git-doc-mcp 0.1.0

package/dist/manifest/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/manifest/schema.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;GAEG;AACH,eAAO,MAAM,mBAAmB,aAAiC,CAAC;AAElE;;;GAGG;AACH,eAAO,MAAM,iBAAiB,aAAoB,CAAC;AAEnD;;GAEG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;EAQvB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;EAMhC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;EAK5B,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAQrB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;EAKzB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;EAI1B,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;EAGlC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAOtC,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAG9B,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAG9B,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAMvB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAUzB,CAAC;AAEH;;GAEG;AACH,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAEtD;;GAEG;AACH,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAElD;;GAEG;AACH,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAE9C;;GAEG;AACH,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAEtD;;GAEG;AACH,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAElD;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,wBAAgB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,GAAG,QAAQ,CAGpG;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,OAAO,GAAG,QAAQ,CAE5D"}

package/dist/manifest/schema.js

@@ -0,0 +1,148 @@
+/**
+ * Zod schema for git-doc-mcp manifest files.
+ * @module manifest/schema
+ */
+import { z } from 'zod';
+/**
+ * Schema version for future compatibility.
+ */
+export const SchemaVersionSchema = z.string().regex(/^\d+\.\d+$/);
+/**
+ * Secret scope pattern for URL validation.
+ * Examples: "https://api.github.com/*", "https://raw.githubusercontent.com"
+ */
+export const SecretScopeSchema = z.string().min(1);
+/**
+ * Secret declaration in a manifest.
+ */
+export const SecretSchema = z.object({
+    name: z.string().min(1),
+    description: z.string().optional(),
+    scope: z.union([
+        SecretScopeSchema,
+        z.array(SecretScopeSchema).min(1),
+    ]),
+    required: z.boolean().default(false),
+});
+/**
+ * Tool annotation hints for MCP clients.
+ */
+export const ToolAnnotationsSchema = z.object({
+    title: z.string().optional(),
+    readOnlyHint: z.boolean().default(false),
+    destructiveHint: z.boolean().default(false),
+    idempotentHint: z.boolean().default(false),
+    openWorldHint: z.boolean().default(false),
+});
+/**
+ * JSON Schema for tool input validation.
+ */
+export const InputSchemaSchema = z.object({
+    type: z.literal('object'),
+    properties: z.record(z.unknown()),
+    required: z.array(z.string()).optional(),
+    additionalProperties: z.boolean().optional(),
+});
+/**
+ * Tool definition in a manifest.
+ */
+export const ToolSchema = z.object({
+    name: z.string().min(1).max(64).regex(/^[a-zA-Z0-9_-]+$/),
+    title: z.string().optional(),
+    description: z.string().min(1),
+    inputSchema: InputSchemaSchema,
+    action: z.string().url(),
+    actionHash: z.string().regex(/^sha256:[a-f0-9]{64}$/),
+    annotations: ToolAnnotationsSchema.optional(),
+});
+/**
+ * Resource definition in a manifest.
+ */
+export const ResourceSchema = z.object({
+    name: z.string().min(1),
+    uri: z.string().url(),
+    description: z.string().optional(),
+    mimeType: z.string().optional(),
+});
+/**
+ * Prompt argument definition.
+ */
+export const PromptArgSchema = z.object({
+    name: z.string().min(1),
+    description: z.string().optional(),
+    required: z.boolean().default(false),
+});
+/**
+ * Text content in a prompt message (MCP TextContent).
+ */
+export const PromptTextContentSchema = z.object({
+    type: z.literal('text'),
+    text: z.string().min(1),
+});
+/**
+ * Embedded resource content in a prompt message (MCP EmbeddedResource).
+ */
+export const PromptResourceContentSchema = z.object({
+    type: z.literal('resource'),
+    resource: z.object({
+        uri: z.string().min(1),
+        text: z.string().optional(),
+        mimeType: z.string().optional(),
+    }),
+});
+/**
+ * Content block in a prompt message.
+ * Matches MCP ContentBlock subset relevant for declarative prompts.
+ */
+export const PromptContentSchema = z.discriminatedUnion('type', [
+    PromptTextContentSchema,
+    PromptResourceContentSchema,
+]);
+/**
+ * A message in a prompt template (MCP PromptMessage).
+ */
+export const PromptMessageSchema = z.object({
+    role: z.enum(['user', 'assistant']),
+    content: PromptContentSchema,
+});
+/**
+ * Prompt definition in a manifest.
+ *
+ * When `messages` is provided, they are returned directly (with {{arg}} substitution).
+ * When omitted, a single user message is built from `description` + args.
+ */
+export const PromptSchema = z.object({
+    name: z.string().min(1).max(64).regex(/^[a-zA-Z0-9_-]+$/),
+    title: z.string().optional(),
+    description: z.string().min(1),
+    args: z.array(PromptArgSchema).optional(),
+    messages: z.array(PromptMessageSchema).min(1).optional(),
+});
+/**
+ * Complete manifest schema.
+ */
+export const ManifestSchema = z.object({
+    schemaVersion: SchemaVersionSchema,
+    name: z.string().min(1).max(64),
+    version: z.string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.]+)?$/),
+    description: z.string().optional(),
+    instructions: z.string().optional(),
+    secrets: z.array(SecretSchema).optional(),
+    tools: z.array(ToolSchema).min(1),
+    resources: z.array(ResourceSchema).optional(),
+    prompts: z.array(PromptSchema).optional(),
+});
+/**
+ * Parse and validate a manifest from YAML content.
+ */
+export function parseManifest(yamlContent, parseYaml) {
+    const raw = parseYaml(yamlContent);
+    return ManifestSchema.parse(raw);
+}
+/**
+ * Validate a manifest object.
+ */
+export function validateManifest(manifest) {
+    return ManifestSchema.parse(manifest);
+}
+//# sourceMappingURL=schema.js.map

package/dist/manifest/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/manifest/schema.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;AAElE;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAEnD;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC;QACb,iBAAiB;QACjB,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;KAClC,CAAC;IACF,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACrC,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,YAAY,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACxC,eAAe,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC3C,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC1C,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CAC1C,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACxC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IACzB,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACjC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxC,oBAAoB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC7C,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC;IACzD,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,WAAW,EAAE,iBAAiB;IAC9B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACxB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,uBAAuB,CAAC;IACrD,WAAW,EAAE,qBAAqB,CAAC,QAAQ,EAAE;CAC9C,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACrB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACrC,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IACvB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CACxB,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAClD,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAC3B,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;QACjB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACtB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC3B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAChC,CAAC;CACH,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IAC9D,uBAAuB;IACvB,2BAA2B;CAC5B,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACnC,OAAO,EAAE,mBAAmB;CAC7B,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC;IACzD,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,QAAQ,EAAE;IACzC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;CACzD,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,aAAa,EAAE,mBAAmB;IAClC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;IAC/B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,kCAAkC,CAAC;IAC7D,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,QAAQ,EAAE;IACzC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACjC,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE;IAC7C,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,QAAQ,EAAE;CAC1C,CAAC,CAAC;AA0CH;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,WAAmB,EAAE,SAAuC;IACxF,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;IACnC,OAAO,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAiB;IAChD,OAAO,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;AACxC,CAAC"}

package/dist/rate-limit/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Rate limiting module.
+ * @module rate-limit
+ */
+export { RateLimiter } from './limiter.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/rate-limit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rate-limit/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC"}

package/dist/rate-limit/index.js

@@ -0,0 +1,6 @@
+/**
+ * Rate limiting module.
+ * @module rate-limit
+ */
+export { RateLimiter } from './limiter.js';
+//# sourceMappingURL=index.js.map

package/dist/rate-limit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rate-limit/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC"}

package/dist/rate-limit/limiter.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Sliding-window rate limiter.
+ * @module rate-limit/limiter
+ */
+/**
+ * A simple sliding-window rate limiter.
+ *
+ * Tracks call timestamps in an array and prunes entries
+ * outside the sliding window on each acquire attempt.
+ *
+ * @example
+ * ```typescript
+ * const limiter = new RateLimiter(60, 60_000); // 60 calls per minute
+ * if (!limiter.tryAcquire()) {
+ *   // Rate limited
+ * }
+ * ```
+ */
+export declare class RateLimiter {
+    private readonly maxCalls;
+    private readonly windowMs;
+    private timestamps;
+    /**
+     * @param maxCalls - Maximum number of calls allowed in the window
+     * @param windowMs - Window size in milliseconds
+     */
+    constructor(maxCalls?: number, windowMs?: number);
+    /**
+     * Try to acquire a rate limit slot.
+     * @returns true if the call is allowed, false if rate limited
+     */
+    tryAcquire(): boolean;
+    /**
+     * Get the current number of calls in the window.
+     */
+    get currentCount(): number;
+}
+//# sourceMappingURL=limiter.d.ts.map

package/dist/rate-limit/limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"limiter.d.ts","sourceRoot":"","sources":["../../src/rate-limit/limiter.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;;;;;;;;;;GAaG;AACH,qBAAa,WAAW;IAQpB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IAR3B,OAAO,CAAC,UAAU,CAAgB;IAElC;;;OAGG;gBAEgB,QAAQ,GAAE,MAAW,EACrB,QAAQ,GAAE,MAAe;IAG5C;;;OAGG;IACH,UAAU,IAAI,OAAO;IAerB;;OAEG;IACH,IAAI,YAAY,IAAI,MAAM,CAIzB;CACF"}

package/dist/rate-limit/limiter.js

@@ -0,0 +1,55 @@
+/**
+ * Sliding-window rate limiter.
+ * @module rate-limit/limiter
+ */
+/**
+ * A simple sliding-window rate limiter.
+ *
+ * Tracks call timestamps in an array and prunes entries
+ * outside the sliding window on each acquire attempt.
+ *
+ * @example
+ * ```typescript
+ * const limiter = new RateLimiter(60, 60_000); // 60 calls per minute
+ * if (!limiter.tryAcquire()) {
+ *   // Rate limited
+ * }
+ * ```
+ */
+export class RateLimiter {
+    maxCalls;
+    windowMs;
+    timestamps = [];
+    /**
+     * @param maxCalls - Maximum number of calls allowed in the window
+     * @param windowMs - Window size in milliseconds
+     */
+    constructor(maxCalls = 60, windowMs = 60_000) {
+        this.maxCalls = maxCalls;
+        this.windowMs = windowMs;
+    }
+    /**
+     * Try to acquire a rate limit slot.
+     * @returns true if the call is allowed, false if rate limited
+     */
+    tryAcquire() {
+        const now = Date.now();
+        const windowStart = now - this.windowMs;
+        // Prune expired timestamps
+        this.timestamps = this.timestamps.filter(t => t > windowStart);
+        if (this.timestamps.length >= this.maxCalls) {
+            return false;
+        }
+        this.timestamps.push(now);
+        return true;
+    }
+    /**
+     * Get the current number of calls in the window.
+     */
+    get currentCount() {
+        const now = Date.now();
+        const windowStart = now - this.windowMs;
+        return this.timestamps.filter(t => t > windowStart).length;
+    }
+}
+//# sourceMappingURL=limiter.js.map

package/dist/rate-limit/limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"limiter.js","sourceRoot":"","sources":["../../src/rate-limit/limiter.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;;;;;;;;;;GAaG;AACH,MAAM,OAAO,WAAW;IAQH;IACA;IARX,UAAU,GAAa,EAAE,CAAC;IAElC;;;OAGG;IACH,YACmB,WAAmB,EAAE,EACrB,WAAmB,MAAM;QADzB,aAAQ,GAAR,QAAQ,CAAa;QACrB,aAAQ,GAAR,QAAQ,CAAiB;IACzC,CAAC;IAEJ;;;OAGG;IACH,UAAU;QACR,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;QAExC,2BAA2B;QAC3B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC;QAE/D,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,IAAI,YAAY;QACd,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;QACxC,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC,MAAM,CAAC;IAC7D,CAAC;CACF"}

package/dist/sandbox/context.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Action execution context.
+ * @module sandbox/context
+ */
+import { Manifest } from '../manifest/schema.js';
+import type { AuditLogger } from '../audit/logger.js';
+/**
+ * Simplified manifest for context (only needed fields).
+ */
+export interface SimplifiedManifest {
+    name: string;
+    version: string;
+}
+/**
+ * Action context passed to action scripts.
+ */
+export interface ActionContext {
+    /** Manifest metadata */
+    manifest: SimplifiedManifest;
+    /**
+     * Scoped fetch function.
+     * - Validates URL for SSRF
+     * - Re-validates redirect URLs
+     * - Resolves relative redirects
+     * - Logs all requests for audit
+     */
+    fetch: (url: string, options?: FetchOptions) => Promise<Response>;
+    /**
+     * Get a secret value with URL scope validation.
+     * Returns the secret value if the URL matches the secret's scope,
+     * or undefined if the secret doesn't exist or the URL is out of scope.
+     */
+    getSecret: (name: string, url: string) => string | undefined;
+    /**
+     * Logging function.
+     */
+    log: (level: 'debug' | 'info' | 'warn' | 'error', message: string) => void;
+}
+/**
+ * Fetch options for ctx.fetch.
+ */
+export interface FetchOptions extends RequestInit {
+    /** Maximum response size in bytes */
+    maxSize?: number;
+}
+/**
+ * Options for creating action context.
+ */
+export interface CreateContextOptions {
+    manifest: SimplifiedManifest | Manifest;
+    secrets: Record<string, string>;
+    /** Secret scopes: secret name -> patterns */
+    secretScopes: Record<string, string[]>;
+    /** Maximum response size (default: 10MB) */
+    maxResponseSize?: number;
+    /** Maximum redirects (default: 5) */
+    maxRedirects?: number;
+    /** Logger function */
+    logger?: (level: string, message: string) => void;
+    /** Request timeout in ms */
+    timeout?: number;
+    /** Optional audit logger for structured event logging */
+    auditLogger?: AuditLogger;
+}
+/**
+ * Create action context for isolated execution.
+ */
+export declare function createActionContext(options: CreateContextOptions): ActionContext;
+//# sourceMappingURL=context.d.ts.map

package/dist/sandbox/context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../../src/sandbox/context.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAGjD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAGtD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,wBAAwB;IACxB,QAAQ,EAAE,kBAAkB,CAAC;IAE7B;;;;;;OAMG;IACH,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,YAAY,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAElE;;;;OAIG;IACH,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;IAE7D;;OAEG;IACH,GAAG,EAAE,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,EAAE,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CAC5E;AAED;;GAEG;AACH,MAAM,WAAW,YAAa,SAAQ,WAAW;IAC/C,qCAAqC;IACrC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,kBAAkB,GAAG,QAAQ,CAAC;IACxC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,6CAA6C;IAC7C,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACvC,4CAA4C;IAC5C,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,qCAAqC;IACrC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,sBAAsB;IACtB,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAClD,4BAA4B;IAC5B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,oBAAoB,GAAG,aAAa,CAwJhF"}

package/dist/sandbox/context.js

@@ -0,0 +1,134 @@
+/**
+ * Action execution context.
+ * @module sandbox/context
+ */
+import { validateUrl, validateRedirect } from './url-validator.js';
+import { validateUrlScope } from '../secrets/patterns.js';
+import { stripCrossOriginHeaders } from '../http/redirect-utils.js';
+/**
+ * Create action context for isolated execution.
+ */
+export function createActionContext(options) {
+    const { manifest, secrets, secretScopes, maxResponseSize = 10 * 1024 * 1024, // 10MB
+    maxRedirects = 5, logger = console.error, auditLogger, } = options;
+    const log = (level, message) => {
+        logger(level, `[${manifest.name}] ${message}`);
+        auditLogger?.logActionLog(level, message, manifest.name);
+    };
+    /**
+     * Get a secret with URL scope validation (AC2-AC4).
+     * The inverted scope logic is removed (AC5) — scope validation only
+     * applies when a secret is explicitly accessed via getSecret.
+     */
+    const getSecret = (name, url) => {
+        const value = secrets[name];
+        if (!value)
+            return undefined;
+        const patterns = secretScopes[name];
+        if (!patterns)
+            return undefined;
+        try {
+            validateUrlScope(url, patterns);
+            auditLogger?.logSecretAccess(name, url, true, manifest.name);
+            return value;
+        }
+        catch {
+            auditLogger?.logSecretAccess(name, url, false, manifest.name);
+            return undefined;
+        }
+    };
+    const scopedFetch = async (url, init = {}) => {
+        const maxSize = init.maxSize ?? maxResponseSize;
+        // Remove maxSize from init before passing to native fetch
+        let { maxSize: _, ...fetchInit } = init;
+        // Pre-fetch audit log: always fires as an attempt signal
+        auditLogger?.logFetch(url, undefined, undefined, manifest.name);
+        const startTime = Date.now();
+        let responseStatus;
+        try {
+            // Validate URL for SSRF inside try/finally so DNS failures are also audit-logged (AC25)
+            await validateUrl(url, { maxRedirects });
+            // Execute fetch with redirect validation
+            let currentUrl = url;
+            let redirectCount = 0;
+            while (redirectCount < maxRedirects) {
+                const response = await fetch(currentUrl, {
+                    ...fetchInit,
+                    redirect: 'manual',
+                });
+                // Handle redirect
+                if (response.status >= 300 && response.status < 400) {
+                    const rawRedirectUrl = response.headers.get('location');
+                    if (!rawRedirectUrl) {
+                        throw new Error(`Redirect without location header from ${currentUrl}`);
+                    }
+                    redirectCount++;
+                    // Resolve relative redirect URLs against current URL (AC11, AC12)
+                    const resolvedRedirectUrl = new URL(rawRedirectUrl, currentUrl).href;
+                    // Validate redirect URL for SSRF (AC13)
+                    await validateRedirect(resolvedRedirectUrl, currentUrl, { maxRedirects });
+                    // Strip sensitive headers on cross-origin redirect
+                    // Pass headers directly — stripCrossOriginHeaders normalizes HeadersInit (Headers, tuples, objects)
+                    const safeHeaders = stripCrossOriginHeaders(fetchInit.headers ?? {}, currentUrl, resolvedRedirectUrl);
+                    fetchInit = { ...fetchInit, headers: safeHeaders };
+                    auditLogger?.logRedirect(currentUrl, resolvedRedirectUrl, manifest.name);
+                    currentUrl = resolvedRedirectUrl;
+                    continue;
+                }
+                // Record the final HTTP status for the post-fetch audit log
+                responseStatus = response.status;
+                // Check response size
+                const contentLength = response.headers.get('content-length');
+                if (contentLength && parseInt(contentLength, 10) > maxSize) {
+                    throw new Error(`Response too large: ${contentLength} bytes (max: ${maxSize})`);
+                }
+                // Actually enforce size by reading with limit
+                const reader = response.body?.getReader();
+                if (reader) {
+                    const chunks = [];
+                    let totalSize = 0;
+                    while (true) {
+                        const { done, value } = await reader.read();
+                        if (done)
+                            break;
+                        totalSize += value.length;
+                        if (totalSize > maxSize) {
+                            reader.cancel();
+                            throw new Error(`Response body too large: ${totalSize} bytes (max: ${maxSize})`);
+                        }
+                        chunks.push(value);
+                    }
+                    // Reconstruct response with the body
+                    const body = new Uint8Array(totalSize);
+                    let offset = 0;
+                    for (const chunk of chunks) {
+                        body.set(chunk, offset);
+                        offset += chunk.length;
+                    }
+                    // Return a new response with the read body
+                    return new Response(body, {
+                        status: response.status,
+                        statusText: response.statusText,
+                        headers: response.headers,
+                    });
+                }
+                return response;
+            }
+            throw new Error(`Too many redirects (max: ${maxRedirects})`);
+        }
+        finally {
+            // Post-fetch audit log: fires on success and error paths (AC25)
+            auditLogger?.logFetch(url, responseStatus, Date.now() - startTime, manifest.name);
+        }
+    };
+    return {
+        manifest: {
+            name: manifest.name,
+            version: manifest.version,
+        },
+        fetch: scopedFetch,
+        getSecret,
+        log,
+    };
+}
+//# sourceMappingURL=context.js.map

package/dist/sandbox/context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.js","sourceRoot":"","sources":["../../src/sandbox/context.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AAmEpE;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAA6B;IAC/D,MAAM,EACJ,QAAQ,EACR,OAAO,EACP,YAAY,EACZ,eAAe,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,OAAO;IAC3C,YAAY,GAAG,CAAC,EAChB,MAAM,GAAG,OAAO,CAAC,KAAK,EACtB,WAAW,GACZ,GAAG,OAAO,CAAC;IAEZ,MAAM,GAAG,GAAyB,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACnD,MAAM,CAAC,KAAK,EAAE,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QAC/C,WAAW,EAAE,YAAY,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC3D,CAAC,CAAC;IAEF;;;;OAIG;IACH,MAAM,SAAS,GAAG,CAAC,IAAY,EAAE,GAAW,EAAsB,EAAE;QAClE,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC5B,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,CAAC,QAAQ;YAAE,OAAO,SAAS,CAAC;QAChC,IAAI,CAAC;YACH,gBAAgB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YAChC,WAAW,EAAE,eAAe,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC7D,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,WAAW,EAAE,eAAe,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC9D,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC,CAAC;IAEF,MAAM,WAAW,GAA2B,KAAK,EAAE,GAAG,EAAE,IAAI,GAAG,EAAE,EAAE,EAAE;QACnE,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAC;QAChD,0DAA0D;QAC1D,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,SAAS,EAAE,GAAG,IAAI,CAAC;QAExC,yDAAyD;QACzD,WAAW,EAAE,QAAQ,CAAC,GAAG,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QAEhE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,IAAI,cAAkC,CAAC;QAEvC,IAAI,CAAC;YACH,wFAAwF;YACxF,MAAM,WAAW,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;YAEzC,yCAAyC;YACzC,IAAI,UAAU,GAAG,GAAG,CAAC;YACrB,IAAI,aAAa,GAAG,CAAC,CAAC;YAEtB,OAAO,aAAa,GAAG,YAAY,EAAE,CAAC;gBACpC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;oBACvC,GAAG,SAAS;oBACZ,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;gBAEH,kBAAkB;gBAClB,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;oBACpD,MAAM,cAAc,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;oBACxD,IAAI,CAAC,cAAc,EAAE,CAAC;wBACpB,MAAM,IAAI,KAAK,CAAC,yCAAyC,UAAU,EAAE,CAAC,CAAC;oBACzE,CAAC;oBAED,aAAa,EAAE,CAAC;oBAEhB,kEAAkE;oBAClE,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC;oBAErE,wCAAwC;oBACxC,MAAM,gBAAgB,CAAC,mBAAmB,EAAE,UAAU,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;oBAE1E,mDAAmD;oBACnD,oGAAoG;oBACpG,MAAM,WAAW,GAAG,uBAAuB,CAAC,SAAS,CAAC,OAAO,IAAI,EAAE,EAAE,UAAU,EAAE,mBAAmB,CAAC,CAAC;oBACtG,SAAS,GAAG,EAAE,GAAG,SAAS,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;oBAEnD,WAAW,EAAE,WAAW,CAAC,UAAU,EAAE,mBAAmB,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;oBACzE,UAAU,GAAG,mBAAmB,CAAC;oBACjC,SAAS;gBACX,CAAC;gBAED,4DAA4D;gBAC5D,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC;gBAEjC,sBAAsB;gBACtB,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;gBAC7D,IAAI,aAAa,IAAI,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC;oBAC3D,MAAM,IAAI,KAAK,CACb,uBAAuB,aAAa,gBAAgB,OAAO,GAAG,CAC/D,CAAC;gBACJ,CAAC;gBAED,8CAA8C;gBAC9C,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;gBAC1C,IAAI,MAAM,EAAE,CAAC;oBACX,MAAM,MAAM,GAAiB,EAAE,CAAC;oBAChC,IAAI,SAAS,GAAG,CAAC,CAAC;oBAElB,OAAO,IAAI,EAAE,CAAC;wBACZ,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;wBAC5C,IAAI,IAAI;4BAAE,MAAM;wBAEhB,SAAS,IAAI,KAAK,CAAC,MAAM,CAAC;wBAC1B,IAAI,SAAS,GAAG,OAAO,EAAE,CAAC;4BACxB,MAAM,CAAC,MAAM,EAAE,CAAC;4BAChB,MAAM,IAAI,KAAK,CACb,4BAA4B,SAAS,gBAAgB,OAAO,GAAG,CAChE,CAAC;wBACJ,CAAC;wBACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;oBACrB,CAAC;oBAED,qCAAqC;oBACrC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;oBACvC,IAAI,MAAM,GAAG,CAAC,CAAC;oBACf,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;wBAC3B,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;wBACxB,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC;oBACzB,CAAC;oBAED,2CAA2C;oBAC3C,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;wBACxB,MAAM,EAAE,QAAQ,CAAC,MAAM;wBACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;wBAC/B,OAAO,EAAE,QAAQ,CAAC,OAAO;qBAC1B,CAAC,CAAC;gBACL,CAAC;gBAED,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,MAAM,IAAI,KAAK,CAAC,4BAA4B,YAAY,GAAG,CAAC,CAAC;QAC/D,CAAC;gBAAS,CAAC;YACT,gEAAgE;YAChE,WAAW,EAAE,QAAQ,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QACpF,CAAC;IACH,CAAC,CAAC;IAEF,OAAO;QACL,QAAQ,EAAE;YACR,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,OAAO,EAAE,QAAQ,CAAC,OAAO;SAC1B;QACD,KAAK,EAAE,WAAW;QAClB,SAAS;QACT,GAAG;KACJ,CAAC;AACJ,CAAC"}

package/dist/sandbox/executor.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Sandbox executor using isolated-vm.
+ * @module sandbox/executor
+ */
+import { CreateContextOptions } from './context.js';
+/**
+ * Sandbox executor options.
+ */
+export interface SandboxOptions {
+    /** Memory limit in bytes (default: 128MB) */
+    memoryLimit?: number;
+    /** CPU time limit in ms (default: 30000) */
+    cpuTimeLimit?: number;
+    /** Wall time limit in ms (default: 60000) */
+    wallTimeLimit?: number;
+}
+/**
+ * Tool result from action execution.
+ */
+export interface ToolResult {
+    content: Array<{
+        type: 'text';
+        text: string;
+    } | {
+        type: 'image';
+        data: string;
+        mimeType: string;
+    }>;
+    isError?: boolean;
+}
+/**
+ * Validate and truncate result if too large.
+ */
+export declare function validateResultSize(result: ToolResult): ToolResult;
+/**
+ * Transform ES module action code to CommonJS-style for isolated-vm.
+ */
+export declare function transformActionCode(code: string): string;
+/**
+ * Execute an action script in an isolated sandbox.
+ *
+ * The action code should export a default async function:
+ * ```javascript
+ * export default async function myAction(input, ctx) {
+ *   return { content: [{ type: 'text', text: 'Result' }] };
+ * }
+ * ```
+ */
+export declare function executeAction(actionCode: string, input: unknown, contextOptions: CreateContextOptions, sandboxOptions?: SandboxOptions): Promise<ToolResult>;
+//# sourceMappingURL=executor.d.ts.map

package/dist/sandbox/executor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../src/sandbox/executor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAuB,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAEzE;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,4CAA4C;IAC5C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6CAA6C;IAC7C,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAiBD;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG;QAAE,IAAI,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACnG,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,UAAU,GAAG,UAAU,CA6BjE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAsDxD;AAED;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,OAAO,EACd,cAAc,EAAE,oBAAoB,EACpC,cAAc,GAAE,cAAmB,GAClC,OAAO,CAAC,UAAU,CAAC,CAuKrB"}