spawnfile 0.1.4 → 0.1.6

package/dist/compiler/buildCompilePlanTraversal.js

@@ -0,0 +1,214 @@
+import { getCanonicalManifestPath, getManifestPath, resolveProjectPath } from "../filesystem/index.js";
+import { isAgentManifest, isTeamManifest, mergeExecution } from "../manifest/index.js";
+import { SpawnfileError } from "../shared/index.js";
+import { getAgentFingerprint, getMcpNames, getTeamFingerprint, validateEffectiveSkillRequirements } from "./compilePlanHelpers.js";
+import { resolveAgentSurfaces } from "./agentSurfaces.js";
+import { mergeResolvedSkills, loadResolvedSkills } from "./surfaces.js";
+import { assertRuntimeSupportsExecutionModelAuth } from "./modelAuth.js";
+import { assertRuntimeSupportsAgentSurfaces } from "./surfaceSupport.js";
+import { applyExecutionDefaults } from "./executionDefaults.js";
+import { normalizeDescription, resolveDescription, resolveRuntime } from "./buildCompilePlanRuntime.js";
+import { resolveTeamExternalIds, resolveTeamNetworks, validateTeamNetworkRooms } from "./buildCompilePlanTeams.js";
+import { mergeWorkspaceResources } from "./workspaceResources.js";
+import { DEFAULT_POLICY_MODE, DEFAULT_POLICY_ON_DEGRADE, mergeResolvedDocuments, resolveEffectiveEnvironment } from "./buildCompilePlanTraversalHelpers.js";
+export const createCompilePlanTraversal = ({ getLoadedManifest, nodeCache, fingerprintCache, edges, memberships }) => {
+    const visitStack = [];
+    const visitAgent = async (manifestPath, context) => {
+        const canonicalPath = getCanonicalManifestPath(manifestPath);
+        if (visitStack.includes(canonicalPath)) {
+            throw new SpawnfileError("compile_error", `Cycle detected while visiting ${canonicalPath}`);
+        }
+        const loadedManifest = await getLoadedManifest(canonicalPath);
+        if (!isAgentManifest(loadedManifest.manifest)) {
+            throw new SpawnfileError("compile_error", `Expected agent manifest, got ${loadedManifest.manifest.kind} at ${canonicalPath}`);
+        }
+        const runtime = await resolveRuntime(loadedManifest.manifest, context);
+        const execution = applyExecutionDefaults(context.isSubagent
+            ? mergeExecution(context.inheritedExecution, loadedManifest.manifest.execution)
+            : loadedManifest.manifest.execution);
+        assertRuntimeSupportsExecutionModelAuth(runtime.name, execution, loadedManifest.manifest.name);
+        const environment = resolveEffectiveEnvironment(context.inheritedShared?.surface?.environment, loadedManifest.manifest.environment);
+        const inheritedSkills = context.inheritedShared
+            ? await loadResolvedSkills(context.inheritedShared.manifestPath, context.inheritedShared.surface?.workspace?.skills)
+            : [];
+        const localSkills = await loadResolvedSkills(canonicalPath, loadedManifest.manifest.workspace?.skills);
+        const skills = mergeResolvedSkills(inheritedSkills, localSkills);
+        validateEffectiveSkillRequirements(loadedManifest.manifest.name, getMcpNames(environment.mcpServers), skills);
+        const docs = await mergeResolvedDocuments(canonicalPath, loadedManifest.manifest.workspace?.docs, context.inheritedShared?.manifestPath, context.inheritedShared?.surface?.workspace?.docs);
+        const workspaceResources = mergeWorkspaceResources(context.inheritedResources, loadedManifest.manifest.workspace?.resources, loadedManifest.manifest.name, {
+            kind: "agent",
+            key: canonicalPath,
+            name: loadedManifest.manifest.name
+        });
+        const candidate = {
+            description: resolveDescription(loadedManifest.manifest.description, docs),
+            docs,
+            env: environment.env,
+            execution,
+            expose: loadedManifest.manifest.expose ?? false,
+            kind: "agent",
+            mcpServers: environment.mcpServers,
+            name: loadedManifest.manifest.name,
+            policyMode: loadedManifest.manifest.policy?.mode ?? DEFAULT_POLICY_MODE,
+            policyOnDegrade: loadedManifest.manifest.policy?.on_degrade ?? DEFAULT_POLICY_ON_DEGRADE,
+            runtime,
+            schedule: loadedManifest.manifest.schedule,
+            secrets: environment.secrets,
+            packages: environment.packages,
+            skills,
+            source: canonicalPath,
+            surfaces: resolveAgentSurfaces(loadedManifest.manifest.surfaces),
+            subagents: [],
+            workspaceResources
+        };
+        assertRuntimeSupportsAgentSurfaces(runtime.name, candidate.surfaces, loadedManifest.manifest.name);
+        const fingerprint = getAgentFingerprint(candidate);
+        const existingFingerprint = fingerprintCache.get(canonicalPath);
+        if (existingFingerprint && existingFingerprint !== fingerprint) {
+            throw new SpawnfileError("compile_error", `Manifest ${canonicalPath} resolves differently across compile contexts`);
+        }
+        const cachedNode = nodeCache.get(canonicalPath);
+        if (cachedNode) {
+            return cachedNode.value;
+        }
+        fingerprintCache.set(canonicalPath, fingerprint);
+        nodeCache.set(canonicalPath, {
+            runtimeName: runtime.name,
+            source: canonicalPath,
+            value: candidate
+        });
+        visitStack.push(canonicalPath);
+        for (const subagent of loadedManifest.manifest.subagents ?? []) {
+            const childManifestPath = getManifestPath(resolveProjectPath(canonicalPath, subagent.ref));
+            const resolvedSubagent = await visitAgent(childManifestPath, {
+                inheritedExecution: execution,
+                inheritedResources: candidate.workspaceResources,
+                inheritedRuntime: runtime,
+                isSubagent: true
+            });
+            candidate.subagents.push({
+                id: subagent.id,
+                nodeSource: resolvedSubagent.source
+            });
+            edges.push({
+                from: canonicalPath,
+                kind: "subagent",
+                label: subagent.id,
+                to: resolvedSubagent.source
+            });
+        }
+        visitStack.pop();
+        return candidate;
+    };
+    const visitTeam = async (manifestPath, inheritedResources = []) => {
+        const canonicalPath = getCanonicalManifestPath(manifestPath);
+        if (visitStack.includes(canonicalPath)) {
+            throw new SpawnfileError("compile_error", `Cycle detected while visiting ${canonicalPath}`);
+        }
+        const loadedManifest = await getLoadedManifest(canonicalPath);
+        if (!isTeamManifest(loadedManifest.manifest)) {
+            throw new SpawnfileError("compile_error", `Expected team manifest, got ${loadedManifest.manifest.kind} at ${canonicalPath}`);
+        }
+        const manifest = loadedManifest.manifest;
+        const sharedWorkspace = manifest.shared?.workspace;
+        const sharedEnvironment = manifest.shared?.environment;
+        const sharedSkills = await loadResolvedSkills(canonicalPath, sharedWorkspace?.skills);
+        validateEffectiveSkillRequirements(loadedManifest.manifest.name, getMcpNames(sharedEnvironment?.mcp_servers ?? []), sharedSkills);
+        const resolvedExternal = resolveTeamExternalIds(manifest);
+        const docs = await mergeResolvedDocuments(canonicalPath, sharedWorkspace?.docs, undefined, undefined);
+        const workspaceResources = mergeWorkspaceResources(inheritedResources, sharedWorkspace?.resources, manifest.name, {
+            kind: "team",
+            key: canonicalPath,
+            name: manifest.name
+        });
+        const candidate = {
+            description: manifest.description ? normalizeDescription(manifest.description) : "",
+            docs,
+            external: resolvedExternal,
+            externalExplicit: manifest.external !== undefined,
+            kind: "team",
+            lead: manifest.lead ?? null,
+            members: [],
+            mode: manifest.mode,
+            name: manifest.name,
+            networks: resolveTeamNetworks(manifest),
+            policyMode: manifest.policy?.mode ?? DEFAULT_POLICY_MODE,
+            policyOnDegrade: manifest.policy?.on_degrade ?? DEFAULT_POLICY_ON_DEGRADE,
+            workspaceResources,
+            shared: {
+                env: sharedEnvironment?.env ?? {},
+                mcpServers: sharedEnvironment?.mcp_servers ?? [],
+                packages: sharedEnvironment?.packages,
+                secrets: sharedEnvironment?.secrets ?? [],
+                skills: sharedSkills
+            },
+            source: canonicalPath,
+        };
+        const fingerprint = getTeamFingerprint(candidate);
+        const existingFingerprint = fingerprintCache.get(canonicalPath);
+        if (existingFingerprint && existingFingerprint !== fingerprint) {
+            throw new SpawnfileError("compile_error", `Team manifest ${canonicalPath} resolves differently across compile contexts`);
+        }
+        const cachedNode = nodeCache.get(canonicalPath);
+        if (cachedNode) {
+            return cachedNode.value;
+        }
+        fingerprintCache.set(canonicalPath, fingerprint);
+        nodeCache.set(canonicalPath, {
+            runtimeName: null,
+            source: canonicalPath,
+            value: candidate
+        });
+        visitStack.push(canonicalPath);
+        for (const member of loadedManifest.manifest.members) {
+            const childManifestPath = getManifestPath(resolveProjectPath(canonicalPath, member.ref));
+            const childManifest = await getLoadedManifest(childManifestPath);
+            let resolvedMember;
+            if (isAgentManifest(childManifest.manifest)) {
+                const resolvedAgent = await visitAgent(childManifestPath, {
+                    inheritedShared: {
+                        manifestPath: canonicalPath,
+                        surface: loadedManifest.manifest.shared
+                    },
+                    inheritedResources: candidate.workspaceResources,
+                    isSubagent: false
+                });
+                resolvedMember = {
+                    id: member.id,
+                    kind: "agent",
+                    nodeSource: resolvedAgent.source,
+                    runtimeName: resolvedAgent.runtime.name
+                };
+                memberships.set(`${canonicalPath}::${member.id}::${resolvedAgent.source}`, {
+                    agentSource: resolvedAgent.source,
+                    memberId: member.id,
+                    teamName: candidate.name,
+                    teamSource: canonicalPath
+                });
+            }
+            else {
+                const resolvedTeam = await visitTeam(childManifestPath, candidate.workspaceResources);
+                resolvedMember = {
+                    id: member.id,
+                    kind: "team",
+                    nodeSource: resolvedTeam.source,
+                    runtimeName: null
+                };
+            }
+            candidate.members.push(resolvedMember);
+            edges.push({
+                from: canonicalPath,
+                kind: "team_member",
+                label: member.id,
+                to: resolvedMember.nodeSource
+            });
+        }
+        validateTeamNetworkRooms(candidate);
+        visitStack.pop();
+        return candidate;
+    };
+    return {
+        visitAgent,
+        visitTeam
+    };
+};

package/dist/compiler/buildCompilePlanTraversalHelpers.d.ts

@@ -0,0 +1,18 @@
+import { type Environment, type McpServer, type Secret, type TeamWorkspace } from "../manifest/index.js";
+import { ResolvedDocument, ResolvedPackage, ResolvedAgentNode, ResolvedTeamNode } from "./types.js";
+export declare const DEFAULT_POLICY_MODE = "warn";
+export declare const DEFAULT_POLICY_ON_DEGRADE = "warn";
+export type InternalNode = {
+    runtimeName: string | null;
+    source: string;
+    value: ResolvedAgentNode | ResolvedTeamNode;
+};
+type ResolvedPackageArray = ResolvedPackage[] | undefined;
+export declare const mergeResolvedDocuments: (primaryPath: string, primaryDocs: TeamWorkspace["docs"] | undefined, fallbackPath: string | undefined, fallbackDocs: TeamWorkspace["docs"] | undefined) => Promise<ResolvedDocument[]>;
+export declare const resolveEffectiveEnvironment: (sharedEnvironment: Environment | undefined, localEnvironment: Environment | undefined) => {
+    env: Record<string, string>;
+    mcpServers: McpServer[];
+    packages: ResolvedPackageArray;
+    secrets: Secret[];
+};
+export {};

package/dist/compiler/buildCompilePlanTraversalHelpers.js

@@ -0,0 +1,22 @@
+import { loadResolvedDocuments, mergeEnv, mergeMcpServers, mergePackages, mergeSecrets } from "./surfaces.js";
+export const DEFAULT_POLICY_MODE = "warn";
+export const DEFAULT_POLICY_ON_DEGRADE = "warn";
+export const mergeResolvedDocuments = async (primaryPath, primaryDocs, fallbackPath, fallbackDocs) => {
+    const fallbackResolved = fallbackPath && fallbackDocs
+        ? await loadResolvedDocuments(fallbackPath, fallbackDocs)
+        : [];
+    const primaryResolved = await loadResolvedDocuments(primaryPath, primaryDocs);
+    const merged = new Map(primaryResolved.map((doc) => [doc.role, doc]));
+    for (const doc of fallbackResolved) {
+        if (!merged.has(doc.role)) {
+            merged.set(doc.role, doc);
+        }
+    }
+    return [...merged.values()];
+};
+export const resolveEffectiveEnvironment = (sharedEnvironment, localEnvironment) => ({
+    env: mergeEnv(sharedEnvironment?.env, localEnvironment?.env),
+    mcpServers: mergeMcpServers(sharedEnvironment?.mcp_servers, localEnvironment?.mcp_servers),
+    packages: mergePackages(sharedEnvironment?.packages, localEnvironment?.packages),
+    secrets: mergeSecrets(sharedEnvironment?.secrets, localEnvironment?.secrets)
+});

package/dist/compiler/compilePlanHelpers.d.ts

@@ -1,7 +1,9 @@
-import type { ResolvedAgentNode, ResolvedSkill, ResolvedTeamNode } from "./types.js";
+export { mergePackages } from "./surfaces.js";
+import type { CompilePlanNode, ResolvedAgentNode, ResolvedSkill, ResolvedTeamNode } from "./types.js";
 export declare const getMcpNames: (servers: Array<{
     name: string;
 }>) => Set<string>;
 export declare const validateEffectiveSkillRequirements: (nodeName: string, mcpNames: Set<string>, skills: ResolvedSkill[]) => void;
 export declare const getAgentFingerprint: (node: ResolvedAgentNode) => string;
 export declare const getTeamFingerprint: (node: ResolvedTeamNode) => string;
+export declare const listMoltnetNetworkSecretNames: (nodes: CompilePlanNode[]) => string[];

package/dist/compiler/compilePlanHelpers.js

@@ -1,5 +1,6 @@
 import { SpawnfileError } from "../shared/index.js";
 import { stableStringify } from "./helpers.js";
+export { mergePackages } from "./surfaces.js";
 export const getMcpNames = (servers) => new Set(servers.map((server) => server.name));
 export const validateEffectiveSkillRequirements = (nodeName, mcpNames, skills) => {
     for (const skill of skills) {
@@ -15,13 +16,16 @@ export const getAgentFingerprint = (node) => stableStringify({
     execution: node.execution,
     mcpServers: node.mcpServers,
     runtime: node.runtime,
+    schedule: node.schedule,
+    packages: node.packages,
     secrets: node.secrets,
     skills: node.skills.map((skill) => ({
         name: skill.name,
         ref: skill.ref,
         requiresMcp: skill.requiresMcp
     })),
-    surfaces: node.surfaces
+    surfaces: node.surfaces,
+    workspaceResources: node.workspaceResources
 });
 export const getTeamFingerprint = (node) => stableStringify({
     members: node.members,
@@ -29,9 +33,11 @@ export const getTeamFingerprint = (node) => stableStringify({
     lead: node.lead,
     external: node.external,
     networks: node.networks ?? [],
+    workspaceResources: node.workspaceResources,
     shared: {
         env: node.shared.env,
         mcpServers: node.shared.mcpServers,
+        packages: node.shared.packages,
         secrets: node.shared.secrets,
         skills: node.shared.skills.map((skill) => ({
             name: skill.name,
@@ -40,3 +46,33 @@ export const getTeamFingerprint = (node) => stableStringify({
         }))
     }
 });
+const collectMoltnetSecretNames = (server, secretNames) => {
+    for (const token of server.auth.tokens ?? []) {
+        secretNames.add(token.secret);
+    }
+    if (server.mode === "managed") {
+        for (const pairing of server.pairings ?? []) {
+            secretNames.add(pairing.token_secret);
+        }
+        if (server.store.kind === "postgres") {
+            secretNames.add(server.store.dsn_secret);
+        }
+    }
+    if (server.auth.client?.token_env) {
+        secretNames.add(server.auth.client.token_env);
+    }
+};
+export const listMoltnetNetworkSecretNames = (nodes) => {
+    const secretNames = new Set();
+    for (const node of nodes) {
+        if (node.value.kind !== "team" || !node.value.networks) {
+            continue;
+        }
+        for (const network of node.value.networks) {
+            if (network.server) {
+                collectMoltnetSecretNames(network.server, secretNames);
+            }
+        }
+    }
+    return [...secretNames].sort();
+};

package/dist/compiler/compileProject.js

@@ -136,11 +136,17 @@ const enforcePolicy = (nodeReport, policyMode, onDegrade) => {
             if (policyMode === "strict") {
                 throw new Error(`Policy violation: ${capability.key} is unsupported for ${nodeReport.id} (strict mode)${capability.message ? `: ${capability.message}` : ""}`);
             }
+            if (policyMode === "warn") {
+                nodeReport.diagnostics.push(createDiagnostic("warn", `Policy warning: ${capability.key} is unsupported for ${nodeReport.id}${capability.message ? `: ${capability.message}` : ""}`));
+            }
         }
         if (capability.outcome === "degraded") {
             if (onDegrade === "error") {
                 throw new Error(`Policy violation: ${capability.key} is degraded for ${nodeReport.id} (on_degrade: error)${capability.message ? `: ${capability.message}` : ""}`);
             }
+            if (onDegrade === "warn") {
+                nodeReport.diagnostics.push(createDiagnostic("warn", `Policy warning: ${capability.key} is degraded for ${nodeReport.id}${capability.message ? `: ${capability.message}` : ""}`));
+            }
         }
     }
 };
@@ -174,8 +180,16 @@ const createIdentityCapabilities = (node) => [
             }]
         : [])
 ];
+const createWorkspaceResourceCapabilities = (node) => (node.workspaceResources?.length ?? 0) > 0
+    ? [{
+            key: "workspace.resources",
+            message: `${node.workspaceResources?.length ?? 0} workspace resource(s) will be prepared at startup`,
+            outcome: "supported"
+        }]
+    : [];
 const augmentNodeReports = (compiledNodes, support) => {
     for (const compiled of compiledNodes) {
+        compiled.report.capabilities.push(...createWorkspaceResourceCapabilities(compiled.value));
         if (compiled.value.kind === "team") {
             compiled.report.capabilities.push(...(support.capabilitiesByTeamSource.get(compiled.value.source) ?? []));
             compiled.report.diagnostics.push(...(support.diagnosticsByTeamSource.get(compiled.value.source) ?? []));

package/dist/compiler/containerArtifacts.js

@@ -30,7 +30,7 @@ export const createContainerArtifacts = async (plan, compiledNodes, options = {}
             content: renderEntrypoint(runtimePlans, requiredSecrets.filter((secretName) => !modelSecretsRequired.includes(secretName)), {
                 moltnet: options.moltnet
                     ? {
-                        bridgePlans: options.moltnet.bridgePlans,
+                        nodePlans: options.moltnet.nodePlans,
                         serverPlans: options.moltnet.serverPlans
                     }
                     : undefined
@@ -59,13 +59,27 @@ export const createContainerArtifacts = async (plan, compiledNodes, options = {}
     }))
         .sort((left, right) => left.id.localeCompare(right.id));
     const runtimesInstalled = [...new Set(runtimePlans.map((plan) => plan.runtimeName))].sort();
+    const workspaceResources = [
+        ...new Map(runtimePlans.flatMap((plan) => (plan.resources ?? []).map((resource) => [
+            `${resource.kind}:${resource.id}:${resource.linkPath}`,
+            {
+                backing_path: resource.backingPath,
+                id: resource.id,
+                kind: resource.kind,
+                link_path: resource.linkPath,
+                mode: resource.mode,
+                mount: resource.mount,
+                sharing: resource.sharing
+            }
+        ]))).values()
+    ].sort((left, right) => left.link_path.localeCompare(right.link_path) || left.id.localeCompare(right.id));
     return {
         executablePaths: ["entrypoint.sh"],
         files,
         ...(options.moltnet
             ? {
                 moltnet: {
-                    bridgePlans: options.moltnet.bridgePlans,
+                    nodePlans: options.moltnet.nodePlans,
                     serverPlans: options.moltnet.serverPlans
                 }
             }
@@ -80,7 +94,8 @@ export const createContainerArtifacts = async (plan, compiledNodes, options = {}
             runtime_homes: runtimeHomes,
             runtime_secrets_required: runtimeSecretsRequired,
             runtimes_installed: runtimesInstalled,
-            secrets_required: requiredSecrets
+            secrets_required: requiredSecrets,
+            ...(workspaceResources.length > 0 ? { workspace_resources: workspaceResources } : {})
         }
     };
 };

package/dist/compiler/containerArtifactsPlans.js

@@ -3,6 +3,7 @@ import { createRuntimeInstallRecipe, getRuntimeAdapter } from "../runtime/index.
 import { SpawnfileError } from "../shared/index.js";
 import { listAgentSurfaceSecretNames } from "./agentSurfaces.js";
 import { listExecutionModelSecretNames, resolveExecutionModelAuthMethods } from "./modelEnv.js";
+import { resolveTargetResources } from "./containerTargetResources.js";
 const CONFIG_FILE_PLACEHOLDER = "<config-file>";
 const INSTANCE_ROOT_PLACEHOLDER = "<instance-root>";
 const createDefaultTargets = (inputs) => inputs.map((input) => ({
@@ -20,6 +21,34 @@ const assertTargetHasConfig = (runtimeName, targetId, meta, files) => {
         throw new SpawnfileError("runtime_error", `Container target ${targetId} for ${runtimeName} is missing ${meta.configFileName}`);
     }
 };
+const createPackageIdentity = (pkg) => `${pkg.manager}\u0000${pkg.name}\u0000${pkg.version ?? ""}\u0000${pkg.scope ?? ""}`;
+const createPackageConflictIdentity = (pkg) => `${pkg.manager}\u0000${pkg.name}`;
+const createPackageLabel = (pkg) => `${pkg.manager} package ${pkg.name}`;
+const resolveTargetPackages = (target, inputs) => {
+    const sourceIds = new Set(target.sourceIds ?? []);
+    if (sourceIds.size === 0) {
+        return [];
+    }
+    const byIdentity = new Map();
+    for (const input of inputs) {
+        if (!sourceIds.has(input.id) || input.value.kind !== "agent") {
+            continue;
+        }
+        const candidatePackages = input.value.packages ?? [];
+        for (const currentPackage of candidatePackages) {
+            const conflictIdentity = createPackageConflictIdentity(currentPackage);
+            const existingPackage = byIdentity.get(conflictIdentity);
+            if (!existingPackage) {
+                byIdentity.set(conflictIdentity, currentPackage);
+                continue;
+            }
+            if (createPackageIdentity(existingPackage) !== createPackageIdentity(currentPackage)) {
+                throw new SpawnfileError("validation_error", `Container target ${target.id} declares conflicting package definitions for ${createPackageLabel(currentPackage)}`);
+            }
+        }
+    }
+    return [...byIdentity.values()].sort((left, right) => createPackageIdentity(left).localeCompare(createPackageIdentity(right)));
+};
 const replaceContainerPathTemplate = (template, instanceRoot, configFileName) => template
     .replaceAll(INSTANCE_ROOT_PLACEHOLDER, instanceRoot)
     .replaceAll(CONFIG_FILE_PLACEHOLDER, configFileName);
@@ -30,6 +59,7 @@ const resolveInstancePaths = (runtimeName, targetId, meta) => {
         homePath: meta.instancePaths.homePathTemplate
             ? replaceContainerPathTemplate(meta.instancePaths.homePathTemplate, instanceRoot, meta.configFileName)
             : undefined,
+        instanceRoot,
         workspacePath: replaceContainerPathTemplate(meta.instancePaths.workspacePathTemplate, instanceRoot, meta.configFileName)
     };
 };
@@ -149,6 +179,7 @@ export const createRuntimeTargetPlans = async (plan, compiledNodes) => {
             runtimePlans.push({
                 configEnvBindings: resolveTargetConfigEnvBindings(adapter.container, target) ?? [],
                 envFiles: resolveTargetEnvFiles(instancePaths.configPath, target),
+                packages: resolveTargetPackages(target, targetInputs),
                 id: target.id,
                 instancePaths,
                 meta: adapter.container,
@@ -158,6 +189,7 @@ export const createRuntimeTargetPlans = async (plan, compiledNodes) => {
                 publishedPort: resolveTargetExposure(target, targetInputs) && adapter.container.port
                     ? adapter.container.port + (index * portStride)
                     : undefined,
+                resources: resolveTargetResources(target, targetInputs, instancePaths, adapter.container),
                 runtimeName,
                 runtimeRoot: recipe.runtimeRoot,
                 targetConfigEnvBindings: target.configEnvBindings,

package/dist/compiler/containerArtifactsRender.js

@@ -11,6 +11,70 @@ const shellQuote = (value) => `'${value.replace(/'/g, `'\"'\"'`)}'`;
 const extractNodeMajorVersion = (image) => Number(image.match(/^node:(\d+)/)?.[1] ?? "0");
 const createPackageInstallCommand = (packages) => `RUN apt-get update && apt-get install -y --no-install-recommends ${packages.join(" ")} && rm -rf /var/lib/apt/lists/*`;
 const createNpmPackageInstallCommand = (packages) => `RUN npm install -g --omit=dev --no-fund --no-audit ${packages.join(" ")}`;
+const createPipxPackageInstallCommand = (packages) => `RUN PIPX_HOME=/opt/pipx PIPX_BIN_DIR=/usr/local/bin pipx install ${packages.join(" ")}`;
+const dedupePackages = (packages) => {
+    const seen = new Map();
+    for (const currentPackage of packages) {
+        seen.set(`${currentPackage.manager}\u0000${currentPackage.name}\u0000${currentPackage.version ?? ""}\u0000${currentPackage.scope ?? ""}`, currentPackage);
+    }
+    return [...seen.values()].sort((left, right) => `${left.manager}\u0000${left.name}\u0000${left.version ?? ""}\u0000${left.scope ?? ""}`.localeCompare(`${right.manager}\u0000${right.name}\u0000${right.version ?? ""}\u0000${right.scope ?? ""}`));
+};
+const createPackageIdentity = (pkg) => `${pkg.manager}\u0000${pkg.name}\u0000${pkg.version ?? ""}\u0000${pkg.scope ?? ""}`;
+const createPackageConflictIdentity = (pkg) => `${pkg.manager}\u0000${pkg.name}`;
+const assertImagePackageCompatibility = (packages) => {
+    const byName = new Map();
+    for (const currentPackage of packages) {
+        const conflictIdentity = createPackageConflictIdentity(currentPackage);
+        const existingPackage = byName.get(conflictIdentity);
+        if (!existingPackage) {
+            byName.set(conflictIdentity, currentPackage);
+            continue;
+        }
+        if (createPackageIdentity(existingPackage) !== createPackageIdentity(currentPackage)) {
+            throw new SpawnfileError("validation_error", `Generated container declares conflicting package definitions for ${currentPackage.manager} package ${currentPackage.name}`);
+        }
+    }
+};
+const createAptPackageInstallItem = (pkg) => pkg.version ? `${pkg.name}=${pkg.version}` : pkg.name;
+const createNpmPackageInstallItem = (pkg) => pkg.version ? `${pkg.name}@${pkg.version}` : pkg.name;
+const createPipxPackageInstallItem = (pkg) => pkg.version ? `${pkg.name}==${pkg.version}` : pkg.name;
+const getNpmInstallItemName = (item) => {
+    if (!item.startsWith("@")) {
+        const versionMarker = item.indexOf("@");
+        return versionMarker === -1 ? item : item.slice(0, versionMarker);
+    }
+    const slashIndex = item.indexOf("/");
+    if (slashIndex === -1) {
+        return item;
+    }
+    const versionMarker = item.indexOf("@", slashIndex);
+    return versionMarker === -1 ? item : item.slice(0, versionMarker);
+};
+const collectPackagesByManager = (runtimePlans) => {
+    const packagesByManager = {
+        apt: [],
+        npm: [],
+        pipx: []
+    };
+    const imagePackages = runtimePlans.flatMap((plan) => plan.packages ?? []);
+    assertImagePackageCompatibility(imagePackages);
+    const resolvedPackages = dedupePackages(imagePackages);
+    for (const packageConfig of resolvedPackages) {
+        if (packageConfig.manager === "apt") {
+            packagesByManager.apt.push(packageConfig);
+            continue;
+        }
+        if (packageConfig.manager === "npm") {
+            packagesByManager.npm.push(packageConfig);
+            continue;
+        }
+        if (packageConfig.manager === "pipx") {
+            packagesByManager.pipx.push(packageConfig);
+            continue;
+        }
+    }
+    return packagesByManager;
+};
 const selectBaseImage = (runtimePlans) => {
     const firstRuntimeMeta = runtimePlans[0]?.meta;
     if (runtimePlans.length <= 1) {
@@ -52,30 +116,49 @@ export const renderDockerfile = async (runtimePlans, options = {}) => {
     const runtimeRecipes = await Promise.all(runtimeNames.map((runtimeName) => createRuntimeInstallRecipe(runtimeName)));
     const baseImage = selectBaseImage(runtimePlans);
     const needsJsonEnvWriter = runtimePlans.some((plan) => (plan.configEnvBindings?.length ?? 0) > 0);
+    const needsGit = runtimePlans.some((plan) => (plan.resources ?? []).some((resource) => resource.kind === "git"));
     const systemDeps = [
         ...new Set([
             ...runtimePlans.flatMap((plan) => plan.meta.systemDeps),
+            ...(needsGit ? ["git"] : []),
             ...(options.hasMoltnet && !options.hasStagedMoltnetBinaries
                 ? ["ca-certificates", "curl", "tar"]
                 : []),
             ...(needsJsonEnvWriter ? ["python3"] : [])
         ])
     ].sort();
+    const { apt: aptPackages, npm: npmPackages, pipx: pipxPackages } = collectPackagesByManager(runtimePlans);
+    const aptDependencies = [
+        ...systemDeps,
+        ...aptPackages.map((pkg) => createAptPackageInstallItem(pkg)),
+        ...(pipxPackages.length > 0 ? ["pipx"] : [])
+    ];
+    const aptInstallPackages = [...new Set(aptDependencies)].sort();
+    const projectNpmPackages = npmPackages.map((pkg) => createNpmPackageInstallItem(pkg));
+    const projectNpmPackageNames = new Set(projectNpmPackages.map(getNpmInstallItemName));
+    const runtimeNpmPackages = runtimePlans
+        .flatMap((plan) => plan.meta.globalNpmPackages ?? [])
+        .filter((pkg) => !projectNpmPackageNames.has(getNpmInstallItemName(pkg)));
     const globalNpmPackages = [
-        ...new Set(runtimePlans.flatMap((plan) => plan.meta.globalNpmPackages ?? []))
+        ...new Set([...runtimeNpmPackages, ...projectNpmPackages])
     ].sort();
+    const pipxInstallPackages = [...new Set(pipxPackages.map((pkg) => createPipxPackageInstallItem(pkg)))]
+        .sort();
     const runtimePorts = runtimePlans.flatMap((plan) => plan.publishedPort ? [plan.publishedPort] : []);
     const moltnetPorts = options.moltnetPublishedPorts ?? [];
     const exposedPorts = [...new Set([...runtimePorts, ...moltnetPorts])].sort((left, right) => left - right);
     const lines = [];
     lines.push(`FROM ${baseImage}`);
     lines.push("USER root", "", "WORKDIR /opt/spawnfile");
-    if (systemDeps.length > 0) {
-        lines.push(createPackageInstallCommand(systemDeps), "");
+    if (aptInstallPackages.length > 0) {
+        lines.push(createPackageInstallCommand(aptInstallPackages), "");
     }
     if (globalNpmPackages.length > 0) {
         lines.push(createNpmPackageInstallCommand(globalNpmPackages), "");
     }
+    if (pipxInstallPackages.length > 0) {
+        lines.push(createPipxPackageInstallCommand(pipxInstallPackages), "");
+    }
     if (options.hasMoltnet && options.hasStagedMoltnetBinaries) {
         lines.push(`COPY ${MOLTNET_BIN_DIRECTORY}/ /usr/local/bin/`, `RUN chmod +x ${MOLTNET_BINARY_NAMES.map((binaryName) => `/usr/local/bin/${binaryName}`).join(" ")}`, "");
     }

package/dist/compiler/containerArtifactsTypes.d.ts

@@ -1,8 +1,9 @@
 import type { ContainerReport } from "../report/index.js";
 import type { EmittedFile, RuntimeContainerConfigEnvBinding, RuntimeContainerMeta } from "../runtime/index.js";
 import type { ModelAuthMethod } from "../shared/index.js";
-import type { ResolvedAgentNode, ResolvedTeamNode } from "./types.js";
-import type { MoltnetBridgePlan, MoltnetServerPlan } from "./moltnetArtifacts.js";
+import type { ResolvedAgentNode, ResolvedPackage, ResolvedTeamNode } from "./types.js";
+import type { MoltnetNodePlan, MoltnetServerPlan } from "./moltnetArtifacts.js";
+import type { WorkspaceResourcePlan } from "./workspaceResources.js";
 export interface ContainerEnvVariable {
     categories: Array<"model" | "project" | "runtime" | "surface">;
     description: string;
@@ -11,6 +12,7 @@ export interface ContainerEnvVariable {
 }
 export interface RuntimeTargetPlan {
     configEnvBindings?: RuntimeContainerConfigEnvBinding[];
+    packages?: ResolvedPackage[];
     envFiles: Array<{
         envName: string;
         filePath: string;
@@ -19,6 +21,7 @@ export interface RuntimeTargetPlan {
     instancePaths: {
         configPath: string;
         homePath?: string;
+        instanceRoot?: string;
         workspacePath: string;
     };
     meta: RuntimeContainerMeta;
@@ -26,6 +29,7 @@ export interface RuntimeTargetPlan {
     modelSecretsRequired: string[];
     port?: number;
     publishedPort?: number;
+    resources?: WorkspaceResourcePlan[];
     runtimeName: string;
     runtimeRoot: string;
     targetConfigEnvBindings?: RuntimeContainerConfigEnvBinding[];
@@ -42,7 +46,7 @@ export interface GeneratedContainerArtifacts {
     executablePaths: string[];
     files: EmittedFile[];
     moltnet?: {
-        bridgePlans: MoltnetBridgePlan[];
+        nodePlans: MoltnetNodePlan[];
         serverPlans: MoltnetServerPlan[];
     };
     report: ContainerReport;