archal 0.9.8 → 0.9.9

package/dist/vitest/chunk-RKYS44AS.js

@@ -0,0 +1,2216 @@
+import {
+  DEFAULT_HOSTED_API_BASE_URL,
+  DEFAULT_READY_TIMEOUT_MS,
+  DEFAULT_RENEW_INTERVAL_MS,
+  DEFAULT_SESSION_TTL_SECONDS,
+  HostedSessionClient,
+  MIN_READY_TIMEOUT_MS,
+  MIN_RENEW_INTERVAL_MS,
+  createHostedAuthLease,
+  decodeConfig,
+  fileExists,
+  getSessionIdFilePath,
+  isProcessAlive,
+  loadFileSeedsIntoTwins,
+  normalizeApiBaseUrl,
+  parsePositiveInteger,
+  redactSessionSnapshot,
+  requestedSeedsMatchSession,
+  sleep,
+  trimEnv
+} from "./chunk-YV6BH6DO.js";
+
+// src/runtime-module-resolution.ts
+import { dirname, extname, resolve } from "path";
+import { fileURLToPath } from "url";
+function resolveRuntimeModuleExtension(currentExtension, buildExtension) {
+  if (currentExtension === ".ts" || currentExtension === ".mts" || currentExtension === ".cts") {
+    return currentExtension;
+  }
+  return buildExtension ?? currentExtension ?? ".js";
+}
+function resolveRuntimeModuleFromFile(currentModuleFile, relativePath, buildExtension) {
+  const currentExtension = extname(currentModuleFile) || ".js";
+  const resolvedExtension = resolveRuntimeModuleExtension(currentExtension, buildExtension);
+  return resolve(dirname(currentModuleFile), relativePath.replace(/\.js$/, resolvedExtension));
+}
+function resolveRuntimeModule(relativePath, buildExtension) {
+  const currentModuleFile = typeof __filename === "string" ? __filename : fileURLToPath(import.meta.url);
+  return resolveRuntimeModuleFromFile(currentModuleFile, relativePath, buildExtension);
+}
+
+// src/runtime/session-snapshot.ts
+var ARCHAL_VITEST_CONFIG_ENV = "ARCHAL_VITEST_CONFIG";
+function readArchalVitestConfigFromEnv() {
+  const encoded = process.env[ARCHAL_VITEST_CONFIG_ENV];
+  if (!encoded) {
+    throw new Error(`Missing ${ARCHAL_VITEST_CONFIG_ENV}. archalVitestProject() must set worker config before bootstrap.`);
+  }
+  return readArchalVitestConfig(encoded);
+}
+function readArchalVitestConfig(encoded) {
+  if (!encoded) {
+    throw new Error(`Missing ${ARCHAL_VITEST_CONFIG_ENV}. archalVitestProject() must set worker config before bootstrap.`);
+  }
+  return decodeConfig(encoded);
+}
+
+// ../route-runtime-core/src/errors.ts
+var RouteRuntimePolicyError = class extends Error {
+  code;
+  service;
+  url;
+  constructor(input) {
+    super(input.message);
+    this.name = "RouteRuntimePolicyError";
+    this.code = input.code;
+    this.service = input.service;
+    this.url = input.url;
+  }
+};
+
+// ../route-runtime-core/src/runtime.ts
+import { createRequire } from "module";
+
+// ../route-runtime-core/src/runtime-request.ts
+var DEFAULT_HTTP_PROTOCOL = "http:";
+var DEFAULT_HTTPS_PROTOCOL = "https:";
+function normalizeProtocol(protocol, fallback) {
+  if (!protocol) return fallback;
+  return protocol.endsWith(":") ? protocol : `${protocol}:`;
+}
+function normalizeHost(value) {
+  if (value.includes("://")) {
+    const parsed = new URL(value);
+    return {
+      hostname: parsed.hostname,
+      port: parsed.port || void 0
+    };
+  }
+  if (value.startsWith("[")) {
+    const closingBracketIndex = value.indexOf("]");
+    if (closingBracketIndex !== -1) {
+      const hostname = value.slice(1, closingBracketIndex);
+      const port = value.slice(closingBracketIndex + 1).replace(/^:/, "") || void 0;
+      return { hostname, port };
+    }
+  }
+  const lastColonIndex = value.lastIndexOf(":");
+  if (lastColonIndex === -1 || value.indexOf(":") !== lastColonIndex) {
+    return { hostname: value };
+  }
+  return {
+    hostname: value.slice(0, lastColonIndex),
+    port: value.slice(lastColonIndex + 1) || void 0
+  };
+}
+function buildUrlFromOptions(options, defaultProtocol) {
+  const protocol = normalizeProtocol(
+    typeof options.protocol === "string" ? options.protocol : void 0,
+    defaultProtocol
+  );
+  const rawHost = typeof options.hostname === "string" ? options.hostname : typeof options.host === "string" ? normalizeHost(options.host).hostname : "localhost";
+  const rawPort = options.port == null ? typeof options.host === "string" ? normalizeHost(options.host).port : void 0 : String(options.port);
+  const base = `${protocol}//${rawHost}${rawPort ? `:${rawPort}` : ""}`;
+  const path = typeof options.path === "string" && options.path.length > 0 ? options.path : "/";
+  return new URL(path, base);
+}
+function applyRequestOptionsToUrl(requestUrl, options, defaultProtocol) {
+  const effectiveUrl = new URL(requestUrl.toString());
+  const protocol = normalizeProtocol(
+    typeof options.protocol === "string" ? options.protocol : void 0,
+    effectiveUrl.protocol || defaultProtocol
+  );
+  effectiveUrl.protocol = protocol;
+  const normalizedHost = typeof options.hostname === "string" ? normalizeHost(options.hostname) : typeof options.host === "string" ? normalizeHost(options.host) : null;
+  if (normalizedHost) {
+    effectiveUrl.hostname = normalizedHost.hostname;
+    effectiveUrl.port = normalizedHost.port ?? "";
+  }
+  if (options.port != null) {
+    effectiveUrl.port = String(options.port);
+  }
+  if (typeof options.path === "string" && options.path.length > 0) {
+    const pathUrl = new URL(options.path, `${effectiveUrl.protocol}//${effectiveUrl.host}`);
+    effectiveUrl.pathname = pathUrl.pathname;
+    effectiveUrl.search = pathUrl.search;
+    effectiveUrl.hash = pathUrl.hash;
+  }
+  return effectiveUrl;
+}
+function normalizeHeaders(headers) {
+  if (!headers || Array.isArray(headers)) {
+    return headers;
+  }
+  const copy = {};
+  for (const [key, value] of Object.entries(headers)) {
+    if (value === void 0) continue;
+    copy[key] = value;
+  }
+  delete copy["host"];
+  delete copy["Host"];
+  return copy;
+}
+function applyRoutedHeaders(headers, service) {
+  const originalAuthorization = headers.get("authorization");
+  const routedRequestHeaders = typeof service.routedRequestHeaders === "function" ? service.routedRequestHeaders() : service.routedRequestHeaders;
+  for (const [name, value] of Object.entries(routedRequestHeaders ?? {})) {
+    headers.set(name, value);
+  }
+  if (!service.forwardedAuthorizationHeader) {
+    return;
+  }
+  if (originalAuthorization) {
+    headers.set(service.forwardedAuthorizationHeader, originalAuthorization);
+  }
+}
+function buildPatchedHeaders(headers, service) {
+  const normalizedHeaders = new Headers(normalizeHeaders(headers));
+  normalizedHeaders.delete("x-archal-original-authorization");
+  normalizedHeaders.delete("x-archal-original-bearer-token");
+  if (service.forwardedAuthorizationHeader) {
+    normalizedHeaders.delete(service.forwardedAuthorizationHeader);
+  }
+  applyRoutedHeaders(normalizedHeaders, service);
+  const patchedHeaders = {};
+  for (const [name, value] of normalizedHeaders.entries()) {
+    patchedHeaders[name] = value;
+  }
+  return patchedHeaders;
+}
+function parseRequestArgs(defaultProtocol, args) {
+  let callback;
+  for (let index = args.length - 1; index >= 0; index -= 1) {
+    const candidate = args[index];
+    if (typeof candidate === "function") {
+      callback = candidate;
+      break;
+    }
+  }
+  const first = args[0];
+  const second = args[1];
+  if (first instanceof URL || typeof first === "string") {
+    const baseRequestUrl = first instanceof URL ? new URL(first.toString()) : new URL(first, `${defaultProtocol}//localhost`);
+    const options = second && typeof second === "object" && !(second instanceof URL) ? { ...second } : {};
+    return {
+      requestUrl: applyRequestOptionsToUrl(baseRequestUrl, options, defaultProtocol),
+      options,
+      callback
+    };
+  }
+  if (first && typeof first === "object") {
+    const options = { ...first };
+    return {
+      requestUrl: buildUrlFromOptions(options, defaultProtocol),
+      options,
+      callback
+    };
+  }
+  return {
+    requestUrl: new URL(`${defaultProtocol}//localhost/`),
+    options: {},
+    callback
+  };
+}
+function buildPatchedArgs(rewrittenUrl, options, service, sourceProtocol, callback) {
+  const patchedOptions = {
+    ...options,
+    protocol: rewrittenUrl.protocol,
+    hostname: rewrittenUrl.hostname,
+    port: rewrittenUrl.port ? Number(rewrittenUrl.port) : void 0,
+    path: `${rewrittenUrl.pathname}${rewrittenUrl.search}`,
+    headers: buildPatchedHeaders(options.headers, service)
+  };
+  delete patchedOptions.host;
+  if (sourceProtocol !== rewrittenUrl.protocol) {
+    delete patchedOptions.agent;
+    delete patchedOptions.createConnection;
+  }
+  if (callback) {
+    return [rewrittenUrl, patchedOptions, callback];
+  }
+  return [rewrittenUrl, patchedOptions];
+}
+function buildRoutedFetchRequest(request, targetUrl, service, init) {
+  const rewrittenRequest = new Request(targetUrl, request);
+  const headers = new Headers(rewrittenRequest.headers);
+  if (init?.headers) {
+    for (const [name, value] of new Headers(init.headers).entries()) {
+      headers.set(name, value);
+    }
+  }
+  headers.delete("x-archal-original-authorization");
+  headers.delete("x-archal-original-bearer-token");
+  if (service.forwardedAuthorizationHeader) {
+    headers.delete(service.forwardedAuthorizationHeader);
+  }
+  applyRoutedHeaders(headers, service);
+  return new Request(rewrittenRequest, {
+    ...init,
+    headers
+  });
+}
+
+// ../route-runtime-core/src/service-profiles.ts
+function exactDomain(value) {
+  return { kind: "exact", value: value.toLowerCase() };
+}
+function suffixDomain(value) {
+  return { kind: "suffix", value: value.toLowerCase() };
+}
+function matchesDomainPattern(hostname, pattern) {
+  const normalizedHostname = hostname.toLowerCase();
+  if (pattern.kind === "exact") {
+    return normalizedHostname === pattern.value;
+  }
+  return normalizedHostname === pattern.value || normalizedHostname.endsWith(`.${pattern.value}`);
+}
+function classifyHostname(profile, hostname) {
+  if (profile.routeDomains.some((pattern) => matchesDomainPattern(hostname, pattern))) {
+    return "route";
+  }
+  if (profile.hardFailDomains.some((pattern) => matchesDomainPattern(hostname, pattern))) {
+    return "hard-fail";
+  }
+  if (profile.warningDomains.some((pattern) => matchesDomainPattern(hostname, pattern))) {
+    return "warn";
+  }
+  return "ignore";
+}
+
+// ../route-runtime-core/src/runtime.ts
+var require2 = createRequire(typeof __filename === "string" ? __filename : import.meta.url);
+var httpModule = require2("node:http");
+var httpsModule = require2("node:https");
+function now() {
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+function normalizePathPrefix(pathPrefix) {
+  const withLeadingSlash = pathPrefix.startsWith("/") ? pathPrefix : `/${pathPrefix}`;
+  return withLeadingSlash.replace(/\/+$/, "") || "/";
+}
+function resolveRoutedPathname(sourceUrl, service) {
+  const sourcePathname = sourceUrl.pathname || "/";
+  if (!service.upstreamBasePath) {
+    return sourcePathname;
+  }
+  const normalizedUpstreamBasePath = normalizePathPrefix(service.upstreamBasePath);
+  if (normalizedUpstreamBasePath === "/") {
+    return sourcePathname;
+  }
+  if (sourcePathname === normalizedUpstreamBasePath) {
+    return "/";
+  }
+  if (sourcePathname.startsWith(`${normalizedUpstreamBasePath}/`)) {
+    return sourcePathname.slice(normalizedUpstreamBasePath.length) || "/";
+  }
+  return sourcePathname;
+}
+function mergeUrl(service, sourceUrl) {
+  const targetBaseUrl = new URL(service.baseUrl);
+  const targetPathname = targetBaseUrl.pathname.endsWith("/") ? targetBaseUrl.pathname.slice(0, -1) : targetBaseUrl.pathname;
+  targetBaseUrl.pathname = `${targetPathname}${resolveRoutedPathname(sourceUrl, service)}` || "/";
+  targetBaseUrl.search = sourceUrl.search;
+  targetBaseUrl.hash = sourceUrl.hash;
+  return targetBaseUrl;
+}
+function bridgeSecureConnectIfNeeded(request, sourceProtocol, targetProtocol) {
+  if (sourceProtocol !== DEFAULT_HTTPS_PROTOCOL || targetProtocol !== DEFAULT_HTTP_PROTOCOL) {
+    return request;
+  }
+  request.once("socket", (socket) => {
+    if (socket.connecting) {
+      socket.once("connect", () => {
+        socket.emit("secureConnect");
+      });
+      return;
+    }
+    queueMicrotask(() => {
+      socket.emit("secureConnect");
+    });
+  });
+  return request;
+}
+var NodeRouteRuntime = class {
+  profiles;
+  servicesByName;
+  events = [];
+  onEvent;
+  traceRecords = [];
+  traceEnabled;
+  onTrace;
+  started = false;
+  routingInstalled = false;
+  originalHttpRequest = httpModule.request;
+  originalHttpGet = httpModule.get;
+  originalHttpsRequest = httpsModule.request;
+  originalHttpsGet = httpsModule.get;
+  originalFetch = globalThis.fetch;
+  constructor(config) {
+    this.profiles = config.profiles;
+    this.servicesByName = new Map(config.services.map((service) => [service.name, service]));
+    this.onEvent = config.onEvent;
+    this.traceEnabled = config.trace?.enabled ?? false;
+    this.onTrace = config.trace?.onTrace;
+  }
+  async start() {
+    if (this.started) return;
+    this.started = true;
+    this.emit({ type: "runtime_started", timestamp: now() });
+  }
+  async reset() {
+    this.events.length = 0;
+    this.emit({ type: "runtime_reset", timestamp: now() });
+  }
+  async stop() {
+    this.uninstallRouting();
+    if (!this.started) return;
+    this.started = false;
+    this.emit({ type: "runtime_stopped", timestamp: now() });
+  }
+  installRouting() {
+    if (this.routingInstalled) return;
+    httpModule.request = ((...args) => this.dispatchRequest(this.originalHttpRequest, this.originalHttpsRequest, DEFAULT_HTTP_PROTOCOL, args));
+    httpModule.get = ((...args) => this.dispatchGet(this.originalHttpGet, this.originalHttpsGet, DEFAULT_HTTP_PROTOCOL, args));
+    httpsModule.request = ((...args) => this.dispatchRequest(this.originalHttpRequest, this.originalHttpsRequest, DEFAULT_HTTPS_PROTOCOL, args));
+    httpsModule.get = ((...args) => this.dispatchGet(this.originalHttpGet, this.originalHttpsGet, DEFAULT_HTTPS_PROTOCOL, args));
+    if (this.originalFetch) {
+      globalThis.fetch = (async (input, init) => {
+        const originalRequest = input instanceof Request ? input : void 0;
+        const sourceUrl = new URL(
+          originalRequest?.url ?? (input instanceof URL ? input.toString() : String(input))
+        );
+        const decision = this.evaluateRequest(sourceUrl);
+        const method = (originalRequest?.method ?? init?.method ?? "GET").toUpperCase();
+        if (decision.kind === "route") {
+          const service = this.servicesByName.get(decision.service);
+          if (!service) {
+            throw new Error(`Missing routed service config for ${decision.service}.`);
+          }
+          const targetUrl = decision.targetUrl.toString();
+          if (originalRequest) {
+            let response3;
+            try {
+              response3 = await this.originalFetch(
+                buildRoutedFetchRequest(originalRequest, decision.targetUrl, service, init)
+              );
+            } catch (error) {
+              this.traceRequest({
+                method,
+                sourceUrl: sourceUrl.toString(),
+                manifestMatched: true,
+                service: decision.service,
+                target: "twin",
+                outcome: "failed",
+                reason: "network_error",
+                targetUrl,
+                error: error instanceof Error ? error.message : String(error)
+              });
+              throw error;
+            }
+            this.traceRequest({
+              method,
+              sourceUrl: sourceUrl.toString(),
+              manifestMatched: true,
+              service: decision.service,
+              target: "twin",
+              outcome: "routed",
+              reason: "route",
+              targetUrl,
+              statusCode: response3.status,
+              statusText: response3.statusText
+            });
+            return response3;
+          }
+          const headers = new Headers(init?.headers);
+          applyRoutedHeaders(headers, service);
+          let response2;
+          try {
+            response2 = await this.originalFetch(new URL(targetUrl), {
+              ...init,
+              headers
+            });
+          } catch (error) {
+            this.traceRequest({
+              method,
+              sourceUrl: sourceUrl.toString(),
+              manifestMatched: true,
+              service: decision.service,
+              target: "twin",
+              outcome: "failed",
+              reason: "network_error",
+              targetUrl,
+              error: error instanceof Error ? error.message : String(error)
+            });
+            throw error;
+          }
+          this.traceRequest({
+            method,
+            sourceUrl: sourceUrl.toString(),
+            manifestMatched: true,
+            service: decision.service,
+            target: "twin",
+            outcome: "routed",
+            reason: "route",
+            targetUrl,
+            statusCode: response2.status,
+            statusText: response2.statusText
+          });
+          return response2;
+        }
+        if (decision.kind === "block") {
+          this.traceRequest({
+            method,
+            sourceUrl: sourceUrl.toString(),
+            manifestMatched: true,
+            service: decision.service,
+            target: "none",
+            outcome: "blocked",
+            reason: decision.code === "ARCHAL_UNDECLARED_SERVICE" ? "blocked_undeclared" : "blocked_escape"
+          });
+          throw new RouteRuntimePolicyError({
+            code: decision.code,
+            service: decision.service,
+            url: sourceUrl.toString(),
+            message: decision.message
+          });
+        }
+        let response;
+        try {
+          response = await this.originalFetch(input, init);
+        } catch (error) {
+          this.traceRequest({
+            method,
+            sourceUrl: sourceUrl.toString(),
+            manifestMatched: decision.kind === "warn",
+            service: decision.kind === "warn" ? decision.service : void 0,
+            target: "upstream",
+            outcome: "failed",
+            reason: "network_error",
+            error: error instanceof Error ? error.message : String(error)
+          });
+          throw error;
+        }
+        this.traceRequest({
+          method,
+          sourceUrl: sourceUrl.toString(),
+          manifestMatched: decision.kind === "warn",
+          service: decision.kind === "warn" ? decision.service : void 0,
+          target: "upstream",
+          outcome: "bypassed",
+          reason: decision.kind === "warn" ? "warning" : "no_match",
+          statusCode: response.status,
+          statusText: response.statusText
+        });
+        return response;
+      });
+    }
+    this.routingInstalled = true;
+    this.emit({ type: "routing_installed", timestamp: now() });
+  }
+  uninstallRouting() {
+    if (!this.routingInstalled) return;
+    httpModule.request = this.originalHttpRequest;
+    httpModule.get = this.originalHttpGet;
+    httpsModule.request = this.originalHttpsRequest;
+    httpsModule.get = this.originalHttpsGet;
+    if (this.originalFetch) {
+      globalThis.fetch = this.originalFetch;
+    }
+    this.routingInstalled = false;
+    this.emit({ type: "routing_uninstalled", timestamp: now() });
+  }
+  getEvents() {
+    return [...this.events];
+  }
+  getTraceRecords() {
+    return [...this.traceRecords];
+  }
+  evaluateRequest(input) {
+    const sourceUrl = input instanceof URL ? input : new URL(input);
+    const hostname = sourceUrl.hostname.toLowerCase();
+    for (const profile of this.profiles) {
+      const classification = classifyHostname(profile, hostname);
+      if (classification === "ignore") {
+        continue;
+      }
+      const configuredService = this.servicesByName.get(profile.service);
+      const diagnosticsContext = {
+        service: profile.service,
+        hostname,
+        url: sourceUrl.toString(),
+        configuredBaseUrl: configuredService?.baseUrl
+      };
+      if (classification === "route") {
+        if (!configuredService) {
+          const message2 = profile.diagnostics.undeclared(diagnosticsContext);
+          this.emit({
+            type: "request_blocked",
+            timestamp: now(),
+            service: profile.service,
+            code: "ARCHAL_UNDECLARED_SERVICE",
+            url: sourceUrl.toString(),
+            message: message2
+          });
+          return {
+            kind: "block",
+            service: profile.service,
+            code: "ARCHAL_UNDECLARED_SERVICE",
+            message: message2
+          };
+        }
+        const targetUrl = mergeUrl(configuredService, sourceUrl);
+        this.emit({
+          type: "request_routed",
+          timestamp: now(),
+          service: profile.service,
+          sourceUrl: sourceUrl.toString(),
+          targetUrl: targetUrl.toString()
+        });
+        return {
+          kind: "route",
+          service: profile.service,
+          targetUrl
+        };
+      }
+      if (classification === "hard-fail") {
+        const code = configuredService ? "ARCHAL_DECLARED_SERVICE_ESCAPE" : "ARCHAL_UNDECLARED_SERVICE";
+        const message2 = configuredService ? profile.diagnostics.declaredEscape(diagnosticsContext) : profile.diagnostics.undeclared(diagnosticsContext);
+        this.emit({
+          type: "request_blocked",
+          timestamp: now(),
+          service: profile.service,
+          code,
+          url: sourceUrl.toString(),
+          message: message2
+        });
+        return {
+          kind: "block",
+          service: profile.service,
+          code,
+          message: message2
+        };
+      }
+      const message = profile.diagnostics.warning(diagnosticsContext);
+      this.emit({
+        type: "request_warning",
+        timestamp: now(),
+        service: profile.service,
+        url: sourceUrl.toString(),
+        message
+      });
+      return {
+        kind: "warn",
+        service: profile.service,
+        message
+      };
+    }
+    return { kind: "allow" };
+  }
+  dispatchRequest(originalHttpRequest, originalHttpsRequest, defaultProtocol, args) {
+    const { requestUrl, options, callback } = parseRequestArgs(defaultProtocol, args);
+    const decision = this.evaluateRequest(requestUrl);
+    const method = typeof options.method === "string" && options.method.trim().length > 0 ? options.method.trim().toUpperCase() : "GET";
+    if (decision.kind === "block") {
+      this.traceRequest({
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "none",
+        outcome: "blocked",
+        reason: decision.code === "ARCHAL_UNDECLARED_SERVICE" ? "blocked_undeclared" : "blocked_escape"
+      });
+      throw new RouteRuntimePolicyError({
+        code: decision.code,
+        service: decision.service,
+        url: requestUrl.toString(),
+        message: decision.message
+      });
+    }
+    if (decision.kind !== "route") {
+      const request = Reflect.apply(
+        defaultProtocol === DEFAULT_HTTPS_PROTOCOL ? originalHttpsRequest : originalHttpRequest,
+        defaultProtocol === DEFAULT_HTTPS_PROTOCOL ? httpsModule : httpModule,
+        args
+      );
+      return this.attachTraceListeners(request, {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: decision.kind === "warn",
+        service: decision.kind === "warn" ? decision.service : void 0,
+        target: "upstream",
+        outcome: "bypassed",
+        reason: decision.kind === "warn" ? "warning" : "no_match"
+      });
+    }
+    const service = this.servicesByName.get(decision.service);
+    if (!service) {
+      throw new Error(`Missing routed service config for ${decision.service}.`);
+    }
+    const rewrittenArgs = buildPatchedArgs(
+      decision.targetUrl,
+      options,
+      service,
+      defaultProtocol,
+      callback
+    );
+    if (decision.targetUrl.protocol === DEFAULT_HTTP_PROTOCOL) {
+      const request = bridgeSecureConnectIfNeeded(
+        Reflect.apply(originalHttpRequest, httpModule, rewrittenArgs),
+        defaultProtocol,
+        decision.targetUrl.protocol
+      );
+      return this.attachTraceListeners(request, {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "twin",
+        outcome: "routed",
+        reason: "route",
+        targetUrl: decision.targetUrl.toString()
+      });
+    }
+    return this.attachTraceListeners(
+      Reflect.apply(originalHttpsRequest, httpsModule, rewrittenArgs),
+      {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "twin",
+        outcome: "routed",
+        reason: "route",
+        targetUrl: decision.targetUrl.toString()
+      }
+    );
+  }
+  dispatchGet(originalHttpGet, originalHttpsGet, defaultProtocol, args) {
+    const { requestUrl, options, callback } = parseRequestArgs(defaultProtocol, args);
+    const decision = this.evaluateRequest(requestUrl);
+    const method = typeof options.method === "string" && options.method.trim().length > 0 ? options.method.trim().toUpperCase() : "GET";
+    if (decision.kind === "block") {
+      this.traceRequest({
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "none",
+        outcome: "blocked",
+        reason: decision.code === "ARCHAL_UNDECLARED_SERVICE" ? "blocked_undeclared" : "blocked_escape"
+      });
+      throw new RouteRuntimePolicyError({
+        code: decision.code,
+        service: decision.service,
+        url: requestUrl.toString(),
+        message: decision.message
+      });
+    }
+    if (decision.kind !== "route") {
+      const request = Reflect.apply(
+        defaultProtocol === DEFAULT_HTTPS_PROTOCOL ? originalHttpsGet : originalHttpGet,
+        defaultProtocol === DEFAULT_HTTPS_PROTOCOL ? httpsModule : httpModule,
+        args
+      );
+      return this.attachTraceListeners(request, {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: decision.kind === "warn",
+        service: decision.kind === "warn" ? decision.service : void 0,
+        target: "upstream",
+        outcome: "bypassed",
+        reason: decision.kind === "warn" ? "warning" : "no_match"
+      });
+    }
+    const service = this.servicesByName.get(decision.service);
+    if (!service) {
+      throw new Error(`Missing routed service config for ${decision.service}.`);
+    }
+    const rewrittenArgs = buildPatchedArgs(
+      decision.targetUrl,
+      options,
+      service,
+      defaultProtocol,
+      callback
+    );
+    if (decision.targetUrl.protocol === DEFAULT_HTTP_PROTOCOL) {
+      const request = bridgeSecureConnectIfNeeded(
+        Reflect.apply(originalHttpGet, httpModule, rewrittenArgs),
+        defaultProtocol,
+        decision.targetUrl.protocol
+      );
+      return this.attachTraceListeners(request, {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "twin",
+        outcome: "routed",
+        reason: "route",
+        targetUrl: decision.targetUrl.toString()
+      });
+    }
+    return this.attachTraceListeners(
+      Reflect.apply(originalHttpsGet, httpsModule, rewrittenArgs),
+      {
+        method,
+        sourceUrl: requestUrl.toString(),
+        manifestMatched: true,
+        service: decision.service,
+        target: "twin",
+        outcome: "routed",
+        reason: "route",
+        targetUrl: decision.targetUrl.toString()
+      }
+    );
+  }
+  emit(event) {
+    this.events.push(event);
+    this.onEvent?.(event);
+  }
+  attachTraceListeners(request, record) {
+    if (!this.traceEnabled) {
+      return request;
+    }
+    let settled = false;
+    request.once("response", (response) => {
+      settled = true;
+      this.traceRequest({
+        ...record,
+        statusCode: response.statusCode,
+        statusText: response.statusMessage
+      });
+    });
+    request.once("error", (error) => {
+      if (settled) {
+        return;
+      }
+      this.traceRequest({
+        ...record,
+        outcome: "failed",
+        reason: "network_error",
+        error: error.message
+      });
+    });
+    return request;
+  }
+  traceRequest(record) {
+    if (!this.traceEnabled) {
+      return;
+    }
+    const traceRecord = {
+      timestamp: now(),
+      ...record,
+      method: record.method.toUpperCase()
+    };
+    this.traceRecords.push(traceRecord);
+    this.onTrace?.(traceRecord);
+  }
+};
+
+// ../route-runtime-core/src/manifests/discord.ts
+var discordRouteManifest = {
+  service: "discord",
+  manifestVersion: "2026-04-12.discord.v1",
+  baselineSeed: "small-server",
+  upstreamBasePath: "/api/v10",
+  routeDomains: [
+    exactDomain("discord.com"),
+    exactDomain("discordapp.com")
+  ],
+  // Discord's CDN and gateway surfaces are outside the approved Vitest route
+  // contract. Leaving them warning-only would create obvious exfil and
+  // network-escape channels once a test declares Discord route mode.
+  hardFailDomains: [
+    exactDomain("cdn.discordapp.com"),
+    exactDomain("media.discordapp.net"),
+    exactDomain("gateway.discord.gg")
+  ],
+  warningDomains: [
+    suffixDomain("discord.com"),
+    suffixDomain("discordapp.com"),
+    exactDomain("discord.gg")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Discord traffic to ${url}. Declare discord in archalVitestProject({ services: { discord: { mode: "route" } } }) before calling the Discord REST API in Vitest.`,
+    declaredEscape: ({ url, configuredBaseUrl }) => `Blocked Discord escape to ${url}. Discord route mode is configured, but this domain is outside the approved Discord REST route surface. Configured twin base URL: ${configuredBaseUrl ?? "unknown"}.`,
+    warning: ({ url }) => `Observed adjacent Discord domain ${url}. Archal did not reroute this request because it is outside the approved Discord REST route surface.`
+  },
+  sdkIdentifiers: ["discord.js", "@discordjs/rest"],
+  conformanceSuiteId: "discord-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/github.ts
+var githubRouteManifest = {
+  service: "github",
+  manifestVersion: "2026-04-02.github.v1",
+  baselineSeed: "small-project",
+  routeDomains: [
+    exactDomain("api.github.com"),
+    exactDomain("uploads.github.com")
+  ],
+  // Block adjacent GitHub-owned domains that tests don't need. Integration
+  // tests for GitHub APIs should never hit raw.githubusercontent.com or
+  // gist.github.com — and leaving them as warning-only creates an
+  // exfiltration channel: a malicious dependency can POST stolen data to any
+  // GitHub-controlled endpoint (Gist creation, raw content retrieval with
+  // crafted paths, etc.) through a domain the developer has implicitly
+  // allow-listed by declaring `github: { mode: 'route' }`.
+  hardFailDomains: [
+    exactDomain("gist.github.com"),
+    exactDomain("raw.githubusercontent.com"),
+    exactDomain("objects.githubusercontent.com"),
+    exactDomain("codeload.github.com")
+  ],
+  warningDomains: [
+    suffixDomain("github.com"),
+    suffixDomain("githubusercontent.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked GitHub traffic to ${url}. Declare github in archalVitestProject({ services: { github: { mode: "route" } } }) before using the official GitHub SDK.`,
+    declaredEscape: ({ url, configuredBaseUrl }) => `Blocked GitHub escape to ${url}. GitHub route mode is configured, but this domain is outside the primary routed GitHub surface. Configured twin base URL: ${configuredBaseUrl ?? "unknown"}.`,
+    warning: ({ url }) => `Observed adjacent GitHub domain ${url}. Archal did not reroute this request because it is outside the primary GitHub API route surface.`
+  },
+  sdkIdentifiers: ["@octokit/rest"],
+  conformanceSuiteId: "github-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/google-workspace.ts
+var googleWorkspaceRouteManifest = {
+  service: "google-workspace",
+  manifestVersion: "2026-04-01.google-workspace.v1",
+  baselineSeed: "assistant-baseline",
+  routeDomains: [
+    exactDomain("gmail.googleapis.com"),
+    exactDomain("drive.googleapis.com"),
+    exactDomain("calendar.googleapis.com"),
+    exactDomain("people.googleapis.com"),
+    exactDomain("sheets.googleapis.com"),
+    exactDomain("oauth2.googleapis.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("google.com"),
+    suffixDomain("googleusercontent.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Google Workspace traffic to ${url}. Declare google-workspace in archalVitestProject({ services: { 'google-workspace': { mode: "route" } } }) before using the official Google client.`,
+    declaredEscape: ({ url, configuredBaseUrl }) => `Blocked Google Workspace escape to ${url}. Google Workspace route mode is configured, but this domain is outside the primary routed surface. Configured twin base URL: ${configuredBaseUrl ?? "unknown"}.`,
+    warning: ({ url }) => `Observed adjacent Google Workspace domain ${url}. Archal did not reroute this request because it is outside the primary Google Workspace API route surface.`
+  },
+  sdkIdentifiers: ["googleapis"],
+  conformanceSuiteId: "google-workspace-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/jira.ts
+var jiraRouteManifest = {
+  service: "jira",
+  manifestVersion: "2026-04-01.jira.v1",
+  baselineSeed: "small-project",
+  routeDomains: [
+    suffixDomain("atlassian.net"),
+    exactDomain("api.atlassian.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("atlassian.com"),
+    exactDomain("jira.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Jira traffic to ${url}. Declare jira in archalVitestProject({ services: { jira: { mode: "route" } } }) before using the official Jira SDK.`,
+    declaredEscape: ({ url, configuredBaseUrl }) => `Blocked Jira escape to ${url}. Jira route mode is configured, but this domain is outside the primary routed Jira surface. Configured twin base URL: ${configuredBaseUrl ?? "unknown"}.`,
+    warning: ({ url }) => `Observed adjacent Jira domain ${url}. Archal did not reroute this request because it is outside the primary Jira route surface.`
+  },
+  sdkIdentifiers: ["jira.js"],
+  conformanceSuiteId: "jira-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/linear.ts
+var linearRouteManifest = {
+  service: "linear",
+  manifestVersion: "2026-04-19.linear.v1",
+  baselineSeed: "small-team",
+  routeDomains: [
+    exactDomain("api.linear.app")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("linear.app")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Linear traffic to ${url}. Declare linear in archalVitestProject({ services: { linear: { mode: "route" } } }) before using the official Linear SDK.`,
+    declaredEscape: ({ url, configuredBaseUrl }) => `Blocked Linear escape to ${url}. Linear route mode is configured, but this domain is outside the primary routed Linear API surface. Configured twin base URL: ${configuredBaseUrl ?? "unknown"}.`,
+    warning: ({ url }) => `Observed adjacent Linear domain ${url}. Archal did not reroute this request because it is outside the primary Linear API route surface.`
+  },
+  sdkIdentifiers: ["@linear/sdk"],
+  conformanceSuiteId: "linear-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/ramp.ts
+var rampRouteManifest = {
+  service: "ramp",
+  manifestVersion: "2026-04-19.ramp.v1",
+  baselineSeed: "default",
+  routeDomains: [
+    exactDomain("api.ramp.com")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    exactDomain("app.ramp.com"),
+    suffixDomain("ramp.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Ramp traffic to ${url}. Declare ramp in archalVitestProject({ services: { ramp: { mode: "route" } } }) before using the official Ramp client.`,
+    declaredEscape: ({ url, configuredBaseUrl }) => `Blocked Ramp escape to ${url}. Ramp route mode is configured, but this domain is outside the primary routed Ramp API surface. Configured twin base URL: ${configuredBaseUrl ?? "unknown"}.`,
+    warning: ({ url }) => `Observed adjacent Ramp domain ${url}. Archal did not reroute this request because it is outside the primary Ramp API route surface.`
+  },
+  sdkIdentifiers: ["ramp"],
+  conformanceSuiteId: "ramp-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/slack.ts
+var slackRouteManifest = {
+  service: "slack",
+  manifestVersion: "2026-04-02.slack.v1",
+  baselineSeed: "engineering-team",
+  routeDomains: [
+    exactDomain("slack.com")
+  ],
+  // Block adjacent Slack-owned domains that tests don't need and that can be
+  // abused as data-exfiltration channels. hooks.slack.com and files.slack.com
+  // in particular are ideal POST targets for a malicious dependency trying to
+  // smuggle stolen tokens out through a domain the developer has already
+  // implicitly allow-listed.
+  hardFailDomains: [
+    exactDomain("hooks.slack.com"),
+    exactDomain("files.slack.com"),
+    exactDomain("edgeapi.slack.com"),
+    exactDomain("wss-primary.slack.com"),
+    exactDomain("wss-backup.slack.com")
+  ],
+  warningDomains: [
+    suffixDomain("slack.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Slack traffic to ${url}. Declare slack in archalVitestProject({ services: { slack: { mode: "route" } } }) before using the official Slack SDK.`,
+    declaredEscape: ({ url, configuredBaseUrl }) => `Blocked Slack escape to ${url}. Slack route mode is configured, but this domain is outside the primary routed Slack surface. Configured twin base URL: ${configuredBaseUrl ?? "unknown"}.`,
+    warning: ({ url }) => `Observed adjacent Slack domain ${url}. Archal did not reroute this request because it is outside the primary Slack API route surface.`
+  },
+  sdkIdentifiers: ["@slack/web-api"],
+  conformanceSuiteId: "slack-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/stripe.ts
+var stripeRouteManifest = {
+  service: "stripe",
+  manifestVersion: "2026-04-01.stripe.v1",
+  baselineSeed: "small-business",
+  routeDomains: [
+    exactDomain("api.stripe.com")
+  ],
+  hardFailDomains: [
+    exactDomain("files.stripe.com"),
+    exactDomain("uploads.stripe.com")
+  ],
+  warningDomains: [
+    exactDomain("billing.stripe.com"),
+    exactDomain("buy.stripe.com"),
+    exactDomain("checkout.stripe.com"),
+    exactDomain("connect.stripe.com"),
+    exactDomain("dashboard.stripe.com"),
+    exactDomain("invoice.stripe.com"),
+    exactDomain("pay.stripe.com"),
+    exactDomain("verify.stripe.com"),
+    suffixDomain("stripe.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Stripe traffic to ${url}. Declare stripe in archalVitestProject({ services: { stripe: { mode: "route" } } }) before using the official Stripe SDK.`,
+    declaredEscape: ({ url, configuredBaseUrl }) => `Blocked Stripe escape to ${url}. Stripe route mode is configured, but this Stripe-owned domain is outside the current routed surface. Configured twin base URL: ${configuredBaseUrl ?? "unknown"}.`,
+    warning: ({ url }) => `Observed adjacent Stripe domain ${url}. Archal did not reroute this request because it is outside the primary Stripe API route surface.`
+  },
+  sdkIdentifiers: ["stripe"],
+  conformanceSuiteId: "stripe-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests/supabase.ts
+var supabaseRouteManifest = {
+  service: "supabase",
+  manifestVersion: "2026-04-01.supabase.v1",
+  baselineSeed: "small-project",
+  routeDomains: [
+    suffixDomain("supabase.co")
+  ],
+  hardFailDomains: [],
+  warningDomains: [
+    suffixDomain("supabase.com")
+  ],
+  diagnostics: {
+    undeclared: ({ url }) => `Blocked Supabase traffic to ${url}. Declare supabase in archalVitestProject({ services: { supabase: { mode: "route" } } }) before using the official Supabase SDK.`,
+    declaredEscape: ({ url, configuredBaseUrl }) => `Blocked Supabase escape to ${url}. Supabase route mode is configured, but this domain is outside the primary routed Supabase surface. Configured twin base URL: ${configuredBaseUrl ?? "unknown"}.`,
+    warning: ({ url }) => `Observed adjacent Supabase domain ${url}. Archal did not reroute this request because it is outside the primary Supabase route surface.`
+  },
+  sdkIdentifiers: ["@supabase/supabase-js"],
+  conformanceSuiteId: "supabase-hosted-route"
+};
+
+// ../route-runtime-core/src/manifests.ts
+var SHARED_ROUTE_MANIFESTS = [
+  discordRouteManifest,
+  githubRouteManifest,
+  googleWorkspaceRouteManifest,
+  jiraRouteManifest,
+  linearRouteManifest,
+  rampRouteManifest,
+  slackRouteManifest,
+  stripeRouteManifest,
+  supabaseRouteManifest
+];
+var SHARED_ROUTE_MANIFESTS_BY_SERVICE = new Map(
+  SHARED_ROUTE_MANIFESTS.map((manifest) => [manifest.service, manifest])
+);
+function listSharedRouteManifests() {
+  return [...SHARED_ROUTE_MANIFESTS];
+}
+function getSharedRouteManifest(service) {
+  return SHARED_ROUTE_MANIFESTS_BY_SERVICE.get(service);
+}
+function buildServiceCompatibilityProfile(manifest) {
+  return {
+    service: manifest.service,
+    routeDomains: manifest.routeDomains,
+    hardFailDomains: manifest.hardFailDomains,
+    warningDomains: manifest.warningDomains,
+    diagnostics: manifest.diagnostics
+  };
+}
+
+// ../route-runtime-core/src/service-profiles/stripe.ts
+var stripeCompatibilityProfile = buildServiceCompatibilityProfile(stripeRouteManifest);
+
+// ../route-runtime-core/src/hosted-capabilities.ts
+import { createHash } from "crypto";
+
+// src/runtime/service-profiles.ts
+function unsupportedServiceMessage(unsupportedServices) {
+  const supportedServices = listSharedRouteManifests().map((manifest) => manifest.service).sort();
+  return [
+    `Unsupported route-mode service${unsupportedServices.length === 1 ? "" : "s"}: ${unsupportedServices.sort().join(", ")}.`,
+    `Supported services in this Vitest adapter: ${supportedServices.join(", ")}.`
+  ].join(" ");
+}
+function assertSupportedArchalVitestServices(services) {
+  const unsupportedServices = Object.entries(services).filter(([, serviceConfig]) => serviceConfig.mode === "route").map(([serviceName]) => serviceName).filter((serviceName) => !getSharedRouteManifest(serviceName));
+  if (unsupportedServices.length === 0) {
+    return;
+  }
+  throw new Error(unsupportedServiceMessage(unsupportedServices));
+}
+function resolveArchalVitestServiceProfiles(services) {
+  const declaredRouteServices = new Set(
+    Object.entries(services).filter(([, serviceConfig]) => serviceConfig.mode === "route").map(([serviceName]) => serviceName)
+  );
+  const profiles = listSharedRouteManifests().map((manifest) => ({
+    serviceName: manifest.service,
+    profile: buildServiceCompatibilityProfile(manifest)
+  }));
+  const declaredProfiles = profiles.filter(({ serviceName }) => declaredRouteServices.has(serviceName)).map(({ profile }) => profile);
+  const undeclaredEnforcementProfiles = profiles.filter(({ serviceName }) => !declaredRouteServices.has(serviceName)).map(({ profile }) => profile);
+  return [...declaredProfiles, ...undeclaredEnforcementProfiles];
+}
+
+// src/runtime/hosted-session-provider.ts
+import { createHash as createHash2, randomUUID } from "crypto";
+import { spawn } from "child_process";
+import { promises as fs } from "fs";
+import { join, resolve as resolve2 } from "path";
+import { tmpdir } from "os";
+
+// src/url-resolution.ts
+function readFirstConfiguredApiBaseUrl(envVars) {
+  for (const envVar of envVars) {
+    const configured = trimEnv(envVar);
+    if (!configured) {
+      continue;
+    }
+    return normalizeApiBaseUrl(configured);
+  }
+  return null;
+}
+function resolveArchalVitestApiBaseUrl(defaultBaseUrl) {
+  return readFirstConfiguredApiBaseUrl([
+    "ARCHAL_VITEST_API_URL",
+    "ARCHAL_API_URL",
+    "ARCHAL_API_BASE_URL",
+    "ARCHAL_AUTH_URL",
+    "ARCHAL_AUTH_BASE_URL"
+  ]) ?? defaultBaseUrl;
+}
+
+// src/runtime/hosted-session-provider.ts
+var COORDINATOR_LOCK_TIMEOUT_MS = 3e4;
+var COORDINATOR_STALE_LOCK_MS = COORDINATOR_LOCK_TIMEOUT_MS;
+var COORDINATOR_POLL_INTERVAL_MS = 50;
+var FORWARDED_AUTHORIZATION_HEADER = "x-archal-upstream-authorization";
+var WORKER_ID_HEADER = "x-archal-worker-id";
+function currentVitestWorkerId() {
+  const raw = process.env["VITEST_WORKER_ID"];
+  if (!raw || typeof raw !== "string") return void 0;
+  const trimmed = raw.trim();
+  if (trimmed.length === 0) return void 0;
+  return `vitest-${trimmed}`;
+}
+function resolveWorkerId() {
+  const vitestWorkerId = trimEnv("VITEST_WORKER_ID");
+  return vitestWorkerId ? `vitest-worker-${vitestWorkerId}` : `pid-${process.pid}`;
+}
+function resolveRunnerPid(config) {
+  return typeof config.runnerPid === "number" && Number.isInteger(config.runnerPid) && config.runnerPid > 0 ? config.runnerPid : process.pid;
+}
+function toSafeCoordinatorDirectoryName(sessionKey) {
+  if (sessionKey !== "." && sessionKey !== ".." && /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/.test(sessionKey)) {
+    return sessionKey;
+  }
+  const slug = sessionKey.replace(/[^a-zA-Z0-9._-]+/g, "-").replace(/^[.-]+|[.-]+$/g, "").slice(0, 48);
+  const hash = createHash2("sha256").update(sessionKey).digest("hex").slice(0, 12);
+  return `${slug || "session"}-${hash}`;
+}
+function resolveCoordinatorPaths(config) {
+  const baseDirectory = resolve2(
+    trimEnv("ARCHAL_VITEST_COORDINATOR_DIR") ?? join(tmpdir(), "archal-vitest")
+  );
+  const sessionKey = config.sessionKey ?? `${config.projectName}-${randomUUID()}`;
+  const directory = resolve2(baseDirectory, toSafeCoordinatorDirectoryName(sessionKey));
+  return {
+    directory,
+    lockDirectory: join(directory, "lock"),
+    statePath: join(directory, "state.json"),
+    reaperPidPath: join(directory, "reaper.pid")
+  };
+}
+function shouldStopSessionOnRelease() {
+  const explicitSetting = trimEnv("ARCHAL_VITEST_STOP_SESSION_ON_RELEASE");
+  if (explicitSetting) {
+    return !/^(0|false)$/i.test(explicitSetting);
+  }
+  return trimEnv("CI") !== void 0 || trimEnv("GITHUB_ACTIONS") !== void 0;
+}
+async function resolveHostedSessionEnvironment() {
+  const apiBaseUrl = resolveArchalVitestApiBaseUrl(DEFAULT_HOSTED_API_BASE_URL);
+  const auth = await createHostedAuthLease(VITEST_AUTH_LEASE_OPTIONS);
+  const ttlFromMinutes = parsePositiveInteger(trimEnv("ARCHAL_SESSION_TTL_MINUTES"), 30, 1) * 60;
+  const ttlSeconds = parsePositiveInteger(
+    trimEnv("ARCHAL_VITEST_SESSION_TTL_SECONDS"),
+    ttlFromMinutes,
+    1
+  );
+  const readyTimeoutMs = Math.max(
+    MIN_READY_TIMEOUT_MS,
+    parsePositiveInteger(
+      trimEnv("ARCHAL_VITEST_SESSION_READY_TIMEOUT_MS") ?? trimEnv("ARCHAL_SESSION_READY_TIMEOUT_MS"),
+      DEFAULT_READY_TIMEOUT_MS,
+      1
+    )
+  );
+  const renewIntervalMs = Math.max(
+    MIN_RENEW_INTERVAL_MS,
+    parsePositiveInteger(
+      trimEnv("ARCHAL_VITEST_SESSION_RENEW_INTERVAL_MS"),
+      Math.min(Math.floor((ttlSeconds || DEFAULT_SESSION_TTL_SECONDS) * 500), DEFAULT_RENEW_INTERVAL_MS),
+      1
+    )
+  );
+  return {
+    auth,
+    apiBaseUrl,
+    ttlSeconds: ttlSeconds || DEFAULT_SESSION_TTL_SECONDS,
+    readyTimeoutMs,
+    renewIntervalMs
+  };
+}
+async function withCoordinatorLock(paths, lockTimeoutMs, action) {
+  await fs.mkdir(paths.directory, { recursive: true });
+  const deadline = Date.now() + resolveCoordinatorLockWaitTimeoutMs(lockTimeoutMs);
+  while (true) {
+    try {
+      await fs.mkdir(paths.lockDirectory);
+      break;
+    } catch (error) {
+      const code = error instanceof Error && "code" in error ? String(error.code) : "";
+      if (code !== "EEXIST") {
+        throw error;
+      }
+      const stale = await fs.stat(paths.lockDirectory).then((stats) => Date.now() - stats.mtimeMs >= COORDINATOR_STALE_LOCK_MS).catch(() => false);
+      if (stale) {
+        await fs.rm(paths.lockDirectory, { recursive: true, force: true }).catch(() => {
+        });
+        continue;
+      }
+      if (Date.now() >= deadline) {
+        throw new Error(
+          `Timed out waiting for Archal Vitest session coordinator lock in ${paths.directory}.`
+        );
+      }
+      await sleep(COORDINATOR_POLL_INTERVAL_MS);
+    }
+  }
+  try {
+    const keepalive = setInterval(() => {
+      void fs.utimes(paths.lockDirectory, /* @__PURE__ */ new Date(), /* @__PURE__ */ new Date()).catch(() => void 0);
+    }, 1e3);
+    keepalive.unref();
+    try {
+      return await action();
+    } finally {
+      clearInterval(keepalive);
+    }
+  } finally {
+    await fs.rm(paths.lockDirectory, { recursive: true, force: true });
+  }
+}
+function resolveCoordinatorLockWaitTimeoutMs(readyTimeoutMs) {
+  return Math.max(COORDINATOR_LOCK_TIMEOUT_MS, readyTimeoutMs);
+}
+async function readCoordinatorState(paths) {
+  if (!await fileExists(paths.statePath)) {
+    return { kind: "missing" };
+  }
+  const raw = await fs.readFile(paths.statePath, "utf8");
+  try {
+    const normalizedState = normalizeCoordinatorState(JSON.parse(raw));
+    if (!normalizedState) {
+      await fs.rm(paths.statePath, { force: true }).catch(() => void 0);
+      return { kind: "corrupt" };
+    }
+    return {
+      kind: "ready",
+      state: normalizedState
+    };
+  } catch {
+    await fs.rm(paths.statePath, { force: true }).catch(() => void 0);
+    return { kind: "corrupt" };
+  }
+}
+function normalizeCoordinatorState(input) {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return null;
+  }
+  const record = input;
+  const session = normalizeHostedSessionSnapshot(record["session"]);
+  if (!session) {
+    return null;
+  }
+  const leases = normalizeWorkerLeases(record["leases"]);
+  if (!leases) {
+    return null;
+  }
+  return { session, leases };
+}
+function normalizeHostedSessionSnapshot(input) {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return null;
+  }
+  const record = input;
+  const sessionId = typeof record["sessionId"] === "string" ? record["sessionId"].trim() : "";
+  const apiBaseUrls = normalizeStringRecord(record["apiBaseUrls"]);
+  const resolvedRuntime = normalizeResolvedRuntime(record["resolvedRuntime"]);
+  if (!sessionId || !apiBaseUrls || !resolvedRuntime) {
+    return null;
+  }
+  return {
+    sessionId,
+    apiBaseUrls,
+    resolvedRuntime
+  };
+}
+function normalizeResolvedRuntime(input) {
+  if (input === void 0 || input === null) {
+    return null;
+  }
+  if (typeof input !== "object" || Array.isArray(input)) {
+    return null;
+  }
+  const record = input;
+  const resolvedServices = normalizeStringArray(record["resolvedServices"] ?? []);
+  const resolvedSeeds = normalizeStringRecord(record["resolvedSeeds"] ?? {});
+  const manifestVersions = normalizeStringRecord(record["manifestVersions"] ?? {});
+  if (!resolvedServices || !resolvedSeeds || !manifestVersions) {
+    return null;
+  }
+  const capabilityVersion = typeof record["capabilityVersion"] === "string" ? record["capabilityVersion"] : void 0;
+  const runtimeVersion = typeof record["runtimeVersion"] === "string" ? record["runtimeVersion"] : void 0;
+  if (resolvedServices.length === 0 && Object.keys(resolvedSeeds).length === 0 && Object.keys(manifestVersions).length === 0 && !capabilityVersion && !runtimeVersion) {
+    return null;
+  }
+  return {
+    resolvedServices,
+    resolvedSeeds,
+    manifestVersions,
+    ...capabilityVersion ? { capabilityVersion } : {},
+    ...runtimeVersion ? { runtimeVersion } : {}
+  };
+}
+function normalizeWorkerLeases(input) {
+  if (input === void 0) {
+    return [];
+  }
+  if (!Array.isArray(input)) {
+    return null;
+  }
+  return input.flatMap((lease) => {
+    if (!lease || typeof lease !== "object" || Array.isArray(lease)) {
+      return [];
+    }
+    const record = lease;
+    const workerId = typeof record["workerId"] === "string" ? record["workerId"].trim() : "";
+    const updatedAt = typeof record["updatedAt"] === "string" ? record["updatedAt"].trim() : "";
+    const pid = typeof record["pid"] === "number" ? record["pid"] : Number.NaN;
+    if (!workerId || !updatedAt || !Number.isInteger(pid) || pid <= 0) {
+      return [];
+    }
+    return [{
+      workerId,
+      pid,
+      updatedAt
+    }];
+  });
+}
+function normalizeStringArray(input) {
+  if (!Array.isArray(input)) {
+    return null;
+  }
+  const values = input.flatMap((value) => {
+    if (typeof value !== "string") {
+      return [];
+    }
+    const trimmed = value.trim();
+    return trimmed ? [trimmed] : [];
+  });
+  return values.length === input.length ? values : null;
+}
+function normalizeStringRecord(input) {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return null;
+  }
+  const record = input;
+  const entries = Object.entries(record).flatMap(([key, value]) => {
+    if (typeof value !== "string") {
+      return [];
+    }
+    return [[key, value]];
+  });
+  return entries.length === Object.keys(record).length ? Object.fromEntries(entries) : null;
+}
+async function writeCoordinatorState(paths, state) {
+  await fs.writeFile(paths.statePath, JSON.stringify(state, null, 2) + "\n", "utf8");
+}
+async function clearCoordinatorState(paths) {
+  await Promise.all([
+    fs.rm(paths.statePath, { force: true }),
+    fs.rm(paths.reaperPidPath, { force: true })
+  ]);
+}
+async function readRunnerReaperState(paths) {
+  const raw = await fs.readFile(paths.reaperPidPath, "utf8").catch(() => null);
+  if (!raw) {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(raw);
+    if (typeof parsed === "number") {
+      if (!Number.isInteger(parsed) || parsed <= 0) {
+        return null;
+      }
+      return {
+        pid: parsed,
+        sessionId: ""
+      };
+    }
+    if (!parsed || typeof parsed.pid !== "number" || !Number.isInteger(parsed.pid) || parsed.pid <= 0 || typeof parsed.sessionId !== "string" || parsed.sessionId.trim().length === 0) {
+      return null;
+    }
+    return {
+      pid: parsed.pid,
+      sessionId: parsed.sessionId
+    };
+  } catch {
+    const pid = Number.parseInt(raw.trim(), 10);
+    if (!Number.isInteger(pid) || pid <= 0) {
+      return null;
+    }
+    return {
+      pid,
+      sessionId: ""
+    };
+  }
+}
+async function writeRunnerReaperState(paths, state) {
+  await fs.writeFile(paths.reaperPidPath, JSON.stringify(state) + "\n", "utf8");
+}
+async function stopRunnerReaper(paths) {
+  const reaperState = await readRunnerReaperState(paths);
+  if (!reaperState) {
+    await fs.rm(paths.reaperPidPath, { force: true }).catch(() => void 0);
+    return;
+  }
+  if (isProcessAlive(reaperState.pid)) {
+    try {
+      process.kill(reaperState.pid, "SIGTERM");
+    } catch {
+    }
+  }
+  await fs.rm(paths.reaperPidPath, { force: true }).catch(() => void 0);
+}
+function pruneLeases(leases) {
+  return leases.filter((lease) => isProcessAlive(lease.pid));
+}
+function runnerIsAlive(runnerPid) {
+  return isProcessAlive(runnerPid);
+}
+function resolveRequestedSeeds(config, serviceNames) {
+  const fileSeedServices = new Set(Object.keys(config.fileSeedContents ?? {}));
+  const requestedSeeds = Object.fromEntries(
+    serviceNames.flatMap((serviceName) => {
+      if (fileSeedServices.has(serviceName)) return [];
+      const seed = config.services[serviceName]?.seed?.trim();
+      return seed ? [[serviceName, seed]] : [];
+    })
+  );
+  return Object.keys(requestedSeeds).length > 0 ? requestedSeeds : void 0;
+}
+function retainedSessionWithoutLeases(state) {
+  if (!state?.session) {
+    return null;
+  }
+  return pruneLeases(state.leases).length === 0 ? state.session : null;
+}
+function activeWorkerSession(state) {
+  if (!state?.session) {
+    return null;
+  }
+  const leases = pruneLeases(state.leases);
+  if (leases.length === 0) {
+    return null;
+  }
+  return {
+    session: state.session,
+    leases
+  };
+}
+var CoordinatedHostedSessionManager = class {
+  constructor(paths, client, environment, config) {
+    this.paths = paths;
+    this.client = client;
+    this.environment = environment;
+    this.config = config;
+  }
+  async acquire(serviceNames, requestedSeeds) {
+    const workerId = resolveWorkerId();
+    const runnerPid = resolveRunnerPid(this.config);
+    return await withCoordinatorLock(this.paths, this.environment.readyTimeoutMs, async () => {
+      const stateResult = await readCoordinatorState(this.paths);
+      const existingState = stateResult.kind === "ready" ? stateResult.state : null;
+      if (stateResult.kind === "corrupt") {
+        const recoveredSession = await this.recoverCorruptCoordinatorState(
+          serviceNames,
+          requestedSeeds,
+          workerId,
+          runnerPid
+        );
+        if (recoveredSession) {
+          return { session: recoveredSession, acquisition: "reused" };
+        }
+      }
+      const activeSession = activeWorkerSession(existingState);
+      if (activeSession && requestedSeedsMatchSession(requestedSeeds, activeSession.session)) {
+        const reusableSession = await this.tryReuseSession(
+          activeSession.session,
+          serviceNames
+        );
+        if (!reusableSession) {
+          await this.client.stop(activeSession.session.sessionId).catch(() => void 0);
+          await stopRunnerReaper(this.paths);
+          await clearCoordinatorState(this.paths);
+        } else {
+          await this.ensureRunnerReaper(reusableSession.sessionId, runnerPid);
+          await writeCoordinatorState(this.paths, {
+            session: reusableSession,
+            leases: this.upsertLease(activeSession.leases, workerId)
+          });
+          return { session: reusableSession, acquisition: "reused" };
+        }
+      }
+      if (activeSession && !requestedSeedsMatchSession(requestedSeeds, activeSession.session)) {
+        await this.client.stop(activeSession.session.sessionId).catch(() => void 0);
+        await stopRunnerReaper(this.paths);
+        await clearCoordinatorState(this.paths);
+      }
+      const retainedSession = retainedSessionWithoutLeases(existingState);
+      if (retainedSession) {
+        if (!runnerIsAlive(runnerPid)) {
+          await this.client.stop(retainedSession.sessionId).catch(() => void 0);
+          await stopRunnerReaper(this.paths);
+          await clearCoordinatorState(this.paths);
+        } else if (!requestedSeedsMatchSession(requestedSeeds, retainedSession)) {
+          await this.client.stop(retainedSession.sessionId).catch(() => void 0);
+          await stopRunnerReaper(this.paths);
+          await clearCoordinatorState(this.paths);
+        } else {
+          const reusableSession = await this.tryReuseSession(retainedSession, serviceNames);
+          if (reusableSession) {
+            await this.ensureRunnerReaper(reusableSession.sessionId, runnerPid);
+            await writeCoordinatorState(this.paths, {
+              session: reusableSession,
+              leases: this.upsertLease([], workerId)
+            });
+            return { session: reusableSession, acquisition: "reused" };
+          }
+          await this.client.stop(retainedSession.sessionId).catch(() => void 0);
+          await stopRunnerReaper(this.paths);
+          await clearCoordinatorState(this.paths);
+        }
+      }
+      const startedSession = await this.client.startRouteSession(serviceNames, requestedSeeds, {
+        source: "test"
+      });
+      await this.ensureRunnerReaper(startedSession.sessionId, runnerPid);
+      await writeCoordinatorState(this.paths, {
+        session: startedSession,
+        leases: this.upsertLease([], workerId)
+      });
+      return { session: startedSession, acquisition: "fresh" };
+    });
+  }
+  async release() {
+    const workerId = resolveWorkerId();
+    const runnerPid = resolveRunnerPid(this.config);
+    await withCoordinatorLock(this.paths, this.environment.readyTimeoutMs, async () => {
+      const stateResult = await readCoordinatorState(this.paths);
+      if (stateResult.kind !== "ready") {
+        return;
+      }
+      const existingState = stateResult.state;
+      const remainingLeases = pruneLeases(existingState.leases).filter((lease) => lease.workerId !== workerId);
+      if (remainingLeases.length > 0) {
+        await writeCoordinatorState(this.paths, {
+          session: existingState.session,
+          leases: remainingLeases
+        });
+        return;
+      }
+      const shouldRetainSession = runnerIsAlive(runnerPid) && !shouldStopSessionOnRelease();
+      if (shouldRetainSession) {
+        await writeCoordinatorState(this.paths, {
+          session: existingState.session,
+          leases: []
+        });
+        return;
+      }
+      await this.client.stop(existingState.session.sessionId);
+      await stopRunnerReaper(this.paths);
+      await clearCoordinatorState(this.paths);
+    });
+  }
+  upsertLease(leases, workerId) {
+    const nextLease = {
+      workerId,
+      pid: process.pid,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    const withoutExisting = leases.filter((lease) => lease.workerId !== workerId);
+    return [...withoutExisting, nextLease];
+  }
+  async recoverCorruptCoordinatorState(serviceNames, requestedSeeds, workerId, runnerPid) {
+    const reaperState = await readRunnerReaperState(this.paths);
+    if (!reaperState) {
+      await clearCoordinatorState(this.paths);
+      return null;
+    }
+    if (!reaperState.sessionId) {
+      await stopRunnerReaper(this.paths);
+      await clearCoordinatorState(this.paths);
+      return null;
+    }
+    if (!runnerIsAlive(runnerPid)) {
+      await this.client.stop(reaperState.sessionId).catch(() => void 0);
+      await stopRunnerReaper(this.paths);
+      await clearCoordinatorState(this.paths);
+      return null;
+    }
+    const reusableSession = await this.client.reuseRouteSession(
+      {
+        sessionId: reaperState.sessionId,
+        apiBaseUrls: {},
+        resolvedRuntime: {
+          resolvedServices: [],
+          resolvedSeeds: {},
+          manifestVersions: {}
+        }
+      },
+      serviceNames
+    );
+    if (reusableSession && requestedSeedsMatchSession(requestedSeeds, reusableSession)) {
+      await this.ensureRunnerReaper(reusableSession.sessionId, runnerPid);
+      if (trimEnv("ARCHAL_VITEST_DISABLE_RUNNER_REAPER") === "1") {
+        await fs.rm(this.paths.reaperPidPath, { force: true }).catch(() => void 0);
+      }
+      await writeCoordinatorState(this.paths, {
+        session: reusableSession,
+        leases: this.upsertLease([], workerId)
+      });
+      return reusableSession;
+    }
+    await this.client.stop(reaperState.sessionId).catch(() => void 0);
+    await stopRunnerReaper(this.paths);
+    await clearCoordinatorState(this.paths);
+    return null;
+  }
+  async tryReuseSession(session, serviceNames) {
+    try {
+      return await this.client.reuseRouteSession(session, serviceNames);
+    } catch {
+      return null;
+    }
+  }
+  async ensureRunnerReaper(sessionId, runnerPid) {
+    if (trimEnv("ARCHAL_VITEST_DISABLE_RUNNER_REAPER") === "1") {
+      return;
+    }
+    const existingReaper = await readRunnerReaperState(this.paths);
+    if (existingReaper && isProcessAlive(existingReaper.pid)) {
+      if (existingReaper.sessionId === sessionId) {
+        return;
+      }
+      await stopRunnerReaper(this.paths);
+    }
+    const reaperPath = resolveRuntimeModule("./runtime/hosted-session-reaper.js");
+    const child = spawn(process.execPath, [reaperPath], {
+      detached: true,
+      stdio: "ignore",
+      env: {
+        ...process.env,
+        ARCHAL_VITEST_API_URL: this.environment.apiBaseUrl,
+        ARCHAL_VITEST_REAPER_API_BASE_URL: this.environment.apiBaseUrl,
+        ARCHAL_VITEST_REAPER_SESSION_ID: sessionId,
+        ARCHAL_VITEST_REAPER_RUNNER_PID: String(runnerPid),
+        ARCHAL_VITEST_REAPER_RENEW_INTERVAL_MS: String(this.environment.renewIntervalMs),
+        ARCHAL_VITEST_REAPER_COORDINATOR_DIR: this.paths.directory,
+        ARCHAL_VITEST_REAPER_LOCK_DIR: this.paths.lockDirectory,
+        ARCHAL_VITEST_REAPER_STATE_PATH: this.paths.statePath,
+        ARCHAL_VITEST_REAPER_PID_PATH: this.paths.reaperPidPath
+      }
+    });
+    child.unref();
+    if (!child.pid) {
+      throw new Error("Archal Vitest runner reaper failed to start.");
+    }
+    await writeRunnerReaperState(this.paths, { pid: child.pid, sessionId });
+  }
+};
+function buildNoSession() {
+  return {
+    sessionId: `archal-vitest-${randomUUID()}`,
+    services: [],
+    resolvedRuntime: {
+      resolvedServices: [],
+      resolvedSeeds: {},
+      manifestVersions: {}
+    },
+    // No hosted session was provisioned (route-mode config had no services)
+    // so there's no cold-start cost to report. Mark as `reused` so the
+    // bootstrap's twin-startup log treats this as zero-cost and stays quiet.
+    acquisition: "reused"
+  };
+}
+function buildRoutedServices(serviceNames, apiBaseUrls, environment) {
+  return serviceNames.map((serviceName) => {
+    const baseUrl = apiBaseUrls[serviceName];
+    if (!baseUrl) {
+      throw new Error(
+        `Hosted Vitest session did not return apiBaseUrls.${serviceName}.`
+      );
+    }
+    const manifest = getSharedRouteManifest(serviceName);
+    return {
+      name: serviceName,
+      mode: "route",
+      baseUrl,
+      upstreamBasePath: manifest?.upstreamBasePath,
+      routedRequestHeaders: () => {
+        const authorization = environment.auth.getAuthorizationHeader();
+        if (!authorization) {
+          throw new Error("Hosted Vitest routing auth is unavailable.");
+        }
+        const workerId = currentVitestWorkerId();
+        const headers = { authorization };
+        if (workerId) headers[WORKER_ID_HEADER] = workerId;
+        return headers;
+      },
+      forwardedAuthorizationHeader: FORWARDED_AUTHORIZATION_HEADER
+    };
+  });
+}
+async function startHostedArchalVitestSession(config) {
+  assertSupportedArchalVitestServices(config.services);
+  const routedServiceNames = Object.entries(config.services).filter(([, serviceConfig]) => serviceConfig.mode === "route").map(([serviceName]) => serviceName);
+  if (routedServiceNames.length === 0) {
+    return buildNoSession();
+  }
+  const requestedSeeds = resolveRequestedSeeds(config, routedServiceNames);
+  const environment = await resolveHostedSessionEnvironment();
+  const hostedClient = new HostedSessionClient(environment);
+  const coordinator = new CoordinatedHostedSessionManager(
+    resolveCoordinatorPaths(config),
+    hostedClient,
+    environment,
+    config
+  );
+  try {
+    const { session, acquisition } = await coordinator.acquire(routedServiceNames, requestedSeeds);
+    return {
+      sessionId: session.sessionId,
+      services: buildRoutedServices(routedServiceNames, session.apiBaseUrls, environment),
+      resolvedRuntime: session.resolvedRuntime,
+      acquisition,
+      stop: async () => {
+        try {
+          await coordinator.release();
+        } finally {
+          environment.auth.stop();
+        }
+      }
+    };
+  } catch (error) {
+    environment.auth.stop();
+    throw error;
+  }
+}
+var VITEST_AUTH_LEASE_OPTIONS = {
+  apiUrlEnvVar: "ARCHAL_VITEST_API_URL"
+};
+
+// src/runtime/bootstrap.ts
+var GLOBAL_RUNTIME_KEY = "__archalVitestRuntime";
+var GLOBAL_SESSION_KEY = "__archalVitestSession";
+var GLOBAL_CLEANUP_HANDLER_KEY = "__archalVitestRuntimeCleanupHandlerRegistered";
+var GLOBAL_BOOTSTRAP_PROMISE_KEY = "__archalVitestRuntimeBootstrapPromise";
+var GLOBAL_STOP_PROMISE_KEY = "__archalVitestRuntimeStopPromise";
+var ARCHAL_VITEST_ROUTE_TRACE_ENV = "ARCHAL_VITEST_ROUTE_TRACE";
+var activeFullSession;
+var baselineTwinStates = /* @__PURE__ */ new Map();
+var baselineCaptured = false;
+var sessionStartedAt;
+function emitUsageEstimate(services) {
+  if (sessionStartedAt === void 0 || services.length === 0) return;
+  if (process.env["ARCHAL_VITEST_QUIET_USAGE"] === "1") return;
+  const durationSec = (Date.now() - sessionStartedAt) / 1e3;
+  const twinMinutes = Math.max(1, Math.ceil(durationSec / 60)) * services.length;
+  const twinList = services.map((s) => s.name).sort().join(", ");
+  process.stderr.write(
+    `\x1B[2m[archal] ~${twinMinutes} twin-minute${twinMinutes === 1 ? "" : "s"} for this run (${durationSec.toFixed(1)}s \xD7 ${services.length} twin${services.length === 1 ? "" : "s"}: ${twinList})\x1B[0m
+`
+  );
+}
+function twinStateUrl(serviceBaseUrl) {
+  return serviceBaseUrl.replace(/\/api\/?$/, "/state");
+}
+function resolveRoutedHeaders(service) {
+  try {
+    const headers = service.routedRequestHeaders;
+    if (typeof headers === "function") return headers();
+    return headers ?? {};
+  } catch (err) {
+    activeFullSession = void 0;
+    throw new Error(
+      `Archal auth expired mid-test-run for twin "${service.name}". Re-run tests to refresh. (${err instanceof Error ? err.message : String(err)})`
+    );
+  }
+}
+var WORKER_ID_HEADER2 = "x-archal-worker-id";
+function resolveDefaultScopeHeaders(service) {
+  const all = resolveRoutedHeaders(service);
+  const { [WORKER_ID_HEADER2]: _discarded, ...rest } = all;
+  return rest;
+}
+function twinRootUrl(serviceBaseUrl) {
+  return serviceBaseUrl.replace(/\/api\/?$/, "");
+}
+async function fetchArchalTwin(serviceName, path, init) {
+  const session = activeFullSession;
+  if (!session) {
+    throw new Error(
+      "fetchArchalTwin() called before the Archal route runtime was installed. Ensure archalVitestProject() or withArchal() is wired into your vitest config, and that setup has completed."
+    );
+  }
+  const service = session.services.find((s) => s.name === serviceName);
+  if (!service) {
+    const available = session.services.map((s) => s.name).sort().join(", ") || "(none)";
+    throw new Error(
+      `No twin named "${serviceName}" in this session. Available: ${available}.`
+    );
+  }
+  const headers = resolveRoutedHeaders(service);
+  const suffix = path.startsWith("/") ? path : `/${path}`;
+  const url = `${twinRootUrl(service.baseUrl)}${suffix}`;
+  const requestInit = {
+    ...init,
+    headers: { ...headers, ...init?.headers ?? {} }
+  };
+  return fetch(url, requestInit);
+}
+async function fetchArchalTwinDefaultScope(serviceName, path, init) {
+  const session = activeFullSession;
+  if (!session) {
+    throw new Error("fetchArchalTwinDefaultScope: no active session");
+  }
+  const service = session.services.find((s) => s.name === serviceName);
+  if (!service) {
+    throw new Error(`No twin "${serviceName}" in session`);
+  }
+  const headers = resolveDefaultScopeHeaders(service);
+  const suffix = path.startsWith("/") ? path : `/${path}`;
+  const url = `${twinRootUrl(service.baseUrl)}${suffix}`;
+  return fetch(url, {
+    ...init,
+    headers: { ...headers, ...init?.headers ?? {} }
+  });
+}
+async function captureBaselineTwinStates(session) {
+  baselineTwinStates.clear();
+  baselineCaptured = false;
+  await Promise.all(session.services.map(async (service) => {
+    try {
+      const headers = resolveDefaultScopeHeaders(service);
+      const res = await fetch(twinStateUrl(service.baseUrl), {
+        method: "GET",
+        headers: { ...headers, accept: "application/json" }
+      });
+      if (!res.ok) {
+        process.stderr.write(
+          `[archal] warning: failed to capture baseline for twin "${service.name}": ${res.status} ${res.statusText}
+`
+        );
+        return;
+      }
+      baselineTwinStates.set(service.name, await res.text());
+    } catch (err) {
+      process.stderr.write(
+        `[archal] warning: failed to capture baseline for twin "${service.name}": ${err instanceof Error ? err.message : String(err)}
+`
+      );
+    }
+  }));
+  baselineCaptured = true;
+}
+async function resetArchalTwins() {
+  const session = activeFullSession;
+  if (!session) {
+    throw new Error(
+      "resetArchalTwins() called before the Archal route runtime was installed. Ensure archalVitestProject() or withArchal() is wired into your vitest config, and that setup has completed."
+    );
+  }
+  if (!baselineCaptured) {
+    throw new Error(
+      "resetArchalTwins() called but baseline state was never captured. This usually means bootstrapArchalVitestRouting() has not completed."
+    );
+  }
+  await Promise.all(session.services.map(async (service) => {
+    const baseline = baselineTwinStates.get(service.name);
+    if (baseline === void 0) {
+      throw new Error(
+        `No baseline state captured for twin "${service.name}". This usually means the twin was not reachable during setup.`
+      );
+    }
+    const stateUrl = twinStateUrl(service.baseUrl);
+    const defaultHeaders = resolveDefaultScopeHeaders(service);
+    const defaultRes = await fetch(stateUrl, {
+      method: "PUT",
+      headers: { ...defaultHeaders, "content-type": "application/json" },
+      body: baseline
+    });
+    if (!defaultRes.ok) {
+      throw new Error(
+        `Failed to reset shared state for twin "${service.name}": ${defaultRes.status} ${defaultRes.statusText}`
+      );
+    }
+    const workerHeaders = resolveRoutedHeaders(service);
+    const workerRes = await fetch(stateUrl, {
+      method: "PUT",
+      headers: { ...workerHeaders, "content-type": "application/json" },
+      body: baseline
+    });
+    if (!workerRes.ok) {
+      throw new Error(
+        `Failed to reset per-worker state for twin "${service.name}": ${workerRes.status} ${workerRes.statusText}`
+      );
+    }
+    try {
+      const whRes = await fetch(`${twinRootUrl(service.baseUrl)}/webhooks/pending`, {
+        method: "DELETE",
+        headers: workerHeaders
+      });
+      if (!whRes.ok && whRes.status !== 404) {
+        process.stderr.write(
+          `[archal] warning: failed to drain webhook queue for "${service.name}": ${whRes.status} ${whRes.statusText}
+`
+        );
+      }
+    } catch {
+    }
+  }));
+}
+function emitManifestDriftWarning(session) {
+  if (process.env["ARCHAL_VITEST_QUIET_DRIFT"] === "1") return;
+  const serverVersions = session.resolvedRuntime?.manifestVersions ?? {};
+  const drifts = [];
+  for (const service of session.services) {
+    const serverVersion = serverVersions[service.name];
+    const local = getSharedRouteManifest(service.name);
+    if (!serverVersion || !local) continue;
+    if (local.manifestVersion !== serverVersion) {
+      drifts.push({
+        service: service.name,
+        server: serverVersion,
+        client: local.manifestVersion
+      });
+    }
+  }
+  if (drifts.length === 0) return;
+  const lines = drifts.map(
+    (d) => `  ${d.service}: client ${d.client} vs server ${d.server}`
+  );
+  process.stderr.write(
+    "\x1B[33m[archal] manifest version drift \u2014 upgrade the `archal` package to match the hosted twins:\n" + lines.join("\n") + "\x1B[0m\n"
+  );
+}
+function emitProgressTicker(config) {
+  if (process.env["ARCHAL_VITEST_QUIET_PROGRESS"] === "1") {
+    return () => {
+    };
+  }
+  const serviceNames = Object.keys(config.services).sort();
+  const services = serviceNames.join(", ");
+  const twinWord = serviceNames.length === 1 ? "twin" : "twins";
+  const start = Date.now();
+  const ticker = setInterval(() => {
+    const elapsed = Math.round((Date.now() - start) / 1e3);
+    if (elapsed >= 60) {
+      clearInterval(ticker);
+      return;
+    }
+    process.stderr.write(
+      `\x1B[2m[archal] provisioning ${services} ${twinWord}... ${elapsed}s\x1B[0m
+`
+    );
+  }, 5e3);
+  ticker.unref();
+  return () => clearInterval(ticker);
+}
+function isTruthyEnv(value) {
+  if (!value) {
+    return false;
+  }
+  switch (value.trim().toLowerCase()) {
+    case "1":
+    case "true":
+    case "yes":
+    case "on":
+      return true;
+    default:
+      return false;
+  }
+}
+function formatTraceRecord(record) {
+  const manifestStatus = record.manifestMatched ? `matched ${record.service ?? "manifest"}` : "no manifest match";
+  const destination = record.target === "twin" ? `twin${record.targetUrl ? ` ${record.targetUrl}` : ""}` : record.target === "upstream" ? "real upstream" : "blocked";
+  const status = record.statusCode === void 0 ? record.error ? `error=${record.error}` : "no status" : `${record.statusCode}${record.statusText ? ` ${record.statusText}` : ""}`;
+  return `\x1B[2m[archal:route] ${record.method} ${record.sourceUrl} | ${manifestStatus} | ${record.outcome} -> ${destination} | ${status}\x1B[0m
+`;
+}
+async function startSession(config) {
+  const stopTicker = emitProgressTicker(config);
+  try {
+    sessionStartedAt = Date.now();
+    return await startHostedArchalVitestSession(config);
+  } finally {
+    stopTicker();
+  }
+}
+var DEFAULT_STARTUP_LOG_MIN_MS = 3e3;
+function resolveStartupLogThresholdMs() {
+  const raw = process.env["ARCHAL_VITEST_STARTUP_LOG_MIN_MS"];
+  if (!raw) return DEFAULT_STARTUP_LOG_MIN_MS;
+  const parsed = Number.parseInt(raw.trim(), 10);
+  if (!Number.isFinite(parsed) || parsed < 0) return DEFAULT_STARTUP_LOG_MIN_MS;
+  return parsed;
+}
+function emitTwinStartupSummary(phases) {
+  if (process.env["ARCHAL_VITEST_QUIET_STARTUP"] === "1") return;
+  const threshold = resolveStartupLogThresholdMs();
+  if (phases.totalMs < threshold) return;
+  if (phases.twinCount === 0) return;
+  const twinLabel = phases.twinCount === 1 ? "twin" : "twins";
+  const twinList = phases.twinNames.length > 0 ? ` [${phases.twinNames.slice().sort().join(", ")}]` : "";
+  const mode = phases.acquisition === "unknown" ? "" : ` (${phases.acquisition})`;
+  const parts = [];
+  if (phases.acquireMs >= 10) parts.push(`acquire=${phases.acquireMs}ms`);
+  if (phases.seedLoadMs >= 10) parts.push(`seed-load=${phases.seedLoadMs}ms`);
+  if (phases.baselineMs >= 10) parts.push(`baseline=${phases.baselineMs}ms`);
+  const breakdown = parts.length > 0 ? ` (${parts.join(", ")})` : "";
+  process.stderr.write(
+    `\x1B[2m[archal/vitest] twin-startup${mode}: ${phases.totalMs}ms for ${phases.twinCount} ${twinLabel}${twinList}${breakdown}\x1B[0m
+`
+  );
+}
+var pendingStartupPhases;
+async function buildRuntimeConfig(scope) {
+  const config = readArchalVitestConfigFromEnv();
+  let acquireMs = 0;
+  let acquisition = "unknown";
+  let session = activeFullSession;
+  if (!session) {
+    const acquireStart = Date.now();
+    session = await startSession(config);
+    acquireMs = Date.now() - acquireStart;
+    acquisition = session.acquisition ?? "unknown";
+  } else {
+    acquisition = "reused";
+  }
+  activeFullSession = session;
+  pendingStartupPhases = {
+    acquireMs,
+    seedLoadMs: 0,
+    baselineMs: 0,
+    totalMs: acquireMs,
+    acquisition,
+    twinCount: session.services.length,
+    twinNames: session.services.map((s) => s.name)
+  };
+  scope[GLOBAL_SESSION_KEY] = redactSessionSnapshot(session);
+  try {
+    const { writeFileSync, mkdirSync } = await import("fs");
+    const { dirname: dirname2 } = await import("path");
+    const sessionIdPath = getSessionIdFilePath(config.sessionKey);
+    mkdirSync(dirname2(sessionIdPath), { recursive: true });
+    writeFileSync(sessionIdPath, session.sessionId, "utf-8");
+  } catch {
+  }
+  return {
+    profiles: resolveArchalVitestServiceProfiles(config.services),
+    services: session.services,
+    trace: isTruthyEnv(process.env[ARCHAL_VITEST_ROUTE_TRACE_ENV]) ? {
+      enabled: true,
+      onTrace: (record) => {
+        process.stderr.write(formatTraceRecord(record));
+      }
+    } : void 0
+  };
+}
+async function stopArchalVitestRouting() {
+  const scope = globalThis;
+  if (scope[GLOBAL_BOOTSTRAP_PROMISE_KEY]) {
+    await scope[GLOBAL_BOOTSTRAP_PROMISE_KEY].catch(() => {
+    });
+  }
+  if (scope[GLOBAL_STOP_PROMISE_KEY]) {
+    await scope[GLOBAL_STOP_PROMISE_KEY];
+    return;
+  }
+  scope[GLOBAL_STOP_PROMISE_KEY] = (async () => {
+    const runtime = scope[GLOBAL_RUNTIME_KEY];
+    const session = activeFullSession;
+    const services = session?.services.map((s) => ({ name: s.name })) ?? [];
+    delete scope[GLOBAL_RUNTIME_KEY];
+    delete scope[GLOBAL_SESSION_KEY];
+    emitUsageEstimate(services);
+    sessionStartedAt = void 0;
+    activeFullSession = void 0;
+    baselineTwinStates.clear();
+    baselineCaptured = false;
+    await runtime?.stop();
+    await session?.stop?.();
+  })();
+  try {
+    await scope[GLOBAL_STOP_PROMISE_KEY];
+  } finally {
+    delete scope[GLOBAL_STOP_PROMISE_KEY];
+  }
+}
+async function bootstrapArchalVitestRouting() {
+  const scope = globalThis;
+  if (scope[GLOBAL_RUNTIME_KEY]) {
+    return scope[GLOBAL_RUNTIME_KEY];
+  }
+  if (scope[GLOBAL_BOOTSTRAP_PROMISE_KEY]) {
+    return await scope[GLOBAL_BOOTSTRAP_PROMISE_KEY];
+  }
+  scope[GLOBAL_BOOTSTRAP_PROMISE_KEY] = (async () => {
+    const runtime = new NodeRouteRuntime(await buildRuntimeConfig(scope));
+    await runtime.start();
+    runtime.installRouting();
+    scope[GLOBAL_RUNTIME_KEY] = runtime;
+    const config = readArchalVitestConfigFromEnv();
+    if (config.fileSeedContents && Object.keys(config.fileSeedContents).length > 0) {
+      const seedStart = Date.now();
+      await loadFileSeedsIntoTwins(config, fetchArchalTwinDefaultScope, {
+        timeoutEnvVar: "ARCHAL_VITEST_SEED_LOAD_TIMEOUT_MS"
+      });
+      if (pendingStartupPhases) {
+        pendingStartupPhases.seedLoadMs = Date.now() - seedStart;
+      }
+    }
+    if (activeFullSession) {
+      emitManifestDriftWarning(activeFullSession);
+      const baselineStart = Date.now();
+      await captureBaselineTwinStates(activeFullSession);
+      if (pendingStartupPhases) {
+        pendingStartupPhases.baselineMs = Date.now() - baselineStart;
+      }
+    }
+    if (pendingStartupPhases) {
+      pendingStartupPhases.totalMs = pendingStartupPhases.acquireMs + pendingStartupPhases.seedLoadMs + pendingStartupPhases.baselineMs;
+      emitTwinStartupSummary(pendingStartupPhases);
+      pendingStartupPhases = void 0;
+    }
+    if (!scope[GLOBAL_CLEANUP_HANDLER_KEY]) {
+      const asyncCleanupAndExit = (exitCode) => {
+        void stopArchalVitestRouting().finally(() => {
+          process.exit(exitCode);
+        });
+      };
+      process.once("beforeExit", () => {
+        void stopArchalVitestRouting();
+      });
+      process.once("disconnect", () => {
+        void stopArchalVitestRouting();
+      });
+      process.once("SIGINT", () => asyncCleanupAndExit(130));
+      process.once("SIGTERM", () => asyncCleanupAndExit(143));
+      scope[GLOBAL_CLEANUP_HANDLER_KEY] = true;
+    }
+    return runtime;
+  })();
+  try {
+    return await scope[GLOBAL_BOOTSTRAP_PROMISE_KEY];
+  } finally {
+    delete scope[GLOBAL_BOOTSTRAP_PROMISE_KEY];
+  }
+}
+function getInstalledArchalVitestRuntime() {
+  return globalThis[GLOBAL_RUNTIME_KEY];
+}
+function getInstalledArchalVitestSession() {
+  return globalThis[GLOBAL_SESSION_KEY];
+}
+
+export {
+  resolveRuntimeModule,
+  ARCHAL_VITEST_CONFIG_ENV,
+  readArchalVitestConfig,
+  assertSupportedArchalVitestServices,
+  fetchArchalTwin,
+  resetArchalTwins,
+  bootstrapArchalVitestRouting,
+  getInstalledArchalVitestRuntime,
+  getInstalledArchalVitestSession
+};