npm - airaknit - Versions diffs - 1.1.2-rc.9 - Mend

airaknit 1.1.2-rc.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (440) hide show

package/LICENSE +84 -0
package/README.md +202 -0
package/bin/airaknit +9 -0
package/bin/airaknit-project +14 -0
package/bin/kanna +9 -0
package/dist/client/assets/CompactSummaryMessage-Yw0BDWEJ.js +1 -0
package/dist/client/assets/ExitPlanModeMessage-DIdkQ4uF.js +1 -0
package/dist/client/assets/LocalFilePreviewDialog-DQx2eiCc.js +3 -0
package/dist/client/assets/LocalProjectsSection-C4xlWkgS.js +1 -0
package/dist/client/assets/TextMessage-B5G39DEJ.js +1 -0
package/dist/client/assets/UserMessage-CIkWk-0L.js +1 -0
package/dist/client/assets/_basePickBy-CVrAFfnZ.js +1 -0
package/dist/client/assets/_baseUniq-JL-aaF4P.js +1 -0
package/dist/client/assets/arc-B07zg7ol.js +1 -0
package/dist/client/assets/architecture-YZFGNWBL-PSLVJL3p.js +1 -0
package/dist/client/assets/architectureDiagram-Q4EWVU46-DfWIF1G_.js +36 -0
package/dist/client/assets/array-BGFCBI0e.js +1 -0
package/dist/client/assets/blockDiagram-DXYQGD6D-CzwIeo_B.js +132 -0
package/dist/client/assets/bundle-mjs-BDE2gWbQ.js +1 -0
package/dist/client/assets/button-DO50qOGv.js +1 -0
package/dist/client/assets/c4Diagram-AHTNJAMY-CR8DCQRE.js +10 -0
package/dist/client/assets/channel-Dj-UUfaF.js +1 -0
package/dist/client/assets/chunk-2KRD3SAO-dznP-cn8.js +1 -0
package/dist/client/assets/chunk-336JU56O-Dqss5Vu6.js +2 -0
package/dist/client/assets/chunk-426QAEUC-CEKis_0_.js +1 -0
package/dist/client/assets/chunk-4BX2VUAB-BYOv0Gm1.js +1 -0
package/dist/client/assets/chunk-4TB4RGXK-BxzubH5S.js +206 -0
package/dist/client/assets/chunk-55IACEB6-BSlTj03a.js +1 -0
package/dist/client/assets/chunk-5FUZZQ4R-9Au93Bi1.js +62 -0
package/dist/client/assets/chunk-5PVQY5BW-BhksHFEZ.js +2 -0
package/dist/client/assets/chunk-67CJDMHE-BFwhz-8t.js +1 -0
package/dist/client/assets/chunk-7N4EOEYR-BDUPds87.js +1 -0
package/dist/client/assets/chunk-AA7GKIK3-CEWTdyXO.js +1 -0
package/dist/client/assets/chunk-BO2N2NFS-D0LvxnhU.js +103 -0
package/dist/client/assets/chunk-BSJP7CBP-BNJnK6sq.js +1 -0
package/dist/client/assets/chunk-Bj-mKKzh.js +1 -0
package/dist/client/assets/chunk-CIAEETIT-CYhfoCeN.js +1 -0
package/dist/client/assets/chunk-EDXVE4YY-C5ovJLc0.js +1 -0
package/dist/client/assets/chunk-ENJZ2VHE-HOhYaeGr.js +10 -0
package/dist/client/assets/chunk-FMBD7UC4-BLCiKcAQ.js +15 -0
package/dist/client/assets/chunk-FOC6F5B3-B6GtY2ek.js +1 -0
package/dist/client/assets/chunk-ICPOFSXX-DPoIZoC5.js +122 -0
package/dist/client/assets/chunk-K5T4RW27-BsKN63rv.js +94 -0
package/dist/client/assets/chunk-KGLVRYIC-BUGn9uuY.js +1 -0
package/dist/client/assets/chunk-LIHQZDEY-DhaZyo03.js +1 -0
package/dist/client/assets/chunk-ORNJ4GCN-DlpeeJyi.js +1 -0
package/dist/client/assets/chunk-OYMX7WX6-Dc9q7aYA.js +231 -0
package/dist/client/assets/chunk-QZHKN3VN-BEdrPoSb.js +1 -0
package/dist/client/assets/chunk-U2HBQHQK-CIB3Bjjd.js +70 -0
package/dist/client/assets/chunk-X2U36JSP-CtB-o8Yp.js +1 -0
package/dist/client/assets/chunk-XPW4576I-C6iHhX_8.js +32 -0
package/dist/client/assets/chunk-YZCP3GAM-CTmKr6ZH.js +1 -0
package/dist/client/assets/chunk-ZZ45TVLE-BgU8A2RF.js +1 -0
package/dist/client/assets/classDiagram-6PBFFD2Q-Bqk5e679.js +1 -0
package/dist/client/assets/classDiagram-v2-HSJHXN6E-6pSaZOkC.js +1 -0
package/dist/client/assets/client-BrKWI4CM.js +1 -0
package/dist/client/assets/client-CGgNRU9w.js +1 -0
package/dist/client/assets/client-DMSLRzg9.js +6 -0
package/dist/client/assets/clone-DWcL7whJ.js +1 -0
package/dist/client/assets/cose-bilkent-S5V4N54A-CrV5wsV_.js +1 -0
package/dist/client/assets/cytoscape.esm--aLzKuep.js +321 -0
package/dist/client/assets/dagre-CuRxWcrj.js +1 -0
package/dist/client/assets/dagre-KV5264BT-BIDiVnkA.js +4 -0
package/dist/client/assets/defaultLocale-CRZydyG6.js +1 -0
package/dist/client/assets/diagram-5BDNPKRD-i1kjKRCB.js +10 -0
package/dist/client/assets/diagram-G4DWMVQ6-9ZSLuhbl.js +24 -0
package/dist/client/assets/diagram-MMDJMWI5-B4_CUjgv.js +43 -0
package/dist/client/assets/diagram-TYMM5635-Ct5eTGS8.js +24 -0
package/dist/client/assets/dist-CuB4kiSK.js +1 -0
package/dist/client/assets/erDiagram-SMLLAGMA-Cy38ercc.js +85 -0
package/dist/client/assets/flowDiagram-DWJPFMVM-CZKuYl0V.js +162 -0
package/dist/client/assets/ganttDiagram-T4ZO3ILL-DLPjCh7a.js +292 -0
package/dist/client/assets/gitGraph-7Q5UKJZL-DqbrtEp9.js +1 -0
package/dist/client/assets/gitGraphDiagram-UUTBAWPF-BoRBkDhQ.js +106 -0
package/dist/client/assets/graphlib-BcQ6qlQh.js +1 -0
package/dist/client/assets/highlighted-body-OFNGDK62-BEpBVDTX.js +1 -0
package/dist/client/assets/index-CetCiuqP.js +105 -0
package/dist/client/assets/index-N29Mip7A.css +1 -0
package/dist/client/assets/info-OMHHGYJF-D98DRBJX.js +1 -0
package/dist/client/assets/infoDiagram-42DDH7IO-BAcdTWbt.js +2 -0
package/dist/client/assets/init-B8gtcn7T.js +1 -0
package/dist/client/assets/isArrayLikeObject-D8SJFmkN.js +1 -0
package/dist/client/assets/isEmpty-BF3YX5Jk.js +1 -0
package/dist/client/assets/ishikawaDiagram-UXIWVN3A-Ynu2VKdC.js +70 -0
package/dist/client/assets/journeyDiagram-VCZTEJTY-BjfhQaN3.js +139 -0
package/dist/client/assets/jsx-runtime-CyI9ICYU.js +1 -0
package/dist/client/assets/kanban-definition-6JOO6SKY-JLXH9zUJ.js +89 -0
package/dist/client/assets/katex-B94qP8b6.js +265 -0
package/dist/client/assets/lib--QVjyxmL.js +29 -0
package/dist/client/assets/lib-B6rgJiZ9.js +1 -0
package/dist/client/assets/line-DCrYfLBn.js +1 -0
package/dist/client/assets/linear-_4upLmeo.js +1 -0
package/dist/client/assets/mermaid-GHXKKRXX-rwJHYUmW.js +1 -0
package/dist/client/assets/mermaid-parser.core-KZinfW8o.js +4 -0
package/dist/client/assets/mermaid.core-QqY9gSNe.js +11 -0
package/dist/client/assets/mindmap-definition-QFDTVHPH-TWgHDAzp.js +96 -0
package/dist/client/assets/ordinal-CCj7PWgZ.js +1 -0
package/dist/client/assets/packet-4T2RLAQJ-DEvfkn3F.js +1 -0
package/dist/client/assets/path-DZF-JdEe.js +1 -0
package/dist/client/assets/pie-ZZUOXDRM-72e6WVjb.js +1 -0
package/dist/client/assets/pieDiagram-DEJITSTG-Cl8PCsoj.js +30 -0
package/dist/client/assets/preload-helper-rov5CBGT.js +1 -0
package/dist/client/assets/pty-client-DZ27IS00.js +1 -0
package/dist/client/assets/ptyInstancesStore-D9ag7SYd.js +1 -0
package/dist/client/assets/quadrantDiagram-34T5L4WZ-CHyVGp9E.js +7 -0
package/dist/client/assets/radar-PYXPWWZC-Cp7xd_EY.js +1 -0
package/dist/client/assets/react-CClhXMB2.js +1 -0
package/dist/client/assets/react-Dd6D81m0.js +1 -0
package/dist/client/assets/react-dom--G6_6fQ_.js +1 -0
package/dist/client/assets/requirementDiagram-MS252O5E-DaanG2iM.js +84 -0
package/dist/client/assets/rough.esm-BsmKo2S5.js +1 -0
package/dist/client/assets/sankeyDiagram-XADWPNL6-B_fhLY36.js +10 -0
package/dist/client/assets/sequenceDiagram-FGHM5R23-C5FNrveI.js +157 -0
package/dist/client/assets/src-DeTlMJAU.js +1 -0
package/dist/client/assets/stateDiagram-FHFEXIEX-nTTcdjjQ.js +1 -0
package/dist/client/assets/stateDiagram-v2-QKLJ7IA2-Dw0632j_.js +1 -0
package/dist/client/assets/timeline-definition-GMOUNBTQ-DkQV1yP8.js +120 -0
package/dist/client/assets/treeView-SZITEDCU-ZLIgC7_K.js +1 -0
package/dist/client/assets/treemap-W4RFUUIX-BqaMbB6N.js +1 -0
package/dist/client/assets/uiIdentityOverlay-Ba7GNj7m.js +1 -0
package/dist/client/assets/vennDiagram-DHZGUBPP-DbZ2xgs6.js +34 -0
package/dist/client/assets/wardley-RL74JXVD-DXQS8zf4.js +1 -0
package/dist/client/assets/wardleyDiagram-NUSXRM2D-BzCJ6MAu.js +20 -0
package/dist/client/assets/xychartDiagram-5P7HB3ND-BSlFecop.js +7 -0
package/dist/client/favicon.png +0 -0
package/dist/client/favicon.svg +15 -0
package/dist/client/fonts/body-medium.woff2 +0 -0
package/dist/client/fonts/body-regular-italic.woff2 +0 -0
package/dist/client/fonts/body-regular.woff2 +0 -0
package/dist/client/fonts/body-semibold.woff2 +0 -0
package/dist/client/index.html +31 -0
package/dist/client/manifest.webmanifest +12 -0
package/dist/client/sw.js +32 -0
package/package.json +122 -0
package/src/nats/auth-callout/callout-config.test.ts +93 -0
package/src/nats/auth-callout/callout-config.ts +109 -0
package/src/nats/auth-callout/callout.integration.test.ts +332 -0
package/src/nats/auth-callout/keys.ts +103 -0
package/src/nats/auth-callout/responder.ts +241 -0
package/src/nats/auth-callout/scope-policy.test.ts +159 -0
package/src/nats/auth-callout/scope-policy.ts +210 -0
package/src/nats/auth-callout/token.test.ts +163 -0
package/src/nats/auth-callout/token.ts +157 -0
package/src/nats/nats-daemon-callout.ts +194 -0
package/src/nats/nats-daemon.test.ts +77 -0
package/src/nats/nats-daemon.ts +50 -0
package/src/nats/nats-token.test.ts +61 -0
package/src/nats/nats-token.ts +59 -0
package/src/runner/coordination-mcp-integration.test.ts +134 -0
package/src/runner/nats-coordination-client.test.ts +49 -0
package/src/runner/nats-coordination-client.ts +94 -0
package/src/runner/runner-agent.test.ts +469 -0
package/src/runner/runner-agent.ts +453 -0
package/src/runner/runner-credential.test.ts +93 -0
package/src/runner/runner-credential.ts +82 -0
package/src/runner/runner-nats.test.ts +495 -0
package/src/runner/runner-nats.ts +323 -0
package/src/runner/runner-pair.test.ts +107 -0
package/src/runner/runner-pair.ts +81 -0
package/src/runner/runner.test.ts +135 -0
package/src/runner/runner.ts +212 -0
package/src/runner/turn-factories.test.ts +97 -0
package/src/runner/turn-factories.ts +475 -0
package/src/server/agent-config-journey.test.ts +106 -0
package/src/server/agent.ts +8 -0
package/src/server/auto-continue/auth-error-detector.ts +66 -0
package/src/server/auto-continue/limit-detector.ts +194 -0
package/src/server/bm25.test.ts +92 -0
package/src/server/bm25.ts +101 -0
package/src/server/chat-events-jetstream.test.ts +135 -0
package/src/server/claude-harness.ts +360 -0
package/src/server/claude-pty/agent-normalizers.ts +309 -0
package/src/server/claude-pty/auth.test.ts +38 -0
package/src/server/claude-pty/auth.ts +32 -0
package/src/server/claude-pty/claude-session-registry.adapter.ts +81 -0
package/src/server/claude-pty/claude-session-registry.test.ts +149 -0
package/src/server/claude-pty/driver.test.ts +902 -0
package/src/server/claude-pty/driver.ts +807 -0
package/src/server/claude-pty/jsonl-path.adapter.ts +57 -0
package/src/server/claude-pty/jsonl-path.test.ts +114 -0
package/src/server/claude-pty/jsonl-to-event.test.ts +241 -0
package/src/server/claude-pty/jsonl-to-event.ts +174 -0
package/src/server/claude-pty/output-ring.test.ts +35 -0
package/src/server/claude-pty/output-ring.ts +25 -0
package/src/server/claude-pty/parity-matrix.test.ts +227 -0
package/src/server/claude-pty/pid-registry.adapter.ts +135 -0
package/src/server/claude-pty/pid-registry.test.ts +122 -0
package/src/server/claude-pty/preflight/binary-fingerprint.adapter.ts +20 -0
package/src/server/claude-pty/preflight/binary-fingerprint.test.ts +32 -0
package/src/server/claude-pty/pty-instance-registry.test.ts +177 -0
package/src/server/claude-pty/pty-instance-registry.ts +166 -0
package/src/server/claude-pty/pty-memory-sampler.adapter.test.ts +103 -0
package/src/server/claude-pty/pty-memory-sampler.adapter.ts +85 -0
package/src/server/claude-pty/pty-process.adapter.ts +66 -0
package/src/server/claude-pty/pty-process.test.ts +49 -0
package/src/server/claude-pty/resolve-binary.adapter.ts +106 -0
package/src/server/claude-pty/resolve-binary.test.ts +118 -0
package/src/server/claude-pty/runtime-dir.adapter.ts +19 -0
package/src/server/claude-pty/settings-writer.adapter.ts +27 -0
package/src/server/claude-pty/settings-writer.test.ts +22 -0
package/src/server/claude-pty/smoke-test-io.adapter.ts +28 -0
package/src/server/claude-pty/smoke-test.test.ts +191 -0
package/src/server/claude-pty/smoke-test.ts +185 -0
package/src/server/claude-pty/subagent-orchestrator.ts +887 -0
package/src/server/claude-pty/tool-callback.ts +274 -0
package/src/server/claude-pty/tui-control.test.ts +272 -0
package/src/server/claude-pty/tui-control.ts +182 -0
package/src/server/claude-pty/tui-source.adapter.test.ts +360 -0
package/src/server/claude-pty/tui-source.adapter.ts +343 -0
package/src/server/claude-pty/tunnel-gateway.ts +12 -0
package/src/server/claude-pty-mcp/canonical-args.ts +15 -0
package/src/server/claude-pty-mcp/fs-stat.adapter.ts +8 -0
package/src/server/claude-pty-mcp/history-primer.ts +90 -0
package/src/server/claude-pty-mcp/http-server.adapter.ts +33 -0
package/src/server/claude-pty-mcp/mcp-http.ts +177 -0
package/src/server/claude-pty-mcp/mcp.ts +412 -0
package/src/server/claude-pty-mcp/mention-parser.ts +25 -0
package/src/server/claude-pty-mcp/paths.ts +24 -0
package/src/server/claude-pty-mcp/permission-gate.ts +243 -0
package/src/server/claude-pty-mcp/terminal-pid-registry.adapter.ts +107 -0
package/src/server/claude-pty-mcp/tools/ask-user-question.test.ts +119 -0
package/src/server/claude-pty-mcp/tools/ask-user-question.ts +61 -0
package/src/server/claude-pty-mcp/tools/bash.adapter.ts +76 -0
package/src/server/claude-pty-mcp/tools/bash.test.ts +56 -0
package/src/server/claude-pty-mcp/tools/delegate-subagent.test.ts +155 -0
package/src/server/claude-pty-mcp/tools/delegate-subagent.ts +111 -0
package/src/server/claude-pty-mcp/tools/edit.adapter.ts +95 -0
package/src/server/claude-pty-mcp/tools/edit.test.ts +93 -0
package/src/server/claude-pty-mcp/tools/exit-plan-mode.test.ts +61 -0
package/src/server/claude-pty-mcp/tools/exit-plan-mode.ts +50 -0
package/src/server/claude-pty-mcp/tools/glob.adapter.ts +86 -0
package/src/server/claude-pty-mcp/tools/glob.test.ts +61 -0
package/src/server/claude-pty-mcp/tools/grep.adapter.ts +126 -0
package/src/server/claude-pty-mcp/tools/grep.test.ts +62 -0
package/src/server/claude-pty-mcp/tools/read.adapter.ts +58 -0
package/src/server/claude-pty-mcp/tools/read.test.ts +62 -0
package/src/server/claude-pty-mcp/tools/tool-callback-shim.ts +42 -0
package/src/server/claude-pty-mcp/tools/webfetch.test.ts +81 -0
package/src/server/claude-pty-mcp/tools/webfetch.ts +82 -0
package/src/server/claude-pty-mcp/tools/websearch.test.ts +40 -0
package/src/server/claude-pty-mcp/tools/websearch.ts +42 -0
package/src/server/claude-pty-mcp/tools/write.adapter.ts +60 -0
package/src/server/claude-pty-mcp/tools/write.test.ts +52 -0
package/src/server/claude-pty-mcp/uploads.adapter.ts +98 -0
package/src/server/claude-pty-mcp/uploads.ts +38 -0
package/src/server/claude-turn.test.ts +176 -0
package/src/server/cli-runtime.test.ts +456 -0
package/src/server/cli-runtime.ts +374 -0
package/src/server/cli-supervisor.ts +81 -0
package/src/server/cli.ts +78 -0
package/src/server/client-log-forwarder.test.ts +74 -0
package/src/server/client-log-forwarder.ts +75 -0
package/src/server/codex-app-server-protocol.ts +449 -0
package/src/server/codex-app-server.test.ts +2990 -0
package/src/server/codex-app-server.ts +1713 -0
package/src/server/coordination-integration.test.ts +63 -0
package/src/server/coordination-mcp.test.ts +149 -0
package/src/server/coordination-mcp.ts +197 -0
package/src/server/delegation-coordinator.test.ts +675 -0
package/src/server/delegation-coordinator.ts +454 -0
package/src/server/discovery.test.ts +211 -0
package/src/server/discovery.ts +301 -0
package/src/server/event-store-agent-config.test.ts +124 -0
package/src/server/event-store-coordination.test.ts +149 -0
package/src/server/event-store-profile.test.ts +132 -0
package/src/server/event-store-repo.test.ts +154 -0
package/src/server/event-store-runner-team.test.ts +104 -0
package/src/server/event-store.test.ts +342 -0
package/src/server/event-store.ts +2208 -0
package/src/server/events.ts +379 -0
package/src/server/extension-router.test.ts +183 -0
package/src/server/extension-router.ts +114 -0
package/src/server/extensions/agents/server.test.ts +191 -0
package/src/server/extensions/agents/server.ts +108 -0
package/src/server/extensions/c3/server.test.ts +284 -0
package/src/server/extensions/c3/server.ts +212 -0
package/src/server/extensions/code/server.test.ts +200 -0
package/src/server/extensions/code/server.ts +150 -0
package/src/server/extensions.config.ts +10 -0
package/src/server/external-open.ts +69 -0
package/src/server/generate-fork-context.ts +58 -0
package/src/server/generate-merge-context.test.ts +290 -0
package/src/server/generate-merge-context.ts +141 -0
package/src/server/generate-title.ts +36 -0
package/src/server/git-clone-policy.test.ts +138 -0
package/src/server/git-clone-policy.ts +27 -0
package/src/server/harness-types.ts +1 -0
package/src/server/journey-verification.test.ts +640 -0
package/src/server/journey-verification.ts +195 -0
package/src/server/machine-name.ts +22 -0
package/src/server/nats-auth.test.ts +92 -0
package/src/server/nats-auth.ts +6 -0
package/src/server/nats-bind-guard.test.ts +71 -0
package/src/server/nats-bind-guard.ts +42 -0
package/src/server/nats-bridge.test.ts +141 -0
package/src/server/nats-bridge.ts +111 -0
package/src/server/nats-connector.test.ts +56 -0
package/src/server/nats-connector.ts +71 -0
package/src/server/nats-daemon-manager.test.ts +76 -0
package/src/server/nats-daemon-manager.ts +174 -0
package/src/server/nats-publisher.test.ts +356 -0
package/src/server/nats-publisher.ts +271 -0
package/src/server/nats-responders.test.ts +1018 -0
package/src/server/nats-responders.ts +925 -0
package/src/server/nats-streams.test.ts +112 -0
package/src/server/nats-streams.ts +129 -0
package/src/server/oauth-pool/oauth-responders.ts +185 -0
package/src/server/oauth-pool/oauth-settings-store.ts +173 -0
package/src/server/oauth-pool/oauth-token-pool.ts +303 -0
package/src/server/orchestration.test.ts +1063 -0
package/src/server/orchestration.ts +716 -0
package/src/server/pairing-endpoints.test.ts +171 -0
package/src/server/pairing-store.test.ts +154 -0
package/src/server/pairing-store.ts +124 -0
package/src/server/paths.ts +27 -0
package/src/server/pr3-liveness.test.ts +252 -0
package/src/server/process-utils.ts +10 -0
package/src/server/project-cli.ts +180 -0
package/src/server/provider-catalog.test.ts +177 -0
package/src/server/provider-catalog.ts +146 -0
package/src/server/pty-responders.ts +345 -0
package/src/server/push-notifications.test.ts +234 -0
package/src/server/push-notifications.ts +188 -0
package/src/server/quick-response.test.ts +196 -0
package/src/server/quick-response.ts +154 -0
package/src/server/read-models-agent-config.test.ts +59 -0
package/src/server/read-models-coordination.test.ts +69 -0
package/src/server/read-models.test.ts +332 -0
package/src/server/read-models.ts +258 -0
package/src/server/repo-journey.test.ts +96 -0
package/src/server/repo-manager.test.ts +118 -0
package/src/server/repo-manager.ts +97 -0
package/src/server/repo-status.test.ts +54 -0
package/src/server/repo-status.ts +82 -0
package/src/server/restart.test.ts +27 -0
package/src/server/restart.ts +30 -0
package/src/server/runner-incompatible-gate.test.ts +383 -0
package/src/server/runner-manager.test.ts +72 -0
package/src/server/runner-manager.ts +312 -0
package/src/server/runner-pairing-urls.test.ts +59 -0
package/src/server/runner-pairing-urls.ts +67 -0
package/src/server/runner-proxy.test.ts +456 -0
package/src/server/runner-proxy.ts +494 -0
package/src/server/runner-router.test.ts +429 -0
package/src/server/runner-router.ts +212 -0
package/src/server/runner-routing.test.ts +584 -0
package/src/server/runtime-registry.test.ts +436 -0
package/src/server/runtime-registry.ts +307 -0
package/src/server/sandbox-health.test.ts +127 -0
package/src/server/sandbox-health.ts +94 -0
package/src/server/sandbox-journey.test.ts +232 -0
package/src/server/sandbox-manager.test.ts +146 -0
package/src/server/sandbox-manager.ts +159 -0
package/src/server/server.test.ts +287 -0
package/src/server/server.ts +1108 -0
package/src/server/session-discovery.test.ts +129 -0
package/src/server/session-discovery.ts +475 -0
package/src/server/session-index.test.ts +362 -0
package/src/server/session-index.ts +119 -0
package/src/server/session-seed.ts +288 -0
package/src/server/share.test.ts +108 -0
package/src/server/share.ts +113 -0
package/src/server/skill-discovery.test.ts +201 -0
package/src/server/skill-discovery.ts +77 -0
package/src/server/storage/test-helpers.ts +67 -0
package/src/server/terminal-manager.test.ts +309 -0
package/src/server/terminal-manager.ts +354 -0
package/src/server/transcript-consumer.test.ts +339 -0
package/src/server/transcript-consumer.ts +162 -0
package/src/server/transcript-search.test.ts +193 -0
package/src/server/transcript-search.ts +83 -0
package/src/server/transcript-utils.ts +52 -0
package/src/server/update-manager.test.ts +107 -0
package/src/server/update-manager.ts +230 -0
package/src/server/workflow-engine.test.ts +251 -0
package/src/server/workflow-engine.ts +169 -0
package/src/server/workflow-mcp.ts +49 -0
package/src/server/workflow-store.test.ts +155 -0
package/src/server/workflow-store.ts +139 -0
package/src/server/workspace-agent-integration.test.ts +167 -0
package/src/server/workspace-agent-routes.test.ts +127 -0
package/src/server/workspace-agent-routes.ts +89 -0
package/src/server/workspace-agent.test.ts +103 -0
package/src/server/workspace-agent.ts +102 -0
package/src/server/workspace-cli.test.ts +79 -0
package/src/server/workspace-config-manager.test.ts +109 -0
package/src/server/workspace-config-manager.ts +83 -0
package/src/server/workspace-directory-policy.test.ts +109 -0
package/src/server/workspace-directory-policy.ts +56 -0
package/src/shared/agent-config-types.ts +25 -0
package/src/shared/branding.test.ts +42 -0
package/src/shared/branding.ts +54 -0
package/src/shared/compression.test.ts +85 -0
package/src/shared/compression.ts +42 -0
package/src/shared/coordination-store.test.ts +24 -0
package/src/shared/coordination-store.ts +26 -0
package/src/shared/dev-ports.test.ts +84 -0
package/src/shared/dev-ports.ts +100 -0
package/src/shared/extension-types.ts +45 -0
package/src/shared/fork-presets.ts +54 -0
package/src/shared/harness-types.test.ts +15 -0
package/src/shared/harness-types.ts +21 -0
package/src/shared/log-sink.test.ts +112 -0
package/src/shared/log-sink.ts +185 -0
package/src/shared/mention-pattern.ts +7 -0
package/src/shared/merge-presets.ts +41 -0
package/src/shared/nats-subjects.test.ts +61 -0
package/src/shared/nats-subjects.ts +131 -0
package/src/shared/permission-policy.ts +136 -0
package/src/shared/ports.ts +3 -0
package/src/shared/preset-types.ts +15 -0
package/src/shared/profile-types.ts +49 -0
package/src/shared/projectFileUrl.ts +36 -0
package/src/shared/protocol.ts +153 -0
package/src/shared/pty-instance.ts +43 -0
package/src/shared/puggy/diagnostics/result.ts +18 -0
package/src/shared/puggy/expressions/evaluate.ts +292 -0
package/src/shared/puggy/index.test.ts +101 -0
package/src/shared/puggy/index.ts +69 -0
package/src/shared/puggy/parser/ast.ts +110 -0
package/src/shared/puggy/parser/parser.ts +624 -0
package/src/shared/puggy/renderer/html.ts +447 -0
package/src/shared/runner-protocol.test.ts +277 -0
package/src/shared/runner-protocol.ts +210 -0
package/src/shared/runner-team-types.ts +73 -0
package/src/shared/runtime-types.ts +48 -0
package/src/shared/sandbox-types.ts +53 -0
package/src/shared/tailwind-build.test.ts +12 -0
package/src/shared/tinkaria-system-prompt.ts +101 -0
package/src/shared/tools.test.ts +335 -0
package/src/shared/tools.ts +397 -0
package/src/shared/transcript-entries.ts +27 -0
package/src/shared/transcript-render.test.ts +225 -0
package/src/shared/transcript-render.ts +467 -0
package/src/shared/types.ts +1031 -0
package/src/shared/vite-config.test.ts +47 -0
package/src/shared/web-context.test.ts +110 -0
package/src/shared/web-context.ts +76 -0
package/src/shared/workflow-types.ts +51 -0
package/src/shared/workspace-types.ts +100 -0

package/src/runner/runner-agent.ts ADDED Viewed

@@ -0,0 +1,453 @@
+import { jetstream, type JetStream } from "@nats-io/jetstream"
+import type { NatsConnection } from "@nats-io/transport-node"
+import { existsSync } from "node:fs"
+import { LOG_PREFIX } from "../shared/branding"
+import type { HarnessToolRequest, HarnessTurn } from "../shared/harness-types"
+import {
+  runnerEventsSubject,
+  type RunnerTurnEvent,
+  type StartTurnCommand,
+} from "../shared/runner-protocol"
+import type {
+  AgentProvider,
+  NormalizedToolCall,
+  PendingToolSnapshot,
+  SessionStatus,
+  TranscriptEntry,
+} from "../shared/types"
+import { timestamped, discardedToolResult } from "../shared/transcript-entries"
+import type { CoordinationStore } from "../shared/coordination-store"
+const encoder = new TextEncoder()
+const CANCEL_INTERRUPT_TIMEOUT_MS = 2_000
+// ── Types ───────────────────────────────────────────────────────────
+export type TurnFactory = (args: {
+  provider: AgentProvider
+  content: string
+  localPath: string
+  model: string
+  effort?: string
+  serviceTier?: "fast"
+  planMode: boolean
+  sessionToken: string | null
+  onToolRequest: (request: HarnessToolRequest) => Promise<unknown>
+  chatId: string
+  store?: CoordinationStore
+  extraEnv?: Record<string, string>
+}) => Promise<HarnessTurn>
+function buildHarnessInput(cmd: StartTurnCommand): string {
+  if (!cmd.delegatedContext?.trim()) {
+    return cmd.content
+  }
+  return `${cmd.delegatedContext}\n\nNew task:\n${cmd.content}`
+}
+interface PendingToolRequest {
+  toolUseId: string
+  tool: NormalizedToolCall & { toolKind: "ask_user_question" | "exit_plan_mode" }
+  resolve: (result: unknown) => void
+}
+interface ActiveTurn {
+  chatId: string
+  provider: AgentProvider
+  turn: HarnessTurn
+  model: string
+  effort?: string
+  serviceTier?: "fast"
+  planMode: boolean
+  status: SessionStatus
+  pendingTool: PendingToolRequest | null
+  postToolFollowUp: { content: string; planMode: boolean } | null
+  hasFinalResult: boolean
+  cancelRequested: boolean
+  cancelRecorded: boolean
+  /** Preserved from the original StartTurnCommand for follow-up turns */
+  originalCmd: StartTurnCommand
+}
+export interface RunnerAgentOptions {
+  nc: NatsConnection
+  createTurn: TurnFactory
+  generateTitle?: (content: string, cwd: string) => Promise<string | null>
+  coordinationStore?: CoordinationStore
+  /**
+   * Hook the runner calls when a chat is being torn down (cancel without
+   * active turn, chat.delete). Implementation closes any live claude-pty
+   * session for the chat. Wired from runner.ts to turn-factories.ts.
+   */
+  stopClaudePtySession?: (chatId: string) => void
+}
+// ── RunnerAgent ─────────────────────────────────────────────────────
+export class RunnerAgent {
+  private readonly js: JetStream
+  private readonly nc: NatsConnection
+  private readonly createTurn: TurnFactory
+  private readonly generateTitle: ((content: string, cwd: string) => Promise<string | null>) | undefined
+  private readonly coordinationStore: CoordinationStore | undefined
+  private readonly stopClaudePtySessionFn: ((chatId: string) => void) | undefined
+  readonly activeTurns = new Map<string, ActiveTurn>()
+  constructor(options: RunnerAgentOptions) {
+    this.nc = options.nc
+    this.js = jetstream(options.nc)
+    this.createTurn = options.createTurn
+    this.generateTitle = options.generateTitle
+    this.coordinationStore = options.coordinationStore
+    this.stopClaudePtySessionFn = options.stopClaudePtySession
+  }
+  // ── Publishing ──────────────────────────────────────────────────
+  private publishEvent(chatId: string, event: RunnerTurnEvent): void {
+    const subject = runnerEventsSubject(chatId)
+    void this.js.publish(subject, encoder.encode(JSON.stringify(event))).catch((error) => {
+      const message = error instanceof Error ? error.message : String(error)
+      console.warn(LOG_PREFIX, `JetStream publish failed on ${subject}: ${message}`)
+    })
+  }
+  private publishTranscript(chatId: string, entry: TranscriptEntry): void {
+    this.publishEvent(chatId, { type: "transcript", chatId, entry })
+  }
+  // ── Public API ────────────────────────────────────────────────────
+  getActiveStatuses(): Map<string, SessionStatus> {
+    const statuses = new Map<string, SessionStatus>()
+    for (const [chatId, turn] of this.activeTurns.entries()) {
+      statuses.set(chatId, turn.status)
+    }
+    return statuses
+  }
+  getPendingTool(chatId: string): PendingToolSnapshot | null {
+    const pending = this.activeTurns.get(chatId)?.pendingTool
+    if (!pending) return null
+    return { toolUseId: pending.toolUseId, toolKind: pending.tool.toolKind }
+  }
+  async startTurn(cmd: StartTurnCommand): Promise<void> {
+    if (this.activeTurns.has(cmd.chatId)) {
+      throw new Error("Chat is already running")
+    }
+    // Fail fast (instead of a silent 10s timeout) when the chat's workspace does
+    // not exist on THIS runner — e.g. a remote runner handed a server-only path.
+    // Launching the agent with a nonexistent cwd hangs the spawn, so the start_turn
+    // request never gets a reply. Surface a clear, actionable error instead.
+    if (cmd.workspaceLocalPath && !existsSync(cmd.workspaceLocalPath)) {
+      throw new Error(
+        `Workspace "${cmd.workspaceLocalPath}" does not exist on this runner machine. ` +
+        `The workspace must exist on the runner to run a turn here — pick a runner that ` +
+        `has this path, or make the path available on the runner.`,
+      )
+    }
+    const shouldGenerateTitle =
+      cmd.appendUserPrompt &&
+      cmd.chatTitle === "New Chat" &&
+      cmd.existingMessageCount === 0
+    // Publish user prompt
+    if (cmd.appendUserPrompt) {
+      this.publishTranscript(
+        cmd.chatId,
+        timestamped({ kind: "user_prompt", content: cmd.content })
+      )
+    }
+    // Create tool request handler
+    const onToolRequest = async (request: HarnessToolRequest): Promise<unknown> => {
+      const active = this.activeTurns.get(cmd.chatId)
+      if (!active) throw new Error("Chat turn ended unexpectedly")
+      active.status = "waiting_for_user"
+      this.publishEvent(cmd.chatId, {
+        type: "status_change",
+        chatId: cmd.chatId,
+        status: "waiting_for_user",
+      })
+      this.publishEvent(cmd.chatId, {
+        type: "pending_tool",
+        chatId: cmd.chatId,
+        tool: { toolUseId: request.tool.toolId, toolKind: request.tool.toolKind },
+      })
+      return new Promise<unknown>((resolve) => {
+        active.pendingTool = {
+          toolUseId: request.tool.toolId,
+          tool: request.tool,
+          resolve,
+        }
+      })
+    }
+    // Start the harness turn — binary resolution is done inside each factory
+    const turn = await this.createTurn({
+      provider: cmd.provider,
+      content: buildHarnessInput(cmd),
+      localPath: cmd.workspaceLocalPath,
+      model: cmd.model,
+      planMode: cmd.planMode,
+      sessionToken: cmd.sessionToken,
+      onToolRequest,
+      chatId: cmd.chatId,
+      store: this.coordinationStore,
+      extraEnv: cmd.extraEnv,
+    })
+    const active: ActiveTurn = {
+      chatId: cmd.chatId,
+      provider: cmd.provider,
+      turn,
+      model: cmd.model,
+      planMode: cmd.planMode,
+      status: "starting",
+      pendingTool: null,
+      postToolFollowUp: null,
+      hasFinalResult: false,
+      cancelRequested: false,
+      cancelRecorded: false,
+      originalCmd: cmd,
+    }
+    this.activeTurns.set(cmd.chatId, active)
+    this.publishEvent(cmd.chatId, {
+      type: "status_change",
+      chatId: cmd.chatId,
+      status: "starting",
+    })
+    // Background: title generation
+    if (shouldGenerateTitle) {
+      void this.generateTitleInBackground(cmd.chatId, cmd.content, cmd.workspaceLocalPath)
+    }
+    // Run the turn asynchronously
+    void this.runTurn(active)
+  }
+  async cancel(chatId: string): Promise<void> {
+    const active = this.activeTurns.get(chatId)
+    if (!active) {
+      // No active turn but a long-lived claude-pty session may still own a
+      // claude CLI child, MCP HTTP server, file watcher, sampler interval,
+      // and an OAuth pool reservation. Closing the session here matches
+      // kanna's `closeChat` discipline — cancel of an idle chat must release
+      // the PTY, not silently no-op.
+      this.stopClaudePtySessionFn?.(chatId)
+      return
+    }
+    active.cancelRequested = true
+    const pendingTool = active.pendingTool
+    active.pendingTool = null
+    if (pendingTool) {
+      const result = discardedToolResult(pendingTool.tool)
+      this.publishTranscript(
+        chatId,
+        timestamped({ kind: "tool_result", toolId: pendingTool.toolUseId, content: result })
+      )
+      if (active.provider === "codex" && pendingTool.tool.toolKind === "exit_plan_mode") {
+        pendingTool.resolve(result)
+      }
+    }
+    this.publishTranscript(chatId, timestamped({ kind: "interrupted" }))
+    this.publishEvent(chatId, { type: "turn_cancelled", chatId })
+    active.cancelRecorded = true
+    active.hasFinalResult = true
+    this.activeTurns.delete(chatId)
+    void this.interruptTurnAfterCancel(active).catch(() => {})
+  }
+  /**
+   * Tear down any live claude-pty session for the chat unconditionally.
+   * Called from RunnerProxy.disposeChat after a separate `cancel_turn`
+   * has interrupted any in-flight turn. Always safe — no-op when the chat
+   * has no session.
+   */
+  stopChatPty(chatId: string): void {
+    this.stopClaudePtySessionFn?.(chatId)
+  }
+  async respondTool(chatId: string, toolUseId: string, result: unknown): Promise<void> {
+    const active = this.activeTurns.get(chatId)
+    if (!active?.pendingTool) throw new Error("No pending tool request")
+    if (active.pendingTool.toolUseId !== toolUseId) throw new Error("Tool response does not match active request")
+    const pending = active.pendingTool
+    this.publishTranscript(
+      chatId,
+      timestamped({ kind: "tool_result", toolId: toolUseId, content: result })
+    )
+    active.pendingTool = null
+    active.status = "running"
+    this.publishEvent(chatId, { type: "pending_tool", chatId, tool: null })
+    this.publishEvent(chatId, { type: "status_change", chatId, status: "running" })
+    // Handle exit_plan_mode follow-up for Codex
+    if (pending.tool.toolKind === "exit_plan_mode") {
+      const res = (result ?? {}) as { confirmed?: boolean; clearContext?: boolean; message?: string }
+      if (res.confirmed && res.clearContext) {
+        this.publishEvent(chatId, { type: "session_token", chatId, sessionToken: "" })
+        this.publishTranscript(chatId, timestamped({ kind: "context_cleared" }))
+      }
+      if (active.provider === "codex") {
+        active.postToolFollowUp = res.confirmed
+          ? {
+              content: res.message
+                ? `Proceed with the approved plan. Additional guidance: ${res.message}`
+                : "Proceed with the approved plan.",
+              planMode: false,
+            }
+          : {
+              content: res.message
+                ? `Revise the plan using this feedback: ${res.message}`
+                : "Revise the plan using this feedback.",
+              planMode: true,
+            }
+      }
+    }
+    pending.resolve(result)
+  }
+  // ── Private ───────────────────────────────────────────────────────
+  private async generateTitleInBackground(chatId: string, content: string, cwd: string): Promise<void> {
+    if (!this.generateTitle) return
+    try {
+      const title = await this.generateTitle(content, cwd)
+      if (!title) return
+      this.publishEvent(chatId, { type: "title_generated", chatId, title })
+    } catch (_error) {
+      // Ignore background title generation failures
+    }
+  }
+  private async interruptTurnAfterCancel(active: ActiveTurn): Promise<void> {
+    let timeoutId: ReturnType<typeof setTimeout> | null = null
+    let timedOut = false
+    let failed = false
+    try {
+      await Promise.race([
+        active.turn.interrupt(),
+        new Promise<void>((resolve) => {
+          timeoutId = setTimeout(() => {
+            timedOut = true
+            resolve()
+          }, CANCEL_INTERRUPT_TIMEOUT_MS)
+        }),
+      ])
+    } catch (_error) {
+      failed = true
+    } finally {
+      if (timeoutId !== null) clearTimeout(timeoutId)
+      if (timedOut || failed) {
+        active.turn.close()
+      }
+    }
+  }
+  private async runTurn(active: ActiveTurn): Promise<void> {
+    try {
+      for await (const event of active.turn.stream) {
+        if (active.cancelRequested) {
+          continue
+        }
+        if (event.type === "session_token" && event.sessionToken) {
+          this.publishEvent(active.chatId, {
+            type: "session_token",
+            chatId: active.chatId,
+            sessionToken: event.sessionToken,
+          })
+          continue
+        }
+        if (!event.entry) continue
+        this.publishTranscript(active.chatId, event.entry)
+        if (event.entry.kind === "system_init") {
+          active.status = "running"
+          this.publishEvent(active.chatId, {
+            type: "status_change",
+            chatId: active.chatId,
+            status: "running",
+          })
+        }
+        if (event.entry.kind === "result") {
+          active.hasFinalResult = true
+          if (event.entry.isError) {
+            this.publishEvent(active.chatId, {
+              type: "turn_failed",
+              chatId: active.chatId,
+              error: event.entry.result || "Turn failed",
+            })
+          } else if (!active.cancelRequested) {
+            this.publishEvent(active.chatId, {
+              type: "turn_finished",
+              chatId: active.chatId,
+            })
+          }
+        }
+      }
+    } catch (error) {
+      if (!active.cancelRequested) {
+        const message = error instanceof Error ? error.message : String(error)
+        this.publishTranscript(
+          active.chatId,
+          timestamped({ kind: "result", subtype: "error", isError: true, durationMs: 0, result: message })
+        )
+        this.publishEvent(active.chatId, {
+          type: "turn_failed",
+          chatId: active.chatId,
+          error: message,
+        })
+      }
+    } finally {
+      if (active.cancelRequested && !active.cancelRecorded) {
+        this.publishEvent(active.chatId, { type: "turn_cancelled", chatId: active.chatId })
+      }
+      this.activeTurns.delete(active.chatId)
+      // Handle follow-up turn (Codex exit_plan_mode) — close() deferred so
+      // the follow-up can reuse the live session (avoids re-spawn cost).
+      if (active.postToolFollowUp && !active.cancelRequested) {
+        try {
+          await this.startTurn({
+            ...active.originalCmd,
+            content: active.postToolFollowUp.content,
+            planMode: active.postToolFollowUp.planMode,
+            appendUserPrompt: false,
+          })
+        } catch (error) {
+          active.turn.close()
+          const message = error instanceof Error ? error.message : String(error)
+          this.publishTranscript(
+            active.chatId,
+            timestamped({ kind: "result", subtype: "error", isError: true, durationMs: 0, result: message })
+          )
+          this.publishEvent(active.chatId, { type: "turn_failed", chatId: active.chatId, error: message })
+        }
+      } else {
+        active.turn.close()
+      }
+    }
+  }
+}

package/src/runner/runner-credential.test.ts ADDED Viewed

@@ -0,0 +1,93 @@
+/**
+ * Tests for the runner credential store (PR2 Stage 2).
+ *
+ * Covers:
+ *  - write→read round-trip; shape is preserved.
+ *  - credential file is written with mode 0600.
+ *  - TINKARIA_RUNNER_HOME overrides the default ~/.tinkaria directory.
+ *  - missing file returns null (not throw).
+ *  - second write overwrites cleanly.
+ */
+import { afterEach, beforeEach, describe, expect, test } from "bun:test"
+import { mkdtempSync, rmSync, statSync } from "node:fs"
+import { join } from "node:path"
+import { tmpdir } from "node:os"
+import { writeRunnerCredential, readRunnerCredential, type RunnerCredential } from "./runner-credential"
+const SAMPLE: RunnerCredential = {
+  runnerId: "runner-1234567890-999",
+  token: "eytest.token.value",
+  natsUrl: "nats://127.0.0.1:4222",
+  natsWsUrl: "ws://127.0.0.1:8222",
+  pairedAt: 1700000000000,
+}
+let tmpDir: string
+let savedRunnerHome: string | undefined
+beforeEach(() => {
+  tmpDir = mkdtempSync(join(tmpdir(), "pr2-cred-test-"))
+  savedRunnerHome = process.env.TINKARIA_RUNNER_HOME
+  process.env.TINKARIA_RUNNER_HOME = tmpDir
+})
+afterEach(() => {
+  rmSync(tmpDir, { recursive: true, force: true })
+  if (savedRunnerHome === undefined) {
+    delete process.env.TINKARIA_RUNNER_HOME
+  } else {
+    process.env.TINKARIA_RUNNER_HOME = savedRunnerHome
+  }
+})
+describe("runner-credential", () => {
+  test("write then read round-trips all fields", async () => {
+    await writeRunnerCredential(SAMPLE)
+    const got = await readRunnerCredential()
+    expect(got).toEqual(SAMPLE)
+  })
+  test("credential file is written with mode 0600", async () => {
+    await writeRunnerCredential(SAMPLE)
+    // The file lives at <TINKARIA_RUNNER_HOME>/runner-secret.json
+    const filePath = join(tmpDir, "runner-secret.json")
+    const mode = statSync(filePath).mode & 0o777
+    expect(mode).toBe(0o600)
+  })
+  test("TINKARIA_RUNNER_HOME is honoured", async () => {
+    const altDir = mkdtempSync(join(tmpdir(), "pr2-cred-alt-"))
+    try {
+      process.env.TINKARIA_RUNNER_HOME = altDir
+      await writeRunnerCredential(SAMPLE)
+      // Original tmpDir should have nothing.
+      const inOriginal = await readRunnerCredential()
+      // readRunnerCredential also reads from TINKARIA_RUNNER_HOME (already set to altDir)
+      expect(inOriginal).toEqual(SAMPLE)
+      const filePath = join(altDir, "runner-secret.json")
+      const mode = statSync(filePath).mode & 0o777
+      expect(mode).toBe(0o600)
+    } finally {
+      process.env.TINKARIA_RUNNER_HOME = tmpDir
+      rmSync(altDir, { recursive: true, force: true })
+    }
+  })
+  test("missing file returns null", async () => {
+    const result = await readRunnerCredential()
+    expect(result).toBeNull()
+  })
+  test("second write overwrites the first", async () => {
+    await writeRunnerCredential(SAMPLE)
+    const updated: RunnerCredential = { ...SAMPLE, runnerId: "runner-updated-42", pairedAt: 9999999999999 }
+    await writeRunnerCredential(updated)
+    const got = await readRunnerCredential()
+    expect(got).toEqual(updated)
+    // Mode preserved after overwrite
+    const filePath = join(tmpDir, "runner-secret.json")
+    const mode = statSync(filePath).mode & 0o777
+    expect(mode).toBe(0o600)
+  })
+})

package/src/runner/runner-credential.ts ADDED Viewed

@@ -0,0 +1,82 @@
+/**
+ * Runner credential store (PR2 Stage 2).
+ *
+ * Reads and writes the durable runner credential to
+ * `<TINKARIA_RUNNER_HOME>/runner-secret.json` (default: `~/.tinkaria/`).
+ * The file is written atomically (tmp + rename) with mode 0600.
+ *
+ * The credential is a PR1 callout token minted at pairing time:
+ *   { runnerId, token, natsUrl, natsWsUrl, pairedAt }
+ *
+ * Env-var TINKARIA_RUNNER_HOME overrides the default directory so that
+ * tests and multiple local runners can use isolated locations.
+ */
+import { join, resolve } from "node:path"
+import { chmodSync, mkdirSync, renameSync } from "node:fs"
+import { homedir } from "node:os"
+export interface RunnerCredential {
+  runnerId: string
+  /** PR1 callout credential token (long-lived, self-verifying). Never log in full. */
+  token: string
+  natsUrl: string
+  natsWsUrl: string
+  /**
+   * WebSocket URL of the server's `/nats-ws` proxy (through the tunneled HTTP
+   * port), derived from the server URL the runner paired against. Preferred over
+   * the raw `natsUrl` TCP path: the raw NATS port is often not the tunneled one,
+   * and direct tailnet connections can fail to receive server-initiated pushes.
+   * Optional for backward compat — older credentials only have natsUrl (TCP).
+   */
+  natsWsProxyUrl?: string
+  /** Unix epoch ms when the runner was paired. */
+  pairedAt: number
+}
+const CREDENTIAL_FILE = "runner-secret.json"
+/**
+ * Resolve the runner home directory (overridable via TINKARIA_RUNNER_HOME).
+ * The env var is operator-controlled config (like HOME) — it may legitimately
+ * point anywhere, so we don't restrict it; we normalize it to an absolute path
+ * for predictability. The directory is created 0700 (see writeRunnerCredential)
+ * so the secret file's parent isn't world-traversable.
+ */
+function runnerHomeDir(): string {
+  const raw = process.env.TINKARIA_RUNNER_HOME ?? join(homedir(), ".tinkaria")
+  return resolve(raw)
+}
+function credentialPath(): string {
+  return join(runnerHomeDir(), CREDENTIAL_FILE)
+}
+/**
+ * Write the runner credential to disk atomically with mode 0600.
+ * Creates the directory if it does not exist.
+ */
+export async function writeRunnerCredential(cred: RunnerCredential): Promise<void> {
+  const dir = runnerHomeDir()
+  mkdirSync(dir, { recursive: true, mode: 0o700 })
+  const dest = credentialPath()
+  const tmp = `${dest}.tmp.${process.pid}`
+  await Bun.write(tmp, JSON.stringify(cred, null, 2) + "\n")
+  chmodSync(tmp, 0o600)
+  renameSync(tmp, dest)
+  // chmod again after rename in case umask widened it on some platforms
+  chmodSync(dest, 0o600)
+}
+/**
+ * Read the runner credential from disk.
+ * Returns null if the file does not exist (runner not yet paired).
+ */
+export async function readRunnerCredential(): Promise<RunnerCredential | null> {
+  const file = Bun.file(credentialPath())
+  if (!(await file.exists())) return null
+  const text = await file.text()
+  return JSON.parse(text) as RunnerCredential
+}