npm - airaknit - Versions diffs - 1.1.2-rc.9 - Mend

airaknit 1.1.2-rc.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (440) hide show

package/LICENSE +84 -0
package/README.md +202 -0
package/bin/airaknit +9 -0
package/bin/airaknit-project +14 -0
package/bin/kanna +9 -0
package/dist/client/assets/CompactSummaryMessage-Yw0BDWEJ.js +1 -0
package/dist/client/assets/ExitPlanModeMessage-DIdkQ4uF.js +1 -0
package/dist/client/assets/LocalFilePreviewDialog-DQx2eiCc.js +3 -0
package/dist/client/assets/LocalProjectsSection-C4xlWkgS.js +1 -0
package/dist/client/assets/TextMessage-B5G39DEJ.js +1 -0
package/dist/client/assets/UserMessage-CIkWk-0L.js +1 -0
package/dist/client/assets/_basePickBy-CVrAFfnZ.js +1 -0
package/dist/client/assets/_baseUniq-JL-aaF4P.js +1 -0
package/dist/client/assets/arc-B07zg7ol.js +1 -0
package/dist/client/assets/architecture-YZFGNWBL-PSLVJL3p.js +1 -0
package/dist/client/assets/architectureDiagram-Q4EWVU46-DfWIF1G_.js +36 -0
package/dist/client/assets/array-BGFCBI0e.js +1 -0
package/dist/client/assets/blockDiagram-DXYQGD6D-CzwIeo_B.js +132 -0
package/dist/client/assets/bundle-mjs-BDE2gWbQ.js +1 -0
package/dist/client/assets/button-DO50qOGv.js +1 -0
package/dist/client/assets/c4Diagram-AHTNJAMY-CR8DCQRE.js +10 -0
package/dist/client/assets/channel-Dj-UUfaF.js +1 -0
package/dist/client/assets/chunk-2KRD3SAO-dznP-cn8.js +1 -0
package/dist/client/assets/chunk-336JU56O-Dqss5Vu6.js +2 -0
package/dist/client/assets/chunk-426QAEUC-CEKis_0_.js +1 -0
package/dist/client/assets/chunk-4BX2VUAB-BYOv0Gm1.js +1 -0
package/dist/client/assets/chunk-4TB4RGXK-BxzubH5S.js +206 -0
package/dist/client/assets/chunk-55IACEB6-BSlTj03a.js +1 -0
package/dist/client/assets/chunk-5FUZZQ4R-9Au93Bi1.js +62 -0
package/dist/client/assets/chunk-5PVQY5BW-BhksHFEZ.js +2 -0
package/dist/client/assets/chunk-67CJDMHE-BFwhz-8t.js +1 -0
package/dist/client/assets/chunk-7N4EOEYR-BDUPds87.js +1 -0
package/dist/client/assets/chunk-AA7GKIK3-CEWTdyXO.js +1 -0
package/dist/client/assets/chunk-BO2N2NFS-D0LvxnhU.js +103 -0
package/dist/client/assets/chunk-BSJP7CBP-BNJnK6sq.js +1 -0
package/dist/client/assets/chunk-Bj-mKKzh.js +1 -0
package/dist/client/assets/chunk-CIAEETIT-CYhfoCeN.js +1 -0
package/dist/client/assets/chunk-EDXVE4YY-C5ovJLc0.js +1 -0
package/dist/client/assets/chunk-ENJZ2VHE-HOhYaeGr.js +10 -0
package/dist/client/assets/chunk-FMBD7UC4-BLCiKcAQ.js +15 -0
package/dist/client/assets/chunk-FOC6F5B3-B6GtY2ek.js +1 -0
package/dist/client/assets/chunk-ICPOFSXX-DPoIZoC5.js +122 -0
package/dist/client/assets/chunk-K5T4RW27-BsKN63rv.js +94 -0
package/dist/client/assets/chunk-KGLVRYIC-BUGn9uuY.js +1 -0
package/dist/client/assets/chunk-LIHQZDEY-DhaZyo03.js +1 -0
package/dist/client/assets/chunk-ORNJ4GCN-DlpeeJyi.js +1 -0
package/dist/client/assets/chunk-OYMX7WX6-Dc9q7aYA.js +231 -0
package/dist/client/assets/chunk-QZHKN3VN-BEdrPoSb.js +1 -0
package/dist/client/assets/chunk-U2HBQHQK-CIB3Bjjd.js +70 -0
package/dist/client/assets/chunk-X2U36JSP-CtB-o8Yp.js +1 -0
package/dist/client/assets/chunk-XPW4576I-C6iHhX_8.js +32 -0
package/dist/client/assets/chunk-YZCP3GAM-CTmKr6ZH.js +1 -0
package/dist/client/assets/chunk-ZZ45TVLE-BgU8A2RF.js +1 -0
package/dist/client/assets/classDiagram-6PBFFD2Q-Bqk5e679.js +1 -0
package/dist/client/assets/classDiagram-v2-HSJHXN6E-6pSaZOkC.js +1 -0
package/dist/client/assets/client-BrKWI4CM.js +1 -0
package/dist/client/assets/client-CGgNRU9w.js +1 -0
package/dist/client/assets/client-DMSLRzg9.js +6 -0
package/dist/client/assets/clone-DWcL7whJ.js +1 -0
package/dist/client/assets/cose-bilkent-S5V4N54A-CrV5wsV_.js +1 -0
package/dist/client/assets/cytoscape.esm--aLzKuep.js +321 -0
package/dist/client/assets/dagre-CuRxWcrj.js +1 -0
package/dist/client/assets/dagre-KV5264BT-BIDiVnkA.js +4 -0
package/dist/client/assets/defaultLocale-CRZydyG6.js +1 -0
package/dist/client/assets/diagram-5BDNPKRD-i1kjKRCB.js +10 -0
package/dist/client/assets/diagram-G4DWMVQ6-9ZSLuhbl.js +24 -0
package/dist/client/assets/diagram-MMDJMWI5-B4_CUjgv.js +43 -0
package/dist/client/assets/diagram-TYMM5635-Ct5eTGS8.js +24 -0
package/dist/client/assets/dist-CuB4kiSK.js +1 -0
package/dist/client/assets/erDiagram-SMLLAGMA-Cy38ercc.js +85 -0
package/dist/client/assets/flowDiagram-DWJPFMVM-CZKuYl0V.js +162 -0
package/dist/client/assets/ganttDiagram-T4ZO3ILL-DLPjCh7a.js +292 -0
package/dist/client/assets/gitGraph-7Q5UKJZL-DqbrtEp9.js +1 -0
package/dist/client/assets/gitGraphDiagram-UUTBAWPF-BoRBkDhQ.js +106 -0
package/dist/client/assets/graphlib-BcQ6qlQh.js +1 -0
package/dist/client/assets/highlighted-body-OFNGDK62-BEpBVDTX.js +1 -0
package/dist/client/assets/index-CetCiuqP.js +105 -0
package/dist/client/assets/index-N29Mip7A.css +1 -0
package/dist/client/assets/info-OMHHGYJF-D98DRBJX.js +1 -0
package/dist/client/assets/infoDiagram-42DDH7IO-BAcdTWbt.js +2 -0
package/dist/client/assets/init-B8gtcn7T.js +1 -0
package/dist/client/assets/isArrayLikeObject-D8SJFmkN.js +1 -0
package/dist/client/assets/isEmpty-BF3YX5Jk.js +1 -0
package/dist/client/assets/ishikawaDiagram-UXIWVN3A-Ynu2VKdC.js +70 -0
package/dist/client/assets/journeyDiagram-VCZTEJTY-BjfhQaN3.js +139 -0
package/dist/client/assets/jsx-runtime-CyI9ICYU.js +1 -0
package/dist/client/assets/kanban-definition-6JOO6SKY-JLXH9zUJ.js +89 -0
package/dist/client/assets/katex-B94qP8b6.js +265 -0
package/dist/client/assets/lib--QVjyxmL.js +29 -0
package/dist/client/assets/lib-B6rgJiZ9.js +1 -0
package/dist/client/assets/line-DCrYfLBn.js +1 -0
package/dist/client/assets/linear-_4upLmeo.js +1 -0
package/dist/client/assets/mermaid-GHXKKRXX-rwJHYUmW.js +1 -0
package/dist/client/assets/mermaid-parser.core-KZinfW8o.js +4 -0
package/dist/client/assets/mermaid.core-QqY9gSNe.js +11 -0
package/dist/client/assets/mindmap-definition-QFDTVHPH-TWgHDAzp.js +96 -0
package/dist/client/assets/ordinal-CCj7PWgZ.js +1 -0
package/dist/client/assets/packet-4T2RLAQJ-DEvfkn3F.js +1 -0
package/dist/client/assets/path-DZF-JdEe.js +1 -0
package/dist/client/assets/pie-ZZUOXDRM-72e6WVjb.js +1 -0
package/dist/client/assets/pieDiagram-DEJITSTG-Cl8PCsoj.js +30 -0
package/dist/client/assets/preload-helper-rov5CBGT.js +1 -0
package/dist/client/assets/pty-client-DZ27IS00.js +1 -0
package/dist/client/assets/ptyInstancesStore-D9ag7SYd.js +1 -0
package/dist/client/assets/quadrantDiagram-34T5L4WZ-CHyVGp9E.js +7 -0
package/dist/client/assets/radar-PYXPWWZC-Cp7xd_EY.js +1 -0
package/dist/client/assets/react-CClhXMB2.js +1 -0
package/dist/client/assets/react-Dd6D81m0.js +1 -0
package/dist/client/assets/react-dom--G6_6fQ_.js +1 -0
package/dist/client/assets/requirementDiagram-MS252O5E-DaanG2iM.js +84 -0
package/dist/client/assets/rough.esm-BsmKo2S5.js +1 -0
package/dist/client/assets/sankeyDiagram-XADWPNL6-B_fhLY36.js +10 -0
package/dist/client/assets/sequenceDiagram-FGHM5R23-C5FNrveI.js +157 -0
package/dist/client/assets/src-DeTlMJAU.js +1 -0
package/dist/client/assets/stateDiagram-FHFEXIEX-nTTcdjjQ.js +1 -0
package/dist/client/assets/stateDiagram-v2-QKLJ7IA2-Dw0632j_.js +1 -0
package/dist/client/assets/timeline-definition-GMOUNBTQ-DkQV1yP8.js +120 -0
package/dist/client/assets/treeView-SZITEDCU-ZLIgC7_K.js +1 -0
package/dist/client/assets/treemap-W4RFUUIX-BqaMbB6N.js +1 -0
package/dist/client/assets/uiIdentityOverlay-Ba7GNj7m.js +1 -0
package/dist/client/assets/vennDiagram-DHZGUBPP-DbZ2xgs6.js +34 -0
package/dist/client/assets/wardley-RL74JXVD-DXQS8zf4.js +1 -0
package/dist/client/assets/wardleyDiagram-NUSXRM2D-BzCJ6MAu.js +20 -0
package/dist/client/assets/xychartDiagram-5P7HB3ND-BSlFecop.js +7 -0
package/dist/client/favicon.png +0 -0
package/dist/client/favicon.svg +15 -0
package/dist/client/fonts/body-medium.woff2 +0 -0
package/dist/client/fonts/body-regular-italic.woff2 +0 -0
package/dist/client/fonts/body-regular.woff2 +0 -0
package/dist/client/fonts/body-semibold.woff2 +0 -0
package/dist/client/index.html +31 -0
package/dist/client/manifest.webmanifest +12 -0
package/dist/client/sw.js +32 -0
package/package.json +122 -0
package/src/nats/auth-callout/callout-config.test.ts +93 -0
package/src/nats/auth-callout/callout-config.ts +109 -0
package/src/nats/auth-callout/callout.integration.test.ts +332 -0
package/src/nats/auth-callout/keys.ts +103 -0
package/src/nats/auth-callout/responder.ts +241 -0
package/src/nats/auth-callout/scope-policy.test.ts +159 -0
package/src/nats/auth-callout/scope-policy.ts +210 -0
package/src/nats/auth-callout/token.test.ts +163 -0
package/src/nats/auth-callout/token.ts +157 -0
package/src/nats/nats-daemon-callout.ts +194 -0
package/src/nats/nats-daemon.test.ts +77 -0
package/src/nats/nats-daemon.ts +50 -0
package/src/nats/nats-token.test.ts +61 -0
package/src/nats/nats-token.ts +59 -0
package/src/runner/coordination-mcp-integration.test.ts +134 -0
package/src/runner/nats-coordination-client.test.ts +49 -0
package/src/runner/nats-coordination-client.ts +94 -0
package/src/runner/runner-agent.test.ts +469 -0
package/src/runner/runner-agent.ts +453 -0
package/src/runner/runner-credential.test.ts +93 -0
package/src/runner/runner-credential.ts +82 -0
package/src/runner/runner-nats.test.ts +495 -0
package/src/runner/runner-nats.ts +323 -0
package/src/runner/runner-pair.test.ts +107 -0
package/src/runner/runner-pair.ts +81 -0
package/src/runner/runner.test.ts +135 -0
package/src/runner/runner.ts +212 -0
package/src/runner/turn-factories.test.ts +97 -0
package/src/runner/turn-factories.ts +475 -0
package/src/server/agent-config-journey.test.ts +106 -0
package/src/server/agent.ts +8 -0
package/src/server/auto-continue/auth-error-detector.ts +66 -0
package/src/server/auto-continue/limit-detector.ts +194 -0
package/src/server/bm25.test.ts +92 -0
package/src/server/bm25.ts +101 -0
package/src/server/chat-events-jetstream.test.ts +135 -0
package/src/server/claude-harness.ts +360 -0
package/src/server/claude-pty/agent-normalizers.ts +309 -0
package/src/server/claude-pty/auth.test.ts +38 -0
package/src/server/claude-pty/auth.ts +32 -0
package/src/server/claude-pty/claude-session-registry.adapter.ts +81 -0
package/src/server/claude-pty/claude-session-registry.test.ts +149 -0
package/src/server/claude-pty/driver.test.ts +902 -0
package/src/server/claude-pty/driver.ts +807 -0
package/src/server/claude-pty/jsonl-path.adapter.ts +57 -0
package/src/server/claude-pty/jsonl-path.test.ts +114 -0
package/src/server/claude-pty/jsonl-to-event.test.ts +241 -0
package/src/server/claude-pty/jsonl-to-event.ts +174 -0
package/src/server/claude-pty/output-ring.test.ts +35 -0
package/src/server/claude-pty/output-ring.ts +25 -0
package/src/server/claude-pty/parity-matrix.test.ts +227 -0
package/src/server/claude-pty/pid-registry.adapter.ts +135 -0
package/src/server/claude-pty/pid-registry.test.ts +122 -0
package/src/server/claude-pty/preflight/binary-fingerprint.adapter.ts +20 -0
package/src/server/claude-pty/preflight/binary-fingerprint.test.ts +32 -0
package/src/server/claude-pty/pty-instance-registry.test.ts +177 -0
package/src/server/claude-pty/pty-instance-registry.ts +166 -0
package/src/server/claude-pty/pty-memory-sampler.adapter.test.ts +103 -0
package/src/server/claude-pty/pty-memory-sampler.adapter.ts +85 -0
package/src/server/claude-pty/pty-process.adapter.ts +66 -0
package/src/server/claude-pty/pty-process.test.ts +49 -0
package/src/server/claude-pty/resolve-binary.adapter.ts +106 -0
package/src/server/claude-pty/resolve-binary.test.ts +118 -0
package/src/server/claude-pty/runtime-dir.adapter.ts +19 -0
package/src/server/claude-pty/settings-writer.adapter.ts +27 -0
package/src/server/claude-pty/settings-writer.test.ts +22 -0
package/src/server/claude-pty/smoke-test-io.adapter.ts +28 -0
package/src/server/claude-pty/smoke-test.test.ts +191 -0
package/src/server/claude-pty/smoke-test.ts +185 -0
package/src/server/claude-pty/subagent-orchestrator.ts +887 -0
package/src/server/claude-pty/tool-callback.ts +274 -0
package/src/server/claude-pty/tui-control.test.ts +272 -0
package/src/server/claude-pty/tui-control.ts +182 -0
package/src/server/claude-pty/tui-source.adapter.test.ts +360 -0
package/src/server/claude-pty/tui-source.adapter.ts +343 -0
package/src/server/claude-pty/tunnel-gateway.ts +12 -0
package/src/server/claude-pty-mcp/canonical-args.ts +15 -0
package/src/server/claude-pty-mcp/fs-stat.adapter.ts +8 -0
package/src/server/claude-pty-mcp/history-primer.ts +90 -0
package/src/server/claude-pty-mcp/http-server.adapter.ts +33 -0
package/src/server/claude-pty-mcp/mcp-http.ts +177 -0
package/src/server/claude-pty-mcp/mcp.ts +412 -0
package/src/server/claude-pty-mcp/mention-parser.ts +25 -0
package/src/server/claude-pty-mcp/paths.ts +24 -0
package/src/server/claude-pty-mcp/permission-gate.ts +243 -0
package/src/server/claude-pty-mcp/terminal-pid-registry.adapter.ts +107 -0
package/src/server/claude-pty-mcp/tools/ask-user-question.test.ts +119 -0
package/src/server/claude-pty-mcp/tools/ask-user-question.ts +61 -0
package/src/server/claude-pty-mcp/tools/bash.adapter.ts +76 -0
package/src/server/claude-pty-mcp/tools/bash.test.ts +56 -0
package/src/server/claude-pty-mcp/tools/delegate-subagent.test.ts +155 -0
package/src/server/claude-pty-mcp/tools/delegate-subagent.ts +111 -0
package/src/server/claude-pty-mcp/tools/edit.adapter.ts +95 -0
package/src/server/claude-pty-mcp/tools/edit.test.ts +93 -0
package/src/server/claude-pty-mcp/tools/exit-plan-mode.test.ts +61 -0
package/src/server/claude-pty-mcp/tools/exit-plan-mode.ts +50 -0
package/src/server/claude-pty-mcp/tools/glob.adapter.ts +86 -0
package/src/server/claude-pty-mcp/tools/glob.test.ts +61 -0
package/src/server/claude-pty-mcp/tools/grep.adapter.ts +126 -0
package/src/server/claude-pty-mcp/tools/grep.test.ts +62 -0
package/src/server/claude-pty-mcp/tools/read.adapter.ts +58 -0
package/src/server/claude-pty-mcp/tools/read.test.ts +62 -0
package/src/server/claude-pty-mcp/tools/tool-callback-shim.ts +42 -0
package/src/server/claude-pty-mcp/tools/webfetch.test.ts +81 -0
package/src/server/claude-pty-mcp/tools/webfetch.ts +82 -0
package/src/server/claude-pty-mcp/tools/websearch.test.ts +40 -0
package/src/server/claude-pty-mcp/tools/websearch.ts +42 -0
package/src/server/claude-pty-mcp/tools/write.adapter.ts +60 -0
package/src/server/claude-pty-mcp/tools/write.test.ts +52 -0
package/src/server/claude-pty-mcp/uploads.adapter.ts +98 -0
package/src/server/claude-pty-mcp/uploads.ts +38 -0
package/src/server/claude-turn.test.ts +176 -0
package/src/server/cli-runtime.test.ts +456 -0
package/src/server/cli-runtime.ts +374 -0
package/src/server/cli-supervisor.ts +81 -0
package/src/server/cli.ts +78 -0
package/src/server/client-log-forwarder.test.ts +74 -0
package/src/server/client-log-forwarder.ts +75 -0
package/src/server/codex-app-server-protocol.ts +449 -0
package/src/server/codex-app-server.test.ts +2990 -0
package/src/server/codex-app-server.ts +1713 -0
package/src/server/coordination-integration.test.ts +63 -0
package/src/server/coordination-mcp.test.ts +149 -0
package/src/server/coordination-mcp.ts +197 -0
package/src/server/delegation-coordinator.test.ts +675 -0
package/src/server/delegation-coordinator.ts +454 -0
package/src/server/discovery.test.ts +211 -0
package/src/server/discovery.ts +301 -0
package/src/server/event-store-agent-config.test.ts +124 -0
package/src/server/event-store-coordination.test.ts +149 -0
package/src/server/event-store-profile.test.ts +132 -0
package/src/server/event-store-repo.test.ts +154 -0
package/src/server/event-store-runner-team.test.ts +104 -0
package/src/server/event-store.test.ts +342 -0
package/src/server/event-store.ts +2208 -0
package/src/server/events.ts +379 -0
package/src/server/extension-router.test.ts +183 -0
package/src/server/extension-router.ts +114 -0
package/src/server/extensions/agents/server.test.ts +191 -0
package/src/server/extensions/agents/server.ts +108 -0
package/src/server/extensions/c3/server.test.ts +284 -0
package/src/server/extensions/c3/server.ts +212 -0
package/src/server/extensions/code/server.test.ts +200 -0
package/src/server/extensions/code/server.ts +150 -0
package/src/server/extensions.config.ts +10 -0
package/src/server/external-open.ts +69 -0
package/src/server/generate-fork-context.ts +58 -0
package/src/server/generate-merge-context.test.ts +290 -0
package/src/server/generate-merge-context.ts +141 -0
package/src/server/generate-title.ts +36 -0
package/src/server/git-clone-policy.test.ts +138 -0
package/src/server/git-clone-policy.ts +27 -0
package/src/server/harness-types.ts +1 -0
package/src/server/journey-verification.test.ts +640 -0
package/src/server/journey-verification.ts +195 -0
package/src/server/machine-name.ts +22 -0
package/src/server/nats-auth.test.ts +92 -0
package/src/server/nats-auth.ts +6 -0
package/src/server/nats-bind-guard.test.ts +71 -0
package/src/server/nats-bind-guard.ts +42 -0
package/src/server/nats-bridge.test.ts +141 -0
package/src/server/nats-bridge.ts +111 -0
package/src/server/nats-connector.test.ts +56 -0
package/src/server/nats-connector.ts +71 -0
package/src/server/nats-daemon-manager.test.ts +76 -0
package/src/server/nats-daemon-manager.ts +174 -0
package/src/server/nats-publisher.test.ts +356 -0
package/src/server/nats-publisher.ts +271 -0
package/src/server/nats-responders.test.ts +1018 -0
package/src/server/nats-responders.ts +925 -0
package/src/server/nats-streams.test.ts +112 -0
package/src/server/nats-streams.ts +129 -0
package/src/server/oauth-pool/oauth-responders.ts +185 -0
package/src/server/oauth-pool/oauth-settings-store.ts +173 -0
package/src/server/oauth-pool/oauth-token-pool.ts +303 -0
package/src/server/orchestration.test.ts +1063 -0
package/src/server/orchestration.ts +716 -0
package/src/server/pairing-endpoints.test.ts +171 -0
package/src/server/pairing-store.test.ts +154 -0
package/src/server/pairing-store.ts +124 -0
package/src/server/paths.ts +27 -0
package/src/server/pr3-liveness.test.ts +252 -0
package/src/server/process-utils.ts +10 -0
package/src/server/project-cli.ts +180 -0
package/src/server/provider-catalog.test.ts +177 -0
package/src/server/provider-catalog.ts +146 -0
package/src/server/pty-responders.ts +345 -0
package/src/server/push-notifications.test.ts +234 -0
package/src/server/push-notifications.ts +188 -0
package/src/server/quick-response.test.ts +196 -0
package/src/server/quick-response.ts +154 -0
package/src/server/read-models-agent-config.test.ts +59 -0
package/src/server/read-models-coordination.test.ts +69 -0
package/src/server/read-models.test.ts +332 -0
package/src/server/read-models.ts +258 -0
package/src/server/repo-journey.test.ts +96 -0
package/src/server/repo-manager.test.ts +118 -0
package/src/server/repo-manager.ts +97 -0
package/src/server/repo-status.test.ts +54 -0
package/src/server/repo-status.ts +82 -0
package/src/server/restart.test.ts +27 -0
package/src/server/restart.ts +30 -0
package/src/server/runner-incompatible-gate.test.ts +383 -0
package/src/server/runner-manager.test.ts +72 -0
package/src/server/runner-manager.ts +312 -0
package/src/server/runner-pairing-urls.test.ts +59 -0
package/src/server/runner-pairing-urls.ts +67 -0
package/src/server/runner-proxy.test.ts +456 -0
package/src/server/runner-proxy.ts +494 -0
package/src/server/runner-router.test.ts +429 -0
package/src/server/runner-router.ts +212 -0
package/src/server/runner-routing.test.ts +584 -0
package/src/server/runtime-registry.test.ts +436 -0
package/src/server/runtime-registry.ts +307 -0
package/src/server/sandbox-health.test.ts +127 -0
package/src/server/sandbox-health.ts +94 -0
package/src/server/sandbox-journey.test.ts +232 -0
package/src/server/sandbox-manager.test.ts +146 -0
package/src/server/sandbox-manager.ts +159 -0
package/src/server/server.test.ts +287 -0
package/src/server/server.ts +1108 -0
package/src/server/session-discovery.test.ts +129 -0
package/src/server/session-discovery.ts +475 -0
package/src/server/session-index.test.ts +362 -0
package/src/server/session-index.ts +119 -0
package/src/server/session-seed.ts +288 -0
package/src/server/share.test.ts +108 -0
package/src/server/share.ts +113 -0
package/src/server/skill-discovery.test.ts +201 -0
package/src/server/skill-discovery.ts +77 -0
package/src/server/storage/test-helpers.ts +67 -0
package/src/server/terminal-manager.test.ts +309 -0
package/src/server/terminal-manager.ts +354 -0
package/src/server/transcript-consumer.test.ts +339 -0
package/src/server/transcript-consumer.ts +162 -0
package/src/server/transcript-search.test.ts +193 -0
package/src/server/transcript-search.ts +83 -0
package/src/server/transcript-utils.ts +52 -0
package/src/server/update-manager.test.ts +107 -0
package/src/server/update-manager.ts +230 -0
package/src/server/workflow-engine.test.ts +251 -0
package/src/server/workflow-engine.ts +169 -0
package/src/server/workflow-mcp.ts +49 -0
package/src/server/workflow-store.test.ts +155 -0
package/src/server/workflow-store.ts +139 -0
package/src/server/workspace-agent-integration.test.ts +167 -0
package/src/server/workspace-agent-routes.test.ts +127 -0
package/src/server/workspace-agent-routes.ts +89 -0
package/src/server/workspace-agent.test.ts +103 -0
package/src/server/workspace-agent.ts +102 -0
package/src/server/workspace-cli.test.ts +79 -0
package/src/server/workspace-config-manager.test.ts +109 -0
package/src/server/workspace-config-manager.ts +83 -0
package/src/server/workspace-directory-policy.test.ts +109 -0
package/src/server/workspace-directory-policy.ts +56 -0
package/src/shared/agent-config-types.ts +25 -0
package/src/shared/branding.test.ts +42 -0
package/src/shared/branding.ts +54 -0
package/src/shared/compression.test.ts +85 -0
package/src/shared/compression.ts +42 -0
package/src/shared/coordination-store.test.ts +24 -0
package/src/shared/coordination-store.ts +26 -0
package/src/shared/dev-ports.test.ts +84 -0
package/src/shared/dev-ports.ts +100 -0
package/src/shared/extension-types.ts +45 -0
package/src/shared/fork-presets.ts +54 -0
package/src/shared/harness-types.test.ts +15 -0
package/src/shared/harness-types.ts +21 -0
package/src/shared/log-sink.test.ts +112 -0
package/src/shared/log-sink.ts +185 -0
package/src/shared/mention-pattern.ts +7 -0
package/src/shared/merge-presets.ts +41 -0
package/src/shared/nats-subjects.test.ts +61 -0
package/src/shared/nats-subjects.ts +131 -0
package/src/shared/permission-policy.ts +136 -0
package/src/shared/ports.ts +3 -0
package/src/shared/preset-types.ts +15 -0
package/src/shared/profile-types.ts +49 -0
package/src/shared/projectFileUrl.ts +36 -0
package/src/shared/protocol.ts +153 -0
package/src/shared/pty-instance.ts +43 -0
package/src/shared/puggy/diagnostics/result.ts +18 -0
package/src/shared/puggy/expressions/evaluate.ts +292 -0
package/src/shared/puggy/index.test.ts +101 -0
package/src/shared/puggy/index.ts +69 -0
package/src/shared/puggy/parser/ast.ts +110 -0
package/src/shared/puggy/parser/parser.ts +624 -0
package/src/shared/puggy/renderer/html.ts +447 -0
package/src/shared/runner-protocol.test.ts +277 -0
package/src/shared/runner-protocol.ts +210 -0
package/src/shared/runner-team-types.ts +73 -0
package/src/shared/runtime-types.ts +48 -0
package/src/shared/sandbox-types.ts +53 -0
package/src/shared/tailwind-build.test.ts +12 -0
package/src/shared/tinkaria-system-prompt.ts +101 -0
package/src/shared/tools.test.ts +335 -0
package/src/shared/tools.ts +397 -0
package/src/shared/transcript-entries.ts +27 -0
package/src/shared/transcript-render.test.ts +225 -0
package/src/shared/transcript-render.ts +467 -0
package/src/shared/types.ts +1031 -0
package/src/shared/vite-config.test.ts +47 -0
package/src/shared/web-context.test.ts +110 -0
package/src/shared/web-context.ts +76 -0
package/src/shared/workflow-types.ts +51 -0
package/src/shared/workspace-types.ts +100 -0

package/package.json ADDED Viewed

@@ -0,0 +1,122 @@
+{
+  "name": "airaknit",
+  "type": "module",
+  "version": "1.1.2-rc.9",
+  "description": "A playful web workbench for Claude Code and Codex",
+  "license": "MIT",
+  "keywords": [
+    "claude",
+    "claude-code",
+    "ai",
+    "chat",
+    "ui",
+    "agent",
+    "anthropic",
+    "bun",
+    "react"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/lagz0ne/tinkaria.git"
+  },
+  "bin": {
+    "airaknit": "bin/airaknit",
+    "airaknit-project": "bin/airaknit-project"
+  },
+  "packageManager": "bun@1.3.11",
+  "files": [
+    "bin/",
+    "src/nats/",
+    "src/runner/",
+    "src/server/",
+    "src/shared/",
+    "dist/client/"
+  ],
+  "engines": {
+    "bun": ">=1.3.5"
+  },
+  "scripts": {
+    "build": "vite build",
+    "check": "bunx @typescript/native-preview --noEmit -p tsconfig.json && vite build",
+    "lint:rules": "bash .git/hooks/pre-commit --all",
+    "dev": "bun run ./scripts/dev.ts",
+    "dev:client": "vite --host 0.0.0.0 --port 5174",
+    "dev:server": "bun run ./scripts/dev-server.ts --no-open --port 5175",
+    "install:dev": "bun install && bun run build && bun install -g .",
+    "start": "bun run ./src/server/cli.ts",
+    "test": "bun test",
+    "verify:journey": "bun run ./scripts/verify-journey.ts",
+    "copy:legacy-transcripts": "bun run ./scripts/copy-legacy-transcripts.ts",
+    "prepublishOnly": "vite build"
+  },
+  "dependencies": {
+    "@anthropic-ai/claude-agent-sdk": "^0.2.91",
+    "@chenglou/pretext": "^0.0.4",
+    "@lagz0ne/nats-embedded": "^0.3.1",
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "@nats-io/jetstream": "^3.3.1",
+    "@nats-io/jwt": "^0.0.10-5",
+    "@nats-io/kv": "^3.3.1",
+    "@nats-io/nats-core": "^3.3.1",
+    "@nats-io/transport-node": "^3.3.1",
+    "@radix-ui/react-alert-dialog": "^1.1.15",
+    "@radix-ui/react-context-menu": "^2.2.16",
+    "@radix-ui/react-dropdown-menu": "^2.1.16",
+    "@radix-ui/react-select": "^2.2.6",
+    "@tanstack/react-virtual": "^3.13.23",
+    "@xterm/addon-fit": "^0.11.0",
+    "@xterm/addon-serialize": "^0.14.0",
+    "@xterm/addon-web-links": "^0.12.0",
+    "@xterm/headless": "^6.0.0",
+    "@xterm/xterm": "^6.0.0",
+    "cloudflared": "^0.7.1",
+    "default-shell": "^2.2.0",
+    "diff": "^8.0.4",
+    "file-type": "^22.0.1",
+    "js-yaml": "^4.1.1",
+    "mermaid": "^11.14.0",
+    "minimatch": "^10.2.5",
+    "qrcode": "^1.5.4",
+    "react-resizable-panels": "^4.9.0",
+    "shell-quote": "^1.8.4",
+    "sonner": "^2.0.7",
+    "sugar-high": "^1.0.0",
+    "web-push": "^3.6.7",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@radix-ui/react-dialog": "^1.1.15",
+    "@radix-ui/react-popover": "^1.1.15",
+    "@radix-ui/react-tooltip": "^1.2.8",
+    "@resvg/resvg-js": "^2.6.2",
+    "@tailwindcss/postcss": "^4.2.2",
+    "@tailwindcss/typography": "^0.5.19",
+    "@types/bun": "^1.3.11",
+    "@types/diff": "^8.0.0",
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^25.5.0",
+    "@types/qrcode": "^1.5.6",
+    "@types/react": "19.2.14",
+    "@types/react-dom": "19.2.3",
+    "@types/shell-quote": "^1.7.5",
+    "@types/web-push": "^3.6.4",
+    "@vitejs/plugin-react": "6.0.1",
+    "autoprefixer": "^10.4.27",
+    "class-variance-authority": "^0.7.1",
+    "clsx": "^2.1.1",
+    "lucide-react": "^1.7.0",
+    "png-to-ico": "^3.0.1",
+    "react": "19.2.4",
+    "react-dom": "19.2.4",
+    "react-markdown": "^10.1.0",
+    "react-router-dom": "^7.14.0",
+    "remark-gfm": "^4.0.1",
+    "sharp": "^0.34.5",
+    "streamdown": "^2.5.0",
+    "tailwind-merge": "^3.5.0",
+    "tailwindcss": "^4.2.2",
+    "typescript": "6.0.2",
+    "vite": "^8.0.3",
+    "zustand": "^5.0.12"
+  }
+}

package/src/nats/auth-callout/callout-config.test.ts ADDED Viewed

@@ -0,0 +1,93 @@
+import { describe, test, expect } from "bun:test"
+import { buildCalloutConfig, validateCalloutConfigShape } from "./callout-config"
+const FAKE_ACCOUNT_KEY = "ACPJ3QKPKLBKL6X4FAKEACCOUNTPUBLIC"
+const FAKE_AUTH_USER_KEY = "UDXFAKEUSERKEY3FAKEAUTHUSERPUBLIC"
+describe("buildCalloutConfig", () => {
+  test("includes required auth_callout block with provided keys", () => {
+    const config = buildCalloutConfig({
+      accountPublicKey: FAKE_ACCOUNT_KEY,
+      authUserPublicKey: FAKE_AUTH_USER_KEY,
+    })
+    expect(config).toContain("auth_callout")
+    expect(config).toContain(`issuer: "${FAKE_ACCOUNT_KEY}"`)
+    expect(config).toContain(`"${FAKE_AUTH_USER_KEY}"`)
+    expect(config).toContain("jetstream")
+    expect(config).toContain("websocket")
+    expect(config).toContain("no_tls: true")
+  })
+  test("uses default host 127.0.0.1 when not specified", () => {
+    const config = buildCalloutConfig({
+      accountPublicKey: FAKE_ACCOUNT_KEY,
+      authUserPublicKey: FAKE_AUTH_USER_KEY,
+    })
+    expect(config).toContain('"127.0.0.1"')
+  })
+  test("uses provided host", () => {
+    const config = buildCalloutConfig({
+      accountPublicKey: FAKE_ACCOUNT_KEY,
+      authUserPublicKey: FAKE_AUTH_USER_KEY,
+      host: "100.64.1.1",
+    })
+    expect(config).toContain('"100.64.1.1"')
+  })
+  test("includes storeDir when provided", () => {
+    const config = buildCalloutConfig({
+      accountPublicKey: FAKE_ACCOUNT_KEY,
+      authUserPublicKey: FAKE_AUTH_USER_KEY,
+      storeDir: "/tmp/nats-test-store",
+    })
+    expect(config).toContain('store_dir: "/tmp/nats-test-store"')
+  })
+  test("uses provided port", () => {
+    const config = buildCalloutConfig({
+      accountPublicKey: FAKE_ACCOUNT_KEY,
+      authUserPublicKey: FAKE_AUTH_USER_KEY,
+      port: 4567,
+      wsPort: 4568,
+    })
+    expect(config).toContain("port: 4567")
+    expect(config).toContain("port: 4568")
+  })
+  test("uses custom account name when provided", () => {
+    const config = buildCalloutConfig({
+      accountPublicKey: FAKE_ACCOUNT_KEY,
+      authUserPublicKey: FAKE_AUTH_USER_KEY,
+      accountName: "MY_ACCOUNT",
+    })
+    expect(config).toContain("MY_ACCOUNT")
+  })
+  test("no include directives (avoids wrapper mis-resolution bug)", () => {
+    const config = buildCalloutConfig({
+      accountPublicKey: FAKE_ACCOUNT_KEY,
+      authUserPublicKey: FAKE_AUTH_USER_KEY,
+    })
+    expect(config).not.toContain("include")
+  })
+})
+describe("validateCalloutConfigShape", () => {
+  test("passes for a valid config", () => {
+    const config = buildCalloutConfig({
+      accountPublicKey: FAKE_ACCOUNT_KEY,
+      authUserPublicKey: FAKE_AUTH_USER_KEY,
+    })
+    const { ok, missing } = validateCalloutConfigShape(config)
+    expect(ok).toBe(true)
+    expect(missing).toHaveLength(0)
+  })
+  test("fails when sections are missing", () => {
+    const { ok, missing } = validateCalloutConfigShape("just some text")
+    expect(ok).toBe(false)
+    expect(missing.length).toBeGreaterThan(0)
+  })
+})

package/src/nats/auth-callout/callout-config.ts ADDED Viewed

@@ -0,0 +1,109 @@
+/**
+ * Generate a self-contained nats-server config string for auth-callout mode
+ * (Stage A, PR1).
+ *
+ * Key points mirroring the spike caveat in decision 0007:
+ * - We do NOT use the wrapper's websocket+config combination (causes include
+ *   mis-resolution). This config is written to a temp file and passed via -c
+ *   to the binary directly.
+ * - The config includes the websocket{} block, JetStream, and the full
+ *   accounts + authorization { auth_callout { … } } block.
+ */
+export interface CalloutConfigOptions {
+  /** TCP listen port; -1 = nats-server picks a random one. */
+  port?: number
+  /** WebSocket listen port; -1 = nats-server picks a random one. */
+  wsPort?: number
+  /** Host to bind. Default: 127.0.0.1 */
+  host?: string
+  /** JetStream store directory. */
+  storeDir?: string
+  /**
+   * Optional HTTP monitoring port (bound to 127.0.0.1 only). When set, enables
+   * the nats-server monitoring endpoints (/connz, /subsz, /varz) for diagnostics.
+   * Localhost-only — never exposed beyond the server host. Off when undefined.
+   */
+  monitorPort?: number
+  /** Public key of the callout issuer account. */
+  accountPublicKey: string
+  /** Public key of the auth-service user (bypasses the callout). */
+  authUserPublicKey: string
+  /** Name used for the callout account and auth_users entry. */
+  accountName?: string
+}
+/**
+ * Return a complete nats-server configuration string for callout mode.
+ * The config is self-contained (no `include` directives) so it can be written
+ * to any path and passed to nats-server via `-c`.
+ */
+export function buildCalloutConfig(opts: CalloutConfigOptions): string {
+  const host = opts.host ?? "127.0.0.1"
+  const port = opts.port ?? -1
+  const wsPort = opts.wsPort ?? -1
+  const accountName = opts.accountName ?? "CALLOUT_ACCOUNT"
+  const lines: string[] = [
+    `# nats-server config — auth-callout mode (generated by Tinkaria)`,
+    `host: "${host}"`,
+    `port: ${port}`,
+    ``,
+    `# JetStream`,
+    `jetstream: true`,
+    ...(opts.storeDir ? [`store_dir: "${opts.storeDir}"`] : []),
+    ``,
+    // HTTP monitoring (diagnostics only, localhost-bound). Enables /connz, /subsz,
+    // /varz so we can inspect connections + per-connection subscriptions. Off
+    // unless monitorPort is provided.
+    ...(opts.monitorPort ? [`http: "127.0.0.1:${opts.monitorPort}"`, ``] : []),
+    `# WebSocket`,
+    `websocket {`,
+    `  host: "${host}"`,
+    `  port: ${wsPort}`,
+    `  no_tls: true`,
+    `}`,
+    ``,
+    `# Accounts — one account holds all connections`,
+    `accounts {`,
+    `  ${accountName} {`,
+    `    jetstream: enabled`,
+    `    users [`,
+    `      # auth_users: this user bypasses the callout (the responder itself)`,
+    `      { nkey: "${opts.authUserPublicKey}" }`,
+    `    ]`,
+    `  }`,
+    `}`,
+    ``,
+    `# Auth-callout — delegate authorization to the responder`,
+    `authorization {`,
+    `  auth_callout {`,
+    `    issuer: "${opts.accountPublicKey}"`,
+    `    auth_users: [ "${opts.authUserPublicKey}" ]`,
+    `    account: "${accountName}"`,
+    `  }`,
+    `}`,
+  ]
+  return lines.join("\n") + "\n"
+}
+/**
+ * Validate the generated config shape by checking for required sections.
+ * Used in tests; not called in production code.
+ */
+export function validateCalloutConfigShape(config: string): {
+  ok: boolean
+  missing: string[]
+} {
+  const required = [
+    "auth_callout",
+    "issuer:",
+    "auth_users:",
+    "account:",
+    "websocket",
+    "jetstream",
+  ]
+  const missing = required.filter((s) => !config.includes(s))
+  return { ok: missing.length === 0, missing }
+}

package/src/nats/auth-callout/callout.integration.test.ts ADDED Viewed

@@ -0,0 +1,332 @@
+/**
+ * Integration test — auth-callout isolation (Stage B, PR1).
+ *
+ * Proves:
+ *  1. A runner-A credential connects and can pub/sub its own scoped subjects.
+ *  2. The same runner-A credential is DENIED (permissions violation) on
+ *     runtime.runner.cmd.B.> — the subject scoped to runner-B.
+ *  3. The same runner-A credential is DENIED on runner-B's KV registry key.
+ *  4. A ui-client credential is denied on any runtime.runner.cmd subject.
+ *  5. Unknown/garbage token is refused at connect time.
+ *
+ * Stage B: credentials are minted via mintCredentialToken (stateless HMAC-signed
+ * tokens) rather than registered in the in-memory registry. All isolation
+ * assertions are preserved unchanged.
+ */
+import { describe, test, expect, afterAll, beforeAll } from "bun:test"
+import { spawn, type ChildProcess } from "node:child_process"
+import { mkdtempSync, writeFileSync, rmSync } from "node:fs"
+import { join } from "node:path"
+import { tmpdir } from "node:os"
+import { connect, tokenAuthenticator } from "@nats-io/transport-node"
+import { nkeyAuthenticator } from "@nats-io/nats-core"
+import type { NatsConnection } from "@nats-io/transport-node"
+import { resolveBinary } from "@lagz0ne/nats-embedded"
+import { ensureCalloutKeys } from "./keys"
+import { buildCalloutConfig } from "./callout-config"
+import { CalloutResponder } from "./responder"
+import { runnerKvKeySubject } from "./scope-policy"
+import { mintCredentialToken } from "./token"
+// ── Test setup ────────────────────────────────────────────────────────────────
+const RUNNER_A = "runner-A"
+const RUNNER_B = "runner-B"
+// Tokens are minted from the shared secret in startCalloutServer(); declared
+// here so tests can reference them after setup.
+let SERVER_ADMIN_TOKEN: string
+let UI_CLIENT_TOKEN: string
+let RUNNER_A_TOKEN: string
+let RUNNER_B_TOKEN: string
+interface ServerInfo {
+  natsUrl: string
+  wsUrl: string
+  wsPort: number
+  tcpPort: number
+}
+let serverProcess: ChildProcess | null = null
+let responder: CalloutResponder | null = null
+let configDir: string | null = null
+let serverInfo: ServerInfo | null = null
+async function startCalloutServer(): Promise<ServerInfo> {
+  const dataDir = mkdtempSync(join(tmpdir(), "nats-callout-test-data-"))
+  configDir = mkdtempSync(join(tmpdir(), "nats-callout-test-conf-"))
+  const keys = await ensureCalloutKeys(dataDir)
+  // Stage B: mint stateless signed tokens — no registration needed.
+  SERVER_ADMIN_TOKEN = await mintCredentialToken({ class: "server-admin" }, keys.tokenSecret)
+  UI_CLIENT_TOKEN = await mintCredentialToken({ class: "ui-client" }, keys.tokenSecret)
+  RUNNER_A_TOKEN = await mintCredentialToken({ class: "runner", runnerId: RUNNER_A }, keys.tokenSecret)
+  RUNNER_B_TOKEN = await mintCredentialToken({ class: "runner", runnerId: RUNNER_B }, keys.tokenSecret)
+  const config = buildCalloutConfig({
+    host: "127.0.0.1",
+    port: -1,  // random
+    wsPort: -1, // random
+    accountPublicKey: keys.accountPublicKey,
+    authUserPublicKey: keys.authUserPublicKey,
+  })
+  const configPath = join(configDir, "test-callout.conf")
+  writeFileSync(configPath, config)
+  const binaryPath = resolveBinary()
+  return new Promise<ServerInfo>((resolve, reject) => {
+    const proc = spawn(binaryPath, ["-c", configPath], {
+      stdio: ["ignore", "ignore", "pipe"],
+    })
+    serverProcess = proc
+    const timeout = setTimeout(() => {
+      proc.kill("SIGKILL")
+      reject(new Error("nats-server did not start within 10s"))
+    }, 10_000)
+    proc.on("error", (err) => { clearTimeout(timeout); reject(err) })
+    proc.on("exit", (code) => {
+      clearTimeout(timeout)
+      reject(new Error(`nats-server exited early with code ${code}`))
+    })
+    let tcpPort: number | null = null
+    let wsPort: number | null = null
+    let buffer = ""
+    proc.stderr!.on("data", (chunk: Buffer) => {
+      buffer += chunk.toString()
+      const lines = buffer.split("\n")
+      buffer = lines.pop() ?? ""
+      for (const line of lines) {
+        const tcpMatch = line.match(/Listening for client connections on .+:(\d+)/)
+        if (tcpMatch) tcpPort = Number(tcpMatch[1])
+        const wsMatch = line.match(/Listening for websocket clients on .+:(\d+)/)
+        if (wsMatch) wsPort = Number(wsMatch[1])
+        if (tcpPort !== null && wsPort !== null) {
+          clearTimeout(timeout)
+          proc.removeAllListeners("exit")
+          const natsUrl = `nats://127.0.0.1:${tcpPort}`
+          resolve({ natsUrl, wsUrl: `ws://127.0.0.1:${wsPort}`, wsPort, tcpPort })
+          return
+        }
+      }
+    })
+  }).then(async (info) => {
+    // Start the responder — tokenSecret is sufficient; no registration step.
+    responder = new CalloutResponder({
+      natsUrl: info.natsUrl,
+      authUserKp: keys.authUserKp,
+      accountKp: keys.accountKp,
+      accountPublicKey: keys.accountPublicKey,
+      accountName: "CALLOUT_ACCOUNT",
+      tokenSecret: keys.tokenSecret,
+    })
+    await responder.start()
+    // Brief settle for the responder subscription to be active
+    await new Promise((r) => setTimeout(r, 100))
+    return info
+  })
+}
+async function connectWithToken(natsUrl: string, token: string): Promise<NatsConnection> {
+  return connect({
+    servers: natsUrl,
+    authenticator: tokenAuthenticator(token),
+    // Short timeout so permission errors surface quickly
+    timeout: 5000,
+  })
+}
+// ── Lifecycle ─────────────────────────────────────────────────────────────────
+beforeAll(async () => {
+  serverInfo = await startCalloutServer()
+}, 15_000)
+afterAll(async () => {
+  await responder?.stop()
+  serverProcess?.kill("SIGTERM")
+  if (configDir) {
+    try { rmSync(configDir, { recursive: true }) } catch { /* best-effort */ }
+  }
+})
+// ── Tests ─────────────────────────────────────────────────────────────────────
+describe("auth-callout isolation", () => {
+  // ── Happy path ──────────────────────────────────────────────────────────────
+  test("runner-A connects with scoped credential", async () => {
+    const nc = await connectWithToken(serverInfo!.natsUrl, RUNNER_A_TOKEN)
+    expect(nc.isClosed()).toBe(false)
+    await nc.drain()
+  })
+  test("runner-A can publish its own heartbeat", async () => {
+    const nc = await connectWithToken(serverInfo!.natsUrl, RUNNER_A_TOKEN)
+    // If the subject is not allowed, NATS will close the connection with a
+    // permissions violation. No error here = allowed.
+    nc.publish(`runtime.runner.heartbeat.${RUNNER_A}`, new TextEncoder().encode("hb"))
+    await nc.flush()
+    await nc.drain()
+  })
+  test("runner-A can subscribe to its own cmd subject", async () => {
+    const nc = await connectWithToken(serverInfo!.natsUrl, RUNNER_A_TOKEN)
+    const sub = nc.subscribe(`runtime.runner.cmd.${RUNNER_A}.>`)
+    expect(sub).toBeDefined()
+    sub.unsubscribe()
+    await nc.drain()
+  })
+  test("ui-client connects and can subscribe to runner events", async () => {
+    const nc = await connectWithToken(serverInfo!.natsUrl, UI_CLIENT_TOKEN)
+    const sub = nc.subscribe("runtime.runner.evt.>")
+    expect(sub).toBeDefined()
+    sub.unsubscribe()
+    await nc.drain()
+  })
+  // ── Negative — the decisive isolation assertions ────────────────────────────
+  test("runner-A is DENIED on runtime.runner.cmd.B.> (permissions violation)", async () => {
+    const nc = await connectWithToken(serverInfo!.natsUrl, RUNNER_A_TOKEN)
+    // Collect status events and the closed reason.
+    const statusEvents: string[] = []
+    let closedError: Error | null = null
+    // Subscribe before triggering the violation.
+    void (async () => {
+      for await (const s of nc.status()) {
+        statusEvents.push(`${s.type}:${String(s.data)}`)
+      }
+    })()
+    const closedPromise = nc.closed().then((err) => {
+      closedError = err instanceof Error ? err : new Error(String(err ?? "connection closed"))
+    })
+    // Attempt to publish to runner-B's command subject (not in runner-A's pub allow list).
+    // NATS sends -ERR 'Permissions Violation for Publish' and closes the connection.
+    nc.publish(`runtime.runner.cmd.${RUNNER_B}.start`, new TextEncoder().encode("{}"))
+    await nc.flush().catch(() => { /* may fail if already closing */ })
+    // Wait for the connection to be closed (NATS closes it on permissions violation).
+    await Promise.race([
+      closedPromise,
+      new Promise((r) => setTimeout(r, 4000)),
+    ])
+    // Drain/close cleanup (may already be closed)
+    try { await nc.drain() } catch { /* expected */ }
+    // The decisive assertion: NATS must have closed the connection after the
+    // permissions violation, or we must have received a permissionsError status.
+    const hasPermissionsViolation =
+      closedError !== null ||
+      statusEvents.some((s) =>
+        s.toLowerCase().includes("permission") || s.toLowerCase().includes("violation")
+      )
+    const evidenceMsg = closedError
+      ? `connection closed by NATS: ${closedError.message}`
+      : `status events: ${statusEvents.join(", ")}`
+    console.log(`[TEST] runner-A denied on runtime.runner.cmd.${RUNNER_B}.start — ${evidenceMsg}`)
+    expect(hasPermissionsViolation).toBe(true)
+  }, 10_000)
+  test("runner-A is DENIED on runner-B KV registry key", async () => {
+    const nc = await connectWithToken(serverInfo!.natsUrl, RUNNER_A_TOKEN)
+    let denied = false
+    const errorPromise = new Promise<void>((resolve) => {
+      void (async () => {
+        for await (const s of nc.status()) {
+          if (s.type === "permissionsError" || String(s.data).includes("Permissions Violation")) {
+            denied = true
+            resolve()
+            return
+          }
+        }
+      })()
+      nc.closed().then(() => { denied = true; resolve() })
+    })
+    // Attempt to write runner-B's KV key directly via NATS publish.
+    const runnerBKvSubject = runnerKvKeySubject(RUNNER_B)
+    nc.publish(runnerBKvSubject, new TextEncoder().encode("{}"))
+    await Promise.race([
+      errorPromise,
+      nc.closed(),
+      new Promise((r) => setTimeout(r, 3000)),
+    ])
+    try { await nc.drain() } catch { /* expected */ }
+    expect(denied).toBe(true)
+    console.log(`[TEST] runner-A denied on runner-B KV subject (${runnerBKvSubject})`)
+  }, 10_000)
+  test("ui-client is DENIED on runtime.runner.cmd subject", async () => {
+    const nc = await connectWithToken(serverInfo!.natsUrl, UI_CLIENT_TOKEN)
+    let denied = false
+    const errorPromise = new Promise<void>((resolve) => {
+      void (async () => {
+        for await (const s of nc.status()) {
+          if (s.type === "permissionsError" || String(s.data).includes("Permissions Violation")) {
+            denied = true
+            resolve()
+            return
+          }
+        }
+      })()
+      nc.closed().then(() => { denied = true; resolve() })
+    })
+    nc.publish(`runtime.runner.cmd.${RUNNER_A}.start`, new TextEncoder().encode("{}"))
+    await Promise.race([
+      errorPromise,
+      nc.closed(),
+      new Promise((r) => setTimeout(r, 3000)),
+    ])
+    try { await nc.drain() } catch { /* expected */ }
+    expect(denied).toBe(true)
+    console.log("[TEST] ui-client denied on runtime.runner.cmd")
+  }, 10_000)
+  // ── Unknown credential is rejected at connect ──────────────────────────────
+  test("unknown token is refused at connect time", async () => {
+    let connectError: Error | null = null
+    try {
+      const nc = await connectWithToken(serverInfo!.natsUrl, "bogus-token-not-registered")
+      await nc.drain()
+    } catch (err) {
+      connectError = err instanceof Error ? err : new Error(String(err))
+    }
+    expect(connectError).not.toBeNull()
+    console.log("[TEST] unknown credential refused:", connectError?.message)
+  }, 10_000)
+})