@xemahq/kernel-contracts 0.22.2 → 0.23.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/agent-workspace/awp-spec.json +0 -1
- package/dist/agent-workspace/lib/workspace-layout.d.ts.map +1 -1
- package/dist/agent-workspace/lib/workspace-layout.js.map +1 -1
- package/dist/biome/lib/biome-manifest.d.ts +0 -8
- package/dist/biome/lib/biome-manifest.d.ts.map +1 -1
- package/dist/biome/lib/biome-manifest.js +4 -50
- package/dist/biome/lib/biome-manifest.js.map +1 -1
- package/dist/capability/lib/errors.d.ts.map +1 -1
- package/dist/capability/lib/errors.js.map +1 -1
- package/dist/capability/lib/meta-tool.d.ts.map +1 -1
- package/dist/capability/lib/meta-tool.js.map +1 -1
- package/dist/connector/index.d.ts +2 -0
- package/dist/connector/index.d.ts.map +1 -1
- package/dist/connector/index.js +2 -0
- package/dist/connector/index.js.map +1 -1
- package/dist/connector/lib/connector-descriptor.d.ts +13 -0
- package/dist/connector/lib/connector-descriptor.d.ts.map +1 -0
- package/dist/connector/lib/connector-descriptor.js +3 -0
- package/dist/connector/lib/connector-descriptor.js.map +1 -0
- package/dist/connector/lib/credential-kind.d.ts.map +1 -1
- package/dist/connector/lib/credential-kind.js.map +1 -1
- package/dist/connector/lib/filter-expr.js +6 -0
- package/dist/connector/lib/filter-expr.js.map +1 -1
- package/dist/connector/lib/provider-descriptor.d.ts +37 -0
- package/dist/connector/lib/provider-descriptor.d.ts.map +1 -0
- package/dist/connector/lib/provider-descriptor.js +26 -0
- package/dist/connector/lib/provider-descriptor.js.map +1 -0
- package/dist/contribution/lib/contribution-kind.d.ts.map +1 -1
- package/dist/contribution/lib/contribution-kind.js.map +1 -1
- package/dist/contribution/lib/contribution-source.d.ts.map +1 -1
- package/dist/contribution/lib/contribution-source.js.map +1 -1
- package/dist/contribution/lib/contribution.d.ts.map +1 -1
- package/dist/contribution/lib/contribution.js.map +1 -1
- package/dist/document-render/lib/render-enums.d.ts.map +1 -1
- package/dist/document-render/lib/render-enums.js.map +1 -1
- package/dist/execution-context/lib/execution-context.d.ts.map +1 -1
- package/dist/execution-context/lib/execution-context.js.map +1 -1
- package/dist/execution-environment/lib/built-in-environments.d.ts.map +1 -1
- package/dist/execution-environment/lib/built-in-environments.js.map +1 -1
- package/dist/execution-environment/lib/execution-environment.d.ts.map +1 -1
- package/dist/execution-environment/lib/execution-environment.js +1 -1
- package/dist/execution-environment/lib/execution-environment.js.map +1 -1
- package/dist/inquiry/index.d.ts.map +1 -1
- package/dist/inquiry/index.js.map +1 -1
- package/dist/object/lib/object-lifecycle.d.ts.map +1 -1
- package/dist/object/lib/object-lifecycle.js.map +1 -1
- package/dist/policy/lib/obligations.d.ts.map +1 -1
- package/dist/policy/lib/obligations.js.map +1 -1
- package/dist/policy/lib/policy.d.ts +2 -1
- package/dist/policy/lib/policy.d.ts.map +1 -1
- package/dist/policy/lib/policy.js +1 -0
- package/dist/policy/lib/policy.js.map +1 -1
- package/dist/runner/lib/runner-registration.d.ts.map +1 -1
- package/dist/runner/lib/runner-registration.js.map +1 -1
- package/dist/service-registry/lib/service-names.generated.d.ts.map +1 -1
- package/dist/service-registry/lib/service-names.generated.js.map +1 -1
- package/dist/space/lib/space.d.ts.map +1 -1
- package/dist/space/lib/space.js.map +1 -1
- package/dist/workflow/index.d.ts.map +1 -1
- package/dist/workflow/index.js.map +1 -1
- package/dist/workflow/lib/activity-outputs.d.ts.map +1 -1
- package/package.json +28 -19
- package/src/agent-composition/lib/agent-workspace-config.ts +3 -3
- package/src/agent-composition/lib/capability-layer.ts +2 -2
- package/src/agent-composition/lib/intrinsic-floor.ts +1 -1
- package/src/agent-session/lib/participant.ts +1 -1
- package/src/agent-workspace/lib/context-json.ts +1 -1
- package/src/agent-workspace/lib/mount-apply.ts +2 -2
- package/src/agent-workspace/lib/workspace-layout.ts +2 -4
- package/src/app-runtime/lib/app-client.ts +1 -1
- package/src/app-runtime/lib/app-lockfile.ts +2 -2
- package/src/app-runtime/lib/app.ts +4 -4
- package/src/app-runtime/lib/audience-policy.ts +2 -2
- package/src/app-runtime/lib/biome-install.ts +3 -3
- package/src/app-runtime/lib/branding-config.ts +1 -1
- package/src/app-runtime/lib/delegated-session.ts +1 -1
- package/src/app-runtime/lib/external-subject.ts +1 -1
- package/src/biome/lib/biome-capability-refs.ts +3 -3
- package/src/biome/lib/biome-engines.ts +2 -2
- package/src/biome/lib/biome-lifecycle-hooks.ts +1 -1
- package/src/biome/lib/biome-lifecycle.ts +3 -3
- package/src/biome/lib/biome-manifest.ts +68 -122
- package/src/biome/lib/biome-permissions.ts +2 -2
- package/src/biome/lib/biome-scope.ts +2 -2
- package/src/biome/lib/biome-trust-tier.ts +1 -1
- package/src/biome/lib/trust-tier-policies.ts +2 -2
- package/src/biome-availability/lib/biome-availability.ts +1 -1
- package/src/capability/lib/capability-contribution.ts +3 -3
- package/src/capability/lib/capability-grant.ts +5 -5
- package/src/capability/lib/capability-policy.ts +2 -2
- package/src/capability/lib/capability-ref.ts +4 -4
- package/src/capability/lib/errors.ts +4 -10
- package/src/capability/lib/meta-tool.ts +2 -5
- package/src/capability/lib/permission-profile.ts +7 -7
- package/src/capability/lib/shell-command-descriptor.ts +3 -3
- package/src/connector/index.ts +2 -0
- package/src/connector/lib/adapter-kind.ts +1 -1
- package/src/connector/lib/capability-refs.ts +1 -1
- package/src/connector/lib/connector-descriptor.ts +67 -0
- package/src/connector/lib/credential-kind.ts +3 -4
- package/src/connector/lib/envelope-schema.ts +2 -2
- package/src/connector/lib/filter-expr-validate.ts +1 -1
- package/src/connector/lib/filter-expr.ts +8 -0
- package/src/connector/lib/provider-descriptor.ts +181 -0
- package/src/contribution/lib/contribution-kind.ts +11 -12
- package/src/contribution/lib/contribution-source.ts +1 -2
- package/src/contribution/lib/contribution.ts +3 -6
- package/src/document-render/lib/render-enums.ts +1 -2
- package/src/execution-context/lib/caller.ts +2 -2
- package/src/execution-context/lib/execution-context.ts +12 -18
- package/src/execution-environment/lib/approval-rule.ts +2 -2
- package/src/execution-environment/lib/built-in-environments.ts +9 -11
- package/src/execution-environment/lib/execution-environment.ts +25 -26
- package/src/inquiry/index.ts +1 -2
- package/src/invocation/lib/invocation-mode.ts +1 -1
- package/src/invocation/lib/invocation-record.ts +1 -1
- package/src/invocation/lib/isolation-level.ts +1 -1
- package/src/kernel-state/lib/adapter-kind.ts +3 -3
- package/src/kernel-state/lib/kernel-state.ts +1 -1
- package/src/kernel-state/lib/key-grammar.ts +1 -1
- package/src/mcp-tool/lib/tool-selection.ts +1 -1
- package/src/object/lib/object-lifecycle.ts +1 -2
- package/src/object/lib/xema-object-kind.ts +1 -1
- package/src/object/lib/xema-object-ref.ts +2 -2
- package/src/org-database/lib/db-result-event.ts +3 -3
- package/src/policy/lib/obligations.ts +5 -6
- package/src/policy/lib/policy.ts +17 -8
- package/src/policy/lib/route-hints.ts +1 -1
- package/src/provisioning/index.ts +1 -1
- package/src/provisioning/lib/provisioning.ts +4 -4
- package/src/resource/lib/resource-ownership-contribution.ts +2 -2
- package/src/runner/lib/dispatch.ts +5 -5
- package/src/runner/lib/job-token.ts +2 -2
- package/src/runner/lib/runner-attestation.ts +2 -2
- package/src/runner/lib/runner-job.ts +2 -2
- package/src/runner/lib/runner-mode.ts +1 -1
- package/src/runner/lib/runner-plane.ts +2 -2
- package/src/runner/lib/runner-registration.ts +9 -10
- package/src/runner/lib/runner.ts +7 -7
- package/src/runner-input-hash/lib/input-hash.ts +2 -2
- package/src/service-registry/lib/service-descriptor.ts +1 -1
- package/src/service-registry/lib/service-names.generated.ts +1 -3
- package/src/space/lib/space-ref-parser.ts +1 -1
- package/src/space/lib/space.ts +4 -5
- package/src/widget/lib/chat-widget-envelope.ts +1 -1
- package/src/worker-runtime/lib/capabilities.ts +1 -1
- package/src/workflow/index.ts +2 -3
- package/src/workflow/lib/activity-outputs.ts +3 -4
- package/src/workflow/lib/agent-role.ts +5 -5
- package/src/workflow/lib/artifact-ref.ts +1 -1
- package/src/workflow/lib/compiled-run.ts +2 -2
- package/src/workflow/lib/compiled-workspace-manifest.ts +2 -2
- package/src/workflow/lib/enums.ts +4 -4
- package/src/workflow/lib/errors.ts +1 -1
- package/src/workflow/lib/model-ref.ts +1 -1
- package/src/workflow/lib/mount-plan.ts +1 -1
- package/src/workflow/lib/platform-task-queue.ts +3 -3
- package/src/workflow/lib/role-capability.ts +1 -1
- package/src/workflow/lib/run-progress.ts +2 -2
- package/src/workflow/lib/trigger-payload.ts +2 -2
- package/src/workflow/lib/variable-requirement.ts +1 -1
- package/src/workflow/lib/workspace-manifest-enums.ts +1 -1
- package/src/workspace-storage/lib/types.ts +1 -1
- package/LICENSE +0 -176
|
@@ -3,13 +3,12 @@ import { z } from 'zod';
|
|
|
3
3
|
/**
|
|
4
4
|
* Closed set of built-in Execution Environment kinds.
|
|
5
5
|
*
|
|
6
|
-
*
|
|
7
|
-
*
|
|
8
|
-
*
|
|
9
|
-
* hatch).
|
|
6
|
+
* There are eight built-in environments that cover every story we have
|
|
7
|
+
* today, plus the `trusted-dev` environment — the developer escape
|
|
8
|
+
* hatch.
|
|
10
9
|
*
|
|
11
10
|
* v1 ships ONLY these built-ins; custom environments are an explicit v2
|
|
12
|
-
* extension
|
|
11
|
+
* extension. The downstream `ExecutionEnvironment.scope` type
|
|
13
12
|
* intentionally widens to `ExecutionEnvironmentKind | string` for future-
|
|
14
13
|
* proofing, but at v1 the only legal scope values are members of this
|
|
15
14
|
* enum — see `isExecutionEnvironmentKind`.
|
|
@@ -40,7 +39,7 @@ export enum ExecutionEnvironmentKind {
|
|
|
40
39
|
/** Biome inspected for publication; no real org data access. */
|
|
41
40
|
StoreReview = 'store-review',
|
|
42
41
|
/**
|
|
43
|
-
* Local-dev / personal-sandbox environment
|
|
42
|
+
* Local-dev / personal-sandbox environment. Inside it the
|
|
44
43
|
* Capability Gateway grants every capability the biome *declared* in
|
|
45
44
|
* its manifest, no resource glob, no rate limit, no human approval.
|
|
46
45
|
* Audit-log still records every call so devs can inspect what their
|
|
@@ -55,12 +54,11 @@ export const ExecutionEnvironmentKindSchema = z.nativeEnum(ExecutionEnvironmentK
|
|
|
55
54
|
|
|
56
55
|
/**
|
|
57
56
|
* Stable, ordered list of every built-in environment slug. Seeded at
|
|
58
|
-
* boot by `authorization-api` / `object-registry-api
|
|
59
|
-
* step 1.
|
|
57
|
+
* boot by `authorization-api` / `object-registry-api`.
|
|
60
58
|
*
|
|
61
59
|
* Ordering is intentional (system → org → project → app → session →
|
|
62
|
-
* sandbox → public → store-review → trusted-dev)
|
|
63
|
-
*
|
|
60
|
+
* sandbox → public → store-review → trusted-dev) — the built-in
|
|
61
|
+
* environments followed by the dev escape hatch. Do not reorder
|
|
64
62
|
* without a coordinated migration of any consumer that relies on
|
|
65
63
|
* positional iteration.
|
|
66
64
|
*/
|
|
@@ -79,7 +77,7 @@ export const BUILT_IN_ENVIRONMENT_SLUGS: readonly ExecutionEnvironmentKind[] = [
|
|
|
79
77
|
/**
|
|
80
78
|
* Narrowing guard: returns `true` iff `slug` is one of the built-in
|
|
81
79
|
* environment slugs. Used by `ExecutionEnvironmentSchema` and the
|
|
82
|
-
* authorization-api to refuse custom-scoped environments at v1 (
|
|
80
|
+
* authorization-api to refuse custom-scoped environments at v1 (a
|
|
83
81
|
* non-goal).
|
|
84
82
|
*/
|
|
85
83
|
export function isExecutionEnvironmentKind(
|
|
@@ -13,7 +13,7 @@ import {
|
|
|
13
13
|
import { ApprovalRuleSchema, type ApprovalRule } from './approval-rule';
|
|
14
14
|
|
|
15
15
|
/**
|
|
16
|
-
* Canonical Execution Environment Reference grammar
|
|
16
|
+
* Canonical Execution Environment Reference grammar:
|
|
17
17
|
*
|
|
18
18
|
* `environment:<slug>`
|
|
19
19
|
*
|
|
@@ -22,7 +22,7 @@ import { ApprovalRuleSchema, type ApprovalRule } from './approval-rule';
|
|
|
22
22
|
* silently absorb a free-form string.
|
|
23
23
|
*
|
|
24
24
|
* v1 only mints refs whose slug is an `ExecutionEnvironmentKind` value
|
|
25
|
-
* (
|
|
25
|
+
* (custom environments are forbidden at v1). The type still validates the
|
|
26
26
|
* *grammar* — semantic "built-in-only" enforcement lives one layer up
|
|
27
27
|
* in `authorization-api`, which calls
|
|
28
28
|
* `isExecutionEnvironmentKind(parseEnvironmentRef(ref).slug)`.
|
|
@@ -127,8 +127,8 @@ export const BUILT_IN_ENVIRONMENT_REFS: Record<
|
|
|
127
127
|
);
|
|
128
128
|
|
|
129
129
|
/**
|
|
130
|
-
* Runtime budget caps the environment advertises to the gateway
|
|
131
|
-
* `ExecutionEnvironment.runtimeLimits`). All fields are optional — omitted means
|
|
130
|
+
* Runtime budget caps the environment advertises to the gateway
|
|
131
|
+
* (`ExecutionEnvironment.runtimeLimits`). All fields are optional — omitted means
|
|
132
132
|
* "no cap from the environment", but the gateway may still apply org- or
|
|
133
133
|
* grant-level caps. None of these fields fall back to a hidden default.
|
|
134
134
|
*/
|
|
@@ -147,13 +147,13 @@ export const RuntimeLimitsSchema = z.object({
|
|
|
147
147
|
}) as z.ZodType<RuntimeLimits>;
|
|
148
148
|
|
|
149
149
|
/**
|
|
150
|
-
* Allow-list of knowledge scope refs reachable from this environment
|
|
151
|
-
* `ExecutionEnvironment.allowedKnowledgeScopes`).
|
|
150
|
+
* Allow-list of knowledge scope refs reachable from this environment
|
|
151
|
+
* (`ExecutionEnvironment.allowedKnowledgeScopes`).
|
|
152
152
|
*
|
|
153
153
|
* v1 keeps the shape minimal — the ref string is sufficient for the
|
|
154
|
-
* sandbox→prod boundary check
|
|
155
|
-
* sub-schemas (e.g. spaces, page subtrees, redaction rules) are
|
|
156
|
-
*
|
|
154
|
+
* planned sandbox→prod boundary check. Detailed per-scope
|
|
155
|
+
* sub-schemas (e.g. spaces, page subtrees, redaction rules) are deferred
|
|
156
|
+
* to a later phase.
|
|
157
157
|
*/
|
|
158
158
|
export interface KnowledgePolicy {
|
|
159
159
|
allowedRefs: readonly string[];
|
|
@@ -164,13 +164,13 @@ export const KnowledgePolicySchema = z.object({
|
|
|
164
164
|
}) as z.ZodType<KnowledgePolicy>;
|
|
165
165
|
|
|
166
166
|
/**
|
|
167
|
-
* Allow-list of connector binding refs reachable from this environment
|
|
168
|
-
* `ExecutionEnvironment.allowedConnectors`).
|
|
167
|
+
* Allow-list of connector binding refs reachable from this environment
|
|
168
|
+
* (`ExecutionEnvironment.allowedConnectors`).
|
|
169
169
|
*
|
|
170
170
|
* v1 keeps the shape minimal — the ref string is sufficient for the
|
|
171
|
-
* sandbox→prod boundary check
|
|
171
|
+
* planned sandbox→prod boundary check. Per-connector
|
|
172
172
|
* permission detail (per-repo globs, per-tracker projects, etc.) is
|
|
173
|
-
*
|
|
173
|
+
* deferred to a later phase.
|
|
174
174
|
*/
|
|
175
175
|
export interface ConnectorPolicy {
|
|
176
176
|
allowedRefs: readonly string[];
|
|
@@ -181,13 +181,13 @@ export const ConnectorPolicySchema = z.object({
|
|
|
181
181
|
}) as z.ZodType<ConnectorPolicy>;
|
|
182
182
|
|
|
183
183
|
/**
|
|
184
|
-
* Allow-list of biome refs that may run inside this environment
|
|
185
|
-
* `ExecutionEnvironment.allowedBiomes`).
|
|
184
|
+
* Allow-list of biome refs that may run inside this environment
|
|
185
|
+
* (`ExecutionEnvironment.allowedBiomes`).
|
|
186
186
|
*
|
|
187
187
|
* v1 keeps the shape minimal — the ref string is sufficient for the
|
|
188
|
-
* built-in-environment install policy
|
|
189
|
-
* stage restrictions (draft / published / archived) are
|
|
190
|
-
*
|
|
188
|
+
* planned built-in-environment install policy. Lifecycle-
|
|
189
|
+
* stage restrictions (draft / published / archived) are deferred to a
|
|
190
|
+
* later phase.
|
|
191
191
|
*/
|
|
192
192
|
export interface BiomePolicy {
|
|
193
193
|
allowedRefs: readonly string[];
|
|
@@ -198,13 +198,12 @@ export const BiomePolicySchema = z.object({
|
|
|
198
198
|
}) as z.ZodType<BiomePolicy>;
|
|
199
199
|
|
|
200
200
|
/**
|
|
201
|
-
* Allow-list of mount-source refs reachable from this environment
|
|
202
|
-
* `ExecutionEnvironment.allowedMounts`).
|
|
201
|
+
* Allow-list of mount-source refs reachable from this environment
|
|
202
|
+
* (`ExecutionEnvironment.allowedMounts`).
|
|
203
203
|
*
|
|
204
204
|
* v1 keeps the shape minimal — the ref string is sufficient for the
|
|
205
|
-
* XVFS read/write boundary check
|
|
206
|
-
* read/write splitting and path globs are
|
|
207
|
-
* companion plan.
|
|
205
|
+
* planned XVFS read/write boundary check. Per-mount
|
|
206
|
+
* read/write splitting and path globs are deferred to a later phase.
|
|
208
207
|
*/
|
|
209
208
|
export interface MountPolicy {
|
|
210
209
|
allowedRefs: readonly string[];
|
|
@@ -215,7 +214,7 @@ export const MountPolicySchema = z.object({
|
|
|
215
214
|
}) as z.ZodType<MountPolicy>;
|
|
216
215
|
|
|
217
216
|
/**
|
|
218
|
-
* `ExecutionEnvironment` — the canonical permission-plane object
|
|
217
|
+
* `ExecutionEnvironment` — the canonical permission-plane object.
|
|
219
218
|
*
|
|
220
219
|
* An environment declares the capability surface, knowledge/connector/biome/mount
|
|
221
220
|
* allow-lists, approval rules, and runtime budget that apply to every
|
|
@@ -232,7 +231,7 @@ export interface ExecutionEnvironment {
|
|
|
232
231
|
/**
|
|
233
232
|
* The environment's logical scope. v1 only accepts
|
|
234
233
|
* `ExecutionEnvironmentKind` slugs; the string-side of the union is
|
|
235
|
-
* reserved for v2 custom environments (
|
|
234
|
+
* reserved for v2 custom environments (a non-goal at v1).
|
|
236
235
|
*/
|
|
237
236
|
scope: ExecutionEnvironmentKind | string;
|
|
238
237
|
allowedCapabilities: CapabilityPolicy[];
|
|
@@ -250,7 +249,7 @@ export const ExecutionEnvironmentSchema = z.object({
|
|
|
250
249
|
(s) => isExecutionEnvironmentKind(s),
|
|
251
250
|
{
|
|
252
251
|
message:
|
|
253
|
-
'ExecutionEnvironment.scope must be an ExecutionEnvironmentKind slug at v1; custom environments are a v2 extension
|
|
252
|
+
'ExecutionEnvironment.scope must be an ExecutionEnvironmentKind slug at v1; custom environments are a v2 extension.',
|
|
254
253
|
},
|
|
255
254
|
),
|
|
256
255
|
allowedCapabilities: z.array(CapabilityPolicySchema),
|
package/src/inquiry/index.ts
CHANGED
|
@@ -6,8 +6,7 @@
|
|
|
6
6
|
// kind-specific schema, aggregate per a policy, return a verdict."
|
|
7
7
|
//
|
|
8
8
|
// Runtime-agnostic. Pure types + Zod schemas. Zero framework / persistence /
|
|
9
|
-
// workflow-runtime imports.
|
|
10
|
-
// .claude/plans/i-think-what-we-ve-transient-zebra.md.
|
|
9
|
+
// workflow-runtime imports.
|
|
11
10
|
//
|
|
12
11
|
// Per-kind prompt + reply Zod schemas live in their own contract packages
|
|
13
12
|
// (`@xemahq/decision-gate-contracts`, `@xemahq/agent-tool-inquiry-
|
|
@@ -7,7 +7,7 @@ import { z } from 'zod';
|
|
|
7
7
|
* hint a mode via `ExecutionRequirements.mode`, but policy may override it.
|
|
8
8
|
*
|
|
9
9
|
* - `Sync` — the caller holds the request open until the composition produces
|
|
10
|
-
* its root structured output. The smallest correct slice
|
|
10
|
+
* its root structured output. The smallest correct slice.
|
|
11
11
|
* - `Async` — the runtime returns immediately with a `Queued`/`Running`
|
|
12
12
|
* invocation; the caller polls the Invocation record for the terminal state.
|
|
13
13
|
* - `Event` — the runtime returns without an `output`; the result is delivered
|
|
@@ -11,7 +11,7 @@ import {
|
|
|
11
11
|
* per invocation. This is the source of truth for an invocation's lifecycle
|
|
12
12
|
* (never the underlying session).
|
|
13
13
|
*
|
|
14
|
-
* `inputRef`/`outputRef` are blob/JSON references (inline JSON
|
|
14
|
+
* `inputRef`/`outputRef` are blob/JSON references (inline JSON initially,
|
|
15
15
|
* artifact-store refs once payloads grow). Timestamps are ISO-8601 strings.
|
|
16
16
|
*/
|
|
17
17
|
export interface InvocationRecord {
|
|
@@ -7,7 +7,7 @@ import { z } from 'zod';
|
|
|
7
7
|
* default for mail (org+mailbox+emailThreadId): thread context is NEVER
|
|
8
8
|
* reused across unrelated emails.
|
|
9
9
|
* - `PooledThread` — reuse a warm thread within the same `threadKey` (a warm
|
|
10
|
-
* session-pool optimization; future
|
|
10
|
+
* session-pool optimization; a future step).
|
|
11
11
|
*
|
|
12
12
|
* Closed set on purpose — both levels are honored by the runtime's pool/thread
|
|
13
13
|
* management; adding a level is a coordinated kernel change.
|
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* KernelState adapter kinds
|
|
2
|
+
* KernelState adapter kinds.
|
|
3
3
|
*
|
|
4
|
-
* The
|
|
4
|
+
* The set is explicitly closed to TWO adapters. There is no
|
|
5
5
|
* Postgres adapter for KernelState; Postgres is reserved for service
|
|
6
6
|
* domain data. Two DB engines max in any deployment is a load-bearing
|
|
7
|
-
* invariant — do NOT extend this enum
|
|
7
|
+
* invariant — do NOT extend this enum.
|
|
8
8
|
*
|
|
9
9
|
* - `Sqlite` — file at `~/.xema/dev/kernel-state.sqlite` (dev) or
|
|
10
10
|
* `/var/lib/xema/kernel-state.sqlite` (single-instance). Advisory
|
|
@@ -11,7 +11,7 @@ import { ToolProviderKind, toolProviderKindSchema } from './provider-kind';
|
|
|
11
11
|
* or BiomeInstallation.id) depending on `providerKind`. Cross-org
|
|
12
12
|
* misuse is blocked at every layer (selection PATCH validation,
|
|
13
13
|
* resolver scope binding, bridge token scope, data-layer WHERE
|
|
14
|
-
* clauses)
|
|
14
|
+
* clauses).
|
|
15
15
|
*
|
|
16
16
|
* `toolName` is the canonical MCP tool name as exposed by the
|
|
17
17
|
* provider's `listTools` (NOT a slug; the value MCP clients invoke).
|
|
@@ -4,8 +4,7 @@ import { z } from 'zod';
|
|
|
4
4
|
* Lifecycle every versioned XemaObject moves through. Mirrors
|
|
5
5
|
* `AgentLifecycle` from `@xemahq/agent-composition-contracts` —
|
|
6
6
|
* the two enums MUST stay value-identical (one ownership model across
|
|
7
|
-
* the four primitives + every other XemaObject kind
|
|
8
|
-
* `.claude/rules/skills-and-composition.md`).
|
|
7
|
+
* the four primitives + every other XemaObject kind).
|
|
9
8
|
*
|
|
10
9
|
* - `Draft` — internal revision; never resolved, never installable,
|
|
11
10
|
* never referenced by a lockfile.
|
|
@@ -66,7 +66,7 @@ export enum XemaObjectKind {
|
|
|
66
66
|
// Contribution registry (self-referential)
|
|
67
67
|
ContributionEntry = 'contribution-entry',
|
|
68
68
|
|
|
69
|
-
// Concept registry — self-describing OS documentation objects
|
|
69
|
+
// Concept registry — self-describing OS documentation objects
|
|
70
70
|
Concept = 'concept',
|
|
71
71
|
}
|
|
72
72
|
|
|
@@ -3,8 +3,8 @@ import { SpaceRef, SpaceKind, spaceRefToPath } from '../../space';
|
|
|
3
3
|
import { XemaObjectKind, XemaObjectKindSchema } from './xema-object-kind';
|
|
4
4
|
|
|
5
5
|
/**
|
|
6
|
-
* Stable wire shape for every XemaObject address (XSI plane 1
|
|
7
|
-
*
|
|
6
|
+
* Stable wire shape for every XemaObject address (XSI plane 1). The
|
|
7
|
+
* grammar is:
|
|
8
8
|
*
|
|
9
9
|
* `xema://<scope-path>/<kind>/<slug>[@<version>]`
|
|
10
10
|
*
|
|
@@ -30,12 +30,12 @@ export interface DbColumnMeta {
|
|
|
30
30
|
|
|
31
31
|
/**
|
|
32
32
|
* Surface event payload emitted when the database explorer executes a SQL
|
|
33
|
-
* statement on behalf of an agent tool call.
|
|
33
|
+
* statement on behalf of an agent tool call.
|
|
34
34
|
*
|
|
35
35
|
* `rows` carries the actual row data — it MUST go to the frontend only and
|
|
36
36
|
* MUST never be passed back into LLM context. Producers route it through
|
|
37
|
-
* the agent-session SSE channel
|
|
38
|
-
* caller
|
|
37
|
+
* the agent-session SSE channel where available, or return it inline to the
|
|
38
|
+
* caller when no SSE bridge exists yet.
|
|
39
39
|
*
|
|
40
40
|
* `statement` is the SQL string the agent supplied. It is shown in the UI
|
|
41
41
|
* as a reference for the user; it is NOT a secret. Audit logs hash the
|
|
@@ -2,7 +2,7 @@ import { z } from 'zod';
|
|
|
2
2
|
import { DataClassificationSchema } from '../../space';
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
|
-
* Closed obligation taxonomy
|
|
5
|
+
* Closed obligation taxonomy.
|
|
6
6
|
*
|
|
7
7
|
* Every `PolicyObligation` carries one of these `kind` discriminants;
|
|
8
8
|
* the wire payload is a discriminated union (see `PolicyObligation`).
|
|
@@ -33,8 +33,7 @@ export const PolicyObligationKindSchema = z.nativeEnum(PolicyObligationKind);
|
|
|
33
33
|
|
|
34
34
|
/**
|
|
35
35
|
* Closed runner-kind set referenced by `PolicyObligation`
|
|
36
|
-
* (`require-runner-kind`) and by `RouteHint.preferredRunnerKind
|
|
37
|
-
* v4.3 §2 / §A.4).
|
|
36
|
+
* (`require-runner-kind`) and by `RouteHint.preferredRunnerKind`.
|
|
38
37
|
*
|
|
39
38
|
* This is the canonical `RunnerKind` — the policy decision layer is its
|
|
40
39
|
* primary author (policy selects on it to route an invocation), so it lives
|
|
@@ -50,7 +49,7 @@ export enum RunnerKind {
|
|
|
50
49
|
Sandbox = 'sandbox',
|
|
51
50
|
CI = 'ci',
|
|
52
51
|
/**
|
|
53
|
-
*
|
|
52
|
+
* External MCP server bridged through `mcp-gateway-api`'s
|
|
54
53
|
* external-bridge. The router resolves capability refs of the form
|
|
55
54
|
* `<provider-slug>:<tool-name>@1` to this runner kind, then forwards
|
|
56
55
|
* the invoke envelope to the bridge which translates back to an MCP
|
|
@@ -63,7 +62,7 @@ export const RunnerKindSchema = z.nativeEnum(RunnerKind);
|
|
|
63
62
|
|
|
64
63
|
/**
|
|
65
64
|
* Closed data-residency tag set referenced by `PolicyObligation`
|
|
66
|
-
* (`data-residency`)
|
|
65
|
+
* (`data-residency`).
|
|
67
66
|
*
|
|
68
67
|
* `customer-private` is the customer-edge tenancy class used when the
|
|
69
68
|
* org runs its own runner in a private network. Add new regions by
|
|
@@ -195,7 +194,7 @@ export type EgressAllowlistObligation = z.infer<
|
|
|
195
194
|
>;
|
|
196
195
|
|
|
197
196
|
/**
|
|
198
|
-
* `PolicyObligation` — closed discriminated union
|
|
197
|
+
* `PolicyObligation` — closed discriminated union.
|
|
199
198
|
*
|
|
200
199
|
* Producers MUST construct one of the typed variants above; consumers
|
|
201
200
|
* MUST switch on `kind` and handle every variant explicitly. The kernel
|
package/src/policy/lib/policy.ts
CHANGED
|
@@ -10,11 +10,11 @@ import {
|
|
|
10
10
|
import { RouteHintSchema, type RouteHint } from './route-hints';
|
|
11
11
|
|
|
12
12
|
/**
|
|
13
|
-
* Closed decision set
|
|
13
|
+
* Closed decision set.
|
|
14
14
|
*
|
|
15
15
|
* `needs_approval` is its own outcome — never collapsed into `allow`
|
|
16
16
|
* with an obligation; the router suspends the invocation when it sees
|
|
17
|
-
* this kind and emits `approval.requested.v1
|
|
17
|
+
* this kind and emits `approval.requested.v1`.
|
|
18
18
|
*/
|
|
19
19
|
export enum PolicyDecisionKind {
|
|
20
20
|
Allow = 'allow',
|
|
@@ -26,21 +26,30 @@ export const PolicyDecisionKindSchema = z.nativeEnum(PolicyDecisionKind);
|
|
|
26
26
|
|
|
27
27
|
/**
|
|
28
28
|
* Which precedence tier supplied the `credentialBindingId` on an `allow`
|
|
29
|
-
* decision
|
|
29
|
+
* decision. Closed set — the PDP applies a fixed
|
|
30
30
|
* priority ladder and records the winning tier so the Studio debugger (and
|
|
31
31
|
* audit) can explain WHY a given binding was selected, without re-deriving it.
|
|
32
32
|
*
|
|
33
33
|
* Priority, highest wins:
|
|
34
34
|
* `explicit` (a grant names the binding) > `capability_default`
|
|
35
35
|
* (the descriptor's `defaultCredentialBindingRef`) > `project_default` >
|
|
36
|
-
* `org_default
|
|
37
|
-
*
|
|
36
|
+
* `org_default` > `platform_default` (a deployment-wide default an org may
|
|
37
|
+
* override — the Provider–Credential framework's platform tier). No match ⇒
|
|
38
|
+
* the PDP emits NO binding and denies with `MISSING_CREDENTIAL_BINDING`
|
|
39
|
+
* (never a silent fallback).
|
|
38
40
|
*/
|
|
39
41
|
export enum CredentialPrecedenceSource {
|
|
40
42
|
Explicit = 'explicit',
|
|
41
43
|
CapabilityDefault = 'capability_default',
|
|
42
44
|
ProjectDefault = 'project_default',
|
|
43
45
|
OrgDefault = 'org_default',
|
|
46
|
+
/**
|
|
47
|
+
* A deployment-wide platform default provision (broadest tier, below org).
|
|
48
|
+
* An org-scoped default always overrides it. Used by `authorization-api`'s
|
|
49
|
+
* credential-precedence resolver once this kernel change is published +
|
|
50
|
+
* consumed.
|
|
51
|
+
*/
|
|
52
|
+
PlatformDefault = 'platform_default',
|
|
44
53
|
}
|
|
45
54
|
|
|
46
55
|
export const CredentialPrecedenceSourceSchema = z.nativeEnum(
|
|
@@ -49,7 +58,7 @@ export const CredentialPrecedenceSourceSchema = z.nativeEnum(
|
|
|
49
58
|
|
|
50
59
|
/**
|
|
51
60
|
* `PolicyRequest` — the input shape `authorization-api.policyCheck`
|
|
52
|
-
* accepts
|
|
61
|
+
* accepts.
|
|
53
62
|
*
|
|
54
63
|
* Currently a type alias for `ExecutionContext` because every field
|
|
55
64
|
* policy needs is already on the envelope. Kept as a separate name so a
|
|
@@ -63,7 +72,7 @@ export const PolicyRequestSchema: z.ZodType<PolicyRequest> =
|
|
|
63
72
|
|
|
64
73
|
/**
|
|
65
74
|
* `PolicyDecision` — the output shape `authorization-api.policyCheck`
|
|
66
|
-
* returns
|
|
75
|
+
* returns.
|
|
67
76
|
*
|
|
68
77
|
* `kind` is the verdict; `obligations` is a CLOSED discriminated union
|
|
69
78
|
* (see `PolicyObligation`); `routeHints` carries runner-selection
|
|
@@ -77,7 +86,7 @@ export interface PolicyDecision {
|
|
|
77
86
|
routeHints?: RouteHint;
|
|
78
87
|
/**
|
|
79
88
|
* The credential binding the executing gateway MUST use to resolve the
|
|
80
|
-
* external credential for this invocation
|
|
89
|
+
* external credential for this invocation. Present
|
|
81
90
|
* ONLY on an `allow` decision for a capability that declares an
|
|
82
91
|
* `externalServiceRef`. The PDP is the single authority that selects it via
|
|
83
92
|
* the deterministic precedence ladder; the router passes ONLY this opaque id
|
|
@@ -3,7 +3,7 @@ import { RunnerKind, RunnerKindSchema } from './obligations';
|
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
5
|
* `RouteHint` — runner-selection guidance emitted alongside a
|
|
6
|
-
* `PolicyDecision
|
|
6
|
+
* `PolicyDecision`.
|
|
7
7
|
*
|
|
8
8
|
* The capability router consults this AFTER policy returns `allow`, to
|
|
9
9
|
* pick a runner that satisfies all hints. Hints are PREFERENCES unless
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
// ═══════════════════════════════════════════════════════════════════════════
|
|
2
2
|
// @xemahq/provisioning-contracts — Workspace Provisioning wire contracts.
|
|
3
3
|
//
|
|
4
|
-
// Pure types + Zod schemas for the `provision` lifecycle phase
|
|
4
|
+
// Pure types + Zod schemas for the `provision` lifecycle phase: the
|
|
5
5
|
// deterministic, guard-gated `SCAFFOLD` / `EQUIP` steps that prepare a
|
|
6
6
|
// session's repo content. agent-session-api's `provisioning-plan-resolver`
|
|
7
7
|
// RESOLVES a plan from biome manifests; workspace-proxy's
|
|
@@ -140,7 +140,7 @@ export type ProvisioningAgentInstruction = z.infer<
|
|
|
140
140
|
>;
|
|
141
141
|
|
|
142
142
|
/**
|
|
143
|
-
* Presigned-URL pair for the content-addressed scaffold cache
|
|
143
|
+
* Presigned-URL pair for the content-addressed scaffold cache.
|
|
144
144
|
* agent-session-api mints these from a step's `cacheKey`; workspace-proxy
|
|
145
145
|
* GETs `getUrl` to probe for a hit, and on a miss PUTs the built tar to
|
|
146
146
|
* `putUrl` (write-through). `getHeaders` / `putHeaders` are the headers the
|
|
@@ -194,7 +194,7 @@ export const ResolvedProvisioningStepSchema = z
|
|
|
194
194
|
targetDir: z.string().min(1),
|
|
195
195
|
cacheKey: z.string().min(1).nullable(),
|
|
196
196
|
/**
|
|
197
|
-
* Presigned scaffold-cache URLs derived from `cacheKey
|
|
197
|
+
* Presigned scaffold-cache URLs derived from `cacheKey`.
|
|
198
198
|
* Present only on a cacheable step whose URLs were minted at resolve
|
|
199
199
|
* time; absent ⇒ the executor builds locally with no cache.
|
|
200
200
|
*/
|
|
@@ -231,7 +231,7 @@ export type ResolvedProvisioningPlan = z.infer<
|
|
|
231
231
|
* A `built` step that had a `cache` ref and is eligible for an out-of-band
|
|
232
232
|
* cache write. The executor no longer writes the cache inline; instead it
|
|
233
233
|
* surfaces the pending write here, and the caller (agent-session-api)
|
|
234
|
-
* dispatches `writeScaffoldCacheWorkflow` per entry
|
|
234
|
+
* dispatches `writeScaffoldCacheWorkflow` per entry.
|
|
235
235
|
*
|
|
236
236
|
* `cacheRef` is the SAME ref the plan carried in — re-passed to keep the
|
|
237
237
|
* activity stateless (workspace-proxy doesn't have to retain a presigned
|
|
@@ -257,7 +257,7 @@ export const ProvisioningStepResultSchema = z
|
|
|
257
257
|
/**
|
|
258
258
|
* Non-empty only on a `built` step whose plan carried a `cache` ref.
|
|
259
259
|
* The caller dispatches `writeScaffoldCacheWorkflow` per entry — the
|
|
260
|
-
* executor never writes the cache itself
|
|
260
|
+
* executor never writes the cache itself.
|
|
261
261
|
*/
|
|
262
262
|
pendingCacheWrite: ProvisioningPendingCacheWriteSchema.optional(),
|
|
263
263
|
})
|
|
@@ -19,7 +19,7 @@ const RESOURCE_PRINCIPALS_MAX = 100;
|
|
|
19
19
|
|
|
20
20
|
/**
|
|
21
21
|
* `ResourceVisibilityPattern` — the closed set of ownership/visibility shapes a
|
|
22
|
-
* biome may declare for a resource instance it contributes
|
|
22
|
+
* biome may declare for a resource instance it contributes.
|
|
23
23
|
*
|
|
24
24
|
* Precedence is NOT encoded here — this enum only names HOW a resource is
|
|
25
25
|
* shared; the PDP in `authorization-api` derives the effective verdict from the
|
|
@@ -78,7 +78,7 @@ export const ExplicitShareRefSchema: z.ZodType<ExplicitShareRef> = z.object({
|
|
|
78
78
|
|
|
79
79
|
/**
|
|
80
80
|
* Manifest shape carried by every `ContributionKind.ResourceOwnership`
|
|
81
|
-
* envelope
|
|
81
|
+
* envelope. One contribution = one resource instance's
|
|
82
82
|
* ownership/visibility declaration.
|
|
83
83
|
*
|
|
84
84
|
* Mirrors `CapabilityContributionManifest` precisely: a value-identical subset
|
|
@@ -5,8 +5,8 @@ import {
|
|
|
5
5
|
} from '../../execution-context';
|
|
6
6
|
|
|
7
7
|
/**
|
|
8
|
-
* CloudEvent type emitted on the dispatch fan-out channel (
|
|
9
|
-
*
|
|
8
|
+
* CloudEvent type emitted on the dispatch fan-out channel (Push
|
|
9
|
+
* transport). Pull-mode runners receive the same envelope as the
|
|
10
10
|
* body of `POST /runners/<id>/pull-work`.
|
|
11
11
|
*
|
|
12
12
|
* Constant, not enum — there is exactly one dispatch type today.
|
|
@@ -16,13 +16,13 @@ import {
|
|
|
16
16
|
export const RUNNER_DISPATCH_CLOUDEVENT_TYPE = 'xema.runner.dispatch.v1' as const;
|
|
17
17
|
|
|
18
18
|
/**
|
|
19
|
-
* `RunnerDispatch`
|
|
19
|
+
* `RunnerDispatch` — superset of the legacy
|
|
20
20
|
* `RunnerJobDispatch` shape. This v1 envelope carries the full
|
|
21
21
|
* `ExecutionContext` so the runner can re-validate the policy decision
|
|
22
22
|
* locally before invoking the capability.
|
|
23
23
|
*
|
|
24
24
|
* `tokenJwt` is the compact-JWS form of the RS256 `JobToken` minted by
|
|
25
|
-
* the kernel-server
|
|
25
|
+
* the kernel-server, aligned with `RunnerJobDispatch.tokenJwt`.
|
|
26
26
|
* The runner MUST verify the signature + claims against the kernel-server
|
|
27
27
|
* JWKS before touching the dispatch.
|
|
28
28
|
*/
|
|
@@ -33,7 +33,7 @@ export interface RunnerDispatch {
|
|
|
33
33
|
executionContext: ExecutionContext;
|
|
34
34
|
/**
|
|
35
35
|
* The capability invocation input, carried by value so the runner has the
|
|
36
|
-
* actual arguments to execute with
|
|
36
|
+
* actual arguments to execute with. The `ExecutionContext`
|
|
37
37
|
* carries only an `inputHash` fingerprint — not the payload — so without
|
|
38
38
|
* this field the runner could verify identity but had nothing to run.
|
|
39
39
|
*
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import type { RunnerId } from './runner';
|
|
2
2
|
|
|
3
3
|
/**
|
|
4
|
-
* Signed job token
|
|
4
|
+
* Signed job token.
|
|
5
5
|
*
|
|
6
6
|
* Kernel-server mints an RS256 token with a hard ceiling of 60 seconds
|
|
7
7
|
* per invocation. The runner MUST verify signature + scope before
|
|
@@ -37,7 +37,7 @@ export interface JobToken {
|
|
|
37
37
|
subjectId: string;
|
|
38
38
|
/**
|
|
39
39
|
* `canonicalCapabilityInputHash` of the dispatched invocation input
|
|
40
|
-
*
|
|
40
|
+
* Binds the unsigned `RunnerDispatch.input` to this signed
|
|
41
41
|
* token so the runner can detect input tampering before executing.
|
|
42
42
|
*/
|
|
43
43
|
inputHash: string;
|
|
@@ -12,14 +12,14 @@ export const RUNNER_ATTESTATION_REJECTED_CLOUDEVENT_TYPE =
|
|
|
12
12
|
'xema.runner.attestation.rejected.v1' as const;
|
|
13
13
|
|
|
14
14
|
/**
|
|
15
|
-
* Runner attestation
|
|
15
|
+
* Runner attestation.
|
|
16
16
|
*
|
|
17
17
|
* Carried by a runner on every `register` against the kernel-server.
|
|
18
18
|
* The kernel-server validates:
|
|
19
19
|
* - `identityJwt` is signed by the trusted Keycloak realm and the
|
|
20
20
|
* subject is a service-account claim of kind `runner`.
|
|
21
21
|
* - `allowedEnvironments` is countersigned by an org-admin role
|
|
22
|
-
* (validated via OpenFGA / OPA
|
|
22
|
+
* (validated via OpenFGA / OPA).
|
|
23
23
|
* - `signedAt` is within the configured attestation freshness window.
|
|
24
24
|
*
|
|
25
25
|
* Any validation failure is fail-fast — the runner is rejected and the
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import { z } from 'zod';
|
|
2
2
|
|
|
3
3
|
/**
|
|
4
|
-
* `RunnerJob` lifecycle state machine
|
|
4
|
+
* `RunnerJob` lifecycle state machine.
|
|
5
5
|
*
|
|
6
6
|
* Pending → Dispatched → Accepted → Running → Succeeded (terminal)
|
|
7
7
|
* ↘ Failed (terminal)
|
|
@@ -64,7 +64,7 @@ export const RUNNER_JOB_COMPLETED_CLOUDEVENT_TYPE =
|
|
|
64
64
|
|
|
65
65
|
/**
|
|
66
66
|
* Report-back envelope a runner emits on accept / progress / completion
|
|
67
|
-
*
|
|
67
|
+
* `workload-runtime` keys idempotent state transitions on
|
|
68
68
|
* `(jobId, state)`; `output` is present only on a `Succeeded` report and
|
|
69
69
|
* `error` only on a `Failed` report.
|
|
70
70
|
*/
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* Runner-plane registry conventions
|
|
2
|
+
* Runner-plane registry conventions.
|
|
3
3
|
*
|
|
4
4
|
* Runners do not have a bespoke registry; they publish ordinary
|
|
5
5
|
* `ServiceDescriptor`s to the Service Registry under ONE well-known
|
|
@@ -11,7 +11,7 @@
|
|
|
11
11
|
* the `ServiceDescriptor` type is in scope).
|
|
12
12
|
*
|
|
13
13
|
* Keeping the name + label keys here — in the kernel leaf both the
|
|
14
|
-
* runner producers
|
|
14
|
+
* runner producers and the router selector consume —
|
|
15
15
|
* guarantees producer/consumer agreement without a second contracts
|
|
16
16
|
* package. Adding/renaming a key is a coordinated kernel change.
|
|
17
17
|
*/
|