cool-workflow 0.1.79 → 0.1.81

package/dist/dispatch.js

@@ -32,6 +32,12 @@ function createDispatchManifest(run, limit, options = {}) {
     const requestedSandboxProfileId = options.sandboxProfileId || options.sandbox;
     const sandboxProfileId = String(requestedSandboxProfileId || sandbox_profile_1.DEFAULT_SANDBOX_PROFILE_ID);
     (0, sandbox_profile_1.resolveSandboxProfileById)(sandboxProfileId, (0, sandbox_profile_1.sandboxContextForValidation)(run.cwd));
+    // H7: if the requested profile is a CUSTOM profile loaded from a FILE (non-bundled,
+    // existing file), persist its DEFINITION on run.customSandboxProfiles keyed by the
+    // definition's logical id. This makes the custom profile durable with run state so a
+    // worker boundary can re-resolve it by logical id after a scope snapshot is lost
+    // (re-resolving against the worker context, not the dispatch-time file path).
+    persistCustomSandboxProfile(run, sandboxProfileId);
     // Resolve the execution backend once (mechanism vs policy): the kernel records
     // WHICH backend was selected; it never branches on which one. Defaults to node
     // (behavior-preserving) when no `--backend` flag / CW_BACKEND env is set.
@@ -199,3 +205,32 @@ function createDispatchId() {
     const stamp = new Date().toISOString().replace(/[-:]/g, "").replace(/\..+/, "Z");
     return `dispatch-${stamp}-${Math.random().toString(36).slice(2, 8)}`;
 }
+// H7: persist a CUSTOM sandbox profile DEFINITION (loaded from a FILE at dispatch)
+// onto run.customSandboxProfiles, keyed by the definition's logical id. Only fires
+// for a non-bundled id that resolves to a readable, valid profile file. The
+// resolveSandboxProfileById call above has already validated the file (it throws on
+// invalid), so this re-parses only to recover the raw DEFINITION — we store the
+// definition (not a resolved policy) so worker-specific path tokens re-bind to the
+// correct worker context on every later re-resolve. Bundled ids and unknown ids are
+// left untouched, so this never shadows a bundled profile or masks a fail-closed.
+function persistCustomSandboxProfile(run, requested) {
+    if (!requested || (0, sandbox_profile_1.isBundledSandboxProfileId)(requested))
+        return;
+    const absolute = node_path_1.default.resolve(requested);
+    if (!node_fs_1.default.existsSync(absolute) || !node_fs_1.default.statSync(absolute).isFile())
+        return;
+    const validation = (0, sandbox_profile_1.validateSandboxProfileFile)(requested, (0, sandbox_profile_1.sandboxContextForValidation)(run.cwd));
+    if (!validation.valid || !validation.profile)
+        return;
+    let definition;
+    try {
+        definition = JSON.parse(node_fs_1.default.readFileSync(absolute, "utf8"));
+    }
+    catch {
+        return;
+    }
+    if (!definition || typeof definition !== "object" || typeof definition.id !== "string" || !definition.id)
+        return;
+    run.customSandboxProfiles = run.customSandboxProfiles || {};
+    run.customSandboxProfiles[definition.id] = definition;
+}

package/dist/drive.js

@@ -31,12 +31,15 @@ exports.driveConcurrentRound = driveConcurrentRound;
 exports.drive = drive;
 exports.drivePreview = drivePreview;
 const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
 const dispatch_1 = require("./dispatch");
 const execution_backend_1 = require("./execution-backend");
 const worker_isolation_1 = require("./worker-isolation");
 const agent_config_1 = require("./agent-config");
 const scheduling_1 = require("./scheduling");
 const observability_1 = require("./observability");
+const state_1 = require("./state");
+const compare_1 = require("./compare");
 exports.DRIVE_SCHEMA_VERSION = 1;
 /** The task the next drive step would advance: a RUNNING (already-dispatched,
  *  awaiting fulfillment / retry) task first, else the next PENDING task in the
@@ -198,21 +201,39 @@ function processSelectedTask(ctx, selected, preparedOutcome) {
     // Progress BEFORE the (possibly multi-minute) agent spawn, so a live drive shows
     // immediate activity instead of a long silence on the first worker. task.label
     // is the human-facing display name; the id stays the stable reference.
-    emitProgress(`→ ${selected.label || selected.id} (${selected.phase}) — ${dispatched ? "dispatched, " : ""}spawning agent, may take minutes…`);
     const promptDigest = node_fs_1.default.existsSync(manifest.inputPath) ? (0, execution_backend_1.sha256)(node_fs_1.default.readFileSync(manifest.inputPath, "utf8")) : (0, execution_backend_1.sha256)(manifest.prompt || "");
+    const cachePath = resultCachePath(run, selected, (0, execution_backend_1.sha256)(selected.prompt));
+    if (cachePath && node_fs_1.default.existsSync(cachePath)) {
+        emitProgress(`↺ ${selected.label || selected.id} (${selected.phase}) — accepting cached result`);
+        try {
+            node_fs_1.default.writeFileSync(manifest.resultPath, node_fs_1.default.readFileSync(cachePath, "utf8"), "utf8");
+            runner.recordWorkerOutput(runId, workerId, manifest.resultPath, {});
+        }
+        catch (error) {
+            return handleHop(ctx, selected, workerId, `result cache rejected: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        return step("accept", "ok", {
+            runId,
+            taskId: selected.id,
+            phase: selected.phase,
+            handleKind: "result-cache",
+            reason: "result cache hit"
+        });
+    }
+    emitProgress(`→ ${selected.label || selected.id} (${selected.phase}) — ${dispatched ? "dispatched, " : ""}spawning agent, may take minutes…`);
     const envelope = (0, execution_backend_1.runBackend)(buildAgentRequest(ctx, run, selected, manifest, preparedOutcome));
     const handle = envelope.provenance.handle;
     const reportedModel = handle?.metadata?.reportedModel || "unreported";
     const reportedUsage = handle?.metadata?.reportedUsage;
     const usageSignature = handle?.metadata?.usageSignature;
     if (envelope.status !== "completed") {
-        return handleHop(ctx, selected, workerId, `agent hop ${envelope.status}: ${envelope.result.summary}`, dispatched);
+        return handleHop(ctx, selected, workerId, `agent hop ${envelope.status}: ${envelope.result.summary}`);
     }
     // 3. ACCEPT — the SEPARATE recordWorkerOutput layer validates + records result.md.
     //    A missing result.md is a failed hop (pre-checked so no terminal side effect);
     //    an invalid result.md throws at validation BEFORE any state mutation.
     if (!manifest.resultPath || !node_fs_1.default.existsSync(manifest.resultPath)) {
-        return handleHop(ctx, selected, workerId, "agent produced no result.md", dispatched);
+        return handleHop(ctx, selected, workerId, "agent produced no result.md");
     }
     try {
         runner.recordWorkerOutput(runId, workerId, manifest.resultPath, {
@@ -234,7 +255,10 @@ function processSelectedTask(ctx, selected, preparedOutcome) {
         });
     }
     catch (error) {
-        return handleHop(ctx, selected, workerId, `result.md rejected: ${error instanceof Error ? error.message : String(error)}`, dispatched);
+        return handleHop(ctx, selected, workerId, `result.md rejected: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    if (cachePath && manifest.resultPath && node_fs_1.default.existsSync(manifest.resultPath)) {
+        writeResultCache(cachePath, node_fs_1.default.readFileSync(manifest.resultPath, "utf8"));
     }
     return step("accept", "ok", {
         runId,
@@ -245,6 +269,53 @@ function processSelectedTask(ctx, selected, preparedOutcome) {
         reportedModel
     });
 }
+function resultCachePath(run, task, promptDigest) {
+    const policy = task.resultCache;
+    if (!policy || policy.mode !== "read-write")
+        return undefined;
+    const keyInput = policy.keyInput;
+    const keyValue = keyInput ? String(run.inputs[keyInput] || "").trim() : "";
+    if (!keyInput || !keyValue)
+        return undefined;
+    const completedResultsDigest = completedResultsCacheDigest(run, task);
+    if (completedResultsDigest === undefined)
+        return undefined;
+    const digest = (0, execution_backend_1.sha256)(JSON.stringify({
+        schemaVersion: 1,
+        workflowId: run.workflow.id,
+        taskId: task.id,
+        keyInput,
+        keyValue,
+        promptDigest,
+        completedResultsDigest
+    })).replace(/^sha256:/, "");
+    return node_path_1.default.join(run.cwd, ".cw", "cache", "worker-results", (0, state_1.safeFileName)(run.workflow.id), `${(0, state_1.safeFileName)(task.id)}-${digest.slice(0, 32)}.md`);
+}
+function completedResultsCacheDigest(run, task) {
+    if (task.resultCache?.includeCompletedResults !== "previous-phases")
+        return "";
+    const phaseIndex = run.phases.findIndex((phase) => phase.name === task.phase || phase.id === task.phase);
+    if (phaseIndex < 0)
+        return undefined;
+    const previousTaskIds = new Set(run.phases.slice(0, phaseIndex).flatMap((phase) => phase.taskIds));
+    const records = run.tasks
+        .filter((candidate) => previousTaskIds.has(candidate.id))
+        .sort((a, b) => (0, compare_1.compareBytes)(a.id, b.id))
+        .map((candidate) => {
+        if (candidate.status !== "completed" || !candidate.resultPath || !node_fs_1.default.existsSync(candidate.resultPath))
+            return undefined;
+        return [candidate.id, (0, execution_backend_1.sha256)(node_fs_1.default.readFileSync(candidate.resultPath, "utf8"))];
+    });
+    if (records.some((record) => record === undefined))
+        return undefined;
+    return (0, execution_backend_1.sha256)(JSON.stringify(records));
+}
+function writeResultCache(file, content) {
+    node_fs_1.default.mkdirSync(node_path_1.default.dirname(file), { recursive: true });
+    const tmp = `${file}.${process.pid}.tmp`;
+    node_fs_1.default.writeFileSync(tmp, content, "utf8");
+    node_fs_1.default.renameSync(tmp, file);
+}
 /** Advance ONE concurrent ROUND: fulfill up to `limit` ready tasks in the first
  *  runnable phase as a single batch, recording results in DETERMINISTIC task
  *  order (the existing phase/dispatch order) regardless of completion order — so
@@ -322,6 +393,9 @@ function prepareConcurrentOutcomes(ctx, batch) {
             continue;
         }
         const manifest = runner.showWorkerManifest(runId, workerId);
+        const cachePath = resultCachePath(run, task, (0, execution_backend_1.sha256)(task.prompt));
+        if (cachePath && node_fs_1.default.existsSync(cachePath))
+            continue;
         const job = (0, execution_backend_1.prepareAgentSpawn)(buildAgentRequest(ctx, run, task, manifest));
         if (job) {
             jobs.push(job);
@@ -338,7 +412,7 @@ function prepareConcurrentOutcomes(ctx, batch) {
 }
 /** A failed agent hop: charge one attempt and (reuse v0.1.37 retryOrPark) either
  *  retry on the SAME worker scope next step, or PARK past the retry budget. */
-function handleHop(ctx, task, workerId, reason, dispatched) {
+function handleHop(ctx, task, workerId, reason) {
     const persisted = ctx.runner.showWorker(ctx.runId, workerId).retryCount || 0;
     const prior = Math.max(ctx.attempts.get(task.id) || 0, persisted);
     const entry = {
@@ -371,7 +445,6 @@ function handleHop(ctx, task, workerId, reason, dispatched) {
         });
     }
     // Retryable: leave the task running (scope reused) for the next step.
-    void dispatched;
     (0, worker_isolation_1.recordWorkerRetryAttempt)(ctx.runner.loadRun(ctx.runId), workerId, decided.attempts || prior + 1, reason);
     return step("fulfill", "failed", {
         runId: ctx.runId,

package/dist/error-feedback.js

@@ -97,7 +97,7 @@ function recordFeedback(run, input, options = {}) {
     const now = new Date().toISOString();
     const record = {
         schemaVersion: exports.ERROR_FEEDBACK_SCHEMA_VERSION,
-        id: createFeedbackId(classification),
+        id: createFeedbackId(run, classification),
         runId: run.id,
         createdAt: now,
         updatedAt: now,
@@ -357,9 +357,13 @@ function formatEvidence(evidence) {
         return ["No evidence recorded."];
     return evidence.map((entry) => `- ${entry.id}: ${entry.locator || entry.path || entry.summary || entry.source || ""}`);
 }
-function createFeedbackId(classification) {
-    const stamp = new Date().toISOString().replace(/[-:]/g, "").replace(/\..+/, "Z");
-    return `feedback-${classification}-${stamp}-${Math.random().toString(36).slice(2, 8)}`;
+// Deterministic feedback id (FreeBSD-audit L12/L13): the feedback record's
+// POSITION in the run's append-only feedback log, qualified by classification for
+// readability. recordFeedback dedups identical errors before minting, so the
+// sequence is stable and collision-free across replays — no clock, no PRNG.
+function createFeedbackId(run, classification) {
+    const seq = (run.feedback || []).length + 1;
+    return `feedback-${classification}-${String(seq).padStart(4, "0")}`;
 }
 function feedbackKey(value) {
     return [

package/dist/evidence-reasoning.js

@@ -343,7 +343,7 @@ function deriveCounterfactuals(run, scores) {
             forSelectionGate.push({
                 ref: candidate.id,
                 kind: "candidate",
-                status: candidate.status === "failed" ? "rejected" : "rejected",
+                status: "rejected",
                 reason: candidate.feedbackIds[0] ? `see feedback ${candidate.feedbackIds[0]}` : `candidate ${candidate.id} ${candidate.status}`
             });
             for (const scoreId of candidate.scores || []) {
@@ -389,11 +389,11 @@ function deriveCounterfactuals(run, scores) {
 // node. This returns the operator-graph node ids backing every decision-bearing
 // reasoning step of an adopted chain, so state-explosion can protect them.
 // ---------------------------------------------------------------------------
-function reasoningCriticalNodeIds(run) {
+function reasoningCriticalNodeIds(run, operator = (0, multi_agent_operator_ux_1.summarizeMultiAgentOperator)(run)) {
     const ids = new Set();
     const faninIds = new Set((run.multiAgent?.fanins || []).map((entry) => entry.id));
     const commitById = new Map((run.commits || []).map((commit) => [commit.id, commit]));
-    for (const evidence of (0, multi_agent_operator_ux_1.summarizeMultiAgentOperator)(run).evidence) {
+    for (const evidence of operator.evidence) {
         if (evidence.status !== "adopted")
             continue;
         for (const id of evidence.candidateIds)

package/dist/execution-backend/agent.js

@@ -0,0 +1,331 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveAgentInvocation = resolveAgentInvocation;
+exports.stripSecretArgs = stripSecretArgs;
+exports.parseAgentReport = parseAgentReport;
+exports.agentSubstitutions = agentSubstitutions;
+exports.substituteAgentArg = substituteAgentArg;
+exports.recordedAgentHandle = recordedAgentHandle;
+exports.extractEndpointResult = extractEndpointResult;
+exports.agentHandle = agentHandle;
+exports.prepareAgentSpawn = prepareAgentSpawn;
+exports.runAgentBatchOutcomes = runAgentBatchOutcomes;
+// Agent-delegation pure helpers + concurrent batch fulfillment for the
+// execution-backend driver layer. Carved out of execution-backend.ts
+// (FreeBSD-audit god-module carve) so the driver layer no longer bundles the
+// agent sub-domain's data-transform helpers; the stateful runners
+// (runAgentProcess / runAgentEndpoint) that build refusal/delegated envelopes
+// stay in the parent and import these. The parent re-exports the public surface
+// (stripSecretArgs, AgentSpawnJob, prepareAgentSpawn, runAgentBatchOutcomes) so
+// every importer is byte-unchanged.
+//
+// BEHAVIOR-PRESERVING — pure code movement, zero logic change. Every function
+// here is a pure function of its inputs (request/env/argv → resolved data); none
+// reaches back into the parent's envelope builders, so there is no runtime cycle.
+// Matches the existing router pattern (orchestrator/*-operations.ts,
+// run-registry/derive.ts).
+//
+// agent — the v0.1.38 delegating driver. Spawns an EXTERNAL agent process per
+// worker (claude -p / codex exec / …) argv-style (shell:false), or POSTs the
+// manifest to a configured HTTP agent endpoint. The agent reads the worker
+// input/manifest and writes the worker's result.md out-of-process; CW captures
+// the agent CHILD's command + exit + stdout digest as the canonical evidence
+// triple (NEVER the result.md — that is the separate recordWorkerOutput layer)
+// and records the kind:process handle + agent-reported model in provenance.
+//
+// THE RED LINE: CW spawns the agent and records its attested output. It NEVER
+// imports a model SDK, holds an API key, or constructs a model API request. Any
+// API key flows from the agent's OWN inherited env; CW never reads or records it.
+// The operator-chosen CW_AGENT_MODEL is interpolated into `{{model}}` as policy
+// and recorded ONLY in secret-stripped args — it is NEVER the attested model id.
+const node_path_1 = __importDefault(require("node:path"));
+const node_child_process_1 = require("node:child_process");
+const util_1 = require("./util");
+/** Resolve the agent invocation from the request delegation > env. Vendor-neutral;
+ *  the durable file config is folded in by the drive layer before this point. */
+function resolveAgentInvocation(request) {
+    const delegation = request.delegation || {};
+    const envCommand = (process.env.CW_AGENT_COMMAND || "").trim();
+    const endpoint = delegation.endpoint || (process.env.CW_AGENT_ENDPOINT || "").trim() || undefined;
+    const model = delegation.model || (process.env.CW_AGENT_MODEL || "").trim() || undefined;
+    // Accept the invocation via delegation (preferred) OR the top-level command/args.
+    let binary = delegation.command || request.command || undefined;
+    let rawArgs = delegation.args ? [...delegation.args] : request.args ? [...request.args] : [];
+    // An env-string command ("claude -p --output-format json {{manifest}}") is split
+    // into a binary + discrete argv template — NEVER shell-interpreted.
+    if (!binary && envCommand) {
+        const parts = envCommand.split(/\s+/).filter(Boolean);
+        binary = parts[0];
+        if (!delegation.args)
+            rawArgs = parts.slice(1);
+    }
+    else if (binary && !delegation.args && /\s/.test(binary)) {
+        const parts = binary.split(/\s+/).filter(Boolean);
+        binary = parts[0];
+        rawArgs = parts.slice(1);
+    }
+    return { binary, rawArgs, endpoint, model, timeoutMs: request.timeoutMs };
+}
+const AGENT_SECRET_FLAGS = new Set(["--api-key", "--apikey", "--token", "--key", "--secret", "--password", "--auth", "--bearer"]);
+/** Redact secrets from recorded agent args: a value FOLLOWING a known secret flag,
+ *  an `--x-key=...` inline value, or a token that LOOKS like a credential. Never
+ *  record a raw secret in provenance/evidence. Exported so the durable config
+ *  surface strips the SAME way before persisting/showing a command template. */
+function stripSecretArgs(args) {
+    const out = [];
+    for (let i = 0; i < args.length; i++) {
+        const arg = String(args[i]);
+        if (AGENT_SECRET_FLAGS.has(arg.toLowerCase())) {
+            out.push(arg);
+            if (i + 1 < args.length) {
+                out.push("<redacted>");
+                i++;
+            }
+            continue;
+        }
+        const inline = arg.match(/^(--?[A-Za-z][\w-]*(?:key|token|secret|password|auth|bearer)[\w-]*)=.*/i);
+        if (inline) {
+            out.push(`${inline[1]}=<redacted>`);
+            continue;
+        }
+        // Bare credential-looking token: a known provider prefix, or a long high-entropy
+        // run with NO path separators (so file paths / {{...}} substitutions survive as
+        // useful provenance). Over-redaction is safe; leaking a key is not.
+        if (/^(sk-|ghp_|gho_|github_pat_|xox[abpr]-|Bearer\s)/.test(arg) || (arg.length >= 32 && /^[A-Za-z0-9_\-]{32,}$/.test(arg))) {
+            out.push("<redacted>");
+            continue;
+        }
+        out.push(arg);
+    }
+    return out;
+}
+/** Best-effort parse of the AGENT-reported model id from its stdout. SOLELY the
+ *  agent's own report — `unreported` when absent. Never CW_AGENT_MODEL. */
+function parseAgentReport(stdout) {
+    const text = String(stdout || "").trim();
+    if (!text)
+        return {};
+    const tryObj = (value) => {
+        try {
+            const parsed = JSON.parse(value);
+            return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : undefined;
+        }
+        catch {
+            return undefined;
+        }
+    };
+    let obj = tryObj(text);
+    if (!obj) {
+        const line = text
+            .split(/\r?\n/)
+            .reverse()
+            .find((entry) => entry.trim().startsWith("{") && entry.trim().endsWith("}"));
+        if (line)
+            obj = tryObj(line.trim());
+    }
+    if (!obj)
+        return {};
+    const usage = obj.usage && typeof obj.usage === "object" ? obj.usage : undefined;
+    let model = typeof obj.model === "string"
+        ? obj.model
+        : usage && typeof usage.model === "string"
+            ? usage.model
+            : typeof obj.modelId === "string"
+                ? obj.modelId
+                : undefined;
+    // Some agents (e.g. `claude -p --output-format json`) report no top-level model;
+    // the model id(s) appear as KEYS of a `modelUsage` object. Pick the primary model
+    // (the one with the most input tokens). Still SOLELY the agent's own report.
+    if (!model && obj.modelUsage && typeof obj.modelUsage === "object" && !Array.isArray(obj.modelUsage)) {
+        const entries = Object.entries(obj.modelUsage);
+        if (entries.length) {
+            const tokensOf = (value) => {
+                const record = value && typeof value === "object" ? value : {};
+                const input = Number(record.inputTokens ?? record.input_tokens ?? 0);
+                return Number.isFinite(input) ? input : 0;
+            };
+            entries.sort((left, right) => tokensOf(right[1]) - tokensOf(left[1]));
+            model = entries[0][0];
+        }
+    }
+    // Track 1: the executor's detached signature over its usage report, if it signs.
+    // SOLELY the agent's own field — CW verifies it later against the trust key.
+    const usageSignature = typeof obj.usageSignature === "string"
+        ? obj.usageSignature
+        : typeof obj.usage_signature === "string"
+            ? obj.usage_signature
+            : undefined;
+    return { model, usage, usageSignature };
+}
+function agentSubstitutions(request, model) {
+    const manifest = request.manifest;
+    const workerDir = manifest?.workerDir || request.cwd || "";
+    return {
+        manifest: manifest?.manifestPath || (workerDir ? node_path_1.default.join(workerDir, "manifest.json") : ""),
+        input: manifest?.inputPath || "",
+        result: manifest?.resultPath || "",
+        workerDir,
+        model: model || "",
+        prompt: manifest?.prompt || ""
+    };
+}
+function substituteAgentArg(arg, subst) {
+    return arg.replace(/\{\{(\w+)\}\}/g, (_, key) => (key in subst ? subst[key] : `{{${key}}}`));
+}
+/** Build the recorded process handle for the envelope — secret-stripped + the
+ *  agent-reported model. Same SHAPE that lands in provenance, never in evidence. */
+function recordedAgentHandle(binary, endpoint, recordedArgs, model, reportedModel, reportedUsage, usageSignature) {
+    const ref = binary ? [binary, ...recordedArgs].join(" ") : endpoint || "";
+    return {
+        kind: "process",
+        ref,
+        endpoint,
+        metadata: {
+            mode: binary ? "command" : "endpoint",
+            command: binary,
+            args: recordedArgs,
+            model,
+            reportedModel,
+            // Telemetry thread-back: the agent's OWN self-reported token usage (parsed
+            // from its stdout by parseAgentReport). ATTESTED, never measured by CW —
+            // same red-line posture as reportedModel. Lands in provenance, never in the
+            // byte-stable evidence triple. Absent when the agent reported no usage.
+            ...(reportedUsage ? { reportedUsage } : {}),
+            // Track 1: the executor's detached signature over its usage report. CW
+            // verifies it against the operator trust key at output intake.
+            ...(usageSignature ? { usageSignature } : {})
+        }
+    };
+}
+function extractEndpointResult(stdout) {
+    const text = String(stdout || "").trim();
+    if (!text)
+        return undefined;
+    try {
+        const parsed = JSON.parse(text);
+        if (parsed && typeof parsed === "object") {
+            if (typeof parsed.result === "string")
+                return parsed.result;
+            if (typeof parsed.resultMarkdown === "string")
+                return parsed.resultMarkdown;
+        }
+    }
+    catch {
+        /* not JSON — treat the raw text as the result body */
+        return text;
+    }
+    return undefined;
+}
+function agentHandle(request) {
+    // The agent invocation is POLICY-as-DATA, resolved flags(delegation) > env. The
+    // handle records ONLY secret-stripped provenance; the raw template is re-resolved
+    // inside runAgentProcess for substitution + spawning so no secret ever lands in
+    // a recorded handle/evidence entry.
+    const resolved = resolveAgentInvocation(request);
+    if (!resolved.binary && !resolved.endpoint)
+        return undefined;
+    const strippedArgs = stripSecretArgs(resolved.rawArgs);
+    const ref = resolved.binary ? [resolved.binary, ...strippedArgs].join(" ") : resolved.endpoint || "";
+    return {
+        kind: "process",
+        ref,
+        endpoint: resolved.endpoint,
+        metadata: {
+            mode: resolved.binary ? "command" : "endpoint",
+            command: resolved.binary,
+            args: strippedArgs,
+            model: resolved.model
+        }
+    };
+}
+/** Resolve a request to a spawn-style batch job, or undefined when the agent is
+ *  endpoint-configured/unconfigured (those settle through the serial path). */
+function prepareAgentSpawn(request) {
+    const resolved = resolveAgentInvocation(request);
+    if (!resolved.binary)
+        return undefined;
+    const subst = agentSubstitutions(request, resolved.model);
+    return {
+        binary: resolved.binary,
+        args: resolved.rawArgs.map((arg) => substituteAgentArg(arg, subst)),
+        cwd: request.cwd,
+        timeoutMs: resolved.timeoutMs || 600000
+    };
+}
+// Reads jobs JSON on stdin, spawns ALL concurrently (shell:false, inherited env —
+// the agent's own credentials resolve; CW never reads them), per-job SIGTERM at
+// timeoutMs + SIGKILL at +5s, caps each captured stdout at 32MB, and prints the
+// outcome array when every job has settled. stderr is drained (a full pipe must
+// never wedge a child). A kill yields exitCode null — the no-exit-code refusal.
+const BATCH_DELEGATE_CHILD = `
+const { spawn } = require("node:child_process");
+let raw = "";
+process.stdin.setEncoding("utf8");
+process.stdin.on("data", (d) => (raw += d));
+process.stdin.on("end", () => {
+  const jobs = JSON.parse(raw);
+  if (!jobs.length) { process.stdout.write("[]"); return; }
+  const out = new Array(jobs.length);
+  let pending = jobs.length;
+  const CAP = 32 * 1024 * 1024;
+  jobs.forEach((job, i) => {
+    let stdout = "";
+    let settled = false;
+    const settle = (o) => {
+      if (settled) return;
+      settled = true;
+      out[i] = o;
+      if (--pending === 0) process.stdout.write(JSON.stringify(out));
+    };
+    let child;
+    try {
+      child = spawn(job.binary, job.args, { cwd: job.cwd, env: process.env, shell: false });
+    } catch (error) {
+      settle({ spawnError: String((error && error.message) || error), exitCode: null, stdout: "" });
+      return;
+    }
+    const term = setTimeout(() => { try { child.kill("SIGTERM"); } catch {} }, job.timeoutMs);
+    const kill = setTimeout(() => { try { child.kill("SIGKILL"); } catch {} }, job.timeoutMs + 5000);
+    child.stdout.on("data", (d) => { if (stdout.length < CAP) stdout += d; });
+    child.stderr.on("data", () => {});
+    child.on("error", (error) => {
+      clearTimeout(term); clearTimeout(kill);
+      settle({ spawnError: String((error && error.message) || error), exitCode: null, stdout });
+    });
+    child.on("close", (code) => {
+      clearTimeout(term); clearTimeout(kill);
+      settle({ exitCode: typeof code === "number" ? code : null, stdout });
+    });
+  });
+});
+`;
+/** Run a batch of agent spawns concurrently; outcomes index-align with jobs. The
+ *  parent backstop timeout (max job timeout + 30s) means even a wedged delegate
+ *  child cannot deadlock the drive: on any batch-level failure EVERY job settles
+ *  as a fail-closed spawn refusal — never a fabricated completion, never a hang. */
+function runAgentBatchOutcomes(jobs) {
+    if (!jobs.length)
+        return [];
+    const maxTimeout = Math.max(...jobs.map((job) => job.timeoutMs));
+    const child = (0, node_child_process_1.spawnSync)(process.execPath, ["-e", BATCH_DELEGATE_CHILD], {
+        input: JSON.stringify(jobs),
+        encoding: "utf8",
+        maxBuffer: 33 * 1024 * 1024 * jobs.length,
+        timeout: maxTimeout + 30000
+    });
+    if (!child.error && typeof child.status === "number" && child.status === 0) {
+        try {
+            const parsed = JSON.parse(String(child.stdout || ""));
+            if (Array.isArray(parsed) && parsed.length === jobs.length)
+                return parsed;
+        }
+        catch {
+            // fall through to the fail-closed mapping below
+        }
+    }
+    const reason = child.error ? (0, util_1.messageOf)(child.error) : `batch delegate exited ${child.status === null ? "without an exit code (timed out or killed)" : `with ${child.status}`}`;
+    return jobs.map(() => ({ spawnError: `batch delegate failed: ${reason}`, exitCode: null, stdout: "" }));
+}