archal 0.9.19 → 0.9.20

package/dist/vitest/chunk-6CBYFCFK.js

@@ -0,0 +1,4667 @@
+import {
+  DEFAULT_HOSTED_API_BASE_URL,
+  DEFAULT_READY_TIMEOUT_MS,
+  DEFAULT_RENEW_INTERVAL_MS,
+  DEFAULT_SESSION_TTL_SECONDS,
+  HostedSessionClient,
+  MIN_READY_TIMEOUT_MS,
+  MIN_RENEW_INTERVAL_MS,
+  createHostedAuthLease,
+  decodeConfig,
+  fileExists,
+  getSessionIdFilePath,
+  isProcessAlive,
+  loadFileSeedsIntoClones,
+  normalizeApiBaseUrl,
+  parsePositiveInteger,
+  redactSessionSnapshot,
+  requestedSeedsMatchSession,
+  sleep,
+  trimEnv
+} from "./chunk-ARVS45PP.js";
+
+// src/runtime-module-resolution.ts
+import { dirname, extname, isAbsolute, resolve } from "path";
+import { fileURLToPath } from "url";
+function resolveRuntimeModuleExtension(currentExtension, buildExtension) {
+  if (currentExtension === ".ts" || currentExtension === ".mts" || currentExtension === ".cts") {
+    return currentExtension;
+  }
+  return buildExtension ?? currentExtension ?? ".js";
+}
+function resolveRuntimeModuleFromFile(currentModuleFile, relativePath, buildExtension) {
+  const currentExtension = extname(currentModuleFile) || ".js";
+  const resolvedExtension = resolveRuntimeModuleExtension(currentExtension, buildExtension);
+  return resolve(dirname(currentModuleFile), relativePath.replace(/\.js$/, resolvedExtension));
+}
+function resolveRuntimeModule(relativePath, buildExtension) {
+  const currentModuleFile = typeof __filename === "string" && isAbsolute(__filename) ? __filename : fileURLToPath(import.meta.url);
+  return resolveRuntimeModuleFromFile(currentModuleFile, relativePath, buildExtension);
+}
+
+// src/runtime/session-snapshot.ts
+var ARCHAL_VITEST_CONFIG_ENV = "ARCHAL_VITEST_CONFIG";
+function readArchalVitestConfigFromEnv() {
+  const encoded = process.env[ARCHAL_VITEST_CONFIG_ENV];
+  if (!encoded) {
+    throw new Error(`Missing ${ARCHAL_VITEST_CONFIG_ENV}. archalVitestProject() must set worker config before bootstrap.`);
+  }
+  return readArchalVitestConfig(encoded);
+}
+function readArchalVitestConfig(encoded) {
+  if (!encoded) {
+    throw new Error(`Missing ${ARCHAL_VITEST_CONFIG_ENV}. archalVitestProject() must set worker config before bootstrap.`);
+  }
+  return decodeConfig(encoded);
+}
+
+// ../route-runtime-core/src/errors.ts
+var RouteRuntimePolicyError = class extends Error {
+  code;
+  service;
+  url;
+  constructor(input) {
+    super("Network request failed");
+    this.name = "TypeError";
+    Object.defineProperties(this, {
+      code: { value: input.code, enumerable: false },
+      service: { value: input.service, enumerable: false },
+      url: { value: input.url, enumerable: false },
+      policyMessage: { value: input.message, enumerable: false }
+    });
+  }
+};
+
+// ../route-runtime-core/src/runtime.ts
+import { createRequire } from "module";
+import { isAbsolute as isAbsolute2 } from "path";
+
+// ../../clones/core/src/errors.ts
+function errorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+
+// ../route-runtime-core/src/runtime-request.ts
+var DEFAULT_HTTP_PROTOCOL = "http:";
+var DEFAULT_HTTPS_PROTOCOL = "https:";
+function normalizeProtocol(protocol, fallback) {
+  if (!protocol) return fallback;
+  return protocol.endsWith(":") ? protocol : `${protocol}:`;
+}
+function normalizeHost(value) {
+  if (value.includes("://")) {
+    const parsed = new URL(value);
+    return {
+      hostname: parsed.hostname,
+      port: parsed.port || void 0
+    };
+  }
+  if (value.startsWith("[")) {
+    const closingBracketIndex = value.indexOf("]");
+    if (closingBracketIndex !== -1) {
+      const hostname = value.slice(1, closingBracketIndex);
+      const port = value.slice(closingBracketIndex + 1).replace(/^:/, "") || void 0;
+      return { hostname, port };
+    }
+  }
+  const lastColonIndex = value.lastIndexOf(":");
+  if (lastColonIndex === -1 || value.indexOf(":") !== lastColonIndex) {
+    return { hostname: value };
+  }
+  return {
+    hostname: value.slice(0, lastColonIndex),
+    port: value.slice(lastColonIndex + 1) || void 0
+  };
+}
+function buildUrlFromOptions(options, defaultProtocol) {
+  const protocol = normalizeProtocol(
+    typeof options.protocol === "string" ? options.protocol : void 0,
+    defaultProtocol
+  );
+  const rawHost = typeof options.hostname === "string" ? options.hostname : typeof options.host === "string" ? normalizeHost(options.host).hostname : "localhost";
+  const rawPort = options.port == null ? typeof options.host === "string" ? normalizeHost(options.host).port : void 0 : String(options.port);
+  const base = `${protocol}//${rawHost}${rawPort ? `:${rawPort}` : ""}`;
+  const path = typeof options.path === "string" && options.path.length > 0 ? options.path : "/";
+  return new URL(path, base);
+}
+function applyRequestOptionsToUrl(requestUrl, options, defaultProtocol) {
+  const effectiveUrl = new URL(requestUrl.toString());
+  const protocol = normalizeProtocol(
+    typeof options.protocol === "string" ? options.protocol : void 0,
+    effectiveUrl.protocol || defaultProtocol
+  );
+  effectiveUrl.protocol = protocol;
+  const normalizedHost = typeof options.hostname === "string" ? normalizeHost(options.hostname) : typeof options.host === "string" ? normalizeHost(options.host) : null;
+  if (normalizedHost) {
+    effectiveUrl.hostname = normalizedHost.hostname;
+    effectiveUrl.port = normalizedHost.port ?? "";
+  }
+  if (options.port != null) {
+    effectiveUrl.port = String(options.port);
+  }
+  if (typeof options.path === "string" && options.path.length > 0) {
+    const pathUrl = new URL(options.path, `${effectiveUrl.protocol}//${effectiveUrl.host}`);
+    effectiveUrl.pathname = pathUrl.pathname;
+    effectiveUrl.search = pathUrl.search;
+    effectiveUrl.hash = pathUrl.hash;
+  }
+  return effectiveUrl;
+}
+function normalizeHeaders(headers) {
+  if (!headers || Array.isArray(headers)) {
+    return headers;
+  }
+  const copy = {};
+  for (const [key, value] of Object.entries(headers)) {
+    if (value === void 0) continue;
+    copy[key] = value;
+  }
+  delete copy["host"];
+  delete copy["Host"];
+  return copy;
+}
+var ROUTE_CONTROL_AUTHORIZATION_HEADER = "x-route-authorization";
+var ROUTE_SERVICE_ORIGIN_HEADER = "x-route-service-origin";
+var ROUTED_CONTROL_HEADERS = /* @__PURE__ */ new Set([
+  ROUTE_CONTROL_AUTHORIZATION_HEADER,
+  ROUTE_SERVICE_ORIGIN_HEADER,
+  "proxy-authorization"
+]);
+function isArchalInternalHeaderName(name) {
+  const normalized = name.toLowerCase();
+  return normalized === "x-archal" || normalized.startsWith("x-archal-");
+}
+function sanitizeRoutedHeaders(headers, service) {
+  const originalAuthorization = headers.get("authorization");
+  for (const header of [...headers.keys()]) {
+    const normalized = header.toLowerCase();
+    if (isArchalInternalHeaderName(normalized) || ROUTED_CONTROL_HEADERS.has(normalized)) {
+      headers.delete(header);
+    }
+  }
+  if (service.forwardedAuthorizationHeader) {
+    headers.delete(service.forwardedAuthorizationHeader);
+  }
+  return originalAuthorization;
+}
+function applyRoutedHeaders(headers, service) {
+  const originalAuthorization = sanitizeRoutedHeaders(headers, service);
+  const routedRequestHeaders = typeof service.routedRequestHeaders === "function" ? service.routedRequestHeaders() : service.routedRequestHeaders;
+  for (const [name, value] of Object.entries(routedRequestHeaders ?? {})) {
+    headers.set(name, value);
+  }
+  if (!service.forwardedAuthorizationHeader) {
+    return;
+  }
+  if (originalAuthorization) {
+    headers.set(service.forwardedAuthorizationHeader, originalAuthorization);
+  }
+}
+function buildPatchedHeaders(headers, service) {
+  const normalizedHeaders = new Headers(normalizeHeaders(headers));
+  applyRoutedHeaders(normalizedHeaders, service);
+  const patchedHeaders = {};
+  for (const [name, value] of normalizedHeaders.entries()) {
+    patchedHeaders[name] = value;
+  }
+  return patchedHeaders;
+}
+function parseRequestArgs(defaultProtocol, args) {
+  let callback;
+  for (let index = args.length - 1; index >= 0; index -= 1) {
+    const candidate = args[index];
+    if (typeof candidate === "function") {
+      callback = candidate;
+      break;
+    }
+  }
+  const first = args[0];
+  const second = args[1];
+  if (first instanceof URL || typeof first === "string") {
+    const baseRequestUrl = first instanceof URL ? new URL(first.toString()) : new URL(first, `${defaultProtocol}//localhost`);
+    const options = second && typeof second === "object" && !(second instanceof URL) ? { ...second } : {};
+    return {
+      requestUrl: applyRequestOptionsToUrl(baseRequestUrl, options, defaultProtocol),
+      options,
+      callback
+    };
+  }
+  if (first && typeof first === "object") {
+    const options = { ...first };
+    return {
+      requestUrl: buildUrlFromOptions(options, defaultProtocol),
+      options,
+      callback
+    };
+  }
+  return {
+    requestUrl: new URL(`${defaultProtocol}//localhost/`),
+    options: {},
+    callback
+  };
+}
+function buildPatchedArgs(rewrittenUrl, options, service, sourceProtocol, callback) {
+  const patchedOptions = {
+    ...options,
+    protocol: rewrittenUrl.protocol,
+    hostname: rewrittenUrl.hostname,
+    port: rewrittenUrl.port ? Number(rewrittenUrl.port) : void 0,
+    path: `${rewrittenUrl.pathname}${rewrittenUrl.search}`,
+    headers: buildPatchedHeaders(options.headers, service)
+  };
+  delete patchedOptions.host;
+  if (sourceProtocol !== rewrittenUrl.protocol) {
+    delete patchedOptions.agent;
+    delete patchedOptions.createConnection;
+  }
+  if (callback) {
+    return [rewrittenUrl, patchedOptions, callback];
+  }
+  return [rewrittenUrl, patchedOptions];
+}
+function buildRoutedFetchRequest(request, targetUrl, service, init) {
+  const rewrittenRequest = new Request(targetUrl, request);
+  const headers = new Headers(rewrittenRequest.headers);
+  if (init?.headers) {
+    for (const [name, value] of new Headers(init.headers).entries()) {
+      headers.set(name, value);
+    }
+  }
+  applyRoutedHeaders(headers, service);
+  return new Request(rewrittenRequest, {
+    ...init,
+    headers
+  });
+}
+
+// ../route-runtime-core/src/service-profiles.ts
+function exactDomain(value) {
+  return { kind: "exact", value: value.toLowerCase() };
+}
+function suffixDomain(value) {
+  return { kind: "suffix", value: value.toLowerCase() };
+}
+function matchesDomainPattern(hostname, pattern) {
+  const normalizedHostname = hostname.toLowerCase();
+  if (pattern.kind === "exact") {
+    return normalizedHostname === pattern.value;
+  }
+  return normalizedHostname === pattern.value || normalizedHostname.endsWith(`.${pattern.value}`);
+}
+function classifyHostname(profile, hostname) {
+  if (profile.routeDomains.some((pattern) => matchesDomainPattern(hostname, pattern))) {
+    return "route";
+  }
+  if (profile.hardFailDomains.some((pattern) => matchesDomainPattern(hostname, pattern))) {
+    return "hard-fail";
+  }
+  if (profile.warningDomains.some((pattern) => matchesDomainPattern(hostname, pattern))) {
+    return "warn";
+  }
+  return "ignore";
+}
+
+// ../route-runtime-core/src/manifests/discord.ts
+var discordRouteManifest = {
+  service: "discord",
+  manifestVersion: "2026-04-12.discord.v1",
+  baselineSeed: "small-server",
+  upstreamBasePath: "/api/v10",
+  routeDomains: [
+    exactDomain("discord.com"),
+    exactDomain("discordapp.com")
+  ],
+  // Discord's CDN and gateway surfaces are outside the approved Vitest route
+  // contract. Leaving them warning-only would create obvious exfil and
+  // network-escape channels once a test declares Discord route mode.
+  hardFailDomains: [
+    exactDomain("cdn.discordapp.com"),
+    exactDomain("media.discordapp.net"),
+    exactDomain("gateway.discord.gg")
+  ],
+  warningDomains: [
+    suffixDomain("discord.com"),
+    suffixDomain("discordapp.com"),
+    exactDomain("discord.gg")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Discord traffic to ${url}. Declare discord in archalVitestProject({ services: { discord: { mode: "route" } } }) before calling the Discord REST API in Vitest.`,
+    declaredEscape: ({ url }) => `Blocked Discord escape to ${url}. Discord route mode is configured, but this domain is outside the approved Discord REST route surface.`,
+    warning: ({ url }) => `Observed adjacent Discord domain ${url}. Archal did not reroute this request because it is outside the approved Discord REST route surface.`
+  },
+  sdkIdentifiers: ["discord.js", "@discordjs/rest"],
+  conformanceSuiteId: "discord-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/datadog.ts
+var datadogRouteManifest = {
+  service: "datadog",
+  manifestVersion: "2026-06-07.datadog.v1",
+  baselineSeed: "empty",
+  routeDomains: [exactDomain("api.datadoghq.com")],
+  hardFailDomains: [],
+  warningDomains: [suffixDomain("datadoghq.com")],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Datadog traffic to ${url}. Declare datadog before calling the Datadog API.`,
+    declaredEscape: ({ url }) => `Blocked Datadog escape to ${url}. Datadog route mode is configured, but this domain is outside the routed Datadog API surface.`,
+    warning: ({ url }) => `Observed adjacent Datadog domain ${url}. Archal did not reroute this request because it is outside the routed Datadog API surface.`
+  },
+  sdkIdentifiers: ["@datadog/datadog-api-client", "datadog-api-client"],
+  conformanceSuiteId: "datadog-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/github.ts
+function rewriteGitHubRawContentPath(sourceUrl) {
+  if (sourceUrl.hostname.toLowerCase() !== "raw.githubusercontent.com") {
+    return null;
+  }
+  const [owner, repo, branch, ...pathSegments] = sourceUrl.pathname.split("/").filter(Boolean);
+  if (!owner || !repo || !branch || pathSegments.length === 0) {
+    return null;
+  }
+  const searchParams = new URLSearchParams(sourceUrl.search);
+  searchParams.set("ref", decodeURIComponent(branch));
+  return {
+    pathname: `/raw/${owner}/${repo}/${branch}/${pathSegments.join("/")}`,
+    search: `?${searchParams.toString()}`
+  };
+}
+var githubRouteManifest = {
+  service: "github",
+  manifestVersion: "2026-04-02.github.v1",
+  baselineSeed: "small-project",
+  routeDomains: [
+    exactDomain("api.github.com"),
+    exactDomain("uploads.github.com"),
+    exactDomain("github.com"),
+    exactDomain("raw.githubusercontent.com")
+  ],
+  // Block adjacent GitHub-owned domains that tests don't need. Keep raw
+  // content routed because GitHub's contents API returns download_url values
+  // on raw.githubusercontent.com, and normal clients often follow them.
+  hardFailDomains: [
+    exactDomain("gist.github.com"),
+    exactDomain("objects.githubusercontent.com"),
+    exactDomain("codeload.github.com")
+  ],
+  routePathRewrite: rewriteGitHubRawContentPath,
+  warningDomains: [
+    suffixDomain("github.com"),
+    suffixDomain("githubusercontent.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked GitHub traffic to ${url}. Declare github in archalVitestProject({ services: { github: { mode: "route" } } }) before using the official GitHub SDK.`,
+    declaredEscape: ({ url }) => `Blocked GitHub escape to ${url}. GitHub route mode is configured, but this domain is outside the primary routed GitHub surface.`,
+    warning: ({ url }) => `Observed adjacent GitHub domain ${url}. Archal did not reroute this request because it is outside the primary GitHub API route surface.`
+  },
+  sdkIdentifiers: ["@octokit/rest"],
+  conformanceSuiteId: "github-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/gitlab.ts
+var gitlabRouteManifest = {
+  service: "gitlab",
+  manifestVersion: "2026-06-08.gitlab.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    // GitLab SaaS serves its REST API from the gitlab.com apex (/api/v4).
+    exactDomain("gitlab.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    // docs.gitlab.com / about.gitlab.com are marketing/docs hosts, not the API
+    // surface — warn rather than reroute so a stray call stays observable.
+    suffixDomain("gitlab.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked GitLab traffic to ${url}. Declare gitlab in archalVitestProject({ services: { gitlab: { mode: "route" } } }) before calling the GitLab API.`,
+    declaredEscape: ({ url }) => `Blocked GitLab escape to ${url}. GitLab route mode is configured, but this domain is outside the routed GitLab API surface.`,
+    warning: ({ url }) => `Observed adjacent GitLab domain ${url}. Archal did not reroute this request because it is outside the routed GitLab API surface.`
+  },
+  sdkIdentifiers: ["@gitbeaker/rest"],
+  conformanceSuiteId: "gitlab-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/google-workspace.ts
+var googleWorkspaceRouteManifest = {
+  service: "google-workspace",
+  manifestVersion: "2026-04-01.google-workspace.v1",
+  baselineSeed: "assistant-baseline",
+  routeDomains: [
+    exactDomain("gmail.googleapis.com"),
+    exactDomain("drive.googleapis.com"),
+    exactDomain("calendar.googleapis.com"),
+    exactDomain("people.googleapis.com"),
+    exactDomain("sheets.googleapis.com"),
+    exactDomain("oauth2.googleapis.com"),
+    exactDomain("www.googleapis.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("google.com"),
+    suffixDomain("googleusercontent.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Google Workspace traffic to ${url}. Declare google-workspace in archalVitestProject({ services: { 'google-workspace': { mode: "route" } } }) before using the official Google client.`,
+    declaredEscape: ({ url }) => `Blocked Google Workspace escape to ${url}. Google Workspace route mode is configured, but this domain is outside the primary routed surface.`,
+    warning: ({ url }) => `Observed adjacent Google Workspace domain ${url}. Archal did not reroute this request because it is outside the primary Google Workspace API route surface.`
+  },
+  sdkIdentifiers: ["googleapis"],
+  conformanceSuiteId: "google-workspace-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/apify.ts
+var apifyRouteManifest = {
+  service: "apify",
+  manifestVersion: "2026-05-14.apify.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("api.apify.com"),
+    exactDomain("apify.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("apify.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Apify traffic to ${url}. Declare apify before using the official Apify client.`,
+    declaredEscape: ({ url }) => `Blocked Apify escape to ${url}. Apify route mode is configured, but this domain is outside the primary routed Apify API surface.`,
+    warning: ({ url }) => `Observed adjacent Apify domain ${url}. Archal did not reroute this request because it is outside the primary Apify API route surface.`
+  },
+  sdkIdentifiers: ["apify-client", "apify"],
+  conformanceSuiteId: "apify-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/calcom.ts
+var calcomRouteManifest = {
+  service: "calcom",
+  manifestVersion: "2026-06-08.calcom.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("api.cal.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    // The bare cal.com is the marketing/app host, not the API surface — warn
+    // rather than reroute so a stray call is observable but not silently served.
+    suffixDomain("cal.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Cal.com traffic to ${url}. Declare calcom in archalVitestProject({ services: { calcom: { mode: "route" } } }) before calling the Cal.com API.`,
+    declaredEscape: ({ url }) => `Blocked Cal.com escape to ${url}. Cal.com route mode is configured, but this domain is outside the primary routed Cal.com API surface.`,
+    warning: ({ url }) => `Observed adjacent Cal.com domain ${url}. Archal did not reroute this request because it is outside the primary Cal.com API route surface.`
+  },
+  sdkIdentifiers: ["@calcom/api"],
+  conformanceSuiteId: "calcom-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/clickup.ts
+var clickupRouteManifest = {
+  service: "clickup",
+  manifestVersion: "2026-06-08.clickup.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("api.clickup.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    // app.clickup.com is the web app host, not the API surface — warn rather
+    // than reroute so a stray call is observable but not silently served.
+    suffixDomain("clickup.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked ClickUp traffic to ${url}. Declare clickup in archalVitestProject({ services: { clickup: { mode: "route" } } }) before calling the ClickUp API.`,
+    declaredEscape: ({ url }) => `Blocked ClickUp escape to ${url}. ClickUp route mode is configured, but this domain is outside the routed ClickUp API surface.`,
+    warning: ({ url }) => `Observed adjacent ClickUp domain ${url}. Archal did not reroute this request because it is outside the routed ClickUp API surface.`
+  },
+  sdkIdentifiers: ["clickup"],
+  conformanceSuiteId: "clickup-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/customerio.ts
+var customerioRouteManifest = {
+  service: "customerio",
+  manifestVersion: "2026-06-08.customerio.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("api.customer.io")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    // The bare customer.io is the marketing site and track.customer.io is the
+    // separate CDP/track ingest surface — neither is the App API this clone
+    // models. Warn rather than reroute so a stray call is observable.
+    suffixDomain("customer.io")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Customer.io traffic to ${url}. Declare customerio before calling the Customer.io API.`,
+    declaredEscape: ({ url }) => `Blocked Customer.io escape to ${url}. Customer.io route mode is configured, but this domain is outside the routed Customer.io App API surface.`,
+    warning: ({ url }) => `Observed adjacent Customer.io domain ${url}. Archal did not reroute this request because it is outside the routed Customer.io App API surface.`
+  },
+  sdkIdentifiers: ["customerio-node"],
+  conformanceSuiteId: "customerio-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/hubspot.ts
+var hubspotRouteManifest = {
+  service: "hubspot",
+  manifestVersion: "2026-06-10.hubspot.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("api.hubapi.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    // Non-API hubapi.com hosts (forms.hubapi.com, track ingest) and the
+    // hubspot.com web UI (app.hubspot.com — twin payload URLs point at
+    // app-na2.hubspot.com) are adjacent surfaces, not the CRM API this clone
+    // models. Warn rather than reroute so a stray call is observable.
+    suffixDomain("hubapi.com"),
+    suffixDomain("hubspot.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked HubSpot traffic to ${url}. Declare hubspot before calling the HubSpot API.`,
+    declaredEscape: ({ url }) => `Blocked HubSpot escape to ${url}. HubSpot route mode is configured, but this domain is outside the routed HubSpot CRM API surface.`,
+    warning: ({ url }) => `Observed adjacent HubSpot domain ${url}. Archal did not reroute this request because it is outside the routed HubSpot CRM API surface.`
+  },
+  sdkIdentifiers: ["@hubspot/api-client"],
+  conformanceSuiteId: "hubspot-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/jira.ts
+var jiraRouteManifest = {
+  service: "jira",
+  manifestVersion: "2026-04-01.jira.v1",
+  baselineSeed: "small-project",
+  upstreamBasePathAliases: ["/ex/jira/:cloudId"],
+  routeDomains: [
+    suffixDomain("atlassian.net"),
+    exactDomain("api.atlassian.com"),
+    exactDomain("jira.atlassian.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("atlassian.com"),
+    exactDomain("jira.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Jira traffic to ${url}. Declare jira in archalVitestProject({ services: { jira: { mode: "route" } } }) before using the official Jira SDK.`,
+    declaredEscape: ({ url }) => `Blocked Jira escape to ${url}. Jira route mode is configured, but this domain is outside the primary routed Jira surface.`,
+    warning: ({ url }) => `Observed adjacent Jira domain ${url}. Archal did not reroute this request because it is outside the primary Jira route surface.`
+  },
+  sdkIdentifiers: ["jira.js"],
+  conformanceSuiteId: "jira-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/linear.ts
+var linearRouteManifest = {
+  service: "linear",
+  manifestVersion: "2026-04-19.linear.v1",
+  baselineSeed: "small-team",
+  routeDomains: [
+    exactDomain("api.linear.app")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("linear.app")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Linear traffic to ${url}. Declare linear in archalVitestProject({ services: { linear: { mode: "route" } } }) before using the official Linear SDK.`,
+    declaredEscape: ({ url }) => `Blocked Linear escape to ${url}. Linear route mode is configured, but this domain is outside the primary routed Linear API surface.`,
+    warning: ({ url }) => `Observed adjacent Linear domain ${url}. Archal did not reroute this request because it is outside the primary Linear API route surface.`
+  },
+  sdkIdentifiers: ["@linear/sdk"],
+  conformanceSuiteId: "linear-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/ownerrez.ts
+var ownerrezRouteManifest = {
+  service: "ownerrez",
+  manifestVersion: "2026-06-07.ownerrez.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("api.ownerrez.com"),
+    exactDomain("ownerrez.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("ownerrez.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked OwnerRez traffic to ${url}. Declare ownerrez before calling the OwnerRez API.`,
+    declaredEscape: ({ url }) => `Blocked OwnerRez escape to ${url}. OwnerRez route mode is configured, but this domain is outside the routed OwnerRez API surface.`,
+    warning: ({ url }) => `Observed adjacent OwnerRez domain ${url}. Archal did not reroute this request because it is outside the routed OwnerRez API surface.`
+  },
+  sdkIdentifiers: ["ownerrez"],
+  conformanceSuiteId: "ownerrez-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/pricelabs.ts
+var pricelabsRouteManifest = {
+  service: "pricelabs",
+  manifestVersion: "2026-06-07.pricelabs.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("api.pricelabs.co"),
+    exactDomain("pricelabs.co")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("pricelabs.co")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked PriceLabs traffic to ${url}. Declare pricelabs before calling the PriceLabs API.`,
+    declaredEscape: ({ url }) => `Blocked PriceLabs escape to ${url}. PriceLabs route mode is configured, but this domain is outside the routed PriceLabs API surface.`,
+    warning: ({ url }) => `Observed adjacent PriceLabs domain ${url}. Archal did not reroute this request because it is outside the routed PriceLabs API surface.`
+  },
+  sdkIdentifiers: ["pricelabs"],
+  conformanceSuiteId: "pricelabs-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/ramp.ts
+var rampRouteManifest = {
+  service: "ramp",
+  manifestVersion: "2026-04-19.ramp.v1",
+  baselineSeed: "default",
+  routeDomains: [
+    exactDomain("api.ramp.com"),
+    exactDomain("app.ramp.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("ramp.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Ramp traffic to ${url}. Declare ramp in archalVitestProject({ services: { ramp: { mode: "route" } } }) before using the official Ramp client.`,
+    declaredEscape: ({ url }) => `Blocked Ramp escape to ${url}. Ramp route mode is configured, but this domain is outside the primary routed Ramp API surface.`,
+    warning: ({ url }) => `Observed adjacent Ramp domain ${url}. Archal did not reroute this request because it is outside the primary Ramp API route surface.`
+  },
+  sdkIdentifiers: ["ramp"],
+  conformanceSuiteId: "ramp-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/sendgrid.ts
+var sendgridRouteManifest = {
+  service: "sendgrid",
+  manifestVersion: "2026-06-08.sendgrid.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("api.sendgrid.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    // The bare sendgrid.com is the marketing site, not the API surface — warn
+    // rather than reroute so a stray call is observable but not silently served.
+    suffixDomain("sendgrid.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked SendGrid traffic to ${url}. Declare sendgrid before calling the SendGrid API.`,
+    declaredEscape: ({ url }) => `Blocked SendGrid escape to ${url}. SendGrid route mode is configured, but this domain is outside the routed SendGrid API surface.`,
+    warning: ({ url }) => `Observed adjacent SendGrid domain ${url}. Archal did not reroute this request because it is outside the routed SendGrid API surface.`
+  },
+  sdkIdentifiers: ["sendgrid", "@sendgrid/mail", "@sendgrid/client"],
+  conformanceSuiteId: "sendgrid-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/sentry.ts
+var sentryRouteManifest = {
+  service: "sentry",
+  manifestVersion: "2026-06-08.sentry.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("sentry.io")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    // *.sentry.io subdomains (docs/blog/app/regional) sit adjacent to the routed
+    // sentry.io API apex — warn rather than reroute. The exact apex above wins
+    // for sentry.io itself, so only subdomains fall through to this warning.
+    suffixDomain("sentry.io")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Sentry traffic to ${url}. Declare sentry in archalVitestProject({ services: { sentry: { mode: "route" } } }) before calling the Sentry API.`,
+    declaredEscape: ({ url }) => `Blocked Sentry escape to ${url}. Sentry route mode is configured, but this domain is outside the primary routed Sentry API surface.`,
+    warning: ({ url }) => `Observed adjacent Sentry domain ${url}. Archal did not reroute this request because it is outside the primary Sentry API route surface.`
+  },
+  sdkIdentifiers: ["@sentry/node", "@sentry/browser", "@sentry/core"],
+  conformanceSuiteId: "sentry-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/slack.ts
+var slackRouteManifest = {
+  service: "slack",
+  manifestVersion: "2026-04-02.slack.v1",
+  baselineSeed: "engineering-team",
+  routeDomains: [
+    exactDomain("slack.com"),
+    exactDomain("api.slack.com")
+  ],
+  upstreamBasePath: "/api",
+  // Block adjacent Slack-owned domains that tests don't need and that can be
+  // abused as data-exfiltration channels. hooks.slack.com and files.slack.com
+  // in particular are ideal POST targets for a malicious dependency trying to
+  // smuggle stolen tokens out through a domain the developer has already
+  // implicitly allow-listed.
+  hardFailDomains: [
+    exactDomain("hooks.slack.com"),
+    exactDomain("files.slack.com"),
+    exactDomain("edgeapi.slack.com"),
+    exactDomain("wss-primary.slack.com"),
+    exactDomain("wss-backup.slack.com")
+  ],
+  warningDomains: [
+    suffixDomain("slack.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Slack traffic to ${url}. Declare slack in archalVitestProject({ services: { slack: { mode: "route" } } }) before using the official Slack SDK.`,
+    declaredEscape: ({ url }) => `Blocked Slack escape to ${url}. Slack route mode is configured, but this domain is outside the primary routed Slack surface.`,
+    warning: ({ url }) => `Observed adjacent Slack domain ${url}. Archal did not reroute this request because it is outside the primary Slack API route surface.`
+  },
+  sdkIdentifiers: ["@slack/web-api"],
+  conformanceSuiteId: "slack-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/stripe.ts
+var stripeRuntimeResourcePolicy = [
+  {
+    resource: "customers",
+    commands: ["customers.create", "customers.update"],
+    events: ["customer.created", "customer.updated"]
+  },
+  {
+    resource: "payment_intents",
+    commands: ["paymentIntents.create", "paymentIntents.confirm"],
+    events: ["payment_intent.succeeded"]
+  },
+  { resource: "charges", events: ["charge.refunded"] },
+  { resource: "refunds", commands: ["refunds.create"] },
+  { resource: "products" },
+  { resource: "prices" },
+  {
+    resource: "subscriptions",
+    commands: ["subscriptions.create"],
+    events: ["customer.subscription.created", "customer.subscription.updated"]
+  },
+  {
+    resource: "invoices",
+    commands: ["invoices.create", "invoices.finalizeInvoice"],
+    events: ["invoice.finalized"]
+  },
+  { resource: "webhook_endpoints", commands: ["webhookEndpoints.create"] },
+  { resource: "events" }
+];
+function deriveStripeRuntimeSurface(policy) {
+  return {
+    resources: policy.map((entry) => entry.resource),
+    commands: policy.flatMap((entry) => entry.commands ?? []),
+    events: policy.flatMap((entry) => entry.events ?? [])
+  };
+}
+var stripeRuntimeSurface = deriveStripeRuntimeSurface(stripeRuntimeResourcePolicy);
+var stripeRouteManifest = {
+  service: "stripe",
+  manifestVersion: "2026-04-01.stripe.v1",
+  baselineSeed: "small-business",
+  routeDomains: [
+    exactDomain("api.stripe.com")
+  ],
+  hardFailDomains: [
+    exactDomain("files.stripe.com"),
+    exactDomain("uploads.stripe.com")
+  ],
+  warningDomains: [
+    exactDomain("billing.stripe.com"),
+    exactDomain("buy.stripe.com"),
+    exactDomain("checkout.stripe.com"),
+    exactDomain("connect.stripe.com"),
+    exactDomain("dashboard.stripe.com"),
+    exactDomain("invoice.stripe.com"),
+    exactDomain("pay.stripe.com"),
+    exactDomain("verify.stripe.com"),
+    suffixDomain("stripe.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Stripe traffic to ${url}. Declare stripe in archalVitestProject({ services: { stripe: { mode: "route" } } }) before using the official Stripe SDK.`,
+    declaredEscape: ({ url }) => `Blocked Stripe escape to ${url}. Stripe route mode is configured, but this Stripe-owned domain is outside the current routed surface.`,
+    warning: ({ url }) => `Observed adjacent Stripe domain ${url}. Archal did not reroute this request because it is outside the primary Stripe API route surface.`
+  },
+  runtimeSurface: stripeRuntimeSurface,
+  sdkIdentifiers: ["stripe"],
+  conformanceSuiteId: "stripe-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/supabase.ts
+var supabaseRouteManifest = {
+  service: "supabase",
+  manifestVersion: "2026-04-01.supabase.v1",
+  baselineSeed: "small-project",
+  routeDomains: [
+    suffixDomain("supabase.co"),
+    exactDomain("api.supabase.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("supabase.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Supabase traffic to ${url}. Declare supabase in archalVitestProject({ services: { supabase: { mode: "route" } } }) before using the official Supabase SDK.`,
+    declaredEscape: ({ url }) => `Blocked Supabase escape to ${url}. Supabase route mode is configured, but this domain is outside the primary routed Supabase surface.`,
+    warning: ({ url }) => `Observed adjacent Supabase domain ${url}. Archal did not reroute this request because it is outside the primary Supabase route surface.`
+  },
+  sdkIdentifiers: ["@supabase/supabase-js"],
+  conformanceSuiteId: "supabase-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/tavily.ts
+var tavilyRouteManifest = {
+  service: "tavily",
+  manifestVersion: "2026-05-14.tavily.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("api.tavily.com"),
+    exactDomain("tavily.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("tavily.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Tavily traffic to ${url}. Declare tavily before using the official Tavily client.`,
+    declaredEscape: ({ url }) => `Blocked Tavily escape to ${url}. Tavily route mode is configured, but this domain is outside the primary routed Tavily API surface.`,
+    warning: ({ url }) => `Observed adjacent Tavily domain ${url}. Archal did not reroute this request because it is outside the primary Tavily API route surface.`
+  },
+  sdkIdentifiers: ["@tavily/core", "tavily"],
+  conformanceSuiteId: "tavily-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/unipile.ts
+var unipileRouteManifest = {
+  service: "unipile",
+  manifestVersion: "2026-06-05.unipile.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("api.unipile.com"),
+    suffixDomain("unipile.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Unipile traffic to ${url}. Declare unipile before calling the Unipile API.`,
+    declaredEscape: ({ url }) => `Blocked Unipile escape to ${url}. Unipile route mode is configured, but this domain is outside the routed Unipile API surface.`,
+    warning: ({ url }) => `Observed adjacent Unipile domain ${url}. Archal did not reroute this request because it is outside the routed Unipile API surface.`
+  },
+  sdkIdentifiers: ["unipile"],
+  conformanceSuiteId: "unipile-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/webflow.ts
+var webflowRouteManifest = {
+  service: "webflow",
+  manifestVersion: "2026-06-07.webflow.v1",
+  baselineSeed: "empty",
+  routeDomains: [
+    exactDomain("api.webflow.com"),
+    exactDomain("webflow.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("webflow.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Webflow traffic to ${url}. Declare webflow before calling the Webflow API.`,
+    declaredEscape: ({ url }) => `Blocked Webflow escape to ${url}. Webflow route mode is configured, but this domain is outside the routed Webflow API surface.`,
+    warning: ({ url }) => `Observed adjacent Webflow domain ${url}. Archal did not reroute this request because it is outside the routed Webflow API surface.`
+  },
+  sdkIdentifiers: ["webflow-api", "webflow"],
+  conformanceSuiteId: "webflow-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests.ts
+var SHARED_ROUTE_MANIFESTS = [
+  discordRouteManifest,
+  datadogRouteManifest,
+  githubRouteManifest,
+  gitlabRouteManifest,
+  googleWorkspaceRouteManifest,
+  apifyRouteManifest,
+  calcomRouteManifest,
+  clickupRouteManifest,
+  customerioRouteManifest,
+  hubspotRouteManifest,
+  jiraRouteManifest,
+  linearRouteManifest,
+  ownerrezRouteManifest,
+  pricelabsRouteManifest,
+  rampRouteManifest,
+  sendgridRouteManifest,
+  sentryRouteManifest,
+  slackRouteManifest,
+  stripeRouteManifest,
+  supabaseRouteManifest,
+  tavilyRouteManifest,
+  unipileRouteManifest,
+  webflowRouteManifest
+];
+var SHARED_ROUTE_MANIFESTS_BY_SERVICE = new Map(
+  SHARED_ROUTE_MANIFESTS.map((manifest) => [manifest.service, manifest])
+);
+function listSharedRouteManifests() {
+  return [...SHARED_ROUTE_MANIFESTS];
+}
+function getSharedRouteManifest(service) {
+  return SHARED_ROUTE_MANIFESTS_BY_SERVICE.get(service);
+}
+function buildServiceCompatibilityProfile(manifest) {
+  return {
+    service: manifest.service,
+    upstreamBasePath: manifest.upstreamBasePath,
+    upstreamBasePathAliases: manifest.upstreamBasePathAliases,
+    routePathRewrite: manifest.routePathRewrite,
+    routeDomains: manifest.routeDomains,
+    hardFailDomains: manifest.hardFailDomains,
+    warningDomains: manifest.warningDomains,
+    diagnostics: manifest.diagnostics
+  };
+}
+
+// ../route-runtime-core/src/runtime.ts
+var require2 = createRequire(
+  typeof __filename === "string" && isAbsolute2(__filename) ? __filename : import.meta.url
+);
+var httpModule = require2("node:http");
+var httpsModule = require2("node:https");
+var SHARED_SERVICE_PROFILES = listSharedRouteManifests().map(buildServiceCompatibilityProfile);
+var CLIENT_VISIBLE_BLOCKED_REQUEST_MESSAGE = "Network request failed";
+function createClientVisibleNetworkError() {
+  return new TypeError(CLIENT_VISIBLE_BLOCKED_REQUEST_MESSAGE);
+}
+function sanitizeClientVisibleNetworkError(error) {
+  const visibleError = error;
+  for (const key of Reflect.ownKeys(error)) {
+    delete visibleError[key];
+  }
+  error.name = "TypeError";
+  error.message = CLIENT_VISIBLE_BLOCKED_REQUEST_MESSAGE;
+  error.stack = `${error.name}: ${error.message}`;
+}
+function now() {
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+function normalizePathPrefix(pathPrefix) {
+  const withLeadingSlash = pathPrefix.startsWith("/") ? pathPrefix : `/${pathPrefix}`;
+  return withLeadingSlash.replace(/\/+$/, "") || "/";
+}
+function matchPathPrefix(pathPrefix, pathname) {
+  const normalizedPrefix = normalizePathPrefix(pathPrefix);
+  const normalizedPathname = pathname.startsWith("/") ? pathname : `/${pathname}`;
+  if (normalizedPrefix === "/") {
+    return normalizedPathname;
+  }
+  const prefixSegments = normalizedPrefix.split("/").filter(Boolean);
+  const pathnameSegments = normalizedPathname.split("/").filter(Boolean);
+  if (prefixSegments.length > pathnameSegments.length) {
+    return null;
+  }
+  for (let index = 0; index < prefixSegments.length; index += 1) {
+    const expected = prefixSegments[index];
+    if (expected.startsWith(":")) {
+      continue;
+    }
+    if (expected !== pathnameSegments[index]) {
+      return null;
+    }
+  }
+  const remainingSegments = pathnameSegments.slice(prefixSegments.length);
+  return remainingSegments.length === 0 ? "/" : `/${remainingSegments.join("/")}`;
+}
+function resolveRoutedPathname(sourceUrl, service, profile, rewritten) {
+  if (rewritten) {
+    return rewritten.pathname;
+  }
+  const sourcePathname = sourceUrl.pathname || "/";
+  const pathPrefixes = [
+    service.upstreamBasePath,
+    profile.upstreamBasePath,
+    ...profile.upstreamBasePathAliases ?? []
+  ].filter((prefix) => typeof prefix === "string" && prefix.length > 0);
+  for (const pathPrefix of pathPrefixes) {
+    const normalizedPathname = matchPathPrefix(pathPrefix, sourcePathname);
+    if (normalizedPathname) {
+      return normalizedPathname;
+    }
+  }
+  return sourcePathname;
+}
+function mergeUrl(service, sourceUrl, profile) {
+  const rewritten = profile.routePathRewrite?.(sourceUrl);
+  const targetBaseUrl = new URL(service.baseUrl);
+  const targetPathname = targetBaseUrl.pathname.endsWith("/") ? targetBaseUrl.pathname.slice(0, -1) : targetBaseUrl.pathname;
+  targetBaseUrl.pathname = `${targetPathname}${resolveRoutedPathname(sourceUrl, service, profile, rewritten)}` || "/";
+  targetBaseUrl.search = rewritten?.search ?? sourceUrl.search;
+  targetBaseUrl.hash = sourceUrl.hash;
+  return targetBaseUrl;
+}
+function bridgeSecureConnectIfNeeded(request, sourceProtocol, targetProtocol) {
+  if (sourceProtocol !== DEFAULT_HTTPS_PROTOCOL || targetProtocol !== DEFAULT_HTTP_PROTOCOL) {
+    return request;
+  }
+  request.once("socket", (socket) => {
+    if (socket.connecting) {
+      socket.once("connect", () => {
+        socket.emit("secureConnect");
+      });
+      return;
+    }
+    queueMicrotask(() => {
+      socket.emit("secureConnect");
+    });
+  });
+  return request;
+}
+function blockedWarningCode(decision, servicesByName) {
+  return servicesByName.has(decision.service) ? "ARCHAL_DECLARED_SERVICE_ESCAPE" : "ARCHAL_UNDECLARED_SERVICE";
+}
+var CLIENT_VISIBLE_INTERNAL_RESPONSE_HEADERS = /* @__PURE__ */ new Set([
+  "proxy-authorization",
+  "x-route-authorization",
+  "x-route-service-origin",
+  "x-service-routing-scope"
+]);
+function isClientVisibleInternalHeaderName(name) {
+  const normalized = name.toLowerCase();
+  return normalized === "x-archal" || normalized.startsWith("x-archal-") || normalized.startsWith("x-route-") || CLIENT_VISIBLE_INTERNAL_RESPONSE_HEADERS.has(normalized);
+}
+function sanitizedFetchResponse(response) {
+  const headers = new Headers(response.headers);
+  let changed = false;
+  for (const header of [...headers.keys()]) {
+    if (!isClientVisibleInternalHeaderName(header)) {
+      continue;
+    }
+    headers.delete(header);
+    changed = true;
+  }
+  if (!changed) {
+    return response;
+  }
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers
+  });
+}
+function sanitizedRawHeaders(rawHeaders) {
+  const result = [];
+  for (let index = 0; index < rawHeaders.length; index += 2) {
+    const name = rawHeaders[index];
+    const value = rawHeaders[index + 1];
+    if (!name || isClientVisibleInternalHeaderName(name)) {
+      continue;
+    }
+    result.push(name);
+    if (value !== void 0) {
+      result.push(value);
+    }
+  }
+  return result;
+}
+function sanitizeIncomingResponseHeaders(response) {
+  for (const header of Object.keys(response.headers)) {
+    if (isClientVisibleInternalHeaderName(header)) {
+      delete response.headers[header];
+    }
+  }
+  if (Array.isArray(response.rawHeaders)) {
+    response.rawHeaders = sanitizedRawHeaders(response.rawHeaders);
+  }
+}
+function wrapRoutedResponseCallback(callback) {
+  if (!callback) {
+    return void 0;
+  }
+  return (response) => {
+    sanitizeIncomingResponseHeaders(response);
+    callback(response);
+  };
+}
+var NodeRouteRuntime = class {
+  profiles;
+  servicesByName;
+  events = [];
+  onEvent;
+  traceRecords = [];
+  traceEnabled;
+  onTrace;
+  started = false;
+  routingInstalled = false;
+  originalHttpRequest = httpModule.request;
+  originalHttpGet = httpModule.get;
+  originalHttpsRequest = httpsModule.request;
+  originalHttpsGet = httpsModule.get;
+  originalFetch = globalThis.fetch;
+  constructor(config) {
+    this.profiles = config.profiles;
+    this.servicesByName = new Map(config.services.map((service) => [service.name, service]));
+    this.onEvent = config.onEvent;
+    this.traceEnabled = config.trace?.enabled ?? false;
+    this.onTrace = config.trace?.onTrace;
+  }
+  async start() {
+    if (this.started) return;
+    this.started = true;
+    this.emit({ type: "runtime_started", timestamp: now() });
+  }
+  async reset() {
+    this.events.length = 0;
+    this.emit({ type: "runtime_reset", timestamp: now() });
+  }
+  async stop() {
+    this.uninstallRouting();
+    if (!this.started) return;
+    this.started = false;
+    this.emit({ type: "runtime_stopped", timestamp: now() });
+  }
+  installRouting() {
+    if (this.routingInstalled) return;
+    httpModule.request = ((...args) => this.dispatchRequest(this.originalHttpRequest, this.originalHttpsRequest, DEFAULT_HTTP_PROTOCOL, args));
+    httpModule.get = ((...args) => this.dispatchGet(this.originalHttpGet, this.originalHttpsGet, DEFAULT_HTTP_PROTOCOL, args));
+    httpsModule.request = ((...args) => this.dispatchRequest(this.originalHttpRequest, this.originalHttpsRequest, DEFAULT_HTTPS_PROTOCOL, args));
+    httpsModule.get = ((...args) => this.dispatchGet(this.originalHttpGet, this.originalHttpsGet, DEFAULT_HTTPS_PROTOCOL, args));
+    if (this.originalFetch) {
+      globalThis.fetch = (async (input, init) => {
+        const originalRequest = input instanceof Request ? input : void 0;
+        const sourceUrl = new URL(
+          originalRequest?.url ?? (input instanceof URL ? input.toString() : String(input))
+        );
+        const decision = this.evaluateRequest(sourceUrl);
+        const method = (originalRequest?.method ?? init?.method ?? "GET").toUpperCase();
+        if (decision.kind === "route") {
+          const service = this.servicesByName.get(decision.service);
+          if (!service) {
+            throw new Error(`Missing routed service config for ${decision.service}.`);
+          }
+          const targetUrl = decision.targetUrl.toString();
+          if (originalRequest) {
+            let response3;
+            try {
+              response3 = await this.originalFetch(
+                buildRoutedFetchRequest(originalRequest, decision.targetUrl, service, init)
+              );
+            } catch {
+              this.traceRequest({
+                method,
+                sourceUrl: sourceUrl.toString(),
+                manifestMatched: true,
+                service: decision.service,
+                target: "twin",
+                outcome: "failed",
+                reason: "network_error",
+                targetUrl,
+                error: CLIENT_VISIBLE_BLOCKED_REQUEST_MESSAGE
+              });
+              throw createClientVisibleNetworkError();
+            }
+            this.traceRequest({
+              method,
+              sourceUrl: sourceUrl.toString(),
+              manifestMatched: true,
+              service: decision.service,
+              target: "twin",
+              outcome: "routed",
+              reason: "route",
+              targetUrl,
+              statusCode: response3.status,
+              statusText: response3.statusText
+            });
+            return sanitizedFetchResponse(response3);
+          }
+          const headers = new Headers(init?.headers);
+          applyRoutedHeaders(headers, service);
+          let response2;
+          try {
+            response2 = await this.originalFetch(new URL(targetUrl), {
+              ...init,
+              headers
+            });
+          } catch {
+            this.traceRequest({
+              method,
+              sourceUrl: sourceUrl.toString(),
+              manifestMatched: true,
+              service: decision.service,
+              target: "twin",
+              outcome: "failed",
+              reason: "network_error",
+              targetUrl,
+              error: CLIENT_VISIBLE_BLOCKED_REQUEST_MESSAGE
+            });
+            throw createClientVisibleNetworkError();
+          }
+          this.traceRequest({
+            method,
+            sourceUrl: sourceUrl.toString(),
+            manifestMatched: true,
+            service: decision.service,
+            target: "twin",
+            outcome: "routed",
+            reason: "route",
+            targetUrl,
+            statusCode: response2.status,
+            statusText: response2.statusText
+          });
+          return sanitizedFetchResponse(response2);
+        }
+        if (decision.kind === "block") {
+          this.traceRequest({
+            method,
+            sourceUrl: sourceUrl.toString(),
+            manifestMatched: true,
+            service: decision.service,
+            target: "none",
+            outcome: "blocked",
+            reason: decision.code === "ARCHAL_UNDECLARED_SERVICE" ? "blocked_undeclared" : "blocked_escape"
+          });
+          throw new RouteRuntimePolicyError({
+            code: decision.code,
+            service: decision.service,
+            url: sourceUrl.toString(),
+            message: decision.message
+          });
+        }
+        if (decision.kind === "warn") {
+          const code = blockedWarningCode(decision, this.servicesByName);
+          this.traceRequest({
+            method,
+            sourceUrl: sourceUrl.toString(),
+            manifestMatched: true,
+            service: decision.service,
+            target: "none",
+            outcome: "blocked",
+            reason: code === "ARCHAL_UNDECLARED_SERVICE" ? "blocked_undeclared" : "blocked_escape"
+          });
+          throw new RouteRuntimePolicyError({
+            code,
+            service: decision.service,
+            url: sourceUrl.toString(),
+            message: decision.message
+          });
+        }
+        let response;
+        try {
+          response = await this.originalFetch(input, init);
+        } catch (error) {
+          this.traceRequest({
+            method,
+            sourceUrl: sourceUrl.toString(),
+            manifestMatched: false,
+            target: "upstream",
+            outcome: "failed",
+            reason: "network_error",
+            error: errorMessage(error)
+          });
+          throw error;
+        }
+        this.traceRequest({
+          method,
+          sourceUrl: sourceUrl.toString(),
+          manifestMatched: false,
+          target: "upstream",
+          outcome: "bypassed",
+          reason: "no_match",
+          statusCode: response.status,
+          statusText: response.statusText
+        });
+        return response;
+      });
+    }
+    this.routingInstalled = true;
+    this.emit({ type: "routing_installed", timestamp: now() });
+  }
+  uninstallRouting() {
+    if (!this.routingInstalled) return;
+    httpModule.request = this.originalHttpRequest;
+    httpModule.get = this.originalHttpGet;
+    httpsModule.request = this.originalHttpsRequest;
+    httpsModule.get = this.originalHttpsGet;
+    if (this.originalFetch) {
+      globalThis.fetch = this.originalFetch;
+    }
+    this.routingInstalled = false;
+    this.emit({ type: "routing_uninstalled", timestamp: now() });
+  }
+  getEvents() {
+    return [...this.events];
+  }
+  getTraceRecords() {
+    return [...this.traceRecords];
+  }
+  evaluateRequest(input) {
+    const sourceUrl = input instanceof URL ? input : new URL(input);
+    const hostname = sourceUrl.hostname.toLowerCase();
+    for (const profile of this.profiles) {
+      const classification = classifyHostname(profile, hostname);
+      if (classification === "ignore") {
+        continue;
+      }
+      const configuredService = this.servicesByName.get(profile.service);
+      const diagnosticsContext = {
+        service: profile.service,
+        hostname,
+        url: sourceUrl.toString(),
+        configuredBaseUrl: configuredService?.baseUrl
+      };
+      if (classification === "route") {
+        if (!configuredService) {
+          const message2 = profile.diagnostics.undeclared(diagnosticsContext);
+          this.emit({
+            type: "request_blocked",
+            timestamp: now(),
+            service: profile.service,
+            code: "ARCHAL_UNDECLARED_SERVICE",
+            url: sourceUrl.toString(),
+            message: message2
+          });
+          return {
+            kind: "block",
+            service: profile.service,
+            code: "ARCHAL_UNDECLARED_SERVICE",
+            message: message2
+          };
+        }
+        const targetUrl = mergeUrl(configuredService, sourceUrl, profile);
+        this.emit({
+          type: "request_routed",
+          timestamp: now(),
+          service: profile.service,
+          sourceUrl: sourceUrl.toString(),
+          targetUrl: targetUrl.toString()
+        });
+        return {
+          kind: "route",
+          service: profile.service,
+          targetUrl
+        };
+      }
+      if (classification === "hard-fail") {
+        const code = configuredService ? "ARCHAL_DECLARED_SERVICE_ESCAPE" : "ARCHAL_UNDECLARED_SERVICE";
+        const message2 = configuredService ? profile.diagnostics.declaredEscape(diagnosticsContext) : profile.diagnostics.undeclared(diagnosticsContext);
+        this.emit({
+          type: "request_blocked",
+          timestamp: now(),
+          service: profile.service,
+          code,
+          url: sourceUrl.toString(),
+          message: message2
+        });
+        return {
+          kind: "block",
+          service: profile.service,
+          code,
+          message: message2
+        };
+      }
+      const message = profile.diagnostics.warning(diagnosticsContext);
+      this.emit({
+        type: "request_warning",
+        timestamp: now(),
+        service: profile.service,
+        url: sourceUrl.toString(),
+        message
+      });
+      return {
+        kind: "warn",
+        service: profile.service,
+        message
+      };
+    }
+    for (const profile of SHARED_SERVICE_PROFILES) {
+      const classification = classifyHostname(profile, hostname);
+      if (classification === "ignore") {
+        continue;
+      }
+      const configuredService = this.servicesByName.get(profile.service);
+      const diagnosticsContext = {
+        service: profile.service,
+        hostname,
+        url: sourceUrl.toString(),
+        configuredBaseUrl: configuredService?.baseUrl
+      };
+      const code = configuredService ? "ARCHAL_DECLARED_SERVICE_ESCAPE" : "ARCHAL_UNDECLARED_SERVICE";
+      const message = configuredService ? profile.diagnostics.declaredEscape(diagnosticsContext) : profile.diagnostics.undeclared(diagnosticsContext);
+      this.emit({
+        type: "request_blocked",
+        timestamp: now(),
+        service: profile.service,
+        code,
+        url: sourceUrl.toString(),
+        message
+      });
+      return {
+        kind: "block",
+        service: profile.service,
+        code,
+        message
+      };
+    }
+    return { kind: "allow" };
+  }
+  dispatchRequest(originalHttpRequest, originalHttpsRequest, defaultProtocol, args) {
+    const { requestUrl, options, callback } = parseRequestArgs(defaultProtocol, args);
+    const decision = this.evaluateRequest(requestUrl);
+    const method = typeof options.method === "string" && options.method.trim().length > 0 ? options.method.trim().toUpperCase() : "GET";
+    if (decision.kind === "block") {
+      this.traceRequest({
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "none",
+        outcome: "blocked",
+        reason: decision.code === "ARCHAL_UNDECLARED_SERVICE" ? "blocked_undeclared" : "blocked_escape"
+      });
+      throw new RouteRuntimePolicyError({
+        code: decision.code,
+        service: decision.service,
+        url: requestUrl.toString(),
+        message: decision.message
+      });
+    }
+    if (decision.kind === "warn") {
+      const code = blockedWarningCode(decision, this.servicesByName);
+      this.traceRequest({
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "none",
+        outcome: "blocked",
+        reason: code === "ARCHAL_UNDECLARED_SERVICE" ? "blocked_undeclared" : "blocked_escape"
+      });
+      throw new RouteRuntimePolicyError({
+        code,
+        service: decision.service,
+        url: requestUrl.toString(),
+        message: decision.message
+      });
+    }
+    if (decision.kind !== "route") {
+      const request = Reflect.apply(
+        defaultProtocol === DEFAULT_HTTPS_PROTOCOL ? originalHttpsRequest : originalHttpRequest,
+        defaultProtocol === DEFAULT_HTTPS_PROTOCOL ? httpsModule : httpModule,
+        args
+      );
+      return this.addTraceListeners(request, {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: false,
+        target: "upstream",
+        outcome: "bypassed",
+        reason: "no_match"
+      });
+    }
+    const service = this.servicesByName.get(decision.service);
+    if (!service) {
+      throw new Error(`Missing routed service config for ${decision.service}.`);
+    }
+    const rewrittenArgs = buildPatchedArgs(
+      decision.targetUrl,
+      options,
+      service,
+      defaultProtocol,
+      wrapRoutedResponseCallback(callback)
+    );
+    if (decision.targetUrl.protocol === DEFAULT_HTTP_PROTOCOL) {
+      const request = bridgeSecureConnectIfNeeded(
+        Reflect.apply(originalHttpRequest, httpModule, rewrittenArgs),
+        defaultProtocol,
+        decision.targetUrl.protocol
+      );
+      return this.addTraceListeners(request, {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "twin",
+        outcome: "routed",
+        reason: "route",
+        targetUrl: decision.targetUrl.toString()
+      });
+    }
+    return this.addTraceListeners(
+      Reflect.apply(originalHttpsRequest, httpsModule, rewrittenArgs),
+      {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "twin",
+        outcome: "routed",
+        reason: "route",
+        targetUrl: decision.targetUrl.toString()
+      }
+    );
+  }
+  dispatchGet(originalHttpGet, originalHttpsGet, defaultProtocol, args) {
+    const { requestUrl, options, callback } = parseRequestArgs(defaultProtocol, args);
+    const decision = this.evaluateRequest(requestUrl);
+    const method = typeof options.method === "string" && options.method.trim().length > 0 ? options.method.trim().toUpperCase() : "GET";
+    if (decision.kind === "block") {
+      this.traceRequest({
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "none",
+        outcome: "blocked",
+        reason: decision.code === "ARCHAL_UNDECLARED_SERVICE" ? "blocked_undeclared" : "blocked_escape"
+      });
+      throw new RouteRuntimePolicyError({
+        code: decision.code,
+        service: decision.service,
+        url: requestUrl.toString(),
+        message: decision.message
+      });
+    }
+    if (decision.kind === "warn") {
+      const code = blockedWarningCode(decision, this.servicesByName);
+      this.traceRequest({
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "none",
+        outcome: "blocked",
+        reason: code === "ARCHAL_UNDECLARED_SERVICE" ? "blocked_undeclared" : "blocked_escape"
+      });
+      throw new RouteRuntimePolicyError({
+        code,
+        service: decision.service,
+        url: requestUrl.toString(),
+        message: decision.message
+      });
+    }
+    if (decision.kind !== "route") {
+      const request = Reflect.apply(
+        defaultProtocol === DEFAULT_HTTPS_PROTOCOL ? originalHttpsGet : originalHttpGet,
+        defaultProtocol === DEFAULT_HTTPS_PROTOCOL ? httpsModule : httpModule,
+        args
+      );
+      return this.addTraceListeners(request, {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: false,
+        target: "upstream",
+        outcome: "bypassed",
+        reason: "no_match"
+      });
+    }
+    const service = this.servicesByName.get(decision.service);
+    if (!service) {
+      throw new Error(`Missing routed service config for ${decision.service}.`);
+    }
+    const rewrittenArgs = buildPatchedArgs(
+      decision.targetUrl,
+      options,
+      service,
+      defaultProtocol,
+      wrapRoutedResponseCallback(callback)
+    );
+    if (decision.targetUrl.protocol === DEFAULT_HTTP_PROTOCOL) {
+      const request = bridgeSecureConnectIfNeeded(
+        Reflect.apply(originalHttpGet, httpModule, rewrittenArgs),
+        defaultProtocol,
+        decision.targetUrl.protocol
+      );
+      return this.addTraceListeners(request, {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "twin",
+        outcome: "routed",
+        reason: "route",
+        targetUrl: decision.targetUrl.toString()
+      });
+    }
+    return this.addTraceListeners(
+      Reflect.apply(originalHttpsGet, httpsModule, rewrittenArgs),
+      {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "twin",
+        outcome: "routed",
+        reason: "route",
+        targetUrl: decision.targetUrl.toString()
+      }
+    );
+  }
+  emit(event) {
+    this.events.push(event);
+    this.onEvent?.(event);
+  }
+  addTraceListeners(request, record) {
+    if (record.target === "twin") {
+      request.once("response", sanitizeIncomingResponseHeaders);
+    }
+    let settled = false;
+    if (this.traceEnabled) {
+      request.once("response", (response) => {
+        settled = true;
+        this.traceRequest({
+          ...record,
+          statusCode: response.statusCode,
+          statusText: response.statusMessage
+        });
+      });
+    }
+    request.once("error", (error) => {
+      if (this.traceEnabled && !settled) {
+        this.traceRequest({
+          ...record,
+          outcome: "failed",
+          reason: "network_error",
+          error: record.target === "twin" ? CLIENT_VISIBLE_BLOCKED_REQUEST_MESSAGE : error.message
+        });
+      }
+      if (record.target === "twin") {
+        sanitizeClientVisibleNetworkError(error);
+      }
+    });
+    return request;
+  }
+  traceRequest(record) {
+    if (!this.traceEnabled) {
+      return;
+    }
+    const traceRecord = {
+      timestamp: now(),
+      ...record,
+      method: record.method.toUpperCase()
+    };
+    this.traceRecords.push(traceRecord);
+    this.onTrace?.(traceRecord);
+  }
+};
+
+// ../route-runtime-core/src/routing-policy.ts
+import { isIP } from "net";
+var ROUTE_RUNTIME_PROXY_ROUTE_KINDS = [
+  "api",
+  "mcp",
+  "rest",
+  "state",
+  "trace",
+  "tools",
+  "health",
+  "events",
+  "webhooks",
+  "graphql"
+];
+var ROUTE_RUNTIME_PUBLIC_ROUTE_KINDS = [
+  "api",
+  "mcp",
+  "rest",
+  "graphql"
+];
+var ROUTE_RUNTIME_CONTROL_ROUTE_KINDS = [
+  "state",
+  "trace",
+  "tools",
+  "health",
+  "events",
+  "webhooks"
+];
+var ROUTE_RUNTIME_PROXY_ROUTE_KIND_SET = new Set(ROUTE_RUNTIME_PROXY_ROUTE_KINDS);
+var ROUTE_RUNTIME_PUBLIC_ROUTE_KIND_SET = new Set(ROUTE_RUNTIME_PUBLIC_ROUTE_KINDS);
+var ROUTE_RUNTIME_CONTROL_ROUTE_KIND_SET = new Set(ROUTE_RUNTIME_CONTROL_ROUTE_KINDS);
+var ROUTE_RUNTIME_DISPATCHING_ROUTE_KINDS = new Set(ROUTE_RUNTIME_PUBLIC_ROUTE_KINDS);
+
+// ../route-runtime-core/src/service-profiles/stripe.ts
+var stripeCompatibilityProfile = buildServiceCompatibilityProfile(stripeRouteManifest);
+
+// ../../clones/core/dist/chunk-FBW6QFHJ.js
+var manifest_default = [
+  {
+    name: "apify",
+    package: "@archal/clone-apify",
+    path: "clones/apify",
+    stage: "preview",
+    display: {
+      icon: "AP",
+      name: "Apify",
+      description: "Actors, runs, datasets, key-value stores, and request queues.",
+      toolCount: 59
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.apify.com"
+        },
+        {
+          domain: "apify.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "clone-surface"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Storage/admin state uses StateEngine, but REST behavior still depends on Apify-specific upstream envelopes, fixture fallbacks, and stateful storage projections owned by upstream.ts.",
+      domainPrimitives: [
+        "Apify upstream error and pagination envelopes",
+        "dataset, key-value store, and request-queue stateful projections",
+        "fixture-backed fallback semantics for uncovered REST paths"
+      ],
+      behaviorOwner: "src/upstream.ts"
+    }
+  },
+  {
+    name: "box",
+    package: "@archal/clone-box",
+    path: "clones/box",
+    stage: "internal",
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "Current internal Box package is a bootstrap scaffold with no registered tools or REST behavior; promote to standard-core only after file/folder/admin handlers mutate StateEngine and sequence invariants land.",
+      domainPrimitives: [
+        "file and folder hierarchy state",
+        "shared-link and collaboration state",
+        "future change-stream behavior"
+      ],
+      promotionEvidence: [
+        "clones/box/SPEC.md tracks file/folder/admin handlers mutating StateEngine",
+        "clones/box/SPEC.md tracks create/read/update/delete/reset sequence invariants"
+      ]
+    }
+  },
+  {
+    name: "calcom",
+    package: "@archal/clone-calcom",
+    path: "clones/calcom",
+    stage: "preview",
+    display: {
+      icon: "CC",
+      name: "Cal.com",
+      description: "Event types, schedules, availability slots, bookings, calendars, and webhooks.",
+      toolCount: 18
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.cal.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Cal.com relies on availability computation, booking lifecycle, calendar projection, and webhook lifecycle semantics beyond generic CRUD.",
+      domainPrimitives: [
+        "schedule and event-type availability projection",
+        "booking create, cancel, and reschedule lifecycle",
+        "host-wide busy interval and slot computation",
+        "webhook summary/detail lifecycle projection"
+      ],
+      behaviorOwner: "src/state/relationships.ts"
+    }
+  },
+  {
+    name: "clickup",
+    package: "@archal/clone-clickup",
+    path: "clones/clickup",
+    stage: "preview",
+    display: {
+      icon: "CU",
+      name: "ClickUp",
+      description: "Teams, spaces, folders, lists, tasks, comments, tags, time tracking, and checklists.",
+      toolCount: 40
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.clickup.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "standard-core",
+      summary: "Current task/project/comment workflows are modeled as mutable records plus relationships."
+    }
+  },
+  {
+    name: "customerio",
+    package: "@archal/clone-customerio",
+    path: "clones/customerio",
+    stage: "preview",
+    display: {
+      icon: "CI",
+      name: "Customer.io",
+      description: "Messaging automation across campaigns, broadcasts, transactional email, segments, customers, and message delivery.",
+      toolCount: 22
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.customer.io"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "clone-surface"
+    },
+    architecture: {
+      class: "standard-core",
+      summary: "Current preview slice models campaigns, broadcasts, segments, customers, triggers, and message delivery as deterministic StateEngine records; Track API, webhook delivery, and real audience projection are not claimed."
+    }
+  },
+  {
+    name: "datadog",
+    package: "@archal/clone-datadog",
+    path: "clones/datadog",
+    stage: "preview",
+    display: {
+      icon: "DD",
+      name: "Datadog",
+      description: "Observability REST API \u2014 metrics, logs, monitors, dashboards, SLOs, incidents, teams, users, and service definitions.",
+      toolCount: 63
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.datadoghq.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "clone-surface"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Observability behavior depends on time-windowed queries and monitor state, so REST routes must stay thin over DatadogSimulator.",
+      domainPrimitives: [
+        "time-series query windows",
+        "log query filtering",
+        "monitor evaluation and alert state"
+      ],
+      behaviorOwner: "src/domain/simulator.ts"
+    }
+  },
+  {
+    name: "discord",
+    package: "@archal/clone-discord",
+    path: "clones/discord",
+    stage: "preview",
+    display: {
+      icon: "DC",
+      name: "Discord",
+      description: "Guilds, channels, messages, webhooks, threads, commands, and interaction responses.",
+      toolCount: 67
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "discord.com"
+        },
+        {
+          domain: "discordapp.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "small-server"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Chat correctness depends on channel/message/thread ordering, membership visibility, and event delivery.",
+      domainPrimitives: [
+        "channel membership",
+        "message timeline ordering",
+        "thread and event delivery semantics"
+      ],
+      behaviorOwner: "src/domain/discord-simulator.ts"
+    },
+    inferenceKeywords: [
+      "discord",
+      "guild",
+      "text channel",
+      "thread",
+      "webhook",
+      "slash command"
+    ]
+  },
+  {
+    name: "dropbox",
+    package: "@archal/clone-dropbox",
+    path: "clones/dropbox",
+    stage: "internal",
+    transport: "mcp",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "A faithful Dropbox surface depends on file tree, revision, sharing, and delta/list-folder cursor semantics.",
+      domainPrimitives: [
+        "file tree and revisions",
+        "sharing permissions",
+        "delta/list-folder cursors"
+      ],
+      behaviorOwner: "src/domain/files.ts"
+    }
+  },
+  {
+    name: "figma",
+    package: "@archal/clone-figma",
+    path: "clones/figma",
+    stage: "internal",
+    transport: "mcp",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "standard-core",
+      summary: "Current internal Figma slice is treated as deterministic file/project records; live collaboration semantics are not claimed."
+    }
+  },
+  {
+    name: "firecrawl",
+    package: "@archal/clone-firecrawl",
+    path: "clones/firecrawl",
+    stage: "internal",
+    display: {
+      icon: "FC",
+      name: "Firecrawl",
+      description: "Scraping, crawling, mapping, search, and extraction.",
+      toolCount: 6
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "Current Firecrawl surface is recorded-response replay with request-key matching; crawling engine behavior is not modeled yet.",
+      domainPrimitives: [
+        "recording-backed scrape/search/map response replay",
+        "request key canonicalization",
+        "future crawl/job lifecycle simulator"
+      ],
+      promotionEvidence: [
+        "clones/firecrawl/SPEC.md tracks crawl/job lifecycle state model",
+        "clones/firecrawl/SPEC.md tracks runtime recording-backed handlers replaced by state-derived crawl/job responses",
+        "clones/firecrawl/SPEC.md tracks status/progress/replay determinism invariants"
+      ]
+    }
+  },
+  {
+    name: "freshdesk",
+    package: "@archal/clone-freshdesk",
+    path: "clones/freshdesk",
+    stage: "internal",
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "Current internal Freshdesk package is a bootstrap scaffold with no registered tools or REST behavior; promote to standard-core only after ticket/contact/conversation handlers mutate StateEngine and sequence invariants land.",
+      domainPrimitives: [
+        "ticket status transitions",
+        "contact and company records",
+        "conversation and note history"
+      ],
+      promotionEvidence: [
+        "clones/freshdesk/SPEC.md tracks runtime recording-backed handlers replaced by state-derived ticket/contact/conversation handlers",
+        "clones/freshdesk/SPEC.md tracks ticket/contact/conversation handlers mutating StateEngine",
+        "clones/freshdesk/SPEC.md tracks comment/status/read-after-write/reset sequence invariants"
+      ]
+    }
+  },
+  {
+    name: "github",
+    package: "@archal/clone-github",
+    path: "clones/github",
+    stage: "public",
+    display: {
+      icon: "GH",
+      name: "GitHub",
+      description: "Repos, issues, pull requests, branches, and commits.",
+      toolCount: 26
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.github.com"
+        },
+        {
+          domain: "uploads.github.com"
+        },
+        {
+          domain: "github.com"
+        },
+        {
+          domain: "raw.githubusercontent.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "small-project"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "GitHub relies on repository, issue, pull-request, review, workflow, permission, and webhook semantics beyond generic CRUD.",
+      domainPrimitives: [
+        "repository branch, commit, tree, and diff projection",
+        "issue and pull-request lifecycle projection",
+        "review, comment, and status/check aggregation",
+        "permission-scoped reads and webhook event delivery"
+      ],
+      behaviorOwner: "src/state/transition-rules.ts"
+    },
+    inferenceKeywords: [
+      "github",
+      "repository",
+      "pull request",
+      "issue",
+      "create_issue",
+      "create_pull_request",
+      "merge_pull_request"
+    ]
+  },
+  {
+    name: "gitlab",
+    package: "@archal/clone-gitlab",
+    path: "clones/gitlab",
+    stage: "preview",
+    display: {
+      icon: "GL",
+      name: "GitLab",
+      description: "Projects, branches, commits, issues, merge requests, pipelines, labels, milestones, releases, and webhooks.",
+      toolCount: 46
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "gitlab.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Current GitLab workflows combine StateEngine records with GitLab-specific repository, issue, merge-request, note, webhook, and event-delivery semantics.",
+      domainPrimitives: [
+        "issue and merge-request state transitions",
+        "note/comment ordering and count projection",
+        "repository branch, commit, merge, and diff projection",
+        "GitLab webhook subscription, payload, and header emission"
+      ],
+      behaviorOwner: "src/state/webhook-delivery-config.ts"
+    }
+  },
+  {
+    name: "google-workspace",
+    package: "@archal/clone-google-workspace",
+    path: "clones/google-workspace",
+    stage: "preview",
+    display: {
+      icon: "GW",
+      name: "Google Workspace",
+      description: "Gmail, Calendar, Drive, Sheets, and Contacts.",
+      toolCount: 249
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "gmail.googleapis.com"
+        },
+        {
+          domain: "drive.googleapis.com"
+        },
+        {
+          domain: "calendar.googleapis.com"
+        },
+        {
+          domain: "people.googleapis.com"
+        },
+        {
+          domain: "sheets.googleapis.com"
+        },
+        {
+          domain: "oauth2.googleapis.com"
+        },
+        {
+          domain: "www.googleapis.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "assistant-baseline"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Gmail, Drive, Calendar, and watches rely on histories, change feeds, recurrence, sync tokens, and permission projection.",
+      domainPrimitives: [
+        "Gmail thread/history engine",
+        "Drive changes and permissions",
+        "Calendar recurrence and watch sync"
+      ],
+      behaviorOwner: "src/domain/google-workspace-simulator.ts"
+    },
+    inferenceKeywords: [
+      "google workspace",
+      "gmail",
+      "google calendar",
+      "calendar event",
+      "inbox",
+      "email draft",
+      "google drive",
+      "google sheet",
+      "google sheets",
+      "contacts"
+    ]
+  },
+  {
+    name: "hubspot",
+    package: "@archal/clone-hubspot",
+    path: "clones/hubspot",
+    stage: "preview",
+    display: {
+      icon: "HS",
+      name: "HubSpot",
+      description: "CRM contacts, companies, deals, tickets, and engagements.",
+      toolCount: 41
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.hubapi.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "clone-surface"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "HubSpot has a stateful CRM overlay, but the exported REST/MCP surface still includes broad runtime recording replay.",
+      domainPrimitives: [
+        "CRM object state and associations",
+        "Pipeline and property schema state",
+        "Recording-backed REST/MCP aliases awaiting stateful lift"
+      ],
+      promotionEvidence: [
+        "clones/hubspot/SPEC.md tracks runtime recording reads removed from exported handlers",
+        "clones/hubspot/SPEC.md tracks CRM alias and association sequence invariants"
+      ]
+    }
+  },
+  {
+    name: "jira",
+    package: "@archal/clone-jira",
+    path: "clones/jira",
+    stage: "preview",
+    display: {
+      icon: "JR",
+      name: "Jira",
+      description: "Issues, projects, boards, sprints, and versions.",
+      toolCount: 49
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "atlassian.net",
+          matchSubdomains: true
+        },
+        {
+          domain: "api.atlassian.com"
+        },
+        {
+          domain: "jira.atlassian.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "small-project"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Jira relies on issue workflow, JQL/search, sprint/version timelines, permission projection, history, and webhook semantics beyond generic CRUD.",
+      domainPrimitives: [
+        "issue workflow transitions and mutation history",
+        "JQL/search and issue field projection",
+        "sprint, board, version, and SLA time-based transitions",
+        "permission-scoped reads and Jira webhook event delivery"
+      ],
+      behaviorOwner: "src/state/transition-rules.ts"
+    },
+    inferenceKeywords: [
+      "jira",
+      "jira sprint",
+      "jira epic",
+      "jira board",
+      "sprint",
+      "epic"
+    ]
+  },
+  {
+    name: "linear",
+    package: "@archal/clone-linear",
+    path: "clones/linear",
+    stage: "public",
+    display: {
+      icon: "LN",
+      name: "Linear",
+      description: "Issues, projects, teams, cycles, and workflows.",
+      toolCount: 50
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.linear.app"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "small-team"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Current Linear workflows combine deterministic records with Linear-specific GraphQL dispatch, validation, issue workflow transitions, comments, cycles, and derived projections.",
+      domainPrimitives: [
+        "GraphQL operation dispatch",
+        "issue workflow transitions",
+        "comment and history projection",
+        "cycle and project progress projection"
+      ],
+      behaviorOwner: "src/rest/graphql-dispatch.ts"
+    },
+    inferenceKeywords: [
+      "linear",
+      "linear ticket",
+      "linear project",
+      "linear cycle",
+      "cycle"
+    ]
+  },
+  {
+    name: "mailchimp",
+    package: "@archal/clone-mailchimp",
+    path: "clones/mailchimp",
+    stage: "internal",
+    transport: "mcp",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "standard-core",
+      summary: "Current internal Mailchimp slice models lists, members, merge fields, segments, campaign content, and campaign status as deterministic StateEngine records; send delivery, reports, and real audience activity history are not claimed."
+    }
+  },
+  {
+    name: "ownerrez",
+    package: "@archal/clone-ownerrez",
+    path: "clones/ownerrez",
+    stage: "preview",
+    display: {
+      icon: "OR",
+      name: "OwnerRez",
+      description: "Vacation-rental PMS \u2014 properties, bookings, guests, quotes, financial reads, tags, fields, and webhook subscriptions.",
+      toolCount: 25
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.ownerrez.com"
+        },
+        {
+          domain: "ownerrez.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "clone-surface"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "OwnerRez is primarily recording-replay backed with focused stateful overlays; it should not be treated as a general PMS simulator.",
+      domainPrimitives: [
+        "recording replay cursor",
+        "tag and guest stateful overlays",
+        "booking/payment read projections"
+      ],
+      promotionEvidence: [
+        "clones/ownerrez/SPEC.md tracks reservation or payment lifecycle state model",
+        "clones/ownerrez/SPEC.md tracks runtime recording-backed handlers replaced for the promoted reservation/payment slice",
+        "clones/ownerrez/SPEC.md tracks availability/payment invariants"
+      ]
+    }
+  },
+  {
+    name: "posthog",
+    package: "@archal/clone-posthog",
+    path: "clones/posthog",
+    stage: "internal",
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "redesign-before-expansion",
+      summary: "PostHog currently models admin resources and frozen insight/dashboard projections; event ingestion, query execution, and feature flag evaluation need a simulator contract before expansion.",
+      domainPrimitives: ["event ingestion", "query execution", "feature flag evaluation"],
+      redesignContract: "docs/internal/dev/clones/redesign-contracts/posthog.md"
+    }
+  },
+  {
+    name: "pricelabs",
+    package: "@archal/clone-pricelabs",
+    path: "clones/pricelabs",
+    stage: "preview",
+    display: {
+      icon: "PL",
+      name: "PriceLabs",
+      description: "Dynamic pricing \u2014 listings, overrides, neighborhood data, rate plans, and reservations.",
+      toolCount: 11
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.pricelabs.co"
+        },
+        {
+          domain: "pricelabs.co"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "clone-surface"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "PriceLabs remains a replay-shell-plus-overlay surface until pricing/listing/reservation state is fully modeled.",
+      domainPrimitives: [
+        "recording replay cursor",
+        "listing settings overlay",
+        "pricing and reservation projections"
+      ],
+      promotionEvidence: [
+        "clones/pricelabs/SPEC.md tracks pricing calendar or reservation lifecycle state model",
+        "clones/pricelabs/SPEC.md tracks runtime recording-backed handlers replaced for the promoted pricing/reservation slice",
+        "clones/pricelabs/SPEC.md tracks occupancy/rate/replay determinism invariants"
+      ]
+    }
+  },
+  {
+    name: "quickbooks",
+    package: "@archal/clone-quickbooks",
+    path: "clones/quickbooks",
+    stage: "internal",
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "QuickBooks serves a recording-backed REST/MCP surface; it cannot safely expand as CRUD because accounting correctness depends on ledgers, balances, and immutable audit history.",
+      domainPrimitives: [
+        "ledger entries",
+        "balance reconciliation",
+        "invoice/payment audit history",
+        "recording-backed REST/MCP surface awaiting stateful lift"
+      ],
+      promotionEvidence: [
+        "clones/quickbooks/SPEC.md tracks runtime recording reads removed from exported handlers",
+        "clones/quickbooks/SPEC.md tracks ledger -> balance and payment/refund -> reversal sequence invariants"
+      ]
+    }
+  },
+  {
+    name: "ramp",
+    package: "@archal/clone-ramp",
+    path: "clones/ramp",
+    stage: "preview",
+    display: {
+      icon: "RP",
+      name: "Ramp",
+      description: "Cards, funds, expenses, reimbursements, bills, and travel.",
+      toolCount: 46
+    },
+    transport: "mcp",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.ramp.com"
+        },
+        {
+          domain: "app.ramp.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "default"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "Ramp is CLI-native and fixture-scoped with seeded state overlays; it is not a broad state-derived Ramp or finance simulator.",
+      domainPrimitives: [
+        "checked-in Ramp CLI fixture corpus",
+        "CLI-native command routing",
+        "seeded approval and comment overlays"
+      ],
+      promotionEvidence: [
+        "clones/ramp/SPEC.md tracks state-derived Ramp vertical slice beyond fixture replay",
+        "clones/ramp/SPEC.md tracks approval/comment/CLI reset sequence invariants"
+      ]
+    },
+    inferenceKeywords: [
+      "ramp",
+      "bill",
+      "expense",
+      "reimbursement",
+      "fund",
+      "card spend"
+    ]
+  },
+  {
+    name: "sendgrid",
+    package: "@archal/clone-sendgrid",
+    path: "clones/sendgrid",
+    stage: "internal",
+    display: {
+      icon: "SG",
+      name: "SendGrid",
+      description: "Internal replay evidence for account, scopes, templates, suppressions, tracking, mail settings, alerts, and sender authentication.",
+      toolCount: 26
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.sendgrid.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "SendGrid is internal replay evidence only; send/event/suppression behavior and stateful account-setting invariants are not modeled yet.",
+      domainPrimitives: [
+        "recorded account and settings reads",
+        "mail send state",
+        "event and suppression history"
+      ],
+      promotionEvidence: [
+        "clones/sendgrid/SPEC.md tracks send/event/suppression state model",
+        "clones/sendgrid/SPEC.md tracks runtime recording-backed handlers replaced for send/event/suppression behavior",
+        "clones/sendgrid/SPEC.md tracks send-to-event and suppression replay invariants"
+      ]
+    }
+  },
+  {
+    name: "sentry",
+    package: "@archal/clone-sentry",
+    path: "clones/sentry",
+    stage: "preview",
+    display: {
+      icon: "SN",
+      name: "Sentry",
+      description: "Error monitoring across organizations, projects, teams, issues, events, releases, and DSN keys.",
+      toolCount: 25
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "sentry.io"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "clone-surface"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Error-monitoring behavior depends on event grouping, issue state, releases, and time-windowed queries.",
+      domainPrimitives: [
+        "event grouping",
+        "issue state transitions",
+        "release and time-window projections"
+      ],
+      behaviorOwner: "src/domain/sentry-simulator.ts"
+    }
+  },
+  {
+    name: "slack",
+    package: "@archal/clone-slack",
+    path: "clones/slack",
+    stage: "public",
+    display: {
+      icon: "SL",
+      name: "Slack",
+      description: "Channels, messages, threads, users, and reactions.",
+      toolCount: 9
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "slack.com"
+        },
+        {
+          domain: "api.slack.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "engineering-team"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Slack behavior depends on message timelines, threads, channel membership, permissions, and delivery semantics.",
+      domainPrimitives: [
+        "channel membership and visibility",
+        "message/thread ordering",
+        "event delivery semantics"
+      ],
+      behaviorOwner: "src/domain/slack-simulator.ts"
+    },
+    inferenceKeywords: [
+      "slack",
+      "slack channel",
+      "send_message",
+      "slack message",
+      "direct message"
+    ]
+  },
+  {
+    name: "stripe",
+    package: "@archal/clone-stripe",
+    path: "clones/stripe",
+    stage: "preview",
+    display: {
+      icon: "ST",
+      name: "Stripe",
+      description: "Customers, payments, subscriptions, invoices, and refunds.",
+      toolCount: 28
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.stripe.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "small-business"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Payment behavior depends on ledgers, object lifecycle, webhooks, balances, and idempotency semantics.",
+      domainPrimitives: [
+        "payment object lifecycle",
+        "balance and ledger projection",
+        "webhook/idempotency semantics"
+      ],
+      behaviorOwner: "src/domain/stripe-simulator.ts"
+    },
+    inferenceKeywords: [
+      "stripe",
+      "payment",
+      "refund",
+      "subscription",
+      "invoice",
+      "charge"
+    ]
+  },
+  {
+    name: "woocommerce",
+    package: "@archal/clone-woocommerce",
+    path: "clones/woocommerce",
+    stage: "internal",
+    display: {
+      icon: "WC",
+      name: "WooCommerce",
+      description: "Preview, coverage pending: products, customers, orders, coupons, categories, payment gateways, shipping zones, and taxes.",
+      toolCount: 24
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "demo"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "standard-core",
+      summary: "Current internal commerce slice is product/order/customer records; payment/fulfillment ledgers are not claimed."
+    }
+  },
+  {
+    name: "supabase",
+    package: "@archal/clone-supabase",
+    path: "clones/supabase",
+    stage: "public",
+    display: {
+      icon: "SB",
+      name: "Supabase",
+      description: "SQL, migrations, logs, branches, and project metadata.",
+      toolCount: 29
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "supabase.co",
+          matchSubdomains: true
+        },
+        {
+          domain: "api.supabase.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "small-project"
+    },
+    smoke: {
+      production: "health-and-seed"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Supabase already requires and uses a Postgres/query/realtime simulator beside clone-core.",
+      domainPrimitives: [
+        "Postgres schema and SQL execution",
+        "RLS and API projections",
+        "realtime row changes"
+      ],
+      behaviorOwner: "src/pg-engine.ts"
+    },
+    inferenceKeywords: [
+      "supabase",
+      "database",
+      "sql query",
+      "database table",
+      "sql"
+    ]
+  },
+  {
+    name: "tavily",
+    package: "@archal/clone-tavily",
+    path: "clones/tavily",
+    stage: "preview",
+    display: {
+      icon: "TV",
+      name: "Tavily",
+      description: "Search, extract, crawl, map, research, usage, and API key operations.",
+      toolCount: 11
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.tavily.com"
+        },
+        {
+          domain: "tavily.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "clone-surface"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "Tavily mixes deterministic search/extract helpers with runtime recording replay for REST/tool parity; treat it as replay-backed until all supported responses are state-derived.",
+      domainPrimitives: [
+        "recording-backed REST/tool response replay",
+        "deterministic search/extract response helpers",
+        "research request state overlay"
+      ],
+      promotionEvidence: [
+        "clones/tavily/SPEC.md tracks state-derived response fixtures or query/result simulator",
+        "clones/tavily/SPEC.md tracks runtime recording-backed handlers replaced for the promoted search/extract/research surface",
+        "clones/tavily/SPEC.md tracks search/extract/research replay determinism invariants"
+      ]
+    }
+  },
+  {
+    name: "typeform",
+    package: "@archal/clone-typeform",
+    path: "clones/typeform",
+    stage: "internal",
+    display: {
+      icon: "TF",
+      name: "Typeform",
+      description: "Preview, coverage pending: forms, responses, workspaces, themes, and webhooks.",
+      toolCount: 22
+    },
+    transport: "mcp",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Typeform relies on form response projection, webhook subscription scoping, and signed delivery semantics beyond generic CRUD.",
+      domainPrimitives: [
+        "form response submission projection",
+        "webhook subscription scoping and signing",
+        "responses API and webhook payload consistency"
+      ],
+      behaviorOwner: "src/state/webhook-delivery-config.ts"
+    }
+  },
+  {
+    name: "telegram",
+    package: "@archal/clone-telegram",
+    path: "clones/telegram",
+    stage: "internal",
+    display: {
+      icon: "TG",
+      name: "Telegram",
+      description: "Bot messages, chats, updates, and webhooks.",
+      toolCount: 32
+    },
+    transport: "both",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "domain-simulator",
+      summary: "Telegram behavior depends on outbound message timelines, getUpdates ordering/filtering, bot configuration, and webhook registration state.",
+      domainPrimitives: [
+        "outbound message and update ordering",
+        "bot configuration state",
+        "webhook registration state"
+      ],
+      behaviorOwner: "src/domain/telegram-simulator.ts"
+    }
+  },
+  {
+    name: "twilio",
+    package: "@archal/clone-twilio",
+    path: "clones/twilio",
+    stage: "internal",
+    display: {
+      icon: "TW",
+      name: "Twilio",
+      description: "Messages, calls, phone numbers, and verifications.",
+      toolCount: 35
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: false,
+      bundleToolSnapshot: false
+    },
+    routeProxy: {
+      enabled: false,
+      domains: []
+    },
+    seeds: {
+      generatedCatalog: false,
+      default: "empty"
+    },
+    smoke: {
+      production: "none"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "Twilio is still a recording-backed REST shell with a narrow stateful free-resource overlay, not a broad communications simulator.",
+      domainPrimitives: [
+        "recording-backed REST route replay",
+        "Keys, SigningKeys, Applications, and Queues overlay",
+        "future message/call/conversation lifecycle simulator"
+      ],
+      promotionEvidence: [
+        "clones/twilio/SPEC.md tracks message or call lifecycle state model",
+        "clones/twilio/SPEC.md tracks runtime recording-backed handlers replaced for the promoted message/call slice",
+        "clones/twilio/SPEC.md tracks delivery/status/webhook sequence invariants"
+      ]
+    }
+  },
+  {
+    name: "unipile",
+    package: "@archal/clone-unipile",
+    path: "clones/unipile",
+    stage: "preview",
+    display: {
+      icon: "UP",
+      name: "Unipile",
+      description: "LinkedIn and email messaging, accounts, and chats.",
+      toolCount: 31
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.unipile.com"
+        },
+        {
+          domain: "unipile.com",
+          matchSubdomains: true
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "clone-surface"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "Unipile is currently an authenticated REST replay surface with one approved stateful WhatsApp send mutation, not a broad provider messaging simulator.",
+      domainPrimitives: [
+        "authenticated account and chat reads",
+        "single WhatsApp send mutation",
+        "future account, chat, and webhook simulator"
+      ],
+      promotionEvidence: [
+        "clones/unipile/SPEC.md tracks chat timeline state model",
+        "clones/unipile/SPEC.md tracks runtime recording-backed handlers replaced for the promoted chat/provider surface",
+        "clones/unipile/SPEC.md tracks send/delivery/read/webhook sequence invariants"
+      ]
+    }
+  },
+  {
+    name: "webflow",
+    package: "@archal/clone-webflow",
+    path: "clones/webflow",
+    stage: "preview",
+    display: {
+      icon: "WF",
+      name: "Webflow",
+      description: "Sites, pages, CMS collections, items, assets, forms, and webhooks.",
+      toolCount: 19
+    },
+    transport: "rest",
+    hostedRuntime: {
+      enabled: true,
+      requiresDist: true,
+      requiresEmptySeed: true
+    },
+    cli: {
+      bundleAssets: true,
+      bundleToolSnapshot: true
+    },
+    routeProxy: {
+      enabled: true,
+      domains: [
+        {
+          domain: "api.webflow.com"
+        },
+        {
+          domain: "webflow.com"
+        }
+      ]
+    },
+    seeds: {
+      generatedCatalog: true,
+      default: "empty"
+    },
+    smoke: {
+      production: "clone-surface"
+    },
+    architecture: {
+      class: "replay-shell",
+      summary: "Webflow is recording-replay backed with focused CMS stateful overlays; it should not be treated as a full Webflow behavior engine.",
+      domainPrimitives: [
+        "recording replay cursor",
+        "CMS collection/item overlays",
+        "publish lifecycle captures"
+      ],
+      promotionEvidence: [
+        "clones/webflow/SPEC.md tracks staged/live publish projection state model",
+        "clones/webflow/SPEC.md tracks runtime recording-backed handlers replaced for the promoted publish/CMS surface",
+        "clones/webflow/SPEC.md tracks CMS publish/reset sequence invariants"
+      ]
+    }
+  }
+];
+var CLONE_MANIFEST = manifest_default;
+var CLONE_NAMES = CLONE_MANIFEST.map((t) => t.name);
+var CLONE_PACKAGES = CLONE_MANIFEST.map((t) => t.package);
+
+// ../../clones/core/dist/chunk-SXNWBK3S.js
+var CLONE_PREFIX_PATTERN = new RegExp(`^(${CLONE_NAMES.join("|")})_`, "i");
+
+// ../../clones/core/dist/chunk-EZKTFYZI.js
+var CLONE_STAGES = ["wip", "internal", "preview", "public", "retired"];
+var CLONE_TRANSPORTS = ["mcp", "rest", "both"];
+var CLONE_SMOKE_PROFILES = ["none", "health-and-seed", "clone-surface"];
+var STARTABLE_CLONE_STAGES = ["public", "preview"];
+var CATALOG_VISIBLE_CLONE_STAGES = ["public", "preview"];
+var CLONE_STAGE_SET = new Set(CLONE_STAGES);
+var CLONE_TRANSPORT_SET = new Set(CLONE_TRANSPORTS);
+var CLONE_SMOKE_PROFILE_SET = new Set(CLONE_SMOKE_PROFILES);
+var STARTABLE_CLONE_STAGE_SET = new Set(STARTABLE_CLONE_STAGES);
+var CATALOG_VISIBLE_CLONE_STAGE_SET = new Set(CATALOG_VISIBLE_CLONE_STAGES);
+
+// ../../clones/core/dist/chunk-ENO6SYMV.js
+var CLONE_ARCHITECTURE_CLASSES = [
+  "standard-core",
+  "domain-simulator",
+  "replay-shell",
+  "redesign-before-expansion"
+];
+var CLONE_ARCHITECTURE_PREVIEW_CLASSES = [
+  "replay-shell",
+  "redesign-before-expansion"
+];
+var CLONE_ARCHITECTURE_CLASS_SET = new Set(CLONE_ARCHITECTURE_CLASSES);
+var CLONE_ARCHITECTURE_PREVIEW_CLASS_SET = new Set(CLONE_ARCHITECTURE_PREVIEW_CLASSES);
+
+// ../../clones/core/dist/chunk-4B2Y764J.js
+var CLONE_RUNTIME_SOURCE_EXTENSIONS = Object.freeze([
+  ".cjs",
+  ".cts",
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".mts",
+  ".ts",
+  ".tsx"
+]);
+var RUNTIME_SOURCE_EXTENSIONS = new Set(CLONE_RUNTIME_SOURCE_EXTENSIONS);
+
+// ../../clones/core/dist/chunk-CDEMQFER.js
+var FIELD_POLICY = {
+  behaviorOwner: {
+    required: /* @__PURE__ */ new Set(["domain-simulator"]),
+    allowed: /* @__PURE__ */ new Set(["domain-simulator"])
+  },
+  domainPrimitives: {
+    required: /* @__PURE__ */ new Set(["domain-simulator", "replay-shell", "redesign-before-expansion"]),
+    allowed: /* @__PURE__ */ new Set(["domain-simulator", "replay-shell", "redesign-before-expansion"])
+  },
+  promotionEvidence: {
+    required: /* @__PURE__ */ new Set(["replay-shell"]),
+    allowed: /* @__PURE__ */ new Set(["replay-shell"])
+  },
+  redesignContract: {
+    required: /* @__PURE__ */ new Set(["redesign-before-expansion"]),
+    allowed: /* @__PURE__ */ new Set(["redesign-before-expansion"])
+  }
+};
+var CLONE_ARCHITECTURE_POLICY_FIELDS = Object.freeze(Object.keys(FIELD_POLICY));
+var CLONE_ARCHITECTURE_MANIFEST_FIELDS = Object.freeze([
+  "class",
+  "summary",
+  ...CLONE_ARCHITECTURE_POLICY_FIELDS
+]);
+var CLONE_ARCHITECTURE_MANIFEST_FIELD_SET = new Set(CLONE_ARCHITECTURE_MANIFEST_FIELDS);
+
+// src/runtime/service-profiles.ts
+function unsupportedServiceMessage(unsupportedServices) {
+  const supportedServices = listSharedRouteManifests().map((manifest) => manifest.service).sort();
+  return [
+    `Unsupported route-mode service${unsupportedServices.length === 1 ? "" : "s"}: ${unsupportedServices.sort().join(", ")}.`,
+    `Supported services in this Vitest adapter: ${supportedServices.join(", ")}.`
+  ].join(" ");
+}
+function assertSupportedArchalVitestServices(services) {
+  const unsupportedServices = Object.entries(services).filter(([, serviceConfig]) => serviceConfig.mode === "route").map(([serviceName]) => serviceName).filter((serviceName) => !getSharedRouteManifest(serviceName));
+  if (unsupportedServices.length === 0) {
+    return;
+  }
+  throw new Error(unsupportedServiceMessage(unsupportedServices));
+}
+function resolveArchalVitestServiceProfiles(services) {
+  const declaredRouteServices = new Set(
+    Object.entries(services).filter(([, serviceConfig]) => serviceConfig.mode === "route").map(([serviceName]) => serviceName)
+  );
+  const profiles = listSharedRouteManifests().map((manifest) => ({
+    serviceName: manifest.service,
+    profile: buildServiceCompatibilityProfile(manifest)
+  }));
+  const declaredProfiles = profiles.filter(({ serviceName }) => declaredRouteServices.has(serviceName)).map(({ profile }) => profile);
+  const undeclaredEnforcementProfiles = profiles.filter(({ serviceName }) => !declaredRouteServices.has(serviceName)).map(({ profile }) => profile);
+  return [...declaredProfiles, ...undeclaredEnforcementProfiles];
+}
+
+// src/runtime/hosted-session-provider.ts
+import { createHash, randomUUID } from "crypto";
+import { spawn } from "child_process";
+import { promises as fs } from "fs";
+import { join, resolve as resolve2 } from "path";
+import { tmpdir } from "os";
+
+// src/url-resolution.ts
+function readFirstConfiguredApiBaseUrl(envVars) {
+  for (const envVar of envVars) {
+    const configured = trimEnv(envVar);
+    if (!configured) {
+      continue;
+    }
+    return normalizeApiBaseUrl(configured);
+  }
+  return null;
+}
+function resolveArchalVitestApiBaseUrl(defaultBaseUrl) {
+  return readFirstConfiguredApiBaseUrl([
+    "ARCHAL_VITEST_API_URL",
+    "ARCHAL_API_URL",
+    "ARCHAL_API_BASE_URL",
+    "ARCHAL_AUTH_URL",
+    "ARCHAL_AUTH_BASE_URL"
+  ]) ?? defaultBaseUrl;
+}
+
+// src/runtime/hosted-session-provider.ts
+var COORDINATOR_LOCK_TIMEOUT_MS = 3e4;
+var COORDINATOR_STALE_LOCK_MS = COORDINATOR_LOCK_TIMEOUT_MS;
+var COORDINATOR_POLL_INTERVAL_MS = 50;
+var ROUTE_CONTROL_AUTHORIZATION_HEADER2 = "x-route-authorization";
+var ROUTE_SERVICE_ORIGIN_HEADER2 = "x-route-service-origin";
+var WORKER_ID_HEADER = "x-archal-worker-id";
+function currentVitestWorkerId() {
+  const raw = process.env["VITEST_WORKER_ID"];
+  if (!raw || typeof raw !== "string") return void 0;
+  const trimmed = raw.trim();
+  if (trimmed.length === 0) return void 0;
+  return `vitest-${trimmed}`;
+}
+function resolveWorkerId() {
+  const vitestWorkerId = trimEnv("VITEST_WORKER_ID");
+  return vitestWorkerId ? `vitest-worker-${vitestWorkerId}` : `pid-${process.pid}`;
+}
+function resolveRunnerPid(config) {
+  return typeof config.runnerPid === "number" && Number.isInteger(config.runnerPid) && config.runnerPid > 0 ? config.runnerPid : process.pid;
+}
+function toSafeCoordinatorDirectoryName(sessionKey) {
+  if (sessionKey !== "." && sessionKey !== ".." && /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/.test(sessionKey)) {
+    return sessionKey;
+  }
+  const slug = sessionKey.replace(/[^a-zA-Z0-9._-]+/g, "-").replace(/^[.-]+|[.-]+$/g, "").slice(0, 48);
+  const hash = createHash("sha256").update(sessionKey).digest("hex").slice(0, 12);
+  return `${slug || "session"}-${hash}`;
+}
+function resolveCoordinatorPaths(config) {
+  const baseDirectory = resolve2(
+    trimEnv("ARCHAL_VITEST_COORDINATOR_DIR") ?? join(tmpdir(), "archal-vitest")
+  );
+  const sessionKey = config.sessionKey ?? `${config.projectName}-${randomUUID()}`;
+  const directory = resolve2(baseDirectory, toSafeCoordinatorDirectoryName(sessionKey));
+  return {
+    directory,
+    lockDirectory: join(directory, "lock"),
+    statePath: join(directory, "state.json"),
+    reaperPidPath: join(directory, "reaper.pid")
+  };
+}
+function shouldStopSessionOnRelease() {
+  const explicitSetting = trimEnv("ARCHAL_VITEST_STOP_SESSION_ON_RELEASE");
+  if (explicitSetting) {
+    return !/^(0|false)$/i.test(explicitSetting);
+  }
+  return trimEnv("CI") !== void 0 || trimEnv("GITHUB_ACTIONS") !== void 0;
+}
+async function resolveHostedSessionEnvironment() {
+  const apiBaseUrl = resolveArchalVitestApiBaseUrl(DEFAULT_HOSTED_API_BASE_URL);
+  const auth = await createHostedAuthLease(VITEST_AUTH_LEASE_OPTIONS);
+  const ttlFromMinutes = parsePositiveInteger(trimEnv("ARCHAL_SESSION_TTL_MINUTES"), 30, 1) * 60;
+  const ttlSeconds = parsePositiveInteger(
+    trimEnv("ARCHAL_VITEST_SESSION_TTL_SECONDS"),
+    ttlFromMinutes,
+    1
+  );
+  const readyTimeoutMs = Math.max(
+    MIN_READY_TIMEOUT_MS,
+    parsePositiveInteger(
+      trimEnv("ARCHAL_VITEST_SESSION_READY_TIMEOUT_MS") ?? trimEnv("ARCHAL_SESSION_READY_TIMEOUT_MS"),
+      DEFAULT_READY_TIMEOUT_MS,
+      1
+    )
+  );
+  const renewIntervalMs = Math.max(
+    MIN_RENEW_INTERVAL_MS,
+    parsePositiveInteger(
+      trimEnv("ARCHAL_VITEST_SESSION_RENEW_INTERVAL_MS"),
+      Math.min(Math.floor((ttlSeconds || DEFAULT_SESSION_TTL_SECONDS) * 500), DEFAULT_RENEW_INTERVAL_MS),
+      1
+    )
+  );
+  return {
+    auth,
+    apiBaseUrl,
+    ttlSeconds: ttlSeconds || DEFAULT_SESSION_TTL_SECONDS,
+    readyTimeoutMs,
+    renewIntervalMs
+  };
+}
+async function withCoordinatorLock(paths, lockTimeoutMs, action) {
+  await fs.mkdir(paths.directory, { recursive: true });
+  const deadline = Date.now() + resolveCoordinatorLockWaitTimeoutMs(lockTimeoutMs);
+  while (true) {
+    try {
+      await fs.mkdir(paths.lockDirectory);
+      break;
+    } catch (error) {
+      const code = error instanceof Error && "code" in error ? String(error.code) : "";
+      if (code !== "EEXIST") {
+        throw error;
+      }
+      const stale = await fs.stat(paths.lockDirectory).then((stats) => Date.now() - stats.mtimeMs >= COORDINATOR_STALE_LOCK_MS).catch(() => false);
+      if (stale) {
+        await fs.rm(paths.lockDirectory, { recursive: true, force: true }).catch(() => {
+        });
+        continue;
+      }
+      if (Date.now() >= deadline) {
+        throw new Error(
+          `Timed out waiting for Archal Vitest session coordinator lock in ${paths.directory}.`
+        );
+      }
+      await sleep(COORDINATOR_POLL_INTERVAL_MS);
+    }
+  }
+  try {
+    const keepalive = setInterval(() => {
+      void fs.utimes(paths.lockDirectory, /* @__PURE__ */ new Date(), /* @__PURE__ */ new Date()).catch(() => void 0);
+    }, 1e3);
+    keepalive.unref();
+    try {
+      return await action();
+    } finally {
+      clearInterval(keepalive);
+    }
+  } finally {
+    await fs.rm(paths.lockDirectory, { recursive: true, force: true });
+  }
+}
+function resolveCoordinatorLockWaitTimeoutMs(readyTimeoutMs) {
+  return Math.max(COORDINATOR_LOCK_TIMEOUT_MS, readyTimeoutMs);
+}
+async function readCoordinatorState(paths) {
+  if (!await fileExists(paths.statePath)) {
+    return { kind: "missing" };
+  }
+  const raw = await fs.readFile(paths.statePath, "utf8");
+  try {
+    const normalizedState = normalizeCoordinatorState(JSON.parse(raw));
+    if (!normalizedState) {
+      await fs.rm(paths.statePath, { force: true }).catch(() => void 0);
+      return { kind: "corrupt" };
+    }
+    return {
+      kind: "ready",
+      state: normalizedState
+    };
+  } catch {
+    await fs.rm(paths.statePath, { force: true }).catch(() => void 0);
+    return { kind: "corrupt" };
+  }
+}
+function normalizeCoordinatorState(input) {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return null;
+  }
+  const record = input;
+  const session = normalizeHostedSessionSnapshot(record["session"]);
+  if (!session) {
+    return null;
+  }
+  const leases = normalizeWorkerLeases(record["leases"]);
+  if (!leases) {
+    return null;
+  }
+  return { session, leases };
+}
+function normalizeHostedSessionSnapshot(input) {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return null;
+  }
+  const record = input;
+  const sessionId = typeof record["sessionId"] === "string" ? record["sessionId"].trim() : "";
+  const apiBaseUrls = normalizeStringRecord(record["apiBaseUrls"]);
+  const resolvedRuntime = normalizeResolvedRuntime(record["resolvedRuntime"]);
+  if (!sessionId || !apiBaseUrls || !resolvedRuntime) {
+    return null;
+  }
+  return {
+    sessionId,
+    apiBaseUrls,
+    resolvedRuntime
+  };
+}
+function normalizeResolvedRuntime(input) {
+  if (input === void 0 || input === null) {
+    return null;
+  }
+  if (typeof input !== "object" || Array.isArray(input)) {
+    return null;
+  }
+  const record = input;
+  const resolvedServices = normalizeStringArray(record["resolvedServices"] ?? []);
+  const resolvedSeeds = normalizeStringRecord(record["resolvedSeeds"] ?? {});
+  const manifestVersions = normalizeStringRecord(record["manifestVersions"] ?? {});
+  if (!resolvedServices || !resolvedSeeds || !manifestVersions) {
+    return null;
+  }
+  const capabilityVersion = typeof record["capabilityVersion"] === "string" ? record["capabilityVersion"] : void 0;
+  const runtimeVersion = typeof record["runtimeVersion"] === "string" ? record["runtimeVersion"] : void 0;
+  if (resolvedServices.length === 0 && Object.keys(resolvedSeeds).length === 0 && Object.keys(manifestVersions).length === 0 && !capabilityVersion && !runtimeVersion) {
+    return null;
+  }
+  return {
+    resolvedServices,
+    resolvedSeeds,
+    manifestVersions,
+    ...capabilityVersion ? { capabilityVersion } : {},
+    ...runtimeVersion ? { runtimeVersion } : {}
+  };
+}
+function normalizeWorkerLeases(input) {
+  if (input === void 0) {
+    return [];
+  }
+  if (!Array.isArray(input)) {
+    return null;
+  }
+  return input.flatMap((lease) => {
+    if (!lease || typeof lease !== "object" || Array.isArray(lease)) {
+      return [];
+    }
+    const record = lease;
+    const workerId = typeof record["workerId"] === "string" ? record["workerId"].trim() : "";
+    const updatedAt = typeof record["updatedAt"] === "string" ? record["updatedAt"].trim() : "";
+    const pid = typeof record["pid"] === "number" ? record["pid"] : Number.NaN;
+    if (!workerId || !updatedAt || !Number.isInteger(pid) || pid <= 0) {
+      return [];
+    }
+    return [{
+      workerId,
+      pid,
+      updatedAt
+    }];
+  });
+}
+function normalizeStringArray(input) {
+  if (!Array.isArray(input)) {
+    return null;
+  }
+  const values = input.flatMap((value) => {
+    if (typeof value !== "string") {
+      return [];
+    }
+    const trimmed = value.trim();
+    return trimmed ? [trimmed] : [];
+  });
+  return values.length === input.length ? values : null;
+}
+function normalizeStringRecord(input) {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return null;
+  }
+  const record = input;
+  const entries = Object.entries(record).flatMap(([key, value]) => {
+    if (typeof value !== "string") {
+      return [];
+    }
+    return [[key, value]];
+  });
+  return entries.length === Object.keys(record).length ? Object.fromEntries(entries) : null;
+}
+async function writeCoordinatorState(paths, state) {
+  await fs.writeFile(paths.statePath, JSON.stringify(state, null, 2) + "\n", "utf8");
+}
+async function clearCoordinatorState(paths) {
+  await Promise.all([
+    fs.rm(paths.statePath, { force: true }),
+    fs.rm(paths.reaperPidPath, { force: true })
+  ]);
+}
+async function readRunnerReaperState(paths) {
+  const raw = await fs.readFile(paths.reaperPidPath, "utf8").catch(() => null);
+  if (!raw) {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(raw);
+    if (typeof parsed === "number") {
+      if (!Number.isInteger(parsed) || parsed <= 0) {
+        return null;
+      }
+      return {
+        pid: parsed,
+        sessionId: ""
+      };
+    }
+    if (!parsed || typeof parsed.pid !== "number" || !Number.isInteger(parsed.pid) || parsed.pid <= 0 || typeof parsed.sessionId !== "string" || parsed.sessionId.trim().length === 0) {
+      return null;
+    }
+    return {
+      pid: parsed.pid,
+      sessionId: parsed.sessionId
+    };
+  } catch {
+    const pid = Number.parseInt(raw.trim(), 10);
+    if (!Number.isInteger(pid) || pid <= 0) {
+      return null;
+    }
+    return {
+      pid,
+      sessionId: ""
+    };
+  }
+}
+async function writeRunnerReaperState(paths, state) {
+  await fs.writeFile(paths.reaperPidPath, JSON.stringify(state) + "\n", "utf8");
+}
+async function stopRunnerReaper(paths) {
+  const reaperState = await readRunnerReaperState(paths);
+  if (!reaperState) {
+    await fs.rm(paths.reaperPidPath, { force: true }).catch(() => void 0);
+    return;
+  }
+  if (isProcessAlive(reaperState.pid)) {
+    try {
+      process.kill(reaperState.pid, "SIGTERM");
+    } catch {
+    }
+  }
+  await fs.rm(paths.reaperPidPath, { force: true }).catch(() => void 0);
+}
+function pruneLeases(leases) {
+  return leases.filter((lease) => isProcessAlive(lease.pid));
+}
+function runnerIsAlive(runnerPid) {
+  return isProcessAlive(runnerPid);
+}
+function resolveRequestedSeeds(config, serviceNames) {
+  const fileSeedServices = new Set(Object.keys(config.fileSeedContents ?? {}));
+  const requestedSeeds = Object.fromEntries(
+    serviceNames.flatMap((serviceName) => {
+      if (fileSeedServices.has(serviceName)) return [];
+      const seed = config.services[serviceName]?.seed?.trim();
+      return seed ? [[serviceName, seed]] : [];
+    })
+  );
+  return Object.keys(requestedSeeds).length > 0 ? requestedSeeds : void 0;
+}
+function retainedSessionWithoutLeases(state) {
+  if (!state?.session) {
+    return null;
+  }
+  return pruneLeases(state.leases).length === 0 ? state.session : null;
+}
+function activeWorkerSession(state) {
+  if (!state?.session) {
+    return null;
+  }
+  const leases = pruneLeases(state.leases);
+  if (leases.length === 0) {
+    return null;
+  }
+  return {
+    session: state.session,
+    leases
+  };
+}
+var CoordinatedHostedSessionManager = class {
+  constructor(paths, client, environment, config) {
+    this.paths = paths;
+    this.client = client;
+    this.environment = environment;
+    this.config = config;
+  }
+  paths;
+  client;
+  environment;
+  config;
+  async acquire(serviceNames, requestedSeeds) {
+    const workerId = resolveWorkerId();
+    const runnerPid = resolveRunnerPid(this.config);
+    return await withCoordinatorLock(this.paths, this.environment.readyTimeoutMs, async () => {
+      const stateResult = await readCoordinatorState(this.paths);
+      const existingState = stateResult.kind === "ready" ? stateResult.state : null;
+      if (stateResult.kind === "corrupt") {
+        const recoveredSession = await this.recoverCorruptCoordinatorState(
+          serviceNames,
+          requestedSeeds,
+          workerId,
+          runnerPid
+        );
+        if (recoveredSession) {
+          return { session: recoveredSession, acquisition: "reused" };
+        }
+      }
+      const activeSession = activeWorkerSession(existingState);
+      if (activeSession && requestedSeedsMatchSession(requestedSeeds, activeSession.session)) {
+        const reusableSession = await this.tryReuseSession(
+          activeSession.session,
+          serviceNames
+        );
+        if (!reusableSession) {
+          await this.client.stop(activeSession.session.sessionId).catch(() => void 0);
+          await stopRunnerReaper(this.paths);
+          await clearCoordinatorState(this.paths);
+        } else {
+          await this.ensureRunnerReaper(reusableSession.sessionId, runnerPid);
+          await writeCoordinatorState(this.paths, {
+            session: reusableSession,
+            leases: this.upsertLease(activeSession.leases, workerId)
+          });
+          return { session: reusableSession, acquisition: "reused" };
+        }
+      }
+      if (activeSession && !requestedSeedsMatchSession(requestedSeeds, activeSession.session)) {
+        await this.client.stop(activeSession.session.sessionId).catch(() => void 0);
+        await stopRunnerReaper(this.paths);
+        await clearCoordinatorState(this.paths);
+      }
+      const retainedSession = retainedSessionWithoutLeases(existingState);
+      if (retainedSession) {
+        if (!runnerIsAlive(runnerPid)) {
+          await this.client.stop(retainedSession.sessionId).catch(() => void 0);
+          await stopRunnerReaper(this.paths);
+          await clearCoordinatorState(this.paths);
+        } else if (!requestedSeedsMatchSession(requestedSeeds, retainedSession)) {
+          await this.client.stop(retainedSession.sessionId).catch(() => void 0);
+          await stopRunnerReaper(this.paths);
+          await clearCoordinatorState(this.paths);
+        } else {
+          const reusableSession = await this.tryReuseSession(retainedSession, serviceNames);
+          if (reusableSession) {
+            await this.ensureRunnerReaper(reusableSession.sessionId, runnerPid);
+            await writeCoordinatorState(this.paths, {
+              session: reusableSession,
+              leases: this.upsertLease([], workerId)
+            });
+            return { session: reusableSession, acquisition: "reused" };
+          }
+          await this.client.stop(retainedSession.sessionId).catch(() => void 0);
+          await stopRunnerReaper(this.paths);
+          await clearCoordinatorState(this.paths);
+        }
+      }
+      const startedSession = await this.client.startRouteSession(serviceNames, requestedSeeds, {
+        source: "test"
+      });
+      await this.ensureRunnerReaper(startedSession.sessionId, runnerPid);
+      await writeCoordinatorState(this.paths, {
+        session: startedSession,
+        leases: this.upsertLease([], workerId)
+      });
+      return { session: startedSession, acquisition: "fresh" };
+    });
+  }
+  async release() {
+    const workerId = resolveWorkerId();
+    const runnerPid = resolveRunnerPid(this.config);
+    await withCoordinatorLock(this.paths, this.environment.readyTimeoutMs, async () => {
+      const stateResult = await readCoordinatorState(this.paths);
+      if (stateResult.kind !== "ready") {
+        return;
+      }
+      const existingState = stateResult.state;
+      const remainingLeases = pruneLeases(existingState.leases).filter((lease) => lease.workerId !== workerId);
+      if (remainingLeases.length > 0) {
+        await writeCoordinatorState(this.paths, {
+          session: existingState.session,
+          leases: remainingLeases
+        });
+        return;
+      }
+      const shouldRetainSession = runnerIsAlive(runnerPid) && !shouldStopSessionOnRelease();
+      if (shouldRetainSession) {
+        await writeCoordinatorState(this.paths, {
+          session: existingState.session,
+          leases: []
+        });
+        return;
+      }
+      await this.client.stop(existingState.session.sessionId);
+      await stopRunnerReaper(this.paths);
+      await clearCoordinatorState(this.paths);
+    });
+  }
+  upsertLease(leases, workerId) {
+    const nextLease = {
+      workerId,
+      pid: process.pid,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    const withoutExisting = leases.filter((lease) => lease.workerId !== workerId);
+    return [...withoutExisting, nextLease];
+  }
+  async recoverCorruptCoordinatorState(serviceNames, requestedSeeds, workerId, runnerPid) {
+    const reaperState = await readRunnerReaperState(this.paths);
+    if (!reaperState) {
+      await clearCoordinatorState(this.paths);
+      return null;
+    }
+    if (!reaperState.sessionId) {
+      await stopRunnerReaper(this.paths);
+      await clearCoordinatorState(this.paths);
+      return null;
+    }
+    if (!runnerIsAlive(runnerPid)) {
+      await this.client.stop(reaperState.sessionId).catch(() => void 0);
+      await stopRunnerReaper(this.paths);
+      await clearCoordinatorState(this.paths);
+      return null;
+    }
+    const reusableSession = await this.client.reuseRouteSession(
+      {
+        sessionId: reaperState.sessionId,
+        apiBaseUrls: {},
+        resolvedRuntime: {
+          resolvedServices: [],
+          resolvedSeeds: {},
+          manifestVersions: {}
+        }
+      },
+      serviceNames
+    );
+    if (reusableSession && requestedSeedsMatchSession(requestedSeeds, reusableSession)) {
+      await this.ensureRunnerReaper(reusableSession.sessionId, runnerPid);
+      if (trimEnv("ARCHAL_VITEST_DISABLE_RUNNER_REAPER") === "1") {
+        await fs.rm(this.paths.reaperPidPath, { force: true }).catch(() => void 0);
+      }
+      await writeCoordinatorState(this.paths, {
+        session: reusableSession,
+        leases: this.upsertLease([], workerId)
+      });
+      return reusableSession;
+    }
+    await this.client.stop(reaperState.sessionId).catch(() => void 0);
+    await stopRunnerReaper(this.paths);
+    await clearCoordinatorState(this.paths);
+    return null;
+  }
+  async tryReuseSession(session, serviceNames) {
+    try {
+      return await this.client.reuseRouteSession(session, serviceNames);
+    } catch {
+      return null;
+    }
+  }
+  async ensureRunnerReaper(sessionId, runnerPid) {
+    if (trimEnv("ARCHAL_VITEST_DISABLE_RUNNER_REAPER") === "1") {
+      return;
+    }
+    const existingReaper = await readRunnerReaperState(this.paths);
+    if (existingReaper && isProcessAlive(existingReaper.pid)) {
+      if (existingReaper.sessionId === sessionId) {
+        return;
+      }
+      await stopRunnerReaper(this.paths);
+    }
+    const reaperPath = resolveRuntimeModule("./runtime/hosted-session-reaper.js");
+    const child = spawn(process.execPath, [reaperPath], {
+      detached: true,
+      stdio: "ignore",
+      env: {
+        ...process.env,
+        ARCHAL_VITEST_API_URL: this.environment.apiBaseUrl,
+        ARCHAL_VITEST_REAPER_API_BASE_URL: this.environment.apiBaseUrl,
+        ARCHAL_VITEST_REAPER_SESSION_ID: sessionId,
+        ARCHAL_VITEST_REAPER_RUNNER_PID: String(runnerPid),
+        ARCHAL_VITEST_REAPER_RENEW_INTERVAL_MS: String(this.environment.renewIntervalMs),
+        ARCHAL_VITEST_REAPER_COORDINATOR_DIR: this.paths.directory,
+        ARCHAL_VITEST_REAPER_LOCK_DIR: this.paths.lockDirectory,
+        ARCHAL_VITEST_REAPER_STATE_PATH: this.paths.statePath,
+        ARCHAL_VITEST_REAPER_PID_PATH: this.paths.reaperPidPath
+      }
+    });
+    child.unref();
+    if (!child.pid) {
+      throw new Error("Archal Vitest runner reaper failed to start.");
+    }
+    await writeRunnerReaperState(this.paths, { pid: child.pid, sessionId });
+  }
+};
+function buildNoSession() {
+  return {
+    sessionId: `archal-vitest-${randomUUID()}`,
+    services: [],
+    resolvedRuntime: {
+      resolvedServices: [],
+      resolvedSeeds: {},
+      manifestVersions: {}
+    },
+    // No hosted session was provisioned (route-mode config had no services)
+    // so there's no cold-start cost to report. Mark as `reused` so the
+    // bootstrap's clone-startup log treats this as zero-cost and stays quiet.
+    acquisition: "reused"
+  };
+}
+function buildRoutedServices(serviceNames, apiBaseUrls, environment) {
+  return serviceNames.map((serviceName) => {
+    const baseUrl = apiBaseUrls[serviceName];
+    if (!baseUrl) {
+      throw new Error(
+        `Hosted Vitest session did not return apiBaseUrls.${serviceName}.`
+      );
+    }
+    const manifest = getSharedRouteManifest(serviceName);
+    return {
+      name: serviceName,
+      mode: "route",
+      baseUrl,
+      upstreamBasePath: manifest?.upstreamBasePath,
+      routedRequestHeaders: () => {
+        const authorization = environment.auth.getAuthorizationHeader();
+        if (!authorization) {
+          throw new Error("Hosted Vitest routing auth is unavailable.");
+        }
+        const workerId = currentVitestWorkerId();
+        const headers = {
+          [ROUTE_CONTROL_AUTHORIZATION_HEADER2]: authorization,
+          [ROUTE_SERVICE_ORIGIN_HEADER2]: "1"
+        };
+        if (workerId) headers[WORKER_ID_HEADER] = workerId;
+        return headers;
+      }
+    };
+  });
+}
+async function startHostedArchalVitestSession(config) {
+  assertSupportedArchalVitestServices(config.services);
+  const routedServiceNames = Object.entries(config.services).filter(([, serviceConfig]) => serviceConfig.mode === "route").map(([serviceName]) => serviceName);
+  if (routedServiceNames.length === 0) {
+    return buildNoSession();
+  }
+  const requestedSeeds = resolveRequestedSeeds(config, routedServiceNames);
+  const environment = await resolveHostedSessionEnvironment();
+  const hostedClient = new HostedSessionClient(environment);
+  const coordinator = new CoordinatedHostedSessionManager(
+    resolveCoordinatorPaths(config),
+    hostedClient,
+    environment,
+    config
+  );
+  try {
+    const { session, acquisition } = await coordinator.acquire(routedServiceNames, requestedSeeds);
+    return {
+      sessionId: session.sessionId,
+      services: buildRoutedServices(routedServiceNames, session.apiBaseUrls, environment),
+      resolvedRuntime: session.resolvedRuntime,
+      acquisition,
+      stop: async () => {
+        try {
+          await coordinator.release();
+        } finally {
+          environment.auth.stop();
+        }
+      }
+    };
+  } catch (error) {
+    environment.auth.stop();
+    throw error;
+  }
+}
+var VITEST_AUTH_LEASE_OPTIONS = {
+  apiUrlEnvVar: "ARCHAL_VITEST_API_URL"
+};
+
+// src/runtime/bootstrap.ts
+var GLOBAL_RUNTIME_KEY = "__archalVitestRuntime";
+var GLOBAL_SESSION_KEY = "__archalVitestSession";
+var GLOBAL_CLEANUP_HANDLER_KEY = "__archalVitestRuntimeCleanupHandlerRegistered";
+var GLOBAL_BOOTSTRAP_PROMISE_KEY = "__archalVitestRuntimeBootstrapPromise";
+var GLOBAL_STOP_PROMISE_KEY = "__archalVitestRuntimeStopPromise";
+var ARCHAL_VITEST_ROUTE_TRACE_ENV = "ARCHAL_VITEST_ROUTE_TRACE";
+var activeFullSession;
+var baselineCloneStates = /* @__PURE__ */ new Map();
+var baselineCaptured = false;
+var sessionStartedAt;
+function emitUsageEstimate(services) {
+  if (sessionStartedAt === void 0 || services.length === 0) return;
+  if (process.env["ARCHAL_VITEST_QUIET_USAGE"] === "1") return;
+  const durationSec = (Date.now() - sessionStartedAt) / 1e3;
+  const cloneMinutes = Math.max(1, Math.ceil(durationSec / 60)) * services.length;
+  const cloneList = services.map((s) => s.name).sort().join(", ");
+  process.stderr.write(
+    `\x1B[2m[archal] ~${cloneMinutes} clone-minute${cloneMinutes === 1 ? "" : "s"} for this run (${durationSec.toFixed(1)}s x ${services.length} clone${services.length === 1 ? "" : "s"}: ${cloneList})\x1B[0m
+`
+  );
+}
+function cloneStateUrl(serviceBaseUrl) {
+  return `${cloneRootUrl(serviceBaseUrl)}/state`;
+}
+function resolveRoutedHeaders(service) {
+  try {
+    const headers = service.routedRequestHeaders;
+    if (typeof headers === "function") return headers();
+    return headers ?? {};
+  } catch (err) {
+    activeFullSession = void 0;
+    throw new Error(
+      `Archal auth expired mid-test-run for clone "${service.name}". Re-run tests to refresh. (${err instanceof Error ? err.message : String(err)})`
+    );
+  }
+}
+var WORKER_ID_HEADER2 = "x-archal-worker-id";
+var ROUTE_SERVICE_ORIGIN_HEADER3 = "x-route-service-origin";
+function resolveControlHeaders(service) {
+  const all = resolveRoutedHeaders(service);
+  const { [ROUTE_SERVICE_ORIGIN_HEADER3]: _discarded, ...rest } = all;
+  return rest;
+}
+function resolveDefaultScopeHeaders(service) {
+  const all = resolveControlHeaders(service);
+  const { [WORKER_ID_HEADER2]: _discarded, ...rest } = all;
+  return rest;
+}
+function cloneRootUrl(serviceBaseUrl) {
+  const trimmed = serviceBaseUrl.replace(/\/+$/, "");
+  if (/\/mcp$/i.test(trimmed)) {
+    return `${trimmed.slice(0, -4)}/api`;
+  }
+  if (/\/(?:api|rest)$/i.test(trimmed)) {
+    return trimmed;
+  }
+  try {
+    const parsed = new URL(trimmed);
+    if (/\/runtime\/[^/]+\/[^/]+$/i.test(parsed.pathname)) {
+      return `${trimmed}/api`;
+    }
+  } catch {
+  }
+  return trimmed;
+}
+async function fetchArchalClone(serviceName, path, init) {
+  const session = activeFullSession;
+  if (!session) {
+    throw new Error(
+      "Archal clone fetch called before the route runtime was installed. Ensure archalVitestProject() or withArchal() is wired into your vitest config, and that setup has completed."
+    );
+  }
+  const service = session.services.find((s) => s.name === serviceName);
+  if (!service) {
+    const available = session.services.map((s) => s.name).sort().join(", ") || "(none)";
+    throw new Error(`No clone named "${serviceName}" in this session. Available: ${available}.`);
+  }
+  const headers = resolveControlHeaders(service);
+  const suffix = path.startsWith("/") ? path : `/${path}`;
+  const url = `${cloneRootUrl(service.baseUrl)}${suffix}`;
+  const requestInit = {
+    ...init,
+    headers: { ...headers, ...init?.headers }
+  };
+  return fetch(url, requestInit);
+}
+async function fetchArchalCloneDefaultScope(serviceName, path, init) {
+  const session = activeFullSession;
+  if (!session) {
+    throw new Error("Archal clone fetch: no active session");
+  }
+  const service = session.services.find((s) => s.name === serviceName);
+  if (!service) {
+    throw new Error(`No clone "${serviceName}" in session`);
+  }
+  const headers = resolveDefaultScopeHeaders(service);
+  const suffix = path.startsWith("/") ? path : `/${path}`;
+  const url = `${cloneRootUrl(service.baseUrl)}${suffix}`;
+  return fetch(url, {
+    ...init,
+    headers: { ...headers, ...init?.headers }
+  });
+}
+async function captureBaselineCloneStates(session) {
+  baselineCloneStates.clear();
+  baselineCaptured = false;
+  await Promise.all(
+    session.services.map(async (service) => {
+      try {
+        const headers = resolveDefaultScopeHeaders(service);
+        const res = await fetch(cloneStateUrl(service.baseUrl), {
+          method: "GET",
+          headers: { ...headers, accept: "application/json" }
+        });
+        if (!res.ok) {
+          process.stderr.write(
+            `[archal] warning: failed to capture baseline for clone "${service.name}": ${res.status} ${res.statusText}
+`
+          );
+          return;
+        }
+        baselineCloneStates.set(service.name, await res.text());
+      } catch (err) {
+        process.stderr.write(
+          `[archal] warning: failed to capture baseline for clone "${service.name}": ${err instanceof Error ? err.message : String(err)}
+`
+        );
+      }
+    })
+  );
+  baselineCaptured = true;
+}
+async function resetArchalCloneState() {
+  const session = activeFullSession;
+  if (!session) {
+    throw new Error(
+      "resetArchalClones() called before the Archal route runtime was installed. Ensure archalVitestProject() or withArchal() is wired into your vitest config, and that setup has completed."
+    );
+  }
+  if (!baselineCaptured) {
+    throw new Error(
+      "resetArchalClones() called but baseline state was never captured. This usually means bootstrapArchalVitestRouting() has not completed."
+    );
+  }
+  await Promise.all(
+    session.services.map(async (service) => {
+      const baseline = baselineCloneStates.get(service.name);
+      if (baseline === void 0) {
+        throw new Error(
+          `No baseline state captured for clone "${service.name}". This usually means the clone was not reachable during setup.`
+        );
+      }
+      const stateUrl = cloneStateUrl(service.baseUrl);
+      const defaultHeaders = resolveDefaultScopeHeaders(service);
+      const defaultRes = await fetch(stateUrl, {
+        method: "PUT",
+        headers: { ...defaultHeaders, "content-type": "application/json" },
+        body: baseline
+      });
+      if (!defaultRes.ok) {
+        throw new Error(
+          `Failed to reset shared state for clone "${service.name}": ${defaultRes.status} ${defaultRes.statusText}`
+        );
+      }
+      const workerHeaders = resolveControlHeaders(service);
+      const workerRes = await fetch(stateUrl, {
+        method: "PUT",
+        headers: { ...workerHeaders, "content-type": "application/json" },
+        body: baseline
+      });
+      if (!workerRes.ok) {
+        throw new Error(
+          `Failed to reset per-worker state for clone "${service.name}": ${workerRes.status} ${workerRes.statusText}`
+        );
+      }
+      try {
+        const whRes = await fetch(`${cloneRootUrl(service.baseUrl)}/webhooks/pending`, {
+          method: "DELETE",
+          headers: workerHeaders
+        });
+        if (!whRes.ok && whRes.status !== 404) {
+          process.stderr.write(
+            `[archal] warning: failed to drain webhook queue for "${service.name}": ${whRes.status} ${whRes.statusText}
+`
+          );
+        }
+      } catch {
+      }
+    })
+  );
+}
+async function resetArchalClones() {
+  await resetArchalCloneState();
+}
+function emitManifestDriftWarning(session) {
+  if (process.env["ARCHAL_VITEST_QUIET_DRIFT"] === "1") return;
+  const serverVersions = session.resolvedRuntime?.manifestVersions ?? {};
+  const drifts = [];
+  for (const service of session.services) {
+    const serverVersion = serverVersions[service.name];
+    const local = getSharedRouteManifest(service.name);
+    if (!serverVersion || !local) continue;
+    if (local.manifestVersion !== serverVersion) {
+      drifts.push({
+        service: service.name,
+        server: serverVersion,
+        client: local.manifestVersion
+      });
+    }
+  }
+  if (drifts.length === 0) return;
+  const lines = drifts.map((d) => `  ${d.service}: client ${d.client} vs server ${d.server}`);
+  process.stderr.write(
+    "\x1B[33m[archal] manifest version drift - upgrade the `archal` package to match the hosted clones:\n" + lines.join("\n") + "\x1B[0m\n"
+  );
+}
+function emitProgressTicker(config) {
+  if (process.env["ARCHAL_VITEST_QUIET_PROGRESS"] === "1") {
+    return () => {
+    };
+  }
+  const serviceNames = Object.keys(config.services).sort();
+  const services = serviceNames.join(", ");
+  const cloneWord = serviceNames.length === 1 ? "clone" : "clones";
+  const start = Date.now();
+  const ticker = setInterval(() => {
+    const elapsed = Math.round((Date.now() - start) / 1e3);
+    if (elapsed >= 60) {
+      clearInterval(ticker);
+      return;
+    }
+    process.stderr.write(
+      `\x1B[2m[archal] provisioning ${services} ${cloneWord}... ${elapsed}s\x1B[0m
+`
+    );
+  }, 5e3);
+  ticker.unref();
+  return () => clearInterval(ticker);
+}
+function isTruthyEnv(value) {
+  if (!value) {
+    return false;
+  }
+  switch (value.trim().toLowerCase()) {
+    case "1":
+    case "true":
+    case "yes":
+    case "on":
+      return true;
+    default:
+      return false;
+  }
+}
+function formatTraceRecord(record) {
+  const manifestStatus = record.manifestMatched ? `matched ${record.service ?? "manifest"}` : "no manifest match";
+  const destination = record.target === "twin" ? "service endpoint" : record.target === "upstream" ? "real upstream" : "blocked";
+  const status = record.statusCode === void 0 ? record.error ? `error=${record.error}` : "no status" : `${record.statusCode}${record.statusText ? ` ${record.statusText}` : ""}`;
+  return `\x1B[2m[archal:route] ${record.method} ${record.sourceUrl} | ${manifestStatus} | ${record.outcome} -> ${destination} | ${status}\x1B[0m
+`;
+}
+async function startSession(config) {
+  const stopTicker = emitProgressTicker(config);
+  try {
+    sessionStartedAt = Date.now();
+    return await startHostedArchalVitestSession(config);
+  } finally {
+    stopTicker();
+  }
+}
+var DEFAULT_STARTUP_LOG_MIN_MS = 3e3;
+function resolveStartupLogThresholdMs() {
+  const raw = process.env["ARCHAL_VITEST_STARTUP_LOG_MIN_MS"];
+  if (!raw) return DEFAULT_STARTUP_LOG_MIN_MS;
+  const parsed = Number.parseInt(raw.trim(), 10);
+  if (!Number.isFinite(parsed) || parsed < 0) return DEFAULT_STARTUP_LOG_MIN_MS;
+  return parsed;
+}
+function emitCloneStartupSummary(phases) {
+  if (process.env["ARCHAL_VITEST_QUIET_STARTUP"] === "1") return;
+  const threshold = resolveStartupLogThresholdMs();
+  if (phases.totalMs < threshold) return;
+  if (phases.cloneCount === 0) return;
+  const cloneLabel = phases.cloneCount === 1 ? "clone" : "clones";
+  const cloneList = phases.cloneNames.length > 0 ? ` [${phases.cloneNames.slice().sort().join(", ")}]` : "";
+  const parts = [];
+  if (phases.acquireMs >= 10) parts.push(`acquire=${phases.acquireMs}ms`);
+  if (phases.seedLoadMs >= 10) parts.push(`seed-load=${phases.seedLoadMs}ms`);
+  if (phases.baselineMs >= 10) parts.push(`baseline=${phases.baselineMs}ms`);
+  const breakdown = parts.length > 0 ? ` (${parts.join(", ")})` : "";
+  process.stderr.write(
+    `\x1B[2m[archal/vitest] Started ${phases.cloneCount} ${cloneLabel}${cloneList} in ${phases.totalMs}ms${breakdown}\x1B[0m
+`
+  );
+}
+var pendingStartupPhases;
+async function buildRuntimeConfig(scope) {
+  const config = readArchalVitestConfigFromEnv();
+  let acquireMs = 0;
+  let acquisition = "unknown";
+  let session = activeFullSession;
+  if (!session) {
+    const acquireStart = Date.now();
+    session = await startSession(config);
+    acquireMs = Date.now() - acquireStart;
+    acquisition = session.acquisition ?? "unknown";
+  } else {
+    acquisition = "reused";
+  }
+  activeFullSession = session;
+  pendingStartupPhases = {
+    acquireMs,
+    seedLoadMs: 0,
+    baselineMs: 0,
+    totalMs: acquireMs,
+    acquisition,
+    cloneCount: session.services.length,
+    cloneNames: session.services.map((s) => s.name)
+  };
+  scope[GLOBAL_SESSION_KEY] = redactSessionSnapshot(session);
+  try {
+    const { writeFileSync, mkdirSync } = await import("fs");
+    const { dirname: dirname2 } = await import("path");
+    const sessionIdPath = getSessionIdFilePath(config.sessionKey);
+    mkdirSync(dirname2(sessionIdPath), { recursive: true });
+    writeFileSync(sessionIdPath, session.sessionId, "utf-8");
+  } catch {
+  }
+  return {
+    profiles: resolveArchalVitestServiceProfiles(config.services),
+    services: session.services,
+    trace: isTruthyEnv(process.env[ARCHAL_VITEST_ROUTE_TRACE_ENV]) ? {
+      enabled: true,
+      onTrace: (record) => {
+        process.stderr.write(formatTraceRecord(record));
+      }
+    } : void 0
+  };
+}
+async function stopArchalVitestRouting() {
+  const scope = globalThis;
+  if (scope[GLOBAL_BOOTSTRAP_PROMISE_KEY]) {
+    await scope[GLOBAL_BOOTSTRAP_PROMISE_KEY].catch(() => {
+    });
+  }
+  if (scope[GLOBAL_STOP_PROMISE_KEY]) {
+    await scope[GLOBAL_STOP_PROMISE_KEY];
+    return;
+  }
+  scope[GLOBAL_STOP_PROMISE_KEY] = (async () => {
+    const runtime = scope[GLOBAL_RUNTIME_KEY];
+    const session = activeFullSession;
+    const services = session?.services.map((s) => ({ name: s.name })) ?? [];
+    delete scope[GLOBAL_RUNTIME_KEY];
+    delete scope[GLOBAL_SESSION_KEY];
+    emitUsageEstimate(services);
+    sessionStartedAt = void 0;
+    activeFullSession = void 0;
+    baselineCloneStates.clear();
+    baselineCaptured = false;
+    await runtime?.stop();
+    await session?.stop?.();
+  })();
+  try {
+    await scope[GLOBAL_STOP_PROMISE_KEY];
+  } finally {
+    delete scope[GLOBAL_STOP_PROMISE_KEY];
+  }
+}
+async function bootstrapArchalVitestRouting() {
+  const scope = globalThis;
+  if (scope[GLOBAL_RUNTIME_KEY]) {
+    return scope[GLOBAL_RUNTIME_KEY];
+  }
+  if (scope[GLOBAL_BOOTSTRAP_PROMISE_KEY]) {
+    return await scope[GLOBAL_BOOTSTRAP_PROMISE_KEY];
+  }
+  scope[GLOBAL_BOOTSTRAP_PROMISE_KEY] = (async () => {
+    const runtime = new NodeRouteRuntime(await buildRuntimeConfig(scope));
+    await runtime.start();
+    runtime.installRouting();
+    scope[GLOBAL_RUNTIME_KEY] = runtime;
+    const config = readArchalVitestConfigFromEnv();
+    if (config.fileSeedContents && Object.keys(config.fileSeedContents).length > 0) {
+      const seedStart = Date.now();
+      await loadFileSeedsIntoClones(config, fetchArchalCloneDefaultScope, {
+        timeoutEnvVar: "ARCHAL_VITEST_SEED_LOAD_TIMEOUT_MS",
+        ...activeFullSession?.sessionId ? { hostedSessionId: activeFullSession.sessionId } : {}
+      });
+      if (pendingStartupPhases) {
+        pendingStartupPhases.seedLoadMs = Date.now() - seedStart;
+      }
+    }
+    if (activeFullSession) {
+      emitManifestDriftWarning(activeFullSession);
+      const baselineStart = Date.now();
+      await captureBaselineCloneStates(activeFullSession);
+      if (pendingStartupPhases) {
+        pendingStartupPhases.baselineMs = Date.now() - baselineStart;
+      }
+    }
+    if (pendingStartupPhases) {
+      pendingStartupPhases.totalMs = pendingStartupPhases.acquireMs + pendingStartupPhases.seedLoadMs + pendingStartupPhases.baselineMs;
+      emitCloneStartupSummary(pendingStartupPhases);
+      pendingStartupPhases = void 0;
+    }
+    if (!scope[GLOBAL_CLEANUP_HANDLER_KEY]) {
+      const asyncCleanupAndExit = (exitCode) => {
+        void stopArchalVitestRouting().finally(() => {
+          process.exit(exitCode);
+        });
+      };
+      process.once("beforeExit", () => {
+        void stopArchalVitestRouting();
+      });
+      process.once("disconnect", () => {
+        void stopArchalVitestRouting();
+      });
+      process.once("SIGINT", () => asyncCleanupAndExit(130));
+      process.once("SIGTERM", () => asyncCleanupAndExit(143));
+      scope[GLOBAL_CLEANUP_HANDLER_KEY] = true;
+    }
+    return runtime;
+  })();
+  try {
+    return await scope[GLOBAL_BOOTSTRAP_PROMISE_KEY];
+  } finally {
+    delete scope[GLOBAL_BOOTSTRAP_PROMISE_KEY];
+  }
+}
+function getInstalledArchalVitestRuntime() {
+  return globalThis[GLOBAL_RUNTIME_KEY];
+}
+function getInstalledArchalVitestSession() {
+  return globalThis[GLOBAL_SESSION_KEY];
+}
+
+export {
+  resolveRuntimeModule,
+  ARCHAL_VITEST_CONFIG_ENV,
+  readArchalVitestConfig,
+  assertSupportedArchalVitestServices,
+  fetchArchalClone,
+  resetArchalClones,
+  bootstrapArchalVitestRouting,
+  getInstalledArchalVitestRuntime,
+  getInstalledArchalVitestSession
+};