npm - @viewportai/daemon - Versions diffs - 0.25.3 → 0.25.5 - Mend

@viewportai/daemon 0.25.3 → 0.25.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

package/dist/adapters/claude.js +6 -0
package/dist/adapters/claude.js.map +1 -1
package/dist/cli/worker-runtime.d.ts.map +1 -1
package/dist/cli/worker-runtime.js +123 -0
package/dist/cli/worker-runtime.js.map +1 -1
package/dist/cli/workflow-managed-worker-types.d.ts +10 -0
package/dist/cli/workflow-managed-worker-types.d.ts.map +1 -1
package/dist/cli/workflow-managed-worker.d.ts.map +1 -1
package/dist/cli/workflow-managed-worker.js +333 -49
package/dist/cli/workflow-managed-worker.js.map +1 -1
package/dist/server/http-request-schemas.d.ts +4 -0
package/dist/server/http-request-schemas.d.ts.map +1 -1
package/dist/server/http-request-schemas.js +10 -0
package/dist/server/http-request-schemas.js.map +1 -1
package/dist/server/http-server.d.ts.map +1 -1
package/dist/server/http-server.js +17 -0
package/dist/server/http-server.js.map +1 -1
package/dist/workflows/action-adapters.d.ts +2 -0
package/dist/workflows/action-adapters.d.ts.map +1 -1
package/dist/workflows/action-adapters.js +2 -0
package/dist/workflows/action-adapters.js.map +1 -1
package/dist/workflows/action-provider-adapters.d.ts +6 -2
package/dist/workflows/action-provider-adapters.d.ts.map +1 -1
package/dist/workflows/action-provider-adapters.js +49 -3
package/dist/workflows/action-provider-adapters.js.map +1 -1
package/dist/workflows/action-provider-utils.d.ts +4 -1
package/dist/workflows/action-provider-utils.d.ts.map +1 -1
package/dist/workflows/action-provider-utils.js +22 -2
package/dist/workflows/action-provider-utils.js.map +1 -1
package/dist/workflows/approval-on-reject.js +1 -0
package/dist/workflows/approval-on-reject.js.map +1 -1
package/dist/workflows/daemon-session.js +1 -0
package/dist/workflows/daemon-session.js.map +1 -1
package/dist/workflows/expression.d.ts +3 -0
package/dist/workflows/expression.d.ts.map +1 -1
package/dist/workflows/expression.js +18 -1
package/dist/workflows/expression.js.map +1 -1
package/dist/workflows/inline-agents.d.ts.map +1 -1
package/dist/workflows/inline-agents.js +1 -5
package/dist/workflows/inline-agents.js.map +1 -1
package/dist/workflows/loop-executor.js +1 -0
package/dist/workflows/loop-executor.js.map +1 -1
package/dist/workflows/node-executor.d.ts +6 -0
package/dist/workflows/node-executor.d.ts.map +1 -1
package/dist/workflows/node-executor.js +24 -2
package/dist/workflows/node-executor.js.map +1 -1
package/dist/workflows/node-registry.d.ts.map +1 -1
package/dist/workflows/node-registry.js +25 -6
package/dist/workflows/node-registry.js.map +1 -1
package/dist/workflows/platform-command-applier.d.ts +3 -1
package/dist/workflows/platform-command-applier.d.ts.map +1 -1
package/dist/workflows/platform-command-applier.js +77 -1
package/dist/workflows/platform-command-applier.js.map +1 -1
package/dist/workflows/platform-runtime-command.d.ts +18 -1
package/dist/workflows/platform-runtime-command.d.ts.map +1 -1
package/dist/workflows/platform-runtime-command.js +36 -3
package/dist/workflows/platform-runtime-command.js.map +1 -1
package/dist/workflows/run-types.d.ts +9 -0
package/dist/workflows/run-types.d.ts.map +1 -1
package/dist/workflows/runner-scheduler.d.ts +1 -0
package/dist/workflows/runner-scheduler.d.ts.map +1 -1
package/dist/workflows/runner-scheduler.js +1 -0
package/dist/workflows/runner-scheduler.js.map +1 -1
package/dist/workflows/runner.d.ts +7 -0
package/dist/workflows/runner.d.ts.map +1 -1
package/dist/workflows/runner.js +113 -7
package/dist/workflows/runner.js.map +1 -1
package/dist/workflows/subflow-executor.js +1 -1
package/dist/workflows/subflow-executor.js.map +1 -1
package/dist/workflows/workflow-production-schema.d.ts +12 -0
package/dist/workflows/workflow-production-schema.d.ts.map +1 -1
package/dist/workflows/workflow-production-schema.js +9 -0
package/dist/workflows/workflow-production-schema.js.map +1 -1
package/dist/workflows/workflow-production-types.d.ts +6 -0
package/dist/workflows/workflow-production-types.d.ts.map +1 -1
package/dist/workflows/workflow-schema.d.ts +12 -0
package/dist/workflows/workflow-schema.d.ts.map +1 -1
package/package.json +1 -1

package/dist/cli/workflow-managed-worker.js CHANGED Viewed

@@ -3,6 +3,7 @@ import { constants, createHash, generateKeyPairSync, privateDecrypt, randomUUID,
 import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
+import YAML from 'yaml';
 import { getArgs, getFlag, hasFlag } from './args.js';
 import { daemonFetch, isDaemonRunning } from './daemon-client.js';
 import { isJsonMode, printJson } from './command-shared.js';
@@ -247,6 +248,7 @@ function resolveWorkerOptions() {
             registrationProfile?.runnerProfile ??
             undefined,
         runnerPosture: registrationProfile?.runnerPosture,
+        workerSessionId: randomUUID(),
         runnerKeyPair,
         signingIdentity,
         runnerPool: getFlag('runner-pool') ??
@@ -531,7 +533,10 @@ async function heartbeat(options, status, healthStatus) {
                 ...recordValue(options.runnerPosture?.['transport']),
                 mode: options.accessMode,
             },
-            execution: recordValue(options.runnerPosture?.['execution']) ?? { kind: 'customer-managed' },
+            execution: {
+                ...(recordValue(options.runnerPosture?.['execution']) ?? { kind: 'customer-managed' }),
+                worker_session_id: options.workerSessionId,
+            },
             secrets: {
                 ...recordValue(options.runnerPosture?.['secrets']),
                 modes: [
@@ -597,11 +602,12 @@ function managedWorkerAccessMode(value) {
 async function claimAssignment(options) {
     const response = await platformFetch(options, 'POST', 'claim', {
         lease_seconds: options.leaseSeconds,
+        worker_session_id: options.workerSessionId,
     });
     if (response.status === 204)
         return null;
     const body = await responseJson(response);
-    return dataFrom(body);
+    return assignmentFrom(body);
 }
 async function claimActionReplay(options) {
     if ((!options.capabilities.actionCommand && !options.capabilities.providerActions) ||
@@ -734,12 +740,13 @@ function normalizeReplayAction(adapter, action) {
     return action;
 }
 function replayProviderReference(response) {
-    return (stringField(response ?? null, 'htmlUrl') ??
-        stringField(response ?? null, 'apiUrl') ??
-        stringField(response ?? null, 'url') ??
-        stringField(response ?? null, 'channel') ??
+    return (numberField(response ?? null, 'number')?.toString() ??
         stringField(response ?? null, 'ts') ??
-        numberField(response ?? null, 'number')?.toString());
+        stringField(response ?? null, 'id') ??
+        stringField(response ?? null, 'channel') ??
+        stringField(response ?? null, 'htmlUrl') ??
+        stringField(response ?? null, 'apiUrl') ??
+        stringField(response ?? null, 'url'));
 }
 function replayProviderUrl(response) {
     return (stringField(response ?? null, 'htmlUrl') ??
@@ -896,38 +903,46 @@ async function runAssignmentLocally(options, assignment) {
     const existingRun = await readExistingLocalRun(assignment.runtime_run_id);
     if (existingRun) {
         if (existingRun.status === 'running' || existingRun.status === 'queued') {
-            return pollLocalRun(existingRun.id, async (run) => {
+            const completed = await pollLocalRun(existingRun.id, async (run) => {
                 await syncLocalRun(options, assignment.id, run, assignment.assignment_claim_token);
             }, progressSyncEveryMs(options.leaseSeconds));
+            if (terminalRunStatus(completed.status)) {
+                clearRunCredentialMaterial(assignment.id);
+            }
+            return completed;
+        }
+        if (terminalRunStatus(existingRun.status)) {
+            clearRunCredentialMaterial(assignment.id);
         }
         return existingRun;
     }
     const directory = await ensureDirectory(options.workdir ?? assignment.directory_path ?? process.cwd());
-    const material = await materializeRunCredentials(options, assignment);
+    const material = await materializeAndCacheRunCredentials(options, assignment);
     const started = await daemonJson('POST', '/api/workflows/runs', {
         workflowYaml: assignment.yaml_snapshot,
         workflowSourceRef: assignment.source_ref ?? `viewport://managed-executor/${assignment.id}`,
         directoryId: directory.id,
-        inputs: assignmentInputs(assignment, material.metadata),
+        inputs: assignmentInputs(assignment, material),
         runtimeSecretEnv: material.runtimeSecretEnv,
+        runtimeSecretFiles: material.runtimeSecretFiles,
         resourceId: options.workspaceId,
         runtimeTargetId: assignment.runtime_target_id ?? undefined,
         platformRunId: assignment.id,
-        resourceManifest: assignment.resource_manifest ?? undefined,
-        workflowAuthorityContract: assignment.workflow_authority_contract ??
-            recordChildValue(assignment.route_snapshot, 'workflow_authority_contract') ??
-            recordChildValue(assignment.execution_profile_snapshot, 'workflow_authority_contract') ??
-            recordChildValue(assignment.workflow_snapshot, 'workflow_authority_contract') ??
-            recordChildValue(assignment.runner_workspace_snapshot, 'workflow_authority_contract') ??
+        resourceManifest: assignmentResourceManifest(assignment) ?? undefined,
+        workflowAuthorityContract: assignmentWorkflowAuthorityContract(assignment) ??
             recordChildValue(recordChildValue(assignment.input_snapshot, 'viewport'), 'workflowAuthorityContract') ??
             undefined,
         initiation: 'cli',
         dataCapturePolicy: assignment.data_capture_policy ?? undefined,
     });
     const runId = readRun(started).id;
-    return pollLocalRun(runId, async (run) => {
+    const completed = await pollLocalRun(runId, async (run) => {
         await syncLocalRun(options, assignment.id, run, assignment.assignment_claim_token);
     }, progressSyncEveryMs(options.leaseSeconds));
+    if (terminalRunStatus(completed.status)) {
+        clearRunCredentialMaterial(assignment.id);
+    }
+    return completed;
 }
 function recordChildValue(value, key) {
     if (!value || typeof value !== 'object' || Array.isArray(value))
@@ -937,26 +952,88 @@ function recordChildValue(value, key) {
         return undefined;
     return entry;
 }
-function assignmentInputs(assignment, credentialMetadata = []) {
+function assignmentInputs(assignment, material = {
+    runtimeSecretEnv: {},
+    runtimeSecretFiles: {},
+    metadata: [],
+}) {
     const inputs = { ...(assignment.input_snapshot ?? {}) };
     inputs['viewport'] = {
         ...(isRecord(inputs['viewport']) ? inputs['viewport'] : {}),
         platformRunId: assignment.id,
         schemaVersions: assignment.schema_versions ?? null,
-        route: assignment.route_snapshot ?? null,
-        executionProfile: assignment.execution_profile_snapshot ?? null,
-        workflow: assignment.workflow_snapshot ?? null,
-        runnerWorkspace: assignment.runner_workspace_snapshot ?? null,
-        contextReceipts: assignment.context_receipts_snapshot ?? null,
-        credentials: credentialMetadata,
+        target: assignmentTargetSnapshot(assignment) ?? null,
+        route: assignmentRouteSnapshot(assignment) ?? null,
+        executionProfile: assignmentExecutionProfileSnapshot(assignment) ?? null,
+        workflow: assignmentWorkflowSnapshot(assignment) ?? null,
+        runnerWorkspace: assignmentRunnerWorkspaceSnapshot(assignment) ?? null,
+        contextReceipts: assignmentContextReceiptsSnapshot(assignment) ?? null,
+        credentials: material.metadata,
     };
     return inputs;
 }
+const runCredentialMaterialCache = new Map();
+const runCredentialProcessEnvCache = new Map();
+function terminalRunStatus(status) {
+    return status === 'completed' || status === 'failed' || status === 'canceled';
+}
+async function materializeAndCacheRunCredentials(options, assignment) {
+    const material = await materializeRunCredentials(options, assignment);
+    runCredentialMaterialCache.set(assignment.id, material);
+    installRunCredentialProcessEnv(assignment.id, material.runtimeSecretEnv);
+    return material;
+}
+function installRunCredentialProcessEnv(runId, runtimeSecretEnv) {
+    const entries = Object.entries(runtimeSecretEnv);
+    if (entries.length === 0)
+        return;
+    const previous = runCredentialProcessEnvCache.get(runId) ?? {};
+    for (const [key, value] of entries) {
+        if (!(key in previous)) {
+            previous[key] = process.env[key];
+        }
+        process.env[key] = value;
+    }
+    runCredentialProcessEnvCache.set(runId, previous);
+}
+function clearRunCredentialMaterial(runId) {
+    const material = runCredentialMaterialCache.get(runId);
+    runCredentialMaterialCache.delete(runId);
+    if (material) {
+        for (const filePath of Object.values(material.runtimeSecretFiles)) {
+            try {
+                fs.rmSync(filePath, { force: true });
+            }
+            catch {
+                // Best-effort cleanup; the run-scoped directory is removed next.
+            }
+        }
+    }
+    try {
+        fs.rmSync(path.join(process.env['VIEWPORT_HOME'] ?? path.join(os.homedir(), '.viewport'), 'run-secrets', runId), { recursive: true, force: true });
+    }
+    catch {
+        // Best-effort cleanup.
+    }
+    const previous = runCredentialProcessEnvCache.get(runId);
+    if (!previous)
+        return;
+    for (const [key, value] of Object.entries(previous)) {
+        if (value === undefined) {
+            delete process.env[key];
+        }
+        else {
+            process.env[key] = value;
+        }
+    }
+    runCredentialProcessEnvCache.delete(runId);
+}
 async function materializeRunCredentials(options, assignment) {
     const handles = collectCredentialHandles(assignment);
     if (handles.length === 0)
-        return { runtimeSecretEnv: {}, metadata: [] };
+        return { runtimeSecretEnv: {}, runtimeSecretFiles: {}, metadata: [] };
     const runtimeSecretEnv = {};
+    const runtimeSecretFiles = {};
     const metadata = [];
     for (const handle of handles) {
         const response = await materializeCredential(options, assignment, handle);
@@ -964,10 +1041,13 @@ async function materializeRunCredentials(options, assignment) {
         const secret = stringField(response, 'secret');
         if (secret) {
             runtimeSecretEnv[envName] = secret;
+            runtimeSecretFiles[envName] = await writeRunCredentialSecretFile(assignment.id, envName, secret);
         }
         const wrappedSecret = recordField(response, 'wrapped_secret');
         if (wrappedSecret) {
-            runtimeSecretEnv[envName] = decryptRunnerWrappedSecret(options.runnerKeyPair, wrappedSecret);
+            const decrypted = decryptRunnerWrappedSecret(options.runnerKeyPair, wrappedSecret);
+            runtimeSecretEnv[envName] = decrypted;
+            runtimeSecretFiles[envName] = await writeRunCredentialSecretFile(assignment.id, envName, decrypted);
         }
         metadata.push({
             handle,
@@ -975,13 +1055,26 @@ async function materializeRunCredentials(options, assignment) {
             kind: stringField(response, 'kind') ?? null,
             storagePosture: stringField(response, 'storage_posture') ?? null,
             materialAvailable: response['material_available'] === true,
+            runtimeSecretAvailable: typeof runtimeSecretEnv[envName] === 'string',
             runnerLocalRequired: response['runner_local_required'] === true,
             provider: stringField(response, 'provider') ?? null,
             credentialId: stringField(response, 'credential_id') ?? numberField(response, 'credential_id') ?? null,
             scopes: response['scopes'],
         });
     }
-    return { runtimeSecretEnv, metadata };
+    const missingRuntimeSecrets = metadata.filter((entry) => entry.materialAvailable && !entry.runnerLocalRequired && !entry.runtimeSecretAvailable);
+    if (missingRuntimeSecrets.length > 0) {
+        const handles = missingRuntimeSecrets.map((entry) => entry.handle).join(', ');
+        throw new Error(`Credential materialization for ${assignment.id} returned material_available without runtime secret material for: ${handles}`);
+    }
+    return { runtimeSecretEnv, runtimeSecretFiles, metadata };
+}
+async function writeRunCredentialSecretFile(runId, envName, secret) {
+    const root = path.join(process.env['VIEWPORT_HOME'] ?? path.join(os.homedir(), '.viewport'), 'run-secrets', runId);
+    await fs.promises.mkdir(root, { recursive: true, mode: 0o700 });
+    const filePath = path.join(root, envName);
+    await fs.promises.writeFile(filePath, secret, { mode: 0o600 });
+    return filePath;
 }
 async function materializeCredential(options, assignment, handle) {
     if (!assignment.assignment_claim_token) {
@@ -999,6 +1092,9 @@ async function materializeCredential(options, assignment, handle) {
     return data;
 }
 function repositoryForCredentialMaterialization(assignment, handle) {
+    const actionRepository = repositoryFromActionCredentialRef(assignment, handle);
+    if (actionRepository)
+        return { repository: actionRepository };
     const checkoutEntries = [
         ...credentialEntriesFrom(pathValue(asRecord(assignment.execution_profile_snapshot), ['credentials', 'repo_checkout'])),
         ...credentialEntriesFrom(pathValue(asRecord(assignment.workflow_snapshot), ['credentials', 'repo_checkout'])),
@@ -1020,19 +1116,7 @@ function repositoryForCredentialMaterialization(assignment, handle) {
     return allowed.length === 1 && allowed[0] ? { repository: allowed[0] } : {};
 }
 function allowedRepositoriesFromAssignment(assignment) {
-    const candidates = [
-        pathValue(assignment.workflow_authority_contract ?? {}, ['repos', 'allowed']),
-        pathValue(recordChildValue(assignment.route_snapshot, 'workflow_authority_contract') ?? {}, [
-            'repos',
-            'allowed',
-        ]),
-        pathValue(recordChildValue(assignment.execution_profile_snapshot, 'workflow_authority_contract') ?? {}, ['repos', 'allowed']),
-        pathValue(recordChildValue(assignment.workflow_snapshot, 'workflow_authority_contract') ?? {}, [
-            'repos',
-            'allowed',
-        ]),
-        pathValue(recordChildValue(assignment.runner_workspace_snapshot, 'workflow_authority_contract') ?? {}, ['repos', 'allowed']),
-    ];
+    const candidates = assignmentWorkflowAuthorityContracts(assignment).map((contract) => pathValue(contract, ['repos', 'allowed']));
     return [
         ...new Set(candidates
             .flatMap((value) => (Array.isArray(value) ? value : []))
@@ -1061,20 +1145,47 @@ function decryptRunnerWrappedSecret(keyPair, wrapped) {
     }, Buffer.from(ciphertext, 'base64')).toString('utf8');
 }
 function collectCredentialHandles(assignment) {
-    const snapshots = [assignment.execution_profile_snapshot, assignment.workflow_snapshot].filter(isRecord);
+    const snapshots = [
+        assignmentTargetSnapshot(assignment),
+        assignmentExecutionProfileSnapshot(assignment),
+        assignmentWorkflowSnapshot(assignment),
+        yamlSnapshotDocument(assignment),
+    ].filter(isRecord);
     const handles = new Set();
     for (const snapshot of snapshots) {
         for (const handle of [
             ...credentialRefsFrom(pathValue(snapshot, ['credentials', 'include'])),
             ...credentialRefsFrom(pathValue(snapshot, ['credentials', 'repo_checkout'])),
             ...credentialRefsFrom(pathValue(snapshot, ['credentials', 'mcp_api'])),
+            ...credentialRefsFromCredentialMap(snapshot['credentials']),
             ...credentialRefsFrom(snapshot['credential_refs']),
+            ...actionCredentialRefs(snapshot['nodes']),
         ]) {
             handles.add(handle);
         }
     }
+    for (const contract of assignmentWorkflowAuthorityContracts(assignment)) {
+        for (const handle of credentialRefsFrom(pathValue(asRecord(contract), ['credentials', 'provider_actions']))) {
+            handles.add(handle);
+        }
+    }
     return [...handles].sort();
 }
+function credentialRefsFromCredentialMap(entries) {
+    if (!isRecord(entries))
+        return [];
+    return Object.values(entries).flatMap((entry) => {
+        if (!isRecord(entry))
+            return [];
+        const mode = stringField(entry, 'mode') ?? stringField(entry, 'storage_posture');
+        if (mode && !['viewport_brokered', 'viewport_managed'].includes(mode))
+            return [];
+        const handle = stringField(entry, 'handle') ??
+            stringField(entry, 'ref') ??
+            stringField(entry, 'credential_ref');
+        return handle ? [handle] : [];
+    });
+}
 function credentialRefsFrom(entries) {
     return credentialEntriesFrom(entries).flatMap((entry) => {
         if (typeof entry === 'string' && entry.trim() !== '')
@@ -1092,6 +1203,59 @@ function credentialRefsFrom(entries) {
 function credentialEntriesFrom(entries) {
     return Array.isArray(entries) ? entries : [];
 }
+function actionCredentialRefs(nodes) {
+    if (!isRecord(nodes))
+        return [];
+    return Object.values(nodes).flatMap((node) => {
+        if (!isRecord(node) || stringField(node, 'type') !== 'action')
+            return [];
+        const withValue = isRecord(node['with']) ? node['with'] : {};
+        const credentialRef = stringField(withValue, 'credential_ref') ?? stringField(withValue, 'credentialRef');
+        return credentialRef ? [credentialRef] : [];
+    });
+}
+function repositoryFromActionCredentialRef(assignment, handle) {
+    const workflow = yamlSnapshotDocument(assignment);
+    const nodes = isRecord(workflow) ? workflow['nodes'] : undefined;
+    if (!isRecord(nodes))
+        return null;
+    for (const node of Object.values(nodes)) {
+        if (!isRecord(node) || stringField(node, 'type') !== 'action')
+            continue;
+        const withValue = isRecord(node['with']) ? node['with'] : {};
+        const credentialRef = stringField(withValue, 'credential_ref') ?? stringField(withValue, 'credentialRef');
+        if (credentialRef !== handle)
+            continue;
+        const repository = stringField(withValue, 'repository') ?? stringField(withValue, 'repo');
+        const rendered = renderCredentialTemplate(repository, assignment);
+        if (rendered)
+            return rendered;
+    }
+    return null;
+}
+function renderCredentialTemplate(value, assignment) {
+    if (!value)
+        return null;
+    const inputs = isRecord(assignment.input_snapshot) ? assignment.input_snapshot : {};
+    const rendered = value.replace(/\{\{\s*inputs\.([A-Za-z0-9_]+)\s*\}\}/g, (_match, key) => {
+        const input = inputs[key];
+        return typeof input === 'string' || typeof input === 'number' || typeof input === 'boolean'
+            ? String(input)
+            : '';
+    });
+    const trimmed = rendered.trim();
+    return trimmed === '' || trimmed.includes('{{') ? null : trimmed;
+}
+function yamlSnapshotDocument(assignment) {
+    if (!assignment.yaml_snapshot)
+        return null;
+    try {
+        return YAML.parse(assignment.yaml_snapshot);
+    }
+    catch {
+        return null;
+    }
+}
 function asRecord(value) {
     return isRecord(value) ? value : {};
 }
@@ -1125,6 +1289,13 @@ async function waitForApprovalAndResume(options, platformRunId, localRunId, assi
     while (true) {
         await heartbeat(options, 'online', 'busy');
         const assignment = await getAssignment(options, platformRunId, assignmentClaimToken);
+        const commandRun = await applyBrokerActionCompletedCommands(options, platformRunId, assignment, localRunId, assignmentClaimToken);
+        if (commandRun) {
+            if (commandRun.status !== 'blocked')
+                return commandRun;
+            await delay(options.commandSleepSeconds * 1000);
+            continue;
+        }
         const approved = await approvedNodeForAssignment(options, platformRunId, assignmentClaimToken, localRunId);
         if (approved) {
             const resumed = await resumeApprovedLocalRun(options, platformRunId, localRunId, approved, assignmentClaimToken);
@@ -1156,9 +1327,39 @@ async function waitForApprovalAndResume(options, platformRunId, localRunId, assi
             await syncLocalRun(options, platformRunId, run, assignmentClaimToken);
             return run;
         }
+        const current = await readExistingLocalRun(localRunId);
+        if (current) {
+            await syncLocalRun(options, platformRunId, current, assignmentClaimToken);
+        }
         await delay(options.commandSleepSeconds * 1000);
     }
 }
+async function applyBrokerActionCompletedCommands(options, platformRunId, assignment, localRunId, assignmentClaimToken) {
+    const localRun = await readExistingLocalRun(localRunId);
+    const commands = (assignment.runtime_commands ?? []).filter((command) => command['type'] === 'workflow.action_completed' &&
+        !brokerActionCommandAlreadyApplied(localRun, command));
+    if (commands.length === 0)
+        return null;
+    const response = await daemonJson('POST', `/api/workflows/runs/${encodeURIComponent(localRunId)}/runtime-commands`, { runtime_commands: commands });
+    const run = readRun(response);
+    await syncLocalRun(options, platformRunId, run, assignmentClaimToken);
+    if (terminalRunStatus(run.status)) {
+        clearRunCredentialMaterial(platformRunId);
+    }
+    return run;
+}
+function brokerActionCommandAlreadyApplied(run, command) {
+    const nodeKey = stringValue(command['workflow_node_id']);
+    if (!nodeKey)
+        return false;
+    const node = run?.nodes?.[nodeKey];
+    if (!node || node.status !== 'completed')
+        return false;
+    const receipt = recordValue(node.metadata?.['executionReceipt']);
+    const receiptKey = stringValue(receipt?.['receipt_key']);
+    const commandReceiptKey = stringValue(command['receipt_key']);
+    return Boolean(receiptKey && commandReceiptKey && receiptKey === commandReceiptKey);
+}
 const alreadyResolvedApprovalRuns = new WeakSet();
 async function approvedNodeForAssignment(options, platformRunId, assignmentClaimToken, localRunId) {
     const assignment = await getAssignment(options, platformRunId, assignmentClaimToken);
@@ -1219,6 +1420,18 @@ function blockedNodeIds(run) {
         .map((node) => node.id));
 }
 async function resumeApprovedLocalRun(options, platformRunId, localRunId, approved, assignmentClaimToken) {
+    const assignment = await getAssignment(options, platformRunId, assignmentClaimToken);
+    const localRun = await readExistingLocalRun(localRunId);
+    const materialAssignment = localRun
+        ? assignmentWithLocalRunSnapshot(assignment, localRun, assignmentClaimToken)
+        : {
+            ...assignment,
+            assignment_claim_token: assignment.assignment_claim_token ?? assignmentClaimToken ?? null,
+        };
+    const cachedMaterial = runCredentialMaterialCache.get(platformRunId);
+    const material = cachedMaterial && hasRuntimeSecrets(cachedMaterial)
+        ? cachedMaterial
+        : await materializeAndCacheRunCredentials(options, materialAssignment);
     try {
         await daemonJson('POST', `/api/workflows/runs/${encodeURIComponent(localRunId)}/approvals/${encodeURIComponent(approved.node_key)}`, {
             approved: managedApprovalApproved(approved),
@@ -1228,6 +1441,8 @@ async function resumeApprovedLocalRun(options, platformRunId, localRunId, approv
             expectedActionDigest: approvalExpectedActionDigest(approved),
             executionGrant: approvalExecutionGrant(approved),
             feedback: approvalFeedback(approved),
+            runtimeSecretEnv: material.runtimeSecretEnv,
+            runtimeSecretFiles: material.runtimeSecretFiles,
         });
     }
     catch (error) {
@@ -1244,14 +1459,75 @@ async function resumeApprovedLocalRun(options, platformRunId, localRunId, approv
         await syncLocalRun(options, platformRunId, run, assignmentClaimToken);
     }, progressSyncEveryMs(options.leaseSeconds));
     await syncLocalRun(options, platformRunId, resumed, assignmentClaimToken);
+    if (terminalRunStatus(resumed.status)) {
+        clearRunCredentialMaterial(platformRunId);
+    }
     return resumed;
 }
+function hasRuntimeSecrets(material) {
+    return Object.keys(material.runtimeSecretEnv).length > 0;
+}
+function assignmentWithLocalRunSnapshot(assignment, localRun, assignmentClaimToken) {
+    return {
+        ...assignment,
+        assignment_claim_token: assignment.assignment_claim_token ?? assignmentClaimToken ?? null,
+        yaml_snapshot: localRun.yamlSnapshot || assignment.yaml_snapshot,
+        directory_path: localRun.directoryPath || assignment.directory_path,
+        input_snapshot: localRun.inputs ?? assignment.input_snapshot,
+        resource_manifest: localRun.resourceManifest ?? assignmentResourceManifest(assignment),
+        workflow_authority_contract: localRun.workflowAuthorityContract ??
+            assignmentWorkflowAuthorityContract(assignment) ??
+            undefined,
+    };
+}
+function assignmentTargetSnapshot(assignment) {
+    return assignment.target_snapshot ?? assignment.targetSnapshot ?? null;
+}
+function assignmentRouteSnapshot(assignment) {
+    return assignment.route_snapshot ?? assignment.routeSnapshot ?? null;
+}
+function assignmentExecutionProfileSnapshot(assignment) {
+    return assignment.execution_profile_snapshot ?? assignment.executionProfileSnapshot ?? null;
+}
+function assignmentWorkflowSnapshot(assignment) {
+    return assignment.workflow_snapshot ?? assignment.workflowSnapshot ?? null;
+}
+function assignmentRunnerWorkspaceSnapshot(assignment) {
+    return assignment.runner_workspace_snapshot ?? assignment.runnerWorkspaceSnapshot ?? null;
+}
+function assignmentResourceManifest(assignment) {
+    return assignment.resource_manifest ?? assignment.resourceManifest ?? null;
+}
+function assignmentContextReceiptsSnapshot(assignment) {
+    return assignment.context_receipts_snapshot ?? assignment.contextReceiptsSnapshot ?? null;
+}
+function assignmentWorkflowAuthorityContract(assignment) {
+    return assignmentWorkflowAuthorityContracts(assignment)[0] ?? null;
+}
+function assignmentWorkflowAuthorityContracts(assignment) {
+    return [
+        assignment.workflow_authority_contract ?? null,
+        assignment.workflowAuthorityContract ?? null,
+        recordChildValue(assignmentTargetSnapshot(assignment), 'workflow_authority_contract'),
+        recordChildValue(assignmentTargetSnapshot(assignment), 'workflowAuthorityContract'),
+        recordChildValue(assignmentRouteSnapshot(assignment), 'workflow_authority_contract'),
+        recordChildValue(assignmentRouteSnapshot(assignment), 'workflowAuthorityContract'),
+        recordChildValue(assignmentExecutionProfileSnapshot(assignment), 'workflow_authority_contract'),
+        recordChildValue(assignmentExecutionProfileSnapshot(assignment), 'workflowAuthorityContract'),
+        recordChildValue(assignmentWorkflowSnapshot(assignment), 'workflow_authority_contract'),
+        recordChildValue(assignmentWorkflowSnapshot(assignment), 'workflowAuthorityContract'),
+        recordChildValue(assignmentRunnerWorkspaceSnapshot(assignment), 'workflow_authority_contract'),
+        recordChildValue(assignmentRunnerWorkspaceSnapshot(assignment), 'workflowAuthorityContract'),
+        recordChildValue(recordChildValue(asRecord(assignment.input_snapshot), 'viewport'), 'workflow_authority_contract'),
+        recordChildValue(recordChildValue(asRecord(assignment.input_snapshot), 'viewport'), 'workflowAuthorityContract'),
+    ].filter(isRecord);
+}
 function isAlreadyResolvedApprovalError(error) {
     const message = error instanceof Error ? error.message : String(error);
     return message.includes('Workflow node is not awaiting approval');
 }
 function isResolvedManagedGateNode(node) {
-    if (!['approval', 'gate', 'plan', 'action'].includes(String(node.type ?? '')))
+    if (!['approval', 'gate', 'plan'].includes(String(node.type ?? '')))
         return false;
     if (node.status === 'completed')
         return true;
@@ -1263,11 +1539,7 @@ function isResolvedManagedGateNode(node) {
         'approved' in approval) {
         return true;
     }
-    if (node.type !== 'action' || node.status !== 'queued')
-        return false;
-    return (!!approval &&
-        typeof approval === 'object' &&
-        approval.approved === true);
+    return false;
 }
 function managedApprovalApproved(node) {
     const approval = node.metadata?.['approval'];
@@ -1291,11 +1563,23 @@ function managedApprovalDecision(node) {
 }
 async function getAssignment(options, platformRunId, assignmentClaimToken) {
     const body = await platformJson(options, 'GET', `workflow-runs/${encodeURIComponent(platformRunId)}`, undefined, assignmentClaimToken);
-    return dataFrom(body);
+    return assignmentFrom(body);
 }
 async function syncLocalRun(options, platformRunId, run, assignmentClaimToken) {
     const body = await platformJson(options, 'PATCH', `workflow-runs/${encodeURIComponent(platformRunId)}/sync`, localRunToSyncPayload(run, { includeApprovalDecisions: false }), assignmentClaimToken);
-    return dataFrom(body);
+    return assignmentFrom(body);
+}
+function assignmentFrom(body) {
+    const data = dataFrom(body);
+    if (!isRecord(data))
+        return data;
+    if (isRecord(body) && Array.isArray(body['runtime_commands'])) {
+        return {
+            ...data,
+            runtime_commands: body['runtime_commands'],
+        };
+    }
+    return data;
 }
 async function ensureDirectory(directoryPath) {
     const resolvedPath = path.resolve(directoryPath);