@zero-transfer/mft 0.4.7 → 0.4.8

package/README.md

@@ -20,7 +20,7 @@ import { MftRoute, RouteRegistry, runRoute } from "@zero-transfer/mft";
 
 ## Public surface
 
-This package publishes a narrowed surface of **30** exports. These symbols are also available from [`@zero-transfer/sdk`](https://www.npmjs.com/package/@zero-transfer/sdk); the table below links into the full API reference:
+This package publishes a narrowed surface of **31** exports. These symbols are also available from [`@zero-transfer/sdk`](https://www.npmjs.com/package/@zero-transfer/sdk); the table below links into the full API reference:
 
 | Symbol                                                                                                                          | Kind      | Notes              |
 | ------------------------------------------------------------------------------------------------------------------------------- | --------- | ------------------ |
@@ -54,6 +54,7 @@ This package publishes a narrowed surface of **30** exports. These symbols are a
 | [`ApprovalRegistry`](https://github.com/tonywied17/zero-transfer/blob/main/docs/api-md/classes/ApprovalRegistry.md)             | Class     | See API reference. |
 | [`createApprovalGate`](https://github.com/tonywied17/zero-transfer/blob/main/docs/api-md/functions/createApprovalGate.md)       | Function  | See API reference. |
 | [`ApprovalRejectedError`](https://github.com/tonywied17/zero-transfer/blob/main/docs/api-md/classes/ApprovalRejectedError.md)   | Class     | See API reference. |
+| [`ApprovalTimeoutError`](https://github.com/tonywied17/zero-transfer/blob/main/docs/api-md/classes/ApprovalTimeoutError.md)     | Class     | See API reference. |
 
 ## Examples
 

package/dist/index.cjs

@@ -33,6 +33,7 @@ __export(mft_exports, {
   AbortError: () => AbortError,
   ApprovalRegistry: () => ApprovalRegistry,
   ApprovalRejectedError: () => ApprovalRejectedError,
+  ApprovalTimeoutError: () => ApprovalTimeoutError,
   AuthenticationError: () => AuthenticationError,
   AuthorizationError: () => AuthorizationError,
   CLASSIC_PROVIDER_IDS: () => CLASSIC_PROVIDER_IDS,
@@ -70,6 +71,7 @@ __export(mft_exports, {
   createApprovalGate: () => createApprovalGate,
   createAtomicDeployPlan: () => createAtomicDeployPlan,
   createBandwidthThrottle: () => createBandwidthThrottle,
+  createDefaultRetryPolicy: () => createDefaultRetryPolicy,
   createInboxRoute: () => createInboxRoute,
   createJsonlAuditLog: () => createJsonlAuditLog,
   createLocalProviderFactory: () => createLocalProviderFactory,
@@ -117,8 +119,10 @@ __export(mft_exports, {
   parseRemoteManifest: () => parseRemoteManifest,
   redactCommand: () => redactCommand,
   redactConnectionProfile: () => redactConnectionProfile,
+  redactErrorForLogging: () => redactErrorForLogging,
   redactObject: () => redactObject,
   redactSecretSource: () => redactSecretSource,
+  redactUrlForLogging: () => redactUrlForLogging,
   redactValue: () => redactValue,
   resolveConnectionProfileSecrets: () => resolveConnectionProfileSecrets,
   resolveOpenSshHost: () => resolveOpenSshHost,
@@ -143,6 +147,68 @@ module.exports = __toCommonJS(mft_exports);
 // src/client/ZeroTransfer.ts
 var import_node_events = require("events");
 
+// src/logging/redaction.ts
+var REDACTED = "[REDACTED]";
+var SENSITIVE_KEY_PATTERN = /(?:password|passphrase|privatekey|token|secret|username|user)$/i;
+var SECRET_COMMAND_PATTERN = /^(PASS|USER|ACCT)\s+(.+)$/i;
+var URL_KEY_PATTERN = /(?:url|uri|href)$/i;
+function isSensitiveKey(key) {
+  return SENSITIVE_KEY_PATTERN.test(key.replace(/[_-]/g, ""));
+}
+function redactCommand(command) {
+  return command.replace(SECRET_COMMAND_PATTERN, (_fullMatch, commandName) => {
+    return `${commandName.toUpperCase()} ${REDACTED}`;
+  });
+}
+function redactValue(value) {
+  if (typeof value === "string") {
+    return redactCommand(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => redactValue(item));
+  }
+  if (value !== null && typeof value === "object") {
+    return redactObject(value);
+  }
+  return value;
+}
+function redactObject(input) {
+  return Object.fromEntries(
+    Object.entries(input).map(([key, value]) => {
+      if (isSensitiveKey(key)) {
+        return [key, REDACTED];
+      }
+      if (URL_KEY_PATTERN.test(key) && typeof value === "string") {
+        return [key, redactUrlForLogging(value)];
+      }
+      return [key, redactValue(value)];
+    })
+  );
+}
+function redactUrlForLogging(url) {
+  let parsed;
+  try {
+    parsed = typeof url === "string" ? new URL(url) : url;
+  } catch {
+    return REDACTED;
+  }
+  const origin = parsed.host.length > 0 ? `${parsed.protocol}//${parsed.host}` : parsed.protocol;
+  const query = parsed.search.length > 0 ? `?${REDACTED}` : "";
+  return `${origin}${parsed.pathname}${query}`;
+}
+function redactErrorForLogging(error) {
+  if (error !== null && typeof error === "object") {
+    const candidate = error;
+    if (typeof candidate.toJSON === "function") {
+      return redactObject(candidate.toJSON());
+    }
+  }
+  if (error instanceof Error) {
+    return redactObject({ message: error.message, name: error.name });
+  }
+  return { message: redactValue(typeof error === "string" ? error : String(error)) };
+}
+
 // src/errors/ZeroTransferError.ts
 var ZeroTransferError = class extends Error {
   /** Stable machine-readable error code. */
@@ -184,6 +250,11 @@ var ZeroTransferError = class extends Error {
   /**
    * Serializes the error into a plain object suitable for logs or API responses.
    *
+   * `details` and `command` are passed through secret redaction so serialized
+   * errors never leak credentials, signed URLs, or raw protocol commands. The
+   * live {@link ZeroTransferError.details | details} property stays unredacted
+   * for programmatic consumers.
+   *
    * @returns A JSON-safe object containing public structured error fields.
    */
   toJSON() {
@@ -193,12 +264,12 @@ var ZeroTransferError = class extends Error {
       message: this.message,
       protocol: this.protocol,
       host: this.host,
-      command: this.command,
+      command: this.command === void 0 ? void 0 : redactCommand(this.command),
       ftpCode: this.ftpCode,
       sftpCode: this.sftpCode,
       path: this.path,
       retryable: this.retryable,
-      details: this.details
+      details: this.details === void 0 ? void 0 : redactObject(this.details)
     };
   }
 };
@@ -721,15 +792,20 @@ var ProviderRegistry = class {
 var TransferClient = class {
   /** Provider registry used by this client. */
   registry;
+  /** Execution defaults applied when call sites omit their own values. */
+  defaults;
   logger;
   /**
    * Creates a transfer client without opening any provider connections.
    *
-   * @param options - Optional registry, provider factories, and logger.
+   * @param options - Optional registry, provider factories, logger, and execution defaults.
    */
   constructor(options = {}) {
     this.registry = options.registry ?? new ProviderRegistry();
     this.logger = options.logger ?? noopLogger;
+    if (options.defaults !== void 0) {
+      this.defaults = { ...options.defaults };
+    }
     for (const provider of options.providers ?? []) {
       this.registry.register(provider);
     }
@@ -1302,18 +1378,25 @@ var TransferEngine = class {
       for (let attemptNumber = 1; attemptNumber <= maxAttempts; attemptNumber += 1) {
         this.throwIfAborted(abortScope.signal, job);
         const attemptStartedAt = this.now();
+        const attemptScope = createAttemptScope(
+          abortScope.signal,
+          options.timeout,
+          job,
+          attemptNumber
+        );
         const context = this.createExecutionContext(
           job,
           attemptNumber,
           attemptStartedAt,
           options,
-          abortScope.signal,
+          attemptScope.signal,
           (bytesTransferred) => {
             latestBytesTransferred = bytesTransferred;
-          }
+          },
+          attemptScope.notifyProgress
         );
         try {
-          const result = await runExecutor(executor, context, abortScope.signal, job);
+          const result = await runExecutor(executor, context, attemptScope.signal, job);
           context.throwIfAborted();
           latestBytesTransferred = result.bytesTransferred;
           const completedAt = this.now();
@@ -1331,16 +1414,27 @@ var TransferEngine = class {
             summarizeError(error)
           );
           attempts.push(attempt);
-          if (error instanceof AbortError || error instanceof TimeoutError) {
+          if (error instanceof AbortError || abortScope.signal?.aborted === true) {
             throw error;
           }
-          const retryInput = { attempt: attemptNumber, error, job };
+          const retryInput = {
+            attempt: attemptNumber,
+            elapsedMs: Math.max(0, completedAt.getTime() - startedAt.getTime()),
+            error,
+            job
+          };
           const shouldRetry = attemptNumber < maxAttempts && (options.retry?.shouldRetry?.(retryInput) ?? isRetryable(error));
           if (shouldRetry) {
             options.retry?.onRetry?.(retryInput);
+            const delayMs = normalizeDelayMs(options.retry?.getDelayMs?.(retryInput));
+            if (delayMs > 0) {
+              await sleepWithAbort(delayMs, abortScope.signal, job);
+            }
             continue;
           }
           throw createTransferFailure(job, error, attempts);
+        } finally {
+          attemptScope.dispose();
         }
       }
       throw createTransferFailure(job, void 0, attempts);
@@ -1348,12 +1442,13 @@ var TransferEngine = class {
       abortScope.dispose();
     }
   }
-  createExecutionContext(job, attempt, startedAt, options, signal, updateBytesTransferred) {
+  createExecutionContext(job, attempt, startedAt, options, signal, updateBytesTransferred, notifyProgress) {
     const context = {
       attempt,
       job,
       reportProgress: (bytesTransferred, totalBytes) => {
         this.throwIfAborted(signal, job);
+        notifyProgress();
         updateBytesTransferred(bytesTransferred);
         const progressInput = {
           bytesTransferred,
@@ -1422,6 +1517,96 @@ function createAbortScope(parentSignal, timeout, job) {
     signal: controller.signal
   };
 }
+function createAttemptScope(parentSignal, timeout, job, attempt) {
+  const attemptTimeoutMs = normalizeTimeoutMs(timeout?.attemptTimeoutMs);
+  const stallTimeoutMs = normalizeTimeoutMs(timeout?.stallTimeoutMs);
+  if (attemptTimeoutMs === void 0 && stallTimeoutMs === void 0) {
+    const scope = {
+      dispose: () => void 0,
+      notifyProgress: () => void 0
+    };
+    if (parentSignal !== void 0) scope.signal = parentSignal;
+    return scope;
+  }
+  const controller = new AbortController();
+  const retryable = timeout?.retryable ?? true;
+  const abortFromParent = () => controller.abort(parentSignal?.reason);
+  if (parentSignal?.aborted === true) {
+    abortFromParent();
+  } else {
+    parentSignal?.addEventListener("abort", abortFromParent, { once: true });
+  }
+  const attemptTimer = attemptTimeoutMs === void 0 ? void 0 : setTimeout(() => {
+    controller.abort(
+      new TimeoutError({
+        details: { attempt, attemptTimeoutMs, jobId: job.id, operation: job.operation },
+        message: `Transfer attempt ${String(attempt)} timed out after ${String(attemptTimeoutMs)}ms: ${job.id}`,
+        retryable
+      })
+    );
+  }, attemptTimeoutMs);
+  let stallTimer;
+  const armStallWatchdog = () => {
+    if (stallTimeoutMs === void 0 || controller.signal.aborted) return;
+    if (stallTimer !== void 0) clearTimeout(stallTimer);
+    stallTimer = setTimeout(() => {
+      controller.abort(
+        new TimeoutError({
+          details: { attempt, jobId: job.id, operation: job.operation, stallTimeoutMs },
+          message: `Transfer attempt ${String(attempt)} stalled (no progress for ${String(stallTimeoutMs)}ms): ${job.id}`,
+          retryable
+        })
+      );
+    }, stallTimeoutMs);
+  };
+  armStallWatchdog();
+  return {
+    dispose: () => {
+      if (attemptTimer !== void 0) clearTimeout(attemptTimer);
+      if (stallTimer !== void 0) clearTimeout(stallTimer);
+      parentSignal?.removeEventListener("abort", abortFromParent);
+    },
+    notifyProgress: armStallWatchdog,
+    signal: controller.signal
+  };
+}
+function sleepWithAbort(delayMs, signal, job) {
+  return new Promise((resolve, reject) => {
+    if (signal === void 0) {
+      setTimeout(resolve, delayMs);
+      return;
+    }
+    if (signal.aborted) {
+      reject(toAbortFailure(signal, job));
+      return;
+    }
+    const rejectAbort = () => {
+      clearTimeout(timer);
+      reject(toAbortFailure(signal, job));
+    };
+    const timer = setTimeout(() => {
+      signal.removeEventListener("abort", rejectAbort);
+      resolve();
+    }, delayMs);
+    signal.addEventListener("abort", rejectAbort, { once: true });
+  });
+}
+function toAbortFailure(signal, job) {
+  if (signal.reason instanceof ZeroTransferError) {
+    return signal.reason;
+  }
+  return new AbortError({
+    details: { jobId: job.id, operation: job.operation },
+    message: `Transfer job aborted: ${job.id}`,
+    retryable: false
+  });
+}
+function normalizeDelayMs(value) {
+  if (value === void 0 || !Number.isFinite(value) || value <= 0) {
+    return 0;
+  }
+  return Math.floor(value);
+}
 function normalizeTimeoutMs(value) {
   if (value === void 0 || !Number.isFinite(value) || value <= 0) {
     return void 0;
@@ -1590,7 +1775,7 @@ async function runRoute(options) {
     const executor = createProviderTransferExecutor({
       resolveSession: ({ role }) => sessions.get(role)
     });
-    return await engine.execute(job, executor, buildExecuteOptions(options));
+    return await engine.execute(job, executor, buildExecuteOptions(options, client));
   } finally {
     if (destinationSession !== void 0) {
       await destinationSession.disconnect();
@@ -1627,12 +1812,14 @@ function defaultJobId(route, now) {
   const timestamp = (now?.() ?? /* @__PURE__ */ new Date()).getTime();
   return `route:${route.id}:${timestamp.toString(36)}`;
 }
-function buildExecuteOptions(options) {
+function buildExecuteOptions(options, client) {
   const execute = {};
+  const retry = options.retry ?? client.defaults?.retry;
+  const timeout = options.timeout ?? client.defaults?.timeout;
   if (options.signal !== void 0) execute.signal = options.signal;
-  if (options.retry !== void 0) execute.retry = options.retry;
+  if (retry !== void 0) execute.retry = retry;
   if (options.onProgress !== void 0) execute.onProgress = options.onProgress;
-  if (options.timeout !== void 0) execute.timeout = options.timeout;
+  if (timeout !== void 0) execute.timeout = timeout;
   if (options.bandwidthLimit !== void 0) execute.bandwidthLimit = options.bandwidthLimit;
   return execute;
 }
@@ -1689,41 +1876,6 @@ function defaultRouteSuffix(source, destination) {
   return `${source}->${destination}`;
 }
 
-// src/logging/redaction.ts
-var REDACTED = "[REDACTED]";
-var SENSITIVE_KEY_PATTERN = /(?:password|passphrase|privatekey|token|secret|username|user)$/i;
-var SECRET_COMMAND_PATTERN = /^(PASS|USER|ACCT)\s+(.+)$/i;
-function isSensitiveKey(key) {
-  return SENSITIVE_KEY_PATTERN.test(key.replace(/[_-]/g, ""));
-}
-function redactCommand(command) {
-  return command.replace(SECRET_COMMAND_PATTERN, (_fullMatch, commandName) => {
-    return `${commandName.toUpperCase()} ${REDACTED}`;
-  });
-}
-function redactValue(value) {
-  if (typeof value === "string") {
-    return redactCommand(value);
-  }
-  if (Array.isArray(value)) {
-    return value.map((item) => redactValue(item));
-  }
-  if (value !== null && typeof value === "object") {
-    return redactObject(value);
-  }
-  return value;
-}
-function redactObject(input) {
-  return Object.fromEntries(
-    Object.entries(input).map(([key, value]) => {
-      if (isSensitiveKey(key)) {
-        return [key, REDACTED];
-      }
-      return [key, redactValue(value)];
-    })
-  );
-}
-
 // src/profiles/SecretSource.ts
 var import_node_buffer2 = require("buffer");
 var import_promises = require("fs/promises");
@@ -2095,11 +2247,11 @@ var import_promises2 = require("fs/promises");
 var import_node_path2 = __toESM(require("path"));
 
 // src/utils/path.ts
-var UNSAFE_FTP_ARGUMENT_PATTERN = /[\r\n]/;
+var UNSAFE_FTP_ARGUMENT_PATTERN = /[\r\n\0]/;
 function assertSafeFtpArgument(value, label = "path") {
   if (UNSAFE_FTP_ARGUMENT_PATTERN.test(value)) {
     throw new ConfigurationError({
-      message: `Unsafe FTP ${label}: CR and LF characters are not allowed`,
+      message: `Unsafe FTP ${label}: CR, LF, and NUL characters are not allowed`,
       retryable: false,
       details: {
         label
@@ -3401,7 +3553,6 @@ function expandAlgorithms(values) {
 }
 
 // src/profiles/importers/FileZillaImporter.ts
-var import_node_buffer5 = require("buffer");
 function importFileZillaSites(xml) {
   const events = tokenizeXml(xml);
   if (events.length === 0) {
@@ -3417,7 +3568,6 @@ function importFileZillaSites(xml) {
   const folderNamePending = [];
   let inServer = false;
   let serverFields = {};
-  let serverPasswordEncoding;
   let activeTag;
   let captureFolderName = false;
   for (const event of events) {
@@ -3430,13 +3580,9 @@ function importFileZillaSites(xml) {
       if (event.name === "Server") {
         inServer = true;
         serverFields = {};
-        serverPasswordEncoding = void 0;
         continue;
       }
       activeTag = event.name;
-      if (event.name === "Pass" && inServer) {
-        serverPasswordEncoding = event.attributes["encoding"];
-      }
       if (event.name === "Name" && !inServer && folderNamePending.length > 0) {
         captureFolderName = true;
       }
@@ -3462,7 +3608,7 @@ function importFileZillaSites(xml) {
       }
       if (event.name === "Server") {
         const folder = folderStack.filter((segment) => segment !== "");
-        const result = buildSiteFromFields(serverFields, serverPasswordEncoding);
+        const result = buildSiteFromFields(serverFields);
         if (result.kind === "site") {
           sites.push({ ...result.site, folder });
         } else {
@@ -3474,7 +3620,6 @@ function importFileZillaSites(xml) {
         }
         inServer = false;
         serverFields = {};
-        serverPasswordEncoding = void 0;
         activeTag = void 0;
         continue;
       }
@@ -3483,7 +3628,7 @@ function importFileZillaSites(xml) {
   }
   return { sites, skipped };
 }
-function buildSiteFromFields(fields, passwordEncoding) {
+function buildSiteFromFields(fields) {
   const name = (fields["Name"] ?? fields["Host"] ?? "Untitled").trim();
   const host = (fields["Host"] ?? "").trim();
   if (host === "") return { kind: "skipped", name };
@@ -3502,18 +3647,9 @@ function buildSiteFromFields(fields, passwordEncoding) {
   }
   const user = fields["User"]?.trim();
   if (user !== void 0 && user !== "") profile.username = { value: user };
-  let password;
   const rawPass = fields["Pass"];
-  if (rawPass !== void 0 && rawPass !== "") {
-    if (passwordEncoding === "base64") {
-      password = import_node_buffer5.Buffer.from(rawPass, "base64").toString("utf8");
-    } else {
-      password = rawPass;
-    }
-    if (password !== void 0 && password !== "") profile.password = { value: password };
-  }
-  const site = { name, profile };
-  if (password !== void 0) site.password = password;
+  const hasStoredPassword = rawPass !== void 0 && rawPass !== "";
+  const site = { hasStoredPassword, name, profile };
   const logonText = fields["Logontype"];
   if (logonText !== void 0) {
     const logonType = Number.parseInt(logonText.trim(), 10);
@@ -3756,6 +3892,62 @@ function mapFtp550(details) {
   return new PermissionDeniedError(details);
 }
 
+// src/transfers/createDefaultRetryPolicy.ts
+var DEFAULT_MAX_ATTEMPTS = 4;
+var DEFAULT_BASE_DELAY_MS = 250;
+var DEFAULT_MAX_DELAY_MS = 3e4;
+var DEFAULT_MAX_ELAPSED_MS = 3e5;
+function createDefaultRetryPolicy(options = {}) {
+  const maxAttempts = normalizePositiveInteger(options.maxAttempts, DEFAULT_MAX_ATTEMPTS);
+  const baseDelayMs = normalizeNonNegative(options.baseDelayMs, DEFAULT_BASE_DELAY_MS);
+  const maxDelayMs = normalizeNonNegative(options.maxDelayMs, DEFAULT_MAX_DELAY_MS);
+  const maxElapsedMs = normalizeNonNegative(options.maxElapsedMs, DEFAULT_MAX_ELAPSED_MS);
+  const random = options.random ?? Math.random;
+  return {
+    getDelayMs(input) {
+      const retryAfterMs = readRetryAfterMs(input.error);
+      if (retryAfterMs !== void 0) {
+        return retryAfterMs;
+      }
+      const exponentialMs = baseDelayMs * 2 ** (input.attempt - 1);
+      const cappedMs = Math.min(maxDelayMs, exponentialMs);
+      return Math.floor(random() * cappedMs);
+    },
+    maxAttempts,
+    shouldRetry(input) {
+      if (!(input.error instanceof ZeroTransferError) || !input.error.retryable) {
+        return false;
+      }
+      if (input.elapsedMs >= maxElapsedMs) {
+        return false;
+      }
+      const retryAfterMs = readRetryAfterMs(input.error);
+      if (retryAfterMs !== void 0 && input.elapsedMs + retryAfterMs > maxElapsedMs) {
+        return false;
+      }
+      return true;
+    }
+  };
+}
+function readRetryAfterMs(error) {
+  if (!(error instanceof ZeroTransferError)) return void 0;
+  const value = error.details?.["retryAfterMs"];
+  if (typeof value !== "number" || !Number.isFinite(value) || value < 0) return void 0;
+  return Math.floor(value);
+}
+function normalizePositiveInteger(value, fallback) {
+  if (value === void 0 || !Number.isFinite(value) || value < 1) {
+    return fallback;
+  }
+  return Math.floor(value);
+}
+function normalizeNonNegative(value, fallback) {
+  if (value === void 0 || !Number.isFinite(value) || value < 0) {
+    return fallback;
+  }
+  return Math.floor(value);
+}
+
 // src/transfers/TransferPlan.ts
 function createTransferPlan(input) {
   const plan = {
@@ -3853,8 +4045,8 @@ var TransferQueue = class {
     this.concurrency = normalizeConcurrency(options.concurrency);
     this.defaultExecutor = options.executor;
     this.resolveExecutor = options.resolveExecutor;
-    this.retry = options.retry;
-    this.timeout = options.timeout;
+    this.retry = options.retry ?? options.client?.defaults?.retry;
+    this.timeout = options.timeout ?? options.client?.defaults?.timeout;
     this.bandwidthLimit = options.bandwidthLimit;
     this.onProgress = options.onProgress;
     this.onReceipt = options.onReceipt;
@@ -5267,6 +5459,7 @@ async function dispatchWebhook(options) {
   return { attempts: attempt, delivered: false, status: lastStatus };
 }
 function createWebhookAuditLog(options) {
+  validateTarget(options.target);
   return {
     list: () => Promise.resolve([]),
     record: async (entry) => {
@@ -5289,6 +5482,24 @@ function validateTarget(target) {
       retryable: false
     });
   }
+  let parsed;
+  try {
+    parsed = new URL(target.url);
+  } catch (error) {
+    throw new ConfigurationError({
+      cause: error,
+      details: { url: target.url },
+      message: "Webhook target url must be an absolute URL",
+      retryable: false
+    });
+  }
+  if (parsed.protocol === "https:") return;
+  if (parsed.protocol === "http:" && target.allowInsecureUrl === true) return;
+  throw new ConfigurationError({
+    details: { protocol: parsed.protocol, url: target.url },
+    message: parsed.protocol === "http:" ? "Webhook target url must use https; set allowInsecureUrl: true to permit cleartext http delivery" : `Webhook target url must use https, got "${parsed.protocol}"`,
+    retryable: false
+  });
 }
 function normalizeRetry(retry) {
   return {
@@ -5325,6 +5536,26 @@ var ApprovalRejectedError = class _ApprovalRejectedError extends ZeroTransferErr
   }
   request;
 };
+var ApprovalTimeoutError = class _ApprovalTimeoutError extends ZeroTransferError {
+  /**
+   * Creates an approval timeout error.
+   *
+   * @param request - The approval request that timed out while pending.
+   * @param timeoutMs - Configured timeout window in milliseconds.
+   */
+  constructor(request, timeoutMs) {
+    super({
+      code: "approval_timeout",
+      details: { approvalId: request.id, routeId: request.routeId, timeoutMs },
+      message: `Approval "${request.id}" for route "${request.routeId}" timed out after ${String(timeoutMs)}ms`,
+      retryable: false
+    });
+    this.request = request;
+    Object.setPrototypeOf(this, _ApprovalTimeoutError.prototype);
+    this.name = "ApprovalTimeoutError";
+  }
+  request;
+};
 var ApprovalRegistry = class {
   requests = /* @__PURE__ */ new Map();
   pending = /* @__PURE__ */ new Map();
@@ -5450,9 +5681,27 @@ function createApprovalGate(options) {
     };
     if (input.signal.aborted) onAbort();
     input.signal.addEventListener("abort", onAbort);
+    let timeoutTimer;
+    const timeoutMs = options.timeoutMs;
+    const pendingPromises = [settled];
+    if (timeoutMs !== void 0) {
+      pendingPromises.push(
+        new Promise((_resolve, reject) => {
+          timeoutTimer = setTimeout(() => {
+            const current = options.registry.get(approvalId) ?? request;
+            reject(new ApprovalTimeoutError(current, timeoutMs));
+            if (current.status === "pending") {
+              settled.catch(() => void 0);
+              options.registry.reject(approvalId, { reason: "timeout" }, now());
+            }
+          }, timeoutMs);
+        })
+      );
+    }
     try {
-      await settled;
+      await Promise.race(pendingPromises);
     } finally {
+      if (timeoutTimer !== void 0) clearTimeout(timeoutTimer);
       input.signal.removeEventListener("abort", onAbort);
     }
     return options.runner(input);
@@ -5812,6 +6061,7 @@ var defaultRunner = ({ client, route, signal }) => {
   AbortError,
   ApprovalRegistry,
   ApprovalRejectedError,
+  ApprovalTimeoutError,
   AuthenticationError,
   AuthorizationError,
   CLASSIC_PROVIDER_IDS,
@@ -5849,6 +6099,7 @@ var defaultRunner = ({ client, route, signal }) => {
   createApprovalGate,
   createAtomicDeployPlan,
   createBandwidthThrottle,
+  createDefaultRetryPolicy,
   createInboxRoute,
   createJsonlAuditLog,
   createLocalProviderFactory,
@@ -5896,8 +6147,10 @@ var defaultRunner = ({ client, route, signal }) => {
   parseRemoteManifest,
   redactCommand,
   redactConnectionProfile,
+  redactErrorForLogging,
   redactObject,
   redactSecretSource,
+  redactUrlForLogging,
   redactValue,
   resolveConnectionProfileSecrets,
   resolveOpenSshHost,