takos-runtime-service 1.0.0

package/src/app.ts

@@ -0,0 +1,245 @@
+import { Hono } from 'hono';
+import { serve } from '@hono/node-server';
+import { randomUUID } from 'node:crypto';
+import {
+  PORT,
+  JWT_PUBLIC_KEY,
+  RATE_LIMIT_WINDOW_MS,
+  RATE_LIMIT_EXEC_MAX,
+  RATE_LIMIT_SESSION_MAX,
+  RATE_LIMIT_SNAPSHOT_MAX,
+  RATE_LIMIT_ACTIONS_MAX,
+  RATE_LIMIT_GIT_MAX,
+  RATE_LIMIT_REPOS_MAX,
+  RATE_LIMIT_CLI_PROXY_MAX,
+} from './shared/config.js';
+import {
+  createServiceTokenMiddleware,
+  getServiceTokenFromHeader,
+  createErrorHandler,
+  notFoundHandler,
+  forbidden,
+} from 'takos-common/middleware/hono';
+import { createRateLimiter } from './middleware/rate-limit.js';
+import execRoutes from './routes/runtime/exec.js';
+import toolsRoutes from './routes/runtime/tools.js';
+import sessionExecutionRoutes from './routes/sessions/execution.js';
+import sessionFilesRoutes from './routes/sessions/files.js';
+import sessionSnapshotRoutes from './routes/sessions/snapshot.js';
+import sessionSessionsRoutes from './routes/sessions/session-routes.js';
+import repoReadRoutes from './routes/repos/read.js';
+import repoWriteRoutes from './routes/repos/write.js';
+import {
+  enforceSpaceScopeMiddleware,
+  getSpaceIdFromBody,
+  getSpaceIdFromPath,
+} from './middleware/space-scope.js';
+import gitInitRoutes from './routes/git/init.js';
+import gitHttpRoutes from './routes/git/http.js';
+import actionsRoutes from './routes/actions/index.js';
+import { jobManager } from './runtime/actions/job-manager.js';
+import cliProxyRoutes from './routes/cli/proxy.js';
+import { isR2Configured } from './storage/r2.js';
+import { sessionStore } from './routes/sessions/storage.js';
+import { createLogger } from 'takos-common/logger';
+
+export type RuntimeServiceOptions = {
+  port?: number;
+  serviceName?: string;
+  isProduction?: boolean;
+  isContainerEnvironment?: boolean;
+};
+
+function isLoopbackAddress(addr: string): boolean {
+  return addr === '127.0.0.1' || addr === '::1' || addr === '::ffff:127.0.0.1';
+}
+
+function isLocalCliProxyBypassRequest(c: import('hono').Context): boolean {
+  if (!c.req.path.startsWith('/cli-proxy/')) {
+    return false;
+  }
+  if (getServiceTokenFromHeader(c)) {
+    return false;
+  }
+
+  const sessionId = c.req.header('X-Takos-Session-Id');
+  const addr =
+    c.req.header('x-forwarded-for')?.split(',')[0]?.trim()
+    || c.req.header('x-real-ip')
+    || '';
+  return Boolean(sessionId) && isLoopbackAddress(addr);
+}
+
+export function createRuntimeServiceApp(options: RuntimeServiceOptions = {}): Hono {
+  const requireServiceToken = createServiceTokenMiddleware({
+    jwtPublicKey: JWT_PUBLIC_KEY,
+    expectedIssuer: 'takos-control',
+    expectedAudience: 'takos-runtime',
+    skipPaths: ['/health'],
+    clockToleranceSeconds: 30,
+  });
+
+  const isProduction = options.isProduction ?? process.env.NODE_ENV === 'production';
+  const isContainerEnvironment = options.isContainerEnvironment ?? !!process.env.CF_CONTAINER;
+  const logger = createLogger({ service: options.serviceName ?? 'takos-runtime' });
+  const app = new Hono();
+
+  app.use(async (c, next) => {
+    const id = c.req.header('x-request-id') || randomUUID();
+    const log = logger.child({ requestId: id });
+    c.set('requestId', id);
+    c.set('log', log);
+    c.header('x-request-id', id);
+    const start = Date.now();
+    log.info('Request', { method: c.req.method, path: c.req.path });
+    await next();
+    log.info('Response', {
+      method: c.req.method,
+      path: c.req.path,
+      status: c.res.status,
+      duration: Date.now() - start,
+    });
+  });
+
+  app.use(async (c, next): Promise<Response | void> => {
+    if (isProduction && !isContainerEnvironment && c.req.header('X-Forwarded-Proto') !== 'https') {
+      return forbidden(c, 'HTTPS required');
+    }
+    await next();
+  });
+
+  app.use(async (c, next) => {
+    c.header('X-Content-Type-Options', 'nosniff');
+    if (isProduction) {
+      c.header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
+    }
+    await next();
+  });
+
+  app.get('/ping', (c) => c.text('pong', 200));
+  app.get('/health', (c) => c.json({ ok: true }, 200));
+
+  app.use('/cli-proxy/*', async (c, next) => {
+    if (getServiceTokenFromHeader(c)) {
+      await next();
+      return;
+    }
+
+    if (isLocalCliProxyBypassRequest(c)) {
+      await next();
+      return;
+    }
+
+    return forbidden(c, 'Authorization header required');
+  });
+
+  app.use(async (c, next) => {
+    if (isLocalCliProxyBypassRequest(c)) {
+      await next();
+      return;
+    }
+    return requireServiceToken(c, next);
+  });
+
+  app.use(async (c, next) => {
+    const ct = c.req.header('content-type') || '';
+    if (c.req.method !== 'GET' && c.req.method !== 'HEAD' && ct.includes('application/json')) {
+      try {
+        const body = await c.req.json();
+        c.set('parsedBody', body);
+      } catch {
+        // Ignore malformed JSON; downstream handlers surface validation errors.
+      }
+    }
+    await next();
+  });
+
+  const execRateLimiter = createRateLimiter({ maxRequests: RATE_LIMIT_EXEC_MAX, windowMs: RATE_LIMIT_WINDOW_MS });
+  const sessionRateLimiter = createRateLimiter({ maxRequests: RATE_LIMIT_SESSION_MAX, windowMs: RATE_LIMIT_WINDOW_MS });
+  const snapshotRateLimiter = createRateLimiter({ maxRequests: RATE_LIMIT_SNAPSHOT_MAX, windowMs: RATE_LIMIT_WINDOW_MS });
+  const actionsRateLimiter = createRateLimiter({ maxRequests: RATE_LIMIT_ACTIONS_MAX, windowMs: RATE_LIMIT_WINDOW_MS });
+  const gitRateLimiter = createRateLimiter({ maxRequests: RATE_LIMIT_GIT_MAX, windowMs: RATE_LIMIT_WINDOW_MS });
+  const reposRateLimiter = createRateLimiter({ maxRequests: RATE_LIMIT_REPOS_MAX, windowMs: RATE_LIMIT_WINDOW_MS });
+  const cliProxyRateLimiter = createRateLimiter({ maxRequests: RATE_LIMIT_CLI_PROXY_MAX, windowMs: RATE_LIMIT_WINDOW_MS });
+
+  app.use('/exec/*', execRateLimiter);
+  app.use('/session/exec/*', execRateLimiter);
+  app.use('/session/snapshot/*', snapshotRateLimiter);
+  app.use('/session/*', sessionRateLimiter);
+  app.use('/sessions/*', sessionRateLimiter);
+  app.use('/actions/*', actionsRateLimiter);
+  app.use('/git/*', gitRateLimiter);
+  app.use('/repos/*', reposRateLimiter);
+  app.use('/cli-proxy/*', cliProxyRateLimiter);
+
+  const sessionSpaceScope = enforceSpaceScopeMiddleware((c) => [
+    getSpaceIdFromBody(c, 'space_id'),
+  ]);
+  const repoSpaceScope = enforceSpaceScopeMiddleware((c) => [
+    getSpaceIdFromBody(c, 'spaceId'),
+    getSpaceIdFromPath(c),
+  ]);
+  app.use('/session/*', sessionSpaceScope);
+  app.use('/sessions/*', sessionSpaceScope);
+  app.use('/repos/*', repoSpaceScope);
+
+  app.route('/', cliProxyRoutes);
+  app.route('/', execRoutes);
+  app.route('/', toolsRoutes);
+  app.route('/', sessionExecutionRoutes);
+  app.route('/', sessionFilesRoutes);
+  app.route('/', sessionSnapshotRoutes);
+  app.route('/', sessionSessionsRoutes);
+  app.route('/', repoReadRoutes);
+  app.route('/', repoWriteRoutes);
+  app.route('/', gitInitRoutes);
+  app.route('/', gitHttpRoutes);
+  app.route('/', actionsRoutes);
+
+  app.notFound(notFoundHandler);
+  app.onError(createErrorHandler({ includeStack: !isProduction }));
+  return app;
+}
+
+export function startRuntimeService(options: RuntimeServiceOptions = {}) {
+  const logger = createLogger({ service: options.serviceName ?? 'takos-runtime' });
+  const port = options.port ?? PORT;
+  const app = createRuntimeServiceApp(options);
+
+  sessionStore.startCleanup();
+  jobManager.startCleanup();
+
+  const server = serve({ fetch: app.fetch, port }, () => {
+    logger.info(`Takos runtime listening on port ${port}`);
+    logger.info(`R2 configured: ${isR2Configured()}`);
+  });
+
+  let shuttingDown = false;
+  function shutdown(signal: NodeJS.Signals): void {
+    if (shuttingDown) return;
+    shuttingDown = true;
+
+    logger.info('Shutdown signal received', { signal });
+    sessionStore.stopCleanup();
+    jobManager.stopCleanup();
+
+    server.close((err) => {
+      if (err) {
+        logger.error('Error while closing HTTP server', { signal, error: err });
+        process.exit(1);
+        return;
+      }
+      process.exit(0);
+    });
+
+    setTimeout(() => {
+      logger.error('Forced shutdown timeout reached', { signal });
+      process.exit(1);
+    }, 10_000).unref();
+  }
+
+  process.once('SIGTERM', () => shutdown('SIGTERM'));
+  process.once('SIGINT', () => shutdown('SIGINT'));
+
+  return { app, server };
+}

package/src/index.ts

@@ -0,0 +1 @@
+export * from './app.js';

package/src/middleware/rate-limit.ts

@@ -0,0 +1,91 @@
+import type { Context, Next } from 'hono';
+
+interface RateLimitEntry {
+  count: number;
+  resetAt: number;
+}
+
+interface RateLimitOptions {
+  maxRequests: number;
+  windowMs: number;
+  keyFn?: (c: Context) => string;
+  maxKeys?: number;
+}
+
+export function createRateLimiter(options: RateLimitOptions) {
+  const { maxRequests, windowMs, maxKeys = 10000 } = options;
+  const store = new Map<string, RateLimitEntry>();
+
+  const cleanupInterval = Math.min(windowMs, 60_000);
+  const cleanupTimer = setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of store.entries()) {
+      if (now >= entry.resetAt) {
+        store.delete(key);
+      }
+    }
+  }, cleanupInterval);
+  if (cleanupTimer.unref) {
+    cleanupTimer.unref();
+  }
+
+  const defaultKeyFn = (c: Context): string => {
+    // In Hono with @hono/node-server, use the client's IP from the
+    // incoming connection info or forwarded header.
+    const ip =
+      c.req.header('x-forwarded-for')?.split(',')[0]?.trim() ||
+      c.req.header('x-real-ip') ||
+      'unknown';
+    const spaceId = c.req.header('X-Takos-Space-Id') || '';
+    return spaceId ? `${ip}:${spaceId}` : ip;
+  };
+
+  const keyFn = options.keyFn || defaultKeyFn;
+
+  return async (c: Context, next: Next): Promise<Response | void> => {
+    const key = keyFn(c);
+    const now = Date.now();
+    let entry = store.get(key);
+
+    if (!entry || now >= entry.resetAt) {
+      if (!entry && store.size >= maxKeys) {
+        let evicted = false;
+        for (const [k, e] of store.entries()) {
+          if (now >= e.resetAt) {
+            store.delete(k);
+            evicted = true;
+            break;
+          }
+        }
+        if (!evicted && store.size >= maxKeys) {
+          const retryAfter = Math.ceil(windowMs / 1000);
+          c.header('Retry-After', String(retryAfter));
+          return c.json({
+            error: 'Rate limiter capacity reached. Please try again later.',
+            retry_after_seconds: retryAfter,
+          }, 429);
+        }
+      }
+      entry = { count: 0, resetAt: now + windowMs };
+      store.set(key, entry);
+    }
+
+    entry.count++;
+
+    const remaining = Math.max(0, maxRequests - entry.count);
+    c.header('X-RateLimit-Limit', String(maxRequests));
+    c.header('X-RateLimit-Remaining', String(remaining));
+    c.header('X-RateLimit-Reset', String(Math.ceil(entry.resetAt / 1000)));
+
+    if (entry.count > maxRequests) {
+      const retryAfter = Math.ceil((entry.resetAt - now) / 1000);
+      c.header('Retry-After', String(retryAfter));
+      return c.json({
+        error: 'Too many requests. Please try again later.',
+        retry_after_seconds: retryAfter,
+      }, 429);
+    }
+
+    await next();
+  };
+}

package/src/middleware/space-scope.ts

@@ -0,0 +1,95 @@
+import type { Context, Next } from 'hono';
+import { forbidden } from 'takos-common/middleware/hono';
+
+export const SPACE_SCOPE_MISMATCH_ERROR = 'Token workspace scope does not match requested workspace';
+
+export function getSpaceIdFromPath(c: Context): string | null {
+  const pathParts = c.req.path.split('/').filter(Boolean);
+  if (pathParts[0] !== 'repos' || pathParts.length < 3) {
+    return null;
+  }
+  const spaceId = pathParts[1];
+  if (typeof spaceId !== 'string' || spaceId.length === 0) {
+    return null;
+  }
+  return spaceId;
+}
+
+function isProvidedSpaceId(spaceId: unknown): boolean {
+  return spaceId !== undefined && spaceId !== null && spaceId !== '';
+}
+
+function isNonEmptyString(value: unknown): value is string {
+  return typeof value === 'string' && value.length > 0;
+}
+
+export function getSpaceIdFromBody(c: Context, field: 'spaceId' | 'space_id'): string | null {
+  const body = c.get('parsedBody') as Record<string, unknown> | undefined;
+  const spaceId = body?.[field];
+  return isNonEmptyString(spaceId) ? spaceId : null;
+}
+
+export function collectRequestedSpaceIds(spaceIds: readonly unknown[]): string[] {
+  return [...new Set(spaceIds.filter(isNonEmptyString))];
+}
+
+export function getScopedSpaceId(c: Context): string | undefined {
+  const payload = c.get('serviceToken');
+  if (!payload) {
+    return undefined;
+  }
+  return typeof payload.scope_space_id === 'string'
+    ? payload.scope_space_id
+    : undefined;
+}
+
+export function hasSpaceScopeMismatch(c: Context, spaceId: unknown): boolean {
+  if (!isProvidedSpaceId(spaceId)) {
+    return false;
+  }
+  const scopedSpaceId = getScopedSpaceId(c);
+  return typeof scopedSpaceId === 'string' && scopedSpaceId !== spaceId;
+}
+
+export function hasAnySpaceScopeMismatch(c: Context, spaceIds: readonly unknown[]): boolean {
+  for (const spaceId of spaceIds) {
+    if (hasSpaceScopeMismatch(c, spaceId)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Creates a Hono middleware that enforces space scope by extracting
+ * space IDs from the context using the provided extractor function.
+ *
+ * If a single non-empty space ID is found and it mismatches the token scope,
+ * the request is rejected with 403. If multiple conflicting space IDs are
+ * found, the request is also rejected.
+ *
+ * Note: expects the request body to already be parsed and stored in
+ * c.get('parsedBody') by an upstream middleware (see index.ts).
+ */
+export function enforceSpaceScopeMiddleware(
+  extractSpaceIds: (c: Context) => readonly unknown[]
+): (c: Context, next: Next) => Promise<Response | void> {
+  return async (c: Context, next: Next): Promise<Response | void> => {
+    const spaceIds = collectRequestedSpaceIds(extractSpaceIds(c));
+
+    if (spaceIds.length === 0) {
+      await next();
+      return;
+    }
+
+    if (new Set(spaceIds).size > 1) {
+      return forbidden(c, 'Conflicting workspace identifiers in request');
+    }
+
+    if (hasAnySpaceScopeMismatch(c, spaceIds)) {
+      return forbidden(c, SPACE_SCOPE_MISMATCH_ERROR);
+    }
+
+    await next();
+  };
+}

package/src/routes/actions/action-types.ts

@@ -0,0 +1,20 @@
+export interface StartJobRequest {
+  space_id?: string;
+  repoId: string;
+  ref: string;
+  sha: string;
+  workflowPath: string;
+  jobName: string;
+  steps: Array<{
+    name?: string;
+    run?: string;
+    uses?: string;
+    with?: Record<string, unknown>;
+    env?: Record<string, string>;
+    if?: string;
+    'continue-on-error'?: boolean;
+    'timeout-minutes'?: number;
+  }>;
+  env?: Record<string, string>;
+  secrets?: Record<string, string>;
+}

package/src/routes/actions/execution.ts

@@ -0,0 +1,229 @@
+import { Hono } from 'hono';
+import * as fs from 'fs/promises';
+import { StepExecutor, type ExecutorStepResult } from '../../runtime/actions/executor.js';
+import { SANDBOX_LIMITS } from '../../shared/config.js';
+import { shouldBlockForSecretExposure, mightExposeSecrets } from '../../runtime/actions/secrets.js';
+import { pushLog } from '../../runtime/logging.js';
+import { cloneAndCheckout } from '../../runtime/git.js';
+import { resolvePathWithin } from '../../runtime/paths.js';
+import { GIT_ENDPOINT_URL } from '../../shared/config.js';
+import { collectSensitiveEnvValues } from '../../runtime/actions/secrets.js';
+
+interface ExecuteStepRequest {
+  run?: string;
+  uses?: string;
+  with?: Record<string, unknown>;
+  env?: Record<string, string>;
+  name?: string;
+  shell?: string;
+  'working-directory'?: string;
+  'continue-on-error'?: boolean;
+  'timeout-minutes'?: number;
+}
+import {
+  jobManager,
+  sanitizeOutputs,
+} from '../../runtime/actions/job-manager.js';
+import { internalError } from 'takos-common/middleware/hono';
+
+const app = new Hono();
+
+// ---------------------------------------------------------------------------
+// checkout
+// ---------------------------------------------------------------------------
+
+app.post('/actions/jobs/:jobId/checkout', async (c) => {
+  const jobId = c.req.param('jobId');
+  const { repoUrl, ref, path: checkoutPath } = await c.req.json() as {
+    repoUrl?: string;
+    ref?: string;
+    path?: string;
+  };
+
+  try {
+    const job = jobManager.jobs.get(jobId);
+    if (!job || job.status !== 'running') return c.json({ error: 'Job not found or not running' }, 404);
+
+    const targetPath = checkoutPath
+      ? resolvePathWithin(job.workspacePath, checkoutPath, 'checkout path', true)
+      : job.workspacePath;
+
+    await fs.mkdir(targetPath, { recursive: true });
+
+    pushLog(job.logs, `Checking out repository...`);
+
+    // Validate repoUrl to prevent SSRF — only allow the configured git endpoint or default
+    if (repoUrl && !repoUrl.startsWith(GIT_ENDPOINT_URL)) {
+      return c.json({ error: 'Invalid repoUrl: must use the configured git endpoint' }, 400);
+    }
+    const gitUrl = repoUrl || `${GIT_ENDPOINT_URL}/${job.repoId}.git`;
+    const gitRef = ref || job.ref;
+    const cloneResult = await cloneAndCheckout({
+      repoUrl: gitUrl,
+      targetDir: targetPath,
+      ref: gitRef,
+      shallow: true,
+      env: job.env,
+    });
+
+    if (!cloneResult.success) {
+      pushLog(job.logs, `Checkout failed: ${cloneResult.output}`);
+      return c.json({
+        error: 'Checkout failed',
+        output: cloneResult.output,
+      }, 500);
+    }
+
+    pushLog(job.logs, 'Checkout completed successfully');
+
+    return c.json({
+      success: true,
+      path: targetPath,
+    });
+  } catch (err) {
+    c.get('log')?.error('Error during checkout', { jobId, error: err });
+    return internalError(c, 'Checkout failed');
+  }
+});
+
+// ---------------------------------------------------------------------------
+// step execution
+// ---------------------------------------------------------------------------
+
+app.post('/actions/jobs/:jobId/step/:stepNumber', async (c) => {
+  const jobId = c.req.param('jobId');
+  const stepNumber = c.req.param('stepNumber');
+  const body = (await c.req.json().catch(() => ({}))) as ExecuteStepRequest;
+
+  try {
+    const job = jobManager.jobs.get(jobId);
+    if (!job || job.status !== 'running') return c.json({ error: 'Job not found or not running' }, 404);
+
+    const stepNum = parseInt(stepNumber, 10);
+    if (!Number.isFinite(stepNum) || stepNum < 0) {
+      return c.json({ error: 'Invalid step number' }, 400);
+    }
+
+    const elapsedMs = Date.now() - job.startedAt;
+    const remainingBudgetMs = SANDBOX_LIMITS.maxJobDuration - elapsedMs;
+    if (remainingBudgetMs <= 0) {
+      await jobManager.failCloseJob(
+        jobId,
+        job,
+        `Job exceeded max duration (${SANDBOX_LIMITS.maxJobDuration}ms)`,
+      );
+      return c.json({
+        error: 'Job exceeded maximum duration',
+        elapsedMs,
+        maxDurationMs: SANDBOX_LIMITS.maxJobDuration,
+      }, 408);
+    }
+
+    const stepEnv = {
+      ...job.env,
+      ...body.env,
+    };
+
+    for (const [key, value] of Object.entries(job.secrets)) {
+      stepEnv[`GITHUB_SECRET_${key}`] = value;
+    }
+
+    const sensitiveStepValues = collectSensitiveEnvValues(stepEnv);
+    if (sensitiveStepValues.length > 0) {
+      job.secretsSanitizer.registerSecretValues(sensitiveStepValues);
+    }
+
+    const stepName = body.name || `Step ${stepNum}`;
+    pushLog(job.logs, `\n=== ${stepName} ===`, job.secretsSanitizer);
+
+    const workingDirectory = body['working-directory']
+      ? resolvePathWithin(job.workspacePath, body['working-directory'], 'working directory', true)
+      : job.workspacePath;
+    const executor = new StepExecutor(job.workspacePath, stepEnv);
+
+    const requestedTimeoutMs = body['timeout-minutes']
+      ? body['timeout-minutes'] * 60 * 1000
+      : SANDBOX_LIMITS.maxExecutionTime;
+    const timeoutMs = Math.max(
+      1,
+      Math.min(requestedTimeoutMs, SANDBOX_LIMITS.maxExecutionTime, remainingBudgetMs)
+    );
+
+    let result: ExecutorStepResult;
+
+    if (body.run) {
+      // Block commands that would dump all environment variables (secrets included)
+      if (shouldBlockForSecretExposure(body.run)) {
+        const reason = mightExposeSecrets(body.run);
+        pushLog(job.logs, `[SECURITY] Command blocked: ${reason ?? 'may expose secrets'}`, job.secretsSanitizer);
+        return c.json({
+          error: `Command blocked for security: ${reason ?? 'may expose environment secrets'}`,
+        }, 400);
+      }
+
+      pushLog(
+        job.logs,
+        `Run: ${body.run.substring(0, 100)}${body.run.length > 100 ? '...' : ''}`,
+        job.secretsSanitizer
+      );
+      result = await executor.executeRun(body.run, timeoutMs, {
+        shell: body.shell,
+        workingDirectory,
+      });
+    } else if (body.uses) {
+      pushLog(job.logs, `Uses: ${body.uses}`, job.secretsSanitizer);
+      result = await executor.executeAction(
+        body.uses,
+        (body.with || {}) as Record<string, unknown>,
+        timeoutMs
+      );
+    } else {
+      return c.json({ error: 'Step must have either "run" or "uses"' }, 400);
+    }
+
+    const sanitizedStdout = job.secretsSanitizer.sanitize(result.stdout);
+    const sanitizedStderr = job.secretsSanitizer.sanitize(result.stderr);
+
+    if (sanitizedStdout) {
+      for (const line of sanitizedStdout.split('\n')) {
+        pushLog(job.logs, line, job.secretsSanitizer);
+      }
+    }
+    if (sanitizedStderr) {
+      for (const line of sanitizedStderr.split('\n')) {
+        pushLog(job.logs, `[stderr] ${line}`, job.secretsSanitizer);
+      }
+    }
+
+    const continueOnError = body['continue-on-error'] === true;
+    const { conclusion } = result;
+
+    if (conclusion === 'failure' && !continueOnError) {
+      pushLog(job.logs, `Step failed with exit code ${result.exitCode}`, job.secretsSanitizer);
+    } else if (conclusion === 'failure' && continueOnError) {
+      pushLog(job.logs, `Step failed but continuing (continue-on-error: true)`, job.secretsSanitizer);
+    } else {
+      pushLog(job.logs, `Step completed successfully`, job.secretsSanitizer);
+    }
+
+    const sanitizedOutputsMap = sanitizeOutputs(result.outputs, job.secretsSanitizer);
+    for (const [key, value] of Object.entries(sanitizedOutputsMap)) {
+      job.outputs[`step_${stepNum}_${key}`] = value;
+    }
+
+    job.currentStep = stepNum + 1;
+
+    return c.json({
+      exitCode: result.exitCode,
+      stdout: sanitizedStdout,
+      stderr: sanitizedStderr,
+      outputs: sanitizedOutputsMap,
+      conclusion: continueOnError && conclusion === 'failure' ? 'success' : conclusion,
+    });
+  } catch (err) {
+    c.get('log')?.error('Error executing step', { jobId, stepNumber, error: err });
+    return internalError(c, 'Step execution failed');
+  }
+});
+
+export default app;