@zonko-ai/harbor 0.1.0

package/dist/api.js

@@ -0,0 +1,842 @@
+import { userInfo } from 'node:os';
+import { detectLocalHostCliAuthReferences, detectLocalSecretBindings } from './local-config.js';
+import { ensureLocalRuntime, persistLocalProfileSessionState, requestLocalApiViaDaemon } from './local-daemon.js';
+import { detectClaimPlatform, serializeRuntimeAttributionHeader } from './runtime-attribution.js';
+import { buildFingerprint, findWorkspaceRoot, getCatalog, getProfile, isDaemonManagedProfile, isLocalProfile, saveCatalog, saveProfile } from './state.js';
+export class ApiError extends Error {
+    status;
+    code;
+    payload;
+    constructor(status, code, message, payload) {
+        super(message);
+        this.status = status;
+        this.code = code;
+        this.payload = payload;
+    }
+}
+const withTimeout = (ms) => AbortSignal.timeout(ms);
+const parseBody = async (response) => {
+    const contentType = response.headers.get('content-type') ?? '';
+    if (contentType.includes('application/json')) {
+        return response.json();
+    }
+    const text = await response.text();
+    if (!text) {
+        return null;
+    }
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return text;
+    }
+};
+let claimAutoRestoreInFlight = null;
+const isExpired = (value, skewMs = 30_000) => {
+    if (!value) {
+        return true;
+    }
+    const expiresAt = Date.parse(value);
+    if (Number.isNaN(expiresAt)) {
+        return true;
+    }
+    return expiresAt <= Date.now() + skewMs;
+};
+const buildDevOwnerIdentity = () => {
+    const profile = getProfile();
+    const username = userInfo().username.trim().replace(/[^a-zA-Z0-9._+-]+/g, '-').replace(/^-+|-+$/g, '') || 'local';
+    return {
+        email: profile.owner ?? process.env.HARBOR_DEV_OWNER_EMAIL ?? `${username}@harbor.local`,
+        display_name: profile.owner_display_name ?? process.env.HARBOR_DEV_OWNER_NAME ?? userInfo().username,
+    };
+};
+const tokenForAuthMode = (auth) => {
+    const profile = getProfile();
+    if (auth === 'agent') {
+        return !isExpired(profile.token_expires_at) ? profile.agent_token : null;
+    }
+    if (auth === 'owner') {
+        return !isExpired(profile.owner_token_expires_at) ? profile.owner_token : null;
+    }
+    if (auth === 'session') {
+        if (profile.agent_token && !isExpired(profile.token_expires_at)) {
+            return profile.agent_token;
+        }
+        if (profile.owner_token && !isExpired(profile.owner_token_expires_at)) {
+            return profile.owner_token;
+        }
+    }
+    return null;
+};
+const buildHeaders = (auth, extraHeaders) => {
+    const headers = {
+        Accept: 'application/json',
+        ...extraHeaders,
+    };
+    const token = tokenForAuthMode(auth);
+    if (token) {
+        headers.Authorization = `Bearer ${token}`;
+    }
+    return headers;
+};
+const resolveApiUrl = async () => {
+    const profile = getProfile();
+    if (isDaemonManagedProfile(profile)) {
+        await ensureLocalRuntime();
+    }
+    const resolvedProfile = getProfile(profile.profile_slug);
+    if (!resolvedProfile.api_url) {
+        throw new ApiError(0, 'profile_missing', isDaemonManagedProfile(resolvedProfile)
+            ? 'Local Harbor is not ready. Start it with `harbor dev up`.'
+            : 'No Harbor API is configured for this profile.');
+    }
+    return resolvedProfile.api_url;
+};
+const tryAutoRestoreApprovedClaim = async () => {
+    if (claimAutoRestoreInFlight) {
+        return await claimAutoRestoreInFlight;
+    }
+    claimAutoRestoreInFlight = (async () => {
+        const profile = getProfile();
+        const displayName = profile.pending_claim_display_name;
+        if (!displayName || profile.agent_token) {
+            return false;
+        }
+        try {
+            const claim = await claimAgent(displayName);
+            return claim.result === 'claimed' || claim.result === 'restored';
+        }
+        catch {
+            return false;
+        }
+        finally {
+            claimAutoRestoreInFlight = null;
+        }
+    })();
+    return await claimAutoRestoreInFlight;
+};
+export const request = async (method, path, body, timeoutMs = 10_000, extraHeaders, auth = 'session') => {
+    if ((auth === 'agent' || auth === 'session') && !tokenForAuthMode(auth)) {
+        await tryAutoRestoreApprovedClaim();
+    }
+    const profile = getProfile();
+    const headers = {
+        ...buildHeaders(auth, extraHeaders),
+        ...(body ? { 'Content-Type': 'application/json' } : {}),
+    };
+    if (method.toUpperCase() === 'POST' && !headers['Idempotency-Key'] && !headers['idempotency-key']) {
+        headers['Idempotency-Key'] = crypto.randomUUID();
+    }
+    let status = 0;
+    let payload;
+    let statusText = 'Request failed';
+    if (isDaemonManagedProfile(profile)) {
+        await ensureLocalRuntime();
+        const proxied = await requestLocalApiViaDaemon(method, path, body, headers, auth, timeoutMs);
+        status = proxied.status;
+        payload = proxied.body;
+    }
+    else {
+        const apiUrl = await resolveApiUrl();
+        const response = await fetch(`${apiUrl}${path}`, {
+            method,
+            headers,
+            body: body ? JSON.stringify(body) : undefined,
+            signal: withTimeout(timeoutMs),
+        });
+        status = response.status;
+        statusText = response.statusText;
+        payload = await parseBody(response);
+    }
+    if (status < 200 || status >= 300) {
+        const record = pickRecord(payload);
+        const errorRecord = pickRecord(record.error);
+        const message = pickString(record.message, errorRecord.message, typeof record.error === 'string' ? record.error : null, statusText) ?? 'Request failed';
+        const code = pickString(record.code, errorRecord.code) ?? `http_${status}`;
+        throw new ApiError(status, code, message, payload);
+    }
+    return payload;
+};
+const pickRecord = (value) => {
+    if (typeof value === 'object' && value !== null) {
+        return value;
+    }
+    return {};
+};
+const pickString = (...values) => {
+    for (const value of values) {
+        if (typeof value === 'string' && value.length > 0) {
+            return value;
+        }
+    }
+    return null;
+};
+const pickNumber = (...values) => {
+    for (const value of values) {
+        if (typeof value === 'number' && Number.isFinite(value)) {
+            return value;
+        }
+    }
+    return null;
+};
+const pickBoolean = (...values) => {
+    for (const value of values) {
+        if (typeof value === 'boolean') {
+            return value;
+        }
+    }
+    return null;
+};
+const normalizeJsonSchema = (value) => {
+    const record = pickRecord(value);
+    return Object.keys(record).length > 0 ? record : undefined;
+};
+const RUNTIME_INJECTION_KINDS = new Set([
+    'owner_identity',
+    'agent_identity',
+    'execution_context',
+    'service_connection',
+    'service_lookup',
+    'service_route',
+]);
+const RUNTIME_INJECTION_ROUTE_FALLBACKS = new Set([
+    'agent',
+    'owner',
+    'single_active_account',
+]);
+const normalizeRuntimeInjectionRequirement = (value) => {
+    const record = pickRecord(value);
+    const name = pickString(record.name);
+    const kind = pickString(record.kind);
+    if (!name || !kind || !RUNTIME_INJECTION_KINDS.has(kind)) {
+        return null;
+    }
+    return {
+        name,
+        kind: kind,
+        required: pickBoolean(record.required) ?? undefined,
+        service: pickString(record.service) ?? undefined,
+        lookup: pickString(record.lookup) ?? undefined,
+        input_path: pickString(record.input_path) ?? undefined,
+        selector_template: Object.keys(pickRecord(record.selector_template)).length > 0 ? pickRecord(record.selector_template) : undefined,
+        compatibility_template: Object.keys(pickRecord(record.compatibility_template)).length > 0 ? pickRecord(record.compatibility_template) : undefined,
+        fallback_order: Array.isArray(record.fallback_order)
+            ? record.fallback_order.filter((entry) => typeof entry === 'string' && RUNTIME_INJECTION_ROUTE_FALLBACKS.has(entry))
+            : undefined,
+        secret_refs: Array.isArray(record.secret_refs)
+            ? record.secret_refs.filter((entry) => typeof entry === 'string' && entry.length > 0)
+            : undefined,
+    };
+};
+const normalizeRuntimeInjection = (value) => {
+    const record = pickRecord(value);
+    const requirements = Array.isArray(record.requirements)
+        ? record.requirements.flatMap((requirement) => {
+            const normalized = normalizeRuntimeInjectionRequirement(requirement);
+            return normalized ? [normalized] : [];
+        })
+        : [];
+    const exports = typeof record.exports === 'object' && record.exports !== null
+        ? Object.fromEntries(Object.entries(record.exports).filter((entry) => typeof entry[1] === 'string' && entry[1].length > 0))
+        : undefined;
+    const auditContextKeys = Array.isArray(pickRecord(record.audit).context_keys)
+        ? pickRecord(record.audit).context_keys.filter((entry) => typeof entry === 'string' && entry.length > 0)
+        : undefined;
+    if (requirements.length === 0 && !exports && !auditContextKeys?.length) {
+        return undefined;
+    }
+    return {
+        requirements,
+        exports,
+        audit: auditContextKeys?.length ? { context_keys: auditContextKeys } : undefined,
+    };
+};
+const normalizeSnapshot = (value) => {
+    const record = pickRecord(value);
+    const capabilityRecord = pickRecord(record.capability);
+    const slug = pickString(record.slug, record.capability_slug, capabilityRecord.slug);
+    if (!slug) {
+        return null;
+    }
+    const cliSurface = pickRecord(pickRecord(record.surface).cli);
+    const policy = pickRecord(record.policy);
+    const binding = pickRecord(record.binding);
+    const contract = pickRecord(record.contract);
+    const runtimeInjection = normalizeRuntimeInjection(record.runtime_injection);
+    return {
+        snapshot_id: pickString(record.snapshot_id) ?? undefined,
+        version_id: pickString(record.version_id) ?? undefined,
+        capability: {
+            slug,
+            title: pickString(capabilityRecord.title, record.title) ?? undefined,
+            description: pickString(capabilityRecord.description, record.description, cliSurface.summary) ?? undefined,
+            category: pickString(capabilityRecord.category, record.category, slug.split('.')[0]) ?? undefined,
+        },
+        contract: {
+            input_schema: normalizeJsonSchema(contract.input_schema ?? record.input_schema),
+            output_schema: normalizeJsonSchema(contract.output_schema ?? record.output_schema),
+            execution_mode: pickString(contract.execution_mode, record.execution_mode) ?? undefined,
+        },
+        binding: {
+            adapter_type: pickString(binding.adapter_type, record.adapter_type) ?? undefined,
+            adapter_operation: pickString(binding.adapter_operation) ?? undefined,
+            provider_ref: pickString(binding.provider_ref) ?? undefined,
+            config: pickRecord(binding.config),
+        },
+        policy: {
+            grant_required: pickBoolean(policy.grant_required) ?? undefined,
+            approval_mode: pickString(policy.approval_mode) ?? undefined,
+            authorization: {
+                mode: pickString(pickRecord(policy.authorization).mode) ?? undefined,
+                subject: pickString(pickRecord(policy.authorization).subject) ?? undefined,
+                owner_scope_field: pickString(pickRecord(policy.authorization).owner_scope_field) ?? undefined,
+                agent_field: pickString(pickRecord(policy.authorization).agent_field) ?? undefined,
+            },
+            constraint_shape: pickRecord(policy.constraint_shape),
+        },
+        secrets: {
+            required_refs: Array.isArray(pickRecord(record.secrets).required_refs)
+                ? pickRecord(record.secrets).required_refs.flatMap((secret) => {
+                    const name = pickString(secret.name);
+                    const kind = pickString(secret.kind);
+                    const purpose = pickString(secret.purpose);
+                    return name && kind && purpose ? [{ name, kind, purpose }] : [];
+                })
+                : [],
+        },
+        runtime_injection: runtimeInjection,
+        surface: {
+            cli: {
+                display_name: pickString(cliSurface.display_name) ?? undefined,
+                summary: pickString(cliSurface.summary, capabilityRecord.description, record.description) ?? undefined,
+                args: Array.isArray(cliSurface.args)
+                    ? cliSurface.args.map((arg) => {
+                        const argRecord = pickRecord(arg);
+                        return {
+                            name: pickString(argRecord.name) ?? '',
+                            type: pickString(argRecord.type) ?? undefined,
+                            required: pickBoolean(argRecord.required) ?? undefined,
+                            positional: pickBoolean(argRecord.positional) ?? undefined,
+                            description: pickString(argRecord.description) ?? undefined,
+                        };
+                    }).filter((arg) => arg.name)
+                    : [],
+                examples: Array.isArray(cliSurface.examples)
+                    ? cliSurface.examples.filter((example) => typeof example === 'string')
+                    : [],
+                plain_output_keys: Array.isArray(cliSurface.plain_output_keys)
+                    ? cliSurface.plain_output_keys.filter((key) => typeof key === 'string')
+                    : [],
+            },
+        },
+        published_at: pickString(record.published_at) ?? undefined,
+    };
+};
+const normalizeCapabilitySummary = (value) => {
+    const record = pickRecord(value);
+    const snapshot = normalizeSnapshot(record.snapshot ?? value);
+    const slug = pickString(record.slug, record.name, record.capability_slug, snapshot?.capability.slug);
+    if (!slug) {
+        return null;
+    }
+    const granted = pickBoolean(record.granted);
+    const defaultState = snapshot
+        ? granted === true
+            ? 'ready'
+            : snapshot.policy?.grant_required
+                ? 'approval_required'
+                : 'published'
+        : 'unknown';
+    return {
+        slug,
+        state: pickString(record.state, record.status) ?? defaultState,
+        summary: pickString(record.summary, snapshot?.surface?.cli?.summary, snapshot?.capability.description) ?? '',
+        granted,
+        missing_secret_refs: Array.isArray(record.missing_secret_refs)
+            ? record.missing_secret_refs.filter((entry) => typeof entry === 'string' && entry.length > 0)
+            : undefined,
+        service_state: pickString(record.service_state) === 'linked' || pickString(record.service_state) === 'unlinked'
+            ? pickString(record.service_state)
+            : undefined,
+        snapshot,
+    };
+};
+export const normalizeCatalog = (payload) => {
+    const record = pickRecord(payload);
+    const items = Array.isArray(payload)
+        ? payload
+        : Array.isArray(record.capabilities)
+            ? record.capabilities
+            : Array.isArray(record.items)
+                ? record.items
+                : [];
+    return items.flatMap((item) => {
+        const normalized = normalizeCapabilitySummary(item);
+        return normalized ? [normalized] : [];
+    });
+};
+export const fetchCatalog = async (timeoutMs = 2_500) => {
+    const profile = getProfile();
+    const cachedCatalog = getCatalog();
+    const requestHeaders = buildHeaders('session', cachedCatalog?.etag ? { 'If-None-Match': cachedCatalog.etag } : undefined);
+    let status = 0;
+    let payload;
+    let etag = null;
+    let statusText = 'Request failed';
+    if (isDaemonManagedProfile(profile)) {
+        await ensureLocalRuntime();
+        const proxied = await requestLocalApiViaDaemon('GET', '/v1/capabilities', undefined, requestHeaders, 'session', timeoutMs);
+        status = proxied.status;
+        payload = proxied.body;
+        etag = pickString(proxied.headers.etag, proxied.headers.ETag);
+    }
+    else {
+        const apiUrl = await resolveApiUrl();
+        const response = await fetch(`${apiUrl}/v1/capabilities`, {
+            method: 'GET',
+            headers: requestHeaders,
+            signal: withTimeout(timeoutMs),
+        });
+        status = response.status;
+        statusText = response.statusText;
+        etag = response.headers.get('etag');
+        payload = await parseBody(response);
+    }
+    if (status === 304 && cachedCatalog) {
+        return cachedCatalog.capabilities;
+    }
+    if (status < 200 || status >= 300) {
+        const record = pickRecord(payload);
+        const errorRecord = pickRecord(record.error);
+        const message = pickString(record.message, errorRecord.message, typeof record.error === 'string' ? record.error : null, statusText) ?? 'Request failed';
+        const code = pickString(record.code, errorRecord.code) ?? `http_${status}`;
+        throw new ApiError(status, code, message, payload);
+    }
+    const capabilities = normalizeCatalog(payload);
+    saveCatalog(capabilities, etag);
+    return capabilities;
+};
+export const fetchCapability = async (slug) => {
+    const payload = await request('GET', `/v1/capabilities/${encodeURIComponent(slug)}`);
+    const record = pickRecord(payload);
+    const snapshot = normalizeSnapshot(record.snapshot ?? payload) ?? normalizeSnapshot(record.capability);
+    if (!snapshot) {
+        throw new ApiError(500, 'invalid_capability', `Capability payload for ${slug} is invalid`, payload);
+    }
+    return snapshot;
+};
+export const createDevOwnerSession = async () => {
+    const profile = getProfile();
+    const identity = buildDevOwnerIdentity();
+    const payload = await request('POST', '/v1/auth/dev-owner-sessions', {
+        email: identity.email,
+        display_name: identity.display_name,
+    }, 10_000, undefined, 'none');
+    const record = pickRecord(payload);
+    const ownerRecord = pickRecord(record.owner);
+    const normalized = {
+        owner_scope_id: pickString(ownerRecord.owner_id),
+        owner: pickString(ownerRecord.email, identity.email),
+        owner_display_name: pickString(ownerRecord.display_name, identity.display_name),
+        owner_token: pickString(record.owner_token),
+        expires_at: pickString(record.expires_at),
+    };
+    if (!normalized.owner_scope_id || !normalized.owner_token) {
+        throw new ApiError(500, 'invalid_owner_session', 'Dev owner session response is invalid', payload);
+    }
+    if (!(await persistLocalProfileSessionState({
+        profile_slug: profile.profile_slug,
+        owner_scope_id: normalized.owner_scope_id,
+        owner: normalized.owner,
+        owner_display_name: normalized.owner_display_name,
+        owner_token: normalized.owner_token,
+        owner_token_expires_at: normalized.expires_at,
+    }))) {
+        saveProfile({
+            profile_slug: profile.profile_slug,
+            owner_scope_id: normalized.owner_scope_id,
+            owner: normalized.owner,
+            owner_display_name: normalized.owner_display_name,
+            owner_token: normalized.owner_token,
+            owner_token_expires_at: normalized.expires_at,
+        });
+    }
+    return normalized;
+};
+export const ensureLocalOwnerSession = async () => {
+    const profile = getProfile();
+    if (!isLocalProfile(profile)) {
+        return null;
+    }
+    if (profile.owner_token && !isExpired(profile.owner_token_expires_at)) {
+        try {
+            await request('GET', '/v1/auth/whoami', undefined, 5_000, undefined, 'owner');
+            return {
+                owner_scope_id: profile.owner_scope_id,
+                owner: profile.owner,
+                owner_display_name: profile.owner_display_name,
+                owner_token: profile.owner_token,
+                expires_at: profile.owner_token_expires_at,
+            };
+        }
+        catch (error) {
+            if (!(error instanceof ApiError) || (error.status !== 401 && error.status !== 403)) {
+                throw error;
+            }
+        }
+    }
+    return createDevOwnerSession();
+};
+export const syncLocalSecretReferences = async () => {
+    const profile = getProfile();
+    if (!isLocalProfile(profile)) {
+        return;
+    }
+    await request('POST', '/v1/secret-references/host-cli-sync', {
+        refs: [
+            ...detectLocalSecretBindings(findWorkspaceRoot()),
+            ...detectLocalHostCliAuthReferences(findWorkspaceRoot()),
+        ],
+    }, 10_000, undefined, 'session');
+};
+export const claimAgent = async (displayName = 'Harbor CLI') => {
+    const profile = getProfile();
+    const payload = await request('POST', '/v1/auth/agent/claim-intents', {
+        profile_slug: profile.profile_slug,
+        display_name: displayName,
+        platform: detectClaimPlatform(),
+        fingerprint: buildFingerprint(),
+        workspace_root: findWorkspaceRoot(),
+        restore_token: null,
+    }, 10_000, undefined, tokenForAuthMode('owner') ? 'owner' : 'none');
+    const record = pickRecord(payload);
+    const result = pickString(record.result);
+    if (result !== 'claimed' && result !== 'restored' && result !== 'approval_required') {
+        throw new ApiError(500, 'invalid_claim_result', 'Claim response is missing a valid result', payload);
+    }
+    const normalized = {
+        result,
+        owner_scope_id: pickString(record.owner_scope_id),
+        agent_id: pickString(record.agent_id),
+        agent_display_name: pickString(record.agent_display_name),
+        approval_id: pickString(record.approval_id),
+        approval_url: pickString(record.approval_url),
+        owner: pickString(record.owner, record.owner_email, profile.owner),
+        profile_slug: pickString(record.profile_slug),
+        agent_token: pickString(record.agent_token),
+        expires_at: pickString(record.expires_at),
+    };
+    if (normalized.agent_token) {
+        if (!(await persistLocalProfileSessionState({
+            profile_slug: profile.profile_slug,
+            agent_id: normalized.agent_id,
+            owner_scope_id: normalized.owner_scope_id,
+            owner: normalized.owner,
+            agent_token: normalized.agent_token,
+            agent_token_expires_at: normalized.expires_at,
+            pending_claim_display_name: null,
+            pending_claim_approval_id: null,
+        }))) {
+            saveProfile({
+                profile_slug: profile.profile_slug,
+                agent_id: normalized.agent_id,
+                owner_scope_id: normalized.owner_scope_id,
+                owner: normalized.owner,
+                agent_token: normalized.agent_token,
+                token_expires_at: normalized.expires_at,
+                pending_claim_display_name: null,
+                pending_claim_approval_id: null,
+            });
+        }
+        void syncLocalSecretReferences().catch(() => undefined);
+    }
+    else if (normalized.result === 'approval_required') {
+        if (!(await persistLocalProfileSessionState({
+            profile_slug: profile.profile_slug,
+            pending_claim_display_name: displayName,
+            pending_claim_approval_id: normalized.approval_id,
+        }))) {
+            saveProfile({
+                profile_slug: profile.profile_slug,
+                pending_claim_display_name: displayName,
+                pending_claim_approval_id: normalized.approval_id,
+            });
+        }
+    }
+    return normalized;
+};
+export const fetchWhoAmI = async () => {
+    const payload = await request('GET', '/v1/auth/whoami');
+    const record = pickRecord(payload);
+    const ownerRecord = pickRecord(record.owner);
+    const agentRecord = pickRecord(record.agent);
+    return {
+        principal: pickString(record.principal) === 'owner' || pickString(record.principal) === 'agent'
+            ? pickString(record.principal)
+            : null,
+        profile_slug: pickString(record.profile_slug, record.profile, agentRecord.profile_slug),
+        owner_scope_id: pickString(record.owner_scope_id, ownerRecord.owner_id, agentRecord.owner_scope_id),
+        owner: pickString(record.owner, record.owner_email, ownerRecord.email, pickRecord(record.owner_identity).email),
+        owner_display_name: pickString(ownerRecord.display_name),
+        agent_id: pickString(record.agent_id, agentRecord.agent_id),
+        agent_display_name: pickString(record.agent_display_name, agentRecord.display_name),
+    };
+};
+export const fetchHealth = async () => {
+    const payload = await request('GET', '/v1/health', undefined, 10_000, undefined, 'none');
+    const record = pickRecord(payload);
+    return {
+        reachable: true,
+        status: pickString(record.status, record.health) ?? 'ok',
+        api_url: pickString(record.api_url, record.url),
+        auth_url: pickString(record.auth_url, record.app_url),
+        published_capabilities: pickNumber(record.published_capabilities, pickRecord(record.summary).published_capabilities),
+        queued_executions: pickNumber(record.queued_executions, pickRecord(record.summary).queued_executions),
+        pending_approvals: pickNumber(record.pending_approvals, pickRecord(record.summary).pending_approvals),
+        recent_executions: pickNumber(record.recent_executions, pickRecord(record.summary).recent_executions),
+    };
+};
+export const approveRequest = async (approvalId) => {
+    await ensureLocalOwnerSession();
+    const payload = await request('POST', `/v1/approvals/${encodeURIComponent(approvalId)}/approve`, undefined, 10_000, undefined, 'owner');
+    return pickRecord(payload);
+};
+export const listSecretReferences = async () => {
+    await ensureLocalOwnerSession();
+    const payload = await request('GET', '/v1/secret-references', undefined, 10_000, undefined, 'owner');
+    const record = pickRecord(payload);
+    const items = Array.isArray(record.secret_references) ? record.secret_references : [];
+    return items.map((item) => normalizeSecretReference(item));
+};
+export const getSecretReference = async (name) => {
+    await ensureLocalOwnerSession();
+    const payload = await request('GET', `/v1/secret-references/${encodeURIComponent(name)}`, undefined, 10_000, undefined, 'owner');
+    return normalizeSecretReference(payload);
+};
+export const setSecretReference = async (name, value, options) => {
+    await ensureLocalOwnerSession();
+    const payload = await request('PUT', `/v1/secret-references/${encodeURIComponent(name)}`, {
+        value,
+        ...(options?.display_name ? { display_name: options.display_name } : {}),
+        ...(options?.kind ? { kind: options.kind } : {}),
+    }, 10_000, undefined, 'owner');
+    return normalizeSecretReference(payload);
+};
+export const deleteSecretReference = async (name) => {
+    await ensureLocalOwnerSession();
+    const payload = await request('DELETE', `/v1/secret-references/${encodeURIComponent(name)}`, undefined, 10_000, undefined, 'owner');
+    const record = pickRecord(payload);
+    return {
+        ok: pickBoolean(record.ok) ?? false,
+    };
+};
+const normalizeSecretReference = (value) => {
+    const record = pickRecord(value);
+    const name = pickString(record.name);
+    const displayName = pickString(record.display_name);
+    const kind = pickString(record.kind);
+    const resolverKind = pickString(record.resolver_kind);
+    const status = pickString(record.status);
+    const createdAt = pickString(record.created_at);
+    const updatedAt = pickString(record.updated_at);
+    if (!name || !displayName || !kind || !resolverKind || !status || !createdAt || !updatedAt) {
+        throw new ApiError(500, 'invalid_secret_reference', 'Secret reference payload is invalid', value);
+    }
+    return {
+        secret_ref_id: pickString(record.secret_ref_id) ?? undefined,
+        name,
+        display_name: displayName,
+        kind,
+        resolver_kind: resolverKind,
+        status,
+        backend_locator: pickRecord(record.backend_locator),
+        managed_by: pickString(record.managed_by) ?? 'owner',
+        rotated_at: pickString(record.rotated_at),
+        created_at: createdAt,
+        updated_at: updatedAt,
+        stored_material_present: pickBoolean(record.stored_material_present) ?? undefined,
+    };
+};
+const normalizeComposioLinkSession = (value) => {
+    const record = pickRecord(value);
+    const linkSessionId = pickString(record.link_session_id);
+    const status = pickString(record.status);
+    if (!linkSessionId || !status) {
+        throw new ApiError(500, 'invalid_composio_link_session', 'Composio link session payload is invalid', value);
+    }
+    const subjectKind = pickString(record.subject_kind);
+    return {
+        link_session_id: linkSessionId,
+        owner_scope_id: pickString(record.owner_scope_id),
+        subject_kind: subjectKind === 'owner' || subjectKind === 'agent' ? subjectKind : undefined,
+        subject_id: pickString(record.subject_id),
+        toolkit_slug: pickString(record.toolkit_slug),
+        auth_config_id: pickString(record.auth_config_id),
+        connected_account_id: pickString(record.connected_account_id),
+        redirect_url: pickString(record.redirect_url),
+        status,
+        expires_at: pickString(record.expires_at),
+        completed_at: pickString(record.completed_at),
+    };
+};
+const normalizeComposioRoute = (value) => {
+    const record = pickRecord(value);
+    const routeId = pickString(record.route_id);
+    const subjectKind = pickString(record.subject_kind);
+    const subjectId = pickString(record.subject_id);
+    const toolkitSlug = pickString(record.toolkit_slug);
+    const authConfigId = pickString(record.auth_config_id);
+    const connectedAccountId = pickString(record.connected_account_id);
+    const status = pickString(record.status);
+    if (!routeId || (subjectKind !== 'owner' && subjectKind !== 'agent') || !subjectId || !toolkitSlug || !authConfigId || !connectedAccountId || !status) {
+        throw new ApiError(500, 'invalid_composio_route', 'Composio route payload is invalid', value);
+    }
+    return {
+        route_id: routeId,
+        owner_scope_id: pickString(record.owner_scope_id),
+        subject_kind: subjectKind,
+        subject_id: subjectId,
+        toolkit_slug: toolkitSlug,
+        auth_config_id: authConfigId,
+        connected_account_id: connectedAccountId,
+        status,
+        created_at: pickString(record.created_at),
+        updated_at: pickString(record.updated_at),
+    };
+};
+export const createComposioLinkSession = async (params) => {
+    await ensureLocalOwnerSession();
+    await syncLocalSecretReferences();
+    const payload = await request('POST', '/v1/services/composio/link-sessions', params, 20_000, undefined, 'owner');
+    return normalizeComposioLinkSession(payload);
+};
+export const fetchComposioService = async () => {
+    await ensureLocalOwnerSession();
+    const payload = await request('GET', '/v1/services/composio', undefined, 10_000, undefined, 'owner');
+    const record = pickRecord(payload);
+    const principalRecord = pickRecord(record.principal);
+    const principalId = pickString(principalRecord.principal_id);
+    return {
+        principal: principalId
+            ? {
+                principal_id: principalId,
+                owner_scope_id: pickString(principalRecord.owner_scope_id) ?? '',
+                composio_user_id: pickString(principalRecord.composio_user_id) ?? '',
+                status: pickString(principalRecord.status) ?? 'unknown',
+                created_at: pickString(principalRecord.created_at),
+                updated_at: pickString(principalRecord.updated_at),
+            }
+            : null,
+        routes: Array.isArray(record.routes) ? record.routes.map((route) => normalizeComposioRoute(route)) : [],
+        link_sessions: Array.isArray(record.link_sessions) ? record.link_sessions.map((session) => normalizeComposioLinkSession(session)) : [],
+    };
+};
+export const fetchComposioLinkSession = async (linkSessionId) => {
+    await ensureLocalOwnerSession();
+    const payload = await request('GET', `/v1/services/composio/link-sessions/${encodeURIComponent(linkSessionId)}`, undefined, 15_000, undefined, 'owner');
+    return normalizeComposioLinkSession(payload);
+};
+export const setComposioServiceRoute = async (params) => {
+    await ensureLocalOwnerSession();
+    await syncLocalSecretReferences();
+    const payload = await request('POST', '/v1/services/composio/routes', params, 15_000, undefined, 'owner');
+    return normalizeComposioRoute(payload);
+};
+export const deleteComposioServiceRoute = async (params) => {
+    await ensureLocalOwnerSession();
+    const search = new URLSearchParams();
+    if (params.route_id)
+        search.set('route_id', params.route_id);
+    if (params.subject_kind)
+        search.set('subject_kind', params.subject_kind);
+    if (params.subject_id)
+        search.set('subject_id', params.subject_id);
+    if (params.toolkit_slug)
+        search.set('toolkit_slug', params.toolkit_slug);
+    if (params.auth_config_id)
+        search.set('auth_config_id', params.auth_config_id);
+    const suffix = search.size > 0 ? `?${search.toString()}` : '';
+    const payload = await request('DELETE', `/v1/services/composio/routes${suffix}`, undefined, 15_000, undefined, 'owner');
+    return normalizeComposioRoute(payload);
+};
+export const startExecution = async (capabilitySlug, input, approvalId, timeoutMs = 30_000) => {
+    try {
+        await syncLocalSecretReferences();
+        const body = {
+            capability_slug: capabilitySlug,
+            input,
+        };
+        if (approvalId) {
+            body.approval_id = approvalId;
+        }
+        const runtimeAttributionHeader = serializeRuntimeAttributionHeader();
+        const payload = await request('POST', '/v1/executions', body, timeoutMs, {
+            'X-Harbor-Current-Dir': process.cwd(),
+            ...(runtimeAttributionHeader ? { 'X-Harbor-Runtime-Attribution': runtimeAttributionHeader } : {}),
+        }, 'agent');
+        const record = pickRecord(payload);
+        return {
+            status: pickString(record.status, record.result) ?? 'accepted',
+            execution_id: pickString(record.execution_id),
+            capability: pickString(record.capability, record.capability_slug, capabilitySlug),
+            state: pickString(record.state) ?? null,
+            approval_id: pickString(record.approval_id),
+            approval_url: pickString(record.approval_url),
+            reason: pickString(record.reason, record.message),
+        };
+    }
+    catch (error) {
+        if (error instanceof ApiError && error.code === 'approval_required') {
+            const payload = pickRecord(error.payload);
+            const errorRecord = pickRecord(payload.error);
+            const details = pickRecord(errorRecord.details);
+            return {
+                status: 'approval_required',
+                execution_id: null,
+                capability: capabilitySlug,
+                state: null,
+                approval_id: pickString(payload.approval_id, errorRecord.approval_id, details.approval_id),
+                approval_url: pickString(payload.approval_url, errorRecord.approval_url, details.approval_url),
+                reason: pickString(payload.reason, errorRecord.message, details.reason, error.message),
+            };
+        }
+        throw error;
+    }
+};
+export const fetchExecutionLogs = async (executionId, follow = false, afterSequence, waitMs) => {
+    const search = new URLSearchParams();
+    if (follow) {
+        search.set('follow', 'true');
+    }
+    if (typeof afterSequence === 'number' && Number.isFinite(afterSequence) && afterSequence >= 0) {
+        search.set('after', String(afterSequence));
+    }
+    if (typeof waitMs === 'number' && Number.isFinite(waitMs) && waitMs > 0) {
+        search.set('wait_ms', String(Math.floor(waitMs)));
+    }
+    const suffix = search.size > 0 ? `?${search.toString()}` : '';
+    const timeoutMs = typeof waitMs === 'number' && waitMs > 0 ? Math.max(10_000, Math.floor(waitMs) + 5_000) : 10_000;
+    const payload = await request('GET', `/v1/executions/${encodeURIComponent(executionId)}/logs${suffix}`, undefined, timeoutMs, undefined, 'agent');
+    const record = pickRecord(payload);
+    const events = Array.isArray(record.events) ? record.events : [];
+    return {
+        execution_id: pickString(record.execution_id, executionId) ?? executionId,
+        state: pickString(record.state, record.status),
+        exit_code: pickNumber(record.exit_code),
+        started_at: pickString(record.started_at),
+        completed_at: pickString(record.completed_at),
+        error_code: pickString(record.error_code),
+        error_message: pickString(record.error_message),
+        events: events.map((event) => {
+            const eventRecord = pickRecord(event);
+            return {
+                sequence: pickNumber(eventRecord.sequence) ?? undefined,
+                kind: pickString(eventRecord.kind) ?? undefined,
+                message: pickString(eventRecord.message) ?? '',
+                payload_json: eventRecord.payload_json,
+                occurred_at: pickString(eventRecord.occurred_at) ?? undefined,
+            };
+        }),
+    };
+};
+//# sourceMappingURL=api.js.map