@skaile/workspaces 0.21.0 → 0.22.0-beta.1

package/dist/chunk-6E6PKKAD.js

@@ -0,0 +1,161 @@
+import * as z from 'zod';
+
+// plugin-registry/src/errors.ts
+var RegistrationError = class extends Error {
+  constructor(kind, id) {
+    super(`A "${kind}" target with id "${id}" is already registered.`);
+    this.name = "RegistrationError";
+  }
+};
+var MissingTargetError = class extends Error {
+  constructor(kind, id) {
+    super(`No "${kind}" target registered with id "${id}".`);
+    this.name = "MissingTargetError";
+  }
+};
+var ApiVersionMismatchError = class extends Error {
+  constructor(kind, id, got) {
+    super(
+      `Target "${id}" (kind "${kind}") declares apiVersion ${String(got)}; registry requires apiVersion 1.`
+    );
+    this.name = "ApiVersionMismatchError";
+  }
+};
+var DeployTargetNotFoundError = class extends Error {
+  constructor(id) {
+    super(`No deploy target registered with id "${id}".`);
+    this.name = "DeployTargetNotFoundError";
+  }
+};
+
+// plugin-registry/src/internal.ts
+var MapPluginRegistry = class {
+  apiVersion = 1;
+  // One Map per kind keeps lookups kind-scoped — a driver and a connector may
+  // share an id without colliding.
+  stores = {
+    driver: /* @__PURE__ */ new Map(),
+    connector: /* @__PURE__ */ new Map(),
+    deployTarget: /* @__PURE__ */ new Map()
+  };
+  register(kind, target) {
+    const t = target;
+    if (t.apiVersion !== 1) {
+      throw new ApiVersionMismatchError(kind, t.id, t.apiVersion);
+    }
+    const store = this.stores[kind];
+    if (store.has(t.id)) {
+      throw new RegistrationError(kind, t.id);
+    }
+    store.set(t.id, t);
+  }
+  unregister(kind, id) {
+    return this.stores[kind].delete(id);
+  }
+  get(kind, id) {
+    return this.stores[kind].get(id);
+  }
+  list(kind) {
+    return [...this.stores[kind].values()].map((t) => ({
+      id: t.id,
+      displayName: t.displayName
+    }));
+  }
+};
+function createPluginRegistry() {
+  return new MapPluginRegistry();
+}
+var pluginRegistry = createPluginRegistry();
+
+// plugin-registry/src/deploy-handle.ts
+function listDeployTargets(registry = pluginRegistry) {
+  return registry.list("deployTarget");
+}
+function getDeployTarget(id, registry = pluginRegistry) {
+  return registry.get("deployTarget", id);
+}
+async function resolveDeployTarget(yaml, override, registry = pluginRegistry) {
+  if (override) {
+    const target2 = registry.get("deployTarget", override.target);
+    if (!target2) throw new DeployTargetNotFoundError(override.target);
+    return {
+      target: target2,
+      config: target2.configSchema.parse(override.config ?? {}),
+      provenance: { source: "override", reason: override.reason }
+    };
+  }
+  if (yaml.deploy) {
+    const target2 = registry.get("deployTarget", yaml.deploy.target);
+    if (!target2) throw new DeployTargetNotFoundError(yaml.deploy.target);
+    return {
+      target: target2,
+      config: target2.configSchema.parse(yaml.deploy.config ?? {}),
+      provenance: { source: "yaml" }
+    };
+  }
+  const target = registry.get("deployTarget", "local");
+  if (!target) throw new DeployTargetNotFoundError("local");
+  return {
+    target,
+    config: target.configSchema.parse({}),
+    provenance: { source: "default" }
+  };
+}
+var buildStrategySchema = z.enum(["local", "remote", "managed"]);
+async function sleep(ms, signal) {
+  return await new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      signal.removeEventListener("abort", onAbort);
+      resolve();
+    }, ms);
+    const onAbort = () => {
+      clearTimeout(timer);
+      reject(new Error("aborted while polling"));
+    };
+    if (signal.aborted) onAbort();
+    else signal.addEventListener("abort", onAbort);
+  });
+}
+async function pollUntil(opts) {
+  const deadline = Date.now() + opts.timeoutMs;
+  for (; ; ) {
+    if (await opts.check()) return;
+    if (Date.now() > deadline) {
+      throw new Error(opts.timeoutMessage ?? "timed out");
+    }
+    await sleep(opts.intervalMs, opts.signal);
+  }
+}
+function makeDeployHandle(opts) {
+  let state = opts.initialState;
+  const handle = {
+    wsUrl: opts.wsUrl,
+    wsAuth: opts.ctx.wsAuth ? "<redacted>" : void 0,
+    get state() {
+      return state;
+    },
+    payload: opts.payload,
+    async waitReady(timeoutMs) {
+      const effective = timeoutMs ?? opts.defaultReadyTimeoutMs;
+      try {
+        await opts.ready(effective, opts.ctx.signal);
+        state = "ready";
+      } catch (err) {
+        state = "errored";
+        throw err;
+      }
+    },
+    health: opts.health,
+    async stop() {
+      state = "stopping";
+      await opts.stop();
+      state = "stopped";
+    }
+  };
+  if (opts.logs) handle.logs = opts.logs;
+  return handle;
+}
+
+export { ApiVersionMismatchError, DeployTargetNotFoundError, MissingTargetError, RegistrationError, buildStrategySchema, createPluginRegistry, getDeployTarget, listDeployTargets, makeDeployHandle, pluginRegistry, pollUntil, resolveDeployTarget, sleep };
+//# sourceMappingURL=chunk-6E6PKKAD.js.map
+//# sourceMappingURL=chunk-6E6PKKAD.js.map

package/dist/chunk-6E6PKKAD.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../plugin-registry/src/errors.ts","../plugin-registry/src/internal.ts","../plugin-registry/src/deploy-handle.ts","../plugin-registry/src/deploy-helpers.ts"],"names":["target"],"mappings":";;;AAQO,IAAM,iBAAA,GAAN,cAAgC,KAAA,CAAM;AAAA,EAC3C,WAAA,CAAY,MAAc,EAAA,EAAY;AACpC,IAAA,KAAA,CAAM,CAAA,GAAA,EAAM,IAAI,CAAA,kBAAA,EAAqB,EAAE,CAAA,wBAAA,CAA0B,CAAA;AACjE,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AAAA,EACd;AACF;AAGO,IAAM,kBAAA,GAAN,cAAiC,KAAA,CAAM;AAAA,EAC5C,WAAA,CAAY,MAAc,EAAA,EAAY;AACpC,IAAA,KAAA,CAAM,CAAA,IAAA,EAAO,IAAI,CAAA,6BAAA,EAAgC,EAAE,CAAA,EAAA,CAAI,CAAA;AACvD,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AAAA,EACd;AACF;AAGO,IAAM,uBAAA,GAAN,cAAsC,KAAA,CAAM;AAAA,EACjD,WAAA,CAAY,IAAA,EAAc,EAAA,EAAY,GAAA,EAAc;AAClD,IAAA,KAAA;AAAA,MACE,WAAW,EAAE,CAAA,SAAA,EAAY,IAAI,CAAA,uBAAA,EAA0B,MAAA,CAAO,GAAG,CAAC,CAAA,iCAAA;AAAA,KACpE;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,yBAAA;AAAA,EACd;AACF;AAGO,IAAM,yBAAA,GAAN,cAAwC,KAAA,CAAM;AAAA,EACnD,YAAY,EAAA,EAAY;AACtB,IAAA,KAAA,CAAM,CAAA,qCAAA,EAAwC,EAAE,CAAA,EAAA,CAAI,CAAA;AACpD,IAAA,IAAA,CAAK,IAAA,GAAO,2BAAA;AAAA,EACd;AACF;;;AC1BA,IAAM,oBAAN,MAAkD;AAAA,EACvC,UAAA,GAAa,CAAA;AAAA;AAAA;AAAA,EAIL,MAAA,GAAqD;AAAA,IACpE,MAAA,sBAAY,GAAA,EAAI;AAAA,IAChB,SAAA,sBAAe,GAAA,EAAI;AAAA,IACnB,YAAA,sBAAkB,GAAA;AAAI,GACxB;AAAA,EAEA,QAAA,CAA+B,MAAS,MAAA,EAAyB;AAC/D,IAAA,MAAM,CAAA,GAAI,MAAA;AACV,IAAA,IAAI,CAAA,CAAE,eAAe,CAAA,EAAG;AACtB,MAAA,MAAM,IAAI,uBAAA,CAAwB,IAAA,EAAM,CAAA,CAAE,EAAA,EAAI,EAAE,UAAU,CAAA;AAAA,IAC5D;AACA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA;AAC9B,IAAA,IAAI,KAAA,CAAM,GAAA,CAAI,CAAA,CAAE,EAAE,CAAA,EAAG;AACnB,MAAA,MAAM,IAAI,iBAAA,CAAkB,IAAA,EAAM,CAAA,CAAE,EAAE,CAAA;AAAA,IACxC;AACA,IAAA,KAAA,CAAM,GAAA,CAAI,CAAA,CAAE,EAAA,EAAI,CAAC,CAAA;AAAA,EACnB;AAAA,EAEA,UAAA,CAAiC,MAAS,EAAA,EAAqB;AAC7D,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAE,OAAO,EAAE,CAAA;AAAA,EACpC;AAAA,EAEA,GAAA,CAA0B,MAAS,EAAA,EAAmC;AACpE,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAE,IAAI,EAAE,CAAA;AAAA,EACjC;AAAA,EAEA,KAA2B,IAAA,EAAgC;AACzD,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAE,MAAA,EAAQ,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MACjD,IAAI,CAAA,CAAE,EAAA;AAAA,MACN,aAAa,CAAA,CAAE;AAAA,KACjB,CAAE,CAAA;AAAA,EACJ;AACF,CAAA;AAGO,SAAS,oBAAA,GAAuC;AACrD,EAAA,OAAO,IAAI,iBAAA,EAAkB;AAC/B;AAGO,IAAM,iBAAiC,oBAAA;;;ACpBvC,SAAS,iBAAA,CACd,WAA2B,cAAA,EACJ;AACvB,EAAA,OAAO,QAAA,CAAS,KAAK,cAAc,CAAA;AACrC;AAQO,SAAS,eAAA,CACd,EAAA,EACA,QAAA,GAA2B,cAAA,EACD;AAC1B,EAAA,OAAO,QAAA,CAAS,GAAA,CAAI,cAAA,EAAgB,EAAE,CAAA;AACxC;AAeA,eAAsB,mBAAA,CACpB,IAAA,EACA,QAAA,EACA,QAAA,GAA2B,cAAA,EACA;AAC3B,EAAA,IAAI,QAAA,EAAU;AACZ,IAAA,MAAMA,OAAAA,GAAS,QAAA,CAAS,GAAA,CAAI,cAAA,EAAgB,SAAS,MAAM,CAAA;AAC3D,IAAA,IAAI,CAACA,OAAAA,EAAQ,MAAM,IAAI,yBAAA,CAA0B,SAAS,MAAM,CAAA;AAChE,IAAA,OAAO;AAAA,MACL,MAAA,EAAAA,OAAAA;AAAA,MACA,QAAQA,OAAAA,CAAO,YAAA,CAAa,MAAM,QAAA,CAAS,MAAA,IAAU,EAAE,CAAA;AAAA,MACvD,YAAY,EAAE,MAAA,EAAQ,UAAA,EAAY,MAAA,EAAQ,SAAS,MAAA;AAAO,KAC5D;AAAA,EACF;AACA,EAAA,IAAI,KAAK,MAAA,EAAQ;AACf,IAAA,MAAMA,UAAS,QAAA,CAAS,GAAA,CAAI,cAAA,EAAgB,IAAA,CAAK,OAAO,MAAM,CAAA;AAC9D,IAAA,IAAI,CAACA,OAAAA,EAAQ,MAAM,IAAI,yBAAA,CAA0B,IAAA,CAAK,OAAO,MAAM,CAAA;AACnE,IAAA,OAAO;AAAA,MACL,MAAA,EAAAA,OAAAA;AAAA,MACA,MAAA,EAAQA,QAAO,YAAA,CAAa,KAAA,CAAM,KAAK,MAAA,CAAO,MAAA,IAAU,EAAE,CAAA;AAAA,MAC1D,UAAA,EAAY,EAAE,MAAA,EAAQ,MAAA;AAAO,KAC/B;AAAA,EACF;AACA,EAAA,MAAM,MAAA,GAAS,QAAA,CAAS,GAAA,CAAI,cAAA,EAAgB,OAAO,CAAA;AACnD,EAAA,IAAI,CAAC,MAAA,EAAQ,MAAM,IAAI,0BAA0B,OAAO,CAAA;AACxD,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,MAAA,EAAQ,MAAA,CAAO,YAAA,CAAa,KAAA,CAAM,EAAE,CAAA;AAAA,IACpC,UAAA,EAAY,EAAE,MAAA,EAAQ,SAAA;AAAU,GAClC;AACF;ACnFO,IAAM,sBAAwB,CAAA,CAAA,IAAA,CAAK,CAAC,OAAA,EAAS,QAAA,EAAU,SAAS,CAAC;AAQxE,eAAsB,KAAA,CAAM,IAAY,MAAA,EAAoC;AAC1E,EAAA,OAAO,MAAM,IAAI,OAAA,CAAc,CAAC,SAAS,MAAA,KAAW;AAClD,IAAA,MAAM,KAAA,GAAQ,WAAW,MAAM;AAC7B,MAAA,MAAA,CAAO,mBAAA,CAAoB,SAAS,OAAO,CAAA;AAC3C,MAAA,OAAA,EAAQ;AAAA,IACV,GAAG,EAAE,CAAA;AACL,IAAA,MAAM,UAAU,MAAM;AACpB,MAAA,YAAA,CAAa,KAAK,CAAA;AAClB,MAAA,MAAA,CAAO,IAAI,KAAA,CAAM,uBAAuB,CAAC,CAAA;AAAA,IAC3C,CAAA;AACA,IAAA,IAAI,MAAA,CAAO,SAAS,OAAA,EAAQ;AAAA,SACvB,MAAA,CAAO,gBAAA,CAAiB,OAAA,EAAS,OAAO,CAAA;AAAA,EAC/C,CAAC,CAAA;AACH;AAoBA,eAAsB,UAAU,IAAA,EAAuC;AACrE,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,GAAA,EAAI,GAAI,IAAA,CAAK,SAAA;AACnC,EAAA,WAAS;AACP,IAAA,IAAI,MAAM,IAAA,CAAK,KAAA,EAAM,EAAG;AACxB,IAAA,IAAI,IAAA,CAAK,GAAA,EAAI,GAAI,QAAA,EAAU;AACzB,MAAA,MAAM,IAAI,KAAA,CAAM,IAAA,CAAK,cAAA,IAAkB,WAAW,CAAA;AAAA,IACpD;AACA,IAAA,MAAM,KAAA,CAAM,IAAA,CAAK,UAAA,EAAY,IAAA,CAAK,MAAM,CAAA;AAAA,EAC1C;AACF;AAuBO,SAAS,iBAAoB,IAAA,EAAmD;AACrF,EAAA,IAAI,QAA+B,IAAA,CAAK,YAAA;AACxC,EAAA,MAAM,MAAA,GAA0B;AAAA,IAC9B,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,MAAA,EAAQ,IAAA,CAAK,GAAA,CAAI,MAAA,GAAS,YAAA,GAAe,MAAA;AAAA,IACzC,IAAI,KAAA,GAAQ;AACV,MAAA,OAAO,KAAA;AAAA,IACT,CAAA;AAAA,IACA,SAAS,IAAA,CAAK,OAAA;AAAA,IACd,MAAM,UAAU,SAAA,EAAoB;AAClC,MAAA,MAAM,SAAA,GAAY,aAAa,IAAA,CAAK,qBAAA;AACpC,MAAA,IAAI;AACF,QAAA,MAAM,IAAA,CAAK,KAAA,CAAM,SAAA,EAAW,IAAA,CAAK,IAAI,MAAM,CAAA;AAC3C,QAAA,KAAA,GAAQ,OAAA;AAAA,MACV,SAAS,GAAA,EAAK;AACZ,QAAA,KAAA,GAAQ,SAAA;AACR,QAAA,MAAM,GAAA;AAAA,MACR;AAAA,IACF,CAAA;AAAA,IACA,QAAQ,IAAA,CAAK,MAAA;AAAA,IACb,MAAM,IAAA,GAAO;AACX,MAAA,KAAA,GAAQ,UAAA;AACR,MAAA,MAAM,KAAK,IAAA,EAAK;AAChB,MAAA,KAAA,GAAQ,SAAA;AAAA,IACV;AAAA,GACF;AACA,EAAA,IAAI,IAAA,CAAK,IAAA,EAAM,MAAA,CAAO,IAAA,GAAO,IAAA,CAAK,IAAA;AAClC,EAAA,OAAO,MAAA;AACT","file":"chunk-6E6PKKAD.js","sourcesContent":["/**\n * Error types thrown by the plugin registry and deploy resolution.\n *\n * Each carries a stable `.name` so callers can branch on identity without\n * importing the class (cross-package / cross-bundle `instanceof` is unreliable).\n */\n\n/** Thrown by `register()` when a target id is already registered for its kind. */\nexport class RegistrationError extends Error {\n  constructor(kind: string, id: string) {\n    super(`A \"${kind}\" target with id \"${id}\" is already registered.`);\n    this.name = \"RegistrationError\";\n  }\n}\n\n/** Thrown when a lookup by id finds no registered target for the given kind. */\nexport class MissingTargetError extends Error {\n  constructor(kind: string, id: string) {\n    super(`No \"${kind}\" target registered with id \"${id}\".`);\n    this.name = \"MissingTargetError\";\n  }\n}\n\n/** Thrown by `register()` when a target declares an unsupported `apiVersion`. */\nexport class ApiVersionMismatchError extends Error {\n  constructor(kind: string, id: string, got: unknown) {\n    super(\n      `Target \"${id}\" (kind \"${kind}\") declares apiVersion ${String(got)}; registry requires apiVersion 1.`,\n    );\n    this.name = \"ApiVersionMismatchError\";\n  }\n}\n\n/** Thrown by `resolveDeployTarget()` when the requested deploy target id is unknown. */\nexport class DeployTargetNotFoundError extends Error {\n  constructor(id: string) {\n    super(`No deploy target registered with id \"${id}\".`);\n    this.name = \"DeployTargetNotFoundError\";\n  }\n}\n","/**\n * Map-backed `PluginRegistry` implementation + the process-wide singleton.\n *\n * Storage is one Map per kind. Registration rejects duplicate ids\n * (`RegistrationError`) and any target not on `apiVersion: 1`\n * (`ApiVersionMismatchError`).\n */\n\nimport { ApiVersionMismatchError, RegistrationError } from \"./errors.js\";\nimport type { PluginRegistry, Target, TargetKind, TargetMeta } from \"./registry.js\";\n\ntype AnyTarget = { id: string; displayName: string; apiVersion: unknown };\n\nclass MapPluginRegistry implements PluginRegistry {\n  readonly apiVersion = 1 as const;\n\n  // One Map per kind keeps lookups kind-scoped — a driver and a connector may\n  // share an id without colliding.\n  private readonly stores: Record<TargetKind, Map<string, AnyTarget>> = {\n    driver: new Map(),\n    connector: new Map(),\n    deployTarget: new Map(),\n  };\n\n  register<K extends TargetKind>(kind: K, target: Target<K>): void {\n    const t = target as unknown as AnyTarget;\n    if (t.apiVersion !== 1) {\n      throw new ApiVersionMismatchError(kind, t.id, t.apiVersion);\n    }\n    const store = this.stores[kind];\n    if (store.has(t.id)) {\n      throw new RegistrationError(kind, t.id);\n    }\n    store.set(t.id, t);\n  }\n\n  unregister<K extends TargetKind>(kind: K, id: string): boolean {\n    return this.stores[kind].delete(id);\n  }\n\n  get<K extends TargetKind>(kind: K, id: string): Target<K> | undefined {\n    return this.stores[kind].get(id) as Target<K> | undefined;\n  }\n\n  list<K extends TargetKind>(kind: K): readonly TargetMeta[] {\n    return [...this.stores[kind].values()].map((t) => ({\n      id: t.id,\n      displayName: t.displayName,\n    }));\n  }\n}\n\n/** Create a fresh, isolated registry — used by tests so cases never share state. */\nexport function createPluginRegistry(): PluginRegistry {\n  return new MapPluginRegistry();\n}\n\n/** Process-wide default registry. Built-ins and loaded plugins register here. */\nexport const pluginRegistry: PluginRegistry = createPluginRegistry();\n","/**\n * Deploy handle contract + the `resolveDeployTarget` precedence resolver.\n *\n * A `DeployHandle` is the live, restorable result of standing up a workspace on\n * a deploy target. `resolveDeployTarget` picks which target+config to use with\n * an explicit override > yaml > default chain.\n */\n\nimport { DeployTargetNotFoundError } from \"./errors.js\";\nimport { pluginRegistry } from \"./internal.js\";\nimport type { PluginRegistry, TargetMeta } from \"./registry.js\";\nimport type { DeployTarget } from \"./targets.js\";\n\n/**\n * Live handle to a deployed workspace. `payload` is the target's own opaque\n * persistence slice (written to `.skaile/deploy/handle.json` and fed back into\n * `restore()`); the registry wrapper never inspects it.\n */\nexport interface DeployHandle<S = unknown> {\n  readonly wsUrl: string;\n  /** Redacted form of the auth token, safe to log. */\n  readonly wsAuth?: string;\n  readonly state: \"starting\" | \"ready\" | \"stopping\" | \"stopped\" | \"errored\";\n  readonly payload: S;\n  waitReady(timeoutMs?: number): Promise<void>;\n  health(): Promise<{ healthy: boolean; detail?: string }>;\n  logs?(opts?: { sinceMs?: number; follow?: boolean }): AsyncIterable<{ ts: number; line: string }>;\n  stop(): Promise<void>;\n}\n\n/**\n * List the registered deploy targets as lightweight `{ id, displayName }` rows,\n * the symmetric counterpart to `listDrivers()` / `listConnectors()`. Reads the\n * process-wide `pluginRegistry` by default, so call\n * `registerBuiltinDeployTargets()` (and load any plugins) first — unregistered\n * targets do not appear. Enough to populate a target picker without resolving a\n * config; use `getDeployTarget(id)` for the full target.\n */\nexport function listDeployTargets(\n  registry: PluginRegistry = pluginRegistry,\n): readonly TargetMeta[] {\n  return registry.list(\"deployTarget\");\n}\n\n/**\n * Look up a single registered deploy target by id, or `undefined` if none is\n * registered under that id. Thin wrapper over `pluginRegistry.get`, mirroring\n * `getConnector()`; unlike `resolveDeployTarget` it neither applies the\n * override/yaml/default precedence nor parses a config.\n */\nexport function getDeployTarget(\n  id: string,\n  registry: PluginRegistry = pluginRegistry,\n): DeployTarget | undefined {\n  return registry.get(\"deployTarget\", id);\n}\n\n/** Outcome of `resolveDeployTarget`: the chosen target, its parsed config, and where it came from. */\nexport interface DeployResolution {\n  target: DeployTarget;\n  config: unknown;\n  provenance: { source: \"default\" | \"yaml\" | \"override\"; reason?: string };\n}\n\n/**\n * Resolve which deploy target + config to use, with explicit precedence:\n * CLI override > `skaile.yaml` `deploy:` block > the built-in `local` default.\n * Config is parsed through the chosen target's `configSchema`, so validation\n * failures propagate to the caller.\n */\nexport async function resolveDeployTarget(\n  yaml: { deploy?: { target: string; config?: unknown } },\n  override?: { target: string; config?: unknown; reason: string },\n  registry: PluginRegistry = pluginRegistry,\n): Promise<DeployResolution> {\n  if (override) {\n    const target = registry.get(\"deployTarget\", override.target);\n    if (!target) throw new DeployTargetNotFoundError(override.target);\n    return {\n      target,\n      config: target.configSchema.parse(override.config ?? {}),\n      provenance: { source: \"override\", reason: override.reason },\n    };\n  }\n  if (yaml.deploy) {\n    const target = registry.get(\"deployTarget\", yaml.deploy.target);\n    if (!target) throw new DeployTargetNotFoundError(yaml.deploy.target);\n    return {\n      target,\n      config: target.configSchema.parse(yaml.deploy.config ?? {}),\n      provenance: { source: \"yaml\" },\n    };\n  }\n  const target = registry.get(\"deployTarget\", \"local\");\n  if (!target) throw new DeployTargetNotFoundError(\"local\");\n  return {\n    target,\n    config: target.configSchema.parse({}),\n    provenance: { source: \"default\" },\n  };\n}\n","/**\n * Shared building blocks for `DeployTarget` implementations.\n *\n * These lift the byte-for-byte duplication that had accumulated across the\n * provider packages (the `buildStrategy` enum, an abort-aware `sleep`, the\n * poll-until-ready loop, and the `DeployHandle` wrapper) into one authoritative\n * place — the package that already owns the `DeployHandle` contract.\n */\n\nimport * as z from \"zod\";\nimport type { DeployContext } from \"./context.js\";\nimport type { DeployHandle } from \"./deploy-handle.js\";\n\n/**\n * The authoritative build-strategy enum shared by every deploy target.\n * `local`/`managed` need an operator-supplied image; `remote` builds one.\n */\nexport const buildStrategySchema = z.enum([\"local\", \"remote\", \"managed\"]);\n\nexport type BuildStrategy = z.infer<typeof buildStrategySchema>;\n\n/**\n * Abort-aware sleep. Resolves after `ms`, or rejects immediately if `signal`\n * aborts first (so a cancelled deploy stops polling promptly).\n */\nexport async function sleep(ms: number, signal: AbortSignal): Promise<void> {\n  return await new Promise<void>((resolve, reject) => {\n    const timer = setTimeout(() => {\n      signal.removeEventListener(\"abort\", onAbort);\n      resolve();\n    }, ms);\n    const onAbort = () => {\n      clearTimeout(timer);\n      reject(new Error(\"aborted while polling\"));\n    };\n    if (signal.aborted) onAbort();\n    else signal.addEventListener(\"abort\", onAbort);\n  });\n}\n\n/** Options for {@link pollUntil}. */\nexport interface PollUntilOptions {\n  /** Predicate polled until it returns true. */\n  check: () => Promise<boolean>;\n  /** Deadline relative to `Date.now()` at the first failing check. */\n  timeoutMs: number;\n  /** Delay between attempts, via the abort-aware {@link sleep}. */\n  intervalMs: number;\n  signal: AbortSignal;\n  /** Descriptive message for the timeout error; defaults to \"timed out\". */\n  timeoutMessage?: string;\n}\n\n/**\n * Poll `check()` until it returns true. Sleeps `intervalMs` between attempts\n * and throws once `Date.now()` passes the deadline. Generalizes the readiness\n * loops the deploy providers each re-implemented.\n */\nexport async function pollUntil(opts: PollUntilOptions): Promise<void> {\n  const deadline = Date.now() + opts.timeoutMs;\n  for (;;) {\n    if (await opts.check()) return;\n    if (Date.now() > deadline) {\n      throw new Error(opts.timeoutMessage ?? \"timed out\");\n    }\n    await sleep(opts.intervalMs, opts.signal);\n  }\n}\n\n/** Options for {@link makeDeployHandle}. */\nexport interface MakeDeployHandleOptions<S> {\n  wsUrl: string;\n  /** Source of `wsAuth` redaction and the abort `signal` for the ready routine. */\n  ctx: DeployContext;\n  payload: S;\n  initialState: DeployHandle[\"state\"];\n  /** Timeout passed to `ready` when `waitReady` is called without one. */\n  defaultReadyTimeoutMs: number;\n  /** Readiness routine; receives the EFFECTIVE timeout (caller's or the default). */\n  ready: (timeoutMs: number, signal: AbortSignal) => Promise<void>;\n  health: () => Promise<{ healthy: boolean; detail?: string }>;\n  stop: () => Promise<void>;\n  logs?: DeployHandle<S>[\"logs\"];\n}\n\n/**\n * Build a `DeployHandle` from per-target seams, replacing the wrapper each\n * provider had copy-pasted. Unlike those wrappers, `waitReady(timeoutMs)`\n * forwards the caller's timeout to `ready` instead of discarding it.\n */\nexport function makeDeployHandle<S>(opts: MakeDeployHandleOptions<S>): DeployHandle<S> {\n  let state: DeployHandle[\"state\"] = opts.initialState;\n  const handle: DeployHandle<S> = {\n    wsUrl: opts.wsUrl,\n    wsAuth: opts.ctx.wsAuth ? \"<redacted>\" : undefined,\n    get state() {\n      return state;\n    },\n    payload: opts.payload,\n    async waitReady(timeoutMs?: number) {\n      const effective = timeoutMs ?? opts.defaultReadyTimeoutMs;\n      try {\n        await opts.ready(effective, opts.ctx.signal);\n        state = \"ready\";\n      } catch (err) {\n        state = \"errored\";\n        throw err;\n      }\n    },\n    health: opts.health,\n    async stop() {\n      state = \"stopping\";\n      await opts.stop();\n      state = \"stopped\";\n    },\n  };\n  if (opts.logs) handle.logs = opts.logs;\n  return handle;\n}\n"]}

package/dist/{chunk-4ACWI5YT.js → chunk-6VTG73UY.js}

@@ -1,3 +1,4 @@
+import { pluginRegistry } from './chunk-6E6PKKAD.js';
 import { createLogger } from './chunk-24UIWON4.js';
 import { EventEmitter } from 'events';
 
@@ -119,8 +120,7 @@ var AgentDriver = class extends EventEmitter {
 // bridge/src/registry.ts
 var INCLUDE_CLAUDE_SDK = typeof __INCLUDE_CLAUDE_SDK__ === "undefined" ? true : __INCLUDE_CLAUDE_SDK__;
 var INCLUDE_CODEX = typeof __INCLUDE_CODEX__ === "undefined" ? true : __INCLUDE_CODEX__;
-var driverRegistry = /* @__PURE__ */ new Map();
-var DRIVER_CATALOG = {
+var BUILTIN_DRIVER_CATALOG = {
   omp: {
     id: "omp",
     name: "omp (oh-my-pi)",
@@ -146,56 +146,68 @@ var DRIVER_CATALOG = {
     supportsInBandAbort: false
   }
 };
-function registerDriver(id, factory, info) {
-  driverRegistry.set(id, { factory, info });
-}
-async function loadDriver(id) {
-  switch (id) {
-    case "omp":
-      await import('./bridge/drivers/omp.js');
-      break;
-    case "echo":
-      await import('./bridge/drivers/echo.js');
-      break;
-    case "claude-sdk":
-      if (INCLUDE_CLAUDE_SDK) await import('./bridge/drivers/claude-sdk.js');
-      break;
-    case "codex":
-      if (INCLUDE_CODEX) await import('./bridge/drivers/codex.js');
-      break;
+var DRIVER_CATALOG = BUILTIN_DRIVER_CATALOG;
+var _driversRegistered = false;
+async function registerBuiltinDrivers(registry = pluginRegistry) {
+  if (registry === pluginRegistry && _driversRegistered) return;
+  if (!registry.get("driver", "omp")) {
+    const m = await import('./bridge/drivers/omp.js');
+    registry.register("driver", m.ompDriverTarget);
+  }
+  if (!registry.get("driver", "echo")) {
+    const m = await import('./bridge/drivers/echo.js');
+    registry.register("driver", m.echoDriverTarget);
+  }
+  if (INCLUDE_CLAUDE_SDK && !registry.get("driver", "claude-sdk")) {
+    const m = await import('./bridge/drivers/claude-sdk.js');
+    registry.register("driver", m.claudeSdkDriverTarget);
+  }
+  if (INCLUDE_CODEX && !registry.get("driver", "codex")) {
+    const m = await import('./bridge/drivers/codex.js');
+    registry.register("driver", m.codexDriverTarget);
   }
+  if (registry === pluginRegistry) _driversRegistered = true;
 }
-async function createDriver(id, config) {
-  await loadDriver(id);
-  const entry = driverRegistry.get(id);
-  if (!entry) {
-    if (id in DRIVER_CATALOG) {
+async function createDriver(id, config, ctx) {
+  const target = await resolveDriverTarget(id);
+  return target.create(config, ctx ?? {});
+}
+async function resolveDriverTarget(id) {
+  await registerBuiltinDrivers();
+  const target = pluginRegistry.get("driver", id);
+  if (!target) {
+    if (id in BUILTIN_DRIVER_CATALOG) {
       throw new Error(`Agent driver "${id}" is not bundled in this build.`);
     }
     throw new Error(
       `Unknown agent driver: "${id}". Available: ${listDrivers().map((d) => d.id).join(", ")}`
     );
   }
-  return entry.factory(config);
+  return target;
 }
 function listDrivers() {
   const merged = /* @__PURE__ */ new Map();
-  for (const info of Object.values(DRIVER_CATALOG)) {
+  for (const info of Object.values(BUILTIN_DRIVER_CATALOG)) {
     merged.set(info.id, info);
   }
-  for (const { info } of driverRegistry.values()) {
-    if (!merged.has(info.id)) merged.set(info.id, info);
+  for (const meta of pluginRegistry.list("driver")) {
+    if (!merged.has(meta.id)) {
+      const target = pluginRegistry.get("driver", meta.id);
+      merged.set(meta.id, {
+        id: meta.id,
+        name: meta.displayName,
+        modelAgnostic: target?.modelAgnostic ?? false,
+        supportsInBandAbort: target?.supportsInBandAbort ?? false
+      });
+    }
   }
   return [...merged.values()];
 }
 async function listModelsForDriver(driverId, apiKeys) {
-  await loadDriver(driverId);
-  const entry = driverRegistry.get(driverId);
-  if (!entry) return [];
-  const driver = entry.factory({ cwd: process.cwd(), sessionId: "model-list", apiKeys });
-  return driver.listModels();
+  const target = await resolveDriverTarget(driverId);
+  return await target.listModels?.(apiKeys) ?? [];
 }
 
-export { AgentDriver, DRIVER_CATALOG, createDriver, getBridgeLogger, listDrivers, listModelsForDriver, loadDriver, registerDriver };
-//# sourceMappingURL=chunk-4ACWI5YT.js.map
-//# sourceMappingURL=chunk-4ACWI5YT.js.map
+export { AgentDriver, BUILTIN_DRIVER_CATALOG, DRIVER_CATALOG, createDriver, getBridgeLogger, listDrivers, listModelsForDriver, registerBuiltinDrivers };
+//# sourceMappingURL=chunk-6VTG73UY.js.map
+//# sourceMappingURL=chunk-6VTG73UY.js.map

package/dist/chunk-6VTG73UY.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../bridge/src/logger.ts","../bridge/src/types.ts","../bridge/src/registry.ts"],"names":[],"mappings":";;;;;AAuBO,SAAS,gBAAgB,OAAA,EAAyB;AACvD,EAAA,OAAO,YAAA,CAAa,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,CAAA;AACjD;AC4ZO,IAAe,WAAA,GAAf,cAAmC,YAAA,CAAa;AAAA;AAAA,EA0CrD,IAAI,gBAAA,GAAuC;AACzC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA,EAGA,gBAAA,GAAuC;AACrC,IAAA,OAAO,EAAC;AAAA,EACV;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,YAAY,KAAA,EAA0E;AAE/E,EACP;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAA,GAA+B;AAC7B,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,aAAA,GAAmC;AACjC,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,gBAAA,GAAkC;AAChC,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,UAAA,GAAoC;AACxC,IAAA,OAAO,EAAC;AAAA,EACV;AAAA;AAAA,EAWU,UAAA;AAAA,EACA,YAAA;AAAA,EACA,eAAA;AAAA,EACF,cAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMR,YAAA,CAAa,UAA6B,KAAA,EAAoB;AAC5D,IAAA,IAAA,CAAK,UAAA,GAAa,QAAA;AAClB,IAAA,IAAA,CAAK,YAAA,GAAe,KAAA;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAA,CACE,QACA,KAAA,EACkB;AAClB,IAAA,IAAI,CAAC,IAAA,CAAK,UAAA,IAAc,CAAC,IAAA,CAAK,cAAc,OAAO,MAAA;AACnD,IAAA,IAAA,CAAK,cAAA,GAAiB,KAAK,GAAA,EAAI;AAC/B,IAAA,IAAA,CAAK,kBAAkB,IAAA,CAAK,UAAA,CAAW,SAAA,CAAU,MAAA,IAAU,KAAK,YAAA,EAAc;AAAA,MAC5E,IAAA,EAAM,gBAAA;AAAA,MACN,IAAA,EAAM,gBAAA;AAAA,MACN,UAAA,EAAY;AAAA,KACb,CAAA;AACD,IAAA,OAAO,IAAA,CAAK,eAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAY,MAAA,EAOH;AACP,IAAA,IAAI,CAAC,IAAA,CAAK,UAAA,IAAc,CAAC,KAAK,eAAA,EAAiB;AAC/C,IAAA,MAAM,aAAa,IAAA,CAAK,cAAA,GAAiB,KAAK,GAAA,EAAI,GAAI,KAAK,cAAA,GAAiB,CAAA;AAE5E,IAAA,IAAI,MAAA,EAAQ,WAAA,KAAgB,MAAA,IAAa,MAAA,EAAQ,iBAAiB,MAAA,EAAW;AAC3E,MAAA,IAAA,CAAK,UAAA,CAAW,aAAA,CAAc,IAAA,CAAK,eAAA,EAAiB;AAAA,QAClD,KAAA,EAAO,QAAQ,KAAA,IAAS,SAAA;AAAA,QACxB,QAAA,EAAU,QAAQ,QAAA,IAAY,SAAA;AAAA,QAC9B,aAAa,MAAA,CAAO,WAAA;AAAA,QACpB,cAAc,MAAA,CAAO,YAAA;AAAA,QACrB,UAAA;AAAA,QACA,YAAY,MAAA,CAAO;AAAA,OACpB,CAAA;AAAA,IACH;AAEA,IAAA,IAAA,CAAK,UAAA,CAAW,OAAA,CAAQ,IAAA,CAAK,eAAA,EAAiB;AAAA,MAC5C,MAAA,EAAQ,MAAA,EAAQ,KAAA,GAAQ,OAAA,GAAU,IAAA;AAAA,MAClC,OAAO,MAAA,EAAQ,KAAA;AAAA,MACf,UAAA,EAAY,EAAE,yBAAA,EAA2B,UAAA;AAAW,KACrD,CAAA;AAED,IAAA,IAAA,CAAK,eAAA,GAAkB,MAAA;AACvB,IAAA,IAAA,CAAK,cAAA,GAAiB,MAAA;AAAA,EACxB;AACF;;;ACjmBA,IAAM,kBAAA,GACJ,OAAO,sBAAA,KAA2B,WAAA,GAAc,IAAA,GAAO,sBAAA;AACzD,IAAM,aAAA,GAAgB,OAAO,iBAAA,KAAsB,WAAA,GAAc,IAAA,GAAO,iBAAA;AAajE,IAAM,sBAAA,GAAqD;AAAA,EAChE,GAAA,EAAK;AAAA,IACH,EAAA,EAAI,KAAA;AAAA,IACJ,IAAA,EAAM,gBAAA;AAAA,IACN,aAAA,EAAe,IAAA;AAAA,IACf,mBAAA,EAAqB;AAAA,GACvB;AAAA,EACA,YAAA,EAAc;AAAA,IACZ,EAAA,EAAI,YAAA;AAAA,IACJ,IAAA,EAAM,kBAAA;AAAA,IACN,aAAA,EAAe,KAAA;AAAA,IACf,mBAAA,EAAqB;AAAA,GACvB;AAAA,EACA,KAAA,EAAO;AAAA,IACL,EAAA,EAAI,OAAA;AAAA,IACJ,IAAA,EAAM,cAAA;AAAA,IACN,aAAA,EAAe,KAAA;AAAA,IACf,mBAAA,EAAqB;AAAA,GACvB;AAAA,EACA,IAAA,EAAM;AAAA,IACJ,EAAA,EAAI,MAAA;AAAA,IACJ,IAAA,EAAM,iBAAA;AAAA,IACN,aAAA,EAAe,IAAA;AAAA,IACf,mBAAA,EAAqB;AAAA;AAEzB;AAQO,IAAM,cAAA,GAAiB;AAE9B,IAAI,kBAAA,GAAqB,KAAA;AAsBzB,eAAsB,sBAAA,CACpB,WAA2B,cAAA,EACZ;AACf,EAAA,IAAI,QAAA,KAAa,kBAAkB,kBAAA,EAAoB;AAEvD,EAAA,IAAI,CAAC,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,KAAK,CAAA,EAAG;AAClC,IAAA,MAAM,CAAA,GAAI,MAAM,OAAO,yBAAgC,CAAA;AACvD,IAAA,QAAA,CAAS,QAAA,CAAS,QAAA,EAAU,CAAA,CAAE,eAAe,CAAA;AAAA,EAC/C;AACA,EAAA,IAAI,CAAC,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA,EAAG;AACnC,IAAA,MAAM,CAAA,GAAI,MAAM,OAAO,0BAAiC,CAAA;AACxD,IAAA,QAAA,CAAS,QAAA,CAAS,QAAA,EAAU,CAAA,CAAE,gBAAgB,CAAA;AAAA,EAChD;AACA,EAAA,IAAI,sBAAsB,CAAC,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,YAAY,CAAA,EAAG;AAC/D,IAAA,MAAM,CAAA,GAAI,MAAM,OAAO,gCAAuC,CAAA;AAC9D,IAAA,QAAA,CAAS,QAAA,CAAS,QAAA,EAAU,CAAA,CAAE,qBAAqB,CAAA;AAAA,EACrD;AACA,EAAA,IAAI,iBAAiB,CAAC,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,OAAO,CAAA,EAAG;AACrD,IAAA,MAAM,CAAA,GAAI,MAAM,OAAO,2BAAkC,CAAA;AACzD,IAAA,QAAA,CAAS,QAAA,CAAS,QAAA,EAAU,CAAA,CAAE,iBAAiB,CAAA;AAAA,EACjD;AAEA,EAAA,IAAI,QAAA,KAAa,gBAAgB,kBAAA,GAAqB,IAAA;AACxD;AAkBA,eAAsB,YAAA,CACpB,EAAA,EACA,MAAA,EACA,GAAA,EACsB;AACtB,EAAA,MAAM,MAAA,GAAS,MAAM,mBAAA,CAAoB,EAAE,CAAA;AAC3C,EAAA,OAAO,MAAA,CAAO,MAAA,CAAO,MAAA,EAAQ,GAAA,IAAO,EAAE,CAAA;AACxC;AAWA,eAAe,oBAAoB,EAAA,EAAY;AAC7C,EAAA,MAAM,sBAAA,EAAuB;AAC7B,EAAA,MAAM,MAAA,GAAS,cAAA,CAAe,GAAA,CAAI,QAAA,EAAU,EAAE,CAAA;AAC9C,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,IAAI,MAAM,sBAAA,EAAwB;AAChC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,cAAA,EAAiB,EAAE,CAAA,+BAAA,CAAiC,CAAA;AAAA,IACtE;AACA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,uBAAA,EAA0B,EAAE,CAAA,cAAA,EAAiB,WAAA,EAAY,CACtD,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,EAAE,CAAA,CACf,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,KACf;AAAA,EACF;AACA,EAAA,OAAO,MAAA;AACT;AAaO,SAAS,WAAA,GAA4B;AAC1C,EAAA,MAAM,MAAA,uBAAa,GAAA,EAAwB;AAC3C,EAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,MAAA,CAAO,sBAAsB,CAAA,EAAG;AACxD,IAAA,MAAA,CAAO,GAAA,CAAI,IAAA,CAAK,EAAA,EAAI,IAAI,CAAA;AAAA,EAC1B;AACA,EAAA,KAAA,MAAW,IAAA,IAAQ,cAAA,CAAe,IAAA,CAAK,QAAQ,CAAA,EAAG;AAChD,IAAA,IAAI,CAAC,MAAA,CAAO,GAAA,CAAI,IAAA,CAAK,EAAE,CAAA,EAAG;AAIxB,MAAA,MAAM,MAAA,GAAS,cAAA,CAAe,GAAA,CAAI,QAAA,EAAU,KAAK,EAAE,CAAA;AACnD,MAAA,MAAA,CAAO,GAAA,CAAI,KAAK,EAAA,EAAI;AAAA,QAClB,IAAI,IAAA,CAAK,EAAA;AAAA,QACT,MAAM,IAAA,CAAK,WAAA;AAAA,QACX,aAAA,EAAe,QAAQ,aAAA,IAAiB,KAAA;AAAA,QACxC,mBAAA,EAAqB,QAAQ,mBAAA,IAAuB;AAAA,OACrD,CAAA;AAAA,IACH;AAAA,EACF;AACA,EAAA,OAAO,CAAC,GAAG,MAAA,CAAO,MAAA,EAAQ,CAAA;AAC5B;AAiBA,eAAsB,mBAAA,CACpB,UACA,OAAA,EACuB;AACvB,EAAA,MAAM,MAAA,GAAS,MAAM,mBAAA,CAAoB,QAAQ,CAAA;AACjD,EAAA,OAAQ,MAAM,MAAA,CAAO,UAAA,GAAa,OAAO,KAAM,EAAC;AAClD","file":"chunk-6VTG73UY.js","sourcesContent":["/**\n * Bridge-layer logger factory.\n *\n * Each driver creates its own Logger via `getBridgeLogger(subkind)` at\n * construction time. Falls back to an off-mode Logger (stdout only) when\n * no LogStore is registered — see @skaile/workspaces/core/logging for details.\n */\n\nimport { createLogger } from \"@skaile/workspaces/core/logging\";\nimport type { Logger } from \"@skaile/workspaces/types\";\n\n/**\n * Construct a bridge-scoped Logger for a given driver subkind.\n *\n * Creates a `Logger` with `kind: \"bridge\"` and the specified `subkind`. Falls back to\n * an off-mode Logger (stdout only) when no `LogStore` is registered — see\n * `@skaile/workspaces/core/logging` for details. Each driver calls this once at construction\n * time; never re-construct per call.\n *\n * @param subkind - Driver id, e.g. `\"claude-sdk\"`, `\"omp\"`, `\"echo\"`, `\"codex\"`.\n * @returns A `Logger` scoped to `bridge:<subkind>`.\n * @docLink packages/bridge/api-reference#logger\n */\nexport function getBridgeLogger(subkind: string): Logger {\n  return createLogger({ kind: \"bridge\", subkind });\n}\n","import { EventEmitter } from \"node:events\";\nimport type { Span, TelemetryProvider, Trace } from \"@skaile/workspaces/telemetry\";\nimport type {\n  Capability,\n  CredentialMint,\n  RenderInvokedEvent,\n  TokenUsage,\n} from \"@skaile/workspaces/types\";\nimport type { ModelEntry } from \"./models.js\";\n\n/**\n * Minimal LLM tool descriptor used by the capability dispatch path. Mirrors\n * the runner's `LLMTool` shape so drivers can consume registry output without\n * importing `@skaile/workspaces/runner` (which would create a circular dep).\n *\n * @category Capabilities\n * @since 2.0.0\n * @docLink packages/bridge/concepts#bridge-capability-tool\n */\nexport interface BridgeCapabilityTool {\n  /** Capability name; used as the LLM-visible tool name. */\n  name: string;\n  /** Human/LLM-readable description. */\n  description: string;\n  /** JSON Schema for the tool's input parameters. */\n  parameters: Record<string, unknown>;\n}\n\n/**\n * Render-cap event emission callback used by the bridge when the LLM invokes\n * a capability that carries a `render` spec. The runner provides the actual\n * sink (transport.send / sendEvent); the bridge only emits.\n *\n * @category Capabilities\n * @since 2.0.0\n * @docLink packages/bridge/concepts#bridge-render-emit\n */\nexport type BridgeRenderEmit = (event: RenderInvokedEvent) => void;\n\n/**\n * Text-event emission callback for render-capability fallbacks. When a\n * `RenderCapability` carries `render.fallback` and the LLM invokes it, the\n * bridge substitutes `{{prop}}` placeholders (top-level keys of `props`,\n * optional dotted-path traversal `{{user.name}}`) and pushes the rendered\n * string through this callback so clients without a render layer still see\n * a textual representation. No-op when `fallback` is absent.\n *\n * @category Capabilities\n * @since 2.0.0\n * @docLink packages/bridge/concepts#bridge-text-emit\n */\nexport type BridgeTextEmit = (text: string) => void;\n\n/**\n * Bundle of capability dispatch hooks. Registered into the driver via\n * `AgentConfig.capabilities`; the driver routes registered LLM tool calls\n * back into `invoke()` instead of using its native dispatch path.\n *\n * The runner constructs this from a `CapabilityRegistry` instance and threads\n * it through `createAgentSession()`. Drivers that don't yet implement\n * capability dispatch ignore the field — legacy v1 paths stay intact.\n *\n * @category Capabilities\n * @since 2.0.0\n * @docLink packages/bridge/concepts#bridge-capability-hooks\n */\nexport interface BridgeCapabilityHooks {\n  /** Build the LLM tool descriptor list from the registry. Called per turn so registration changes take effect. */\n  composeTools(): BridgeCapabilityTool[];\n  /** Resolve a wire-format Capability descriptor by name. Used by the bridge to inspect `fireAndForget` / `render`. */\n  resolve(name: string): Capability | null;\n  /** Validate input + dispatch through the registry. Logging is wired by the registry. */\n  invoke(name: string, input: unknown): Promise<unknown>;\n  /** Emit a render-invoked event. The runner forwards via the WebSocket transport. */\n  emitRender?: BridgeRenderEmit;\n  /** Emit a text fallback for render capabilities with `render.fallback`. */\n  emitText?: BridgeTextEmit;\n  /** Session id passed through to the runner's per-handler logger. */\n  sessionId: string;\n}\n\n/**\n * Static metadata for a registered agent driver backend.\n *\n * Returned by {@link listDrivers} and exposed on every {@link AgentDriver} instance\n * via `driverInfo`.\n *\n * @docLink packages/bridge/concepts#driver-info\n */\nexport interface DriverInfo {\n  /** Stable machine identifier used to look up the driver in the registry (e.g. `\"omp\"`, `\"claude-sdk\"`). */\n  id: string;\n  /** Human-readable display name shown in UIs and logs. */\n  name: string;\n  /** `true` when the driver can target any LLM provider; `false` for Anthropic-only drivers. */\n  modelAgnostic: boolean;\n  /**\n   * `true` when the driver supports mid-stream abort via `abort()` without killing the process.\n   * Drivers that return `false` can only be stopped via `kill()`.\n   */\n  supportsInBandAbort: boolean;\n}\n\n/**\n * Codex-specific tuning options passed through `DriverOptions.codex`.\n *\n * @remarks These are forwarded verbatim to the Codex driver and have no effect on other drivers.\n * @docLink packages/bridge/concepts#codex-driver-options\n */\nexport interface CodexDriverOptions {\n  /** Controls whether Codex may auto-apply edits without user approval. */\n  approvalPolicy?: \"never\" | \"on-request\" | \"on-failure\" | \"untrusted\";\n  /** Filesystem sandbox level for the Codex process. */\n  sandboxMode?: \"read-only\" | \"workspace-write\" | \"danger-full-access\";\n  /** Reasoning budget passed to the model. */\n  reasoningEffort?: \"minimal\" | \"low\" | \"medium\" | \"high\" | \"xhigh\";\n  /** When `true`, the Codex sandbox is allowed to make outbound network requests. */\n  networkAccessEnabled?: boolean;\n  /** Extra directories made accessible to the Codex sandbox in addition to `cwd`. */\n  additionalDirectories?: string[];\n}\n\n/**\n * Driver-specific configuration bag.\n *\n * Fields are keyed by driver ID so that callers can pass driver-specific options\n * through the common {@link AgentConfig} without breaking other drivers.\n *\n * @docLink packages/bridge/concepts#driver-options\n */\nexport interface DriverOptions {\n  /** Codex-specific options. Ignored by all other drivers. */\n  codex?: CodexDriverOptions;\n}\n\n/**\n * Configuration passed to a driver when it is created via {@link createDriver}.\n *\n * All fields are shared across drivers; driver-specific behaviour is documented\n * per field. Fields that are silently ignored by a driver are marked accordingly.\n *\n * @docLink packages/bridge/concepts#agent-config\n */\nexport interface AgentConfig {\n  /** Absolute path to the working directory the agent operates in. */\n  cwd: string;\n  /**\n   * LLM provider name (e.g. `\"anthropic\"`, `\"openai\"`, `\"google\"`).\n   * Combined with `model` as `provider/model` for omp's `--model` flag.\n   * Ignored by claude-sdk (always Anthropic).\n   */\n  provider?: string;\n  /**\n   * LLM model identifier (e.g. `\"claude-sonnet-4-5\"`, `\"gpt-4o\"`).\n   * For omp: passed as `--model [provider/]model`.\n   * For claude-sdk: passed as the `model` query option.\n   */\n  model?: string;\n  /**\n   * Provider API keys keyed by provider name (e.g. `{ anthropic: \"sk-...\" }`).\n   * Drivers inject the relevant key into the environment or SDK options.\n   */\n  apiKeys?: Record<string, string>;\n  /**\n   * Additional environment variables merged into the child process environment.\n   * For omp: merged with `process.env` before spawn. For claude-sdk: accessed\n   * via `env.ANTHROPIC_API_KEY` as an alternative to `apiKeys.anthropic`.\n   */\n  env?: Record<string, string>;\n  /** Inline system prompt — written to .omp/system.md and passed via --append-system-prompt (omp driver) */\n  systemPrompt?: string;\n  /** Path to project .omp/ directory (PI_CODING_AGENT_DIR for omp driver) */\n  agentDir?: string;\n  /** SSH key path — injected as GIT_SSH_COMMAND */\n  sshKeyPath?: string;\n  /** Pre-assign a UUID as the session ID for a new session (claude-sdk: passed as sessionId option) */\n  sessionId?: string;\n  /** Resume this specific past session by UUID instead of starting fresh (claude-sdk: passed as resume option) */\n  resumeSessionId?: string;\n  /** Maximum agentic turns per query (claude-sdk: passed as maxTurns option) */\n  maxTurns?: number;\n  /** Agent name — selects a deployed sub-agent definition as the main agent identity.\n   *  claude-sdk: passed as `agent` option to query() → reads .claude/agents/<name>.md natively.\n   *  omp: ignored (omp uses agentDir/PI_CODING_AGENT_DIR instead). */\n  agentName?: string;\n  /** In-process SDK MCP servers for custom tool injection (Claude SDK only, ignored by other drivers) */\n  mcpServers?: Record<string, unknown>;\n  /** Tool restrictions from agent.yaml — applied to the main agent session */\n  tools?: {\n    /** Tool names that the agent is allowed to invoke. An empty array means no restriction. */\n    allowed?: string[];\n    /** Tool names that the agent is explicitly forbidden from invoking. */\n    denied?: string[];\n  };\n  /** Thinking mode for Claude models: adaptive (Claude decides), enabled (always think), disabled (no thinking). */\n  thinking?: \"adaptive\" | \"enabled\" | \"disabled\";\n  /** Reasoning effort level for Claude models. */\n  effort?: \"low\" | \"medium\" | \"high\" | \"max\";\n  /** Driver-specific configuration bag. */\n  driverOptions?: DriverOptions;\n  /**\n   * Protocol v2 capability dispatch hooks. When present, the driver uses the\n   * registry as the source of LLM tool definitions and routes invocations\n   * through `capabilities.invoke()`. Absent → legacy v1 path (existing\n   * mcpServers / native dispatch).\n   *\n   * @since 2.0.0\n   */\n  capabilities?: BridgeCapabilityHooks;\n  /**\n   * The platform's `AIProviderConfig.id` for the AI credential currently\n   * provisioned into this driver. The runner reads this off `AgentConfig`\n   * during 401 mediation and passes it as `configId` in\n   * `request_access_token { kind: 'ai-credentials' }`. The driver itself\n   * does not consume this field — only the runner uses it.\n   *\n   * Set by the platform agent-gateway in `ConfigureCommandV2` for mediated\n   * sessions. Standalone runners (CLI / forge / Claude plugin) leave it\n   * undefined; the runner falls back to surfacing the auth error to the\n   * user without mediating.\n   *\n   * Spec: `_devlog/specs/2026-05-07-unified-credential-mediation.md`\n   * § \"Wire `aiProviderConfigId` end-to-end\".\n   *\n   * @since 3.3.0\n   */\n  aiProviderConfigId?: string;\n  /**\n   * Optional callback invoked by the driver when the underlying agent\n   * surfaces an `authentication_error`. In Protocol v3 the runner mediates\n   * the refresh via the `host.refresh_credential` capability and returns a\n   * typed {@link CredentialMint}. The driver inspects the discriminator:\n   *\n   *   - `mint.ok === true`: a fresh credential is now provisioned. The\n   *     driver re-attempts the in-flight prompt once.\n   *   - `mint.ok === false`: refresh failed (`code` carries a stable reason\n   *     such as `revoked`, `not-configured`, `provider-error`,\n   *     `backend-error`). The driver surfaces the original `AuthError` to\n   *     the caller.\n   *\n   * `args.configId` carries the platform `AIProviderConfig.id` the driver\n   * was provisioned with (mirrors {@link AgentConfig.aiProviderConfigId}).\n   * The runner uses it to scope the refresh to the correct AI credential.\n   *\n   * When omitted, the driver throws `AuthError` immediately as before\n   * (standalone CLI / forge mode — there is no platform mediator to ask).\n   *\n   * Centralising auth-retry inside the driver means every consumer of\n   * `driver.prompt(...)` (serve handler, compaction orchestrator, flow\n   * orchestrator, …) gets self-healing for free — there is no per-call-site\n   * wrapping.\n   *\n   * Spec: `_devlog/specs/2026-05-10-deterministic-session-bootstrap.md`\n   * § \"host.refresh_credential capability\".\n   *\n   * @since 3.4.0\n   */\n  onAuthError?: (args: { configId: string }) => Promise<CredentialMint>;\n}\n\n/**\n * A single message in an agent conversation.\n *\n * Emitted as part of {@link AgentEvent} variants (`message_start`, `message_update`, `message_end`).\n *\n * @docLink packages/bridge/concepts#agent-message\n */\nexport interface AgentMessage {\n  /** Originator of the message. */\n  role: \"user\" | \"assistant\" | \"tool\";\n  /** Message body — either a plain string or a list of typed content blocks. */\n  content: string | ContentBlock[];\n  /** Tool invocations made by the assistant in this message. */\n  toolCalls?: ToolCall[];\n  /** For `role === \"tool\"`: the name of the tool whose result this message carries. */\n  toolName?: string;\n  /** For `role === \"tool\"`: `true` when the tool returned an error. */\n  isError?: boolean;\n  /** Optional structured payload for tool results. */\n  data?: unknown;\n}\n\n/**\n * A typed block within an {@link AgentMessage}'s content array.\n *\n * Mirrors the Anthropic content block schema but is driver-agnostic.\n *\n * @docLink packages/bridge/concepts#content-block\n */\nexport interface ContentBlock {\n  /** Block discriminant. */\n  type: \"text\" | \"tool_use\" | \"tool_result\" | \"thinking\";\n  /** Present for `text` and `thinking` blocks. */\n  text?: string;\n  /** Tool use / tool result correlation ID. */\n  id?: string;\n  /** Tool name (present on `tool_use` blocks). */\n  name?: string;\n  /** Tool input arguments (present on `tool_use` blocks). */\n  input?: any;\n  /** Serialised tool result content (present on `tool_result` blocks). */\n  content?: string;\n}\n\n/**\n * A single tool invocation made by the agent within a message.\n *\n * @docLink packages/bridge/concepts#tool-call\n */\nexport interface ToolCall {\n  /** Correlation ID used to match the call with its result. */\n  id: string;\n  /** Name of the tool being invoked. */\n  name: string;\n  /** Arguments passed to the tool. */\n  input: any;\n}\n\n/**\n * Error classification for agent failures.\n *\n * Used to determine whether a failure is retryable and to surface actionable\n * hints to the user. See `bridge/CLAUDE.md` for the full category-to-behaviour matrix.\n *\n * @see AgentError\n * @docLink packages/bridge/concepts#error-category\n */\nexport type ErrorCategory =\n  | \"auth\"\n  | \"rate_limit\"\n  | \"model\"\n  | \"network\"\n  | \"config\"\n  | \"process\"\n  | \"validation\"\n  | \"unknown\";\n\n/**\n * Structured error payload emitted inside the `error` {@link AgentEvent}.\n *\n * Consumers should inspect `retryable` before deciding to surface a retry button,\n * and `hint` to provide an actionable message to the user.\n *\n * @docLink packages/bridge/concepts#agent-error\n */\nexport interface AgentError {\n  /** Human-readable error description. */\n  message: string;\n  /** Coarse failure classification used for retry logic and telemetry. */\n  category: ErrorCategory;\n  /** HTTP status code if the error originated from an API response. */\n  statusCode?: number;\n  /** `true` when the caller may safely retry the same operation. */\n  retryable: boolean;\n  /** Short actionable advice suitable for display in the UI. */\n  hint?: string;\n}\n\n/**\n * Metadata for a slash command exposed by the active agent runtime.\n *\n * @docLink packages/bridge/concepts#slash-command-info\n */\nexport interface SlashCommandInfo {\n  /** Command name without the leading slash (e.g. `\"compact\"`). */\n  name: string;\n  /** One-line description shown in command pickers. */\n  description: string;\n  /** Placeholder text describing what argument the command expects. */\n  argumentHint?: string;\n}\n\n/**\n * Discriminated union of all events emitted by a driver on the `'agent-event'` channel.\n *\n * @remarks\n * Consumers listen via `driver.on('agent-event', (event: AgentEvent) => ...)`.\n * The `[k: string]: any` index signature on most variants allows drivers to attach\n * driver-specific fields (e.g. `_textDelta`) without breaking the union.\n *\n * @docLink packages/bridge/concepts#agent-event\n */\nexport type AgentEvent =\n  | { type: \"message_start\"; message: AgentMessage; [k: string]: any }\n  | { type: \"message_update\"; message: AgentMessage; [k: string]: any }\n  | { type: \"message_end\"; message: AgentMessage; [k: string]: any }\n  | { type: \"turn_end\"; toolResults?: AgentMessage[]; [k: string]: any }\n  | { type: \"agent_end\"; [k: string]: any }\n  | {\n      type: \"result\";\n      subtype: string;\n      summary?: string;\n      costUsd?: number;\n      /** Per-turn token usage when the driver tracks it. Added in 3.1.0. */\n      tokens?: TokenUsage;\n      errors?: string[];\n      [k: string]: any;\n    }\n  | { type: \"error\"; error: string; detail?: AgentError; fatal?: boolean; [k: string]: any }\n  | { type: \"tool_call\"; name?: string; tool?: { name: string }; [k: string]: any }\n  | { type: \"tool_execution_end\"; toolName?: string; [k: string]: any }\n  | { type: \"commands_available\"; commands: SlashCommandInfo[] }\n  | { type: \"session_info\"; driverSessionId: string; sessionFile?: string }\n  | { type: \"ui_render\"; [k: string]: any }\n  | { type: \"ui_render_update\"; [k: string]: any }\n  | { type: \"ui_clear\"; [k: string]: any }\n  // Phase 3 (resume cascade) — driver-emitted resume outcome.\n  | {\n      type: \"resume_failed\";\n      resumeSessionId: string;\n      reason: \"signature_mismatch\" | \"model_mismatch\" | \"jsonl_lost\" | \"jsonl_poisoned\";\n      [k: string]: any;\n    };\n\n/**\n * Abstract base class for agent driver backends.\n *\n * Wraps an LLM coding agent behind a single `prompt()` interface.\n * All drivers emit `'agent-event'` with {@link AgentEvent} payloads.\n *\n * @remarks\n * Subclasses must implement `start`, `prompt`, `abort`, `kill`, and `isRunning`.\n * Implementations should never emit an event name other than `'agent-event'` as\n * the public streaming channel — internal events (`'ready'`, `'exit'`, etc.) are\n * driver-private.\n *\n * @example\n * ```ts\n * const driver = createDriver('omp', config);\n * driver.on('agent-event', (event) => console.log(event.type));\n * await driver.start();\n * await driver.prompt('Refactor the auth module');\n * driver.kill();\n * ```\n *\n * @docLink packages/bridge/concepts#agent-driver\n */\nexport abstract class AgentDriver extends EventEmitter {\n  /** Static metadata describing this driver's capabilities. */\n  abstract readonly driverInfo: DriverInfo;\n\n  /**\n   * Initialises the driver backend — spawns the child process (omp) or loads\n   * the SDK module (claude-sdk). Resolves when the backend is ready to accept\n   * prompts. Idempotent: calling `start()` on an already-running driver is a no-op.\n   *\n   * @throws {Error} When the backend binary is missing or the SDK cannot be loaded.\n   */\n  abstract start(): Promise<void>;\n\n  /**\n   * Sends a user message to the agent and resolves when the agent's turn completes\n   * (i.e. after the `agent_end` event has been emitted).\n   *\n   * @param message - Plain-text user prompt to send to the agent.\n   * @throws {Error} When the driver is not running or the underlying backend reports a fatal error.\n   */\n  abstract prompt(message: string): Promise<void>;\n\n  /**\n   * Sends an in-band abort signal to the agent, requesting it to stop the current\n   * turn without terminating the process. The driver remains usable after `abort()`.\n   *\n   * @remarks Only meaningful when `driverInfo.supportsInBandAbort` is `true`.\n   *   For other drivers, prefer `kill()` followed by creating a new driver instance.\n   */\n  abstract abort(): Promise<void>;\n\n  /**\n   * Terminates the agent backend immediately (SIGTERM for subprocess drivers,\n   * `close()` for in-process drivers). The driver instance must not be reused\n   * after `kill()`.\n   */\n  abstract kill(): void;\n\n  /** `true` when the backend is alive and able to accept new prompts. */\n  abstract get isRunning(): boolean;\n\n  /** Optional provider-native session/thread identifier for resume support. */\n  get runtimeSessionId(): string | undefined {\n    return undefined;\n  }\n\n  /** Slash commands discovered from the agent runtime. Override in drivers that support introspection. */\n  getSlashCommands(): SlashCommandInfo[] {\n    return [];\n  }\n\n  // ── Live reconfiguration ────────────────────────────────────────────────\n\n  /**\n   * Live-update driver configuration. The new values take effect on the next\n   * prompt() call. Only model/thinking/effort are reconfigurable mid-session.\n   *\n   * Subclasses that store config locally should override this to apply the\n   * patch to their own config field. The base implementation is a no-op.\n   */\n  reconfigure(patch: Partial<Pick<AgentConfig, \"model\" | \"thinking\" | \"effort\">>): void {\n    // No-op — subclasses override to apply to their own config.\n    void patch;\n  }\n\n  /**\n   * Returns the model identifier currently configured on this driver.\n   * Subclasses that store config locally should override this.\n   */\n  getModel(): string | undefined {\n    return undefined;\n  }\n\n  // ── Compaction support ──────────────────────────────────────────────────\n\n  /**\n   * Returns the token usage from the most recent completed turn.\n   * Returns `null` if usage data is unavailable (e.g. driver doesn't track it).\n   *\n   * Widened in 3.1.0 to return the full `TokenUsage` shape (input / output /\n   * cache-read / cache-creation / reasoning). All fields are optional so\n   * drivers can populate just what their provider reports. Existing callers\n   * that read only `inputTokens` / `outputTokens` keep working — those fields\n   * are still present and carry the same semantics as before.\n   */\n  getTokenUsage(): TokenUsage | null {\n    return null;\n  }\n\n  /**\n   * Returns the model's context window size in tokens.\n   * Returns `null` if unknown.\n   */\n  getContextWindow(): number | null {\n    return null;\n  }\n\n  /**\n   * Returns the list of models available to this driver without starting a session.\n   * Drivers that can enumerate their own models override this method.\n   * Returns an empty array by default.\n   */\n  async listModels(): Promise<ModelEntry[]> {\n    return [];\n  }\n\n  /**\n   * Closes the current conversation session and prepares for a fresh start.\n   * The next `prompt()` call will begin a new session without prior history.\n   * The driver remains usable after `resetSession()`.\n   */\n  abstract resetSession(): Promise<void>;\n\n  // ── Telemetry ─────────────────────────────────────────────────────────────\n\n  protected _telemetry?: TelemetryProvider;\n  protected _activeTrace?: Trace;\n  protected _activeTurnSpan?: Span;\n  private _turnStartTime?: number;\n\n  /**\n   * Attach a telemetry provider and active trace to this driver.\n   * Called by the runner after creating the driver but before start().\n   */\n  setTelemetry(provider: TelemetryProvider, trace: Trace): void {\n    this._telemetry = provider;\n    this._activeTrace = trace;\n  }\n\n  /**\n   * Begin a turn span. Called by the runner before prompt().\n   * Pass a parent span (e.g. the turn span from the orchestrator) for nesting.\n   * Returns the span so the runner can annotate it further.\n   */\n  beginTurnSpan(\n    parent?: Trace | Span,\n    attrs?: Record<string, string | number | boolean>,\n  ): Span | undefined {\n    if (!this._telemetry || !this._activeTrace) return undefined;\n    this._turnStartTime = Date.now();\n    this._activeTurnSpan = this._telemetry.startSpan(parent ?? this._activeTrace, {\n      name: \"llm_generation\",\n      kind: \"llm_generation\",\n      attributes: attrs,\n    });\n    return this._activeTurnSpan;\n  }\n\n  /**\n   * End the current turn span with generation data.\n   * Called by the runner after agent_end. Model and provider are passed\n   * explicitly — the driver base class does not access config directly.\n   */\n  endTurnSpan(result?: {\n    model?: string;\n    provider?: string;\n    inputTokens?: number;\n    outputTokens?: number;\n    stopReason?: string;\n    error?: string;\n  }): void {\n    if (!this._telemetry || !this._activeTurnSpan) return;\n    const durationMs = this._turnStartTime ? Date.now() - this._turnStartTime : 0;\n\n    if (result?.inputTokens !== undefined || result?.outputTokens !== undefined) {\n      this._telemetry.logGeneration(this._activeTurnSpan, {\n        model: result?.model ?? \"unknown\",\n        provider: result?.provider ?? \"unknown\",\n        inputTokens: result.inputTokens,\n        outputTokens: result.outputTokens,\n        durationMs,\n        stopReason: result.stopReason,\n      });\n    }\n\n    this._telemetry.endSpan(this._activeTurnSpan, {\n      status: result?.error ? \"error\" : \"ok\",\n      error: result?.error,\n      attributes: { \"skaile.turn.duration_ms\": durationMs },\n    });\n\n    this._activeTurnSpan = undefined;\n    this._turnStartTime = undefined;\n  }\n}\n\n/**\n * Factory function signature registered in the driver registry.\n *\n * @param config - Configuration for the new driver instance.\n * @returns A freshly constructed (not yet started) {@link AgentDriver}.\n * @docLink packages/bridge/concepts#driver-factory\n */\nexport type DriverFactory = (config: AgentConfig) => AgentDriver;\n","import type { DriverContext } from \"@skaile/workspaces/plugin-registry\";\nimport { type PluginRegistry, pluginRegistry } from \"@skaile/workspaces/plugin-registry\";\nimport type { ModelEntry } from \"./models.js\";\nimport type { AgentConfig, AgentDriver, DriverInfo } from \"./types.js\";\n\n// Build-time backend gating. `bun build --compile --define:__INCLUDE_*__=...`\n// folds these to literal booleans so an excluded backend's driver module and\n// its SDK are dead-code-stripped from the binary. Under tsup / vitest / bun\n// run-on-source no `--define` runs and the `typeof` guard defaults to `true` —\n// every backend is available (the SDKs stay optional peers).\ndeclare const __INCLUDE_CLAUDE_SDK__: boolean;\ndeclare const __INCLUDE_CODEX__: boolean;\nconst INCLUDE_CLAUDE_SDK =\n  typeof __INCLUDE_CLAUDE_SDK__ === \"undefined\" ? true : __INCLUDE_CLAUDE_SDK__;\nconst INCLUDE_CODEX = typeof __INCLUDE_CODEX__ === \"undefined\" ? true : __INCLUDE_CODEX__;\n\n/**\n * Static capability metadata for every built-in backend.\n *\n * Pure data — this object imports no driver module and references no backend\n * SDK. {@link listDrivers} returns it (merged with any third-party drivers)\n * so selection UIs can enumerate every backend without loading a single\n * driver module. The matching driver module's `DriverTarget` is registered\n * into the plugin registry by {@link registerBuiltinDrivers}.\n *\n * @docLink packages/bridge/api-reference#registry\n */\nexport const BUILTIN_DRIVER_CATALOG: Record<string, DriverInfo> = {\n  omp: {\n    id: \"omp\",\n    name: \"omp (oh-my-pi)\",\n    modelAgnostic: true,\n    supportsInBandAbort: true,\n  },\n  \"claude-sdk\": {\n    id: \"claude-sdk\",\n    name: \"Claude Agent SDK\",\n    modelAgnostic: false,\n    supportsInBandAbort: true,\n  },\n  codex: {\n    id: \"codex\",\n    name: \"OpenAI Codex\",\n    modelAgnostic: false,\n    supportsInBandAbort: true,\n  },\n  echo: {\n    id: \"echo\",\n    name: \"Echo (E2E mock)\",\n    modelAgnostic: true,\n    supportsInBandAbort: false,\n  },\n};\n\n/**\n * Back-compat alias for {@link BUILTIN_DRIVER_CATALOG}. Consumers and tests that\n * predate the plugin-registry refactor still import `DRIVER_CATALOG`.\n *\n * @docLink packages/bridge/api-reference#registry\n */\nexport const DRIVER_CATALOG = BUILTIN_DRIVER_CATALOG;\n\nlet _driversRegistered = false;\n\n/**\n * Register every built-in driver's `DriverTarget` into the plugin registry.\n *\n * This is the single id → module map in bridge core. Every specifier is a\n * literal string so `bun --compile` can statically bundle the driver module\n * (and, transitively, its SDK). The in-process-SDK backends (`claude-sdk`,\n * `codex`) are wrapped in build-constant guards so an excluded backend's\n * `await import` folds to dead code in the compiled binary. `omp` and `echo`\n * carry no SDK weight and are always available.\n *\n * **Static import discipline.** Every `import()` specifier below must be a\n * string literal — never aliased through a variable. Indirection defeats\n * `bun --compile`'s static analysis and silently drops the module from the\n * binary.\n *\n * Idempotent: guarded by a module flag so a second call is a no-op (a duplicate\n * `register` would otherwise throw `RegistrationError`).\n *\n * @docLink packages/bridge/api-reference#registry\n */\nexport async function registerBuiltinDrivers(\n  registry: PluginRegistry = pluginRegistry,\n): Promise<void> {\n  if (registry === pluginRegistry && _driversRegistered) return;\n\n  if (!registry.get(\"driver\", \"omp\")) {\n    const m = await import(\"@skaile/workspaces/drivers/omp\");\n    registry.register(\"driver\", m.ompDriverTarget);\n  }\n  if (!registry.get(\"driver\", \"echo\")) {\n    const m = await import(\"@skaile/workspaces/drivers/echo\");\n    registry.register(\"driver\", m.echoDriverTarget);\n  }\n  if (INCLUDE_CLAUDE_SDK && !registry.get(\"driver\", \"claude-sdk\")) {\n    const m = await import(\"@skaile/workspaces/drivers/claude-sdk\");\n    registry.register(\"driver\", m.claudeSdkDriverTarget);\n  }\n  if (INCLUDE_CODEX && !registry.get(\"driver\", \"codex\")) {\n    const m = await import(\"@skaile/workspaces/drivers/codex\");\n    registry.register(\"driver\", m.codexDriverTarget);\n  }\n\n  if (registry === pluginRegistry) _driversRegistered = true;\n}\n\n/**\n * Creates a new driver instance for the given backend id.\n *\n * Ensures the built-in driver targets are registered (idempotent), then looks\n * up the target in the plugin registry and calls its `create()`. The returned\n * driver has not been started yet — call `driver.start()` before sending\n * prompts.\n *\n * @param id - Registered driver identifier (e.g. `\"omp\"`, `\"claude-sdk\"`).\n * @param config - Configuration forwarded to the driver constructor.\n * @param ctx - Optional driver context (logger / abort signal). Defaults to `{}`.\n * @returns A freshly constructed (not yet started) {@link AgentDriver}.\n * @throws {Error} When `id` is a known backend excluded from this build, or\n *   when `id` does not match any registered driver at all.\n * @docLink packages/bridge/api-reference#registry\n */\nexport async function createDriver(\n  id: string,\n  config: AgentConfig,\n  ctx?: DriverContext,\n): Promise<AgentDriver> {\n  const target = await resolveDriverTarget(id);\n  return target.create(config, ctx ?? {});\n}\n\n/**\n * Resolve a registered driver target by id, ensuring the built-ins are\n * registered first. Throws the canonical \"not bundled\" / \"unknown driver\"\n * errors so every caller (`createDriver`, `listModelsForDriver`) reports an\n * unrecognized id the same way instead of silently degrading.\n *\n * @throws {Error} When `id` is a known backend excluded from this build, or\n *   when `id` does not match any registered driver at all.\n */\nasync function resolveDriverTarget(id: string) {\n  await registerBuiltinDrivers();\n  const target = pluginRegistry.get(\"driver\", id);\n  if (!target) {\n    if (id in BUILTIN_DRIVER_CATALOG) {\n      throw new Error(`Agent driver \"${id}\" is not bundled in this build.`);\n    }\n    throw new Error(\n      `Unknown agent driver: \"${id}\". Available: ${listDrivers()\n        .map((d) => d.id)\n        .join(\", \")}`,\n    );\n  }\n  return target;\n}\n\n/**\n * Returns the capability metadata for every available driver.\n *\n * Enumerates every built-in backend from {@link BUILTIN_DRIVER_CATALOG} without\n * loading a single driver module or backend SDK, then merges in any third-party\n * driver targets registered into the plugin registry that are not already in\n * the catalog. Use this to populate driver selection UIs.\n *\n * @returns Array of {@link DriverInfo} objects, one per available driver.\n * @docLink packages/bridge/api-reference#registry\n */\nexport function listDrivers(): DriverInfo[] {\n  const merged = new Map<string, DriverInfo>();\n  for (const info of Object.values(BUILTIN_DRIVER_CATALOG)) {\n    merged.set(info.id, info);\n  }\n  for (const meta of pluginRegistry.list(\"driver\")) {\n    if (!merged.has(meta.id)) {\n      // Third-party drivers carry no DriverInfo row; read the capability flags\n      // off the registered target (defaulting to conservative false) so a\n      // model-agnostic / in-band-abort backend can still advertise them.\n      const target = pluginRegistry.get(\"driver\", meta.id);\n      merged.set(meta.id, {\n        id: meta.id,\n        name: meta.displayName,\n        modelAgnostic: target?.modelAgnostic ?? false,\n        supportsInBandAbort: target?.supportsInBandAbort ?? false,\n      });\n    }\n  }\n  return [...merged.values()];\n}\n\n/**\n * List models available to a specific driver without starting a full agent session.\n *\n * Ensures the built-in driver targets are registered (idempotent), then\n * delegates to the target's optional `listModels()`. API keys are forwarded so\n * drivers can authenticate against provider REST APIs if needed. Throws on an\n * unknown / not-bundled id (same contract as {@link createDriver}); returns `[]`\n * only when the target exists but exposes no `listModels`.\n *\n * @param driverId - Registered driver id (e.g. `\"omp\"`, `\"claude-sdk\"`, `\"codex\"`).\n * @param apiKeys - Provider API keys keyed by provider name (e.g. `{ anthropic: \"sk-...\" }`).\n *   Pass `settings.apiKeys ?? {}` from forge-assistant's resolved settings.\n * @throws {Error} When `driverId` is unknown or excluded from this build.\n * @docLink packages/bridge/api-reference#registry\n */\nexport async function listModelsForDriver(\n  driverId: string,\n  apiKeys: Record<string, string>,\n): Promise<ModelEntry[]> {\n  const target = await resolveDriverTarget(driverId);\n  return (await target.listModels?.(apiKeys)) ?? [];\n}\n"]}

package/dist/{chunk-H45ANMIU.js → chunk-APAOQLPT.js}

@@ -1,4 +1,4 @@
-import { resolveSkWorkspaceConfig } from './chunk-5QNQLSBW.js';
+import { resolveSkWorkspaceConfig } from './chunk-J3VKAEQP.js';
 import { createLogger } from './chunk-24UIWON4.js';
 
 // connectors/src/secrets.ts
@@ -302,5 +302,5 @@ function resolveAuthRef(auth, mountId) {
 }
 
 export { EnvSecretProvider, ForgeSecretProvider, InMemorySecretProvider, LegacyAuthGrammarError, LockedSecretProvider, OAuthRequiredError, PreMintedSecretProvider, SecretProviderChain, createCliSecretProviderChain, createForgeSecretProviderChain, loadConnectorDeclarations, resolveAuth, resolveAuthRef, resolveBackendAuthFor };
-//# sourceMappingURL=chunk-H45ANMIU.js.map
-//# sourceMappingURL=chunk-H45ANMIU.js.map
+//# sourceMappingURL=chunk-APAOQLPT.js.map
+//# sourceMappingURL=chunk-APAOQLPT.js.map

package/dist/{chunk-H45ANMIU.js.map → chunk-APAOQLPT.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../connectors/src/secrets.ts","../connectors/src/config.ts"],"names":[],"mappings":";;;;AAUA,IAAM,MAAM,YAAA,CAAa,EAAE,MAAM,WAAA,EAAa,OAAA,EAAS,WAAW,CAAA;AAqD3D,IAAM,yBAAN,MAAoE;AAAA,EACxD,KAAA,uBAAY,GAAA,EAAoB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOjD,UAAU,OAAA,EAAuC;AAC/C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,IAC3B;AAAA,EACF;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAC9D,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,QAAQ,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAEhE,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AACjC,IAAA,IAAI,MAAA,KAAW,QAAW,OAAO,MAAA;AACjC,IAAA,OAAO,GAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,IAAA,EAAM,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,IAAA,EAAO,CAAC,CAAA,CAAE,CAAA;AAAA,EACrD;AACF;AASO,IAAM,oBAAN,MAAkD;AAAA,EACvD,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG,OAAO,QAAQ,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAC3D,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,CAAE,IAAI,CAAC,CAAA,KAAM,CAAA,IAAA,EAAO,CAAC,CAAA,CAAE,CAAA;AAAA,EACvD;AACF;AA0CO,IAAM,0BAAN,MAAwD;AAAA,EAC5C,KAAA,uBAAY,GAAA,EAAiC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAW9D,YAAY,WAAA,EAGT;AACD,IAAA,IAAI,CAAC,WAAA,EAAa;AAClB,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,IAAI,CAAA,IAAK,MAAA,CAAO,QAAQ,WAAA,CAAY,MAAA,IAAU,EAAE,CAAA,EAAG;AACjE,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,MAAA,EAAS,EAAE,IAAI,IAAI,CAAA;AAAA,IACpC;AACA,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,IAAI,CAAA,IAAK,MAAA,CAAO,QAAQ,WAAA,CAAY,UAAA,IAAc,EAAE,CAAA,EAAG;AACrE,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,UAAA,EAAa,EAAE,IAAI,IAAI,CAAA;AAAA,IACxC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,GAAA,CAAI,IAAA,EAA6B,EAAA,EAAY,IAAA,EAAiC;AAC5E,IAAA,IAAA,CAAK,MAAM,GAAA,CAAI,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,EAAE,IAAI,IAAI,CAAA;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,KAAA,CAAM,MAA6B,EAAA,EAAqB;AACtD,IAAA,OAAO,KAAK,KAAA,CAAM,MAAA,CAAO,GAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAA,CAAQ,MAA6B,EAAA,EAA6C;AAChF,IAAA,OAAO,KAAK,KAAA,CAAM,GAAA,CAAI,GAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AAAA,EACvC;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,EAAE,IAAI,UAAA,CAAW,QAAQ,KAAK,GAAA,CAAI,UAAA,CAAW,YAAY,CAAA,CAAA,EAAI,OAAO,MAAA;AACxE,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAC/B,IAAA,OAAO,IAAA,EAAM,EAAA,GAAK,IAAA,CAAK,KAAA,GAAQ,MAAA;AAAA,EACjC;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,SAAS,CAAA,CAAE,OAAO,CAAC,GAAG,CAAC,CAAA,KAAM,EAAE,EAAE,CAAA,CAAE,IAAI,CAAC,CAAC,CAAC,CAAA,KAAM,CAAC,CAAA;AAAA,EACzE;AACF;AAQO,IAAM,sBAAN,MAAiE;AAAA,EACrD,KAAA,uBAAY,GAAA,EAAoB;AAAA,EAEjD,UAAU,OAAA,EAAuC;AAC/C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,IAC3B;AAAA,EACF;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,QAAQ,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAChE,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,IAAA,EAAM,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,MAAA,EAAS,CAAC,CAAA,CAAE,CAAA;AAAA,EACvD;AACF;AAOO,IAAM,kBAAA,GAAN,cAAiC,KAAA,CAAM;AAAA,EACnC,QAAA;AAAA,EACA,OAAA;AAAA,EACA,KAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOT,WAAA,CAAY,QAAA,EAAkB,OAAA,EAAiB,KAAA,EAAe;AAC5D,IAAA,KAAA,CAAM,CAAA,iCAAA,EAAoC,QAAQ,CAAA,CAAE,CAAA;AACpD,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AAAA,EACf;AACF;AA+CO,IAAe,uBAAf,MAA8D;AAAA,EACnE,MAAA,GAAS,IAAA;AAAA,EACU,KAAA,uBAAY,GAAA,EAAoB;AAAA,EAGnD,MAAM,OAAO,UAAA,EAAmC;AAC9C,IAAA,MAAM,IAAA,CAAK,SAAS,UAAU,CAAA;AAC9B,IAAA,IAAA,CAAK,MAAA,GAAS,KAAA;AAAA,EAChB;AAAA,EAIA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,IAAA,CAAK,QAAQ,OAAO,MAAA;AACxB,IAAA,IAAI,CAAC,GAAA,CAAI,UAAA,CAAW,IAAA,CAAK,MAAM,GAAG,OAAO,MAAA;AACzC,IAAA,OAAO,IAAA,CAAK,MAAM,GAAA,CAAI,GAAA,CAAI,MAAM,IAAA,CAAK,MAAA,CAAO,MAAM,CAAC,CAAA;AAAA,EACrD;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,OAAO,EAAC;AACzB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,MAAM,CAAA,CAAE,GAAA,CAAI,CAAC,MAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,EAAG,CAAC,CAAA,CAAE,CAAA;AAAA,EAC/D;AACF;AAIA,IAAM,cAAA,GAAiB,CAAC,MAAA,EAAQ,QAAA,EAAU,OAAO,KAAA,EAAO,QAAA,EAAU,UAAU,YAAY,CAAA;AAExF,SAAS,UAAU,GAAA,EAAiC;AAClD,EAAA,OAAO,eAAe,IAAA,CAAK,CAAC,MAAM,GAAA,CAAI,UAAA,CAAW,CAAC,CAAC,CAAA;AACrD;AASO,IAAM,sBAAN,MAAoD;AAAA;AAAA;AAAA;AAAA;AAAA,EAKzD,YAA6B,SAAA,EAA6B;AAA7B,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAAA,EAA8B;AAAA,EAA9B,SAAA;AAAA,EAE7B,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,MAAM,MAAA,GAAS,UAAU,GAAG,CAAA;AAC5B,IAAA,GAAA,CAAI,MAAM,gBAAA,EAAkB,EAAE,KAAK,MAAA,EAAQ,MAAA,IAAU,UAAU,CAAA;AAC/D,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,QAAA,MAAM,GAAA,GAAM,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA;AACzB,QAAA,IAAI,GAAA,KAAQ,QAAW,OAAO,GAAA;AAAA,MAChC;AACA,MAAA,GAAA,CAAI,IAAA,CAAK,uBAAA,EAAyB,EAAE,GAAA,EAAK,CAAA;AACzC,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,MAAA,MAAM,GAAA,GAAM,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA;AACzB,MAAA,IAAI,GAAA,KAAQ,QAAW,OAAO,GAAA;AAAA,IAChC;AACA,IAAA,GAAA,CAAI,IAAA,CAAK,uBAAA,EAAyB,EAAE,GAAA,EAAK,CAAA;AACzC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,MAAM,GAAA,GAAM,KAAK,SAAA,CAAU,OAAA,CAAQ,CAAC,CAAA,KAAM,CAAA,CAAE,cAAc,CAAA;AAC1D,IAAA,OAAO,CAAC,GAAG,IAAI,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,EACzB;AAAA;AAAA,EAGA,YAAY,GAAA,EAAyC;AACnD,IAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,MAAA,IAAI,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA,KAAM,QAAW,OAAO,CAAA;AAAA,IAC3C;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,WAAW,GAAA,EAA4B;AAC3C,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,WAAA,CAAY,GAAG,CAAA;AAClC,IAAA,IACE,SACA,aAAA,IAAiB,KAAA,IACjB,OAAQ,KAAA,CAA8B,gBAAgB,UAAA,EACtD;AACA,MAAA,IAAI;AACF,QAAA,MAAO,KAAA,CAA8B,YAAY,GAAG,CAAA;AAAA,MACtD,SAAS,GAAA,EAAK;AACZ,QAAA,GAAA,CAAI,KAAA,CAAM,oCAAA,EAAsC,GAAA,EAAK,EAAE,KAAK,CAAA;AAC5D,QAAA,MAAM,GAAA;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;;;AChaO,SAAS,0BAA0B,UAAA,EAA4C;AACpF,EAAA,MAAM,MAAA,GAAS,yBAAyB,UAAU,CAAA;AAGlD,EAAA,IAAI,MAAA,CAAO,MAAA,IAAU,MAAA,CAAO,MAAA,CAAO,SAAS,CAAA,EAAG;AAC7C,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,OAAO,UAAA,IAAc,MAAA,CAAO,WAAW,MAAA,KAAW,CAAA,SAAU,EAAC;AAClE,EAAA,OAAO,MAAA,CAAO,UAAA,CAAW,GAAA,CAAI,+BAA+B,CAAA;AAC9D;AAEA,SAAS,gCAAgC,CAAA,EAA6C;AACpF,EAAA,MAAM,IAAA,GAA6B;AAAA,IACjC,IAAI,CAAA,CAAE,EAAA;AAAA,IACN,QAAQ,CAAA,CAAE,MAAA;AAAA,IACV,MAAA,EAAQ,EAAE,MAAA,IAAU,WAAA;AAAA,IACpB,MAAM,CAAA,CAAE,IAAA;AAAA,IACR,SAAS,CAAA,CAAE;AAAA,GACb;AAGA,EAAA,IAAI,EAAE,KAAA,EAAO;AACX,IAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,MACX,MAAA,EAAQ,EAAE,KAAA,CAAM,MAAA;AAAA,MAChB,MAAA,EAAQ,EAAE,KAAA,CAAM,MAAA;AAAA,MAChB,KAAA,EAAO,EAAE,KAAA,CAAM,KAAA;AAAA,MACf,iBAAA,EAAmB,EAAE,KAAA,CAAM,iBAAA;AAAA,MAC3B,cAAA,EAAgB,EAAE,KAAA,CAAM;AAAA,KAC1B;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;AAcO,SAAS,8BAAA,CACd,aAAA,EACA,cAAA,GAAmC,EAAC,EACf;AACrB,EAAA,OAAO,IAAI,oBAAoB,CAAC,GAAG,gBAAgB,aAAA,EAAe,IAAI,iBAAA,EAAmB,CAAC,CAAA;AAC5F;AASO,SAAS,4BAAA,CACd,YAAA,GAAuC,EAAC,EACnB;AACrB,EAAA,MAAM,GAAA,GAAM,IAAI,sBAAA,EAAuB;AACvC,EAAA,IAAI,MAAA,CAAO,IAAA,CAAK,YAAY,CAAA,CAAE,SAAS,CAAA,EAAG;AACxC,IAAA,GAAA,CAAI,UAAU,YAAY,CAAA;AAAA,EAC5B;AACA,EAAA,OAAO,IAAI,mBAAA,CAAoB,CAAC,IAAI,iBAAA,EAAkB,EAAG,GAAG,CAAC,CAAA;AAC/D;AAWO,SAAS,WAAA,CACd,MACA,OAAA,EACoB;AACpB,EAAA,IAAI,CAAC,MAAM,OAAO,MAAA;AAClB,EAAA,IAAI,OAAA,EAAS,OAAO,OAAA,CAAQ,OAAA,CAAQ,IAAI,CAAA;AACxC,EAAA,IAAI,IAAA,CAAK,UAAA,CAAW,MAAM,CAAA,EAAG;AAC3B,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA;AAC3B,IAAA,OAAO,OAAA,CAAQ,IAAI,MAAM,CAAA;AAAA,EAC3B;AACA,EAAA,OAAO,IAAA;AACT;AA0CO,IAAM,sBAAA,GAAN,cAAqC,KAAA,CAAM;AAAA,EACvC,IAAA;AAAA,EACT,WAAA,CAAY,MAAc,OAAA,EAAkB;AAC1C,IAAA,MAAM,KAAA,GAAQ,OAAA,GAAU,CAAA,WAAA,EAAc,OAAO,CAAA,CAAA,CAAA,GAAM,EAAA;AACnD,IAAA,KAAA;AAAA,MACE,CAAA,mCAAA,EAAsC,KAAK,CAAA,GAAA,EAAM,IAAI,CAAA;AAAA;AAAA;AAAA,4DAAA;AAAA,KAKvD;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,wBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,EACd;AACF;AAmBO,SAAS,qBAAA,CACd,IAAA,EACA,EAAA,EACA,KAAA,EACoB;AACpB,EAAA,IAAI,CAAC,OAAO,OAAO,MAAA;AACnB,EAAA,OAAO,MAAM,OAAA,CAAQ,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AACtC;AAmBO,SAAS,cAAA,CACd,MACA,OAAA,EAC0B;AAC1B,EAAA,IAAI,CAAC,MAAM,OAAO,MAAA;AAElB,EAAA,IAAI,SAAS,SAAA,EAAW;AACtB,IAAA,OAAO,EAAE,IAAA,EAAM,SAAA,EAAW,KAAA,EAAO,EAAA,EAAI,KAAK,IAAA,EAAK;AAAA,EACjD;AACA,EAAA,IAAI,IAAA,CAAK,UAAA,CAAW,MAAM,CAAA,EAAG;AAC3B,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,KAAA,EAAO,IAAA,CAAK,MAAM,MAAA,CAAO,MAAM,CAAA,EAAG,GAAA,EAAK,IAAA,EAAK;AAAA,EACpE;AAIA,EAAA,MAAM,IAAI,sBAAA,CAAuB,IAAA,EAAM,OAAO,CAAA;AAChD","file":"chunk-H45ANMIU.js","sourcesContent":["/**\n * Secret provider abstraction.\n *\n * Decouples credential resolution from process.env so secrets can be\n * provisioned over the transport bridge instead of living in the\n * container's environment.\n */\n\nimport { createLogger } from \"@skaile/workspaces/core/logging\";\n\nconst log = createLogger({ kind: \"connector\", subkind: \"secrets\" });\n\n// ── Interfaces ──────────────────────────────────────────────────────────────\n\n/**\n * Read-only secret resolution. Adapters receive this interface.\n * @docLink packages/connectors/api-reference#secret-provider\n */\nexport interface SecretProvider {\n  /**\n   * Resolve a credential reference.\n   *\n   * @param ref - Credential reference such as \"env:GIT_TOKEN\",\n   *   \"oauth:google:user@example.com\", or an inline literal.\n   * @returns The resolved secret value or undefined if not found.\n   */\n  resolve(ref: string): string | undefined;\n  /**\n   * Check whether a reference can be resolved.\n   *\n   * @param ref - Reference to check.\n   * @returns True if resolve(ref) would return a non-undefined value.\n   */\n  has(ref: string): boolean;\n  /**\n   * Return all ref strings this provider can currently resolve.\n   *\n   * @returns All resolvable refs (used by forge UI and ConnectorFieldMissingError).\n   */\n  capabilities(): string[];\n}\n\n/**\n * Extends `SecretProvider` with the ability to load secrets at runtime via `provision()`.\n * @docLink packages/connectors/api-reference#provisionable-secret-provider\n */\nexport interface ProvisionableSecretProvider extends SecretProvider {\n  /** Store a batch of key-value secrets. Keys are bare names (no prefix). */\n  provision(secrets: Record<string, string>): void;\n}\n\n// ── Implementations ─────────────────────────────────────────────────────────\n\n/**\n * In-memory secret store. Secrets are provisioned over the transport bridge\n * and stored in a private Map — never touching the filesystem or process.env.\n *\n * Supports ref prefixes:\n *   `\"env:KEY\"`   — looks up KEY in the store\n *   `\"vault:KEY\"` — looks up KEY in the store (future vault compat)\n *   (no prefix)   — returned as an inline value (backwards compat for non-chain usages)\n * @docLink packages/connectors/api-reference#in-memory-secret-provider\n */\nexport class InMemorySecretProvider implements ProvisionableSecretProvider {\n  private readonly store = new Map<string, string>();\n\n  /**\n   * Store a batch of key-value secrets.\n   *\n   * @param secrets - Key-value map of secret names to values. Keys are bare names (no prefix).\n   */\n  provision(secrets: Record<string, string>): void {\n    for (const [key, value] of Object.entries(secrets)) {\n      this.store.set(key, value);\n    }\n  }\n\n  resolve(ref: string): string | undefined {\n    if (!ref) return undefined;\n    if (ref.startsWith(\"env:\")) return this.store.get(ref.slice(4));\n    if (ref.startsWith(\"vault:\")) return this.store.get(ref.slice(6));\n    // Bare key: check store first, then fall back to inline literal\n    const stored = this.store.get(ref);\n    if (stored !== undefined) return stored;\n    return ref;\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    return [...this.store.keys()].map((k) => `env:${k}`);\n  }\n}\n\n/**\n * Delegates to `process.env`. Used in CLI/standalone mode.\n * Does NOT pass through inline literals — returns `undefined` for any ref\n * that does not start with `\"env:\"`. Use `InMemorySecretProvider` for inline\n * literals in non-chain contexts.\n * @docLink packages/connectors/api-reference#env-secret-provider\n */\nexport class EnvSecretProvider implements SecretProvider {\n  resolve(ref: string): string | undefined {\n    if (!ref) return undefined;\n    if (ref.startsWith(\"env:\")) return process.env[ref.slice(4)];\n    return undefined; // no inline passthrough\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    return Object.keys(process.env).map((k) => `env:${k}`);\n  }\n}\n\n/**\n * Pre-minted credential entry. Mirrors the discriminated `CredentialMint`\n * shape from `@skaile/workspaces/types` but redeclared here to keep this package\n * free of cross-package type dependencies.\n *\n * The failure branch carries the platform-side `code` + `message` so the\n * `ConnectorManager`'s wrapped mediator can surface the real reason instead of\n * a generic \"no pre-mint\" placeholder when a mint comes back as `ok: false`.\n */\nexport type PreMintedCredential =\n  | { ok: true; token: string; expiresAt: string | null; mintedAt?: string }\n  | {\n      ok: false;\n      code?: \"not-configured\" | \"revoked\" | \"provider-error\" | \"backend-error\";\n      message?: string;\n    };\n\n/**\n * Pre-minted credential store. Holds short-lived tokens delivered upfront in\n * the v3 `session_init` envelope so the runner never has to call back to the\n * platform during mount setup.\n *\n * Resolves refs of the form `mount:<id>` and `connector:<id>`. Returns\n * `undefined` for any other ref so the chain falls through to the next\n * provider (`EnvSecretProvider` for `pat:env:NAME`, etc.).\n *\n * Tokens can be added/removed at runtime via {@link set} / {@link unset} so\n * `runner.add_mount` / `runner.add_connector` / `runner.update_credential`\n * capabilities stay strictly in-process — no round trip to the platform to\n * mint while the mount is hot-attached.\n *\n * For callers that need the full mint metadata (expiry timestamp, mintedAt\n * audit fields), use {@link mintFor} instead of the bare `resolve`. The\n * `ConnectorManager` consults this for the `auth: backend` initial-mint path so\n * the driver retains the original expiry semantics.\n *\n * Spec: `_devlog/specs/2026-05-10-deterministic-session-bootstrap.md`.\n *\n * @docLink packages/connectors/api-reference#pre-minted-secret-provider\n */\nexport class PreMintedSecretProvider implements SecretProvider {\n  private readonly mints = new Map<string, PreMintedCredential>();\n\n  /**\n   * Seed pre-minted credentials from the v3 `session_init.credentials` map.\n   *\n   * Failed mints (`ok: false`) are stored too so callers can distinguish\n   * \"not pre-minted\" from \"pre-minted but failed\"; {@link resolve} treats\n   * both as `undefined`.\n   *\n   * @param credentials Optional initial `{ mounts, connectors }` map.\n   */\n  constructor(credentials?: {\n    mounts?: Record<string, PreMintedCredential>;\n    connectors?: Record<string, PreMintedCredential>;\n  }) {\n    if (!credentials) return;\n    for (const [id, mint] of Object.entries(credentials.mounts ?? {})) {\n      this.mints.set(`mount:${id}`, mint);\n    }\n    for (const [id, mint] of Object.entries(credentials.connectors ?? {})) {\n      this.mints.set(`connector:${id}`, mint);\n    }\n  }\n\n  /**\n   * Insert (or replace) a pre-minted credential. Used by\n   * `runner.add_mount` / `runner.add_connector` / `runner.update_credential`\n   * capability handlers when the platform delivers new credentials\n   * mid-session.\n   */\n  set(kind: \"mount\" | \"connector\", id: string, mint: PreMintedCredential): void {\n    this.mints.set(`${kind}:${id}`, mint);\n  }\n\n  /**\n   * Remove a stored pre-minted credential. Used by the\n   * `runner.remove_resource` capability handler.\n   */\n  unset(kind: \"mount\" | \"connector\", id: string): boolean {\n    return this.mints.delete(`${kind}:${id}`);\n  }\n\n  /**\n   * Look up the full {@link PreMintedCredential} for a `mount:` /\n   * `connector:` keyed entry. Callers that only need the token use\n   * {@link resolve} via the chain; callers that need expiry / audit\n   * metadata (e.g. ConnectorManager) use this entry point.\n   */\n  mintFor(kind: \"mount\" | \"connector\", id: string): PreMintedCredential | undefined {\n    return this.mints.get(`${kind}:${id}`);\n  }\n\n  resolve(ref: string): string | undefined {\n    if (!ref) return undefined;\n    if (!(ref.startsWith(\"mount:\") || ref.startsWith(\"connector:\"))) return undefined;\n    const mint = this.mints.get(ref);\n    return mint?.ok ? mint.token : undefined;\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    return [...this.mints.entries()].filter(([, m]) => m.ok).map(([k]) => k);\n  }\n}\n\n/**\n * Forge session secret provider. Secrets are provisioned from the Forge settings\n * panel over the transport bridge. Only handles `\"forge:\"` prefixed refs — returns\n * `undefined` for all others.\n * @docLink packages/connectors/api-reference#forge-secret-provider\n */\nexport class ForgeSecretProvider implements ProvisionableSecretProvider {\n  private readonly store = new Map<string, string>();\n\n  provision(secrets: Record<string, string>): void {\n    for (const [key, value] of Object.entries(secrets)) {\n      this.store.set(key, value);\n    }\n  }\n\n  resolve(ref: string): string | undefined {\n    if (!ref) return undefined;\n    if (ref.startsWith(\"forge:\")) return this.store.get(ref.slice(6));\n    return undefined;\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    return [...this.store.keys()].map((k) => `forge:${k}`);\n  }\n}\n\n/**\n * Thrown when an OAuth-secured connector field requires user authorization before\n * it can be resolved. Contains the redirect URL to open in the user's browser.\n * @docLink packages/connectors/api-reference#o-auth-required-error\n */\nexport class OAuthRequiredError extends Error {\n  readonly oauthRef: string;\n  readonly authUrl: string;\n  readonly state: string;\n\n  /**\n   * @param oauthRef - The 'oauth:<service>:<account>' ref that triggered the error\n   * @param authUrl - Browser URL to open for OAuth authorization\n   * @param state - OAuth state token for CSRF protection and callback correlation\n   */\n  constructor(oauthRef: string, authUrl: string, state: string) {\n    super(`OAuth authorization required for ${oauthRef}`);\n    this.name = \"OAuthRequiredError\";\n    this.oauthRef = oauthRef;\n    this.authUrl = authUrl;\n    this.state = state;\n  }\n}\n\n/**\n * Shape of an OAuth token bundle stored by `OAuthSecretProvider`.\n * @docLink packages/connectors/api-reference#o-auth-token-bundle\n */\nexport interface OAuthTokenBundle {\n  accessToken: string;\n  refreshToken?: string;\n  /** Unix timestamp in ms */\n  expiry?: number;\n}\n\n/**\n * Return value of `OAuthSecretProvider.initiateFlow()`. Contains the URL and CSRF state token.\n * @docLink packages/connectors/api-reference#o-auth-flow-request\n */\nexport interface OAuthFlowRequest {\n  authUrl: string;\n  state: string;\n}\n\n/**\n * OAuth token provider. Handles `\"oauth:<service>:<account>\"` refs.\n * Callers must call `chain.prepareRef()` before `chain.resolve()` for `oauth:` refs.\n * @docLink packages/connectors/api-reference#o-auth-secret-provider\n */\nexport interface OAuthSecretProvider extends SecretProvider {\n  /**\n   * Ensure the token for this ref is fresh.\n   * Refreshes if expired.\n   * Throws OAuthRequiredError if no token exists and user authorization is needed.\n   */\n  ensureFresh(ref: string): Promise<void>;\n\n  /** Initiate the OAuth authorization flow. Returns URL to open in the user's browser. */\n  initiateFlow(oauthService: string, account: string): Promise<OAuthFlowRequest>;\n\n  /** Exchange authorization code for tokens and store the bundle. */\n  completeFlow(state: string, code: string): Promise<void>;\n}\n\n/**\n * Abstract base for vault-backed secret providers (1Password, KeePass). Subclasses\n * implement `prefix` and `loadKeys()`. Locked until `unlock(credential)` is called.\n * @docLink packages/connectors/api-reference#locked-secret-provider\n */\nexport abstract class LockedSecretProvider implements SecretProvider {\n  locked = true;\n  protected readonly store = new Map<string, string>();\n  abstract readonly prefix: string;\n\n  async unlock(credential: string): Promise<void> {\n    await this.loadKeys(credential);\n    this.locked = false;\n  }\n\n  protected abstract loadKeys(credential: string): Promise<void>;\n\n  resolve(ref: string): string | undefined {\n    if (this.locked) return undefined;\n    if (!ref.startsWith(this.prefix)) return undefined;\n    return this.store.get(ref.slice(this.prefix.length));\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    if (this.locked) return [];\n    return [...this.store.keys()].map((k) => `${this.prefix}${k}`);\n  }\n}\n\n// ── Known provider prefixes ──────────────────────────────────────────────────\n\nconst KNOWN_PREFIXES = [\"env:\", \"forge:\", \"op:\", \"kp:\", \"oauth:\", \"mount:\", \"connector:\"] as const;\n\nfunction getPrefix(ref: string): string | undefined {\n  return KNOWN_PREFIXES.find((p) => ref.startsWith(p));\n}\n\n/**\n * Chains multiple `SecretProvider` instances into a single resolver.\n * - Prefixed refs (`env:`, `forge:`, `op:`, `kp:`, `oauth:`) are routed to the first provider that can resolve them.\n * - Bare refs waterfall through all providers in order.\n * - Plain literals in `skaile.yaml` options are NOT passed to the chain; `ConnectorManager` handles them before calling `resolve()`.\n * @docLink packages/connectors/api-reference#secret-provider-chain\n */\nexport class SecretProviderChain implements SecretProvider {\n  /**\n   * @param providers - Ordered list of providers. For prefixed refs, the first\n   *   provider that can resolve wins. For bare refs, waterfall through all in order.\n   */\n  constructor(private readonly providers: SecretProvider[]) {}\n\n  resolve(ref: string): string | undefined {\n    if (!ref) return undefined;\n    const prefix = getPrefix(ref);\n    log.debug(\"resolve secret\", { ref, prefix: prefix ?? \"(bare)\" });\n    if (prefix) {\n      for (const p of this.providers) {\n        const val = p.resolve(ref);\n        if (val !== undefined) return val;\n      }\n      log.warn(\"secret not resolvable\", { ref });\n      return undefined;\n    }\n    // Waterfall for bare refs\n    for (const p of this.providers) {\n      const val = p.resolve(ref);\n      if (val !== undefined) return val;\n    }\n    log.warn(\"secret not resolvable\", { ref });\n    return undefined;\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    const all = this.providers.flatMap((p) => p.capabilities());\n    return [...new Set(all)];\n  }\n\n  /** Returns the first provider that can resolve this ref. */\n  providerFor(ref: string): SecretProvider | undefined {\n    for (const p of this.providers) {\n      if (p.resolve(ref) !== undefined) return p;\n    }\n    return undefined;\n  }\n\n  /**\n   * Calls ensureFresh(ref) on the owning provider if it implements OAuthSecretProvider.\n   * No-op for providers that don't have ensureFresh().\n   *\n   * @param ref - Must be an \"oauth:\" prefixed ref for this to have any effect.\n   *   Calls ensureFresh() on the owning OAuthSecretProvider.\n   */\n  async prepareRef(ref: string): Promise<void> {\n    const owner = this.providerFor(ref);\n    if (\n      owner &&\n      \"ensureFresh\" in owner &&\n      typeof (owner as OAuthSecretProvider).ensureFresh === \"function\"\n    ) {\n      try {\n        await (owner as OAuthSecretProvider).ensureFresh(ref);\n      } catch (err) {\n        log.error(\"secret provider ensureFresh failed\", err, { ref });\n        throw err;\n      }\n    }\n  }\n}\n","/**\n * Load connector declarations from skaile.yaml.\n *\n * The top-level `mounts:` key is no longer accepted (hard cut as of Task 11).\n * Filesystem-projected backends must be declared under `connectors:` with a\n * `mount:` sub-block. See `docs/migration-mounts-to-connectors.md`.\n */\n\nimport type { ConnectorDeclaration as WorkspaceConnector } from \"@skaile/workspaces/core\";\nimport { resolveSkWorkspaceConfig } from \"@skaile/workspaces/core\";\nimport type { ConnectorDeclaration } from \"./connector-types.js\";\n\n/**\n * Read `skaile.yaml` in `projectDir` and return all declared connectors as `ConnectorDeclaration[]`.\n *\n * Throws a migration error when the legacy top-level `mounts:` key is present.\n *\n * @param projectDir - Root of the workspace (directory containing `skaile.yaml`).\n * @returns Array of connector declarations, or an empty array if none are declared.\n * @docLink packages/connectors/api-reference#load-connector-declarations\n */\nexport function loadConnectorDeclarations(projectDir: string): ConnectorDeclaration[] {\n  const config = resolveSkWorkspaceConfig(projectDir);\n\n  // Hard cut: reject legacy top-level `mounts:` key with an actionable message.\n  if (config.mounts && config.mounts.length > 0) {\n    throw new Error(\n      \"'mounts:' is no longer supported — move entries under 'connectors:' with a 'mount:' sub-block. See docs/migration-mounts-to-connectors.md\",\n    );\n  }\n\n  if (!config.connectors || config.connectors.length === 0) return [];\n  return config.connectors.map(workspaceConnectorToDeclaration);\n}\n\nfunction workspaceConnectorToDeclaration(c: WorkspaceConnector): ConnectorDeclaration {\n  const decl: ConnectorDeclaration = {\n    id: c.id,\n    driver: c.driver,\n    access: c.access ?? \"read-only\",\n    auth: c.auth,\n    options: c.options,\n  };\n\n  // Map the optional mount sub-block when present.\n  if (c.mount) {\n    decl.mount = {\n      source: c.mount.source,\n      target: c.mount.target,\n      watch: c.mount.watch,\n      exposeAccessToken: c.mount.exposeAccessToken,\n      accessTokenTTL: c.mount.accessTokenTTL,\n    };\n  }\n\n  return decl;\n}\n\nimport type { ForgeSecretProvider, SecretProvider } from \"./secrets.js\";\nimport { EnvSecretProvider, InMemorySecretProvider, SecretProviderChain } from \"./secrets.js\";\n\n/**\n * Build a `SecretProviderChain` for Forge session context.\n * `OAuthSecretProvider` is not wired here — it must be provided externally\n * (the Forge session manager constructs it and passes it in).\n * @param forgeProvider - The Forge-provisioned secret store.\n * @param extraProviders - Additional providers prepended to the chain (e.g. an OAuth provider).\n * @returns A chain that routes `forge:` refs to the Forge store and `env:` refs to process.env.\n * @docLink packages/connectors/api-reference#create-forge-secret-provider-chain\n */\nexport function createForgeSecretProviderChain(\n  forgeProvider: ForgeSecretProvider,\n  extraProviders: SecretProvider[] = [],\n): SecretProviderChain {\n  return new SecretProviderChain([...extraProviders, forgeProvider, new EnvSecretProvider()]);\n}\n\n/**\n * Build a `SecretProviderChain` for CLI/standalone context.\n * `EnvSecretProvider` takes priority; `extraSecrets` are loaded into an `InMemorySecretProvider`.\n * @param extraSecrets - Inline secrets injected into memory (e.g. tokens passed via CLI flags).\n * @returns A chain that resolves `env:` refs from process.env plus any inline extras.\n * @docLink packages/connectors/api-reference#create-cli-secret-provider-chain\n */\nexport function createCliSecretProviderChain(\n  extraSecrets: Record<string, string> = {},\n): SecretProviderChain {\n  const mem = new InMemorySecretProvider();\n  if (Object.keys(extraSecrets).length > 0) {\n    mem.provision(extraSecrets);\n  }\n  return new SecretProviderChain([new EnvSecretProvider(), mem]);\n}\n\n/**\n * Resolve a credential reference using a `SecretProvider`, or fall back to `env:NAME` lookup.\n * @param auth - Credential reference (e.g. `\"env:GIT_TOKEN\"`).\n * @param secrets - Optional provider; falls back to `process.env` if omitted.\n * @returns Resolved secret value or `undefined`.\n * @deprecated Use `SecretProviderChain.resolve()` instead.\n * @docLink packages/connectors/api-reference#resolve-auth\n */\n// @TODO: Code-Review: deprecated shim kept for backward compat — remove once all callers migrate to SecretProviderChain.resolve()\nexport function resolveAuth(\n  auth: string | undefined,\n  secrets?: import(\"./secrets.js\").SecretProvider,\n): string | undefined {\n  if (!auth) return undefined;\n  if (secrets) return secrets.resolve(auth);\n  if (auth.startsWith(\"env:\")) {\n    const envVar = auth.slice(4);\n    return process.env[envVar];\n  }\n  return auth;\n}\n\n// ── Auth grammar (mount-side, Tier 2 credential tiers) ───────────────────────\n\n/**\n * Provider kind for a mount auth ref.\n *\n * Two values are accepted:\n *   - `pat`     — static personal access token resolved via the secrets chain\n *                 (standalone CLI / non-platform contexts).\n *   - `backend` — token minted by the platform's credential mediator over the\n *                 transport (`request_access_token` round-trip). Provider\n *                 dispatch (OAuth, GitHub App, ...) lives backend-side; the\n *                 runner stays provider-agnostic.\n *\n * @docLink packages/connectors/api-reference#mount-auth-kind\n */\nexport type MountAuthKind = \"pat\" | \"backend\";\n\n/**\n * Parsed mount `auth:` field.\n *\n *   - `pat`     → `value` is the inner secret ref (e.g. `env:NAME`).\n *   - `backend` → `value` is empty (sentinel only); the runner asks the\n *                 backend for tokens via `request_access_token`.\n *\n * @docLink packages/connectors/api-reference#mount-auth-ref\n */\nexport interface MountAuthRef {\n  kind: MountAuthKind;\n  /** Prefix-stripped payload — see kind for shape. Empty for `backend`. */\n  value: string;\n  /** Original auth string from the declaration, kept for diagnostics. */\n  raw: string;\n}\n\n/**\n * Thrown when a mount declaration's `auth:` field uses the legacy bare `env:NAME` grammar\n * or any other unrecognized form. Migrate to `pat:env:NAME` (standalone) or `backend`\n * (platform-mediated).\n * @docLink packages/connectors/api-reference#legacy-auth-grammar-error\n */\nexport class LegacyAuthGrammarError extends Error {\n  readonly auth: string;\n  constructor(auth: string, mountId?: string) {\n    const where = mountId ? ` on mount '${mountId}'` : \"\";\n    super(\n      `Legacy or unrecognized auth grammar${where} ('${auth}'). ` +\n        `Replace with one of:\\n` +\n        `  - backend                  (platform-mediated, recommended)\\n` +\n        `  - pat:env:NAME             (standalone CLI / static token)\\n` +\n        `See _devlog/specs/2026-05-06-tier-2-credential-mediation.md.`,\n    );\n    this.name = \"LegacyAuthGrammarError\";\n    this.auth = auth;\n  }\n}\n\n/**\n * Resolve the `auth: backend` initial mint for a given mount or connector id\n * by querying the secrets chain with a `${kind}:${id}` ref. Returns the\n * resolved bearer token or `undefined` if no pre-minted credential is\n * available.\n *\n * Used by the runner when wiring `ConnectorManager` to\n * answer initial-mint requests from `PreMintedSecretProvider` without\n * round-tripping to the platform. Drivers continue to receive a\n * `tokenMediator` for refresh + retry-401 paths.\n *\n * @param kind Resource family (`mount` or `connector`).\n * @param id Resource declaration id.\n * @param chain Secrets chain. Pass `undefined` to return `undefined`.\n * @returns The pre-minted token, or `undefined` if not stored on the chain.\n * @docLink packages/connectors/api-reference#resolve-backend-auth-for\n */\nexport function resolveBackendAuthFor(\n  kind: \"mount\" | \"connector\",\n  id: string,\n  chain: import(\"./secrets.js\").SecretProvider | undefined,\n): string | undefined {\n  if (!chain) return undefined;\n  return chain.resolve(`${kind}:${id}`);\n}\n\n/**\n * Parse a mount-side auth ref into a typed `MountAuthRef`.\n *\n * Accepted forms:\n *   - `backend`      — platform-mediated mint via `request_access_token`.\n *   - `pat:env:NAME` — static PAT resolved from the secrets chain.\n *\n * Rejects bare `env:NAME` (legacy) and provider-prefixed grammars (`oauth:`,\n * `github-app:`) — those moved backend-side as part of Tier-2 mediation.\n * Returns `undefined` when `auth` is absent or empty.\n *\n * @param auth - Raw `auth:` value from the mount declaration.\n * @param mountId - Optional mount id included in error messages.\n * @returns Parsed `MountAuthRef` or `undefined`.\n * @throws {LegacyAuthGrammarError} for any unrecognized grammar.\n * @docLink packages/connectors/api-reference#resolve-auth-ref\n */\nexport function resolveAuthRef(\n  auth: string | undefined,\n  mountId?: string,\n): MountAuthRef | undefined {\n  if (!auth) return undefined;\n\n  if (auth === \"backend\") {\n    return { kind: \"backend\", value: \"\", raw: auth };\n  }\n  if (auth.startsWith(\"pat:\")) {\n    return { kind: \"pat\", value: auth.slice(\"pat:\".length), raw: auth };\n  }\n\n  // Legacy bare `env:NAME` and the deprecated provider-prefixed grammars\n  // (`oauth:`, `github-app:`) all land here.\n  throw new LegacyAuthGrammarError(auth, mountId);\n}\n"]}
+{"version":3,"sources":["../connectors/src/secrets.ts","../connectors/src/config.ts"],"names":[],"mappings":";;;;AAUA,IAAM,MAAM,YAAA,CAAa,EAAE,MAAM,WAAA,EAAa,OAAA,EAAS,WAAW,CAAA;AAqD3D,IAAM,yBAAN,MAAoE;AAAA,EACxD,KAAA,uBAAY,GAAA,EAAoB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOjD,UAAU,OAAA,EAAuC;AAC/C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,IAC3B;AAAA,EACF;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAC9D,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,QAAQ,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAEhE,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AACjC,IAAA,IAAI,MAAA,KAAW,QAAW,OAAO,MAAA;AACjC,IAAA,OAAO,GAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,IAAA,EAAM,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,IAAA,EAAO,CAAC,CAAA,CAAE,CAAA;AAAA,EACrD;AACF;AASO,IAAM,oBAAN,MAAkD;AAAA,EACvD,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG,OAAO,QAAQ,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAC3D,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,CAAE,IAAI,CAAC,CAAA,KAAM,CAAA,IAAA,EAAO,CAAC,CAAA,CAAE,CAAA;AAAA,EACvD;AACF;AA0CO,IAAM,0BAAN,MAAwD;AAAA,EAC5C,KAAA,uBAAY,GAAA,EAAiC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAW9D,YAAY,WAAA,EAGT;AACD,IAAA,IAAI,CAAC,WAAA,EAAa;AAClB,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,IAAI,CAAA,IAAK,MAAA,CAAO,QAAQ,WAAA,CAAY,MAAA,IAAU,EAAE,CAAA,EAAG;AACjE,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,MAAA,EAAS,EAAE,IAAI,IAAI,CAAA;AAAA,IACpC;AACA,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,IAAI,CAAA,IAAK,MAAA,CAAO,QAAQ,WAAA,CAAY,UAAA,IAAc,EAAE,CAAA,EAAG;AACrE,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,UAAA,EAAa,EAAE,IAAI,IAAI,CAAA;AAAA,IACxC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,GAAA,CAAI,IAAA,EAA6B,EAAA,EAAY,IAAA,EAAiC;AAC5E,IAAA,IAAA,CAAK,MAAM,GAAA,CAAI,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,EAAE,IAAI,IAAI,CAAA;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,KAAA,CAAM,MAA6B,EAAA,EAAqB;AACtD,IAAA,OAAO,KAAK,KAAA,CAAM,MAAA,CAAO,GAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAA,CAAQ,MAA6B,EAAA,EAA6C;AAChF,IAAA,OAAO,KAAK,KAAA,CAAM,GAAA,CAAI,GAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AAAA,EACvC;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,EAAE,IAAI,UAAA,CAAW,QAAQ,KAAK,GAAA,CAAI,UAAA,CAAW,YAAY,CAAA,CAAA,EAAI,OAAO,MAAA;AACxE,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAC/B,IAAA,OAAO,IAAA,EAAM,EAAA,GAAK,IAAA,CAAK,KAAA,GAAQ,MAAA;AAAA,EACjC;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,SAAS,CAAA,CAAE,OAAO,CAAC,GAAG,CAAC,CAAA,KAAM,EAAE,EAAE,CAAA,CAAE,IAAI,CAAC,CAAC,CAAC,CAAA,KAAM,CAAC,CAAA;AAAA,EACzE;AACF;AAQO,IAAM,sBAAN,MAAiE;AAAA,EACrD,KAAA,uBAAY,GAAA,EAAoB;AAAA,EAEjD,UAAU,OAAA,EAAuC;AAC/C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,IAC3B;AAAA,EACF;AAAA,EAEA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,QAAQ,CAAA,EAAG,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAChE,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,IAAA,EAAM,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,MAAA,EAAS,CAAC,CAAA,CAAE,CAAA;AAAA,EACvD;AACF;AAOO,IAAM,kBAAA,GAAN,cAAiC,KAAA,CAAM;AAAA,EACnC,QAAA;AAAA,EACA,OAAA;AAAA,EACA,KAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOT,WAAA,CAAY,QAAA,EAAkB,OAAA,EAAiB,KAAA,EAAe;AAC5D,IAAA,KAAA,CAAM,CAAA,iCAAA,EAAoC,QAAQ,CAAA,CAAE,CAAA;AACpD,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AAAA,EACf;AACF;AA+CO,IAAe,uBAAf,MAA8D;AAAA,EACnE,MAAA,GAAS,IAAA;AAAA,EACU,KAAA,uBAAY,GAAA,EAAoB;AAAA,EAGnD,MAAM,OAAO,UAAA,EAAmC;AAC9C,IAAA,MAAM,IAAA,CAAK,SAAS,UAAU,CAAA;AAC9B,IAAA,IAAA,CAAK,MAAA,GAAS,KAAA;AAAA,EAChB;AAAA,EAIA,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,IAAA,CAAK,QAAQ,OAAO,MAAA;AACxB,IAAA,IAAI,CAAC,GAAA,CAAI,UAAA,CAAW,IAAA,CAAK,MAAM,GAAG,OAAO,MAAA;AACzC,IAAA,OAAO,IAAA,CAAK,MAAM,GAAA,CAAI,GAAA,CAAI,MAAM,IAAA,CAAK,MAAA,CAAO,MAAM,CAAC,CAAA;AAAA,EACrD;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,OAAO,EAAC;AACzB,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,KAAA,CAAM,MAAM,CAAA,CAAE,GAAA,CAAI,CAAC,MAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,EAAG,CAAC,CAAA,CAAE,CAAA;AAAA,EAC/D;AACF;AAIA,IAAM,cAAA,GAAiB,CAAC,MAAA,EAAQ,QAAA,EAAU,OAAO,KAAA,EAAO,QAAA,EAAU,UAAU,YAAY,CAAA;AAExF,SAAS,UAAU,GAAA,EAAiC;AAClD,EAAA,OAAO,eAAe,IAAA,CAAK,CAAC,MAAM,GAAA,CAAI,UAAA,CAAW,CAAC,CAAC,CAAA;AACrD;AASO,IAAM,sBAAN,MAAoD;AAAA;AAAA;AAAA;AAAA;AAAA,EAKzD,YAA6B,SAAA,EAA6B;AAA7B,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAAA,EAA8B;AAAA,EAA9B,SAAA;AAAA,EAE7B,QAAQ,GAAA,EAAiC;AACvC,IAAA,IAAI,CAAC,KAAK,OAAO,MAAA;AACjB,IAAA,MAAM,MAAA,GAAS,UAAU,GAAG,CAAA;AAC5B,IAAA,GAAA,CAAI,MAAM,gBAAA,EAAkB,EAAE,KAAK,MAAA,EAAQ,MAAA,IAAU,UAAU,CAAA;AAC/D,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,QAAA,MAAM,GAAA,GAAM,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA;AACzB,QAAA,IAAI,GAAA,KAAQ,QAAW,OAAO,GAAA;AAAA,MAChC;AACA,MAAA,GAAA,CAAI,IAAA,CAAK,uBAAA,EAAyB,EAAE,GAAA,EAAK,CAAA;AACzC,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,MAAA,MAAM,GAAA,GAAM,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA;AACzB,MAAA,IAAI,GAAA,KAAQ,QAAW,OAAO,GAAA;AAAA,IAChC;AACA,IAAA,GAAA,CAAI,IAAA,CAAK,uBAAA,EAAyB,EAAE,GAAA,EAAK,CAAA;AACzC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,IAAI,GAAA,EAAsB;AACxB,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA,KAAM,MAAA;AAAA,EAC/B;AAAA,EAEA,YAAA,GAAyB;AACvB,IAAA,MAAM,GAAA,GAAM,KAAK,SAAA,CAAU,OAAA,CAAQ,CAAC,CAAA,KAAM,CAAA,CAAE,cAAc,CAAA;AAC1D,IAAA,OAAO,CAAC,GAAG,IAAI,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,EACzB;AAAA;AAAA,EAGA,YAAY,GAAA,EAAyC;AACnD,IAAA,KAAA,MAAW,CAAA,IAAK,KAAK,SAAA,EAAW;AAC9B,MAAA,IAAI,CAAA,CAAE,OAAA,CAAQ,GAAG,CAAA,KAAM,QAAW,OAAO,CAAA;AAAA,IAC3C;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,WAAW,GAAA,EAA4B;AAC3C,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,WAAA,CAAY,GAAG,CAAA;AAClC,IAAA,IACE,SACA,aAAA,IAAiB,KAAA,IACjB,OAAQ,KAAA,CAA8B,gBAAgB,UAAA,EACtD;AACA,MAAA,IAAI;AACF,QAAA,MAAO,KAAA,CAA8B,YAAY,GAAG,CAAA;AAAA,MACtD,SAAS,GAAA,EAAK;AACZ,QAAA,GAAA,CAAI,KAAA,CAAM,oCAAA,EAAsC,GAAA,EAAK,EAAE,KAAK,CAAA;AAC5D,QAAA,MAAM,GAAA;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;;;AChaO,SAAS,0BAA0B,UAAA,EAA4C;AACpF,EAAA,MAAM,MAAA,GAAS,yBAAyB,UAAU,CAAA;AAGlD,EAAA,IAAI,MAAA,CAAO,MAAA,IAAU,MAAA,CAAO,MAAA,CAAO,SAAS,CAAA,EAAG;AAC7C,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,OAAO,UAAA,IAAc,MAAA,CAAO,WAAW,MAAA,KAAW,CAAA,SAAU,EAAC;AAClE,EAAA,OAAO,MAAA,CAAO,UAAA,CAAW,GAAA,CAAI,+BAA+B,CAAA;AAC9D;AAEA,SAAS,gCAAgC,CAAA,EAA6C;AACpF,EAAA,MAAM,IAAA,GAA6B;AAAA,IACjC,IAAI,CAAA,CAAE,EAAA;AAAA,IACN,QAAQ,CAAA,CAAE,MAAA;AAAA,IACV,MAAA,EAAQ,EAAE,MAAA,IAAU,WAAA;AAAA,IACpB,MAAM,CAAA,CAAE,IAAA;AAAA,IACR,SAAS,CAAA,CAAE;AAAA,GACb;AAGA,EAAA,IAAI,EAAE,KAAA,EAAO;AACX,IAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,MACX,MAAA,EAAQ,EAAE,KAAA,CAAM,MAAA;AAAA,MAChB,MAAA,EAAQ,EAAE,KAAA,CAAM,MAAA;AAAA,MAChB,KAAA,EAAO,EAAE,KAAA,CAAM,KAAA;AAAA,MACf,iBAAA,EAAmB,EAAE,KAAA,CAAM,iBAAA;AAAA,MAC3B,cAAA,EAAgB,EAAE,KAAA,CAAM;AAAA,KAC1B;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;AAcO,SAAS,8BAAA,CACd,aAAA,EACA,cAAA,GAAmC,EAAC,EACf;AACrB,EAAA,OAAO,IAAI,oBAAoB,CAAC,GAAG,gBAAgB,aAAA,EAAe,IAAI,iBAAA,EAAmB,CAAC,CAAA;AAC5F;AASO,SAAS,4BAAA,CACd,YAAA,GAAuC,EAAC,EACnB;AACrB,EAAA,MAAM,GAAA,GAAM,IAAI,sBAAA,EAAuB;AACvC,EAAA,IAAI,MAAA,CAAO,IAAA,CAAK,YAAY,CAAA,CAAE,SAAS,CAAA,EAAG;AACxC,IAAA,GAAA,CAAI,UAAU,YAAY,CAAA;AAAA,EAC5B;AACA,EAAA,OAAO,IAAI,mBAAA,CAAoB,CAAC,IAAI,iBAAA,EAAkB,EAAG,GAAG,CAAC,CAAA;AAC/D;AAWO,SAAS,WAAA,CACd,MACA,OAAA,EACoB;AACpB,EAAA,IAAI,CAAC,MAAM,OAAO,MAAA;AAClB,EAAA,IAAI,OAAA,EAAS,OAAO,OAAA,CAAQ,OAAA,CAAQ,IAAI,CAAA;AACxC,EAAA,IAAI,IAAA,CAAK,UAAA,CAAW,MAAM,CAAA,EAAG;AAC3B,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA;AAC3B,IAAA,OAAO,OAAA,CAAQ,IAAI,MAAM,CAAA;AAAA,EAC3B;AACA,EAAA,OAAO,IAAA;AACT;AA0CO,IAAM,sBAAA,GAAN,cAAqC,KAAA,CAAM;AAAA,EACvC,IAAA;AAAA,EACT,WAAA,CAAY,MAAc,OAAA,EAAkB;AAC1C,IAAA,MAAM,KAAA,GAAQ,OAAA,GAAU,CAAA,WAAA,EAAc,OAAO,CAAA,CAAA,CAAA,GAAM,EAAA;AACnD,IAAA,KAAA;AAAA,MACE,CAAA,mCAAA,EAAsC,KAAK,CAAA,GAAA,EAAM,IAAI,CAAA;AAAA;AAAA;AAAA,4DAAA;AAAA,KAKvD;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,wBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,EACd;AACF;AAmBO,SAAS,qBAAA,CACd,IAAA,EACA,EAAA,EACA,KAAA,EACoB;AACpB,EAAA,IAAI,CAAC,OAAO,OAAO,MAAA;AACnB,EAAA,OAAO,MAAM,OAAA,CAAQ,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,EAAE,CAAA,CAAE,CAAA;AACtC;AAmBO,SAAS,cAAA,CACd,MACA,OAAA,EAC0B;AAC1B,EAAA,IAAI,CAAC,MAAM,OAAO,MAAA;AAElB,EAAA,IAAI,SAAS,SAAA,EAAW;AACtB,IAAA,OAAO,EAAE,IAAA,EAAM,SAAA,EAAW,KAAA,EAAO,EAAA,EAAI,KAAK,IAAA,EAAK;AAAA,EACjD;AACA,EAAA,IAAI,IAAA,CAAK,UAAA,CAAW,MAAM,CAAA,EAAG;AAC3B,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,KAAA,EAAO,IAAA,CAAK,MAAM,MAAA,CAAO,MAAM,CAAA,EAAG,GAAA,EAAK,IAAA,EAAK;AAAA,EACpE;AAIA,EAAA,MAAM,IAAI,sBAAA,CAAuB,IAAA,EAAM,OAAO,CAAA;AAChD","file":"chunk-APAOQLPT.js","sourcesContent":["/**\n * Secret provider abstraction.\n *\n * Decouples credential resolution from process.env so secrets can be\n * provisioned over the transport bridge instead of living in the\n * container's environment.\n */\n\nimport { createLogger } from \"@skaile/workspaces/core/logging\";\n\nconst log = createLogger({ kind: \"connector\", subkind: \"secrets\" });\n\n// ── Interfaces ──────────────────────────────────────────────────────────────\n\n/**\n * Read-only secret resolution. Adapters receive this interface.\n * @docLink packages/connectors/api-reference#secret-provider\n */\nexport interface SecretProvider {\n  /**\n   * Resolve a credential reference.\n   *\n   * @param ref - Credential reference such as \"env:GIT_TOKEN\",\n   *   \"oauth:google:user@example.com\", or an inline literal.\n   * @returns The resolved secret value or undefined if not found.\n   */\n  resolve(ref: string): string | undefined;\n  /**\n   * Check whether a reference can be resolved.\n   *\n   * @param ref - Reference to check.\n   * @returns True if resolve(ref) would return a non-undefined value.\n   */\n  has(ref: string): boolean;\n  /**\n   * Return all ref strings this provider can currently resolve.\n   *\n   * @returns All resolvable refs (used by forge UI and ConnectorFieldMissingError).\n   */\n  capabilities(): string[];\n}\n\n/**\n * Extends `SecretProvider` with the ability to load secrets at runtime via `provision()`.\n * @docLink packages/connectors/api-reference#provisionable-secret-provider\n */\nexport interface ProvisionableSecretProvider extends SecretProvider {\n  /** Store a batch of key-value secrets. Keys are bare names (no prefix). */\n  provision(secrets: Record<string, string>): void;\n}\n\n// ── Implementations ─────────────────────────────────────────────────────────\n\n/**\n * In-memory secret store. Secrets are provisioned over the transport bridge\n * and stored in a private Map — never touching the filesystem or process.env.\n *\n * Supports ref prefixes:\n *   `\"env:KEY\"`   — looks up KEY in the store\n *   `\"vault:KEY\"` — looks up KEY in the store (future vault compat)\n *   (no prefix)   — returned as an inline value (backwards compat for non-chain usages)\n * @docLink packages/connectors/api-reference#in-memory-secret-provider\n */\nexport class InMemorySecretProvider implements ProvisionableSecretProvider {\n  private readonly store = new Map<string, string>();\n\n  /**\n   * Store a batch of key-value secrets.\n   *\n   * @param secrets - Key-value map of secret names to values. Keys are bare names (no prefix).\n   */\n  provision(secrets: Record<string, string>): void {\n    for (const [key, value] of Object.entries(secrets)) {\n      this.store.set(key, value);\n    }\n  }\n\n  resolve(ref: string): string | undefined {\n    if (!ref) return undefined;\n    if (ref.startsWith(\"env:\")) return this.store.get(ref.slice(4));\n    if (ref.startsWith(\"vault:\")) return this.store.get(ref.slice(6));\n    // Bare key: check store first, then fall back to inline literal\n    const stored = this.store.get(ref);\n    if (stored !== undefined) return stored;\n    return ref;\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    return [...this.store.keys()].map((k) => `env:${k}`);\n  }\n}\n\n/**\n * Delegates to `process.env`. Used in CLI/standalone mode.\n * Does NOT pass through inline literals — returns `undefined` for any ref\n * that does not start with `\"env:\"`. Use `InMemorySecretProvider` for inline\n * literals in non-chain contexts.\n * @docLink packages/connectors/api-reference#env-secret-provider\n */\nexport class EnvSecretProvider implements SecretProvider {\n  resolve(ref: string): string | undefined {\n    if (!ref) return undefined;\n    if (ref.startsWith(\"env:\")) return process.env[ref.slice(4)];\n    return undefined; // no inline passthrough\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    return Object.keys(process.env).map((k) => `env:${k}`);\n  }\n}\n\n/**\n * Pre-minted credential entry. Mirrors the discriminated `CredentialMint`\n * shape from `@skaile/workspaces/types` but redeclared here to keep this package\n * free of cross-package type dependencies.\n *\n * The failure branch carries the platform-side `code` + `message` so the\n * `ConnectorManager`'s wrapped mediator can surface the real reason instead of\n * a generic \"no pre-mint\" placeholder when a mint comes back as `ok: false`.\n */\nexport type PreMintedCredential =\n  | { ok: true; token: string; expiresAt: string | null; mintedAt?: string }\n  | {\n      ok: false;\n      code?: \"not-configured\" | \"revoked\" | \"provider-error\" | \"backend-error\";\n      message?: string;\n    };\n\n/**\n * Pre-minted credential store. Holds short-lived tokens delivered upfront in\n * the v3 `session_init` envelope so the runner never has to call back to the\n * platform during mount setup.\n *\n * Resolves refs of the form `mount:<id>` and `connector:<id>`. Returns\n * `undefined` for any other ref so the chain falls through to the next\n * provider (`EnvSecretProvider` for `pat:env:NAME`, etc.).\n *\n * Tokens can be added/removed at runtime via {@link set} / {@link unset} so\n * `runner.add_mount` / `runner.add_connector` / `runner.update_credential`\n * capabilities stay strictly in-process — no round trip to the platform to\n * mint while the mount is hot-attached.\n *\n * For callers that need the full mint metadata (expiry timestamp, mintedAt\n * audit fields), use {@link mintFor} instead of the bare `resolve`. The\n * `ConnectorManager` consults this for the `auth: backend` initial-mint path so\n * the driver retains the original expiry semantics.\n *\n * Spec: `_devlog/specs/2026-05-10-deterministic-session-bootstrap.md`.\n *\n * @docLink packages/connectors/api-reference#pre-minted-secret-provider\n */\nexport class PreMintedSecretProvider implements SecretProvider {\n  private readonly mints = new Map<string, PreMintedCredential>();\n\n  /**\n   * Seed pre-minted credentials from the v3 `session_init.credentials` map.\n   *\n   * Failed mints (`ok: false`) are stored too so callers can distinguish\n   * \"not pre-minted\" from \"pre-minted but failed\"; {@link resolve} treats\n   * both as `undefined`.\n   *\n   * @param credentials Optional initial `{ mounts, connectors }` map.\n   */\n  constructor(credentials?: {\n    mounts?: Record<string, PreMintedCredential>;\n    connectors?: Record<string, PreMintedCredential>;\n  }) {\n    if (!credentials) return;\n    for (const [id, mint] of Object.entries(credentials.mounts ?? {})) {\n      this.mints.set(`mount:${id}`, mint);\n    }\n    for (const [id, mint] of Object.entries(credentials.connectors ?? {})) {\n      this.mints.set(`connector:${id}`, mint);\n    }\n  }\n\n  /**\n   * Insert (or replace) a pre-minted credential. Used by\n   * `runner.add_mount` / `runner.add_connector` / `runner.update_credential`\n   * capability handlers when the platform delivers new credentials\n   * mid-session.\n   */\n  set(kind: \"mount\" | \"connector\", id: string, mint: PreMintedCredential): void {\n    this.mints.set(`${kind}:${id}`, mint);\n  }\n\n  /**\n   * Remove a stored pre-minted credential. Used by the\n   * `runner.remove_resource` capability handler.\n   */\n  unset(kind: \"mount\" | \"connector\", id: string): boolean {\n    return this.mints.delete(`${kind}:${id}`);\n  }\n\n  /**\n   * Look up the full {@link PreMintedCredential} for a `mount:` /\n   * `connector:` keyed entry. Callers that only need the token use\n   * {@link resolve} via the chain; callers that need expiry / audit\n   * metadata (e.g. ConnectorManager) use this entry point.\n   */\n  mintFor(kind: \"mount\" | \"connector\", id: string): PreMintedCredential | undefined {\n    return this.mints.get(`${kind}:${id}`);\n  }\n\n  resolve(ref: string): string | undefined {\n    if (!ref) return undefined;\n    if (!(ref.startsWith(\"mount:\") || ref.startsWith(\"connector:\"))) return undefined;\n    const mint = this.mints.get(ref);\n    return mint?.ok ? mint.token : undefined;\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    return [...this.mints.entries()].filter(([, m]) => m.ok).map(([k]) => k);\n  }\n}\n\n/**\n * Forge session secret provider. Secrets are provisioned from the Forge settings\n * panel over the transport bridge. Only handles `\"forge:\"` prefixed refs — returns\n * `undefined` for all others.\n * @docLink packages/connectors/api-reference#forge-secret-provider\n */\nexport class ForgeSecretProvider implements ProvisionableSecretProvider {\n  private readonly store = new Map<string, string>();\n\n  provision(secrets: Record<string, string>): void {\n    for (const [key, value] of Object.entries(secrets)) {\n      this.store.set(key, value);\n    }\n  }\n\n  resolve(ref: string): string | undefined {\n    if (!ref) return undefined;\n    if (ref.startsWith(\"forge:\")) return this.store.get(ref.slice(6));\n    return undefined;\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    return [...this.store.keys()].map((k) => `forge:${k}`);\n  }\n}\n\n/**\n * Thrown when an OAuth-secured connector field requires user authorization before\n * it can be resolved. Contains the redirect URL to open in the user's browser.\n * @docLink packages/connectors/api-reference#o-auth-required-error\n */\nexport class OAuthRequiredError extends Error {\n  readonly oauthRef: string;\n  readonly authUrl: string;\n  readonly state: string;\n\n  /**\n   * @param oauthRef - The 'oauth:<service>:<account>' ref that triggered the error\n   * @param authUrl - Browser URL to open for OAuth authorization\n   * @param state - OAuth state token for CSRF protection and callback correlation\n   */\n  constructor(oauthRef: string, authUrl: string, state: string) {\n    super(`OAuth authorization required for ${oauthRef}`);\n    this.name = \"OAuthRequiredError\";\n    this.oauthRef = oauthRef;\n    this.authUrl = authUrl;\n    this.state = state;\n  }\n}\n\n/**\n * Shape of an OAuth token bundle stored by `OAuthSecretProvider`.\n * @docLink packages/connectors/api-reference#o-auth-token-bundle\n */\nexport interface OAuthTokenBundle {\n  accessToken: string;\n  refreshToken?: string;\n  /** Unix timestamp in ms */\n  expiry?: number;\n}\n\n/**\n * Return value of `OAuthSecretProvider.initiateFlow()`. Contains the URL and CSRF state token.\n * @docLink packages/connectors/api-reference#o-auth-flow-request\n */\nexport interface OAuthFlowRequest {\n  authUrl: string;\n  state: string;\n}\n\n/**\n * OAuth token provider. Handles `\"oauth:<service>:<account>\"` refs.\n * Callers must call `chain.prepareRef()` before `chain.resolve()` for `oauth:` refs.\n * @docLink packages/connectors/api-reference#o-auth-secret-provider\n */\nexport interface OAuthSecretProvider extends SecretProvider {\n  /**\n   * Ensure the token for this ref is fresh.\n   * Refreshes if expired.\n   * Throws OAuthRequiredError if no token exists and user authorization is needed.\n   */\n  ensureFresh(ref: string): Promise<void>;\n\n  /** Initiate the OAuth authorization flow. Returns URL to open in the user's browser. */\n  initiateFlow(oauthService: string, account: string): Promise<OAuthFlowRequest>;\n\n  /** Exchange authorization code for tokens and store the bundle. */\n  completeFlow(state: string, code: string): Promise<void>;\n}\n\n/**\n * Abstract base for vault-backed secret providers (1Password, KeePass). Subclasses\n * implement `prefix` and `loadKeys()`. Locked until `unlock(credential)` is called.\n * @docLink packages/connectors/api-reference#locked-secret-provider\n */\nexport abstract class LockedSecretProvider implements SecretProvider {\n  locked = true;\n  protected readonly store = new Map<string, string>();\n  abstract readonly prefix: string;\n\n  async unlock(credential: string): Promise<void> {\n    await this.loadKeys(credential);\n    this.locked = false;\n  }\n\n  protected abstract loadKeys(credential: string): Promise<void>;\n\n  resolve(ref: string): string | undefined {\n    if (this.locked) return undefined;\n    if (!ref.startsWith(this.prefix)) return undefined;\n    return this.store.get(ref.slice(this.prefix.length));\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    if (this.locked) return [];\n    return [...this.store.keys()].map((k) => `${this.prefix}${k}`);\n  }\n}\n\n// ── Known provider prefixes ──────────────────────────────────────────────────\n\nconst KNOWN_PREFIXES = [\"env:\", \"forge:\", \"op:\", \"kp:\", \"oauth:\", \"mount:\", \"connector:\"] as const;\n\nfunction getPrefix(ref: string): string | undefined {\n  return KNOWN_PREFIXES.find((p) => ref.startsWith(p));\n}\n\n/**\n * Chains multiple `SecretProvider` instances into a single resolver.\n * - Prefixed refs (`env:`, `forge:`, `op:`, `kp:`, `oauth:`) are routed to the first provider that can resolve them.\n * - Bare refs waterfall through all providers in order.\n * - Plain literals in `skaile.yaml` options are NOT passed to the chain; `ConnectorManager` handles them before calling `resolve()`.\n * @docLink packages/connectors/api-reference#secret-provider-chain\n */\nexport class SecretProviderChain implements SecretProvider {\n  /**\n   * @param providers - Ordered list of providers. For prefixed refs, the first\n   *   provider that can resolve wins. For bare refs, waterfall through all in order.\n   */\n  constructor(private readonly providers: SecretProvider[]) {}\n\n  resolve(ref: string): string | undefined {\n    if (!ref) return undefined;\n    const prefix = getPrefix(ref);\n    log.debug(\"resolve secret\", { ref, prefix: prefix ?? \"(bare)\" });\n    if (prefix) {\n      for (const p of this.providers) {\n        const val = p.resolve(ref);\n        if (val !== undefined) return val;\n      }\n      log.warn(\"secret not resolvable\", { ref });\n      return undefined;\n    }\n    // Waterfall for bare refs\n    for (const p of this.providers) {\n      const val = p.resolve(ref);\n      if (val !== undefined) return val;\n    }\n    log.warn(\"secret not resolvable\", { ref });\n    return undefined;\n  }\n\n  has(ref: string): boolean {\n    return this.resolve(ref) !== undefined;\n  }\n\n  capabilities(): string[] {\n    const all = this.providers.flatMap((p) => p.capabilities());\n    return [...new Set(all)];\n  }\n\n  /** Returns the first provider that can resolve this ref. */\n  providerFor(ref: string): SecretProvider | undefined {\n    for (const p of this.providers) {\n      if (p.resolve(ref) !== undefined) return p;\n    }\n    return undefined;\n  }\n\n  /**\n   * Calls ensureFresh(ref) on the owning provider if it implements OAuthSecretProvider.\n   * No-op for providers that don't have ensureFresh().\n   *\n   * @param ref - Must be an \"oauth:\" prefixed ref for this to have any effect.\n   *   Calls ensureFresh() on the owning OAuthSecretProvider.\n   */\n  async prepareRef(ref: string): Promise<void> {\n    const owner = this.providerFor(ref);\n    if (\n      owner &&\n      \"ensureFresh\" in owner &&\n      typeof (owner as OAuthSecretProvider).ensureFresh === \"function\"\n    ) {\n      try {\n        await (owner as OAuthSecretProvider).ensureFresh(ref);\n      } catch (err) {\n        log.error(\"secret provider ensureFresh failed\", err, { ref });\n        throw err;\n      }\n    }\n  }\n}\n","/**\n * Load connector declarations from skaile.yaml.\n *\n * The top-level `mounts:` key is no longer accepted (hard cut as of Task 11).\n * Filesystem-projected backends must be declared under `connectors:` with a\n * `mount:` sub-block. See `docs/migration-mounts-to-connectors.md`.\n */\n\nimport type { ConnectorDeclaration as WorkspaceConnector } from \"@skaile/workspaces/core\";\nimport { resolveSkWorkspaceConfig } from \"@skaile/workspaces/core\";\nimport type { ConnectorDeclaration } from \"./connector-types.js\";\n\n/**\n * Read `skaile.yaml` in `projectDir` and return all declared connectors as `ConnectorDeclaration[]`.\n *\n * Throws a migration error when the legacy top-level `mounts:` key is present.\n *\n * @param projectDir - Root of the workspace (directory containing `skaile.yaml`).\n * @returns Array of connector declarations, or an empty array if none are declared.\n * @docLink packages/connectors/api-reference#load-connector-declarations\n */\nexport function loadConnectorDeclarations(projectDir: string): ConnectorDeclaration[] {\n  const config = resolveSkWorkspaceConfig(projectDir);\n\n  // Hard cut: reject legacy top-level `mounts:` key with an actionable message.\n  if (config.mounts && config.mounts.length > 0) {\n    throw new Error(\n      \"'mounts:' is no longer supported — move entries under 'connectors:' with a 'mount:' sub-block. See docs/migration-mounts-to-connectors.md\",\n    );\n  }\n\n  if (!config.connectors || config.connectors.length === 0) return [];\n  return config.connectors.map(workspaceConnectorToDeclaration);\n}\n\nfunction workspaceConnectorToDeclaration(c: WorkspaceConnector): ConnectorDeclaration {\n  const decl: ConnectorDeclaration = {\n    id: c.id,\n    driver: c.driver,\n    access: c.access ?? \"read-only\",\n    auth: c.auth,\n    options: c.options,\n  };\n\n  // Map the optional mount sub-block when present.\n  if (c.mount) {\n    decl.mount = {\n      source: c.mount.source,\n      target: c.mount.target,\n      watch: c.mount.watch,\n      exposeAccessToken: c.mount.exposeAccessToken,\n      accessTokenTTL: c.mount.accessTokenTTL,\n    };\n  }\n\n  return decl;\n}\n\nimport type { ForgeSecretProvider, SecretProvider } from \"./secrets.js\";\nimport { EnvSecretProvider, InMemorySecretProvider, SecretProviderChain } from \"./secrets.js\";\n\n/**\n * Build a `SecretProviderChain` for Forge session context.\n * `OAuthSecretProvider` is not wired here — it must be provided externally\n * (the Forge session manager constructs it and passes it in).\n * @param forgeProvider - The Forge-provisioned secret store.\n * @param extraProviders - Additional providers prepended to the chain (e.g. an OAuth provider).\n * @returns A chain that routes `forge:` refs to the Forge store and `env:` refs to process.env.\n * @docLink packages/connectors/api-reference#create-forge-secret-provider-chain\n */\nexport function createForgeSecretProviderChain(\n  forgeProvider: ForgeSecretProvider,\n  extraProviders: SecretProvider[] = [],\n): SecretProviderChain {\n  return new SecretProviderChain([...extraProviders, forgeProvider, new EnvSecretProvider()]);\n}\n\n/**\n * Build a `SecretProviderChain` for CLI/standalone context.\n * `EnvSecretProvider` takes priority; `extraSecrets` are loaded into an `InMemorySecretProvider`.\n * @param extraSecrets - Inline secrets injected into memory (e.g. tokens passed via CLI flags).\n * @returns A chain that resolves `env:` refs from process.env plus any inline extras.\n * @docLink packages/connectors/api-reference#create-cli-secret-provider-chain\n */\nexport function createCliSecretProviderChain(\n  extraSecrets: Record<string, string> = {},\n): SecretProviderChain {\n  const mem = new InMemorySecretProvider();\n  if (Object.keys(extraSecrets).length > 0) {\n    mem.provision(extraSecrets);\n  }\n  return new SecretProviderChain([new EnvSecretProvider(), mem]);\n}\n\n/**\n * Resolve a credential reference using a `SecretProvider`, or fall back to `env:NAME` lookup.\n * @param auth - Credential reference (e.g. `\"env:GIT_TOKEN\"`).\n * @param secrets - Optional provider; falls back to `process.env` if omitted.\n * @returns Resolved secret value or `undefined`.\n * @deprecated Use `SecretProviderChain.resolve()` instead.\n * @docLink packages/connectors/api-reference#resolve-auth\n */\n// @TODO: Code-Review: deprecated shim kept for backward compat — remove once all callers migrate to SecretProviderChain.resolve()\nexport function resolveAuth(\n  auth: string | undefined,\n  secrets?: import(\"./secrets.js\").SecretProvider,\n): string | undefined {\n  if (!auth) return undefined;\n  if (secrets) return secrets.resolve(auth);\n  if (auth.startsWith(\"env:\")) {\n    const envVar = auth.slice(4);\n    return process.env[envVar];\n  }\n  return auth;\n}\n\n// ── Auth grammar (mount-side, Tier 2 credential tiers) ───────────────────────\n\n/**\n * Provider kind for a mount auth ref.\n *\n * Two values are accepted:\n *   - `pat`     — static personal access token resolved via the secrets chain\n *                 (standalone CLI / non-platform contexts).\n *   - `backend` — token minted by the platform's credential mediator over the\n *                 transport (`request_access_token` round-trip). Provider\n *                 dispatch (OAuth, GitHub App, ...) lives backend-side; the\n *                 runner stays provider-agnostic.\n *\n * @docLink packages/connectors/api-reference#mount-auth-kind\n */\nexport type MountAuthKind = \"pat\" | \"backend\";\n\n/**\n * Parsed mount `auth:` field.\n *\n *   - `pat`     → `value` is the inner secret ref (e.g. `env:NAME`).\n *   - `backend` → `value` is empty (sentinel only); the runner asks the\n *                 backend for tokens via `request_access_token`.\n *\n * @docLink packages/connectors/api-reference#mount-auth-ref\n */\nexport interface MountAuthRef {\n  kind: MountAuthKind;\n  /** Prefix-stripped payload — see kind for shape. Empty for `backend`. */\n  value: string;\n  /** Original auth string from the declaration, kept for diagnostics. */\n  raw: string;\n}\n\n/**\n * Thrown when a mount declaration's `auth:` field uses the legacy bare `env:NAME` grammar\n * or any other unrecognized form. Migrate to `pat:env:NAME` (standalone) or `backend`\n * (platform-mediated).\n * @docLink packages/connectors/api-reference#legacy-auth-grammar-error\n */\nexport class LegacyAuthGrammarError extends Error {\n  readonly auth: string;\n  constructor(auth: string, mountId?: string) {\n    const where = mountId ? ` on mount '${mountId}'` : \"\";\n    super(\n      `Legacy or unrecognized auth grammar${where} ('${auth}'). ` +\n        `Replace with one of:\\n` +\n        `  - backend                  (platform-mediated, recommended)\\n` +\n        `  - pat:env:NAME             (standalone CLI / static token)\\n` +\n        `See _devlog/specs/2026-05-06-tier-2-credential-mediation.md.`,\n    );\n    this.name = \"LegacyAuthGrammarError\";\n    this.auth = auth;\n  }\n}\n\n/**\n * Resolve the `auth: backend` initial mint for a given mount or connector id\n * by querying the secrets chain with a `${kind}:${id}` ref. Returns the\n * resolved bearer token or `undefined` if no pre-minted credential is\n * available.\n *\n * Used by the runner when wiring `ConnectorManager` to\n * answer initial-mint requests from `PreMintedSecretProvider` without\n * round-tripping to the platform. Drivers continue to receive a\n * `tokenMediator` for refresh + retry-401 paths.\n *\n * @param kind Resource family (`mount` or `connector`).\n * @param id Resource declaration id.\n * @param chain Secrets chain. Pass `undefined` to return `undefined`.\n * @returns The pre-minted token, or `undefined` if not stored on the chain.\n * @docLink packages/connectors/api-reference#resolve-backend-auth-for\n */\nexport function resolveBackendAuthFor(\n  kind: \"mount\" | \"connector\",\n  id: string,\n  chain: import(\"./secrets.js\").SecretProvider | undefined,\n): string | undefined {\n  if (!chain) return undefined;\n  return chain.resolve(`${kind}:${id}`);\n}\n\n/**\n * Parse a mount-side auth ref into a typed `MountAuthRef`.\n *\n * Accepted forms:\n *   - `backend`      — platform-mediated mint via `request_access_token`.\n *   - `pat:env:NAME` — static PAT resolved from the secrets chain.\n *\n * Rejects bare `env:NAME` (legacy) and provider-prefixed grammars (`oauth:`,\n * `github-app:`) — those moved backend-side as part of Tier-2 mediation.\n * Returns `undefined` when `auth` is absent or empty.\n *\n * @param auth - Raw `auth:` value from the mount declaration.\n * @param mountId - Optional mount id included in error messages.\n * @returns Parsed `MountAuthRef` or `undefined`.\n * @throws {LegacyAuthGrammarError} for any unrecognized grammar.\n * @docLink packages/connectors/api-reference#resolve-auth-ref\n */\nexport function resolveAuthRef(\n  auth: string | undefined,\n  mountId?: string,\n): MountAuthRef | undefined {\n  if (!auth) return undefined;\n\n  if (auth === \"backend\") {\n    return { kind: \"backend\", value: \"\", raw: auth };\n  }\n  if (auth.startsWith(\"pat:\")) {\n    return { kind: \"pat\", value: auth.slice(\"pat:\".length), raw: auth };\n  }\n\n  // Legacy bare `env:NAME` and the deprecated provider-prefixed grammars\n  // (`oauth:`, `github-app:`) all land here.\n  throw new LegacyAuthGrammarError(auth, mountId);\n}\n"]}

package/dist/{chunk-4S4TZDCD.js → chunk-D7K72XEY.js}

@@ -1,5 +1,5 @@
 import { AssetKindRegistryFrozenError, AssetKindConflictError, AssetKindPatternConflictError, AssetKindPathAmbiguityError } from './chunk-OKRUTSG7.js';
-import { parseFrontmatter } from './chunk-FRPKLIEZ.js';
+import { parseFrontmatter } from './chunk-4AZKT2BU.js';
 import { validatePersona, validateRuleset, validateSkill, validateAgent, validateConnector, validateMcpServer, validateContract, validatePrompt, validatePreset } from './chunk-NELZIQ2E.js';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -1524,5 +1524,5 @@ function validateRequiresSyntax2(requires) {
 var VERSION = "0.0.0";
 
 export { AssetKindRegistry, BUILTIN_PROVIDERS, SEMVER_RE, SourceConfigSchema, VERSION, agentProvider, buildRequiresGraph, computeDeterministicHash, computeDeterministicHashDetailed, connectorProvider, contractProvider, createDefaultRegistry, detectCycles, discoverAssetsInTree, discoverAssetsInTreeEntries, discoverFromManifest, extractRequires, isExcludedDevPath, isManifestMode, loadMergedSourceConfig, loadSourceConfig, mcpServerProvider, mergeSourceConfigs, parseSourceConfig, personaProvider, presetProvider, promptProvider, rulesetProvider, skillProvider, validateSourceConfig };
-//# sourceMappingURL=chunk-4S4TZDCD.js.map
-//# sourceMappingURL=chunk-4S4TZDCD.js.map
+//# sourceMappingURL=chunk-D7K72XEY.js.map
+//# sourceMappingURL=chunk-D7K72XEY.js.map