spawnfile 0.1.0

package/dist/compiler/containerArtifactsTypes.d.ts

@@ -0,0 +1,42 @@
+import type { ContainerReport } from "../report/index.js";
+import type { EmittedFile, RuntimeContainerConfigEnvBinding, RuntimeContainerMeta } from "../runtime/index.js";
+import type { ModelAuthMethod } from "../shared/index.js";
+import type { ResolvedAgentNode, ResolvedTeamNode } from "./types.js";
+export interface ContainerEnvVariable {
+    categories: Array<"model" | "project" | "runtime" | "surface">;
+    description: string;
+    name: string;
+    required: boolean;
+}
+export interface RuntimeTargetPlan {
+    configEnvBindings?: RuntimeContainerConfigEnvBinding[];
+    envFiles: Array<{
+        envName: string;
+        filePath: string;
+    }>;
+    id: string;
+    instancePaths: {
+        configPath: string;
+        homePath?: string;
+        workspacePath: string;
+    };
+    meta: RuntimeContainerMeta;
+    modelAuthMethods: Record<string, ModelAuthMethod>;
+    modelSecretsRequired: string[];
+    port?: number;
+    runtimeName: string;
+    runtimeRoot: string;
+    targetFiles: EmittedFile[];
+}
+export interface CompiledNodeArtifact {
+    emittedFiles: EmittedFile[];
+    kind: "agent" | "team";
+    runtimeName: string | null;
+    slug: string;
+    value: ResolvedAgentNode | ResolvedTeamNode;
+}
+export interface GeneratedContainerArtifacts {
+    executablePaths: string[];
+    files: EmittedFile[];
+    report: ContainerReport;
+}

package/dist/compiler/containerArtifactsTypes.js

@@ -0,0 +1 @@
+export {};

package/dist/compiler/discordSurface.d.ts

@@ -0,0 +1,4 @@
+import { SurfacesBlock } from "../manifest/index.js";
+import type { ResolvedAgentSurfaces } from "./types.js";
+export declare const resolveAgentSurfaces: (surfaces: SurfacesBlock | undefined) => ResolvedAgentSurfaces | undefined;
+export declare const listAgentSurfaceSecretNames: (surfaces: ResolvedAgentSurfaces | undefined) => string[];

package/dist/compiler/discordSurface.js

@@ -0,0 +1,28 @@
+import { DEFAULT_DISCORD_BOT_TOKEN_SECRET } from "../shared/index.js";
+export const resolveAgentSurfaces = (surfaces) => {
+    if (!surfaces?.discord) {
+        return undefined;
+    }
+    return {
+        discord: {
+            ...(surfaces.discord.access
+                ? {
+                    access: {
+                        channels: [...(surfaces.discord.access.channels ?? [])],
+                        guilds: [...(surfaces.discord.access.guilds ?? [])],
+                        mode: surfaces.discord.access.mode ??
+                            "allowlist",
+                        users: [...(surfaces.discord.access.users ?? [])]
+                    }
+                }
+                : {}),
+            botTokenSecret: surfaces.discord.bot_token_secret ?? DEFAULT_DISCORD_BOT_TOKEN_SECRET
+        }
+    };
+};
+export const listAgentSurfaceSecretNames = (surfaces) => {
+    if (!surfaces?.discord) {
+        return [];
+    }
+    return [surfaces.discord.botTokenSecret];
+};

package/dist/compiler/executionDefaults.d.ts

@@ -0,0 +1,2 @@
+import type { ExecutionBlock } from "../manifest/index.js";
+export declare const applyExecutionDefaults: (execution: ExecutionBlock | undefined) => ExecutionBlock;

package/dist/compiler/executionDefaults.js

@@ -0,0 +1,9 @@
+export const applyExecutionDefaults = (execution) => ({
+    model: execution?.model,
+    sandbox: execution?.sandbox ?? {
+        mode: "workspace"
+    },
+    workspace: execution?.workspace ?? {
+        isolation: "isolated"
+    }
+});

package/dist/compiler/helpers.d.ts

@@ -0,0 +1,7 @@
+import { CompilePlanNode } from "./types.js";
+export declare const createShortHash: (value: string) => string;
+export declare const slugify: (value: string) => string;
+export declare const stableStringify: (value: unknown) => string;
+export declare const assignStableNodeIds: (nodes: Array<Omit<CompilePlanNode, "id"> & {
+    source: string;
+}>) => CompilePlanNode[];

package/dist/compiler/helpers.js

@@ -0,0 +1,35 @@
+import { createHash } from "node:crypto";
+export const createShortHash = (value) => createHash("sha1").update(value).digest("hex").slice(0, 8);
+export const slugify = (value) => value
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, "-")
+    .replace(/^-+|-+$/g, "");
+export const stableStringify = (value) => {
+    if (Array.isArray(value)) {
+        return `[${value.map((item) => stableStringify(item)).join(",")}]`;
+    }
+    if (value && typeof value === "object") {
+        return `{${Object.entries(value)
+            .sort(([left], [right]) => left.localeCompare(right))
+            .map(([key, item]) => `${JSON.stringify(key)}:${stableStringify(item)}`)
+            .join(",")}}`;
+    }
+    return JSON.stringify(value);
+};
+export const assignStableNodeIds = (nodes) => {
+    const counts = new Map();
+    return nodes.map((node) => {
+        const baseId = `${node.kind}:${node.value.name}`;
+        const seen = counts.get(baseId) ?? 0;
+        counts.set(baseId, seen + 1);
+        const id = seen === 0 ? baseId : `${baseId}#${createShortHash(node.source)}`;
+        const slug = seen === 0 ? slugify(node.value.name) : `${slugify(node.value.name)}-${createShortHash(node.source)}`;
+        return {
+            id,
+            kind: node.kind,
+            runtimeName: node.runtimeName,
+            slug,
+            value: node.value
+        };
+    });
+};

package/dist/compiler/index.d.ts

@@ -0,0 +1,9 @@
+export * from "./addProjectNode.js";
+export * from "./buildCompilePlan.js";
+export * from "./buildProject.js";
+export * from "./compileProject.js";
+export * from "./initProject.js";
+export * from "./runProject.js";
+export * from "./syncProjectAuth.js";
+export * from "./types.js";
+export * from "./updateProjectModels.js";

package/dist/compiler/index.js

@@ -0,0 +1,9 @@
+export * from "./addProjectNode.js";
+export * from "./buildCompilePlan.js";
+export * from "./buildProject.js";
+export * from "./compileProject.js";
+export * from "./initProject.js";
+export * from "./runProject.js";
+export * from "./syncProjectAuth.js";
+export * from "./types.js";
+export * from "./updateProjectModels.js";

package/dist/compiler/initProject.d.ts

@@ -0,0 +1,9 @@
+export interface InitProjectOptions {
+    directory?: string;
+    runtime?: string;
+    team?: boolean;
+}
+export declare const initProject: (options?: InitProjectOptions) => Promise<{
+    createdFiles: string[];
+    directory: string;
+}>;

package/dist/compiler/initProject.js

@@ -0,0 +1,46 @@
+import path from "node:path";
+import { ensureDirectory, ensureGitignoreEntry, fileExists, writeUtf8File } from "../filesystem/index.js";
+import { createTeamScaffoldManifest, renderSpawnfile } from "../manifest/index.js";
+import { getRuntimeAdapter } from "../runtime/index.js";
+import { DEFAULT_OUTPUT_DIRECTORY, SpawnfileError } from "../shared/index.js";
+const DEFAULT_AGENT_RUNTIME = "openclaw";
+export const initProject = async (options = {}) => {
+    const directory = path.resolve(options.directory ?? process.cwd());
+    const manifestPath = path.join(directory, "Spawnfile");
+    const runtimeName = options.runtime ?? DEFAULT_AGENT_RUNTIME;
+    if (await fileExists(manifestPath)) {
+        throw new SpawnfileError("io_error", `Refusing to overwrite existing Spawnfile at ${manifestPath}`);
+    }
+    if (options.team && options.runtime) {
+        throw new SpawnfileError("validation_error", "Team scaffolds do not accept --runtime");
+    }
+    await ensureDirectory(directory);
+    const createdFiles = [manifestPath];
+    const gitignorePath = path.join(directory, ".gitignore");
+    const hadGitignore = await fileExists(gitignorePath);
+    if ((await ensureGitignoreEntry(directory, `${DEFAULT_OUTPUT_DIRECTORY}/`)) && !hadGitignore) {
+        createdFiles.push(path.join(directory, ".gitignore"));
+    }
+    if (options.team) {
+        const teamDocPath = path.join(directory, "TEAM.md");
+        await writeUtf8File(manifestPath, renderSpawnfile(createTeamScaffoldManifest()));
+        await writeUtf8File(teamDocPath, "# Team Instructions\n");
+        createdFiles.push(teamDocPath);
+    }
+    else {
+        const scaffold = getRuntimeAdapter(runtimeName).scaffoldAgentProject?.();
+        if (!scaffold) {
+            throw new SpawnfileError("runtime_error", `Runtime ${runtimeName} does not provide an init scaffold`);
+        }
+        await writeUtf8File(manifestPath, renderSpawnfile(scaffold.manifest));
+        for (const file of scaffold.files) {
+            const targetPath = path.join(directory, file.path);
+            await writeUtf8File(targetPath, file.content);
+            createdFiles.push(targetPath);
+        }
+    }
+    return {
+        createdFiles,
+        directory
+    };
+};

package/dist/compiler/modelAuth.d.ts

@@ -0,0 +1,2 @@
+import type { ExecutionBlock } from "../manifest/index.js";
+export declare const assertRuntimeSupportsExecutionModelAuth: (runtimeName: string, execution: ExecutionBlock | undefined, nodeName: string) => void;

package/dist/compiler/modelAuth.js

@@ -0,0 +1,17 @@
+import { getRuntimeAdapter } from "../runtime/index.js";
+import { listEffectiveExecutionModelTargets } from "./modelEnv.js";
+export const assertRuntimeSupportsExecutionModelAuth = (runtimeName, execution, nodeName) => {
+    const adapter = getRuntimeAdapter(runtimeName);
+    const modelTargets = listEffectiveExecutionModelTargets(execution);
+    for (const target of modelTargets) {
+        try {
+            adapter.assertSupportedModelTarget(target);
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                error.message = `${error.message} on ${nodeName}`;
+            }
+            throw error;
+        }
+    }
+};

package/dist/compiler/modelEnv.d.ts

@@ -0,0 +1,10 @@
+import type { ExecutionBlock, ModelTarget } from "../manifest/index.js";
+import { type ModelAuthMethod } from "../shared/index.js";
+import type { EffectiveModelTarget } from "./types.js";
+export declare const resolveModelProviderEnvName: (provider: string) => string;
+export declare const listExecutionModelTargets: (execution: ExecutionBlock | undefined) => ModelTarget[];
+export declare const resolveEffectiveModelTarget: (target: ModelTarget, execution: ExecutionBlock | undefined) => EffectiveModelTarget;
+export declare const listEffectiveExecutionModelTargets: (execution: ExecutionBlock | undefined) => EffectiveModelTarget[];
+export declare const listExecutionModelProviders: (execution: ExecutionBlock | undefined) => string[];
+export declare const resolveExecutionModelAuthMethods: (execution: ExecutionBlock | undefined) => Record<string, ModelAuthMethod>;
+export declare const listExecutionModelSecretNames: (execution: ExecutionBlock | undefined) => string[];

package/dist/compiler/modelEnv.js

@@ -0,0 +1,97 @@
+import { SpawnfileError } from "../shared/index.js";
+const MODEL_PROVIDER_ENV_VARS = new Map([
+    ["anthropic", "ANTHROPIC_API_KEY"],
+    ["google", "GOOGLE_API_KEY"],
+    ["groq", "GROQ_API_KEY"],
+    ["mistral", "MISTRAL_API_KEY"],
+    ["openai", "OPENAI_API_KEY"],
+    ["openrouter", "OPENROUTER_API_KEY"],
+    ["xai", "XAI_API_KEY"]
+]);
+const resolveLegacyModelAuthMethod = (execution, provider) => {
+    const auth = execution?.model?.auth;
+    if (!auth) {
+        return undefined;
+    }
+    if (auth.method) {
+        return auth.method;
+    }
+    return auth.methods?.[provider];
+};
+export const resolveModelProviderEnvName = (provider) => MODEL_PROVIDER_ENV_VARS.get(provider) ??
+    `${provider.toUpperCase().replace(/[^A-Z0-9]+/g, "_")}_API_KEY`;
+export const listExecutionModelTargets = (execution) => {
+    if (!execution?.model?.primary) {
+        return [];
+    }
+    return [execution.model.primary, ...(execution.model.fallback ?? [])];
+};
+const resolveDefaultModelAuthMethod = (target) => {
+    if (target.provider === "local") {
+        return "none";
+    }
+    if (target.provider === "custom") {
+        return undefined;
+    }
+    return "api_key";
+};
+export const resolveEffectiveModelTarget = (target, execution) => {
+    const method = target.auth?.method ??
+        resolveLegacyModelAuthMethod(execution, target.provider) ??
+        resolveDefaultModelAuthMethod(target);
+    if (!method) {
+        throw new SpawnfileError("validation_error", `Model ${target.provider}/${target.name} must declare auth.method`);
+    }
+    if (target.auth?.key && method !== "api_key") {
+        throw new SpawnfileError("validation_error", `Model ${target.provider}/${target.name} can only declare auth.key with api_key auth`);
+    }
+    if ((target.provider === "custom" || target.provider === "local") &&
+        !target.endpoint) {
+        throw new SpawnfileError("validation_error", `Model ${target.provider}/${target.name} must declare endpoint`);
+    }
+    if (target.endpoint &&
+        target.provider !== "custom" &&
+        target.provider !== "local") {
+        throw new SpawnfileError("validation_error", `Model ${target.provider}/${target.name} cannot declare endpoint`);
+    }
+    if (method === "api_key" &&
+        (target.provider === "custom" || target.provider === "local") &&
+        !target.auth?.key) {
+        throw new SpawnfileError("validation_error", `Model ${target.provider}/${target.name} must declare auth.key for api_key auth`);
+    }
+    return {
+        auth: {
+            ...(target.auth?.key ? { key: target.auth.key } : {}),
+            method
+        },
+        ...(target.endpoint ? { endpoint: target.endpoint } : {}),
+        name: target.name,
+        provider: target.provider
+    };
+};
+export const listEffectiveExecutionModelTargets = (execution) => listExecutionModelTargets(execution).map((target) => resolveEffectiveModelTarget(target, execution));
+export const listExecutionModelProviders = (execution) => {
+    const providers = listEffectiveExecutionModelTargets(execution).map((target) => target.provider);
+    return providers.filter((provider, index) => providers.indexOf(provider) === index).sort();
+};
+export const resolveExecutionModelAuthMethods = (execution) => {
+    const methods = new Map();
+    for (const target of listEffectiveExecutionModelTargets(execution)) {
+        const existingMethod = methods.get(target.provider);
+        if (existingMethod && existingMethod !== target.auth.method) {
+            throw new SpawnfileError("validation_error", `Execution model declares conflicting auth methods for provider ${target.provider}`);
+        }
+        methods.set(target.provider, target.auth.method);
+    }
+    return Object.fromEntries([...methods.entries()].sort(([left], [right]) => left.localeCompare(right)));
+};
+export const listExecutionModelSecretNames = (execution) => {
+    const secretNames = new Set();
+    for (const target of listEffectiveExecutionModelTargets(execution)) {
+        if (target.auth.method !== "api_key") {
+            continue;
+        }
+        secretNames.add(target.auth.key ?? resolveModelProviderEnvName(target.provider));
+    }
+    return [...secretNames].sort();
+};

package/dist/compiler/runProject.d.ts

@@ -0,0 +1,34 @@
+import { type ResolvedAuthProfile } from "../auth/index.js";
+import { type CompileProjectOptions, type CompileProjectResult } from "./compileProject.js";
+export interface DockerRunInvocation {
+    args: string[];
+    command: string;
+    containerName: string | null;
+    cwd: string;
+    detach: boolean;
+    envFilePath: string;
+    imageTag: string;
+    supportDirectory: string;
+}
+export type DockerRunRunner = (invocation: DockerRunInvocation) => Promise<void>;
+export interface RunProjectOptions extends CompileProjectOptions {
+    authProfile?: string;
+    containerName?: string;
+    detach?: boolean;
+    dockerCommand?: string;
+    imageTag?: string;
+    runRunner?: DockerRunRunner;
+}
+export interface RunProjectResult extends CompileProjectResult {
+    authProfileName: string | null;
+    containerName: string | null;
+    imageTag: string;
+}
+export declare const createDockerRunInvocation: (compileResult: CompileProjectResult, imageTag: string, options?: {
+    authProfile?: ResolvedAuthProfile | null;
+    containerName?: string;
+    detach?: boolean;
+    dockerCommand?: string;
+}) => Promise<DockerRunInvocation>;
+export declare const runDockerContainer: DockerRunRunner;
+export declare const runProject: (inputPath: string, options?: RunProjectOptions) => Promise<RunProjectResult>;

package/dist/compiler/runProject.js

@@ -0,0 +1,197 @@
+import os from "node:os";
+import path from "node:path";
+import { mkdtemp } from "node:fs/promises";
+import { randomBytes } from "node:crypto";
+import { spawn } from "node:child_process";
+import { requireAuthProfile } from "../auth/index.js";
+import { ensureDirectory, fileExists, removeDirectory, writeUtf8File } from "../filesystem/index.js";
+import { SpawnfileError } from "../shared/index.js";
+import { compileProject } from "./compileProject.js";
+import { createDefaultImageTag } from "./buildProject.js";
+import { slugify } from "./helpers.js";
+import { assertDeclaredModelAuthSatisfied, prepareRuntimeAuthMounts } from "./runProjectAuth.js";
+const resolveImageTagRoot = (inputPath) => {
+    const resolvedPath = path.resolve(inputPath);
+    return path.basename(resolvedPath).toLowerCase() === "spawnfile"
+        ? path.dirname(resolvedPath)
+        : resolvedPath;
+};
+const createDefaultContainerName = (imageTag) => {
+    const containerName = slugify(imageTag.replaceAll("/", "-").replaceAll(":", "-"));
+    return containerName || "spawnfile-run";
+};
+const getImportMountTargetName = (kind) => kind === "claude-code" ? ".claude" : ".codex";
+const createGeneratedRuntimeSecret = (secretName) => {
+    if (secretName === "OPENCLAW_GATEWAY_TOKEN") {
+        return randomBytes(24).toString("hex");
+    }
+    return null;
+};
+const hasEnvValue = (env, name) => typeof env[name] === "string" && env[name].length > 0;
+const collectMissingRequiredSecrets = (containerReport, env, coveredModelSecrets) => {
+    const missing = new Set();
+    for (const secretName of containerReport.secrets_required) {
+        if (hasEnvValue(env, secretName)) {
+            continue;
+        }
+        if (!containerReport.model_secrets_required.includes(secretName)) {
+            missing.add(secretName);
+            continue;
+        }
+        const requiredInstances = (containerReport.runtime_instances ?? []).filter((instance) => instance.model_secrets_required.includes(secretName));
+        const isCoveredEverywhere = requiredInstances.length > 0 &&
+            requiredInstances.every((instance) => coveredModelSecrets.has(`${instance.id}:${secretName}`));
+        if (!isCoveredEverywhere) {
+            missing.add(secretName);
+        }
+    }
+    return [...missing].sort();
+};
+const resolveRunEnvironment = (containerReport, authProfile) => {
+    const env = {
+        ...(authProfile?.env ?? {})
+    };
+    for (const name of new Set([...Object.keys(env), ...containerReport.secrets_required])) {
+        const processValue = process.env[name];
+        if (typeof processValue === "string" && processValue.length > 0) {
+            env[name] = processValue;
+        }
+    }
+    for (const name of containerReport.runtime_secrets_required) {
+        if (hasEnvValue(env, name)) {
+            continue;
+        }
+        const generatedValue = createGeneratedRuntimeSecret(name);
+        if (generatedValue) {
+            env[name] = generatedValue;
+        }
+    }
+    for (const [name, value] of Object.entries(env)) {
+        if (value.includes("\n")) {
+            throw new SpawnfileError("validation_error", `Env value for ${name} contains a newline and cannot be written to a Docker env file`);
+        }
+    }
+    return env;
+};
+const assertRunEnvironmentSatisfied = (containerReport, env, coveredModelSecrets) => {
+    const missing = collectMissingRequiredSecrets(containerReport, env, coveredModelSecrets);
+    if (missing.length > 0) {
+        throw new SpawnfileError("validation_error", `Missing required runtime env: ${missing.sort().join(", ")}`);
+    }
+};
+const renderDockerEnvFile = (env) => `${Object.entries(env)
+    .sort(([left], [right]) => left.localeCompare(right))
+    .map(([name, value]) => `${name}=${value}`)
+    .join("\n")}\n`;
+const resolveAuthMountArgs = async (containerReport, authProfile) => {
+    if (!authProfile || containerReport.runtime_homes.length === 0) {
+        return [];
+    }
+    const args = [];
+    for (const [kind, entry] of Object.entries(authProfile.imports)) {
+        if (!entry) {
+            continue;
+        }
+        if (!(await fileExists(entry.path))) {
+            throw new SpawnfileError("validation_error", `Imported auth path for ${kind} does not exist: ${entry.path}`);
+        }
+        for (const runtimeHome of containerReport.runtime_homes) {
+            args.push("-v", `${entry.path}:${path.posix.join(runtimeHome, getImportMountTargetName(kind))}`);
+        }
+    }
+    return args;
+};
+export const createDockerRunInvocation = async (compileResult, imageTag, options = {}) => {
+    const containerReport = compileResult.report.container;
+    if (!containerReport) {
+        throw new SpawnfileError("runtime_error", "Compile output did not include container metadata");
+    }
+    const supportDirectory = await mkdtemp(path.join(os.tmpdir(), "spawnfile-run-"));
+    const envFilePath = path.join(supportDirectory, "run.env");
+    try {
+        assertDeclaredModelAuthSatisfied(containerReport, options.authProfile ?? null);
+        const env = resolveRunEnvironment(containerReport, options.authProfile ?? null);
+        const preparedRuntimeAuth = await prepareRuntimeAuthMounts(compileResult.outputDirectory, containerReport, options.authProfile ?? null, env, supportDirectory);
+        assertRunEnvironmentSatisfied(containerReport, env, preparedRuntimeAuth.coveredModelSecrets);
+        await ensureDirectory(supportDirectory);
+        await writeUtf8File(envFilePath, renderDockerEnvFile(env));
+        const containerName = options.containerName ?? createDefaultContainerName(imageTag);
+        const args = ["run"];
+        if (options.detach) {
+            args.push("-d");
+        }
+        else {
+            args.push("--rm");
+        }
+        args.push("--name", containerName);
+        for (const port of containerReport.ports) {
+            args.push("-p", `${port}:${port}`);
+        }
+        args.push("--env-file", envFilePath);
+        args.push(...(await resolveAuthMountArgs(containerReport, options.authProfile ?? null)));
+        args.push(...preparedRuntimeAuth.mountArgs);
+        args.push(imageTag);
+        return {
+            args,
+            command: options.dockerCommand ?? "docker",
+            containerName,
+            cwd: compileResult.outputDirectory,
+            detach: options.detach ?? false,
+            envFilePath,
+            imageTag,
+            supportDirectory
+        };
+    }
+    catch (error) {
+        await removeDirectory(supportDirectory);
+        throw error;
+    }
+};
+export const runDockerContainer = async (invocation) => new Promise((resolve, reject) => {
+    const child = spawn(invocation.command, invocation.args, {
+        cwd: invocation.cwd,
+        stdio: "inherit"
+    });
+    child.once("error", (error) => {
+        reject(new SpawnfileError("runtime_error", `Unable to start docker run for ${invocation.imageTag}: ${error.message}`));
+    });
+    child.once("exit", (code, signal) => {
+        if (code === 0) {
+            resolve();
+            return;
+        }
+        reject(new SpawnfileError("runtime_error", signal
+            ? `Docker run for ${invocation.imageTag} exited from signal ${signal}`
+            : `Docker run for ${invocation.imageTag} failed with exit code ${code ?? "unknown"}`));
+    });
+});
+export const runProject = async (inputPath, options = {}) => {
+    const compileResult = await compileProject(inputPath, {
+        clean: options.clean,
+        outputDirectory: options.outputDirectory
+    });
+    const imageTag = options.imageTag ?? createDefaultImageTag(resolveImageTagRoot(inputPath));
+    const authProfile = options.authProfile
+        ? await requireAuthProfile(options.authProfile)
+        : null;
+    const invocation = await createDockerRunInvocation(compileResult, imageTag, {
+        authProfile,
+        containerName: options.containerName,
+        detach: options.detach,
+        dockerCommand: options.dockerCommand
+    });
+    try {
+        await (options.runRunner ?? runDockerContainer)(invocation);
+    }
+    finally {
+        if (!invocation.detach) {
+            await removeDirectory(invocation.supportDirectory);
+        }
+    }
+    return {
+        ...compileResult,
+        authProfileName: authProfile?.name ?? null,
+        containerName: invocation.containerName,
+        imageTag
+    };
+};

package/dist/compiler/runProjectAuth.d.ts

@@ -0,0 +1,9 @@
+import type { ResolvedAuthProfile } from "../auth/index.js";
+import type { ContainerReport } from "../report/index.js";
+interface PreparedRunAuth {
+    coveredModelSecrets: Set<string>;
+    mountArgs: string[];
+}
+export declare const prepareRuntimeAuthMounts: (outputDirectory: string, containerReport: ContainerReport, authProfile: ResolvedAuthProfile | null, env: Record<string, string>, tempRoot: string) => Promise<PreparedRunAuth>;
+export declare const assertDeclaredModelAuthSatisfied: (containerReport: ContainerReport, authProfile: ResolvedAuthProfile | null) => void;
+export {};

package/dist/compiler/runProjectAuth.js

@@ -0,0 +1,59 @@
+import { SpawnfileError } from "../shared/index.js";
+import { getRuntimeAdapter } from "../runtime/index.js";
+const MODEL_AUTH_IMPORT_KINDS = {
+    api_key: null,
+    "claude-code": "claude-code",
+    codex: "codex",
+    none: null
+};
+const addCoveredModelSecrets = (coveredModelSecrets, instanceId, secretNames) => {
+    for (const secretName of secretNames) {
+        coveredModelSecrets.add(`${instanceId}:${secretName}`);
+    }
+};
+export const prepareRuntimeAuthMounts = async (outputDirectory, containerReport, authProfile, env, tempRoot) => {
+    if (!authProfile) {
+        return { coveredModelSecrets: new Set(), mountArgs: [] };
+    }
+    const coveredModelSecrets = new Set();
+    const mountArgs = [];
+    for (const instance of containerReport.runtime_instances) {
+        const adapter = getRuntimeAdapter(instance.runtime);
+        if (!adapter.prepareRuntimeAuth) {
+            continue;
+        }
+        const prepared = await adapter.prepareRuntimeAuth({
+            authProfile,
+            env,
+            instance,
+            outputDirectory,
+            tempRoot
+        });
+        addCoveredModelSecrets(coveredModelSecrets, instance.id, prepared.coveredModelSecrets);
+        mountArgs.push(...prepared.mountArgs);
+    }
+    return { coveredModelSecrets, mountArgs };
+};
+export const assertDeclaredModelAuthSatisfied = (containerReport, authProfile) => {
+    const requiredImportKinds = new Set();
+    for (const instance of containerReport.runtime_instances) {
+        for (const method of Object.values(instance.model_auth_methods)) {
+            const importKind = MODEL_AUTH_IMPORT_KINDS[method];
+            if (importKind) {
+                requiredImportKinds.add(importKind);
+            }
+        }
+    }
+    if (requiredImportKinds.size === 0) {
+        return;
+    }
+    if (!authProfile) {
+        throw new SpawnfileError("validation_error", `Auth profile is required for declared model auth methods: ${[...requiredImportKinds].sort().join(", ")}`);
+    }
+    const missingImportKinds = [...requiredImportKinds]
+        .filter((kind) => !authProfile.imports[kind])
+        .sort();
+    if (missingImportKinds.length > 0) {
+        throw new SpawnfileError("validation_error", `Auth profile ${authProfile.name} is missing required auth imports: ${missingImportKinds.join(", ")}`);
+    }
+};

package/dist/compiler/surfaceSupport.d.ts

@@ -0,0 +1,2 @@
+import type { ResolvedAgentSurfaces } from "./types.js";
+export declare const assertRuntimeSupportsAgentSurfaces: (runtimeName: string, surfaces: ResolvedAgentSurfaces | undefined, nodeName: string) => void;