@tokenfactory/acc-runner 0.4.2-internal → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (18) hide show
  1. package/dist/git.d.ts +24 -0
  2. package/dist/git.d.ts.map +1 -1
  3. package/dist/git.js +76 -1
  4. package/dist/git.js.map +1 -1
  5. package/dist/runtime/expand-args.d.ts +28 -0
  6. package/dist/runtime/expand-args.d.ts.map +1 -0
  7. package/dist/runtime/expand-args.js +50 -0
  8. package/dist/runtime/expand-args.js.map +1 -0
  9. package/dist/secrets/inject.d.ts +70 -0
  10. package/dist/secrets/inject.d.ts.map +1 -0
  11. package/dist/secrets/inject.js +102 -0
  12. package/dist/secrets/inject.js.map +1 -0
  13. package/dist/types.d.ts +1 -1
  14. package/dist/types.js +1 -1
  15. package/dist/version-check.d.ts.map +1 -1
  16. package/dist/version-check.js +16 -0
  17. package/dist/version-check.js.map +1 -1
  18. package/package.json +1 -1
package/dist/git.d.ts CHANGED
@@ -7,5 +7,29 @@ export interface GitRunner {
7
7
  /** True when the working tree has no uncommitted changes. */
8
8
  isClean(repoPath: string): Promise<boolean>;
9
9
  }
10
+ export type PushErrorKind = "transient" | "terminal";
11
+ /**
12
+ * Classify a `git push` failure. Terminal = the operator has to fix
13
+ * something (credentials, permissions, branch protection). Transient =
14
+ * worth retrying (network drop, GitHub 5xx, TLS hiccup, RPC hangup).
15
+ *
16
+ * Heuristics walk stderr because git surfaces all of these as
17
+ * non-zero exits with explanatory text. We do not parse git's exit
18
+ * code — it's `1` for everything.
19
+ */
20
+ export declare function classifyPushError(err: unknown): PushErrorKind;
21
+ export interface PushRetryOptions {
22
+ attempts?: number;
23
+ /** Milliseconds between attempt N and N+1. Defaults to 1s/2s/4s. */
24
+ backoffMs?: readonly number[];
25
+ /** Test seam — overrides setTimeout. */
26
+ sleep?: (ms: number) => Promise<void>;
27
+ }
28
+ /**
29
+ * Run `pushFn` with up to N attempts and exponential backoff between
30
+ * attempts. Terminal errors short-circuit immediately so callers don't
31
+ * wait through three rejected pushes when the GitHub token expired.
32
+ */
33
+ export declare function pushWithRetry(pushFn: () => Promise<void>, options?: PushRetryOptions): Promise<void>;
10
34
  export declare const git: GitRunner;
11
35
  //# sourceMappingURL=git.d.ts.map
package/dist/git.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"git.d.ts","sourceRoot":"","sources":["../src/git.ts"],"names":[],"mappings":"AASA,eAAO,MAAM,kBAAkB,QAAsC,CAAC;AAEtE,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAEpE;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtD,6DAA6D;IAC7D,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC7C;AAMD,eAAO,MAAM,GAAG,EAAE,SAejB,CAAC"}
1
+ {"version":3,"file":"git.d.ts","sourceRoot":"","sources":["../src/git.ts"],"names":[],"mappings":"AAcA,eAAO,MAAM,kBAAkB,QAAsC,CAAC;AAEtE,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAEpE;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtD,6DAA6D;IAC7D,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC7C;AAMD,MAAM,MAAM,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;AAErD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,OAAO,GAAG,aAAa,CA0B7D;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oEAAoE;IACpE,SAAS,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9B,wCAAwC;IACxC,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACvC;AAQD;;;;GAIG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,EAC3B,OAAO,GAAE,gBAAqB,GAC7B,OAAO,CAAC,IAAI,CAAC,CAoBf;AAED,eAAO,MAAM,GAAG,EAAE,SAiBjB,CAAC"}
package/dist/git.js CHANGED
@@ -1,6 +1,11 @@
1
1
  /**
2
2
  * Thin git wrappers using execa. The CLI never edits the user's git
3
3
  * config — it relies on whatever credentials they already have set up.
4
+ *
5
+ * Push uses an exponential-backoff retry (v0.5.0+): three attempts with
6
+ * 1s/2s/4s sleeps in between. Transient failures (network, 5xx from
7
+ * GitHub, hangups) retry; terminal failures (auth, permission) fail
8
+ * fast so an operator can fix credentials without waiting 7s.
4
9
  */
5
10
  import { execa } from "execa";
6
11
  // Matches branches the runner should treat as ACC-owned, including the
@@ -13,6 +18,74 @@ export function isAccBranch(name) {
13
18
  async function run(repoPath, args) {
14
19
  return execa("git", args, { cwd: repoPath, env: process.env });
15
20
  }
21
+ /**
22
+ * Classify a `git push` failure. Terminal = the operator has to fix
23
+ * something (credentials, permissions, branch protection). Transient =
24
+ * worth retrying (network drop, GitHub 5xx, TLS hiccup, RPC hangup).
25
+ *
26
+ * Heuristics walk stderr because git surfaces all of these as
27
+ * non-zero exits with explanatory text. We do not parse git's exit
28
+ * code — it's `1` for everything.
29
+ */
30
+ export function classifyPushError(err) {
31
+ const e = err;
32
+ const stderr = typeof e?.stderr === "string" ? e.stderr : "";
33
+ const message = typeof e?.message === "string" ? e.message : "";
34
+ const haystack = `${stderr}\n${message}`.toLowerCase();
35
+ // Terminal — auth / permission / branch protection. No amount of
36
+ // retrying fixes any of these.
37
+ const terminalPatterns = [
38
+ "authentication failed",
39
+ "permission denied",
40
+ "remote: permission",
41
+ "could not read username",
42
+ "could not read password",
43
+ "403 forbidden",
44
+ "401 unauthorized",
45
+ "protected branch",
46
+ "gh auth login",
47
+ "support for password authentication was removed",
48
+ ];
49
+ if (terminalPatterns.some((p) => haystack.includes(p)))
50
+ return "terminal";
51
+ // Everything else (network errors, 5xx, RPC failures, generic hangups)
52
+ // is treated as transient so the retry loop gives the network a chance
53
+ // to recover.
54
+ return "transient";
55
+ }
56
+ const DEFAULT_BACKOFF_MS = [1_000, 2_000, 4_000];
57
+ function defaultSleep(ms) {
58
+ return new Promise((resolve) => setTimeout(resolve, ms));
59
+ }
60
+ /**
61
+ * Run `pushFn` with up to N attempts and exponential backoff between
62
+ * attempts. Terminal errors short-circuit immediately so callers don't
63
+ * wait through three rejected pushes when the GitHub token expired.
64
+ */
65
+ export async function pushWithRetry(pushFn, options = {}) {
66
+ const attempts = options.attempts ?? 3;
67
+ const backoff = options.backoffMs ?? DEFAULT_BACKOFF_MS;
68
+ const sleep = options.sleep ?? defaultSleep;
69
+ let lastError = null;
70
+ for (let attempt = 1; attempt <= attempts; attempt++) {
71
+ try {
72
+ await pushFn();
73
+ return;
74
+ }
75
+ catch (err) {
76
+ lastError = err;
77
+ const kind = classifyPushError(err);
78
+ if (kind === "terminal")
79
+ throw err;
80
+ if (attempt === attempts)
81
+ break;
82
+ const wait = backoff[attempt - 1] ?? backoff[backoff.length - 1] ?? 0;
83
+ if (wait > 0)
84
+ await sleep(wait);
85
+ }
86
+ }
87
+ throw lastError;
88
+ }
16
89
  export const git = {
17
90
  async fetch(repoPath) {
18
91
  await run(repoPath, ["fetch", "--prune", "--all"]);
@@ -22,7 +95,9 @@ export const git = {
22
95
  await run(repoPath, ["checkout", "-B", branch]);
23
96
  },
24
97
  async push(repoPath, branch) {
25
- await run(repoPath, ["push", "-u", "origin", branch]);
98
+ await pushWithRetry(async () => {
99
+ await run(repoPath, ["push", "-u", "origin", branch]);
100
+ });
26
101
  },
27
102
  async isClean(repoPath) {
28
103
  const { stdout } = await run(repoPath, ["status", "--porcelain"]);
package/dist/git.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"git.js","sourceRoot":"","sources":["../src/git.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,KAAK,EAA0B,MAAM,OAAO,CAAC;AAEtD,uEAAuE;AACvE,wEAAwE;AACxE,qEAAqE;AACrE,MAAM,CAAC,MAAM,kBAAkB,GAAG,mCAAmC,CAAC;AAEtE,MAAM,UAAU,WAAW,CAAC,IAA+B;IACzD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACnE,CAAC;AAUD,KAAK,UAAU,GAAG,CAAC,QAAgB,EAAE,IAAc;IACjD,OAAO,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,CAAC,MAAM,GAAG,GAAc;IAC5B,KAAK,CAAC,KAAK,CAAC,QAAQ;QAClB,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IACrD,CAAC;IACD,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM;QAC7B,qEAAqE;QACrE,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM;QACzB,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;IACxD,CAAC;IACD,KAAK,CAAC,OAAO,CAAC,QAAQ;QACpB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;QAClE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC;IACpC,CAAC;CACF,CAAC"}
1
+ {"version":3,"file":"git.js","sourceRoot":"","sources":["../src/git.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,KAAK,EAA2C,MAAM,OAAO,CAAC;AAEvE,uEAAuE;AACvE,wEAAwE;AACxE,qEAAqE;AACrE,MAAM,CAAC,MAAM,kBAAkB,GAAG,mCAAmC,CAAC;AAEtE,MAAM,UAAU,WAAW,CAAC,IAA+B;IACzD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACnE,CAAC;AAUD,KAAK,UAAU,GAAG,CAAC,QAAgB,EAAE,IAAc;IACjD,OAAO,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;AACjE,CAAC;AAID;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAY;IAC5C,MAAM,CAAC,GAAG,GAAoE,CAAC;IAC/E,MAAM,MAAM,GAAG,OAAO,CAAC,EAAE,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7D,MAAM,OAAO,GAAG,OAAO,CAAC,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IAChE,MAAM,QAAQ,GAAG,GAAG,MAAM,KAAK,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC;IAEvD,iEAAiE;IACjE,+BAA+B;IAC/B,MAAM,gBAAgB,GAAG;QACvB,uBAAuB;QACvB,mBAAmB;QACnB,oBAAoB;QACpB,yBAAyB;QACzB,yBAAyB;QACzB,eAAe;QACf,kBAAkB;QAClB,kBAAkB;QAClB,eAAe;QACf,iDAAiD;KAClD,CAAC;IACF,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAAE,OAAO,UAAU,CAAC;IAE1E,uEAAuE;IACvE,uEAAuE;IACvE,cAAc;IACd,OAAO,WAAW,CAAC;AACrB,CAAC;AAUD,MAAM,kBAAkB,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAU,CAAC;AAE1D,SAAS,YAAY,CAAC,EAAU;IAC9B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAA2B,EAC3B,UAA4B,EAAE;IAE9B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC;IACvC,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACxD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,YAAY,CAAC;IAE5C,IAAI,SAAS,GAAY,IAAI,CAAC;IAC9B,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,MAAM,EAAE,CAAC;YACf,OAAO;QACT,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,SAAS,GAAG,GAAG,CAAC;YAChB,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;YACpC,IAAI,IAAI,KAAK,UAAU;gBAAE,MAAM,GAAG,CAAC;YACnC,IAAI,OAAO,KAAK,QAAQ;gBAAE,MAAM;YAChC,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;YACtE,IAAI,IAAI,GAAG,CAAC;gBAAE,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IACD,MAAM,SAAkB,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,MAAM,GAAG,GAAc;IAC5B,KAAK,CAAC,KAAK,CAAC,QAAQ;QAClB,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IACrD,CAAC;IACD,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM;QAC7B,qEAAqE;QACrE,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM;QACzB,MAAM,aAAa,CAAC,KAAK,IAAI,EAAE;YAC7B,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;IACL,CAAC;IACD,KAAK,CAAC,OAAO,CAAC,QAAQ;QACpB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;QAClE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC;IACpC,CAAC;CACF,CAAC"}
package/dist/runtime/expand-args.d.ts ADDED
@@ -0,0 +1,28 @@
1
+ /**
2
+ * Walks an arbitrary JSON value tree, expanding `{{secret:NAME}}`
3
+ * placeholders in any string leaf. Returns a structurally-identical
4
+ * copy with secrets expanded. Never mutates the input.
5
+ *
6
+ * Side-effect: returns the deduplicated list of secret names consumed.
7
+ * The caller logs the NAMES to telemetry, NOT the plaintexts.
8
+ *
9
+ * Integration point: the MCP dispatcher (added in v0.6-B) calls this
10
+ * AFTER approval but BEFORE spawning the MCP server stdio. The
11
+ * expanded args go to stdio; the pre-expansion args (still containing
12
+ * literal `{{secret:…}}`) go to telemetry. There is a regression test
13
+ * in packages/acc-runner/tests/expand-args.test.ts that asserts the
14
+ * plaintext of a tripwire secret never appears in captured telemetry.
15
+ */
16
+ import { type SecretFetcher } from "../secrets/inject.js";
17
+ export interface ExpandArgsResult {
18
+ expanded: unknown;
19
+ consumedSecrets: string[];
20
+ }
21
+ /**
22
+ * @param args — the tool-call argument tree (any JSON-safe shape)
23
+ * @param agentId — used as the v0.7-B grant + audit subject
24
+ * @param fetcher — SecretFetcher; production uses makeHttpSecretFetcher
25
+ * @param toolName — forwarded to fetch_secret_for_runtime for audit
26
+ */
27
+ export declare function expandSecretsInArgs(args: unknown, agentId: string, fetcher: SecretFetcher, toolName?: string): Promise<ExpandArgsResult>;
28
+ //# sourceMappingURL=expand-args.d.ts.map
package/dist/runtime/expand-args.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"expand-args.d.ts","sourceRoot":"","sources":["../../src/runtime/expand-args.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAyB,KAAK,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAEjF,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,OAAO,EACb,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,aAAa,EACtB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,gBAAgB,CAAC,CA4B3B"}
package/dist/runtime/expand-args.js ADDED
@@ -0,0 +1,50 @@
1
+ /**
2
+ * Walks an arbitrary JSON value tree, expanding `{{secret:NAME}}`
3
+ * placeholders in any string leaf. Returns a structurally-identical
4
+ * copy with secrets expanded. Never mutates the input.
5
+ *
6
+ * Side-effect: returns the deduplicated list of secret names consumed.
7
+ * The caller logs the NAMES to telemetry, NOT the plaintexts.
8
+ *
9
+ * Integration point: the MCP dispatcher (added in v0.6-B) calls this
10
+ * AFTER approval but BEFORE spawning the MCP server stdio. The
11
+ * expanded args go to stdio; the pre-expansion args (still containing
12
+ * literal `{{secret:…}}`) go to telemetry. There is a regression test
13
+ * in packages/acc-runner/tests/expand-args.test.ts that asserts the
14
+ * plaintext of a tripwire secret never appears in captured telemetry.
15
+ */
16
+ import { expandSecretsInString } from "../secrets/inject.js";
17
+ /**
18
+ * @param args — the tool-call argument tree (any JSON-safe shape)
19
+ * @param agentId — used as the v0.7-B grant + audit subject
20
+ * @param fetcher — SecretFetcher; production uses makeHttpSecretFetcher
21
+ * @param toolName — forwarded to fetch_secret_for_runtime for audit
22
+ */
23
+ export async function expandSecretsInArgs(args, agentId, fetcher, toolName) {
24
+ const consumed = new Set();
25
+ const visit = async (v) => {
26
+ if (typeof v === "string") {
27
+ const { expanded, consumedSecrets } = await expandSecretsInString(v, agentId, fetcher, toolName);
28
+ consumedSecrets.forEach((n) => consumed.add(n));
29
+ return expanded;
30
+ }
31
+ if (Array.isArray(v)) {
32
+ const out = [];
33
+ for (const item of v) {
34
+ out.push(await visit(item));
35
+ }
36
+ return out;
37
+ }
38
+ if (v && typeof v === "object") {
39
+ const out = {};
40
+ for (const k of Object.keys(v)) {
41
+ out[k] = await visit(v[k]);
42
+ }
43
+ return out;
44
+ }
45
+ return v;
46
+ };
47
+ const expanded = await visit(args);
48
+ return { expanded, consumedSecrets: [...consumed] };
49
+ }
50
+ //# sourceMappingURL=expand-args.js.map
package/dist/runtime/expand-args.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"expand-args.js","sourceRoot":"","sources":["../../src/runtime/expand-args.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,qBAAqB,EAAsB,MAAM,sBAAsB,CAAC;AAOjF;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAAa,EACb,OAAe,EACf,OAAsB,EACtB,QAAiB;IAEjB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IAEnC,MAAM,KAAK,GAAG,KAAK,EAAE,CAAU,EAAoB,EAAE;QACnD,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,GAAG,MAAM,qBAAqB,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACjG,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAChD,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;YACrB,MAAM,GAAG,GAAc,EAAE,CAAC;YAC1B,KAAK,MAAM,IAAI,IAAI,CAAC,EAAE,CAAC;gBACrB,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;YAC9B,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QACD,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC/B,MAAM,GAAG,GAA4B,EAAE,CAAC;YACxC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAA4B,CAAC,EAAE,CAAC;gBAC1D,GAAG,CAAC,CAAC,CAAC,GAAG,MAAM,KAAK,CAAE,CAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;IACnC,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,CAAC,GAAG,QAAQ,CAAC,EAAE,CAAC;AACtD,CAAC"}
package/dist/secrets/inject.d.ts ADDED
@@ -0,0 +1,70 @@
1
+ /**
2
+ * Runner-side `{{secret:NAME}}` placeholder expander.
3
+ *
4
+ * The runner never holds the service-role key (which would let it pull
5
+ * arbitrary plaintext from the vault). Instead, name→id resolution and
6
+ * decryption run server-side behind the user's JWT, and the runner POSTs
7
+ * to /api/runner/expand-secret for each unique name encountered in a
8
+ * tool-call argument tree.
9
+ *
10
+ * The plaintext flow is:
11
+ *
12
+ * 1. Runner extracts `{{secret:NAME}}` placeholders from the args.
13
+ * 2. For each unique NAME, runner POSTs `/api/runner/expand-secret`
14
+ * with `{ name, agent_id, tool_name }`. The endpoint uses
15
+ * `getAdminClient()` to call acc.resolve_secret_id_by_name (v0.7-D)
16
+ * then acc.fetch_secret_for_runtime (v0.7-B, frozen).
17
+ * 3. Plaintext is held in memory ONLY for the duration of the tool
18
+ * call. We never log it, never serialize it, never copy it to the
19
+ * DB. The pre-expansion args (still containing the literal
20
+ * `{{secret:…}}`) are what gets logged to telemetry.
21
+ * 4. Caller hands the expanded result to MCP stdio.
22
+ *
23
+ * Telemetry tripwire test: a fake secret named `TRIPWIRE_VALUE` with
24
+ * plaintext `tripwire-do-not-log-me` must NOT appear in any captured
25
+ * telemetry row. See packages/acc-runner/tests/expand-args.test.ts.
26
+ *
27
+ * Deviations from planning/v0.7-D-chat-encryption-and-visibility.md:
28
+ * - The planning doc imagined `import { supabaseAdmin } from '../db'`
29
+ * — a service-role client at the runner. That doesn't exist (and
30
+ * shouldn't; the runner is end-user-deployed). The /api/runner/
31
+ * expand-secret endpoint is the actual seam.
32
+ * - The planning doc's single fetch_secret_for_runtime call is split
33
+ * into resolve_secret_id_by_name → fetch_secret_for_runtime because
34
+ * v0.7-B's frozen contract takes a uuid, not a name.
35
+ */
36
+ export declare const SECRET_PATTERN: RegExp;
37
+ /**
38
+ * Fetcher signature. Production wires this to an HTTP call against
39
+ * /api/runner/expand-secret; tests pass a stub.
40
+ *
41
+ * MUST throw on any failure (missing secret, locked vault, denied
42
+ * grant, rate-limit). MUST NOT include any secret-derived data in the
43
+ * error message.
44
+ */
45
+ export type SecretFetcher = (name: string, agentId: string, toolName?: string) => Promise<string>;
46
+ export interface ExpandResult {
47
+ expanded: string;
48
+ consumedSecrets: string[];
49
+ }
50
+ /**
51
+ * Expand `{{secret:NAME}}` placeholders in a single string. Returns the
52
+ * expanded string plus the list of secret names consumed (for telemetry
53
+ * of NAMES, never plaintexts). Throws if any required secret is
54
+ * unavailable — partial expansion is never returned (atomic).
55
+ */
56
+ export declare function expandSecretsInString(raw: string, agentId: string, fetcher: SecretFetcher, toolName?: string): Promise<ExpandResult>;
57
+ /**
58
+ * Build an HTTP-backed SecretFetcher pointing at the deployed
59
+ * /api/runner/expand-secret endpoint. The runner wires this at startup
60
+ * once it has its user JWT and config.
61
+ *
62
+ * The endpoint MUST NOT echo the plaintext into any error path; this
63
+ * helper trusts that contract.
64
+ */
65
+ export declare function makeHttpSecretFetcher(opts: {
66
+ publicUrl: string;
67
+ jwt: string;
68
+ fetchImpl?: typeof fetch;
69
+ }): SecretFetcher;
70
+ //# sourceMappingURL=inject.d.ts.map
package/dist/secrets/inject.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"inject.d.ts","sourceRoot":"","sources":["../../src/secrets/inject.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,eAAO,MAAM,cAAc,QAAsC,CAAC;AAElE;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;AAElG,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,aAAa,EACtB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,CAAC,CA4BvB;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CAC1B,GAAG,aAAa,CAwBhB"}
package/dist/secrets/inject.js ADDED
@@ -0,0 +1,102 @@
1
+ /**
2
+ * Runner-side `{{secret:NAME}}` placeholder expander.
3
+ *
4
+ * The runner never holds the service-role key (which would let it pull
5
+ * arbitrary plaintext from the vault). Instead, name→id resolution and
6
+ * decryption run server-side behind the user's JWT, and the runner POSTs
7
+ * to /api/runner/expand-secret for each unique name encountered in a
8
+ * tool-call argument tree.
9
+ *
10
+ * The plaintext flow is:
11
+ *
12
+ * 1. Runner extracts `{{secret:NAME}}` placeholders from the args.
13
+ * 2. For each unique NAME, runner POSTs `/api/runner/expand-secret`
14
+ * with `{ name, agent_id, tool_name }`. The endpoint uses
15
+ * `getAdminClient()` to call acc.resolve_secret_id_by_name (v0.7-D)
16
+ * then acc.fetch_secret_for_runtime (v0.7-B, frozen).
17
+ * 3. Plaintext is held in memory ONLY for the duration of the tool
18
+ * call. We never log it, never serialize it, never copy it to the
19
+ * DB. The pre-expansion args (still containing the literal
20
+ * `{{secret:…}}`) are what gets logged to telemetry.
21
+ * 4. Caller hands the expanded result to MCP stdio.
22
+ *
23
+ * Telemetry tripwire test: a fake secret named `TRIPWIRE_VALUE` with
24
+ * plaintext `tripwire-do-not-log-me` must NOT appear in any captured
25
+ * telemetry row. See packages/acc-runner/tests/expand-args.test.ts.
26
+ *
27
+ * Deviations from planning/v0.7-D-chat-encryption-and-visibility.md:
28
+ * - The planning doc imagined `import { supabaseAdmin } from '../db'`
29
+ * — a service-role client at the runner. That doesn't exist (and
30
+ * shouldn't; the runner is end-user-deployed). The /api/runner/
31
+ * expand-secret endpoint is the actual seam.
32
+ * - The planning doc's single fetch_secret_for_runtime call is split
33
+ * into resolve_secret_id_by_name → fetch_secret_for_runtime because
34
+ * v0.7-B's frozen contract takes a uuid, not a name.
35
+ */
36
+ export const SECRET_PATTERN = /\{\{secret:([A-Z][A-Z0-9_]*)\}\}/g;
37
+ /**
38
+ * Expand `{{secret:NAME}}` placeholders in a single string. Returns the
39
+ * expanded string plus the list of secret names consumed (for telemetry
40
+ * of NAMES, never plaintexts). Throws if any required secret is
41
+ * unavailable — partial expansion is never returned (atomic).
42
+ */
43
+ export async function expandSecretsInString(raw, agentId, fetcher, toolName) {
44
+ const matches = [...raw.matchAll(SECRET_PATTERN)];
45
+ if (matches.length === 0) {
46
+ return { expanded: raw, consumedSecrets: [] };
47
+ }
48
+ const names = [...new Set(matches.map((m) => m[1]))];
49
+ const plaintexts = new Map();
50
+ for (const name of names) {
51
+ try {
52
+ const plaintext = await fetcher(name, agentId, toolName);
53
+ plaintexts.set(name, plaintext);
54
+ }
55
+ catch (err) {
56
+ const message = err instanceof Error ? err.message : String(err);
57
+ throw new Error(`secret_unavailable: ${name}: ${message}`);
58
+ }
59
+ }
60
+ const expanded = raw.replace(SECRET_PATTERN, (_match, name) => {
61
+ const value = plaintexts.get(name);
62
+ if (value === undefined) {
63
+ throw new Error(`secret_unavailable: ${name}: missing after fetch`);
64
+ }
65
+ return value;
66
+ });
67
+ return { expanded, consumedSecrets: names };
68
+ }
69
+ /**
70
+ * Build an HTTP-backed SecretFetcher pointing at the deployed
71
+ * /api/runner/expand-secret endpoint. The runner wires this at startup
72
+ * once it has its user JWT and config.
73
+ *
74
+ * The endpoint MUST NOT echo the plaintext into any error path; this
75
+ * helper trusts that contract.
76
+ */
77
+ export function makeHttpSecretFetcher(opts) {
78
+ const f = opts.fetchImpl ?? fetch;
79
+ const endpoint = `${opts.publicUrl.replace(/\/$/, "")}/api/runner/expand-secret`;
80
+ return async (name, agentId, toolName) => {
81
+ const res = await f(endpoint, {
82
+ method: "POST",
83
+ headers: {
84
+ Authorization: `Bearer ${opts.jwt}`,
85
+ "Content-Type": "application/json",
86
+ },
87
+ body: JSON.stringify({ name, agent_id: agentId, tool_name: toolName ?? null }),
88
+ });
89
+ if (!res.ok) {
90
+ // Read body for the error reason, but the endpoint contract is
91
+ // that the body NEVER contains plaintext.
92
+ const text = await res.text().catch(() => "");
93
+ throw new Error(`expand-secret HTTP ${res.status}: ${text || res.statusText}`);
94
+ }
95
+ const data = (await res.json());
96
+ if (typeof data.plaintext !== "string") {
97
+ throw new Error("expand-secret response missing plaintext");
98
+ }
99
+ return data.plaintext;
100
+ };
101
+ }
102
+ //# sourceMappingURL=inject.js.map
package/dist/secrets/inject.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"inject.js","sourceRoot":"","sources":["../../src/secrets/inject.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,MAAM,CAAC,MAAM,cAAc,GAAG,mCAAmC,CAAC;AAiBlE;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,GAAW,EACX,OAAe,EACf,OAAsB,EACtB,QAAiB;IAEjB,MAAM,OAAO,GAAG,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC;IAClD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;IAChD,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE7C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACzD,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAClC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,MAAM,EAAE,IAAY,EAAE,EAAE;QACpE,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,uBAAuB,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;AAC9C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAIrC;IACC,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAClC,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,2BAA2B,CAAC;IACjF,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE;QACvC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,QAAQ,EAAE;YAC5B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,GAAG,EAAE;gBACnC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,IAAI,IAAI,EAAE,CAAC;SAC/E,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,+DAA+D;YAC/D,0CAA0C;YAC1C,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,sBAAsB,GAAG,CAAC,MAAM,KAAK,IAAI,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;QACjF,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA4B,CAAC;QAC3D,IAAI,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC,CAAC;AACJ,CAAC"}
package/dist/types.d.ts CHANGED
@@ -5,7 +5,7 @@
5
5
  * shape rather than importing it cross-workspace. v0.3 will dedupe via a
6
6
  * shared workspace package once the runner is published.
7
7
  */
8
- export declare const PROTOCOL_VERSION: "0.1.0";
8
+ export declare const PROTOCOL_VERSION: "0.5.0";
9
9
  export declare const RUNNER_KEYCHAIN_SERVICE: "acc-runner";
10
10
  export interface DeviceCodeResponse {
11
11
  device_code: string;
package/dist/types.js CHANGED
@@ -5,6 +5,6 @@
5
5
  * shape rather than importing it cross-workspace. v0.3 will dedupe via a
6
6
  * shared workspace package once the runner is published.
7
7
  */
8
- export const PROTOCOL_VERSION = "0.1.0";
8
+ export const PROTOCOL_VERSION = "0.5.0";
9
9
  export const RUNNER_KEYCHAIN_SERVICE = "acc-runner";
10
10
  //# sourceMappingURL=types.js.map
package/dist/version-check.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"version-check.d.ts","sourceRoot":"","sources":["../src/version-check.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,KAAK,CAAC;IACV,MAAM,EAAE,UAAU,GAAG,aAAa,CAAC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,kBAAkB,GAAG,cAAc,GAAG,gBAAgB,CAAC;AAEnE,iBAAS,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAUnD;AAED,wBAAsB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAuBjF;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}
1
+ {"version":3,"file":"version-check.d.ts","sourceRoot":"","sources":["../src/version-check.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,KAAK,CAAC;IACV,MAAM,EAAE,UAAU,GAAG,aAAa,CAAC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,kBAAkB,GAAG,cAAc,GAAG,gBAAgB,CAAC;AAEnE,iBAAS,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAUnD;AAED,wBAAsB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAoCjF;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}
package/dist/version-check.js CHANGED
@@ -22,6 +22,22 @@ export async function checkVersion(publicUrl) {
22
22
  catch (err) {
23
23
  return { ok: false, reason: "unreachable", detail: err.message };
24
24
  }
25
+ // 426 Upgrade Required = server-side gate rejection (v0.5.0+).
26
+ // The body still carries min/current so we can surface them in the
27
+ // upgrade hint.
28
+ if (res.status === 426) {
29
+ let body = {};
30
+ try {
31
+ body = (await res.json());
32
+ }
33
+ catch { /* ignore */ }
34
+ return {
35
+ ok: false,
36
+ reason: "outdated",
37
+ serverMin: body.min_version,
38
+ serverCurrent: body.current_version,
39
+ };
40
+ }
25
41
  if (!res.ok) {
26
42
  return { ok: false, reason: "unreachable", detail: `HTTP ${res.status}` };
27
43
  }
package/dist/version-check.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"version-check.js","sourceRoot":"","sources":["../src/version-check.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAkB9C,SAAS,aAAa,CAAC,CAAS,EAAE,CAAS;IACzC,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChC,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB;IAClD,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,yBAAyB,CAAC;IACtE,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YACrB,OAAO,EAAE,EAAE,YAAY,EAAE,cAAc,gBAAgB,EAAE,EAAE;SAC5D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IAC9E,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;IAC5E,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;IACtD,IAAI,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,UAAU;YAClB,SAAS,EAAE,IAAI,CAAC,WAAW;YAC3B,aAAa,EAAE,IAAI,CAAC,eAAe;SACpC,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,aAAa,EAAE,IAAI,CAAC,eAAe,EAAE,CAAC;AACxF,CAAC;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}
1
+ {"version":3,"file":"version-check.js","sourceRoot":"","sources":["../src/version-check.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAkB9C,SAAS,aAAa,CAAC,CAAS,EAAE,CAAS;IACzC,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChC,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB;IAClD,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,yBAAyB,CAAC;IACtE,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YACrB,OAAO,EAAE,EAAE,YAAY,EAAE,cAAc,gBAAgB,EAAE,EAAE;SAC5D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IAC9E,CAAC;IACD,+DAA+D;IAC/D,mEAAmE;IACnE,gBAAgB;IAChB,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACvB,IAAI,IAAI,GAAgC,EAAE,CAAC;QAC3C,IAAI,CAAC;YAAC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAgC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QACxF,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,UAAU;YAClB,SAAS,EAAE,IAAI,CAAC,WAAW;YAC3B,aAAa,EAAE,IAAI,CAAC,eAAe;SACpC,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;IAC5E,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;IACtD,IAAI,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,UAAU;YAClB,SAAS,EAAE,IAAI,CAAC,WAAW;YAC3B,aAAa,EAAE,IAAI,CAAC,eAAe;SACpC,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,aAAa,EAAE,IAAI,CAAC,eAAe,EAAE,CAAC;AACxF,CAAC;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@tokenfactory/acc-runner",
3
- "version": "0.4.2-internal",
3
+ "version": "0.5.0",
4
4
  "description": "Agent Control Center local runner. Spawns Claude Code sessions assigned via ACC.",
5
5
  "license": "UNLICENSED",
6
6
  "private": false,