spell-runtime 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Koichi Nishizuka
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,136 @@
+# Spell Runtime v1
+
+Minimal CLI runtime for SpellBundle v1.
+
+## Setup
+
+- Node.js >= 20
+- npm
+
+```bash
+npm i
+npm run build
+npm test
+```
+
+Local dev:
+
+```bash
+npm run dev -- --help
+```
+
+## Install as CLI
+
+Global install:
+
+```bash
+npm i -g spell-runtime
+spell --help
+```
+
+Run with npx:
+
+```bash
+npx --yes --package spell-runtime spell --help
+```
+
+Local package smoke checks:
+
+```bash
+npm run smoke:link
+npm run smoke:npx
+```
+
+## Commands
+
+- `spell install <local-path>`
+- `spell list`
+- `spell inspect <id> [--version x.y.z]`
+- `spell cast <id> [--version x.y.z] [-p key=value ...] [--input input.json] [--dry-run] [--yes] [--allow-billing] [--verbose] [--profile <name>]`
+- `spell log <execution-id>`
+
+## Storage Layout
+
+- Spells: `~/.spell/spells/<id_key>/<version>/`
+- ID index: `~/.spell/spells/<id_key>/spell.id.txt`
+- Logs: `~/.spell/logs/<timestamp>_<id>_<version>.json`
+
+`id_key` is fixed as `base64url(utf8(id))`.
+
+- `id` is the logical identifier (display, package identity).
+- `id_key` is only for safe filesystem storage.
+
+Consistency rule:
+
+- `install` checks `spell.yaml` id against `spell.id.txt` when `spell.id.txt` already exists.
+- mismatch is treated as an error.
+
+## Cast Preflight
+
+`cast` performs these checks before execution:
+
+- bundle resolution by id (and optional version)
+- input assembly (`--input` + `-p` overrides)
+- JSON Schema validation by Ajv
+- platform guard
+- risk guard (`high`/`critical` requires `--yes`)
+- billing guard (`billing.enabled` requires `--allow-billing`)
+- connector token guard (`CONNECTOR_<NAME>_TOKEN`)
+- execution summary output
+
+If `--dry-run` is set, command exits after summary and validation.
+
+## Runtime Model
+
+v1 supports host execution only.
+
+- host: steps run in order, shell/http supported.
+- docker: explicitly unsupported in v1 and fails with a clear error.
+
+Future docker direction:
+
+- docker image contains `spell-runner` and executes bundle in container.
+
+## Windows Policy
+
+- host mode does not assume bash/sh.
+- shell step expects executable files (`.js`/`.exe`/`.cmd`/`.ps1` etc).
+- process spawn uses `shell=false`.
+- for strict cross-OS reproducibility, docker mode is the long-term recommended path.
+
+## Effects Vocabulary (Recommended)
+
+Use these `effect.type` words where possible:
+
+- `create`
+- `update`
+- `delete`
+- `deploy`
+- `notify`
+
+## v1 Limitations (Intentionally Not Implemented)
+
+- name search or ambiguous resolution (id only)
+- registry/marketplace/signature enforcement/license verification
+- real billing execution (Stripe)
+- DAG/parallel/rollback/self-healing
+- advanced templating language (only `{{INPUT.*}}` and `{{ENV.*}}`)
+- docker step execution runtime
+
+## Example Flow
+
+```bash
+spell install ./fixtures/spells/hello-host
+spell list
+spell inspect fixtures/hello-host
+spell cast fixtures/hello-host --dry-run -p name=world
+spell cast fixtures/hello-host -p name=world
+spell log <execution-id>
+```
+
+## UI Connection Spec
+
+- Decision-complete button integration spec:
+  - `/Users/koichinishizuka/spell-runtime/docs/ui-connection-spec-v1.md`
+- Sample button registry:
+  - `/Users/koichinishizuka/spell-runtime/examples/button-registry.v1.json`

package/README.txt

@@ -0,0 +1,126 @@
+Spell Runtime v1
+
+Minimal CLI runtime for SpellBundle v1.
+
+1. Setup
+- Node.js >= 20
+- npm
+
+Install dependencies:
+  npm i
+
+Build:
+  npm run build
+
+Test:
+  npm test
+
+Local dev:
+  npm run dev -- --help
+
+Binary smoke checks:
+  npm run smoke:link
+  npm run smoke:npx
+
+Manual link:
+  npm link
+  spell --help
+
+Manual npx (local package):
+  npx --yes --package file:. spell --help
+
+2. CLI commands
+- spell install <local-path>
+- spell list
+- spell inspect <id> [--version x.y.z]
+- spell cast <id> [--version x.y.z] [-p key=value ...] [--input input.json] [--dry-run] [--yes] [--allow-billing] [--verbose] [--profile <name>]
+- spell log <execution-id>
+
+3. Storage layout
+- Spells: ~/.spell/spells/<id_key>/<version>/
+- ID index: ~/.spell/spells/<id_key>/spell.id.txt
+- Logs: ~/.spell/logs/<timestamp>_<id>_<version>.json
+
+id_key is fixed as base64url(utf8(id)).
+- id is the logical identifier (display, package identity).
+- id_key is only for safe filesystem storage.
+
+Consistency rule:
+- install checks spell.yaml id against spell.id.txt when spell.id.txt already exists.
+- mismatch is treated as an error.
+
+4. Cast preflight (always)
+Cast performs these checks before execution:
+- Bundle resolution by id (and optional version)
+- Input assembly (--input + -p overrides)
+- JSON Schema validation by Ajv
+- Platform guard
+- Risk guard (high/critical requires --yes)
+- Billing guard (billing.enabled requires --allow-billing)
+- Connector token guard (CONNECTOR_<NAME>_TOKEN)
+- Execution summary output
+
+If --dry-run is set, command exits after summary and validation.
+
+5. Runtime model
+v1 supports host execution only.
+- host: steps run in order, shell/http supported.
+- docker: explicitly unsupported in v1 and fails with a clear error.
+
+Future docker direction:
+- docker image contains spell-runner and executes bundle in container.
+
+6. Windows policy
+- host mode does not assume bash/sh.
+- shell step expects executable files (.js/.exe/.cmd/.ps1 etc).
+- process spawn uses shell=false.
+- for strict cross-OS reproducibility, docker mode is the long-term recommended path.
+
+7. Effects vocabulary (recommended)
+Use these effect.type words where possible:
+- create
+- update
+- delete
+- deploy
+- notify
+
+8. v1 limitations (intentionally not implemented)
+- name search or ambiguous resolution (id only)
+- registry/marketplace/signature enforcement/license verification
+- real billing execution (Stripe)
+- DAG/parallel/rollback/self-healing
+- advanced templating language (only {{INPUT.*}} and {{ENV.*}})
+- docker step execution runtime
+
+9. Example flow
+1) Install a local fixture
+  spell install ./fixtures/spells/hello-host
+
+2) List installed spells
+  spell list
+
+3) Inspect by id
+  spell inspect fixtures/hello-host
+
+4) Dry run cast
+  spell cast fixtures/hello-host --dry-run -p name=world
+
+5) Execute cast
+  spell cast fixtures/hello-host -p name=world
+
+6) Show execution log
+  spell log <execution-id>
+
+10. UI connection spec
+- Decision-complete button integration spec:
+  /Users/koichinishizuka/spell-runtime/docs/ui-connection-spec-v1.md
+- Sample button registry:
+  /Users/koichinishizuka/spell-runtime/examples/button-registry.v1.json
+
+11. Install from npm
+Global install:
+  npm i -g spell-runtime
+  spell --help
+
+Run with npx:
+  npx --yes --package spell-runtime spell --help

package/dist/bundle/install.d.ts

@@ -0,0 +1,7 @@
+export interface InstallResult {
+    id: string;
+    version: string;
+    idKey: string;
+    destination: string;
+}
+export declare function installBundle(localPath: string): Promise<InstallResult>;

package/dist/bundle/install.js

@@ -0,0 +1,99 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.installBundle = installBundle;
+const promises_1 = require("node:fs/promises");
+const node_path_1 = __importDefault(require("node:path"));
+const idKey_1 = require("../util/idKey");
+const paths_1 = require("../util/paths");
+const errors_1 = require("../util/errors");
+const manifest_1 = require("./manifest");
+async function installBundle(localPath) {
+    const sourcePath = node_path_1.default.resolve(localPath);
+    const sourceRoot = await (0, promises_1.realpath)(sourcePath);
+    const sourceStat = await (0, promises_1.stat)(sourceRoot);
+    if (!sourceStat.isDirectory()) {
+        throw new errors_1.SpellError(`bundle path must be a directory: ${localPath}`);
+    }
+    const { manifest, schemaPath } = await (0, manifest_1.loadManifestFromDir)(sourceRoot);
+    const idKey = (0, idKey_1.toIdKey)(manifest.id);
+    await (0, paths_1.ensureSpellDirs)();
+    const targetRoot = node_path_1.default.join((0, paths_1.spellsRoot)(), idKey);
+    const targetVersionPath = node_path_1.default.join(targetRoot, manifest.version);
+    await (0, promises_1.mkdir)(targetRoot, { recursive: true });
+    const idFilePath = node_path_1.default.join(targetRoot, "spell.id.txt");
+    const idFileExists = await exists(idFilePath);
+    if (idFileExists) {
+        const existingId = (await (0, promises_1.readFile)(idFilePath, "utf8")).trim();
+        if (existingId !== manifest.id) {
+            throw new errors_1.SpellError(`spell.id.txt mismatch for ${idKey}: expected '${existingId}', got '${manifest.id}'`);
+        }
+    }
+    else {
+        await (0, promises_1.writeFile)(idFilePath, `${manifest.id}\n`, "utf8");
+    }
+    if (await exists(targetVersionPath)) {
+        throw new errors_1.SpellError(`already installed: ${manifest.id}@${manifest.version}`);
+    }
+    await (0, promises_1.mkdir)(targetVersionPath, { recursive: false });
+    const srcManifestPath = node_path_1.default.join(sourceRoot, "spell.yaml");
+    const srcSchemaPath = schemaPath;
+    const srcStepsPath = node_path_1.default.join(sourceRoot, "steps");
+    await assertPathWithinSource(sourceRoot, srcManifestPath);
+    await assertPathWithinSource(sourceRoot, srcSchemaPath);
+    await assertPathWithinSource(sourceRoot, srcStepsPath);
+    await (0, promises_1.copyFile)(srcManifestPath, node_path_1.default.join(targetVersionPath, "spell.yaml"));
+    await (0, promises_1.copyFile)(srcSchemaPath, node_path_1.default.join(targetVersionPath, "schema.json"));
+    const targetStepsPath = node_path_1.default.join(targetVersionPath, "steps");
+    await copyDirectorySafe(srcStepsPath, targetStepsPath, sourceRoot);
+    await (0, promises_1.access)(node_path_1.default.join(targetVersionPath, "spell.yaml"));
+    await (0, promises_1.access)(node_path_1.default.join(targetVersionPath, "schema.json"));
+    await (0, promises_1.access)(node_path_1.default.join(targetVersionPath, "steps"));
+    return {
+        id: manifest.id,
+        version: manifest.version,
+        idKey,
+        destination: targetVersionPath
+    };
+}
+async function copyDirectorySafe(sourceDir, targetDir, sourceRoot) {
+    await (0, promises_1.mkdir)(targetDir, { recursive: true });
+    const entries = await (0, promises_1.readdir)(sourceDir, { withFileTypes: true });
+    for (const entry of entries) {
+        const srcPath = node_path_1.default.join(sourceDir, entry.name);
+        const dstPath = node_path_1.default.join(targetDir, entry.name);
+        await assertPathWithinSource(sourceRoot, srcPath);
+        const info = await (0, promises_1.lstat)(srcPath);
+        if (info.isSymbolicLink()) {
+            throw new errors_1.SpellError(`symlink is not allowed in steps/: ${srcPath}`);
+        }
+        if (info.isDirectory()) {
+            await copyDirectorySafe(srcPath, dstPath, sourceRoot);
+            continue;
+        }
+        if (info.isFile()) {
+            await (0, promises_1.copyFile)(srcPath, dstPath);
+            continue;
+        }
+        throw new errors_1.SpellError(`unsupported file type in steps/: ${srcPath}`);
+    }
+}
+async function assertPathWithinSource(sourceRoot, candidatePath) {
+    const candidateReal = await (0, promises_1.realpath)(candidatePath);
+    const rel = node_path_1.default.relative(sourceRoot, candidateReal);
+    if (rel.startsWith("..") || node_path_1.default.isAbsolute(rel)) {
+        throw new errors_1.SpellError(`path escapes bundle root: ${candidatePath}`);
+    }
+}
+async function exists(p) {
+    try {
+        await (0, promises_1.access)(p);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=install.js.map

package/dist/bundle/install.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"install.js","sourceRoot":"","sources":["../../src/bundle/install.ts"],"names":[],"mappings":";;;;;AAcA,sCA6DC;AA3ED,+CAAgH;AAChH,0DAA6B;AAC7B,yCAAwC;AACxC,yCAA4D;AAC5D,2CAA4C;AAC5C,yCAAiD;AAS1C,KAAK,UAAU,aAAa,CAAC,SAAiB;IACnD,MAAM,UAAU,GAAG,mBAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,MAAM,IAAA,mBAAQ,EAAC,UAAU,CAAC,CAAC;IAE9C,MAAM,UAAU,GAAG,MAAM,IAAA,eAAI,EAAC,UAAU,CAAC,CAAC;IAC1C,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,EAAE,CAAC;QAC9B,MAAM,IAAI,mBAAU,CAAC,oCAAoC,SAAS,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,MAAM,IAAA,8BAAmB,EAAC,UAAU,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,IAAA,eAAO,EAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAEnC,MAAM,IAAA,uBAAe,GAAE,CAAC;IAExB,MAAM,UAAU,GAAG,mBAAI,CAAC,IAAI,CAAC,IAAA,kBAAU,GAAE,EAAE,KAAK,CAAC,CAAC;IAClD,MAAM,iBAAiB,GAAG,mBAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,IAAA,gBAAK,EAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE7C,MAAM,UAAU,GAAG,mBAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IACzD,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;IAC9C,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,UAAU,GAAG,CAAC,MAAM,IAAA,mBAAQ,EAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC/D,IAAI,UAAU,KAAK,QAAQ,CAAC,EAAE,EAAE,CAAC;YAC/B,MAAM,IAAI,mBAAU,CAClB,6BAA6B,KAAK,eAAe,UAAU,WAAW,QAAQ,CAAC,EAAE,GAAG,CACrF,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAA,oBAAS,EAAC,UAAU,EAAE,GAAG,QAAQ,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,MAAM,MAAM,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,mBAAU,CAAC,sBAAsB,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;IAChF,CAAC;IAED,MAAM,IAAA,gBAAK,EAAC,iBAAiB,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;IAErD,MAAM,eAAe,GAAG,mBAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IAC5D,MAAM,aAAa,GAAG,UAAU,CAAC;IACjC,MAAM,YAAY,GAAG,mBAAI,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAEpD,MAAM,sBAAsB,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;IAC1D,MAAM,sBAAsB,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IACxD,MAAM,sBAAsB,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IAEvD,MAAM,IAAA,mBAAQ,EAAC,eAAe,EAAE,mBAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,YAAY,CAAC,CAAC,CAAC;IAC5E,MAAM,IAAA,mBAAQ,EAAC,aAAa,EAAE,mBAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC,CAAC;IAE3E,MAAM,eAAe,GAAG,mBAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;IAC9D,MAAM,iBAAiB,CAAC,YAAY,EAAE,eAAe,EAAE,UAAU,CAAC,CAAC;IAEnE,MAAM,IAAA,iBAAM,EAAC,mBAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,YAAY,CAAC,CAAC,CAAC;IACzD,MAAM,IAAA,iBAAM,EAAC,mBAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC,CAAC;IAC1D,MAAM,IAAA,iBAAM,EAAC,mBAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC,CAAC;IAEpD,OAAO;QACL,EAAE,EAAE,QAAQ,CAAC,EAAE;QACf,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,KAAK;QACL,WAAW,EAAE,iBAAiB;KAC/B,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,SAAiB,EAAE,SAAiB,EAAE,UAAkB;IACvF,MAAM,IAAA,gBAAK,EAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,MAAM,IAAA,kBAAO,EAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAElE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,mBAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,mBAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAEjD,MAAM,sBAAsB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAElD,MAAM,IAAI,GAAG,MAAM,IAAA,gBAAK,EAAC,OAAO,CAAC,CAAC;QAClC,IAAI,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;YAC1B,MAAM,IAAI,mBAAU,CAAC,qCAAqC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACvB,MAAM,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;YACtD,SAAS;QACX,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YAClB,MAAM,IAAA,mBAAQ,EAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACjC,SAAS;QACX,CAAC;QAED,MAAM,IAAI,mBAAU,CAAC,oCAAoC,OAAO,EAAE,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAC,UAAkB,EAAE,aAAqB;IAC7E,MAAM,aAAa,GAAG,MAAM,IAAA,mBAAQ,EAAC,aAAa,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,mBAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IACrD,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,mBAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,mBAAU,CAAC,6BAA6B,aAAa,EAAE,CAAC,CAAC;IACrE,CAAC;AACH,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,CAAS;IAC7B,IAAI,CAAC;QACH,MAAM,IAAA,iBAAM,EAAC,CAAC,CAAC,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/bundle/manifest.d.ts

@@ -0,0 +1,5 @@
+import { SpellBundleManifest } from "../types";
+export declare function loadManifestFromDir(bundlePath: string): Promise<{
+    manifest: SpellBundleManifest;
+    schemaPath: string;
+}>;

package/dist/bundle/manifest.js

@@ -0,0 +1,267 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadManifestFromDir = loadManifestFromDir;
+const promises_1 = require("node:fs/promises");
+const node_path_1 = __importDefault(require("node:path"));
+const js_yaml_1 = require("js-yaml");
+const errors_1 = require("../util/errors");
+const RISK_VALUES = new Set(["low", "medium", "high", "critical"]);
+const EXECUTION_VALUES = new Set(["host", "docker"]);
+const STEP_VALUES = new Set(["shell", "http"]);
+const CHECK_VALUES = new Set(["exit_code", "file_exists", "http_status", "jsonpath_equals"]);
+const BILLING_MODES = new Set(["none", "upfront", "on_success", "subscription"]);
+async function loadManifestFromDir(bundlePath) {
+    const manifestPath = node_path_1.default.join(bundlePath, "spell.yaml");
+    let rawYaml;
+    try {
+        rawYaml = await (0, promises_1.readFile)(manifestPath, "utf8");
+    }
+    catch {
+        throw new errors_1.SpellError(`spell.yaml not found: ${manifestPath}`);
+    }
+    let parsed;
+    try {
+        parsed = (0, js_yaml_1.load)(rawYaml);
+    }
+    catch (error) {
+        throw new errors_1.SpellError(`failed to parse spell.yaml: ${error.message}`);
+    }
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new errors_1.SpellError("spell.yaml must be a mapping object");
+    }
+    const manifest = parsed;
+    const id = readRequiredString(manifest, "id");
+    const version = readRequiredString(manifest, "version");
+    const name = readRequiredString(manifest, "name");
+    const summary = readRequiredString(manifest, "summary");
+    const inputsSchema = readRequiredString(manifest, "inputs_schema");
+    validateId(id);
+    validateVersion(version);
+    const risk = readRequiredString(manifest, "risk");
+    if (!RISK_VALUES.has(risk)) {
+        throw new errors_1.SpellError(`invalid risk: ${risk}`);
+    }
+    const permissionsRaw = readRequiredArray(manifest, "permissions");
+    const permissions = permissionsRaw.map((entry, idx) => {
+        if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+            throw new errors_1.SpellError(`permissions[${idx}] must be an object`);
+        }
+        const obj = entry;
+        const connector = readRequiredString(obj, "connector");
+        const scopes = readRequiredArray(obj, "scopes").map((scope, scopeIdx) => {
+            if (typeof scope !== "string" || !scope.trim()) {
+                throw new errors_1.SpellError(`permissions[${idx}].scopes[${scopeIdx}] must be a non-empty string`);
+            }
+            return scope;
+        });
+        if (scopes.length === 0) {
+            throw new errors_1.SpellError(`permissions[${idx}].scopes must not be empty`);
+        }
+        return { connector, scopes };
+    });
+    const effectsRaw = readRequiredArray(manifest, "effects");
+    const effects = effectsRaw.map((entry, idx) => {
+        if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+            throw new errors_1.SpellError(`effects[${idx}] must be an object`);
+        }
+        const obj = entry;
+        const type = readRequiredString(obj, "type");
+        const target = readRequiredString(obj, "target");
+        const mutates = readRequiredBoolean(obj, "mutates");
+        return { type, target, mutates };
+    });
+    const billingRaw = readRequiredObject(manifest, "billing");
+    const billingEnabled = readRequiredBoolean(billingRaw, "enabled");
+    const billingMode = readRequiredString(billingRaw, "mode");
+    const currency = readRequiredString(billingRaw, "currency");
+    const maxAmount = readRequiredNumber(billingRaw, "max_amount");
+    if (!BILLING_MODES.has(billingMode)) {
+        throw new errors_1.SpellError(`invalid billing.mode: ${billingMode}`);
+    }
+    const runtimeRaw = readRequiredObject(manifest, "runtime");
+    const execution = readRequiredString(runtimeRaw, "execution");
+    if (!EXECUTION_VALUES.has(execution)) {
+        throw new errors_1.SpellError(`invalid runtime.execution: ${execution}`);
+    }
+    const platforms = readRequiredArray(runtimeRaw, "platforms").map((platformValue, idx) => {
+        if (typeof platformValue !== "string" || !platformValue.trim()) {
+            throw new errors_1.SpellError(`runtime.platforms[${idx}] must be a non-empty string`);
+        }
+        return platformValue;
+    });
+    const dockerImageRaw = runtimeRaw["docker_image"];
+    const dockerImage = typeof dockerImageRaw === "string" && dockerImageRaw.trim() ? dockerImageRaw : undefined;
+    if (execution === "docker" && !dockerImage) {
+        throw new errors_1.SpellError("runtime.docker_image is required when runtime.execution=docker");
+    }
+    const steps = parseSteps(readRequiredArray(manifest, "steps"));
+    const checks = parseChecks(readRequiredArray(manifest, "checks"));
+    const schemaPath = resolveInputsSchema(bundlePath, inputsSchema);
+    await (0, promises_1.access)(schemaPath);
+    await (0, promises_1.access)(node_path_1.default.join(bundlePath, "schema.json"));
+    const stepsDirPath = node_path_1.default.join(bundlePath, "steps");
+    const stepsDirStat = await (0, promises_1.stat)(stepsDirPath);
+    if (!stepsDirStat.isDirectory()) {
+        throw new errors_1.SpellError("steps/ must be a directory");
+    }
+    for (const step of steps) {
+        const runPath = node_path_1.default.resolve(bundlePath, step.run);
+        ensurePathWithin(bundlePath, runPath, `step '${step.name}' run path`);
+        await (0, promises_1.access)(runPath);
+    }
+    const typedManifest = {
+        id,
+        version,
+        name,
+        summary,
+        inputs_schema: inputsSchema,
+        risk: risk,
+        permissions,
+        effects,
+        billing: {
+            enabled: billingEnabled,
+            mode: billingMode,
+            currency,
+            max_amount: maxAmount
+        },
+        runtime: {
+            execution: execution,
+            platforms,
+            docker_image: dockerImage
+        },
+        steps,
+        checks
+    };
+    return { manifest: typedManifest, schemaPath };
+}
+function parseSteps(rawSteps) {
+    if (rawSteps.length === 0) {
+        throw new errors_1.SpellError("steps must not be empty");
+    }
+    const seenNames = new Set();
+    return rawSteps.map((entry, idx) => {
+        if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+            throw new errors_1.SpellError(`steps[${idx}] must be an object`);
+        }
+        const obj = entry;
+        const uses = readRequiredString(obj, "uses");
+        if (!STEP_VALUES.has(uses)) {
+            throw new errors_1.SpellError(`invalid steps[${idx}].uses: ${uses}`);
+        }
+        const name = readRequiredString(obj, "name");
+        if (seenNames.has(name)) {
+            throw new errors_1.SpellError(`duplicate step name: ${name}`);
+        }
+        seenNames.add(name);
+        const run = readRequiredString(obj, "run");
+        return {
+            uses: uses,
+            name,
+            run
+        };
+    });
+}
+function parseChecks(rawChecks) {
+    if (rawChecks.length === 0) {
+        throw new errors_1.SpellError("checks must not be empty");
+    }
+    return rawChecks.map((entry, idx) => {
+        if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+            throw new errors_1.SpellError(`checks[${idx}] must be an object`);
+        }
+        const obj = entry;
+        const type = readRequiredString(obj, "type");
+        if (!CHECK_VALUES.has(type)) {
+            throw new errors_1.SpellError(`invalid checks[${idx}].type: ${type}`);
+        }
+        const paramsRaw = obj["params"];
+        const params = paramsRaw && typeof paramsRaw === "object" && !Array.isArray(paramsRaw)
+            ? paramsRaw
+            : {};
+        return {
+            type: type,
+            params
+        };
+    });
+}
+function resolveInputsSchema(bundlePath, inputSchemaPath) {
+    if (!inputSchemaPath.trim()) {
+        throw new errors_1.SpellError("inputs_schema must not be empty");
+    }
+    const resolved = node_path_1.default.resolve(bundlePath, inputSchemaPath);
+    ensurePathWithin(bundlePath, resolved, "inputs_schema");
+    if (node_path_1.default.basename(resolved) !== "schema.json") {
+        throw new errors_1.SpellError("inputs_schema must point to schema.json in v1");
+    }
+    return resolved;
+}
+function ensurePathWithin(root, target, label) {
+    const rel = node_path_1.default.relative(node_path_1.default.resolve(root), target);
+    if (rel.startsWith("..") || node_path_1.default.isAbsolute(rel)) {
+        throw new errors_1.SpellError(`${label} escapes bundle root`);
+    }
+}
+function validateId(id) {
+    if (!id.trim()) {
+        throw new errors_1.SpellError("id must not be empty");
+    }
+    if (id.length > 200) {
+        throw new errors_1.SpellError("id must be <= 200 characters");
+    }
+    if (/[\x00-\x1F\x7F]/.test(id)) {
+        throw new errors_1.SpellError("id must not contain control characters");
+    }
+}
+function validateVersion(version) {
+    if (!version.trim()) {
+        throw new errors_1.SpellError("version must not be empty");
+    }
+    if (version.length > 50) {
+        throw new errors_1.SpellError("version must be <= 50 characters");
+    }
+    if (/[\x00-\x1F\x7F]/.test(version)) {
+        throw new errors_1.SpellError("version must not contain control characters");
+    }
+}
+function readRequiredString(obj, key) {
+    const value = obj[key];
+    if (typeof value !== "string") {
+        throw new errors_1.SpellError(`missing or invalid string field: ${key}`);
+    }
+    if (!value.trim()) {
+        throw new errors_1.SpellError(`field must not be empty: ${key}`);
+    }
+    return value;
+}
+function readRequiredNumber(obj, key) {
+    const value = obj[key];
+    if (typeof value !== "number" || Number.isNaN(value)) {
+        throw new errors_1.SpellError(`missing or invalid number field: ${key}`);
+    }
+    return value;
+}
+function readRequiredBoolean(obj, key) {
+    const value = obj[key];
+    if (typeof value !== "boolean") {
+        throw new errors_1.SpellError(`missing or invalid boolean field: ${key}`);
+    }
+    return value;
+}
+function readRequiredArray(obj, key) {
+    const value = obj[key];
+    if (!Array.isArray(value)) {
+        throw new errors_1.SpellError(`missing or invalid array field: ${key}`);
+    }
+    return value;
+}
+function readRequiredObject(obj, key) {
+    const value = obj[key];
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        throw new errors_1.SpellError(`missing or invalid object field: ${key}`);
+    }
+    return value;
+}
+//# sourceMappingURL=manifest.js.map