antpath 0.1.0 → 0.2.0

package/README.md

@@ -1,67 +1,102 @@
----
-title: antpath
----
-
-# antpath
-
-antpath is a TypeScript-first SDK for running autonomous Claude Managed Agents sessions from code-defined, secret-free Templates.
-
-## MVP boundaries
-
-- SDK-only.
-- Claude Managed Agents only.
-- Caller-held provider key.
-- No stored provider keys, MCP credentials, or output file contents.
-- Manual cleanup by default.
-
-## Quickstart
-
-```ts
-import { AntpathClient, defineTemplate, string } from "antpath";
-
-const client = new AntpathClient({
-  anthropicApiKey: process.env.ANTHROPIC_API_KEY
-});
-
-const template = defineTemplate({
-  name: "hello",
-  model: "claude-haiku-4-5",
-  system: "You are a concise automation agent.",
-  messages: ["Write a short answer about {{topic}}."],
-  variables: {
-    topic: string()
-  }
-});
-
-const handle = await client.run(template, {
-  variables: { topic: "test-first SDK design" }
-});
-
-const result = await handle.wait();
-console.log(result.status, await handle.usage());
-await handle.downloadOutputs("./outputs");
-await handle.cleanup();
-```
-
-## Test commands
-
-```text
-npm run test:unit
-npm run test:integration:components
-npm run test:integration:api
-npm run test:e2e:live
-```
-
-Live e2e tests require `.env.local` and `RUN_LIVE_ANTPATH_TESTS=1`.
-
-## Guides
-
-- [Quickstart](docs/quickstart.md)
-- [Templates](docs/templates.md)
-- [Credentials](docs/credentials.md)
-- [MCP](docs/mcp.md)
-- [Skills](docs/skills.md)
-- [Outputs](docs/outputs.md)
-- [Cleanup](docs/cleanup.md)
-- [Testing](docs/testing.md)
-- [Release](docs/release.md)
+---
+title: antpath
+---
+
+# antpath
+
+antpath is a TypeScript-first SDK for running autonomous Claude Managed Agents sessions from code-defined, secret-free Templates.
+
+Everything ships from a single import path:
+
+```ts
+import {
+  AntpathClient,           // direct in-process Claude runs (caller-held key)
+  AntpathPlatformClient,   // submit durable runs to an antpath dashboard
+  defineTemplate,
+  string,
+  validateProxyAuth        // helper for per-run proxy endpoint auth
+} from "antpath";
+```
+
+There is no `antpath/platform`, `antpath/proxy`, or other sub-path. The two
+clients are distinct classes for distinct use cases but live behind the same
+single agent-visible surface — see [Agent-first surface design](../../references/development-principles.md#agent-first-surface-design).
+
+- **Direct (`AntpathClient`)** — runs Claude in your own process with a caller-held key. This README covers the direct surface.
+- **Platform (`AntpathPlatformClient`)** — submits durable runs to an antpath dashboard. Every submission carries an inline `secrets` bundle (Anthropic key, optional MCP credentials, optional skill references, and optional per-run proxy endpoint auth); the dashboard vaults the bundle for the lifetime of one run and deletes it at cleanup. Per-run named secrets accessed through the managed HTTP proxy are declared via the `proxyEndpoints` submission field and authenticated via `secrets.proxyEndpointAuth` — see [Credentials](docs/credentials.md). The same npm package also ships the `antpath` CLI as its `bin` entry; the worker mounts that CLI at `/antpath/antpath` in every run for skills to invoke (`node /antpath/antpath proxy …`).
+
+## MVP boundaries (direct SDK)
+
+- Claude Managed Agents only.
+- Caller-held provider key — the direct SDK never persists keys.
+- No SDK-side storage of provider keys, MCP credentials, or output file contents.
+- Manual cleanup by default.
+
+## Quickstart
+
+```ts
+import { AntpathClient, defineTemplate, string } from "antpath";
+
+const client = new AntpathClient({
+  anthropicApiKey: process.env.ANTHROPIC_API_KEY
+});
+
+const template = defineTemplate({
+  name: "hello",
+  model: "claude-haiku-4-5",
+  system: "You are a concise automation agent.",
+  messages: ["Write a short answer about {{topic}}."],
+  variables: {
+    topic: string()
+  }
+});
+
+const handle = await client.run(template, {
+  variables: { topic: "test-first SDK design" }
+});
+
+const result = await handle.wait();
+console.log(result.status, await handle.usage());
+await handle.downloadOutputs("./outputs");
+await handle.cleanup();
+```
+
+Observe events live by passing `onEvent` in `RunOptions`:
+
+```ts
+const handle = await client.run(template, {
+  onEvent: (event) => {
+    if (event.type === "provider.event") {
+      // event.event is a ProviderEvent (raw type stays `unknown`).
+    }
+  }
+});
+await handle.wait();
+```
+
+By the time `wait()` returns, every `onEvent` invocation triggered before
+terminal status has settled. See [Events](docs/events.md) for the full
+contract and a list of typed helpers.
+
+## Test commands
+
+```text
+npm run test:unit
+npm run test:unit:recorded
+npm run test:e2e:live
+```
+
+Unit tests are deterministic and may use fakes or sanitized recorded snapshots. Live e2e tests run when `pnpm test:e2e:live` is invoked with `.env.local` containing `ANTHROPIC_API_KEY`.
+
+## Guides
+
+- [Quickstart](docs/quickstart.md)
+- [Templates](docs/templates.md)
+- [Credentials](docs/credentials.md)
+- [MCP](docs/mcp.md)
+- [Skills](docs/skills.md)
+- [Outputs](docs/outputs.md)
+- [Events](docs/events.md)
+- [Cleanup](docs/cleanup.md)
+- [Testing](docs/testing.md)
+- [Release](docs/release.md)

package/dist/client.js

@@ -27,7 +27,10 @@ export class AntpathClient {
             cleanupPolicy: options.cleanupPolicy ?? this.#cleanupPolicy,
             timeoutMs: options.timeoutMs,
             signal: options.signal,
-            logger: options.logger
+            logger: options.logger,
+            onEvent: options.onEvent,
+            onEventAbortOnError: options.onEventAbortOnError ?? false,
+            sessionResources: options.sessionResources ?? []
         });
         await controller.start();
         return controller;

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,8BAA8B,EAAE,MAAM,mCAAmC,CAAC;AAEnF,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAWzD,MAAM,OAAO,aAAa;IACf,SAAS,CAAuB;IAChC,cAAc,CAAgB;IAEvC,YAAY,OAA6B;QACvC,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC;QACpC,CAAC;aAAM,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;YACnC,IAAI,CAAC,SAAS,GAAG,IAAI,8BAA8B,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;QAC3F,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QACD,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,aAAa,IAAI,QAAQ,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,QAA4B,EAAE,UAAsB,EAAE;QAC9D,MAAM,QAAQ,GAAG,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;QACpE,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,IAAI,aAAa,CAAC;YACnC,QAAQ,EAAE,IAAI,CAAC,SAAS;YACxB,QAAQ,EAAE,QAAQ;YAClB,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,EAAE;YACtC,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,IAAI,CAAC,cAAc;YAC3D,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAC;QACH,MAAM,UAAU,CAAC,KAAK,EAAE,CAAC;QACzB,OAAO,UAAU,CAAC;IACpB,CAAC;CACF"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,8BAA8B,EAAE,MAAM,mCAAmC,CAAC;AAEnF,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAWzD,MAAM,OAAO,aAAa;IACf,SAAS,CAAuB;IAChC,cAAc,CAAgB;IAEvC,YAAY,OAA6B;QACvC,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC;QACpC,CAAC;aAAM,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;YACnC,IAAI,CAAC,SAAS,GAAG,IAAI,8BAA8B,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;QAC3F,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QACD,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,aAAa,IAAI,QAAQ,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,QAA4B,EAAE,UAAsB,EAAE;QAC9D,MAAM,QAAQ,GAAG,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;QACpE,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,IAAI,aAAa,CAAC;YACnC,QAAQ,EAAE,IAAI,CAAC,SAAS;YACxB,QAAQ,EAAE,QAAQ;YAClB,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,EAAE;YACtC,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,IAAI,CAAC,cAAc;YAC3D,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,mBAAmB,EAAE,OAAO,CAAC,mBAAmB,IAAI,KAAK;YACzD,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,IAAI,EAAE;SACjD,CAAC,CAAC;QACH,MAAM,UAAU,CAAC,KAAK,EAAE,CAAC;QACzB,OAAO,UAAU,CAAC;IACpB,CAAC;CACF"}

package/dist/credentials.js

@@ -2,9 +2,12 @@ import { CredentialValidationError } from "./errors.js";
 export function validateCredentials(template, credentials = {}) {
     for (const [key, requirement] of Object.entries(template.credentialRequirements)) {
         const credential = credentials[key];
-        if (!credential) {
+        if (credential === undefined) {
             throw new CredentialValidationError(`Missing credential for MCP server '${key}'`);
         }
+        if (!isRecord(credential)) {
+            throw new CredentialValidationError(`Credential for MCP server '${key}' must be an object`);
+        }
         if (credential.type !== requirement.type) {
             throw new CredentialValidationError(`Credential for MCP server '${key}' must be '${requirement.type}'`);
         }
@@ -17,11 +20,37 @@ export function validateCredentials(template, credentials = {}) {
     }
 }
 function validateCredentialValue(key, credential) {
-    if (credential.type === "static_bearer" && !credential.token) {
-        throw new CredentialValidationError(`Static bearer credential for '${key}' requires token`);
+    if (!isRecord(credential)) {
+        throw new CredentialValidationError(`Credential for MCP server '${key}' must be an object`);
+    }
+    if (credential.type === "static_bearer") {
+        assertAllowedFields(key, credential, ["type", "token"]);
+        if (typeof credential.token !== "string" || credential.token.length === 0) {
+            throw new CredentialValidationError(`Static bearer credential for '${key}' requires token`);
+        }
+        return;
     }
-    if (credential.type === "oauth_access_token" && !credential.accessToken) {
-        throw new CredentialValidationError(`OAuth credential for '${key}' requires accessToken`);
+    if (credential.type === "oauth_access_token") {
+        assertAllowedFields(key, credential, ["type", "accessToken", "expiresAt"]);
+        if (typeof credential.accessToken !== "string" || credential.accessToken.length === 0) {
+            throw new CredentialValidationError(`OAuth credential for '${key}' requires accessToken`);
+        }
+        if (credential.expiresAt !== undefined && (typeof credential.expiresAt !== "string" || credential.expiresAt.length === 0)) {
+            throw new CredentialValidationError(`OAuth credential for '${key}' has invalid expiresAt`);
+        }
+        return;
     }
+    throw new CredentialValidationError(`Credential for MCP server '${key}' has unsupported type`);
+}
+function assertAllowedFields(key, credential, allowed) {
+    const allowedSet = new Set(allowed);
+    for (const field of Object.keys(credential)) {
+        if (!allowedSet.has(field)) {
+            throw new CredentialValidationError(`Credential for MCP server '${key}' contains unsupported field '${field}'`);
+        }
+    }
+}
+function isRecord(input) {
+    return typeof input === "object" && input !== null && !Array.isArray(input);
 }
 //# sourceMappingURL=credentials.js.map

package/dist/credentials.js.map

@@ -1 +1 @@
-{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC;AAIxD,MAAM,UAAU,mBAAmB,CAAC,QAA0B,EAAE,cAA+C,EAAE;IAC/G,KAAK,MAAM,CAAC,GAAG,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;QACjF,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,yBAAyB,CAAC,sCAAsC,GAAG,GAAG,CAAC,CAAC;QACpF,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,KAAK,WAAW,CAAC,IAAI,EAAE,CAAC;YACzC,MAAM,IAAI,yBAAyB,CAAC,8BAA8B,GAAG,cAAc,WAAW,CAAC,IAAI,GAAG,CAAC,CAAC;QAC1G,CAAC;QACD,uBAAuB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IAC3C,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC3C,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,yBAAyB,CAAC,+CAA+C,GAAG,GAAG,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAAC,GAAW,EAAE,UAA2B;IACvE,IAAI,UAAU,CAAC,IAAI,KAAK,eAAe,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QAC7D,MAAM,IAAI,yBAAyB,CAAC,iCAAiC,GAAG,kBAAkB,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,KAAK,oBAAoB,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;QACxE,MAAM,IAAI,yBAAyB,CAAC,yBAAyB,GAAG,wBAAwB,CAAC,CAAC;IAC5F,CAAC;AACH,CAAC"}
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC;AAIxD,MAAM,UAAU,mBAAmB,CAAC,QAA0B,EAAE,cAA+C,EAAE;IAC/G,KAAK,MAAM,CAAC,GAAG,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;QACjF,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAY,CAAC;QAC/C,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,yBAAyB,CAAC,sCAAsC,GAAG,GAAG,CAAC,CAAC;QACpF,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,yBAAyB,CAAC,8BAA8B,GAAG,qBAAqB,CAAC,CAAC;QAC9F,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,KAAK,WAAW,CAAC,IAAI,EAAE,CAAC;YACzC,MAAM,IAAI,yBAAyB,CAAC,8BAA8B,GAAG,cAAc,WAAW,CAAC,IAAI,GAAG,CAAC,CAAC;QAC1G,CAAC;QACD,uBAAuB,CAAC,GAAG,EAAE,UAA6B,CAAC,CAAC;IAC9D,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC3C,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,yBAAyB,CAAC,+CAA+C,GAAG,GAAG,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAAC,GAAW,EAAE,UAA2B;IACvE,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,yBAAyB,CAAC,8BAA8B,GAAG,qBAAqB,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QACxC,mBAAmB,CAAC,GAAG,EAAE,UAAU,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QACxD,IAAI,OAAO,UAAU,CAAC,KAAK,KAAK,QAAQ,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1E,MAAM,IAAI,yBAAyB,CAAC,iCAAiC,GAAG,kBAAkB,CAAC,CAAC;QAC9F,CAAC;QACD,OAAO;IACT,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,KAAK,oBAAoB,EAAE,CAAC;QAC7C,mBAAmB,CAAC,GAAG,EAAE,UAAU,EAAE,CAAC,MAAM,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC,CAAC;QAC3E,IAAI,OAAO,UAAU,CAAC,WAAW,KAAK,QAAQ,IAAI,UAAU,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtF,MAAM,IAAI,yBAAyB,CAAC,yBAAyB,GAAG,wBAAwB,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,UAAU,CAAC,SAAS,KAAK,SAAS,IAAI,CAAC,OAAO,UAAU,CAAC,SAAS,KAAK,QAAQ,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;YAC1H,MAAM,IAAI,yBAAyB,CAAC,yBAAyB,GAAG,yBAAyB,CAAC,CAAC;QAC7F,CAAC;QACD,OAAO;IACT,CAAC;IACD,MAAM,IAAI,yBAAyB,CAAC,8BAA8B,GAAG,wBAAwB,CAAC,CAAC;AACjG,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAW,EAAE,UAAmC,EAAE,OAA0B;IACvG,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;IACpC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,yBAAyB,CAAC,8BAA8B,GAAG,iCAAiC,KAAK,GAAG,CAAC,CAAC;QAClH,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC"}

package/dist/files/downloader.js

@@ -11,8 +11,16 @@ export async function downloadOutputs(provider, sessionId, options) {
         throw new Error(`Refusing to download ${totalBytes} bytes; maxTotalBytes exceeded`);
     }
     const manifest = { directory: options.directory, files: [] };
+    let downloadedBytes = 0;
     for (const file of files) {
         const content = await provider.downloadFile(file.id);
+        if (file.sizeBytes !== undefined && content.byteLength !== file.sizeBytes) {
+            throw new Error(`Downloaded byte size for ${file.id} did not match provider metadata`);
+        }
+        downloadedBytes += content.byteLength;
+        if (downloadedBytes > (options.maxTotalBytes ?? DEFAULT_MAX_BYTES)) {
+            throw new Error(`Downloaded outputs exceeded maxTotalBytes`);
+        }
         const localPath = await writeFileSafe(options.directory, file.filename, content);
         const entry = {
             providerFileId: file.id,

package/dist/files/downloader.js.map

@@ -1 +1 @@
-{"version":3,"file":"downloader.js","sourceRoot":"","sources":["../../src/files/downloader.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,iBAAiB,GAAG,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;AAE5C,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAA8B,EAC9B,SAAiB,EACjB,OAA+B;IAE/B,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC,CAAC;IACxE,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,iBAAiB,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,wBAAwB,KAAK,CAAC,MAAM,2BAA2B,CAAC,CAAC;IACnF,CAAC;IACD,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/E,IAAI,UAAU,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,iBAAiB,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,wBAAwB,UAAU,gCAAgC,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,QAAQ,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,KAAK,EAAE,EAAgD,EAAE,CAAC;IAC3G,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACjF,MAAM,KAAK,GAAG;YACZ,cAAc,EAAE,IAAI,CAAC,EAAE;YACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,SAAS;SACV,CAAC;QACF,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IACtG,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED,SAAS,WAAW,CAAC,KAAqB,EAAE,OAA+B;IACzE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,YAAY,MAAM,EAAE,CAAC;QACtC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,YAAY,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC1G,CAAC;IACD,OAAO,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;AACvC,CAAC"}
+{"version":3,"file":"downloader.js","sourceRoot":"","sources":["../../src/files/downloader.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,iBAAiB,GAAG,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;AAE5C,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAA8B,EAC9B,SAAiB,EACjB,OAA+B;IAE/B,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC,CAAC;IACxE,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,iBAAiB,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,wBAAwB,KAAK,CAAC,MAAM,2BAA2B,CAAC,CAAC;IACnF,CAAC;IACD,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/E,IAAI,UAAU,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,iBAAiB,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,wBAAwB,UAAU,gCAAgC,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,QAAQ,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,KAAK,EAAE,EAAgD,EAAE,CAAC;IAC3G,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrD,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,IAAI,OAAO,CAAC,UAAU,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YAC1E,MAAM,IAAI,KAAK,CAAC,4BAA4B,IAAI,CAAC,EAAE,kCAAkC,CAAC,CAAC;QACzF,CAAC;QACD,eAAe,IAAI,OAAO,CAAC,UAAU,CAAC;QACtC,IAAI,eAAe,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,iBAAiB,CAAC,EAAE,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACjF,MAAM,KAAK,GAAG;YACZ,cAAc,EAAE,IAAI,CAAC,EAAE;YACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,SAAS;SACV,CAAC;QACF,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IACtG,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED,SAAS,WAAW,CAAC,KAAqB,EAAE,OAA+B;IACzE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,YAAY,MAAM,EAAE,CAAC;QACtC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,YAAY,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC1G,CAAC;IACD,OAAO,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;AACvC,CAAC"}

package/dist/index.d.ts

@@ -1,5 +1,10 @@
 export { AntpathClient } from "./client.js";
-export { compileTemplate, defineTemplate, requiredOAuthAccessToken, requiredStaticBearer, string, type TemplateDefinition, type TemplateVariableDefinition } from "./template/index.js";
-export type { CleanupPolicy, CredentialInput, DownloadOutputsOptions, DownloadOutputsResult, Logger, OutputManifest, RunEvent, RunHandle, RunOptions, RunResult, RunStatus, UsageSummary } from "./types.js";
+export { AntpathPlatformClient, PlatformApiError, validateProxyAuth, buildPlatformAllowedHosts, resetDefaultSecretsDeprecationWarning } from "./platform/index.js";
+export type { PlatformEvent, PlatformOutput, PlatformRun, SignedOutputLink, PlatformInlineSecrets, PlatformRunSubmissionRequest, PlatformProxyEndpoint, PlatformProxyEndpointAuth, PlatformProxyAuthShape, PlatformProxyMethod, PlatformProxyResponseMode, AntpathPlatformClientOptions } from "./platform/index.js";
+export { AnthropicManagedAgentsProvider } from "./providers/anthropic/provider.js";
+export type { ManagedAgentProvider, ProviderSkillRef, SessionResourceInput, UploadFileInput } from "./providers/types.js";
+export { isAgentEvent, isAgentCustomToolUse, isAgentMcpToolResult, isAgentMcpToolUse, isAgentMessage, isAgentThinking, isAgentToolResult, isAgentToolUse, isSessionError, isSessionEvent, isSessionStatusIdle, isSessionStatusRescheduled, isSessionStatusRunning, isSessionStatusTerminated, isSpanEvent, isUserEvent, isUserMessage } from "./providers/known-events.js";
+export { compileTemplate, defineTemplate, requiredOAuthAccessToken, requiredStaticBearer, string, type EnvironmentDefinition, type ResolvedTemplate, type TemplateDefinition, type TemplateVariableDefinition } from "./template/index.js";
+export type { CleanupPolicy, CleanupResult, CredentialInput, DownloadOutputsOptions, DownloadOutputsResult, Logger, OutputManifest, ProviderEvent, ProviderFile, ProviderResourceIds, RunEvent, RunEventHandler, RunHandle, RunOptions, RunResult, RunStatus, SessionResourceUpload, UsageSummary } from "./types.js";
 export { SecretString, redactSecrets } from "./utils/secrets.js";
 export { AntpathError, CleanupError, CredentialValidationError, ProviderError, RunStateError, TemplateValidationError } from "./errors.js";

package/dist/index.js

@@ -1,4 +1,7 @@
 export { AntpathClient } from "./client.js";
+export { AntpathPlatformClient, PlatformApiError, validateProxyAuth, buildPlatformAllowedHosts, resetDefaultSecretsDeprecationWarning } from "./platform/index.js";
+export { AnthropicManagedAgentsProvider } from "./providers/anthropic/provider.js";
+export { isAgentEvent, isAgentCustomToolUse, isAgentMcpToolResult, isAgentMcpToolUse, isAgentMessage, isAgentThinking, isAgentToolResult, isAgentToolUse, isSessionError, isSessionEvent, isSessionStatusIdle, isSessionStatusRescheduled, isSessionStatusRunning, isSessionStatusTerminated, isSpanEvent, isUserEvent, isUserMessage } from "./providers/known-events.js";
 export { compileTemplate, defineTemplate, requiredOAuthAccessToken, requiredStaticBearer, string } from "./template/index.js";
 export { SecretString, redactSecrets } from "./utils/secrets.js";
 export { AntpathError, CleanupError, CredentialValidationError, ProviderError, RunStateError, TemplateValidationError } from "./errors.js";

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EACL,eAAe,EACf,cAAc,EACd,wBAAwB,EACxB,oBAAoB,EACpB,MAAM,EAGP,MAAM,qBAAqB,CAAC;AAe7B,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,yBAAyB,EACzB,aAAa,EACb,aAAa,EACb,uBAAuB,EACxB,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EACL,qBAAqB,EACrB,gBAAgB,EAChB,iBAAiB,EACjB,yBAAyB,EACzB,qCAAqC,EACtC,MAAM,qBAAqB,CAAC;AAe7B,OAAO,EAAE,8BAA8B,EAAE,MAAM,mCAAmC,CAAC;AAEnF,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,oBAAoB,EACpB,iBAAiB,EACjB,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,cAAc,EACd,mBAAmB,EACnB,0BAA0B,EAC1B,sBAAsB,EACtB,yBAAyB,EACzB,WAAW,EACX,WAAW,EACX,aAAa,EACd,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,eAAe,EACf,cAAc,EACd,wBAAwB,EACxB,oBAAoB,EACpB,MAAM,EAKP,MAAM,qBAAqB,CAAC;AAqB7B,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,yBAAyB,EACzB,aAAa,EACb,aAAa,EACb,uBAAuB,EACxB,MAAM,aAAa,CAAC"}

package/dist/platform/client.d.ts

@@ -0,0 +1,204 @@
+type FetchLike = (input: string | URL | Request, init?: RequestInit) => Promise<Response>;
+export type PlatformJsonPrimitive = string | number | boolean | null;
+export type PlatformJsonValue = PlatformJsonPrimitive | readonly PlatformJsonValue[] | {
+    readonly [key: string]: PlatformJsonValue;
+};
+export interface PlatformTemplateSubmission {
+    readonly name: string;
+    readonly model: string;
+    readonly templateHash: string;
+    readonly system?: string;
+    readonly messages: readonly string[];
+    readonly metadata?: Record<string, PlatformJsonValue>;
+}
+export type PlatformClaudeSessionCleanup = "retain" | "delete";
+export interface PlatformCleanupPolicy {
+    readonly session?: PlatformClaudeSessionCleanup;
+    readonly claudeSession?: PlatformClaudeSessionCleanup;
+}
+export interface PlatformAnthropicSecrets {
+    readonly apiKey: string;
+    readonly baseUrl?: string;
+}
+export interface PlatformMcpServerSecret {
+    readonly name: string;
+    readonly url: string;
+    readonly headers?: Record<string, string>;
+}
+export interface PlatformSkillReference {
+    readonly skillId: string;
+    readonly version?: string;
+}
+export interface PlatformInlineSecrets {
+    readonly anthropic: PlatformAnthropicSecrets;
+    readonly mcpServers?: readonly PlatformMcpServerSecret[];
+    readonly skills?: readonly PlatformSkillReference[];
+    /**
+     * Auth values for proxy endpoints declared at the top level of the
+     * submission. Each entry's `name` must match a declared
+     * `proxyEndpoints[i].name` and its `value.type` must match the
+     * declared `authShape.type`. Validate eagerly with
+     * {@link validateProxyAuth}.
+     */
+    readonly proxyEndpointAuth?: readonly PlatformProxyEndpointAuth[];
+}
+/**
+ * Structural description of how the upstream endpoint expects auth.
+ * The actual value lives in {@link PlatformProxyEndpointAuth.value} and
+ * is supplied separately so it never enters the idempotency hash.
+ */
+export type PlatformProxyAuthShape = {
+    readonly type: "bearer";
+} | {
+    readonly type: "basic";
+} | {
+    readonly type: "header";
+    readonly name: string;
+} | {
+    readonly type: "query";
+    readonly name: string;
+};
+export type PlatformProxyMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+export type PlatformProxyResponseMode = "full" | "status_only" | "headers_only";
+export interface PlatformProxyEndpoint {
+    readonly name: string;
+    readonly baseUrl: string;
+    readonly authShape: PlatformProxyAuthShape;
+    readonly allowMethods: readonly PlatformProxyMethod[];
+    readonly allowPathPrefixes: readonly string[];
+    readonly allowHeaders?: readonly string[];
+    readonly responseMode?: PlatformProxyResponseMode;
+    readonly maxRequestBytes?: number;
+    readonly maxResponseBytes?: number;
+    readonly timeoutMs?: number;
+    readonly perCallBudget?: number;
+    readonly responseByteBudget?: number;
+}
+export interface PlatformProxyEndpointAuth {
+    readonly name: string;
+    readonly value: {
+        readonly type: "bearer";
+        readonly token: string;
+    } | {
+        readonly type: "basic";
+        readonly username: string;
+        readonly password: string;
+    } | {
+        readonly type: "header";
+        readonly value: string;
+    } | {
+        readonly type: "query";
+        readonly value: string;
+    };
+}
+/**
+ * Submission shape accepted by `AntpathPlatformClient.submitRun`. The `secrets`
+ * block may be omitted at the call site if a client-level default was provided
+ * to the constructor; the merged value is always sent on the wire.
+ */
+export interface PlatformRunSubmissionRequest {
+    readonly workspaceId: string;
+    readonly idempotencyKey: string;
+    readonly template: PlatformTemplateSubmission;
+    readonly variables?: Record<string, PlatformJsonValue>;
+    readonly cleanup?: PlatformCleanupPolicy;
+    readonly secrets?: PlatformInlineSecrets;
+    /**
+     * HTTP endpoints reachable via the antpath managed proxy during this
+     * run. Each entry declares the policy (URL, allow lists, caps); the
+     * corresponding auth value goes in
+     * `secrets.proxyEndpointAuth[i]` with a matching `name`.
+     *
+     * Empty / omitted → no proxy surface is provisioned (the in-container
+     * `/antpath/index.json` reports `endpoints: []`).
+     */
+    readonly proxyEndpoints?: readonly PlatformProxyEndpoint[];
+}
+export interface AntpathPlatformClientOptions {
+    readonly baseUrl: string;
+    readonly apiToken: string;
+    readonly fetch?: FetchLike;
+    /**
+     * Optional default secrets applied to every submission that does not
+     * override the `secrets` block per-call.
+     *
+     * @deprecated The agent-first invariant requires every secret-bearing
+     * field to be visible at the call site. Pass `secrets` explicitly on
+     * each `submitRun` call instead; this option will be removed in a
+     * future release. See
+     * `references/development-principles.md` (Agent-first surface design).
+     */
+    readonly defaultSecrets?: PlatformInlineSecrets;
+}
+export interface PlatformRun {
+    readonly id: string;
+    readonly status: string;
+    readonly [key: string]: unknown;
+}
+export interface PlatformEvent {
+    readonly id: string;
+    readonly [key: string]: unknown;
+}
+export interface PlatformOutput {
+    readonly id: string;
+    readonly [key: string]: unknown;
+}
+export interface SignedOutputLink {
+    readonly url: string;
+    readonly [key: string]: unknown;
+}
+export declare class PlatformApiError extends Error {
+    readonly status: number;
+    readonly details: unknown;
+    constructor(status: number, message: string, details: unknown);
+}
+export declare class AntpathPlatformClient {
+    private readonly baseUrl;
+    private readonly apiToken;
+    private readonly fetchImpl;
+    private readonly defaultSecrets?;
+    constructor(options: AntpathPlatformClientOptions);
+    submitRun(request: PlatformRunSubmissionRequest): Promise<PlatformRun>;
+    getRun(workspaceId: string, runId: string): Promise<PlatformRun>;
+    listRunEvents(workspaceId: string, runId: string): Promise<readonly PlatformEvent[]>;
+    listOutputs(workspaceId: string, runId: string): Promise<readonly PlatformOutput[]>;
+    createOutputLink(workspaceId: string, runId: string, outputId: string): Promise<SignedOutputLink>;
+    cancelRun(workspaceId: string, runId: string): Promise<void>;
+    deleteRun(workspaceId: string, runId: string): Promise<void>;
+    private request;
+}
+/**
+ * Test-only: reset the "warn once" guard for the `defaultSecrets`
+ * deprecation message. Production code should not call this.
+ *
+ * @internal
+ */
+export declare function resetDefaultSecretsDeprecationWarning(): void;
+/**
+ * Cross-validate a `proxyEndpoints` policy list against a
+ * `secrets.proxyEndpointAuth` value list. Throws on the first
+ * mismatch with an actionable, field-named error message.
+ *
+ * Mirrors the BFF's authoritative validator so misconfigured
+ * submissions fail fast in the SDK before going over the wire. Use it
+ * directly in tests or wrappers — `submitRun` already invokes it when
+ * `proxyEndpoints` is non-empty.
+ */
+export declare function validateProxyAuth(endpoints: readonly PlatformProxyEndpoint[], auth: readonly PlatformProxyEndpointAuth[] | undefined): void;
+/**
+ * Build an `allowedHosts` list for `environment.network` that includes
+ * the antpath proxy host (and optionally Anthropic's MCP host) when
+ * the caller is hand-rolling networking. The worker auto-injects the
+ * proxy host server-side when proxy endpoints are declared; use this
+ * helper when you also want client-side template validation parity
+ * (e.g. to assert at build time that a `limited` config can reach the
+ * surfaces you intended).
+ *
+ * The proxy host is derived from the dashboard URL. Pass the same
+ * value you used for the `AntpathPlatformClient` `baseUrl`.
+ */
+export declare function buildPlatformAllowedHosts(input: {
+    readonly dashboardBaseUrl: string;
+    readonly extraHosts?: readonly string[];
+}): readonly string[];
+export {};