@tangle-network/sandbox 0.1.2 → 0.2.1

package/dist/openai/index.js

@@ -0,0 +1,1721 @@
+//#region src/openai/hooks.ts
+/**
+* Sequential hook composer. Hooks run in registration order; `block` and
+* `terminate` short-circuit. `rewrite` and `override` thread their
+* mutated payloads through to the remaining hooks so subsequent hooks
+* observe the rewritten args / overridden result.
+*/
+var HookChain = class {
+	hooks;
+	constructor(hooks = []) {
+		this.hooks = hooks;
+	}
+	/** Number of hooks in the chain. */
+	get size() {
+		return this.hooks.length;
+	}
+	/**
+	* Run every `beforeToolCall` in registration order. Returns the first
+	* non-`allow` outcome (block/rewrite), or `allow` if the chain ran
+	* clean. `rewrite` outcomes are threaded forward so later hooks see
+	* the mutated args.
+	*/
+	async runBefore(ctx) {
+		let current = ctx;
+		let lastRewrite = null;
+		for (const hook of this.hooks) {
+			if (!hook.beforeToolCall) continue;
+			const outcome = await hook.beforeToolCall(current);
+			if (outcome.action === "block") return outcome;
+			if (outcome.action === "rewrite") {
+				current = {
+					...current,
+					args: outcome.args
+				};
+				lastRewrite = outcome;
+			}
+		}
+		return lastRewrite ?? { action: "allow" };
+	}
+	/**
+	* Run every `afterToolCall` in registration order. Returns the first
+	* `terminate` outcome immediately. `override` outcomes are threaded
+	* forward so later hooks see the mutated result; the final result is
+	* surfaced as the last `override`, or `pass` if no hook overrode.
+	*/
+	async runAfter(ctx, result) {
+		let current = result;
+		let lastOverride = null;
+		for (const hook of this.hooks) {
+			if (!hook.afterToolCall) continue;
+			const outcome = await hook.afterToolCall(ctx, current);
+			if (outcome.action === "terminate") return outcome;
+			if (outcome.action === "override") {
+				current = outcome.result;
+				lastOverride = outcome;
+			}
+		}
+		return lastOverride ?? { action: "pass" };
+	}
+};
+/**
+* Emits a structured `AuditEvent` for every tool call (before + after).
+* Default sink is `console.info`. The route layer swaps the sink for
+* the eval-runs DuckDB writer.
+*/
+function auditLogHook(opts = {}) {
+	const sink = opts.sink ?? ((event) => {
+		console.info("[audit]", event);
+	});
+	return {
+		async beforeToolCall(ctx) {
+			await sink({
+				phase: "before",
+				runId: ctx.runId,
+				threadId: ctx.threadId,
+				partnerId: ctx.partnerId,
+				toolName: ctx.toolName,
+				callId: ctx.callId,
+				timestamp: ctx.timestamp,
+				args: ctx.args
+			});
+			return { action: "allow" };
+		},
+		async afterToolCall(ctx, result) {
+			await sink({
+				phase: "after",
+				runId: ctx.runId,
+				threadId: ctx.threadId,
+				partnerId: ctx.partnerId,
+				toolName: ctx.toolName,
+				callId: ctx.callId,
+				timestamp: ctx.timestamp,
+				result
+			});
+			return { action: "pass" };
+		}
+	};
+}
+const NETWORK_TOOL_REGEX = /^(fetch|http|https|browser|playwright|curl|wget|computer-use:click|computer-use:type)/i;
+const URL_FIELD_NAMES = new Set([
+	"url",
+	"uri",
+	"endpoint",
+	"href",
+	"src",
+	"target",
+	"address"
+]);
+function extractUrlsFromArgs(args) {
+	const out = [];
+	const visit = (val) => {
+		if (typeof val === "string") {
+			if (/^https?:\/\//i.test(val)) try {
+				const u = new URL(val);
+				out.push({
+					raw: val,
+					host: u.host
+				});
+			} catch {
+				out.push({
+					raw: val,
+					host: null
+				});
+			}
+			return;
+		}
+		if (val === null || typeof val !== "object") return;
+		if (Array.isArray(val)) {
+			for (const item of val) visit(item);
+			return;
+		}
+		for (const [k, v] of Object.entries(val)) {
+			if (URL_FIELD_NAMES.has(k.toLowerCase()) && typeof v === "string") {
+				try {
+					const u = new URL(v);
+					out.push({
+						raw: v,
+						host: u.host
+					});
+				} catch {
+					out.push({
+						raw: v,
+						host: null
+					});
+				}
+				continue;
+			}
+			visit(v);
+		}
+	};
+	visit(args);
+	return out;
+}
+function isNetworkLike(ctx, urls) {
+	if (NETWORK_TOOL_REGEX.test(ctx.toolName)) return true;
+	return urls.length > 0;
+}
+function hostMatches(host, pattern) {
+	if (pattern === host) return true;
+	if (pattern.startsWith("*.")) {
+		const suffix = pattern.slice(1);
+		return host.endsWith(suffix);
+	}
+	return false;
+}
+/**
+* Best-effort allow/deny filter for tool-call URLs.
+*
+* Block tool calls that look network-ish (toolName matches the network
+* regex OR args contain url-like fields) when the resolved host hits
+* the deny list. The allow list is treated as an explicit allowance —
+* when set, only listed hosts pass; unmatched hosts are blocked.
+* `allowFn` overrides both lists when present.
+*
+* **What this hook does NOT catch.** It inspects URL-shaped strings in
+* the tool-call arguments only. The following bypass it silently:
+*
+*   - URLs encoded as base64 / hex / `Buffer.from(...)` literals
+*   - URLs assembled at execution time from string fragments
+*   - URLs reached via redirects, DNS rebinding, or proxy hosts that
+*     match the allow list but forward to denied destinations
+*   - Network calls made by spawned subprocesses, generated code, or
+*     tools whose argument schema does not name a URL field
+*
+* Treat this hook as a UX guardrail (clearer error messages,
+* short-circuiting obvious mistakes) on top of a real egress boundary
+* — not as one. When egress containment is a security requirement
+* (exfil prevention, data residency), enforce it at the runtime
+* sandbox layer (egress firewall, CNI policy, outbound proxy with
+* mTLS) where the agent cannot evade it.
+*/
+function egressPolicyHook(opts = {}) {
+	const denyList = opts.denyList ?? [];
+	const allowList = opts.allowList;
+	return { async beforeToolCall(ctx) {
+		const urls = extractUrlsFromArgs(ctx.args);
+		if (!isNetworkLike(ctx, urls)) return { action: "allow" };
+		if (opts.allowFn) return await opts.allowFn(ctx) ? { action: "allow" } : {
+			action: "block",
+			reason: "egress denied by allowFn"
+		};
+		for (const u of urls) {
+			if (!u.host) continue;
+			for (const pat of denyList) if (hostMatches(u.host, pat)) return {
+				action: "block",
+				reason: `egress denied: host "${u.host}" matches deny pattern "${pat}"`
+			};
+		}
+		if (allowList && allowList.length > 0) for (const u of urls) {
+			const host = u.host;
+			if (!host) return {
+				action: "block",
+				reason: "egress denied: unparseable url"
+			};
+			if (!allowList.some((pat) => hostMatches(host, pat))) return {
+				action: "block",
+				reason: `egress denied: host "${host}" is not on the allow list`
+			};
+		}
+		return { action: "allow" };
+	} };
+}
+/**
+* Terminates the run when the partner's accumulated cost is at or
+* above `ceiling`. The cost lookup is injected so any usage ledger can
+* back it.
+*/
+function costCapHook(opts) {
+	const getCurrentCost = opts.getCurrentCost ?? (async () => 0);
+	return {
+		async beforeToolCall(ctx) {
+			const current = await getCurrentCost(ctx.partnerId);
+			if (current >= opts.ceiling) return {
+				action: "block",
+				reason: `cost cap reached: ${current} >= ${opts.ceiling}`
+			};
+			return { action: "allow" };
+		},
+		async afterToolCall(ctx) {
+			const current = await getCurrentCost(ctx.partnerId);
+			if (current >= opts.ceiling) return {
+				action: "terminate",
+				reason: `cost cap reached after tool call: ${current} >= ${opts.ceiling}`
+			};
+			return { action: "pass" };
+		}
+	};
+}
+/**
+* Token-bucket rate limiter scoped per session id (`runId`) over
+* `computer-use:*` tool calls. Excess calls are blocked with a clear
+* reason. Non-`computer-use` tools pass through untouched.
+*/
+function actionRateLimitHook(opts) {
+	const now = opts.now ?? Date.now;
+	const capacity = Math.max(1, Math.floor(opts.perSecondPerSession));
+	const refillPerMs = opts.perSecondPerSession / 1e3;
+	const buckets = /* @__PURE__ */ new Map();
+	return { async beforeToolCall(ctx) {
+		if (!ctx.toolName.startsWith("computer-use:")) return { action: "allow" };
+		const key = ctx.runId;
+		const t = now();
+		const bucket = buckets.get(key) ?? {
+			tokens: capacity,
+			lastRefillMs: t
+		};
+		const elapsed = Math.max(0, t - bucket.lastRefillMs);
+		bucket.tokens = Math.min(capacity, bucket.tokens + elapsed * refillPerMs);
+		bucket.lastRefillMs = t;
+		if (bucket.tokens < 1) {
+			buckets.set(key, bucket);
+			return {
+				action: "block",
+				reason: `action rate limit exceeded: ${opts.perSecondPerSession}/s`
+			};
+		}
+		bucket.tokens -= 1;
+		buckets.set(key, bucket);
+		return { action: "allow" };
+	} };
+}
+function readScreenshotPayload(result) {
+	const candidates = [
+		result.content,
+		result.details?.screenshot,
+		result.details
+	];
+	for (const c of candidates) if (c && typeof c === "object") {
+		if (typeof c.pngBase64 === "string") return c;
+	}
+	return null;
+}
+/**
+* Applied AFTER `computer-use:screenshot`. v1 ships without the
+* `sharp` dependency: when regions are configured, we surface a warning
+* exactly once per process and pass the screenshot through untouched.
+* Pixel-blur lands in a follow-up that introduces `sharp` deliberately.
+*/
+function screenshotRedactionHook(opts = {}) {
+	const warn = opts.warn ?? ((msg) => console.warn(msg));
+	const hasRegions = (opts.regions?.length ?? 0) > 0;
+	let warned = false;
+	return { async afterToolCall(ctx, result) {
+		if (ctx.toolName !== "computer-use:screenshot") return { action: "pass" };
+		if (!hasRegions) return { action: "pass" };
+		if (!readScreenshotPayload(result)) return { action: "pass" };
+		if (!warned) {
+			warned = true;
+			warn("[screenshotRedactionHook] regions configured but `sharp` is not a dependency in v1; passing screenshot through unmodified");
+		}
+		return { action: "pass" };
+	} };
+}
+const TYPE_TEXT_FIELDS = [
+	"text",
+	"value",
+	"input",
+	"query"
+];
+const CLICK_LABEL_FIELDS = [
+	"label",
+	"alt",
+	"title",
+	"ariaLabel",
+	"near"
+];
+function readStringField(args, fields) {
+	if (!args || typeof args !== "object") return null;
+	const a = args;
+	for (const f of fields) {
+		const v = a[f];
+		if (typeof v === "string" && v.length > 0) return v;
+	}
+	return null;
+}
+/**
+* Block before-execute when a `computer-use:type` text or
+* `computer-use:click` label matches any deny pattern. Mitigates
+* destructive-action sequences (e.g. "delete account", "wire transfer")
+* before they hit the OS.
+*/
+function destructiveActionGuardHook(opts) {
+	const patterns = opts.denyPatterns;
+	return { async beforeToolCall(ctx) {
+		let candidate = null;
+		if (ctx.toolName === "computer-use:type") candidate = readStringField(ctx.args, TYPE_TEXT_FIELDS);
+		else if (ctx.toolName === "computer-use:click") candidate = readStringField(ctx.args, CLICK_LABEL_FIELDS);
+		else return { action: "allow" };
+		if (!candidate) return { action: "allow" };
+		for (const re of patterns) if (re.test(candidate)) return {
+			action: "block",
+			reason: `destructive action denied: input matches ${re.toString()}`
+		};
+		return { action: "allow" };
+	} };
+}
+//#endregion
+//#region src/openai/responses-store.ts
+var InMemoryResponseStore = class {
+	chains = /* @__PURE__ */ new Map();
+	async getPriorTurns(responseId) {
+		const turns = this.chains.get(responseId);
+		return turns ? turns.map((t) => ({ ...t })) : null;
+	}
+	async putPriorTurns(responseId, priorTurns) {
+		this.chains.set(responseId, priorTurns.map((t) => ({ ...t })));
+	}
+	/** Convenience accessor for tests / debug; not part of `ResponseStore`. */
+	size() {
+		return this.chains.size;
+	}
+	/** Drop a chain. */
+	delete(responseId) {
+		return this.chains.delete(responseId);
+	}
+	/** Drop everything. Useful between test cases. */
+	clear() {
+		this.chains.clear();
+	}
+};
+//#endregion
+//#region src/openai/runs.ts
+const TERMINAL_STATUSES = new Set([
+	"completed",
+	"failed",
+	"cancelled",
+	"expired"
+]);
+function isTerminal(status) {
+	return TERMINAL_STATUSES.has(status);
+}
+/**
+* Pure async iterator over the underlying source. No state, no
+* buffering. Iteration ends when the source closes or yields a
+* terminal frame; the iterator itself does not classify frames.
+*/
+async function* runEvents(threadId, runId, source) {
+	for await (const event of source.open(threadId, runId)) yield event;
+}
+function readToolCallFromFrame(event) {
+	if (event.type === "requires_action" || event.type === "tool_call_requested") {
+		const data = event.data ?? event;
+		const id = String(data.callId ?? data.call_id ?? data.id ?? "");
+		const name = String(data.toolName ?? data.tool_name ?? data.name ?? "");
+		if (!id || !name) return null;
+		return {
+			callId: id,
+			toolName: name,
+			args: data.args ?? data.arguments ?? data.input ?? {},
+			requiresAction: true
+		};
+	}
+	if (event.type !== "raw") return null;
+	const data = event.data ?? event;
+	const inner = typeof data.type === "string" ? data.type : "";
+	if (!(inner === "tool-invocation" || inner === "tool_call" || inner === "computer-use" || inner === "computer_call")) return null;
+	const ti = data.toolInvocation ?? data.tool_invocation ?? data.computerUse ?? data.computer_use ?? data;
+	const id = String(ti.toolCallId ?? ti.tool_call_id ?? ti.callId ?? ti.id ?? "");
+	const name = inner === "computer-use" || inner === "computer_call" ? `computer-use:${String(ti.action?.type ?? "action")}` : String(ti.toolName ?? ti.tool_name ?? ti.name ?? "");
+	if (!id || !name) return null;
+	return {
+		callId: id,
+		toolName: name,
+		args: ti.args ?? ti.arguments ?? ti.input ?? {},
+		requiresAction: false
+	};
+}
+function readTerminal(event) {
+	if (event.type === "done") {
+		const outcome = typeof event.outcome === "string" && event.outcome || "success";
+		if (outcome === "success" || outcome === "completed" || outcome === "succeeded" || outcome === "done") return { status: "completed" };
+		return {
+			status: "failed",
+			reason: typeof event.error === "string" ? event.error : outcome
+		};
+	}
+	if (event.type === "error") return {
+		status: "failed",
+		reason: typeof event.message === "string" && event.message || typeof event.error === "string" && event.error || "stream error"
+	};
+	return null;
+}
+/**
+* Internal queue helper: an async iterable backed by a bounded
+* pending-list with a settle promise that resolves whenever a new
+* event lands or the queue closes.
+*
+* Each iterator returned by `iterator()` shares the queue's buffer
+* and waiter list. Two concurrent iterators would therefore steal
+* events from each other (whichever called `next()` first wins),
+* which silently drops events for the second consumer. Because there
+* is only ever one consumer of `Run.events()` by design, this class
+* enforces single-consumption explicitly: a second `iterator()` call
+* throws so the contract violation is loud rather than silent.
+*/
+var EventQueue = class {
+	buffer = [];
+	waiters = [];
+	closed = false;
+	iteratorCreated = false;
+	push(value) {
+		if (this.closed) return;
+		const w = this.waiters.shift();
+		if (w) {
+			w({
+				value,
+				done: false
+			});
+			return;
+		}
+		this.buffer.push(value);
+	}
+	close() {
+		if (this.closed) return;
+		this.closed = true;
+		while (this.waiters.length > 0) this.waiters.shift()?.({
+			value: void 0,
+			done: true
+		});
+	}
+	iterator() {
+		if (this.iteratorCreated) throw new Error("Run.events() may only be consumed once. Multiple iterators on the same Run share state and would interleave/steal events.");
+		this.iteratorCreated = true;
+		const self = this;
+		return {
+			[Symbol.asyncIterator]() {
+				return this;
+			},
+			next() {
+				if (self.buffer.length > 0) {
+					const value = self.buffer.shift();
+					return Promise.resolve({
+						value,
+						done: false
+					});
+				}
+				if (self.closed) return Promise.resolve({
+					value: void 0,
+					done: true
+				});
+				return new Promise((resolve) => {
+					self.waiters.push(resolve);
+				});
+			},
+			return() {
+				self.close();
+				return Promise.resolve({
+					value: void 0,
+					done: true
+				});
+			}
+		};
+	}
+};
+/**
+* High-level `Run`. Drives the underlying `RunEventSource`, manages
+* status transitions, dispatches tool calls through the hook chain,
+* and surfaces a typed `RunEvent` stream to consumers.
+*/
+var Run = class {
+	id;
+	threadId;
+	partnerId;
+	_status = "queued";
+	source;
+	hooks;
+	executeTool;
+	onStatusChange;
+	queue = new EventQueue();
+	startPromise = null;
+	pendingCalls = /* @__PURE__ */ new Map();
+	cancelRequested = false;
+	constructor(opts) {
+		this.id = opts.id;
+		this.threadId = opts.threadId;
+		this.partnerId = opts.partnerId;
+		this.source = opts.source;
+		this.hooks = opts.hooks;
+		this.executeTool = opts.executeTool;
+		this.onStatusChange = opts.onStatusChange;
+	}
+	get status() {
+		return this._status;
+	}
+	/**
+	* Subscribe to typed events. May only be consumed once per Run.
+	*
+	* The single-consumer constraint is permanent for the lifetime of
+	* the Run instance, including AFTER the run completes — calling
+	* `events()` a second time always throws, even if the first
+	* consumer drained the iterator to completion. This is intentional:
+	* the queue is a one-shot stream, not a re-readable buffer, and
+	* events are dropped after delivery to avoid unbounded retention.
+	* Callers that need to revisit terminal state should keep a handle
+	* to the original iterator's drained values, or use the Run's
+	* status/result accessors.
+	*/
+	events() {
+		return this.queue.iterator();
+	}
+	/**
+	* Drive the underlying stream to completion. Idempotent: subsequent
+	* calls return the same in-flight promise.
+	*/
+	start() {
+		if (this.startPromise) return this.startPromise;
+		this.startPromise = this.driveStream();
+		return this.startPromise;
+	}
+	/**
+	* Cancel an in-flight run. Sets status to `cancelled` and closes
+	* the event queue. Tries the source-level cancel hint as a
+	* best-effort heads-up to the upstream stream.
+	*/
+	async cancel(reason) {
+		if (isTerminal(this._status)) return;
+		this.cancelRequested = true;
+		if (this.source.cancel) try {
+			await this.source.cancel(this.threadId, this.id);
+		} catch {}
+		this.transition("cancelled");
+		this.queue.push({
+			type: "cancelled",
+			reason
+		});
+		this.queue.close();
+	}
+	/**
+	* Append a user message to the thread and restart the stream. The
+	* source's `steer` hook is invoked when present; otherwise we throw
+	* because a stateless source cannot honor a steer.
+	*/
+	async steer(message) {
+		if (!this.source.steer) throw new Error("RunEventSource does not support steer");
+		if (isTerminal(this._status)) throw new Error(`cannot steer a ${this._status} run`);
+		await this.source.steer(this.threadId, this.id, message);
+		if (this._status === "requires_action") this.transition("in_progress");
+		this.startPromise = this.driveStream();
+		await this.startPromise;
+	}
+	/**
+	* Resume a `requires_action` run by submitting tool outputs. The
+	* outputs are forwarded to the source so the upstream agent can
+	* continue. Status transitions back to `in_progress`.
+	*/
+	async submitToolOutputs(outputs) {
+		if (this._status !== "requires_action") throw new Error(`cannot submit tool outputs in status ${this._status}`);
+		if (!this.source.submitToolOutputs) throw new Error("RunEventSource does not support submitToolOutputs");
+		for (const o of outputs) this.pendingCalls.delete(o.toolCallId);
+		await this.source.submitToolOutputs(this.threadId, this.id, outputs);
+		this.transition("in_progress");
+		this.startPromise = this.driveStream();
+		await this.startPromise;
+	}
+	/** Externally drive the run into the `expired` terminal status. */
+	expire() {
+		if (isTerminal(this._status)) return;
+		this.transition("expired");
+		this.queue.push({
+			type: "failed",
+			reason: "expired"
+		});
+		this.queue.close();
+	}
+	transition(next) {
+		if (this._status === next) return;
+		const prev = this._status;
+		this._status = next;
+		this.queue.push({
+			type: "status",
+			status: next,
+			previous: prev
+		});
+		this.onStatusChange?.(next, prev);
+	}
+	async driveStream() {
+		try {
+			for await (const event of runEvents(this.threadId, this.id, this.source)) {
+				if (this.cancelRequested) return;
+				if (this._status === "queued") this.transition("in_progress");
+				this.queue.push({
+					type: "stream",
+					event
+				});
+				const tool = readToolCallFromFrame(event);
+				if (tool) {
+					const handled = await this.handleToolCall(tool);
+					if (handled === "terminate") return;
+					if (handled === "requires_action") return;
+					continue;
+				}
+				const terminal = readTerminal(event);
+				if (terminal) {
+					if (terminal.status === "completed") {
+						this.transition("completed");
+						this.queue.push({ type: "completed" });
+					} else {
+						this.transition("failed");
+						this.queue.push({
+							type: "failed",
+							reason: terminal.reason ?? "unknown failure"
+						});
+					}
+					this.queue.close();
+					return;
+				}
+			}
+			if (!isTerminal(this._status)) {
+				this.transition("completed");
+				this.queue.push({ type: "completed" });
+				this.queue.close();
+			}
+		} catch (err) {
+			if (isTerminal(this._status)) return;
+			const reason = err instanceof Error ? err.message : String(err);
+			this.transition("failed");
+			this.queue.push({
+				type: "failed",
+				reason
+			});
+			this.queue.close();
+		}
+	}
+	async handleToolCall(tool) {
+		const ctx = {
+			runId: this.id,
+			threadId: this.threadId,
+			partnerId: this.partnerId,
+			toolName: tool.toolName,
+			args: tool.args,
+			callId: tool.callId,
+			timestamp: Date.now()
+		};
+		let dispatchCtx = ctx;
+		if (this.hooks && this.hooks.size > 0) {
+			const before = await this.hooks.runBefore(ctx);
+			if (before.action === "block") {
+				const blockedResult = {
+					content: { error: before.reason },
+					isError: true,
+					details: { blockedBy: "beforeToolCall" }
+				};
+				this.queue.push({
+					type: "tool_blocked",
+					ctx,
+					reason: before.reason
+				});
+				this.queue.push({
+					type: "tool_result",
+					ctx,
+					result: blockedResult
+				});
+				if (tool.requiresAction) {
+					this.pendingCalls.set(tool.callId, ctx);
+					this.transition("requires_action");
+					this.queue.push({
+						type: "requires_action",
+						pendingCallIds: Array.from(this.pendingCalls.keys())
+					});
+					return "requires_action";
+				}
+				return "continue";
+			}
+			if (before.action === "rewrite") dispatchCtx = {
+				...ctx,
+				args: before.args
+			};
+		}
+		if (tool.requiresAction) {
+			this.pendingCalls.set(tool.callId, dispatchCtx);
+			this.transition("requires_action");
+			this.queue.push({
+				type: "tool_call",
+				ctx: dispatchCtx
+			});
+			this.queue.push({
+				type: "requires_action",
+				pendingCallIds: Array.from(this.pendingCalls.keys())
+			});
+			return "requires_action";
+		}
+		if (!this.executeTool) {
+			this.queue.push({
+				type: "tool_call",
+				ctx: dispatchCtx
+			});
+			return "continue";
+		}
+		this.queue.push({
+			type: "tool_call",
+			ctx: dispatchCtx
+		});
+		let result;
+		try {
+			result = await this.executeTool(dispatchCtx);
+		} catch (err) {
+			result = {
+				content: { error: err instanceof Error ? err.message : String(err) },
+				isError: true
+			};
+		}
+		let finalResult = result;
+		if (this.hooks && this.hooks.size > 0) {
+			const after = await this.hooks.runAfter(dispatchCtx, result);
+			if (after.action === "terminate") {
+				this.queue.push({
+					type: "tool_result",
+					ctx: dispatchCtx,
+					result
+				});
+				this.transition("failed");
+				this.queue.push({
+					type: "failed",
+					reason: after.reason
+				});
+				this.queue.close();
+				return "terminate";
+			}
+			if (after.action === "override") finalResult = after.result;
+		}
+		this.queue.push({
+			type: "tool_result",
+			ctx: dispatchCtx,
+			result: finalResult
+		});
+		return "continue";
+	}
+};
+//#endregion
+//#region src/openai/translate/finish-reason.ts
+function outcomeToFinishReason(outcome, hasToolCall) {
+	switch (outcome) {
+		case "success":
+		case "succeeded":
+		case "completed":
+		case "done": return hasToolCall ? "tool_calls" : "stop";
+		case "length_exceeded":
+		case "length":
+		case "max_tokens": return "length";
+		case "content_filtered":
+		case "content_filter":
+		case "filtered": return "content_filter";
+		default: return "stop";
+	}
+}
+//#endregion
+//#region src/openai/translate/chunks.ts
+/**
+* Read the text token from a `token` event. Tangle emits the delta as
+* either `delta`, `text`, or `token`; tolerate all three so the
+* translator stays decoupled from minor runtime variations.
+*/
+function readTokenDelta(event) {
+	if (typeof event.delta === "string") return event.delta;
+	if (typeof event.text === "string") return event.text;
+	if (typeof event.token === "string") return event.token;
+	return null;
+}
+function readToolInvocation(event) {
+	if (event.type !== "raw") return null;
+	const data = event.data ?? event;
+	const inner = typeof data.type === "string" ? data.type : typeof event.type === "string" ? event.type : "";
+	if (!(inner === "tool-invocation" || inner === "tool_call" || typeof data.toolInvocation === "object" || typeof data.tool_invocation === "object")) return null;
+	const ti = data.toolInvocation ?? data.tool_invocation ?? data;
+	const id = typeof ti.toolCallId === "string" ? ti.toolCallId : typeof ti.tool_call_id === "string" ? ti.tool_call_id : typeof ti.id === "string" ? ti.id : typeof ti.callId === "string" ? ti.callId : "";
+	const name = typeof ti.toolName === "string" ? ti.toolName : typeof ti.tool_name === "string" ? ti.tool_name : typeof ti.name === "string" ? ti.name : "";
+	const args = ti.args ?? ti.arguments ?? ti.input ?? {};
+	if (!id || !name) return null;
+	return {
+		id,
+		name,
+		arguments: typeof args === "string" ? args : JSON.stringify(args)
+	};
+}
+/**
+* Read a usage payload from a `done` event. The runtime emits usage
+* either at the top level or under a `usage` key; try both.
+*/
+function readUsage(event) {
+	const u = event.usage ?? event;
+	const prompt = Number(u.prompt_tokens ?? u.input_tokens ?? u.inputTokens ?? 0);
+	const completion = Number(u.completion_tokens ?? u.output_tokens ?? u.outputTokens ?? 0);
+	if (prompt === 0 && completion === 0) return null;
+	return {
+		prompt_tokens: prompt,
+		completion_tokens: completion,
+		total_tokens: Number(u.total_tokens ?? prompt + completion)
+	};
+}
+function readOutcome(event) {
+	if (typeof event.outcome === "string") return event.outcome;
+	if (typeof event.status === "string") return event.status;
+	if (event.success === false) return "failure";
+	return "success";
+}
+function chatBaseChunk(ctx) {
+	ctx.chunkIndex += 1;
+	return {
+		id: ctx.runId,
+		created: ctx.createdAt,
+		model: ctx.modelId,
+		object: "chat.completion.chunk"
+	};
+}
+function sandboxEventToChatChunk(event, ctx) {
+	switch (event.type) {
+		case "start": return null;
+		case "execution.started": return null;
+		case "status": return null;
+		case "session.updated": return null;
+		case "message.part.updated": return null;
+		case "token": {
+			const delta = readTokenDelta(event);
+			if (delta == null || delta.length === 0) return null;
+			return {
+				...chatBaseChunk(ctx),
+				choices: [{
+					index: 0,
+					delta: {
+						role: "assistant",
+						content: delta
+					},
+					finish_reason: null
+				}]
+			};
+		}
+		case "raw": {
+			const tool = readToolInvocation(event);
+			if (!tool) return null;
+			const existing = ctx.toolCallBuffer.get(tool.id);
+			const index = existing ? existing.index : ctx.toolCallBuffer.size;
+			ctx.toolCallBuffer.set(tool.id, {
+				index,
+				id: tool.id,
+				name: tool.name,
+				arguments: tool.arguments
+			});
+			return {
+				...chatBaseChunk(ctx),
+				choices: [{
+					index: 0,
+					delta: {
+						role: "assistant",
+						tool_calls: [{
+							index,
+							id: tool.id,
+							type: "function",
+							function: {
+								name: tool.name,
+								arguments: tool.arguments
+							}
+						}]
+					},
+					finish_reason: null
+				}]
+			};
+		}
+		case "error": {
+			const hasToolCall = ctx.toolCallBuffer.size > 0;
+			return {
+				...chatBaseChunk(ctx),
+				choices: [{
+					index: 0,
+					delta: {},
+					finish_reason: outcomeToFinishReason("error", hasToolCall)
+				}]
+			};
+		}
+		case "done": {
+			const hasToolCall = ctx.toolCallBuffer.size > 0;
+			const finish = outcomeToFinishReason(readOutcome(event), hasToolCall);
+			const usage = readUsage(event);
+			const chunk = {
+				...chatBaseChunk(ctx),
+				choices: [{
+					index: 0,
+					delta: {},
+					finish_reason: finish
+				}]
+			};
+			if (usage) chunk.usage = usage;
+			return chunk;
+		}
+		default: return null;
+	}
+}
+function completionBaseChunk(ctx) {
+	ctx.chunkIndex += 1;
+	return {
+		id: ctx.runId,
+		created: ctx.createdAt,
+		model: ctx.modelId,
+		object: "text_completion"
+	};
+}
+function sandboxEventToCompletionChunk(event, ctx) {
+	switch (event.type) {
+		case "start":
+		case "execution.started":
+		case "status":
+		case "session.updated":
+		case "message.part.updated":
+		case "raw":
+			if (event.type === "raw") {
+				const tool = readToolInvocation(event);
+				if (tool) {
+					const existing = ctx.toolCallBuffer.get(tool.id);
+					const index = existing ? existing.index : ctx.toolCallBuffer.size;
+					ctx.toolCallBuffer.set(tool.id, {
+						index,
+						id: tool.id,
+						name: tool.name,
+						arguments: tool.arguments
+					});
+				}
+			}
+			return null;
+		case "token": {
+			const delta = readTokenDelta(event);
+			if (delta == null || delta.length === 0) return null;
+			return {
+				...completionBaseChunk(ctx),
+				choices: [{
+					index: 0,
+					text: delta,
+					finish_reason: null,
+					logprobs: null
+				}]
+			};
+		}
+		case "error":
+		case "done": {
+			const finish = outcomeToFinishReason(event.type === "error" ? "error" : readOutcome(event), false);
+			const reason = finish === "tool_calls" ? "stop" : finish;
+			const usage = readUsage(event);
+			const chunk = {
+				...completionBaseChunk(ctx),
+				choices: [{
+					index: 0,
+					text: "",
+					finish_reason: reason,
+					logprobs: null
+				}]
+			};
+			if (usage) chunk.usage = usage;
+			return chunk;
+		}
+		default: return null;
+	}
+}
+function getResponsesExtras(ctx) {
+	const slot = ctx;
+	if (!slot.__responsesExtras) slot.__responsesExtras = {
+		sequence: 0,
+		toolOutputIndex: /* @__PURE__ */ new Map()
+	};
+	return slot.__responsesExtras;
+}
+function nextSeq(extras) {
+	extras.sequence += 1;
+	return extras.sequence;
+}
+function emptyResponseUsage() {
+	return {
+		input_tokens: 0,
+		output_tokens: 0,
+		total_tokens: 0,
+		input_tokens_details: { cached_tokens: 0 },
+		output_tokens_details: { reasoning_tokens: 0 }
+	};
+}
+function usageFromTokens(usage) {
+	return {
+		input_tokens: usage.prompt_tokens,
+		output_tokens: usage.completion_tokens,
+		total_tokens: usage.total_tokens,
+		input_tokens_details: { cached_tokens: 0 },
+		output_tokens_details: { reasoning_tokens: 0 }
+	};
+}
+function sandboxEventToResponsesEvent(event, ctx) {
+	const extras = getResponsesExtras(ctx);
+	switch (event.type) {
+		case "start": return null;
+		case "execution.started": return null;
+		case "status": return null;
+		case "session.updated": return null;
+		case "message.part.updated": return null;
+		case "token": {
+			const delta = readTokenDelta(event);
+			if (delta == null || delta.length === 0) return null;
+			ctx.chunkIndex += 1;
+			if (extras.messageOutputIndex === void 0) extras.messageOutputIndex = ctx.toolCallBuffer.size;
+			return {
+				type: "response.output_text.delta",
+				content_index: 0,
+				delta,
+				item_id: `msg_${ctx.runId}`,
+				logprobs: [],
+				output_index: extras.messageOutputIndex,
+				sequence_number: nextSeq(extras)
+			};
+		}
+		case "raw": {
+			const tool = readToolInvocation(event);
+			if (!tool) return null;
+			ctx.chunkIndex += 1;
+			const existing = ctx.toolCallBuffer.get(tool.id);
+			const index = existing ? existing.index : ctx.toolCallBuffer.size;
+			ctx.toolCallBuffer.set(tool.id, {
+				index,
+				id: tool.id,
+				name: tool.name,
+				arguments: tool.arguments
+			});
+			const outputIndex = extras.toolOutputIndex.get(tool.id) ?? extras.toolOutputIndex.size;
+			extras.toolOutputIndex.set(tool.id, outputIndex);
+			return {
+				type: "response.output_item.added",
+				item: {
+					type: "function_call",
+					id: `fc_${tool.id}`,
+					call_id: tool.id,
+					name: tool.name,
+					arguments: tool.arguments,
+					status: "completed"
+				},
+				output_index: outputIndex,
+				sequence_number: nextSeq(extras)
+			};
+		}
+		case "error": {
+			const outputIndex = extras.messageOutputIndex ?? 0;
+			return {
+				type: "response.output_item.done",
+				item: {
+					type: "message",
+					id: `msg_${ctx.runId}`,
+					role: "assistant",
+					status: "incomplete",
+					content: []
+				},
+				output_index: outputIndex,
+				sequence_number: nextSeq(extras)
+			};
+		}
+		case "done": {
+			const tokens = readUsage(event);
+			const usage = tokens ? usageFromTokens(tokens) : emptyResponseUsage();
+			return {
+				type: "response.completed",
+				sequence_number: nextSeq(extras),
+				response: {
+					id: ctx.runId,
+					object: "response",
+					created_at: ctx.createdAt,
+					output_text: "",
+					error: null,
+					incomplete_details: null,
+					instructions: null,
+					metadata: null,
+					model: ctx.modelId,
+					output: [],
+					parallel_tool_calls: false,
+					temperature: null,
+					tool_choice: "auto",
+					tools: [],
+					top_p: null,
+					status: "completed",
+					usage
+				}
+			};
+		}
+		default: return null;
+	}
+}
+//#endregion
+//#region src/openai/translate/embeddings.ts
+/**
+* Error shape used for rejecting embedding requests. The route layer
+* lifts these into OpenAI's `{ error: { type, code, message } }` body.
+*/
+var EmbeddingValidationError = class extends Error {
+	type = "invalid_request_error";
+	code;
+	param;
+	constructor(message, code, param) {
+		super(message);
+		this.name = "EmbeddingValidationError";
+		this.code = code;
+		this.param = param;
+	}
+};
+const MAX_BATCH = 2048;
+function reject(message, code, param) {
+	throw new EmbeddingValidationError(message, code, param);
+}
+function normalizeInput(input) {
+	if (typeof input === "string") {
+		if (input.length === 0) reject("Input string must not be empty", "empty_input", "input");
+		return {
+			kind: "text",
+			values: [input]
+		};
+	}
+	if (!Array.isArray(input)) reject("Input must be a string, array of strings, or array of token arrays", "invalid_input_type", "input");
+	if (input.length === 0) reject("Input array must not be empty", "empty_input", "input");
+	if (input.length > MAX_BATCH) reject(`Input array exceeds maximum batch size of ${MAX_BATCH}`, "batch_too_large", "input");
+	const first = input[0];
+	if (typeof first === "string") {
+		const values = [];
+		for (let i = 0; i < input.length; i++) {
+			const v = input[i];
+			if (typeof v !== "string") reject(`Input array must be homogeneous; index ${i} is not a string`, "mixed_input_types", "input");
+			if (v.length === 0) reject(`Input string at index ${i} must not be empty`, "empty_input", "input");
+			values.push(v);
+		}
+		return {
+			kind: "text",
+			values
+		};
+	}
+	if (typeof first === "number") {
+		for (let i = 0; i < input.length; i++) if (typeof input[i] !== "number") reject(`Token array must contain only numbers; index ${i} is ${typeof input[i]}`, "invalid_token_type", "input");
+		return {
+			kind: "tokens",
+			values: [input]
+		};
+	}
+	if (Array.isArray(first)) {
+		const values = [];
+		for (let i = 0; i < input.length; i++) {
+			const row = input[i];
+			if (!Array.isArray(row)) reject(`Input array must be homogeneous; index ${i} is not an array`, "mixed_input_types", "input");
+			if (row.length === 0) reject(`Token array at index ${i} must not be empty`, "empty_input", "input");
+			for (let j = 0; j < row.length; j++) if (typeof row[j] !== "number") reject(`Token array at index ${i} must contain only numbers; element ${j} is ${typeof row[j]}`, "invalid_token_type", "input");
+			values.push(row);
+		}
+		return {
+			kind: "tokens",
+			values
+		};
+	}
+	reject("Input must be a string, array of strings, or array of token arrays", "invalid_input_type", "input");
+}
+/**
+* Validate and normalize an embedding request. Throws
+* `EmbeddingValidationError` on any rejection.
+*/
+function validateEmbeddingRequest(req) {
+	if (!req || typeof req !== "object") reject("Request body must be an object", "invalid_request", void 0);
+	if (typeof req.model !== "string" || req.model.length === 0) reject("Model is required", "model_required", "model");
+	if (req.dimensions !== void 0) {
+		if (typeof req.dimensions !== "number" || !Number.isInteger(req.dimensions) || req.dimensions <= 0) reject("Dimensions must be a positive integer", "invalid_dimensions", "dimensions");
+	}
+	const encodingFormat = req.encoding_format ?? "float";
+	if (encodingFormat !== "float" && encodingFormat !== "base64") reject("encoding_format must be 'float' or 'base64'", "invalid_encoding_format", "encoding_format");
+	const input = normalizeInput(req.input);
+	const out = {
+		model: req.model,
+		input,
+		encodingFormat
+	};
+	if (req.dimensions !== void 0) out.dimensions = req.dimensions;
+	if (req.user !== void 0) out.user = req.user;
+	return out;
+}
+//#endregion
+//#region src/openai/translate/messages.ts
+/**
+* Strip the leading `tangle/` namespace from a model id and split off an
+* optional variant. Examples:
+*   - `tangle/claude-code`        → `{ provider: "claude-code" }`
+*   - `tangle/opencode/sonnet`    → `{ provider: "opencode", variant: "sonnet" }`
+*   - `claude-code`               → `{ provider: "claude-code" }` (no prefix)
+*/
+function resolveProviderId(model) {
+	const trimmed = model.trim();
+	const withoutPrefix = trimmed.startsWith("tangle/") ? trimmed.slice(7) : trimmed;
+	if (!withoutPrefix) throw new Error(`Invalid model id: ${JSON.stringify(model)}`);
+	const slash = withoutPrefix.indexOf("/");
+	if (slash === -1) return { provider: withoutPrefix };
+	const provider = withoutPrefix.slice(0, slash);
+	const variant = withoutPrefix.slice(slash + 1);
+	if (!provider || !variant) throw new Error(`Invalid model id: ${JSON.stringify(model)}`);
+	return {
+		provider,
+		variant
+	};
+}
+/**
+* Coerce an OpenAI chat content field into a normalized text + parts pair.
+* Refusal parts are dropped — they only appear on assistant turns and the
+* sandbox runtime does not consume them; assistant text is the only field
+* we need from the assistant side.
+*/
+function normalizeContent(content) {
+	if (content == null) return {
+		text: "",
+		parts: []
+	};
+	if (typeof content === "string") return {
+		text: content,
+		parts: []
+	};
+	const parts = [];
+	const textPieces = [];
+	for (const part of content) if (part.type === "text") {
+		textPieces.push(part.text);
+		parts.push({
+			type: "text",
+			text: part.text
+		});
+	} else if (part.type === "image_url") parts.push({
+		type: "image_url",
+		image_url: {
+			url: part.image_url.url,
+			detail: part.image_url.detail
+		}
+	});
+	else if (part.type === "input_audio") parts.push({
+		type: "input_audio",
+		input_audio: {
+			data: part.input_audio.data,
+			format: part.input_audio.format
+		}
+	});
+	return {
+		text: textPieces.join("\n"),
+		parts
+	};
+}
+/**
+* Read assistant text content. Assistant messages can carry an array of
+* text + refusal parts; refusal text is preserved as plain text so the
+* provider sees the full assistant turn.
+*/
+function readAssistantText(content) {
+	if (content == null) return "";
+	if (typeof content === "string") return content;
+	const pieces = [];
+	for (const part of content) if (part.type === "text") pieces.push(part.text);
+	else if (part.type === "refusal") pieces.push(part.refusal);
+	return pieces.join("\n");
+}
+/** Read tool message content (string or array of text parts). */
+function readToolContent(content) {
+	if (typeof content === "string") return content;
+	return content.map((p) => p.text).join("\n");
+}
+/**
+* Convert an OpenAI tool-spec array into the SDK's internal forwarding
+* shape. Custom (non-function) tools are dropped at this layer because
+* downstream providers only accept function-shaped tools; the route
+* layer is responsible for surfacing a 400 if the caller requested
+* something the provider can't run.
+*/
+function convertTools(tools) {
+	if (!tools || tools.length === 0) return void 0;
+	const out = [];
+	for (const tool of tools) if (tool.type === "function") out.push({
+		type: "function",
+		function: {
+			name: tool.function.name,
+			description: tool.function.description,
+			parameters: tool.function.parameters ?? null,
+			strict: tool.function.strict ?? null
+		}
+	});
+	return out.length > 0 ? out : void 0;
+}
+/**
+* Translate an OpenAI chat-shape message thread into a SandboxRunInput.
+*
+* @param messages  Ordered messages as the OpenAI client would send them.
+* @param tools     Optional function tool descriptors to forward unchanged.
+* @param model     Caller-supplied model id (`tangle/<provider>[/<variant>]`).
+*
+* @throws when the resolved provider id is empty, when the message thread
+*         lacks any user message, or when an `assistant` `tool_calls` item
+*         is malformed (missing id/name/arguments).
+*/
+function openaiMessagesToSandboxInput(messages, tools, model) {
+	const { provider, variant } = resolveProviderId(model);
+	const instructionsPieces = [];
+	const userPieces = [];
+	const priorTurns = [];
+	let pendingTurn = null;
+	let pendingUserParts = [];
+	let trailingUserParts = [];
+	let multimodal = false;
+	const flushPending = () => {
+		if (pendingTurn) {
+			priorTurns.push(pendingTurn);
+			pendingTurn = null;
+		}
+	};
+	let lastUserIndex = -1;
+	for (let i = messages.length - 1; i >= 0; i--) if (messages[i].role === "user") {
+		lastUserIndex = i;
+		break;
+	}
+	if (lastUserIndex === -1) throw new Error("openaiMessagesToSandboxInput: messages must contain at least one user message");
+	for (let i = 0; i < messages.length; i++) {
+		const msg = messages[i];
+		switch (msg.role) {
+			case "system":
+			case "developer": {
+				const { text } = normalizeContent(msg.content);
+				if (text) instructionsPieces.push(text);
+				break;
+			}
+			case "user": {
+				const { text, parts } = normalizeContent(msg.content);
+				if (parts.some((p) => p.type !== "text")) multimodal = true;
+				if (i === lastUserIndex) {
+					userPieces.push(text);
+					if (parts.length > 0) trailingUserParts = parts;
+				} else {
+					flushPending();
+					if (parts.length > 0) {
+						pendingTurn = { userParts: parts };
+						pendingUserParts = parts;
+					} else {
+						pendingTurn = {};
+						pendingUserParts = [];
+					}
+					if (text) userPieces.push(text);
+				}
+				break;
+			}
+			case "assistant": {
+				if (!pendingTurn) pendingTurn = {};
+				const text = readAssistantText(msg.content);
+				if (text) pendingTurn.assistantText = text;
+				if (msg.tool_calls && msg.tool_calls.length > 0) {
+					const calls = [];
+					for (const call of msg.tool_calls) {
+						if (call.type !== "function") continue;
+						if (!call.id || !call.function?.name || typeof call.function.arguments !== "string") throw new Error(`openaiMessagesToSandboxInput: malformed assistant tool_call at index ${i}`);
+						calls.push({
+							id: call.id,
+							name: call.function.name,
+							arguments: call.function.arguments
+						});
+					}
+					if (calls.length > 0) pendingTurn.toolCalls = calls;
+				}
+				if (pendingUserParts.length > 0 && !pendingTurn.userParts) pendingTurn.userParts = pendingUserParts;
+				break;
+			}
+			case "tool": {
+				const result = {
+					toolCallId: msg.tool_call_id,
+					content: readToolContent(msg.content)
+				};
+				let attached = false;
+				if (pendingTurn?.toolCalls?.some((c) => c.id === msg.tool_call_id)) {
+					if (!pendingTurn.toolResults) pendingTurn.toolResults = [];
+					pendingTurn.toolResults.push(result);
+					attached = true;
+				} else for (let j = priorTurns.length - 1; j >= 0; j--) {
+					const turn = priorTurns[j];
+					if (turn.toolCalls?.some((c) => c.id === msg.tool_call_id)) {
+						if (!turn.toolResults) turn.toolResults = [];
+						turn.toolResults.push(result);
+						attached = true;
+						break;
+					}
+				}
+				if (!attached) throw new Error(`openaiMessagesToSandboxInput: tool message references unknown tool_call_id ${msg.tool_call_id}`);
+				break;
+			}
+			case "function": break;
+		}
+		if (i === lastUserIndex) flushPending();
+	}
+	flushPending();
+	const result = {
+		provider,
+		task: userPieces.join("\n\n")
+	};
+	if (variant) result.variant = variant;
+	const instructions = instructionsPieces.join("\n\n");
+	if (instructions) result.instructions = instructions;
+	if (trailingUserParts.length > 0) result.taskParts = trailingUserParts;
+	if (priorTurns.length > 0) result.priorTurns = priorTurns;
+	const toolSpecs = convertTools(tools);
+	if (toolSpecs) result.tools = toolSpecs;
+	if (multimodal) result.multimodal = true;
+	return result;
+}
+//#endregion
+//#region src/openai/translate/responses.ts
+/**
+* Resolve a `previous_response_id` into the prior-turns prefix that
+* gets prepended to the new request. Throws when the id is supplied but
+* unknown — silently dropping it would corrupt conversation continuity.
+*/
+async function resolvePreviousResponseId(prevId, store) {
+	if (!prevId) return { priorTurns: [] };
+	const turns = await store.getPriorTurns(prevId);
+	if (turns === null) throw new Error(`Unknown previous_response_id: ${prevId}`);
+	return { priorTurns: turns };
+}
+function emptyUsage() {
+	return {
+		input_tokens: 0,
+		output_tokens: 0,
+		total_tokens: 0,
+		input_tokens_details: { cached_tokens: 0 },
+		output_tokens_details: { reasoning_tokens: 0 }
+	};
+}
+function readUsageFromEvent(event) {
+	const u = event.usage ?? event;
+	const input = Number(u.input_tokens ?? u.prompt_tokens ?? u.inputTokens ?? 0);
+	const output = Number(u.output_tokens ?? u.completion_tokens ?? u.outputTokens ?? 0);
+	if (input === 0 && output === 0 && !("total_tokens" in u)) return null;
+	const total = Number(u.total_tokens ?? input + output);
+	const cached = Number(u.input_tokens_details?.cached_tokens ?? u.cached_tokens ?? 0);
+	const reasoning = Number(u.output_tokens_details?.reasoning_tokens ?? u.reasoning_tokens ?? 0);
+	return {
+		input_tokens: input,
+		output_tokens: output,
+		total_tokens: total,
+		input_tokens_details: { cached_tokens: cached },
+		output_tokens_details: { reasoning_tokens: reasoning }
+	};
+}
+function readToolInvocationFromRaw(event) {
+	if (event.type !== "raw") return null;
+	const data = event.data ?? event;
+	const inner = typeof data.type === "string" ? data.type : "";
+	const isComputerUse = inner === "computer-use" || inner === "computer_call" || typeof data.computerUse === "object" || typeof data.computer_use === "object";
+	if (!(inner === "tool-invocation" || inner === "tool_call" || typeof data.toolInvocation === "object" || typeof data.tool_invocation === "object") && !isComputerUse) return null;
+	const ti = data.toolInvocation ?? data.tool_invocation ?? data.computerUse ?? data.computer_use ?? data;
+	const id = typeof ti.toolCallId === "string" ? ti.toolCallId : typeof ti.tool_call_id === "string" ? ti.tool_call_id : typeof ti.id === "string" ? ti.id : typeof ti.callId === "string" ? ti.callId : "";
+	const name = isComputerUse ? "computer_use" : typeof ti.toolName === "string" ? ti.toolName : typeof ti.tool_name === "string" ? ti.tool_name : typeof ti.name === "string" ? ti.name : "";
+	const args = ti.args ?? ti.arguments ?? ti.input ?? {};
+	if (!id || !name) return null;
+	return {
+		id,
+		name,
+		arguments: typeof args === "string" ? args : JSON.stringify(args),
+		isComputerUse,
+		computerAction: isComputerUse ? ti.action ?? void 0 : void 0
+	};
+}
+function readReasoningFromPart(event) {
+	if (event.type !== "message.part.updated") return null;
+	const part = event.part ?? event;
+	if (part.type !== "reasoning" && part.type !== "thinking") return null;
+	if (typeof part.text === "string") return part.text;
+	if (typeof part.content === "string") return part.content;
+	return null;
+}
+/**
+* Aggregate a Tangle SSE event sequence into the Responses-API output[]
+* array plus a usage envelope. This is the non-streaming path: callers
+* collect every event, hand them all in, and get back a settled response
+* payload ready to return as JSON.
+*/
+function assembleResponseOutput(events) {
+	const accum = {
+		textPieces: [],
+		toolCalls: /* @__PURE__ */ new Map(),
+		toolCallOrder: [],
+		computerCalls: [],
+		reasoningPieces: [],
+		usage: emptyUsage(),
+		hasUsage: false
+	};
+	for (const event of events) switch (event.type) {
+		case "token": {
+			const delta = typeof event.delta === "string" && event.delta || typeof event.text === "string" && event.text || typeof event.token === "string" && event.token || "";
+			if (delta) accum.textPieces.push(delta);
+			break;
+		}
+		case "raw": {
+			const tool = readToolInvocationFromRaw(event);
+			if (!tool) break;
+			if (tool.isComputerUse) accum.computerCalls.push({
+				type: "computer_call",
+				id: `cc_${tool.id}`,
+				call_id: tool.id,
+				status: "completed",
+				pending_safety_checks: [],
+				...tool.computerAction ? { action: tool.computerAction } : {}
+			});
+			else {
+				if (!accum.toolCalls.has(tool.id)) accum.toolCallOrder.push(tool.id);
+				accum.toolCalls.set(tool.id, {
+					type: "function_call",
+					id: `fc_${tool.id}`,
+					call_id: tool.id,
+					name: tool.name,
+					arguments: tool.arguments,
+					status: "completed"
+				});
+			}
+			break;
+		}
+		case "message.part.updated": {
+			const reasoning = readReasoningFromPart(event);
+			if (reasoning) accum.reasoningPieces.push(reasoning);
+			break;
+		}
+		case "done": {
+			const usage = readUsageFromEvent(event);
+			if (usage) {
+				accum.usage = foldUsage(accum.usage, usage);
+				accum.hasUsage = true;
+			}
+			break;
+		}
+	}
+	const output = [];
+	if (accum.reasoningPieces.length > 0) {
+		const reasoning = {
+			type: "reasoning",
+			id: "rs_0",
+			summary: [],
+			content: accum.reasoningPieces.map((text) => ({
+				type: "reasoning_text",
+				text
+			})),
+			status: "completed"
+		};
+		output.push(reasoning);
+	}
+	if (accum.textPieces.length > 0) {
+		const message = {
+			type: "message",
+			id: "msg_0",
+			role: "assistant",
+			status: "completed",
+			content: [{
+				type: "output_text",
+				text: accum.textPieces.join(""),
+				annotations: []
+			}]
+		};
+		output.push(message);
+	}
+	for (const id of accum.toolCallOrder) {
+		const call = accum.toolCalls.get(id);
+		if (call) output.push(call);
+	}
+	for (const cc of accum.computerCalls) output.push(cc);
+	return {
+		output,
+		usage: accum.usage
+	};
+}
+function foldUsage(a, b) {
+	return {
+		input_tokens: a.input_tokens + b.input_tokens,
+		output_tokens: a.output_tokens + b.output_tokens,
+		total_tokens: a.total_tokens + b.total_tokens,
+		input_tokens_details: { cached_tokens: a.input_tokens_details.cached_tokens + b.input_tokens_details.cached_tokens },
+		output_tokens_details: { reasoning_tokens: a.output_tokens_details.reasoning_tokens + b.output_tokens_details.reasoning_tokens }
+	};
+}
+/**
+* Fold every usage frame in a Tangle event sequence into a single
+* ResponseUsage envelope. Multiple `done` events are tolerated (e.g.
+* during retries) by summing.
+*/
+function usageFromEvents(events) {
+	let total = emptyUsage();
+	for (const event of events) {
+		if (event.type !== "done") continue;
+		const u = readUsageFromEvent(event);
+		if (u) total = foldUsage(total, u);
+	}
+	return total;
+}
+const SUPPORTED_TOOL_TYPES = new Set([
+	"function",
+	"computer_use_preview",
+	"code_interpreter"
+]);
+const REJECTED_TOOL_TYPES = new Set([
+	"web_search",
+	"web_search_preview",
+	"file_search"
+]);
+var ResponsesValidationError = class extends Error {
+	type = "invalid_request_error";
+	code;
+	param;
+	constructor(message, code, param) {
+		super(message);
+		this.name = "ResponsesValidationError";
+		this.code = code;
+		this.param = param;
+	}
+};
+/**
+* Reject Responses requests that ask for tool types Tangle cannot
+* service. Function tools, the OpenAI computer-use preview tool, and
+* the code interpreter (every Tangle sandbox can run code) are
+* accepted; web_search and file_search are explicitly rejected with
+* the OpenAI error shape.
+*/
+function validateResponsesRequest(req) {
+	const tools = req.tools;
+	if (!tools || tools.length === 0) return;
+	for (let i = 0; i < tools.length; i++) {
+		const type = tools[i].type;
+		if (typeof type !== "string") throw new ResponsesValidationError(`tools[${i}] is missing a type discriminator`, "invalid_tool", `tools[${i}].type`);
+		if (REJECTED_TOOL_TYPES.has(type)) throw new ResponsesValidationError(`Tool type "${type}" is not supported by this endpoint`, "unsupported_tool", `tools[${i}].type`);
+		if (!SUPPORTED_TOOL_TYPES.has(type)) throw new ResponsesValidationError(`Tool type "${type}" is not recognized`, "unsupported_tool", `tools[${i}].type`);
+	}
+}
+/**
+* Build a settled `Response` shell from an aggregated output + usage.
+* Caller fills in the runtime-specific fields (id, model, created_at,
+* status, instructions, etc.) to avoid having to re-derive them inside
+* the translator.
+*/
+function buildResponseShell(args) {
+	const outputText = args.output.filter((item) => item.type === "message").flatMap((m) => m.content).filter((c) => c.type === "output_text").map((c) => c.text).join("");
+	return {
+		id: args.id,
+		object: "response",
+		created_at: args.createdAt,
+		output_text: outputText,
+		error: null,
+		incomplete_details: null,
+		instructions: args.instructions ?? null,
+		metadata: null,
+		model: args.model,
+		output: args.output,
+		parallel_tool_calls: false,
+		temperature: null,
+		tool_choice: "auto",
+		tools: [],
+		top_p: null,
+		status: "completed",
+		usage: args.usage,
+		previous_response_id: args.previousResponseId ?? null
+	};
+}
+//#endregion
+//#region src/openai/types.ts
+/**
+* Construct a fresh translator context. The factory is deliberately tiny
+* — call sites that need to override fields can do so via the partial.
+*/
+function createTranslatorContext(init) {
+	return {
+		chunkIndex: 0,
+		toolCallBuffer: /* @__PURE__ */ new Map(),
+		createdAt: Math.floor(Date.now() / 1e3),
+		...init
+	};
+}
+//#endregion
+export { EmbeddingValidationError, HookChain, InMemoryResponseStore, ResponsesValidationError, Run, actionRateLimitHook, assembleResponseOutput, auditLogHook, buildResponseShell, costCapHook, createTranslatorContext, destructiveActionGuardHook, egressPolicyHook, openaiMessagesToSandboxInput, outcomeToFinishReason, resolvePreviousResponseId, runEvents, sandboxEventToChatChunk, sandboxEventToCompletionChunk, sandboxEventToResponsesEvent, screenshotRedactionHook, usageFromEvents, validateEmbeddingRequest, validateResponsesRequest };