cool-workflow 0.1.79 → 0.1.81

package/dist/execution-backend.js

@@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.BackendError = exports.SANDBOX_DIMENSIONS = exports.DEFAULT_BACKEND_ID = exports.EXECUTION_BACKEND_SCHEMA_VERSION = void 0;
+exports.BackendError = exports.SANDBOX_DIMENSIONS = exports.DEFAULT_BACKEND_ID = exports.EXECUTION_BACKEND_SCHEMA_VERSION = exports.runAgentBatchOutcomes = exports.prepareAgentSpawn = exports.stripSecretArgs = exports.sha256 = void 0;
 exports.registerBackend = registerBackend;
 exports.getBackendDriver = getBackendDriver;
 exports.listBackendDescriptors = listBackendDescriptors;
@@ -39,21 +39,32 @@ exports.requiredSandboxDimensions = requiredSandboxDimensions;
 exports.attestSandbox = attestSandbox;
 exports.probeBackend = probeBackend;
 exports.runBackend = runBackend;
-exports.stripSecretArgs = stripSecretArgs;
-exports.prepareAgentSpawn = prepareAgentSpawn;
-exports.runAgentBatchOutcomes = runAgentBatchOutcomes;
 exports.createExecutionBackend = createExecutionBackend;
 exports.listExecutionBackends = listExecutionBackends;
 exports.backendListPayload = backendListPayload;
 exports.backendShowPayload = backendShowPayload;
 exports.backendProbePayload = backendProbePayload;
 exports.buildChildEnv = buildChildEnv;
-exports.sha256 = sha256;
 exports.clearProbeCache = clearProbeCache;
-const node_crypto_1 = __importDefault(require("node:crypto"));
 const node_fs_1 = __importDefault(require("node:fs"));
-const node_path_1 = __importDefault(require("node:path"));
 const node_child_process_1 = require("node:child_process");
+// Pure leaf helpers — carved into ./execution-backend/util.ts (god-module carve).
+// `sha256` is re-exported below to keep the public surface byte-identical.
+const util_1 = require("./execution-backend/util");
+// Per-backend readiness probe bodies — carved into ./execution-backend/probes.ts.
+const probes_1 = require("./execution-backend/probes");
+// Agent-delegation pure helpers + concurrent batch — carved into
+// ./execution-backend/agent.ts. The public symbols (stripSecretArgs,
+// AgentSpawnJob, prepareAgentSpawn, runAgentBatchOutcomes) are re-exported below.
+const agent_1 = require("./execution-backend/agent");
+// Re-export the carved public surface so every importer of "./execution-backend"
+// is byte-unchanged (no public signature changed; pure code movement).
+var util_2 = require("./execution-backend/util");
+Object.defineProperty(exports, "sha256", { enumerable: true, get: function () { return util_2.sha256; } });
+var agent_2 = require("./execution-backend/agent");
+Object.defineProperty(exports, "stripSecretArgs", { enumerable: true, get: function () { return agent_2.stripSecretArgs; } });
+Object.defineProperty(exports, "prepareAgentSpawn", { enumerable: true, get: function () { return agent_2.prepareAgentSpawn; } });
+Object.defineProperty(exports, "runAgentBatchOutcomes", { enumerable: true, get: function () { return agent_2.runAgentBatchOutcomes; } });
 exports.EXECUTION_BACKEND_SCHEMA_VERSION = 1;
 exports.DEFAULT_BACKEND_ID = "node";
 exports.SANDBOX_DIMENSIONS = ["read", "write", "command", "network", "env"];
@@ -204,21 +215,21 @@ function getBackendDescriptor(id) {
 // — no central switch to edit. Function declarations below are hoisted, so the
 // closures resolve at call time.
 const BUILTIN_DRIVER_BEHAVIORS = {
-    node: { spawnStyle: "direct", runtimeNote: () => "node", probe: probeNodeBackend },
+    node: { spawnStyle: "direct", runtimeNote: () => "node", probe: probes_1.probeNodeBackend },
     bun: {
         spawnStyle: "direct",
-        runtimeNote: () => (hasExecutable("bun") ? "bun (node-compatible execution)" : "node-compatible (bun not installed)"),
-        probe: probeBunBackend
+        runtimeNote: () => ((0, util_1.hasExecutable)("bun") ? "bun (node-compatible execution)" : "node-compatible (bun not installed)"),
+        probe: probes_1.probeBunBackend
     },
-    shell: { spawnStyle: "shell", runtimeNote: () => "posix-shell", probe: probeShellBackend },
-    container: { delegateRun: ctxDelegate(runContainer), buildHandle: containerHandle, probe: probeContainerBackend },
-    remote: { delegateRun: ctxDelegate(runHttpDelegation), buildHandle: remoteHandle, probe: probeRemoteBackend },
-    ci: { delegateRun: ctxDelegate(runHttpDelegation), buildHandle: ciHandle, probe: probeCiBackend },
+    shell: { spawnStyle: "shell", runtimeNote: () => "posix-shell", probe: probes_1.probeShellBackend },
+    container: { delegateRun: ctxDelegate(runContainer), buildHandle: containerHandle, probe: probes_1.probeContainerBackend },
+    remote: { delegateRun: ctxDelegate(runHttpDelegation), buildHandle: remoteHandle, probe: probes_1.probeRemoteBackend },
+    ci: { delegateRun: ctxDelegate(runHttpDelegation), buildHandle: ciHandle, probe: probes_1.probeCiBackend },
     agent: {
         delegateRun: ctxDelegate(runAgentProcess),
-        buildHandle: agentHandle,
+        buildHandle: agent_1.agentHandle,
         commandlessDelegate: true,
-        probe: probeAgentBackend
+        probe: probes_1.probeAgentBackend
     }
 };
 for (const spec of DRIVER_SPECS) {
@@ -254,7 +265,7 @@ function resolveBackendSelection(requested, env = process.env) {
     return { backendId: exports.DEFAULT_BACKEND_ID, source: "default" };
 }
 function backendSelectionFrom(args, env = process.env) {
-    const requested = firstString(args.backend, args.backendId, args.executionBackend);
+    const requested = (0, util_1.firstString)(args.backend, args.backendId, args.executionBackend);
     return resolveBackendSelection(requested, env);
 }
 // ---------------------------------------------------------------------------
@@ -340,77 +351,6 @@ function probeBackend(id, context = {}) {
         reason: body.reason
     };
 }
-function probeNodeBackend() {
-    const ok = hasExecutable("node");
-    return {
-        checks: [{ name: "node-runtime", ok, detail: ok ? "node on PATH" : "node not found on PATH" }],
-        readiness: ok ? "ready" : "unavailable",
-        reason: ok ? undefined : "node runtime not found on PATH"
-    };
-}
-function probeShellBackend() {
-    const ok = hasExecutable("sh") || node_fs_1.default.existsSync("/bin/sh");
-    return {
-        checks: [{ name: "posix-shell", ok, detail: ok ? "sh available" : "no POSIX shell found" }],
-        readiness: ok ? "ready" : "unavailable",
-        reason: ok ? undefined : "POSIX shell not found"
-    };
-}
-function probeBunBackend() {
-    const bun = hasExecutable("bun");
-    const node = hasExecutable("node");
-    return {
-        checks: [
-            { name: "bun-runtime", ok: bun, detail: bun ? "bun on PATH" : "bun not found; node-compatible fallback" },
-            { name: "node-compatible-fallback", ok: node, detail: node ? "node on PATH" : "node not found on PATH" }
-        ],
-        readiness: bun || node ? "ready" : "unavailable",
-        reason: !bun && node ? "bun not installed; executing via node-compatible runtime" : !bun && !node ? "neither bun nor node found on PATH" : undefined
-    };
-}
-function probeContainerBackend() {
-    const docker = hasExecutable("docker");
-    const podman = hasExecutable("podman");
-    return {
-        checks: [
-            { name: "docker", ok: docker, detail: docker ? "docker on PATH" : "docker not found" },
-            { name: "podman", ok: podman, detail: podman ? "podman on PATH" : "podman not found" }
-        ],
-        readiness: docker || podman ? "ready" : "unavailable",
-        reason: docker || podman ? undefined : "no container runtime (docker/podman) found; supply --image to delegate explicitly"
-    };
-}
-function probeRemoteBackend() {
-    const endpoint = (process.env.CW_REMOTE_ENDPOINT || "").trim();
-    return {
-        checks: [{ name: "endpoint", ok: Boolean(endpoint), detail: endpoint ? "CW_REMOTE_ENDPOINT configured" : "CW_REMOTE_ENDPOINT not set" }],
-        readiness: endpoint ? "ready" : "unverified",
-        reason: endpoint ? undefined : "no remote endpoint configured (set CW_REMOTE_ENDPOINT or pass --endpoint)"
-    };
-}
-function probeCiBackend() {
-    const endpoint = (process.env.CW_CI_ENDPOINT || "").trim();
-    return {
-        checks: [{ name: "ci-endpoint", ok: Boolean(endpoint), detail: endpoint ? "CW_CI_ENDPOINT configured" : "CW_CI_ENDPOINT not set" }],
-        readiness: endpoint ? "ready" : "unverified",
-        reason: endpoint ? undefined : "no CI job target configured (set CW_CI_ENDPOINT or pass --job)"
-    };
-}
-function probeAgentBackend() {
-    // Mirrors remote/ci EXACTLY: unconfigured ⇒ `unverified` (NOT a hard refusal),
-    // configured ⇒ `ready`. "Configured" = a command-template or endpoint is set.
-    const command = (process.env.CW_AGENT_COMMAND || "").trim();
-    const endpoint = (process.env.CW_AGENT_ENDPOINT || "").trim();
-    const configured = Boolean(command || endpoint);
-    return {
-        checks: [
-            { name: "agent-command", ok: Boolean(command), detail: command ? "CW_AGENT_COMMAND configured" : "CW_AGENT_COMMAND not set" },
-            { name: "agent-endpoint", ok: Boolean(endpoint), detail: endpoint ? "CW_AGENT_ENDPOINT configured" : "CW_AGENT_ENDPOINT not set" }
-        ],
-        readiness: configured ? "ready" : "unverified",
-        reason: configured ? undefined : "no agent configured (set CW_AGENT_COMMAND or CW_AGENT_ENDPOINT, or pass --agent-command/--agent-endpoint)"
-    };
-}
 // ---------------------------------------------------------------------------
 // The run entry. Refuses (fail closed) when the sandbox cannot be honored, the
 // command is denied by policy, or the backend is not ready. Local drivers spawn a
@@ -474,9 +414,9 @@ function executeLocal(descriptor, policy, request, label, attestation) {
         ? (0, node_child_process_1.spawnSync)([command, ...args].join(" "), { ...options, shell: true })
         : (0, node_child_process_1.spawnSync)(command, args, { ...options, shell: false });
     const exitCode = typeof result.status === "number" ? result.status : null;
-    const spawnError = result.error ? messageOf(result.error) : undefined;
+    const spawnError = result.error ? (0, util_1.messageOf)(result.error) : undefined;
     const stdout = String(result.stdout || "");
-    const digest = sha256(stdout);
+    const digest = (0, util_1.sha256)(stdout);
     const status = spawnError ? "failed" : exitCode === 0 ? "completed" : "failed";
     const evidence = [
         `command:${[command, ...args].join(" ")}`,
@@ -502,7 +442,7 @@ function executeLocal(descriptor, policy, request, label, attestation) {
             backendId: descriptor.id,
             locality: descriptor.locality,
             kind: descriptor.kind,
-            attestation: { ...attestation, status: status === "completed" ? attestation.status : attestation.status, notes }
+            attestation: { ...attestation, status: attestation.status, notes }
         }
     };
 }
@@ -544,7 +484,7 @@ function delegate(descriptor, policy, request, label, probe) {
  *  identical to executeLocal's, so evidence is byte-stable across backends. The
  *  handle is recorded in provenance only. */
 function delegatedEnvelope(descriptor, label, handle, attestation, command, args, exitCode, stdout) {
-    const digest = sha256(stdout);
+    const digest = (0, util_1.sha256)(stdout);
     const status = exitCode === 0 ? "completed" : "failed";
     const evidence = [
         `command:${[command, ...args].join(" ")}`,
@@ -573,7 +513,7 @@ function delegatedEnvelope(descriptor, label, handle, attestation, command, args
  *  closed when no runtime is on PATH, the daemon is unreachable, or the runtime
  *  itself errors (exit 125) — distinct from the command's own non-zero exit. */
 function runContainer(descriptor, policy, request, label, handle, attestation) {
-    const runtime = hasExecutable("docker") ? "docker" : hasExecutable("podman") ? "podman" : undefined;
+    const runtime = (0, util_1.hasExecutable)("docker") ? "docker" : (0, util_1.hasExecutable)("podman") ? "podman" : undefined;
     if (!runtime) {
         return refusedEnvelope(descriptor, policy, label, "runtime-unavailable", "no container runtime (docker/podman) on PATH", {
             attestation
@@ -622,7 +562,7 @@ function runContainer(descriptor, policy, request, label, handle, attestation) {
         maxBuffer: 32 * 1024 * 1024
     });
     if (result.error) {
-        return refusedEnvelope(descriptor, policy, label, "delegation-failed", `${runtime} run failed: ${messageOf(result.error)}`, {
+        return refusedEnvelope(descriptor, policy, label, "delegation-failed", `${runtime} run failed: ${(0, util_1.messageOf)(result.error)}`, {
             attestation
         });
     }
@@ -696,7 +636,7 @@ function runHttpDelegation(descriptor, policy, request, label, handle, attestati
         maxBuffer: 32 * 1024 * 1024
     });
     if (child.error) {
-        return refusedEnvelope(descriptor, policy, label, "delegation-failed", `${descriptor.id} delegation failed: ${messageOf(child.error)}`, {
+        return refusedEnvelope(descriptor, policy, label, "delegation-failed", `${descriptor.id} delegation failed: ${(0, util_1.messageOf)(child.error)}`, {
             attestation
         });
     }
@@ -714,168 +654,31 @@ function runHttpDelegation(descriptor, policy, request, label, handle, attestati
     }
     return delegatedEnvelope(descriptor, label, handle, attestation, command, args, parsed.exitCode, String(parsed.stdout || ""));
 }
-/** Resolve the agent invocation from the request delegation > env. Vendor-neutral;
- *  the durable file config is folded in by the drive layer before this point. */
-function resolveAgentInvocation(request) {
-    const delegation = request.delegation || {};
-    const envCommand = (process.env.CW_AGENT_COMMAND || "").trim();
-    const endpoint = delegation.endpoint || (process.env.CW_AGENT_ENDPOINT || "").trim() || undefined;
-    const model = delegation.model || (process.env.CW_AGENT_MODEL || "").trim() || undefined;
-    // Accept the invocation via delegation (preferred) OR the top-level command/args.
-    let binary = delegation.command || request.command || undefined;
-    let rawArgs = delegation.args ? [...delegation.args] : request.args ? [...request.args] : [];
-    // An env-string command ("claude -p --output-format json {{manifest}}") is split
-    // into a binary + discrete argv template — NEVER shell-interpreted.
-    if (!binary && envCommand) {
-        const parts = envCommand.split(/\s+/).filter(Boolean);
-        binary = parts[0];
-        if (!delegation.args)
-            rawArgs = parts.slice(1);
-    }
-    else if (binary && !delegation.args && /\s/.test(binary)) {
-        const parts = binary.split(/\s+/).filter(Boolean);
-        binary = parts[0];
-        rawArgs = parts.slice(1);
-    }
-    return { binary, rawArgs, endpoint, model, timeoutMs: request.timeoutMs };
-}
-const AGENT_SECRET_FLAGS = new Set(["--api-key", "--apikey", "--token", "--key", "--secret", "--password", "--auth", "--bearer"]);
-/** Redact secrets from recorded agent args: a value FOLLOWING a known secret flag,
- *  an `--x-key=...` inline value, or a token that LOOKS like a credential. Never
- *  record a raw secret in provenance/evidence. Exported so the durable config
- *  surface strips the SAME way before persisting/showing a command template. */
-function stripSecretArgs(args) {
-    const out = [];
-    for (let i = 0; i < args.length; i++) {
-        const arg = String(args[i]);
-        if (AGENT_SECRET_FLAGS.has(arg.toLowerCase())) {
-            out.push(arg);
-            if (i + 1 < args.length) {
-                out.push("<redacted>");
-                i++;
-            }
-            continue;
-        }
-        const inline = arg.match(/^(--?[A-Za-z][\w-]*(?:key|token|secret|password|auth|bearer)[\w-]*)=.*/i);
-        if (inline) {
-            out.push(`${inline[1]}=<redacted>`);
-            continue;
-        }
-        // Bare credential-looking token: a known provider prefix, or a long high-entropy
-        // run with NO path separators (so file paths / {{...}} substitutions survive as
-        // useful provenance). Over-redaction is safe; leaking a key is not.
-        if (/^(sk-|ghp_|gho_|github_pat_|xox[abpr]-|Bearer\s)/.test(arg) || (arg.length >= 32 && /^[A-Za-z0-9_\-]{32,}$/.test(arg))) {
-            out.push("<redacted>");
-            continue;
-        }
-        out.push(arg);
-    }
-    return out;
-}
-/** Best-effort parse of the AGENT-reported model id from its stdout. SOLELY the
- *  agent's own report — `unreported` when absent. Never CW_AGENT_MODEL. */
-function parseAgentReport(stdout) {
-    const text = String(stdout || "").trim();
-    if (!text)
-        return {};
-    const tryObj = (value) => {
-        try {
-            const parsed = JSON.parse(value);
-            return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : undefined;
-        }
-        catch {
-            return undefined;
-        }
-    };
-    let obj = tryObj(text);
-    if (!obj) {
-        const line = text
-            .split(/\r?\n/)
-            .reverse()
-            .find((entry) => entry.trim().startsWith("{") && entry.trim().endsWith("}"));
-        if (line)
-            obj = tryObj(line.trim());
-    }
-    if (!obj)
-        return {};
-    const usage = obj.usage && typeof obj.usage === "object" ? obj.usage : undefined;
-    let model = typeof obj.model === "string"
-        ? obj.model
-        : usage && typeof usage.model === "string"
-            ? usage.model
-            : typeof obj.modelId === "string"
-                ? obj.modelId
-                : undefined;
-    // Some agents (e.g. `claude -p --output-format json`) report no top-level model;
-    // the model id(s) appear as KEYS of a `modelUsage` object. Pick the primary model
-    // (the one with the most input tokens). Still SOLELY the agent's own report.
-    if (!model && obj.modelUsage && typeof obj.modelUsage === "object" && !Array.isArray(obj.modelUsage)) {
-        const entries = Object.entries(obj.modelUsage);
-        if (entries.length) {
-            const tokensOf = (value) => {
-                const record = value && typeof value === "object" ? value : {};
-                const input = Number(record.inputTokens ?? record.input_tokens ?? 0);
-                return Number.isFinite(input) ? input : 0;
-            };
-            entries.sort((left, right) => tokensOf(right[1]) - tokensOf(left[1]));
-            model = entries[0][0];
-        }
-    }
-    // Track 1: the executor's detached signature over its usage report, if it signs.
-    // SOLELY the agent's own field — CW verifies it later against the trust key.
-    const usageSignature = typeof obj.usageSignature === "string"
-        ? obj.usageSignature
-        : typeof obj.usage_signature === "string"
-            ? obj.usage_signature
-            : undefined;
-    return { model, usage, usageSignature };
-}
-function agentSubstitutions(request, model) {
-    const manifest = request.manifest;
-    const workerDir = manifest?.workerDir || request.cwd || "";
-    return {
-        manifest: manifest?.manifestPath || (workerDir ? node_path_1.default.join(workerDir, "manifest.json") : ""),
-        input: manifest?.inputPath || "",
-        result: manifest?.resultPath || "",
-        workerDir,
-        model: model || "",
-        prompt: manifest?.prompt || ""
-    };
-}
-function substituteAgentArg(arg, subst) {
-    return arg.replace(/\{\{(\w+)\}\}/g, (_, key) => (key in subst ? subst[key] : `{{${key}}}`));
-}
-/** Build the recorded process handle for the envelope — secret-stripped + the
- *  agent-reported model. Same SHAPE that lands in provenance, never in evidence. */
-function recordedAgentHandle(binary, endpoint, recordedArgs, model, reportedModel, reportedUsage, usageSignature) {
-    const ref = binary ? [binary, ...recordedArgs].join(" ") : endpoint || "";
-    return {
-        kind: "process",
-        ref,
-        endpoint,
-        metadata: {
-            mode: binary ? "command" : "endpoint",
-            command: binary,
-            args: recordedArgs,
-            model,
-            reportedModel,
-            // Telemetry thread-back: the agent's OWN self-reported token usage (parsed
-            // from its stdout by parseAgentReport). ATTESTED, never measured by CW —
-            // same red-line posture as reportedModel. Lands in provenance, never in the
-            // byte-stable evidence triple. Absent when the agent reported no usage.
-            ...(reportedUsage ? { reportedUsage } : {}),
-            // Track 1: the executor's detached signature over its usage report. CW
-            // verifies it against the operator trust key at output intake.
-            ...(usageSignature ? { usageSignature } : {})
-        }
-    };
-}
+// ---------------------------------------------------------------------------
+// agent — the v0.1.38 delegating driver. Spawns an EXTERNAL agent process per
+// worker (claude -p / codex exec / …) argv-style (shell:false), or POSTs the
+// manifest to a configured HTTP agent endpoint. The agent reads the worker
+// input/manifest and writes the worker's result.md out-of-process; CW captures
+// the agent CHILD's command + exit + stdout digest as the canonical evidence
+// triple (NEVER the result.md — that is the separate recordWorkerOutput layer)
+// and records the kind:process handle + agent-reported model in provenance.
+//
+// THE RED LINE: CW spawns the agent and records its attested output. It NEVER
+// imports a model SDK, holds an API key, or constructs a model API request. Any
+// API key flows from the agent's OWN inherited env; CW never reads or records it.
+// The operator-chosen CW_AGENT_MODEL is interpolated into `{{model}}` as policy
+// and recorded ONLY in secret-stripped args — it is NEVER the attested model id.
+//
+// The pure agent helpers (resolveAgentInvocation, stripSecretArgs, parseAgentReport,
+// agentSubstitutions, substituteAgentArg, recordedAgentHandle, extractEndpointResult,
+// agentHandle) and the concurrent batch live in ./execution-backend/agent.ts; the
+// stateful runners below build the refusal/delegated envelopes and stay here.
 function runAgentProcess(descriptor, policy, request, label, handle, attestation) {
-    const resolved = resolveAgentInvocation(request);
-    const subst = agentSubstitutions(request, resolved.model);
+    const resolved = (0, agent_1.resolveAgentInvocation)(request);
+    const subst = (0, agent_1.agentSubstitutions)(request, resolved.model);
     if (resolved.binary) {
-        const realArgs = resolved.rawArgs.map((arg) => substituteAgentArg(arg, subst));
-        const recordedArgs = stripSecretArgs(realArgs);
+        const realArgs = resolved.rawArgs.map((arg) => (0, agent_1.substituteAgentArg)(arg, subst));
+        const recordedArgs = (0, agent_1.stripSecretArgs)(realArgs);
         // Spawn the agent argv-style — shell:false, never a shell-interpreted string.
         // The agent inherits the host env so ITS OWN credentials resolve; CW neither
         // reads nor records them. CW enforces only the exact argv it spawns.
@@ -887,31 +690,36 @@ function runAgentProcess(descriptor, policy, request, label, handle, attestation
             outcome = request.preparedAgentOutcome;
         }
         else {
+            // Live output is opt-in (POLA): stdout is always captured as data, while
+            // stderr is forwarded only when the operator explicitly asks for a stream
+            // and this process is attached to a terminal. CI/pipes stay silent.
+            const streamStderr = process.env.CW_AGENT_STREAM === "1" && Boolean(process.stderr.isTTY) && process.env.CW_NO_STREAM !== "1";
             const child = (0, node_child_process_1.spawnSync)(resolved.binary, realArgs, {
                 cwd: request.cwd,
                 env: { ...process.env },
                 encoding: "utf8",
                 timeout: resolved.timeoutMs || 600000,
                 maxBuffer: 32 * 1024 * 1024,
-                shell: false
+                shell: false,
+                stdio: ["ignore", "pipe", streamStderr ? "inherit" : "pipe"]
             });
             outcome = {
-                ...(child.error ? { spawnError: messageOf(child.error) } : {}),
+                ...(child.error ? { spawnError: (0, util_1.messageOf)(child.error) } : {}),
                 exitCode: typeof child.status === "number" ? child.status : null,
                 stdout: String(child.stdout || "")
             };
         }
         if (outcome.spawnError) {
-            const handleOut = recordedAgentHandle(resolved.binary, undefined, recordedArgs, resolved.model, "unreported");
+            const handleOut = (0, agent_1.recordedAgentHandle)(resolved.binary, undefined, recordedArgs, resolved.model, "unreported");
             return refusedEnvelope(descriptor, policy, label, "delegation-failed", `agent process failed to spawn: ${outcome.spawnError}`, {
                 attestation: { ...attestation, handle: handleOut }
             });
         }
         const exitCode = outcome.exitCode;
         const stdout = outcome.stdout;
-        const report = parseAgentReport(stdout);
+        const report = (0, agent_1.parseAgentReport)(stdout);
         const reportedModel = report.model && report.model.trim() ? report.model.trim() : "unreported";
-        const handleOut = recordedAgentHandle(resolved.binary, undefined, recordedArgs, resolved.model, reportedModel, report.usage, report.usageSignature);
+        const handleOut = (0, agent_1.recordedAgentHandle)(resolved.binary, undefined, recordedArgs, resolved.model, reportedModel, report.usage, report.usageSignature);
         if (exitCode === null) {
             // No exit code (timeout/killed) ⇒ fail closed, never a fabricated completion.
             return refusedEnvelope(descriptor, policy, label, "delegation-failed", `agent process returned no exit code (timed out or killed)`, {
@@ -929,94 +737,6 @@ function runAgentProcess(descriptor, policy, request, label, handle, attestation
         attestation
     });
 }
-/** Resolve a request to a spawn-style batch job, or undefined when the agent is
- *  endpoint-configured/unconfigured (those settle through the serial path). */
-function prepareAgentSpawn(request) {
-    const resolved = resolveAgentInvocation(request);
-    if (!resolved.binary)
-        return undefined;
-    const subst = agentSubstitutions(request, resolved.model);
-    return {
-        binary: resolved.binary,
-        args: resolved.rawArgs.map((arg) => substituteAgentArg(arg, subst)),
-        cwd: request.cwd,
-        timeoutMs: resolved.timeoutMs || 600000
-    };
-}
-// Reads jobs JSON on stdin, spawns ALL concurrently (shell:false, inherited env —
-// the agent's own credentials resolve; CW never reads them), per-job SIGTERM at
-// timeoutMs + SIGKILL at +5s, caps each captured stdout at 32MB, and prints the
-// outcome array when every job has settled. stderr is drained (a full pipe must
-// never wedge a child). A kill yields exitCode null — the no-exit-code refusal.
-const BATCH_DELEGATE_CHILD = `
-const { spawn } = require("node:child_process");
-let raw = "";
-process.stdin.setEncoding("utf8");
-process.stdin.on("data", (d) => (raw += d));
-process.stdin.on("end", () => {
-  const jobs = JSON.parse(raw);
-  if (!jobs.length) { process.stdout.write("[]"); return; }
-  const out = new Array(jobs.length);
-  let pending = jobs.length;
-  const CAP = 32 * 1024 * 1024;
-  jobs.forEach((job, i) => {
-    let stdout = "";
-    let settled = false;
-    const settle = (o) => {
-      if (settled) return;
-      settled = true;
-      out[i] = o;
-      if (--pending === 0) process.stdout.write(JSON.stringify(out));
-    };
-    let child;
-    try {
-      child = spawn(job.binary, job.args, { cwd: job.cwd, env: process.env, shell: false });
-    } catch (error) {
-      settle({ spawnError: String((error && error.message) || error), exitCode: null, stdout: "" });
-      return;
-    }
-    const term = setTimeout(() => { try { child.kill("SIGTERM"); } catch {} }, job.timeoutMs);
-    const kill = setTimeout(() => { try { child.kill("SIGKILL"); } catch {} }, job.timeoutMs + 5000);
-    child.stdout.on("data", (d) => { if (stdout.length < CAP) stdout += d; });
-    child.stderr.on("data", () => {});
-    child.on("error", (error) => {
-      clearTimeout(term); clearTimeout(kill);
-      settle({ spawnError: String((error && error.message) || error), exitCode: null, stdout });
-    });
-    child.on("close", (code) => {
-      clearTimeout(term); clearTimeout(kill);
-      settle({ exitCode: typeof code === "number" ? code : null, stdout });
-    });
-  });
-});
-`;
-/** Run a batch of agent spawns concurrently; outcomes index-align with jobs. The
- *  parent backstop timeout (max job timeout + 30s) means even a wedged delegate
- *  child cannot deadlock the drive: on any batch-level failure EVERY job settles
- *  as a fail-closed spawn refusal — never a fabricated completion, never a hang. */
-function runAgentBatchOutcomes(jobs) {
-    if (!jobs.length)
-        return [];
-    const maxTimeout = Math.max(...jobs.map((job) => job.timeoutMs));
-    const child = (0, node_child_process_1.spawnSync)(process.execPath, ["-e", BATCH_DELEGATE_CHILD], {
-        input: JSON.stringify(jobs),
-        encoding: "utf8",
-        maxBuffer: 33 * 1024 * 1024 * jobs.length,
-        timeout: maxTimeout + 30000
-    });
-    if (!child.error && typeof child.status === "number" && child.status === 0) {
-        try {
-            const parsed = JSON.parse(String(child.stdout || ""));
-            if (Array.isArray(parsed) && parsed.length === jobs.length)
-                return parsed;
-        }
-        catch {
-            // fall through to the fail-closed mapping below
-        }
-    }
-    const reason = child.error ? messageOf(child.error) : `batch delegate exited ${child.status === null ? "without an exit code (timed out or killed)" : `with ${child.status}`}`;
-    return jobs.map(() => ({ spawnError: `batch delegate failed: ${reason}`, exitCode: null, stdout: "" }));
-}
 /** Agent HTTP endpoint variant — POSTs the worker manifest/prompt to a configured
  *  agent endpoint via the shared Node delegate child; if the endpoint returns a
  *  `result` body, CW writes it to the worker's result.md (the endpoint agent is the
@@ -1039,9 +759,9 @@ function runAgentEndpoint(descriptor, policy, request, label, resolved, attestat
         timeout: resolved.timeoutMs || 600000,
         maxBuffer: 32 * 1024 * 1024
     });
-    const baseHandle = recordedAgentHandle(undefined, endpoint, [], resolved.model, "unreported");
+    const baseHandle = (0, agent_1.recordedAgentHandle)(undefined, endpoint, [], resolved.model, "unreported");
     if (child.error) {
-        return refusedEnvelope(descriptor, policy, label, "delegation-failed", `agent endpoint delegation failed: ${messageOf(child.error)}`, {
+        return refusedEnvelope(descriptor, policy, label, "delegation-failed", `agent endpoint delegation failed: ${(0, util_1.messageOf)(child.error)}`, {
             attestation: { ...attestation, handle: baseHandle }
         });
     }
@@ -1062,9 +782,9 @@ function runAgentEndpoint(descriptor, policy, request, label, resolved, attestat
     const stdout = String(parsed.stdout || "");
     // If the endpoint agent returned the result body, CW (as transport) writes it to
     // the worker's result.md for the separate recordWorkerOutput layer to accept.
-    const report = parseAgentReport(stdout);
+    const report = (0, agent_1.parseAgentReport)(stdout);
     if (manifest?.resultPath && report.usage === undefined) {
-        const body = extractEndpointResult(stdout);
+        const body = (0, agent_1.extractEndpointResult)(stdout);
         if (body && !node_fs_1.default.existsSync(manifest.resultPath)) {
             try {
                 node_fs_1.default.writeFileSync(manifest.resultPath, body, "utf8");
@@ -1075,28 +795,9 @@ function runAgentEndpoint(descriptor, policy, request, label, resolved, attestat
         }
     }
     const reportedModel = report.model && report.model.trim() ? report.model.trim() : "unreported";
-    const handleOut = recordedAgentHandle(undefined, endpoint, [], resolved.model, reportedModel, report.usage, report.usageSignature);
+    const handleOut = (0, agent_1.recordedAgentHandle)(undefined, endpoint, [], resolved.model, reportedModel, report.usage, report.usageSignature);
     return delegatedEnvelope(descriptor, label, handleOut, { ...attestation, handle: handleOut }, "agent-endpoint", [endpoint], parsed.exitCode, stdout);
 }
-function extractEndpointResult(stdout) {
-    const text = String(stdout || "").trim();
-    if (!text)
-        return undefined;
-    try {
-        const parsed = JSON.parse(text);
-        if (parsed && typeof parsed === "object") {
-            if (typeof parsed.result === "string")
-                return parsed.result;
-            if (typeof parsed.resultMarkdown === "string")
-                return parsed.resultMarkdown;
-        }
-    }
-    catch {
-        /* not JSON — treat the raw text as the result body */
-        return text;
-    }
-    return undefined;
-}
 function delegationHandle(descriptor, request) {
     return getBackendDriver(descriptor.id)?.buildHandle?.(request);
 }
@@ -1127,28 +828,6 @@ function ciHandle(request) {
     const ref = endpoint && jobId ? `${endpoint}#${jobId}` : jobId || endpoint || "";
     return { kind: "ci", ref, endpoint, jobId };
 }
-function agentHandle(request) {
-    // The agent invocation is POLICY-as-DATA, resolved flags(delegation) > env. The
-    // handle records ONLY secret-stripped provenance; the raw template is re-resolved
-    // inside runAgentProcess for substitution + spawning so no secret ever lands in
-    // a recorded handle/evidence entry.
-    const resolved = resolveAgentInvocation(request);
-    if (!resolved.binary && !resolved.endpoint)
-        return undefined;
-    const strippedArgs = stripSecretArgs(resolved.rawArgs);
-    const ref = resolved.binary ? [resolved.binary, ...strippedArgs].join(" ") : resolved.endpoint || "";
-    return {
-        kind: "process",
-        ref,
-        endpoint: resolved.endpoint,
-        metadata: {
-            mode: resolved.binary ? "command" : "endpoint",
-            command: resolved.binary,
-            args: strippedArgs,
-            model: resolved.model
-        }
-    };
-}
 function refusedEnvelope(descriptor, policy, label, code, reason, options = {}) {
     const attestation = options.attestation
         ? { ...options.attestation, status: "refused", notes: [...(options.attestation.notes || []), `refused: ${code}`] }
@@ -1237,33 +916,6 @@ function commandDenied(policy, command) {
 function runtimeNote(descriptor) {
     return getBackendDriver(descriptor.id)?.runtimeNote?.() ?? "node";
 }
-function hasExecutable(name) {
-    const dirs = (process.env.PATH || "").split(node_path_1.default.delimiter).filter(Boolean);
-    for (const dir of dirs) {
-        const candidate = node_path_1.default.join(dir, name);
-        try {
-            if (node_fs_1.default.existsSync(candidate) && node_fs_1.default.statSync(candidate).isFile())
-                return true;
-        }
-        catch {
-            // ignore unreadable PATH entries
-        }
-    }
-    return false;
-}
-function sha256(value) {
-    return `sha256:${node_crypto_1.default.createHash("sha256").update(value, "utf8").digest("hex")}`;
-}
-function firstString(...values) {
-    for (const value of values) {
-        if (typeof value === "string" && value.trim())
-            return value.trim();
-    }
-    return undefined;
-}
-function messageOf(error) {
-    return error instanceof Error ? error.message : String(error);
-}
 // ---- Probe cache (v0.1.60) — mechanism, not policy -----------------------
 const _probeCache = new Map();
 const PROBE_CACHE_TTL_MS = 60_000; // 60s