antpath 0.6.2 → 0.8.0

package/dist/_shared/blueprint.d.ts

@@ -4,11 +4,16 @@
  * Concepts (mirrored in references/architecture-decisions.md):
  *
  *   - `SkillRef` is the wire-level reference to a skill — either an
- *     `skl_*` id pointing at a workspace-uploaded bundle, or a
- *     `{vendor, skillId, version}` reference to a provider built-in.
- *     The two shapes are discriminated by `kind` so consumers branch
- *     mechanically and providers can never accidentally be looked up
- *     in `skill_bundles`.
+ *     `skl_*` id pointing at a workspace-uploaded bundle, a
+ *     `{vendor, skillId, version}` reference to a provider built-in, or
+ *     a `{slot, name, contentHash}` reference to per-run bytes attached
+ *     as a multipart part on the submitRun call (and torn down at run
+ *     terminal). The three shapes are discriminated by `kind` so
+ *     consumers branch mechanically and providers can never accidentally
+ *     be looked up in `skill_bundles`. Transient refs do NOT round-trip
+ *     through JSON (bytes can't be serialised back); `parseBlueprint`
+ *     therefore rejects them while the BFF multipart submission parser
+ *     accepts them.
  *
  *   - `McpServerRef` is the non-secret part of an MCP server declaration:
  *     `name` and `url`. Bearer / cookie / per-request headers travel in
@@ -73,7 +78,7 @@ export declare const SKILL_BUNDLE_LIMITS: {
     /** Stored directory mode. */
     readonly defaultDirMode: 493;
 };
-export type SkillRef = WorkspaceSkillRef | ProviderSkillRef;
+export type SkillRef = WorkspaceSkillRef | ProviderSkillRef | TransientSkillRef;
 export interface WorkspaceSkillRef {
     readonly kind: "workspace";
     readonly id: string;
@@ -84,14 +89,68 @@ export interface ProviderSkillRef {
     readonly skillId: string;
     readonly version?: string;
 }
+/**
+ * Per-run, non-persistent skill. The bytes ride alongside the JSON
+ * submission as a `name="skill:<slot>"` multipart body part and are
+ * uploaded by the BFF directly to the provider's per-run file storage.
+ * No `skill_bundles` row, no `run_skill_snapshots` entry, no platform
+ * storage stop — the BFF tears the file down at run terminal.
+ *
+ * `slot` is an SDK-assigned local id that pairs this ref with its
+ * multipart part within a single `submitRun` call. The BFF rejects any
+ * submission where the set of `kind:"transient"` refs doesn't have a
+ * strict 1:1 match against `name="skill:<slot>"` body parts.
+ *
+ * `contentHash` is a client-side advisory hash of the canonicalised zip
+ * (`sha256:<64 hex>`). The BFF recomputes server-side and rejects on
+ * mismatch; the value is also used by the janitor for orphan
+ * reconciliation. It MUST be deterministic across retries so the
+ * idempotency hash converges.
+ *
+ * Transient refs DO NOT round-trip safely through JSON — the bytes are
+ * not in the JSON and cannot be reconstructed. `parseBlueprint` rejects
+ * them (Blueprints are JSON-persistable and bytes are gone by the time
+ * `run.json` is loaded). `parseFlatSkills` accepts them (the BFF
+ * multipart parser is the only place that carries the matching bytes).
+ */
+export interface TransientSkillRef {
+    readonly kind: "transient";
+    readonly slot: string;
+    readonly name: string;
+    readonly contentHash: string;
+}
+/**
+ * Slot id format: `^[a-z][a-z0-9_-]{0,63}$`. The SDK generates these
+ * positionally as `transient-0`, `transient-1`, … but any client may
+ * supply an explicit slot as long as it matches the pattern and is
+ * unique within the submission.
+ */
+export declare const TRANSIENT_SLOT_PATTERN: RegExp;
+/**
+ * Content-hash format: `^sha256:[0-9a-f]{64}$` (lowercase hex). The
+ * BFF accepts only this exact prefix; uppercase, base64, or any other
+ * digest is rejected so the wire form has one stable representation.
+ */
+export declare const TRANSIENT_CONTENT_HASH_PATTERN: RegExp;
 export declare function isWorkspaceSkillRef(ref: SkillRef): ref is WorkspaceSkillRef;
 export declare function isProviderSkillRef(ref: SkillRef): ref is ProviderSkillRef;
+export declare function isTransientSkillRef(ref: SkillRef): ref is TransientSkillRef;
+/**
+ * Options accepted by `parseSkillRef`. The default (`allowTransient: true`)
+ * is the BFF submission parser path. The Blueprint parser passes
+ * `allowTransient: false` because Blueprints can be persisted to disk
+ * (`antpath run --config run.json`) and the bytes carrying the
+ * transient slot would already be gone.
+ */
+export interface ParseSkillRefOptions {
+    readonly allowTransient?: boolean;
+}
 /**
  * Parse a `SkillRef` from untrusted input. Used by the BFF run parser
  * and by the operations module when deserialising API responses. Throws
  * with a precise path so the caller can surface a usable error.
  */
-export declare function parseSkillRef(input: unknown, path: string): SkillRef;
+export declare function parseSkillRef(input: unknown, path: string, options?: ParseSkillRefOptions): SkillRef;
 /**
  * Manifest entry persisted in `skill_bundles.manifest` and
  * `run_skill_snapshots.manifest`. `path` is forward-slash, relative,

package/dist/_shared/blueprint.js

@@ -4,11 +4,16 @@
  * Concepts (mirrored in references/architecture-decisions.md):
  *
  *   - `SkillRef` is the wire-level reference to a skill — either an
- *     `skl_*` id pointing at a workspace-uploaded bundle, or a
- *     `{vendor, skillId, version}` reference to a provider built-in.
- *     The two shapes are discriminated by `kind` so consumers branch
- *     mechanically and providers can never accidentally be looked up
- *     in `skill_bundles`.
+ *     `skl_*` id pointing at a workspace-uploaded bundle, a
+ *     `{vendor, skillId, version}` reference to a provider built-in, or
+ *     a `{slot, name, contentHash}` reference to per-run bytes attached
+ *     as a multipart part on the submitRun call (and torn down at run
+ *     terminal). The three shapes are discriminated by `kind` so
+ *     consumers branch mechanically and providers can never accidentally
+ *     be looked up in `skill_bundles`. Transient refs do NOT round-trip
+ *     through JSON (bytes can't be serialised back); `parseBlueprint`
+ *     therefore rejects them while the BFF multipart submission parser
+ *     accepts them.
  *
  *   - `McpServerRef` is the non-secret part of an MCP server declaration:
  *     `name` and `url`. Bearer / cookie / per-request headers travel in
@@ -78,18 +83,34 @@ export const SKILL_BUNDLE_LIMITS = {
     /** Stored directory mode. */
     defaultDirMode: 0o755
 };
+/**
+ * Slot id format: `^[a-z][a-z0-9_-]{0,63}$`. The SDK generates these
+ * positionally as `transient-0`, `transient-1`, … but any client may
+ * supply an explicit slot as long as it matches the pattern and is
+ * unique within the submission.
+ */
+export const TRANSIENT_SLOT_PATTERN = /^[a-z][a-z0-9_-]{0,63}$/;
+/**
+ * Content-hash format: `^sha256:[0-9a-f]{64}$` (lowercase hex). The
+ * BFF accepts only this exact prefix; uppercase, base64, or any other
+ * digest is rejected so the wire form has one stable representation.
+ */
+export const TRANSIENT_CONTENT_HASH_PATTERN = /^sha256:[0-9a-f]{64}$/;
 export function isWorkspaceSkillRef(ref) {
     return ref.kind === "workspace";
 }
 export function isProviderSkillRef(ref) {
     return ref.kind === "provider";
 }
+export function isTransientSkillRef(ref) {
+    return ref.kind === "transient";
+}
 /**
  * Parse a `SkillRef` from untrusted input. Used by the BFF run parser
  * and by the operations module when deserialising API responses. Throws
  * with a precise path so the caller can surface a usable error.
  */
-export function parseSkillRef(input, path) {
+export function parseSkillRef(input, path, options = {}) {
     if (input === null || typeof input !== "object" || Array.isArray(input)) {
         throw new Error(`${path} must be a SkillRef object`);
     }
@@ -132,7 +153,31 @@ export function parseSkillRef(input, path) {
             ...(version !== undefined ? { version } : {})
         };
     }
-    throw new Error(`${path}.kind must be 'workspace' or 'provider'`);
+    if (kind === "transient") {
+        if (options.allowTransient === false) {
+            throw new Error(`${path} carries a transient SkillRef, which cannot round-trip through JSON — ` +
+                `transient skills must be supplied at submitRun time with their bytes attached`);
+        }
+        for (const key of Object.keys(record)) {
+            if (key !== "kind" && key !== "slot" && key !== "name" && key !== "contentHash") {
+                throw new Error(`${path} contains unexpected field for transient SkillRef: ${key}`);
+            }
+        }
+        const slot = record.slot;
+        if (typeof slot !== "string" || !TRANSIENT_SLOT_PATTERN.test(slot)) {
+            throw new Error(`${path}.slot must match ${TRANSIENT_SLOT_PATTERN.source}`);
+        }
+        const name = record.name;
+        if (typeof name !== "string" || !SKILL_NAME_PATTERN.test(name)) {
+            throw new Error(`${path}.name must match ${SKILL_NAME_PATTERN.source}`);
+        }
+        const contentHash = record.contentHash;
+        if (typeof contentHash !== "string" || !TRANSIENT_CONTENT_HASH_PATTERN.test(contentHash)) {
+            throw new Error(`${path}.contentHash must match ${TRANSIENT_CONTENT_HASH_PATTERN.source}`);
+        }
+        return { kind: "transient", slot, name, contentHash };
+    }
+    throw new Error(`${path}.kind must be 'workspace', 'provider', or 'transient'`);
 }
 export class SkillBundleValidationError extends Error {
     constructor(message) {
@@ -466,7 +511,7 @@ function parseBlueprintSkills(value) {
     if (!Array.isArray(value)) {
         throw new Error("Blueprint.skills must be an array");
     }
-    return value.map((item, index) => parseSkillRef(item, `Blueprint.skills[${index}]`));
+    return value.map((item, index) => parseSkillRef(item, `Blueprint.skills[${index}]`, { allowTransient: false }));
 }
 function parseBlueprintMcpServers(value) {
     if (value === undefined) {

package/dist/_shared/operations.d.ts

@@ -22,7 +22,39 @@ export declare function createOutputLink(http: HttpClient, runId: string, output
 export declare function cancelRun(http: HttpClient, runId: string): Promise<void>;
 export declare function deleteRun(http: HttpClient, runId: string): Promise<void>;
 export declare function whoami(http: HttpClient): Promise<WhoAmI>;
+/**
+ * Stream the per-run archive zip from the BFF. Returns the raw
+ * `Response` so callers can pipe the body to disk without buffering
+ * the whole archive in memory.
+ *
+ * The archive lifecycle contract lives in
+ * `apps/dashboard/src/server/run-archive.ts` and
+ * `packages/sdk/docs/outputs.md`. Pre-session runs reject with HTTP
+ * 409 `run_not_started`; mid-session and terminal both produce the
+ * same archive layout and differ only in `manifest.json`'s `source`
+ * + `partial` fields.
+ */
+export declare function downloadRunArchive(http: HttpClient, runId: string): Promise<Response>;
 export declare function submitRunFlat(http: HttpClient, request: PlatformFlatRunSubmissionInput): Promise<Run>;
+/**
+ * Multipart variant of `submitRunFlat` for runs that carry transient
+ * (per-run) skill bundles. The JSON submission travels as the
+ * `submission` part; each `TransientSkillRef.slot` in
+ * `request.submission.skills` MUST be mirrored by exactly one
+ * `skill:<slot>` part with the bundle bytes.
+ *
+ * The BFF re-canonicalises and re-hashes each bundle; a `contentHash`
+ * mismatch between the JSON ref and the recomputed hash of the bytes
+ * is rejected with a deterministic error.
+ *
+ * Bytes never persist on antpath storage; the dashboard BFF uploads
+ * them straight to Anthropic Files for the lifetime of the run.
+ */
+export declare function submitRunFlatMultipart(http: HttpClient, request: PlatformFlatRunSubmissionInput, bundles: ReadonlyArray<{
+    readonly slot: string;
+    readonly bytes: Uint8Array;
+    readonly filename: string;
+}>): Promise<Run>;
 /**
  * Upload a workspace skill bundle as a zip blob. The dashboard BFF runs
  * the two-phase flow internally (insert pending row, stream bytes into
@@ -40,3 +72,23 @@ export declare function createSkillBundle(http: HttpClient, args: {
 export declare function listSkills(http: HttpClient): Promise<readonly Skill[]>;
 export declare function getSkill(http: HttpClient, skillId: string): Promise<Skill>;
 export declare function deleteSkill(http: HttpClient, skillId: string): Promise<void>;
+/**
+ * Lookup a live workspace skill by `(name, contentHash)`. Returns the
+ * matching `Skill` record or null when no live row carries that hash.
+ *
+ * `contentHash` is the wire format `sha256:<hex>` as returned by
+ * `hashSkillBundle`. This powers `Skill.uploadIfChanged` — the SDK
+ * computes the hash locally and calls this function to skip the upload
+ * when the bytes already exist.
+ */
+export declare function findSkillByHash(http: HttpClient, args: {
+    readonly name: string;
+    readonly contentHash: string;
+}): Promise<Skill | null>;
+/**
+ * Lookup a live workspace skill by `name`. Returns the matching `Skill`
+ * record or null when no live row carries that name. Implemented as a
+ * list-and-filter on the existing `/api/skills` endpoint — the
+ * indexed by-hash route is reserved for `uploadIfChanged`.
+ */
+export declare function findSkillByName(http: HttpClient, name: string): Promise<Skill | null>;

package/dist/_shared/operations.js

@@ -41,6 +41,22 @@ export async function deleteRun(http, runId) {
 export async function whoami(http) {
     return http.request("/api/whoami");
 }
+/**
+ * Stream the per-run archive zip from the BFF. Returns the raw
+ * `Response` so callers can pipe the body to disk without buffering
+ * the whole archive in memory.
+ *
+ * The archive lifecycle contract lives in
+ * `apps/dashboard/src/server/run-archive.ts` and
+ * `packages/sdk/docs/outputs.md`. Pre-session runs reject with HTTP
+ * 409 `run_not_started`; mid-session and terminal both produce the
+ * same archive layout and differ only in `manifest.json`'s `source`
+ * + `partial` fields.
+ */
+export async function downloadRunArchive(http, runId) {
+    const { response } = await http.download(`/api/runs/${encodeURIComponent(runId)}/download`);
+    return response;
+}
 // ===========================================================================
 // Flat (Skill / McpServer / Blueprint) operations
 // ===========================================================================
@@ -50,6 +66,46 @@ export async function submitRunFlat(http, request) {
         body: JSON.stringify(request)
     });
 }
+/**
+ * Multipart variant of `submitRunFlat` for runs that carry transient
+ * (per-run) skill bundles. The JSON submission travels as the
+ * `submission` part; each `TransientSkillRef.slot` in
+ * `request.submission.skills` MUST be mirrored by exactly one
+ * `skill:<slot>` part with the bundle bytes.
+ *
+ * The BFF re-canonicalises and re-hashes each bundle; a `contentHash`
+ * mismatch between the JSON ref and the recomputed hash of the bytes
+ * is rejected with a deterministic error.
+ *
+ * Bytes never persist on antpath storage; the dashboard BFF uploads
+ * them straight to Anthropic Files for the lifetime of the run.
+ */
+export async function submitRunFlatMultipart(http, request, bundles) {
+    if (!Array.isArray(bundles) || bundles.length === 0) {
+        throw new Error("submitRunFlatMultipart: bundles must be a non-empty array");
+    }
+    const form = new FormData();
+    // Submission rides as a typed JSON Blob so the BFF reads
+    // `multipart["submission"]` with the right content-type and never
+    // has to re-detect the body shape.
+    form.append("submission", new Blob([JSON.stringify(request)], { type: "application/json" }), "submission.json");
+    const seen = new Set();
+    for (const bundle of bundles) {
+        if (typeof bundle.slot !== "string" || !bundle.slot) {
+            throw new Error("submitRunFlatMultipart: each bundle must have a non-empty slot id");
+        }
+        if (seen.has(bundle.slot)) {
+            throw new Error(`submitRunFlatMultipart: duplicate transient skill slot "${bundle.slot}"`);
+        }
+        seen.add(bundle.slot);
+        const blob = toBlob(bundle.bytes, "application/zip");
+        form.append(`skill:${bundle.slot}`, blob, bundle.filename);
+    }
+    return http.request("/api/runs", {
+        method: "POST",
+        body: form
+    });
+}
 /**
  * Upload a workspace skill bundle as a zip blob. The dashboard BFF runs
  * the two-phase flow internally (insert pending row, stream bytes into
@@ -85,6 +141,33 @@ export async function deleteSkill(http, skillId) {
         method: "DELETE"
     });
 }
+/**
+ * Lookup a live workspace skill by `(name, contentHash)`. Returns the
+ * matching `Skill` record or null when no live row carries that hash.
+ *
+ * `contentHash` is the wire format `sha256:<hex>` as returned by
+ * `hashSkillBundle`. This powers `Skill.uploadIfChanged` — the SDK
+ * computes the hash locally and calls this function to skip the upload
+ * when the bytes already exist.
+ */
+export async function findSkillByHash(http, args) {
+    const params = new URLSearchParams({
+        name: args.name,
+        content_hash: args.contentHash
+    });
+    const result = await http.request(`/api/skills/by-hash?${params.toString()}`);
+    return result.skill ?? null;
+}
+/**
+ * Lookup a live workspace skill by `name`. Returns the matching `Skill`
+ * record or null when no live row carries that name. Implemented as a
+ * list-and-filter on the existing `/api/skills` endpoint — the
+ * indexed by-hash route is reserved for `uploadIfChanged`.
+ */
+export async function findSkillByName(http, name) {
+    const skills = await listSkills(http);
+    return skills.find((skill) => skill.name === name) ?? null;
+}
 function unwrapSkill(result) {
     if (result && typeof result === "object" && "skill" in result) {
         return result.skill;

package/dist/_shared/proxy-protocol.d.ts

@@ -67,8 +67,16 @@ export interface ProxyIndexEntry {
  * The actual auth value lives in the run's Vault bundle under
  * `secrets.proxyEndpointAuth[i].value` and is never reflected back
  * into the container or index file.
+ *
+ * The `none` variant declares an upstream that takes no auth (public
+ * APIs like Wikimedia Commons or NASA Images). It still routes through
+ * the proxy for unified egress, audit, and budget enforcement, but
+ * carries no `proxyEndpointAuth[]` entry and the BFF injects no
+ * header or query value.
  */
 export type ProxyAuthShape = {
+    readonly type: "none";
+} | {
     readonly type: "bearer";
 } | {
     readonly type: "basic";
@@ -82,7 +90,7 @@ export type ProxyAuthShape = {
 export type ProxyAuthType = ProxyAuthShape["type"];
 /**
  * Header name (lowercase) that an upstream auth shape uses as its
- * carrier. Returns `undefined` for query-based auth.
+ * carrier. Returns `undefined` for query-based and keyless auth.
  *
  * Used by the submission parser to forbid `allowHeaders` from listing
  * the auth header (avoids leaks via caller-supplied headers), and by
@@ -92,7 +100,7 @@ export type ProxyAuthType = ProxyAuthShape["type"];
 export declare function authShapeHeaderName(shape: ProxyAuthShape): string | undefined;
 /**
  * Query-string key that an upstream query-based auth shape uses as its
- * carrier. Returns `undefined` for non-query shapes.
+ * carrier. Returns `undefined` for non-query shapes (including "none").
  */
 export declare function authShapeQueryName(shape: ProxyAuthShape): string | undefined;
 /**

package/dist/_shared/proxy-protocol.js

@@ -66,7 +66,7 @@ export const PROXY_ERROR_CODES = [
 ];
 /**
  * Header name (lowercase) that an upstream auth shape uses as its
- * carrier. Returns `undefined` for query-based auth.
+ * carrier. Returns `undefined` for query-based and keyless auth.
  *
  * Used by the submission parser to forbid `allowHeaders` from listing
  * the auth header (avoids leaks via caller-supplied headers), and by
@@ -81,12 +81,13 @@ export function authShapeHeaderName(shape) {
         case "header":
             return shape.name.toLowerCase();
         case "query":
+        case "none":
             return undefined;
     }
 }
 /**
  * Query-string key that an upstream query-based auth shape uses as its
- * carrier. Returns `undefined` for non-query shapes.
+ * carrier. Returns `undefined` for non-query shapes (including "none").
  */
 export function authShapeQueryName(shape) {
     return shape.type === "query" ? shape.name : undefined;

package/dist/_shared/runtime-types.d.ts

@@ -71,6 +71,25 @@ export interface WhoAmI {
     readonly tokenId?: string;
     readonly tokenName?: string | null;
     readonly scopes?: readonly string[];
+    /**
+     * Workspace-level caps the BFF will enforce on subsequent calls.
+     * Surfaced so consumers (e.g. broll's app-side admission gate) can
+     * decide whether to keep their own gate or rely on platform headers.
+     * All fields optional — older BFFs may omit. Numbers are concrete
+     * snapshots at the time of the `whoami` call.
+     */
+    readonly caps?: {
+        /** Token-bucket cap on POST /api/runs per minute, per workspace. */
+        readonly runSubmitPerMinute?: number;
+        /** Hard cap on concurrent non-terminal runs the workspace may hold. */
+        readonly maxConcurrentRuns?: number;
+        /** Storage cap (bytes) on captured output objects, workspace-wide. */
+        readonly storageCapBytes?: number;
+        /** Current captured-output usage in bytes. */
+        readonly storageUsedBytes?: number;
+        /** Wall-clock ceiling on a single run before forced termination. */
+        readonly maxRunDurationMs?: number;
+    };
     readonly [key: string]: unknown;
 }
 /**

package/dist/_shared/submission.d.ts

@@ -175,6 +175,27 @@ export interface PlatformFlatSubmission {
     readonly mcpServers: readonly McpServerRef[];
     readonly environment?: PlatformTemplateEnvironment;
     readonly metadata?: Record<string, JsonValue>;
+    /**
+     * Opt-in container paths to capture as `output_objects` at session
+     * terminal. When omitted, the worker still persists run metadata
+     * (status, events, snapshots, cleanup state) but does not capture
+     * any container file bytes. When present, the worker drives a
+     * synthetic agent turn at session terminal that instructs the agent
+     * to register every file under these paths via the Anthropic Files
+     * API, then walks the resulting list and copies bytes into private
+     * Supabase Storage.
+     *
+     * Validation:
+     *   - Absolute UNIX paths only (starts with `/`).
+     *   - No `..` segments, no NUL bytes, no embedded newlines.
+     *   - Max 32 entries.
+     *   - Max 512 bytes per entry.
+     *
+     * Entries are normalised (collapse `/+`, drop trailing `/` except
+     * for `/`) and deduplicated. The normalised list is what travels in
+     * the idempotency hash and the run snapshot.
+     */
+    readonly outputDirs?: readonly string[];
 }
 export interface PlatformFlatRunSubmissionRequest {
     readonly workspaceId: string;

package/dist/_shared/submission.js

@@ -272,6 +272,9 @@ function parseProxyAuthShape(input, field) {
     const value = requireRecord(input, field);
     const type = requireString(value.type, `${field}.type`);
     switch (type) {
+        case "none":
+            assertOnlyKeys(value, field, ["type"]);
+            return { type: "none" };
         case "bearer":
             assertOnlyKeys(value, field, ["type"]);
             return { type: "bearer" };
@@ -293,7 +296,7 @@ function parseProxyAuthShape(input, field) {
             return { type: "query", name };
         }
         default:
-            throw new Error(`${field}.type must be one of: bearer, basic, header, query`);
+            throw new Error(`${field}.type must be one of: none, bearer, basic, header, query`);
     }
 }
 function parseProxyMethods(input, field) {
@@ -382,6 +385,16 @@ function crossValidateProxyEndpointsAndAuth(endpoints, auth) {
     const authByName = new Map(authList.map((a) => [a.name, a]));
     for (const endpoint of endpointsList) {
         const authEntry = authByName.get(endpoint.name);
+        if (endpoint.authShape.type === "none") {
+            // Keyless endpoints carry no auth value. Reject any matching
+            // auth entry so callers don't accidentally ship a secret bound
+            // to a "none" endpoint (which would be silently ignored at
+            // request time — confusing and a leak risk).
+            if (authEntry) {
+                throw new Error(`proxyEndpoints[${endpoint.name}] has authShape "none" but a matching secrets.proxyEndpointAuth entry was supplied; remove the auth entry`);
+            }
+            continue;
+        }
         if (!authEntry) {
             throw new Error(`proxyEndpoints[${endpoint.name}] has no matching secrets.proxyEndpointAuth entry`);
         }
@@ -742,7 +755,8 @@ function parseFlatSubmission(input) {
         "skills",
         "mcpServers",
         "environment",
-        "metadata"
+        "metadata",
+        "outputDirs"
     ]);
     for (const key of Object.keys(value)) {
         if (!allowed.has(key)) {
@@ -756,6 +770,7 @@ function parseFlatSubmission(input) {
     const mcpServers = parseFlatMcpServers(value.mcpServers);
     const environment = parseTemplateEnvironment(value.environment);
     const metadata = optionalJsonRecord(value.metadata, "submission.metadata");
+    const outputDirs = parseOutputDirs(value.outputDirs);
     return {
         model,
         ...(system ? { system } : {}),
@@ -763,9 +778,84 @@ function parseFlatSubmission(input) {
         skills,
         mcpServers,
         ...(environment ? { environment } : {}),
-        ...(metadata ? { metadata } : {})
+        ...(metadata ? { metadata } : {}),
+        ...(outputDirs ? { outputDirs } : {})
     };
 }
+/**
+ * Maximum number of `outputDirs` entries accepted per submission.
+ *
+ * 32 is enough room for the typical "one or two capture roots" pattern
+ * plus a generous margin for legitimate multi-root use cases (per-tool
+ * output directory + scratch state + logs, repeated across a few
+ * subdirectories), without inviting abuse of the synthetic-turn path
+ * the worker drives at session terminal.
+ */
+const MAX_OUTPUT_DIRS = 32;
+/**
+ * Maximum byte length of a single `outputDirs` entry (after UTF-8
+ * encoding). 512 bytes comfortably covers `/very/long/nested/path`
+ * style entries without letting a misuse smuggle large blobs through
+ * the field.
+ */
+const MAX_OUTPUT_DIR_BYTES = 512;
+function parseOutputDirs(input) {
+    if (input === undefined) {
+        return undefined;
+    }
+    if (!Array.isArray(input)) {
+        throw new Error("submission.outputDirs must be an array of absolute UNIX paths");
+    }
+    if (input.length === 0) {
+        // Treat an empty array as omission so the idempotency hash matches
+        // the "no outputDirs" case.
+        return undefined;
+    }
+    if (input.length > MAX_OUTPUT_DIRS) {
+        throw new Error(`submission.outputDirs has ${input.length} entries; max is ${MAX_OUTPUT_DIRS}`);
+    }
+    const seen = new Set();
+    const normalised = [];
+    for (let i = 0; i < input.length; i++) {
+        const item = input[i];
+        if (typeof item !== "string") {
+            throw new Error(`submission.outputDirs[${i}] must be a string`);
+        }
+        if (item.length === 0) {
+            throw new Error(`submission.outputDirs[${i}] must be a non-empty absolute UNIX path`);
+        }
+        const bytes = new TextEncoder().encode(item).length;
+        if (bytes > MAX_OUTPUT_DIR_BYTES) {
+            throw new Error(`submission.outputDirs[${i}] exceeds ${MAX_OUTPUT_DIR_BYTES} bytes (got ${bytes})`);
+        }
+        if (!item.startsWith("/")) {
+            throw new Error(`submission.outputDirs[${i}] must be an absolute UNIX path (start with '/')`);
+        }
+        if (item.includes("\0")) {
+            throw new Error(`submission.outputDirs[${i}] must not contain NUL bytes`);
+        }
+        if (item.includes("\n") || item.includes("\r")) {
+            throw new Error(`submission.outputDirs[${i}] must not contain newline characters`);
+        }
+        const segments = item.split("/");
+        if (segments.includes("..")) {
+            throw new Error(`submission.outputDirs[${i}] must not contain '..' segments`);
+        }
+        const collapsed = segments
+            .filter((seg, idx) => seg.length > 0 || idx === 0)
+            .join("/");
+        const stripped = collapsed.length > 1 && collapsed.endsWith("/")
+            ? collapsed.slice(0, -1)
+            : collapsed;
+        const canonical = stripped.length === 0 ? "/" : stripped;
+        if (seen.has(canonical)) {
+            continue;
+        }
+        seen.add(canonical);
+        normalised.push(canonical);
+    }
+    return normalised;
+}
 function parseFlatPrompt(input) {
     if (typeof input === "string") {
         if (input.length === 0) {
@@ -795,6 +885,7 @@ function parseFlatSkills(input) {
     }
     const seenWorkspace = new Set();
     const seenProvider = new Set();
+    const seenTransientSlot = new Set();
     return input.map((item, index) => {
         const ref = parseSkillRef(item, `submission.skills[${index}]`);
         if (ref.kind === "workspace") {
@@ -803,13 +894,20 @@ function parseFlatSkills(input) {
             }
             seenWorkspace.add(ref.id);
         }
-        else {
+        else if (ref.kind === "provider") {
             const key = `${ref.vendor}:${ref.skillId}:${ref.version ?? ""}`;
             if (seenProvider.has(key)) {
                 throw new Error(`submission.skills duplicate provider skill: ${ref.vendor}:${ref.skillId}${ref.version ? `:${ref.version}` : ""}`);
             }
             seenProvider.add(key);
         }
+        else {
+            // transient
+            if (seenTransientSlot.has(ref.slot)) {
+                throw new Error(`submission.skills duplicate transient slot: ${ref.slot}`);
+            }
+            seenTransientSlot.add(ref.slot);
+        }
         return ref;
     });
 }