@tangle-network/agent-runtime 0.48.0 → 0.50.0

package/dist/openai-tools-D4HLDWgw.d.ts

@@ -0,0 +1,45 @@
+import { c as OpenAIChatTool } from './types-BEQsBhOE.js';
+
+/**
+ * @experimental
+ *
+ * OpenAI Chat Completions `tools[]` projection of the 5 agent-runtime MCP
+ * delegation tools.
+ *
+ * Use when configuring `createOpenAICompatibleBackend({ tools: ... })` so the
+ * model can call `delegate_code`, `delegate_research`, `delegate_feedback`,
+ * `delegation_status`, and `delegation_history` through the OpenAI-compat
+ * transport (tcloud, OpenRouter, OpenAI direct, cli-bridge). The runtime
+ * surfaces tool calls as `tool_call` stream events — execution is the
+ * caller's responsibility (typically the parent sandbox runtime's MCP
+ * mount).
+ *
+ * Sandbox-SDK callers do NOT need this helper: the sandbox runtime mounts
+ * MCP servers natively and the in-sandbox harness discovers tools via the
+ * runtime, not via an OpenAI tools array.
+ *
+ * Tool name + description + JSON-schema are pulled from the canonical
+ * `DELEGATE_*` constants exported by `./tools/*` so the projection cannot
+ * drift from the server's own validators.
+ */
+
+/**
+ * @experimental
+ *
+ * Returns the 5 delegation tools projected into OpenAI Chat Completions
+ * `tools[]` shape. The order is stable: `delegate_code`,
+ * `delegate_research`, `delegate_feedback`, `delegation_status`,
+ * `delegation_history`.
+ */
+declare function mcpToolsForRuntimeMcp(): OpenAIChatTool[];
+/**
+ * @experimental
+ *
+ * Subset filter — return only the projected tools whose `function.name`
+ * appears in `names`. Useful for curated mounts (e.g. only the queue-bound
+ * delegation tools, omitting `delegate_feedback`). Unknown names are
+ * silently ignored; pass an empty array to get an empty result.
+ */
+declare function mcpToolsForRuntimeMcpSubset(names: ReadonlyArray<string>): OpenAIChatTool[];
+
+export { mcpToolsForRuntimeMcpSubset as a, mcpToolsForRuntimeMcp as m };

package/dist/platform.js

@@ -20,7 +20,7 @@ var PlatformAuthClient = class {
     if (!options.appId) throw new Error("PlatformAuthClient: appId is required");
     this.baseUrl = options.baseUrl.replace(/\/+$/, "");
     this.appId = options.appId;
-    this.fetchImpl = options.fetchImpl ?? fetch;
+    this.fetchImpl = options.fetchImpl ?? ((url, init) => fetch(url, init));
   }
   /**
    * Build the URL the user is redirected to in order to start SSO.
@@ -90,7 +90,7 @@ var PlatformHubClient = class {
     if (!options.bearer) throw new Error("PlatformHubClient: bearer is required");
     this.baseUrl = options.baseUrl.replace(/\/+$/, "");
     this.bearer = options.bearer;
-    this.fetchImpl = options.fetchImpl ?? fetch;
+    this.fetchImpl = options.fetchImpl ?? ((url, init) => fetch(url, init));
   }
   /** List the integration catalog (providers + connectors). */
   catalog() {

package/dist/platform.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/platform/auth.ts","../src/platform/integrations.ts"],"sourcesContent":["/**\n * Server-side client for the Tangle platform's cross-site SSO bridge.\n *\n * Consumer apps (gtm-agent, tax-agent, legal-agent, creative-agent, …)\n * use this to:\n *   1. Build an /authorize URL that lands the user on id.tangle.tools\n *      and brings them back with a single-use code.\n *   2. Exchange that code for an API key + the user's identity.\n *\n * The platform endpoint contract is documented in\n * `products/platform/api/src/routes/cross-site.ts`. This client only\n * speaks HTTP — no SDK weight, no transitive deps.\n */\n\nexport interface PlatformAuthClientOptions {\n  /** Platform base URL, e.g. `https://id.tangle.tools`. */\n  baseUrl: string\n  /** App id as registered in the platform's TRUSTED_APPS registry. */\n  appId: string\n  /** Override the global fetch (useful for tests + edge runtimes). */\n  fetchImpl?: typeof fetch\n}\n\nexport interface AuthorizeUrlOptions {\n  /** Required CSRF token; the consumer verifies it on the callback. */\n  state: string\n  /**\n   * Final redirect URI. Must be one of the URIs registered for `appId`\n   * on the platform. Omit to use the first registered URI.\n   */\n  redirectUri?: string\n  /** Force the login screen even if a session is already active. */\n  prompt?: 'login'\n  /** Pre-fill the email field on the login screen. */\n  email?: string\n}\n\nexport interface ExchangeCodeResult {\n  apiKey: string\n  user: {\n    id: string\n    email: string\n    name?: string\n  }\n  plan: {\n    tier: string\n  }\n}\n\nexport class PlatformAuthError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number,\n    public readonly body: unknown,\n  ) {\n    super(message)\n    this.name = 'PlatformAuthError'\n  }\n}\n\nexport class PlatformAuthClient {\n  private readonly baseUrl: string\n  private readonly appId: string\n  private readonly fetchImpl: typeof fetch\n\n  constructor(options: PlatformAuthClientOptions) {\n    if (!options.baseUrl) throw new Error('PlatformAuthClient: baseUrl is required')\n    if (!options.appId) throw new Error('PlatformAuthClient: appId is required')\n    this.baseUrl = options.baseUrl.replace(/\\/+$/, '')\n    this.appId = options.appId\n    this.fetchImpl = options.fetchImpl ?? fetch\n  }\n\n  /**\n   * Build the URL the user is redirected to in order to start SSO.\n   * The platform redirects back to one of `appId`'s registered\n   * `redirectUris` with `?code=...&app=...&state=...`.\n   */\n  authorizeUrl(options: AuthorizeUrlOptions): string {\n    if (!options.state) {\n      throw new Error('PlatformAuthClient.authorizeUrl: state is required for CSRF')\n    }\n    const url = new URL('/cross-site/authorize', this.baseUrl)\n    url.searchParams.set('app', this.appId)\n    url.searchParams.set('state', options.state)\n    if (options.redirectUri) url.searchParams.set('redirect', options.redirectUri)\n    if (options.prompt) url.searchParams.set('prompt', options.prompt)\n    if (options.email) url.searchParams.set('email', options.email)\n    return url.toString()\n  }\n\n  /**\n   * Exchange a single-use auth code (delivered to the consumer's\n   * callback by the platform) for an API key + the user's identity.\n   * Codes are single-use and expire ~5 minutes after issue.\n   */\n  async exchange(code: string): Promise<ExchangeCodeResult> {\n    if (!code) throw new Error('PlatformAuthClient.exchange: code is required')\n    const res = await this.fetchImpl(`${this.baseUrl}/cross-site/exchange`, {\n      method: 'POST',\n      headers: { 'content-type': 'application/json' },\n      body: JSON.stringify({ code, app: this.appId }),\n    })\n    const body = await res.json().catch(() => null)\n    if (!res.ok) {\n      const message =\n        body && typeof body === 'object' && 'error' in body && typeof body.error === 'string'\n          ? body.error\n          : `Platform exchange failed (${res.status})`\n      throw new PlatformAuthError(message, res.status, body)\n    }\n    const result = body as Partial<ExchangeCodeResult>\n    if (!result.apiKey || !result.user?.id) {\n      throw new PlatformAuthError(\n        'Platform exchange response is missing apiKey or user',\n        res.status,\n        body,\n      )\n    }\n    return result as ExchangeCodeResult\n  }\n}\n","/**\n * Server-side client for the Tangle platform's integrations hub\n * (`/v1/integrations/*`). Consumer apps use this instead of rolling\n * their own OAuth + connection tables.\n *\n * Auth: the caller supplies a bearer (either the user's API key from\n * cross-site exchange, or a platform service token) on construction.\n * Per-request override via `headers` is supported.\n *\n * Endpoint contract: `products/platform/api/src/routes/integrations.ts`.\n */\n\nexport interface PlatformHubClientOptions {\n  /** Platform base URL, e.g. `https://id.tangle.tools`. */\n  baseUrl: string\n  /** Bearer credential — user API key or service token. */\n  bearer: string\n  /** Override fetch (tests + edge runtimes). */\n  fetchImpl?: typeof fetch\n}\n\nexport interface PlatformConnection {\n  id: string\n  providerId: string\n  connectorId: string\n  status: 'connected' | 'pending' | 'revoked' | 'expired' | string\n  grantedScopes?: string[]\n  account?: { identity?: string; displayName?: string } & Record<string, unknown>\n  metadata?: Record<string, unknown>\n  expiresAt?: string | null\n  createdAt?: string\n  updatedAt?: string\n}\n\nexport interface PlatformCatalogProvider {\n  providerId: string\n  displayName?: string\n  description?: string\n  authMode?: string\n  connectors?: PlatformCatalogConnector[]\n  [k: string]: unknown\n}\n\nexport interface PlatformCatalogConnector {\n  connectorId: string\n  displayName?: string\n  description?: string\n  scopes?: string[]\n  [k: string]: unknown\n}\n\nexport interface StartAuthInput {\n  providerId: string\n  connectorId: string\n  /** Where the platform redirects the user back to after OAuth. */\n  returnUrl: string\n  requestedScopes?: string[]\n  state?: string\n  metadata?: Record<string, unknown>\n  /** Required when the bearer is a service token impersonating a user. */\n  ownerUserId?: string\n}\n\nexport interface StartAuthResult {\n  authorizationUrl: string\n  state: string\n}\n\nexport interface BundleCapabilityInput {\n  manifestId?: string\n  grantIds?: string[]\n  subject: { type: 'user' | 'team' | 'app'; id: string }\n  ttlMs: number\n}\n\nexport interface BundleCapabilityResult {\n  bundle: Record<string, unknown>\n  env: Record<string, string>\n}\n\nexport interface HealthCheck {\n  connectionId: string\n  providerId: string\n  connectorId: string\n  status: 'ok' | 'degraded' | 'failing' | 'unknown' | string\n  checks?: Record<string, unknown>\n  checkedAt?: string\n}\n\nexport class PlatformHubError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number,\n    public readonly code: string | undefined,\n    public readonly body: unknown,\n  ) {\n    super(message)\n    this.name = 'PlatformHubError'\n  }\n}\n\ninterface PlatformEnvelope<T> {\n  success: boolean\n  data?: T\n  error?: { code?: string; message?: string } | string\n}\n\nexport class PlatformHubClient {\n  private readonly baseUrl: string\n  private readonly bearer: string\n  private readonly fetchImpl: typeof fetch\n\n  constructor(options: PlatformHubClientOptions) {\n    if (!options.baseUrl) throw new Error('PlatformHubClient: baseUrl is required')\n    if (!options.bearer) throw new Error('PlatformHubClient: bearer is required')\n    this.baseUrl = options.baseUrl.replace(/\\/+$/, '')\n    this.bearer = options.bearer\n    this.fetchImpl = options.fetchImpl ?? fetch\n  }\n\n  /** List the integration catalog (providers + connectors). */\n  catalog(): Promise<{ providers: PlatformCatalogProvider[] } & Record<string, unknown>> {\n    return this.request('GET', '/v1/integrations/catalog')\n  }\n\n  /** List the calling user's integration connections. */\n  async listConnections(): Promise<PlatformConnection[]> {\n    const data = await this.request<{ connections: PlatformConnection[] }>(\n      'GET',\n      '/v1/integrations/connections',\n    )\n    return data.connections\n  }\n\n  /** Revoke (and disable) a connection by id. */\n  revokeConnection(connectionId: string): Promise<{\n    connection: PlatformConnection\n    revokedGrants: unknown[]\n    providerRevocation: { ok: boolean }\n  }> {\n    return this.request(\n      'DELETE',\n      `/v1/integrations/connections/${encodeURIComponent(connectionId)}`,\n    )\n  }\n\n  /** Begin OAuth — returns the URL to send the user to. */\n  startAuth(input: StartAuthInput): Promise<StartAuthResult> {\n    return this.request('POST', '/v1/integrations/auth/start', input)\n  }\n\n  /** List connection healthchecks (last known state). */\n  async listHealthchecks(): Promise<HealthCheck[]> {\n    const data = await this.request<{ healthchecks: HealthCheck[] }>(\n      'GET',\n      '/v1/integrations/healthchecks',\n    )\n    return data.healthchecks\n  }\n\n  /** Trigger a fresh healthcheck pass. */\n  runHealthchecks(): Promise<{ scheduled: number }> {\n    return this.request('POST', '/v1/integrations/healthchecks/run', {})\n  }\n\n  /**\n   * Mint a sandbox-injectable capability bundle (env vars + scoped\n   * capability tokens) so a sandbox can invoke integrations on the\n   * user's behalf without seeing the underlying provider tokens.\n   */\n  bundleCapabilities(input: BundleCapabilityInput): Promise<BundleCapabilityResult> {\n    return this.request('POST', '/v1/integrations/capabilities/bundle', input)\n  }\n\n  private async request<T>(\n    method: 'GET' | 'POST' | 'DELETE' | 'PUT',\n    path: string,\n    body?: unknown,\n  ): Promise<T> {\n    const headers: Record<string, string> = {\n      authorization: `Bearer ${this.bearer}`,\n      accept: 'application/json',\n    }\n    if (body !== undefined) headers['content-type'] = 'application/json'\n\n    const res = await this.fetchImpl(`${this.baseUrl}${path}`, {\n      method,\n      headers,\n      body: body !== undefined ? JSON.stringify(body) : undefined,\n    })\n    const text = await res.text()\n    let parsed: PlatformEnvelope<T> | null = null\n    if (text) {\n      try {\n        parsed = JSON.parse(text)\n      } catch {\n        // fall through to error handling below\n      }\n    }\n    if (!res.ok || (parsed && parsed.success === false)) {\n      const code = parsed?.error && typeof parsed.error === 'object' ? parsed.error.code : undefined\n      const message =\n        (parsed?.error && typeof parsed.error === 'object' && parsed.error.message) ||\n        (typeof parsed?.error === 'string' ? parsed.error : `Platform hub error (${res.status})`)\n      throw new PlatformHubError(message, res.status, code, parsed ?? text)\n    }\n    if (!parsed) {\n      throw new PlatformHubError(\n        `Platform hub returned non-JSON success (${res.status})`,\n        res.status,\n        undefined,\n        text,\n      )\n    }\n    if (parsed.data === undefined) {\n      throw new PlatformHubError(\n        'Platform hub envelope missing `data`',\n        res.status,\n        undefined,\n        parsed,\n      )\n    }\n    return parsed.data\n  }\n}\n"],"mappings":";;;AAiDO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,QACA,MAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EALkB;AAAA,EACA;AAKpB;AAEO,IAAM,qBAAN,MAAyB;AAAA,EACb;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,SAAoC;AAC9C,QAAI,CAAC,QAAQ,QAAS,OAAM,IAAI,MAAM,yCAAyC;AAC/E,QAAI,CAAC,QAAQ,MAAO,OAAM,IAAI,MAAM,uCAAuC;AAC3E,SAAK,UAAU,QAAQ,QAAQ,QAAQ,QAAQ,EAAE;AACjD,SAAK,QAAQ,QAAQ;AACrB,SAAK,YAAY,QAAQ,aAAa;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,SAAsC;AACjD,QAAI,CAAC,QAAQ,OAAO;AAClB,YAAM,IAAI,MAAM,6DAA6D;AAAA,IAC/E;AACA,UAAM,MAAM,IAAI,IAAI,yBAAyB,KAAK,OAAO;AACzD,QAAI,aAAa,IAAI,OAAO,KAAK,KAAK;AACtC,QAAI,aAAa,IAAI,SAAS,QAAQ,KAAK;AAC3C,QAAI,QAAQ,YAAa,KAAI,aAAa,IAAI,YAAY,QAAQ,WAAW;AAC7E,QAAI,QAAQ,OAAQ,KAAI,aAAa,IAAI,UAAU,QAAQ,MAAM;AACjE,QAAI,QAAQ,MAAO,KAAI,aAAa,IAAI,SAAS,QAAQ,KAAK;AAC9D,WAAO,IAAI,SAAS;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,SAAS,MAA2C;AACxD,QAAI,CAAC,KAAM,OAAM,IAAI,MAAM,+CAA+C;AAC1E,UAAM,MAAM,MAAM,KAAK,UAAU,GAAG,KAAK,OAAO,wBAAwB;AAAA,MACtE,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,MAAM,KAAK,KAAK,MAAM,CAAC;AAAA,IAChD,CAAC;AACD,UAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,IAAI;AAC9C,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,UACJ,QAAQ,OAAO,SAAS,YAAY,WAAW,QAAQ,OAAO,KAAK,UAAU,WACzE,KAAK,QACL,6BAA6B,IAAI,MAAM;AAC7C,YAAM,IAAI,kBAAkB,SAAS,IAAI,QAAQ,IAAI;AAAA,IACvD;AACA,UAAM,SAAS;AACf,QAAI,CAAC,OAAO,UAAU,CAAC,OAAO,MAAM,IAAI;AACtC,YAAM,IAAI;AAAA,QACR;AAAA,QACA,IAAI;AAAA,QACJ;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACF;;;AChCO,IAAM,mBAAN,cAA+B,MAAM;AAAA,EAC1C,YACE,SACgB,QACA,MACA,MAChB;AACA,UAAM,OAAO;AAJG;AACA;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EANkB;AAAA,EACA;AAAA,EACA;AAKpB;AAQO,IAAM,oBAAN,MAAwB;AAAA,EACZ;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,SAAmC;AAC7C,QAAI,CAAC,QAAQ,QAAS,OAAM,IAAI,MAAM,wCAAwC;AAC9E,QAAI,CAAC,QAAQ,OAAQ,OAAM,IAAI,MAAM,uCAAuC;AAC5E,SAAK,UAAU,QAAQ,QAAQ,QAAQ,QAAQ,EAAE;AACjD,SAAK,SAAS,QAAQ;AACtB,SAAK,YAAY,QAAQ,aAAa;AAAA,EACxC;AAAA;AAAA,EAGA,UAAuF;AACrF,WAAO,KAAK,QAAQ,OAAO,0BAA0B;AAAA,EACvD;AAAA;AAAA,EAGA,MAAM,kBAAiD;AACrD,UAAM,OAAO,MAAM,KAAK;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA,EAGA,iBAAiB,cAId;AACD,WAAO,KAAK;AAAA,MACV;AAAA,MACA,gCAAgC,mBAAmB,YAAY,CAAC;AAAA,IAClE;AAAA,EACF;AAAA;AAAA,EAGA,UAAU,OAAiD;AACzD,WAAO,KAAK,QAAQ,QAAQ,+BAA+B,KAAK;AAAA,EAClE;AAAA;AAAA,EAGA,MAAM,mBAA2C;AAC/C,UAAM,OAAO,MAAM,KAAK;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA,EAGA,kBAAkD;AAChD,WAAO,KAAK,QAAQ,QAAQ,qCAAqC,CAAC,CAAC;AAAA,EACrE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,mBAAmB,OAA+D;AAChF,WAAO,KAAK,QAAQ,QAAQ,wCAAwC,KAAK;AAAA,EAC3E;AAAA,EAEA,MAAc,QACZ,QACA,MACA,MACY;AACZ,UAAM,UAAkC;AAAA,MACtC,eAAe,UAAU,KAAK,MAAM;AAAA,MACpC,QAAQ;AAAA,IACV;AACA,QAAI,SAAS,OAAW,SAAQ,cAAc,IAAI;AAElD,UAAM,MAAM,MAAM,KAAK,UAAU,GAAG,KAAK,OAAO,GAAG,IAAI,IAAI;AAAA,MACzD;AAAA,MACA;AAAA,MACA,MAAM,SAAS,SAAY,KAAK,UAAU,IAAI,IAAI;AAAA,IACpD,CAAC;AACD,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,QAAI,SAAqC;AACzC,QAAI,MAAM;AACR,UAAI;AACF,iBAAS,KAAK,MAAM,IAAI;AAAA,MAC1B,QAAQ;AAAA,MAER;AAAA,IACF;AACA,QAAI,CAAC,IAAI,MAAO,UAAU,OAAO,YAAY,OAAQ;AACnD,YAAM,OAAO,QAAQ,SAAS,OAAO,OAAO,UAAU,WAAW,OAAO,MAAM,OAAO;AACrF,YAAM,UACH,QAAQ,SAAS,OAAO,OAAO,UAAU,YAAY,OAAO,MAAM,YAClE,OAAO,QAAQ,UAAU,WAAW,OAAO,QAAQ,uBAAuB,IAAI,MAAM;AACvF,YAAM,IAAI,iBAAiB,SAAS,IAAI,QAAQ,MAAM,UAAU,IAAI;AAAA,IACtE;AACA,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI;AAAA,QACR,2CAA2C,IAAI,MAAM;AAAA,QACrD,IAAI;AAAA,QACJ;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,QAAI,OAAO,SAAS,QAAW;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA,IAAI;AAAA,QACJ;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AACF;","names":[]}
+{"version":3,"sources":["../src/platform/auth.ts","../src/platform/integrations.ts"],"sourcesContent":["/**\n * Server-side client for the Tangle platform's cross-site SSO bridge.\n *\n * Consumer apps (gtm-agent, tax-agent, legal-agent, creative-agent, …)\n * use this to:\n *   1. Build an /authorize URL that lands the user on id.tangle.tools\n *      and brings them back with a single-use code.\n *   2. Exchange that code for an API key + the user's identity.\n *\n * The platform endpoint contract is documented in\n * `products/platform/api/src/routes/cross-site.ts`. This client only\n * speaks HTTP — no SDK weight, no transitive deps.\n */\n\nexport interface PlatformAuthClientOptions {\n  /** Platform base URL, e.g. `https://id.tangle.tools`. */\n  baseUrl: string\n  /** App id as registered in the platform's TRUSTED_APPS registry. */\n  appId: string\n  /** Override the global fetch (useful for tests + edge runtimes). */\n  fetchImpl?: typeof fetch\n}\n\nexport interface AuthorizeUrlOptions {\n  /** Required CSRF token; the consumer verifies it on the callback. */\n  state: string\n  /**\n   * Final redirect URI. Must be one of the URIs registered for `appId`\n   * on the platform. Omit to use the first registered URI.\n   */\n  redirectUri?: string\n  /** Force the login screen even if a session is already active. */\n  prompt?: 'login'\n  /** Pre-fill the email field on the login screen. */\n  email?: string\n}\n\nexport interface ExchangeCodeResult {\n  apiKey: string\n  user: {\n    id: string\n    email: string\n    name?: string\n  }\n  plan: {\n    tier: string\n  }\n}\n\nexport class PlatformAuthError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number,\n    public readonly body: unknown,\n  ) {\n    super(message)\n    this.name = 'PlatformAuthError'\n  }\n}\n\nexport class PlatformAuthClient {\n  private readonly baseUrl: string\n  private readonly appId: string\n  private readonly fetchImpl: typeof fetch\n\n  constructor(options: PlatformAuthClientOptions) {\n    if (!options.baseUrl) throw new Error('PlatformAuthClient: baseUrl is required')\n    if (!options.appId) throw new Error('PlatformAuthClient: appId is required')\n    this.baseUrl = options.baseUrl.replace(/\\/+$/, '')\n    this.appId = options.appId\n    this.fetchImpl =\n      options.fetchImpl ??\n      ((url: Parameters<typeof fetch>[0], init?: Parameters<typeof fetch>[1]) => fetch(url, init))\n  }\n\n  /**\n   * Build the URL the user is redirected to in order to start SSO.\n   * The platform redirects back to one of `appId`'s registered\n   * `redirectUris` with `?code=...&app=...&state=...`.\n   */\n  authorizeUrl(options: AuthorizeUrlOptions): string {\n    if (!options.state) {\n      throw new Error('PlatformAuthClient.authorizeUrl: state is required for CSRF')\n    }\n    const url = new URL('/cross-site/authorize', this.baseUrl)\n    url.searchParams.set('app', this.appId)\n    url.searchParams.set('state', options.state)\n    if (options.redirectUri) url.searchParams.set('redirect', options.redirectUri)\n    if (options.prompt) url.searchParams.set('prompt', options.prompt)\n    if (options.email) url.searchParams.set('email', options.email)\n    return url.toString()\n  }\n\n  /**\n   * Exchange a single-use auth code (delivered to the consumer's\n   * callback by the platform) for an API key + the user's identity.\n   * Codes are single-use and expire ~5 minutes after issue.\n   */\n  async exchange(code: string): Promise<ExchangeCodeResult> {\n    if (!code) throw new Error('PlatformAuthClient.exchange: code is required')\n    const res = await this.fetchImpl(`${this.baseUrl}/cross-site/exchange`, {\n      method: 'POST',\n      headers: { 'content-type': 'application/json' },\n      body: JSON.stringify({ code, app: this.appId }),\n    })\n    const body = await res.json().catch(() => null)\n    if (!res.ok) {\n      const message =\n        body && typeof body === 'object' && 'error' in body && typeof body.error === 'string'\n          ? body.error\n          : `Platform exchange failed (${res.status})`\n      throw new PlatformAuthError(message, res.status, body)\n    }\n    const result = body as Partial<ExchangeCodeResult>\n    if (!result.apiKey || !result.user?.id) {\n      throw new PlatformAuthError(\n        'Platform exchange response is missing apiKey or user',\n        res.status,\n        body,\n      )\n    }\n    return result as ExchangeCodeResult\n  }\n}\n","/**\n * Server-side client for the Tangle platform's integrations hub\n * (`/v1/integrations/*`). Consumer apps use this instead of rolling\n * their own OAuth + connection tables.\n *\n * Auth: the caller supplies a bearer (either the user's API key from\n * cross-site exchange, or a platform service token) on construction.\n * Per-request override via `headers` is supported.\n *\n * Endpoint contract: `products/platform/api/src/routes/integrations.ts`.\n */\n\nexport interface PlatformHubClientOptions {\n  /** Platform base URL, e.g. `https://id.tangle.tools`. */\n  baseUrl: string\n  /** Bearer credential — user API key or service token. */\n  bearer: string\n  /** Override fetch (tests + edge runtimes). */\n  fetchImpl?: typeof fetch\n}\n\nexport interface PlatformConnection {\n  id: string\n  providerId: string\n  connectorId: string\n  status: 'connected' | 'pending' | 'revoked' | 'expired' | string\n  grantedScopes?: string[]\n  account?: { identity?: string; displayName?: string } & Record<string, unknown>\n  metadata?: Record<string, unknown>\n  expiresAt?: string | null\n  createdAt?: string\n  updatedAt?: string\n}\n\nexport interface PlatformCatalogProvider {\n  providerId: string\n  displayName?: string\n  description?: string\n  authMode?: string\n  connectors?: PlatformCatalogConnector[]\n  [k: string]: unknown\n}\n\nexport interface PlatformCatalogConnector {\n  connectorId: string\n  displayName?: string\n  description?: string\n  scopes?: string[]\n  [k: string]: unknown\n}\n\nexport interface StartAuthInput {\n  providerId: string\n  connectorId: string\n  /** Where the platform redirects the user back to after OAuth. */\n  returnUrl: string\n  requestedScopes?: string[]\n  state?: string\n  metadata?: Record<string, unknown>\n  /** Required when the bearer is a service token impersonating a user. */\n  ownerUserId?: string\n}\n\nexport interface StartAuthResult {\n  authorizationUrl: string\n  state: string\n}\n\nexport interface BundleCapabilityInput {\n  manifestId?: string\n  grantIds?: string[]\n  subject: { type: 'user' | 'team' | 'app'; id: string }\n  ttlMs: number\n}\n\nexport interface BundleCapabilityResult {\n  bundle: Record<string, unknown>\n  env: Record<string, string>\n}\n\nexport interface HealthCheck {\n  connectionId: string\n  providerId: string\n  connectorId: string\n  status: 'ok' | 'degraded' | 'failing' | 'unknown' | string\n  checks?: Record<string, unknown>\n  checkedAt?: string\n}\n\nexport class PlatformHubError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number,\n    public readonly code: string | undefined,\n    public readonly body: unknown,\n  ) {\n    super(message)\n    this.name = 'PlatformHubError'\n  }\n}\n\ninterface PlatformEnvelope<T> {\n  success: boolean\n  data?: T\n  error?: { code?: string; message?: string } | string\n}\n\nexport class PlatformHubClient {\n  private readonly baseUrl: string\n  private readonly bearer: string\n  private readonly fetchImpl: typeof fetch\n\n  constructor(options: PlatformHubClientOptions) {\n    if (!options.baseUrl) throw new Error('PlatformHubClient: baseUrl is required')\n    if (!options.bearer) throw new Error('PlatformHubClient: bearer is required')\n    this.baseUrl = options.baseUrl.replace(/\\/+$/, '')\n    this.bearer = options.bearer\n    this.fetchImpl =\n      options.fetchImpl ??\n      ((url: Parameters<typeof fetch>[0], init?: Parameters<typeof fetch>[1]) => fetch(url, init))\n  }\n\n  /** List the integration catalog (providers + connectors). */\n  catalog(): Promise<{ providers: PlatformCatalogProvider[] } & Record<string, unknown>> {\n    return this.request('GET', '/v1/integrations/catalog')\n  }\n\n  /** List the calling user's integration connections. */\n  async listConnections(): Promise<PlatformConnection[]> {\n    const data = await this.request<{ connections: PlatformConnection[] }>(\n      'GET',\n      '/v1/integrations/connections',\n    )\n    return data.connections\n  }\n\n  /** Revoke (and disable) a connection by id. */\n  revokeConnection(connectionId: string): Promise<{\n    connection: PlatformConnection\n    revokedGrants: unknown[]\n    providerRevocation: { ok: boolean }\n  }> {\n    return this.request(\n      'DELETE',\n      `/v1/integrations/connections/${encodeURIComponent(connectionId)}`,\n    )\n  }\n\n  /** Begin OAuth — returns the URL to send the user to. */\n  startAuth(input: StartAuthInput): Promise<StartAuthResult> {\n    return this.request('POST', '/v1/integrations/auth/start', input)\n  }\n\n  /** List connection healthchecks (last known state). */\n  async listHealthchecks(): Promise<HealthCheck[]> {\n    const data = await this.request<{ healthchecks: HealthCheck[] }>(\n      'GET',\n      '/v1/integrations/healthchecks',\n    )\n    return data.healthchecks\n  }\n\n  /** Trigger a fresh healthcheck pass. */\n  runHealthchecks(): Promise<{ scheduled: number }> {\n    return this.request('POST', '/v1/integrations/healthchecks/run', {})\n  }\n\n  /**\n   * Mint a sandbox-injectable capability bundle (env vars + scoped\n   * capability tokens) so a sandbox can invoke integrations on the\n   * user's behalf without seeing the underlying provider tokens.\n   */\n  bundleCapabilities(input: BundleCapabilityInput): Promise<BundleCapabilityResult> {\n    return this.request('POST', '/v1/integrations/capabilities/bundle', input)\n  }\n\n  private async request<T>(\n    method: 'GET' | 'POST' | 'DELETE' | 'PUT',\n    path: string,\n    body?: unknown,\n  ): Promise<T> {\n    const headers: Record<string, string> = {\n      authorization: `Bearer ${this.bearer}`,\n      accept: 'application/json',\n    }\n    if (body !== undefined) headers['content-type'] = 'application/json'\n\n    const res = await this.fetchImpl(`${this.baseUrl}${path}`, {\n      method,\n      headers,\n      body: body !== undefined ? JSON.stringify(body) : undefined,\n    })\n    const text = await res.text()\n    let parsed: PlatformEnvelope<T> | null = null\n    if (text) {\n      try {\n        parsed = JSON.parse(text)\n      } catch {\n        // fall through to error handling below\n      }\n    }\n    if (!res.ok || (parsed && parsed.success === false)) {\n      const code = parsed?.error && typeof parsed.error === 'object' ? parsed.error.code : undefined\n      const message =\n        (parsed?.error && typeof parsed.error === 'object' && parsed.error.message) ||\n        (typeof parsed?.error === 'string' ? parsed.error : `Platform hub error (${res.status})`)\n      throw new PlatformHubError(message, res.status, code, parsed ?? text)\n    }\n    if (!parsed) {\n      throw new PlatformHubError(\n        `Platform hub returned non-JSON success (${res.status})`,\n        res.status,\n        undefined,\n        text,\n      )\n    }\n    if (parsed.data === undefined) {\n      throw new PlatformHubError(\n        'Platform hub envelope missing `data`',\n        res.status,\n        undefined,\n        parsed,\n      )\n    }\n    return parsed.data\n  }\n}\n"],"mappings":";;;AAiDO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,QACA,MAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EALkB;AAAA,EACA;AAKpB;AAEO,IAAM,qBAAN,MAAyB;AAAA,EACb;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,SAAoC;AAC9C,QAAI,CAAC,QAAQ,QAAS,OAAM,IAAI,MAAM,yCAAyC;AAC/E,QAAI,CAAC,QAAQ,MAAO,OAAM,IAAI,MAAM,uCAAuC;AAC3E,SAAK,UAAU,QAAQ,QAAQ,QAAQ,QAAQ,EAAE;AACjD,SAAK,QAAQ,QAAQ;AACrB,SAAK,YACH,QAAQ,cACP,CAAC,KAAkC,SAAuC,MAAM,KAAK,IAAI;AAAA,EAC9F;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,SAAsC;AACjD,QAAI,CAAC,QAAQ,OAAO;AAClB,YAAM,IAAI,MAAM,6DAA6D;AAAA,IAC/E;AACA,UAAM,MAAM,IAAI,IAAI,yBAAyB,KAAK,OAAO;AACzD,QAAI,aAAa,IAAI,OAAO,KAAK,KAAK;AACtC,QAAI,aAAa,IAAI,SAAS,QAAQ,KAAK;AAC3C,QAAI,QAAQ,YAAa,KAAI,aAAa,IAAI,YAAY,QAAQ,WAAW;AAC7E,QAAI,QAAQ,OAAQ,KAAI,aAAa,IAAI,UAAU,QAAQ,MAAM;AACjE,QAAI,QAAQ,MAAO,KAAI,aAAa,IAAI,SAAS,QAAQ,KAAK;AAC9D,WAAO,IAAI,SAAS;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,SAAS,MAA2C;AACxD,QAAI,CAAC,KAAM,OAAM,IAAI,MAAM,+CAA+C;AAC1E,UAAM,MAAM,MAAM,KAAK,UAAU,GAAG,KAAK,OAAO,wBAAwB;AAAA,MACtE,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,MAAM,KAAK,KAAK,MAAM,CAAC;AAAA,IAChD,CAAC;AACD,UAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,IAAI;AAC9C,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,UACJ,QAAQ,OAAO,SAAS,YAAY,WAAW,QAAQ,OAAO,KAAK,UAAU,WACzE,KAAK,QACL,6BAA6B,IAAI,MAAM;AAC7C,YAAM,IAAI,kBAAkB,SAAS,IAAI,QAAQ,IAAI;AAAA,IACvD;AACA,UAAM,SAAS;AACf,QAAI,CAAC,OAAO,UAAU,CAAC,OAAO,MAAM,IAAI;AACtC,YAAM,IAAI;AAAA,QACR;AAAA,QACA,IAAI;AAAA,QACJ;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACF;;;AClCO,IAAM,mBAAN,cAA+B,MAAM;AAAA,EAC1C,YACE,SACgB,QACA,MACA,MAChB;AACA,UAAM,OAAO;AAJG;AACA;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EANkB;AAAA,EACA;AAAA,EACA;AAKpB;AAQO,IAAM,oBAAN,MAAwB;AAAA,EACZ;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,SAAmC;AAC7C,QAAI,CAAC,QAAQ,QAAS,OAAM,IAAI,MAAM,wCAAwC;AAC9E,QAAI,CAAC,QAAQ,OAAQ,OAAM,IAAI,MAAM,uCAAuC;AAC5E,SAAK,UAAU,QAAQ,QAAQ,QAAQ,QAAQ,EAAE;AACjD,SAAK,SAAS,QAAQ;AACtB,SAAK,YACH,QAAQ,cACP,CAAC,KAAkC,SAAuC,MAAM,KAAK,IAAI;AAAA,EAC9F;AAAA;AAAA,EAGA,UAAuF;AACrF,WAAO,KAAK,QAAQ,OAAO,0BAA0B;AAAA,EACvD;AAAA;AAAA,EAGA,MAAM,kBAAiD;AACrD,UAAM,OAAO,MAAM,KAAK;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA,EAGA,iBAAiB,cAId;AACD,WAAO,KAAK;AAAA,MACV;AAAA,MACA,gCAAgC,mBAAmB,YAAY,CAAC;AAAA,IAClE;AAAA,EACF;AAAA;AAAA,EAGA,UAAU,OAAiD;AACzD,WAAO,KAAK,QAAQ,QAAQ,+BAA+B,KAAK;AAAA,EAClE;AAAA;AAAA,EAGA,MAAM,mBAA2C;AAC/C,UAAM,OAAO,MAAM,KAAK;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA,EAGA,kBAAkD;AAChD,WAAO,KAAK,QAAQ,QAAQ,qCAAqC,CAAC,CAAC;AAAA,EACrE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,mBAAmB,OAA+D;AAChF,WAAO,KAAK,QAAQ,QAAQ,wCAAwC,KAAK;AAAA,EAC3E;AAAA,EAEA,MAAc,QACZ,QACA,MACA,MACY;AACZ,UAAM,UAAkC;AAAA,MACtC,eAAe,UAAU,KAAK,MAAM;AAAA,MACpC,QAAQ;AAAA,IACV;AACA,QAAI,SAAS,OAAW,SAAQ,cAAc,IAAI;AAElD,UAAM,MAAM,MAAM,KAAK,UAAU,GAAG,KAAK,OAAO,GAAG,IAAI,IAAI;AAAA,MACzD;AAAA,MACA;AAAA,MACA,MAAM,SAAS,SAAY,KAAK,UAAU,IAAI,IAAI;AAAA,IACpD,CAAC;AACD,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,QAAI,SAAqC;AACzC,QAAI,MAAM;AACR,UAAI;AACF,iBAAS,KAAK,MAAM,IAAI;AAAA,MAC1B,QAAQ;AAAA,MAER;AAAA,IACF;AACA,QAAI,CAAC,IAAI,MAAO,UAAU,OAAO,YAAY,OAAQ;AACnD,YAAM,OAAO,QAAQ,SAAS,OAAO,OAAO,UAAU,WAAW,OAAO,MAAM,OAAO;AACrF,YAAM,UACH,QAAQ,SAAS,OAAO,OAAO,UAAU,YAAY,OAAO,MAAM,YAClE,OAAO,QAAQ,UAAU,WAAW,OAAO,QAAQ,uBAAuB,IAAI,MAAM;AACvF,YAAM,IAAI,iBAAiB,SAAS,IAAI,QAAQ,MAAM,UAAU,IAAI;AAAA,IACtE;AACA,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI;AAAA,QACR,2CAA2C,IAAI,MAAM;AAAA,QACrD,IAAI;AAAA,QACJ;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,QAAI,OAAO,SAAS,QAAW;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA,IAAI;AAAA,QACJ;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AACF;","names":[]}

package/dist/profiles.d.ts

@@ -1,5 +1,5 @@
-export { C as CoderOutput, b as CoderProfileOptions, a as CoderTask, M as MultiHarnessCoderFanoutOptions, c as coderProfile, d as createCoderValidator, m as multiHarnessCoderFanout } from './coder-CVZNGbyg.js';
-import { S as SandboxClient, O as OutputAdapter, V as Validator, A as AgentRunSpec } from './types-nBMuollC.js';
+export { C as CoderOutput, a as CoderProfileOptions, b as CoderTask, M as MultiHarnessCoderFanoutOptions, c as coderProfile, d as createCoderValidator, m as multiHarnessCoderFanout } from './coder-_YCf3BAK.js';
+import { S as SandboxClient, O as OutputAdapter, V as Validator, A as AgentRunSpec } from './types-BEQsBhOE.js';
 import { a as UiLens, U as UiFinding } from './substrate-CUgk7F7s.js';
 export { b as UI_FINDING_SEVERITIES, c as UI_LENSES, d as UiFindingScreenshot, e as UiFindingSeverity } from './substrate-CUgk7F7s.js';
 import { SandboxEvent, AgentProfile } from '@tangle-network/sandbox';

package/dist/{run-loop-DvD4aGiE.d.ts → run-loop-BIineL1T.d.ts}

@@ -1,5 +1,5 @@
 import { SandboxInstance } from '@tangle-network/sandbox';
-import { D as Driver, A as AgentRunSpec, O as OutputAdapter, V as Validator, E as ExecCtx, I as Iteration, L as LoopWinner, a as LoopLineageOptions, S as SandboxClient, b as LoopResult } from './types-nBMuollC.js';
+import { D as Driver, A as AgentRunSpec, O as OutputAdapter, V as Validator, E as ExecCtx, I as Iteration, L as LoopWinner, a as LoopLineageOptions, S as SandboxClient, b as LoopResult } from './types-BEQsBhOE.js';
 
 /**
  * @experimental