npm - @viewportai/daemon - Versions diffs - 0.20.1 → 0.22.0 - Mend

@viewportai/daemon 0.20.1 → 0.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (312) hide show

package/README.md +34 -0
package/dist/adapters/claude.d.ts +7 -1
package/dist/adapters/claude.d.ts.map +1 -1
package/dist/adapters/claude.js +71 -0
package/dist/adapters/claude.js.map +1 -1
package/dist/adapters/codex-event-normalizers.d.ts.map +1 -1
package/dist/adapters/codex-event-normalizers.js +55 -2
package/dist/adapters/codex-event-normalizers.js.map +1 -1
package/dist/adapters/codex.d.ts +2 -1
package/dist/adapters/codex.d.ts.map +1 -1
package/dist/adapters/codex.js +35 -0
package/dist/adapters/codex.js.map +1 -1
package/dist/adapters/gemini-cli.d.ts +2 -1
package/dist/adapters/gemini-cli.d.ts.map +1 -1
package/dist/adapters/gemini-cli.js +24 -0
package/dist/adapters/gemini-cli.js.map +1 -1
package/dist/adapters/pty.d.ts +2 -1
package/dist/adapters/pty.d.ts.map +1 -1
package/dist/adapters/pty.js +26 -1
package/dist/adapters/pty.js.map +1 -1
package/dist/cli/args.d.ts.map +1 -1
package/dist/cli/args.js +7 -3
package/dist/cli/args.js.map +1 -1
package/dist/cli/commands.d.ts +3 -0
package/dist/cli/commands.d.ts.map +1 -1
package/dist/cli/commands.js +3 -0
package/dist/cli/commands.js.map +1 -1
package/dist/cli/context-command.js +2 -0
package/dist/cli/context-command.js.map +1 -1
package/dist/cli/context-sync-target.d.ts +2 -0
package/dist/cli/context-sync-target.d.ts.map +1 -1
package/dist/cli/context-sync-target.js +4 -0
package/dist/cli/context-sync-target.js.map +1 -1
package/dist/cli/daemon-client.d.ts +1 -0
package/dist/cli/daemon-client.d.ts.map +1 -1
package/dist/cli/daemon-client.js +13 -1
package/dist/cli/daemon-client.js.map +1 -1
package/dist/cli/global-flags.d.ts.map +1 -1
package/dist/cli/global-flags.js +3 -2
package/dist/cli/global-flags.js.map +1 -1
package/dist/cli/hook-command.d.ts +7 -0
package/dist/cli/hook-command.d.ts.map +1 -1
package/dist/cli/hook-command.js +35 -20
package/dist/cli/hook-command.js.map +1 -1
package/dist/cli/install-command.d.ts +5 -1
package/dist/cli/install-command.d.ts.map +1 -1
package/dist/cli/install-command.js +37 -28
package/dist/cli/install-command.js.map +1 -1
package/dist/cli/lifecycle-commands.d.ts.map +1 -1
package/dist/cli/lifecycle-commands.js +5 -2
package/dist/cli/lifecycle-commands.js.map +1 -1
package/dist/cli/lifecycle-pair-command.d.ts.map +1 -1
package/dist/cli/lifecycle-pair-command.js +51 -6
package/dist/cli/lifecycle-pair-command.js.map +1 -1
package/dist/cli/lifecycle-pair-server.d.ts +2 -0
package/dist/cli/lifecycle-pair-server.d.ts.map +1 -1
package/dist/cli/lifecycle-pair-server.js.map +1 -1
package/dist/cli/lifecycle-status-command.d.ts.map +1 -1
package/dist/cli/lifecycle-status-command.js +43 -0
package/dist/cli/lifecycle-status-command.js.map +1 -1
package/dist/cli/setup-command.d.ts.map +1 -1
package/dist/cli/setup-command.js +8 -8
package/dist/cli/setup-command.js.map +1 -1
package/dist/cli/team-resource-command.d.ts +2 -0
package/dist/cli/team-resource-command.d.ts.map +1 -0
package/dist/cli/team-resource-command.js +364 -0
package/dist/cli/team-resource-command.js.map +1 -0
package/dist/cli/watch-command.d.ts +3 -0
package/dist/cli/watch-command.d.ts.map +1 -0
package/dist/cli/watch-command.js +42 -0
package/dist/cli/watch-command.js.map +1 -0
package/dist/cli/worker-command.d.ts +3 -0
package/dist/cli/worker-command.d.ts.map +1 -0
package/dist/cli/worker-command.js +132 -0
package/dist/cli/worker-command.js.map +1 -0
package/dist/cli/worker-profile.d.ts +65 -0
package/dist/cli/worker-profile.d.ts.map +1 -0
package/dist/cli/worker-profile.js +228 -0
package/dist/cli/worker-profile.js.map +1 -0
package/dist/cli/worker-runtime.d.ts +19 -0
package/dist/cli/worker-runtime.d.ts.map +1 -0
package/dist/cli/worker-runtime.js +606 -0
package/dist/cli/worker-runtime.js.map +1 -0
package/dist/cli/workflow-managed-worker-format.d.ts +4 -3
package/dist/cli/workflow-managed-worker-format.d.ts.map +1 -1
package/dist/cli/workflow-managed-worker-format.js +71 -10
package/dist/cli/workflow-managed-worker-format.js.map +1 -1
package/dist/cli/workflow-managed-worker-types.d.ts +17 -0
package/dist/cli/workflow-managed-worker-types.d.ts.map +1 -1
package/dist/cli/workflow-managed-worker.d.ts.map +1 -1
package/dist/cli/workflow-managed-worker.js +568 -39
package/dist/cli/workflow-managed-worker.js.map +1 -1
package/dist/config-resolution/provider-defaults.d.ts.map +1 -1
package/dist/config-resolution/provider-defaults.js +4 -0
package/dist/config-resolution/provider-defaults.js.map +1 -1
package/dist/config-resolution/schema.d.ts +2 -0
package/dist/config-resolution/schema.d.ts.map +1 -1
package/dist/config-resolution/schema.js +2 -0
package/dist/config-resolution/schema.js.map +1 -1
package/dist/config-resolution/types.d.ts +1 -1
package/dist/config-resolution/types.d.ts.map +1 -1
package/dist/context/local-edge-sync.d.ts +2 -0
package/dist/context/local-edge-sync.d.ts.map +1 -1
package/dist/context/local-edge-sync.js +2 -0
package/dist/context/local-edge-sync.js.map +1 -1
package/dist/context-providers/confluence-provider.d.ts +3 -0
package/dist/context-providers/confluence-provider.d.ts.map +1 -0
package/dist/context-providers/confluence-provider.js +170 -0
package/dist/context-providers/confluence-provider.js.map +1 -0
package/dist/context-providers/notion-provider.d.ts +3 -0
package/dist/context-providers/notion-provider.d.ts.map +1 -0
package/dist/context-providers/notion-provider.js +157 -0
package/dist/context-providers/notion-provider.js.map +1 -0
package/dist/context-providers/registry.d.ts.map +1 -1
package/dist/context-providers/registry.js +9 -1
package/dist/context-providers/registry.js.map +1 -1
package/dist/context-providers/types.d.ts +18 -0
package/dist/context-providers/types.d.ts.map +1 -1
package/dist/core/config-schema.d.ts +96 -3
package/dist/core/config-schema.d.ts.map +1 -1
package/dist/core/config-schema.js +53 -0
package/dist/core/config-schema.js.map +1 -1
package/dist/core/config.d.ts +88 -0
package/dist/core/config.d.ts.map +1 -1
package/dist/core/config.js +6 -0
package/dist/core/config.js.map +1 -1
package/dist/core/daemon.d.ts +5 -1
package/dist/core/daemon.d.ts.map +1 -1
package/dist/core/daemon.js +8 -0
package/dist/core/daemon.js.map +1 -1
package/dist/core/interfaces.d.ts +137 -1
package/dist/core/interfaces.d.ts.map +1 -1
package/dist/core/permission-coordinator.d.ts.map +1 -1
package/dist/core/permission-coordinator.js +4 -2
package/dist/core/permission-coordinator.js.map +1 -1
package/dist/core/session-manager.d.ts.map +1 -1
package/dist/core/session-manager.js +47 -20
package/dist/core/session-manager.js.map +1 -1
package/dist/core/types.d.ts +31 -0
package/dist/core/types.d.ts.map +1 -1
package/dist/core/types.js.map +1 -1
package/dist/discovery/watcher.d.ts.map +1 -1
package/dist/discovery/watcher.js +51 -8
package/dist/discovery/watcher.js.map +1 -1
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +12 -1
package/dist/index.js.map +1 -1
package/dist/plugins/loader.d.ts.map +1 -1
package/dist/plugins/loader.js +10 -1
package/dist/plugins/loader.js.map +1 -1
package/dist/security/child-env.d.ts +3 -0
package/dist/security/child-env.d.ts.map +1 -0
package/dist/security/child-env.js +44 -0
package/dist/security/child-env.js.map +1 -0
package/dist/server/http-request-schemas.d.ts +6 -0
package/dist/server/http-request-schemas.d.ts.map +1 -1
package/dist/server/http-request-schemas.js +15 -0
package/dist/server/http-request-schemas.js.map +1 -1
package/dist/server/http-server.d.ts.map +1 -1
package/dist/server/http-server.js +4 -2
package/dist/server/http-server.js.map +1 -1
package/dist/workflows/action-adapters.d.ts.map +1 -1
package/dist/workflows/action-adapters.js +42 -0
package/dist/workflows/action-adapters.js.map +1 -1
package/dist/workflows/action-provider-adapters.d.ts.map +1 -1
package/dist/workflows/action-provider-adapters.js +156 -13
package/dist/workflows/action-provider-adapters.js.map +1 -1
package/dist/workflows/action-provider-utils.d.ts +6 -0
package/dist/workflows/action-provider-utils.d.ts.map +1 -1
package/dist/workflows/action-provider-utils.js +21 -0
package/dist/workflows/action-provider-utils.js.map +1 -1
package/dist/workflows/approval-actor.d.ts +6 -0
package/dist/workflows/approval-actor.d.ts.map +1 -0
package/dist/workflows/approval-actor.js +27 -0
package/dist/workflows/approval-actor.js.map +1 -0
package/dist/workflows/approval-on-reject.js +1 -0
package/dist/workflows/approval-on-reject.js.map +1 -1
package/dist/workflows/checkout-node.d.ts +21 -0
package/dist/workflows/checkout-node.d.ts.map +1 -0
package/dist/workflows/checkout-node.js +181 -0
package/dist/workflows/checkout-node.js.map +1 -0
package/dist/workflows/context-node-resolver.d.ts +48 -1
package/dist/workflows/context-node-resolver.d.ts.map +1 -1
package/dist/workflows/context-node-resolver.js +405 -8
package/dist/workflows/context-node-resolver.js.map +1 -1
package/dist/workflows/context-update-targets.d.ts +12 -0
package/dist/workflows/context-update-targets.d.ts.map +1 -0
package/dist/workflows/context-update-targets.js +52 -0
package/dist/workflows/context-update-targets.js.map +1 -0
package/dist/workflows/daemon-session.d.ts +11 -0
package/dist/workflows/daemon-session.d.ts.map +1 -1
package/dist/workflows/daemon-session.js +168 -6
package/dist/workflows/daemon-session.js.map +1 -1
package/dist/workflows/event-types.d.ts +1 -1
package/dist/workflows/event-types.d.ts.map +1 -1
package/dist/workflows/expression.d.ts +4 -0
package/dist/workflows/expression.d.ts.map +1 -1
package/dist/workflows/expression.js +1 -1
package/dist/workflows/expression.js.map +1 -1
package/dist/workflows/git-publish-node.d.ts +23 -0
package/dist/workflows/git-publish-node.d.ts.map +1 -0
package/dist/workflows/git-publish-node.js +237 -0
package/dist/workflows/git-publish-node.js.map +1 -0
package/dist/workflows/inline-agent-types.d.ts +7 -0
package/dist/workflows/inline-agent-types.d.ts.map +1 -1
package/dist/workflows/inline-agents.d.ts +4 -1
package/dist/workflows/inline-agents.d.ts.map +1 -1
package/dist/workflows/inline-agents.js +24 -1
package/dist/workflows/inline-agents.js.map +1 -1
package/dist/workflows/loop-executor.js +1 -0
package/dist/workflows/loop-executor.js.map +1 -1
package/dist/workflows/node-executor.d.ts +7 -0
package/dist/workflows/node-executor.d.ts.map +1 -1
package/dist/workflows/node-executor.js +135 -7
package/dist/workflows/node-executor.js.map +1 -1
package/dist/workflows/node-registry.d.ts.map +1 -1
package/dist/workflows/node-registry.js +553 -4
package/dist/workflows/node-registry.js.map +1 -1
package/dist/workflows/parser.d.ts.map +1 -1
package/dist/workflows/parser.js +70 -5
package/dist/workflows/parser.js.map +1 -1
package/dist/workflows/platform-command-applier.d.ts.map +1 -1
package/dist/workflows/platform-command-applier.js +5 -14
package/dist/workflows/platform-command-applier.js.map +1 -1
package/dist/workflows/platform-context-client.d.ts +74 -0
package/dist/workflows/platform-context-client.d.ts.map +1 -0
package/dist/workflows/platform-context-client.js +228 -0
package/dist/workflows/platform-context-client.js.map +1 -0
package/dist/workflows/platform-sync-format.d.ts +1 -1
package/dist/workflows/platform-sync-format.d.ts.map +1 -1
package/dist/workflows/platform-sync-format.js +3 -1
package/dist/workflows/platform-sync-format.js.map +1 -1
package/dist/workflows/platform-sync-payload.d.ts +1 -0
package/dist/workflows/platform-sync-payload.d.ts.map +1 -1
package/dist/workflows/platform-sync-payload.js +160 -8
package/dist/workflows/platform-sync-payload.js.map +1 -1
package/dist/workflows/platform-sync.d.ts.map +1 -1
package/dist/workflows/platform-sync.js +10 -1
package/dist/workflows/platform-sync.js.map +1 -1
package/dist/workflows/plugin-loader.d.ts.map +1 -1
package/dist/workflows/plugin-loader.js +3 -0
package/dist/workflows/plugin-loader.js.map +1 -1
package/dist/workflows/preflight.d.ts.map +1 -1
package/dist/workflows/preflight.js +9 -1
package/dist/workflows/preflight.js.map +1 -1
package/dist/workflows/prompt-output.d.ts +6 -2
package/dist/workflows/prompt-output.d.ts.map +1 -1
package/dist/workflows/prompt-output.js +8 -2
package/dist/workflows/prompt-output.js.map +1 -1
package/dist/workflows/run-preparation.d.ts +24 -0
package/dist/workflows/run-preparation.d.ts.map +1 -0
package/dist/workflows/run-preparation.js +258 -0
package/dist/workflows/run-preparation.js.map +1 -0
package/dist/workflows/run-types.d.ts +11 -0
package/dist/workflows/run-types.d.ts.map +1 -1
package/dist/workflows/runner-scheduler.d.ts +2 -0
package/dist/workflows/runner-scheduler.d.ts.map +1 -1
package/dist/workflows/runner-scheduler.js +35 -4
package/dist/workflows/runner-scheduler.js.map +1 -1
package/dist/workflows/runner-shared.d.ts.map +1 -1
package/dist/workflows/runner-shared.js +9 -0
package/dist/workflows/runner-shared.js.map +1 -1
package/dist/workflows/runner.d.ts +2 -0
package/dist/workflows/runner.d.ts.map +1 -1
package/dist/workflows/runner.js +171 -6
package/dist/workflows/runner.js.map +1 -1
package/dist/workflows/runtime-helpers.d.ts +20 -1
package/dist/workflows/runtime-helpers.d.ts.map +1 -1
package/dist/workflows/runtime-helpers.js +98 -3
package/dist/workflows/runtime-helpers.js.map +1 -1
package/dist/workflows/session-output.d.ts +9 -0
package/dist/workflows/session-output.d.ts.map +1 -1
package/dist/workflows/session-output.js +156 -0
package/dist/workflows/session-output.js.map +1 -1
package/dist/workflows/session-policy.d.ts +30 -0
package/dist/workflows/session-policy.d.ts.map +1 -0
package/dist/workflows/session-policy.js +45 -0
package/dist/workflows/session-policy.js.map +1 -0
package/dist/workflows/structured-outputs.d.ts +5 -0
package/dist/workflows/structured-outputs.d.ts.map +1 -1
package/dist/workflows/structured-outputs.js +82 -3
package/dist/workflows/structured-outputs.js.map +1 -1
package/dist/workflows/subflow-executor.js +5 -1
package/dist/workflows/subflow-executor.js.map +1 -1
package/dist/workflows/types.d.ts +107 -4
package/dist/workflows/types.d.ts.map +1 -1
package/dist/workflows/workflow-authority-contract.d.ts +25 -0
package/dist/workflows/workflow-authority-contract.d.ts.map +1 -0
package/dist/workflows/workflow-authority-contract.js +366 -0
package/dist/workflows/workflow-authority-contract.js.map +1 -0
package/dist/workflows/workflow-executor-schema.d.ts +1 -1
package/dist/workflows/workflow-production-schema.d.ts +62 -10
package/dist/workflows/workflow-production-schema.d.ts.map +1 -1
package/dist/workflows/workflow-production-schema.js +63 -4
package/dist/workflows/workflow-production-schema.js.map +1 -1
package/dist/workflows/workflow-production-types.d.ts +42 -3
package/dist/workflows/workflow-production-types.d.ts.map +1 -1
package/dist/workflows/workflow-schema-common.d.ts +248 -2
package/dist/workflows/workflow-schema-common.d.ts.map +1 -1
package/dist/workflows/workflow-schema-common.js +58 -2
package/dist/workflows/workflow-schema-common.js.map +1 -1
package/dist/workflows/workflow-schema.d.ts +1966 -16
package/dist/workflows/workflow-schema.d.ts.map +1 -1
package/dist/workflows/workflow-schema.js +97 -3
package/dist/workflows/workflow-schema.js.map +1 -1
package/docs/releasing.md +4 -1
package/node_modules/@viewportai/context-engine/schemas/context_event_v1.schema.json +2 -0
package/node_modules/@viewportai/context-engine/src/repo/candidates.js +2 -0
package/node_modules/@viewportai/context-engine/src/repo/events.js +15 -1
package/node_modules/@viewportai/context-engine/src/repo/vault.js +18 -2
package/package.json +2 -2

package/dist/workflows/node-registry.js CHANGED Viewed

@@ -1,10 +1,17 @@
+import { createHash } from 'node:crypto';
+import path from 'node:path';
 import { executeLoopNode } from './loop-executor.js';
 import { executeContextNode } from './context-node-resolver.js';
 import { executeActionAdapter, WorkflowActionError } from './action-adapters.js';
-import { addEvent, renderOptionalTemplate, renderTemplate, resolveNodeCwd, runShellNode, } from './runtime-helpers.js';
+import { addEvent, renderOptionalTemplate, runArgvNode, renderShellCommandTemplate, renderTemplate, resolveNodeCwd, runShellNode, ShellNodeError, } from './runtime-helpers.js';
+import { envNameForCredentialRef } from './action-provider-utils.js';
 import { executeSubflowNode } from './subflow-executor.js';
 import { buildExpressionContext, evaluateConditionExpression } from './expression.js';
 import { sanitizePlanProposalMetadata } from '../hooks/plan-extractor.js';
+import { readPromptNodeOutput } from './prompt-output.js';
+import { shellAuthorityDenial } from './workflow-authority-contract.js';
+import { checkoutAuthorityDenial, executeCheckoutNode } from './checkout-node.js';
+import { executeGitPublishNode, gitPublishAuthorityDenial } from './git-publish-node.js';
 /**
  * Mutable registry of node executors keyed by `node.type`. Built-ins are
  * registered at module load (immediately below); the plugin loader extends
@@ -13,20 +20,224 @@ import { sanitizePlanProposalMetadata } from '../hooks/plan-extractor.js';
  * is one entry, not five files.
  */
 export const NODE_EXECUTORS = new Map();
+const SECRET_LIKE_ENV_NAME_PATTERN = /(^|_)(AUTHORIZATION|CREDENTIAL|PASSWORD|PASSWD|PRIVATE_KEY|SECRET|TOKEN|API_KEY)(_|$)/i;
+function isSecretLikeEnvName(name) {
+    return SECRET_LIKE_ENV_NAME_PATTERN.test(name);
+}
 export function registerNodeExecutor(type, executor) {
     NODE_EXECUTORS.set(type, executor);
 }
 const BUILTIN_NODE_EXECUTORS = {
+    checkout: async (context, run, nodeId, node) => {
+        if (node.type !== 'checkout')
+            return { result: 'completed' };
+        const state = run.nodes[nodeId];
+        const renderedNode = {
+            ...node,
+            repository: await renderTemplate(node.repository, run),
+            ...(node.remote ? { remote: await renderTemplate(node.remote, run) } : {}),
+            ...(node.path ? { path: await renderTemplate(node.path, run) } : {}),
+            ...(node.ref ? { ref: await renderTemplate(node.ref, run) } : {}),
+            ...(node.branch ? { branch: await renderTemplate(node.branch, run) } : {}),
+        };
+        const denial = checkoutAuthorityDenial(run, nodeId, renderedNode);
+        if (denial) {
+            addEvent(run, 'checkout-blocked', denial.detail, { workflow_authority_denial: denial }, nodeId);
+            throw new Error(denial.detail);
+        }
+        const credentialRef = node.credentialRef;
+        const credential = credentialRef && credentialRef.trim() !== ''
+            ? {
+                envName: envNameForCredentialRef(credentialRef),
+                secret: context.runtimeSecretEnv?.[envNameForCredentialRef(credentialRef)] ??
+                    process.env[envNameForCredentialRef(credentialRef)],
+            }
+            : undefined;
+        const result = await executeCheckoutNode(run, renderedNode, credential);
+        if (state) {
+            state.output = JSON.stringify(result);
+            state.worktreePath = result.path;
+            state.outputs = {
+                ...(state.outputs ?? {}),
+                repository: result.repository,
+                path: result.path,
+                ref: result.ref,
+                branch: result.branch,
+                commit: result.commit,
+                sourceCategory: result.sourceCategory,
+                readWriteMode: result.readWriteMode,
+            };
+            state.metadata = {
+                ...(state.metadata ?? {}),
+                checkout: {
+                    schema: 'viewport.checkout_receipt/v1',
+                    repository: result.repository,
+                    remote: result.remote,
+                    path: result.path,
+                    source_category: result.sourceCategory,
+                    read_write_mode: result.readWriteMode,
+                    requested_ref: result.ref,
+                    requested_branch: result.branch,
+                    ref: result.ref,
+                    branch: result.branch,
+                    exact_commit: result.commit,
+                    commit: result.commit,
+                    credentialMode: result.credentialMode,
+                    credentialRef: result.credentialRef,
+                },
+            };
+        }
+        addEvent(run, 'checkout-completed', `Checked out ${result.repository}`, {
+            repository: result.repository,
+            remote: result.remote,
+            path: result.path,
+            source_category: result.sourceCategory,
+            read_write_mode: result.readWriteMode,
+            ref: result.ref,
+            branch: result.branch,
+            exact_commit: result.commit,
+            commit: result.commit,
+        }, nodeId);
+        return { result: 'completed', artifactCwd: result.path };
+    },
+    git_publish: async (context, run, nodeId, node) => {
+        if (node.type !== 'git_publish')
+            return { result: 'completed' };
+        const state = run.nodes[nodeId];
+        const renderedNode = {
+            ...node,
+            repository: await renderTemplate(node.repository, run),
+            ...(node.credentialRef
+                ? { credentialRef: await renderTemplate(node.credentialRef, run) }
+                : {}),
+            ...(node.paths
+                ? { paths: await Promise.all(node.paths.map((entry) => renderTemplate(entry, run))) }
+                : {}),
+        };
+        const input = {
+            cwd: resolveNodeCwd(run.directoryPath, await renderOptionalTemplate(node.cwd, run)),
+            branch: await renderTemplate(node.branch, run),
+            message: await renderTemplate(node.message, run),
+        };
+        const denial = await gitPublishAuthorityDenial(run, nodeId, renderedNode, input);
+        if (denial) {
+            addEvent(run, 'git-publish-blocked', denial.detail, { workflow_authority_denial: denial }, nodeId);
+            throw new Error(denial.detail);
+        }
+        const credentialRef = renderedNode.credentialRef;
+        const credential = credentialRef && credentialRef.trim() !== ''
+            ? {
+                envName: envNameForCredentialRef(credentialRef),
+                secret: context.runtimeSecretEnv?.[envNameForCredentialRef(credentialRef)] ??
+                    process.env[envNameForCredentialRef(credentialRef)],
+            }
+            : undefined;
+        const result = await executeGitPublishNode(renderedNode, input, credential);
+        if (state) {
+            state.output = JSON.stringify(result);
+            state.outputs = {
+                ...(state.outputs ?? {}),
+                repository: result.repository,
+                branch: result.branch,
+                commit: result.commit,
+                pushed: result.pushed,
+                changed: result.changed,
+            };
+            state.metadata = {
+                ...(state.metadata ?? {}),
+                git_publish: {
+                    schema: 'viewport.git_publish_receipt/v1',
+                    repository: result.repository,
+                    branch: result.branch,
+                    commit: result.commit,
+                    pushed: result.pushed,
+                    changed: result.changed,
+                    credentialMode: result.credentialMode,
+                    credentialRef: result.credentialRef,
+                },
+            };
+        }
+        addEvent(run, 'git-publish-completed', `Published ${result.repository} branch ${result.branch}`, { ...result }, nodeId);
+        return { result: 'completed', artifactCwd: input.cwd };
+    },
     shell: async (context, run, nodeId, node) => {
         if (node.type !== 'shell')
             return { result: 'completed' };
         const state = run.nodes[nodeId];
+        const startedAt = Date.now();
         const artifactCwd = resolveNodeCwd(run.directoryPath, await renderOptionalTemplate(node.cwd, run));
+        const invocation = await renderShellInvocation(node, run);
+        const env = await resolveNodeEnv(context, run, node);
+        if (state) {
+            state.metadata = {
+                ...(state.metadata ?? {}),
+                shell_execution: buildShellExecutionReceipt({
+                    run,
+                    nodeId,
+                    commandDigestMaterial: invocation.digestMaterial,
+                    executor: invocation.executor,
+                    cwd: artifactCwd,
+                    env,
+                    timeoutSeconds: node.timeoutSeconds,
+                    startedAt,
+                    status: 'preflight',
+                }),
+            };
+        }
+        const workspaceDenial = shellWorkspaceCwdDenial(run, nodeId, artifactCwd);
+        if (workspaceDenial) {
+            if (state) {
+                state.metadata = {
+                    ...(state.metadata ?? {}),
+                    shell_execution: buildShellExecutionReceipt({
+                        run,
+                        nodeId,
+                        commandDigestMaterial: invocation.digestMaterial,
+                        executor: invocation.executor,
+                        cwd: artifactCwd,
+                        env,
+                        timeoutSeconds: node.timeoutSeconds,
+                        startedAt,
+                        completedAt: Date.now(),
+                        status: 'denied',
+                        denial: workspaceDenial,
+                    }),
+                };
+            }
+            addEvent(run, 'shell-blocked', workspaceDenial.detail, { workflow_authority_denial: workspaceDenial }, nodeId);
+            throw new Error(workspaceDenial.detail);
+        }
+        const denial = shellAuthorityDenial(run, nodeId, invocation.authorityCommand, artifactCwd, {
+            executorKind: typeof invocation.executor.kind === 'string' ? invocation.executor.kind : undefined,
+        });
+        if (denial) {
+            if (state) {
+                state.metadata = {
+                    ...(state.metadata ?? {}),
+                    shell_execution: buildShellExecutionReceipt({
+                        run,
+                        nodeId,
+                        commandDigestMaterial: invocation.digestMaterial,
+                        executor: invocation.executor,
+                        cwd: artifactCwd,
+                        env,
+                        timeoutSeconds: node.timeoutSeconds,
+                        startedAt,
+                        completedAt: Date.now(),
+                        status: 'denied',
+                        denial,
+                    }),
+                };
+            }
+            addEvent(run, 'shell-blocked', denial.detail, { workflow_authority_denial: denial }, nodeId);
+            throw new Error(denial.detail);
+        }
         const abort = context.shellAbortRegistry.create(run.id, `node:${nodeId}`);
         let result;
         try {
-            result = await runShellNode(await renderTemplate(node.command, run), {
+            result = await invocation.run({
                 cwd: artifactCwd,
+                env,
                 timeoutSeconds: node.timeoutSeconds,
                 signal: abort.signal,
                 onOutput: ({ source, chunk, output }) => {
@@ -36,12 +247,55 @@ const BUILTIN_NODE_EXECUTORS = {
                 },
             });
         }
+        catch (error) {
+            if (state) {
+                if (error instanceof ShellNodeError) {
+                    state.output = error.output || state.output;
+                    state.exitCode = error.exitCode ?? undefined;
+                }
+                state.metadata = {
+                    ...(state.metadata ?? {}),
+                    shell_execution: buildShellExecutionReceipt({
+                        run,
+                        nodeId,
+                        commandDigestMaterial: invocation.digestMaterial,
+                        executor: invocation.executor,
+                        cwd: artifactCwd,
+                        env,
+                        timeoutSeconds: node.timeoutSeconds,
+                        startedAt,
+                        completedAt: Date.now(),
+                        status: error instanceof ShellNodeError && error.message.includes('canceled')
+                            ? 'canceled'
+                            : 'failed',
+                        exitCode: error instanceof ShellNodeError ? error.exitCode : null,
+                    }),
+                };
+            }
+            throw error;
+        }
         finally {
             abort.dispose();
         }
         if (state) {
             state.output = result.output;
             state.exitCode = result.exitCode;
+            state.metadata = {
+                ...(state.metadata ?? {}),
+                shell_execution: buildShellExecutionReceipt({
+                    run,
+                    nodeId,
+                    commandDigestMaterial: invocation.digestMaterial,
+                    executor: invocation.executor,
+                    cwd: artifactCwd,
+                    env,
+                    timeoutSeconds: node.timeoutSeconds,
+                    startedAt,
+                    completedAt: Date.now(),
+                    status: 'completed',
+                    exitCode: result.exitCode,
+                }),
+            };
         }
         addEvent(run, 'node-output', `Node ${nodeId} produced shell output`, { output: result.output, exitCode: result.exitCode }, nodeId);
         return { result: 'completed', artifactCwd };
@@ -50,7 +304,8 @@ const BUILTIN_NODE_EXECUTORS = {
         if (node.type !== 'prompt')
             return { result: 'completed' };
         await helpers.executePromptNode(context, run, nodeId, node);
-        return { result: 'completed' };
+        const artifactCwd = run.nodes[nodeId]?.worktreePath;
+        return artifactCwd ? { result: 'completed', artifactCwd } : { result: 'completed' };
     },
     agent: async (context, run, nodeId, node, helpers) => {
         if (node.type !== 'agent')
@@ -63,7 +318,8 @@ const BUILTIN_NODE_EXECUTORS = {
         if (node.handoff) {
             addEvent(run, 'node-output', `Agent node ${nodeId} prepared handoff metadata`, { handoff: node.handoff }, nodeId);
         }
-        return { result: 'completed' };
+        const artifactCwd = run.nodes[nodeId]?.worktreePath;
+        return artifactCwd ? { result: 'completed', artifactCwd } : { result: 'completed' };
     },
     approval: async (context, run, nodeId, node, helpers) => {
         if (node.type !== 'approval')
@@ -83,6 +339,86 @@ const BUILTIN_NODE_EXECUTORS = {
         await executeContextNode(run, nodeId, node);
         return { result: 'completed' };
     },
+    context_update: async (context, run, nodeId, node) => {
+        if (node.type !== 'context_update')
+            return { result: 'completed' };
+        const state = run.nodes[nodeId];
+        const targetRef = await renderTemplate(node.targetRef, run);
+        const title = await renderTemplate(node.title, run);
+        const summary = await renderOptionalTemplate(node.summary, run);
+        const idempotencyKey = await renderOptionalTemplate(node.idempotencyKey, run);
+        const patch = await renderContextUpdatePatch(node.patch, run);
+        try {
+            const proposal = await context.platformContextClient?.proposeContextUpdate({
+                run,
+                nodeId,
+                targetRef,
+                title,
+                summary,
+                patch,
+                idempotencyKey,
+            });
+            const output = proposal?.proposalId
+                ? `Context update proposal ${proposal.proposalId}`
+                : `Context update proposal prepared for ${targetRef}`;
+            if (state) {
+                state.output = output;
+                state.outputs = {
+                    ...(state.outputs ?? {}),
+                    target_ref: targetRef,
+                    proposal_id: proposal?.proposalId ?? null,
+                    inbox_item_id: proposal?.inboxItemId ?? null,
+                    status: proposal?.status ?? 'prepared',
+                };
+                state.metadata = {
+                    ...(state.metadata ?? {}),
+                    context_update: {
+                        target_ref: targetRef,
+                        title,
+                        summary: summary ?? null,
+                        patch: redactedContextUpdatePatch(patch),
+                        patch_digest: patchDigest(patch),
+                        idempotency_key: idempotencyKey ?? null,
+                        proposal_id: proposal?.proposalId ?? null,
+                        inbox_item_id: proposal?.inboxItemId ?? null,
+                        status: proposal?.status ?? 'prepared',
+                        plaintext_patch_persisted: false,
+                    },
+                };
+            }
+            addEvent(run, 'context-update-proposed', proposal?.proposalId
+                ? `Context update proposal ${proposal.proposalId} created for ${targetRef}`
+                : `Context update proposal prepared for ${targetRef}`, {
+                targetRef,
+                title,
+                proposalId: proposal?.proposalId ?? null,
+                inboxItemId: proposal?.inboxItemId ?? null,
+                status: proposal?.status ?? 'prepared',
+                patchDigest: patchDigest(patch),
+            }, nodeId);
+            return { result: 'completed' };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            if (state) {
+                state.output = `Context update proposal failed: ${message}`;
+                state.metadata = {
+                    ...(state.metadata ?? {}),
+                    context_update: {
+                        target_ref: targetRef,
+                        title,
+                        status: 'failed',
+                        error: message,
+                        patch: redactedContextUpdatePatch(patch),
+                        patch_digest: patchDigest(patch),
+                        plaintext_patch_persisted: false,
+                    },
+                };
+            }
+            addEvent(run, 'context-update-proposal-failed', `Context update proposal failed for ${targetRef}: ${message}`, { targetRef, title, error: message, patchDigest: patchDigest(patch) }, nodeId);
+            throw error;
+        }
+    },
     condition: async (_context, run, nodeId, node) => {
         if (node.type !== 'condition')
             return { result: 'completed' };
@@ -191,6 +527,7 @@ const BUILTIN_NODE_EXECUTORS = {
         if (node.type !== 'plan')
             return { result: 'completed' };
         const state = run.nodes[nodeId];
+        await backfillPromptDependencyOutputs(run, node.needs);
         const title = await renderTemplate(node.title ?? nodeId, run);
         const body = await renderTemplate(node.body, run);
         const summary = await renderOptionalTemplate(node.summary, run);
@@ -205,6 +542,8 @@ const BUILTIN_NODE_EXECUTORS = {
                     body,
                     source: node.source ?? 'workflow',
                     sourceRef: sourceRef || `viewport://workflow-runs/${run.id}/nodes/${nodeId}`,
+                    ...(node.recipients ? { recipients: node.recipients } : {}),
+                    ...(node.revision ? { revision: node.revision } : {}),
                 },
             };
         }
@@ -231,8 +570,218 @@ const BUILTIN_NODE_EXECUTORS = {
         return { result: 'blocked' };
     },
 };
+async function backfillPromptDependencyOutputs(run, needs) {
+    for (const dependencyId of needs ?? []) {
+        const dependency = run.nodes[dependencyId];
+        if (!dependency || dependency.type !== 'prompt' || dependency.output)
+            continue;
+        const output = await readPromptNodeOutput(run, dependency);
+        if (output)
+            dependency.output = output;
+    }
+}
 // Seed the mutable registry with built-ins. Plugin entries register at boot.
 for (const [type, executor] of Object.entries(BUILTIN_NODE_EXECUTORS)) {
     NODE_EXECUTORS.set(type, executor);
 }
+async function resolveNodeEnv(context, run, node) {
+    if (!node.env || Object.keys(node.env).length === 0)
+        return undefined;
+    const env = {};
+    for (const [name, value] of Object.entries(node.env)) {
+        if (value.value !== undefined) {
+            if (isSecretLikeEnvName(name)) {
+                throw new Error(`Env ${name} looks secret-like and must use a credential secret handle instead of a literal value.`);
+            }
+            env[name] = await renderTemplate(value.value, run);
+            continue;
+        }
+        if (!value.secret)
+            continue;
+        const envName = envNameForCredentialRef(value.secret);
+        const material = context.runtimeSecretEnv?.[envName] ?? process.env[envName];
+        if (!material) {
+            throw new Error(`Secret binding ${value.secret} was not materialized for env ${name}. Select it in the workflow/profile and keep runner-local material in ${envName} when using BYO secrets.`);
+        }
+        env[name] = material;
+    }
+    return env;
+}
+async function renderContextUpdatePatch(patch, run) {
+    if (!patch)
+        return undefined;
+    const textDigest = patch.text ? digest(await renderTemplate(patch.text, run)) : undefined;
+    const files = patch.files
+        ? await Promise.all(patch.files.map(async (file) => {
+            const path = await renderTemplate(file.path, run);
+            const operation = file.operation ? await renderTemplate(file.operation, run) : undefined;
+            const artifactRef = file.artifact_ref
+                ? await renderTemplate(file.artifact_ref, run)
+                : undefined;
+            const beforeDigest = file.before_digest
+                ? await renderTemplate(file.before_digest, run)
+                : undefined;
+            const afterDigest = file.after_digest
+                ? await renderTemplate(file.after_digest, run)
+                : undefined;
+            const patchDigest = file.patch_digest
+                ? await renderTemplate(file.patch_digest, run)
+                : digest(JSON.stringify({
+                    path,
+                    operation,
+                    artifactRef,
+                    beforeDigest,
+                    afterDigest,
+                    textDigest,
+                }));
+            return {
+                path,
+                ...(operation ? { operation } : {}),
+                ...(artifactRef ? { artifact_ref: artifactRef } : {}),
+                ...(beforeDigest ? { before_digest: beforeDigest } : {}),
+                ...(afterDigest ? { after_digest: afterDigest } : {}),
+                patch_digest: patchDigest,
+            };
+        }))
+        : undefined;
+    return {
+        ...(patch.mode ? { mode: patch.mode } : {}),
+        ...(textDigest ? { text_digest: textDigest } : {}),
+        ...(patch.digest ? { digest: await renderTemplate(patch.digest, run) } : {}),
+        ...(patch.operation ? { operation: await renderTemplate(patch.operation, run) } : {}),
+        ...(files ? { files } : {}),
+    };
+}
+function patchDigest(patch) {
+    if (!patch)
+        return null;
+    return digest(JSON.stringify(patch));
+}
+function redactedContextUpdatePatch(patch) {
+    if (!patch)
+        return null;
+    return {
+        ...(typeof patch.mode === 'string' ? { mode: patch.mode } : {}),
+        ...(typeof patch.operation === 'string' ? { operation: patch.operation } : {}),
+        ...(typeof patch.digest === 'string' ? { digest: patch.digest } : {}),
+        ...(typeof patch.text_digest === 'string' ? { text_digest: patch.text_digest } : {}),
+        ...(Array.isArray(patch.files) ? { files: patch.files } : {}),
+        plaintext_patch_persisted: false,
+    };
+}
+async function renderShellInvocation(node, run) {
+    if (node.argv && node.argv.length > 0) {
+        const argv = await Promise.all(node.argv.map((entry) => renderTemplate(entry, run)));
+        return {
+            authorityCommand: argv.join(' '),
+            digestMaterial: JSON.stringify({ argv }),
+            executor: {
+                kind: 'argv',
+                command: argv[0] ?? null,
+                args_count: Math.max(0, argv.length - 1),
+                raw_args_persisted: false,
+            },
+            run: (options) => runArgvNode(argv, options),
+        };
+    }
+    if (!node.command) {
+        throw new Error(`Shell node must set command or argv.`);
+    }
+    const command = await renderShellCommandTemplate(node.command, run);
+    return {
+        authorityCommand: command,
+        digestMaterial: command,
+        executor: {
+            kind: 'shell',
+            command: 'sh',
+            args: ['-lc'],
+        },
+        run: (options) => runShellNode(command, options),
+    };
+}
+function buildShellExecutionReceipt(input) {
+    const durationMs = input.completedAt !== undefined ? Math.max(0, input.completedAt - input.startedAt) : null;
+    return {
+        schema: 'viewport.shell_execution_receipt/v1',
+        node_id: input.nodeId,
+        status: input.status,
+        executor: input.executor,
+        command_digest: digest(input.commandDigestMaterial),
+        command_persisted: false,
+        cwd: input.cwd,
+        cwd_digest: digest(input.cwd),
+        env_keys: Object.keys(input.env ?? {}).sort(),
+        env_values_persisted: false,
+        timeout_seconds: input.timeoutSeconds ?? null,
+        authority: shellAuthorityReceipt(input.run),
+        started_at: new Date(input.startedAt).toISOString(),
+        completed_at: input.completedAt !== undefined ? new Date(input.completedAt).toISOString() : null,
+        duration_ms: durationMs,
+        exit_code: input.exitCode ?? null,
+        denial: input.denial
+            ? {
+                reason: input.denial.reason,
+                detail: input.denial.detail,
+            }
+            : null,
+    };
+}
+function shellWorkspaceCwdDenial(run, nodeId, cwd) {
+    if (isPathWithin(cwd, run.directoryPath))
+        return null;
+    return {
+        schema: 'viewport.workflow_authority_denial/v1',
+        reason: 'shell_cwd_outside_run_workspace',
+        runId: run.id,
+        nodeId,
+        detail: `Shell cwd ${cwd} is outside the run worktree.`,
+    };
+}
+function shellAuthorityReceipt(run) {
+    const contract = run.workflowAuthorityContract;
+    if (!contract || typeof contract !== 'object') {
+        return {
+            source: 'legacy_local',
+            shell_policy: 'legacy',
+            authority_contract_present: false,
+        };
+    }
+    const shellPolicy = authorityShellPolicy(contract);
+    return {
+        source: 'workflow_authority_contract',
+        shell_policy: shellPolicy ?? null,
+        legacy_command_allowed: authorityLegacyShellCommandAllowed(contract),
+        authority_contract_present: true,
+        authority_contract_digest: typeof contract.digest === 'string' ? contract.digest : null,
+    };
+}
+function authorityShellPolicy(contract) {
+    const nested = contract['shell'];
+    if (nested && typeof nested === 'object' && !Array.isArray(nested)) {
+        const policy = nested['policy'];
+        if (typeof policy === 'string' && policy.trim() !== '')
+            return policy;
+    }
+    const flat = contract['shell_policy'];
+    if (typeof flat === 'string' && flat.trim() !== '')
+        return flat;
+    return null;
+}
+function authorityLegacyShellCommandAllowed(contract) {
+    const nested = contract['shell'];
+    if (nested && typeof nested === 'object' && !Array.isArray(nested)) {
+        const allowed = nested['allow_legacy_command'];
+        if (typeof allowed === 'boolean')
+            return allowed;
+    }
+    const flat = contract['shell_allow_legacy_command'];
+    return typeof flat === 'boolean' ? flat : false;
+}
+function isPathWithin(candidate, root) {
+    const relative = path.relative(path.resolve(root), path.resolve(candidate));
+    return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative));
+}
+function digest(value) {
+    return `sha256:${createHash('sha256').update(value).digest('hex')}`;
+}
 //# sourceMappingURL=node-registry.js.map