archal 0.9.19 → 0.9.20

package/dist/vitest/chunk-ARVS45PP.js

@@ -0,0 +1,2764 @@
+// ../runtime/src/session-provider.ts
+import { promises as fs } from "fs";
+
+// ../retry/dist/index.js
+function abortReason(signal) {
+  return signal.reason instanceof Error ? signal.reason : new DOMException("The operation was aborted.", "AbortError");
+}
+function sleep(ms, options) {
+  const signal = options?.signal;
+  if (signal?.aborted) {
+    return Promise.reject(abortReason(signal));
+  }
+  if (ms <= 0) {
+    return Promise.resolve();
+  }
+  if (!signal) {
+    return new Promise((resolve) => {
+      setTimeout(resolve, ms);
+    });
+  }
+  const abortSignal = signal;
+  return new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      abortSignal.removeEventListener("abort", onAbort);
+      resolve();
+    }, ms);
+    function onAbort() {
+      clearTimeout(timeout);
+      reject(abortReason(abortSignal));
+    }
+    abortSignal.addEventListener("abort", onAbort, { once: true });
+  });
+}
+
+// ../runtime/src/hosted-auth-errors.ts
+var NON_REFRESHABLE_HOSTED_AUTH_CODES = /* @__PURE__ */ new Set([
+  "CLONE_ACCESS_DENIED",
+  "TWIN_ACCESS_DENIED",
+  "TWIN_SELECTION_REQUIRED"
+]);
+function normalizeErrorCode(value) {
+  return typeof value === "string" && value.trim() ? value.trim().toUpperCase() : null;
+}
+function extractErrorCode(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return normalizeErrorCode(value);
+  }
+  const record = value;
+  return normalizeErrorCode(record["code"]) ?? normalizeErrorCode(record["errno"]) ?? normalizeErrorCode(record["error"]) ?? extractErrorCode(record["cause"]);
+}
+function parseHostedAuthErrorCode(rawText) {
+  if (!rawText.trim()) return null;
+  try {
+    return extractErrorCode(JSON.parse(rawText));
+  } catch {
+    return null;
+  }
+}
+function shouldValidateHostedAuth(status, errorCode) {
+  if (status === 401) {
+    return true;
+  }
+  if (status !== 403) {
+    return false;
+  }
+  return !errorCode || !NON_REFRESHABLE_HOSTED_AUTH_CODES.has(errorCode);
+}
+function isTerminalHostedAuthFailure(status) {
+  return status === 401 || status === 403;
+}
+
+// ../runtime/src/session-provider.ts
+function errorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+var DEFAULT_HOSTED_API_BASE_URL = "https://api.archal.ai";
+var DEFAULT_REQUEST_TIMEOUT_MS = 8e3;
+var DEFAULT_SESSION_CREATE_REQUEST_TIMEOUT_MS = 3e4;
+var DEFAULT_SESSION_TTL_SECONDS = 30 * 60;
+var DEFAULT_READY_TIMEOUT_MS = 3e5;
+var DEFAULT_RENEW_INTERVAL_MS = 5 * 6e4;
+var MIN_RENEW_INTERVAL_MS = 3e4;
+var MIN_READY_TIMEOUT_MS = 12e4;
+var SESSION_POLL_INTERVAL_MS = 2e3;
+var SESSION_CREATE_MAX_ATTEMPTS = 4;
+var SESSION_CREATE_RETRY_DELAYS_MS = [500, 1e3, 2e3];
+var SESSION_STOP_CONFIRM_POLL_INTERVAL_MS = 250;
+var SESSION_STOP_CONFIRM_MAX_ATTEMPTS = 40;
+var ARCHAL_WORKSPACE_HEADER = "x-archal-workspace";
+var SESSION_RESPONSE_SCOPE_HEADER = "x-archal-session-response";
+var CLI_SESSION_TRANSPORT_SCOPE = "cli-transport";
+var INFRASTRUCTURE_DETAIL_PATTERN = /(?:archal[-_\s]?(?:proxy|runtime|control[-_\s]?plane|service[-_\s]?gateway|openclaw[-_\s]?gateway)|control[-_\s]?plane|CLI_JWT_SECRET|CONTROL_PLANE|JWT_SECRET|ARCHAL_|runtime provider|runtime\/session|worker[-_\s]?endpoint|x[-_]?archal|service[-_\s]?gateway|service[-_\s]?runtime|provider[-_\s]?gateway|graphql[-_\s]?gateway|workflow[-_\s]?(?:runtime|harness|session)|harness[-_\s]?bootstrap|service_mcp_servers|\/service-gateway|tls intercept|sidecar|openclaw[-_\s]?gateway|credential_issuance_seed|hosted\s+clone|cloud(?:Clone|Twin)Urls|(?:clone|twin)[-_]access[-_]denied|twin[-_]not[-_]in[-_]catalog|pre[-_\s]?migration|stale[-_\s]?data)/i;
+function publicHostedSessionDetail(detail) {
+  if (!detail?.trim()) {
+    return "";
+  }
+  return INFRASTRUCTURE_DETAIL_PATTERN.test(detail) ? "service routing failed to prepare the requested services." : detail;
+}
+function hostedSessionRequestErrorMessage(method, path, status, detail) {
+  const publicDetail = publicHostedSessionDetail(detail);
+  return `Hosted session request failed (${method} ${path}, HTTP ${status}${publicDetail ? `: ${publicDetail}` : ""}).`;
+}
+var HostedSessionRequestError = class extends Error {
+  constructor(method, path, status, detail) {
+    super(hostedSessionRequestErrorMessage(method, path, status, detail));
+    this.method = method;
+    this.path = path;
+    this.status = status;
+    this.name = "HostedSessionRequestError";
+    this.detail = publicHostedSessionDetail(detail);
+    Object.defineProperty(this, "internalDetail", {
+      value: detail,
+      enumerable: false,
+      configurable: false,
+      writable: false
+    });
+  }
+  method;
+  path;
+  status;
+  detail;
+  internalDetail;
+  /** @internal */
+  getInternalDetailForRetry() {
+    return this.internalDetail;
+  }
+};
+function trimEnv(name) {
+  const value = process.env[name]?.trim();
+  return value ? value : void 0;
+}
+function parsePositiveInteger(rawValue, fallback, minimum = 1) {
+  if (!rawValue) return fallback;
+  const normalized = rawValue.trim();
+  if (!/^[1-9]\d*$/.test(normalized)) return fallback;
+  const parsed = Number(normalized);
+  return Number.isSafeInteger(parsed) && parsed >= minimum ? parsed : fallback;
+}
+function normalizeApiBaseUrl(value) {
+  if (!value) return null;
+  const normalized = value.trim().replace(/\/+$/, "");
+  if (!normalized) return null;
+  let parsed;
+  try {
+    parsed = new URL(normalized);
+  } catch {
+    throw new Error(`Invalid ARCHAL_API_URL: "${normalized}" is not a valid URL`);
+  }
+  const isLocalhostHttp = parsed.protocol === "http:" && (parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1");
+  if (parsed.protocol !== "https:" && !isLocalhostHttp) {
+    throw new Error(`Hosted API URL must use HTTPS (or localhost HTTP). Received ${normalized}.`);
+  }
+  const pathname = parsed.pathname.replace(/\/+$/, "");
+  parsed.pathname = pathname.endsWith("/api") ? pathname.slice(0, -4) || "/" : pathname || "/";
+  parsed.search = "";
+  parsed.hash = "";
+  return parsed.toString().replace(/\/$/, "");
+}
+function resolveHostedWorkspaceHeader() {
+  return trimEnv("ARCHAL_WORKSPACE_ID");
+}
+async function readJsonResponse(response) {
+  if (response.status === 204) return void 0;
+  return await response.json();
+}
+async function requestJson(environment, method, path, body, options) {
+  const wantsSessionTransportResponse = method === "POST" && path === "/api/sessions" || method === "GET" && /^\/api\/sessions\/[^/?#]+$/.test(path);
+  const sendRequest = async (forceValidation = false) => {
+    await environment.auth.ensureFresh(forceValidation);
+    const authorization = environment.auth.getAuthorizationHeader();
+    if (!authorization) {
+      throw new Error("Hosted session auth is unavailable.");
+    }
+    const headers = {
+      authorization,
+      "content-type": "application/json"
+    };
+    if (wantsSessionTransportResponse) {
+      headers[SESSION_RESPONSE_SCOPE_HEADER] = CLI_SESSION_TRANSPORT_SCOPE;
+    }
+    const requestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(options?.timeoutMs ?? DEFAULT_REQUEST_TIMEOUT_MS)
+    };
+    const workspaceHeader = resolveHostedWorkspaceHeader();
+    if (workspaceHeader) {
+      headers[ARCHAL_WORKSPACE_HEADER] = workspaceHeader;
+    }
+    if (body !== void 0) {
+      if (method === "GET") {
+        throw new Error(`session-provider request: GET ${path} cannot carry a body \u2014 pass query params via the URL instead.`);
+      }
+      requestInit.body = JSON.stringify(body);
+    }
+    return await fetch(`${environment.apiBaseUrl}${path}`, requestInit);
+  };
+  let response = await sendRequest();
+  const responseErrorCode = response.ok ? null : parseHostedAuthErrorCode(
+    await response.clone().text().catch(() => "")
+  );
+  if (shouldValidateHostedAuth(response.status, responseErrorCode)) {
+    response = await sendRequest(true);
+  }
+  if (!response.ok) {
+    const detail = await response.text().catch(() => "");
+    throw new HostedSessionRequestError(method, path, response.status, detail);
+  }
+  return await readJsonResponse(response);
+}
+var TRANSIENT_HOSTED_SESSION_DETAIL_PATTERNS = [
+  /session_provision_failed/i,
+  /\btimed?\s*out\b/i,
+  /\btimeout\b/i,
+  /(HTTP |status[=:]\s*)50[234]\b/i,
+  // upstream 502/503/504 (anchored to canonical HTTP/status prefixes)
+  /upstream\s+returned\s+50[234]\b/i,
+  // legacy phrasing in some emitters
+  /\bECONNRESET\b/i,
+  /\bECONNREFUSED\b/i,
+  /\bETIMEDOUT\b/i,
+  /\bEAI_AGAIN\b/i,
+  /network\s+(error|failure)/i
+];
+function detailLooksTransient(detail) {
+  return TRANSIENT_HOSTED_SESSION_DETAIL_PATTERNS.some((pattern) => pattern.test(detail));
+}
+var TERMINAL_HOSTED_WORKER_STATES = /* @__PURE__ */ new Set(["dead", "failed"]);
+function serviceWorkerEntries(workerStates, services) {
+  if (!workerStates) {
+    return [];
+  }
+  return services.map((service) => {
+    const state = workerStates[service];
+    return typeof state === "string" ? [service, state] : null;
+  }).filter((entry) => entry !== null);
+}
+function hasTerminalWorkerState(workerStates, services) {
+  return serviceWorkerEntries(workerStates, services).some(
+    ([, state]) => TERMINAL_HOSTED_WORKER_STATES.has(state.toLowerCase())
+  );
+}
+function formatServiceWorkerStateMap(workerStates, services) {
+  const entries = serviceWorkerEntries(workerStates, services);
+  if (entries.length === 0) {
+    return "none";
+  }
+  return entries.map(([service, state]) => `${service}:${state}`).join(", ");
+}
+function formatWorkerFailureDetail(failure) {
+  const parts = [
+    failure.lastStatus,
+    failure.stopCode ? `stopCode=${failure.stopCode}` : void 0,
+    typeof failure.containerExitCode === "number" ? `exit=${failure.containerExitCode}` : void 0,
+    failure.stoppedReason ? `reason=${publicHostedSessionDetail(failure.stoppedReason)}` : void 0,
+    failure.containerReason ? `container=${publicHostedSessionDetail(failure.containerReason)}` : void 0
+  ].filter((part) => Boolean(part));
+  return `${failure.twinName ?? "worker"}:${parts.join(",") || "failed"}`;
+}
+function formatWorkerFailureDetails(failures) {
+  if (!failures?.length) {
+    return void 0;
+  }
+  return failures.slice(0, 5).map(formatWorkerFailureDetail).join(", ");
+}
+var HostedSessionReadinessError = class extends Error {
+  lastError;
+  status;
+  hasTerminalWorkerState;
+  allRequestedWorkersTerminal;
+  requestedServiceCount;
+  retryableFailure;
+  internalLastError;
+  constructor(status, health, statusWorkerStates, services) {
+    const healthFailureReason = health.failure?.reason?.trim() || null;
+    const internalLastError = status.lastError?.trim() || healthFailureReason;
+    const publicLastError = publicHostedSessionDetail(internalLastError) || null;
+    const healthWorkerStates = toWorkerStates(health.clones);
+    const workerFailureDetails = formatWorkerFailureDetails(health.failure?.workerFailures);
+    const stateSummary = [
+      `status=${status.status}`,
+      `status.alive=${status.alive ?? "unknown"}`,
+      `workers=${formatServiceWorkerStateMap(statusWorkerStates, services)}`,
+      `health.alive=${health.alive}`,
+      `health.clones=${formatServiceWorkerStateMap(healthWorkerStates, services)}`,
+      workerFailureDetails ? `worker.failures=${workerFailureDetails}` : void 0
+    ].filter((part) => Boolean(part)).join("; ");
+    super(
+      `Hosted session ${status.status}${publicLastError ? `: ${publicLastError}` : ""} (${stateSummary})`
+    );
+    this.name = "HostedSessionReadinessError";
+    this.lastError = publicLastError;
+    this.status = status.status;
+    this.internalLastError = internalLastError;
+    this.retryableFailure = health.failure?.retryable;
+    this.requestedServiceCount = services.length;
+    this.hasTerminalWorkerState = hasTerminalWorkerState(statusWorkerStates, services) || hasTerminalWorkerState(healthWorkerStates, services);
+    this.allRequestedWorkersTerminal = services.length > 0 && services.every((service) => {
+      const state = statusWorkerStates?.[service] ?? healthWorkerStates?.[service];
+      return typeof state === "string" && TERMINAL_HOSTED_WORKER_STATES.has(state.toLowerCase());
+    });
+  }
+  /** @internal */
+  getInternalDetailForRetry() {
+    return this.internalLastError ?? "";
+  }
+};
+function isTransientHostedSessionStartError(error) {
+  if (error instanceof HostedSessionReadinessError) {
+    if (error.retryableFailure === true) {
+      return true;
+    }
+    if (error.retryableFailure === false) {
+      return false;
+    }
+    const retryDetail = error.getInternalDetailForRetry() || error.lastError;
+    if (retryDetail) {
+      return detailLooksTransient(retryDetail);
+    }
+    if (error.hasTerminalWorkerState) {
+      return error.allRequestedWorkersTerminal && error.requestedServiceCount > 1;
+    }
+    return error.status === "failed";
+  }
+  if (error instanceof HostedSessionRequestError) {
+    if (error.status === 401 || error.status === 429 || error.status === 500 || error.status === 502 || error.status === 503 || error.status === 504) {
+      return true;
+    }
+    return detailLooksTransient(error.getInternalDetailForRetry());
+  }
+  if (error instanceof Error) {
+    if (error.message.startsWith("Hosted session timed out waiting for readiness")) {
+      return true;
+    }
+    if (error.message.startsWith("Hosted session failed:")) {
+      const detail = error.message.slice("Hosted session failed:".length).trim();
+      return detailLooksTransient(detail);
+    }
+    if (error.message === "Hosted session failed") {
+      return true;
+    }
+    return error.name === "AbortError" || error.name === "TimeoutError" || error.name === "TypeError";
+  }
+  return false;
+}
+function describeUnknownError(error) {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+}
+function buildHostedSessionCleanupError(sessionId, startError, cleanupError) {
+  return new AggregateError(
+    [startError, cleanupError],
+    `Hosted session ${sessionId} failed readiness and cleanup failed: ${describeUnknownError(cleanupError)}`
+  );
+}
+function isHostedSessionAlreadyGoneError(error) {
+  return error instanceof HostedSessionRequestError && error.method === "DELETE" && (error.status === 404 || error.status === 410);
+}
+async function fileExists(path) {
+  try {
+    await fs.access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function toWorkerStates(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return void 0;
+  }
+  const entries = Object.entries(value).filter(([, status]) => typeof status === "string");
+  if (entries.length === 0) {
+    return void 0;
+  }
+  return Object.fromEntries(entries);
+}
+function workersReady(workerStates, services) {
+  if (!workerStates) return false;
+  return services.every((service) => workerStates[service] === "ready");
+}
+function buildResolvedRuntime(serviceNames, source) {
+  return {
+    resolvedServices: source?.resolvedServices?.length ? [...source.resolvedServices] : [...serviceNames],
+    resolvedSeeds: { ...source?.resolvedSeeds },
+    manifestVersions: { ...source?.manifestVersions },
+    capabilityVersion: source?.capabilityVersion,
+    runtimeVersion: source?.runtimeVersion
+  };
+}
+function hasNonEmptyApiBaseUrls(value) {
+  if (!value) {
+    return false;
+  }
+  return Object.values(value).some((entry) => typeof entry === "string" && entry.trim().length > 0);
+}
+function coalesceApiBaseUrls(primary, fallback) {
+  if (hasNonEmptyApiBaseUrls(primary)) {
+    return primary;
+  }
+  if (hasNonEmptyApiBaseUrls(fallback)) {
+    return fallback;
+  }
+  return {};
+}
+function isTerminalHostedSessionStatus(status) {
+  return status === "failed" || status === "expired" || status === "completed" || status === "ended" || status === "tearing_down";
+}
+function hasResolvedRuntimeMetadata(value) {
+  const hasResolvedServices = Array.isArray(value?.resolvedServices) && value.resolvedServices.some((service) => typeof service === "string" && service.trim().length > 0);
+  const hasResolvedSeeds = Boolean(
+    value?.resolvedSeeds && Object.keys(value.resolvedSeeds).some((service) => {
+      const seed = value.resolvedSeeds?.[service];
+      return typeof service === "string" && service.trim().length > 0 && typeof seed === "string" && seed.trim().length > 0;
+    })
+  );
+  const hasManifestVersions = Boolean(
+    value?.manifestVersions && Object.keys(value.manifestVersions).some((service) => {
+      const version = value.manifestVersions?.[service];
+      return typeof service === "string" && service.trim().length > 0 && typeof version === "string" && version.trim().length > 0;
+    })
+  );
+  return hasResolvedServices || hasResolvedSeeds || hasManifestVersions || value?.capabilityVersion !== void 0 || value?.runtimeVersion !== void 0;
+}
+function requestedSeedsMatchSession(requestedSeeds, session) {
+  if (!requestedSeeds) {
+    return true;
+  }
+  const resolvedSeeds = session.resolvedRuntime?.resolvedSeeds;
+  return Object.entries(requestedSeeds).every(
+    ([serviceName, requestedSeed]) => resolvedSeeds?.[serviceName] === requestedSeed
+  );
+}
+async function readHostedSessionStatus(environment, sessionId) {
+  try {
+    return await requestJson(
+      environment,
+      "GET",
+      `/api/sessions/${encodeURIComponent(sessionId)}`
+    ) ?? null;
+  } catch (error) {
+    const message = errorMessage(error);
+    if (message.includes("HTTP 401") || message.includes("HTTP 403") || message.includes("HTTP 404")) {
+      return null;
+    }
+    throw error;
+  }
+}
+async function confirmHostedSessionStopped(environment, sessionId) {
+  const statusPath = `/api/sessions/${encodeURIComponent(sessionId)}`;
+  for (let attempt = 1; attempt <= SESSION_STOP_CONFIRM_MAX_ATTEMPTS; attempt += 1) {
+    try {
+      const status = await requestJson(
+        environment,
+        "GET",
+        statusPath
+      );
+      if (status && isTerminalHostedSessionStatus(status.status)) {
+        return true;
+      }
+    } catch (error) {
+      if (error instanceof HostedSessionRequestError && error.method === "GET" && error.path === statusPath && (error.status === 404 || error.status === 410)) {
+        return true;
+      }
+    }
+    if (attempt < SESSION_STOP_CONFIRM_MAX_ATTEMPTS) {
+      await sleep(SESSION_STOP_CONFIRM_POLL_INTERVAL_MS);
+    }
+  }
+  return false;
+}
+async function readHostedSessionHealth(environment, sessionId) {
+  try {
+    return await requestJson(
+      environment,
+      "GET",
+      `/api/sessions/${encodeURIComponent(sessionId)}/health`
+    ) ?? null;
+  } catch (error) {
+    const message = errorMessage(error);
+    if (message.includes("HTTP 401") || message.includes("HTTP 403") || message.includes("HTTP 404")) {
+      return null;
+    }
+    throw error;
+  }
+}
+async function resolveReusableSession(environment, session, serviceNames) {
+  const [status, health] = await Promise.all([
+    readHostedSessionStatus(environment, session.sessionId),
+    readHostedSessionHealth(environment, session.sessionId)
+  ]);
+  if (!status || !health) {
+    return null;
+  }
+  if (isTerminalHostedSessionStatus(status.status)) {
+    return null;
+  }
+  const workerStates = toWorkerStates(status.workers) ?? toWorkerStates(status.clones);
+  const statusWorkersReady = workerStates ? workersReady(workerStates, serviceNames) : true;
+  if (!health.alive || !status.alive && status.status !== "ready" && status.status !== "running" || !statusWorkersReady || !workersReady(health.clones, serviceNames)) {
+    return null;
+  }
+  return {
+    sessionId: session.sessionId,
+    apiBaseUrls: coalesceApiBaseUrls(status.apiBaseUrls, session.apiBaseUrls),
+    resolvedRuntime: buildResolvedRuntime(
+      serviceNames,
+      hasResolvedRuntimeMetadata(status) ? status : session.resolvedRuntime
+    )
+  };
+}
+async function waitForHostedSessionReady(environment, sessionId, serviceNames) {
+  const deadline = Date.now() + environment.readyTimeoutMs;
+  let lastIssue = "session still starting";
+  while (Date.now() < deadline) {
+    let status;
+    let health;
+    try {
+      [status, health] = await Promise.all([
+        requestJson(
+          environment,
+          "GET",
+          `/api/sessions/${encodeURIComponent(sessionId)}`
+        ),
+        requestJson(
+          environment,
+          "GET",
+          `/api/sessions/${encodeURIComponent(sessionId)}/health`
+        )
+      ]);
+    } catch (error) {
+      if (!isTransientHostedSessionStartError(error)) {
+        throw error;
+      }
+      lastIssue = errorMessage(error);
+      await sleep(SESSION_POLL_INTERVAL_MS);
+      continue;
+    }
+    if (!status || !health) {
+      await sleep(SESSION_POLL_INTERVAL_MS);
+      continue;
+    }
+    const statusWorkerStates = toWorkerStates(status.workers) ?? toWorkerStates(status.clones);
+    const healthWorkerStates = toWorkerStates(health.clones);
+    if (isTerminalHostedSessionStatus(status.status) || hasTerminalWorkerState(statusWorkerStates, serviceNames) || hasTerminalWorkerState(healthWorkerStates, serviceNames)) {
+      throw new HostedSessionReadinessError(status, health, statusWorkerStates, serviceNames);
+    }
+    const statusWorkersReady = statusWorkerStates ? workersReady(statusWorkerStates, serviceNames) : true;
+    if (health.alive && (status.alive || status.status === "ready") && statusWorkersReady && workersReady(health.clones, serviceNames)) {
+      return status;
+    }
+    const workerSummary = Object.entries(statusWorkerStates ?? {}).map(([service, state]) => `${service}:${state}`).join(", ");
+    lastIssue = workerSummary ? `workers not ready (${workerSummary})` : `status=${status.status}`;
+    await sleep(SESSION_POLL_INTERVAL_MS);
+  }
+  throw new Error(`Hosted session timed out waiting for readiness (${lastIssue}).`);
+}
+var HostedSessionClient = class {
+  constructor(environment) {
+    this.environment = environment;
+  }
+  environment;
+  async reuseRouteSession(session, serviceNames) {
+    return await resolveReusableSession(this.environment, session, serviceNames);
+  }
+  async startRouteSession(serviceNames, requestedSeeds, options) {
+    const requestBody = {
+      clones: serviceNames,
+      transport: "cloud",
+      routing: {
+        mode: "route",
+        services: serviceNames,
+        requestedSeeds
+      },
+      ttlSeconds: this.environment.ttlSeconds,
+      cloneReadyTimeoutMs: this.environment.readyTimeoutMs,
+      ...requestedSeeds ? { seeds: requestedSeeds } : {},
+      ...options?.source ? { source: options.source } : {}
+    };
+    let lastError;
+    for (let attempt = 1; attempt <= SESSION_CREATE_MAX_ATTEMPTS; attempt += 1) {
+      let started;
+      try {
+        started = await requestJson(
+          this.environment,
+          "POST",
+          "/api/sessions",
+          requestBody,
+          { timeoutMs: DEFAULT_SESSION_CREATE_REQUEST_TIMEOUT_MS }
+        );
+        if (!started) {
+          throw new Error("Hosted session failed to start.");
+        }
+        const ready = await waitForHostedSessionReady(this.environment, started.sessionId, serviceNames);
+        return {
+          sessionId: started.sessionId,
+          apiBaseUrls: coalesceApiBaseUrls(ready.apiBaseUrls, started.apiBaseUrls),
+          resolvedRuntime: buildResolvedRuntime(
+            serviceNames,
+            hasResolvedRuntimeMetadata(ready) ? ready : started
+          )
+        };
+      } catch (error) {
+        lastError = error;
+        if (started?.sessionId) {
+          try {
+            await this.stop(started.sessionId);
+          } catch (cleanupError) {
+            throw buildHostedSessionCleanupError(started.sessionId, error, cleanupError);
+          }
+        }
+        if (attempt >= SESSION_CREATE_MAX_ATTEMPTS || !isTransientHostedSessionStartError(error)) {
+          throw error;
+        }
+        await sleep(
+          SESSION_CREATE_RETRY_DELAYS_MS[attempt - 1] ?? SESSION_CREATE_RETRY_DELAYS_MS.at(-1) ?? 2e3
+        );
+      }
+    }
+    throw lastError instanceof Error ? lastError : new Error("Hosted session failed to start.");
+  }
+  async stop(sessionId) {
+    try {
+      await requestJson(
+        this.environment,
+        "DELETE",
+        `/api/sessions/${encodeURIComponent(sessionId)}`
+      );
+    } catch (error) {
+      if (isHostedSessionAlreadyGoneError(error)) {
+        return;
+      }
+      if (await confirmHostedSessionStopped(this.environment, sessionId)) {
+        return;
+      }
+      throw error;
+    }
+  }
+};
+
+// ../runtime/src/auth-lease.ts
+import { promises as fs2 } from "fs";
+import { join as join2 } from "path";
+
+// ../node-auth/src/constants.ts
+var CREDENTIALS_FILE = "credentials.json";
+var CREDENTIALS_KEY_FILE = "credentials.key";
+var AUTH_TOKEN_ENV_VAR = "ARCHAL_TOKEN";
+var TOKEN_ENCRYPTION_PREFIX = "enc-v1";
+var CREDENTIALS_MASTER_KEY_ENV_VAR = "ARCHAL_CREDENTIALS_MASTER_KEY";
+var KEYCHAIN_SERVICE = "archal-cli";
+var KEYCHAIN_ACCOUNT = "credentials-master-key";
+var HOSTED_DEFAULT_AUTH_BASE_URL = "https://www.archal.ai";
+var STRICT_ENDPOINTS_ENV_VAR = "ARCHAL_STRICT_ENDPOINTS";
+var REQUEST_TIMEOUT_MS = 8e3;
+var ENV_TOKEN_FALLBACK_TTL_SECONDS = 24 * 60 * 60;
+
+// ../node-auth/src/types.ts
+function isPlan(value) {
+  return value === "free" || value === "pro" || value === "enterprise";
+}
+
+// ../node-auth/src/errors.ts
+function errorMessage2(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+
+// ../node-auth/src/credential-store.ts
+import { spawnSync } from "child_process";
+import { createCipheriv, createDecipheriv, createHash, randomBytes } from "crypto";
+import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, unlinkSync, writeFileSync } from "fs";
+import { homedir, tmpdir } from "os";
+import { dirname, join } from "path";
+
+// ../clone-catalog/dist/index.js
+var GENERATED_CLONE_CATALOG = [
+  {
+    id: "apify",
+    icon: "AP",
+    name: "Apify",
+    description: "Actors, runs, datasets, key-value stores, and request queues.",
+    stage: "preview",
+    toolCount: 59,
+    transport: "rest",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "Apify upstream error and pagination envelopes",
+      "dataset, key-value store, and request-queue stateful projections",
+      "fixture-backed fallback semantics for uncovered REST paths"
+    ],
+    behaviorOwner: "src/upstream.ts",
+    opsCoverage: null
+  },
+  {
+    id: "calcom",
+    icon: "CC",
+    name: "Cal.com",
+    description: "Event types, schedules, availability slots, bookings, calendars, and webhooks.",
+    stage: "preview",
+    toolCount: 18,
+    transport: "both",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "schedule and event-type availability projection",
+      "booking create, cancel, and reschedule lifecycle",
+      "host-wide busy interval and slot computation",
+      "webhook summary/detail lifecycle projection"
+    ],
+    behaviorOwner: "src/state/relationships.ts",
+    opsCoverage: null
+  },
+  {
+    id: "clickup",
+    icon: "CU",
+    name: "ClickUp",
+    description: "Teams, spaces, folders, lists, tasks, comments, tags, time tracking, and checklists.",
+    stage: "preview",
+    toolCount: 40,
+    transport: "both",
+    architectureClass: "standard-core",
+    domainPrimitives: [],
+    behaviorOwner: null,
+    opsCoverage: null
+  },
+  {
+    id: "customerio",
+    icon: "CI",
+    name: "Customer.io",
+    description: "Messaging automation across campaigns, broadcasts, transactional email, segments, customers, and message delivery.",
+    stage: "preview",
+    toolCount: 22,
+    transport: "rest",
+    architectureClass: "standard-core",
+    domainPrimitives: [],
+    behaviorOwner: null,
+    opsCoverage: null
+  },
+  {
+    id: "datadog",
+    icon: "DD",
+    name: "Datadog",
+    description: "Observability REST API \u2014 metrics, logs, monitors, dashboards, SLOs, incidents, teams, users, and service definitions.",
+    stage: "preview",
+    toolCount: 63,
+    transport: "rest",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "time-series query windows",
+      "log query filtering",
+      "monitor evaluation and alert state"
+    ],
+    behaviorOwner: "src/domain/simulator.ts",
+    opsCoverage: null
+  },
+  {
+    id: "discord",
+    icon: "DC",
+    name: "Discord",
+    description: "Guilds, channels, messages, webhooks, threads, commands, and interaction responses.",
+    stage: "preview",
+    toolCount: 67,
+    transport: "both",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "channel membership",
+      "message timeline ordering",
+      "thread and event delivery semantics"
+    ],
+    behaviorOwner: "src/domain/discord-simulator.ts",
+    opsCoverage: 14
+  },
+  {
+    id: "github",
+    icon: "GH",
+    name: "GitHub",
+    description: "Repos, issues, pull requests, branches, and commits.",
+    stage: "public",
+    toolCount: 26,
+    transport: "both",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "repository branch, commit, tree, and diff projection",
+      "issue and pull-request lifecycle projection",
+      "review, comment, and status/check aggregation",
+      "permission-scoped reads and webhook event delivery"
+    ],
+    behaviorOwner: "src/state/transition-rules.ts",
+    opsCoverage: 96
+  },
+  {
+    id: "gitlab",
+    icon: "GL",
+    name: "GitLab",
+    description: "Projects, branches, commits, issues, merge requests, pipelines, labels, milestones, releases, and webhooks.",
+    stage: "preview",
+    toolCount: 46,
+    transport: "both",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "issue and merge-request state transitions",
+      "note/comment ordering and count projection",
+      "repository branch, commit, merge, and diff projection",
+      "GitLab webhook subscription, payload, and header emission"
+    ],
+    behaviorOwner: "src/state/webhook-delivery-config.ts",
+    opsCoverage: null
+  },
+  {
+    id: "google-workspace",
+    icon: "GW",
+    name: "Google Workspace",
+    description: "Gmail, Calendar, Drive, Sheets, and Contacts.",
+    stage: "preview",
+    toolCount: 249,
+    transport: "both",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "Gmail thread/history engine",
+      "Drive changes and permissions",
+      "Calendar recurrence and watch sync"
+    ],
+    behaviorOwner: "src/domain/google-workspace-simulator.ts",
+    opsCoverage: 64
+  },
+  {
+    id: "hubspot",
+    icon: "HS",
+    name: "HubSpot",
+    description: "CRM contacts, companies, deals, tickets, and engagements.",
+    stage: "preview",
+    toolCount: 41,
+    transport: "rest",
+    architectureClass: "replay-shell",
+    domainPrimitives: [
+      "CRM object state and associations",
+      "Pipeline and property schema state",
+      "Recording-backed REST/MCP aliases awaiting stateful lift"
+    ],
+    behaviorOwner: null,
+    opsCoverage: 99
+  },
+  {
+    id: "jira",
+    icon: "JR",
+    name: "Jira",
+    description: "Issues, projects, boards, sprints, and versions.",
+    stage: "preview",
+    toolCount: 49,
+    transport: "both",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "issue workflow transitions and mutation history",
+      "JQL/search and issue field projection",
+      "sprint, board, version, and SLA time-based transitions",
+      "permission-scoped reads and Jira webhook event delivery"
+    ],
+    behaviorOwner: "src/state/transition-rules.ts",
+    opsCoverage: 80
+  },
+  {
+    id: "linear",
+    icon: "LN",
+    name: "Linear",
+    description: "Issues, projects, teams, cycles, and workflows.",
+    stage: "public",
+    toolCount: 50,
+    transport: "both",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "GraphQL operation dispatch",
+      "issue workflow transitions",
+      "comment and history projection",
+      "cycle and project progress projection"
+    ],
+    behaviorOwner: "src/rest/graphql-dispatch.ts",
+    opsCoverage: 98
+  },
+  {
+    id: "ownerrez",
+    icon: "OR",
+    name: "OwnerRez",
+    description: "Vacation-rental PMS \u2014 properties, bookings, guests, quotes, financial reads, tags, fields, and webhook subscriptions.",
+    stage: "preview",
+    toolCount: 25,
+    transport: "rest",
+    architectureClass: "replay-shell",
+    domainPrimitives: [
+      "recording replay cursor",
+      "tag and guest stateful overlays",
+      "booking/payment read projections"
+    ],
+    behaviorOwner: null,
+    opsCoverage: 100
+  },
+  {
+    id: "pricelabs",
+    icon: "PL",
+    name: "PriceLabs",
+    description: "Dynamic pricing \u2014 listings, overrides, neighborhood data, rate plans, and reservations.",
+    stage: "preview",
+    toolCount: 11,
+    transport: "rest",
+    architectureClass: "replay-shell",
+    domainPrimitives: [
+      "recording replay cursor",
+      "listing settings overlay",
+      "pricing and reservation projections"
+    ],
+    behaviorOwner: null,
+    opsCoverage: 100
+  },
+  {
+    id: "ramp",
+    icon: "RP",
+    name: "Ramp",
+    description: "Cards, funds, expenses, reimbursements, bills, and travel.",
+    stage: "preview",
+    toolCount: 46,
+    transport: "mcp",
+    architectureClass: "replay-shell",
+    domainPrimitives: [
+      "checked-in Ramp CLI fixture corpus",
+      "CLI-native command routing",
+      "seeded approval and comment overlays"
+    ],
+    behaviorOwner: null,
+    opsCoverage: null
+  },
+  {
+    id: "sentry",
+    icon: "SN",
+    name: "Sentry",
+    description: "Error monitoring across organizations, projects, teams, issues, events, releases, and DSN keys.",
+    stage: "preview",
+    toolCount: 25,
+    transport: "rest",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "event grouping",
+      "issue state transitions",
+      "release and time-window projections"
+    ],
+    behaviorOwner: "src/domain/sentry-simulator.ts",
+    opsCoverage: null
+  },
+  {
+    id: "slack",
+    icon: "SL",
+    name: "Slack",
+    description: "Channels, messages, threads, users, and reactions.",
+    stage: "public",
+    toolCount: 9,
+    transport: "both",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "channel membership and visibility",
+      "message/thread ordering",
+      "event delivery semantics"
+    ],
+    behaviorOwner: "src/domain/slack-simulator.ts",
+    opsCoverage: 100
+  },
+  {
+    id: "stripe",
+    icon: "ST",
+    name: "Stripe",
+    description: "Customers, payments, subscriptions, invoices, and refunds.",
+    stage: "preview",
+    toolCount: 28,
+    transport: "both",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "payment object lifecycle",
+      "balance and ledger projection",
+      "webhook/idempotency semantics"
+    ],
+    behaviorOwner: "src/domain/stripe-simulator.ts",
+    opsCoverage: null
+  },
+  {
+    id: "supabase",
+    icon: "SB",
+    name: "Supabase",
+    description: "SQL, migrations, logs, branches, and project metadata.",
+    stage: "public",
+    toolCount: 29,
+    transport: "both",
+    architectureClass: "domain-simulator",
+    domainPrimitives: [
+      "Postgres schema and SQL execution",
+      "RLS and API projections",
+      "realtime row changes"
+    ],
+    behaviorOwner: "src/pg-engine.ts",
+    opsCoverage: 100
+  },
+  {
+    id: "tavily",
+    icon: "TV",
+    name: "Tavily",
+    description: "Search, extract, crawl, map, research, usage, and API key operations.",
+    stage: "preview",
+    toolCount: 11,
+    transport: "rest",
+    architectureClass: "replay-shell",
+    domainPrimitives: [
+      "recording-backed REST/tool response replay",
+      "deterministic search/extract response helpers",
+      "research request state overlay"
+    ],
+    behaviorOwner: null,
+    opsCoverage: 100
+  },
+  {
+    id: "unipile",
+    icon: "UP",
+    name: "Unipile",
+    description: "LinkedIn and email messaging, accounts, and chats.",
+    stage: "preview",
+    toolCount: 31,
+    transport: "rest",
+    architectureClass: "replay-shell",
+    domainPrimitives: [
+      "authenticated account and chat reads",
+      "single WhatsApp send mutation",
+      "future account, chat, and webhook simulator"
+    ],
+    behaviorOwner: null,
+    opsCoverage: 100
+  },
+  {
+    id: "webflow",
+    icon: "WF",
+    name: "Webflow",
+    description: "Sites, pages, CMS collections, items, assets, forms, and webhooks.",
+    stage: "preview",
+    toolCount: 19,
+    transport: "rest",
+    architectureClass: "replay-shell",
+    domainPrimitives: [
+      "recording replay cursor",
+      "CMS collection/item overlays",
+      "publish lifecycle captures"
+    ],
+    behaviorOwner: null,
+    opsCoverage: 100
+  }
+];
+var GENERATED_STARTABLE_CLONE_IDS = [
+  "apify",
+  "calcom",
+  "clickup",
+  "customerio",
+  "datadog",
+  "discord",
+  "github",
+  "gitlab",
+  "google-workspace",
+  "hubspot",
+  "jira",
+  "linear",
+  "ownerrez",
+  "pricelabs",
+  "ramp",
+  "sentry",
+  "slack",
+  "stripe",
+  "supabase",
+  "tavily",
+  "unipile",
+  "webflow"
+];
+var CLONE_ARCHITECTURE_CLASSES = [
+  "standard-core",
+  "domain-simulator",
+  "replay-shell",
+  "redesign-before-expansion"
+];
+var CLONE_ARCHITECTURE_PREVIEW_CLASSES = [
+  "replay-shell",
+  "redesign-before-expansion"
+];
+var CLONE_ARCHITECTURE_CLASS_SET = new Set(CLONE_ARCHITECTURE_CLASSES);
+var CLONE_ARCHITECTURE_PREVIEW_CLASS_SET = new Set(CLONE_ARCHITECTURE_PREVIEW_CLASSES);
+var CLONE_RUNTIME_SOURCE_EXTENSIONS = Object.freeze([
+  ".cjs",
+  ".cts",
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".mts",
+  ".ts",
+  ".tsx"
+]);
+var RUNTIME_SOURCE_EXTENSIONS = new Set(CLONE_RUNTIME_SOURCE_EXTENSIONS);
+var FIELD_POLICY = {
+  behaviorOwner: {
+    required: /* @__PURE__ */ new Set(["domain-simulator"]),
+    allowed: /* @__PURE__ */ new Set(["domain-simulator"])
+  },
+  domainPrimitives: {
+    required: /* @__PURE__ */ new Set(["domain-simulator", "replay-shell", "redesign-before-expansion"]),
+    allowed: /* @__PURE__ */ new Set(["domain-simulator", "replay-shell", "redesign-before-expansion"])
+  },
+  promotionEvidence: {
+    required: /* @__PURE__ */ new Set(["replay-shell"]),
+    allowed: /* @__PURE__ */ new Set(["replay-shell"])
+  },
+  redesignContract: {
+    required: /* @__PURE__ */ new Set(["redesign-before-expansion"]),
+    allowed: /* @__PURE__ */ new Set(["redesign-before-expansion"])
+  }
+};
+var CLONE_ARCHITECTURE_POLICY_FIELDS = Object.freeze(Object.keys(FIELD_POLICY));
+var CLONE_ARCHITECTURE_MANIFEST_FIELDS = Object.freeze([
+  "class",
+  "summary",
+  ...CLONE_ARCHITECTURE_POLICY_FIELDS
+]);
+var CLONE_ARCHITECTURE_MANIFEST_FIELD_SET = new Set(CLONE_ARCHITECTURE_MANIFEST_FIELDS);
+var CLONE_STAGES = ["wip", "internal", "preview", "public", "retired"];
+var CLONE_TRANSPORTS = ["mcp", "rest", "both"];
+var CLONE_SMOKE_PROFILES = ["none", "health-and-seed", "clone-surface"];
+var STARTABLE_CLONE_STAGES = ["public", "preview"];
+var CATALOG_VISIBLE_CLONE_STAGES = ["public", "preview"];
+var CLONE_STAGE_SET = new Set(CLONE_STAGES);
+var CLONE_TRANSPORT_SET = new Set(CLONE_TRANSPORTS);
+var CLONE_SMOKE_PROFILE_SET = new Set(CLONE_SMOKE_PROFILES);
+var STARTABLE_CLONE_STAGE_SET = new Set(STARTABLE_CLONE_STAGES);
+var CATALOG_VISIBLE_CLONE_STAGE_SET = new Set(CATALOG_VISIBLE_CLONE_STAGES);
+var CLONE_CATALOG = GENERATED_CLONE_CATALOG;
+var ALL_CLONE_IDS = CLONE_CATALOG.map((entry) => entry.id);
+var ALL_STARTABLE_CLONE_IDS = [...GENERATED_STARTABLE_CLONE_IDS];
+var CLONE_ID_SET = new Set(ALL_CLONE_IDS);
+var STARTABLE_CLONE_ID_SET = new Set(ALL_STARTABLE_CLONE_IDS);
+var STARTABLE_CLONE_CATALOG = CLONE_CATALOG.filter(
+  (entry) => STARTABLE_CLONE_ID_SET.has(entry.id)
+);
+
+// ../billing-constants/src/credit-catalog.ts
+var CREDIT_COGS_MARKUP = 3;
+var CREDIT_TARGET_GROSS_MARGIN_PERCENT = Math.round(
+  (1 - 1 / CREDIT_COGS_MARKUP) * 100
+);
+
+// ../billing-constants/src/index.ts
+var PLAN_MONTHLY_TWIN_MINUTE_LIMITS = {
+  free: 500,
+  pro: 5e3,
+  enterprise: null
+};
+var PLAN_CONCURRENT_SESSION_LIMITS = {
+  free: 3,
+  pro: 10,
+  enterprise: 50
+};
+var FREE_WORKSPACE_MEMBER_LIMIT = 2;
+var PRO_PLAN_PRICE_USD = 199;
+function formatMinutesLabel(minutes) {
+  return minutes.toLocaleString("en-US");
+}
+var FREE_MINUTES = PLAN_MONTHLY_TWIN_MINUTE_LIMITS.free;
+var PRO_MINUTES = PLAN_MONTHLY_TWIN_MINUTE_LIMITS.pro;
+if (FREE_MINUTES == null || PRO_MINUTES == null) {
+  throw new Error("PLAN_MONTHLY_TWIN_MINUTE_LIMITS: free and pro must be non-null");
+}
+var PRO_EVALS_PER_SEAT = 500;
+var PRO_SESSION_MINUTES_PER_SEAT = 5e3;
+var PRO_MAX_SEATS = 5;
+var FREE_EVALS_PER_MONTH = 100;
+var PLAN_DISPLAY = {
+  free: {
+    tag: "Free",
+    priceLabel: "$0",
+    periodLabel: "",
+    included: [
+      `${formatMinutesLabel(FREE_MINUTES)} session-minutes / account`,
+      `${FREE_EVALS_PER_MONTH} evals / account`,
+      `1 workspace (${FREE_WORKSPACE_MEMBER_LIMIT} users max)`,
+      `${PLAN_CONCURRENT_SESSION_LIMITS.free} concurrent sessions / workspace`,
+      "All clones included"
+    ]
+  },
+  pro: {
+    tag: "Pro",
+    priceLabel: `$${PRO_PLAN_PRICE_USD}`,
+    periodLabel: "/mo per seat",
+    included: [
+      `${formatMinutesLabel(PRO_SESSION_MINUTES_PER_SEAT)} session-minutes / seat / month`,
+      `${PRO_EVALS_PER_SEAT} evals / seat / month`,
+      "All clones included",
+      `${PLAN_CONCURRENT_SESSION_LIMITS.pro} concurrent sessions / workspace`,
+      `1 workspace, up to ${PRO_MAX_SEATS} seats with pooled usage`
+    ]
+  },
+  enterprise: {
+    tag: "Enterprise",
+    priceLabel: "Contact us",
+    periodLabel: "",
+    included: [
+      "Unlimited session-minutes",
+      "Unlimited seats per workspace",
+      "Unlimited workspaces",
+      `${PLAN_CONCURRENT_SESSION_LIMITS.enterprise} concurrent sessions / workspace`,
+      "SSO / SAML",
+      "SOC 2 (in progress)",
+      "Custom clones & eval support",
+      "Dedicated onboarding & support"
+    ]
+  }
+};
+var PLAN_MAX_SESSION_TTL_SECONDS = {
+  free: 30 * 60,
+  // 30 minutes
+  pro: 60 * 60,
+  // 60 minutes
+  enterprise: 90 * 60
+  // 90 minutes
+};
+var MAX_ABSOLUTE_SESSION_LIFETIME_SECONDS = 4 * 60 * 60;
+var LIFETIME_PERIOD_RESETS_AT = new Date(Date.UTC(9999, 11, 31));
+var ALL_ENTITLED_CLONES = ALL_STARTABLE_CLONE_IDS;
+var SCENARIO_USAGE_WINDOW_DAYS = 7;
+var SCENARIO_USAGE_WINDOW_MS = SCENARIO_USAGE_WINDOW_DAYS * 24 * 60 * 60 * 1e3;
+var SCENARIO_USAGE_WINDOW_SECONDS = SCENARIO_USAGE_WINDOW_DAYS * 24 * 60 * 60;
+var LLM_PRICING_USD_PER_M_TOKENS = {
+  // Google Gemini (verified 2026-05-05, standard tier <=200K input tokens)
+  "gemini-2.5-pro": { input: 1.25, output: 10 },
+  "gemini-2.5-flash": { input: 0.3, output: 2.5 },
+  // OpenAI flagship text models (verified 2026-05-21, standard short-context tier)
+  "gpt-5.5": { input: 5, output: 30 },
+  "gpt-5.5-pro": { input: 30, output: 180 },
+  "gpt-5.4": { input: 2.5, output: 15 },
+  "gpt-5.4-mini": { input: 0.75, output: 4.5 },
+  "gpt-5.4-nano": { input: 0.2, output: 1.25 },
+  "gpt-5.4-pro": { input: 30, output: 180 },
+  "gpt-4o-mini": { input: 0.15, output: 0.6 },
+  "gpt-4o": { input: 2.5, output: 10 },
+  "gpt-4.1-mini": { input: 0.4, output: 1.6 },
+  "gpt-4.1-nano": { input: 0.1, output: 0.4 },
+  "gpt-4.1": { input: 2, output: 8 },
+  // DeepSeek (verified 2026-05-05; legacy names map to v4-flash per vendor)
+  "deepseek-chat": { input: 0.14, output: 0.28 },
+  "deepseek-reasoner": { input: 0.14, output: 0.28 },
+  "deepseek-v4-flash": { input: 0.14, output: 0.28 }
+};
+var LLM_PRICING_FAMILY_RATES = [
+  { match: /^gemini-2\.5-pro/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gemini-2.5-pro"] },
+  { match: /^gemini-2\.5-flash/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gemini-2.5-flash"] },
+  { match: /^gpt-5\.5-pro/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.5-pro"] },
+  { match: /^gpt-5\.5/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.5"] },
+  { match: /^gpt-5\.4-pro/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.4-pro"] },
+  { match: /^gpt-5\.4-mini/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.4-mini"] },
+  { match: /^gpt-5\.4-nano/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.4-nano"] },
+  { match: /^gpt-5\.4/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.4"] },
+  { match: /^gpt-4o-mini/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-4o-mini"] },
+  { match: /^gpt-4o(?!-mini)/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-4o"] },
+  { match: /^gpt-4\.1-mini/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-4.1-mini"] },
+  { match: /^gpt-4\.1-nano/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-4.1-nano"] },
+  { match: /^gpt-4\.1(?!-mini|-nano)/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-4.1"] },
+  // Anthropic Claude 4.x list prices (verified 2026): Opus $5/$25, Sonnet
+  // $3/$15, Haiku 4.5 $1/$5 per 1M tokens (input/output).
+  { match: /^claude-opus-/i, rate: { input: 5, output: 25 } },
+  { match: /^claude-haiku-/i, rate: { input: 1, output: 5 } },
+  { match: /^claude-sonnet-/i, rate: { input: 3, output: 15 } },
+  { match: /^opus-/i, rate: { input: 5, output: 25 } },
+  { match: /^haiku-/i, rate: { input: 1, output: 5 } },
+  { match: /^sonnet-/i, rate: { input: 3, output: 15 } },
+  { match: /^deepseek-chat/i, rate: LLM_PRICING_USD_PER_M_TOKENS["deepseek-chat"] },
+  { match: /^deepseek-reasoner/i, rate: LLM_PRICING_USD_PER_M_TOKENS["deepseek-reasoner"] },
+  { match: /^deepseek-v4-flash/i, rate: LLM_PRICING_USD_PER_M_TOKENS["deepseek-v4-flash"] }
+];
+
+// ../node-auth/src/clone-entitlements.ts
+var ENTITLED_CLONE_SET = new Set(ALL_ENTITLED_CLONES);
+function normalizeEntitledCloneIds(cloneIds) {
+  if (!cloneIds) {
+    return [];
+  }
+  const normalized = /* @__PURE__ */ new Set();
+  for (const cloneId of cloneIds) {
+    if (typeof cloneId !== "string") {
+      continue;
+    }
+    const trimmed = cloneId.trim();
+    if (ENTITLED_CLONE_SET.has(trimmed)) {
+      normalized.add(trimmed);
+    }
+  }
+  return [...normalized];
+}
+
+// ../node-auth/src/credential-store.ts
+var KEYCHAIN_COMMAND_TIMEOUT_MS = 1500;
+var ARCHAL_DIR_NAME = ".archal";
+var TEST_SANDBOX_ID_ENV_VAR = "ARCHAL_TEST_SANDBOX_ID";
+var VITEST_CONFIG_ENV_VAR = "ARCHAL_VITEST_CONFIG";
+function debug(message) {
+  if (process.env["ARCHAL_DEBUG"] !== "1") {
+    return;
+  }
+  process.stderr.write(`[archal-node-auth] ${message}
+`);
+}
+function getWarn(options) {
+  return options?.warn ?? console.warn;
+}
+function isExpired(expiresAt) {
+  return expiresAt <= Math.floor(Date.now() / 1e3);
+}
+function isRunningUnderTests() {
+  return process.env["VITEST"] === "true" || process.env["VITEST_WORKER_ID"] !== void 0 || process.env["JEST_WORKER_ID"] !== void 0 || process.env["NODE_TEST_CONTEXT"] !== void 0;
+}
+function getRealArchalDir() {
+  return join(homedir(), ARCHAL_DIR_NAME);
+}
+function normalizeSandboxId(raw) {
+  const trimmed = raw.trim();
+  if (/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(trimmed)) {
+    return trimmed;
+  }
+  return createHash("sha256").update(trimmed).digest("hex").slice(0, 16);
+}
+function getTestSandboxDir() {
+  const sharedSandboxId = process.env[VITEST_CONFIG_ENV_VAR]?.trim() || process.env[TEST_SANDBOX_ID_ENV_VAR]?.trim();
+  if (sharedSandboxId) {
+    return join(tmpdir(), `archal-test-sandbox-${normalizeSandboxId(sharedSandboxId)}`);
+  }
+  const workerId = process.env["VITEST_WORKER_ID"] ?? process.env["JEST_WORKER_ID"] ?? String(process.pid);
+  return join(tmpdir(), `archal-test-sandbox-${workerId}-${process.pid}`);
+}
+var seededSandboxes = /* @__PURE__ */ new Set();
+function seedSandboxFromRealHomeOnce(sandboxDir) {
+  try {
+    if (seededSandboxes.has(sandboxDir)) {
+      const credsIntact = existsSync(join(sandboxDir, CREDENTIALS_FILE));
+      if (credsIntact) return;
+      seededSandboxes.delete(sandboxDir);
+    }
+    const realDir = getRealArchalDir();
+    if (!existsSync(realDir)) {
+      seededSandboxes.add(sandboxDir);
+      return;
+    }
+    if (!existsSync(sandboxDir)) {
+      mkdirSync(sandboxDir, { recursive: true, mode: 448 });
+    }
+    for (const filename of [CREDENTIALS_FILE, CREDENTIALS_KEY_FILE]) {
+      const realPath = join(realDir, filename);
+      const sandboxPath = join(sandboxDir, filename);
+      if (!existsSync(realPath) || existsSync(sandboxPath)) continue;
+      const contents = readFileSync(realPath);
+      writeFileSync(sandboxPath, contents, { mode: 384 });
+      try {
+        chmodSync(sandboxPath, 384);
+      } catch {
+      }
+    }
+    seededSandboxes.add(sandboxDir);
+  } catch (err) {
+    debug(`Sandbox seed skipped: ${errorMessage2(err)}`);
+  }
+}
+function getArchalDir() {
+  const explicit = process.env["ARCHAL_HOME"];
+  if (explicit) {
+    return explicit;
+  }
+  if (isRunningUnderTests()) {
+    return getTestSandboxDir();
+  }
+  return getRealArchalDir();
+}
+function getCredentialsPath() {
+  return join(getArchalDir(), CREDENTIALS_FILE);
+}
+function ensureDir(dir) {
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+    debug(`Created archal directory at ${dir}`);
+  }
+  return dir;
+}
+function getCredentialsPathForDir(dir) {
+  return join(dir, CREDENTIALS_FILE);
+}
+function getCredentialsKeyPathForDir(dir) {
+  return join(dir, CREDENTIALS_KEY_FILE);
+}
+function readCredentialsKeyFromEnv() {
+  const raw = process.env[CREDENTIALS_MASTER_KEY_ENV_VAR]?.trim();
+  if (!raw) {
+    return null;
+  }
+  if (/^[a-fA-F0-9]{64}$/.test(raw)) {
+    return Buffer.from(raw, "hex");
+  }
+  try {
+    const decoded = Buffer.from(raw, "base64");
+    if (decoded.length === 32) {
+      return decoded;
+    }
+  } catch (err) {
+    debug(`Base64 master key decode failed: ${errorMessage2(err)}`);
+  }
+  return createHash("sha256").update(raw, "utf8").digest();
+}
+function readCredentialsKeyFromMacKeychain() {
+  if (process.platform !== "darwin") return null;
+  try {
+    const result = spawnSync(
+      "security",
+      ["find-generic-password", "-s", KEYCHAIN_SERVICE, "-a", KEYCHAIN_ACCOUNT, "-w"],
+      { encoding: "utf-8", timeout: KEYCHAIN_COMMAND_TIMEOUT_MS }
+    );
+    if (!result || result.error || result.status !== 0 || typeof result.stdout !== "string" || result.stdout.length === 0) {
+      if (result?.error) {
+        debug(`Keychain lookup failed: ${result.error.message}`);
+      }
+      return null;
+    }
+    const raw = result.stdout.trim();
+    if (!/^[a-fA-F0-9]{64}$/.test(raw)) {
+      return null;
+    }
+    return Buffer.from(raw, "hex");
+  } catch (err) {
+    debug(`Keychain lookup threw: ${errorMessage2(err)}`);
+    return null;
+  }
+}
+function readCredentialsKeyFromFile(dir = getArchalDir()) {
+  const keyPath = getCredentialsKeyPathForDir(dir);
+  if (!existsSync(keyPath)) {
+    return null;
+  }
+  try {
+    const raw = readFileSync(keyPath, "utf-8").trim();
+    const key = Buffer.from(raw, "hex");
+    if (key.length === 32) {
+      return key;
+    }
+  } catch (err) {
+    debug(`Failed to read credentials key file: ${errorMessage2(err)}`);
+  }
+  return null;
+}
+function collectCredentialKeysForDecrypt(dir = getArchalDir()) {
+  const keys = [];
+  for (const candidate of [
+    readCredentialsKeyFromEnv(),
+    readCredentialsKeyFromMacKeychain(),
+    readCredentialsKeyFromFile(dir)
+  ]) {
+    if (!candidate) continue;
+    if (!keys.some((entry) => entry.equals(candidate))) {
+      keys.push(candidate);
+    }
+  }
+  return keys;
+}
+function writeCredentialsKeyToMacKeychain(key) {
+  if (process.platform !== "darwin") return false;
+  try {
+    const result = spawnSync(
+      "security",
+      [
+        "add-generic-password",
+        "-U",
+        "-s",
+        KEYCHAIN_SERVICE,
+        "-a",
+        KEYCHAIN_ACCOUNT,
+        "-w",
+        key.toString("hex")
+      ],
+      { encoding: "utf-8", timeout: KEYCHAIN_COMMAND_TIMEOUT_MS }
+    );
+    if (result?.error) {
+      debug(`Keychain write failed: ${result.error.message}`);
+    }
+    return !!result && !result.error && result.status === 0;
+  } catch (err) {
+    debug(`Keychain write threw: ${errorMessage2(err)}`);
+    return false;
+  }
+}
+function getOrCreateCredentialsKey(dir = getArchalDir()) {
+  const envKey = readCredentialsKeyFromEnv();
+  if (envKey) {
+    return envKey;
+  }
+  const keychainKey = readCredentialsKeyFromMacKeychain();
+  if (keychainKey) {
+    return keychainKey;
+  }
+  const fileKey = readCredentialsKeyFromFile(dir);
+  if (fileKey) {
+    if (writeCredentialsKeyToMacKeychain(fileKey)) {
+      try {
+        unlinkSync(getCredentialsKeyPathForDir(dir));
+      } catch {
+      }
+    }
+    return fileKey;
+  }
+  const generated = randomBytes(32);
+  if (!writeCredentialsKeyToMacKeychain(generated)) {
+    ensureDir(dir);
+    writeFileSync(getCredentialsKeyPathForDir(dir), `${generated.toString("hex")}
+`, {
+      encoding: "utf-8",
+      mode: 384
+    });
+  }
+  return generated;
+}
+function encryptToken(token, dir = getArchalDir()) {
+  const key = getOrCreateCredentialsKey(dir);
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([cipher.update(token, "utf-8"), cipher.final()]);
+  return `${TOKEN_ENCRYPTION_PREFIX}:${iv.toString("hex")}:${cipher.getAuthTag().toString("hex")}:${encrypted.toString("hex")}`;
+}
+function decryptToken(ciphertext, dir = getArchalDir()) {
+  const parts = ciphertext.split(":");
+  if (parts.length !== 4 || parts[0] !== TOKEN_ENCRYPTION_PREFIX) {
+    return null;
+  }
+  const [, ivHex, tagHex, dataHex] = parts;
+  if (!ivHex || !tagHex || !dataHex) {
+    return null;
+  }
+  const iv = Buffer.from(ivHex, "hex");
+  const tag = Buffer.from(tagHex, "hex");
+  const data = Buffer.from(dataHex, "hex");
+  const keys = collectCredentialKeysForDecrypt(dir);
+  for (const key of keys) {
+    try {
+      const decipher = createDecipheriv("aes-256-gcm", key, iv);
+      decipher.setAuthTag(tag);
+      return Buffer.concat([decipher.update(data), decipher.final()]).toString("utf-8");
+    } catch {
+    }
+  }
+  debug("Token decryption failed with all available credential keys.");
+  return null;
+}
+function decodeJwtPayload(token) {
+  try {
+    const payloadPart = token.split(".")[1];
+    if (!payloadPart) return null;
+    const normalized = payloadPart.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = normalized + "=".repeat((4 - normalized.length % 4) % 4);
+    return JSON.parse(Buffer.from(padded, "base64").toString("utf-8"));
+  } catch (err) {
+    debug(`JWT payload decode failed (expected for non-JWT tokens): ${errorMessage2(err)}`);
+    return null;
+  }
+}
+function hasValidSelectedClones(value) {
+  return value === void 0 || Array.isArray(value) && value.every((twin) => typeof twin === "string");
+}
+function resolveStoredToken(parsed, dir = getArchalDir()) {
+  if (typeof parsed.token === "string") {
+    const token = parsed.token.trim();
+    return { token: token.length > 0 ? token : null, source: "legacy" };
+  }
+  if (typeof parsed.accessToken === "string") {
+    const token = parsed.accessToken.trim();
+    return { token: token.length > 0 ? token : null, source: "legacy" };
+  }
+  if (typeof parsed.tokenEncrypted === "string") {
+    const token = decryptToken(parsed.tokenEncrypted, dir)?.trim() || null;
+    return { token: token?.length ? token : null, source: "encrypted" };
+  }
+  return { token: null, source: "legacy" };
+}
+function resolveStoredRefreshToken(parsed, dir = getArchalDir()) {
+  if (typeof parsed.refreshTokenEncrypted === "string") {
+    const refreshToken = decryptToken(parsed.refreshTokenEncrypted, dir)?.trim() || null;
+    if (refreshToken !== null) {
+      return { refreshToken, source: "encrypted" };
+    }
+    if (typeof parsed.refreshToken === "string") {
+      return { refreshToken: parsed.refreshToken.trim(), source: "legacy" };
+    }
+    return { refreshToken: null, source: "encrypted" };
+  }
+  if (typeof parsed.refreshToken === "string") {
+    return { refreshToken: parsed.refreshToken.trim(), source: "legacy" };
+  }
+  return { refreshToken: "", source: "none" };
+}
+function buildStoredCredentials(parsed, path, warn, options) {
+  const dir = dirname(path);
+  const { token, source: tokenSource } = resolveStoredToken(parsed, dir);
+  const { refreshToken, source: refreshTokenSource } = resolveStoredRefreshToken(parsed, dir);
+  if (token === null || refreshToken === null || parsed.refreshToken !== void 0 && typeof parsed.refreshToken !== "string" || parsed.refreshTokenEncrypted !== void 0 && typeof parsed.refreshTokenEncrypted !== "string" || !hasValidSelectedClones(parsed.selectedCloneIds)) {
+    warn(
+      `Credentials file at ${path} has missing or invalid fields. Run \`archal login\` to re-authenticate.`
+    );
+    return null;
+  }
+  const { email, plan, expiresAt } = parsed;
+  if (typeof email !== "string" || !isPlan(plan) || typeof expiresAt !== "number") {
+    warn(
+      `Credentials file at ${path} has missing or invalid fields. Run \`archal login\` to re-authenticate.`
+    );
+    return null;
+  }
+  const creds = {
+    token,
+    refreshToken,
+    email,
+    plan,
+    selectedCloneIds: normalizeEntitledCloneIds(parsed.selectedCloneIds),
+    expiresAt
+  };
+  if (options?.migrateLegacyCredentials && (tokenSource === "legacy" || refreshTokenSource === "legacy")) {
+    try {
+      writeCredentialsAtPath(path, creds);
+    } catch (err) {
+      debug(`Credential migration failed: ${errorMessage2(err)}`);
+    }
+  }
+  return creds;
+}
+function readCredentialsFileAtPath(path, options) {
+  if (!existsSync(path)) {
+    return null;
+  }
+  try {
+    const warn = getWarn(options);
+    const parsed = JSON.parse(readFileSync(path, "utf-8"));
+    return buildStoredCredentials(parsed, path, warn, options);
+  } catch {
+    const warn = getWarn(options);
+    warn(
+      `Credentials file at ${path} exists but could not be parsed. Delete it and run \`archal login\` to re-authenticate.`
+    );
+    return null;
+  }
+}
+function readCredentialsFile(options) {
+  return readCredentialsFileAtPath(getCredentialsPath(), options);
+}
+function isWorkspaceApiKey(token) {
+  return token.startsWith("archal_ws_") || token.startsWith("archal_") && !token.includes(".");
+}
+function getStoredCredentials(options) {
+  const creds = readCredentialsFile(options);
+  if (!creds) {
+    return null;
+  }
+  if (options?.includeExpired) {
+    return creds;
+  }
+  return isExpired(creds.expiresAt) ? null : creds;
+}
+function getRealHomeStoredCredentials(options) {
+  const creds = readCredentialsFileAtPath(getCredentialsPathForDir(getRealArchalDir()), options);
+  if (!creds) {
+    return null;
+  }
+  if (options?.includeExpired) {
+    return creds;
+  }
+  return isExpired(creds.expiresAt) ? null : creds;
+}
+function seedTestSandboxCredentialsFromRealHome() {
+  if (!isRunningUnderTests() || process.env["ARCHAL_HOME"]) {
+    return;
+  }
+  seedSandboxFromRealHomeOnce(getTestSandboxDir());
+}
+function writeCredentialsAtPath(path, creds) {
+  const dir = dirname(path);
+  ensureDir(dir);
+  const payload = {
+    email: creds.email,
+    plan: creds.plan,
+    selectedCloneIds: normalizeEntitledCloneIds(creds.selectedCloneIds),
+    expiresAt: creds.expiresAt,
+    tokenEncrypted: encryptToken(creds.token.trim(), dir),
+    refreshTokenEncrypted: creds.refreshToken.trim().length > 0 ? encryptToken(creds.refreshToken.trim(), dir) : void 0
+  };
+  const tmpPath = `${path}.${randomBytes(4).toString("hex")}.tmp`;
+  writeFileSync(tmpPath, `${JSON.stringify(payload, null, 2)}
+`, {
+    encoding: "utf-8",
+    mode: 384
+  });
+  renameSync(tmpPath, path);
+}
+function saveCredentials(creds) {
+  writeCredentialsAtPath(getCredentialsPath(), creds);
+}
+
+// ../node-auth/src/loopback.ts
+import { isIP } from "net";
+function normalizeHostname(hostname) {
+  const trimmed = hostname.trim().toLowerCase();
+  if (trimmed.startsWith("[") && trimmed.endsWith("]")) {
+    return trimmed.slice(1, -1);
+  }
+  return trimmed;
+}
+function isLoopbackHostname(hostname) {
+  const normalized = normalizeHostname(hostname);
+  if (normalized === "localhost" || normalized === "::1") {
+    return true;
+  }
+  if (isIP(normalized) === 4) {
+    return normalized.startsWith("127.");
+  }
+  return false;
+}
+function isLoopbackHttpUrl(rawUrl) {
+  try {
+    const parsed = new URL(rawUrl);
+    return parsed.protocol === "http:" && isLoopbackHostname(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+
+// ../node-auth/src/url-resolver.ts
+function getWarn2(options) {
+  return options?.warn ?? console.warn;
+}
+function stripUrlCredentials(url) {
+  try {
+    const parsed = new URL(url);
+    parsed.username = "";
+    parsed.password = "";
+    return parsed.toString();
+  } catch {
+    const atIndex = url.indexOf("@");
+    return atIndex >= 0 ? url.slice(atIndex + 1) : url;
+  }
+}
+function normalizeAuthUrl(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const trimmed = value.trim().replace(/\/+$/, "");
+  if (trimmed.length === 0) {
+    return null;
+  }
+  const normalized = trimmed.endsWith("/api") ? trimmed.slice(0, -4) : trimmed;
+  if (normalized.length === 0) {
+    return null;
+  }
+  const parsed = new URL(normalized);
+  if (parsed.protocol === "https:") {
+    return normalized;
+  }
+  const isLocalHttp = isLoopbackHttpUrl(normalized);
+  if (!isLocalHttp) {
+    throw new Error(
+      `Auth URL must use HTTPS (got ${stripUrlCredentials(normalized)}). HTTP is only allowed for loopback hosts.`
+    );
+  }
+  return normalized;
+}
+function parseBooleanEnvFlag(value) {
+  if (typeof value !== "string") {
+    return false;
+  }
+  switch (value.trim().toLowerCase()) {
+    case "1":
+    case "true":
+    case "yes":
+    case "on":
+      return true;
+    default:
+      return false;
+  }
+}
+function isStrictEndpointModeEnabled() {
+  return parseBooleanEnvFlag(process.env[STRICT_ENDPOINTS_ENV_VAR]);
+}
+function readConfiguredUrl(options, ...envKeys) {
+  for (const key of envKeys) {
+    try {
+      const value = normalizeAuthUrl(process.env[key]);
+      if (value) {
+        return value;
+      }
+    } catch (err) {
+      getWarn2(options)(
+        `Ignoring invalid ${key}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  return null;
+}
+function getConfiguredAuthBaseUrl(options) {
+  const explicit = readConfiguredUrl(options, "ARCHAL_AUTH_URL", "ARCHAL_AUTH_BASE_URL");
+  if (explicit) {
+    return explicit;
+  }
+  return isStrictEndpointModeEnabled() ? null : HOSTED_DEFAULT_AUTH_BASE_URL;
+}
+
+// ../node-auth/src/request-metadata.ts
+function buildAuthRequestHeaders(metadata, includeContentType = false) {
+  const headers = {};
+  if (includeContentType) {
+    headers["content-type"] = "application/json";
+  }
+  if (metadata?.userAgent) {
+    headers["user-agent"] = metadata.userAgent;
+  }
+  if (metadata?.cliVersion) {
+    headers["x-archal-cli-version"] = metadata.cliVersion;
+  }
+  return headers;
+}
+
+// ../node-auth/src/entitlements.ts
+function getAuthBaseUrl(metadata) {
+  const configured = metadata?.authBaseUrl?.trim();
+  if (configured) {
+    return configured.replace(/\/+$/, "");
+  }
+  return getConfiguredAuthBaseUrl();
+}
+async function readFailureDetail(response) {
+  const contentType = response.headers.get("content-type")?.toLowerCase() ?? "";
+  if (!contentType.includes("application/json")) {
+    return null;
+  }
+  try {
+    const payload = await response.json();
+    const error = typeof payload.error === "string" ? payload.error.trim() : "";
+    const message = typeof payload.message === "string" ? payload.message.trim() : "";
+    if (error && message) return `${error}: ${message}`;
+    if (message) return message;
+    if (error) return error;
+  } catch {
+    return null;
+  }
+  return null;
+}
+async function validateTokenWithServer(creds, metadata) {
+  const authBaseUrl = getAuthBaseUrl(metadata);
+  if (!authBaseUrl) {
+    return {
+      ok: false,
+      code: "no_auth_url",
+      status: null,
+      reason: "no auth URL configured"
+    };
+  }
+  try {
+    const response = await fetch(`${authBaseUrl}/auth/me`, {
+      method: "GET",
+      headers: {
+        authorization: `Bearer ${creds.token}`,
+        ...buildAuthRequestHeaders(metadata, false)
+      },
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+    });
+    if (!response.ok) {
+      const detail = await readFailureDetail(response);
+      return {
+        ok: false,
+        code: response.status === 401 ? "auth_rejected" : "http_error",
+        status: response.status,
+        reason: detail ? `HTTP ${response.status} ${detail}` : `HTTP ${response.status}`
+      };
+    }
+    let data;
+    try {
+      data = await response.json();
+    } catch {
+      return {
+        ok: false,
+        code: "invalid_payload",
+        status: null,
+        reason: "invalid response payload"
+      };
+    }
+    if (typeof data.email !== "string" || !isPlan(data.plan)) {
+      return {
+        ok: false,
+        code: "invalid_payload",
+        status: null,
+        reason: "invalid response payload"
+      };
+    }
+    const selectedCloneIds = Array.isArray(data.selectedCloneIds) ? normalizeEntitledCloneIds(data.selectedCloneIds) : normalizeEntitledCloneIds(creds.selectedCloneIds);
+    const updated = {
+      ...creds,
+      email: data.email,
+      plan: data.plan,
+      selectedCloneIds
+    };
+    if ((updated.email !== creds.email || updated.plan !== creds.plan || JSON.stringify(updated.selectedCloneIds) !== JSON.stringify(creds.selectedCloneIds)) && !process.env[AUTH_TOKEN_ENV_VAR]) {
+      saveCredentials(updated);
+    }
+    return { ok: true, credentials: updated };
+  } catch (error) {
+    return {
+      ok: false,
+      code: "network_error",
+      status: null,
+      reason: errorMessage2(error)
+    };
+  }
+}
+async function validateAuthWithServerResult(creds, metadata) {
+  const result = await validateTokenWithServer(creds, metadata);
+  if (result.ok) {
+    return {
+      credentials: result.credentials,
+      validation: result
+    };
+  }
+  return {
+    credentials: creds,
+    validation: result
+  };
+}
+
+// ../node-auth/src/secure-token.ts
+import { createHash as createHash2, timingSafeEqual } from "crypto";
+
+// ../runtime/src/auth-lease.ts
+var STORED_CREDENTIALS_LOCK_TIMEOUT_MS = 3e4;
+var STORED_CREDENTIALS_STALE_LOCK_MS = STORED_CREDENTIALS_LOCK_TIMEOUT_MS;
+var STORED_CREDENTIALS_LOCK_POLL_INTERVAL_MS = 50;
+var DEFAULT_AUTH_BASE_URL = "https://www.archal.ai";
+var WORKSPACE_API_KEY_EXPIRES_SECONDS = 365 * 24 * 60 * 60;
+function readFirstConfiguredBaseUrl(envVars) {
+  for (const envVar of envVars) {
+    const configured = trimEnv(envVar);
+    if (!configured) {
+      continue;
+    }
+    const normalized = normalizeApiBaseUrl(configured);
+    if (normalized) {
+      return normalized;
+    }
+  }
+  return null;
+}
+function resolveHostedAuthBaseUrl(options) {
+  const authUrlEnvVar = options.authUrlEnvVar ?? "ARCHAL_AUTH_URL";
+  const apiUrlEnvVar = options.apiUrlEnvVar ?? "ARCHAL_API_URL";
+  const envVars = [.../* @__PURE__ */ new Set([
+    apiUrlEnvVar,
+    authUrlEnvVar,
+    "ARCHAL_AUTH_URL",
+    "ARCHAL_AUTH_BASE_URL",
+    "ARCHAL_API_URL",
+    "ARCHAL_API_BASE_URL"
+  ])];
+  return readFirstConfiguredBaseUrl(envVars) ?? DEFAULT_AUTH_BASE_URL;
+}
+function isImplicitTestSandboxFlow() {
+  if (trimEnv("ARCHAL_HOME")) {
+    return false;
+  }
+  return process.env["VITEST"] === "true" || process.env["VITEST_WORKER_ID"] !== void 0 || process.env["JEST_WORKER_ID"] !== void 0 || process.env["NODE_TEST_CONTEXT"] !== void 0;
+}
+function preferNewerCredentials(primary, candidate) {
+  if (!primary) return candidate;
+  if (!candidate) return primary;
+  return candidate.expiresAt > primary.expiresAt ? candidate : primary;
+}
+function readExplicitEnvCredentials(envName) {
+  const token = trimEnv(envName);
+  if (!token) {
+    return { kind: "missing" };
+  }
+  const claims = decodeJwtPayload(token);
+  const nowSeconds = Math.floor(Date.now() / 1e3);
+  if (claims === null) {
+    if (isWorkspaceApiKey(token)) {
+      return {
+        kind: "valid",
+        credentials: {
+          token,
+          refreshToken: "",
+          email: "(workspace-api-key)",
+          plan: "pro",
+          selectedCloneIds: [],
+          expiresAt: nowSeconds + WORKSPACE_API_KEY_EXPIRES_SECONDS
+        }
+      };
+    }
+    return {
+      kind: "invalid",
+      message: `${envName} must be a JWT with valid plan and exp claims or a workspace API key (archal_ws_...).`
+    };
+  }
+  const email = typeof claims["email"] === "string" ? claims["email"] : `(from ${envName})`;
+  if (!isPlan(claims["plan"])) {
+    return {
+      kind: "invalid",
+      message: `${envName} JWT does not contain a valid plan claim.`
+    };
+  }
+  const plan = claims["plan"];
+  if (typeof claims["exp"] !== "number" || !Number.isFinite(claims["exp"])) {
+    return {
+      kind: "invalid",
+      message: `${envName} JWT does not contain a valid exp claim.`
+    };
+  }
+  const expiresAt = claims["exp"];
+  if (expiresAt <= nowSeconds) {
+    return {
+      kind: "invalid",
+      message: `${envName} is expired. Remove it or replace it with a valid token.`
+    };
+  }
+  return {
+    kind: "valid",
+    credentials: {
+      token,
+      refreshToken: "",
+      email,
+      plan,
+      selectedCloneIds: [],
+      expiresAt
+    }
+  };
+}
+function readStoredCredentials(includeExpired = false) {
+  prepareStoredCredentialSources();
+  const sandboxCredentials = getStoredCredentials({ includeExpired });
+  if (!isImplicitTestSandboxFlow()) {
+    return sandboxCredentials;
+  }
+  const realHomeCredentials = getRealHomeStoredCredentials({ includeExpired });
+  return preferNewerCredentials(sandboxCredentials, realHomeCredentials);
+}
+function resolveCredentialsWithSource(tokenEnvVar, includeExpiredStored = false) {
+  const explicitCredentials = readExplicitEnvCredentials(tokenEnvVar);
+  if (explicitCredentials.kind === "invalid") {
+    throw new Error(explicitCredentials.message);
+  }
+  if (explicitCredentials.kind === "valid") {
+    return { credentials: explicitCredentials.credentials, source: "explicit_token" };
+  }
+  const archalCredentials = readExplicitEnvCredentials("ARCHAL_TOKEN");
+  if (archalCredentials.kind === "invalid") {
+    throw new Error(archalCredentials.message);
+  }
+  if (archalCredentials.kind === "valid") {
+    return { credentials: archalCredentials.credentials, source: "archal_token" };
+  }
+  const storedCredentials = readStoredCredentials(includeExpiredStored);
+  if (!storedCredentials) {
+    return null;
+  }
+  return { credentials: storedCredentials, source: "stored" };
+}
+function resolveHostedCredentials(tokenEnvVar = "ARCHAL_TOKEN") {
+  return resolveCredentialsWithSource(tokenEnvVar)?.credentials ?? null;
+}
+function getCredentials2(tokenEnvVar = "ARCHAL_TOKEN") {
+  const credentials = resolveHostedCredentials(tokenEnvVar);
+  if (!credentials) {
+    return null;
+  }
+  return credentials.expiresAt > Math.floor(Date.now() / 1e3) ? credentials : null;
+}
+function prepareStoredCredentialSources() {
+  if (isImplicitTestSandboxFlow()) {
+    seedTestSandboxCredentialsFromRealHome();
+  }
+}
+function credentialsMatch(left, right) {
+  return left.token === right.token && left.refreshToken === right.refreshToken && left.expiresAt === right.expiresAt;
+}
+function adoptLatestStoredCredentials(credentials) {
+  const latest = readStoredCredentials(true);
+  if (!latest) {
+    return credentials;
+  }
+  return credentialsMatch(latest, credentials) ? credentials : latest;
+}
+async function withStoredCredentialsLock(action) {
+  const archalDir = getArchalDir();
+  const lockDirectory = join2(archalDir, "archal-auth-validation.lock");
+  const deadline = Date.now() + STORED_CREDENTIALS_LOCK_TIMEOUT_MS;
+  await fs2.mkdir(archalDir, { recursive: true });
+  while (true) {
+    try {
+      await fs2.mkdir(lockDirectory);
+      break;
+    } catch (error) {
+      const code = error instanceof Error && "code" in error ? String(error.code) : "";
+      if (code !== "EEXIST") {
+        throw error;
+      }
+      const stale = await fs2.stat(lockDirectory).then((stats) => Date.now() - stats.mtimeMs >= STORED_CREDENTIALS_STALE_LOCK_MS).catch(() => false);
+      if (stale) {
+        await fs2.rm(lockDirectory, { recursive: true, force: true });
+        continue;
+      }
+      if (Date.now() >= deadline) {
+        throw new Error(`Timed out waiting for stored Archal credential lock in ${archalDir}.`);
+      }
+      await sleep(STORED_CREDENTIALS_LOCK_POLL_INTERVAL_MS);
+    }
+  }
+  const keepalive = setInterval(() => {
+    void fs2.utimes(lockDirectory, /* @__PURE__ */ new Date(), /* @__PURE__ */ new Date()).catch(() => void 0);
+  }, 1e3);
+  keepalive.unref();
+  try {
+    return await action();
+  } finally {
+    clearInterval(keepalive);
+    await fs2.rm(lockDirectory, { recursive: true, force: true });
+  }
+}
+async function resolveCurrentCredentials(credentials, source, forceValidation, authBaseUrl) {
+  if (source !== "stored") {
+    return credentials;
+  }
+  let candidate = adoptLatestStoredCredentials(credentials);
+  if (!forceValidation) {
+    return candidate;
+  }
+  return await withStoredCredentialsLock(async () => {
+    candidate = adoptLatestStoredCredentials(candidate);
+    const validation = await validateAuthWithServerResult(candidate, { authBaseUrl });
+    if (validation.validation.ok) {
+      return validation.credentials;
+    }
+    if (validation.validation.code === "auth_rejected") {
+      const reloaded = adoptLatestStoredCredentials(candidate);
+      if (!credentialsMatch(reloaded, candidate)) {
+        const reloadedValidation = await validateAuthWithServerResult(reloaded, {
+          authBaseUrl
+        });
+        if (reloadedValidation.validation.ok) {
+          return reloadedValidation.credentials;
+        }
+        candidate = reloadedValidation.credentials;
+      }
+    }
+    if (validation.validation.code === "auth_rejected") {
+      throw new Error(`Authentication failed. ${validation.validation.reason}`);
+    }
+    return candidate;
+  });
+}
+async function createHostedAuthLease(options = {}) {
+  const tokenEnvVar = options.tokenEnvVar ?? "ARCHAL_TOKEN";
+  const authBaseUrl = resolveHostedAuthBaseUrl(options);
+  const resolved = resolveCredentialsWithSource(tokenEnvVar, true);
+  if (!resolved) {
+    const tokenSources = Array.from(/* @__PURE__ */ new Set([tokenEnvVar, "ARCHAL_TOKEN"])).join(", ");
+    throw new Error(
+      `Hosted routing requires ${tokenSources} or stored credentials from \`archal login\`.`
+    );
+  }
+  let current = resolved.credentials;
+  let stopped = false;
+  let refreshInFlight;
+  let refreshInFlightValidates = false;
+  let validated = resolved.source !== "stored";
+  const refreshNow = async (forceValidation = false) => {
+    if (stopped) {
+      return current;
+    }
+    if (refreshInFlight) {
+      const inFlight = refreshInFlight;
+      const inFlightValidates = refreshInFlightValidates;
+      const next = await inFlight;
+      if (!forceValidation || inFlightValidates) {
+        return next;
+      }
+    }
+    const shouldValidate = forceValidation || !validated;
+    refreshInFlightValidates = shouldValidate;
+    refreshInFlight = (async () => {
+      current = await resolveCurrentCredentials(
+        current,
+        resolved.source,
+        shouldValidate,
+        authBaseUrl
+      );
+      if (shouldValidate) {
+        validated = true;
+      }
+      return current;
+    })().finally(() => {
+      refreshInFlight = void 0;
+      refreshInFlightValidates = false;
+    });
+    return await refreshInFlight;
+  };
+  current = await refreshNow(true);
+  return {
+    getCredentials: () => stopped ? null : current,
+    getAuthorizationHeader: () => stopped ? null : `Bearer ${current.token}`,
+    ensureFresh: refreshNow,
+    stop: () => {
+      stopped = true;
+    }
+  };
+}
+
+// ../runtime/src/session-reaper.ts
+import { promises as fs3 } from "fs";
+
+// ../runtime/src/process-liveness.ts
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (error) {
+    return error instanceof Error && "code" in error && error.code === "EPERM";
+  }
+}
+
+// ../runtime/src/session-reaper.ts
+var REQUEST_TIMEOUT_MS2 = 8e3;
+var LOCK_TIMEOUT_MS = 3e4;
+var STALE_LOCK_MS = LOCK_TIMEOUT_MS;
+var POLL_INTERVAL_MS = 250;
+async function withLock(lockDirectory, action) {
+  const deadline = Date.now() + LOCK_TIMEOUT_MS;
+  while (true) {
+    try {
+      await fs3.mkdir(lockDirectory);
+      break;
+    } catch (error) {
+      const code = error instanceof Error && "code" in error ? String(error.code) : "";
+      if (code !== "EEXIST") {
+        throw error;
+      }
+      const stale = await fs3.stat(lockDirectory).then((stats) => Date.now() - stats.mtimeMs >= STALE_LOCK_MS).catch(() => false);
+      if (stale) {
+        await fs3.rm(lockDirectory, { recursive: true, force: true });
+        continue;
+      }
+      if (Date.now() >= deadline) {
+        throw new Error(`Timed out waiting for hosted-session reaper lock at ${lockDirectory}.`);
+      }
+      await sleep(POLL_INTERVAL_MS);
+    }
+  }
+  try {
+    const keepalive = setInterval(() => {
+      void fs3.utimes(lockDirectory, /* @__PURE__ */ new Date(), /* @__PURE__ */ new Date()).catch(() => void 0);
+    }, 1e3);
+    keepalive.unref();
+    try {
+      await action();
+    } finally {
+      clearInterval(keepalive);
+    }
+  } finally {
+    await fs3.rm(lockDirectory, { recursive: true, force: true });
+  }
+}
+async function stopHostedSession(apiBaseUrl, auth, sessionId, fetchFn = fetch) {
+  const response = await requestHostedSession(auth, fetchFn, `${apiBaseUrl}/api/sessions/${encodeURIComponent(sessionId)}`, {
+    method: "DELETE"
+  });
+  if (!response.ok && response.status !== 404) {
+    const detail = await response.text().catch(() => "");
+    throw new Error(
+      `Hosted-session reaper failed to stop ${sessionId} (HTTP ${response.status}${detail ? `: ${detail}` : ""}).`
+    );
+  }
+}
+async function renewHostedSession(apiBaseUrl, auth, sessionId, fetchFn = fetch) {
+  const response = await requestHostedSession(
+    auth,
+    fetchFn,
+    `${apiBaseUrl}/api/sessions/${encodeURIComponent(sessionId)}/renew`,
+    {
+      method: "POST",
+      body: JSON.stringify({})
+    }
+  );
+  if (response.ok) {
+    return "renewed";
+  }
+  if (response.status === 404 || response.status === 409 || response.status === 410) {
+    return "missing";
+  }
+  if (isTerminalHostedAuthFailure(response.status)) {
+    return "terminal_auth_failure";
+  }
+  const detail = await response.text().catch(() => "");
+  throw new Error(
+    `Hosted-session reaper failed to renew ${sessionId} (HTTP ${response.status}${detail ? `: ${detail}` : ""}).`
+  );
+}
+async function requestHostedSession(auth, fetchFn, url, init) {
+  const sendRequest = async (forceValidation = false) => {
+    await auth.ensureFresh(forceValidation);
+    const authorization = auth.getAuthorizationHeader();
+    if (!authorization) {
+      throw new Error("Hosted-session reaper auth is unavailable.");
+    }
+    return await fetchFn(url, {
+      method: init.method,
+      headers: {
+        authorization,
+        "content-type": "application/json"
+      },
+      body: init.body,
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS2)
+    });
+  };
+  let response = await sendRequest();
+  const responseErrorCode = response.ok ? null : parseHostedAuthErrorCode(await response.clone().text().catch(() => ""));
+  if (shouldValidateHostedAuth(response.status, responseErrorCode)) {
+    response = await sendRequest(true);
+  }
+  return response;
+}
+async function removeCoordinatorState(coordinatorDirectory, statePath, pidPath) {
+  await fs3.rm(statePath, { force: true }).catch(() => void 0);
+  await fs3.rm(pidPath, { force: true }).catch(() => void 0);
+  await fs3.rmdir(coordinatorDirectory).catch(() => void 0);
+}
+async function runHostedSessionReaper({
+  apiBaseUrl,
+  auth,
+  sessionId,
+  runnerPid,
+  renewIntervalMs,
+  coordinatorDirectory,
+  lockDirectory,
+  statePath,
+  pidPath,
+  fetchFn = fetch,
+  isRunnerAlive = isProcessAlive,
+  sleepFn = sleep
+}) {
+  let nextRenewAt = Date.now() + renewIntervalMs;
+  while (isRunnerAlive(runnerPid)) {
+    if (Date.now() >= nextRenewAt) {
+      const stateExists = await fs3.access(statePath).then(() => true).catch(() => false);
+      if (!stateExists) {
+        await fs3.rm(pidPath, { force: true }).catch(() => void 0);
+        await fs3.rmdir(coordinatorDirectory).catch(() => void 0);
+        return;
+      }
+      try {
+        const renewResult = await renewHostedSession(apiBaseUrl, auth, sessionId, fetchFn);
+        if (renewResult === "missing" || renewResult === "terminal_auth_failure") {
+          await stopHostedSession(apiBaseUrl, auth, sessionId, fetchFn).catch(() => void 0);
+          await removeCoordinatorState(coordinatorDirectory, statePath, pidPath);
+          return;
+        }
+      } catch {
+      }
+      nextRenewAt = Date.now() + renewIntervalMs;
+    }
+    await sleepFn(POLL_INTERVAL_MS);
+  }
+  await withLock(lockDirectory, async () => {
+    const stateExists = await fs3.access(statePath).then(() => true).catch(() => false);
+    if (!stateExists) {
+      return;
+    }
+    await stopHostedSession(apiBaseUrl, auth, sessionId, fetchFn);
+    await fs3.rm(statePath, { force: true });
+  });
+  await fs3.rm(pidPath, { force: true }).catch(() => void 0);
+  await fs3.rmdir(coordinatorDirectory).catch(() => void 0);
+}
+
+// ../runtime/src/types.ts
+import { Buffer as Buffer2 } from "buffer";
+function redactSessionSnapshot(session) {
+  return {
+    sessionId: session.sessionId,
+    services: session.services.map((service) => ({
+      name: service.name,
+      mode: service.mode,
+      baseUrl: service.baseUrl
+    })),
+    resolvedRuntime: session.resolvedRuntime
+  };
+}
+function encodeConfig(config) {
+  return Buffer2.from(JSON.stringify(config), "utf8").toString("base64");
+}
+function decodeConfig(encoded) {
+  return JSON.parse(Buffer2.from(encoded, "base64").toString("utf8"));
+}
+
+// ../runtime/src/seed-loader.ts
+import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, rmSync, writeFileSync as writeFileSync2 } from "fs";
+import { dirname as dirname2 } from "path";
+
+// ../runtime/src/temp-artifacts.ts
+import { join as join3 } from "path";
+import { tmpdir as tmpdir2 } from "os";
+function normalizeSessionKey(sessionKey) {
+  const value = sessionKey?.trim() || "default";
+  return value.replace(/[^A-Za-z0-9._-]+/g, "_");
+}
+function getSessionIdFilePath(sessionKey) {
+  return join3(tmpdir2(), "archal-runtime", "sessions", `${normalizeSessionKey(sessionKey)}.session-id`);
+}
+function getSeedLoadingMarkerPath(sessionKey) {
+  return join3(tmpdir2(), "archal-runtime-seed-markers", `${normalizeSessionKey(sessionKey)}.loading`);
+}
+function getSeedLoadedMarkerPath(sessionKey) {
+  return join3(tmpdir2(), "archal-runtime-seed-markers", `${normalizeSessionKey(sessionKey)}.seeded`);
+}
+
+// ../runtime/src/seed-loader.ts
+var SeedLoadError = class extends Error {
+  constructor(message, status) {
+    super(message);
+    this.status = status;
+  }
+  status;
+  get transient() {
+    return this.status === 0 || isTransientSeedLoadStatus(this.status);
+  }
+};
+async function loadFileSeedsIntoClones(config, fetchClone2, options = {}) {
+  const contents = config.fileSeedContents;
+  const formats = config.fileSeedFormats;
+  if (!contents || !formats) return;
+  const services = Object.keys(contents);
+  if (services.length === 0) return;
+  const sessionKey = config.sessionKey;
+  const loadingMarkerPath = getSeedLoadingMarkerPath(sessionKey);
+  const loadedMarkerPath = getSeedLoadedMarkerPath(sessionKey);
+  const markerDir = dirname2(loadedMarkerPath);
+  const forceReload = options.forceReload === true;
+  mkdirSync2(markerDir, { recursive: true, mode: 448 });
+  if (forceReload) {
+    rmSync(loadedMarkerPath, { force: true });
+  }
+  while (true) {
+    if (existsSync2(loadedMarkerPath)) {
+      return;
+    }
+    try {
+      writeFileSync2(loadingMarkerPath, String(process.pid), { flag: "wx" });
+      break;
+    } catch {
+      await waitForSeedLoad(loadingMarkerPath, loadedMarkerPath, options);
+    }
+  }
+  try {
+    const parsedJsonSeeds = {};
+    for (const serviceName of services) {
+      const content = contents[serviceName] ?? "";
+      const format = formats[serviceName] ?? "json";
+      if (format !== "json") continue;
+      try {
+        parsedJsonSeeds[serviceName] = JSON.stringify(JSON.parse(content));
+      } catch (parseErr) {
+        const msg = parseErr instanceof Error ? parseErr.message : String(parseErr);
+        throw new Error(`Invalid JSON in seed file for ${serviceName}: ${msg}`);
+      }
+    }
+    const snapshots = await snapshotSeedTargets(services, fetchClone2);
+    const committed = [];
+    try {
+      for (const serviceName of services) {
+        const content = contents[serviceName] ?? "";
+        const format = formats[serviceName] ?? "json";
+        if (format === "json") {
+          process.stderr.write(`Seed: loading ${serviceName} state from JSON file
+`);
+          await loadSeedStateWithRetry(
+            serviceName,
+            fetchClone2,
+            snapshots,
+            parsedJsonSeeds[serviceName] ?? "{}",
+            "application/json"
+          );
+          committed.push(serviceName);
+          continue;
+        }
+        if (format === "sql") {
+          process.stderr.write(`Seed: loading ${serviceName} state from SQL file
+`);
+          await loadSeedStateWithRetry(serviceName, fetchClone2, snapshots, content, "text/sql");
+          committed.push(serviceName);
+          continue;
+        }
+        throw new Error(`Unsupported seed file format for ${serviceName}: ${format}`);
+      }
+    } catch (error) {
+      const seedError = error instanceof Error ? error : new Error(String(error));
+      try {
+        await restoreSeedTargets(committed, snapshots, fetchClone2);
+      } catch (rollbackError) {
+        const rollbackMessage = rollbackError instanceof Error ? rollbackError.message : String(rollbackError);
+        throw new Error(
+          `${seedError.message}
+Rollback failed after partial seed load: ${rollbackMessage}`
+        );
+      }
+      throw seedError;
+    }
+    writeFileSync2(loadedMarkerPath, String(process.pid), { flag: "w" });
+  } finally {
+    rmSync(loadingMarkerPath, { force: true });
+  }
+}
+async function loadSeedStateWithRetry(serviceName, fetchClone2, snapshots, body, contentType, options = {}) {
+  const maxAttempts = positiveIntegerFromEnv("ARCHAL_SEED_LOAD_MAX_ATTEMPTS", 8);
+  const baseDelayMs = positiveIntegerFromEnv("ARCHAL_SEED_LOAD_RETRY_BASE_DELAY_MS", 1e3);
+  const deadlineAt = Date.now() + positiveIntegerFromEnv("ARCHAL_SEED_LOAD_TIMEOUT_MS", 12e4);
+  let lastError = null;
+  for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
+    try {
+      await loadSeedState(serviceName, fetchClone2, body, contentType);
+      return;
+    } catch (error) {
+      const seedError = error instanceof Error ? error : new Error(String(error));
+      lastError = seedError;
+      if (!(seedError instanceof SeedLoadError)) {
+        throw seedError;
+      }
+      if (options.restoreOnFailure !== false && shouldRestoreFailedSeedLoad(seedError.status)) {
+        await restoreSeedTargets([serviceName], snapshots, fetchClone2);
+      }
+      if (!seedError.transient || attempt === maxAttempts || Date.now() >= deadlineAt) {
+        throw seedError;
+      }
+      await waitForSeedLoadRetry(baseDelayMs, attempt, deadlineAt);
+    }
+  }
+  throw lastError ?? new Error(`Failed to load seed into ${serviceName} service.`);
+}
+async function snapshotSeedTargets(services, fetchClone2) {
+  const snapshots = /* @__PURE__ */ new Map();
+  await Promise.all(
+    services.map(async (serviceName) => {
+      snapshots.set(serviceName, await fetchSeedStateSnapshot(serviceName, fetchClone2));
+    })
+  );
+  return snapshots;
+}
+async function fetchSeedStateSnapshot(serviceName, fetchClone2) {
+  const maxAttempts = positiveIntegerFromEnv("ARCHAL_SEED_LOAD_MAX_ATTEMPTS", 8);
+  const baseDelayMs = positiveIntegerFromEnv("ARCHAL_SEED_LOAD_RETRY_BASE_DELAY_MS", 1e3);
+  const totalTimeoutMs = positiveIntegerFromEnv("ARCHAL_SEED_LOAD_TIMEOUT_MS", 12e4);
+  const requestTimeoutMs = positiveIntegerFromEnv("ARCHAL_SEED_LOAD_REQUEST_TIMEOUT_MS", 3e4);
+  const deadlineAt = Date.now() + totalTimeoutMs;
+  let lastStatus = 0;
+  let lastDetail = "";
+  for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
+    const remainingMs = deadlineAt - Date.now();
+    if (remainingMs <= 0) {
+      lastDetail = `state snapshot exceeded ${totalTimeoutMs}ms total timeout`;
+      break;
+    }
+    const controller = new AbortController();
+    const requestTimer = setTimeout(
+      () => controller.abort(),
+      Math.min(requestTimeoutMs, remainingMs)
+    );
+    let res;
+    try {
+      res = await fetchClone2(serviceName, "/state", {
+        method: "GET",
+        headers: { accept: "application/json" },
+        signal: controller.signal
+      });
+    } catch (err) {
+      lastStatus = 0;
+      lastDetail = controller.signal.aborted ? `state snapshot request exceeded ${Math.min(requestTimeoutMs, remainingMs)}ms request timeout` : err instanceof Error ? err.message : String(err);
+      if (attempt === maxAttempts || Date.now() >= deadlineAt) break;
+      await waitForSeedLoadRetry(baseDelayMs, attempt, deadlineAt);
+      continue;
+    } finally {
+      clearTimeout(requestTimer);
+    }
+    if (res.ok) return res.text();
+    lastStatus = res.status;
+    lastDetail = await res.text().catch(() => "");
+    if (!isTransientSeedLoadStatus(res.status) || attempt === maxAttempts) break;
+    await waitForSeedLoadRetry(baseDelayMs, attempt, deadlineAt);
+  }
+  throw new Error(
+    `Failed to snapshot ${serviceName} before loading seed (${lastStatus}).${lastDetail ? ` ${lastDetail.slice(0, 200)}` : ""}`
+  );
+}
+async function restoreSeedTargets(services, snapshots, fetchClone2) {
+  const failures = [];
+  for (const serviceName of services) {
+    const snapshot = snapshots.get(serviceName);
+    if (snapshot === void 0) {
+      failures.push(`${serviceName}: missing snapshot`);
+      continue;
+    }
+    try {
+      await loadSeedStateWithRetry(
+        serviceName,
+        fetchClone2,
+        /* @__PURE__ */ new Map(),
+        snapshot,
+        "application/json",
+        {
+          restoreOnFailure: false
+        }
+      );
+    } catch (error) {
+      failures.push(`${serviceName}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  if (failures.length > 0) {
+    throw new Error(`Seed load failed and rollback also failed: ${failures.join("; ")}`);
+  }
+}
+async function waitForSeedLoad(loadingMarkerPath, loadedMarkerPath, options = {}) {
+  const envVar = options.timeoutEnvVar ?? "ARCHAL_SEED_LOAD_TIMEOUT_MS";
+  const timeoutMs = Number(process.env[envVar]) || 12e4;
+  const timeoutAt = Date.now() + timeoutMs;
+  while (Date.now() < timeoutAt) {
+    if (existsSync2(loadedMarkerPath) || !existsSync2(loadingMarkerPath)) {
+      return;
+    }
+    if (isStaleSeedLoadingMarker(loadingMarkerPath)) {
+      rmSync(loadingMarkerPath, { force: true });
+      return;
+    }
+    await new Promise((resolve) => setTimeout(resolve, 25));
+  }
+  throw new Error("Timed out waiting for another worker to finish loading seed files.");
+}
+function isStaleSeedLoadingMarker(loadingMarkerPath) {
+  let rawPid = "";
+  try {
+    rawPid = readFileSync2(loadingMarkerPath, "utf8").trim();
+  } catch {
+    return false;
+  }
+  const pid = Number(rawPid);
+  if (!Number.isInteger(pid) || pid <= 0) {
+    return true;
+  }
+  if (pid === process.pid) {
+    return false;
+  }
+  try {
+    process.kill(pid, 0);
+    return false;
+  } catch (error) {
+    const code = error && typeof error === "object" && "code" in error ? String(error.code) : "";
+    return code === "ESRCH";
+  }
+}
+async function loadSeedState(serviceName, fetchClone2, body, contentType) {
+  const requestTimeoutMs = positiveIntegerFromEnv("ARCHAL_SEED_LOAD_REQUEST_TIMEOUT_MS", 3e4);
+  let lastStatus = 0;
+  let lastDetail = "";
+  let lastServerDetail = "";
+  const controller = new AbortController();
+  const requestTimer = setTimeout(() => controller.abort(), requestTimeoutMs);
+  let res;
+  try {
+    res = await fetchClone2(serviceName, "/state", {
+      method: "PUT",
+      body,
+      headers: { "content-type": contentType },
+      signal: controller.signal
+    });
+  } catch (err) {
+    lastStatus = 0;
+    lastDetail = controller.signal.aborted ? `state load request exceeded ${requestTimeoutMs}ms request timeout` : err instanceof Error ? err.message : String(err);
+    throw new SeedLoadError(
+      formatSeedLoadFailure(serviceName, lastStatus, {
+        detail: lastDetail,
+        lastServerDetail
+      }),
+      lastStatus
+    );
+  } finally {
+    clearTimeout(requestTimer);
+  }
+  if (res.ok) {
+    process.stderr.write(`Seed: ${serviceName} state loaded
+`);
+    return;
+  }
+  lastStatus = res.status;
+  lastDetail = await res.text().catch(() => "");
+  if (lastDetail) {
+    lastServerDetail = lastDetail;
+  }
+  throw new SeedLoadError(
+    formatSeedLoadFailure(serviceName, lastStatus, {
+      detail: lastDetail,
+      lastServerDetail
+    }),
+    lastStatus
+  );
+}
+function formatSeedLoadFailure(serviceName, status, diagnostics) {
+  const lines = [`Failed to load seed into ${serviceName} service (${status}).`];
+  if (isTransientSeedLoadStatus(status)) {
+    lines.push(
+      "  The clone control endpoint did not accept seed state before the seed-load budget expired.",
+      "  This usually indicates hosted clone/proxy/worker infrastructure, not seed schema."
+    );
+  } else {
+    lines.push("  The seed structure may not match the service state schema.");
+  }
+  if (diagnostics.detail) {
+    lines.push(`  Server response: ${diagnostics.detail.slice(0, 200)}`);
+  }
+  if (diagnostics.lastServerDetail && diagnostics.lastServerDetail !== diagnostics.detail) {
+    lines.push(`  Last upstream response: ${diagnostics.lastServerDetail.slice(0, 200)}`);
+  }
+  return lines.join("\n");
+}
+async function waitForSeedLoadRetry(baseDelayMs, attempt, deadlineAt) {
+  const delayMs = Math.min(baseDelayMs * attempt, Math.max(0, deadlineAt - Date.now()));
+  if (delayMs > 0) await new Promise((resolve) => setTimeout(resolve, delayMs));
+}
+function isTransientSeedLoadStatus(status) {
+  return status === 502 || status === 503 || status === 504;
+}
+function shouldRestoreFailedSeedLoad(status) {
+  return status === 0 || status >= 500;
+}
+function positiveIntegerFromEnv(name, fallback) {
+  const value = Number(process.env[name]);
+  return Number.isInteger(value) && value > 0 ? value : fallback;
+}
+
+export {
+  sleep,
+  DEFAULT_HOSTED_API_BASE_URL,
+  DEFAULT_SESSION_TTL_SECONDS,
+  DEFAULT_READY_TIMEOUT_MS,
+  DEFAULT_RENEW_INTERVAL_MS,
+  MIN_RENEW_INTERVAL_MS,
+  MIN_READY_TIMEOUT_MS,
+  trimEnv,
+  parsePositiveInteger,
+  normalizeApiBaseUrl,
+  fileExists,
+  requestedSeedsMatchSession,
+  HostedSessionClient,
+  getCredentials2 as getCredentials,
+  createHostedAuthLease,
+  getSessionIdFilePath,
+  loadFileSeedsIntoClones,
+  isProcessAlive,
+  runHostedSessionReaper,
+  redactSessionSnapshot,
+  encodeConfig,
+  decodeConfig
+};