antpath 0.10.15 → 0.11.4

package/dist/_shared/submission.js

@@ -1,6 +1,77 @@
 import { authShapeHeaderName, PROXY_ALLOWED_METHODS, PROXY_RESPONSE_MODES } from "./proxy-protocol.js";
-import { parseMcpServerRef, parseSkillRef } from "./blueprint.js";
-import { TRANSIENT_CONTENT_HASH_PATTERN, TRANSIENT_SLOT_PATTERN } from "./blueprint.js";
+import { parseMcpServerRef, parseR2RefFields, parseSkillRef } from "./blueprint.js";
+/**
+ * Reserved prefix for antpath-set runtime env vars (`ANTPATH_OUTPUTS`,
+ * `ANTPATH_CLI`, …). Customer `environment.envVars` keys carrying this
+ * prefix are rejected at submission parse time so platform-set values
+ * cannot be silently overwritten.
+ */
+export const ANTPATH_RESERVED_ENV_PREFIX = "ANTPATH_";
+/**
+ * Maximum number of `environment.envVars` entries accepted per
+ * submission. Picked to be generous for real customer config bags
+ * (the broll case ships a handful — `BROLL_STORE`, `BROLL_OUTPUTS`,
+ * `BROLL_MODE`, …) while still bounding the size of every RUNTIME
+ * file we mount into the container.
+ */
+export const ENV_VARS_MAX_ENTRIES = 64;
+/** Maximum byte length of a single `environment.envVars` value. */
+export const ENV_VARS_MAX_VALUE_BYTES = 4096;
+/** Maximum total byte length of all `environment.envVars` keys+values combined. */
+export const ENV_VARS_MAX_TOTAL_BYTES = 65536;
+/**
+ * POSIX-shell-portable env var key: starts with `A-Z` or `_`, body is
+ * `A-Z`, `0-9`, `_`. We deliberately reject lowercase to keep
+ * `RUNTIME.env` readable and consistent with platform conventions; if
+ * a customer has lowercase keys today, they uppercase them at the
+ * call site.
+ */
+const ENV_VAR_KEY_PATTERN = /^[A-Z_][A-Z0-9_]*$/;
+/**
+ * Run-time provider selector. Antpath exposes one customer interface
+ * for every provider; the runtime that backs each provider is decided
+ * by {@link selectRuntime}.
+ *
+ *   - `anthropic` — defaults to the Anthropic Native runtime (Anthropic
+ *                   Managed Agents API). Customers can opt into the
+ *                   Goose Managed runtime via `runtime: "managed"`.
+ *   - `deepseek` | `openai` | `gemini` | `mistral` — only the Goose
+ *                   Managed runtime is supported (LiteLLM-gateway'd
+ *                   call into the upstream).
+ *
+ * See `references/platform-rebuild-2026.md`.
+ */
+export const RUN_PROVIDERS = [
+    "anthropic",
+    "deepseek",
+    "openai",
+    "gemini",
+    "mistral"
+];
+export const DEFAULT_RUN_PROVIDER = "anthropic";
+/**
+ * Customer-facing runtime selector. Optional on the wire — absent means
+ * "let the dispatcher route based on provider" ({@link selectRuntime}).
+ *
+ *   - `native`  — Anthropic Native runtime. Only valid for
+ *                 `provider: "anthropic"`. Routes through Anthropic's
+ *                 Managed Agents API.
+ *   - `managed` — Goose Managed runtime. The only option for
+ *                 non-Anthropic providers; also available as an opt-out
+ *                 for `provider: "anthropic"` when the customer wants
+ *                 cross-provider parity.
+ *
+ * Stored verbatim in `runs.runtime`. See
+ * `references/platform-rebuild-2026.md` (Runtime dispatcher logic).
+ */
+export const RUNTIME_KINDS = ["native", "managed"];
+/**
+ * Providers whose runtime is implemented by Anthropic Native. Every
+ * other provider in {@link RUN_PROVIDERS} routes through Goose Managed.
+ * Kept as a constant so the dispatcher logic and the validation tests
+ * share one source of truth.
+ */
+export const NATIVE_RUNTIME_PROVIDERS = ["anthropic"];
 const SECRETS_KEY = "secrets";
 /**
  * Default caps for a proxy endpoint when the submission doesn't specify
@@ -49,86 +120,105 @@ const deniedSecretFields = new Set([
     "mcpCredentials",
     "credentials"
 ]);
-export function parseRunSubmissionRequest(input) {
-    const value = requireRecord(input, "submission");
-    // The `secrets` block at the top level is the single allowlisted carrier
-    // for credential material. Every other top-level field is recursively
-    // scanned for secret-bearing keys; the `secrets` block has its own strict
-    // schema (no unknown keys, no nested credential leakage).
-    for (const [key, fieldValue] of Object.entries(value)) {
-        if (key === SECRETS_KEY) {
-            continue;
-        }
-        if (deniedSecretFields.has(key)) {
-            throw new Error(`Secret-bearing field is not allowed in platform submission: ${key}`);
-        }
-        assertNoSecretBearingFields(fieldValue, [key]);
-    }
-    const variables = optionalJsonRecord(value.variables, "variables");
-    const cleanup = parseCleanupPolicy(value.cleanup);
-    const proxyEndpoints = parseProxyEndpoints(value.proxyEndpoints);
-    const secrets = parseInlineSecrets(value.secrets);
-    crossValidateProxyEndpointsAndAuth(proxyEndpoints, secrets.proxyEndpointAuth);
-    return {
-        workspaceId: requireString(value.workspaceId, "workspaceId"),
-        idempotencyKey: requireString(value.idempotencyKey, "idempotencyKey"),
-        template: parseTemplate(value.template),
-        ...(variables ? { variables } : {}),
-        ...(cleanup ? { cleanup } : {}),
-        ...(proxyEndpoints ? { proxyEndpoints } : {}),
-        secrets
-    };
-}
-function parseTemplate(input) {
-    const value = requireRecord(input, "template");
-    const system = optionalString(value.system, "template.system");
-    const metadata = optionalJsonRecord(value.metadata, "template.metadata");
-    const environment = parseTemplateEnvironment(value.environment);
-    return {
-        name: requireString(value.name, "template.name"),
-        model: requireString(value.model, "template.model"),
-        templateHash: requireString(value.templateHash, "template.templateHash"),
-        messages: requireStringArray(value.messages, "template.messages"),
-        ...(system ? { system } : {}),
-        ...(metadata ? { metadata } : {}),
-        ...(environment ? { environment } : {})
-    };
-}
-function parseTemplateEnvironment(input) {
+function parseEnvironment(input) {
     if (input === undefined) {
         return undefined;
     }
-    const value = requireRecord(input, "template.environment");
-    const allowed = new Set(["networking", "packages"]);
+    const value = requireRecord(input, "submission.environment");
+    const allowed = new Set(["networking", "packages", "envVars"]);
     for (const key of Object.keys(value)) {
         if (!allowed.has(key)) {
-            throw new Error(`template.environment.${key} is not an allowed field; permitted: networking, packages`);
+            throw new Error(`submission.environment.${key} is not an allowed field; permitted: networking, packages, envVars`);
         }
     }
-    const networking = parseTemplateNetworking(value.networking);
-    const packages = parseTemplatePackages(value.packages);
-    if (!networking && !packages) {
+    const networking = parseNetworking(value.networking);
+    const packages = parsePackages(value.packages);
+    const envVars = parseEnvVars(value.envVars);
+    if (!networking && !packages && !envVars) {
         return undefined;
     }
     return {
         ...(networking ? { networking } : {}),
-        ...(packages ? { packages } : {})
+        ...(packages ? { packages } : {}),
+        ...(envVars ? { envVars } : {})
     };
 }
-function parseTemplateNetworking(input) {
+/**
+ * Validate a customer-supplied `environment.envVars` map. Returns a
+ * frozen copy with keys in insertion order, or `undefined` when the
+ * input is absent / an empty object (treated as not supplied so the
+ * worker can omit the field from the parsed snapshot).
+ *
+ * Rules:
+ *   - Must be a JSON object whose values are all strings.
+ *   - Keys match `[A-Z_][A-Z0-9_]*` (POSIX-shell portable, uppercase
+ *     only — keeps RUNTIME.env readable, matches platform convention).
+ *   - Keys MUST NOT start with the reserved `ANTPATH_` prefix; that
+ *     prefix is owned by platform-set runtime keys and a collision
+ *     would silently mask `__ANTPATH_OUTPUTS__` etc. substitution
+ *     targets.
+ *   - Bounded: max ENV_VARS_MAX_ENTRIES entries, max
+ *     ENV_VARS_MAX_VALUE_BYTES per value, max ENV_VARS_MAX_TOTAL_BYTES
+ *     overall. The caps stop a runaway customer from making the
+ *     mounted RUNTIME files unbounded.
+ *   - Values are arbitrary UTF-8 strings, EXCEPT NUL bytes are
+ *     rejected (NUL terminates C-strings and breaks env-var
+ *     transport even inside the container).
+ */
+function parseEnvVars(input) {
     if (input === undefined) {
         return undefined;
     }
-    const value = requireRecord(input, "template.environment.networking");
+    const value = requireRecord(input, "submission.environment.envVars");
+    const keys = Object.keys(value);
+    if (keys.length === 0) {
+        return undefined;
+    }
+    if (keys.length > ENV_VARS_MAX_ENTRIES) {
+        throw new Error(`submission.environment.envVars has ${keys.length} entries; maximum is ${ENV_VARS_MAX_ENTRIES}`);
+    }
+    const out = {};
+    let totalBytes = 0;
+    for (const key of keys) {
+        if (!ENV_VAR_KEY_PATTERN.test(key)) {
+            throw new Error(`submission.environment.envVars.${key} key must match /^[A-Z_][A-Z0-9_]*$/`);
+        }
+        if (key.startsWith(ANTPATH_RESERVED_ENV_PREFIX)) {
+            throw new Error(`submission.environment.envVars.${key} uses reserved prefix "${ANTPATH_RESERVED_ENV_PREFIX}" (set by antpath runtime)`);
+        }
+        const raw = value[key];
+        if (typeof raw !== "string") {
+            throw new Error(`submission.environment.envVars.${key} must be a string`);
+        }
+        if (raw.includes("\0")) {
+            throw new Error(`submission.environment.envVars.${key} must not contain NUL bytes`);
+        }
+        const valueBytes = Buffer.byteLength(raw, "utf8");
+        if (valueBytes > ENV_VARS_MAX_VALUE_BYTES) {
+            throw new Error(`submission.environment.envVars.${key} value is ${valueBytes} bytes; maximum is ${ENV_VARS_MAX_VALUE_BYTES}`);
+        }
+        totalBytes += Buffer.byteLength(key, "utf8") + valueBytes;
+        if (totalBytes > ENV_VARS_MAX_TOTAL_BYTES) {
+            throw new Error(`submission.environment.envVars total byte size exceeds maximum ${ENV_VARS_MAX_TOTAL_BYTES}`);
+        }
+        out[key] = raw;
+    }
+    return Object.freeze(out);
+}
+function parseNetworking(input) {
+    if (input === undefined) {
+        return undefined;
+    }
+    const value = requireRecord(input, "submission.environment.networking");
     const allowed = new Set(["mode", "allowedHosts"]);
     for (const key of Object.keys(value)) {
         if (!allowed.has(key)) {
-            throw new Error(`template.environment.networking.${key} is not an allowed field; permitted: mode, allowedHosts`);
+            throw new Error(`submission.environment.networking.${key} is not an allowed field; permitted: mode, allowedHosts`);
         }
     }
-    const mode = optionalEnum(value.mode, "template.environment.networking.mode", ["limited", "open"]);
+    const mode = optionalEnum(value.mode, "submission.environment.networking.mode", ["limited", "open"]);
     if (!mode) {
-        throw new Error("template.environment.networking.mode is required when networking is provided");
+        throw new Error("submission.environment.networking.mode is required when networking is provided");
     }
     const allowedHosts = parseAllowedHosts(value.allowedHosts);
     return allowedHosts ? { mode, allowedHosts } : { mode };
@@ -138,38 +228,38 @@ function parseAllowedHosts(input) {
         return undefined;
     }
     if (!Array.isArray(input)) {
-        throw new Error("template.environment.networking.allowedHosts must be an array of strings");
+        throw new Error("submission.environment.networking.allowedHosts must be an array of strings");
     }
     const seen = new Set();
     return input.map((entry, index) => {
         if (typeof entry !== "string" || entry.length === 0) {
-            throw new Error(`template.environment.networking.allowedHosts[${index}] must be a non-empty string`);
+            throw new Error(`submission.environment.networking.allowedHosts[${index}] must be a non-empty string`);
         }
         const lower = entry.toLowerCase();
         if (seen.has(lower)) {
-            throw new Error(`template.environment.networking.allowedHosts duplicate entry: ${entry}`);
+            throw new Error(`submission.environment.networking.allowedHosts duplicate entry: ${entry}`);
         }
         seen.add(lower);
         return lower;
     });
 }
-function parseTemplatePackages(input) {
+function parsePackages(input) {
     if (input === undefined) {
         return undefined;
     }
     if (!Array.isArray(input)) {
-        throw new Error("template.environment.packages must be an array");
+        throw new Error("submission.environment.packages must be an array");
     }
     return input.map((entry, index) => {
-        const value = requireRecord(entry, `template.environment.packages[${index}]`);
+        const value = requireRecord(entry, `submission.environment.packages[${index}]`);
         const allowed = new Set(["name", "version"]);
         for (const key of Object.keys(value)) {
             if (!allowed.has(key)) {
-                throw new Error(`template.environment.packages[${index}].${key} is not an allowed field; permitted: name, version`);
+                throw new Error(`submission.environment.packages[${index}].${key} is not an allowed field; permitted: name, version`);
             }
         }
-        const name = requireString(value.name, `template.environment.packages[${index}].name`);
-        const version = optionalString(value.version, `template.environment.packages[${index}].version`);
+        const name = requireString(value.name, `submission.environment.packages[${index}].name`);
+        const version = optionalString(value.version, `submission.environment.packages[${index}].version`);
         return version ? { name, version } : { name };
     });
 }
@@ -415,23 +505,19 @@ function parseCleanupPolicy(input) {
     }
     const value = requireRecord(input, "cleanup");
     const session = optionalEnum(value.session, "cleanup.session", ["retain", "delete"]);
-    const claudeSession = optionalEnum(value.claudeSession, "cleanup.claudeSession", ["retain", "delete"]);
-    if (session !== undefined && claudeSession !== undefined && session !== claudeSession) {
-        throw new Error("cleanup.session and cleanup.claudeSession must agree; cleanup.claudeSession is deprecated");
-    }
-    const resolved = session ?? claudeSession;
-    if (resolved === undefined) {
+    if (session === undefined) {
         return undefined;
     }
-    const policy = { session: resolved };
-    if (claudeSession !== undefined) {
-        return { ...policy, claudeSession: resolved };
-    }
-    return policy;
+    return { session };
 }
+const PROVIDER_SECRET_KEYS = ["anthropic", "deepseek", "openai", "gemini", "mistral"];
 function parseInlineSecrets(input) {
     const value = requireRecord(input, "secrets");
-    const allowedTopLevel = new Set(["anthropic", "mcpServers", "skills", "proxyEndpointAuth"]);
+    const allowedTopLevel = new Set([
+        ...PROVIDER_SECRET_KEYS,
+        "mcpServers",
+        "proxyEndpointAuth"
+    ]);
     for (const key of Object.keys(value)) {
         if (key.startsWith("__antpath_")) {
             // Platform-internal namespace (e.g. __antpath_proxy_token). The BFF
@@ -441,33 +527,49 @@ function parseInlineSecrets(input) {
             throw new Error(`secrets.${key} uses the platform-internal __antpath_ namespace and may not be set by callers`);
         }
         if (!allowedTopLevel.has(key)) {
-            throw new Error(`secrets.${key} is not an allowed field; permitted: anthropic, mcpServers, skills, proxyEndpointAuth`);
+            throw new Error(`secrets.${key} is not an allowed field; permitted: ${[...allowedTopLevel].join(", ")}`);
         }
     }
-    const anthropic = parseAnthropicSecret(value.anthropic);
-    const mcpServers = parseMcpServers(value.mcpServers);
-    const skills = parseSkills(value.skills);
+    const anthropic = value.anthropic !== undefined ? parseProviderSecret(value.anthropic, "anthropic") : undefined;
+    const deepseek = value.deepseek !== undefined ? parseProviderSecret(value.deepseek, "deepseek") : undefined;
+    const openai = value.openai !== undefined ? parseProviderSecret(value.openai, "openai") : undefined;
+    const gemini = value.gemini !== undefined ? parseProviderSecret(value.gemini, "gemini") : undefined;
+    const mistral = value.mistral !== undefined ? parseProviderSecret(value.mistral, "mistral") : undefined;
+    const mcpServers = parseMcpServerSecrets(value.mcpServers);
     const proxyEndpointAuth = parseProxyEndpointAuth(value.proxyEndpointAuth);
     return {
-        anthropic,
+        ...(anthropic ? { anthropic } : {}),
+        ...(deepseek ? { deepseek } : {}),
+        ...(openai ? { openai } : {}),
+        ...(gemini ? { gemini } : {}),
+        ...(mistral ? { mistral } : {}),
         ...(mcpServers ? { mcpServers } : {}),
-        ...(skills ? { skills } : {}),
         ...(proxyEndpointAuth ? { proxyEndpointAuth } : {})
     };
 }
-function parseAnthropicSecret(input) {
-    const value = requireRecord(input, "secrets.anthropic");
+function parseProviderSecret(input, provider) {
+    const field = `secrets.${provider}`;
+    const value = requireRecord(input, field);
     const allowed = new Set(["apiKey", "baseUrl"]);
     for (const key of Object.keys(value)) {
         if (!allowed.has(key)) {
-            throw new Error(`secrets.anthropic.${key} is not an allowed field; permitted: apiKey, baseUrl`);
+            throw new Error(`${field}.${key} is not an allowed field; permitted: apiKey, baseUrl`);
         }
     }
-    const apiKey = requireString(value.apiKey, "secrets.anthropic.apiKey");
-    const baseUrl = optionalString(value.baseUrl, "secrets.anthropic.baseUrl");
-    return baseUrl ? { apiKey, baseUrl } : { apiKey };
+    const apiKey = requireString(value.apiKey, `${field}.apiKey`);
+    const rawBaseUrl = optionalString(value.baseUrl, `${field}.baseUrl`);
+    if (rawBaseUrl === undefined) {
+        return { apiKey };
+    }
+    // Reuse the proxy-endpoint URL guard so provider baseUrl gets the
+    // same protection: https-only, no credentials, no query/fragment.
+    // The provider-proxy in the dashboard forwards a customer-controlled
+    // baseUrl to the upstream — accepting http:// (or a userinfo-laden
+    // URL) here is an SSRF / credential-leak vector.
+    const baseUrl = parseProxyBaseUrl(rawBaseUrl, `${field}.baseUrl`);
+    return { apiKey, baseUrl };
 }
-function parseMcpServers(input) {
+function parseMcpServerSecrets(input) {
     if (input === undefined) {
         return undefined;
     }
@@ -476,7 +578,7 @@ function parseMcpServers(input) {
     }
     const seen = new Set();
     return input.map((entry, index) => {
-        const parsed = parseMcpServer(entry, `secrets.mcpServers[${index}]`);
+        const parsed = parseMcpServerSecret(entry, `secrets.mcpServers[${index}]`);
         if (seen.has(parsed.name)) {
             throw new Error(`secrets.mcpServers duplicate name: ${parsed.name}`);
         }
@@ -484,7 +586,7 @@ function parseMcpServers(input) {
         return parsed;
     });
 }
-function parseMcpServer(input, path) {
+function parseMcpServerSecret(input, path) {
     const value = requireRecord(input, path);
     const allowed = new Set(["name", "url", "headers"]);
     for (const key of Object.keys(value)) {
@@ -497,27 +599,6 @@ function parseMcpServer(input, path) {
     const headers = optionalStringRecord(value.headers, `${path}.headers`);
     return headers ? { name, url, headers } : { name, url };
 }
-function parseSkills(input) {
-    if (input === undefined) {
-        return undefined;
-    }
-    if (!Array.isArray(input)) {
-        throw new Error("secrets.skills must be an array");
-    }
-    return input.map((entry, index) => parseSkill(entry, `secrets.skills[${index}]`));
-}
-function parseSkill(input, path) {
-    const value = requireRecord(input, path);
-    const allowed = new Set(["skillId", "version"]);
-    for (const key of Object.keys(value)) {
-        if (!allowed.has(key)) {
-            throw new Error(`${path}.${key} is not an allowed field; permitted: skillId, version`);
-        }
-    }
-    const skillId = requireString(value.skillId, `${path}.skillId`);
-    const version = optionalString(value.version, `${path}.version`);
-    return version ? { skillId, version } : { skillId };
-}
 function parseProxyEndpointAuth(input) {
     if (input === undefined) {
         return undefined;
@@ -701,10 +782,10 @@ function isJsonValue(input) {
     }
     return false;
 }
-export function parseFlatRunSubmissionRequest(input) {
+export function parseRunSubmissionRequest(input) {
     const value = requireRecord(input, "submission");
     // Defence in depth: scan every non-secrets field for credential-named
-    // keys, exactly like `parseRunSubmissionRequest`. The `secrets` key is
+    // keys. The `secrets` key is
     // the only allow-listed home for credential material.
     for (const [key, fieldValue] of Object.entries(value)) {
         if (key === SECRETS_KEY) {
@@ -715,11 +796,19 @@ export function parseFlatRunSubmissionRequest(input) {
         }
         assertNoSecretBearingFields(fieldValue, [key]);
     }
+    const provider = parseRunProvider(value.provider);
+    const runtime = parseRuntimeKind(value.runtime);
+    // Cross-field validation: native is only valid for the
+    // Anthropic-native-capable providers.
+    if (runtime === "native" && !isNativeRuntimeProvider(provider)) {
+        throw new RuntimeValidationError("runtime_native_unsupported", `runtime: "native" is only supported for provider: ${formatProviderList(NATIVE_RUNTIME_PROVIDERS)} (got provider: "${provider}")`);
+    }
     const cleanup = parseCleanupPolicy(value.cleanup);
     const proxyEndpoints = parseProxyEndpoints(value.proxyEndpoints);
     const secrets = parseInlineSecrets(value.secrets);
+    enforceProviderSecretCoupling(provider, secrets);
     crossValidateProxyEndpointsAndAuth(proxyEndpoints, secrets.proxyEndpointAuth);
-    const submission = parseFlatSubmission(value.submission);
+    const submission = parseSubmission(value.submission);
     // mcpServers names must agree across the submission half and the
     // secrets half — every secrets.mcpServers[i].name MUST resolve to a
     // submission.mcpServers entry (no orphan secrets) AND the URL must
@@ -738,16 +827,89 @@ export function parseFlatRunSubmissionRequest(input) {
             }
         }
     }
+    // Cross-field feature/runtime validation. When the caller explicitly
+    // opted into runtime: "managed", they must not also request any
+    // native-only feature (provider built-in skills, etc.). Done HERE in
+    // the parser so every entry-point (Worker, dashboard BFF, SDK) gets
+    // the same fail-closed behaviour. Previously this lived only in the
+    // separately-invokable selectRuntime() — and the dashboard BFF
+    // forgot to invoke it, letting incoherent runs land in the DB.
+    if (runtime === "managed") {
+        const candidate = {
+            workspaceId: "",
+            idempotencyKey: "",
+            provider,
+            runtime,
+            submission,
+            secrets
+        };
+        const nativeOnly = collectNativeOnlyFeatures(candidate);
+        if (nativeOnly.length > 0) {
+            throw new RuntimeValidationError("feature_runtime_mismatch", `runtime: "managed" rejects the following features: ${nativeOnly.join(", ")}. ` +
+                `Remove them or switch to runtime: "native".`);
+        }
+    }
     return {
         workspaceId: requireString(value.workspaceId, "workspaceId"),
         idempotencyKey: requireString(value.idempotencyKey, "idempotencyKey"),
+        provider,
+        ...(runtime ? { runtime } : {}),
         submission,
         ...(cleanup ? { cleanup } : {}),
         ...(proxyEndpoints ? { proxyEndpoints } : {}),
         secrets
     };
 }
-function parseFlatSubmission(input) {
+function parseRuntimeKind(input) {
+    if (input === undefined) {
+        return undefined;
+    }
+    if (typeof input !== "string" || !RUNTIME_KINDS.includes(input)) {
+        throw new Error(`runtime must be one of: ${RUNTIME_KINDS.join(", ")} (got ${JSON.stringify(input)})`);
+    }
+    return input;
+}
+function isNativeRuntimeProvider(provider) {
+    return NATIVE_RUNTIME_PROVIDERS.includes(provider);
+}
+function formatProviderList(providers) {
+    return providers.map((p) => `"${p}"`).join(", ");
+}
+function parseRunProvider(input) {
+    if (input === undefined) {
+        return DEFAULT_RUN_PROVIDER;
+    }
+    if (typeof input !== "string" || !RUN_PROVIDERS.includes(input)) {
+        throw new Error(`provider must be one of: ${RUN_PROVIDERS.join(", ")} (got ${JSON.stringify(input)})`);
+    }
+    return input;
+}
+/**
+ * Cross-check the chosen provider against the supplied secrets bundle.
+ *
+ *  - The matching provider's apiKey MUST be present.
+ *  - Every OTHER provider's secret block MUST be absent (cross-provider
+ *    secrets are explicitly rejected, not silently dropped — they are
+ *    almost always a copy-paste mistake or a confused caller, and we
+ *    want to fail loud).
+ *  - MCP / proxy endpoint auth carry across providers and are not
+ *    checked here.
+ */
+function enforceProviderSecretCoupling(provider, secrets) {
+    const required = secrets[provider];
+    if (!required?.apiKey) {
+        throw new Error(`secrets.${provider}.apiKey is required when provider is ${provider}`);
+    }
+    for (const other of PROVIDER_SECRET_KEYS) {
+        if (other === provider) {
+            continue;
+        }
+        if (secrets[other] !== undefined) {
+            throw new Error(`secrets.${other} is not allowed when provider is ${provider}; remove it or set provider to ${other}`);
+        }
+    }
+}
+function parseSubmission(input) {
     const value = requireRecord(input, "submission.submission");
     const allowed = new Set([
         "model",
@@ -759,7 +921,8 @@ function parseFlatSubmission(input) {
         "mcpServers",
         "environment",
         "metadata",
-        "outputDirs"
+        "outputDirs",
+        "builtins"
     ]);
     for (const key of Object.keys(value)) {
         if (!allowed.has(key)) {
@@ -768,14 +931,15 @@ function parseFlatSubmission(input) {
     }
     const model = requireString(value.model, "submission.model");
     const system = optionalString(value.system, "submission.system");
-    const prompt = parseFlatPrompt(value.prompt);
-    const skills = parseFlatSkills(value.skills);
-    const agentsMd = parseFlatAgentsMd(value.agentsMd);
-    const files = parseFlatFiles(value.files);
-    const mcpServers = parseFlatMcpServers(value.mcpServers);
-    const environment = parseTemplateEnvironment(value.environment);
+    const prompt = parsePrompt(value.prompt);
+    const skills = parseSkills(value.skills);
+    const agentsMd = parseAgentsMd(value.agentsMd);
+    const files = parseFiles(value.files);
+    const mcpServers = parseMcpServers(value.mcpServers);
+    const environment = parseEnvironment(value.environment);
     const metadata = optionalJsonRecord(value.metadata, "submission.metadata");
     const outputDirs = parseOutputDirs(value.outputDirs);
+    const builtins = parseBuiltins(value.builtins);
     return {
         model,
         ...(system ? { system } : {}),
@@ -786,9 +950,38 @@ function parseFlatSubmission(input) {
         mcpServers,
         ...(environment ? { environment } : {}),
         ...(metadata ? { metadata } : {}),
-        ...(outputDirs ? { outputDirs } : {})
+        ...(outputDirs ? { outputDirs } : {}),
+        ...(builtins !== undefined ? { builtins } : {})
     };
 }
+const BUILTIN_NAME_PATTERN = /^[a-z][a-z0-9_-]{0,63}$/;
+const MAX_BUILTINS = 16;
+function parseBuiltins(input) {
+    if (input === undefined || input === null)
+        return undefined;
+    if (!Array.isArray(input)) {
+        throw new Error("submission.builtins must be an array of strings");
+    }
+    if (input.length > MAX_BUILTINS) {
+        throw new Error(`submission.builtins exceeds the max of ${MAX_BUILTINS} entries`);
+    }
+    const seen = new Set();
+    const out = [];
+    for (let i = 0; i < input.length; i++) {
+        const v = input[i];
+        if (typeof v !== "string") {
+            throw new Error(`submission.builtins[${i}] must be a string`);
+        }
+        if (!BUILTIN_NAME_PATTERN.test(v)) {
+            throw new Error(`submission.builtins[${i}] (${JSON.stringify(v)}) is not a valid Goose builtin name; expected /^[a-z][a-z0-9_-]{0,63}$/`);
+        }
+        if (seen.has(v))
+            continue; // dedupe silently
+        seen.add(v);
+        out.push(v);
+    }
+    return out;
+}
 /**
  * Maximum number of `outputDirs` entries accepted per submission.
  *
@@ -863,7 +1056,7 @@ function parseOutputDirs(input) {
     }
     return normalised;
 }
-function parseFlatPrompt(input) {
+function parsePrompt(input) {
     if (typeof input === "string") {
         if (input.length === 0) {
             throw new Error("submission.prompt must be non-empty");
@@ -883,138 +1076,87 @@ function parseFlatPrompt(input) {
         return item;
     });
 }
-function parseFlatSkills(input) {
+function parseSkills(input) {
     if (input === undefined) {
         return [];
     }
     if (!Array.isArray(input)) {
         throw new Error("submission.skills must be an array of SkillRef objects");
     }
-    const seenWorkspace = new Set();
     const seenProvider = new Set();
-    const seenTransientSlot = new Set();
+    const seenR2Path = new Set();
     return input.map((item, index) => {
         const ref = parseSkillRef(item, `submission.skills[${index}]`);
-        if (ref.kind === "workspace") {
-            if (seenWorkspace.has(ref.id)) {
-                throw new Error(`submission.skills duplicate workspace skill id: ${ref.id}`);
-            }
-            seenWorkspace.add(ref.id);
-        }
-        else if (ref.kind === "provider") {
+        if (ref.kind === "provider") {
             const key = `${ref.vendor}:${ref.skillId}:${ref.version ?? ""}`;
             if (seenProvider.has(key)) {
                 throw new Error(`submission.skills duplicate provider skill: ${ref.vendor}:${ref.skillId}${ref.version ? `:${ref.version}` : ""}`);
             }
             seenProvider.add(key);
         }
-        else {
-            // transient
-            if (seenTransientSlot.has(ref.slot)) {
-                throw new Error(`submission.skills duplicate transient slot: ${ref.slot}`);
+        else if (ref.kind === "r2") {
+            if (seenR2Path.has(ref.path)) {
+                throw new Error(`submission.skills duplicate r2 path: ${ref.path}`);
             }
-            seenTransientSlot.add(ref.slot);
+            seenR2Path.add(ref.path);
         }
         return ref;
     });
 }
-// Validation shared between AgentsMd and File refs since the wire
-// shape of an inline-supplied ref is identical (slot, name,
-// contentHash). The discriminator (`kind`) differs by call site.
-const WORKSPACE_NAME_PATTERN = /^[a-z0-9][a-z0-9-]{0,62}[a-z0-9]$/;
-function parseTransientWireFields(raw, path) {
-    const slot = raw.slot;
-    if (typeof slot !== "string" || !TRANSIENT_SLOT_PATTERN.test(slot)) {
-        throw new Error(`${path}.slot must match ${TRANSIENT_SLOT_PATTERN.source}`);
-    }
-    const name = raw.name;
-    if (typeof name !== "string" || !WORKSPACE_NAME_PATTERN.test(name)) {
-        throw new Error(`${path}.name must match ${WORKSPACE_NAME_PATTERN.source}`);
-    }
-    const contentHash = raw.contentHash;
-    if (typeof contentHash !== "string" || !TRANSIENT_CONTENT_HASH_PATTERN.test(contentHash)) {
-        throw new Error(`${path}.contentHash must match ${TRANSIENT_CONTENT_HASH_PATTERN.source}`);
-    }
-    return { slot, name, contentHash };
-}
-function parseFlatAgentsMd(input) {
+function parseAgentsMd(input) {
     if (input === undefined)
         return [];
     if (!Array.isArray(input)) {
         throw new Error("submission.agentsMd must be an array of AgentsMdRef objects");
     }
-    const seenWorkspace = new Set();
-    const seenTransientSlot = new Set();
+    const seenR2Path = new Set();
     return input.map((item, index) => {
         const path = `submission.agentsMd[${index}]`;
         if (!item || typeof item !== "object" || Array.isArray(item)) {
             throw new Error(`${path} must be an AgentsMdRef object`);
         }
         const raw = item;
-        if (raw.kind === "workspace_agentsmd") {
-            if (typeof raw.id !== "string" || raw.id.length === 0) {
-                throw new Error(`${path}.id must be a non-empty string`);
-            }
-            if (seenWorkspace.has(raw.id)) {
-                throw new Error(`submission.agentsMd duplicate workspace id: ${raw.id}`);
-            }
-            seenWorkspace.add(raw.id);
-            return { kind: "workspace_agentsmd", id: raw.id };
+        if (raw.kind !== "r2") {
+            throw new Error(`${path}.kind must be 'r2' (got ${JSON.stringify(raw.kind)})`);
         }
-        if (raw.kind === "transient_agentsmd") {
-            const fields = parseTransientWireFields(raw, path);
-            if (seenTransientSlot.has(fields.slot)) {
-                throw new Error(`submission.agentsMd duplicate transient slot: ${fields.slot}`);
-            }
-            seenTransientSlot.add(fields.slot);
-            return { kind: "transient_agentsmd", ...fields };
+        const fields = parseR2RefFields(raw, path);
+        if (seenR2Path.has(fields.path)) {
+            throw new Error(`submission.agentsMd duplicate r2 path: ${fields.path}`);
         }
-        throw new Error(`${path}.kind must be 'workspace_agentsmd' or 'transient_agentsmd' (got ${JSON.stringify(raw.kind)})`);
+        seenR2Path.add(fields.path);
+        return { kind: "r2", path: fields.path, hash: fields.hash, sizeBytes: fields.sizeBytes, name: fields.name };
     });
 }
-function parseFlatFiles(input) {
+function parseFiles(input) {
     if (input === undefined)
         return [];
     if (!Array.isArray(input)) {
         throw new Error("submission.files must be an array of FileRef objects");
     }
-    const seenWorkspace = new Set();
-    const seenTransientSlot = new Set();
+    const seenR2Path = new Set();
     return input.map((item, index) => {
         const path = `submission.files[${index}]`;
         if (!item || typeof item !== "object" || Array.isArray(item)) {
             throw new Error(`${path} must be a FileRef object`);
         }
         const raw = item;
-        if (raw.kind === "workspace_file") {
-            if (typeof raw.id !== "string" || raw.id.length === 0) {
-                throw new Error(`${path}.id must be a non-empty string`);
-            }
-            if (seenWorkspace.has(raw.id)) {
-                throw new Error(`submission.files duplicate workspace id: ${raw.id}`);
-            }
-            seenWorkspace.add(raw.id);
-            return { kind: "workspace_file", id: raw.id };
+        if (raw.kind !== "r2") {
+            throw new Error(`${path}.kind must be 'r2' (got ${JSON.stringify(raw.kind)})`);
         }
-        if (raw.kind === "transient_file") {
-            const fields = parseTransientWireFields(raw, path);
-            if (seenTransientSlot.has(fields.slot)) {
-                throw new Error(`submission.files duplicate transient slot: ${fields.slot}`);
-            }
-            seenTransientSlot.add(fields.slot);
-            const mountPath = raw.mountPath;
-            if (mountPath !== undefined) {
-                if (typeof mountPath !== "string" || !mountPath.startsWith("/") || mountPath.length === 0) {
-                    throw new Error(`${path}.mountPath must be a non-empty absolute path starting with '/'`);
-                }
-                return { kind: "transient_file", ...fields, mountPath };
-            }
-            return { kind: "transient_file", ...fields };
+        const fields = parseR2RefFields(raw, path);
+        if (seenR2Path.has(fields.path)) {
+            throw new Error(`submission.files duplicate r2 path: ${fields.path}`);
+        }
+        seenR2Path.add(fields.path);
+        if (fields.mountPath !== undefined && !fields.mountPath.startsWith("/")) {
+            throw new Error(`${path}.mountPath must start with '/' if provided`);
         }
-        throw new Error(`${path}.kind must be 'workspace_file' or 'transient_file' (got ${JSON.stringify(raw.kind)})`);
+        return fields.mountPath !== undefined
+            ? { kind: "r2", path: fields.path, hash: fields.hash, sizeBytes: fields.sizeBytes, name: fields.name, mountPath: fields.mountPath }
+            : { kind: "r2", path: fields.path, hash: fields.hash, sizeBytes: fields.sizeBytes, name: fields.name };
     });
 }
-function parseFlatMcpServers(input) {
+function parseMcpServers(input) {
     if (input === undefined) {
         return [];
     }
@@ -1031,4 +1173,92 @@ function parseFlatMcpServers(input) {
         return ref;
     });
 }
+// ===========================================================================
+// Runtime dispatcher
+// ===========================================================================
+/**
+ * Codes the dispatcher emits when a submission can't be served by the
+ * selected runtime. Surfaced both at parse time (cross-field shape
+ * mismatch) and at dispatch time (feature mismatch). Code values are
+ * stable so dashboard / SDK error rendering can branch on them.
+ */
+export const RUNTIME_VALIDATION_CODES = [
+    "runtime_native_unsupported",
+    "feature_runtime_mismatch"
+];
+/**
+ * Thrown by `parseRunSubmissionRequest` (wire-shape mismatch) and by
+ * `selectRuntime` (feature mismatch) when the submitted run cannot be
+ * served by the chosen runtime. The `code` field is part of the public
+ * contract — keep it stable when phrasings change.
+ */
+export class RuntimeValidationError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = "RuntimeValidationError";
+        this.code = code;
+    }
+}
+/**
+ * Walk the parsed submission and collect every feature that **only**
+ * works on the Anthropic Native runtime. Today the only such feature
+ * is a provider built-in skill ref (`Skill.provider(...)` — the
+ * Anthropic Skills API is the resolver). Adding a new native-only
+ * feature means extending this function AND the matching error string
+ * in {@link selectRuntime}.
+ *
+ * Exported because Phase 5's runtime dispatcher route handler reuses
+ * it to format the API error body and the dashboard reuses it to point
+ * the user at the offending submission field.
+ */
+export function collectNativeOnlyFeatures(req) {
+    const features = [];
+    for (const skill of req.submission.skills) {
+        if (skill.kind === "provider") {
+            const versionSuffix = skill.version ? `, "${skill.version}"` : "";
+            features.push(`Skill.provider("${skill.vendor}", "${skill.skillId}"${versionSuffix})`);
+        }
+    }
+    return features;
+}
+/**
+ * The runtime dispatcher. Pure function with no I/O — call it after
+ * `parseRunSubmissionRequest` to decide which Workflow class consumes
+ * the run.
+ *
+ *   1. If the customer set `runtime` explicitly, validate that choice
+ *      against the submission's provider and feature set. Reject with
+ *      a typed error on mismatch — no silent re-routing.
+ *   2. Otherwise auto-route: `provider: "anthropic"` → `"native"` (the
+ *      cheapest + fastest path for Anthropic runs); everything else →
+ *      `"managed"`.
+ *
+ * Returns the resolved {@link RuntimeKind}; the Workflow dispatcher
+ * (Phase 5) maps that 1:1 to the matching `WorkflowEntrypoint` class.
+ * See `references/platform-rebuild-2026.md` (Runtime dispatcher logic).
+ */
+export function selectRuntime(req) {
+    if (req.runtime === "native") {
+        if (!isNativeRuntimeProvider(req.provider)) {
+            throw new RuntimeValidationError("runtime_native_unsupported", `runtime: "native" is only supported for provider: ${formatProviderList(NATIVE_RUNTIME_PROVIDERS)} (got provider: "${req.provider}")`);
+        }
+        return "native";
+    }
+    if (req.runtime === "managed") {
+        const features = collectNativeOnlyFeatures(req);
+        if (features.length > 0) {
+            throw new RuntimeValidationError("feature_runtime_mismatch", `runtime: "managed" rejects the following features: ${features.join(", ")}. ` +
+                `Remove them or switch to runtime: "native".`);
+        }
+        return "managed";
+    }
+    // Auto-routing — no explicit `runtime` on the submission. Anthropic
+    // gets the Native runtime by default (cheaper + faster for Anthropic
+    // runs); everything else routes to the Goose Managed runtime.
+    if (isNativeRuntimeProvider(req.provider)) {
+        return "native";
+    }
+    return "managed";
+}
 //# sourceMappingURL=submission.js.map