experimental-ash 0.25.0 → 0.25.2

package/dist/src/context/seed-keys.d.ts

@@ -9,7 +9,7 @@
  * ({@link import("./keys.js").SessionKey SessionKey}, etc.) live in
  * `context/keys.ts` which re-exports everything from this module.
  */
-import type { SessionAuthContext, SessionCapabilities, SessionParent } from "#channel/types.js";
+import type { SessionAuthContext, SessionCallback, SessionCapabilities, SessionParent } from "#channel/types.js";
 import type { RunMode } from "#shared/run-mode.js";
 import { ContextKey } from "#context/key.js";
 export declare const AuthKey: ContextKey<SessionAuthContext | null>;
@@ -24,6 +24,10 @@ export declare const ParentSessionKey: ContextKey<SessionParent>;
  * dispatch so HITL readiness flows through a conversation chain.
  */
 export declare const CapabilitiesKey: ContextKey<SessionCapabilities>;
+/**
+ * Optional framework-owned terminal callback metadata for this session.
+ */
+export declare const SessionCallbackKey: ContextKey<SessionCallback>;
 /**
  * Marker durable boolean set by the runtime **before** the
  * `lifecycle.session` hook chain runs. The runtime checks this flag at

package/dist/src/context/seed-keys.js

@@ -22,6 +22,10 @@ export const ParentSessionKey = new ContextKey("ash.parentSession");
  * dispatch so HITL readiness flows through a conversation chain.
  */
 export const CapabilitiesKey = new ContextKey("ash.capabilities");
+/**
+ * Optional framework-owned terminal callback metadata for this session.
+ */
+export const SessionCallbackKey = new ContextKey("ash.sessionCallback");
 /**
  * Marker durable boolean set by the runtime **before** the
  * `lifecycle.session` hook chain runs. The runtime checks this flag at

package/dist/src/evals/cli/eval.js

@@ -1 +1 @@
-import{n as e}from"../../chunks/paths-DNjq5JOy.js";import{loadDevelopmentEnvironmentFiles as t}from"../../cli/dev/environment.js";import{n,s as r,t as i}from"../../chunks/client-BShLWzR6.js";import{n as a}from"../../chunks/host-JVy7fewA.js";import{discoverAndImportSuites as o}from"../runner/discover.js";import{executeSuite as s}from"../runner/execute-suite.js";import{ConsoleReporter as c}from"../runner/reporters/console.js";var l=r();async function u(n,r){let i=e();t(i);let c=n.suite,l=await o(i,c);if(l.length===0){c&&c.length>0?r.error(`No suites found matching: ${c.join(`, `)}`):r.error(`No eval suites found. Create suite files under evals/ with the *.eval.ts extension.`),process.exitCode=1;return}let u,f;n.url?f={kind:`remote`,url:n.url}:(u=await a(i,{host:`127.0.0.1`,port:0}),f={kind:`local`,url:u.url});let p=d(f);try{let e=[];for(let t of l){let r=m(t,n),a=h(r,{json:n.json===!0,skipReport:n.skipReport===!0}),o=await s({suite:r,target:f,reporters:a,appRoot:i,client:p});e.push(o)}n.json&&r.log(JSON.stringify(e,null,2)),e.some(e=>e.errored>0)&&(process.exitCode=1)}finally{u&&await u.close()}process.exit(process.exitCode??0)}function d(e){if(e.kind===`local`)return new i({host:e.url});let t={},r=process.env.VERCEL_AUTOMATION_BYPASS_SECRET?.trim();return r&&(t[n]=r),new i({auth:f(),headers:Object.keys(t).length>0?t:void 0,host:e.url})}function f(){let e=process.env.ASH_EVAL_AUTH_TOKEN?.trim();return e?{bearer:e}:{bearer:p}}async function p(){try{let e=(await(0,l.getVercelOidcToken)()).trim();if(e.length>0)return e}catch{}return process.env.VERCEL_OIDC_TOKEN?.trim()??``}function m(e,t){let n=t.maxConcurrency?Number.parseInt(t.maxConcurrency,10):void 0,r=t.timeout?Number.parseInt(t.timeout,10):void 0;if(n===void 0&&r===void 0)return e;let i={...e};return n!==void 0&&(i.maxConcurrency=n),r!==void 0&&(i.timeoutMs=r),i}function h(e,t){let n=t.json?[]:[new c];return!t.skipReport&&e.reporters&&n.push(...e.reporters),n}export{u as runEvalCommand};
+import{n as e}from"../../chunks/paths-DnlVBqHu.js";import{loadDevelopmentEnvironmentFiles as t}from"../../cli/dev/environment.js";import{n,s as r,t as i}from"../../chunks/client-ZqNLLMZB.js";import{n as a}from"../../chunks/host-F-DkwYJK.js";import{discoverAndImportSuites as o}from"../runner/discover.js";import{executeSuite as s}from"../runner/execute-suite.js";import{ConsoleReporter as c}from"../runner/reporters/console.js";var l=r();async function u(n,r){let i=e();t(i);let c=n.suite,l=await o(i,c);if(l.length===0){c&&c.length>0?r.error(`No suites found matching: ${c.join(`, `)}`):r.error(`No eval suites found. Create suite files under evals/ with the *.eval.ts extension.`),process.exitCode=1;return}let u,f;n.url?f={kind:`remote`,url:n.url}:(u=await a(i,{host:`127.0.0.1`,port:0}),f={kind:`local`,url:u.url});let p=d(f);try{let e=[];for(let t of l){let r=m(t,n),a=h(r,{json:n.json===!0,skipReport:n.skipReport===!0}),o=await s({suite:r,target:f,reporters:a,appRoot:i,client:p});e.push(o)}n.json&&r.log(JSON.stringify(e,null,2)),e.some(e=>e.errored>0)&&(process.exitCode=1)}finally{u&&await u.close()}process.exit(process.exitCode??0)}function d(e){if(e.kind===`local`)return new i({host:e.url});let t={},r=process.env.VERCEL_AUTOMATION_BYPASS_SECRET?.trim();return r&&(t[n]=r),new i({auth:f(),headers:Object.keys(t).length>0?t:void 0,host:e.url})}function f(){let e=process.env.ASH_EVAL_AUTH_TOKEN?.trim();return e?{bearer:e}:{bearer:p}}async function p(){try{let e=(await(0,l.getVercelOidcToken)()).trim();if(e.length>0)return e}catch{}return process.env.VERCEL_OIDC_TOKEN?.trim()??``}function m(e,t){let n=t.maxConcurrency?Number.parseInt(t.maxConcurrency,10):void 0,r=t.timeout?Number.parseInt(t.timeout,10):void 0;if(n===void 0&&r===void 0)return e;let i={...e};return n!==void 0&&(i.maxConcurrency=n),r!==void 0&&(i.timeoutMs=r),i}function h(e,t){let n=t.json?[]:[new c];return!t.skipReport&&e.reporters&&n.push(...e.reporters),n}export{u as runEvalCommand};

package/dist/src/execution/await-authorization-orchestrator.d.ts

@@ -6,7 +6,6 @@
  * effects stay inside durable steps.
  */
 import type { HarnessSession } from "#harness/types.js";
-import type { PendingConnectionAuthorization } from "#runtime/framework-tools/connection-search.js";
 import type { PendingConnectionToolCall } from "#runtime/framework-tools/pending-connection-tool-calls.js";
 /**
  * Return value of {@link awaitAuthorizationAndResolve}. The workflow
@@ -33,7 +32,6 @@ export interface AwaitAuthorizationResolveResult {
 export declare function awaitAuthorizationAndResolve(input: {
     readonly parentWritable: WritableStream<Uint8Array>;
     readonly pendingToolCalls: readonly PendingConnectionToolCall[];
-    readonly pendingAuths: readonly PendingConnectionAuthorization[];
     readonly serializedContext: Record<string, unknown>;
     readonly session: HarnessSession;
 }): Promise<AwaitAuthorizationResolveResult>;

package/dist/src/execution/await-authorization-orchestrator.js

@@ -23,8 +23,8 @@ import { completeAuthorizationForConnectionStep, emitConnectionAuthorizationPend
  */
 export async function awaitAuthorizationAndResolve(input) {
     const emissionState = getHarnessEmissionState(input.session);
-    const authsWithPendingCalls = filterAuthorizationsWithPendingCalls(input.pendingAuths, input.pendingToolCalls);
-    if (authsWithPendingCalls.length === 0) {
+    const connectionNames = uniqueConnectionNames(input.pendingToolCalls);
+    if (connectionNames.length === 0) {
         return {
             serializedContext: input.serializedContext,
             session: input.session,
@@ -39,18 +39,18 @@ export async function awaitAuthorizationAndResolve(input) {
     // the IdP at Workflow's raw
     // `/.well-known/workflow/v1/webhook/:token` endpoint, we build a
     // namespaced Ash route at
-    // `/.well-known/ash/v1/connections/:name/callback/:token`. The
+    // `/ash/v1/connections/:name/callback/:token`. The
     // matching framework route handler projects the inbound request and
     // resumes this hook via `resumeHook(token, payload)`. Owning the
     // callback in Ash lets the framework decide delivery policy (auth,
     // throttling, logging) without leaking generic workflow primitives.
     const callbackBaseUrl = trimTrailingSlash(getWorkflowMetadata().url);
-    const hooks = authsWithPendingCalls.map((auth) => {
+    const hooks = connectionNames.map((name) => {
         const hook = createHook();
         return {
-            connectionName: auth.connectionName,
+            connectionName: name,
             hook,
-            webhookUrl: `${callbackBaseUrl}${createAshConnectionCallbackRoutePath(auth.connectionName, hook.token)}`,
+            webhookUrl: `${callbackBaseUrl}${createAshConnectionCallbackRoutePath(name, hook.token)}`,
         };
     });
     // Run every `startAuthorization` inside its own durable step,
@@ -157,23 +157,15 @@ export async function awaitAuthorizationAndResolve(input) {
         tokens,
     });
 }
-/**
- * Returns the subset of `pending` whose `connectionName` appears in at
- * least one entry of `pendingCalls`.
- */
-function filterAuthorizationsWithPendingCalls(pending, pendingCalls) {
-    const targetConnectionNames = new Set();
+function uniqueConnectionNames(pendingCalls) {
+    const seen = new Set();
     for (const call of pendingCalls) {
-        if (call.kind === "connection-execute") {
-            targetConnectionNames.add(call.connectionName);
-        }
-        else {
-            for (const name of call.connectionNames) {
-                targetConnectionNames.add(name);
-            }
+        const names = call.kind === "connection-execute" ? [call.connectionName] : call.connectionNames;
+        for (const name of names) {
+            seen.add(name);
         }
     }
-    return pending.filter((p) => targetConnectionNames.has(p.connectionName));
+    return [...seen];
 }
 /**
  * Awaits the first payload delivered to `hook` via `resumeHook`, using

package/dist/src/execution/connection-auth-steps.js

@@ -14,7 +14,7 @@ import { writeCachedToken } from "#runtime/connections/authorization-tokens.js";
 import { withConnectionPrincipalOverride } from "#runtime/connections/principal-context.js";
 import { principalKey, resolveConnectionPrincipal } from "#runtime/connections/principal.js";
 import { ConnectionRegistryImpl } from "#runtime/connections/registry.js";
-import { ConnectionRegistryKey, executeConnectionSearch, PendingConnectionAuthorizationsKey, } from "#runtime/framework-tools/connection-search.js";
+import { ConnectionRegistryKey, executeConnectionSearch, } from "#runtime/framework-tools/connection-search.js";
 import { isConnectionAuthorizationPlaceholder, PendingConnectionToolCallsKey, } from "#runtime/framework-tools/pending-connection-tool-calls.js";
 import { withDefaultAuthorizationInstructions } from "#execution/authorization-challenge-defaults.js";
 import { splicePendingToolResults } from "#execution/await-authorization-splice.js";
@@ -289,9 +289,6 @@ export async function resolvePendingToolCallsStep(input) {
         return names.some((name) => !resolvedSet.has(name) && input.failedConnections[name] === undefined);
     });
     ctx.set(PendingConnectionToolCallsKey, remainingPending);
-    const currentPendingAuths = ctx.get(PendingConnectionAuthorizationsKey) ?? [];
-    const remainingPendingAuths = currentPendingAuths.filter((p) => !resolvedSet.has(p.connectionName) && input.failedConnections[p.connectionName] === undefined);
-    ctx.set(PendingConnectionAuthorizationsKey, remainingPendingAuths);
     return {
         serializedContext: serializeContext(ctx),
         session: splicedSession,

package/dist/src/execution/node-step.js

@@ -116,6 +116,19 @@ function resolveHarnessToolDefinition(input) {
             },
         };
     }
+    if (input.tool.kind === "remote") {
+        return {
+            description: input.tool.description ?? "",
+            inputSchema: jsonSchema(input.tool.inputSchema ?? {}),
+            name: input.tool.name,
+            runtimeAction: {
+                kind: "remote-agent-call",
+                nodeId: input.tool.nodeId,
+                remoteAgentName: input.tool.name,
+                subagentName: input.tool.name,
+            },
+        };
+    }
     const registeredTool = findRegisteredRuntimeTool(input.node.toolRegistry, input.tool.name);
     if (registeredTool === null) {
         return null;

package/dist/src/execution/remote-agent-dispatch.d.ts

@@ -0,0 +1,15 @@
+import type { HarnessSession } from "#harness/types.js";
+import type { RuntimeRemoteAgentCallActionRequest } from "#runtime/actions/types.js";
+import type { RuntimeSubagentRegistry } from "#runtime/subagents/registry.js";
+import type { ResolvedRuntimeRemoteAgentNode } from "#runtime/types.js";
+export declare function startRemoteAgentSession(input: {
+    readonly action: RuntimeRemoteAgentCallActionRequest;
+    readonly callbackBaseUrl: string | undefined;
+    readonly remote: ResolvedRuntimeRemoteAgentNode;
+    readonly session: HarnessSession;
+}): Promise<string>;
+export declare function resolveRemoteAgentForAction(input: {
+    readonly nodeId: string;
+    readonly registry: RuntimeSubagentRegistry["subagentsByNodeId"];
+    readonly remoteAgentName: string;
+}): ResolvedRuntimeRemoteAgentNode;

package/dist/src/execution/remote-agent-dispatch.js

@@ -0,0 +1,79 @@
+import { ASH_SESSION_ID_HEADER } from "#protocol/message.js";
+import { createAshCallbackRoutePath } from "#protocol/routes.js";
+import { formatSubagentInvocation } from "#execution/subagent-invocation.js";
+export async function startRemoteAgentSession(input) {
+    const callbackToken = input.session.continuationToken;
+    if (!callbackToken) {
+        throw new Error("Cannot dispatch remote agent without a parent continuation token.");
+    }
+    if (!input.callbackBaseUrl) {
+        throw new Error("Cannot dispatch remote agent without a callback base URL.");
+    }
+    const headers = await resolveRemoteAgentRequestHeaders(input.remote);
+    const response = await fetch(createRemoteAgentSessionUrl(input.remote), {
+        body: JSON.stringify({
+            callback: {
+                callId: input.action.callId,
+                subagentName: input.action.remoteAgentName,
+                token: callbackToken,
+                url: `${input.callbackBaseUrl}${createAshCallbackRoutePath(callbackToken)}`,
+            },
+            message: formatRemoteAgentCallInputMessage(input.action),
+            mode: "task",
+        }),
+        headers: {
+            "content-type": "application/json",
+            ...headers,
+        },
+        method: "POST",
+    });
+    if (!response.ok) {
+        throw new Error(`Remote agent "${input.action.remoteAgentName}" create-session request failed with HTTP ${response.status}.`);
+    }
+    const sessionIdFromHeader = response.headers.get(ASH_SESSION_ID_HEADER);
+    if (sessionIdFromHeader !== null && sessionIdFromHeader.length > 0) {
+        return sessionIdFromHeader;
+    }
+    try {
+        const body = (await response.json());
+        if (typeof body.sessionId === "string" && body.sessionId.length > 0) {
+            return body.sessionId;
+        }
+    }
+    catch {
+        // Fall through to the generic error below.
+    }
+    throw new Error(`Remote agent "${input.action.remoteAgentName}" create-session response did not include a session id.`);
+}
+export function resolveRemoteAgentForAction(input) {
+    const registered = input.registry.get(input.nodeId);
+    const definition = registered?.definition;
+    if (definition?.kind !== "remote") {
+        throw new Error(`Missing remote agent "${input.remoteAgentName}" in runtime registry.`);
+    }
+    return definition;
+}
+function createRemoteAgentSessionUrl(remote) {
+    return new URL(remote.path, `${trimTrailingSlash(remote.url)}/`).toString();
+}
+async function resolveRemoteAgentRequestHeaders(remote) {
+    const headers = {};
+    if (remote.headers !== undefined) {
+        Object.assign(headers, typeof remote.headers === "function" ? await remote.headers() : remote.headers);
+    }
+    if (remote.auth !== undefined) {
+        Object.assign(headers, (await remote.auth()).headers);
+    }
+    return headers;
+}
+function formatRemoteAgentCallInputMessage(input) {
+    const message = typeof input.input.message === "string" ? input.input.message : "";
+    return formatSubagentInvocation({
+        description: input.description,
+        message,
+        name: input.remoteAgentName,
+    }).message;
+}
+function trimTrailingSlash(value) {
+    return value.endsWith("/") ? value.slice(0, -1) : value;
+}

package/dist/src/execution/runtime-context.js

@@ -1,5 +1,5 @@
 import { ContextContainer } from "#context/container.js";
-import { AuthKey, BundleKey, CapabilitiesKey, ChannelKey, ContinuationTokenKey, InitiatorAuthKey, ModeKey, ParentSessionKey, } from "#context/keys.js";
+import { AuthKey, BundleKey, CapabilitiesKey, ChannelKey, ContinuationTokenKey, InitiatorAuthKey, ModeKey, ParentSessionKey, SessionCallbackKey, } from "#context/keys.js";
 /**
  * Builds the bootstrap {@link ContextContainer} for one run.
  */
@@ -16,6 +16,9 @@ export function buildRunContext(input) {
     if (run.capabilities !== undefined) {
         ctx.set(CapabilitiesKey, run.capabilities);
     }
+    if (run.callback !== undefined) {
+        ctx.set(SessionCallbackKey, run.callback);
+    }
     if (run.parent !== undefined) {
         ctx.set(ParentSessionKey, run.parent);
     }

package/dist/src/execution/session-callback-step.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Sends the configured session terminal callback.
+ *
+ * Absence is a no-op. Once callback metadata is present, delivery is part of
+ * the remote delegation result path, so failures are logged and rethrown
+ * instead of being reported as a successful terminal step. Throwing is
+ * intentional: this function runs as a durable Workflow step, so rejection
+ * hands retry/failure policy back to the Workflow orchestrator rather than
+ * letting Ash falsely mark the callback delivery as complete.
+ */
+export declare function fireSessionCallbackStep(input: {
+    readonly error?: unknown;
+    readonly output?: string;
+    readonly serializedContext: Record<string, unknown>;
+    readonly status: "completed" | "failed";
+}): Promise<void>;

package/dist/src/execution/session-callback-step.js

@@ -0,0 +1,72 @@
+import { parseSessionCallback } from "#channel/session-callback.js";
+import { SessionCallbackKey } from "#context/keys.js";
+import { createLogger } from "#internal/logging.js";
+import { toErrorMessage } from "#shared/errors.js";
+const SESSION_CALLBACK_TIMEOUT_MS = 30_000;
+const log = createLogger("execution.session-callback");
+/**
+ * Sends the configured session terminal callback.
+ *
+ * Absence is a no-op. Once callback metadata is present, delivery is part of
+ * the remote delegation result path, so failures are logged and rethrown
+ * instead of being reported as a successful terminal step. Throwing is
+ * intentional: this function runs as a durable Workflow step, so rejection
+ * hands retry/failure policy back to the Workflow orchestrator rather than
+ * letting Ash falsely mark the callback delivery as complete.
+ */
+export async function fireSessionCallbackStep(input) {
+    "use step";
+    const sessionId = input.serializedContext["ash.sessionId"] ?? "";
+    const value = input.serializedContext[SessionCallbackKey.name];
+    if (value === undefined) {
+        return;
+    }
+    try {
+        const callback = parseSerializedSessionCallback(value);
+        const body = input.status === "completed"
+            ? {
+                callId: callback.callId,
+                kind: "session.completed",
+                output: input.output ?? "",
+                sessionId,
+                subagentName: callback.subagentName,
+            }
+            : {
+                callId: callback.callId,
+                error: {
+                    code: "SESSION_FAILED",
+                    message: toErrorMessage(input.error),
+                },
+                kind: "session.failed",
+                sessionId,
+                subagentName: callback.subagentName,
+            };
+        const response = await fetch(callback.url, {
+            body: JSON.stringify(body),
+            headers: {
+                "content-type": "application/json",
+            },
+            method: "POST",
+            signal: AbortSignal.timeout(SESSION_CALLBACK_TIMEOUT_MS),
+        });
+        if (!response.ok) {
+            throw new Error(`Session callback failed with HTTP ${response.status}.`);
+        }
+    }
+    catch (error) {
+        log.error("failed to post session callback", {
+            error,
+            sessionId,
+        });
+        throw error;
+    }
+}
+function parseSerializedSessionCallback(value) {
+    const parsed = parseSessionCallback(value);
+    if (!parsed.ok) {
+        throw new Error("Serialized session callback is invalid.", {
+            cause: parsed.cause,
+        });
+    }
+    return parsed.callback;
+}

package/dist/src/execution/subagent-invocation.d.ts

@@ -0,0 +1,16 @@
+import type { StepInput } from "#harness/types.js";
+/**
+ * Narrowed form of {@link StepInput} whose `message` is always a plain string.
+ * Delegated child runs receive a synthesized text-only prompt.
+ */
+export interface FormattedSubagentInvocation extends StepInput {
+    readonly message: string;
+}
+/**
+ * Formats the stable delegated input handed to one child agent invocation.
+ */
+export declare function formatSubagentInvocation(input: {
+    readonly description: string;
+    readonly message: string;
+    readonly name: string;
+}): FormattedSubagentInvocation;

package/dist/src/execution/subagent-invocation.js

@@ -0,0 +1,16 @@
+/**
+ * Formats the stable delegated input handed to one child agent invocation.
+ */
+export function formatSubagentInvocation(input) {
+    return {
+        message: [
+            `You are the subagent "${input.name}".`,
+            `Description: ${input.description}`,
+            "",
+            "The caller delegated the following task to you. Complete it and return the final result directly.",
+            "",
+            "Caller message:",
+            input.message,
+        ].join("\n"),
+    };
+}

package/dist/src/execution/subagent-tool.js

@@ -1,4 +1,5 @@
 import { SUBAGENT_ADAPTER_KIND } from "#execution/subagent-adapter.js";
+import { formatSubagentInvocation } from "#execution/subagent-invocation.js";
 import { mintSubagentContinuationToken } from "#execution/session.js";
 /**
  * Builds the {@link RunInput} for one delegated subagent child run.
@@ -39,13 +40,9 @@ export function buildSubagentRunInput(input) {
  */
 function formatSubagentCallInputMessage(action) {
     const { message } = action.input;
-    return [
-        `You are the subagent "${action.subagentName}".`,
-        `Description: ${action.description}`,
-        "",
-        "The caller delegated the following task to you. Complete it and return the final result directly.",
-        "",
-        "Caller message:",
+    return formatSubagentInvocation({
+        description: action.description,
         message,
-    ].join("\n");
+        name: action.subagentName,
+    }).message;
 }

package/dist/src/execution/turn-workflow.js

@@ -61,7 +61,6 @@ export async function turnWorkflow(input) {
             if (result.action === "await-authorization") {
                 const resolved = await awaitAuthorizationAndResolve({
                     parentWritable,
-                    pendingAuths: result.pendingAuths,
                     pendingToolCalls: result.pendingToolCalls,
                     serializedContext: currentSerializedContext,
                     session: currentSession,

package/dist/src/execution/workflow-entry.js

@@ -8,6 +8,7 @@ import { accumulateRuntimeActionResults, hasPendingRuntimeActionBatch, } from "#
 import { toErrorMessage } from "#shared/errors.js";
 import { normalizeSerializableError, rebuildSerializableError, } from "#execution/workflow-errors.js";
 import { createSessionStep, dispatchTurnStep, dispatchPendingRuntimeActionsStep, emitTerminalSessionFailureStep, routeProxiedDeliverStep, runProxyInputRequestStep, } from "#execution/workflow-steps.js";
+import { fireSessionCallbackStep } from "#execution/session-callback-step.js";
 /**
  * Long-lived workflow entrypoint for the durable runtime.
  *
@@ -64,6 +65,11 @@ export async function workflowEntry(input) {
             parentWritable: driverWritable,
             serializedContext: input.serializedContext,
         });
+        await fireSessionCallbackStep({
+            error: normalizeSerializableError(error),
+            serializedContext: input.serializedContext,
+            status: "failed",
+        });
         await notifyDelegatedParentStep({
             result: createDelegatedSubagentErrorResult(input.serializedContext, error),
             serializedContext: input.serializedContext,
@@ -88,6 +94,11 @@ async function runDriverLoop(input) {
     currentSession = currentResult.session;
     currentSerializedContext = currentResult.serializedContext;
     if (currentResult.action === "done") {
+        await fireSessionCallbackStep({
+            output: currentResult.output ?? "",
+            serializedContext: currentSerializedContext,
+            status: "completed",
+        });
         await notifyDelegatedParentStep({
             result: createDelegatedSubagentSuccessResult(currentSerializedContext, currentResult.output ?? ""),
             serializedContext: currentSerializedContext,
@@ -138,15 +149,18 @@ async function runDriverLoop(input) {
     try {
         while (true) {
             if (hasPendingRuntimeActionBatch(currentSession)) {
-                currentSession = await dispatchPendingRuntimeActionsStep({
+                const dispatchResult = await dispatchPendingRuntimeActionsStep({
+                    callbackBaseUrl: getWorkflowMetadata().url.replace(/\/$/, ""),
                     parentWritable: input.driverWritable,
                     serializedContext: currentSerializedContext,
                     session: currentSession,
                 });
+                currentSession = dispatchResult.session;
                 const runtimeResults = await waitForPendingRuntimeActionResults({
                     bufferedDeliveries,
                     getNextPromise,
                     consumeNext,
+                    initialResults: dispatchResult.results,
                     rekeyHook,
                     parentWritable: input.driverWritable,
                     serializedContext: currentSerializedContext,
@@ -207,6 +221,11 @@ async function runDriverLoop(input) {
             currentSession = currentResult.session;
             currentSerializedContext = currentResult.serializedContext;
             if (currentResult.action === "done") {
+                await fireSessionCallbackStep({
+                    output: currentResult.output ?? "",
+                    serializedContext: currentSerializedContext,
+                    status: "completed",
+                });
                 await notifyDelegatedParentStep({
                     result: createDelegatedSubagentSuccessResult(currentSerializedContext, currentResult.output ?? ""),
                     serializedContext: currentSerializedContext,
@@ -309,6 +328,7 @@ async function waitForPendingRuntimeActionResults(input) {
                 await input.rekeyHook(currentSession.continuationToken);
             }
         },
+        initialResults: input.initialResults,
         session: currentSession,
     });
     if (results === null) {

package/dist/src/execution/workflow-steps.d.ts

@@ -2,9 +2,9 @@ import type { DeliverPayload, HookPayload, SessionAuthContext, SubagentInputRequ
 import { deserializeContext } from "#context/serialize.js";
 import type { HarnessSession } from "#harness/types.js";
 import type { RuntimeCompiledArtifactsSource } from "#runtime/compiled-artifacts-source.js";
-import { type PendingConnectionAuthorization } from "#runtime/framework-tools/connection-search.js";
 import { type PendingConnectionToolCall } from "#runtime/framework-tools/pending-connection-tool-calls.js";
 import { type TurnWorkflowInput } from "#execution/turn-workflow.js";
+import type { RuntimeSubagentResultActionResult } from "#runtime/actions/types.js";
 /**
  * Serializable projection of a step result for workflow persistence.
  */
@@ -16,7 +16,6 @@ export type DurableStepResult = {
 } | {
     readonly action: "await-authorization";
     readonly pendingToolCalls: readonly PendingConnectionToolCall[];
-    readonly pendingAuths: readonly PendingConnectionAuthorization[];
     readonly serializedContext: Record<string, unknown>;
     readonly session: HarnessSession;
 };
@@ -57,10 +56,14 @@ export declare function reconcileSessionContinuationToken(ctx: Awaited<ReturnTyp
  * runs independently on its own public child stream.
  */
 export declare function dispatchPendingRuntimeActionsStep(input: {
+    readonly callbackBaseUrl?: string;
     readonly parentWritable: WritableStream<Uint8Array>;
     readonly serializedContext: Record<string, unknown>;
     readonly session: HarnessSession;
-}): Promise<HarnessSession>;
+}): Promise<{
+    readonly results: readonly RuntimeSubagentResultActionResult[];
+    readonly session: HarnessSession;
+}>;
 /**
  * Emits a terminal `session.failed` event and delivers it to the
  * adapter before the workflow run tears down.