@ytinnovation/harness-core 0.0.0

package/dist/gateway/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/gateway/auth.ts"],"names":[],"mappings":""}

package/dist/gateway/client.d.ts

@@ -0,0 +1,65 @@
+import type { GatewayAuthError, GatewayRequestContext, GatewayTokenProvider } from './auth.js';
+export interface GatewayRequestMetadata {
+    targetModel: string;
+    operation: string;
+    requestSizeBytes?: number;
+}
+export interface GatewayPreparedRequest {
+    context: GatewayRequestContext;
+    metadata: GatewayRequestMetadata;
+    accessToken: string;
+    authHeader: string;
+}
+export interface GatewayAuditSuccessSummary {
+    status: 'success';
+    tokenExpiresAt: string;
+    scopeCount: number;
+}
+export interface GatewayAuditAuthFailureSummary {
+    status: 'auth_failure';
+    failureType: GatewayAuthError['failureType'];
+    code: GatewayAuthError['code'];
+    message: string;
+}
+export type GatewayAuditResultSummary = GatewayAuditSuccessSummary | GatewayAuditAuthFailureSummary;
+export interface GatewayAuditRecord {
+    requestId: string;
+    actorId: string;
+    userId: string;
+    projectId: string;
+    projectName: string;
+    workspaceRoot: string;
+    commandName?: string;
+    toolName?: string;
+    occurredAt: string;
+    requestTime: string;
+    targetModel: string;
+    resultStatus: GatewayAuditResultSummary['status'];
+    errorSummary?: string;
+    result: GatewayAuditResultSummary;
+}
+export interface GatewayAuditRecorder {
+    record(entry: GatewayAuditRecord): Promise<void> | void;
+}
+export interface GatewayPrepareRequestSuccess {
+    status: 'success';
+    request: GatewayPreparedRequest;
+    audit: GatewayAuditRecord;
+}
+export interface GatewayPrepareRequestFailure {
+    status: 'error';
+    error: GatewayAuthError;
+    audit: GatewayAuditRecord;
+}
+export type GatewayPrepareRequestResult = GatewayPrepareRequestSuccess | GatewayPrepareRequestFailure;
+export interface GatewayClient {
+    prepareRequest(context: GatewayRequestContext, metadata: GatewayRequestMetadata): Promise<GatewayPrepareRequestResult>;
+}
+export interface CreateGatewayClientOptions {
+    tokenProvider: GatewayTokenProvider;
+    auditRecorder?: GatewayAuditRecorder;
+    onAuditSinkError?: (error: unknown, entry: GatewayAuditRecord) => void;
+    now?: () => Date;
+}
+export declare function createGatewayClient(options: CreateGatewayClientOptions): GatewayClient;
+//# sourceMappingURL=client.d.ts.map

package/dist/gateway/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/gateway/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AAG/F,MAAM,WAAW,sBAAsB;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,qBAAqB,CAAC;IAC/B,QAAQ,EAAE,sBAAsB,CAAC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,0BAA0B;IACzC,MAAM,EAAE,SAAS,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,8BAA8B;IAC7C,MAAM,EAAE,cAAc,CAAC;IACvB,WAAW,EAAE,gBAAgB,CAAC,aAAa,CAAC,CAAC;IAC7C,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,yBAAyB,GACjC,0BAA0B,GAC1B,8BAA8B,CAAC;AAEnC,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAClD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,yBAAyB,CAAC;CACnC;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACzD;AAED,MAAM,WAAW,4BAA4B;IAC3C,MAAM,EAAE,SAAS,CAAC;IAClB,OAAO,EAAE,sBAAsB,CAAC;IAChC,KAAK,EAAE,kBAAkB,CAAC;CAC3B;AAED,MAAM,WAAW,4BAA4B;IAC3C,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,EAAE,gBAAgB,CAAC;IACxB,KAAK,EAAE,kBAAkB,CAAC;CAC3B;AAED,MAAM,MAAM,2BAA2B,GAAG,4BAA4B,GAAG,4BAA4B,CAAC;AAEtG,MAAM,WAAW,aAAa;IAC5B,cAAc,CACZ,OAAO,EAAE,qBAAqB,EAC9B,QAAQ,EAAE,sBAAsB,GAC/B,OAAO,CAAC,2BAA2B,CAAC,CAAC;CACzC;AAED,MAAM,WAAW,0BAA0B;IACzC,aAAa,EAAE,oBAAoB,CAAC;IACpC,aAAa,CAAC,EAAE,oBAAoB,CAAC;IACrC,gBAAgB,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,kBAAkB,KAAK,IAAI,CAAC;IACvE,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;CAClB;AAoCD,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,0BAA0B,GAAG,aAAa,CAiHtF"}

package/dist/gateway/client.js

@@ -0,0 +1,133 @@
+import { basename } from 'node:path';
+function createExpiredCredentialFailure() {
+    return {
+        status: 'error',
+        failureType: 'refreshable',
+        code: 'GATEWAY_AUTH_EXPIRED',
+        message: 'Short-lived gateway credential is already expired.',
+        action: 'refresh-token',
+        guidance: 'Refresh your SSO token with `harness auth refresh` and retry.',
+    };
+}
+async function emitAudit(recorder, onAuditSinkError, entry) {
+    if (!recorder) {
+        return;
+    }
+    try {
+        await recorder.record(entry);
+    }
+    catch (error) {
+        onAuditSinkError?.(error, entry);
+    }
+}
+function deriveProjectIdentity(context) {
+    const fallbackName = basename(context.workspaceRoot) || context.workspaceRoot;
+    return {
+        projectId: context.projectId?.trim() || fallbackName,
+        projectName: context.projectName?.trim() || fallbackName,
+    };
+}
+export function createGatewayClient(options) {
+    const now = options.now ?? (() => new Date());
+    return {
+        async prepareRequest(context, metadata) {
+            const occurredAt = now().toISOString();
+            const tokenResult = await options.tokenProvider.resolveToken(context);
+            if (tokenResult.status === 'error') {
+                const project = deriveProjectIdentity(context);
+                const audit = {
+                    requestId: context.requestId,
+                    actorId: context.actorId,
+                    userId: context.actorId,
+                    projectId: project.projectId,
+                    projectName: project.projectName,
+                    workspaceRoot: context.workspaceRoot,
+                    commandName: context.commandName,
+                    toolName: context.toolName,
+                    occurredAt,
+                    requestTime: occurredAt,
+                    targetModel: metadata.targetModel,
+                    resultStatus: 'auth_failure',
+                    errorSummary: `${tokenResult.code}: ${tokenResult.message}`,
+                    result: {
+                        status: 'auth_failure',
+                        failureType: tokenResult.failureType,
+                        code: tokenResult.code,
+                        message: tokenResult.message,
+                    },
+                };
+                await emitAudit(options.auditRecorder, options.onAuditSinkError, audit);
+                return {
+                    status: 'error',
+                    error: tokenResult,
+                    audit,
+                };
+            }
+            const tokenExpiry = Date.parse(tokenResult.token.expiresAt);
+            if (!Number.isFinite(tokenExpiry) || tokenExpiry <= Date.parse(occurredAt)) {
+                const expiredError = createExpiredCredentialFailure();
+                const project = deriveProjectIdentity(context);
+                const audit = {
+                    requestId: context.requestId,
+                    actorId: context.actorId,
+                    userId: context.actorId,
+                    projectId: project.projectId,
+                    projectName: project.projectName,
+                    workspaceRoot: context.workspaceRoot,
+                    commandName: context.commandName,
+                    toolName: context.toolName,
+                    occurredAt,
+                    requestTime: occurredAt,
+                    targetModel: metadata.targetModel,
+                    resultStatus: 'auth_failure',
+                    errorSummary: `${expiredError.code}: ${expiredError.message}`,
+                    result: {
+                        status: 'auth_failure',
+                        failureType: expiredError.failureType,
+                        code: expiredError.code,
+                        message: expiredError.message,
+                    },
+                };
+                await emitAudit(options.auditRecorder, options.onAuditSinkError, audit);
+                return {
+                    status: 'error',
+                    error: expiredError,
+                    audit,
+                };
+            }
+            const request = {
+                context,
+                metadata,
+                accessToken: tokenResult.token.value,
+                authHeader: `Bearer ${tokenResult.token.value}`,
+            };
+            const project = deriveProjectIdentity(context);
+            const audit = {
+                requestId: context.requestId,
+                actorId: context.actorId,
+                userId: context.actorId,
+                projectId: project.projectId,
+                projectName: project.projectName,
+                workspaceRoot: context.workspaceRoot,
+                commandName: context.commandName,
+                toolName: context.toolName,
+                occurredAt,
+                requestTime: occurredAt,
+                targetModel: metadata.targetModel,
+                resultStatus: 'success',
+                result: {
+                    status: 'success',
+                    tokenExpiresAt: tokenResult.token.expiresAt,
+                    scopeCount: tokenResult.token.scopes.length,
+                },
+            };
+            await emitAudit(options.auditRecorder, options.onAuditSinkError, audit);
+            return {
+                status: 'success',
+                request,
+                audit,
+            };
+        },
+    };
+}
+//# sourceMappingURL=client.js.map

package/dist/gateway/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/gateway/client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAiFrC,SAAS,8BAA8B;IACrC,OAAO;QACL,MAAM,EAAE,OAAO;QACf,WAAW,EAAE,aAAa;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,oDAAoD;QAC7D,MAAM,EAAE,eAAe;QACvB,QAAQ,EAAE,+DAA+D;KAC1E,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,SAAS,CACtB,QAA0C,EAC1C,gBAAgE,EAChE,KAAyB;IAEzB,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;IACT,CAAC;IACD,IAAI,CAAC;QACH,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,gBAAgB,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACnC,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,OAA8B;IAC3D,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,aAAa,CAAC;IAC9E,OAAO;QACL,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,YAAY;QACpD,WAAW,EAAE,OAAO,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,YAAY;KACzD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAmC;IACrE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAE9C,OAAO;QACL,KAAK,CAAC,cAAc,CAClB,OAA8B,EAC9B,QAAgC;YAEhC,MAAM,UAAU,GAAG,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;YACvC,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YAEtE,IAAI,WAAW,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;gBACnC,MAAM,OAAO,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;gBAC/C,MAAM,KAAK,GAAuB;oBAChC,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,MAAM,EAAE,OAAO,CAAC,OAAO;oBACvB,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,aAAa,EAAE,OAAO,CAAC,aAAa;oBACpC,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,UAAU;oBACV,WAAW,EAAE,UAAU;oBACvB,WAAW,EAAE,QAAQ,CAAC,WAAW;oBACjC,YAAY,EAAE,cAAc;oBAC5B,YAAY,EAAE,GAAG,WAAW,CAAC,IAAI,KAAK,WAAW,CAAC,OAAO,EAAE;oBAC3D,MAAM,EAAE;wBACN,MAAM,EAAE,cAAc;wBACtB,WAAW,EAAE,WAAW,CAAC,WAAW;wBACpC,IAAI,EAAE,WAAW,CAAC,IAAI;wBACtB,OAAO,EAAE,WAAW,CAAC,OAAO;qBAC7B;iBACF,CAAC;gBAEF,MAAM,SAAS,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;gBACxE,OAAO;oBACL,MAAM,EAAE,OAAO;oBACf,KAAK,EAAE,WAAW;oBAClB,KAAK;iBACN,CAAC;YACJ,CAAC;YAED,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAC5D,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,WAAW,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC3E,MAAM,YAAY,GAAG,8BAA8B,EAAE,CAAC;gBACtD,MAAM,OAAO,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;gBAC/C,MAAM,KAAK,GAAuB;oBAChC,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,MAAM,EAAE,OAAO,CAAC,OAAO;oBACvB,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,aAAa,EAAE,OAAO,CAAC,aAAa;oBACpC,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,UAAU;oBACV,WAAW,EAAE,UAAU;oBACvB,WAAW,EAAE,QAAQ,CAAC,WAAW;oBACjC,YAAY,EAAE,cAAc;oBAC5B,YAAY,EAAE,GAAG,YAAY,CAAC,IAAI,KAAK,YAAY,CAAC,OAAO,EAAE;oBAC7D,MAAM,EAAE;wBACN,MAAM,EAAE,cAAc;wBACtB,WAAW,EAAE,YAAY,CAAC,WAAW;wBACrC,IAAI,EAAE,YAAY,CAAC,IAAI;wBACvB,OAAO,EAAE,YAAY,CAAC,OAAO;qBAC9B;iBACF,CAAC;gBAEF,MAAM,SAAS,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;gBACxE,OAAO;oBACL,MAAM,EAAE,OAAO;oBACf,KAAK,EAAE,YAAY;oBACnB,KAAK;iBACN,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAA2B;gBACtC,OAAO;gBACP,QAAQ;gBACR,WAAW,EAAE,WAAW,CAAC,KAAK,CAAC,KAAK;gBACpC,UAAU,EAAE,UAAU,WAAW,CAAC,KAAK,CAAC,KAAK,EAAE;aAChD,CAAC;YAEF,MAAM,OAAO,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;YAC/C,MAAM,KAAK,GAAuB;gBAChC,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,MAAM,EAAE,OAAO,CAAC,OAAO;gBACvB,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,aAAa,EAAE,OAAO,CAAC,aAAa;gBACpC,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,UAAU;gBACV,WAAW,EAAE,UAAU;gBACvB,WAAW,EAAE,QAAQ,CAAC,WAAW;gBACjC,YAAY,EAAE,SAAS;gBACvB,MAAM,EAAE;oBACN,MAAM,EAAE,SAAS;oBACjB,cAAc,EAAE,WAAW,CAAC,KAAK,CAAC,SAAS;oBAC3C,UAAU,EAAE,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM;iBAC5C;aACF,CAAC;YAEF,MAAM,SAAS,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;YACxE,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,OAAO;gBACP,KAAK;aACN,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/gateway/command.d.ts

@@ -0,0 +1,4 @@
+import type { CommandRouter } from '../kernel/router.js';
+export declare function runGatewayCommand(args: string[]): Promise<number>;
+export declare function registerGatewayCommand(router: CommandRouter): void;
+//# sourceMappingURL=command.d.ts.map

package/dist/gateway/command.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command.d.ts","sourceRoot":"","sources":["../../src/gateway/command.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAiIzD,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAmGvE;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAElE"}

package/dist/gateway/command.js

@@ -0,0 +1,213 @@
+import { randomUUID } from 'node:crypto';
+import { userInfo } from 'node:os';
+import { basename, resolve } from 'node:path';
+import { HarnessError } from '../contracts/errors.js';
+import { resolveHarnessServiceBaseUrl } from '../cloud/harness-service-url.js';
+import { createHarnessServiceGatewayHttpExchange } from './service-http-exchange.js';
+import { renderErrorBlock, renderJson, renderSuccessBlock } from '../cli-output/renderers.js';
+function renderGatewayHelp(programName = 'harness') {
+    return [
+        '与 harness-service LLM Gateway 契约交互。',
+        '',
+        '用法：',
+        `  ${programName} gateway token [--cwd <path>] [--actor-id <id>] [--project-id <id>] [--session-id <id>] [--json]`,
+        '',
+        '选项：',
+        '  --cwd <path>        工作区根目录，默认当前目录。',
+        '  --actor-id <id>     调用方身份，默认 HARNESS_ACTOR_ID 或系统用户名。',
+        '  --project-id <id>   可选项目标识。',
+        '  --session-id <id>   可选会话标识。',
+        '  --show-token        成功时显示原始 token，避免写入日志或截图。',
+        '  --json              输出机器可读 JSON。',
+        '  -h, --help          查看帮助。',
+        '',
+        '环境变量：',
+        '  服务地址：HARNESS_SERVICE_URL 优先，其次 HARNESS_CLOUD_BASE_URL。',
+        '  可选鉴权：HARNESS_SERVICE_BEARER_TOKEN。',
+        '',
+        '退出码：',
+        '  0：获取短期凭证成功。',
+        '  1：缺少配置、网络/鉴权失败，或首期 GATEWAY_NOT_CONFIGURED 响应。',
+    ].join('\n');
+}
+function parseGatewayTokenArgs(args) {
+    let cwd = process.cwd();
+    let actorId = '';
+    let projectId;
+    let sessionId;
+    let showToken = false;
+    let json = false;
+    let help = false;
+    for (let index = 0; index < args.length; index += 1) {
+        const arg = args[index];
+        if (arg === '--help' || arg === '-h') {
+            help = true;
+            continue;
+        }
+        if (arg === '--show-token') {
+            showToken = true;
+            continue;
+        }
+        if (arg === '--json') {
+            json = true;
+            continue;
+        }
+        if (arg === '--cwd') {
+            const value = args[index + 1];
+            if (!value || value.startsWith('--')) {
+                throw new HarnessError('GATEWAY_CLI_INVALID_ARGS', 'Missing value for --cwd.');
+            }
+            cwd = resolve(value);
+            index += 1;
+            continue;
+        }
+        if (arg === '--actor-id') {
+            const value = args[index + 1];
+            if (!value || value.startsWith('--')) {
+                throw new HarnessError('GATEWAY_CLI_INVALID_ARGS', 'Missing value for --actor-id.');
+            }
+            actorId = value.trim();
+            index += 1;
+            continue;
+        }
+        if (arg === '--project-id') {
+            const value = args[index + 1];
+            if (!value || value.startsWith('--')) {
+                throw new HarnessError('GATEWAY_CLI_INVALID_ARGS', 'Missing value for --project-id.');
+            }
+            projectId = value.trim();
+            index += 1;
+            continue;
+        }
+        if (arg === '--session-id') {
+            const value = args[index + 1];
+            if (!value || value.startsWith('--')) {
+                throw new HarnessError('GATEWAY_CLI_INVALID_ARGS', 'Missing value for --session-id.');
+            }
+            sessionId = value.trim();
+            index += 1;
+            continue;
+        }
+        throw new HarnessError('GATEWAY_CLI_INVALID_ARGS', `Unknown gateway token option: ${arg}`);
+    }
+    return {
+        cwd,
+        actorId,
+        projectId,
+        sessionId,
+        showToken,
+        json,
+        help,
+    };
+}
+function resolveDefaultActorId(parsed) {
+    const trimmed = parsed.actorId.trim();
+    if (trimmed.length > 0) {
+        return trimmed;
+    }
+    const envActor = process.env.HARNESS_ACTOR_ID?.trim();
+    if (envActor) {
+        return envActor;
+    }
+    try {
+        return userInfo().username || 'harness-cli';
+    }
+    catch {
+        return 'harness-cli';
+    }
+}
+export async function runGatewayCommand(args) {
+    if (args.length === 0 || args[0] === '--help' || args[0] === '-h') {
+        console.log(renderGatewayHelp());
+        return 0;
+    }
+    const subcommand = args[0];
+    if (subcommand !== 'token') {
+        console.error(`Unknown gateway subcommand: ${subcommand}\n\n${renderGatewayHelp()}`);
+        return 1;
+    }
+    const options = parseGatewayTokenArgs(args.slice(1));
+    if (options.help) {
+        console.log(renderGatewayHelp());
+        return 0;
+    }
+    const baseUrl = resolveHarnessServiceBaseUrl();
+    if (!baseUrl) {
+        const payload = {
+            status: 'error',
+            errorCode: 'HARNESS_SERVICE_URL_MISSING',
+            message: 'HARNESS_SERVICE_URL is not configured (HARNESS_CLOUD_BASE_URL fallback also empty). Export one before gateway exchange.',
+            actionableHints: [
+                'Example: export HARNESS_SERVICE_URL=https://harness-service.example.com',
+                'Local flows never persist static provider API keys in Harness files — keep secrets in your shell or secret manager.',
+            ],
+        };
+        console.log(options.json ? renderJson(payload) : renderErrorBlock({
+            title: 'Gateway Token 获取失败',
+            message: '未配置 HARNESS_SERVICE_URL，且 HARNESS_CLOUD_BASE_URL 也为空。',
+            code: payload.errorCode,
+            suggestions: ['export HARNESS_SERVICE_URL=https://harness-service.example.com'],
+        }));
+        return 1;
+    }
+    const actorId = resolveDefaultActorId(options);
+    const resolvedProjectId = options.projectId?.trim() || process.env.HARNESS_PROJECT_ID?.trim() || basename(options.cwd);
+    const resolvedSessionId = options.sessionId?.trim() ||
+        process.env.HARNESS_GATEWAY_SESSION_ID?.trim() ||
+        process.env.HARNESS_SESSION_ID?.trim();
+    const exchange = createHarnessServiceGatewayHttpExchange({
+        baseUrl,
+        authorizationBearer: process.env.HARNESS_SERVICE_BEARER_TOKEN?.trim(),
+    });
+    const result = await exchange.exchange({
+        workspaceRoot: options.cwd,
+        actorId,
+        requestId: randomUUID(),
+        projectId: resolvedProjectId,
+        ...(resolvedSessionId ? { sessionId: resolvedSessionId } : {}),
+        commandName: 'harness gateway token',
+    });
+    if (result.status === 'success') {
+        const payload = {
+            status: 'success',
+            serviceUrl: baseUrl,
+            expiresAt: result.token.expiresAt,
+            scopes: result.token.scopes,
+        };
+        if (options.showToken) {
+            payload.accessToken = result.token.value;
+        }
+        else {
+            payload.accessTokenRedacted = true;
+            payload.accessTokenPreview =
+                result.token.value.length <= 8 ? '***' : `${result.token.value.slice(0, 4)}…${result.token.value.slice(-4)}`;
+        }
+        console.log(options.json ? renderJson(payload) : renderSuccessBlock('Gateway Token 获取成功', [
+            ['服务地址', baseUrl],
+            ['过期时间', result.token.expiresAt],
+            ['Scopes', result.token.scopes.join(', ')],
+            ['Token', options.showToken ? result.token.value : String(payload.accessTokenPreview)],
+        ]));
+        return 0;
+    }
+    const payload = {
+        status: 'error',
+        serviceUrl: baseUrl,
+        failureType: result.failureType,
+        errorCode: result.code,
+        message: result.message,
+        recommendedAction: result.action,
+        guidance: result.guidance,
+    };
+    console.log(options.json ? renderJson(payload) : renderErrorBlock({
+        title: 'Gateway Token 获取失败',
+        message: result.message,
+        code: result.code,
+        suggestions: [result.action, ...result.guidance],
+    }));
+    return 1;
+}
+export function registerGatewayCommand(router) {
+    router.register('gateway', runGatewayCommand);
+}
+//# sourceMappingURL=command.js.map

package/dist/gateway/command.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command.js","sourceRoot":"","sources":["../../src/gateway/command.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,4BAA4B,EAAE,MAAM,iCAAiC,CAAC;AAE/E,OAAO,EAAE,uCAAuC,EAAE,MAAM,4BAA4B,CAAC;AACrF,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAY9F,SAAS,iBAAiB,CAAC,WAAW,GAAG,SAAS;IAChD,OAAO;QACL,qCAAqC;QACrC,EAAE;QACF,KAAK;QACL,KAAK,WAAW,kGAAkG;QAClH,EAAE;QACF,KAAK;QACL,sCAAsC;QACtC,yDAAyD;QACzD,+BAA+B;QAC/B,+BAA+B;QAC/B,gDAAgD;QAChD,oCAAoC;QACpC,6BAA6B;QAC7B,EAAE;QACF,OAAO;QACP,0DAA0D;QAC1D,sCAAsC;QACtC,EAAE;QACF,MAAM;QACN,eAAe;QACf,iDAAiD;KAClD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAc;IAC3C,IAAI,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IACxB,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,SAA6B,CAAC;IAClC,IAAI,SAA6B,CAAC;IAClC,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,IAAI,GAAG,KAAK,CAAC;IAEjB,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QACxB,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACrC,IAAI,GAAG,IAAI,CAAC;YACZ,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;YAC3B,SAAS,GAAG,IAAI,CAAC;YACjB,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrB,IAAI,GAAG,IAAI,CAAC;YACZ,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;YACpB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,YAAY,CAAC,0BAA0B,EAAE,0BAA0B,CAAC,CAAC;YACjF,CAAC;YACD,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;YACrB,KAAK,IAAI,CAAC,CAAC;YACX,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,YAAY,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,YAAY,CAAC,0BAA0B,EAAE,+BAA+B,CAAC,CAAC;YACtF,CAAC;YACD,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YACvB,KAAK,IAAI,CAAC,CAAC;YACX,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,YAAY,CAAC,0BAA0B,EAAE,iCAAiC,CAAC,CAAC;YACxF,CAAC;YACD,SAAS,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YACzB,KAAK,IAAI,CAAC,CAAC;YACX,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,YAAY,CAAC,0BAA0B,EAAE,iCAAiC,CAAC,CAAC;YACxF,CAAC;YACD,SAAS,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YACzB,KAAK,IAAI,CAAC,CAAC;YACX,SAAS;QACX,CAAC;QACD,MAAM,IAAI,YAAY,CAAC,0BAA0B,EAAE,iCAAiC,GAAG,EAAE,CAAC,CAAC;IAC7F,CAAC;IAED,OAAO;QACL,GAAG;QACH,OAAO;QACP,SAAS;QACT,SAAS;QACT,SAAS;QACT,IAAI;QACJ,IAAI;KACL,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,MAA8B;IAC3D,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IACtC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,EAAE,CAAC;IACtD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,IAAI,CAAC;QACH,OAAO,QAAQ,EAAE,CAAC,QAAQ,IAAI,aAAa,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,aAAa,CAAC;IACvB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,IAAc;IACpD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC,CAAC;QACjC,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,CAAC,KAAK,CAAC,+BAA+B,UAAU,OAAO,iBAAiB,EAAE,EAAE,CAAC,CAAC;QACrF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,OAAO,GAAG,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC,CAAC;QACjC,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,OAAO,GAAG,4BAA4B,EAAE,CAAC;IAC/C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,OAAO,GAAG;YACd,MAAM,EAAE,OAAO;YACf,SAAS,EAAE,6BAA6B;YACxC,OAAO,EACL,yHAAyH;YAC3H,eAAe,EAAE;gBACf,yEAAyE;gBACzE,qHAAqH;aACtH;SACF,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC;YAChE,KAAK,EAAE,oBAAoB;YAC3B,OAAO,EAAE,uDAAuD;YAChE,IAAI,EAAE,OAAO,CAAC,SAAS;YACvB,WAAW,EAAE,CAAC,gEAAgE,CAAC;SAChF,CAAC,CAAC,CAAC;QACJ,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,OAAO,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,iBAAiB,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACvH,MAAM,iBAAiB,GACrB,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE;QACzB,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,IAAI,EAAE;QAC9C,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC;IAEzC,MAAM,QAAQ,GAAG,uCAAuC,CAAC;QACvD,OAAO;QACP,mBAAmB,EAAE,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,IAAI,EAAE;KACtE,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC;QACrC,aAAa,EAAE,OAAO,CAAC,GAAG;QAC1B,OAAO;QACP,SAAS,EAAE,UAAU,EAAE;QACvB,SAAS,EAAE,iBAAiB;QAC5B,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9D,WAAW,EAAE,uBAAuB;KACrC,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,OAAO,GAA4B;YACvC,MAAM,EAAE,SAAS;YACjB,UAAU,EAAE,OAAO;YACnB,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS;YACjC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;SAC5B,CAAC;QACF,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,CAAC,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;YACnC,OAAO,CAAC,kBAAkB;gBACxB,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACjH,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,oBAAoB,EAAE;YACxF,CAAC,MAAM,EAAE,OAAO,CAAC;YACjB,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC;YAChC,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1C,CAAC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;SACvF,CAAC,CAAC,CAAC;QACJ,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,OAAO,GAAG;QACd,MAAM,EAAE,OAAO;QACf,UAAU,EAAE,OAAO;QACnB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,SAAS,EAAE,MAAM,CAAC,IAAI;QACtB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,iBAAiB,EAAE,MAAM,CAAC,MAAM;QAChC,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC;QAChE,KAAK,EAAE,oBAAoB;QAC3B,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;KACjD,CAAC,CAAC,CAAC;IACJ,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAqB;IAC1D,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;AAChD,CAAC"}

package/dist/gateway/service-http-exchange.d.ts

@@ -0,0 +1,17 @@
+import type { GatewayTokenExchangeClient } from './token-exchange.js';
+export interface CreateHarnessServiceGatewayHttpExchangeOptions {
+    baseUrl: string;
+    fetchImpl?: typeof fetch;
+    /**
+     * Optional bearer token for the current shell session (e.g. refreshed SSO access token).
+     * Prefer environment injection over committing secrets; phase-1 gateway stubs ignore this header.
+     */
+    authorizationBearer?: string;
+    defaultScopes?: string[];
+}
+/**
+ * Calls harness-service `POST /gateway/token` and maps responses into {@link GatewayTokenExchangeResult}.
+ * Phase-1 services return `GATEWAY_NOT_CONFIGURED`; enabled gateways may return a short-lived credential.
+ */
+export declare function createHarnessServiceGatewayHttpExchange(options: CreateHarnessServiceGatewayHttpExchangeOptions): GatewayTokenExchangeClient;
+//# sourceMappingURL=service-http-exchange.d.ts.map

package/dist/gateway/service-http-exchange.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-http-exchange.d.ts","sourceRoot":"","sources":["../../src/gateway/service-http-exchange.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,0BAA0B,EAA2D,MAAM,qBAAqB,CAAC;AAE/H,MAAM,WAAW,8CAA8C;IAC7D,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B;AAkBD;;;GAGG;AACH,wBAAgB,uCAAuC,CACrD,OAAO,EAAE,8CAA8C,GACtD,0BAA0B,CAyL5B"}

package/dist/gateway/service-http-exchange.js

@@ -0,0 +1,183 @@
+function isRecord(value) {
+    return !!value && typeof value === 'object' && !Array.isArray(value);
+}
+async function readJson(response) {
+    const text = await response.text();
+    if (!text.trim()) {
+        return {};
+    }
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Calls harness-service `POST /gateway/token` and maps responses into {@link GatewayTokenExchangeResult}.
+ * Phase-1 services return `GATEWAY_NOT_CONFIGURED`; enabled gateways may return a short-lived credential.
+ */
+export function createHarnessServiceGatewayHttpExchange(options) {
+    const fetchFn = options.fetchImpl ?? globalThis.fetch;
+    const base = options.baseUrl.replace(/\/$/, '');
+    const defaultScopes = options.defaultScopes ?? ['gateway:invoke'];
+    return {
+        async exchange(context) {
+            const url = `${base}/gateway/token`;
+            const headers = {
+                'Content-Type': 'application/json',
+            };
+            const bearer = options.authorizationBearer?.trim();
+            if (bearer) {
+                headers.Authorization = bearer.startsWith('Bearer ') ? bearer : `Bearer ${bearer}`;
+            }
+            const body = {
+                actorId: context.actorId,
+                scopes: defaultScopes,
+            };
+            const projectId = context.projectId?.trim();
+            if (projectId) {
+                body.projectId = projectId;
+            }
+            const sessionId = context.sessionId?.trim();
+            if (sessionId) {
+                body.sessionId = sessionId;
+            }
+            let response;
+            try {
+                response = await fetchFn(url, {
+                    method: 'POST',
+                    headers,
+                    body: JSON.stringify(body),
+                });
+            }
+            catch (error) {
+                const detail = error instanceof Error ? error.message : String(error);
+                return {
+                    status: 'error',
+                    failureType: 'refreshable',
+                    code: 'GATEWAY_AUTH_UNAVAILABLE',
+                    message: `Cannot reach harness-service gateway: ${detail}`,
+                    action: 'retry-later',
+                    guidance: 'Verify HARNESS_SERVICE_URL / network. Fix VPN or TLS requirements if your operator requires them, then retry.',
+                };
+            }
+            const payload = await readJson(response);
+            if (response.status === 401) {
+                return {
+                    status: 'error',
+                    failureType: 'refreshable',
+                    code: 'GATEWAY_AUTH_UNAVAILABLE',
+                    message: isRecord(payload) && typeof payload.message === 'string'
+                        ? payload.message
+                        : 'Gateway token exchange rejected credentials (HTTP 401).',
+                    action: 'refresh-token',
+                    guidance: 'Refresh your enterprise session token or re-authenticate, then retry. Optional: export HARNESS_SERVICE_BEARER_TOKEN only for the current shell (never commit it).',
+                };
+            }
+            if (response.status === 403) {
+                return {
+                    status: 'error',
+                    failureType: 'authorization',
+                    code: 'GATEWAY_AUTH_FORBIDDEN',
+                    message: isRecord(payload) && typeof payload.message === 'string'
+                        ? payload.message
+                        : 'Gateway token exchange forbidden (HTTP 403).',
+                    action: 'request-access',
+                    guidance: 'Request gateway invoke permission from your platform administrator.',
+                };
+            }
+            if (!response.ok) {
+                const errorCode = isRecord(payload) && typeof payload.errorCode === 'string' ? payload.errorCode : 'GATEWAY_REQUEST_FAILED';
+                const message = isRecord(payload) && typeof payload.message === 'string'
+                    ? payload.message
+                    : `harness-service returned HTTP ${response.status}`;
+                return {
+                    status: 'error',
+                    failureType: 'refreshable',
+                    code: 'GATEWAY_AUTH_UNAVAILABLE',
+                    message,
+                    action: 'retry-later',
+                    guidance: errorCode === 'GATEWAY_REQUEST_INVALID'
+                        ? 'Fix actorId / scopes parameters and retry.'
+                        : 'Inspect harness-service logs or retry later.',
+                };
+            }
+            if (!isRecord(payload)) {
+                return {
+                    status: 'error',
+                    failureType: 'refreshable',
+                    code: 'GATEWAY_AUTH_UNAVAILABLE',
+                    message: 'Gateway token exchange returned a non-object JSON body.',
+                    action: 'retry-later',
+                    guidance: 'Upgrade CLI and harness-service to compatible gateway contract versions.',
+                };
+            }
+            if (payload.enabled === true) {
+                const tokenValue = typeof payload.accessToken === 'string'
+                    ? payload.accessToken
+                    : typeof payload.token === 'string'
+                        ? payload.token
+                        : '';
+                const expiresAt = typeof payload.expiresAt === 'string'
+                    ? payload.expiresAt
+                    : typeof payload.tokenExpiresAt === 'string'
+                        ? payload.tokenExpiresAt
+                        : '';
+                const scopeList = Array.isArray(payload.scopes)
+                    ? payload.scopes.filter((scope) => typeof scope === 'string')
+                    : defaultScopes;
+                const expiryMs = Date.parse(expiresAt);
+                if (!tokenValue || !Number.isFinite(expiryMs) || expiryMs <= Date.now()) {
+                    return {
+                        status: 'error',
+                        failureType: 'refreshable',
+                        code: 'GATEWAY_AUTH_UNAVAILABLE',
+                        message: 'Gateway enabled response did not include a usable short-lived credential.',
+                        action: 'retry-later',
+                        guidance: 'Contact operators — forwarding may be partially configured.',
+                    };
+                }
+                return {
+                    status: 'success',
+                    token: {
+                        value: tokenValue,
+                        expiresAt,
+                        scopes: scopeList.length > 0 ? scopeList : defaultScopes,
+                    },
+                };
+            }
+            if (payload.errorCode === 'GATEWAY_NOT_CONFIGURED') {
+                const hints = Array.isArray(payload.actionableHints)
+                    ? payload.actionableHints.filter((hint) => typeof hint === 'string')
+                    : [];
+                const hintText = hints.length > 0 ? hints.join(' ') : '';
+                const message = typeof payload.message === 'string'
+                    ? payload.message
+                    : 'LLM gateway is not configured on this harness-service instance.';
+                return {
+                    status: 'error',
+                    failureType: 'refreshable',
+                    code: 'GATEWAY_AUTH_UNAVAILABLE',
+                    message,
+                    action: 'retry-later',
+                    guidance: [
+                        hintText,
+                        'until forwarding ships on harness-service (HARNESS_GATEWAY_* variables). MCP stays local-only unless HARNESS_GATEWAY_TOKEN_ENFORCE=true.',
+                    ]
+                        .filter(Boolean)
+                        .join(' '),
+                };
+            }
+            return {
+                status: 'error',
+                failureType: 'refreshable',
+                code: 'GATEWAY_AUTH_UNAVAILABLE',
+                message: typeof payload.message === 'string' ? payload.message : 'Unexpected gateway token exchange response shape.',
+                action: 'retry-later',
+                guidance: 'Inspect harness-service gateway logs for malformed payloads.',
+            };
+        },
+    };
+}
+//# sourceMappingURL=service-http-exchange.js.map