,CAAO,qBAAqB,CAAA,GAAI,EAAE,IAAA,EAAM,OAAA,EAAQ;AAAA,IAClD,SAAS,GAAA,EAAK;AAIZ,MAAA,MAAA,CAAO,qBAAqB,CAAA,GAAI,EAAE,IAAA,EAAM,EAAA,EAAG;AAAA,IAC7C;AAAA,EACF;AACA,EAAA,OAAO,MAAA;AACT;AAUA,SAAS,cAAA,CACP,IAAA,EACA,IAAA,EACA,UAAA,EACA,KAAA,EACe;AAEf,EAAA,MAAM,MAAA,GAAS,MAAM,IAAI,CAAA;AACzB,EAAA,IAAI,MAAA,IAAU,UAAA,CAAW,MAAM,CAAA,EAAG,OAAO,MAAA;AAGzC,EAAA,IAAI,KAAK,IAAA,EAAM;AACb,IAAA,MAAM,QAAA,GAAWD,OAAA,CAAY,UAAA,EAAY,IAAA,CAAK,IAAI,CAAA;AAClD,IAAA,OAAO,UAAA,CAAW,QAAQ,CAAA,GAAI,QAAA,GAAW,IAAA;AAAA,EAC3C;AAGA,EAAA,IAAI,KAAK,GAAA,EAAK;AACZ,IAAA,MAAM,WAAA,GAAc,IAAA,CAAK,UAAA,EAAY,SAAA,EAAW,SAAS,IAAI,CAAA;AAC7D,IAAA,IAAI,UAAA,CAAW,WAAW,CAAA,EAAG;AAE3B,MAAA,IAAI;AACF,QAAA,OAAO,SAAA,CAAU,WAAW,CAAA,CAAE,cAAA,KAAmB,WAAA,GAAc,WAAA;AAAA,MACjE,CAAA,CAAA,MAAQ;AACN,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO,IAAA;AACT;AAEA,SAAS,sBAAA,CAAuB,MAAc,IAAA,EAAqC;AACjF,EAAA,IAAI,SAAS,qBAAA,IAAyB,CAAC,KAAK,IAAA,IAAQ,CAAC,KAAK,GAAA,EAAK;AAC7D,IAAA,OACE,CAAA,kGAAA,CAAA;AAAA,EAGJ;AACA,EAAA,IAAI,KAAK,GAAA,EAAK;AACZ,IAAA,OAAO,CAAA,YAAA,EAAe,IAAI,CAAA,GAAA,EAAM,IAAA,CAAK,GAAG,CAAA,8EAAA,CAAA;AAAA,EAC1C;AACA,EAAA,IAAI,KAAK,IAAA,EAAM;AACb,IAAA,OAAO,CAAA,YAAA,EAAe,IAAI,CAAA,kBAAA,EAAqB,IAAA,CAAK,IAAI,CAAA,CAAA;AAAA,EAC1D;AACA,EAAA,OAAO,eAAe,IAAI,CAAA,2BAAA,CAAA;AAC5B;AAEA,SAAS,gBAAA,CACP,SACA,KAAA,EACiC;AACjC,EAAA,IAAI,MAAM,IAAA,EAAM;AACd,IAAA,OAAO,OAAA,CAAQ,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,KAAS,KAAA,CAAM,IAAA,IAAQ,CAAA,CAAE,IAAA,KAAS,KAAA,CAAM,IAAI,CAAA;AAAA,EAC3E;AACA,EAAA,MAAM,OAAA,GAAU,QAAQ,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,IAAA,KAAS,MAAM,IAAI,CAAA;AAC3D,EAAA,IAAI,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG,OAAO,QAAQ,CAAC,CAAA;AAE1C,EAAA,OAAO,MAAA;AACT","file":"chunk-3DS5VIQP.js","sourcesContent":["/**\n * Runtime asset resolution — read `skaile.yaml`, scan all declared repositories\n * (including the built-in `base-assets/` directory as an implicit default), and\n * produce a unified view of connector catalog entries plus the implicit refs\n * that the `skaile.yaml` `connectors:` section adds to the dependency graph.\n *\n * This module is the single source of truth for \"which connectors does this\n * project see at runtime, and where do their implementations live on disk\".\n * Both the runner (serve, REPL, flow) and the platform's mid-session\n * `add_resource` flow consume `RuntimeAssetsResult.catalogEntries` and pass\n * it into `ConnectorManager` for catalog-based resolution.\n *\n * `base-assets/` is a subdirectory of the single published `@skaile/workspaces`\n * package — not a standalone package. Its on-disk path is resolved with this\n * precedence:\n * 1. `process.env.SKAILE_BASE_ASSETS_DIR` — set by the agent container at\n * runtime to point at `/app/base-assets/`.\n * 2. `require.resolve('@skaile/workspaces/package.json')` + `base-assets/` —\n * works when `@skaile/workspaces` is installed as a dependency.\n * 3. Walk upward from this module's location for the `@skaile/workspaces`\n * package root (a `package.json` whose `name` is `@skaile/workspaces`)\n * that contains a `base-assets/` subdirectory. This is the dev-workspace\n * fallback — it is bounded and works regardless of where the consumer\n * lives in the tree.\n */\n\nimport { existsSync, lstatSync, readFileSync } from \"node:fs\";\nimport { dirname, join, resolve as resolvePath } from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport { createRequire } from \"node:module\";\nimport type { CatalogEntry } from \"./models.js\";\nimport { scanDirectory } from \"./manifest.js\";\nimport type { RepositoryDeclaration } from \"./workspace-config.js\";\nimport { resolveSkWorkspaceConfig } from \"./workspace-config.js\";\nimport { readLinks } from \"./repo-manager.js\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\n/**\n * Catalog entry filtered to mount/connector kinds. Same shape as `CatalogEntry`.\n * @docLink packages/core/concepts#runtime-catalog-entry\n */\nexport type RuntimeCatalogEntry = CatalogEntry;\n\n/**\n * Implicit catalog reference derived from a `connectors:` declaration in `skaile.yaml`.\n * Each connector driver becomes an implicit ref that must be resolved in the catalog.\n * @docLink packages/core/concepts#runtime-asset-ref\n */\nexport interface RuntimeAssetRef {\n kind: \"connector\";\n /** Driver name — matches `RuntimeCatalogEntry.name`. */\n name: string;\n /** Source declaration id from `skaile.yaml`. */\n declarationId: string;\n}\n\n/**\n * Aggregated npm packages required by all resolved mount/connector adapters.\n * Populated from `metadata.npm_deps` in each matched catalog entry.\n * @docLink packages/core/concepts#runtime-npm-deps\n */\nexport interface RuntimeNpmDeps {\n required: string[];\n optional: string[];\n}\n\n/**\n * Non-fatal warning emitted during `resolveRuntimeAssets` when a repo is unavailable\n * or a driver is not found in any catalog.\n * @docLink packages/core/concepts#runtime-asset-warning\n */\nexport interface RuntimeAssetWarning {\n /** Stable code for filtering / structured logging. */\n code: \"missing_driver\" | \"repo_unavailable\" | \"invalid_repo_decl\";\n message: string;\n /** Declaration id when applicable. */\n declarationId?: string;\n /** Driver / repository name when applicable. */\n name?: string;\n}\n\n/**\n * Repository name used for the implicit `@skaile/base-assets` catalog entry.\n * Callers can override this repo by declaring `repositories: { base-assets: ... }` in `skaile.yaml`.\n * @docLink packages/core/concepts#base-assets-repo-name\n */\nexport const BASE_ASSETS_REPO_NAME = \"base-assets\";\n\n/**\n * Result of `resolveRuntimeAssets`.\n * The same object is mutated in place by `refresh()`, allowing callers to hold\n * a stable reference and observe updates after a new repository is cloned or\n * a driver is installed mid-session.\n * @docLink packages/core/concepts#runtime-assets-result\n */\nexport interface RuntimeAssetsResult {\n catalogEntries: RuntimeCatalogEntry[];\n implicitRefs: RuntimeAssetRef[];\n requiredNpmDeps: RuntimeNpmDeps;\n warnings: RuntimeAssetWarning[];\n /** Re-scan repositories and re-derive implicit refs. Mutates in place. */\n refresh(): Promise<void>;\n /**\n * Catalog lookup. When `kind` is omitted and multiple entries share the\n * `name`, returns `undefined` (caller must disambiguate).\n */\n findEntry(query: { kind?: \"connector\"; name: string }): RuntimeCatalogEntry | undefined;\n}\n\n// ─── Public API ───────────────────────────────────────────────────────────────\n\n/**\n * Resolve all runtime assets visible to a project by scanning declared repositories.\n *\n * Reads `skaile.yaml`, scans every declared repository (plus the implicit\n * `@skaile/base-assets` repo), and derives implicit refs from `mounts:` /\n * `connectors:` declarations. Does not clone or install anything — purely a\n * read-only scan of what is already on disk. URL-only repositories that have\n * not been cloned yet are reported as `repo_unavailable` warnings.\n *\n * @param projectDir - Absolute path to the project workspace root\n * @returns `RuntimeAssetsResult` with catalog entries, implicit refs, npm deps, and warnings\n * @docLink packages/core/concepts#resolve-runtime-assets\n */\nexport async function resolveRuntimeAssets(projectDir: string): Promise<RuntimeAssetsResult> {\n const result: RuntimeAssetsResult = {\n catalogEntries: [],\n implicitRefs: [],\n requiredNpmDeps: { required: [], optional: [] },\n warnings: [],\n refresh: async () => {\n await populate(projectDir, result);\n },\n findEntry: (query) => findCatalogEntry(result.catalogEntries, query),\n };\n\n await populate(projectDir, result);\n return result;\n}\n\n/**\n * Resolve the on-disk root of `@skaile/base-assets`.\n *\n * Resolution tiers:\n * 1. `SKAILE_BASE_ASSETS_DIR` env var\n * 2. `require.resolve('@skaile/workspaces/base-assets/package.json')` (npm install / hoisted)\n * 3. Walk upward from this module looking for `base-assets/package.json` or\n * `ai-assets-skaile/package.json` (legacy shell-repo layout)\n *\n * @returns Absolute path to the `@skaile/base-assets` package directory\n * @throws When none of the three tiers can locate the package\n * @docLink packages/core/concepts#resolve-base-assets-root\n */\nexport function resolveBaseAssetsRoot(): string {\n const envDir = process.env.SKAILE_BASE_ASSETS_DIR;\n if (envDir && existsSync(envDir)) return resolvePath(envDir);\n\n try {\n const require = createRequire(import.meta.url);\n const pkgJson = require.resolve(\"@skaile/workspaces/package.json\");\n const candidate = join(dirname(pkgJson), \"base-assets\");\n if (existsSync(candidate)) return candidate;\n } catch {\n // Fall through to workspace walk.\n }\n\n const workspaceHit = findInWorkspace(import.meta.url);\n if (workspaceHit) return workspaceHit;\n\n throw new Error(\n `Cannot resolve the base-assets directory. ` +\n `Set SKAILE_BASE_ASSETS_DIR to the on-disk path, ` +\n `ensure @skaile/workspaces is installed, ` +\n `or run from within the @skaile/workspaces package tree.`,\n );\n}\n\n/**\n * Walk upward from `startUrl` looking for the `@skaile/workspaces` package\n * root — a directory whose `package.json` `name` is `@skaile/workspaces` and\n * which contains a `base-assets/` subdirectory. Bounded to 8 levels.\n */\nfunction findInWorkspace(startUrl: string): string | null {\n let dir: string;\n try {\n dir = dirname(fileURLToPath(startUrl));\n } catch {\n return null;\n }\n for (let i = 0; i < 8; i++) {\n const pkgPath = join(dir, \"package.json\");\n const baseAssets = join(dir, \"base-assets\");\n if (existsSync(pkgPath) && existsSync(baseAssets)) {\n try {\n const pkg = JSON.parse(readFileSync(pkgPath, \"utf-8\")) as { name?: string };\n if (pkg.name === \"@skaile/workspaces\") return baseAssets;\n } catch {\n // Ignore malformed package.json and keep walking.\n }\n }\n const parent = dirname(dir);\n if (parent === dir) break;\n dir = parent;\n }\n return null;\n}\n\n// ─── Internals ────────────────────────────────────────────────────────────────\n\nasync function populate(projectDir: string, target: RuntimeAssetsResult): Promise<void> {\n target.catalogEntries = [];\n target.implicitRefs = [];\n target.requiredNpmDeps = { required: [], optional: [] };\n target.warnings = [];\n\n const config = resolveSkWorkspaceConfig(projectDir);\n const repositories = buildEffectiveRepositories(config.repositories);\n const links = readLinks(projectDir);\n\n // Scan each repository for connector entries.\n for (const [name, decl] of Object.entries(repositories)) {\n const repoDir = resolveRepoDir(name, decl, projectDir, links);\n if (!repoDir) {\n target.warnings.push({\n code: \"repo_unavailable\",\n name,\n message: repoUnavailableMessage(name, decl),\n });\n continue;\n }\n try {\n const entries = scanDirectory(repoDir, name).filter((e) => e.kind === \"connector\");\n target.catalogEntries.push(...entries);\n } catch (err) {\n target.warnings.push({\n code: \"repo_unavailable\",\n name,\n message: `Failed to scan repository \"${name}\" at ${repoDir}: ${\n err instanceof Error ? err.message : String(err)\n }`,\n });\n }\n }\n\n // Derive implicit refs from skaile.yaml connectors.\n for (const c of config.connectors ?? []) {\n target.implicitRefs.push({ kind: \"connector\", name: c.driver, declarationId: c.id });\n }\n\n // Validate refs and aggregate npm deps.\n const requiredSet = new Set<string>();\n const optionalSet = new Set<string>();\n for (const ref of target.implicitRefs) {\n const entry = findCatalogEntry(target.catalogEntries, ref);\n if (!entry) {\n target.warnings.push({\n code: \"missing_driver\",\n declarationId: ref.declarationId,\n name: ref.name,\n message:\n `Unknown ${ref.kind} driver \"${ref.name}\" referenced by ${ref.kind} \"${ref.declarationId}\". ` +\n `Run \\`skaile ${ref.kind} catalog\\` to see available drivers, ` +\n `or declare a repository in skaile.yaml that provides this driver.`,\n });\n continue;\n }\n const npm = (entry.metadata?.npm_deps ?? {}) as { required?: string[]; optional?: string[] };\n for (const p of npm.required ?? []) requiredSet.add(p);\n for (const p of npm.optional ?? []) optionalSet.add(p);\n }\n target.requiredNpmDeps.required = [...requiredSet];\n target.requiredNpmDeps.optional = [...optionalSet];\n}\n\n/**\n * Build the effective `repositories` map: caller's declarations first, then\n * the implicit `base-assets` repo if absent. Caller's entries always win — an\n * org can override the default by declaring `repositories: { base-assets: {...} }`.\n */\nfunction buildEffectiveRepositories(\n declared: Record<string, RepositoryDeclaration> | undefined,\n): Record<string, RepositoryDeclaration> {\n const result: Record<string, RepositoryDeclaration> = { ...(declared ?? {}) };\n if (!result[BASE_ASSETS_REPO_NAME]) {\n try {\n const baseDir = resolveBaseAssetsRoot();\n result[BASE_ASSETS_REPO_NAME] = { path: baseDir };\n } catch (err) {\n // Surface as a warning during scan rather than throwing here — let the\n // caller decide whether base-assets is required for this project.\n // We re-discover the failure in resolveRepoDir() and emit there.\n result[BASE_ASSETS_REPO_NAME] = { path: \"\" };\n }\n }\n return result;\n}\n\n/**\n * Resolve a repository declaration to an on-disk directory. Order:\n * 1. Linked override (`.skaile/links.yaml`).\n * 2. Local `path` — relative to `projectDir`.\n * 3. Cloned URL repo at `.skaile/repos/<name>/` (must already exist).\n *\n * Returns `null` when none of these resolve. Does not clone.\n */\nfunction resolveRepoDir(\n name: string,\n decl: RepositoryDeclaration,\n projectDir: string,\n links: Record<string, string>,\n): string | null {\n // 1. Linked override\n const linked = links[name];\n if (linked && existsSync(linked)) return linked;\n\n // 2. Local path\n if (decl.path) {\n const resolved = resolvePath(projectDir, decl.path);\n return existsSync(resolved) ? resolved : null;\n }\n\n // 3. URL repo cloned to project's .skaile/repos/<name>\n if (decl.url) {\n const projectDest = join(projectDir, \".skaile\", \"repos\", name);\n if (existsSync(projectDest)) {\n // Either a real directory or a symlink to the global cache.\n try {\n return lstatSync(projectDest).isSymbolicLink() ? projectDest : projectDest;\n } catch {\n return null;\n }\n }\n return null;\n }\n\n return null;\n}\n\nfunction repoUnavailableMessage(name: string, decl: RepositoryDeclaration): string {\n if (name === BASE_ASSETS_REPO_NAME && !decl.path && !decl.url) {\n return (\n `Cannot resolve @skaile/base-assets. ` +\n `Set SKAILE_BASE_ASSETS_DIR or ensure the package is installed.`\n );\n }\n if (decl.url) {\n return `Repository \"${name}\" (${decl.url}) is not available. Register it as a Library Source via \\`skaile source add\\`.`;\n }\n if (decl.path) {\n return `Repository \"${name}\" path not found: ${decl.path}`;\n }\n return `Repository \"${name}\" has neither url nor path.`;\n}\n\nfunction findCatalogEntry(\n entries: RuntimeCatalogEntry[],\n query: { kind?: \"connector\"; name: string },\n): RuntimeCatalogEntry | undefined {\n if (query.kind) {\n return entries.find((e) => e.kind === query.kind && e.name === query.name);\n }\n const matches = entries.filter((e) => e.name === query.name);\n if (matches.length === 1) return matches[0];\n // 0 or >1 with no kind — caller must disambiguate.\n return undefined;\n}\n"]}
1
+ {"version":3,"sources":["../core/src/runtime-assets.ts"],"names":["resolvePath","require"],"mappings":";;;;;;;AAuFO,IAAM,qBAAA,GAAwB;AAsCrC,eAAsB,qBAAqB,UAAA,EAAkD;AAC3F,EAAA,MAAM,MAAA,GAA8B;AAAA,IAClC,gBAAgB,EAAC;AAAA,IACjB,cAAc,EAAC;AAAA,IACf,iBAAiB,EAAE,QAAA,EAAU,EAAC,EAAG,QAAA,EAAU,EAAC,EAAE;AAAA,IAC9C,UAAU,EAAC;AAAA,IACX,SAAS,YAAY;AACnB,MAAA,MAAM,QAAA,CAAS,YAAY,MAAM,CAAA;AAAA,IACnC,CAAA;AAAA,IACA,WAAW,CAAC,KAAA,KAAU,gBAAA,CAAiB,MAAA,CAAO,gBAAgB,KAAK;AAAA,GACrE;AAEA,EAAA,MAAM,QAAA,CAAS,YAAY,MAAM,CAAA;AACjC,EAAA,OAAO,MAAA;AACT;AAeO,SAAS,qBAAA,GAAgC;AAC9C,EAAA,MAAM,MAAA,GAAS,QAAQ,GAAA,CAAI,sBAAA;AAC3B,EAAA,IAAI,UAAU,UAAA,CAAW,MAAM,CAAA,EAAG,OAAOA,QAAY,MAAM,CAAA;AAE3D,EAAA,IAAI;AACF,IAAA,MAAMC,QAAAA,GAAU,aAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA;AAC7C,IAAA,MAAM,OAAA,GAAUA,QAAAA,CAAQ,OAAA,CAAQ,iCAAiC,CAAA;AACjE,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,OAAA,CAAQ,OAAO,GAAG,aAAa,CAAA;AACtD,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG,OAAO,SAAA;AAAA,EACpC,CAAA,CAAA,MAAQ;AAAA,EAER;AAEA,EAAA,MAAM,YAAA,GAAe,eAAA,CAAgB,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA;AACpD,EAAA,IAAI,cAAc,OAAO,YAAA;AAEzB,EAAA,MAAM,IAAI,KAAA;AAAA,IACR,CAAA,yLAAA;AAAA,GAIF;AACF;AAOA,SAAS,gBAAgB,QAAA,EAAiC;AACxD,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI;AACF,IAAA,GAAA,GAAM,OAAA,CAAQ,aAAA,CAAc,QAAQ,CAAC,CAAA;AAAA,EACvC,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,EAAG,CAAA,EAAA,EAAK;AAC1B,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,GAAA,EAAK,cAAc,CAAA;AACxC,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,GAAA,EAAK,aAAa,CAAA;AAC1C,IAAA,IAAI,UAAA,CAAW,OAAO,CAAA,IAAK,UAAA,CAAW,UAAU,CAAA,EAAG;AACjD,MAAA,IAAI;AACF,QAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,YAAA,CAAa,OAAA,EAAS,OAAO,CAAC,CAAA;AACrD,QAAA,IAAI,GAAA,CAAI,IAAA,KAAS,oBAAA,EAAsB,OAAO,UAAA;AAAA,MAChD,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AACA,IAAA,MAAM,MAAA,GAAS,QAAQ,GAAG,CAAA;AAC1B,IAAA,IAAI,WAAW,GAAA,EAAK;AACpB,IAAA,GAAA,GAAM,MAAA;AAAA,EACR;AACA,EAAA,OAAO,IAAA;AACT;AAIA,eAAe,QAAA,CAAS,YAAoB,MAAA,EAA4C;AACtF,EAAA,MAAA,CAAO,iBAAiB,EAAC;AACzB,EAAA,MAAA,CAAO,eAAe,EAAC;AACvB,EAAA,MAAA,CAAO,kBAAkB,EAAE,QAAA,EAAU,EAAC,EAAG,QAAA,EAAU,EAAC,EAAE;AACtD,EAAA,MAAA,CAAO,WAAW,EAAC;AAEnB,EAAA,MAAM,MAAA,GAAS,yBAAyB,UAAU,CAAA;AAClD,EAAA,MAAM,YAAA,GAAe,0BAAA,CAA2B,MAAA,CAAO,YAAY,CAAA;AACnE,EAAA,MAAM,KAAA,GAAQ,UAAU,UAAU,CAAA;AAGlC,EAAA,KAAA,MAAW,CAAC,IAAA,EAAM,IAAI,KAAK,MAAA,CAAO,OAAA,CAAQ,YAAY,CAAA,EAAG;AACvD,IAAA,MAAM,OAAA,GAAU,cAAA,CAAe,IAAA,EAAM,IAAA,EAAM,YAAY,KAAK,CAAA;AAC5D,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAA,CAAO,SAAS,IAAA,CAAK;AAAA,QACnB,IAAA,EAAM,kBAAA;AAAA,QACN,IAAA;AAAA,QACA,OAAA,EAAS,sBAAA,CAAuB,IAAA,EAAM,IAAI;AAAA,OAC3C,CAAA;AACD,MAAA;AAAA,IACF;AACA,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,aAAA,CAAc,OAAA,EAAS,IAAI,CAAA,CAAE,OAAO,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,KAAS,WAAW,CAAA;AACjF,MAAA,MAAA,CAAO,cAAA,CAAe,IAAA,CAAK,GAAG,OAAO,CAAA;AAAA,IACvC,SAAS,GAAA,EAAK;AACZ,MAAA,MAAA,CAAO,SAAS,IAAA,CAAK;AAAA,QACnB,IAAA,EAAM,kBAAA;AAAA,QACN,IAAA;AAAA,QACA,OAAA,EAAS,CAAA,2BAAA,EAA8B,IAAI,CAAA,KAAA,EAAQ,OAAO,CAAA,EAAA,EACxD,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,MAAA,CAAO,GAAG,CACjD,CAAA;AAAA,OACD,CAAA;AAAA,IACH;AAAA,EACF;AAGA,EAAA,KAAA,MAAW,CAAA,IAAK,MAAA,CAAO,UAAA,IAAc,EAAC,EAAG;AACvC,IAAA,MAAA,CAAO,YAAA,CAAa,IAAA,CAAK,EAAE,IAAA,EAAM,WAAA,EAAa,IAAA,EAAM,CAAA,CAAE,MAAA,EAAQ,aAAA,EAAe,CAAA,CAAE,EAAA,EAAI,CAAA;AAAA,EACrF;AAGA,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AACpC,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AACpC,EAAA,KAAA,MAAW,GAAA,IAAO,OAAO,YAAA,EAAc;AACrC,IAAA,MAAM,KAAA,GAAQ,gBAAA,CAAiB,MAAA,CAAO,cAAA,EAAgB,GAAG,CAAA;AACzD,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,MAAA,CAAO,SAAS,IAAA,CAAK;AAAA,QACnB,IAAA,EAAM,gBAAA;AAAA,QACN,eAAe,GAAA,CAAI,aAAA;AAAA,QACnB,MAAM,GAAA,CAAI,IAAA;AAAA,QACV,OAAA,EACE,CAAA,QAAA,EAAW,GAAA,CAAI,IAAI,YAAY,GAAA,CAAI,IAAI,CAAA,gBAAA,EAAmB,GAAA,CAAI,IAAI,CAAA,EAAA,EAAK,GAAA,CAAI,aAAa,CAAA,gBAAA,EACxE,IAAI,IAAI,CAAA,sGAAA;AAAA,OAE3B,CAAA;AACD,MAAA;AAAA,IACF;AACA,IAAA,MAAM,GAAA,GAAO,KAAA,CAAM,QAAA,EAAU,QAAA,IAAY,EAAC;AAC1C,IAAA,KAAA,MAAW,KAAK,GAAA,CAAI,QAAA,IAAY,EAAC,EAAG,WAAA,CAAY,IAAI,CAAC,CAAA;AACrD,IAAA,KAAA,MAAW,KAAK,GAAA,CAAI,QAAA,IAAY,EAAC,EAAG,WAAA,CAAY,IAAI,CAAC,CAAA;AAAA,EACvD;AACA,EAAA,MAAA,CAAO,eAAA,CAAgB,QAAA,GAAW,CAAC,GAAG,WAAW,CAAA;AACjD,EAAA,MAAA,CAAO,eAAA,CAAgB,QAAA,GAAW,CAAC,GAAG,WAAW,CAAA;AACnD;AAOA,SAAS,2BACP,QAAA,EACuC;AACvC,EAAA,MAAM,MAAA,GAAgD,EAAE,GAAI,QAAA,IAAY,EAAC,EAAG;AAC5E,EAAA,IAAI,CAAC,MAAA,CAAO,qBAAqB,CAAA,EAAG;AAClC,IAAA,IAAI;AACF,MAAA,MAAM,UAAU,qBAAA,EAAsB;AACtC,MAAA,MAAA,CAAO,qBAAqB,CAAA,GAAI,EAAE,IAAA,EAAM,OAAA,EAAQ;AAAA,IAClD,SAAS,GAAA,EAAK;AAIZ,MAAA,MAAA,CAAO,qBAAqB,CAAA,GAAI,EAAE,IAAA,EAAM,EAAA,EAAG;AAAA,IAC7C;AAAA,EACF;AACA,EAAA,OAAO,MAAA;AACT;AAUA,SAAS,cAAA,CACP,IAAA,EACA,IAAA,EACA,UAAA,EACA,KAAA,EACe;AAEf,EAAA,MAAM,MAAA,GAAS,MAAM,IAAI,CAAA;AACzB,EAAA,IAAI,MAAA,IAAU,UAAA,CAAW,MAAM,CAAA,EAAG,OAAO,MAAA;AAGzC,EAAA,IAAI,KAAK,IAAA,EAAM;AACb,IAAA,MAAM,QAAA,GAAWD,OAAA,CAAY,UAAA,EAAY,IAAA,CAAK,IAAI,CAAA;AAClD,IAAA,OAAO,UAAA,CAAW,QAAQ,CAAA,GAAI,QAAA,GAAW,IAAA;AAAA,EAC3C;AAGA,EAAA,IAAI,KAAK,GAAA,EAAK;AACZ,IAAA,MAAM,WAAA,GAAc,IAAA,CAAK,UAAA,EAAY,SAAA,EAAW,SAAS,IAAI,CAAA;AAC7D,IAAA,IAAI,UAAA,CAAW,WAAW,CAAA,EAAG;AAE3B,MAAA,IAAI;AACF,QAAA,OAAO,SAAA,CAAU,WAAW,CAAA,CAAE,cAAA,KAAmB,WAAA,GAAc,WAAA;AAAA,MACjE,CAAA,CAAA,MAAQ;AACN,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO,IAAA;AACT;AAEA,SAAS,sBAAA,CAAuB,MAAc,IAAA,EAAqC;AACjF,EAAA,IAAI,SAAS,qBAAA,IAAyB,CAAC,KAAK,IAAA,IAAQ,CAAC,KAAK,GAAA,EAAK;AAC7D,IAAA,OACE,CAAA,kGAAA,CAAA;AAAA,EAGJ;AACA,EAAA,IAAI,KAAK,GAAA,EAAK;AACZ,IAAA,OAAO,CAAA,YAAA,EAAe,IAAI,CAAA,GAAA,EAAM,IAAA,CAAK,GAAG,CAAA,8EAAA,CAAA;AAAA,EAC1C;AACA,EAAA,IAAI,KAAK,IAAA,EAAM;AACb,IAAA,OAAO,CAAA,YAAA,EAAe,IAAI,CAAA,kBAAA,EAAqB,IAAA,CAAK,IAAI,CAAA,CAAA;AAAA,EAC1D;AACA,EAAA,OAAO,eAAe,IAAI,CAAA,2BAAA,CAAA;AAC5B;AAEA,SAAS,gBAAA,CACP,SACA,KAAA,EACiC;AACjC,EAAA,IAAI,MAAM,IAAA,EAAM;AACd,IAAA,OAAO,OAAA,CAAQ,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,KAAS,KAAA,CAAM,IAAA,IAAQ,CAAA,CAAE,IAAA,KAAS,KAAA,CAAM,IAAI,CAAA;AAAA,EAC3E;AACA,EAAA,MAAM,OAAA,GAAU,QAAQ,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,IAAA,KAAS,MAAM,IAAI,CAAA;AAC3D,EAAA,IAAI,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG,OAAO,QAAQ,CAAC,CAAA;AAE1C,EAAA,OAAO,MAAA;AACT","file":"chunk-WGPT6FV6.js","sourcesContent":["/**\n * Runtime asset resolution — read `skaile.yaml`, scan all declared repositories\n * (including the built-in `base-assets/` directory as an implicit default), and\n * produce a unified view of connector catalog entries plus the implicit refs\n * that the `skaile.yaml` `connectors:` section adds to the dependency graph.\n *\n * This module is the single source of truth for \"which connectors does this\n * project see at runtime, and where do their implementations live on disk\".\n * Both the runner (serve, REPL, flow) and the platform's mid-session\n * `add_resource` flow consume `RuntimeAssetsResult.catalogEntries` and pass\n * it into `ConnectorManager` for catalog-based resolution.\n *\n * `base-assets/` is a subdirectory of the single published `@skaile/workspaces`\n * package — not a standalone package. Its on-disk path is resolved with this\n * precedence:\n * 1. `process.env.SKAILE_BASE_ASSETS_DIR` — set by the agent container at\n * runtime to point at `/app/base-assets/`.\n * 2. `require.resolve('@skaile/workspaces/package.json')` + `base-assets/` —\n * works when `@skaile/workspaces` is installed as a dependency.\n * 3. Walk upward from this module's location for the `@skaile/workspaces`\n * package root (a `package.json` whose `name` is `@skaile/workspaces`)\n * that contains a `base-assets/` subdirectory. This is the dev-workspace\n * fallback — it is bounded and works regardless of where the consumer\n * lives in the tree.\n */\n\nimport { existsSync, lstatSync, readFileSync } from \"node:fs\";\nimport { dirname, join, resolve as resolvePath } from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport { createRequire } from \"node:module\";\nimport type { CatalogEntry } from \"./models.js\";\nimport { scanDirectory } from \"./manifest.js\";\nimport type { RepositoryDeclaration } from \"./workspace-config.js\";\nimport { resolveSkWorkspaceConfig } from \"./workspace-config.js\";\nimport { readLinks } from \"./repo-manager.js\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\n/**\n * Catalog entry filtered to mount/connector kinds. Same shape as `CatalogEntry`.\n * @docLink packages/core/concepts#runtime-catalog-entry\n */\nexport type RuntimeCatalogEntry = CatalogEntry;\n\n/**\n * Implicit catalog reference derived from a `connectors:` declaration in `skaile.yaml`.\n * Each connector driver becomes an implicit ref that must be resolved in the catalog.\n * @docLink packages/core/concepts#runtime-asset-ref\n */\nexport interface RuntimeAssetRef {\n kind: \"connector\";\n /** Driver name — matches `RuntimeCatalogEntry.name`. */\n name: string;\n /** Source declaration id from `skaile.yaml`. */\n declarationId: string;\n}\n\n/**\n * Aggregated npm packages required by all resolved mount/connector adapters.\n * Populated from `metadata.npm_deps` in each matched catalog entry.\n * @docLink packages/core/concepts#runtime-npm-deps\n */\nexport interface RuntimeNpmDeps {\n required: string[];\n optional: string[];\n}\n\n/**\n * Non-fatal warning emitted during `resolveRuntimeAssets` when a repo is unavailable\n * or a driver is not found in any catalog.\n * @docLink packages/core/concepts#runtime-asset-warning\n */\nexport interface RuntimeAssetWarning {\n /** Stable code for filtering / structured logging. */\n code: \"missing_driver\" | \"repo_unavailable\" | \"invalid_repo_decl\";\n message: string;\n /** Declaration id when applicable. */\n declarationId?: string;\n /** Driver / repository name when applicable. */\n name?: string;\n}\n\n/**\n * Repository name used for the implicit `@skaile/base-assets` catalog entry.\n * Callers can override this repo by declaring `repositories: { base-assets: ... }` in `skaile.yaml`.\n * @docLink packages/core/concepts#base-assets-repo-name\n */\nexport const BASE_ASSETS_REPO_NAME = \"base-assets\";\n\n/**\n * Result of `resolveRuntimeAssets`.\n * The same object is mutated in place by `refresh()`, allowing callers to hold\n * a stable reference and observe updates after a new repository is cloned or\n * a driver is installed mid-session.\n * @docLink packages/core/concepts#runtime-assets-result\n */\nexport interface RuntimeAssetsResult {\n catalogEntries: RuntimeCatalogEntry[];\n implicitRefs: RuntimeAssetRef[];\n requiredNpmDeps: RuntimeNpmDeps;\n warnings: RuntimeAssetWarning[];\n /** Re-scan repositories and re-derive implicit refs. Mutates in place. */\n refresh(): Promise<void>;\n /**\n * Catalog lookup. When `kind` is omitted and multiple entries share the\n * `name`, returns `undefined` (caller must disambiguate).\n */\n findEntry(query: { kind?: \"connector\"; name: string }): RuntimeCatalogEntry | undefined;\n}\n\n// ─── Public API ───────────────────────────────────────────────────────────────\n\n/**\n * Resolve all runtime assets visible to a project by scanning declared repositories.\n *\n * Reads `skaile.yaml`, scans every declared repository (plus the implicit\n * `@skaile/base-assets` repo), and derives implicit refs from `mounts:` /\n * `connectors:` declarations. Does not clone or install anything — purely a\n * read-only scan of what is already on disk. URL-only repositories that have\n * not been cloned yet are reported as `repo_unavailable` warnings.\n *\n * @param projectDir - Absolute path to the project workspace root\n * @returns `RuntimeAssetsResult` with catalog entries, implicit refs, npm deps, and warnings\n * @docLink packages/core/concepts#resolve-runtime-assets\n */\nexport async function resolveRuntimeAssets(projectDir: string): Promise<RuntimeAssetsResult> {\n const result: RuntimeAssetsResult = {\n catalogEntries: [],\n implicitRefs: [],\n requiredNpmDeps: { required: [], optional: [] },\n warnings: [],\n refresh: async () => {\n await populate(projectDir, result);\n },\n findEntry: (query) => findCatalogEntry(result.catalogEntries, query),\n };\n\n await populate(projectDir, result);\n return result;\n}\n\n/**\n * Resolve the on-disk root of `@skaile/base-assets`.\n *\n * Resolution tiers:\n * 1. `SKAILE_BASE_ASSETS_DIR` env var\n * 2. `require.resolve('@skaile/workspaces/base-assets/package.json')` (npm install / hoisted)\n * 3. Walk upward from this module looking for `base-assets/package.json` or\n * `ai-assets-skaile/package.json` (legacy shell-repo layout)\n *\n * @returns Absolute path to the `@skaile/base-assets` package directory\n * @throws When none of the three tiers can locate the package\n * @docLink packages/core/concepts#resolve-base-assets-root\n */\nexport function resolveBaseAssetsRoot(): string {\n const envDir = process.env.SKAILE_BASE_ASSETS_DIR;\n if (envDir && existsSync(envDir)) return resolvePath(envDir);\n\n try {\n const require = createRequire(import.meta.url);\n const pkgJson = require.resolve(\"@skaile/workspaces/package.json\");\n const candidate = join(dirname(pkgJson), \"base-assets\");\n if (existsSync(candidate)) return candidate;\n } catch {\n // Fall through to workspace walk.\n }\n\n const workspaceHit = findInWorkspace(import.meta.url);\n if (workspaceHit) return workspaceHit;\n\n throw new Error(\n `Cannot resolve the base-assets directory. ` +\n `Set SKAILE_BASE_ASSETS_DIR to the on-disk path, ` +\n `ensure @skaile/workspaces is installed, ` +\n `or run from within the @skaile/workspaces package tree.`,\n );\n}\n\n/**\n * Walk upward from `startUrl` looking for the `@skaile/workspaces` package\n * root — a directory whose `package.json` `name` is `@skaile/workspaces` and\n * which contains a `base-assets/` subdirectory. Bounded to 8 levels.\n */\nfunction findInWorkspace(startUrl: string): string | null {\n let dir: string;\n try {\n dir = dirname(fileURLToPath(startUrl));\n } catch {\n return null;\n }\n for (let i = 0; i < 8; i++) {\n const pkgPath = join(dir, \"package.json\");\n const baseAssets = join(dir, \"base-assets\");\n if (existsSync(pkgPath) && existsSync(baseAssets)) {\n try {\n const pkg = JSON.parse(readFileSync(pkgPath, \"utf-8\")) as { name?: string };\n if (pkg.name === \"@skaile/workspaces\") return baseAssets;\n } catch {\n // Ignore malformed package.json and keep walking.\n }\n }\n const parent = dirname(dir);\n if (parent === dir) break;\n dir = parent;\n }\n return null;\n}\n\n// ─── Internals ────────────────────────────────────────────────────────────────\n\nasync function populate(projectDir: string, target: RuntimeAssetsResult): Promise<void> {\n target.catalogEntries = [];\n target.implicitRefs = [];\n target.requiredNpmDeps = { required: [], optional: [] };\n target.warnings = [];\n\n const config = resolveSkWorkspaceConfig(projectDir);\n const repositories = buildEffectiveRepositories(config.repositories);\n const links = readLinks(projectDir);\n\n // Scan each repository for connector entries.\n for (const [name, decl] of Object.entries(repositories)) {\n const repoDir = resolveRepoDir(name, decl, projectDir, links);\n if (!repoDir) {\n target.warnings.push({\n code: \"repo_unavailable\",\n name,\n message: repoUnavailableMessage(name, decl),\n });\n continue;\n }\n try {\n const entries = scanDirectory(repoDir, name).filter((e) => e.kind === \"connector\");\n target.catalogEntries.push(...entries);\n } catch (err) {\n target.warnings.push({\n code: \"repo_unavailable\",\n name,\n message: `Failed to scan repository \"${name}\" at ${repoDir}: ${\n err instanceof Error ? err.message : String(err)\n }`,\n });\n }\n }\n\n // Derive implicit refs from skaile.yaml connectors.\n for (const c of config.connectors ?? []) {\n target.implicitRefs.push({ kind: \"connector\", name: c.driver, declarationId: c.id });\n }\n\n // Validate refs and aggregate npm deps.\n const requiredSet = new Set<string>();\n const optionalSet = new Set<string>();\n for (const ref of target.implicitRefs) {\n const entry = findCatalogEntry(target.catalogEntries, ref);\n if (!entry) {\n target.warnings.push({\n code: \"missing_driver\",\n declarationId: ref.declarationId,\n name: ref.name,\n message:\n `Unknown ${ref.kind} driver \"${ref.name}\" referenced by ${ref.kind} \"${ref.declarationId}\". ` +\n `Run \\`skaile ${ref.kind} catalog\\` to see available drivers, ` +\n `or declare a repository in skaile.yaml that provides this driver.`,\n });\n continue;\n }\n const npm = (entry.metadata?.npm_deps ?? {}) as { required?: string[]; optional?: string[] };\n for (const p of npm.required ?? []) requiredSet.add(p);\n for (const p of npm.optional ?? []) optionalSet.add(p);\n }\n target.requiredNpmDeps.required = [...requiredSet];\n target.requiredNpmDeps.optional = [...optionalSet];\n}\n\n/**\n * Build the effective `repositories` map: caller's declarations first, then\n * the implicit `base-assets` repo if absent. Caller's entries always win — an\n * org can override the default by declaring `repositories: { base-assets: {...} }`.\n */\nfunction buildEffectiveRepositories(\n declared: Record<string, RepositoryDeclaration> | undefined,\n): Record<string, RepositoryDeclaration> {\n const result: Record<string, RepositoryDeclaration> = { ...(declared ?? {}) };\n if (!result[BASE_ASSETS_REPO_NAME]) {\n try {\n const baseDir = resolveBaseAssetsRoot();\n result[BASE_ASSETS_REPO_NAME] = { path: baseDir };\n } catch (err) {\n // Surface as a warning during scan rather than throwing here — let the\n // caller decide whether base-assets is required for this project.\n // We re-discover the failure in resolveRepoDir() and emit there.\n result[BASE_ASSETS_REPO_NAME] = { path: \"\" };\n }\n }\n return result;\n}\n\n/**\n * Resolve a repository declaration to an on-disk directory. Order:\n * 1. Linked override (`.skaile/links.yaml`).\n * 2. Local `path` — relative to `projectDir`.\n * 3. Cloned URL repo at `.skaile/repos/<name>/` (must already exist).\n *\n * Returns `null` when none of these resolve. Does not clone.\n */\nfunction resolveRepoDir(\n name: string,\n decl: RepositoryDeclaration,\n projectDir: string,\n links: Record<string, string>,\n): string | null {\n // 1. Linked override\n const linked = links[name];\n if (linked && existsSync(linked)) return linked;\n\n // 2. Local path\n if (decl.path) {\n const resolved = resolvePath(projectDir, decl.path);\n return existsSync(resolved) ? resolved : null;\n }\n\n // 3. URL repo cloned to project's .skaile/repos/<name>\n if (decl.url) {\n const projectDest = join(projectDir, \".skaile\", \"repos\", name);\n if (existsSync(projectDest)) {\n // Either a real directory or a symlink to the global cache.\n try {\n return lstatSync(projectDest).isSymbolicLink() ? projectDest : projectDest;\n } catch {\n return null;\n }\n }\n return null;\n }\n\n return null;\n}\n\nfunction repoUnavailableMessage(name: string, decl: RepositoryDeclaration): string {\n if (name === BASE_ASSETS_REPO_NAME && !decl.path && !decl.url) {\n return (\n `Cannot resolve @skaile/base-assets. ` +\n `Set SKAILE_BASE_ASSETS_DIR or ensure the package is installed.`\n );\n }\n if (decl.url) {\n return `Repository \"${name}\" (${decl.url}) is not available. Register it as a Library Source via \\`skaile source add\\`.`;\n }\n if (decl.path) {\n return `Repository \"${name}\" path not found: ${decl.path}`;\n }\n return `Repository \"${name}\" has neither url nor path.`;\n}\n\nfunction findCatalogEntry(\n entries: RuntimeCatalogEntry[],\n query: { kind?: \"connector\"; name: string },\n): RuntimeCatalogEntry | undefined {\n if (query.kind) {\n return entries.find((e) => e.kind === query.kind && e.name === query.name);\n }\n const matches = entries.filter((e) => e.name === query.name);\n if (matches.length === 1) return matches[0];\n // 0 or >1 with no kind — caller must disambiguate.\n return undefined;\n}\n"]}
package/dist/cli/index.js CHANGED
@@ -1,18 +1,18 @@
1
1
  #!/usr/bin/env node
2
- import { openCatalogSource, openLibrary, createFullRegistry, openLibraryManager } from '../chunk-IY4X7PZN.js';
2
+ import { openCatalogSource, openLibrary, createFullRegistry, openLibraryManager } from '../chunk-PBBGKI3L.js';
3
3
  import { logErr, S, logOk, colorRef, logInfo, logWarn, kindColorPad, kindColor, formatRelativeTime } from '../chunk-4NDWKA64.js';
4
- import { getStoreConfig, storeFetch, saveStoreTokens, clearStoreTokens, isStoreAuthenticated } from '../chunk-SMFZFFIZ.js';
4
+ import { getStoreConfig, storeFetch, saveStoreTokens, clearStoreTokens, isStoreAuthenticated } from '../chunk-FVWBLAXL.js';
5
5
  import { AI_RESOURCES } from '../chunk-2M3XTMOL.js';
6
6
  import { LocalSecretsProvider } from '../chunk-JDX54X4Y.js';
7
- import { resolveLibraryDir, LocalCatalogSource, skaileHomeDir } from '../chunk-FNCYNUGS.js';
7
+ import { resolveLibraryDir, LocalCatalogSource, skaileHomeDir } from '../chunk-B3XHLXGD.js';
8
8
  import '../chunk-R7FOF242.js';
9
- import '../chunk-GKIA2PU5.js';
9
+ import '../chunk-2GX7BE7Q.js';
10
10
  import '../chunk-OKRUTSG7.js';
11
- import { runFlow, resumeFlow } from '../chunk-ALJM24WL.js';
11
+ import { runFlow, resumeFlow } from '../chunk-G5E44VG7.js';
12
12
  import '../chunk-GCJXPUHG.js';
13
13
  import { validateFlowVersions, parseSkillFrontmatter } from '../chunk-IPUYL6TD.js';
14
- import { runAgentChat, loadSessionById, loadSession, listSessions, setCurrentSession, deleteSession, clearSession, loadAgentManifest, compileComposition, MarkdownStreamer, resolveMixin } from '../chunk-75M5W7FX.js';
15
- import { buildClaudePluginFiles } from '../chunk-ZUQXHBEH.js';
14
+ import { runAgentChat, loadSessionById, loadSession, listSessions, setCurrentSession, deleteSession, clearSession, loadAgentManifest, compileComposition, MarkdownStreamer, resolveMixin } from '../chunk-RVPZOFSQ.js';
15
+ import { buildClaudePluginFiles } from '../chunk-D6GE2WA2.js';
16
16
  import '../chunk-X5YPJV4N.js';
17
17
  import '../chunk-O7SG5PC2.js';
18
18
  import '../chunk-W2O5LWYU.js';
@@ -25,23 +25,23 @@ import '../chunk-DQWREFRQ.js';
25
25
  import '../chunk-KOVLSBXK.js';
26
26
  import '../chunk-RRVQAE5D.js';
27
27
  import '../chunk-4ACWI5YT.js';
28
- import '../chunk-YW36VEVN.js';
29
- import '../chunk-KJ2LLWRF.js';
28
+ import '../chunk-JMB6VR3I.js';
29
+ import '../chunk-VMUQAISH.js';
30
30
  import '../chunk-6MB7CRME.js';
31
31
  import '../chunk-QAVZOJCV.js';
32
32
  import { loadAllFlows } from '../chunk-ICS76R4T.js';
33
33
  import '../chunk-GZWJGNNN.js';
34
34
  import '../chunk-FVTV7M76.js';
35
- import { AssetManager } from '../chunk-YMMWP3YL.js';
36
- import '../chunk-42YLNYFK.js';
37
- import { readLock, resolveSettings, globalSettingsPath, projectSettingsPath, loadSettings, saveSettings, portableSpawn, portableSpawnSync, WorkspaceYamlEditor } from '../chunk-4BRSVK7Q.js';
35
+ import { AssetManager } from '../chunk-F6RXWVRE.js';
36
+ import '../chunk-KIGZYGCM.js';
37
+ import { readLock, resolveSettings, globalSettingsPath, projectSettingsPath, loadSettings, saveSettings, portableSpawn, portableSpawnSync, WorkspaceYamlEditor } from '../chunk-ATTIX7H2.js';
38
38
  import '../chunk-JKNWJ64A.js';
39
39
  import { SUPPORTED_DRIVER_TARGETS } from '../chunk-O4JH3KUE.js';
40
40
  import { DRIVER_DEFAULTS } from '../chunk-K5GBV4SA.js';
41
41
  import '../chunk-KLNL7QHN.js';
42
- import '../chunk-3DS5VIQP.js';
43
- import { resolveSkWorkspaceConfig, resolveAgentDir, findWorkspaceRoot, workspaceConfigFilename } from '../chunk-SOQMVRQL.js';
44
- import '../chunk-ZHLRRT5D.js';
42
+ import '../chunk-WGPT6FV6.js';
43
+ import { resolveSkWorkspaceConfig, resolveAgentDir, findWorkspaceRoot, workspaceConfigFilename } from '../chunk-N2C3A5PS.js';
44
+ import '../chunk-FRPKLIEZ.js';
45
45
  import { ASSET_KINDS } from '../chunk-37JKX6D7.js';
46
46
  import { openSqlite } from '../chunk-24UIWON4.js';
47
47
  import '../chunk-KTBKW2FI.js';
@@ -308,7 +308,7 @@ function makeSearchCommand() {
308
308
  }
309
309
  if (showStore) {
310
310
  try {
311
- const { getStoreConfig: getStoreConfig2, storeFetch: storeFetch2 } = await import('../store-client-FLD3XUY7.js');
311
+ const { getStoreConfig: getStoreConfig2, storeFetch: storeFetch2 } = await import('../store-client-TZ4L73TH.js');
312
312
  const config = getStoreConfig2();
313
313
  const params = {};
314
314
  if (query) params.q = query;
@@ -470,7 +470,7 @@ function makeCatalogCommand() {
470
470
  const cfg = resolveConfig({ projectDir });
471
471
  const baseUrl = opts.url ?? cfg.catalog.url;
472
472
  if (isLocalCatalogUrl(baseUrl)) {
473
- const { resolveCatalogSource } = await import('../open-library-T6RXQJTQ.js');
473
+ const { resolveCatalogSource } = await import('../open-library-ICKZYC5K.js');
474
474
  let resolved;
475
475
  try {
476
476
  resolved = await resolveCatalogSource({ projectDir: opts.projectDir });
@@ -2039,12 +2039,35 @@ var state = {
2039
2039
  function buildVisibleRows(rows, collapsedSources, collapsedDomains) {
2040
2040
  return rows.filter((row) => {
2041
2041
  if (row.type === "source-header") return true;
2042
- if (row.type === "header") return !collapsedSources.has(row.source);
2043
- const source = row.entry?.repository ?? "other";
2044
- const domain = row.entry?.domain ?? "other";
2045
- return !collapsedSources.has(source) && !collapsedDomains.has(`${source}:${domain}`);
2042
+ if (row.type === "header") {
2043
+ if (collapsedSources.has(row.source)) return false;
2044
+ return !hasCollapsedAncestor(row.source, row.domain, collapsedDomains, true);
2045
+ }
2046
+ const source = row.entry?.repository || "other";
2047
+ const domain = row.entry?.domain || "other";
2048
+ if (collapsedSources.has(source)) return false;
2049
+ return !hasCollapsedAncestor(source, domain, collapsedDomains, false);
2046
2050
  });
2047
2051
  }
2052
+ function compareDomainPaths(a, b) {
2053
+ const A = a.split("/");
2054
+ const B = b.split("/");
2055
+ const len = Math.min(A.length, B.length);
2056
+ for (let i = 0; i < len; i++) {
2057
+ const c = A[i].localeCompare(B[i]);
2058
+ if (c !== 0) return c;
2059
+ }
2060
+ return A.length - B.length;
2061
+ }
2062
+ function hasCollapsedAncestor(source, domain, collapsedDomains, strict) {
2063
+ const segs = domain.split("/");
2064
+ const upper = strict ? segs.length : segs.length + 1;
2065
+ for (let i = 1; i < upper; i++) {
2066
+ const prefix = segs.slice(0, i).join("/");
2067
+ if (collapsedDomains.has(`${source}:${prefix}`)) return true;
2068
+ }
2069
+ return false;
2070
+ }
2048
2071
  function domainAssetRefs(rows, source, domain) {
2049
2072
  return rows.filter((r) => isAsset(r) && inDomain(r, source, domain)).map((r) => assetRefOf(r));
2050
2073
  }
@@ -2055,10 +2078,12 @@ function isAsset(r) {
2055
2078
  return r.type === "asset";
2056
2079
  }
2057
2080
  function inSource(r, source) {
2058
- return (r.entry?.repository ?? "other") === source;
2081
+ return (r.entry?.repository || "other") === source;
2059
2082
  }
2060
2083
  function inDomain(r, source, domain) {
2061
- return inSource(r, source) && (r.entry?.domain ?? "other") === domain;
2084
+ if (!inSource(r, source)) return false;
2085
+ const d = r.entry?.domain || "other";
2086
+ return d === domain || d.startsWith(`${domain}/`);
2062
2087
  }
2063
2088
  function assetRefOf(r) {
2064
2089
  if (!isAsset(r) || !r.entry) return null;
@@ -2111,7 +2136,7 @@ function actOnHeader(row, action) {
2111
2136
  return false;
2112
2137
  }
2113
2138
  async function loadAssets() {
2114
- const { gatherAssetFeeds } = await import('../asset-feeds-L4ROBIAZ.js');
2139
+ const { gatherAssetFeeds } = await import('../asset-feeds-CQU46DYQ.js');
2115
2140
  const { entries, notes } = await gatherAssetFeeds(am, am.projectDir);
2116
2141
  if (notes.length > 0) {
2117
2142
  state.message = notes.map((n) => `[${n.feed}] ${n.message}`).join(" \u2022 ");
@@ -2119,8 +2144,8 @@ async function loadAssets() {
2119
2144
  const installed = new Set(am.listDeployed().map((e) => `${e.kind}:${e.name}`));
2120
2145
  const bySource = /* @__PURE__ */ new Map();
2121
2146
  for (const e of entries) {
2122
- const source = e.repository ?? "other";
2123
- const domain = e.domain ?? "other";
2147
+ const source = e.repository || "other";
2148
+ const domain = e.domain || "other";
2124
2149
  if (!bySource.has(source)) bySource.set(source, /* @__PURE__ */ new Map());
2125
2150
  const domainMap = bySource.get(source);
2126
2151
  if (!domainMap.has(domain)) domainMap.set(domain, []);
@@ -2131,10 +2156,17 @@ async function loadAssets() {
2131
2156
  (a, b) => a[0].localeCompare(b[0])
2132
2157
  )) {
2133
2158
  rows.push({ type: "source-header", source });
2159
+ const emittedHeaders = /* @__PURE__ */ new Set();
2134
2160
  for (const [domain, items] of [...domainMap.entries()].sort(
2135
- (a, b) => a[0].localeCompare(b[0])
2161
+ (a, b) => compareDomainPaths(a[0], b[0])
2136
2162
  )) {
2137
- rows.push({ type: "header", source, domain });
2163
+ const segs = domain.split("/");
2164
+ for (let i = 1; i <= segs.length; i++) {
2165
+ const prefix = segs.slice(0, i).join("/");
2166
+ if (emittedHeaders.has(prefix)) continue;
2167
+ rows.push({ type: "header", source, domain: prefix, depth: i });
2168
+ emittedHeaders.add(prefix);
2169
+ }
2138
2170
  items.sort(
2139
2171
  (a, b) => a.kind !== b.kind ? a.kind.localeCompare(b.kind) : a.name.localeCompare(b.name)
2140
2172
  );
@@ -2161,7 +2193,7 @@ async function loadAssets() {
2161
2193
  async function loadSourcesAndLibraries() {
2162
2194
  try {
2163
2195
  const [{ openLibraryManager: openLibraryManager2 }, { skaileHomeDir: skaileHomeDir2 }] = await Promise.all([
2164
- import('../open-library-T6RXQJTQ.js'),
2196
+ import('../open-library-ICKZYC5K.js'),
2165
2197
  import('../library/index.js')
2166
2198
  ]);
2167
2199
  const { manager, library, close } = await openLibraryManager2();
@@ -2319,12 +2351,15 @@ function renderAssetRow(row, selected) {
2319
2351
  });
2320
2352
  }
2321
2353
  if (row.type === "header") {
2354
+ const depth2 = row.depth ?? 1;
2355
+ const segs = row.domain.split("/");
2356
+ const segment = segs[segs.length - 1];
2322
2357
  return renderHeaderLine({
2323
- indent: " ",
2358
+ indent: " ".repeat(1 + depth2 * 2),
2324
2359
  collapsed: state.collapsedDomains.has(`${row.source}:${row.domain}`),
2325
2360
  match: (r) => isAsset(r) && inDomain(r, row.source, row.domain),
2326
2361
  refs: domainAssetRefs(state.assetRows, row.source, row.domain),
2327
- label: pc5.bold(row.domain),
2362
+ label: pc5.bold(segment),
2328
2363
  selected
2329
2364
  });
2330
2365
  }
@@ -2338,7 +2373,9 @@ function renderAssetRow(row, selected) {
2338
2373
  const kind = kindColorPad(e.kind, 8);
2339
2374
  const name = e.name.padEnd(30);
2340
2375
  const desc = e.description?.slice(0, state.cols - 52) ?? "";
2341
- const line = ` ${status4} ${kind} ${name} ${pc5.dim(desc)}`;
2376
+ const depth = (e.domain || "other").split("/").length;
2377
+ const indent = " ".repeat(1 + (depth + 1) * 2);
2378
+ const line = `${indent}${status4} ${kind} ${name} ${pc5.dim(desc)}`;
2342
2379
  return selected ? pc5.inverse(line.padEnd(state.cols)) : line;
2343
2380
  }
2344
2381
  function renderSourceRow(row, selected) {
@@ -3640,7 +3677,7 @@ function makeInstallCommand() {
3640
3677
  const spinner6 = p5.spinner();
3641
3678
  spinner6.start(`Installing ${ref}`);
3642
3679
  try {
3643
- const { openCatalogSource: openCatalogSource2, openLibrary: openLibrary2 } = await import('../open-library-T6RXQJTQ.js');
3680
+ const { openCatalogSource: openCatalogSource2, openLibrary: openLibrary2 } = await import('../open-library-ICKZYC5K.js');
3644
3681
  const catalog = await openCatalogSource2({ projectDir: path15__default.resolve(opts.projectDir) });
3645
3682
  if (!supportsInstallManifest(catalog)) {
3646
3683
  throw new Error(
@@ -3672,7 +3709,7 @@ function makeInstallCommand() {
3672
3709
  }
3673
3710
  const projectDir = path15__default.resolve(opts.projectDir);
3674
3711
  try {
3675
- const { ensureSourcesCloned } = await import('../ensure-sources-V26CZNJF.js');
3712
+ const { ensureSourcesCloned } = await import('../ensure-sources-HA6L3FBS.js');
3676
3713
  const hydrate = ensureSourcesCloned(projectDir, { quiet: true });
3677
3714
  if (hydrate.cloned.length > 0) {
3678
3715
  logOk(`Cloned source(s): ${hydrate.cloned.join(", ")}`);
@@ -6014,7 +6051,7 @@ program.command("init [project-dir]").description("Initialize a project director
6014
6051
  );
6015
6052
  }
6016
6053
  try {
6017
- const { ensureSourcesCloned } = await import('../ensure-sources-V26CZNJF.js');
6054
+ const { ensureSourcesCloned } = await import('../ensure-sources-HA6L3FBS.js');
6018
6055
  const hydrate = ensureSourcesCloned(resolved, { quiet: true });
6019
6056
  for (const n of hydrate.cloned) created.push(`~/.skaile/sources/${n}/`);
6020
6057
  if (hydrate.failed.length > 0) {
@@ -6041,7 +6078,7 @@ program.command("init [project-dir]").description("Initialize a project director
6041
6078
  }
6042
6079
  );
6043
6080
  program.command("setup").description("Interactive provider setup wizard").action(async () => {
6044
- const { cmdSetup } = await import('../setup-R6VWIPLL.js');
6081
+ const { cmdSetup } = await import('../setup-DT4VSWSM.js');
6045
6082
  await cmdSetup([], { projectDir: process.cwd() });
6046
6083
  });
6047
6084
  program.addCommand(makeInstallCommand());