antpath 0.4.1 → 0.6.1

package/dist/_shared/blueprint.js

@@ -291,6 +291,13 @@ export function parseMcpServerRef(input, path) {
         if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
             throw new Error(`${path}.url must use http or https (got ${parsed.protocol})`);
         }
+        // Auth belongs in `secrets.mcpServers[i].headers`, never in the URL
+        // itself. A `https://user:pass@host` style URL would be persisted in
+        // the non-secret run snapshot and hashed into the idempotency key —
+        // both unacceptable for credential material.
+        if (parsed.username !== "" || parsed.password !== "") {
+            throw new Error(`${path}.url must not contain userinfo (username/password); use secrets.mcpServers[].headers for auth`);
+        }
     }
     catch (cause) {
         if (cause instanceof Error && cause.message.startsWith(path)) {

package/dist/_shared/operations.js

@@ -63,10 +63,11 @@ export async function createSkillBundle(http, args) {
     form.append("name", args.name);
     const blobBody = toBlob(args.body, args.contentType ?? "application/zip");
     form.append("bundle", blobBody, args.filename ?? `${args.name}.zip`);
-    return http.request("/api/skills", {
+    const result = await http.request("/api/skills", {
         method: "POST",
         body: form
     });
+    return unwrapSkill(result);
 }
 export async function listSkills(http) {
     const result = await http.request("/api/skills");
@@ -76,13 +77,20 @@ export async function listSkills(http) {
     return result.skills;
 }
 export async function getSkill(http, skillId) {
-    return http.request(`/api/skills/${encodeURIComponent(skillId)}`);
+    const result = await http.request(`/api/skills/${encodeURIComponent(skillId)}`);
+    return unwrapSkill(result);
 }
 export async function deleteSkill(http, skillId) {
     await http.request(`/api/skills/${encodeURIComponent(skillId)}`, {
         method: "DELETE"
     });
 }
+function unwrapSkill(result) {
+    if (result && typeof result === "object" && "skill" in result) {
+        return result.skill;
+    }
+    return result;
+}
 function toBlob(input, contentType) {
     if (input instanceof Blob) {
         return input;

package/dist/_shared/submission.js

@@ -793,7 +793,25 @@ function parseFlatSkills(input) {
     if (!Array.isArray(input)) {
         throw new Error("submission.skills must be an array of SkillRef objects");
     }
-    return input.map((item, index) => parseSkillRef(item, `submission.skills[${index}]`));
+    const seenWorkspace = new Set();
+    const seenProvider = new Set();
+    return input.map((item, index) => {
+        const ref = parseSkillRef(item, `submission.skills[${index}]`);
+        if (ref.kind === "workspace") {
+            if (seenWorkspace.has(ref.id)) {
+                throw new Error(`submission.skills duplicate workspace skill id: ${ref.id}`);
+            }
+            seenWorkspace.add(ref.id);
+        }
+        else {
+            const key = `${ref.vendor}:${ref.skillId}:${ref.version ?? ""}`;
+            if (seenProvider.has(key)) {
+                throw new Error(`submission.skills duplicate provider skill: ${ref.vendor}:${ref.skillId}${ref.version ? `:${ref.version}` : ""}`);
+            }
+            seenProvider.add(key);
+        }
+        return ref;
+    });
 }
 function parseFlatMcpServers(input) {
     if (input === undefined) {

package/dist/blueprint.d.ts

@@ -0,0 +1,33 @@
+import type { JsonValue, PlatformCleanupPolicy, PlatformProxyEndpoint, PlatformTemplateEnvironment } from "./_shared/index.js";
+import type { McpServer } from "./mcp-server.js";
+import type { Skill } from "./skill.js";
+/**
+ * SDK-side blueprint. Mirrors the shared `Blueprint` shape but uses the
+ * SDK's `Skill` and `McpServer` classes so call sites can write
+ * `skills: [rules]` and `mcpServers: [gh]` instead of repeating the
+ * underlying wire types. The `submitRun` method normalises these into
+ * the wire submission + secrets bag before sending.
+ *
+ * `Blueprint` is intentionally `Omit<SubmitRunOptions, "secrets" |
+ * "idempotencyKey" | "signal">` so it can be embedded as a reusable,
+ * credential-free fragment via `defineRun`.
+ */
+export interface Blueprint {
+    readonly model: string;
+    readonly system?: string;
+    readonly prompt: string | readonly string[];
+    readonly skills?: readonly Skill[];
+    readonly mcpServers?: readonly McpServer[];
+    readonly environment?: PlatformTemplateEnvironment;
+    readonly cleanup?: PlatformCleanupPolicy;
+    readonly proxyEndpoints?: readonly PlatformProxyEndpoint[];
+    readonly metadata?: Record<string, JsonValue>;
+}
+/**
+ * Wrap a `(params) => Blueprint` factory. The wrapper is identity at
+ * runtime; the value of `defineRun` is purely the type boundary it
+ * imposes — it forces the producer to return a `Blueprint` (no
+ * `secrets`, no `idempotencyKey`, no `signal`) so callers cannot
+ * accidentally bake credentials into a reusable artifact.
+ */
+export declare function defineRun<TParams>(producer: (params: TParams) => Blueprint): (params: TParams) => Blueprint;

package/dist/blueprint.js

@@ -0,0 +1,14 @@
+/**
+ * Wrap a `(params) => Blueprint` factory. The wrapper is identity at
+ * runtime; the value of `defineRun` is purely the type boundary it
+ * imposes — it forces the producer to return a `Blueprint` (no
+ * `secrets`, no `idempotencyKey`, no `signal`) so callers cannot
+ * accidentally bake credentials into a reusable artifact.
+ */
+export function defineRun(producer) {
+    if (typeof producer !== "function") {
+        throw new TypeError("defineRun expects a function");
+    }
+    return (params) => producer(params);
+}
+//# sourceMappingURL=blueprint.js.map

package/dist/blueprint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"blueprint.js","sourceRoot":"","sources":["../src/blueprint.ts"],"names":[],"mappings":"AAgCA;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAU,QAAwC;IACzE,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE,CAAC;QACnC,MAAM,IAAI,SAAS,CAAC,8BAA8B,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,CAAC,MAAe,EAAa,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC"}

package/dist/bundle.d.ts

@@ -0,0 +1,18 @@
+/**
+ * In-memory skill bundle: a flat path -> bytes map and the
+ * deterministically-zipped representation.
+ *
+ * The SDK runs only the cheap, safety-critical checks here
+ * (`validateSkillBundleEntry`: no `..`, no absolute paths, no Windows
+ * backslashes, depth/length limits). The BFF re-canonicalises and
+ * recomputes the canonical hash on receipt — SDK-side hashing is NOT
+ * part of any contract, so we don't expose one.
+ */
+export interface BundledSkill {
+    readonly zip: Uint8Array;
+    readonly fileCount: number;
+    readonly compressedSize: number;
+}
+/** Inline files map: path -> contents (UTF-8 string or raw bytes). */
+export type SkillFiles = Readonly<Record<string, string | Uint8Array>>;
+export declare function bundleSkillFiles(files: SkillFiles): BundledSkill;

package/dist/bundle.js

@@ -0,0 +1,55 @@
+import { zipSync } from "fflate";
+import { SKILL_BUNDLE_LIMITS, validateSkillBundleEntry } from "./_shared/index.js";
+const TEXT = new TextEncoder();
+export function bundleSkillFiles(files) {
+    if (!files || typeof files !== "object") {
+        throw new Error("Skill files map is required");
+    }
+    const entries = Object.entries(files);
+    if (entries.length === 0) {
+        throw new Error("Skill files map cannot be empty");
+    }
+    if (entries.length > SKILL_BUNDLE_LIMITS.maxFiles) {
+        throw new Error(`Skill bundle exceeds ${SKILL_BUNDLE_LIMITS.maxFiles} file limit (got ${entries.length})`);
+    }
+    const collected = new Map();
+    let hasSkillMd = false;
+    let totalDecompressed = 0;
+    for (const [rawPath, contents] of entries) {
+        const bytes = typeof contents === "string" ? TEXT.encode(contents) : contents;
+        if (!(bytes instanceof Uint8Array)) {
+            throw new Error(`Skill file "${rawPath}" must be a string or Uint8Array`);
+        }
+        const entry = validateSkillBundleEntry({ path: rawPath, size: bytes.byteLength });
+        if (entry.path === "SKILL.md") {
+            hasSkillMd = true;
+        }
+        totalDecompressed += bytes.byteLength;
+        if (totalDecompressed > SKILL_BUNDLE_LIMITS.maxDecompressedBytes) {
+            throw new Error(`Skill bundle exceeds decompressed cap of ${SKILL_BUNDLE_LIMITS.maxDecompressedBytes} bytes`);
+        }
+        if (collected.has(entry.path)) {
+            throw new Error(`Skill bundle contains duplicate path: ${entry.path}`);
+        }
+        collected.set(entry.path, bytes);
+    }
+    if (!hasSkillMd) {
+        throw new Error('Skill bundle must contain a "SKILL.md" file at the root');
+    }
+    // Sort entries and pin every mtime to the epoch so the byte output is
+    // identical across machines and re-runs (the BFF re-canonicalises and
+    // recomputes the canonical hash, so this is for retry-safety / debug
+    // reproducibility rather than a wire-shape contract).
+    const sorted = [...collected.entries()].sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0));
+    const zippable = {};
+    for (const [path, bytes] of sorted) {
+        zippable[path] = [bytes, { mtime: ZIP_EPOCH }];
+    }
+    const zip = zipSync(zippable, { level: 6 });
+    if (zip.byteLength > SKILL_BUNDLE_LIMITS.maxCompressedBytes) {
+        throw new Error(`Skill bundle exceeds compressed cap of ${SKILL_BUNDLE_LIMITS.maxCompressedBytes} bytes (got ${zip.byteLength})`);
+    }
+    return { zip, fileCount: entries.length, compressedSize: zip.byteLength };
+}
+const ZIP_EPOCH = new Date(Date.UTC(1980, 0, 1));
+//# sourceMappingURL=bundle.js.map

package/dist/bundle.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundle.js","sourceRoot":"","sources":["../src/bundle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAiB,MAAM,QAAQ,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAC;AAkBhF,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;AAK/B,MAAM,UAAU,gBAAgB,CAAC,KAAiB;IAChD,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,mBAAmB,CAAC,QAAQ,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,wBAAwB,mBAAmB,CAAC,QAAQ,oBAAoB,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7G,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,GAAG,EAAsB,CAAC;IAChD,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,iBAAiB,GAAG,CAAC,CAAC;IAE1B,KAAK,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,OAAO,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,OAAO,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC9E,IAAI,CAAC,CAAC,KAAK,YAAY,UAAU,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,eAAe,OAAO,kCAAkC,CAAC,CAAC;QAC5E,CAAC;QACD,MAAM,KAAK,GAAG,wBAAwB,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC;QAClF,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC9B,UAAU,GAAG,IAAI,CAAC;QACpB,CAAC;QACD,iBAAiB,IAAI,KAAK,CAAC,UAAU,CAAC;QACtC,IAAI,iBAAiB,GAAG,mBAAmB,CAAC,oBAAoB,EAAE,CAAC;YACjE,MAAM,IAAI,KAAK,CACb,4CAA4C,mBAAmB,CAAC,oBAAoB,QAAQ,CAC7F,CAAC;QACJ,CAAC;QACD,IAAI,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,yCAAyC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QACzE,CAAC;QACD,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IAED,sEAAsE;IACtE,sEAAsE;IACtE,qEAAqE;IACrE,sDAAsD;IACtD,MAAM,MAAM,GAAG,CAAC,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACjG,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,EAAE,CAAC;QACnC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;IAC5C,IAAI,GAAG,CAAC,UAAU,GAAG,mBAAmB,CAAC,kBAAkB,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CACb,0CAA0C,mBAAmB,CAAC,kBAAkB,eAAe,GAAG,CAAC,UAAU,GAAG,CACjH,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,MAAM,EAAE,cAAc,EAAE,GAAG,CAAC,UAAU,EAAE,CAAC;AAC5E,CAAC;AAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC"}