npm - airaknit - Versions diffs - 1.1.2-rc.9 - Mend

airaknit 1.1.2-rc.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (440) hide show

package/LICENSE +84 -0
package/README.md +202 -0
package/bin/airaknit +9 -0
package/bin/airaknit-project +14 -0
package/bin/kanna +9 -0
package/dist/client/assets/CompactSummaryMessage-Yw0BDWEJ.js +1 -0
package/dist/client/assets/ExitPlanModeMessage-DIdkQ4uF.js +1 -0
package/dist/client/assets/LocalFilePreviewDialog-DQx2eiCc.js +3 -0
package/dist/client/assets/LocalProjectsSection-C4xlWkgS.js +1 -0
package/dist/client/assets/TextMessage-B5G39DEJ.js +1 -0
package/dist/client/assets/UserMessage-CIkWk-0L.js +1 -0
package/dist/client/assets/_basePickBy-CVrAFfnZ.js +1 -0
package/dist/client/assets/_baseUniq-JL-aaF4P.js +1 -0
package/dist/client/assets/arc-B07zg7ol.js +1 -0
package/dist/client/assets/architecture-YZFGNWBL-PSLVJL3p.js +1 -0
package/dist/client/assets/architectureDiagram-Q4EWVU46-DfWIF1G_.js +36 -0
package/dist/client/assets/array-BGFCBI0e.js +1 -0
package/dist/client/assets/blockDiagram-DXYQGD6D-CzwIeo_B.js +132 -0
package/dist/client/assets/bundle-mjs-BDE2gWbQ.js +1 -0
package/dist/client/assets/button-DO50qOGv.js +1 -0
package/dist/client/assets/c4Diagram-AHTNJAMY-CR8DCQRE.js +10 -0
package/dist/client/assets/channel-Dj-UUfaF.js +1 -0
package/dist/client/assets/chunk-2KRD3SAO-dznP-cn8.js +1 -0
package/dist/client/assets/chunk-336JU56O-Dqss5Vu6.js +2 -0
package/dist/client/assets/chunk-426QAEUC-CEKis_0_.js +1 -0
package/dist/client/assets/chunk-4BX2VUAB-BYOv0Gm1.js +1 -0
package/dist/client/assets/chunk-4TB4RGXK-BxzubH5S.js +206 -0
package/dist/client/assets/chunk-55IACEB6-BSlTj03a.js +1 -0
package/dist/client/assets/chunk-5FUZZQ4R-9Au93Bi1.js +62 -0
package/dist/client/assets/chunk-5PVQY5BW-BhksHFEZ.js +2 -0
package/dist/client/assets/chunk-67CJDMHE-BFwhz-8t.js +1 -0
package/dist/client/assets/chunk-7N4EOEYR-BDUPds87.js +1 -0
package/dist/client/assets/chunk-AA7GKIK3-CEWTdyXO.js +1 -0
package/dist/client/assets/chunk-BO2N2NFS-D0LvxnhU.js +103 -0
package/dist/client/assets/chunk-BSJP7CBP-BNJnK6sq.js +1 -0
package/dist/client/assets/chunk-Bj-mKKzh.js +1 -0
package/dist/client/assets/chunk-CIAEETIT-CYhfoCeN.js +1 -0
package/dist/client/assets/chunk-EDXVE4YY-C5ovJLc0.js +1 -0
package/dist/client/assets/chunk-ENJZ2VHE-HOhYaeGr.js +10 -0
package/dist/client/assets/chunk-FMBD7UC4-BLCiKcAQ.js +15 -0
package/dist/client/assets/chunk-FOC6F5B3-B6GtY2ek.js +1 -0
package/dist/client/assets/chunk-ICPOFSXX-DPoIZoC5.js +122 -0
package/dist/client/assets/chunk-K5T4RW27-BsKN63rv.js +94 -0
package/dist/client/assets/chunk-KGLVRYIC-BUGn9uuY.js +1 -0
package/dist/client/assets/chunk-LIHQZDEY-DhaZyo03.js +1 -0
package/dist/client/assets/chunk-ORNJ4GCN-DlpeeJyi.js +1 -0
package/dist/client/assets/chunk-OYMX7WX6-Dc9q7aYA.js +231 -0
package/dist/client/assets/chunk-QZHKN3VN-BEdrPoSb.js +1 -0
package/dist/client/assets/chunk-U2HBQHQK-CIB3Bjjd.js +70 -0
package/dist/client/assets/chunk-X2U36JSP-CtB-o8Yp.js +1 -0
package/dist/client/assets/chunk-XPW4576I-C6iHhX_8.js +32 -0
package/dist/client/assets/chunk-YZCP3GAM-CTmKr6ZH.js +1 -0
package/dist/client/assets/chunk-ZZ45TVLE-BgU8A2RF.js +1 -0
package/dist/client/assets/classDiagram-6PBFFD2Q-Bqk5e679.js +1 -0
package/dist/client/assets/classDiagram-v2-HSJHXN6E-6pSaZOkC.js +1 -0
package/dist/client/assets/client-BrKWI4CM.js +1 -0
package/dist/client/assets/client-CGgNRU9w.js +1 -0
package/dist/client/assets/client-DMSLRzg9.js +6 -0
package/dist/client/assets/clone-DWcL7whJ.js +1 -0
package/dist/client/assets/cose-bilkent-S5V4N54A-CrV5wsV_.js +1 -0
package/dist/client/assets/cytoscape.esm--aLzKuep.js +321 -0
package/dist/client/assets/dagre-CuRxWcrj.js +1 -0
package/dist/client/assets/dagre-KV5264BT-BIDiVnkA.js +4 -0
package/dist/client/assets/defaultLocale-CRZydyG6.js +1 -0
package/dist/client/assets/diagram-5BDNPKRD-i1kjKRCB.js +10 -0
package/dist/client/assets/diagram-G4DWMVQ6-9ZSLuhbl.js +24 -0
package/dist/client/assets/diagram-MMDJMWI5-B4_CUjgv.js +43 -0
package/dist/client/assets/diagram-TYMM5635-Ct5eTGS8.js +24 -0
package/dist/client/assets/dist-CuB4kiSK.js +1 -0
package/dist/client/assets/erDiagram-SMLLAGMA-Cy38ercc.js +85 -0
package/dist/client/assets/flowDiagram-DWJPFMVM-CZKuYl0V.js +162 -0
package/dist/client/assets/ganttDiagram-T4ZO3ILL-DLPjCh7a.js +292 -0
package/dist/client/assets/gitGraph-7Q5UKJZL-DqbrtEp9.js +1 -0
package/dist/client/assets/gitGraphDiagram-UUTBAWPF-BoRBkDhQ.js +106 -0
package/dist/client/assets/graphlib-BcQ6qlQh.js +1 -0
package/dist/client/assets/highlighted-body-OFNGDK62-BEpBVDTX.js +1 -0
package/dist/client/assets/index-CetCiuqP.js +105 -0
package/dist/client/assets/index-N29Mip7A.css +1 -0
package/dist/client/assets/info-OMHHGYJF-D98DRBJX.js +1 -0
package/dist/client/assets/infoDiagram-42DDH7IO-BAcdTWbt.js +2 -0
package/dist/client/assets/init-B8gtcn7T.js +1 -0
package/dist/client/assets/isArrayLikeObject-D8SJFmkN.js +1 -0
package/dist/client/assets/isEmpty-BF3YX5Jk.js +1 -0
package/dist/client/assets/ishikawaDiagram-UXIWVN3A-Ynu2VKdC.js +70 -0
package/dist/client/assets/journeyDiagram-VCZTEJTY-BjfhQaN3.js +139 -0
package/dist/client/assets/jsx-runtime-CyI9ICYU.js +1 -0
package/dist/client/assets/kanban-definition-6JOO6SKY-JLXH9zUJ.js +89 -0
package/dist/client/assets/katex-B94qP8b6.js +265 -0
package/dist/client/assets/lib--QVjyxmL.js +29 -0
package/dist/client/assets/lib-B6rgJiZ9.js +1 -0
package/dist/client/assets/line-DCrYfLBn.js +1 -0
package/dist/client/assets/linear-_4upLmeo.js +1 -0
package/dist/client/assets/mermaid-GHXKKRXX-rwJHYUmW.js +1 -0
package/dist/client/assets/mermaid-parser.core-KZinfW8o.js +4 -0
package/dist/client/assets/mermaid.core-QqY9gSNe.js +11 -0
package/dist/client/assets/mindmap-definition-QFDTVHPH-TWgHDAzp.js +96 -0
package/dist/client/assets/ordinal-CCj7PWgZ.js +1 -0
package/dist/client/assets/packet-4T2RLAQJ-DEvfkn3F.js +1 -0
package/dist/client/assets/path-DZF-JdEe.js +1 -0
package/dist/client/assets/pie-ZZUOXDRM-72e6WVjb.js +1 -0
package/dist/client/assets/pieDiagram-DEJITSTG-Cl8PCsoj.js +30 -0
package/dist/client/assets/preload-helper-rov5CBGT.js +1 -0
package/dist/client/assets/pty-client-DZ27IS00.js +1 -0
package/dist/client/assets/ptyInstancesStore-D9ag7SYd.js +1 -0
package/dist/client/assets/quadrantDiagram-34T5L4WZ-CHyVGp9E.js +7 -0
package/dist/client/assets/radar-PYXPWWZC-Cp7xd_EY.js +1 -0
package/dist/client/assets/react-CClhXMB2.js +1 -0
package/dist/client/assets/react-Dd6D81m0.js +1 -0
package/dist/client/assets/react-dom--G6_6fQ_.js +1 -0
package/dist/client/assets/requirementDiagram-MS252O5E-DaanG2iM.js +84 -0
package/dist/client/assets/rough.esm-BsmKo2S5.js +1 -0
package/dist/client/assets/sankeyDiagram-XADWPNL6-B_fhLY36.js +10 -0
package/dist/client/assets/sequenceDiagram-FGHM5R23-C5FNrveI.js +157 -0
package/dist/client/assets/src-DeTlMJAU.js +1 -0
package/dist/client/assets/stateDiagram-FHFEXIEX-nTTcdjjQ.js +1 -0
package/dist/client/assets/stateDiagram-v2-QKLJ7IA2-Dw0632j_.js +1 -0
package/dist/client/assets/timeline-definition-GMOUNBTQ-DkQV1yP8.js +120 -0
package/dist/client/assets/treeView-SZITEDCU-ZLIgC7_K.js +1 -0
package/dist/client/assets/treemap-W4RFUUIX-BqaMbB6N.js +1 -0
package/dist/client/assets/uiIdentityOverlay-Ba7GNj7m.js +1 -0
package/dist/client/assets/vennDiagram-DHZGUBPP-DbZ2xgs6.js +34 -0
package/dist/client/assets/wardley-RL74JXVD-DXQS8zf4.js +1 -0
package/dist/client/assets/wardleyDiagram-NUSXRM2D-BzCJ6MAu.js +20 -0
package/dist/client/assets/xychartDiagram-5P7HB3ND-BSlFecop.js +7 -0
package/dist/client/favicon.png +0 -0
package/dist/client/favicon.svg +15 -0
package/dist/client/fonts/body-medium.woff2 +0 -0
package/dist/client/fonts/body-regular-italic.woff2 +0 -0
package/dist/client/fonts/body-regular.woff2 +0 -0
package/dist/client/fonts/body-semibold.woff2 +0 -0
package/dist/client/index.html +31 -0
package/dist/client/manifest.webmanifest +12 -0
package/dist/client/sw.js +32 -0
package/package.json +122 -0
package/src/nats/auth-callout/callout-config.test.ts +93 -0
package/src/nats/auth-callout/callout-config.ts +109 -0
package/src/nats/auth-callout/callout.integration.test.ts +332 -0
package/src/nats/auth-callout/keys.ts +103 -0
package/src/nats/auth-callout/responder.ts +241 -0
package/src/nats/auth-callout/scope-policy.test.ts +159 -0
package/src/nats/auth-callout/scope-policy.ts +210 -0
package/src/nats/auth-callout/token.test.ts +163 -0
package/src/nats/auth-callout/token.ts +157 -0
package/src/nats/nats-daemon-callout.ts +194 -0
package/src/nats/nats-daemon.test.ts +77 -0
package/src/nats/nats-daemon.ts +50 -0
package/src/nats/nats-token.test.ts +61 -0
package/src/nats/nats-token.ts +59 -0
package/src/runner/coordination-mcp-integration.test.ts +134 -0
package/src/runner/nats-coordination-client.test.ts +49 -0
package/src/runner/nats-coordination-client.ts +94 -0
package/src/runner/runner-agent.test.ts +469 -0
package/src/runner/runner-agent.ts +453 -0
package/src/runner/runner-credential.test.ts +93 -0
package/src/runner/runner-credential.ts +82 -0
package/src/runner/runner-nats.test.ts +495 -0
package/src/runner/runner-nats.ts +323 -0
package/src/runner/runner-pair.test.ts +107 -0
package/src/runner/runner-pair.ts +81 -0
package/src/runner/runner.test.ts +135 -0
package/src/runner/runner.ts +212 -0
package/src/runner/turn-factories.test.ts +97 -0
package/src/runner/turn-factories.ts +475 -0
package/src/server/agent-config-journey.test.ts +106 -0
package/src/server/agent.ts +8 -0
package/src/server/auto-continue/auth-error-detector.ts +66 -0
package/src/server/auto-continue/limit-detector.ts +194 -0
package/src/server/bm25.test.ts +92 -0
package/src/server/bm25.ts +101 -0
package/src/server/chat-events-jetstream.test.ts +135 -0
package/src/server/claude-harness.ts +360 -0
package/src/server/claude-pty/agent-normalizers.ts +309 -0
package/src/server/claude-pty/auth.test.ts +38 -0
package/src/server/claude-pty/auth.ts +32 -0
package/src/server/claude-pty/claude-session-registry.adapter.ts +81 -0
package/src/server/claude-pty/claude-session-registry.test.ts +149 -0
package/src/server/claude-pty/driver.test.ts +902 -0
package/src/server/claude-pty/driver.ts +807 -0
package/src/server/claude-pty/jsonl-path.adapter.ts +57 -0
package/src/server/claude-pty/jsonl-path.test.ts +114 -0
package/src/server/claude-pty/jsonl-to-event.test.ts +241 -0
package/src/server/claude-pty/jsonl-to-event.ts +174 -0
package/src/server/claude-pty/output-ring.test.ts +35 -0
package/src/server/claude-pty/output-ring.ts +25 -0
package/src/server/claude-pty/parity-matrix.test.ts +227 -0
package/src/server/claude-pty/pid-registry.adapter.ts +135 -0
package/src/server/claude-pty/pid-registry.test.ts +122 -0
package/src/server/claude-pty/preflight/binary-fingerprint.adapter.ts +20 -0
package/src/server/claude-pty/preflight/binary-fingerprint.test.ts +32 -0
package/src/server/claude-pty/pty-instance-registry.test.ts +177 -0
package/src/server/claude-pty/pty-instance-registry.ts +166 -0
package/src/server/claude-pty/pty-memory-sampler.adapter.test.ts +103 -0
package/src/server/claude-pty/pty-memory-sampler.adapter.ts +85 -0
package/src/server/claude-pty/pty-process.adapter.ts +66 -0
package/src/server/claude-pty/pty-process.test.ts +49 -0
package/src/server/claude-pty/resolve-binary.adapter.ts +106 -0
package/src/server/claude-pty/resolve-binary.test.ts +118 -0
package/src/server/claude-pty/runtime-dir.adapter.ts +19 -0
package/src/server/claude-pty/settings-writer.adapter.ts +27 -0
package/src/server/claude-pty/settings-writer.test.ts +22 -0
package/src/server/claude-pty/smoke-test-io.adapter.ts +28 -0
package/src/server/claude-pty/smoke-test.test.ts +191 -0
package/src/server/claude-pty/smoke-test.ts +185 -0
package/src/server/claude-pty/subagent-orchestrator.ts +887 -0
package/src/server/claude-pty/tool-callback.ts +274 -0
package/src/server/claude-pty/tui-control.test.ts +272 -0
package/src/server/claude-pty/tui-control.ts +182 -0
package/src/server/claude-pty/tui-source.adapter.test.ts +360 -0
package/src/server/claude-pty/tui-source.adapter.ts +343 -0
package/src/server/claude-pty/tunnel-gateway.ts +12 -0
package/src/server/claude-pty-mcp/canonical-args.ts +15 -0
package/src/server/claude-pty-mcp/fs-stat.adapter.ts +8 -0
package/src/server/claude-pty-mcp/history-primer.ts +90 -0
package/src/server/claude-pty-mcp/http-server.adapter.ts +33 -0
package/src/server/claude-pty-mcp/mcp-http.ts +177 -0
package/src/server/claude-pty-mcp/mcp.ts +412 -0
package/src/server/claude-pty-mcp/mention-parser.ts +25 -0
package/src/server/claude-pty-mcp/paths.ts +24 -0
package/src/server/claude-pty-mcp/permission-gate.ts +243 -0
package/src/server/claude-pty-mcp/terminal-pid-registry.adapter.ts +107 -0
package/src/server/claude-pty-mcp/tools/ask-user-question.test.ts +119 -0
package/src/server/claude-pty-mcp/tools/ask-user-question.ts +61 -0
package/src/server/claude-pty-mcp/tools/bash.adapter.ts +76 -0
package/src/server/claude-pty-mcp/tools/bash.test.ts +56 -0
package/src/server/claude-pty-mcp/tools/delegate-subagent.test.ts +155 -0
package/src/server/claude-pty-mcp/tools/delegate-subagent.ts +111 -0
package/src/server/claude-pty-mcp/tools/edit.adapter.ts +95 -0
package/src/server/claude-pty-mcp/tools/edit.test.ts +93 -0
package/src/server/claude-pty-mcp/tools/exit-plan-mode.test.ts +61 -0
package/src/server/claude-pty-mcp/tools/exit-plan-mode.ts +50 -0
package/src/server/claude-pty-mcp/tools/glob.adapter.ts +86 -0
package/src/server/claude-pty-mcp/tools/glob.test.ts +61 -0
package/src/server/claude-pty-mcp/tools/grep.adapter.ts +126 -0
package/src/server/claude-pty-mcp/tools/grep.test.ts +62 -0
package/src/server/claude-pty-mcp/tools/read.adapter.ts +58 -0
package/src/server/claude-pty-mcp/tools/read.test.ts +62 -0
package/src/server/claude-pty-mcp/tools/tool-callback-shim.ts +42 -0
package/src/server/claude-pty-mcp/tools/webfetch.test.ts +81 -0
package/src/server/claude-pty-mcp/tools/webfetch.ts +82 -0
package/src/server/claude-pty-mcp/tools/websearch.test.ts +40 -0
package/src/server/claude-pty-mcp/tools/websearch.ts +42 -0
package/src/server/claude-pty-mcp/tools/write.adapter.ts +60 -0
package/src/server/claude-pty-mcp/tools/write.test.ts +52 -0
package/src/server/claude-pty-mcp/uploads.adapter.ts +98 -0
package/src/server/claude-pty-mcp/uploads.ts +38 -0
package/src/server/claude-turn.test.ts +176 -0
package/src/server/cli-runtime.test.ts +456 -0
package/src/server/cli-runtime.ts +374 -0
package/src/server/cli-supervisor.ts +81 -0
package/src/server/cli.ts +78 -0
package/src/server/client-log-forwarder.test.ts +74 -0
package/src/server/client-log-forwarder.ts +75 -0
package/src/server/codex-app-server-protocol.ts +449 -0
package/src/server/codex-app-server.test.ts +2990 -0
package/src/server/codex-app-server.ts +1713 -0
package/src/server/coordination-integration.test.ts +63 -0
package/src/server/coordination-mcp.test.ts +149 -0
package/src/server/coordination-mcp.ts +197 -0
package/src/server/delegation-coordinator.test.ts +675 -0
package/src/server/delegation-coordinator.ts +454 -0
package/src/server/discovery.test.ts +211 -0
package/src/server/discovery.ts +301 -0
package/src/server/event-store-agent-config.test.ts +124 -0
package/src/server/event-store-coordination.test.ts +149 -0
package/src/server/event-store-profile.test.ts +132 -0
package/src/server/event-store-repo.test.ts +154 -0
package/src/server/event-store-runner-team.test.ts +104 -0
package/src/server/event-store.test.ts +342 -0
package/src/server/event-store.ts +2208 -0
package/src/server/events.ts +379 -0
package/src/server/extension-router.test.ts +183 -0
package/src/server/extension-router.ts +114 -0
package/src/server/extensions/agents/server.test.ts +191 -0
package/src/server/extensions/agents/server.ts +108 -0
package/src/server/extensions/c3/server.test.ts +284 -0
package/src/server/extensions/c3/server.ts +212 -0
package/src/server/extensions/code/server.test.ts +200 -0
package/src/server/extensions/code/server.ts +150 -0
package/src/server/extensions.config.ts +10 -0
package/src/server/external-open.ts +69 -0
package/src/server/generate-fork-context.ts +58 -0
package/src/server/generate-merge-context.test.ts +290 -0
package/src/server/generate-merge-context.ts +141 -0
package/src/server/generate-title.ts +36 -0
package/src/server/git-clone-policy.test.ts +138 -0
package/src/server/git-clone-policy.ts +27 -0
package/src/server/harness-types.ts +1 -0
package/src/server/journey-verification.test.ts +640 -0
package/src/server/journey-verification.ts +195 -0
package/src/server/machine-name.ts +22 -0
package/src/server/nats-auth.test.ts +92 -0
package/src/server/nats-auth.ts +6 -0
package/src/server/nats-bind-guard.test.ts +71 -0
package/src/server/nats-bind-guard.ts +42 -0
package/src/server/nats-bridge.test.ts +141 -0
package/src/server/nats-bridge.ts +111 -0
package/src/server/nats-connector.test.ts +56 -0
package/src/server/nats-connector.ts +71 -0
package/src/server/nats-daemon-manager.test.ts +76 -0
package/src/server/nats-daemon-manager.ts +174 -0
package/src/server/nats-publisher.test.ts +356 -0
package/src/server/nats-publisher.ts +271 -0
package/src/server/nats-responders.test.ts +1018 -0
package/src/server/nats-responders.ts +925 -0
package/src/server/nats-streams.test.ts +112 -0
package/src/server/nats-streams.ts +129 -0
package/src/server/oauth-pool/oauth-responders.ts +185 -0
package/src/server/oauth-pool/oauth-settings-store.ts +173 -0
package/src/server/oauth-pool/oauth-token-pool.ts +303 -0
package/src/server/orchestration.test.ts +1063 -0
package/src/server/orchestration.ts +716 -0
package/src/server/pairing-endpoints.test.ts +171 -0
package/src/server/pairing-store.test.ts +154 -0
package/src/server/pairing-store.ts +124 -0
package/src/server/paths.ts +27 -0
package/src/server/pr3-liveness.test.ts +252 -0
package/src/server/process-utils.ts +10 -0
package/src/server/project-cli.ts +180 -0
package/src/server/provider-catalog.test.ts +177 -0
package/src/server/provider-catalog.ts +146 -0
package/src/server/pty-responders.ts +345 -0
package/src/server/push-notifications.test.ts +234 -0
package/src/server/push-notifications.ts +188 -0
package/src/server/quick-response.test.ts +196 -0
package/src/server/quick-response.ts +154 -0
package/src/server/read-models-agent-config.test.ts +59 -0
package/src/server/read-models-coordination.test.ts +69 -0
package/src/server/read-models.test.ts +332 -0
package/src/server/read-models.ts +258 -0
package/src/server/repo-journey.test.ts +96 -0
package/src/server/repo-manager.test.ts +118 -0
package/src/server/repo-manager.ts +97 -0
package/src/server/repo-status.test.ts +54 -0
package/src/server/repo-status.ts +82 -0
package/src/server/restart.test.ts +27 -0
package/src/server/restart.ts +30 -0
package/src/server/runner-incompatible-gate.test.ts +383 -0
package/src/server/runner-manager.test.ts +72 -0
package/src/server/runner-manager.ts +312 -0
package/src/server/runner-pairing-urls.test.ts +59 -0
package/src/server/runner-pairing-urls.ts +67 -0
package/src/server/runner-proxy.test.ts +456 -0
package/src/server/runner-proxy.ts +494 -0
package/src/server/runner-router.test.ts +429 -0
package/src/server/runner-router.ts +212 -0
package/src/server/runner-routing.test.ts +584 -0
package/src/server/runtime-registry.test.ts +436 -0
package/src/server/runtime-registry.ts +307 -0
package/src/server/sandbox-health.test.ts +127 -0
package/src/server/sandbox-health.ts +94 -0
package/src/server/sandbox-journey.test.ts +232 -0
package/src/server/sandbox-manager.test.ts +146 -0
package/src/server/sandbox-manager.ts +159 -0
package/src/server/server.test.ts +287 -0
package/src/server/server.ts +1108 -0
package/src/server/session-discovery.test.ts +129 -0
package/src/server/session-discovery.ts +475 -0
package/src/server/session-index.test.ts +362 -0
package/src/server/session-index.ts +119 -0
package/src/server/session-seed.ts +288 -0
package/src/server/share.test.ts +108 -0
package/src/server/share.ts +113 -0
package/src/server/skill-discovery.test.ts +201 -0
package/src/server/skill-discovery.ts +77 -0
package/src/server/storage/test-helpers.ts +67 -0
package/src/server/terminal-manager.test.ts +309 -0
package/src/server/terminal-manager.ts +354 -0
package/src/server/transcript-consumer.test.ts +339 -0
package/src/server/transcript-consumer.ts +162 -0
package/src/server/transcript-search.test.ts +193 -0
package/src/server/transcript-search.ts +83 -0
package/src/server/transcript-utils.ts +52 -0
package/src/server/update-manager.test.ts +107 -0
package/src/server/update-manager.ts +230 -0
package/src/server/workflow-engine.test.ts +251 -0
package/src/server/workflow-engine.ts +169 -0
package/src/server/workflow-mcp.ts +49 -0
package/src/server/workflow-store.test.ts +155 -0
package/src/server/workflow-store.ts +139 -0
package/src/server/workspace-agent-integration.test.ts +167 -0
package/src/server/workspace-agent-routes.test.ts +127 -0
package/src/server/workspace-agent-routes.ts +89 -0
package/src/server/workspace-agent.test.ts +103 -0
package/src/server/workspace-agent.ts +102 -0
package/src/server/workspace-cli.test.ts +79 -0
package/src/server/workspace-config-manager.test.ts +109 -0
package/src/server/workspace-config-manager.ts +83 -0
package/src/server/workspace-directory-policy.test.ts +109 -0
package/src/server/workspace-directory-policy.ts +56 -0
package/src/shared/agent-config-types.ts +25 -0
package/src/shared/branding.test.ts +42 -0
package/src/shared/branding.ts +54 -0
package/src/shared/compression.test.ts +85 -0
package/src/shared/compression.ts +42 -0
package/src/shared/coordination-store.test.ts +24 -0
package/src/shared/coordination-store.ts +26 -0
package/src/shared/dev-ports.test.ts +84 -0
package/src/shared/dev-ports.ts +100 -0
package/src/shared/extension-types.ts +45 -0
package/src/shared/fork-presets.ts +54 -0
package/src/shared/harness-types.test.ts +15 -0
package/src/shared/harness-types.ts +21 -0
package/src/shared/log-sink.test.ts +112 -0
package/src/shared/log-sink.ts +185 -0
package/src/shared/mention-pattern.ts +7 -0
package/src/shared/merge-presets.ts +41 -0
package/src/shared/nats-subjects.test.ts +61 -0
package/src/shared/nats-subjects.ts +131 -0
package/src/shared/permission-policy.ts +136 -0
package/src/shared/ports.ts +3 -0
package/src/shared/preset-types.ts +15 -0
package/src/shared/profile-types.ts +49 -0
package/src/shared/projectFileUrl.ts +36 -0
package/src/shared/protocol.ts +153 -0
package/src/shared/pty-instance.ts +43 -0
package/src/shared/puggy/diagnostics/result.ts +18 -0
package/src/shared/puggy/expressions/evaluate.ts +292 -0
package/src/shared/puggy/index.test.ts +101 -0
package/src/shared/puggy/index.ts +69 -0
package/src/shared/puggy/parser/ast.ts +110 -0
package/src/shared/puggy/parser/parser.ts +624 -0
package/src/shared/puggy/renderer/html.ts +447 -0
package/src/shared/runner-protocol.test.ts +277 -0
package/src/shared/runner-protocol.ts +210 -0
package/src/shared/runner-team-types.ts +73 -0
package/src/shared/runtime-types.ts +48 -0
package/src/shared/sandbox-types.ts +53 -0
package/src/shared/tailwind-build.test.ts +12 -0
package/src/shared/tinkaria-system-prompt.ts +101 -0
package/src/shared/tools.test.ts +335 -0
package/src/shared/tools.ts +397 -0
package/src/shared/transcript-entries.ts +27 -0
package/src/shared/transcript-render.test.ts +225 -0
package/src/shared/transcript-render.ts +467 -0
package/src/shared/types.ts +1031 -0
package/src/shared/vite-config.test.ts +47 -0
package/src/shared/web-context.test.ts +110 -0
package/src/shared/web-context.ts +76 -0
package/src/shared/workflow-types.ts +51 -0
package/src/shared/workspace-types.ts +100 -0

package/src/nats/auth-callout/keys.ts ADDED Viewed

@@ -0,0 +1,103 @@
+/**
+ * Callout signing-key management (Stage A, PR1).
+ *
+ * The auth-callout requires two nkey pairs:
+ *   - An **account key pair** — the callout issuer account (public key goes into
+ *     the nats-server config; the seed is held by the responder to sign user JWTs).
+ *   - An **auth-service key pair** — the user listed in `auth_users` whose
+ *     connection bypasses the callout (required by NATS auth-callout spec).
+ *
+ * Both seeds are stored alongside `nats.token` in NATS_DATA_DIR (same on-disk
+ * trust boundary; gitignored). The server reads them at startup; key rotation
+ * is a documented follow-up.
+ */
+import { join } from "node:path"
+import { mkdirSync, renameSync, chmodSync } from "node:fs"
+import { createAccount, createUser, fromSeed } from "@nats-io/nkeys"
+import type { KeyPair } from "@nats-io/nkeys"
+const ACCOUNT_SEED_FILE = "nats.callout-account.seed"
+const AUTH_USER_SEED_FILE = "nats.callout-auth-user.seed"
+const TOKEN_SECRET_FILE = "nats.callout-token.secret"
+/** Loaded callout key material. */
+export interface CalloutKeys {
+  /** KeyPair for the callout issuer account (signs user JWTs). */
+  accountKp: KeyPair
+  /** Public key of the account (goes into nats-server config). */
+  accountPublicKey: string
+  /** KeyPair for the auth-service user (bypasses callout). */
+  authUserKp: KeyPair
+  /** Public key of the auth-service user (goes into nats-server config). */
+  authUserPublicKey: string
+  /**
+   * 32-byte shared secret used to mint and verify stateless credential tokens
+   * (Stage B). Both the server process and the daemon child load this from disk.
+   */
+  tokenSecret: Uint8Array
+}
+async function readOrCreateSeed(
+  seedPath: string,
+  generator: () => KeyPair
+): Promise<string> {
+  const file = Bun.file(seedPath)
+  if (await file.exists()) {
+    const seed = (await file.text()).trim()
+    if (seed.length > 0) return seed
+  }
+  const kp = generator()
+  const seed = Buffer.from(kp.getSeed()).toString()
+  const tmp = `${seedPath}.tmp.${process.pid}`
+  await Bun.write(tmp, seed + "\n")
+  renameSync(tmp, seedPath) // atomic
+  chmodSync(seedPath, 0o600) // owner-read/write only
+  return seed
+}
+async function readOrCreateTokenSecret(secretPath: string): Promise<Uint8Array> {
+  const file = Bun.file(secretPath)
+  if (await file.exists()) {
+    const hex = (await file.text()).trim()
+    if (hex.length === 64) return new Uint8Array(Buffer.from(hex, "hex"))
+  }
+  const secret = new Uint8Array(32)
+  crypto.getRandomValues(secret)
+  const hex = Buffer.from(secret).toString("hex")
+  const tmp = `${secretPath}.tmp.${process.pid}`
+  await Bun.write(tmp, hex + "\n")
+  renameSync(tmp, secretPath) // atomic
+  chmodSync(secretPath, 0o600) // owner-read/write only
+  return secret
+}
+/**
+ * Ensure callout key material exists in `dataDir`.
+ * Generates both pairs and the token secret on first call; subsequent calls load from disk.
+ * Safe for single-writer use (the NATS daemon); not safe for concurrent writers.
+ */
+export async function ensureCalloutKeys(dataDir: string): Promise<CalloutKeys> {
+  mkdirSync(dataDir, { recursive: true })
+  const accountSeedPath = join(dataDir, ACCOUNT_SEED_FILE)
+  const authUserSeedPath = join(dataDir, AUTH_USER_SEED_FILE)
+  const tokenSecretPath = join(dataDir, TOKEN_SECRET_FILE)
+  const accountSeed = await readOrCreateSeed(accountSeedPath, createAccount)
+  const authUserSeed = await readOrCreateSeed(authUserSeedPath, createUser)
+  const tokenSecret = await readOrCreateTokenSecret(tokenSecretPath)
+  const accountKp = fromSeed(Buffer.from(accountSeed.trim()))
+  const authUserKp = fromSeed(Buffer.from(authUserSeed.trim()))
+  return {
+    accountKp,
+    accountPublicKey: accountKp.getPublicKey(),
+    authUserKp,
+    authUserPublicKey: authUserKp.getPublicKey(),
+    tokenSecret,
+  }
+}

package/src/nats/auth-callout/responder.ts ADDED Viewed

@@ -0,0 +1,241 @@
+/**
+ * Auth-callout responder (Stage B, PR1).
+ *
+ * Subscribes to $SYS.REQ.USER.AUTH. For each request:
+ *  1. Decode the AuthorizationRequest JWT from NATS.
+ *  2. Validate the credential in connect_opts.auth_token via verifyCredentialToken.
+ *  3. Resolve the connection class (and runnerId for runner class).
+ *  4. Mint a scoped user JWT and respond with a signed AuthorizationResponse.
+ *  5. Audit every decision (grant/deny).
+ *
+ * The responding connection itself uses the auth-service nkey (authUserKp) and
+ * bypasses the callout, per the NATS auth_callout spec.
+ *
+ * Stage B: replaced in-memory credential registry with stateless HMAC-signed
+ * tokens (verifyCredentialToken). No registration step; both the server process
+ * (issuer) and this daemon child (verifier) share only the on-disk token secret.
+ */
+import { connect, type NatsConnection, type Subscription } from "@nats-io/transport-node"
+import { nkeyAuthenticator } from "@nats-io/nats-core"
+import {
+  encodeUser,
+  encodeAuthorizationResponse,
+  decode,
+  Algorithms,
+  fromPublic,
+  createUser,
+} from "@nats-io/jwt"
+import type { AuthorizationRequest } from "@nats-io/jwt"
+import type { KeyPair } from "@nats-io/nkeys"
+import { permissionsFor } from "./scope-policy"
+import type { ResolvedIdentity } from "./scope-policy"
+import { verifyCredentialToken } from "./token"
+const CALLOUT_SUBJECT = "$SYS.REQ.USER.AUTH"
+// ── Responder ─────────────────────────────────────────────────────────────────
+export interface ResponderOptions {
+  /** NATS URL to connect to (TCP). */
+  natsUrl: string
+  /** KeyPair for the auth-service user (bypasses callout). */
+  authUserKp: KeyPair
+  /** KeyPair for the callout issuer account (signs user JWTs). */
+  accountKp: KeyPair
+  /** Public key of the callout account (needed for encodeUser issuer_account). */
+  accountPublicKey: string
+  /**
+   * Account name as declared in the nats-server config accounts block.
+   * This becomes the `aud` (audience) of the issued user JWT so NATS knows
+   * which account to place the connection in.
+   */
+  accountName?: string
+  /**
+   * 32-byte shared secret loaded from NATS_DATA_DIR by the daemon child.
+   * Used to verify stateless credential tokens without any in-memory registry.
+   */
+  tokenSecret: Uint8Array
+}
+export class CalloutResponder {
+  private nc: NatsConnection | null = null
+  private sub: Subscription | null = null
+  private readonly opts: ResponderOptions
+  constructor(opts: ResponderOptions) {
+    this.opts = opts
+  }
+  /**
+   * Connect to NATS as the auth-service user (bypasses callout) and
+   * start the subscription loop.
+   */
+  async start(): Promise<void> {
+    const { authUserKp, natsUrl } = this.opts
+    // Connect using the auth-service nkey (bypasses the callout per NATS spec).
+    // nkeyAuthenticator takes the seed bytes; the server verifies the public key
+    // against auth_users in the config.
+    this.nc = await connect({
+      servers: natsUrl,
+      authenticator: nkeyAuthenticator(authUserKp.getSeed()),
+    })
+    this.sub = this.nc.subscribe(CALLOUT_SUBJECT)
+    void this.listenLoop().catch((err) => {
+      console.error("[nats-callout] listenLoop fatal:", err)
+    })
+  }
+  /** Stop the responder and drain the NATS connection. */
+  async stop(): Promise<void> {
+    this.sub?.unsubscribe()
+    if (this.nc) {
+      try { await this.nc.drain() } catch { /* ignore drain errors on shutdown */ }
+      this.nc = null
+    }
+  }
+  private async listenLoop(): Promise<void> {
+    if (!this.sub) return
+    for await (const msg of this.sub) {
+      await this.handleCallout(msg)
+    }
+  }
+  private async handleCallout(msg: { data: Uint8Array; respond: (data: Uint8Array) => void }): Promise<void> {
+    const { accountKp, accountPublicKey, accountName = "CALLOUT_ACCOUNT" } = this.opts
+    // The callout request body is a JWT (not plain JSON).
+    // Decode it to get the AuthorizationRequest payload from the `nats` claim.
+    let req: AuthorizationRequest
+    try {
+      const jwt = new TextDecoder().decode(msg.data)
+      const claims = decode<AuthorizationRequest>(jwt)
+      req = claims.nats as unknown as AuthorizationRequest
+    } catch (err) {
+      this.audit("deny", "unparseable-request", null, `decode error: ${err}`)
+      await this.respondError(msg, accountKp, null, "invalid authorization request")
+      return
+    }
+    const userNkey = req.user_nkey
+    const serverNkey = req.server_id.id
+    const presentedToken = req.connect_opts?.auth_token
+    // Verify the stateless signed credential token.
+    const identity = await verifyCredentialToken(presentedToken, this.opts.tokenSecret)
+    if (!identity) {
+      this.audit("deny", userNkey, null, "unknown or invalid credential")
+      await this.respondError(msg, accountKp, serverNkey, "unknown credential")
+      return
+    }
+    const scope = permissionsFor(identity)
+    // Mint a fresh user keypair for this connection (the JWT subject).
+    // The user nkey from the request is the connecting client's key;
+    // we use fromPublic to get a Key that encodeUser can use as ukp.
+    let userKey: ReturnType<typeof fromPublic>
+    try {
+      userKey = fromPublic(userNkey)
+    } catch (err) {
+      this.audit("deny", userNkey, identity, `invalid user nkey: ${err}`)
+      await this.respondError(msg, accountKp, serverNkey, "invalid user nkey")
+      return
+    }
+    // Encode the scoped user JWT.
+    // The `aud` field must be the account name from the nats-server config so
+    // NATS knows which account to place this connection in.
+    let userJwt: string
+    try {
+      userJwt = await encodeUser(
+        connectionClassName(identity),
+        userKey,
+        accountKp, // issuer — the account key pair
+        {
+          pub: scope.pub,
+          sub: scope.sub,
+        },
+        { algorithm: Algorithms.v2, aud: accountName }
+      )
+    } catch (err) {
+      this.audit("deny", userNkey, identity, `jwt encode failed: ${err}`)
+      await this.respondError(msg, accountKp, serverNkey, "internal error minting JWT")
+      return
+    }
+    // Build and sign the authorization response.
+    try {
+      const serverKp = fromPublic(serverNkey)
+      const responseJwt = await encodeAuthorizationResponse(
+        userKey,
+        serverKp,
+        accountKp,
+        { jwt: userJwt },
+        { algorithm: Algorithms.v2 }
+      )
+      this.audit("grant", userNkey, identity, "ok")
+      msg.respond(new TextEncoder().encode(responseJwt))
+    } catch (err) {
+      this.audit("deny", userNkey, identity, `response encode failed: ${err}`)
+      await this.respondError(msg, accountKp, serverNkey, "internal error building response")
+    }
+  }
+  private async respondError(
+    msg: { respond: (data: Uint8Array) => void },
+    accountKp: KeyPair,
+    serverNkey: string | null,
+    reason: string
+  ): Promise<void> {
+    try {
+      // For error responses we need a server key; if we don't have one, create
+      // a throwaway keypair (NATS only needs a valid structure for the error path).
+      const serverKp = serverNkey
+        ? fromPublic(serverNkey)
+        : createUser()
+      // The user key in an error response is also a throwaway.
+      const throwawayUser = createUser()
+      const responseJwt = await encodeAuthorizationResponse(
+        throwawayUser,
+        serverKp,
+        accountKp,
+        { error: reason },
+        { algorithm: Algorithms.v2 }
+      )
+      msg.respond(new TextEncoder().encode(responseJwt))
+    } catch {
+      // Last resort: send empty bytes; NATS will treat as rejection.
+      msg.respond(new Uint8Array(0))
+    }
+  }
+  private audit(
+    decision: "grant" | "deny",
+    userNkey: string | null,
+    identity: ResolvedIdentity | null,
+    detail: string
+  ): void {
+    const ts = new Date().toISOString()
+    const cls = identity ? connectionClassName(identity) : "unknown"
+    const rid = identity?.class === "runner" ? identity.runnerId : "-"
+    console.warn(
+      `[nats-callout] ${ts} decision=${decision} class=${cls} runnerId=${rid}`,
+      `nkey=${userNkey?.slice(0, 12) ?? "?"}… detail=${detail}`
+    )
+  }
+}
+// ── Helpers ───────────────────────────────────────────────────────────────────
+function connectionClassName(identity: ResolvedIdentity): string {
+  return identity.class === "runner"
+    ? `runner:${identity.runnerId}`
+    : identity.class
+}

package/src/nats/auth-callout/scope-policy.test.ts ADDED Viewed

@@ -0,0 +1,159 @@
+import { describe, test, expect } from "bun:test"
+import { permissionsFor, runnerKvKeySubject, runnerCmdWildcard } from "./scope-policy"
+// Helper: check whether a subject is covered by an allow list.
+// NATS uses prefix-match with ">" wildcard and exact ">" suffix.
+function matchesAny(subject: string, patterns: string[]): boolean {
+  for (const pattern of patterns) {
+    if (matchesNats(subject, pattern)) return true
+  }
+  return false
+}
+function matchesNats(subject: string, pattern: string): boolean {
+  if (pattern === subject) return true
+  if (pattern.endsWith(".>")) {
+    const prefix = pattern.slice(0, -1) // "foo.>"  -> "foo."
+    if (subject.startsWith(prefix)) return true
+  }
+  return false
+}
+// ── server-admin ──────────────────────────────────────────────────────────────
+describe("server-admin scope", () => {
+  const scope = permissionsFor({ class: "server-admin" })
+  test("may publish to runtime.>", () => {
+    expect(matchesAny("runtime.runner.cmd.A.start", scope.pub.allow)).toBe(true)
+  })
+  test("may publish JetStream ACKs (regression: $JS.ACK is a separate tree from $JS.API)", () => {
+    expect(matchesAny("$JS.ACK.KANNA_RUNNER_EVENTS.consumer.1.1.1.1.0", scope.pub.allow)).toBe(true)
+  })
+  test("may publish to JetStream API", () => {
+    expect(matchesAny("$JS.API.STREAM.INFO", scope.pub.allow)).toBe(true)
+  })
+  test("may publish to KV", () => {
+    expect(matchesAny("$KV.runtime_runner_registry.someRunner", scope.pub.allow)).toBe(true)
+  })
+  test("may subscribe to callout subject", () => {
+    expect(matchesAny("$SYS.REQ.USER.AUTH", scope.sub.allow)).toBe(true)
+  })
+  test("no deny rules", () => {
+    expect(scope.pub.deny).toHaveLength(0)
+    expect(scope.sub.deny).toHaveLength(0)
+  })
+})
+// ── ui-client ─────────────────────────────────────────────────────────────────
+describe("ui-client scope", () => {
+  const scope = permissionsFor({ class: "ui-client" })
+  test("may publish to runtime.cmd.>", () => {
+    expect(matchesAny("runtime.cmd.someCommand", scope.pub.allow)).toBe(true)
+  })
+  test("may subscribe to runner events", () => {
+    expect(matchesAny("runtime.runner.evt.chat123", scope.sub.allow)).toBe(true)
+  })
+  test("may pull chat messages via JS CONSUMER.MSG.NEXT (regression: was denied)", () => {
+    // The browser uses a pull consumer; without this it got Publish Violations
+    // and could not read chat messages. See intake #21.
+    expect(
+      matchesAny("$JS.API.CONSUMER.MSG.NEXT.KANNA_CHAT_MESSAGE_EVENTS.someConsumer_1", scope.pub.allow),
+    ).toBe(true)
+  })
+  test("pull fetch is still scoped to the chat stream only (not other streams)", () => {
+    expect(
+      matchesAny("$JS.API.CONSUMER.MSG.NEXT.KANNA_RUNNER_EVENTS.c", scope.pub.allow),
+    ).toBe(false)
+  })
+  test("may subscribe to snapshots", () => {
+    expect(matchesAny("runtime.snap.chat.abc", scope.sub.allow)).toBe(true)
+  })
+  test("runtime.runner.cmd.> is NOT in pub allow list (excluded by default)", () => {
+    // NATS: not in allow list means denied. No explicit deny needed.
+    expect(matchesAny("runtime.runner.cmd.A.start", scope.pub.allow)).toBe(false)
+  })
+  test("may NOT subscribe to runner cmd subjects (not in allow list)", () => {
+    expect(matchesAny("runtime.runner.cmd.A.>", scope.sub.allow)).toBe(false)
+  })
+  test("no deny rules (allow-only policy)", () => {
+    expect(scope.pub.deny).toHaveLength(0)
+    expect(scope.sub.deny).toHaveLength(0)
+  })
+})
+// ── runner (per-runnerId) ─────────────────────────────────────────────────────
+describe("runner scope", () => {
+  const runnerId = "runner-A"
+  const otherRunnerId = "runner-B"
+  const scope = permissionsFor({ class: "runner", runnerId })
+  test("may subscribe to its own cmd subject", () => {
+    expect(matchesAny(runnerCmdWildcard(runnerId), scope.sub.allow)).toBe(true)
+    expect(matchesAny(`runtime.runner.cmd.${runnerId}.start`, scope.sub.allow)).toBe(true)
+  })
+  test("another runner cmd subject is NOT in sub allow (excluded by default)", () => {
+    // NATS: not in allow list means denied. No explicit deny needed.
+    expect(matchesAny(runnerCmdWildcard(otherRunnerId), scope.sub.allow)).toBe(false)
+    expect(matchesAny(`runtime.runner.cmd.${otherRunnerId}.start`, scope.sub.allow)).toBe(false)
+  })
+  test("may publish its own heartbeat", () => {
+    expect(matchesAny(`runtime.runner.heartbeat.${runnerId}`, scope.pub.allow)).toBe(true)
+  })
+  test("another runner heartbeat is NOT in pub allow (excluded by default)", () => {
+    expect(matchesAny(`runtime.runner.heartbeat.${otherRunnerId}`, scope.pub.allow)).toBe(false)
+  })
+  test("may publish runner events", () => {
+    expect(matchesAny("runtime.runner.evt.chat1", scope.pub.allow)).toBe(true)
+  })
+  test("may publish its own KV registry key", () => {
+    const ownKey = runnerKvKeySubject(runnerId)
+    expect(matchesAny(ownKey, scope.pub.allow)).toBe(true)
+  })
+  test("another runner KV key is NOT in pub allow (excluded by default)", () => {
+    // NATS: not in allow means denied. We use specific-allow only (no wildcard allow,
+    // no deny list) so other keys are automatically excluded.
+    const foreignKey = runnerKvKeySubject(otherRunnerId)
+    expect(matchesAny(foreignKey, scope.pub.allow)).toBe(false)
+  })
+  test("no deny rules (allow-only policy)", () => {
+    expect(scope.pub.deny).toHaveLength(0)
+    expect(scope.sub.deny).toHaveLength(0)
+  })
+})
+// ── runnerKvKeySubject helper ─────────────────────────────────────────────────
+describe("runnerKvKeySubject", () => {
+  test("returns expected KV subject", () => {
+    expect(runnerKvKeySubject("abc")).toBe("$KV.runtime_runner_registry.abc")
+  })
+})
+describe("runnerCmdWildcard", () => {
+  test("returns expected wildcard", () => {
+    expect(runnerCmdWildcard("xyz")).toBe("runtime.runner.cmd.xyz.>")
+  })
+})