@tokenfactory/acc-runner 0.4.1-internal → 0.5.0

package/dist/git.d.ts

@@ -7,5 +7,29 @@ export interface GitRunner {
     /** True when the working tree has no uncommitted changes. */
     isClean(repoPath: string): Promise<boolean>;
 }
+export type PushErrorKind = "transient" | "terminal";
+/**
+ * Classify a `git push` failure. Terminal = the operator has to fix
+ * something (credentials, permissions, branch protection). Transient =
+ * worth retrying (network drop, GitHub 5xx, TLS hiccup, RPC hangup).
+ *
+ * Heuristics walk stderr because git surfaces all of these as
+ * non-zero exits with explanatory text. We do not parse git's exit
+ * code — it's `1` for everything.
+ */
+export declare function classifyPushError(err: unknown): PushErrorKind;
+export interface PushRetryOptions {
+    attempts?: number;
+    /** Milliseconds between attempt N and N+1. Defaults to 1s/2s/4s. */
+    backoffMs?: readonly number[];
+    /** Test seam — overrides setTimeout. */
+    sleep?: (ms: number) => Promise<void>;
+}
+/**
+ * Run `pushFn` with up to N attempts and exponential backoff between
+ * attempts. Terminal errors short-circuit immediately so callers don't
+ * wait through three rejected pushes when the GitHub token expired.
+ */
+export declare function pushWithRetry(pushFn: () => Promise<void>, options?: PushRetryOptions): Promise<void>;
 export declare const git: GitRunner;
 //# sourceMappingURL=git.d.ts.map

package/dist/git.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"git.d.ts","sourceRoot":"","sources":["../src/git.ts"],"names":[],"mappings":"AASA,eAAO,MAAM,kBAAkB,QAAsC,CAAC;AAEtE,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAEpE;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtD,6DAA6D;IAC7D,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC7C;AAMD,eAAO,MAAM,GAAG,EAAE,SAejB,CAAC"}
+{"version":3,"file":"git.d.ts","sourceRoot":"","sources":["../src/git.ts"],"names":[],"mappings":"AAcA,eAAO,MAAM,kBAAkB,QAAsC,CAAC;AAEtE,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAEpE;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtD,6DAA6D;IAC7D,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC7C;AAMD,MAAM,MAAM,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;AAErD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,OAAO,GAAG,aAAa,CA0B7D;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oEAAoE;IACpE,SAAS,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9B,wCAAwC;IACxC,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACvC;AAQD;;;;GAIG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,EAC3B,OAAO,GAAE,gBAAqB,GAC7B,OAAO,CAAC,IAAI,CAAC,CAoBf;AAED,eAAO,MAAM,GAAG,EAAE,SAiBjB,CAAC"}

package/dist/git.js

@@ -1,6 +1,11 @@
 /**
  * Thin git wrappers using execa. The CLI never edits the user's git
  * config — it relies on whatever credentials they already have set up.
+ *
+ * Push uses an exponential-backoff retry (v0.5.0+): three attempts with
+ * 1s/2s/4s sleeps in between. Transient failures (network, 5xx from
+ * GitHub, hangups) retry; terminal failures (auth, permission) fail
+ * fast so an operator can fix credentials without waiting 7s.
  */
 import { execa } from "execa";
 // Matches branches the runner should treat as ACC-owned, including the
@@ -13,6 +18,74 @@ export function isAccBranch(name) {
 async function run(repoPath, args) {
     return execa("git", args, { cwd: repoPath, env: process.env });
 }
+/**
+ * Classify a `git push` failure. Terminal = the operator has to fix
+ * something (credentials, permissions, branch protection). Transient =
+ * worth retrying (network drop, GitHub 5xx, TLS hiccup, RPC hangup).
+ *
+ * Heuristics walk stderr because git surfaces all of these as
+ * non-zero exits with explanatory text. We do not parse git's exit
+ * code — it's `1` for everything.
+ */
+export function classifyPushError(err) {
+    const e = err;
+    const stderr = typeof e?.stderr === "string" ? e.stderr : "";
+    const message = typeof e?.message === "string" ? e.message : "";
+    const haystack = `${stderr}\n${message}`.toLowerCase();
+    // Terminal — auth / permission / branch protection. No amount of
+    // retrying fixes any of these.
+    const terminalPatterns = [
+        "authentication failed",
+        "permission denied",
+        "remote: permission",
+        "could not read username",
+        "could not read password",
+        "403 forbidden",
+        "401 unauthorized",
+        "protected branch",
+        "gh auth login",
+        "support for password authentication was removed",
+    ];
+    if (terminalPatterns.some((p) => haystack.includes(p)))
+        return "terminal";
+    // Everything else (network errors, 5xx, RPC failures, generic hangups)
+    // is treated as transient so the retry loop gives the network a chance
+    // to recover.
+    return "transient";
+}
+const DEFAULT_BACKOFF_MS = [1_000, 2_000, 4_000];
+function defaultSleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+ * Run `pushFn` with up to N attempts and exponential backoff between
+ * attempts. Terminal errors short-circuit immediately so callers don't
+ * wait through three rejected pushes when the GitHub token expired.
+ */
+export async function pushWithRetry(pushFn, options = {}) {
+    const attempts = options.attempts ?? 3;
+    const backoff = options.backoffMs ?? DEFAULT_BACKOFF_MS;
+    const sleep = options.sleep ?? defaultSleep;
+    let lastError = null;
+    for (let attempt = 1; attempt <= attempts; attempt++) {
+        try {
+            await pushFn();
+            return;
+        }
+        catch (err) {
+            lastError = err;
+            const kind = classifyPushError(err);
+            if (kind === "terminal")
+                throw err;
+            if (attempt === attempts)
+                break;
+            const wait = backoff[attempt - 1] ?? backoff[backoff.length - 1] ?? 0;
+            if (wait > 0)
+                await sleep(wait);
+        }
+    }
+    throw lastError;
+}
 export const git = {
     async fetch(repoPath) {
         await run(repoPath, ["fetch", "--prune", "--all"]);
@@ -22,7 +95,9 @@ export const git = {
         await run(repoPath, ["checkout", "-B", branch]);
     },
     async push(repoPath, branch) {
-        await run(repoPath, ["push", "-u", "origin", branch]);
+        await pushWithRetry(async () => {
+            await run(repoPath, ["push", "-u", "origin", branch]);
+        });
     },
     async isClean(repoPath) {
         const { stdout } = await run(repoPath, ["status", "--porcelain"]);

package/dist/git.js.map

@@ -1 +1 @@
-{"version":3,"file":"git.js","sourceRoot":"","sources":["../src/git.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,KAAK,EAA0B,MAAM,OAAO,CAAC;AAEtD,uEAAuE;AACvE,wEAAwE;AACxE,qEAAqE;AACrE,MAAM,CAAC,MAAM,kBAAkB,GAAG,mCAAmC,CAAC;AAEtE,MAAM,UAAU,WAAW,CAAC,IAA+B;IACzD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACnE,CAAC;AAUD,KAAK,UAAU,GAAG,CAAC,QAAgB,EAAE,IAAc;IACjD,OAAO,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,CAAC,MAAM,GAAG,GAAc;IAC5B,KAAK,CAAC,KAAK,CAAC,QAAQ;QAClB,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IACrD,CAAC;IACD,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM;QAC7B,qEAAqE;QACrE,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM;QACzB,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;IACxD,CAAC;IACD,KAAK,CAAC,OAAO,CAAC,QAAQ;QACpB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;QAClE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC;IACpC,CAAC;CACF,CAAC"}
+{"version":3,"file":"git.js","sourceRoot":"","sources":["../src/git.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,KAAK,EAA2C,MAAM,OAAO,CAAC;AAEvE,uEAAuE;AACvE,wEAAwE;AACxE,qEAAqE;AACrE,MAAM,CAAC,MAAM,kBAAkB,GAAG,mCAAmC,CAAC;AAEtE,MAAM,UAAU,WAAW,CAAC,IAA+B;IACzD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACnE,CAAC;AAUD,KAAK,UAAU,GAAG,CAAC,QAAgB,EAAE,IAAc;IACjD,OAAO,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;AACjE,CAAC;AAID;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAY;IAC5C,MAAM,CAAC,GAAG,GAAoE,CAAC;IAC/E,MAAM,MAAM,GAAG,OAAO,CAAC,EAAE,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7D,MAAM,OAAO,GAAG,OAAO,CAAC,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IAChE,MAAM,QAAQ,GAAG,GAAG,MAAM,KAAK,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC;IAEvD,iEAAiE;IACjE,+BAA+B;IAC/B,MAAM,gBAAgB,GAAG;QACvB,uBAAuB;QACvB,mBAAmB;QACnB,oBAAoB;QACpB,yBAAyB;QACzB,yBAAyB;QACzB,eAAe;QACf,kBAAkB;QAClB,kBAAkB;QAClB,eAAe;QACf,iDAAiD;KAClD,CAAC;IACF,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAAE,OAAO,UAAU,CAAC;IAE1E,uEAAuE;IACvE,uEAAuE;IACvE,cAAc;IACd,OAAO,WAAW,CAAC;AACrB,CAAC;AAUD,MAAM,kBAAkB,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAU,CAAC;AAE1D,SAAS,YAAY,CAAC,EAAU;IAC9B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAA2B,EAC3B,UAA4B,EAAE;IAE9B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC;IACvC,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACxD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,YAAY,CAAC;IAE5C,IAAI,SAAS,GAAY,IAAI,CAAC;IAC9B,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,MAAM,EAAE,CAAC;YACf,OAAO;QACT,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,SAAS,GAAG,GAAG,CAAC;YAChB,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;YACpC,IAAI,IAAI,KAAK,UAAU;gBAAE,MAAM,GAAG,CAAC;YACnC,IAAI,OAAO,KAAK,QAAQ;gBAAE,MAAM;YAChC,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;YACtE,IAAI,IAAI,GAAG,CAAC;gBAAE,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IACD,MAAM,SAAkB,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,MAAM,GAAG,GAAc;IAC5B,KAAK,CAAC,KAAK,CAAC,QAAQ;QAClB,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IACrD,CAAC;IACD,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM;QAC7B,qEAAqE;QACrE,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM;QACzB,MAAM,aAAa,CAAC,KAAK,IAAI,EAAE;YAC7B,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;IACL,CAAC;IACD,KAAK,CAAC,OAAO,CAAC,QAAQ;QACpB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;QAClE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC;IACpC,CAAC;CACF,CAAC"}

package/dist/mcp-spawn.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-spawn.d.ts","sourceRoot":"","sources":["../src/mcp-spawn.ts"],"names":[],"mappings":"AAmBA,eAAO,MAAM,WAAW,QAAQ,CAAC;AAKjC,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,gBAAgB;IAC/B,6EAA6E;IAC7E,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAMD;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAUtE;AAwED,MAAM,WAAW,kBAAkB;IACjC,0EAA0E;IAC1E,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAClD;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,eAAe,EACrB,IAAI,GAAE,kBAAuB,GAC5B,OAAO,CAAC,gBAAgB,CAAC,CA4B3B"}
+{"version":3,"file":"mcp-spawn.d.ts","sourceRoot":"","sources":["../src/mcp-spawn.ts"],"names":[],"mappings":"AAmBA,eAAO,MAAM,WAAW,QAAQ,CAAC;AAKjC,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,gBAAgB;IAC/B,6EAA6E;IAC7E,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAMD;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAUtE;AA+ED,MAAM,WAAW,kBAAkB;IACjC,0EAA0E;IAC1E,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAClD;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,eAAe,EACrB,IAAI,GAAE,kBAAuB,GAC5B,OAAO,CAAC,gBAAgB,CAAC,CA4B3B"}

package/dist/mcp-spawn.js

@@ -51,6 +51,13 @@ function buildEnvBlock(opts) {
         // acc-mcp-server build.
         ACC_MCP_ACCESS_TOKEN: opts.accessToken,
         ACC_PUBLIC_URL: opts.publicUrl,
+        // Task + runner IDs are CLI-passed today (cli > env > default at
+        // the MCP server side) but we also surface them in the env block
+        // so any future env-only consumer reads the same coordinates we
+        // already record in argv. Cheap, forward-compatible, no behavior
+        // change in v0.4.x.
+        ACC_TASK_ID: opts.taskId,
+        ACC_RUNNER_ID: opts.runnerId,
     };
 }
 async function buildEntry(opts, which) {

package/dist/mcp-spawn.js.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-spawn.js","sourceRoot":"","sources":["../src/mcp-spawn.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;AAE9B,MAAM,CAAC,MAAM,WAAW,GAAG,KAAK,CAAC;AACjC,MAAM,mBAAmB,GAAG,WAAW,CAAC;AACxC,MAAM,eAAe,GAAG,8BAA8B,CAAC;AACvD,MAAM,WAAW,GAAG,gBAAgB,CAAC;AAqBrC;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAY;IAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3D,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACvC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,IAAqB;IAC1C,OAAO;QACL,YAAY,EAAE,IAAI,CAAC,WAAW;QAC9B,iBAAiB,EAAE,IAAI,CAAC,eAAe;QACvC,gEAAgE;QAChE,gEAAgE;QAChE,wBAAwB;QACxB,oBAAoB,EAAE,IAAI,CAAC,WAAW;QACtC,cAAc,EAAE,IAAI,CAAC,SAAS;KAC/B,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,IAAqB,EACrB,KAA+C;IAE/C,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAC;IAC3C,IAAI,SAAS,EAAE,CAAC;QACd,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,IAAI,EAAE;gBACJ,WAAW;gBACX,IAAI,CAAC,MAAM;gBACX,aAAa;gBACb,IAAI,CAAC,QAAQ;gBACb,gBAAgB;gBAChB,IAAI,CAAC,WAAW;gBAChB,cAAc;gBACd,IAAI,CAAC,SAAS;aACf;YACD,GAAG,EAAE,aAAa,CAAC,IAAI,CAAC;SACzB,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACJ,IAAI;YACJ,eAAe;YACf,WAAW;YACX,IAAI,CAAC,MAAM;YACX,aAAa;YACb,IAAI,CAAC,QAAQ;YACb,gBAAgB;YAChB,IAAI,CAAC,WAAW;YAChB,cAAc;YACd,IAAI,CAAC,SAAS;SACf;QACD,GAAG,EAAE,aAAa,CAAC,IAAI,CAAC;KACzB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,QAAgB;IAC1C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAmB,CAAC;YAClD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;YACjE,kEAAkE;YAClE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QAChC,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QACtC,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAOD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAqB,EACrB,OAA2B,EAAE;IAE7B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC;IAC1D,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,WAAW,CAAC;IAExC,uEAAuE;IACvE,6DAA6D;IAC7D,MAAM,MAAM,GAAmB,QAAQ,CAAC,MAAM,IAAI,EAAE,CAAC;IACrD,MAAM,OAAO,GAA4B,EAAE,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;IAC1E,OAAO,CAAC,WAAW,CAAC,GAAG,MAAM,UAAU,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACrD,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC;IAC5B,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEtF,OAAO;QACL,KAAK,CAAC,OAAO;YACX,IAAI,QAAQ,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;gBAC3B,4CAA4C;gBAC5C,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;oBACnC,kBAAkB;gBACpB,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,+DAA+D;YAC/D,gEAAgE;YAChE,8BAA8B;YAC9B,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/D,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"mcp-spawn.js","sourceRoot":"","sources":["../src/mcp-spawn.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;AAE9B,MAAM,CAAC,MAAM,WAAW,GAAG,KAAK,CAAC;AACjC,MAAM,mBAAmB,GAAG,WAAW,CAAC;AACxC,MAAM,eAAe,GAAG,8BAA8B,CAAC;AACvD,MAAM,WAAW,GAAG,gBAAgB,CAAC;AAqBrC;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAY;IAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3D,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACvC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,IAAqB;IAC1C,OAAO;QACL,YAAY,EAAE,IAAI,CAAC,WAAW;QAC9B,iBAAiB,EAAE,IAAI,CAAC,eAAe;QACvC,gEAAgE;QAChE,gEAAgE;QAChE,wBAAwB;QACxB,oBAAoB,EAAE,IAAI,CAAC,WAAW;QACtC,cAAc,EAAE,IAAI,CAAC,SAAS;QAC9B,iEAAiE;QACjE,iEAAiE;QACjE,gEAAgE;QAChE,iEAAiE;QACjE,oBAAoB;QACpB,WAAW,EAAE,IAAI,CAAC,MAAM;QACxB,aAAa,EAAE,IAAI,CAAC,QAAQ;KAC7B,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,IAAqB,EACrB,KAA+C;IAE/C,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAC;IAC3C,IAAI,SAAS,EAAE,CAAC;QACd,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,IAAI,EAAE;gBACJ,WAAW;gBACX,IAAI,CAAC,MAAM;gBACX,aAAa;gBACb,IAAI,CAAC,QAAQ;gBACb,gBAAgB;gBAChB,IAAI,CAAC,WAAW;gBAChB,cAAc;gBACd,IAAI,CAAC,SAAS;aACf;YACD,GAAG,EAAE,aAAa,CAAC,IAAI,CAAC;SACzB,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACJ,IAAI;YACJ,eAAe;YACf,WAAW;YACX,IAAI,CAAC,MAAM;YACX,aAAa;YACb,IAAI,CAAC,QAAQ;YACb,gBAAgB;YAChB,IAAI,CAAC,WAAW;YAChB,cAAc;YACd,IAAI,CAAC,SAAS;SACf;QACD,GAAG,EAAE,aAAa,CAAC,IAAI,CAAC;KACzB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,QAAgB;IAC1C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAmB,CAAC;YAClD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;YACjE,kEAAkE;YAClE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QAChC,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QACtC,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAOD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAqB,EACrB,OAA2B,EAAE;IAE7B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC;IAC1D,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,WAAW,CAAC;IAExC,uEAAuE;IACvE,6DAA6D;IAC7D,MAAM,MAAM,GAAmB,QAAQ,CAAC,MAAM,IAAI,EAAE,CAAC;IACrD,MAAM,OAAO,GAA4B,EAAE,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;IAC1E,OAAO,CAAC,WAAW,CAAC,GAAG,MAAM,UAAU,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACrD,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC;IAC5B,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEtF,OAAO;QACL,KAAK,CAAC,OAAO;YACX,IAAI,QAAQ,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;gBAC3B,4CAA4C;gBAC5C,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;oBACnC,kBAAkB;gBACpB,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,+DAA+D;YAC/D,gEAAgE;YAChE,8BAA8B;YAC9B,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/D,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/runtime/expand-args.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Walks an arbitrary JSON value tree, expanding `{{secret:NAME}}`
+ * placeholders in any string leaf. Returns a structurally-identical
+ * copy with secrets expanded. Never mutates the input.
+ *
+ * Side-effect: returns the deduplicated list of secret names consumed.
+ * The caller logs the NAMES to telemetry, NOT the plaintexts.
+ *
+ * Integration point: the MCP dispatcher (added in v0.6-B) calls this
+ * AFTER approval but BEFORE spawning the MCP server stdio. The
+ * expanded args go to stdio; the pre-expansion args (still containing
+ * literal `{{secret:…}}`) go to telemetry. There is a regression test
+ * in packages/acc-runner/tests/expand-args.test.ts that asserts the
+ * plaintext of a tripwire secret never appears in captured telemetry.
+ */
+import { type SecretFetcher } from "../secrets/inject.js";
+export interface ExpandArgsResult {
+    expanded: unknown;
+    consumedSecrets: string[];
+}
+/**
+ * @param args      — the tool-call argument tree (any JSON-safe shape)
+ * @param agentId   — used as the v0.7-B grant + audit subject
+ * @param fetcher   — SecretFetcher; production uses makeHttpSecretFetcher
+ * @param toolName  — forwarded to fetch_secret_for_runtime for audit
+ */
+export declare function expandSecretsInArgs(args: unknown, agentId: string, fetcher: SecretFetcher, toolName?: string): Promise<ExpandArgsResult>;
+//# sourceMappingURL=expand-args.d.ts.map

package/dist/runtime/expand-args.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"expand-args.d.ts","sourceRoot":"","sources":["../../src/runtime/expand-args.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAyB,KAAK,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAEjF,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,OAAO,EACb,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,aAAa,EACtB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,gBAAgB,CAAC,CA4B3B"}

package/dist/runtime/expand-args.js

@@ -0,0 +1,50 @@
+/**
+ * Walks an arbitrary JSON value tree, expanding `{{secret:NAME}}`
+ * placeholders in any string leaf. Returns a structurally-identical
+ * copy with secrets expanded. Never mutates the input.
+ *
+ * Side-effect: returns the deduplicated list of secret names consumed.
+ * The caller logs the NAMES to telemetry, NOT the plaintexts.
+ *
+ * Integration point: the MCP dispatcher (added in v0.6-B) calls this
+ * AFTER approval but BEFORE spawning the MCP server stdio. The
+ * expanded args go to stdio; the pre-expansion args (still containing
+ * literal `{{secret:…}}`) go to telemetry. There is a regression test
+ * in packages/acc-runner/tests/expand-args.test.ts that asserts the
+ * plaintext of a tripwire secret never appears in captured telemetry.
+ */
+import { expandSecretsInString } from "../secrets/inject.js";
+/**
+ * @param args      — the tool-call argument tree (any JSON-safe shape)
+ * @param agentId   — used as the v0.7-B grant + audit subject
+ * @param fetcher   — SecretFetcher; production uses makeHttpSecretFetcher
+ * @param toolName  — forwarded to fetch_secret_for_runtime for audit
+ */
+export async function expandSecretsInArgs(args, agentId, fetcher, toolName) {
+    const consumed = new Set();
+    const visit = async (v) => {
+        if (typeof v === "string") {
+            const { expanded, consumedSecrets } = await expandSecretsInString(v, agentId, fetcher, toolName);
+            consumedSecrets.forEach((n) => consumed.add(n));
+            return expanded;
+        }
+        if (Array.isArray(v)) {
+            const out = [];
+            for (const item of v) {
+                out.push(await visit(item));
+            }
+            return out;
+        }
+        if (v && typeof v === "object") {
+            const out = {};
+            for (const k of Object.keys(v)) {
+                out[k] = await visit(v[k]);
+            }
+            return out;
+        }
+        return v;
+    };
+    const expanded = await visit(args);
+    return { expanded, consumedSecrets: [...consumed] };
+}
+//# sourceMappingURL=expand-args.js.map

package/dist/runtime/expand-args.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"expand-args.js","sourceRoot":"","sources":["../../src/runtime/expand-args.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,qBAAqB,EAAsB,MAAM,sBAAsB,CAAC;AAOjF;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAAa,EACb,OAAe,EACf,OAAsB,EACtB,QAAiB;IAEjB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IAEnC,MAAM,KAAK,GAAG,KAAK,EAAE,CAAU,EAAoB,EAAE;QACnD,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,GAAG,MAAM,qBAAqB,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACjG,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAChD,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;YACrB,MAAM,GAAG,GAAc,EAAE,CAAC;YAC1B,KAAK,MAAM,IAAI,IAAI,CAAC,EAAE,CAAC;gBACrB,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;YAC9B,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QACD,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC/B,MAAM,GAAG,GAA4B,EAAE,CAAC;YACxC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAA4B,CAAC,EAAE,CAAC;gBAC1D,GAAG,CAAC,CAAC,CAAC,GAAG,MAAM,KAAK,CAAE,CAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;IACnC,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,CAAC,GAAG,QAAQ,CAAC,EAAE,CAAC;AACtD,CAAC"}

package/dist/secrets/inject.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Runner-side `{{secret:NAME}}` placeholder expander.
+ *
+ * The runner never holds the service-role key (which would let it pull
+ * arbitrary plaintext from the vault). Instead, name→id resolution and
+ * decryption run server-side behind the user's JWT, and the runner POSTs
+ * to /api/runner/expand-secret for each unique name encountered in a
+ * tool-call argument tree.
+ *
+ * The plaintext flow is:
+ *
+ *   1. Runner extracts `{{secret:NAME}}` placeholders from the args.
+ *   2. For each unique NAME, runner POSTs `/api/runner/expand-secret`
+ *      with `{ name, agent_id, tool_name }`. The endpoint uses
+ *      `getAdminClient()` to call acc.resolve_secret_id_by_name (v0.7-D)
+ *      then acc.fetch_secret_for_runtime (v0.7-B, frozen).
+ *   3. Plaintext is held in memory ONLY for the duration of the tool
+ *      call. We never log it, never serialize it, never copy it to the
+ *      DB. The pre-expansion args (still containing the literal
+ *      `{{secret:…}}`) are what gets logged to telemetry.
+ *   4. Caller hands the expanded result to MCP stdio.
+ *
+ * Telemetry tripwire test: a fake secret named `TRIPWIRE_VALUE` with
+ * plaintext `tripwire-do-not-log-me` must NOT appear in any captured
+ * telemetry row. See packages/acc-runner/tests/expand-args.test.ts.
+ *
+ * Deviations from planning/v0.7-D-chat-encryption-and-visibility.md:
+ *   - The planning doc imagined `import { supabaseAdmin } from '../db'`
+ *     — a service-role client at the runner. That doesn't exist (and
+ *     shouldn't; the runner is end-user-deployed). The /api/runner/
+ *     expand-secret endpoint is the actual seam.
+ *   - The planning doc's single fetch_secret_for_runtime call is split
+ *     into resolve_secret_id_by_name → fetch_secret_for_runtime because
+ *     v0.7-B's frozen contract takes a uuid, not a name.
+ */
+export declare const SECRET_PATTERN: RegExp;
+/**
+ * Fetcher signature. Production wires this to an HTTP call against
+ * /api/runner/expand-secret; tests pass a stub.
+ *
+ * MUST throw on any failure (missing secret, locked vault, denied
+ * grant, rate-limit). MUST NOT include any secret-derived data in the
+ * error message.
+ */
+export type SecretFetcher = (name: string, agentId: string, toolName?: string) => Promise<string>;
+export interface ExpandResult {
+    expanded: string;
+    consumedSecrets: string[];
+}
+/**
+ * Expand `{{secret:NAME}}` placeholders in a single string. Returns the
+ * expanded string plus the list of secret names consumed (for telemetry
+ * of NAMES, never plaintexts). Throws if any required secret is
+ * unavailable — partial expansion is never returned (atomic).
+ */
+export declare function expandSecretsInString(raw: string, agentId: string, fetcher: SecretFetcher, toolName?: string): Promise<ExpandResult>;
+/**
+ * Build an HTTP-backed SecretFetcher pointing at the deployed
+ * /api/runner/expand-secret endpoint. The runner wires this at startup
+ * once it has its user JWT and config.
+ *
+ * The endpoint MUST NOT echo the plaintext into any error path; this
+ * helper trusts that contract.
+ */
+export declare function makeHttpSecretFetcher(opts: {
+    publicUrl: string;
+    jwt: string;
+    fetchImpl?: typeof fetch;
+}): SecretFetcher;
+//# sourceMappingURL=inject.d.ts.map

package/dist/secrets/inject.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"inject.d.ts","sourceRoot":"","sources":["../../src/secrets/inject.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,eAAO,MAAM,cAAc,QAAsC,CAAC;AAElE;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;AAElG,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,aAAa,EACtB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,CAAC,CA4BvB;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CAC1B,GAAG,aAAa,CAwBhB"}

package/dist/secrets/inject.js

@@ -0,0 +1,102 @@
+/**
+ * Runner-side `{{secret:NAME}}` placeholder expander.
+ *
+ * The runner never holds the service-role key (which would let it pull
+ * arbitrary plaintext from the vault). Instead, name→id resolution and
+ * decryption run server-side behind the user's JWT, and the runner POSTs
+ * to /api/runner/expand-secret for each unique name encountered in a
+ * tool-call argument tree.
+ *
+ * The plaintext flow is:
+ *
+ *   1. Runner extracts `{{secret:NAME}}` placeholders from the args.
+ *   2. For each unique NAME, runner POSTs `/api/runner/expand-secret`
+ *      with `{ name, agent_id, tool_name }`. The endpoint uses
+ *      `getAdminClient()` to call acc.resolve_secret_id_by_name (v0.7-D)
+ *      then acc.fetch_secret_for_runtime (v0.7-B, frozen).
+ *   3. Plaintext is held in memory ONLY for the duration of the tool
+ *      call. We never log it, never serialize it, never copy it to the
+ *      DB. The pre-expansion args (still containing the literal
+ *      `{{secret:…}}`) are what gets logged to telemetry.
+ *   4. Caller hands the expanded result to MCP stdio.
+ *
+ * Telemetry tripwire test: a fake secret named `TRIPWIRE_VALUE` with
+ * plaintext `tripwire-do-not-log-me` must NOT appear in any captured
+ * telemetry row. See packages/acc-runner/tests/expand-args.test.ts.
+ *
+ * Deviations from planning/v0.7-D-chat-encryption-and-visibility.md:
+ *   - The planning doc imagined `import { supabaseAdmin } from '../db'`
+ *     — a service-role client at the runner. That doesn't exist (and
+ *     shouldn't; the runner is end-user-deployed). The /api/runner/
+ *     expand-secret endpoint is the actual seam.
+ *   - The planning doc's single fetch_secret_for_runtime call is split
+ *     into resolve_secret_id_by_name → fetch_secret_for_runtime because
+ *     v0.7-B's frozen contract takes a uuid, not a name.
+ */
+export const SECRET_PATTERN = /\{\{secret:([A-Z][A-Z0-9_]*)\}\}/g;
+/**
+ * Expand `{{secret:NAME}}` placeholders in a single string. Returns the
+ * expanded string plus the list of secret names consumed (for telemetry
+ * of NAMES, never plaintexts). Throws if any required secret is
+ * unavailable — partial expansion is never returned (atomic).
+ */
+export async function expandSecretsInString(raw, agentId, fetcher, toolName) {
+    const matches = [...raw.matchAll(SECRET_PATTERN)];
+    if (matches.length === 0) {
+        return { expanded: raw, consumedSecrets: [] };
+    }
+    const names = [...new Set(matches.map((m) => m[1]))];
+    const plaintexts = new Map();
+    for (const name of names) {
+        try {
+            const plaintext = await fetcher(name, agentId, toolName);
+            plaintexts.set(name, plaintext);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            throw new Error(`secret_unavailable: ${name}: ${message}`);
+        }
+    }
+    const expanded = raw.replace(SECRET_PATTERN, (_match, name) => {
+        const value = plaintexts.get(name);
+        if (value === undefined) {
+            throw new Error(`secret_unavailable: ${name}: missing after fetch`);
+        }
+        return value;
+    });
+    return { expanded, consumedSecrets: names };
+}
+/**
+ * Build an HTTP-backed SecretFetcher pointing at the deployed
+ * /api/runner/expand-secret endpoint. The runner wires this at startup
+ * once it has its user JWT and config.
+ *
+ * The endpoint MUST NOT echo the plaintext into any error path; this
+ * helper trusts that contract.
+ */
+export function makeHttpSecretFetcher(opts) {
+    const f = opts.fetchImpl ?? fetch;
+    const endpoint = `${opts.publicUrl.replace(/\/$/, "")}/api/runner/expand-secret`;
+    return async (name, agentId, toolName) => {
+        const res = await f(endpoint, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${opts.jwt}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ name, agent_id: agentId, tool_name: toolName ?? null }),
+        });
+        if (!res.ok) {
+            // Read body for the error reason, but the endpoint contract is
+            // that the body NEVER contains plaintext.
+            const text = await res.text().catch(() => "");
+            throw new Error(`expand-secret HTTP ${res.status}: ${text || res.statusText}`);
+        }
+        const data = (await res.json());
+        if (typeof data.plaintext !== "string") {
+            throw new Error("expand-secret response missing plaintext");
+        }
+        return data.plaintext;
+    };
+}
+//# sourceMappingURL=inject.js.map

package/dist/secrets/inject.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inject.js","sourceRoot":"","sources":["../../src/secrets/inject.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,MAAM,CAAC,MAAM,cAAc,GAAG,mCAAmC,CAAC;AAiBlE;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,GAAW,EACX,OAAe,EACf,OAAsB,EACtB,QAAiB;IAEjB,MAAM,OAAO,GAAG,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC;IAClD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;IAChD,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE7C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACzD,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAClC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,MAAM,EAAE,IAAY,EAAE,EAAE;QACpE,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,uBAAuB,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;AAC9C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAIrC;IACC,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAClC,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,2BAA2B,CAAC;IACjF,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE;QACvC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,QAAQ,EAAE;YAC5B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,GAAG,EAAE;gBACnC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,IAAI,IAAI,EAAE,CAAC;SAC/E,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,+DAA+D;YAC/D,0CAA0C;YAC1C,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,sBAAsB,GAAG,CAAC,MAAM,KAAK,IAAI,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;QACjF,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA4B,CAAC;QAC3D,IAAI,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -5,7 +5,7 @@
  * shape rather than importing it cross-workspace. v0.3 will dedupe via a
  * shared workspace package once the runner is published.
  */
-export declare const PROTOCOL_VERSION: "0.1.0";
+export declare const PROTOCOL_VERSION: "0.5.0";
 export declare const RUNNER_KEYCHAIN_SERVICE: "acc-runner";
 export interface DeviceCodeResponse {
     device_code: string;

package/dist/types.js

@@ -5,6 +5,6 @@
  * shape rather than importing it cross-workspace. v0.3 will dedupe via a
  * shared workspace package once the runner is published.
  */
-export const PROTOCOL_VERSION = "0.1.0";
+export const PROTOCOL_VERSION = "0.5.0";
 export const RUNNER_KEYCHAIN_SERVICE = "acc-runner";
 //# sourceMappingURL=types.js.map

package/dist/version-check.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"version-check.d.ts","sourceRoot":"","sources":["../src/version-check.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,KAAK,CAAC;IACV,MAAM,EAAE,UAAU,GAAG,aAAa,CAAC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,kBAAkB,GAAG,cAAc,GAAG,gBAAgB,CAAC;AAEnE,iBAAS,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAUnD;AAED,wBAAsB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAuBjF;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}
+{"version":3,"file":"version-check.d.ts","sourceRoot":"","sources":["../src/version-check.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,KAAK,CAAC;IACV,MAAM,EAAE,UAAU,GAAG,aAAa,CAAC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,kBAAkB,GAAG,cAAc,GAAG,gBAAgB,CAAC;AAEnE,iBAAS,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAUnD;AAED,wBAAsB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAoCjF;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}

package/dist/version-check.js

@@ -22,6 +22,22 @@ export async function checkVersion(publicUrl) {
     catch (err) {
         return { ok: false, reason: "unreachable", detail: err.message };
     }
+    // 426 Upgrade Required = server-side gate rejection (v0.5.0+).
+    // The body still carries min/current so we can surface them in the
+    // upgrade hint.
+    if (res.status === 426) {
+        let body = {};
+        try {
+            body = (await res.json());
+        }
+        catch { /* ignore */ }
+        return {
+            ok: false,
+            reason: "outdated",
+            serverMin: body.min_version,
+            serverCurrent: body.current_version,
+        };
+    }
     if (!res.ok) {
         return { ok: false, reason: "unreachable", detail: `HTTP ${res.status}` };
     }

package/dist/version-check.js.map

@@ -1 +1 @@
-{"version":3,"file":"version-check.js","sourceRoot":"","sources":["../src/version-check.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAkB9C,SAAS,aAAa,CAAC,CAAS,EAAE,CAAS;IACzC,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChC,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB;IAClD,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,yBAAyB,CAAC;IACtE,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YACrB,OAAO,EAAE,EAAE,YAAY,EAAE,cAAc,gBAAgB,EAAE,EAAE;SAC5D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IAC9E,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;IAC5E,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;IACtD,IAAI,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,UAAU;YAClB,SAAS,EAAE,IAAI,CAAC,WAAW;YAC3B,aAAa,EAAE,IAAI,CAAC,eAAe;SACpC,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,aAAa,EAAE,IAAI,CAAC,eAAe,EAAE,CAAC;AACxF,CAAC;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}
+{"version":3,"file":"version-check.js","sourceRoot":"","sources":["../src/version-check.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAkB9C,SAAS,aAAa,CAAC,CAAS,EAAE,CAAS;IACzC,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChC,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB;IAClD,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,yBAAyB,CAAC;IACtE,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YACrB,OAAO,EAAE,EAAE,YAAY,EAAE,cAAc,gBAAgB,EAAE,EAAE;SAC5D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IAC9E,CAAC;IACD,+DAA+D;IAC/D,mEAAmE;IACnE,gBAAgB;IAChB,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACvB,IAAI,IAAI,GAAgC,EAAE,CAAC;QAC3C,IAAI,CAAC;YAAC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAgC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QACxF,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,UAAU;YAClB,SAAS,EAAE,IAAI,CAAC,WAAW;YAC3B,aAAa,EAAE,IAAI,CAAC,eAAe;SACpC,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;IAC5E,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;IACtD,IAAI,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,UAAU;YAClB,SAAS,EAAE,IAAI,CAAC,WAAW;YAC3B,aAAa,EAAE,IAAI,CAAC,eAAe;SACpC,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,aAAa,EAAE,IAAI,CAAC,eAAe,EAAE,CAAC;AACxF,CAAC;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tokenfactory/acc-runner",
-  "version": "0.4.1-internal",
+  "version": "0.5.0",
   "description": "Agent Control Center local runner. Spawns Claude Code sessions assigned via ACC.",
   "license": "UNLICENSED",
   "private": false,