t3code-cli 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46) hide show
  1. package/README.md +1 -1
  2. package/dist/bin.js +412 -87
  3. package/dist/index.js +1 -1
  4. package/dist/{runtime-CMPZpQaG.js → runtime-Cq64iuZr.js} +4768 -2040
  5. package/dist/src/application/layer.d.ts +3 -3
  6. package/dist/src/application/models.d.ts +1 -1
  7. package/dist/src/application/projects.d.ts +1 -1
  8. package/dist/src/application/threads.d.ts +1 -1
  9. package/dist/src/auth/error.d.ts +20 -1
  10. package/dist/src/auth/layer.d.ts +9 -22
  11. package/dist/src/auth/local.d.ts +23 -15
  12. package/dist/src/auth/pairing.d.ts +20 -2
  13. package/dist/src/auth/schema.d.ts +25 -34
  14. package/dist/src/auth/service.d.ts +2 -2
  15. package/dist/src/auth/transport.d.ts +13 -20
  16. package/dist/src/auth/type.d.ts +0 -1
  17. package/dist/src/domain/model-config.d.ts +3 -3
  18. package/dist/src/orchestration/layer.d.ts +3 -3
  19. package/dist/src/rpc/layer.d.ts +6 -6
  20. package/dist/src/rpc/ws-group.d.ts +3 -3
  21. package/dist/src/runtime.d.ts +2 -2
  22. package/dist/src/sql/node-sqlite-client.d.ts +10 -0
  23. package/dist/src/sql/service.d.ts +17 -0
  24. package/dist/upstream-t3code/packages/contracts/src/auth.d.ts +14 -12
  25. package/dist/upstream-t3code/packages/contracts/src/environmentHttp.d.ts +167 -7
  26. package/dist/upstream-t3code/packages/contracts/src/index.d.ts +1 -0
  27. package/dist/upstream-t3code/packages/contracts/src/ipc.d.ts +24 -0
  28. package/dist/upstream-t3code/packages/contracts/src/providerRuntime.d.ts +90 -0
  29. package/dist/upstream-t3code/packages/contracts/src/relay.d.ts +1262 -0
  30. package/dist/upstream-t3code/packages/contracts/src/relayClient.d.ts +48 -0
  31. package/dist/upstream-t3code/packages/contracts/src/rpc.d.ts +78 -9
  32. package/dist/upstream-t3code/packages/contracts/src/server.d.ts +3 -3
  33. package/package.json +3 -3
  34. package/src/auth/error.ts +33 -1
  35. package/src/auth/layer.ts +11 -76
  36. package/src/auth/local.ts +342 -208
  37. package/src/auth/pairing.ts +44 -2
  38. package/src/auth/schema.ts +21 -28
  39. package/src/auth/service.ts +2 -2
  40. package/src/auth/transport.ts +59 -22
  41. package/src/auth/type.ts +0 -1
  42. package/src/cli/auth.ts +1 -3
  43. package/src/rpc/layer.ts +2 -2
  44. package/src/runtime.ts +14 -1
  45. package/src/sql/node-sqlite-client.ts +141 -0
  46. package/src/sql/service.ts +21 -0
package/dist/upstream-t3code/packages/contracts/src/auth.d.ts CHANGED
@@ -52,8 +52,10 @@ export type ServerAuthBootstrapMethod = typeof ServerAuthBootstrapMethod.Type;
52
52
  * app after bootstrap/pairing
53
53
  * - `bearer-access-token`: scoped token suitable for non-cookie or
54
54
  * non-browser clients
55
+ * - `dpop-access-token`: scoped proof-of-possession token used by managed
56
+ * relay connections
55
57
  */
56
- export declare const ServerAuthSessionMethod: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
58
+ export declare const ServerAuthSessionMethod: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
57
59
  export type ServerAuthSessionMethod = typeof ServerAuthSessionMethod.Type;
58
60
  export declare const AuthOrchestrationReadScope: "orchestration:read";
59
61
  export declare const AuthOrchestrationOperateScope: "orchestration:operate";
@@ -95,7 +97,7 @@ export declare const AuthEnvironmentBootstrapTokenType: "urn:t3:params:oauth:tok
95
97
  export declare const ServerAuthDescriptor: Schema.Struct<{
96
98
  readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
97
99
  readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
98
- readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
100
+ readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
99
101
  readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
100
102
  }>;
101
103
  export type ServerAuthDescriptor = typeof ServerAuthDescriptor.Type;
@@ -106,7 +108,7 @@ export type AuthBrowserSessionRequest = typeof AuthBrowserSessionRequest.Type;
106
108
  export declare const AuthBrowserSessionResult: Schema.Struct<{
107
109
  readonly authenticated: Schema.Literal<true>;
108
110
  readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
109
- readonly sessionMethod: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
111
+ readonly sessionMethod: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
110
112
  readonly expiresAt: Schema.DateTimeUtc;
111
113
  }>;
112
114
  export type AuthBrowserSessionResult = typeof AuthBrowserSessionResult.Type;
@@ -132,7 +134,7 @@ export type AuthTokenExchangeRequest = typeof AuthTokenExchangeRequest.Type;
132
134
  export declare const AuthAccessTokenResult: Schema.Struct<{
133
135
  readonly access_token: Schema.decodeTo<Schema.String, Schema.String, never, never>;
134
136
  readonly issued_token_type: Schema.Literal<"urn:ietf:params:oauth:token-type:access_token">;
135
- readonly token_type: Schema.Literal<"Bearer">;
137
+ readonly token_type: Schema.Literals<readonly ["Bearer", "DPoP"]>;
136
138
  readonly expires_in: Schema.Number;
137
139
  readonly scope: Schema.decodeTo<Schema.String, Schema.String, never, never>;
138
140
  }>;
@@ -172,7 +174,7 @@ export declare const AuthClientSession: Schema.Struct<{
172
174
  readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
173
175
  readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
174
176
  readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
175
- readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
177
+ readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
176
178
  readonly client: Schema.Struct<{
177
179
  readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
178
180
  readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
@@ -202,7 +204,7 @@ export declare const AuthAccessSnapshot: Schema.Struct<{
202
204
  readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
203
205
  readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
204
206
  readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
205
- readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
207
+ readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
206
208
  readonly client: Schema.Struct<{
207
209
  readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
208
210
  readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
@@ -237,7 +239,7 @@ export declare const AuthAccessStreamSnapshotEvent: Schema.Struct<{
237
239
  readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
238
240
  readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
239
241
  readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
240
- readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
242
+ readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
241
243
  readonly client: Schema.Struct<{
242
244
  readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
243
245
  readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
@@ -298,7 +300,7 @@ export declare const AuthAccessStreamClientUpsertedEvent: Schema.Struct<{
298
300
  readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
299
301
  readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
300
302
  readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
301
- readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
303
+ readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
302
304
  readonly client: Schema.Struct<{
303
305
  readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
304
306
  readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
@@ -342,7 +344,7 @@ export declare const AuthAccessStreamEvent: Schema.Union<readonly [Schema.Struct
342
344
  readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
343
345
  readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
344
346
  readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
345
- readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
347
+ readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
346
348
  readonly client: Schema.Struct<{
347
349
  readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
348
350
  readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
@@ -386,7 +388,7 @@ export declare const AuthAccessStreamEvent: Schema.Union<readonly [Schema.Struct
386
388
  readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
387
389
  readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
388
390
  readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
389
- readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
391
+ readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
390
392
  readonly client: Schema.Struct<{
391
393
  readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
392
394
  readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
@@ -428,11 +430,11 @@ export declare const AuthSessionState: Schema.Struct<{
428
430
  readonly auth: Schema.Struct<{
429
431
  readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
430
432
  readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
431
- readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
433
+ readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
432
434
  readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
433
435
  }>;
434
436
  readonly scopes: Schema.optionalKey<Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>>;
435
- readonly sessionMethod: Schema.optionalKey<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
437
+ readonly sessionMethod: Schema.optionalKey<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
436
438
  readonly expiresAt: Schema.optionalKey<Schema.DateTimeUtc>;
437
439
  }>;
438
440
  export type AuthSessionState = typeof AuthSessionState.Type;
package/dist/upstream-t3code/packages/contracts/src/environmentHttp.d.ts CHANGED
@@ -59,11 +59,49 @@ export declare class EnvironmentInternalError extends EnvironmentInternalError_b
59
59
  }
60
60
  export declare const EnvironmentHttpCommonError: Schema.Union<readonly [typeof EnvironmentRequestInvalidError, typeof EnvironmentAuthInvalidError, typeof EnvironmentScopeRequiredError, typeof EnvironmentOperationForbiddenError, typeof EnvironmentInternalError]>;
61
61
  export type EnvironmentHttpCommonError = typeof EnvironmentHttpCommonError.Type;
62
+ declare const EnvironmentHttpBadRequestError_base: Schema.Class<EnvironmentHttpBadRequestError, Schema.TaggedStruct<"EnvironmentHttpBadRequestError", {
63
+ readonly message: Schema.String;
64
+ }>, import("effect/Cause").YieldableError>;
65
+ export declare class EnvironmentHttpBadRequestError extends EnvironmentHttpBadRequestError_base {
66
+ [HttpServerRespondable.symbol](): import("effect/Effect").Effect<HttpServerResponse.HttpServerResponse, import("effect/unstable/http/HttpBody").HttpBodyError, never>;
67
+ }
68
+ declare const EnvironmentHttpUnauthorizedError_base: Schema.Class<EnvironmentHttpUnauthorizedError, Schema.TaggedStruct<"EnvironmentHttpUnauthorizedError", {
69
+ readonly message: Schema.String;
70
+ }>, import("effect/Cause").YieldableError>;
71
+ export declare class EnvironmentHttpUnauthorizedError extends EnvironmentHttpUnauthorizedError_base {
72
+ [HttpServerRespondable.symbol](): import("effect/Effect").Effect<HttpServerResponse.HttpServerResponse, import("effect/unstable/http/HttpBody").HttpBodyError, never>;
73
+ }
74
+ declare const EnvironmentHttpForbiddenError_base: Schema.Class<EnvironmentHttpForbiddenError, Schema.TaggedStruct<"EnvironmentHttpForbiddenError", {
75
+ readonly message: Schema.String;
76
+ }>, import("effect/Cause").YieldableError>;
77
+ export declare class EnvironmentHttpForbiddenError extends EnvironmentHttpForbiddenError_base {
78
+ [HttpServerRespondable.symbol](): import("effect/Effect").Effect<HttpServerResponse.HttpServerResponse, import("effect/unstable/http/HttpBody").HttpBodyError, never>;
79
+ }
80
+ declare const EnvironmentHttpInternalServerError_base: Schema.Class<EnvironmentHttpInternalServerError, Schema.TaggedStruct<"EnvironmentHttpInternalServerError", {
81
+ readonly message: Schema.String;
82
+ }>, import("effect/Cause").YieldableError>;
83
+ export declare class EnvironmentHttpInternalServerError extends EnvironmentHttpInternalServerError_base {
84
+ [HttpServerRespondable.symbol](): import("effect/Effect").Effect<HttpServerResponse.HttpServerResponse, import("effect/unstable/http/HttpBody").HttpBodyError, never>;
85
+ }
86
+ declare const EnvironmentHttpConflictError_base: Schema.Class<EnvironmentHttpConflictError, Schema.TaggedStruct<"EnvironmentHttpConflictError", {
87
+ readonly message: Schema.String;
88
+ }>, import("effect/Cause").YieldableError>;
89
+ export declare class EnvironmentHttpConflictError extends EnvironmentHttpConflictError_base {
90
+ [HttpServerRespondable.symbol](): import("effect/Effect").Effect<HttpServerResponse.HttpServerResponse, import("effect/unstable/http/HttpBody").HttpBodyError, never>;
91
+ }
92
+ declare const EnvironmentCloudEndpointUnavailableError_base: Schema.Class<EnvironmentCloudEndpointUnavailableError, Schema.TaggedStruct<"EnvironmentCloudEndpointUnavailableError", {
93
+ readonly message: Schema.String;
94
+ readonly endpointRuntimeStatus: Schema.Unknown;
95
+ }>, import("effect/Cause").YieldableError>;
96
+ export declare class EnvironmentCloudEndpointUnavailableError extends EnvironmentCloudEndpointUnavailableError_base {
97
+ [HttpServerRespondable.symbol](): import("effect/Effect").Effect<HttpServerResponse.HttpServerResponse, import("effect/unstable/http/HttpBody").HttpBodyError, never>;
98
+ }
62
99
  export interface EnvironmentSessionPrincipalShape {
63
100
  readonly sessionId: AuthSessionId;
64
101
  readonly subject: string;
65
102
  readonly method: ServerAuthSessionMethod;
66
103
  readonly scopes: ReadonlySet<AuthEnvironmentScope>;
104
+ readonly proofKeyThumbprint?: string;
67
105
  readonly expiresAt?: DateTime.DateTime;
68
106
  }
69
107
  declare const EnvironmentAuthenticatedPrincipal_base: Context.ServiceClass<EnvironmentAuthenticatedPrincipal, "@t3tools/contracts/environmentHttp/EnvironmentAuthenticatedPrincipal", EnvironmentSessionPrincipalShape>;
@@ -79,6 +117,23 @@ declare const EnvironmentAuthenticatedAuth_base: HttpApiMiddleware.ServiceClass<
79
117
  }, HttpApiMiddleware.HttpApiMiddleware<EnvironmentAuthenticatedPrincipal, readonly [typeof EnvironmentAuthInvalidError, typeof EnvironmentInternalError], never>>;
80
118
  export declare class EnvironmentAuthenticatedAuth extends EnvironmentAuthenticatedAuth_base {
81
119
  }
120
+ export declare const EnvironmentCloudRelayConfigResult: Schema.Struct<{
121
+ readonly ok: Schema.Boolean;
122
+ readonly endpointRuntimeStatus: Schema.Unknown;
123
+ }>;
124
+ export type EnvironmentCloudRelayConfigResult = typeof EnvironmentCloudRelayConfigResult.Type;
125
+ export declare const EnvironmentCloudLinkStateResult: Schema.Struct<{
126
+ readonly linked: Schema.Boolean;
127
+ readonly cloudUserId: Schema.NullOr<Schema.String>;
128
+ readonly relayUrl: Schema.NullOr<Schema.String>;
129
+ readonly relayIssuer: Schema.NullOr<Schema.String>;
130
+ readonly publishAgentActivity: Schema.Boolean;
131
+ }>;
132
+ export type EnvironmentCloudLinkStateResult = typeof EnvironmentCloudLinkStateResult.Type;
133
+ export declare const EnvironmentCloudPreferencesRequest: Schema.Struct<{
134
+ readonly publishAgentActivity: Schema.Boolean;
135
+ }>;
136
+ export type EnvironmentCloudPreferencesRequest = typeof EnvironmentCloudPreferencesRequest.Type;
82
137
  export declare const AuthPairingLinkRevokeResult: Schema.Struct<{
83
138
  readonly revoked: Schema.Boolean;
84
139
  }>;
@@ -107,23 +162,24 @@ export declare class EnvironmentMetadataHttpApi extends EnvironmentMetadataHttpA
107
162
  }
108
163
  declare const EnvironmentAuthHttpApi_base: HttpApiGroup.HttpApiGroup<"auth", HttpApiEndpoint.HttpApiEndpoint<"session", "GET", "/api/auth/session", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<Schema.Struct<{
109
164
  readonly authorization: Schema.optionalKey<Schema.String>;
165
+ readonly dpop: Schema.optionalKey<Schema.String>;
110
166
  }>>, HttpApiEndpoint.Json<Schema.Struct<{
111
167
  readonly authenticated: Schema.Boolean;
112
168
  readonly auth: Schema.Struct<{
113
169
  readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
114
170
  readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
115
- readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
171
+ readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
116
172
  readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
117
173
  }>;
118
174
  readonly scopes: Schema.optionalKey<Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>>;
119
- readonly sessionMethod: Schema.optionalKey<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>>;
175
+ readonly sessionMethod: Schema.optionalKey<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
120
176
  readonly expiresAt: Schema.optionalKey<Schema.DateTimeUtc>;
121
177
  }>>, HttpApiEndpoint.Json<typeof EnvironmentInternalError>, never, never> | HttpApiEndpoint.HttpApiEndpoint<"browserSession", "POST", "/api/auth/browser-session", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
122
178
  readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
123
179
  }>>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
124
180
  readonly authenticated: Schema.Literal<true>;
125
181
  readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
126
- readonly sessionMethod: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
182
+ readonly sessionMethod: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
127
183
  readonly expiresAt: Schema.DateTimeUtc;
128
184
  }>>, HttpApiEndpoint.Json<typeof EnvironmentAuthInvalidError | typeof EnvironmentInternalError>, never, never> | HttpApiEndpoint.HttpApiEndpoint<"token", "POST", "/oauth/token", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
129
185
  readonly grant_type: Schema.Literal<"urn:ietf:params:oauth:grant-type:token-exchange">;
@@ -134,14 +190,17 @@ declare const EnvironmentAuthHttpApi_base: HttpApiGroup.HttpApiGroup<"auth", Htt
134
190
  readonly client_label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
135
191
  readonly client_device_type: Schema.optionalKey<Schema.Literals<readonly ["desktop", "mobile", "tablet", "bot", "unknown"]>>;
136
192
  readonly client_os: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
137
- }>>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
193
+ }>>, HttpApiEndpoint.StringTree<Schema.Struct<{
194
+ readonly dpop: Schema.optionalKey<Schema.String>;
195
+ }>>, HttpApiEndpoint.Json<Schema.Struct<{
138
196
  readonly access_token: Schema.decodeTo<Schema.String, Schema.String, never, never>;
139
197
  readonly issued_token_type: Schema.Literal<"urn:ietf:params:oauth:token-type:access_token">;
140
- readonly token_type: Schema.Literal<"Bearer">;
198
+ readonly token_type: Schema.Literals<readonly ["Bearer", "DPoP"]>;
141
199
  readonly expires_in: Schema.Number;
142
200
  readonly scope: Schema.decodeTo<Schema.String, Schema.String, never, never>;
143
201
  }>>, HttpApiEndpoint.Json<typeof EnvironmentRequestInvalidError | typeof EnvironmentAuthInvalidError | typeof EnvironmentInternalError>, never, never> | HttpApiEndpoint.HttpApiEndpoint<"webSocketTicket", "POST", "/api/auth/websocket-ticket", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<never>, HttpApiEndpoint.StringTree<Schema.Struct<{
144
202
  readonly authorization: Schema.optionalKey<Schema.String>;
203
+ readonly dpop: Schema.optionalKey<Schema.String>;
145
204
  }>>, HttpApiEndpoint.Json<Schema.Struct<{
146
205
  readonly ticket: Schema.decodeTo<Schema.String, Schema.String, never, never>;
147
206
  readonly expiresAt: Schema.DateTimeUtc;
@@ -150,6 +209,7 @@ declare const EnvironmentAuthHttpApi_base: HttpApiGroup.HttpApiGroup<"auth", Htt
150
209
  readonly scopes: Schema.optionalKey<Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>>;
151
210
  }>>, HttpApiEndpoint.StringTree<Schema.Struct<{
152
211
  readonly authorization: Schema.optionalKey<Schema.String>;
212
+ readonly dpop: Schema.optionalKey<Schema.String>;
153
213
  }>>, HttpApiEndpoint.Json<Schema.Struct<{
154
214
  readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
155
215
  readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
@@ -157,6 +217,7 @@ declare const EnvironmentAuthHttpApi_base: HttpApiGroup.HttpApiGroup<"auth", Htt
157
217
  readonly expiresAt: Schema.DateTimeUtc;
158
218
  }>>, HttpApiEndpoint.Json<typeof EnvironmentRequestInvalidError | typeof EnvironmentScopeRequiredError | typeof EnvironmentInternalError>, EnvironmentAuthenticatedAuth, never> | HttpApiEndpoint.HttpApiEndpoint<"pairingLinks", "GET", "/api/auth/pairing-links", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<Schema.Struct<{
159
219
  readonly authorization: Schema.optionalKey<Schema.String>;
220
+ readonly dpop: Schema.optionalKey<Schema.String>;
160
221
  }>>, HttpApiEndpoint.Json<Schema.$Array<Schema.Struct<{
161
222
  readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
162
223
  readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
@@ -169,15 +230,17 @@ declare const EnvironmentAuthHttpApi_base: HttpApiGroup.HttpApiGroup<"auth", Htt
169
230
  readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
170
231
  }>>, HttpApiEndpoint.StringTree<Schema.Struct<{
171
232
  readonly authorization: Schema.optionalKey<Schema.String>;
233
+ readonly dpop: Schema.optionalKey<Schema.String>;
172
234
  }>>, HttpApiEndpoint.Json<Schema.Struct<{
173
235
  readonly revoked: Schema.Boolean;
174
236
  }>>, HttpApiEndpoint.Json<typeof EnvironmentScopeRequiredError | typeof EnvironmentInternalError>, EnvironmentAuthenticatedAuth, never> | HttpApiEndpoint.HttpApiEndpoint<"clients", "GET", "/api/auth/clients", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<Schema.Struct<{
175
237
  readonly authorization: Schema.optionalKey<Schema.String>;
238
+ readonly dpop: Schema.optionalKey<Schema.String>;
176
239
  }>>, HttpApiEndpoint.Json<Schema.$Array<Schema.Struct<{
177
240
  readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
178
241
  readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
179
242
  readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
180
- readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token"]>;
243
+ readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
181
244
  readonly client: Schema.Struct<{
182
245
  readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
183
246
  readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
@@ -195,10 +258,12 @@ declare const EnvironmentAuthHttpApi_base: HttpApiGroup.HttpApiGroup<"auth", Htt
195
258
  readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
196
259
  }>>, HttpApiEndpoint.StringTree<Schema.Struct<{
197
260
  readonly authorization: Schema.optionalKey<Schema.String>;
261
+ readonly dpop: Schema.optionalKey<Schema.String>;
198
262
  }>>, HttpApiEndpoint.Json<Schema.Struct<{
199
263
  readonly revoked: Schema.Boolean;
200
264
  }>>, HttpApiEndpoint.Json<typeof EnvironmentScopeRequiredError | typeof EnvironmentOperationForbiddenError | typeof EnvironmentInternalError>, EnvironmentAuthenticatedAuth, never> | HttpApiEndpoint.HttpApiEndpoint<"revokeOtherClients", "POST", "/api/auth/clients/revoke-others", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<never>, HttpApiEndpoint.StringTree<Schema.Struct<{
201
265
  readonly authorization: Schema.optionalKey<Schema.String>;
266
+ readonly dpop: Schema.optionalKey<Schema.String>;
202
267
  }>>, HttpApiEndpoint.Json<Schema.Struct<{
203
268
  readonly revokedCount: Schema.Number;
204
269
  }>>, HttpApiEndpoint.Json<typeof EnvironmentScopeRequiredError | typeof EnvironmentInternalError>, EnvironmentAuthenticatedAuth, never>, false>;
@@ -206,6 +271,7 @@ export declare class EnvironmentAuthHttpApi extends EnvironmentAuthHttpApi_base
206
271
  }
207
272
  declare const EnvironmentOrchestrationHttpApi_base: HttpApiGroup.HttpApiGroup<"orchestration", HttpApiEndpoint.HttpApiEndpoint<"snapshot", "GET", "/api/orchestration/snapshot", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<Schema.Struct<{
208
273
  readonly authorization: Schema.optionalKey<Schema.String>;
274
+ readonly dpop: Schema.optionalKey<Schema.String>;
209
275
  }>>, HttpApiEndpoint.Json<Schema.Struct<{
210
276
  readonly snapshotSequence: Schema.Int;
211
277
  readonly projects: Schema.$Array<Schema.Struct<{
@@ -591,12 +657,106 @@ declare const EnvironmentOrchestrationHttpApi_base: HttpApiGroup.HttpApiGroup<"o
591
657
  readonly createdAt: Schema.String;
592
658
  }>]>>, HttpApiEndpoint.StringTree<Schema.Struct<{
593
659
  readonly authorization: Schema.optionalKey<Schema.String>;
660
+ readonly dpop: Schema.optionalKey<Schema.String>;
594
661
  }>>, HttpApiEndpoint.Json<Schema.Struct<{
595
662
  readonly sequence: Schema.Int;
596
663
  }>>, HttpApiEndpoint.Json<typeof EnvironmentRequestInvalidError | typeof EnvironmentScopeRequiredError | typeof EnvironmentInternalError>, EnvironmentAuthenticatedAuth, never>, false>;
597
664
  export declare class EnvironmentOrchestrationHttpApi extends EnvironmentOrchestrationHttpApi_base {
598
665
  }
599
- declare const EnvironmentHttpApi_base: HttpApi.HttpApi<"environment", typeof EnvironmentMetadataHttpApi | typeof EnvironmentAuthHttpApi | typeof EnvironmentOrchestrationHttpApi>;
666
+ declare const EnvironmentCloudHttpApi_base: HttpApiGroup.HttpApiGroup<"cloud", HttpApiEndpoint.HttpApiEndpoint<"linkProof", "POST", "/api/cloud/link-proof", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
667
+ readonly challenge: Schema.String;
668
+ readonly relayIssuer: Schema.String;
669
+ readonly endpoint: Schema.Struct<{
670
+ readonly httpBaseUrl: Schema.decodeTo<Schema.String, Schema.String, never, never>;
671
+ readonly wsBaseUrl: Schema.decodeTo<Schema.String, Schema.String, never, never>;
672
+ readonly providerKind: Schema.Literals<readonly ["manual", "cloudflare_tunnel", "t3_relay"]>;
673
+ }>;
674
+ readonly origin: Schema.Struct<{
675
+ readonly localHttpHost: Schema.decodeTo<Schema.String, Schema.String, never, never>;
676
+ readonly localHttpPort: Schema.Int;
677
+ }>;
678
+ }>>, HttpApiEndpoint.StringTree<Schema.Struct<{
679
+ readonly authorization: Schema.optionalKey<Schema.String>;
680
+ readonly dpop: Schema.optionalKey<Schema.String>;
681
+ }>>, HttpApiEndpoint.Json<Schema.decodeTo<Schema.String, Schema.String, never, never>>, HttpApiEndpoint.Json<typeof EnvironmentScopeRequiredError | typeof EnvironmentHttpBadRequestError | typeof EnvironmentHttpUnauthorizedError | typeof EnvironmentHttpForbiddenError | typeof EnvironmentHttpInternalServerError | typeof EnvironmentHttpConflictError>, EnvironmentAuthenticatedAuth, never> | HttpApiEndpoint.HttpApiEndpoint<"relayConfig", "POST", "/api/cloud/relay-config", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
682
+ readonly relayUrl: Schema.String;
683
+ readonly relayIssuer: Schema.optional<Schema.String>;
684
+ readonly cloudUserId: Schema.String;
685
+ readonly environmentCredential: Schema.String;
686
+ readonly cloudMintPublicKey: Schema.String;
687
+ readonly endpointRuntime: Schema.NullOr<Schema.Struct<{
688
+ readonly providerKind: Schema.Literals<readonly ["manual", "cloudflare_tunnel", "t3_relay"]>;
689
+ readonly connectorToken: Schema.decodeTo<Schema.String, Schema.String, never, never>;
690
+ readonly tunnelId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
691
+ readonly tunnelName: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
692
+ }>>;
693
+ }>>, HttpApiEndpoint.StringTree<Schema.Struct<{
694
+ readonly authorization: Schema.optionalKey<Schema.String>;
695
+ readonly dpop: Schema.optionalKey<Schema.String>;
696
+ }>>, HttpApiEndpoint.Json<Schema.Struct<{
697
+ readonly ok: Schema.Boolean;
698
+ readonly endpointRuntimeStatus: Schema.Unknown;
699
+ }>>, HttpApiEndpoint.Json<typeof EnvironmentScopeRequiredError | typeof EnvironmentHttpBadRequestError | typeof EnvironmentHttpUnauthorizedError | typeof EnvironmentHttpForbiddenError | typeof EnvironmentHttpInternalServerError | typeof EnvironmentHttpConflictError | typeof EnvironmentCloudEndpointUnavailableError>, EnvironmentAuthenticatedAuth, never> | HttpApiEndpoint.HttpApiEndpoint<"linkState", "GET", "/api/cloud/link-state", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<Schema.Struct<{
700
+ readonly authorization: Schema.optionalKey<Schema.String>;
701
+ readonly dpop: Schema.optionalKey<Schema.String>;
702
+ }>>, HttpApiEndpoint.Json<Schema.Struct<{
703
+ readonly linked: Schema.Boolean;
704
+ readonly cloudUserId: Schema.NullOr<Schema.String>;
705
+ readonly relayUrl: Schema.NullOr<Schema.String>;
706
+ readonly relayIssuer: Schema.NullOr<Schema.String>;
707
+ readonly publishAgentActivity: Schema.Boolean;
708
+ }>>, HttpApiEndpoint.Json<typeof EnvironmentScopeRequiredError | typeof EnvironmentHttpBadRequestError | typeof EnvironmentHttpUnauthorizedError | typeof EnvironmentHttpForbiddenError | typeof EnvironmentHttpInternalServerError | typeof EnvironmentHttpConflictError>, EnvironmentAuthenticatedAuth, never> | HttpApiEndpoint.HttpApiEndpoint<"unlink", "POST", "/api/cloud/unlink", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<never>, HttpApiEndpoint.StringTree<Schema.Struct<{
709
+ readonly authorization: Schema.optionalKey<Schema.String>;
710
+ readonly dpop: Schema.optionalKey<Schema.String>;
711
+ }>>, HttpApiEndpoint.Json<Schema.Struct<{
712
+ readonly ok: Schema.Boolean;
713
+ readonly endpointRuntimeStatus: Schema.Unknown;
714
+ }>>, HttpApiEndpoint.Json<typeof EnvironmentScopeRequiredError | typeof EnvironmentHttpBadRequestError | typeof EnvironmentHttpUnauthorizedError | typeof EnvironmentHttpForbiddenError | typeof EnvironmentHttpInternalServerError | typeof EnvironmentHttpConflictError>, EnvironmentAuthenticatedAuth, never> | HttpApiEndpoint.HttpApiEndpoint<"preferences", "POST", "/api/cloud/preferences", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
715
+ readonly publishAgentActivity: Schema.Boolean;
716
+ }>>, HttpApiEndpoint.StringTree<Schema.Struct<{
717
+ readonly authorization: Schema.optionalKey<Schema.String>;
718
+ readonly dpop: Schema.optionalKey<Schema.String>;
719
+ }>>, HttpApiEndpoint.Json<Schema.Struct<{
720
+ readonly linked: Schema.Boolean;
721
+ readonly cloudUserId: Schema.NullOr<Schema.String>;
722
+ readonly relayUrl: Schema.NullOr<Schema.String>;
723
+ readonly relayIssuer: Schema.NullOr<Schema.String>;
724
+ readonly publishAgentActivity: Schema.Boolean;
725
+ }>>, HttpApiEndpoint.Json<typeof EnvironmentScopeRequiredError | typeof EnvironmentHttpBadRequestError | typeof EnvironmentHttpUnauthorizedError | typeof EnvironmentHttpForbiddenError | typeof EnvironmentHttpInternalServerError | typeof EnvironmentHttpConflictError>, EnvironmentAuthenticatedAuth, never> | HttpApiEndpoint.HttpApiEndpoint<"health", "POST", "/api/t3-cloud/health", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
726
+ readonly proof: Schema.decodeTo<Schema.String, Schema.String, never, never>;
727
+ }>>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
728
+ readonly environmentId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "EnvironmentId">;
729
+ readonly status: Schema.Literal<"online">;
730
+ readonly descriptor: Schema.Struct<{
731
+ readonly environmentId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "EnvironmentId">;
732
+ readonly label: Schema.decodeTo<Schema.String, Schema.String, never, never>;
733
+ readonly platform: Schema.Struct<{
734
+ readonly os: Schema.Literals<readonly ["darwin", "linux", "windows", "unknown"]>;
735
+ readonly arch: Schema.Literals<readonly ["arm64", "x64", "other"]>;
736
+ }>;
737
+ readonly serverVersion: Schema.decodeTo<Schema.String, Schema.String, never, never>;
738
+ readonly capabilities: Schema.Struct<{
739
+ readonly repositoryIdentity: Schema.withDecodingDefault<Schema.Boolean, never>;
740
+ }>;
741
+ }>;
742
+ readonly checkedAt: Schema.decodeTo<Schema.String, Schema.String, never, never>;
743
+ readonly proof: Schema.decodeTo<Schema.String, Schema.String, never, never>;
744
+ }>>, HttpApiEndpoint.Json<typeof EnvironmentScopeRequiredError | typeof EnvironmentHttpBadRequestError | typeof EnvironmentHttpUnauthorizedError | typeof EnvironmentHttpForbiddenError | typeof EnvironmentHttpInternalServerError | typeof EnvironmentHttpConflictError>, never, never> | HttpApiEndpoint.HttpApiEndpoint<"mintCredential", "POST", "/api/cloud/mint-credential", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
745
+ readonly proof: Schema.decodeTo<Schema.String, Schema.String, never, never>;
746
+ }>>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
747
+ readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
748
+ readonly expiresAt: Schema.decodeTo<Schema.String, Schema.String, never, never>;
749
+ readonly proof: Schema.decodeTo<Schema.String, Schema.String, never, never>;
750
+ }>>, HttpApiEndpoint.Json<typeof EnvironmentScopeRequiredError | typeof EnvironmentHttpBadRequestError | typeof EnvironmentHttpUnauthorizedError | typeof EnvironmentHttpForbiddenError | typeof EnvironmentHttpInternalServerError | typeof EnvironmentHttpConflictError>, never, never> | HttpApiEndpoint.HttpApiEndpoint<"t3MintCredential", "POST", "/api/t3-cloud/mint-credential", HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
751
+ readonly proof: Schema.decodeTo<Schema.String, Schema.String, never, never>;
752
+ }>>, HttpApiEndpoint.StringTree<never>, HttpApiEndpoint.Json<Schema.Struct<{
753
+ readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
754
+ readonly expiresAt: Schema.decodeTo<Schema.String, Schema.String, never, never>;
755
+ readonly proof: Schema.decodeTo<Schema.String, Schema.String, never, never>;
756
+ }>>, HttpApiEndpoint.Json<typeof EnvironmentScopeRequiredError | typeof EnvironmentHttpBadRequestError | typeof EnvironmentHttpUnauthorizedError | typeof EnvironmentHttpForbiddenError | typeof EnvironmentHttpInternalServerError | typeof EnvironmentHttpConflictError>, never, never>, false>;
757
+ export declare class EnvironmentCloudHttpApi extends EnvironmentCloudHttpApi_base {
758
+ }
759
+ declare const EnvironmentHttpApi_base: HttpApi.HttpApi<"environment", typeof EnvironmentMetadataHttpApi | typeof EnvironmentAuthHttpApi | typeof EnvironmentOrchestrationHttpApi | typeof EnvironmentCloudHttpApi>;
600
760
  export declare class EnvironmentHttpApi extends EnvironmentHttpApi_base {
601
761
  }
602
762
  export {};
package/dist/upstream-t3code/packages/contracts/src/index.d.ts CHANGED
@@ -2,6 +2,7 @@ export * from "./baseSchemas.ts";
2
2
  export * from "./auth.ts";
3
3
  export * from "./environment.ts";
4
4
  export * from "./environmentHttp.ts";
5
+ export * from "./relayClient.ts";
5
6
  export * from "./desktopBootstrap.ts";
6
7
  export * from "./remoteAccess.ts";
7
8
  export * from "./ipc.ts";
package/dist/upstream-t3code/packages/contracts/src/ipc.d.ts CHANGED
@@ -269,6 +269,9 @@ export declare const PersistedSavedEnvironmentRecordSchema: Schema.Struct<{
269
269
  readonly username: Schema.NullOr<Schema.String>;
270
270
  readonly port: Schema.NullOr<Schema.Number>;
271
271
  }>>;
272
+ readonly relayManaged: Schema.optionalKey<Schema.Struct<{
273
+ readonly relayUrl: Schema.String;
274
+ }>>;
272
275
  }>;
273
276
  export type PersistedSavedEnvironmentRecord = typeof PersistedSavedEnvironmentRecordSchema.Type;
274
277
  export type DesktopServerExposureMode = "local-only" | "network-accessible";
@@ -293,6 +296,21 @@ export interface PickFolderOptions {
293
296
  export declare const PickFolderOptionsSchema: Schema.Struct<{
294
297
  readonly initialPath: Schema.optionalKey<Schema.NullOr<Schema.String>>;
295
298
  }>;
299
+ export declare const DesktopCloudAuthFetchInputSchema: Schema.Struct<{
300
+ readonly url: Schema.String;
301
+ readonly method: Schema.optionalKey<Schema.String>;
302
+ readonly headers: Schema.$Record<Schema.String, Schema.String>;
303
+ readonly body: Schema.optionalKey<Schema.String>;
304
+ }>;
305
+ export type DesktopCloudAuthFetchInput = typeof DesktopCloudAuthFetchInputSchema.Type;
306
+ export declare const DesktopCloudAuthFetchResultSchema: Schema.Struct<{
307
+ readonly ok: Schema.Boolean;
308
+ readonly status: Schema.Number;
309
+ readonly statusText: Schema.String;
310
+ readonly headers: Schema.$Record<Schema.String, Schema.String>;
311
+ readonly body: Schema.String;
312
+ }>;
313
+ export type DesktopCloudAuthFetchResult = typeof DesktopCloudAuthFetchResultSchema.Type;
296
314
  export interface DesktopBridge {
297
315
  getAppBranding: () => DesktopAppBranding | null;
298
316
  getLocalEnvironmentBootstrap: () => DesktopEnvironmentBootstrap | null;
@@ -329,6 +347,12 @@ export interface DesktopBridge {
329
347
  y: number;
330
348
  }) => Promise<T | null>;
331
349
  openExternal: (url: string) => Promise<boolean>;
350
+ createCloudAuthRequest: () => Promise<string>;
351
+ getCloudAuthToken: () => Promise<string | null>;
352
+ setCloudAuthToken: (token: string) => Promise<boolean>;
353
+ clearCloudAuthToken: () => Promise<void>;
354
+ fetchCloudAuth: (input: DesktopCloudAuthFetchInput) => Promise<DesktopCloudAuthFetchResult>;
355
+ onCloudAuthCallback: (listener: (rawUrl: string) => void) => () => void;
332
356
  onMenuAction: (listener: (action: string) => void) => () => void;
333
357
  getUpdateState: () => Promise<DesktopUpdateState>;
334
358
  setUpdateChannel: (channel: DesktopUpdateChannel) => Promise<DesktopUpdateState>;
package/dist/upstream-t3code/packages/contracts/src/providerRuntime.d.ts CHANGED
@@ -368,6 +368,13 @@ declare const FilesPersistedPayload: Schema.Struct<{
368
368
  }>>>;
369
369
  }>;
370
370
  export type FilesPersistedPayload = typeof FilesPersistedPayload.Type;
371
+ declare const ToolDeniedPayload: Schema.Struct<{
372
+ readonly toolName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
373
+ readonly toolUseId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
374
+ readonly reason: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
375
+ readonly agentId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
376
+ }>;
377
+ export type ToolDeniedPayload = typeof ToolDeniedPayload.Type;
371
378
  declare const RuntimeWarningPayload: Schema.Struct<{
372
379
  readonly message: Schema.decodeTo<Schema.String, Schema.String, never, never>;
373
380
  readonly detail: Schema.optional<Schema.Unknown>;
@@ -1650,6 +1657,35 @@ declare const ProviderRuntimeFilesPersistedEvent: Schema.Struct<{
1650
1657
  }>>;
1651
1658
  }>;
1652
1659
  export type ProviderRuntimeFilesPersistedEvent = typeof ProviderRuntimeFilesPersistedEvent.Type;
1660
+ declare const ProviderRuntimeToolDeniedEvent: Schema.Struct<{
1661
+ readonly type: Schema.Literal<"tool.denied">;
1662
+ readonly payload: Schema.Struct<{
1663
+ readonly toolName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
1664
+ readonly toolUseId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
1665
+ readonly reason: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
1666
+ readonly agentId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
1667
+ }>;
1668
+ readonly eventId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "EventId">;
1669
+ readonly provider: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ProviderDriverKind">;
1670
+ readonly providerInstanceId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ProviderInstanceId">>;
1671
+ readonly threadId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ThreadId">;
1672
+ readonly createdAt: Schema.String;
1673
+ readonly turnId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "TurnId">>;
1674
+ readonly itemId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "RuntimeItemId">>;
1675
+ readonly requestId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "RuntimeRequestId">>;
1676
+ readonly providerRefs: Schema.optional<Schema.Struct<{
1677
+ readonly providerTurnId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
1678
+ readonly providerItemId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ProviderItemId">>;
1679
+ readonly providerRequestId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
1680
+ }>>;
1681
+ readonly raw: Schema.optional<Schema.Struct<{
1682
+ readonly source: Schema.Union<readonly [Schema.Literal<"codex.app-server.notification">, Schema.Literal<"codex.app-server.request">, Schema.Literal<"codex.eventmsg">, Schema.Literal<"claude.sdk.message">, Schema.Literal<"claude.sdk.permission">, Schema.Literal<"codex.sdk.thread-event">, Schema.Literal<"opencode.sdk.event">, Schema.Literal<"acp.jsonrpc">, Schema.TemplateLiteral<readonly ["acp.", Schema.String, ".extension"]>]>;
1683
+ readonly method: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
1684
+ readonly messageType: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
1685
+ readonly payload: Schema.Unknown;
1686
+ }>>;
1687
+ }>;
1688
+ export type ProviderRuntimeToolDeniedEvent = typeof ProviderRuntimeToolDeniedEvent.Type;
1653
1689
  declare const ProviderRuntimeWarningEvent: Schema.Struct<{
1654
1690
  readonly type: Schema.Literal<"runtime.warning">;
1655
1691
  readonly payload: Schema.Struct<{
@@ -2886,6 +2922,33 @@ export declare const ProviderRuntimeEventV2: Schema.Union<readonly [Schema.Struc
2886
2922
  readonly messageType: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
2887
2923
  readonly payload: Schema.Unknown;
2888
2924
  }>>;
2925
+ }>, Schema.Struct<{
2926
+ readonly type: Schema.Literal<"tool.denied">;
2927
+ readonly payload: Schema.Struct<{
2928
+ readonly toolName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
2929
+ readonly toolUseId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
2930
+ readonly reason: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
2931
+ readonly agentId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
2932
+ }>;
2933
+ readonly eventId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "EventId">;
2934
+ readonly provider: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ProviderDriverKind">;
2935
+ readonly providerInstanceId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ProviderInstanceId">>;
2936
+ readonly threadId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ThreadId">;
2937
+ readonly createdAt: Schema.String;
2938
+ readonly turnId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "TurnId">>;
2939
+ readonly itemId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "RuntimeItemId">>;
2940
+ readonly requestId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "RuntimeRequestId">>;
2941
+ readonly providerRefs: Schema.optional<Schema.Struct<{
2942
+ readonly providerTurnId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
2943
+ readonly providerItemId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ProviderItemId">>;
2944
+ readonly providerRequestId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
2945
+ }>>;
2946
+ readonly raw: Schema.optional<Schema.Struct<{
2947
+ readonly source: Schema.Union<readonly [Schema.Literal<"codex.app-server.notification">, Schema.Literal<"codex.app-server.request">, Schema.Literal<"codex.eventmsg">, Schema.Literal<"claude.sdk.message">, Schema.Literal<"claude.sdk.permission">, Schema.Literal<"codex.sdk.thread-event">, Schema.Literal<"opencode.sdk.event">, Schema.Literal<"acp.jsonrpc">, Schema.TemplateLiteral<readonly ["acp.", Schema.String, ".extension"]>]>;
2948
+ readonly method: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
2949
+ readonly messageType: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
2950
+ readonly payload: Schema.Unknown;
2951
+ }>>;
2889
2952
  }>, Schema.Struct<{
2890
2953
  readonly type: Schema.Literal<"runtime.warning">;
2891
2954
  readonly payload: Schema.Struct<{
@@ -4120,6 +4183,33 @@ export declare const ProviderRuntimeEvent: Schema.Union<readonly [Schema.Struct<
4120
4183
  readonly messageType: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
4121
4184
  readonly payload: Schema.Unknown;
4122
4185
  }>>;
4186
+ }>, Schema.Struct<{
4187
+ readonly type: Schema.Literal<"tool.denied">;
4188
+ readonly payload: Schema.Struct<{
4189
+ readonly toolName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
4190
+ readonly toolUseId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
4191
+ readonly reason: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
4192
+ readonly agentId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
4193
+ }>;
4194
+ readonly eventId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "EventId">;
4195
+ readonly provider: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ProviderDriverKind">;
4196
+ readonly providerInstanceId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ProviderInstanceId">>;
4197
+ readonly threadId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ThreadId">;
4198
+ readonly createdAt: Schema.String;
4199
+ readonly turnId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "TurnId">>;
4200
+ readonly itemId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "RuntimeItemId">>;
4201
+ readonly requestId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "RuntimeRequestId">>;
4202
+ readonly providerRefs: Schema.optional<Schema.Struct<{
4203
+ readonly providerTurnId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
4204
+ readonly providerItemId: Schema.optional<Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ProviderItemId">>;
4205
+ readonly providerRequestId: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
4206
+ }>>;
4207
+ readonly raw: Schema.optional<Schema.Struct<{
4208
+ readonly source: Schema.Union<readonly [Schema.Literal<"codex.app-server.notification">, Schema.Literal<"codex.app-server.request">, Schema.Literal<"codex.eventmsg">, Schema.Literal<"claude.sdk.message">, Schema.Literal<"claude.sdk.permission">, Schema.Literal<"codex.sdk.thread-event">, Schema.Literal<"opencode.sdk.event">, Schema.Literal<"acp.jsonrpc">, Schema.TemplateLiteral<readonly ["acp.", Schema.String, ".extension"]>]>;
4209
+ readonly method: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
4210
+ readonly messageType: Schema.optional<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
4211
+ readonly payload: Schema.Unknown;
4212
+ }>>;
4123
4213
  }>, Schema.Struct<{
4124
4214
  readonly type: Schema.Literal<"runtime.warning">;
4125
4215
  readonly payload: Schema.Struct<{