zidane 5.13.13 → 5.13.15

package/dist/contexts-BebciJyQ.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"contexts-BebciJyQ.js","names":[],"sources":["../src/contexts/process.ts","../src/contexts/types.ts"],"sourcesContent":["/**\n * In-process execution context.\n *\n * Runs everything in the current Node/Bun process.\n * No isolation — fastest, used as the default.\n */\n\nimport type { Buffer } from 'node:buffer'\nimport type { ChildProcess } from 'node:child_process'\nimport type { WriteStream } from 'node:fs'\nimport type { ContextCapabilities, ExecResult, ExecutionContext, ExecutionHandle, ListFilesEntry, SpawnConfig, TaskEntry, TaskExitInfo, TaskHandle, TaskStallInfo } from './types'\nimport { createWriteStream } from 'node:fs'\nimport { mkdir, readdir, readFile, realpath, stat, writeFile } from 'node:fs/promises'\nimport { dirname, isAbsolute, relative, resolve } from 'node:path'\nimport { lazyAsync } from '../lazy'\nimport { globFilesLocal, globLiteralPrefix } from './glob'\n\n/**\n * Lazily load `node:child_process`'s `spawn` (memoized after first use).\n *\n * Deliberately NOT a static top-level import. `createAgent` pulls this module\n * into the graph as the default execution context, so a static\n * `import … from 'node:child_process'` would make merely importing zidane\n * depend on subprocess support. Runtimes that gate that builtin at import time\n * — Supabase Edge Functions, Cloudflare `nodejs_compat`, other shell-less V8\n * isolates — would then fail to load the package at all. Deferring the import\n * to the first `exec` keeps `import 'zidane'` + the provider loop runnable\n * there; only actually invoking a shell command touches subprocess, which is\n * exactly where an unsupported host should fail (the agent loop turns that\n * throw into a clean tool-result error).\n */\nconst loadSpawn = lazyAsync(async () => (await import('node:child_process')).spawn)\n\n/**\n * Whether the host supports POSIX process groups (the `detached: true` +\n * `process.kill(-pid)` combination). Windows doesn't — its job-object\n * model is shaped differently — so on win32 we fall back to killing the\n * shell wrapper alone (matches pre-fix behavior; better than nothing).\n */\nconst SUPPORTS_PROCESS_GROUPS = process.platform !== 'win32'\n\n/**\n * Default cap on captured stdout / stderr per child. Matches the\n * pre-fix `child_process.exec` setting so existing callers see the\n * same buffer envelope. Output beyond this is truncated and a\n * marker is appended to stderr.\n */\nconst DEFAULT_MAX_BUFFER = 10 * 1024 * 1024\n\n/**\n * How long `destroy()` waits for a SIGTERM'd background task to settle\n * before escalating to SIGKILL and abandoning the wait. Matches the MCP\n * connection's default `closeTimeout` so `agent.destroy()` stays bounded\n * by a single grace period regardless of which leg is slowest.\n */\nconst DESTROY_SIGTERM_GRACE_MS = 5_000\n\n/**\n * How long after the child's `exit` event we keep waiting for `close`\n * before settling with the output collected so far.\n *\n * `close` fires only once every stdio pipe has closed — and a\n * daemonized grandchild that inherited stdout/stderr (a dev server\n * started with `&`, `nohup` without redirection, simulator helpers, …)\n * keeps those pipes open indefinitely. Pre-fix, a foreground `exec`\n * whose command finished in milliseconds would hang until its timeout,\n * then `killProcessGroup` took the intentionally-backgrounded daemon\n * down with it. The process itself is done at `exit`; this grace only\n * exists to let normally-closing pipes flush their tail bytes.\n */\nconst EXIT_PIPE_DRAIN_GRACE_MS = 1_500\n\n/**\n * Sanitize a task id before it's joined into a filesystem path.\n *\n * We mint `bash_<n>` ids ourselves (no user input flows into the path\n * for `ProcessContext`), so this is defensive — but third-party contexts\n * MAY accept caller-provided ids, so the helper exists for them too.\n * Anything that doesn't match the expected shape is rejected — never\n * coerced — so the call site sees a clear error rather than a\n * traversal-shaped path.\n */\nconst TASK_ID_RE = /^[a-z][\\w-]*$/i\n\nfunction assertSafeTaskId(taskId: string): void {\n  if (!TASK_ID_RE.test(taskId))\n    throw new Error(`Invalid task id \"${taskId}\" — must match ${TASK_ID_RE}.`)\n}\n\n/**\n * Format `date` as `YYYYMMDD-HHMMSS-mmm` in UTC.\n *\n * Pinned to UTC so the lexical sort of two timestamps always matches\n * their chronological order (local time + DST does not). Used as the\n * per-context suffix on background-task log filenames; see the field\n * doc on `contextTimestamp` for the why.\n */\nexport function formatContextTimestamp(date: Date): string {\n  const pad2 = (n: number): string => n.toString().padStart(2, '0')\n  const pad3 = (n: number): string => n.toString().padStart(3, '0')\n  const y = date.getUTCFullYear()\n  const M = pad2(date.getUTCMonth() + 1)\n  const d = pad2(date.getUTCDate())\n  const h = pad2(date.getUTCHours())\n  const m = pad2(date.getUTCMinutes())\n  const s = pad2(date.getUTCSeconds())\n  const ms = pad3(date.getUTCMilliseconds())\n  return `${y}${M}${d}-${h}${m}${s}-${ms}`\n}\n\n/** Pattern of a background-task log filename. Used by tests + tooling. */\nexport const TASK_LOG_FILENAME_RE = /^(bash_\\d+)\\.(\\d{8}-\\d{6}-\\d{3})\\.log$/\n\n/** Copy only the named keys (when present) from an env object. */\nfunction pickEnv(env: NodeJS.ProcessEnv, keys: string[]): NodeJS.ProcessEnv {\n  const out: NodeJS.ProcessEnv = {}\n  for (const key of keys) {\n    if (env[key] !== undefined)\n      out[key] = env[key]\n  }\n  return out\n}\n\nexport function createProcessContext(config?: SpawnConfig): ExecutionContext {\n  let counter = 0\n  const handles = new Map<string, ExecutionHandle>()\n  const defaultCwd = config?.cwd ?? process.cwd()\n  const defaultEnv = config?.env\n  const destroyGraceMs = config?.destroyGraceMs ?? DESTROY_SIGTERM_GRACE_MS\n\n  // Base environment children inherit. Defaults to the full parent env\n  // (back-compat); when `inheritEnv: false`, only a minimal allow-list is\n  // forwarded so parent secrets (e.g. API keys Bun loaded from `.env`) aren't\n  // exposed to tool commands. Explicit `env` / per-call env always apply on top.\n  const baseEnv: NodeJS.ProcessEnv = config?.inheritEnv === false\n    ? pickEnv(process.env, ['PATH', 'HOME', 'SHELL', 'LANG', 'LC_ALL', 'USER', 'TERM', 'TMPDIR'])\n    : process.env\n\n  // Optional workspace containment for the file methods. Unset = no checks.\n  const workspaceRoot = config?.workspaceRoot !== undefined\n    ? resolve(defaultCwd, config.workspaceRoot)\n    : undefined\n\n  /** True when `target` is the root itself or lives under it. */\n  function isWithinRoot(root: string, target: string): boolean {\n    const rel = relative(root, target)\n    return rel === '' || (!rel.startsWith('..') && !isAbsolute(rel))\n  }\n\n  /**\n   * Resolve `path` against the handle cwd and, when a `workspaceRoot` is\n   * configured, reject anything that escapes it. Uses `realpath` on the\n   * nearest existing ancestor so symlink escapes (and `..`) are caught for\n   * both existing and not-yet-created targets.\n   */\n  async function resolveContained(handle: ExecutionHandle, path: string): Promise<string> {\n    const full = resolve(handle.cwd, path)\n    if (workspaceRoot === undefined)\n      return full\n\n    // Canonicalize the deepest existing ancestor to defeat symlink escapes;\n    // the non-existent tail (for writes) is appended back verbatim.\n    let existing = full\n    const tail: string[] = []\n    while (true) {\n      try {\n        existing = await realpath(existing)\n        break\n      }\n      catch {\n        const parent = dirname(existing)\n        if (parent === existing) {\n          // Reached the filesystem root without an existing ancestor.\n          existing = parent\n          break\n        }\n        // `relative` (not slice) so the segment is correct even on Windows\n        // drive roots where `dirname('C:\\\\foo')` is `C:\\\\` (no 1-char sep).\n        tail.unshift(relative(parent, existing))\n        existing = parent\n      }\n    }\n    const canonical = tail.length ? resolve(existing, ...tail) : existing\n    const canonicalRoot = await realpath(workspaceRoot).catch(() => workspaceRoot)\n    if (!isWithinRoot(canonicalRoot, canonical)) {\n      throw new Error(\n        `Path escapes the workspace root: ${path} (resolved outside ${canonicalRoot})`,\n      )\n    }\n    return full\n  }\n\n  /**\n   * Per-context background-task registry. Entries live for the context's\n   * lifetime — even after the child exits — so the model can read output\n   * of completed tasks until `destroy()` tears everything down. Kept as\n   * a plain Map (not a class) per code-quality checklist #7: no premature\n   * abstraction. The state and the operations on it live inline.\n   */\n  const tasks = new Map<string, TaskState>()\n  let taskCounter = 0\n\n  /**\n   * Per-context UTC timestamp segment baked into every background task's\n   * log filename. Same `taskCounter` value across two contexts (e.g. a\n   * TUI restart) would otherwise re-open the SAME `bash_<n>.log` file —\n   * we open with `flags: 'a'` so the new task would APPEND into the old\n   * log, producing scrambled output. The timestamp guarantees each\n   * context owns a distinct log filename without forcing the\n   * model-facing task id (`bash_<n>`) to grow longer.\n   *\n   * Format: `YYYYMMDD-HHMMSS-mmm` in UTC.\n   *   - Sortable (lexical sort = chronological sort).\n   *   - Unambiguous (UTC sidesteps DST / locale shifts).\n   *   - Filesystem-safe (digits + hyphens only).\n   *   - Millisecond precision avoids same-second-restart collisions.\n   *\n   * The timestamp is computed once per context, NOT per task — all of a\n   * context's tasks share the same suffix so a directory listing groups\n   * cleanly by \"which run produced these\".\n   */\n  const contextTimestamp = formatContextTimestamp(new Date())\n\n  /**\n   * Last-resort orphan reaper. With `detached: true`, background tasks\n   * are in their OWN process group — when the parent (zidane TUI) dies,\n   * the OS does NOT send them SIGHUP and they keep running indefinitely.\n   * The user's \"Ctrl+C the TUI\" intent is \"stop everything I started\",\n   * not \"leak a `sleep 60` into the background\".\n   *\n   * `process.on('exit')` fires SYNCHRONOUSLY on `process.exit()` AND on\n   * natural shutdown — exactly the seam we need. The handler can only\n   * do synchronous work (Node ignores async), but `process.kill` IS\n   * synchronous, so a SIGTERM-the-group sweep lands cleanly. The kill\n   * is best-effort: already-dead children throw ESRCH (swallowed).\n   *\n   * Registered lazily on first `execBackground` so contexts that never\n   * background a task don't pay the listener cost. Deregistered in\n   * `destroy()` so reconstructed contexts don't accumulate listeners\n   * (Node warns past 10 — a long-running session that switches sessions\n   * frequently would otherwise hit that).\n   */\n  let exitHandlerRegistered = false\n  const exitHandler = (): void => {\n    for (const task of tasks.values()) {\n      if (task.status !== 'running')\n        continue\n      const pid = task.child.pid\n      if (pid === undefined)\n        continue\n      try {\n        if (SUPPORTS_PROCESS_GROUPS)\n          process.kill(-pid, 'SIGTERM')\n        else\n          process.kill(pid, 'SIGTERM')\n      }\n      catch {\n        // ESRCH (already dead) / EPERM (lost ownership). Swallow —\n        // the process either won't kill cleanly OR is already gone,\n        // both acceptable at shutdown.\n      }\n    }\n  }\n\n  return {\n    type: 'process',\n\n    capabilities: {\n      shell: true,\n      filesystem: true,\n      glob: true,\n      network: true,\n      gpu: false,\n      // Background tasks are OS children of this process's machine —\n      // they survive `agent.destroy()` reassignment games but NOT a\n      // host machine reboot, and the orphan reaper kills them on\n      // process exit. That's the 'process-lifetime' tier.\n      detachedTasks: 'process-lifetime',\n    } satisfies ContextCapabilities,\n\n    async spawn(overrides?: SpawnConfig): Promise<ExecutionHandle> {\n      const id = `process-${++counter}`\n      const cwd = overrides?.cwd ?? defaultCwd\n\n      // Only create `cwd` when it is genuinely missing. An unconditional\n      // `mkdir(cwd, { recursive: true })` on an already-existing directory is a\n      // wasted write that needlessly demands FS-write permission — which breaks\n      // read-only / no-write runtimes (Supabase Edge Functions write only to\n      // `/tmp`; Deno edge isolates) where the cwd already exists. `stat` is a\n      // read (permitted there); the write is attempted only on a confirmed\n      // ENOENT. Any other stat failure (e.g. EACCES on a sandbox-restricted\n      // path) must NOT escalate to a mkdir we'd also be denied — assume present\n      // and let a later file op surface a precise error if it truly isn't.\n      let needsCreate = false\n      try {\n        await stat(cwd)\n      }\n      catch (err) {\n        needsCreate = (err as NodeJS.ErrnoException)?.code === 'ENOENT'\n      }\n      if (needsCreate)\n        await mkdir(cwd, { recursive: true })\n\n      const handle: ExecutionHandle = { id, type: 'process', cwd }\n      handles.set(id, handle)\n      return handle\n    },\n\n    async exec(\n      handle: ExecutionHandle,\n      command: string,\n      options?: { cwd?: string, env?: Record<string, string>, timeout?: number, signal?: AbortSignal },\n    ): Promise<ExecResult> {\n      const cwd = options?.cwd ? resolve(handle.cwd, options.cwd) : handle.cwd\n\n      // Pre-aborted fast path: skip the spawn entirely and synthesize a\n      // killed-by-signal result. Saves a spawn round-trip + dodges Node\n      // emitting an immediate `AbortError`.\n      if (options?.signal?.aborted) {\n        return { stdout: '', stderr: 'aborted by signal before spawn', exitCode: 143 }\n      }\n\n      const timeoutMs = (options?.timeout ?? config?.limits?.timeout ?? 30) * 1000\n      const maxBuffer = DEFAULT_MAX_BUFFER\n\n      // Lazy subprocess load (see `loadSpawn`) — awaited before the Promise\n      // executor so the spawn primitive is ready synchronously inside it.\n      const spawnChild = await loadSpawn()\n\n      return new Promise<ExecResult>((resolveP) => {\n        // Spawn as a NEW process group leader so we can kill the whole\n        // subtree on abort. Without `detached: true`, sending SIGTERM to\n        // the shell's pid only kills the shell wrapper — its child\n        // processes (the actual `sleep`, `npm`, `python`, …) get\n        // reparented to init and keep running. `process.kill(-pid, …)`\n        // with a NEGATIVE pid targets the whole process group; that's\n        // the POSIX idiom for \"shut down everything I started\".\n        //\n        // On Windows there are no process groups in the POSIX sense, so\n        // we leave `detached` off and accept the shell-only kill — the\n        // platform's job-object machinery is the path forward there if\n        // we ever need it, but it's not the bug zidane's users are\n        // hitting today.\n        const child = spawnChild('/bin/sh', ['-c', command], {\n          cwd,\n          env: { ...baseEnv, ...defaultEnv, ...options?.env },\n          stdio: ['ignore', 'pipe', 'pipe'],\n          detached: SUPPORTS_PROCESS_GROUPS,\n        })\n\n        let stdout = ''\n        let stderr = ''\n        // Byte accounting per slot. `maxBuffer` is a BYTE budget — comparing\n        // it against the accumulated string's UTF-16 `.length` undercounts\n        // multi-byte UTF-8 (overshooting the budget) and slicing the Buffer\n        // at a char-derived offset can split a codepoint mid-sequence.\n        let stdoutBytes = 0\n        let stderrBytes = 0\n        let bufferTruncated = false\n        let timedOut = false\n        let killedByAbort = false\n        let settled = false\n\n        const appendCapped = (slot: 'stdout' | 'stderr', chunk: Buffer): void => {\n          const used = slot === 'stdout' ? stdoutBytes : stderrBytes\n          if (used >= maxBuffer) {\n            // Buffer filled exactly on a prior chunk boundary — this chunk\n            // is data we're dropping, so it still counts as truncation.\n            if (!bufferTruncated) {\n              bufferTruncated = true\n              killProcessGroup(child, 'SIGTERM')\n            }\n            return\n          }\n          const room = maxBuffer - used\n          let piece = chunk\n          if (chunk.length > room) {\n            // Cut on a UTF-8 codepoint boundary: if the byte right after the\n            // cut is a continuation byte (0b10xxxxxx), the cut would land\n            // mid-codepoint — back off until it doesn't.\n            let end = room\n            while (end > 0 && (chunk[end] & 0xC0) === 0x80)\n              end--\n            piece = chunk.subarray(0, end)\n          }\n          if (slot === 'stdout') {\n            stdout += piece.toString('utf8')\n            stdoutBytes += piece.length\n          }\n          else {\n            stderr += piece.toString('utf8')\n            stderrBytes += piece.length\n          }\n          if (chunk.length > room) {\n            bufferTruncated = true\n            // Kill on overflow — matches `execAsync`'s `maxBuffer`\n            // behavior (which kills the child and surfaces an error).\n            killProcessGroup(child, 'SIGTERM')\n          }\n        }\n\n        child.stdout?.on('data', chunk => appendCapped('stdout', chunk as Buffer))\n        child.stderr?.on('data', chunk => appendCapped('stderr', chunk as Buffer))\n\n        const timeoutTimer = timeoutMs > 0\n          ? setTimeout(() => {\n              timedOut = true\n              killProcessGroup(child, 'SIGTERM')\n            }, timeoutMs)\n          : undefined\n\n        const onAbort = (): void => {\n          killedByAbort = true\n          killProcessGroup(child, 'SIGTERM')\n        }\n        const userSignal = options?.signal\n        if (userSignal)\n          userSignal.addEventListener('abort', onAbort, { once: true })\n\n        let exitGraceTimer: NodeJS.Timeout | undefined\n\n        const settle = (exitCode: number, extraStderr?: string): void => {\n          if (settled)\n            return\n          settled = true\n          if (timeoutTimer)\n            clearTimeout(timeoutTimer)\n          if (exitGraceTimer)\n            clearTimeout(exitGraceTimer)\n          if (userSignal)\n            userSignal.removeEventListener('abort', onAbort)\n          const finalStderr = extraStderr\n            ? (stderr ? `${stderr}\\n${extraStderr}` : extraStderr)\n            : stderr\n          resolveP({ stdout, stderr: finalStderr, exitCode })\n        }\n\n        // Shared classification ladder for `close` (fast path: pipes\n        // drained normally) and the post-`exit` grace (pipes held open\n        // by a daemonized grandchild). Order matters: killed-by-our-\n        // abort wins over timeout wins over natural exit, because the\n        // abort listener fires first when the user cancels mid-\n        // timeout-window.\n        const settleFromStatus = (code: number | null, signal: NodeJS.Signals | null): void => {\n          if (killedByAbort) {\n            settle(143, 'aborted by signal')\n            return\n          }\n          if (timedOut) {\n            settle(124, `command timed out after ${timeoutMs}ms`)\n            return\n          }\n          if (bufferTruncated) {\n            settle(143, `output exceeded ${maxBuffer}-byte buffer; process killed`)\n            return\n          }\n          if (signal) {\n            // Killed by some other signal we didn't issue. Treat as\n            // signal-killed for consumer compat.\n            settle(128 + 15, `terminated by signal ${signal}`)\n            return\n          }\n          settle(typeof code === 'number' ? code : 1)\n        }\n\n        child.on('error', (err) => {\n          // Spawn failure (ENOENT on `/bin/sh`, EACCES, …). Mirror\n          // `execAsync`'s \"rejects with an Error\" shape by surfacing\n          // the message on stderr and a non-zero exit.\n          settle(1, err.message)\n        })\n\n        child.on('close', (code, signal) => settleFromStatus(code, signal))\n\n        child.on('exit', (code, signal) => {\n          // The command is DONE here — `close` only adds \"every stdio\n          // pipe closed\", which a daemonized grandchild can block\n          // forever (see EXIT_PIPE_DRAIN_GRACE_MS). Give the pipes a\n          // short drain grace, then settle with what we have and\n          // release them. The daemon keeps running — that was the\n          // command's intent; killing the group here would be wrong.\n          exitGraceTimer = setTimeout(() => {\n            if (settled)\n              return\n            child.stdout?.destroy()\n            child.stderr?.destroy()\n            settleFromStatus(code, signal)\n          }, EXIT_PIPE_DRAIN_GRACE_MS)\n          exitGraceTimer.unref?.()\n        })\n      })\n    },\n\n    async readFile(handle: ExecutionHandle, path: string): Promise<string> {\n      return readFile(await resolveContained(handle, path), 'utf-8')\n    },\n\n    async readFileBinary(handle: ExecutionHandle, path: string): Promise<Uint8Array> {\n      // No encoding → returns a Buffer (which is a Uint8Array). Used by\n      // read_file to ferry image / binary content into the multimodal route.\n      const buf = await readFile(await resolveContained(handle, path))\n      return new Uint8Array(buf)\n    },\n\n    async writeFile(handle: ExecutionHandle, path: string, content: string): Promise<void> {\n      const fullPath = await resolveContained(handle, path)\n      await mkdir(dirname(fullPath), { recursive: true })\n      await writeFile(fullPath, content, 'utf-8')\n    },\n\n    async listFiles(handle: ExecutionHandle, path: string, options): Promise<ListFilesEntry[]> {\n      if (options?.glob) {\n        await resolveContained(handle, globLiteralPrefix(path) || '.')\n        const entries = await globFilesLocal(path, handle.cwd, {\n          limit: options?.limit ?? 1000,\n          metadata: options?.metadata,\n        })\n        if (workspaceRoot === undefined)\n          return entries\n        const contained: ListFilesEntry[] = []\n        for (const entry of entries) {\n          try {\n            await resolveContained(handle, entry.path)\n            contained.push(entry)\n          }\n          catch {\n            // Symlink escapes can be discovered by broad globs like `**/*`.\n            // Keep the process context's workspaceRoot invariant by filtering\n            // them exactly as read/write paths are filtered.\n          }\n        }\n        return contained\n      }\n      return readdir(await resolveContained(handle, path))\n    },\n\n    async execBackground(\n      handle: ExecutionHandle,\n      command: string,\n      options: {\n        cwd?: string\n        env?: Record<string, string>\n        outputDir: string\n        onExit?: (info: TaskExitInfo) => void\n        maxOutputBytes?: number\n        stallTimeoutMs?: number\n        onStall?: (info: TaskStallInfo) => void\n      },\n    ): Promise<TaskHandle> {\n      const cwd = options.cwd ? resolve(handle.cwd, options.cwd) : handle.cwd\n\n      // Resolve the subprocess primitive up front (see `loadSpawn`) so a runtime\n      // without `node:child_process` fails BEFORE we allocate the log dir +\n      // output stream — no orphaned fd / log file on an unsupported host.\n      const spawnChild = await loadSpawn()\n\n      await mkdir(options.outputDir, { recursive: true })\n\n      // Mint id + path. The id is sequential per context (model-facing,\n      // short, ergonomic for `shell_kill`). The log FILENAME embeds the\n      // context's start timestamp so two contexts sharing an `outputDir`\n      // (TUI restart on the same session, concurrent zidane instances,\n      // …) never resolve to the same file — we open with `flags: 'a'`\n      // and a name collision would interleave their output. Path\n      // validation is defensive — we mint our own ids so it never trips\n      // today, but it pins the invariant for forks / third parties.\n      const taskId = `bash_${++taskCounter}`\n      assertSafeTaskId(taskId)\n      const outputPath = resolve(options.outputDir, `${taskId}.${contextTimestamp}.log`)\n\n      // Install the orphan reaper on first task. See `exitHandler`'s\n      // JSDoc for the kill-on-shutdown rationale.\n      if (!exitHandlerRegistered) {\n        process.on('exit', exitHandler)\n        exitHandlerRegistered = true\n      }\n\n      // Open the output file. The timestamped path is unique per context\n      // so a brand-new file is the expected outcome; `flags: 'a'` is kept\n      // as the safe default (preserves bytes if the path collides for any\n      // reason — same-millisecond context creation, manual pre-population,\n      // etc.) rather than blindly truncating. Streams are opened BEFORE\n      // the spawn to avoid a race where the child writes before the stream\n      // is ready — `child_process` buffers stdio until the consumer\n      // attaches, but the FS handle has to exist either way for our pipe.\n      const outputStream: WriteStream = createWriteStream(outputPath, { flags: 'a' })\n      // Surface FS errors (ENOSPC, EACCES on a remounted FS, etc.)\n      // under ZIDANE_DEBUG instead of crashing the host via an\n      // unhandled 'error' event. Without a listener Node escalates\n      // any stream-level error to an uncaughtException and the whole\n      // process exits — the model and the user would lose every\n      // unrelated in-flight piece of work to one bad task's disk\n      // hiccup. Swallow + log is the safer default for a fire-and-\n      // forget log writer; the task's exit code still reports.\n      outputStream.on('error', (err) => {\n        if (process.env.ZIDANE_DEBUG)\n          process.stderr.write(`[zidane/contexts] task ${taskId} log stream error: ${err.message}\\n`)\n      })\n\n      // Spawn as a NEW process group leader so we can kill the whole\n      // subtree on demand. Same primitive `exec` uses for foreground\n      // shells — see the long comment in that method for the\n      // process-group rationale.\n      const child = spawnChild('/bin/sh', ['-c', command], {\n        cwd,\n        env: { ...baseEnv, ...defaultEnv, ...options.env },\n        stdio: ['ignore', 'pipe', 'pipe'],\n        detached: SUPPORTS_PROCESS_GROUPS,\n      })\n\n      const state: TaskState = {\n        taskId,\n        handleId: handle.id,\n        pid: child.pid ?? -1,\n        command,\n        cwd,\n        startedAt: Date.now(),\n        outputPath,\n        outputStream,\n        child,\n        status: 'running',\n        bytesWritten: 0,\n        settled: false,\n        onExit: options.onExit,\n      }\n      tasks.set(taskId, state)\n\n      // Output cap (optional). Beyond the cap the process keeps\n      // running — head-priority retention: bytes already on disk stay,\n      // subsequent bytes are counted but dropped, and a structured\n      // truncation marker is appended at settle so the model can\n      // pattern-match the loss. Killing on overflow (what the\n      // foreground `exec` does) would be wrong here: long-running\n      // servers legitimately log forever.\n      const maxOutputBytes = typeof options.maxOutputBytes === 'number' && options.maxOutputBytes > 0\n        ? options.maxOutputBytes\n        : undefined\n      let droppedBytes = 0\n      // Latched on the first overflowing chunk. Without it, a codepoint-\n      // boundary backoff (below) leaves a few bytes of \"room\" that later\n      // chunks would dribble into — appending disjoint fragments from\n      // much-later output right after the cut point.\n      let capExhausted = false\n\n      // Stall watchdog (optional). One-shot per quiet period: fires\n      // `onStall` after `stallTimeoutMs` of no output, then stays quiet\n      // until fresh output re-arms it. `unref()` so a pending timer\n      // never holds the host process open.\n      const stallTimeoutMs = typeof options.stallTimeoutMs === 'number' && options.stallTimeoutMs > 0\n        ? options.stallTimeoutMs\n        : undefined\n      const onStall = options.onStall\n      let stallTimer: NodeJS.Timeout | undefined\n      let lastOutputAt = Date.now()\n      const armStallTimer = (): void => {\n        if (!stallTimeoutMs || !onStall)\n          return\n        if (stallTimer)\n          clearTimeout(stallTimer)\n        stallTimer = setTimeout(() => {\n          stallTimer = undefined\n          if (state.settled)\n            return\n          try {\n            onStall({\n              taskId,\n              command,\n              outputPath,\n              stalledForMs: Date.now() - lastOutputAt,\n              bytesWritten: state.bytesWritten,\n            })\n          }\n          catch (err) {\n            if (process.env.ZIDANE_DEBUG)\n              process.stderr.write(`[zidane/contexts] task ${taskId} onStall threw: ${err instanceof Error ? err.message : String(err)}\\n`)\n          }\n        }, stallTimeoutMs)\n        stallTimer.unref?.()\n      }\n      const clearStallTimer = (): void => {\n        if (stallTimer) {\n          clearTimeout(stallTimer)\n          stallTimer = undefined\n        }\n      }\n      armStallTimer()\n\n      // Pipe both streams into the same file. Order between stdout and\n      // stderr is preserved per-stream; cross-stream ordering depends on\n      // Node's event loop — acceptable interleaving for log-shaped\n      // output. Tracked-bytes is updated on every chunk for the\n      // listBackground UX (counted even past the cap, so the UX shows\n      // the task's TRUE output volume).\n      const appendChunk = (chunk: Buffer): void => {\n        state.bytesWritten += chunk.length\n        lastOutputAt = Date.now()\n        armStallTimer()\n        if (maxOutputBytes !== undefined) {\n          const onDisk = state.bytesWritten - droppedBytes - chunk.length\n          if (capExhausted || onDisk >= maxOutputBytes) {\n            capExhausted = true\n            droppedBytes += chunk.length\n            return\n          }\n          const room = maxOutputBytes - onDisk\n          if (chunk.length > room) {\n            capExhausted = true\n            // Cut on a UTF-8 codepoint boundary, same as the foreground\n            // exec cap: back off while the byte after the cut is a\n            // continuation byte (0b10xxxxxx) so the log never ends in a\n            // mangled half-codepoint right before the truncation marker.\n            let end = room\n            while (end > 0 && (chunk[end] & 0xC0) === 0x80)\n              end--\n            droppedBytes += chunk.length - end\n            if (end > 0)\n              outputStream.write(chunk.subarray(0, end))\n            return\n          }\n        }\n        outputStream.write(chunk)\n      }\n      child.stdout?.on('data', chunk => appendChunk(chunk as Buffer))\n      child.stderr?.on('data', chunk => appendChunk(chunk as Buffer))\n\n      // Settle path — at-most-once via `settled` flag (checklist #14).\n      // Three trigger sources: `close` (natural OR signal-killed),\n      // `error` (spawn failure), explicit `killBackground` (which\n      // routes through `close` itself after the SIGTERM lands).\n      const settle = (cause: 'close' | 'error', code: number | null, signal: NodeJS.Signals | null, errMessage?: string): void => {\n        if (state.settled)\n          return\n        state.settled = true\n        clearStallTimer()\n        state.endedAt = Date.now()\n\n        // Determine final status from cause + signal.\n        const status: TaskExitInfo['status']\n          = signal === 'SIGTERM' || state.killRequested\n            ? 'killed'\n            : 'exited'\n        // Signal-killed children report null `code` from Node; map back\n        // to the POSIX `128 + signum` convention so consumers can read\n        // an integer either way.\n        const exitCode = code !== null\n          ? code\n          : signal === 'SIGTERM'\n            ? 143\n            : signal\n              ? 128\n              : 1\n        state.status = status\n        state.exitCode = exitCode\n        if (signal)\n          state.signal = signal\n\n        // Flush + close the WriteStream BEFORE firing onExit — model\n        // may read the file in the same turn it receives the\n        // notification, and a still-open stream can hold tail bytes\n        // back from disk. `stream.end(callback)` is the documented\n        // \"all queued writes are flushed when this fires\" idiom.\n        //\n        // ORDER MATTERS: any error preamble we want in the log file\n        // (spawn failures with no stdout, buffer overflows) MUST be\n        // written BEFORE `end()` — once `end()` is called the stream\n        // is closed for writing and subsequent `.write()` calls are\n        // dropped. Earlier revisions had this reversed and silently\n        // lost ENOENT-on-`/bin/sh` messages.\n        if (errMessage) {\n          try {\n            outputStream.write(`\\n${errMessage}\\n`)\n          }\n          catch {\n            // Stream may have errored before this — best-effort only.\n          }\n        }\n        if (droppedBytes > 0) {\n          try {\n            // Structured + loud — the model can pattern-match the tag\n            // rather than misread a truncated log as the full output.\n            outputStream.write(`\\n<output-truncated bytes-dropped=\"${droppedBytes}\"/>\\n`)\n          }\n          catch {\n            // Best-effort only, same as the error preamble above.\n          }\n        }\n        outputStream.end(() => {\n          // `stateToTaskExitInfo` reads the same fields we just set\n          // on `state`, so the snapshot the consumer gets matches the\n          // post-settle state exactly. `onExit` is optional — pull-based\n          // consumers reconcile via `listBackground` instead.\n          try {\n            state.onExit?.(stateToTaskExitInfo(state))\n          }\n          catch (err) {\n            // Defensive — a buggy onExit callback shouldn't crash the\n            // host. Surface via stderr under ZIDANE_DEBUG; otherwise\n            // swallow. Matches the spawn-tool's bubbleError pattern.\n            if (process.env.ZIDANE_DEBUG)\n              process.stderr.write(`[zidane/contexts] task ${taskId} onExit threw: ${err instanceof Error ? err.message : String(err)}\\n`)\n          }\n        })\n      }\n\n      child.on('close', (code, signal) => settle('close', code, signal))\n      child.on('error', err => settle('error', null, null, `[spawn error] ${err.message}`))\n\n      child.on('exit', (code, signal) => {\n        // Same pipe-hostage hazard as foreground `exec`: a grandchild\n        // that inherited the pipes blocks `close` forever, leaving the\n        // task `running` (and any waiter parked) long after the\n        // command exited. Settle after a short drain grace; `settle`'s\n        // latch makes this a no-op when `close` already fired.\n        const exitGraceTimer = setTimeout(() => {\n          if (state.settled)\n            return\n          child.stdout?.destroy()\n          child.stderr?.destroy()\n          settle('close', code, signal)\n        }, EXIT_PIPE_DRAIN_GRACE_MS)\n        exitGraceTimer.unref?.()\n      })\n\n      return { taskId, pid: state.pid, outputPath }\n    },\n\n    async killBackground(handle: ExecutionHandle, taskId: string): Promise<TaskExitInfo | null> {\n      const state = tasks.get(taskId)\n      // Two miss cases collapse into one `null` return: unknown id, AND\n      // known-id-but-not-owned-by-this-handle. The second case is the\n      // subagent-can't-kill-parent-tasks defense; surfacing it as a\n      // distinct error would leak the existence of the parent's task\n      // to the subagent's model, which violates the per-handle\n      // isolation contract.\n      if (!state || state.handleId !== handle.id)\n        return null\n      // Already exited — return the cached info. We don't keep a\n      // separate cached exit; the state itself carries every field\n      // `TaskExitInfo` needs and `stateToTaskExitInfo` projects it.\n      if (state.status !== 'running')\n        return stateToTaskExitInfo(state)\n\n      // Mark the intent BEFORE issuing the kill so the close handler\n      // classifies the exit as `'killed'` even on platforms where the\n      // SIGTERM-via-group lands faster than the close event drains.\n      // (Checklist #14: at-most-once settle, plus correct status\n      // classification regardless of event ordering.)\n      state.killRequested = true\n\n      // Wait for the existing close listener to fire — `settle()` does\n      // all the flushing + onExit work. We just sit on a one-shot\n      // promise tied to the `child.on('close')` we already registered\n      // at spawn time.\n      const closed = new Promise<void>((resolveP) => {\n        if (state.settled) {\n          resolveP()\n          return\n        }\n        const originalOnExit = state.onExit\n        state.onExit = (info) => {\n          originalOnExit?.(info)\n          resolveP()\n        }\n      })\n\n      killProcessGroup(state.child, 'SIGTERM')\n      await closed\n      return stateToTaskExitInfo(state)\n    },\n\n    async waitBackground(\n      handle: ExecutionHandle,\n      taskId: string,\n      options?: { timeoutMs?: number, signal?: AbortSignal },\n    ): Promise<TaskExitInfo | null> {\n      const state = tasks.get(taskId)\n      // Same two-misses-collapse-to-null contract as `killBackground`:\n      // unknown id AND known-but-other-handle both return `null` so a\n      // subagent can't observe the parent's tasks through the wait seam.\n      if (!state || state.handleId !== handle.id)\n        return null\n      if (state.settled)\n        return stateToTaskExitInfo(state)\n\n      return new Promise<TaskExitInfo | null>((resolveP) => {\n        let done = false\n        let timer: NodeJS.Timeout | undefined\n        const signal = options?.signal\n        const finish = (value: TaskExitInfo | null): void => {\n          if (done)\n            return\n          done = true\n          if (timer)\n            clearTimeout(timer)\n          signal?.removeEventListener('abort', onAbort)\n          resolveP(value)\n        }\n        function onAbort(): void {\n          finish(null)\n        }\n\n        // Chain onto the live exit callback rather than replacing it —\n        // the original (notification enqueue, kill-waiter, a sibling\n        // waiter) must keep firing. The `done` latch makes a late exit\n        // after timeout a no-op for THIS waiter.\n        const originalOnExit = state.onExit\n        state.onExit = (info) => {\n          originalOnExit?.(info)\n          finish(stateToTaskExitInfo(state))\n        }\n\n        if (signal) {\n          if (signal.aborted) {\n            finish(null)\n            return\n          }\n          signal.addEventListener('abort', onAbort, { once: true })\n        }\n        const timeoutMs = options?.timeoutMs\n        if (typeof timeoutMs === 'number' && Number.isFinite(timeoutMs) && timeoutMs > 0) {\n          timer = setTimeout(finish, timeoutMs, null)\n          timer.unref?.()\n        }\n      })\n    },\n\n    async reassignBackgroundTasks(\n      fromHandle: ExecutionHandle,\n      toHandle: ExecutionHandle,\n      newOnExit?: (info: TaskExitInfo) => void,\n    ): Promise<readonly TaskEntry[]> {\n      // No-op when source = destination — keeps the spawn.ts call site\n      // unconditional without forcing it to dedupe.\n      if (fromHandle.id === toHandle.id)\n        return []\n      const promoted: TaskEntry[] = []\n      for (const state of tasks.values()) {\n        if (state.handleId !== fromHandle.id || state.status !== 'running')\n          continue\n        state.handleId = toHandle.id\n        // Replace the natural-exit callback. The original closed over\n        // the spawning agent's hook bus, which is about to be destroyed\n        // — without rewiring, the task's eventual `background:exit`\n        // fires into a torn-down hookable and the parent never learns.\n        if (newOnExit)\n          state.onExit = newOnExit\n        promoted.push(stateToTaskEntry(state))\n      }\n      return promoted\n    },\n\n    async listBackground(handle: ExecutionHandle): Promise<readonly TaskEntry[]> {\n      // Snapshot — callers must not assume the returned array stays\n      // in sync with the live registry. Sorted by startedAt so the\n      // model / UI sees consistent ordering across calls. Scoped to\n      // the calling handle so subagents don't see the parent's tasks\n      // (and vice versa) in their listing.\n      return [...tasks.values()]\n        .filter(s => s.handleId === handle.id)\n        .sort((a, b) => a.startedAt - b.startedAt)\n        .map(stateToTaskEntry)\n    },\n\n    async destroy(handle: ExecutionHandle): Promise<void> {\n      // Kill every still-running background task SPAWNED THROUGH THIS\n      // HANDLE before tearing the handle down. SIGTERM the groups,\n      // await the close + flush, THEN drop the registry entries.\n      // Sequential — destroy is one-shot teardown, the few ms of extra\n      // latency aren't worth the synchronization complexity.\n      //\n      // The handle scope matters when the same `ExecutionContext` is\n      // shared across a parent agent and its `spawn`-ed subagents (the\n      // default — `spawn.ts` passes `execution: ctx.execution`). Each\n      // agent mints its own `ExecutionHandle` and registers its\n      // background tasks under that handle's id. Without the filter,\n      // a child agent's `destroy()` (fired by `spawn.ts`'s `finally`\n      // when the subagent finishes / is cancelled) would walk the\n      // shared registry and SIGTERM the parent's tasks too. So\n      // cancelling a subagent that has its own background shells now\n      // correctly kills JUST those subagent shells, leaving the\n      // parent's intact.\n      const survivors = [...tasks.values()].filter(s => s.handleId === handle.id && !s.settled)\n      await Promise.all(survivors.map(async (state) => {\n        state.killRequested = true\n        await new Promise<void>((resolveP) => {\n          let graceTimer: NodeJS.Timeout | undefined\n          const originalOnExit = state.onExit\n          state.onExit = (info) => {\n            originalOnExit?.(info)\n            if (graceTimer)\n              clearTimeout(graceTimer)\n            resolveP()\n          }\n          killProcessGroup(state.child, 'SIGTERM')\n          // Bounded drain: a task that traps/ignores SIGTERM — or whose\n          // `close` event is held back by an escaped grandchild (setsid'd\n          // out of the process group) keeping the inherited stdio pipe\n          // open — must not wedge `agent.destroy()` forever. After the\n          // grace period, SIGKILL the group and stop waiting: `close`\n          // may STILL never fire (the pipe holder isn't in the group),\n          // so resolving here is the only way destroy() stays bounded.\n          graceTimer = setTimeout(() => {\n            killProcessGroup(state.child, 'SIGKILL')\n            // settle() normally flushes + ends the log stream, but it\n            // only runs off `close` — which we just gave up on. Tear the\n            // stream down so the fd doesn't leak into a long-lived host.\n            state.outputStream.destroy()\n            resolveP()\n          }, destroyGraceMs)\n          graceTimer.unref?.()\n        })\n      }))\n      // Drop only this handle's tasks from the registry. Other handles\n      // (siblings, parent) keep their entries.\n      for (const [taskId, state] of tasks) {\n        if (state.handleId === handle.id)\n          tasks.delete(taskId)\n      }\n      handles.delete(handle.id)\n      // Drop the orphan reaper ONLY when no handles remain — otherwise\n      // a child's `destroy()` would strip the parent's safety net. The\n      // reaper protects every still-tracked task in the context, so it\n      // sticks around until the LAST handle is gone.\n      //\n      // Without this guard, the spawn-tool sequence\n      //   parent.spawn(child) → child.run() → child.destroy() (auto)\n      // would deregister the handler mid-parent-lifetime. The parent's\n      // own subsequent Ctrl+C orphan-kill safety would silently degrade.\n      if (exitHandlerRegistered && handles.size === 0) {\n        process.off('exit', exitHandler)\n        exitHandlerRegistered = false\n      }\n    },\n  }\n}\n\n/**\n * Per-task state. Lives in the context's `tasks` registry. Fields are\n * mutated in place by the spawn / close / kill / destroy code paths —\n * the registry isn't immutable. Treat the type as a record-of-cells,\n * not a value.\n */\ninterface TaskState {\n  taskId: string\n  /**\n   * `ExecutionHandle.id` of the spawning agent. The registry is\n   * context-scoped (one Map shared across all handles a context minted),\n   * so a per-task owner tag is what scopes `listBackground` /\n   * `killBackground` / `destroy` to the calling handle's slice.\n   *\n   * Without this, a subagent spawned via `spawn` tool — which inherits\n   * the parent's `ExecutionContext` but mints its OWN handle — would\n   * see (and accidentally kill on `destroy()`) every task the parent\n   * had running. Came up the first time the model spawned a subagent\n   * that ran a background task: the subagent's run-end `destroy()`\n   * SIGTERMed the parent's `npm run dev` mid-flight.\n   */\n  handleId: string\n  pid: number\n  command: string\n  cwd: string\n  startedAt: number\n  outputPath: string\n  outputStream: WriteStream\n  child: ChildProcess\n  status: 'running' | 'exited' | 'killed'\n  exitCode?: number\n  signal?: NodeJS.Signals\n  bytesWritten: number\n  /**\n   * `at-most-once` settle latch. Multiple trigger sources (`close`,\n   * `error`, `kill`) can race; the flag dedupes so `onExit` fires\n   * exactly once per task (checklist #14).\n   */\n  settled: boolean\n  /**\n   * Set by `killBackground` / `destroy` before issuing SIGTERM so the\n   * close handler classifies the exit as `'killed'` even when the\n   * platform delivers the close event ahead of our intent record.\n   */\n  killRequested?: boolean\n  /**\n   * `Date.now()` at settle time. Lets `durationMs` (and pull-based\n   * reconcile consumers reading `TaskEntry.endedAt`) report the task's\n   * real lifetime instead of a projection-time delta.\n   */\n  endedAt?: number\n  /**\n   * Optional push-style exit callback. Undefined for pull-based\n   * consumers (remote / durable hosts reconcile via `listBackground`).\n   * Mutated in place by the kill / destroy / wait chains.\n   */\n  onExit?: (info: TaskExitInfo) => void\n}\n\n/**\n * Send `signal` to the child's whole process group. Falls back to a\n * single-process kill on Windows (no POSIX process groups). Shared\n * across the foreground `exec` path, the background spawn / kill\n * paths, and the shutdown-time orphan reaper — keeping one definition\n * so the kill semantics can't drift between them.\n */\nfunction killProcessGroup(child: ChildProcess, signal: NodeJS.Signals): void {\n  const pid = child.pid\n  if (pid === undefined)\n    return\n  try {\n    if (SUPPORTS_PROCESS_GROUPS)\n      process.kill(-pid, signal)\n    else\n      process.kill(pid, signal)\n  }\n  catch {\n    // ESRCH / EPERM — process is already gone (race with natural exit)\n    // or we lost the right to kill it. Both are safe to swallow.\n  }\n}\n\n/**\n * Project a `TaskState` to the `TaskEntry` shape `listBackground` and\n * `reassignBackgroundTasks` return. Single helper keeps the shape\n * consistent across both call sites (and a future addition of fields\n * to `TaskEntry` only needs to land here).\n */\nfunction stateToTaskEntry(state: TaskState): TaskEntry {\n  return {\n    taskId: state.taskId,\n    pid: state.pid,\n    command: state.command,\n    cwd: state.cwd,\n    startedAt: state.startedAt,\n    ...(state.endedAt !== undefined ? { endedAt: state.endedAt } : {}),\n    outputPath: state.outputPath,\n    status: state.status,\n    ...(state.exitCode !== undefined ? { exitCode: state.exitCode } : {}),\n    ...(state.signal ? { signal: state.signal } : {}),\n    bytesWritten: state.bytesWritten,\n  }\n}\n\n/**\n * Project a settled `TaskState` to the `TaskExitInfo` shape `settle()`\n * fires from `onExit` and `killBackground` returns on the\n * cached-exit path. Pre-condition: `state.status !== 'running'`\n * (callers gate on this).\n */\nfunction stateToTaskExitInfo(state: TaskState): TaskExitInfo {\n  return {\n    taskId: state.taskId,\n    status: state.status as Exclude<TaskState['status'], 'running'>,\n    exitCode: state.exitCode ?? 0,\n    ...(state.signal ? { signal: state.signal } : {}),\n    outputPath: state.outputPath,\n    // Settle-time delta when available (always set since `endedAt` was\n    // introduced); the `Date.now()` fallback covers defensive callers\n    // projecting an unsettled state.\n    durationMs: (state.endedAt ?? Date.now()) - state.startedAt,\n    command: state.command,\n  }\n}\n","/**\n * Execution context types.\n *\n * An execution context defines *where* and *how* an agent's tools run.\n * The agent loop and tools interact through this interface without knowing\n * whether they're running in-process, in a Docker container, or in a\n * remote sandbox.\n */\n\n// ---------------------------------------------------------------------------\n// Capabilities\n// ---------------------------------------------------------------------------\n\n/**\n * Lifetime guarantee of background tasks started through\n * {@link ExecutionContext.execBackground}.\n *\n * - `'none'` — the context cannot detach tasks at all.\n * - `'process-lifetime'` — tasks live as long as the HOST process; a\n *   crash/restart of the host orphans or kills them (`ProcessContext`).\n * - `'durable'` — tasks live on a remote runner and survive host process\n *   death (remote execution contexts driven by durable runtimes).\n *\n * Durable-execution adapters (e.g. `zidane/restate`) consult this to\n * decide whether backgrounding is safe to expose: a `'durable'` context\n * keeps its tasks across worker crashes, so there is no reason to strip\n * the capability from the model.\n */\nexport type DetachedTasksCapability = 'none' | 'process-lifetime' | 'durable'\n\nexport interface ContextCapabilities {\n  /** Can execute shell commands */\n  shell: boolean\n  /** Can read/write files in a workspace */\n  filesystem: boolean\n  /** Can enumerate glob matches through `ExecutionContext.listFiles(..., { glob: true })`. */\n  glob?: boolean\n  /** Can make outbound network requests */\n  network: boolean\n  /** Has GPU access */\n  gpu: boolean\n  /**\n   * Background-task lifetime guarantee. Optional for backward\n   * compatibility — when absent, callers infer `'process-lifetime'`\n   * if the context implements `execBackground`, `'none'` otherwise\n   * (see {@link resolveDetachedTasksCapability}).\n   */\n  detachedTasks?: DetachedTasksCapability\n}\n\n/**\n * Effective {@link DetachedTasksCapability} of a context, with the\n * backward-compatible inference for contexts that predate the field.\n */\nexport function resolveDetachedTasksCapability(context: ExecutionContext): DetachedTasksCapability {\n  return context.capabilities.detachedTasks\n    ?? (context.execBackground ? 'process-lifetime' : 'none')\n}\n\n// ---------------------------------------------------------------------------\n// Execution handle\n// ---------------------------------------------------------------------------\n\n/** Opaque handle to a running execution context instance */\nexport interface ExecutionHandle {\n  id: string\n  type: ContextType\n  /** Working directory within the context */\n  cwd: string\n}\n\n// ---------------------------------------------------------------------------\n// Exec result\n// ---------------------------------------------------------------------------\n\nexport interface ExecResult {\n  stdout: string\n  stderr: string\n  exitCode: number\n}\n\nexport interface ListFileMetadata {\n  path: string\n  size?: number\n  mtimeMs?: number\n}\n\nexport type ListFilesEntry = string | ListFileMetadata\n\nexport interface ListFilesOptions {\n  /** Treat `path` as a glob match pattern instead of a literal directory path. */\n  glob?: boolean\n  limit?: number\n  metadata?: boolean\n}\n\n// ---------------------------------------------------------------------------\n// Spawn config\n// ---------------------------------------------------------------------------\n\nexport interface SpawnConfig {\n  /** Working directory (created if it doesn't exist) */\n  cwd?: string\n  /**\n   * Optional workspace-containment root for the file methods (`readFile`,\n   * `writeFile`, `listFiles`) of the process context.\n   *\n   * When set, a resolved path that escapes this root (via absolute path,\n   * `..`, or a symlink pointing outside) is rejected before any I/O. Default\n   * unset = no containment (back-compat; the agent can read/write anywhere\n   * the host process can). Set this for untrusted workloads to confine file\n   * tools to a directory. Shell commands are not covered — use a sandbox /\n   * docker context for full isolation.\n   */\n  workspaceRoot?: string\n  /** Environment variables */\n  env?: Record<string, string>\n  /**\n   * Whether spawned shells inherit the parent `process.env` (process context).\n   *\n   * Default `true` (preserves existing behavior — children see the parent\n   * environment including anything Bun auto-loaded from `.env`). Set `false`\n   * for untrusted workloads so secrets in the parent environment aren't\n   * readable by tool commands; only `env` / per-call env plus a minimal base\n   * (`PATH`, `HOME`, `SHELL`, `LANG`, `LC_ALL`, `USER`, `TERM`, `TMPDIR`) are\n   * passed through.\n   */\n  inheritEnv?: boolean\n  /** Docker image (only for 'docker' context) */\n  image?: string\n  /** Docker container name prefix (only for 'docker' context) */\n  name?: string\n  /** Host paths mounted into the context (only for 'docker' context today) */\n  mounts?: ContextMount[]\n  /** Resource limits */\n  limits?: {\n    /** Memory limit in MB */\n    memory?: number\n    /** CPU limit (e.g. '1.0' = 1 core) */\n    cpu?: string\n    /** Timeout in seconds for the entire context lifetime */\n    timeout?: number\n  }\n  /** Sandbox provider config (only for 'sandbox' context) */\n  sandbox?: {\n    provider: string\n    apiKey?: string\n    /**\n     * Attach to a pre-existing sandbox by id rather than creating one\n     * (provider-specific; E2B maps it to `Sandbox.connect`). The provider\n     * leaves a connected sandbox running on teardown.\n     */\n    sandboxId?: string\n    [key: string]: unknown\n  }\n\n  /**\n   * How long `destroy()` waits for a SIGTERM'd background task to settle\n   * before escalating to SIGKILL and abandoning the wait (process context\n   * only). Bounds `agent.destroy()` against tasks that trap SIGTERM or\n   * whose stdio pipes are held open by escaped grandchildren.\n   *\n   * Default: `5000`.\n   */\n  destroyGraceMs?: number\n\n  /**\n   * Publish container ports on the host (docker context only).\n   *\n   * Each entry maps a container port to either an explicit host port or\n   * (when `host` is omitted) a Docker-assigned random port. Retrieve the\n   * actual host port at runtime via `getMappedPort(container)` on the\n   * docker context.\n   */\n  ports?: Array<{ container: number, host?: number, proto?: 'tcp' | 'udp' }>\n\n  /**\n   * UID/GID the container should run as (docker context only).\n   *\n   * Accepts the same forms Docker's `--user` does: `uid`, `uid:gid`, or a\n   * named user that exists in the image. Default is the image's default\n   * user (typically root). Setting this to the host user's `uid:gid`\n   * avoids the EACCES-on-cleanup problem when sharing a workspace via\n   * a `shared` mount.\n   */\n  user?: string\n\n  /**\n   * User-defined Docker network to join (docker context only).\n   *\n   * Defaults to Docker's default bridge. Use a user network when you\n   * need multiple sibling containers (e.g. agent + database + dev\n   * server) to discover each other by name.\n   */\n  network?: string\n\n  /**\n   * Docker labels to attach to the container (docker context only).\n   *\n   * Useful for ownership tracking — callers can sweep abandoned\n   * containers (e.g. from a crashed parent process) by filtering on\n   * a label they own: `docker ps -aq --filter label=my-app=true`.\n   */\n  labels?: Record<string, string>\n\n  /**\n   * Container hardening options (docker context only).\n   *\n   * All fields are opt-in and OFF by default to preserve existing behavior\n   * (containers run with the image's default user/capabilities). Enable them\n   * for untrusted workloads. `dropAllCapabilities` and a non-root `user`\n   * (see {@link SpawnConfig.user}) can break images that expect root or\n   * specific capabilities, so they are not applied unless requested.\n   */\n  hardening?: ContextHardening\n}\n\n/**\n * Opt-in container hardening for the docker context. Every field defaults to\n * \"unset\" so an omitted `hardening` (or omitted field) reproduces the prior,\n * unrestricted behavior — this keeps the option purely additive.\n */\nexport interface ContextHardening {\n  /**\n   * Drop all Linux capabilities (`CapDrop: ['ALL']`). Strong isolation, but\n   * breaks images needing capabilities (e.g. binding low ports, `ping`).\n   * Default: `false`.\n   */\n  dropAllCapabilities?: boolean\n  /**\n   * Set `no-new-privileges` so processes can't gain privileges via setuid\n   * binaries. Low blast radius; safe for most workloads. Default: `false`.\n   */\n  noNewPrivileges?: boolean\n  /**\n   * Mount the container root filesystem read-only. Pair with writable mounts\n   * for scratch space. Default: `false`.\n   */\n  readonlyRootfs?: boolean\n  /**\n   * Max number of processes (`PidsLimit`) — caps fork-bombs. Default: unset\n   * (no limit). A few hundred is usually plenty for an agent sandbox.\n   */\n  pidsLimit?: number\n}\n\nexport interface ContextMount {\n  /** Absolute host path to mount. */\n  source: string\n  /** Absolute path inside the execution context. */\n  target: string\n  /** Mount read-only. Defaults to false for Docker's native bind behavior. */\n  readonly?: boolean\n  /**\n   * Apply the SELinux shared label (`:z`) so the host user and the container\n   * user can both read/write the mount (docker context only). No-op on\n   * non-SELinux hosts. Combine with `SpawnConfig.user` to avoid root-owned\n   * files leaking onto the host. Mutually exclusive with `readonly`.\n   */\n  shared?: boolean\n}\n\n// ---------------------------------------------------------------------------\n// Execution context interface\n// ---------------------------------------------------------------------------\n\nexport type ContextType = 'process' | 'docker' | 'sandbox'\n\nexport interface ExecutionContext {\n  /** Context type identifier */\n  readonly type: ContextType\n\n  /** What this context supports */\n  readonly capabilities: ContextCapabilities\n\n  /** Spawn a new execution environment */\n  spawn: (config?: SpawnConfig) => Promise<ExecutionHandle>\n\n  /**\n   * Execute a shell command in the context.\n   *\n   * `signal` propagates abort all the way down to the underlying child\n   * process — the implementation is expected to wire it into whatever\n   * spawn primitive it uses so the OS receives a SIGTERM (or equivalent)\n   * when the caller aborts. Without it, a cancelled tool returns its\n   * cancellation marker to the model but the underlying process keeps\n   * running in the background, orphaning compute / locks / IO. Pass\n   * `ctx.signal` from a tool body to inherit the per-call + run-level\n   * abort union; pass a freshly-built one for a host-driven kill.\n   *\n   * Implementations are free to ignore `signal` (the contract degrades\n   * gracefully — the process simply won't be killed), but the in-process\n   * default DOES honor it via `child_process.exec`'s native `signal`\n   * option.\n   */\n  exec: (handle: ExecutionHandle, command: string, options?: { cwd?: string, env?: Record<string, string>, timeout?: number, signal?: AbortSignal }) => Promise<ExecResult>\n\n  /**\n   * Start a process in the background. Settles as soon as `spawn` returns\n   * — does NOT wait for the child to exit. Stdout + stderr stream\n   * interleaved to the file at the returned `outputPath`. The caller\n   * (typically the agent) reads incremental output via the regular\n   * {@link ExecutionContext.readFile} seam.\n   *\n   * Optional — contexts without background support (some remote sandboxes)\n   * just don't implement it. The shell tool surfaces a clean\n   * \"background mode is not supported in this execution context\" error\n   * when this is undefined.\n   *\n   * `onExit` is called once when the child terminates (natural, killed,\n   * or error). The same instance that called `execBackground` is the\n   * exclusive owner of the callback — it's not a multi-cast bus. Hosts\n   * wire this to the agent's pending-notification queue so the model\n   * gets a `<task-notification>` on its next turn.\n   *\n   * `onExit` is OPTIONAL: remote / durable contexts may have no legal\n   * way to push a callback from a timer back into the host (a Restate\n   * journal, for instance, forbids out-of-band writes). Such contexts\n   * simply record the exit in their registry; the agent loop reconciles\n   * by polling {@link ExecutionContext.listBackground} at run\n   * boundaries, where a host journal wrapper is legal (the\n   * `background:reconcile` hook is the journalable seam).\n   *\n   * See `docs/RUN_IN_BACKGROUND.md` for the broader design contract\n   * (file location, replay semantics, suppression rules).\n   */\n  execBackground?: (\n    handle: ExecutionHandle,\n    command: string,\n    options: {\n      cwd?: string\n      env?: Record<string, string>\n      /**\n       * Absolute directory the context appends `<task-id>.log` to. The\n       * agent owns this path because it carries session-shaped knowledge\n       * (`<userDir>/<sessionId>/tasks/`) the context can't synthesize.\n       * Must already exist OR be creatable by the context — the\n       * implementation handles `mkdir -p` defensively.\n       */\n      outputDir: string\n      /** Push-style exit callback. Optional — see the method doc. */\n      onExit?: (info: TaskExitInfo) => void\n      /**\n       * Cap on bytes written to the output file. Beyond the cap the\n       * process KEEPS RUNNING; further output is counted but dropped,\n       * and a `<output-truncated bytes-dropped=\"N\"/>` marker is\n       * appended when the task settles. Unset / non-positive = no cap.\n       */\n      maxOutputBytes?: number\n      /**\n       * Stall watchdog: when the task produces no output for this many\n       * milliseconds, `onStall` fires ONCE (one-shot — re-arms only\n       * after fresh output arrives). The process is NOT killed; the\n       * consumer decides (typically by telling the model the task may\n       * be stuck at an interactive prompt). Unset = no watchdog.\n       */\n      stallTimeoutMs?: number\n      /** One-shot stall callback — see `stallTimeoutMs`. */\n      onStall?: (info: TaskStallInfo) => void\n    },\n  ) => Promise<TaskHandle>\n\n  /**\n   * SIGTERM the whole process group of a running background task.\n   * Idempotent — second call returns `null` (or the cached exit info).\n   * Resolves once the process has exited AND its output stream has\n   * been flushed + closed.\n   *\n   * `null` return on miss (unknown id, already cleaned up) so the\n   * shell_kill tool can surface a clean \"no such task\" message\n   * without throwing.\n   */\n  killBackground?: (\n    handle: ExecutionHandle,\n    taskId: string,\n  ) => Promise<TaskExitInfo | null>\n\n  /**\n   * Snapshot of every task in the context's registry — running AND\n   * terminated (entries remain until the next context destroy, so\n   * the model can still read output of exited tasks).\n   */\n  listBackground?: (\n    handle: ExecutionHandle,\n  ) => Promise<readonly TaskEntry[]>\n\n  /**\n   * Block until a background task terminates, then resolve with its\n   * exit info. Resolves immediately for already-terminated tasks.\n   *\n   * Returns `null` when:\n   *   - the task id is unknown (or owned by another handle — same\n   *     isolation contract as `killBackground`), OR\n   *   - `timeoutMs` elapsed / `signal` aborted before the task exited.\n   *\n   * Callers that need to distinguish \"unknown\" from \"still running\"\n   * should consult `listBackground` first (the `wait_task` tool does).\n   *\n   * This is the injectable wait seam for the `wait_task` tool:\n   * in-process contexts implement it on the existing `onExit`\n   * machinery; durable hosts implement it as an awakeable park\n   * (runner fires task-exit over their bridge → resolveAwakeable).\n   */\n  waitBackground?: (\n    handle: ExecutionHandle,\n    taskId: string,\n    options?: { timeoutMs?: number, signal?: AbortSignal },\n  ) => Promise<TaskExitInfo | null>\n\n  /**\n   * Transfer ownership of every still-running task from `fromHandle`\n   * to `toHandle`. Used by the spawn tool to \"promote\" a subagent's\n   * background tasks up to the parent's handle so they outlive the\n   * subagent's destroy() — matching shell semantics, where a `&`-ed\n   * command outlives the parent process.\n   *\n   * Side effects:\n   *   - The task's `handleId` is rewritten, so subsequent\n   *     `listBackground(toHandle)` / `killBackground(toHandle, …)` /\n   *     `destroy(toHandle)` see it (and `fromHandle`-scoped operations\n   *     don't).\n   *   - When `newOnExit` is provided, the original `onExit` is\n   *     REPLACED with it. Critical: the task's natural exit callback\n   *     was captured against the spawning agent's hook bus, which is\n   *     about to be destroyed; without rewiring, the parent never\n   *     learns when the task terminates. Pass a closure that fires\n   *     the parent agent's `background:exit` hook.\n   *\n   * Returns the entries that were actually reassigned (running tasks\n   * only; terminated ones stay where they are). Implementations that\n   * don't support reassignment can leave this undefined; the caller\n   * (spawn.ts) falls back to the current behavior of killing child\n   * tasks at subagent shutdown.\n   */\n  reassignBackgroundTasks?: (\n    fromHandle: ExecutionHandle,\n    toHandle: ExecutionHandle,\n    newOnExit?: (info: TaskExitInfo) => void,\n  ) => Promise<readonly TaskEntry[]>\n\n  /** Read a file from the context's filesystem */\n  readFile: (handle: ExecutionHandle, path: string) => Promise<string>\n\n  /**\n   * Read a file from the context's filesystem as raw bytes.\n   *\n   * Used by `read_file` to dispatch image / binary files into the multimodal\n   * `ToolResultContent[]` route. Optional — when not implemented, the tool\n   * falls back to `base64 < path` via the `exec` seam, which works in any\n   * shell-capable context. Implementations that already have a native\n   * binary read (in-process `fs.readFile` without encoding, container API,\n   * sandbox SDK) should override for the latency win.\n   */\n  readFileBinary?: (handle: ExecutionHandle, path: string) => Promise<Uint8Array>\n\n  /** Write a file to the context's filesystem */\n  writeFile: (handle: ExecutionHandle, path: string, content: string) => Promise<void>\n\n  /**\n   * List files in the context filesystem.\n   *\n   * Plain paths list immediate directory entries (legacy behavior). Paths that\n   * contain glob metacharacters (`*`, `?`, `[]`, `{}`) request matched file\n   * enumeration inside the target context. Contexts that cannot support\n   * globbing should throw a clear error rather than silently returning no\n   * matches. `metadata` is best-effort and only required when the context can\n   * provide it without expensive per-file shell calls.\n   */\n  listFiles: (handle: ExecutionHandle, path: string, options?: ListFilesOptions) => Promise<ListFilesEntry[]>\n\n  /**\n   * Resolve the host-side port that a container port was published on\n   * (docker context only, and only when the matching entry was created\n   * with `host` omitted in `SpawnConfig.ports`).\n   *\n   * Resolves to `null` if the container port isn't published. Other\n   * contexts (process, sandbox) don't implement this; they don't have\n   * a port-mapping concept.\n   */\n  getMappedPort?: (handle: ExecutionHandle, containerPort: number) => Promise<number | null>\n\n  /** Destroy the execution environment and clean up resources */\n  destroy: (handle: ExecutionHandle) => Promise<void>\n}\n\n// ---------------------------------------------------------------------------\n// Background task types\n// ---------------------------------------------------------------------------\n\n/**\n * Lifecycle status of a background task.\n *\n * - `'running'` — process is still live; `exitCode` / `signal` unset.\n * - `'exited'` — process terminated on its own (clean or non-zero exit).\n * - `'killed'` — the host issued `killBackground` (SIGTERM to the group).\n *\n * The status is a coarse-grained signal; the exit code carries the\n * fine-grained detail (e.g. `143 = SIGTERM` for `'killed'`).\n */\nexport type BackgroundTaskStatus = 'running' | 'exited' | 'killed'\n\n/**\n * Returned synchronously by `execBackground` — the handle the model and\n * the framework use to refer to the task until it terminates.\n *\n * `outputPath` is an absolute path to the log file the context is\n * appending stdout + stderr to (interleaved by emit order). The model\n * reads it via the normal `read_file` tool; no special tool is required.\n */\nexport interface TaskHandle {\n  /**\n   * Stable id minted by the context — typically `bash_<n>` for\n   * `ProcessContext`. Sequential within a single context instance,\n   * resets when a new context is constructed. Forwarded to `killBackground` /\n   * `listBackground` and stamped into every `<task-notification>` block.\n   */\n  taskId: string\n  /** OS pid of the spawned shell wrapper (process-group leader on POSIX). */\n  pid: number\n  /** Absolute path to the log file the context is streaming output into. */\n  outputPath: string\n}\n\n/**\n * Fired exactly once per task when the child process terminates, via\n * `execBackground`'s `onExit` callback. The agent layer translates this\n * into a queued `<task-notification>` for the next turn.\n *\n * `signal` is set when the child was terminated by a signal (e.g.\n * SIGTERM from our own kill-tree, SIGKILL from oom-killer); absent on\n * natural exit. `exitCode` is `128 + signal-number` on signal-killed\n * children, matching POSIX shell conventions — `143` for SIGTERM, etc.\n */\nexport interface TaskExitInfo {\n  taskId: string\n  status: Exclude<BackgroundTaskStatus, 'running'>\n  exitCode: number\n  signal?: NodeJS.Signals\n  outputPath: string\n  /** `Date.now()` delta between spawn and exit. */\n  durationMs: number\n  /** The original command string the model invoked — useful for telemetry / banner summary. */\n  command: string\n}\n\n/**\n * One row in `listBackground`'s snapshot. Living entries (status `'running'`)\n * have `exitCode` / `signal` / `endedAt` unset; terminated entries carry the\n * same data `TaskExitInfo` returned at exit time.\n */\nexport interface TaskEntry {\n  taskId: string\n  pid: number\n  command: string\n  cwd: string\n  startedAt: number\n  /**\n   * Set when the task terminated. Lets pull-based consumers (the agent's\n   * run-boundary reconcile) derive `durationMs = endedAt - startedAt`\n   * without depending on when the snapshot was taken.\n   */\n  endedAt?: number\n  outputPath: string\n  status: BackgroundTaskStatus\n  exitCode?: number\n  signal?: NodeJS.Signals\n  /** Total bytes written to the output file so far — useful for \"task X has produced N KB\" UX hints. */\n  bytesWritten: number\n}\n\n/**\n * Fired by the optional stall watchdog (see `execBackground`'s\n * `stallTimeoutMs`) when a running task has produced no output for the\n * configured window. The process is still alive — this is a signal, not\n * a state transition.\n */\nexport interface TaskStallInfo {\n  taskId: string\n  command: string\n  outputPath: string\n  /** Milliseconds since the last output chunk (>= the configured window). */\n  stalledForMs: number\n  /** Total bytes the task has written so far. */\n  bytesWritten: number\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AA+BA,MAAM,YAAY,UAAU,aAAa,MAAM,OAAO,uBAAuB,KAAK;;;;;;;AAQlF,MAAM,0BAA0B,QAAQ,aAAa;;;;;;;AAQrD,MAAM,qBAAqB,KAAK,OAAO;;;;;;;AAQvC,MAAM,2BAA2B;;;;;;;;;;;;;;AAejC,MAAM,2BAA2B;;;;;;;;;;;AAYjC,MAAM,aAAa;AAEnB,SAAS,iBAAiB,QAAsB;CAC9C,IAAI,CAAC,WAAW,KAAK,MAAM,GACzB,MAAM,IAAI,MAAM,oBAAoB,OAAO,iBAAiB,WAAW,EAAE;AAC7E;;;;;;;;;AAUA,SAAgB,uBAAuB,MAAoB;CACzD,MAAM,QAAQ,MAAsB,EAAE,SAAS,EAAE,SAAS,GAAG,GAAG;CAChE,MAAM,QAAQ,MAAsB,EAAE,SAAS,EAAE,SAAS,GAAG,GAAG;CAQhE,OAAO,GAPG,KAAK,eAOL,IANA,KAAK,KAAK,YAAY,IAAI,CAMtB,IALJ,KAAK,KAAK,WAAW,CAKb,EAAE,GAJV,KAAK,KAAK,YAAY,CAIT,IAHb,KAAK,KAAK,cAAc,CAGP,IAFjB,KAAK,KAAK,cAAc,CAEH,EAAE,GADtB,KAAK,KAAK,mBAAmB,CACH;AACvC;;AAMA,SAAS,QAAQ,KAAwB,MAAmC;CAC1E,MAAM,MAAyB,CAAC;CAChC,KAAK,MAAM,OAAO,MAChB,IAAI,IAAI,SAAS,KAAA,GACf,IAAI,OAAO,IAAI;CAEnB,OAAO;AACT;AAEA,SAAgB,qBAAqB,QAAwC;CAC3E,IAAI,UAAU;CACd,MAAM,0BAAU,IAAI,IAA6B;CACjD,MAAM,aAAa,QAAQ,OAAO,QAAQ,IAAI;CAC9C,MAAM,aAAa,QAAQ;CAC3B,MAAM,iBAAiB,QAAQ,kBAAkB;CAMjD,MAAM,UAA6B,QAAQ,eAAe,QACtD,QAAQ,QAAQ,KAAK;EAAC;EAAQ;EAAQ;EAAS;EAAQ;EAAU;EAAQ;EAAQ;CAAQ,CAAC,IAC1F,QAAQ;CAGZ,MAAM,gBAAgB,QAAQ,kBAAkB,KAAA,IAC5C,QAAQ,YAAY,OAAO,aAAa,IACxC,KAAA;;CAGJ,SAAS,aAAa,MAAc,QAAyB;EAC3D,MAAM,MAAM,SAAS,MAAM,MAAM;EACjC,OAAO,QAAQ,MAAO,CAAC,IAAI,WAAW,IAAI,KAAK,CAAC,WAAW,GAAG;CAChE;;;;;;;CAQA,eAAe,iBAAiB,QAAyB,MAA+B;EACtF,MAAM,OAAO,QAAQ,OAAO,KAAK,IAAI;EACrC,IAAI,kBAAkB,KAAA,GACpB,OAAO;EAIT,IAAI,WAAW;EACf,MAAM,OAAiB,CAAC;EACxB,OAAO,MACL,IAAI;GACF,WAAW,MAAM,SAAS,QAAQ;GAClC;EACF,QACM;GACJ,MAAM,SAAS,QAAQ,QAAQ;GAC/B,IAAI,WAAW,UAAU;IAEvB,WAAW;IACX;GACF;GAGA,KAAK,QAAQ,SAAS,QAAQ,QAAQ,CAAC;GACvC,WAAW;EACb;EAEF,MAAM,YAAY,KAAK,SAAS,QAAQ,UAAU,GAAG,IAAI,IAAI;EAC7D,MAAM,gBAAgB,MAAM,SAAS,aAAa,EAAE,YAAY,aAAa;EAC7E,IAAI,CAAC,aAAa,eAAe,SAAS,GACxC,MAAM,IAAI,MACR,oCAAoC,KAAK,qBAAqB,cAAc,EAC9E;EAEF,OAAO;CACT;;;;;;;;CASA,MAAM,wBAAQ,IAAI,IAAuB;CACzC,IAAI,cAAc;;;;;;;;;;;;;;;;;;;;CAqBlB,MAAM,mBAAmB,uCAAuB,IAAI,KAAK,CAAC;;;;;;;;;;;;;;;;;;;;CAqB1D,IAAI,wBAAwB;CAC5B,MAAM,oBAA0B;EAC9B,KAAK,MAAM,QAAQ,MAAM,OAAO,GAAG;GACjC,IAAI,KAAK,WAAW,WAClB;GACF,MAAM,MAAM,KAAK,MAAM;GACvB,IAAI,QAAQ,KAAA,GACV;GACF,IAAI;IACF,IAAI,yBACF,QAAQ,KAAK,CAAC,KAAK,SAAS;SAE5B,QAAQ,KAAK,KAAK,SAAS;GAC/B,QACM,CAIN;EACF;CACF;CAEA,OAAO;EACL,MAAM;EAEN,cAAc;GACZ,OAAO;GACP,YAAY;GACZ,MAAM;GACN,SAAS;GACT,KAAK;GAKL,eAAe;EACjB;EAEA,MAAM,MAAM,WAAmD;GAC7D,MAAM,KAAK,WAAW,EAAE;GACxB,MAAM,MAAM,WAAW,OAAO;GAW9B,IAAI,cAAc;GAClB,IAAI;IACF,MAAM,KAAK,GAAG;GAChB,SACO,KAAK;IACV,cAAe,KAA+B,SAAS;GACzD;GACA,IAAI,aACF,MAAM,MAAM,KAAK,EAAE,WAAW,KAAK,CAAC;GAEtC,MAAM,SAA0B;IAAE;IAAI,MAAM;IAAW;GAAI;GAC3D,QAAQ,IAAI,IAAI,MAAM;GACtB,OAAO;EACT;EAEA,MAAM,KACJ,QACA,SACA,SACqB;GACrB,MAAM,MAAM,SAAS,MAAM,QAAQ,OAAO,KAAK,QAAQ,GAAG,IAAI,OAAO;GAKrE,IAAI,SAAS,QAAQ,SACnB,OAAO;IAAE,QAAQ;IAAI,QAAQ;IAAkC,UAAU;GAAI;GAG/E,MAAM,aAAa,SAAS,WAAW,QAAQ,QAAQ,WAAW,MAAM;GACxE,MAAM,YAAY;GAIlB,MAAM,aAAa,MAAM,UAAU;GAEnC,OAAO,IAAI,SAAqB,aAAa;IAc3C,MAAM,QAAQ,WAAW,WAAW,CAAC,MAAM,OAAO,GAAG;KACnD;KACA,KAAK;MAAE,GAAG;MAAS,GAAG;MAAY,GAAG,SAAS;KAAI;KAClD,OAAO;MAAC;MAAU;MAAQ;KAAM;KAChC,UAAU;IACZ,CAAC;IAED,IAAI,SAAS;IACb,IAAI,SAAS;IAKb,IAAI,cAAc;IAClB,IAAI,cAAc;IAClB,IAAI,kBAAkB;IACtB,IAAI,WAAW;IACf,IAAI,gBAAgB;IACpB,IAAI,UAAU;IAEd,MAAM,gBAAgB,MAA2B,UAAwB;KACvE,MAAM,OAAO,SAAS,WAAW,cAAc;KAC/C,IAAI,QAAQ,WAAW;MAGrB,IAAI,CAAC,iBAAiB;OACpB,kBAAkB;OAClB,iBAAiB,OAAO,SAAS;MACnC;MACA;KACF;KACA,MAAM,OAAO,YAAY;KACzB,IAAI,QAAQ;KACZ,IAAI,MAAM,SAAS,MAAM;MAIvB,IAAI,MAAM;MACV,OAAO,MAAM,MAAM,MAAM,OAAO,SAAU,KACxC;MACF,QAAQ,MAAM,SAAS,GAAG,GAAG;KAC/B;KACA,IAAI,SAAS,UAAU;MACrB,UAAU,MAAM,SAAS,MAAM;MAC/B,eAAe,MAAM;KACvB,OACK;MACH,UAAU,MAAM,SAAS,MAAM;MAC/B,eAAe,MAAM;KACvB;KACA,IAAI,MAAM,SAAS,MAAM;MACvB,kBAAkB;MAGlB,iBAAiB,OAAO,SAAS;KACnC;IACF;IAEA,MAAM,QAAQ,GAAG,SAAQ,UAAS,aAAa,UAAU,KAAe,CAAC;IACzE,MAAM,QAAQ,GAAG,SAAQ,UAAS,aAAa,UAAU,KAAe,CAAC;IAEzE,MAAM,eAAe,YAAY,IAC7B,iBAAiB;KACf,WAAW;KACX,iBAAiB,OAAO,SAAS;IACnC,GAAG,SAAS,IACZ,KAAA;IAEJ,MAAM,gBAAsB;KAC1B,gBAAgB;KAChB,iBAAiB,OAAO,SAAS;IACnC;IACA,MAAM,aAAa,SAAS;IAC5B,IAAI,YACF,WAAW,iBAAiB,SAAS,SAAS,EAAE,MAAM,KAAK,CAAC;IAE9D,IAAI;IAEJ,MAAM,UAAU,UAAkB,gBAA+B;KAC/D,IAAI,SACF;KACF,UAAU;KACV,IAAI,cACF,aAAa,YAAY;KAC3B,IAAI,gBACF,aAAa,cAAc;KAC7B,IAAI,YACF,WAAW,oBAAoB,SAAS,OAAO;KACjD,MAAM,cAAc,cACf,SAAS,GAAG,OAAO,IAAI,gBAAgB,cACxC;KACJ,SAAS;MAAE;MAAQ,QAAQ;MAAa;KAAS,CAAC;IACpD;IAQA,MAAM,oBAAoB,MAAqB,WAAwC;KACrF,IAAI,eAAe;MACjB,OAAO,KAAK,mBAAmB;MAC/B;KACF;KACA,IAAI,UAAU;MACZ,OAAO,KAAK,2BAA2B,UAAU,GAAG;MACpD;KACF;KACA,IAAI,iBAAiB;MACnB,OAAO,KAAK,mBAAmB,UAAU,6BAA6B;MACtE;KACF;KACA,IAAI,QAAQ;MAGV,OAAO,KAAU,wBAAwB,QAAQ;MACjD;KACF;KACA,OAAO,OAAO,SAAS,WAAW,OAAO,CAAC;IAC5C;IAEA,MAAM,GAAG,UAAU,QAAQ;KAIzB,OAAO,GAAG,IAAI,OAAO;IACvB,CAAC;IAED,MAAM,GAAG,UAAU,MAAM,WAAW,iBAAiB,MAAM,MAAM,CAAC;IAElE,MAAM,GAAG,SAAS,MAAM,WAAW;KAOjC,iBAAiB,iBAAiB;MAChC,IAAI,SACF;MACF,MAAM,QAAQ,QAAQ;MACtB,MAAM,QAAQ,QAAQ;MACtB,iBAAiB,MAAM,MAAM;KAC/B,GAAG,wBAAwB;KAC3B,eAAe,QAAQ;IACzB,CAAC;GACH,CAAC;EACH;EAEA,MAAM,SAAS,QAAyB,MAA+B;GACrE,OAAO,SAAS,MAAM,iBAAiB,QAAQ,IAAI,GAAG,OAAO;EAC/D;EAEA,MAAM,eAAe,QAAyB,MAAmC;GAG/E,MAAM,MAAM,MAAM,SAAS,MAAM,iBAAiB,QAAQ,IAAI,CAAC;GAC/D,OAAO,IAAI,WAAW,GAAG;EAC3B;EAEA,MAAM,UAAU,QAAyB,MAAc,SAAgC;GACrF,MAAM,WAAW,MAAM,iBAAiB,QAAQ,IAAI;GACpD,MAAM,MAAM,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;GAClD,MAAM,UAAU,UAAU,SAAS,OAAO;EAC5C;EAEA,MAAM,UAAU,QAAyB,MAAc,SAAoC;GACzF,IAAI,SAAS,MAAM;IACjB,MAAM,iBAAiB,QAAQ,kBAAkB,IAAI,KAAK,GAAG;IAC7D,MAAM,UAAU,MAAM,eAAe,MAAM,OAAO,KAAK;KACrD,OAAO,SAAS,SAAS;KACzB,UAAU,SAAS;IACrB,CAAC;IACD,IAAI,kBAAkB,KAAA,GACpB,OAAO;IACT,MAAM,YAA8B,CAAC;IACrC,KAAK,MAAM,SAAS,SAClB,IAAI;KACF,MAAM,iBAAiB,QAAQ,MAAM,IAAI;KACzC,UAAU,KAAK,KAAK;IACtB,QACM,CAIN;IAEF,OAAO;GACT;GACA,OAAO,QAAQ,MAAM,iBAAiB,QAAQ,IAAI,CAAC;EACrD;EAEA,MAAM,eACJ,QACA,SACA,SASqB;GACrB,MAAM,MAAM,QAAQ,MAAM,QAAQ,OAAO,KAAK,QAAQ,GAAG,IAAI,OAAO;GAKpE,MAAM,aAAa,MAAM,UAAU;GAEnC,MAAM,MAAM,QAAQ,WAAW,EAAE,WAAW,KAAK,CAAC;GAUlD,MAAM,SAAS,QAAQ,EAAE;GACzB,iBAAiB,MAAM;GACvB,MAAM,aAAa,QAAQ,QAAQ,WAAW,GAAG,OAAO,GAAG,iBAAiB,KAAK;GAIjF,IAAI,CAAC,uBAAuB;IAC1B,QAAQ,GAAG,QAAQ,WAAW;IAC9B,wBAAwB;GAC1B;GAUA,MAAM,eAA4B,kBAAkB,YAAY,EAAE,OAAO,IAAI,CAAC;GAS9E,aAAa,GAAG,UAAU,QAAQ;IAChC,IAAI,QAAQ,IAAI,cACd,QAAQ,OAAO,MAAM,0BAA0B,OAAO,qBAAqB,IAAI,QAAQ,GAAG;GAC9F,CAAC;GAMD,MAAM,QAAQ,WAAW,WAAW,CAAC,MAAM,OAAO,GAAG;IACnD;IACA,KAAK;KAAE,GAAG;KAAS,GAAG;KAAY,GAAG,QAAQ;IAAI;IACjD,OAAO;KAAC;KAAU;KAAQ;IAAM;IAChC,UAAU;GACZ,CAAC;GAED,MAAM,QAAmB;IACvB;IACA,UAAU,OAAO;IACjB,KAAK,MAAM,OAAO;IAClB;IACA;IACA,WAAW,KAAK,IAAI;IACpB;IACA;IACA;IACA,QAAQ;IACR,cAAc;IACd,SAAS;IACT,QAAQ,QAAQ;GAClB;GACA,MAAM,IAAI,QAAQ,KAAK;GASvB,MAAM,iBAAiB,OAAO,QAAQ,mBAAmB,YAAY,QAAQ,iBAAiB,IAC1F,QAAQ,iBACR,KAAA;GACJ,IAAI,eAAe;GAKnB,IAAI,eAAe;GAMnB,MAAM,iBAAiB,OAAO,QAAQ,mBAAmB,YAAY,QAAQ,iBAAiB,IAC1F,QAAQ,iBACR,KAAA;GACJ,MAAM,UAAU,QAAQ;GACxB,IAAI;GACJ,IAAI,eAAe,KAAK,IAAI;GAC5B,MAAM,sBAA4B;IAChC,IAAI,CAAC,kBAAkB,CAAC,SACtB;IACF,IAAI,YACF,aAAa,UAAU;IACzB,aAAa,iBAAiB;KAC5B,aAAa,KAAA;KACb,IAAI,MAAM,SACR;KACF,IAAI;MACF,QAAQ;OACN;OACA;OACA;OACA,cAAc,KAAK,IAAI,IAAI;OAC3B,cAAc,MAAM;MACtB,CAAC;KACH,SACO,KAAK;MACV,IAAI,QAAQ,IAAI,cACd,QAAQ,OAAO,MAAM,0BAA0B,OAAO,kBAAkB,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,EAAE,GAAG;KAChI;IACF,GAAG,cAAc;IACjB,WAAW,QAAQ;GACrB;GACA,MAAM,wBAA8B;IAClC,IAAI,YAAY;KACd,aAAa,UAAU;KACvB,aAAa,KAAA;IACf;GACF;GACA,cAAc;GAQd,MAAM,eAAe,UAAwB;IAC3C,MAAM,gBAAgB,MAAM;IAC5B,eAAe,KAAK,IAAI;IACxB,cAAc;IACd,IAAI,mBAAmB,KAAA,GAAW;KAChC,MAAM,SAAS,MAAM,eAAe,eAAe,MAAM;KACzD,IAAI,gBAAgB,UAAU,gBAAgB;MAC5C,eAAe;MACf,gBAAgB,MAAM;MACtB;KACF;KACA,MAAM,OAAO,iBAAiB;KAC9B,IAAI,MAAM,SAAS,MAAM;MACvB,eAAe;MAKf,IAAI,MAAM;MACV,OAAO,MAAM,MAAM,MAAM,OAAO,SAAU,KACxC;MACF,gBAAgB,MAAM,SAAS;MAC/B,IAAI,MAAM,GACR,aAAa,MAAM,MAAM,SAAS,GAAG,GAAG,CAAC;MAC3C;KACF;IACF;IACA,aAAa,MAAM,KAAK;GAC1B;GACA,MAAM,QAAQ,GAAG,SAAQ,UAAS,YAAY,KAAe,CAAC;GAC9D,MAAM,QAAQ,GAAG,SAAQ,UAAS,YAAY,KAAe,CAAC;GAM9D,MAAM,UAAU,OAA0B,MAAqB,QAA+B,eAA8B;IAC1H,IAAI,MAAM,SACR;IACF,MAAM,UAAU;IAChB,gBAAgB;IAChB,MAAM,UAAU,KAAK,IAAI;IAGzB,MAAM,SACF,WAAW,aAAa,MAAM,gBAC5B,WACA;IAIN,MAAM,WAAW,SAAS,OACtB,OACA,WAAW,YACT,MACA,SACE,MACA;IACR,MAAM,SAAS;IACf,MAAM,WAAW;IACjB,IAAI,QACF,MAAM,SAAS;IAcjB,IAAI,YACF,IAAI;KACF,aAAa,MAAM,KAAK,WAAW,GAAG;IACxC,QACM,CAEN;IAEF,IAAI,eAAe,GACjB,IAAI;KAGF,aAAa,MAAM,sCAAsC,aAAa,MAAM;IAC9E,QACM,CAEN;IAEF,aAAa,UAAU;KAKrB,IAAI;MACF,MAAM,SAAS,oBAAoB,KAAK,CAAC;KAC3C,SACO,KAAK;MAIV,IAAI,QAAQ,IAAI,cACd,QAAQ,OAAO,MAAM,0BAA0B,OAAO,iBAAiB,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,EAAE,GAAG;KAC/H;IACF,CAAC;GACH;GAEA,MAAM,GAAG,UAAU,MAAM,WAAW,OAAO,SAAS,MAAM,MAAM,CAAC;GACjE,MAAM,GAAG,UAAS,QAAO,OAAO,SAAS,MAAM,MAAM,iBAAiB,IAAI,SAAS,CAAC;GAEpF,MAAM,GAAG,SAAS,MAAM,WAAW;IAajC,iBAPwC;KACtC,IAAI,MAAM,SACR;KACF,MAAM,QAAQ,QAAQ;KACtB,MAAM,QAAQ,QAAQ;KACtB,OAAO,SAAS,MAAM,MAAM;IAC9B,GAAG,wBACU,EAAE,QAAQ;GACzB,CAAC;GAED,OAAO;IAAE;IAAQ,KAAK,MAAM;IAAK;GAAW;EAC9C;EAEA,MAAM,eAAe,QAAyB,QAA8C;GAC1F,MAAM,QAAQ,MAAM,IAAI,MAAM;GAO9B,IAAI,CAAC,SAAS,MAAM,aAAa,OAAO,IACtC,OAAO;GAIT,IAAI,MAAM,WAAW,WACnB,OAAO,oBAAoB,KAAK;GAOlC,MAAM,gBAAgB;GAMtB,MAAM,SAAS,IAAI,SAAe,aAAa;IAC7C,IAAI,MAAM,SAAS;KACjB,SAAS;KACT;IACF;IACA,MAAM,iBAAiB,MAAM;IAC7B,MAAM,UAAU,SAAS;KACvB,iBAAiB,IAAI;KACrB,SAAS;IACX;GACF,CAAC;GAED,iBAAiB,MAAM,OAAO,SAAS;GACvC,MAAM;GACN,OAAO,oBAAoB,KAAK;EAClC;EAEA,MAAM,eACJ,QACA,QACA,SAC8B;GAC9B,MAAM,QAAQ,MAAM,IAAI,MAAM;GAI9B,IAAI,CAAC,SAAS,MAAM,aAAa,OAAO,IACtC,OAAO;GACT,IAAI,MAAM,SACR,OAAO,oBAAoB,KAAK;GAElC,OAAO,IAAI,SAA8B,aAAa;IACpD,IAAI,OAAO;IACX,IAAI;IACJ,MAAM,SAAS,SAAS;IACxB,MAAM,UAAU,UAAqC;KACnD,IAAI,MACF;KACF,OAAO;KACP,IAAI,OACF,aAAa,KAAK;KACpB,QAAQ,oBAAoB,SAAS,OAAO;KAC5C,SAAS,KAAK;IAChB;IACA,SAAS,UAAgB;KACvB,OAAO,IAAI;IACb;IAMA,MAAM,iBAAiB,MAAM;IAC7B,MAAM,UAAU,SAAS;KACvB,iBAAiB,IAAI;KACrB,OAAO,oBAAoB,KAAK,CAAC;IACnC;IAEA,IAAI,QAAQ;KACV,IAAI,OAAO,SAAS;MAClB,OAAO,IAAI;MACX;KACF;KACA,OAAO,iBAAiB,SAAS,SAAS,EAAE,MAAM,KAAK,CAAC;IAC1D;IACA,MAAM,YAAY,SAAS;IAC3B,IAAI,OAAO,cAAc,YAAY,OAAO,SAAS,SAAS,KAAK,YAAY,GAAG;KAChF,QAAQ,WAAW,QAAQ,WAAW,IAAI;KAC1C,MAAM,QAAQ;IAChB;GACF,CAAC;EACH;EAEA,MAAM,wBACJ,YACA,UACA,WAC+B;GAG/B,IAAI,WAAW,OAAO,SAAS,IAC7B,OAAO,CAAC;GACV,MAAM,WAAwB,CAAC;GAC/B,KAAK,MAAM,SAAS,MAAM,OAAO,GAAG;IAClC,IAAI,MAAM,aAAa,WAAW,MAAM,MAAM,WAAW,WACvD;IACF,MAAM,WAAW,SAAS;IAK1B,IAAI,WACF,MAAM,SAAS;IACjB,SAAS,KAAK,iBAAiB,KAAK,CAAC;GACvC;GACA,OAAO;EACT;EAEA,MAAM,eAAe,QAAwD;GAM3E,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,EACtB,QAAO,MAAK,EAAE,aAAa,OAAO,EAAE,EACpC,MAAM,GAAG,MAAM,EAAE,YAAY,EAAE,SAAS,EACxC,IAAI,gBAAgB;EACzB;EAEA,MAAM,QAAQ,QAAwC;GAkBpD,MAAM,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,EAAE,QAAO,MAAK,EAAE,aAAa,OAAO,MAAM,CAAC,EAAE,OAAO;GACxF,MAAM,QAAQ,IAAI,UAAU,IAAI,OAAO,UAAU;IAC/C,MAAM,gBAAgB;IACtB,MAAM,IAAI,SAAe,aAAa;KACpC,IAAI;KACJ,MAAM,iBAAiB,MAAM;KAC7B,MAAM,UAAU,SAAS;MACvB,iBAAiB,IAAI;MACrB,IAAI,YACF,aAAa,UAAU;MACzB,SAAS;KACX;KACA,iBAAiB,MAAM,OAAO,SAAS;KAQvC,aAAa,iBAAiB;MAC5B,iBAAiB,MAAM,OAAO,SAAS;MAIvC,MAAM,aAAa,QAAQ;MAC3B,SAAS;KACX,GAAG,cAAc;KACjB,WAAW,QAAQ;IACrB,CAAC;GACH,CAAC,CAAC;GAGF,KAAK,MAAM,CAAC,QAAQ,UAAU,OAC5B,IAAI,MAAM,aAAa,OAAO,IAC5B,MAAM,OAAO,MAAM;GAEvB,QAAQ,OAAO,OAAO,EAAE;GAUxB,IAAI,yBAAyB,QAAQ,SAAS,GAAG;IAC/C,QAAQ,IAAI,QAAQ,WAAW;IAC/B,wBAAwB;GAC1B;EACF;CACF;AACF;;;;;;;;AAoEA,SAAS,iBAAiB,OAAqB,QAA8B;CAC3E,MAAM,MAAM,MAAM;CAClB,IAAI,QAAQ,KAAA,GACV;CACF,IAAI;EACF,IAAI,yBACF,QAAQ,KAAK,CAAC,KAAK,MAAM;OAEzB,QAAQ,KAAK,KAAK,MAAM;CAC5B,QACM,CAGN;AACF;;;;;;;AAQA,SAAS,iBAAiB,OAA6B;CACrD,OAAO;EACL,QAAQ,MAAM;EACd,KAAK,MAAM;EACX,SAAS,MAAM;EACf,KAAK,MAAM;EACX,WAAW,MAAM;EACjB,GAAI,MAAM,YAAY,KAAA,IAAY,EAAE,SAAS,MAAM,QAAQ,IAAI,CAAC;EAChE,YAAY,MAAM;EAClB,QAAQ,MAAM;EACd,GAAI,MAAM,aAAa,KAAA,IAAY,EAAE,UAAU,MAAM,SAAS,IAAI,CAAC;EACnE,GAAI,MAAM,SAAS,EAAE,QAAQ,MAAM,OAAO,IAAI,CAAC;EAC/C,cAAc,MAAM;CACtB;AACF;;;;;;;AAQA,SAAS,oBAAoB,OAAgC;CAC3D,OAAO;EACL,QAAQ,MAAM;EACd,QAAQ,MAAM;EACd,UAAU,MAAM,YAAY;EAC5B,GAAI,MAAM,SAAS,EAAE,QAAQ,MAAM,OAAO,IAAI,CAAC;EAC/C,YAAY,MAAM;EAIlB,aAAa,MAAM,WAAW,KAAK,IAAI,KAAK,MAAM;EAClD,SAAS,MAAM;CACjB;AACF;;;;;;;ACjlCA,SAAgB,+BAA+B,SAAoD;CACjG,OAAO,QAAQ,aAAa,kBACtB,QAAQ,iBAAiB,qBAAqB;AACtD"}

package/dist/contexts.d.ts

@@ -1,3 +1,4 @@
 import { _ as TaskStallInfo, a as ContextType, c as ExecutionContext, d as ListFilesEntry, f as ListFilesOptions, g as TaskHandle, h as TaskExitInfo, i as ContextMount, l as ExecutionHandle, m as TaskEntry, n as ContextCapabilities, o as DetachedTasksCapability, p as SpawnConfig, r as ContextHardening, s as ExecResult, t as BackgroundTaskStatus, u as ListFileMetadata, v as resolveDetachedTasksCapability } from "./types-Bs2oY7Ux.js";
-import { n as createSandboxContext, r as createProcessContext, t as SandboxProvider } from "./index-CF15aqlk.js";
+import { t as createProcessContext } from "./index-HQJDOWvo.js";
+import { n as createSandboxContext, t as SandboxProvider } from "./sandbox-B-bMq3K6.js";
 export { type BackgroundTaskStatus, type ContextCapabilities, type ContextHardening, type ContextMount, type ContextType, type DetachedTasksCapability, type ExecResult, type ExecutionContext, type ExecutionHandle, type ListFileMetadata, type ListFilesEntry, type ListFilesOptions, type SandboxProvider, type SpawnConfig, type TaskEntry, type TaskExitInfo, type TaskHandle, type TaskStallInfo, createProcessContext, createSandboxContext, resolveDetachedTasksCapability };

package/dist/contexts.js

@@ -1,2 +1,3 @@
-import { n as createSandboxContext, r as createProcessContext, t as resolveDetachedTasksCapability } from "./contexts-DHi8LPCp.js";
+import { n as createProcessContext, t as resolveDetachedTasksCapability } from "./contexts-BebciJyQ.js";
+import { createSandboxContext } from "./contexts/sandbox.js";
 export { createProcessContext, createSandboxContext, resolveDetachedTasksCapability };

package/dist/{errors-BpPfMo_4.js → errors-DJUxZg9b.js}

@@ -158,7 +158,8 @@ const CONTEXT_EXCEEDED_MESSAGE_PATTERNS = [
 	/context[_\s]length[_\s]exceeded/i,
 	/maximum context length/i,
 	/prompt is too long/i,
-	/context window/i
+	/context window/i,
+	/maximum allowed input length/i
 ];
 /**
 * Regex patterns matching provider-side tool-call / tool-result adjacency
@@ -273,4 +274,4 @@ function toTypedError(classification, provider, cause) {
 //#endregion
 export { AgentToolNotAllowedError as a, classifyErrorPrelude as c, isRetryableHttpStatus as d, matchesContextExceeded as f, AgentProviderError as i, errorMessage as l, toTypedError as m, AgentBudgetExceededError as n, AgentToolPairingError as o, matchesToolPairingError as p, AgentContextExceededError as r, CONTEXT_EXCEEDED_MESSAGE_PATTERNS as s, AgentAbortedError as t, isAbortLikeError as u };
 
-//# sourceMappingURL=errors-BpPfMo_4.js.map
+//# sourceMappingURL=errors-DJUxZg9b.js.map

package/dist/{errors-BpPfMo_4.js.map → errors-DJUxZg9b.js.map}

@@ -1 +1 @@
-{"version":3,"file":"errors-BpPfMo_4.js","names":[],"sources":["../src/errors.ts"],"sourcesContent":["/**\n * Typed error classes for agent runs.\n *\n * Providers classify native errors into one of these so downstream consumers\n * can react without string-sniffing messages.\n *\n * Provider authors: implement `Provider.classifyError` to map native errors\n * (SDK exceptions, HTTP responses) to a `ClassifiedError`. The loop wraps\n * unclassified errors in `AgentProviderError` automatically.\n */\n\n/** Kind of classified provider error */\nexport type ClassifiedErrorKind = 'context_exceeded' | 'provider_error' | 'aborted' | 'tool_pairing_corruption'\n\n/** Structured classification returned by `Provider.classifyError` */\nexport interface ClassifiedError {\n  kind: ClassifiedErrorKind\n  /** Upstream error code as surfaced by the provider (e.g. `context_length_exceeded`). Optional. */\n  providerCode?: string\n  /** Optional human-readable message override. Falls back to the underlying error's message. */\n  message?: string\n  /**\n   * Hint that the error is transient and a retry with backoff is reasonable\n   * (e.g. 429, 5xx, truncated stream). Omitted when the provider can't decide;\n   * callers should default to \"do not retry\" when absent to avoid hammering\n   * terminal failures (auth, invalid request).\n   */\n  retryable?: boolean\n}\n\ninterface TypedErrorOptions {\n  /** Provider name, always set (e.g. `anthropic`, `openrouter`) */\n  provider: string\n  /** Optional upstream error code */\n  providerCode?: string\n  /** Original error from the provider SDK/HTTP layer */\n  cause?: unknown\n  /** See {@link ClassifiedError.retryable}. */\n  retryable?: boolean\n}\n\n/**\n * Thrown when the model or provider signals that the context window was exceeded.\n * Downstream consumers should catch this, prune history, and retry.\n */\nexport class AgentContextExceededError extends Error {\n  readonly code = 'context_exceeded' as const\n  readonly provider: string\n  readonly providerCode?: string\n\n  constructor(message: string, options: TypedErrorOptions) {\n    super(message, options.cause !== undefined ? { cause: options.cause } : undefined)\n    this.name = 'AgentContextExceededError'\n    this.provider = options.provider\n    this.providerCode = options.providerCode\n  }\n}\n\n/**\n * Thrown when the provider returns a non-context error (auth, rate limit, server error, etc.).\n * Catch-all for unclassified provider failures.\n */\nexport class AgentProviderError extends Error {\n  readonly code = 'provider_error' as const\n  readonly provider: string\n  readonly providerCode?: string\n  /**\n   * Whether a retry with backoff is likely to succeed. See\n   * {@link ClassifiedError.retryable}. Absent when the provider did not\n   * classify the error — callers should treat absent as \"don't retry\".\n   */\n  readonly retryable?: boolean\n\n  constructor(message: string, options: TypedErrorOptions) {\n    super(message, options.cause !== undefined ? { cause: options.cause } : undefined)\n    this.name = 'AgentProviderError'\n    this.provider = options.provider\n    this.providerCode = options.providerCode\n    this.retryable = options.retryable\n  }\n}\n\n/**\n * Thrown when a run is aborted by the consumer via `agent.abort()` or an external `AbortSignal`.\n */\nexport class AgentAbortedError extends Error {\n  readonly code = 'aborted' as const\n\n  constructor(message = 'Agent run aborted', options?: { cause?: unknown }) {\n    super(message, options?.cause !== undefined ? { cause: options.cause } : undefined)\n    this.name = 'AgentAbortedError'\n  }\n}\n\n/**\n * Thrown by the loop when a run's cumulative cost, token consumption, or\n * wall-clock elapsed time crosses a ceiling configured on\n * {@link AgentBehavior.maxCostUsd} / {@link AgentBehavior.maxTotalTokens} /\n * {@link AgentBehavior.maxWallMs}. Acts as a programmable circuit\n * breaker for unattended runs — without this, the only built-in safety net\n * is {@link AgentBehavior.maxTurns}, which doesn't bound a single very\n * expensive turn (large context, deep reasoning).\n *\n * The breach is checked **after** each turn completes (post-`turn:after`),\n * so the run may exceed the budget by one turn's worth of usage before\n * tripping. Callers wanting a tighter pre-turn estimate should layer their\n * own check on top of the `usage` hook.\n *\n * The harness treats this the same way as {@link AgentAbortedError}: the\n * session run is finalized as `'aborted'`, persisted stats reflect what\n * was actually consumed, and the parent agent re-throws so a caller's\n * `try`/`catch` can branch on `err instanceof AgentBudgetExceededError`\n * without string-sniffing.\n */\nexport class AgentBudgetExceededError extends Error {\n  readonly code = 'budget_exceeded' as const\n  /** Which ceiling tripped. `'cost'` → `maxCostUsd`, `'tokens'` → `maxTotalTokens`, `'wallClock'` → `maxWallMs`. */\n  readonly limit: 'cost' | 'tokens' | 'wallClock'\n  /** The configured cap (USD for `cost`, total tokens for `tokens`, ms for `wallClock`). */\n  readonly limitValue: number\n  /** Actual consumed value at the moment the cap was crossed (same units as `limitValue`). */\n  readonly actualValue: number\n\n  constructor(options: {\n    limit: 'cost' | 'tokens' | 'wallClock'\n    limitValue: number\n    actualValue: number\n    cause?: unknown\n  }) {\n    const unit = options.limit === 'cost' ? 'USD' : options.limit === 'wallClock' ? 'ms' : 'tokens'\n    super(\n      `Agent run exceeded ${options.limit} budget: ${options.actualValue} ${unit} > ${options.limitValue} ${unit}`,\n      options.cause !== undefined ? { cause: options.cause } : undefined,\n    )\n    this.name = 'AgentBudgetExceededError'\n    this.limit = options.limit\n    this.limitValue = options.limitValue\n    this.actualValue = options.actualValue\n  }\n}\n\n/**\n * Thrown by the pre-send pairing repair when {@link AgentBehavior.strictToolPairing}\n * is `true` and {@link ensureToolResultPairing} would otherwise patch over\n * corruption. Strict mode opts into fail-fast for training-data collectors and\n * any consumer that prefers to bail out rather than ship a transcript carrying\n * a {@link SYNTHETIC_TOOL_RESULT_PLACEHOLDER}.\n *\n * The `repairs` field carries every repair the loop would have made — useful\n * for postmortems and for surfacing exactly which transcripts were rejected.\n *\n * Note: callers consuming the chat layer (TUI/SDK presets) typically leave\n * `strictToolPairing` off so user-facing sessions auto-heal instead of\n * crashing.\n */\nexport class AgentToolPairingError extends Error {\n  readonly code = 'tool_pairing_corruption' as const\n  /** Provider whose wire format the corruption would have hit. */\n  readonly provider?: string\n  /** Upstream error code when the corruption was detected from a 400 response. */\n  readonly providerCode?: string\n  /**\n   * Repairs the harness would have performed had strict mode been off.\n   * Preserves the full diagnostic so consumers can route to telemetry,\n   * `/rewind` flows, or training-data quarantine without re-walking the\n   * transcript.\n   */\n  readonly repairs: ReadonlyArray<{\n    mode: string\n    callId?: string\n    messageIndex: number\n  }>\n\n  constructor(options: {\n    message: string\n    provider?: string\n    providerCode?: string\n    repairs: ReadonlyArray<{ mode: string, callId?: string, messageIndex: number }>\n    cause?: unknown\n  }) {\n    super(options.message, options.cause !== undefined ? { cause: options.cause } : undefined)\n    this.name = 'AgentToolPairingError'\n    this.provider = options.provider\n    this.providerCode = options.providerCode\n    this.repairs = options.repairs\n  }\n}\n\n/**\n * Thrown (well — constructed; attach via the `tool:gate` block signal) when the\n * union of `allowed-tools` across active skills does not permit a tool call.\n *\n * Produced by the allowed-tools middleware registered on `tool:gate` /\n * `mcp:tool:gate`. The gate's `block = true` + `reason` carry the same message\n * so consumers that don't look at this typed error still get a useful string.\n */\nexport class AgentToolNotAllowedError extends Error {\n  readonly code = 'tool_not_allowed' as const\n  /** Canonical tool name the agent tried to call. */\n  readonly toolName: string\n  /** Aliased / wire name the LLM saw. */\n  readonly displayName: string\n  /** Flattened union of `allowedTools` patterns across active skills. */\n  readonly allowedUnion: readonly string[]\n  /** Names of the skills currently active when the block fired. */\n  readonly activeSkills: readonly string[]\n\n  constructor(options: {\n    toolName: string\n    displayName: string\n    allowedUnion: readonly string[]\n    activeSkills: readonly string[]\n    cause?: unknown\n  }) {\n    // Recovery hint points the model at the deactivate path. Without it the\n    // model would invent folk theories like \"skill restrictions reset on\n    // the next user message\" and silently waste turns probing other tools.\n    // The hint mentions exactly one of the active skills (if any) so the\n    // model has a concrete `skills_use({ mode: \"deactivate\", name: ... })`\n    // call to make.\n    const sample = options.activeSkills[0]\n    const hint = sample !== undefined\n      ? ` To use this tool, call \\`skills_use\\` with \\`mode: \"deactivate\"\\` and the active skill name (e.g. \"${sample}\") to lift its restriction — or ask the user to switch agent profile.`\n      : ''\n    const msg = (\n      `Tool \"${options.displayName}\" is not in the allowed-tools union of the active `\n      + `skill(s) [${options.activeSkills.join(', ')}]. Union: [${options.allowedUnion.join(' ')}].${hint}`\n    )\n    super(msg, options.cause !== undefined ? { cause: options.cause } : undefined)\n    this.name = 'AgentToolNotAllowedError'\n    this.toolName = options.toolName\n    this.displayName = options.displayName\n    this.allowedUnion = options.allowedUnion\n    this.activeSkills = options.activeSkills\n  }\n}\n\n/**\n * Regex patterns matching common \"context window exceeded\" messages across providers.\n *\n * Use {@link matchesContextExceeded} to test a free-form error message against them.\n * Provider authors can also compose these into their own `classifyError` fallbacks.\n */\nexport const CONTEXT_EXCEEDED_MESSAGE_PATTERNS: readonly RegExp[] = [\n  /context[_\\s]length[_\\s]exceeded/i,\n  /maximum context length/i,\n  /prompt is too long/i,\n  /context window/i,\n]\n\n/**\n * Regex patterns matching provider-side tool-call / tool-result adjacency\n * rejections. The local pre-send repair pass should prevent these, so a\n * provider still returning one is a typed `tool_pairing_corruption` signal.\n */\nexport const TOOL_PAIRING_ERROR_PATTERNS: readonly RegExp[] = [\n  /tool_use[^a-z0-9]+ids?[^a-z0-9]+were[^a-z0-9]+found[^a-z0-9]+without[^a-z0-9]+tool_result/i,\n  /tool_result[^a-z0-9]+must[^a-z0-9]+be[^a-z0-9]+preceded[^a-z0-9]+by[^a-z0-9]+a[^a-z0-9]+tool_call/i,\n  /unexpected[^a-z0-9]+tool_result[^a-z0-9]+block/i,\n  /tool_use[^a-z0-9]+block.*requires.*tool_result/i,\n  /tool_calls?[^a-z0-9]+must[^a-z0-9]+be[^a-z0-9]+followed[^a-z0-9]+by[^a-z0-9]+tool/i,\n  /tool_call_id[^a-z0-9]+(?:missing|mismatch|invalid)/i,\n  /tool_call_id[^a-z0-9]+not[^a-z0-9]+found/i,\n]\n\n/**\n * Return true when `message` matches any of the known \"context window exceeded\"\n * phrasings. Safe for `''` / non-strings (returns false).\n */\nexport function matchesContextExceeded(message: unknown): boolean {\n  if (typeof message !== 'string' || message.length === 0)\n    return false\n  return CONTEXT_EXCEEDED_MESSAGE_PATTERNS.some(re => re.test(message))\n}\n\n/**\n * Return true when `message` matches a known tool-call / tool-result pairing\n * rejection. Safe for `''` / non-strings (returns false).\n */\nexport function matchesToolPairingError(message: unknown): boolean {\n  if (typeof message !== 'string' || message.length === 0)\n    return false\n  return TOOL_PAIRING_ERROR_PATTERNS.some(re => re.test(message))\n}\n\n/**\n * Shared entry guard for provider `classifyError` paths. Returns:\n *   - `'not-object'` when `err` is null/undefined or not an object — the caller\n *     should `return null` (nothing to classify).\n *   - `'aborted'` when `err.name === 'AbortError'` — the caller should return\n *     `{ kind: 'aborted' }`.\n *   - `null` when `err` is a classifiable object that is not an abort.\n *\n * Collapses the byte-identical `if (!err || typeof err !== 'object') return null`\n * + `if (err.name === 'AbortError') return { kind: 'aborted' }` prelude every\n * provider repeated; per-provider classification past this point differs.\n */\nexport function classifyErrorPrelude(err: unknown): 'not-object' | 'aborted' | null {\n  if (!err || typeof err !== 'object')\n    return 'not-object'\n  if ((err as { name?: unknown }).name === 'AbortError')\n    return 'aborted'\n  return null\n}\n\n/**\n * HTTP status retry rule shared by provider `classifyError` paths: `429` (rate\n * limit) and `5xx` except `501 Not Implemented` are safe to retry with backoff;\n * every other 4xx (bad request, auth, not found) is terminal.\n *\n * Note: `compact/compact.ts` deliberately uses a plain `>=500 && <600` test for\n * a different decision and is intentionally not routed through this.\n */\nexport function isRetryableHttpStatus(status: number): boolean {\n  if (status === 429)\n    return true\n  if (status >= 500 && status !== 501)\n    return true\n  return false\n}\n\n/**\n * Extract a printable message from an unknown thrown value.\n *\n * Standardizes the `err instanceof Error ? err.message : String(err)` idiom\n * that every `catch (err)` block was reaching for.\n */\nexport function errorMessage(err: unknown): string {\n  if (err instanceof Error)\n    return err.message\n  return String(err)\n}\n\n/**\n * Whether `err` is an abort-shaped error — a DOM/Node `AbortError` or a Node\n * `ABORT_ERR` code.\n *\n * Tools that wrap their body in a catch-all converting failures into a normal\n * tool-result string (e.g. `grep`) MUST special-case this and RE-THROW: an\n * abort is not a tool failure. The agent loop turns a propagated abort into\n * its canonical interrupt/cascade marker, whereas a swallowed one would mask\n * cancellation as a misleading `<tool> error:` string.\n */\nexport function isAbortLikeError(err: unknown): boolean {\n  if (!err || typeof err !== 'object')\n    return false\n  const e = err as { name?: unknown, code?: unknown }\n  return e.name === 'AbortError' || e.code === 'ABORT_ERR'\n}\n\n/**\n * Convert a `ClassifiedError` + underlying cause into the matching typed error instance.\n */\nexport function toTypedError(\n  classification: ClassifiedError,\n  provider: string,\n  cause: unknown,\n): AgentContextExceededError | AgentProviderError | AgentAbortedError | AgentToolPairingError {\n  const message = classification.message ?? errorMessage(cause)\n\n  if (classification.kind === 'context_exceeded') {\n    return new AgentContextExceededError(message, {\n      provider,\n      providerCode: classification.providerCode,\n      cause,\n    })\n  }\n\n  if (classification.kind === 'aborted') {\n    return new AgentAbortedError(message, { cause })\n  }\n\n  if (classification.kind === 'tool_pairing_corruption') {\n    return new AgentToolPairingError({\n      message,\n      provider,\n      providerCode: classification.providerCode,\n      // Server-side rejection: we don't have the structured repair list a\n      // local-pre-send strict-mode throw would carry. Surface an empty\n      // array so consumers branching on `repairs.length` see \"the harness\n      // didn't get a chance to walk the transcript\".\n      repairs: [],\n      cause,\n    })\n  }\n\n  return new AgentProviderError(message, {\n    provider,\n    providerCode: classification.providerCode,\n    retryable: classification.retryable,\n    cause,\n  })\n}\n"],"mappings":";;;;;AA6CA,IAAa,4BAAb,cAA+C,MAAM;CACnD,OAAgB;CAChB;CACA;CAEA,YAAY,SAAiB,SAA4B;EACvD,MAAM,SAAS,QAAQ,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAAS;EACjF,KAAK,OAAO;EACZ,KAAK,WAAW,QAAQ;EACxB,KAAK,eAAe,QAAQ;CAC9B;AACF;;;;;AAMA,IAAa,qBAAb,cAAwC,MAAM;CAC5C,OAAgB;CAChB;CACA;;;;;;CAMA;CAEA,YAAY,SAAiB,SAA4B;EACvD,MAAM,SAAS,QAAQ,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAAS;EACjF,KAAK,OAAO;EACZ,KAAK,WAAW,QAAQ;EACxB,KAAK,eAAe,QAAQ;EAC5B,KAAK,YAAY,QAAQ;CAC3B;AACF;;;;AAKA,IAAa,oBAAb,cAAuC,MAAM;CAC3C,OAAgB;CAEhB,YAAY,UAAU,qBAAqB,SAA+B;EACxE,MAAM,SAAS,SAAS,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAAS;EAClF,KAAK,OAAO;CACd;AACF;;;;;;;;;;;;;;;;;;;;;AAsBA,IAAa,2BAAb,cAA8C,MAAM;CAClD,OAAgB;;CAEhB;;CAEA;;CAEA;CAEA,YAAY,SAKT;EACD,MAAM,OAAO,QAAQ,UAAU,SAAS,QAAQ,QAAQ,UAAU,cAAc,OAAO;EACvF,MACE,sBAAsB,QAAQ,MAAM,WAAW,QAAQ,YAAY,GAAG,KAAK,KAAK,QAAQ,WAAW,GAAG,QACtG,QAAQ,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAC3D;EACA,KAAK,OAAO;EACZ,KAAK,QAAQ,QAAQ;EACrB,KAAK,aAAa,QAAQ;EAC1B,KAAK,cAAc,QAAQ;CAC7B;AACF;;;;;;;;;;;;;;;AAgBA,IAAa,wBAAb,cAA2C,MAAM;CAC/C,OAAgB;;CAEhB;;CAEA;;;;;;;CAOA;CAMA,YAAY,SAMT;EACD,MAAM,QAAQ,SAAS,QAAQ,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAAS;EACzF,KAAK,OAAO;EACZ,KAAK,WAAW,QAAQ;EACxB,KAAK,eAAe,QAAQ;EAC5B,KAAK,UAAU,QAAQ;CACzB;AACF;;;;;;;;;AAUA,IAAa,2BAAb,cAA8C,MAAM;CAClD,OAAgB;;CAEhB;;CAEA;;CAEA;;CAEA;CAEA,YAAY,SAMT;EAOD,MAAM,SAAS,QAAQ,aAAa;EACpC,MAAM,OAAO,WAAW,KAAA,IACpB,uGAAuG,OAAO,yEAC9G;EACJ,MAAM,MACJ,SAAS,QAAQ,YAAY,8DACd,QAAQ,aAAa,KAAK,IAAI,EAAE,aAAa,QAAQ,aAAa,KAAK,GAAG,EAAE,IAAI;EAEjG,MAAM,KAAK,QAAQ,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAAS;EAC7E,KAAK,OAAO;EACZ,KAAK,WAAW,QAAQ;EACxB,KAAK,cAAc,QAAQ;EAC3B,KAAK,eAAe,QAAQ;EAC5B,KAAK,eAAe,QAAQ;CAC9B;AACF;;;;;;;AAQA,MAAa,oCAAuD;CAClE;CACA;CACA;CACA;AACF;;;;;;AAOA,MAAa,8BAAiD;CAC5D;CACA;CACA;CACA;CACA;CACA;CACA;AACF;;;;;AAMA,SAAgB,uBAAuB,SAA2B;CAChE,IAAI,OAAO,YAAY,YAAY,QAAQ,WAAW,GACpD,OAAO;CACT,OAAO,kCAAkC,MAAK,OAAM,GAAG,KAAK,OAAO,CAAC;AACtE;;;;;AAMA,SAAgB,wBAAwB,SAA2B;CACjE,IAAI,OAAO,YAAY,YAAY,QAAQ,WAAW,GACpD,OAAO;CACT,OAAO,4BAA4B,MAAK,OAAM,GAAG,KAAK,OAAO,CAAC;AAChE;;;;;;;;;;;;;AAcA,SAAgB,qBAAqB,KAA+C;CAClF,IAAI,CAAC,OAAO,OAAO,QAAQ,UACzB,OAAO;CACT,IAAK,IAA2B,SAAS,cACvC,OAAO;CACT,OAAO;AACT;;;;;;;;;AAUA,SAAgB,sBAAsB,QAAyB;CAC7D,IAAI,WAAW,KACb,OAAO;CACT,IAAI,UAAU,OAAO,WAAW,KAC9B,OAAO;CACT,OAAO;AACT;;;;;;;AAQA,SAAgB,aAAa,KAAsB;CACjD,IAAI,eAAe,OACjB,OAAO,IAAI;CACb,OAAO,OAAO,GAAG;AACnB;;;;;;;;;;;AAYA,SAAgB,iBAAiB,KAAuB;CACtD,IAAI,CAAC,OAAO,OAAO,QAAQ,UACzB,OAAO;CACT,MAAM,IAAI;CACV,OAAO,EAAE,SAAS,gBAAgB,EAAE,SAAS;AAC/C;;;;AAKA,SAAgB,aACd,gBACA,UACA,OAC4F;CAC5F,MAAM,UAAU,eAAe,WAAW,aAAa,KAAK;CAE5D,IAAI,eAAe,SAAS,oBAC1B,OAAO,IAAI,0BAA0B,SAAS;EAC5C;EACA,cAAc,eAAe;EAC7B;CACF,CAAC;CAGH,IAAI,eAAe,SAAS,WAC1B,OAAO,IAAI,kBAAkB,SAAS,EAAE,MAAM,CAAC;CAGjD,IAAI,eAAe,SAAS,2BAC1B,OAAO,IAAI,sBAAsB;EAC/B;EACA;EACA,cAAc,eAAe;EAK7B,SAAS,CAAC;EACV;CACF,CAAC;CAGH,OAAO,IAAI,mBAAmB,SAAS;EACrC;EACA,cAAc,eAAe;EAC7B,WAAW,eAAe;EAC1B;CACF,CAAC;AACH"}
+{"version":3,"file":"errors-DJUxZg9b.js","names":[],"sources":["../src/errors.ts"],"sourcesContent":["/**\n * Typed error classes for agent runs.\n *\n * Providers classify native errors into one of these so downstream consumers\n * can react without string-sniffing messages.\n *\n * Provider authors: implement `Provider.classifyError` to map native errors\n * (SDK exceptions, HTTP responses) to a `ClassifiedError`. The loop wraps\n * unclassified errors in `AgentProviderError` automatically.\n */\n\n/** Kind of classified provider error */\nexport type ClassifiedErrorKind = 'context_exceeded' | 'provider_error' | 'aborted' | 'tool_pairing_corruption'\n\n/** Structured classification returned by `Provider.classifyError` */\nexport interface ClassifiedError {\n  kind: ClassifiedErrorKind\n  /** Upstream error code as surfaced by the provider (e.g. `context_length_exceeded`). Optional. */\n  providerCode?: string\n  /** Optional human-readable message override. Falls back to the underlying error's message. */\n  message?: string\n  /**\n   * Hint that the error is transient and a retry with backoff is reasonable\n   * (e.g. 429, 5xx, truncated stream). Omitted when the provider can't decide;\n   * callers should default to \"do not retry\" when absent to avoid hammering\n   * terminal failures (auth, invalid request).\n   */\n  retryable?: boolean\n}\n\ninterface TypedErrorOptions {\n  /** Provider name, always set (e.g. `anthropic`, `openrouter`) */\n  provider: string\n  /** Optional upstream error code */\n  providerCode?: string\n  /** Original error from the provider SDK/HTTP layer */\n  cause?: unknown\n  /** See {@link ClassifiedError.retryable}. */\n  retryable?: boolean\n}\n\n/**\n * Thrown when the model or provider signals that the context window was exceeded.\n * Downstream consumers should catch this, prune history, and retry.\n */\nexport class AgentContextExceededError extends Error {\n  readonly code = 'context_exceeded' as const\n  readonly provider: string\n  readonly providerCode?: string\n\n  constructor(message: string, options: TypedErrorOptions) {\n    super(message, options.cause !== undefined ? { cause: options.cause } : undefined)\n    this.name = 'AgentContextExceededError'\n    this.provider = options.provider\n    this.providerCode = options.providerCode\n  }\n}\n\n/**\n * Thrown when the provider returns a non-context error (auth, rate limit, server error, etc.).\n * Catch-all for unclassified provider failures.\n */\nexport class AgentProviderError extends Error {\n  readonly code = 'provider_error' as const\n  readonly provider: string\n  readonly providerCode?: string\n  /**\n   * Whether a retry with backoff is likely to succeed. See\n   * {@link ClassifiedError.retryable}. Absent when the provider did not\n   * classify the error — callers should treat absent as \"don't retry\".\n   */\n  readonly retryable?: boolean\n\n  constructor(message: string, options: TypedErrorOptions) {\n    super(message, options.cause !== undefined ? { cause: options.cause } : undefined)\n    this.name = 'AgentProviderError'\n    this.provider = options.provider\n    this.providerCode = options.providerCode\n    this.retryable = options.retryable\n  }\n}\n\n/**\n * Thrown when a run is aborted by the consumer via `agent.abort()` or an external `AbortSignal`.\n */\nexport class AgentAbortedError extends Error {\n  readonly code = 'aborted' as const\n\n  constructor(message = 'Agent run aborted', options?: { cause?: unknown }) {\n    super(message, options?.cause !== undefined ? { cause: options.cause } : undefined)\n    this.name = 'AgentAbortedError'\n  }\n}\n\n/**\n * Thrown by the loop when a run's cumulative cost, token consumption, or\n * wall-clock elapsed time crosses a ceiling configured on\n * {@link AgentBehavior.maxCostUsd} / {@link AgentBehavior.maxTotalTokens} /\n * {@link AgentBehavior.maxWallMs}. Acts as a programmable circuit\n * breaker for unattended runs — without this, the only built-in safety net\n * is {@link AgentBehavior.maxTurns}, which doesn't bound a single very\n * expensive turn (large context, deep reasoning).\n *\n * The breach is checked **after** each turn completes (post-`turn:after`),\n * so the run may exceed the budget by one turn's worth of usage before\n * tripping. Callers wanting a tighter pre-turn estimate should layer their\n * own check on top of the `usage` hook.\n *\n * The harness treats this the same way as {@link AgentAbortedError}: the\n * session run is finalized as `'aborted'`, persisted stats reflect what\n * was actually consumed, and the parent agent re-throws so a caller's\n * `try`/`catch` can branch on `err instanceof AgentBudgetExceededError`\n * without string-sniffing.\n */\nexport class AgentBudgetExceededError extends Error {\n  readonly code = 'budget_exceeded' as const\n  /** Which ceiling tripped. `'cost'` → `maxCostUsd`, `'tokens'` → `maxTotalTokens`, `'wallClock'` → `maxWallMs`. */\n  readonly limit: 'cost' | 'tokens' | 'wallClock'\n  /** The configured cap (USD for `cost`, total tokens for `tokens`, ms for `wallClock`). */\n  readonly limitValue: number\n  /** Actual consumed value at the moment the cap was crossed (same units as `limitValue`). */\n  readonly actualValue: number\n\n  constructor(options: {\n    limit: 'cost' | 'tokens' | 'wallClock'\n    limitValue: number\n    actualValue: number\n    cause?: unknown\n  }) {\n    const unit = options.limit === 'cost' ? 'USD' : options.limit === 'wallClock' ? 'ms' : 'tokens'\n    super(\n      `Agent run exceeded ${options.limit} budget: ${options.actualValue} ${unit} > ${options.limitValue} ${unit}`,\n      options.cause !== undefined ? { cause: options.cause } : undefined,\n    )\n    this.name = 'AgentBudgetExceededError'\n    this.limit = options.limit\n    this.limitValue = options.limitValue\n    this.actualValue = options.actualValue\n  }\n}\n\n/**\n * Thrown by the pre-send pairing repair when {@link AgentBehavior.strictToolPairing}\n * is `true` and {@link ensureToolResultPairing} would otherwise patch over\n * corruption. Strict mode opts into fail-fast for training-data collectors and\n * any consumer that prefers to bail out rather than ship a transcript carrying\n * a {@link SYNTHETIC_TOOL_RESULT_PLACEHOLDER}.\n *\n * The `repairs` field carries every repair the loop would have made — useful\n * for postmortems and for surfacing exactly which transcripts were rejected.\n *\n * Note: callers consuming the chat layer (TUI/SDK presets) typically leave\n * `strictToolPairing` off so user-facing sessions auto-heal instead of\n * crashing.\n */\nexport class AgentToolPairingError extends Error {\n  readonly code = 'tool_pairing_corruption' as const\n  /** Provider whose wire format the corruption would have hit. */\n  readonly provider?: string\n  /** Upstream error code when the corruption was detected from a 400 response. */\n  readonly providerCode?: string\n  /**\n   * Repairs the harness would have performed had strict mode been off.\n   * Preserves the full diagnostic so consumers can route to telemetry,\n   * `/rewind` flows, or training-data quarantine without re-walking the\n   * transcript.\n   */\n  readonly repairs: ReadonlyArray<{\n    mode: string\n    callId?: string\n    messageIndex: number\n  }>\n\n  constructor(options: {\n    message: string\n    provider?: string\n    providerCode?: string\n    repairs: ReadonlyArray<{ mode: string, callId?: string, messageIndex: number }>\n    cause?: unknown\n  }) {\n    super(options.message, options.cause !== undefined ? { cause: options.cause } : undefined)\n    this.name = 'AgentToolPairingError'\n    this.provider = options.provider\n    this.providerCode = options.providerCode\n    this.repairs = options.repairs\n  }\n}\n\n/**\n * Thrown (well — constructed; attach via the `tool:gate` block signal) when the\n * union of `allowed-tools` across active skills does not permit a tool call.\n *\n * Produced by the allowed-tools middleware registered on `tool:gate` /\n * `mcp:tool:gate`. The gate's `block = true` + `reason` carry the same message\n * so consumers that don't look at this typed error still get a useful string.\n */\nexport class AgentToolNotAllowedError extends Error {\n  readonly code = 'tool_not_allowed' as const\n  /** Canonical tool name the agent tried to call. */\n  readonly toolName: string\n  /** Aliased / wire name the LLM saw. */\n  readonly displayName: string\n  /** Flattened union of `allowedTools` patterns across active skills. */\n  readonly allowedUnion: readonly string[]\n  /** Names of the skills currently active when the block fired. */\n  readonly activeSkills: readonly string[]\n\n  constructor(options: {\n    toolName: string\n    displayName: string\n    allowedUnion: readonly string[]\n    activeSkills: readonly string[]\n    cause?: unknown\n  }) {\n    // Recovery hint points the model at the deactivate path. Without it the\n    // model would invent folk theories like \"skill restrictions reset on\n    // the next user message\" and silently waste turns probing other tools.\n    // The hint mentions exactly one of the active skills (if any) so the\n    // model has a concrete `skills_use({ mode: \"deactivate\", name: ... })`\n    // call to make.\n    const sample = options.activeSkills[0]\n    const hint = sample !== undefined\n      ? ` To use this tool, call \\`skills_use\\` with \\`mode: \"deactivate\"\\` and the active skill name (e.g. \"${sample}\") to lift its restriction — or ask the user to switch agent profile.`\n      : ''\n    const msg = (\n      `Tool \"${options.displayName}\" is not in the allowed-tools union of the active `\n      + `skill(s) [${options.activeSkills.join(', ')}]. Union: [${options.allowedUnion.join(' ')}].${hint}`\n    )\n    super(msg, options.cause !== undefined ? { cause: options.cause } : undefined)\n    this.name = 'AgentToolNotAllowedError'\n    this.toolName = options.toolName\n    this.displayName = options.displayName\n    this.allowedUnion = options.allowedUnion\n    this.activeSkills = options.activeSkills\n  }\n}\n\n/**\n * Regex patterns matching common \"context window exceeded\" messages across providers.\n *\n * Use {@link matchesContextExceeded} to test a free-form error message against them.\n * Provider authors can also compose these into their own `classifyError` fallbacks.\n */\nexport const CONTEXT_EXCEEDED_MESSAGE_PATTERNS: readonly RegExp[] = [\n  /context[_\\s]length[_\\s]exceeded/i,\n  /maximum context length/i,\n  /prompt is too long/i,\n  /context window/i,\n  // Baseten Model APIs (GLM, Kimi, …): \"Input length 852084 exceeds the\n  // maximum allowed input length of 202720 tokens.\" Specific enough to avoid\n  // false positives on unrelated length errors.\n  /maximum allowed input length/i,\n]\n\n/**\n * Regex patterns matching provider-side tool-call / tool-result adjacency\n * rejections. The local pre-send repair pass should prevent these, so a\n * provider still returning one is a typed `tool_pairing_corruption` signal.\n */\nexport const TOOL_PAIRING_ERROR_PATTERNS: readonly RegExp[] = [\n  /tool_use[^a-z0-9]+ids?[^a-z0-9]+were[^a-z0-9]+found[^a-z0-9]+without[^a-z0-9]+tool_result/i,\n  /tool_result[^a-z0-9]+must[^a-z0-9]+be[^a-z0-9]+preceded[^a-z0-9]+by[^a-z0-9]+a[^a-z0-9]+tool_call/i,\n  /unexpected[^a-z0-9]+tool_result[^a-z0-9]+block/i,\n  /tool_use[^a-z0-9]+block.*requires.*tool_result/i,\n  /tool_calls?[^a-z0-9]+must[^a-z0-9]+be[^a-z0-9]+followed[^a-z0-9]+by[^a-z0-9]+tool/i,\n  /tool_call_id[^a-z0-9]+(?:missing|mismatch|invalid)/i,\n  /tool_call_id[^a-z0-9]+not[^a-z0-9]+found/i,\n]\n\n/**\n * Return true when `message` matches any of the known \"context window exceeded\"\n * phrasings. Safe for `''` / non-strings (returns false).\n */\nexport function matchesContextExceeded(message: unknown): boolean {\n  if (typeof message !== 'string' || message.length === 0)\n    return false\n  return CONTEXT_EXCEEDED_MESSAGE_PATTERNS.some(re => re.test(message))\n}\n\n/**\n * Return true when `message` matches a known tool-call / tool-result pairing\n * rejection. Safe for `''` / non-strings (returns false).\n */\nexport function matchesToolPairingError(message: unknown): boolean {\n  if (typeof message !== 'string' || message.length === 0)\n    return false\n  return TOOL_PAIRING_ERROR_PATTERNS.some(re => re.test(message))\n}\n\n/**\n * Shared entry guard for provider `classifyError` paths. Returns:\n *   - `'not-object'` when `err` is null/undefined or not an object — the caller\n *     should `return null` (nothing to classify).\n *   - `'aborted'` when `err.name === 'AbortError'` — the caller should return\n *     `{ kind: 'aborted' }`.\n *   - `null` when `err` is a classifiable object that is not an abort.\n *\n * Collapses the byte-identical `if (!err || typeof err !== 'object') return null`\n * + `if (err.name === 'AbortError') return { kind: 'aborted' }` prelude every\n * provider repeated; per-provider classification past this point differs.\n */\nexport function classifyErrorPrelude(err: unknown): 'not-object' | 'aborted' | null {\n  if (!err || typeof err !== 'object')\n    return 'not-object'\n  if ((err as { name?: unknown }).name === 'AbortError')\n    return 'aborted'\n  return null\n}\n\n/**\n * HTTP status retry rule shared by provider `classifyError` paths: `429` (rate\n * limit) and `5xx` except `501 Not Implemented` are safe to retry with backoff;\n * every other 4xx (bad request, auth, not found) is terminal.\n *\n * Note: `compact/compact.ts` deliberately uses a plain `>=500 && <600` test for\n * a different decision and is intentionally not routed through this.\n */\nexport function isRetryableHttpStatus(status: number): boolean {\n  if (status === 429)\n    return true\n  if (status >= 500 && status !== 501)\n    return true\n  return false\n}\n\n/**\n * Extract a printable message from an unknown thrown value.\n *\n * Standardizes the `err instanceof Error ? err.message : String(err)` idiom\n * that every `catch (err)` block was reaching for.\n */\nexport function errorMessage(err: unknown): string {\n  if (err instanceof Error)\n    return err.message\n  return String(err)\n}\n\n/**\n * Whether `err` is an abort-shaped error — a DOM/Node `AbortError` or a Node\n * `ABORT_ERR` code.\n *\n * Tools that wrap their body in a catch-all converting failures into a normal\n * tool-result string (e.g. `grep`) MUST special-case this and RE-THROW: an\n * abort is not a tool failure. The agent loop turns a propagated abort into\n * its canonical interrupt/cascade marker, whereas a swallowed one would mask\n * cancellation as a misleading `<tool> error:` string.\n */\nexport function isAbortLikeError(err: unknown): boolean {\n  if (!err || typeof err !== 'object')\n    return false\n  const e = err as { name?: unknown, code?: unknown }\n  return e.name === 'AbortError' || e.code === 'ABORT_ERR'\n}\n\n/**\n * Convert a `ClassifiedError` + underlying cause into the matching typed error instance.\n */\nexport function toTypedError(\n  classification: ClassifiedError,\n  provider: string,\n  cause: unknown,\n): AgentContextExceededError | AgentProviderError | AgentAbortedError | AgentToolPairingError {\n  const message = classification.message ?? errorMessage(cause)\n\n  if (classification.kind === 'context_exceeded') {\n    return new AgentContextExceededError(message, {\n      provider,\n      providerCode: classification.providerCode,\n      cause,\n    })\n  }\n\n  if (classification.kind === 'aborted') {\n    return new AgentAbortedError(message, { cause })\n  }\n\n  if (classification.kind === 'tool_pairing_corruption') {\n    return new AgentToolPairingError({\n      message,\n      provider,\n      providerCode: classification.providerCode,\n      // Server-side rejection: we don't have the structured repair list a\n      // local-pre-send strict-mode throw would carry. Surface an empty\n      // array so consumers branching on `repairs.length` see \"the harness\n      // didn't get a chance to walk the transcript\".\n      repairs: [],\n      cause,\n    })\n  }\n\n  return new AgentProviderError(message, {\n    provider,\n    providerCode: classification.providerCode,\n    retryable: classification.retryable,\n    cause,\n  })\n}\n"],"mappings":";;;;;AA6CA,IAAa,4BAAb,cAA+C,MAAM;CACnD,OAAgB;CAChB;CACA;CAEA,YAAY,SAAiB,SAA4B;EACvD,MAAM,SAAS,QAAQ,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAAS;EACjF,KAAK,OAAO;EACZ,KAAK,WAAW,QAAQ;EACxB,KAAK,eAAe,QAAQ;CAC9B;AACF;;;;;AAMA,IAAa,qBAAb,cAAwC,MAAM;CAC5C,OAAgB;CAChB;CACA;;;;;;CAMA;CAEA,YAAY,SAAiB,SAA4B;EACvD,MAAM,SAAS,QAAQ,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAAS;EACjF,KAAK,OAAO;EACZ,KAAK,WAAW,QAAQ;EACxB,KAAK,eAAe,QAAQ;EAC5B,KAAK,YAAY,QAAQ;CAC3B;AACF;;;;AAKA,IAAa,oBAAb,cAAuC,MAAM;CAC3C,OAAgB;CAEhB,YAAY,UAAU,qBAAqB,SAA+B;EACxE,MAAM,SAAS,SAAS,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAAS;EAClF,KAAK,OAAO;CACd;AACF;;;;;;;;;;;;;;;;;;;;;AAsBA,IAAa,2BAAb,cAA8C,MAAM;CAClD,OAAgB;;CAEhB;;CAEA;;CAEA;CAEA,YAAY,SAKT;EACD,MAAM,OAAO,QAAQ,UAAU,SAAS,QAAQ,QAAQ,UAAU,cAAc,OAAO;EACvF,MACE,sBAAsB,QAAQ,MAAM,WAAW,QAAQ,YAAY,GAAG,KAAK,KAAK,QAAQ,WAAW,GAAG,QACtG,QAAQ,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAC3D;EACA,KAAK,OAAO;EACZ,KAAK,QAAQ,QAAQ;EACrB,KAAK,aAAa,QAAQ;EAC1B,KAAK,cAAc,QAAQ;CAC7B;AACF;;;;;;;;;;;;;;;AAgBA,IAAa,wBAAb,cAA2C,MAAM;CAC/C,OAAgB;;CAEhB;;CAEA;;;;;;;CAOA;CAMA,YAAY,SAMT;EACD,MAAM,QAAQ,SAAS,QAAQ,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAAS;EACzF,KAAK,OAAO;EACZ,KAAK,WAAW,QAAQ;EACxB,KAAK,eAAe,QAAQ;EAC5B,KAAK,UAAU,QAAQ;CACzB;AACF;;;;;;;;;AAUA,IAAa,2BAAb,cAA8C,MAAM;CAClD,OAAgB;;CAEhB;;CAEA;;CAEA;;CAEA;CAEA,YAAY,SAMT;EAOD,MAAM,SAAS,QAAQ,aAAa;EACpC,MAAM,OAAO,WAAW,KAAA,IACpB,uGAAuG,OAAO,yEAC9G;EACJ,MAAM,MACJ,SAAS,QAAQ,YAAY,8DACd,QAAQ,aAAa,KAAK,IAAI,EAAE,aAAa,QAAQ,aAAa,KAAK,GAAG,EAAE,IAAI;EAEjG,MAAM,KAAK,QAAQ,UAAU,KAAA,IAAY,EAAE,OAAO,QAAQ,MAAM,IAAI,KAAA,CAAS;EAC7E,KAAK,OAAO;EACZ,KAAK,WAAW,QAAQ;EACxB,KAAK,cAAc,QAAQ;EAC3B,KAAK,eAAe,QAAQ;EAC5B,KAAK,eAAe,QAAQ;CAC9B;AACF;;;;;;;AAQA,MAAa,oCAAuD;CAClE;CACA;CACA;CACA;CAIA;AACF;;;;;;AAOA,MAAa,8BAAiD;CAC5D;CACA;CACA;CACA;CACA;CACA;CACA;AACF;;;;;AAMA,SAAgB,uBAAuB,SAA2B;CAChE,IAAI,OAAO,YAAY,YAAY,QAAQ,WAAW,GACpD,OAAO;CACT,OAAO,kCAAkC,MAAK,OAAM,GAAG,KAAK,OAAO,CAAC;AACtE;;;;;AAMA,SAAgB,wBAAwB,SAA2B;CACjE,IAAI,OAAO,YAAY,YAAY,QAAQ,WAAW,GACpD,OAAO;CACT,OAAO,4BAA4B,MAAK,OAAM,GAAG,KAAK,OAAO,CAAC;AAChE;;;;;;;;;;;;;AAcA,SAAgB,qBAAqB,KAA+C;CAClF,IAAI,CAAC,OAAO,OAAO,QAAQ,UACzB,OAAO;CACT,IAAK,IAA2B,SAAS,cACvC,OAAO;CACT,OAAO;AACT;;;;;;;;;AAUA,SAAgB,sBAAsB,QAAyB;CAC7D,IAAI,WAAW,KACb,OAAO;CACT,IAAI,UAAU,OAAO,WAAW,KAC9B,OAAO;CACT,OAAO;AACT;;;;;;;AAQA,SAAgB,aAAa,KAAsB;CACjD,IAAI,eAAe,OACjB,OAAO,IAAI;CACb,OAAO,OAAO,GAAG;AACnB;;;;;;;;;;;AAYA,SAAgB,iBAAiB,KAAuB;CACtD,IAAI,CAAC,OAAO,OAAO,QAAQ,UACzB,OAAO;CACT,MAAM,IAAI;CACV,OAAO,EAAE,SAAS,gBAAgB,EAAE,SAAS;AAC/C;;;;AAKA,SAAgB,aACd,gBACA,UACA,OAC4F;CAC5F,MAAM,UAAU,eAAe,WAAW,aAAa,KAAK;CAE5D,IAAI,eAAe,SAAS,oBAC1B,OAAO,IAAI,0BAA0B,SAAS;EAC5C;EACA,cAAc,eAAe;EAC7B;CACF,CAAC;CAGH,IAAI,eAAe,SAAS,WAC1B,OAAO,IAAI,kBAAkB,SAAS,EAAE,MAAM,CAAC;CAGjD,IAAI,eAAe,SAAS,2BAC1B,OAAO,IAAI,sBAAsB;EAC/B;EACA;EACA,cAAc,eAAe;EAK7B,SAAS,CAAC;EACV;CACF,CAAC;CAGH,OAAO,IAAI,mBAAmB,SAAS;EACrC;EACA,cAAc,eAAe;EAC7B,WAAW,eAAe;EAC1B;CACF,CAAC;AACH"}

package/dist/eval.d.ts

@@ -1,2 +1,2 @@
-import { $t as buildEvalRunSummary, At as EvalRunSummary, Bt as EvalWorkspaceSnapshot, Cn as relativeArtifactPath, Ct as EvalDefinition, Dt as EvalRunMetricAggregate, Et as EvalMetricError, Ft as EvalScorerContext, Gt as MetricSpecMap, Ht as MetricDirection, It as EvalTestRunner, Jt as ReusableExecutionContext, Kt as MetricStats, Lt as EvalVariantSummary, Mt as EvalRunUsage, Nt as EvalScore, Ot as EvalRunReporter, Pt as EvalScorer, Qt as artifactPath, Rt as EvalWorkspaceFile, Sn as registerEvalTests, St as EvalCaseResult, Tn as statusCompleted, Tt as EvalMetric, Ut as MetricEmitter, Vt as LlmJudgeOptions, Wt as MetricSpec, Xt as TrajectoryStep, Yt as Trajectory, Zt as TrajectoryStepKind, _n as formatEvalRunSummary, _t as EvalAgentRunResult, an as createEvalRunReporter, bn as llmJudge, bt as EvalArtifacts, cn as defineMetrics, dn as fileContains, en as buildRegisteredEvals, fn as fileContentQuality, ft as CreateEvalAgentOptions, gn as formatEvalCaseSummary, gt as EvalAgentRunOptions, hn as finalizeEvalMetrics, ht as EvalAgentMcpServers, in as createEvalAgent, jt as EvalRunSummaryCase, kt as EvalRunReporterOptions, ln as efficiencyMetricValues, mn as fileExistsOneOf, mt as EvalAgent, nn as clearRegisteredEvals, on as createReusableExecutionContext, pn as fileExists, pt as EFFICIENCY_METRICS, qt as RegisterEvalTestsOptions, rn as computeEvalTagScores, sn as defineEval, tn as buildTrajectory, un as emitEfficiencyMetrics, vn as formatTrajectoryLine, vt as EvalAgentRunStats, wn as runEvalCase, wt as EvalDefinitionContext, xn as normalizeMetric, xt as EvalCaseOptions, yn as functionalityMetric, yt as EvalAgentStats, zt as EvalWorkspaceOptions } from "./index-BgB_425D.js";
+import { $t as buildEvalRunSummary, At as EvalRunSummary, Bt as EvalWorkspaceSnapshot, Cn as relativeArtifactPath, Ct as EvalDefinition, Dt as EvalRunMetricAggregate, Et as EvalMetricError, Ft as EvalScorerContext, Gt as MetricSpecMap, Ht as MetricDirection, It as EvalTestRunner, Jt as ReusableExecutionContext, Kt as MetricStats, Lt as EvalVariantSummary, Mt as EvalRunUsage, Nt as EvalScore, Ot as EvalRunReporter, Pt as EvalScorer, Qt as artifactPath, Rt as EvalWorkspaceFile, Sn as registerEvalTests, St as EvalCaseResult, Tn as statusCompleted, Tt as EvalMetric, Ut as MetricEmitter, Vt as LlmJudgeOptions, Wt as MetricSpec, Xt as TrajectoryStep, Yt as Trajectory, Zt as TrajectoryStepKind, _n as formatEvalRunSummary, _t as EvalAgentRunResult, an as createEvalRunReporter, bn as llmJudge, bt as EvalArtifacts, cn as defineMetrics, dn as fileContains, en as buildRegisteredEvals, fn as fileContentQuality, ft as CreateEvalAgentOptions, gn as formatEvalCaseSummary, gt as EvalAgentRunOptions, hn as finalizeEvalMetrics, ht as EvalAgentMcpServers, in as createEvalAgent, jt as EvalRunSummaryCase, kt as EvalRunReporterOptions, ln as efficiencyMetricValues, mn as fileExistsOneOf, mt as EvalAgent, nn as clearRegisteredEvals, on as createReusableExecutionContext, pn as fileExists, pt as EFFICIENCY_METRICS, qt as RegisterEvalTestsOptions, rn as computeEvalTagScores, sn as defineEval, tn as buildTrajectory, un as emitEfficiencyMetrics, vn as formatTrajectoryLine, vt as EvalAgentRunStats, wn as runEvalCase, wt as EvalDefinitionContext, xn as normalizeMetric, xt as EvalCaseOptions, yn as functionalityMetric, yt as EvalAgentStats, zt as EvalWorkspaceOptions } from "./index-DXwsHr4o.js";
 export { CreateEvalAgentOptions, EFFICIENCY_METRICS, EvalAgent, EvalAgentMcpServers, EvalAgentRunOptions, EvalAgentRunResult, EvalAgentRunStats, EvalAgentStats, EvalArtifacts, EvalCaseOptions, EvalCaseResult, EvalDefinition, EvalDefinitionContext, EvalMetric, EvalMetricError, EvalRunMetricAggregate, EvalRunReporter, EvalRunReporterOptions, EvalRunSummary, EvalRunSummaryCase, EvalRunUsage, EvalScore, EvalScorer, EvalScorerContext, EvalTestRunner, EvalVariantSummary, EvalWorkspaceFile, EvalWorkspaceOptions, EvalWorkspaceSnapshot, LlmJudgeOptions, MetricDirection, MetricEmitter, MetricSpec, MetricSpecMap, MetricStats, RegisterEvalTestsOptions, ReusableExecutionContext, Trajectory, TrajectoryStep, TrajectoryStepKind, artifactPath, buildEvalRunSummary, buildRegisteredEvals, buildTrajectory, clearRegisteredEvals, computeEvalTagScores, createEvalAgent, createEvalRunReporter, createReusableExecutionContext, defineEval, defineMetrics, efficiencyMetricValues, emitEfficiencyMetrics, fileContains, fileContentQuality, fileExists, fileExistsOneOf, finalizeEvalMetrics, formatEvalCaseSummary, formatEvalRunSummary, formatTrajectoryLine, functionalityMetric, llmJudge, normalizeMetric, registerEvalTests, relativeArtifactPath, runEvalCase, statusCompleted };

package/dist/eval.js

@@ -1,7 +1,7 @@
-import { r as createProcessContext } from "./contexts-DHi8LPCp.js";
+import { n as createProcessContext } from "./contexts-BebciJyQ.js";
 import { t as alwaysQuote } from "./shell-quote-BmnhZmdM.js";
-import { a as headlessEventToJsonl, c as runHeadless } from "./headless-C6Idunwh.js";
-import { a as createMemoryStore, t as createSession } from "./session-DQ4bEncf.js";
+import { a as headlessEventToJsonl, c as runHeadless } from "./headless-Dtd24J6l.js";
+import { a as createMemoryStore, t as createSession } from "./session-C0D4p0Gy.js";
 import { join, relative, resolve } from "node:path";
 import { mkdir, mkdtemp, rm, writeFile } from "node:fs/promises";
 import { tmpdir } from "node:os";

package/dist/{fetch-url-Cgbq-HYx.js → fetch-url-CWE8X5OD.js}

@@ -1,4 +1,4 @@
-import { l as errorMessage } from "./errors-BpPfMo_4.js";
+import { l as errorMessage } from "./errors-DJUxZg9b.js";
 import { Buffer } from "node:buffer";
 import { request } from "node:http";
 import { promises } from "node:dns";
@@ -531,4 +531,4 @@ const fetchUrl = {
 //#endregion
 export { isBlockedAddress as a, stripHtmlInline as c, fetchWithSsrfGuard as i, clearFetchUrlCache as n, isHostAllowed as o, fetchUrl as r, pinnedRequest as s, __fetchCacheTestApi as t };
 
-//# sourceMappingURL=fetch-url-Cgbq-HYx.js.map
+//# sourceMappingURL=fetch-url-CWE8X5OD.js.map

package/dist/{fetch-url-Cgbq-HYx.js.map → fetch-url-CWE8X5OD.js.map}

@@ -1 +1 @@
-{"version":3,"file":"fetch-url-Cgbq-HYx.js","names":["dns","request","httpsRequest","httpRequest"],"sources":["../src/tools/_html.ts","../src/tools/fetch-url.ts"],"sourcesContent":["/**\n * Shared HTML → plain-text helpers used by the web-egress tools (`web_search`\n * snippet extraction, `fetch_url` body decoding).\n *\n * Best-effort by contract: a real HTML parser would be more correct but the\n * payload is always model context, never user-facing rendered output, so a\n * tag-stripper plus a curated entity table covers the practical cases\n * (Wikipedia, GitHub READMEs, MDN docs, Stack Overflow answers). When a tool\n * needs richer parsing it should reach for an actual parser rather than\n * extending these helpers ad-hoc.\n */\n\n/**\n * Curated named-entity table. Kept narrow on purpose — the long tail\n * (`&Aring;`, `&times;`, mathematical refs, …) is out of scope because the\n * model handles unknown entities fine when they pass through verbatim. Add\n * entries when an entity is observed mangling real output, not speculatively.\n *\n * Keys are stored without the leading `&` / trailing `;` and matched\n * case-insensitively by the decoder.\n */\nconst NAMED_ENTITIES: Record<string, string> = {\n  amp: '&',\n  apos: '\\'',\n  bull: '•',\n  copy: '\\u00A9',\n  ensp: ' ',\n  emsp: ' ',\n  gt: '>',\n  hellip: '\\u2026',\n  laquo: '\\u00AB',\n  ldquo: '\\u201C',\n  lsquo: '\\u2018',\n  lt: '<',\n  mdash: '\\u2014',\n  middot: '\\u00B7',\n  nbsp: ' ',\n  ndash: '\\u2013',\n  quot: '\"',\n  raquo: '\\u00BB',\n  rdquo: '\\u201D',\n  reg: '\\u00AE',\n  rsquo: '\\u2019',\n  thinsp: ' ',\n  trade: '\\u2122',\n}\n\n/**\n * `String.fromCodePoint` raises on out-of-range / non-finite inputs; the\n * agent's untrusted-payload assumption means we can't let a single broken\n * numeric reference crash the whole decode. Empty string on rejection is\n * the safest outcome (matches what most browsers do for invalid refs).\n */\nfunction safeFromCodePoint(cp: number): string {\n  if (!Number.isFinite(cp) || cp < 0 || cp > 0x10FFFF)\n    return ''\n  try {\n    return String.fromCodePoint(cp)\n  }\n  catch {\n    return ''\n  }\n}\n\n/**\n * Decode numeric character references (`&#x...;` / `&#NNN;`) and the curated\n * subset of named entities in {@link NAMED_ENTITIES}. Unknown named entities\n * are left as-is so the model can detect them rather than seeing a silently\n * corrupted token.\n *\n * `&amp;` is decoded LAST so a double-escaped string like `&amp;lt;` resolves\n * to `&lt;` (not `<`) — that's the spec-correct single-pass decode shape.\n */\nexport function decodeHtmlEntities(text: string): string {\n  let s = text\n    .replace(/&#x([0-9a-f]+);/gi, (_, h) => safeFromCodePoint(Number.parseInt(h, 16)))\n    .replace(/&#(\\d+);/g, (_, n) => safeFromCodePoint(Number.parseInt(n, 10)))\n  s = s.replace(/&([a-z][a-z0-9]*);/gi, (full, name) => {\n    const key = name.toLowerCase()\n    // Defer `amp` so `&amp;lt;` doesn't double-decode in a single pass.\n    if (key === 'amp')\n      return full\n    const replacement = NAMED_ENTITIES[key]\n    return replacement ?? full\n  })\n  return s.replace(/&amp;/gi, '&')\n}\n\n/**\n * Strip `<script>`, `<style>`, `<noscript>`, comments, and every other tag.\n * Block-level openers (`<br>`, `<p>`, `<div>`, `<li>`, `<tr>`, `<h1-6>`) are\n * replaced with newlines so the resulting plaintext preserves readable\n * structure. Other tags collapse to spaces.\n */\nexport function stripHtml(html: string): string {\n  return html\n    .replace(/<script[\\s\\S]*?<\\/script>/gi, ' ')\n    .replace(/<style[\\s\\S]*?<\\/style>/gi, ' ')\n    .replace(/<noscript[\\s\\S]*?<\\/noscript>/gi, ' ')\n    .replace(/<!--[\\s\\S]*?-->/g, ' ')\n    .replace(/<(?:br|p|div|li|tr|h[1-6])[^>]*>/gi, '\\n')\n    .replace(/<[^>]+>/g, ' ')\n}\n\n/**\n * Inline variant — strip tags + decode entities + collapse all whitespace\n * (including line breaks) into single spaces. For short snippets where\n * structural breaks would be visual noise (search-result titles, link text).\n */\nexport function stripHtmlInline(html: string): string {\n  return decodeHtmlEntities(stripHtml(html))\n    .replace(/\\s+/g, ' ')\n    .trim()\n}\n\n/**\n * Block variant — strip tags + decode entities, preserve newlines emitted\n * by block-level openers, then collapse inline whitespace per-line and drop\n * empty lines. For full-page reductions where structure aids reading.\n */\nexport function stripHtmlBlock(html: string): string {\n  return decodeHtmlEntities(stripHtml(html))\n    .split('\\n')\n    .map(line => line.replace(/[ \\t]+/g, ' ').trim())\n    .filter(line => line.length > 0)\n    .join('\\n')\n}\n","import type { RequestOptions as HttpRequestOptions } from 'node:http'\nimport type { RequestOptions as HttpsRequestOptions } from 'node:https'\nimport type { ToolContext, ToolDef } from './types'\nimport { Buffer } from 'node:buffer'\nimport { promises as dns } from 'node:dns'\nimport { request as httpRequest } from 'node:http'\nimport { request as httpsRequest } from 'node:https'\nimport { isIP } from 'node:net'\nimport { errorMessage } from '../errors'\nimport { stripHtmlBlock } from './_html'\n\n/**\n * Fetch a URL and return its text content.\n *\n * Companion to `web_search` (when registered) — after the model finds a\n * promising result it fetches the page to read the body in full. HTML is\n * reduced to plain text because the model rarely benefits from the markup\n * and we want to keep the payload inside the per-turn output budget.\n *\n * Restrictions:\n * - Only http(s) URLs. Anything else (file://, data:, ftp:) is rejected so\n *   the tool can't be coerced into reading local files or arbitrary\n *   resources.\n * - SSRF guard with TOCTOU defense: the host is DNS-resolved against the\n *   loopback / link-local / private / reserved blocklist BEFORE the\n *   request, and the resolved IP is then PINNED at the connection layer\n *   via `node:http(s).request({ host: <resolved IP>, headers: { Host: ... },\n *   servername: ... })`. This closes the classic DNS-rebinding gap where a\n *   `globalThis.fetch` re-resolves the hostname and connects to a freshly\n *   minted private IP. TLS verification still runs against the original\n *   hostname via the explicit `servername` option.\n *\n *   Note: the more idiomatic Node fix (an `undici.Agent` with a custom\n *   `connect.lookup`) is silently a no-op on Bun ≤1.3 — both\n *   `undici.Agent` and `node:https.Agent.lookup` are stubbed out. The\n *   explicit `host: IP` + `Host:` header dance is the only mechanism that\n *   actually pins on the current Bun runtime.\n * - Redirects are followed manually (up to `MAX_REDIRECTS`) and each hop\n *   is re-validated, so a public hostname that 302s into a metadata\n *   endpoint is rejected at the redirect step.\n * - 15s hard timeout per request.\n * - Output capped at `max_bytes` (default 200 KiB) — long pages are\n *   truncated with an explicit marker. The pinned reader also stops\n *   buffering past 2× the cap so a multi-MB body can't OOM us.\n */\n\nconst DEFAULT_MAX_BYTES = 200 * 1024\nconst HARD_MAX_BYTES = 1024 * 1024\nconst HTTP_TIMEOUT_MS = 15_000\nconst MAX_REDIRECTS = 5\n\n/**\n * IPv4 ranges that the SSRF guard refuses to fetch from. Covers the cloud\n * metadata services (AWS/Azure 169.254.169.254, GCP routes through the same\n * link-local block) plus every RFC1918 / loopback / reserved block a model\n * could be prompt-injected into hitting.\n */\nfunction isBlockedIPv4(ip: string): boolean {\n  const parts = ip.split('.').map(Number)\n  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255))\n    return true\n  const [a, b] = parts as [number, number, number, number]\n  if (a === 0)\n    return true // 0.0.0.0/8 unspecified / \"this network\"\n  if (a === 10)\n    return true // 10/8 private\n  if (a === 127)\n    return true // loopback\n  if (a === 169 && b === 254)\n    return true // link-local + cloud metadata\n  if (a === 172 && b >= 16 && b <= 31)\n    return true // 172.16/12 private\n  if (a === 192 && b === 168)\n    return true // 192.168/16 private\n  if (a === 192 && b === 0 && parts[2] === 0)\n    return true // 192.0.0/24 IETF\n  if (a === 198 && (b === 18 || b === 19))\n    return true // 198.18/15 benchmark\n  if (a >= 224)\n    return true // multicast + reserved (224/4, 240/4)\n  return false\n}\n\nfunction isBlockedIPv6(ip: string): boolean {\n  const lower = ip.toLowerCase()\n  // Normalise IPv4-mapped (::ffff:1.2.3.4) — recurse on the v4 tail. URL\n  // parsing tends to canonicalise the dotted form into the hex pair\n  // `::ffff:a9fe:a9fe`, so accept both shapes.\n  const v4MappedDotted = lower.match(/^::ffff:([0-9.]+)$/)\n  if (v4MappedDotted)\n    return isBlockedIPv4(v4MappedDotted[1]!)\n  const v4MappedHex = lower.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/)\n  if (v4MappedHex) {\n    const hi = Number.parseInt(v4MappedHex[1]!, 16)\n    const lo = Number.parseInt(v4MappedHex[2]!, 16)\n    const ipv4 = `${(hi >> 8) & 0xFF}.${hi & 0xFF}.${(lo >> 8) & 0xFF}.${lo & 0xFF}`\n    return isBlockedIPv4(ipv4)\n  }\n  if (lower === '::' || lower === '::1')\n    return true\n  // fc00::/7 unique-local (covers fc.. and fd..)\n  if (/^f[cd][0-9a-f]{0,2}:/.test(lower))\n    return true\n  // fe80::/10 link-local\n  if (/^fe[89ab][0-9a-f]?:/.test(lower))\n    return true\n  // ff00::/8 multicast\n  if (lower.startsWith('ff'))\n    return true\n  return false\n}\n\nexport function isBlockedAddress(ip: string): boolean {\n  const family = isIP(ip)\n  if (family === 4)\n    return isBlockedIPv4(ip)\n  if (family === 6)\n    return isBlockedIPv6(ip)\n  return true // not a recognised IP literal — refuse\n}\n\n/**\n * Normalize a hostname for allowlist comparison: lowercase, strip a trailing\n * dot (FQDN root) and IPv6 brackets, drop a leading dot on allowlist entries.\n */\nfunction normalizeHost(host: string): string {\n  let h = host.trim().toLowerCase()\n  if (h.startsWith('[') && h.endsWith(']'))\n    h = h.slice(1, -1)\n  if (h.endsWith('.'))\n    h = h.slice(0, -1)\n  if (h.startsWith('.'))\n    h = h.slice(1)\n  return h\n}\n\n/**\n * Site identity for cross-host redirect detection: the lowercased hostname\n * with a leading `www.` stripped, so `example.com` ⇄ `www.example.com` and a\n * path-only redirect aren't flagged as cross-host. Returns `null` for an\n * unparseable URL (caller skips the note rather than guessing).\n */\nfunction sameSiteHost(url: string): string | null {\n  try {\n    return new URL(url).hostname.toLowerCase().replace(/^www\\./, '')\n  }\n  catch {\n    return null\n  }\n}\n\n/**\n * Host-suffix allowlist check. An empty / undefined list means \"no allowlist\"\n * → every host passes (the SSRF blocklist is the only gate). Otherwise the\n * host must equal, or be a subdomain of, one of the entries. Subdomain match\n * is on a dot boundary so `example.com` matches `docs.example.com` but not\n * `notexample.com`.\n */\nexport function isHostAllowed(hostname: string, allowHosts: readonly string[] | undefined): boolean {\n  if (!allowHosts || allowHosts.length === 0)\n    return true\n  const host = normalizeHost(hostname)\n  for (const entry of allowHosts) {\n    const allowed = normalizeHost(entry)\n    if (allowed.length === 0)\n      continue\n    if (host === allowed || host.endsWith(`.${allowed}`))\n      return true\n  }\n  return false\n}\n\n/**\n * Resolve `hostname` and refuse if any answer falls in a blocked range.\n *\n * Returns the first allowed `{ address, family }` so the caller can pin\n * the connection to it. Throws on any blocked answer so a multi-record\n * response with one private record fails closed.\n */\nasync function resolveAndCheck(hostname: string, allowHosts?: readonly string[]): Promise<{ address: string, family: 4 | 6 }> {\n  // Egress allowlist (when configured) gates BEFORE DNS so a non-approved\n  // host never even triggers a lookup. Enforced here so every redirect hop\n  // is re-checked, not just the initial URL.\n  if (!isHostAllowed(hostname, allowHosts))\n    throw new Error(`refused: ${hostname} is not in the configured egress allowlist`)\n  // `URL.hostname` keeps brackets around IPv6 literals (`[::1]`) — strip them\n  // before the IP check so `isIP` recognises the literal and `dns.lookup`\n  // doesn't try to resolve `[::1]` as a name.\n  const bare = hostname.startsWith('[') && hostname.endsWith(']')\n    ? hostname.slice(1, -1)\n    : hostname\n  const family = isIP(bare)\n  if (family === 4 || family === 6) {\n    if (isBlockedAddress(bare))\n      throw new Error(`refused: ${bare} is in a blocked range`)\n    return { address: bare, family }\n  }\n  const answers = await dns.lookup(bare, { all: true, verbatim: true })\n  if (answers.length === 0)\n    throw new Error(`DNS lookup returned no records for ${bare}`)\n  for (const { address } of answers) {\n    if (isBlockedAddress(address))\n      throw new Error(`refused: ${bare} resolves to blocked address ${address}`)\n  }\n  const first = answers[0]!\n  const fam = first.family === 6 ? 6 : 4\n  return { address: first.address, family: fam }\n}\n\n/**\n * Pinned HTTP/HTTPS request. Connects to `pinnedIp` directly (bypassing\n * Node/Bun's own DNS resolution) while preserving the `Host:` header and\n * (for HTTPS) TLS SNI on the URL's original hostname. This is the\n * concrete defense against DNS rebinding — see the file-level docstring.\n *\n * Reads up to `maxBufferBytes` of body and then forcibly closes the\n * connection. The body is decoded as UTF-8; binary responses degrade to\n * mojibake but the tool's contract is text payloads anyway.\n */\ninterface PinnedResponse {\n  status: number\n  url: string\n  contentType: string\n  body: string\n  location: string | null\n  /**\n   * True when the body was cut at `maxBufferBytes` before the server\n   * finished sending. Optional so test seams that stub `requestImpl`\n   * don't have to populate it; absent means \"not truncated\".\n   */\n  truncated?: boolean\n}\n\nfunction buildHostHeader(url: URL): string {\n  if (!url.port)\n    return url.hostname\n  const defaultPort = url.protocol === 'https:' ? '443' : '80'\n  return url.port === defaultPort ? url.hostname : `${url.hostname}:${url.port}`\n}\n\nexport function pinnedRequest(\n  url: URL,\n  pinnedIp: string,\n  family: 4 | 6,\n  headers: Record<string, string>,\n  signal: AbortSignal,\n  maxBufferBytes: number,\n): Promise<PinnedResponse> {\n  return new Promise((resolve, reject) => {\n    const isHttps = url.protocol === 'https:'\n    const port = url.port\n      ? Number.parseInt(url.port, 10)\n      : (isHttps ? 443 : 80)\n\n    // `host` is the literal IP, `servername` is the original hostname so\n    // TLS cert verification still matches the cert's SAN/CN against the\n    // user-visible name. Node uses `servername` for `checkServerIdentity`\n    // automatically when set.\n    const options: HttpRequestOptions & HttpsRequestOptions = {\n      host: pinnedIp,\n      port,\n      path: `${url.pathname}${url.search}`,\n      method: 'GET',\n      family,\n      headers: { ...headers, Host: buildHostHeader(url) },\n      ...(isHttps ? { servername: url.hostname } : {}),\n    }\n\n    const request = isHttps ? httpsRequest : httpRequest\n    const chunks: Buffer[] = []\n    let received = 0\n    // Single-shot settle guard. Bun's `node:http` is quirky around\n    // `req.destroy(err)` — passing an error doesn't reliably surface as an\n    // `error` event the way it does on Node. We track the settle state\n    // ourselves and call `resolve` / `reject` directly from the abort /\n    // timeout paths so the promise terminates even when the underlying\n    // socket teardown is silent.\n    let settled = false\n    // Forward-declared so the `finish` / abort / timeout handlers can\n    // close over `req` before it's assigned below. The request object is\n    // wired into them via mutable refs because the handlers must be set\n    // up *before* `request(options, callback)` fires its first event.\n    let req: ReturnType<typeof httpRequest> | undefined\n    let timer: ReturnType<typeof setTimeout> | undefined\n\n    const teardown = (): void => {\n      try { req?.destroy() }\n      catch { /* tear-down best effort */ }\n    }\n\n    const finish = (settler: () => void): void => {\n      if (settled)\n        return\n      settled = true\n      if (timer)\n        clearTimeout(timer)\n      signal.removeEventListener('abort', onSignalAbort)\n      settler()\n    }\n\n    function onSignalAbort(): void {\n      finish(() => reject(new Error('request aborted')))\n      teardown()\n    }\n\n    // Pre-aborted signal — short-circuit so we don't even open a socket.\n    // (This is the realistic shape when a user hits Ctrl+C while the agent\n    // is already shutting down: the signal is `.aborted` by the time the\n    // tool function runs.)\n    if (signal.aborted) {\n      reject(new Error('request aborted'))\n      return\n    }\n\n    timer = setTimeout(() => {\n      finish(() => reject(new Error(`request timed out after ${HTTP_TIMEOUT_MS}ms`)))\n      teardown()\n    }, HTTP_TIMEOUT_MS)\n\n    signal.addEventListener('abort', onSignalAbort, { once: true })\n\n    req = request(options, (res) => {\n      const status = res.statusCode ?? 0\n      const headersOut = res.headers\n      const contentType = (headersOut['content-type'] ?? '').toString().toLowerCase()\n      const location = typeof headersOut.location === 'string' ? headersOut.location : null\n\n      // Short-circuit on redirect responses — body is irrelevant.\n      if (status >= 300 && status < 400 && location) {\n        res.resume() // drain so the socket can be released\n        finish(() => resolve({ status, url: url.toString(), contentType, body: '', location }))\n        return\n      }\n\n      let bodyTruncated = false\n      res.on('data', (chunk: Buffer) => {\n        if (received >= maxBufferBytes) {\n          // Stop accumulating; tear the socket down so the server stops\n          // sending. We still resolve cleanly from `end` (or `close` if\n          // the server doesn't finish flushing before the kill lands).\n          bodyTruncated = true\n          teardown()\n          return\n        }\n        // Keep only what fits in the budget — a chunk straddling the cap\n        // would otherwise overshoot it by up to one chunk. A partial slice\n        // means the body was cut, so flag it and stop the transfer.\n        const room = maxBufferBytes - received\n        if (chunk.length > room) {\n          chunks.push(chunk.subarray(0, room))\n          received += room\n          bodyTruncated = true\n          teardown()\n          return\n        }\n        received += chunk.length\n        chunks.push(chunk)\n      })\n      res.on('end', () => {\n        const body = Buffer.concat(chunks).toString('utf-8')\n        finish(() => resolve({ status, url: url.toString(), contentType, body, location: null, truncated: bodyTruncated }))\n      })\n      res.on('close', () => {\n        // Socket torn down before `end` (e.g. when our maxBufferBytes\n        // trigger destroyed the request). Resolve with whatever we\n        // buffered so far — `truncated` tells the caller the body is cut.\n        if (!settled) {\n          const body = Buffer.concat(chunks).toString('utf-8')\n          finish(() => resolve({ status, url: url.toString(), contentType, body, location: null, truncated: bodyTruncated }))\n        }\n      })\n      res.on('error', err => finish(() => reject(err)))\n    })\n\n    req.on('error', (err: Error) => finish(() => reject(err)))\n    req.end()\n  })\n}\n\n/**\n * Walk up to {@link MAX_REDIRECTS} hops, validating the target host of each\n * 3xx response against the SSRF blocklist before following.\n *\n * `deps` is an internal seam for tests — production callers use the\n * defaults. Both knobs are intentionally opaque: hosts that want to\n * customize the blocklist should use a higher-level mechanism (a future\n * `behavior.fetchUrlAllowHosts` setting) rather than reaching into this.\n */\nexport interface FetchSsrfDeps {\n  /** Resolve + validate a hostname. Defaults to {@link resolveAndCheck}. */\n  resolver?: (hostname: string) => Promise<{ address: string, family: 4 | 6 }>\n  /** Execute a single pinned HTTP request. Defaults to {@link pinnedRequest}. */\n  requestImpl?: typeof pinnedRequest\n}\n\nexport async function fetchWithSsrfGuard(\n  startUrl: URL,\n  headers: Record<string, string>,\n  signal: AbortSignal,\n  maxBufferBytes: number,\n  deps: FetchSsrfDeps = {},\n  allowHosts?: readonly string[],\n): Promise<PinnedResponse> {\n  // Default resolver binds the egress allowlist; a test-injected resolver\n  // owns its own policy.\n  const resolver = deps.resolver ?? ((hostname: string) => resolveAndCheck(hostname, allowHosts))\n  const requestImpl = deps.requestImpl ?? pinnedRequest\n  let current = startUrl\n  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {\n    const { address, family } = await resolver(current.hostname)\n    const res = await requestImpl(current, address, family, headers, signal, maxBufferBytes)\n    if (!res.location)\n      return res\n    if (hop === MAX_REDIRECTS)\n      throw new Error(`too many redirects (>${MAX_REDIRECTS})`)\n    let next: URL\n    try {\n      next = new URL(res.location, current)\n    }\n    catch {\n      throw new Error(`invalid redirect target: ${res.location}`)\n    }\n    if (next.protocol !== 'http:' && next.protocol !== 'https:')\n      throw new Error(`refused redirect to non-http(s) target: ${next.protocol}`)\n    current = next\n  }\n  throw new Error('redirect loop exited unexpectedly')\n}\n\n/**\n * Opt-in, process-local response cache for `fetch_url`. Disabled unless\n * `behavior.fetchUrlCacheTtlMs` is set (> 0). Bounded by entry count and total\n * cached bytes; eviction is oldest-first (insertion order via `Map`, which is\n * a good-enough LRU because we delete-then-set on hit to refresh recency).\n *\n * Keyed on `<url>\\u0000<cap>\\u0000<egress-policy>` so two calls with different\n * `max_bytes` (hence different truncation) don't alias, and — because the\n * cache is module-global — an agent with a permissive `fetchUrlAllowHosts`\n * can't populate entries that a co-resident agent with a stricter allowlist\n * would then be served. Only successful text responses are stored — the\n * caller gates on status before writing.\n */\nconst FETCH_CACHE_MAX_ENTRIES = 64\nconst FETCH_CACHE_MAX_BYTES = 16 * 1024 * 1024 // 16 MiB total\n\ninterface FetchCacheEntry {\n  /** Fully-formatted tool output (header + body) ready to return verbatim. */\n  output: string\n  expiresAt: number\n  bytes: number\n}\n\nconst fetchCache = new Map<string, FetchCacheEntry>()\nlet fetchCacheBytes = 0\n\nfunction cacheKey(url: string, cap: number, allowHosts?: readonly string[]): string {\n  // Normalize + sort so equivalent policies (`['A.com', 'b.com']` vs\n  // `['b.com', 'a.com.']`) share entries; an absent/empty allowlist keys\n  // as the empty policy.\n  const policy = (allowHosts ?? []).map(normalizeHost).sort().join(',')\n  return `${url}\\u0000${cap}\\u0000${policy}`\n}\n\nfunction cacheGet(key: string): string | null {\n  const entry = fetchCache.get(key)\n  if (!entry)\n    return null\n  if (Date.now() >= entry.expiresAt) {\n    fetchCache.delete(key)\n    fetchCacheBytes -= entry.bytes\n    return null\n  }\n  // Refresh recency: re-insert at the tail of the Map's iteration order.\n  fetchCache.delete(key)\n  fetchCache.set(key, entry)\n  return entry.output\n}\n\nfunction cacheSet(key: string, output: string, ttlMs: number): void {\n  const bytes = Buffer.byteLength(output, 'utf-8')\n  // A single oversize payload that can't fit under the byte cap is simply not\n  // cached (still returned to the caller) rather than evicting everything.\n  if (bytes > FETCH_CACHE_MAX_BYTES)\n    return\n  // Drop any stale entry for this key first so the byte accounting stays exact.\n  const prev = fetchCache.get(key)\n  if (prev) {\n    fetchCache.delete(key)\n    fetchCacheBytes -= prev.bytes\n  }\n  fetchCache.set(key, { output, expiresAt: Date.now() + ttlMs, bytes })\n  fetchCacheBytes += bytes\n  // Evict oldest-first until both caps are satisfied.\n  while (fetchCache.size > FETCH_CACHE_MAX_ENTRIES || fetchCacheBytes > FETCH_CACHE_MAX_BYTES) {\n    const oldest = fetchCache.keys().next().value\n    if (oldest === undefined)\n      break\n    const victim = fetchCache.get(oldest)!\n    fetchCache.delete(oldest)\n    fetchCacheBytes -= victim.bytes\n  }\n}\n\n/** Test seam — drop all cached entries. */\nexport function clearFetchUrlCache(): void {\n  fetchCache.clear()\n  fetchCacheBytes = 0\n}\n\n/**\n * Test seam — exercise the cache get/set/eviction in isolation without\n * standing up the full SSRF + HTTP path. Not part of the public tool surface;\n * `execute` uses the module-private functions directly.\n */\nexport const __fetchCacheTestApi = {\n  key: cacheKey,\n  get: cacheGet,\n  set: cacheSet,\n  size: () => fetchCache.size,\n  bytes: () => fetchCacheBytes,\n}\n\nexport const fetchUrl: ToolDef = {\n  isConcurrencySafe: true,\n  spec: {\n    name: 'fetch_url',\n    description: 'Fetch a public URL and return its body as plain text. HTML is reduced to text (scripts, styles, tags stripped; entities decoded). If a `web_search` tool is also available, use it first to find the URL. Only http(s) URLs are accepted; loopback, link-local, private, and cloud-metadata addresses are refused. Output is capped (default 200 KiB).',\n    inputSchema: {\n      type: 'object',\n      properties: {\n        url: {\n          type: 'string',\n          description: 'HTTP or HTTPS URL to fetch.',\n        },\n        max_bytes: {\n          type: 'number',\n          description: `Truncate the response body beyond this many bytes. Default: ${DEFAULT_MAX_BYTES}. Hard cap: ${HARD_MAX_BYTES}.`,\n        },\n      },\n      required: ['url'],\n    },\n  },\n  async execute({ url, max_bytes }, ctx: ToolContext) {\n    const raw = typeof url === 'string' ? url.trim() : ''\n    if (!raw)\n      return 'fetch_url error: `url` is required'\n    let parsed: URL\n    try {\n      parsed = new URL(raw)\n    }\n    catch {\n      return `fetch_url error: invalid URL: ${raw}`\n    }\n    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')\n      return `fetch_url error: only http(s) URLs are allowed (got ${parsed.protocol})`\n\n    const cap = Math.min(\n      typeof max_bytes === 'number' && max_bytes > 0 ? Math.floor(max_bytes) : DEFAULT_MAX_BYTES,\n      HARD_MAX_BYTES,\n    )\n    // Buffer up to 2× the cap so HTML overhead doesn't starve the visible\n    // text budget — a 200 KiB cap on rendered text can legitimately need to\n    // read ~400 KiB of raw HTML before stripping. Hard ceiling is still\n    // governed by `HARD_MAX_BYTES * 2` which is comfortably below OOM.\n    const bufferCap = Math.min(cap * 2, HARD_MAX_BYTES * 2)\n\n    // Opt-in response cache (off unless `behavior.fetchUrlCacheTtlMs > 0`).\n    // The egress allowlist is part of the key AND re-checked before serving\n    // a hit — the cache is module-global, so neither a policy change within\n    // an agent nor a co-resident agent's entries may bypass this agent's\n    // allowlist.\n    const allowHosts = ctx.behavior?.fetchUrlAllowHosts\n    const ttlMs = ctx.behavior?.fetchUrlCacheTtlMs\n    const cacheEnabled = typeof ttlMs === 'number' && ttlMs > 0\n    const key = cacheKey(parsed.toString(), cap, allowHosts)\n    if (cacheEnabled && isHostAllowed(parsed.hostname, allowHosts)) {\n      const hit = cacheGet(key)\n      if (hit !== null)\n        return hit\n    }\n\n    try {\n      const res = await fetchWithSsrfGuard(\n        parsed,\n        {\n          'user-agent': 'Mozilla/5.0 (compatible; zidane/1.0)',\n          'accept': 'text/html,text/plain,application/json;q=0.9,*/*;q=0.5',\n          'accept-encoding': 'identity', // no gzip — we don't decompress\n        },\n        ctx.signal,\n        bufferCap,\n        {},\n        allowHosts,\n      )\n      const body = res.body\n      const isHtml = res.contentType.includes('html') || /^\\s*<!doctype html|^\\s*<html/i.test(body)\n      const text = isHtml ? stripHtmlBlock(body) : body\n      const truncated = text.length > cap\n      // Two distinct truncation reasons: the rendered text overflowing `cap`,\n      // and the raw transfer being cut at the buffer ceiling (`res.truncated`)\n      // — the latter can leave the rendered text under `cap` (HTML overhead\n      // stripped away), so it needs its own marker or the model would treat\n      // a partial body as complete.\n      const out = truncated\n        ? `${text.slice(0, cap)}\\n\\n[truncated at ${cap} bytes; full length ${text.length}]`\n        : res.truncated\n          ? `${text}\\n\\n[response truncated: body exceeded the ${bufferCap}-byte transfer buffer]`\n          : text\n      // `res.url` reflects the FINAL hop after redirects; flag a cross-host\n      // landing so the model knows the content came from a different origin\n      // than it asked for (open-redirect awareness). Same-host path changes\n      // and www add/strip are treated as the same site and not flagged.\n      const finalHost = sameSiteHost(res.url)\n      const requestedHost = sameSiteHost(parsed.toString())\n      const redirectNote = finalHost && requestedHost && finalHost !== requestedHost\n        ? `Note: ${parsed.hostname} redirected to a different host (${new URL(res.url).hostname}).\\n`\n        : ''\n      const header = `URL: ${res.url}\\nStatus: ${res.status}\\nContent-Type: ${res.contentType || '(none)'}\\n${redirectNote}\\n`\n      const formatted = header + out\n      // Cache only successful, complete text responses — never errors /\n      // redirects / transfer-truncated bodies (a retry may get the rest).\n      if (cacheEnabled && res.status >= 200 && res.status < 300 && res.truncated !== true)\n        cacheSet(key, formatted, ttlMs)\n      return formatted\n    }\n    catch (err) {\n      return `fetch_url error: ${errorMessage(err)}`\n    }\n  },\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAqBA,MAAM,iBAAyC;CAC7C,KAAK;CACL,MAAM;CACN,MAAM;CACN,MAAM;CACN,MAAM;CACN,MAAM;CACN,IAAI;CACJ,QAAQ;CACR,OAAO;CACP,OAAO;CACP,OAAO;CACP,IAAI;CACJ,OAAO;CACP,QAAQ;CACR,MAAM;CACN,OAAO;CACP,MAAM;CACN,OAAO;CACP,OAAO;CACP,KAAK;CACL,OAAO;CACP,QAAQ;CACR,OAAO;AACT;;;;;;;AAQA,SAAS,kBAAkB,IAAoB;CAC7C,IAAI,CAAC,OAAO,SAAS,EAAE,KAAK,KAAK,KAAK,KAAK,SACzC,OAAO;CACT,IAAI;EACF,OAAO,OAAO,cAAc,EAAE;CAChC,QACM;EACJ,OAAO;CACT;AACF;;;;;;;;;;AAWA,SAAgB,mBAAmB,MAAsB;CACvD,IAAI,IAAI,KACL,QAAQ,sBAAsB,GAAG,MAAM,kBAAkB,OAAO,SAAS,GAAG,EAAE,CAAC,CAAC,EAChF,QAAQ,cAAc,GAAG,MAAM,kBAAkB,OAAO,SAAS,GAAG,EAAE,CAAC,CAAC;CAC3E,IAAI,EAAE,QAAQ,yBAAyB,MAAM,SAAS;EACpD,MAAM,MAAM,KAAK,YAAY;EAE7B,IAAI,QAAQ,OACV,OAAO;EAET,OADoB,eAAe,QACb;CACxB,CAAC;CACD,OAAO,EAAE,QAAQ,WAAW,GAAG;AACjC;;;;;;;AAQA,SAAgB,UAAU,MAAsB;CAC9C,OAAO,KACJ,QAAQ,+BAA+B,GAAG,EAC1C,QAAQ,6BAA6B,GAAG,EACxC,QAAQ,mCAAmC,GAAG,EAC9C,QAAQ,oBAAoB,GAAG,EAC/B,QAAQ,sCAAsC,IAAI,EAClD,QAAQ,YAAY,GAAG;AAC5B;;;;;;AAOA,SAAgB,gBAAgB,MAAsB;CACpD,OAAO,mBAAmB,UAAU,IAAI,CAAC,EACtC,QAAQ,QAAQ,GAAG,EACnB,KAAK;AACV;;;;;;AAOA,SAAgB,eAAe,MAAsB;CACnD,OAAO,mBAAmB,UAAU,IAAI,CAAC,EACtC,MAAM,IAAI,EACV,KAAI,SAAQ,KAAK,QAAQ,WAAW,GAAG,EAAE,KAAK,CAAC,EAC/C,QAAO,SAAQ,KAAK,SAAS,CAAC,EAC9B,KAAK,IAAI;AACd;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AChFA,MAAM,oBAAoB,MAAM;AAChC,MAAM,iBAAiB,OAAO;AAC9B,MAAM,kBAAkB;AACxB,MAAM,gBAAgB;;;;;;;AAQtB,SAAS,cAAc,IAAqB;CAC1C,MAAM,QAAQ,GAAG,MAAM,GAAG,EAAE,IAAI,MAAM;CACtC,IAAI,MAAM,WAAW,KAAK,MAAM,MAAK,MAAK,CAAC,OAAO,UAAU,CAAC,KAAK,IAAI,KAAK,IAAI,GAAG,GAChF,OAAO;CACT,MAAM,CAAC,GAAG,KAAK;CACf,IAAI,MAAM,GACR,OAAO;CACT,IAAI,MAAM,IACR,OAAO;CACT,IAAI,MAAM,KACR,OAAO;CACT,IAAI,MAAM,OAAO,MAAM,KACrB,OAAO;CACT,IAAI,MAAM,OAAO,KAAK,MAAM,KAAK,IAC/B,OAAO;CACT,IAAI,MAAM,OAAO,MAAM,KACrB,OAAO;CACT,IAAI,MAAM,OAAO,MAAM,KAAK,MAAM,OAAO,GACvC,OAAO;CACT,IAAI,MAAM,QAAQ,MAAM,MAAM,MAAM,KAClC,OAAO;CACT,IAAI,KAAK,KACP,OAAO;CACT,OAAO;AACT;AAEA,SAAS,cAAc,IAAqB;CAC1C,MAAM,QAAQ,GAAG,YAAY;CAI7B,MAAM,iBAAiB,MAAM,MAAM,oBAAoB;CACvD,IAAI,gBACF,OAAO,cAAc,eAAe,EAAG;CACzC,MAAM,cAAc,MAAM,MAAM,0CAA0C;CAC1E,IAAI,aAAa;EACf,MAAM,KAAK,OAAO,SAAS,YAAY,IAAK,EAAE;EAC9C,MAAM,KAAK,OAAO,SAAS,YAAY,IAAK,EAAE;EAE9C,OAAO,cAAc,GADJ,MAAM,IAAK,IAAK,GAAG,KAAK,IAAK,GAAI,MAAM,IAAK,IAAK,GAAG,KAAK,KACjD;CAC3B;CACA,IAAI,UAAU,QAAQ,UAAU,OAC9B,OAAO;CAET,IAAI,uBAAuB,KAAK,KAAK,GACnC,OAAO;CAET,IAAI,sBAAsB,KAAK,KAAK,GAClC,OAAO;CAET,IAAI,MAAM,WAAW,IAAI,GACvB,OAAO;CACT,OAAO;AACT;AAEA,SAAgB,iBAAiB,IAAqB;CACpD,MAAM,SAAS,KAAK,EAAE;CACtB,IAAI,WAAW,GACb,OAAO,cAAc,EAAE;CACzB,IAAI,WAAW,GACb,OAAO,cAAc,EAAE;CACzB,OAAO;AACT;;;;;AAMA,SAAS,cAAc,MAAsB;CAC3C,IAAI,IAAI,KAAK,KAAK,EAAE,YAAY;CAChC,IAAI,EAAE,WAAW,GAAG,KAAK,EAAE,SAAS,GAAG,GACrC,IAAI,EAAE,MAAM,GAAG,EAAE;CACnB,IAAI,EAAE,SAAS,GAAG,GAChB,IAAI,EAAE,MAAM,GAAG,EAAE;CACnB,IAAI,EAAE,WAAW,GAAG,GAClB,IAAI,EAAE,MAAM,CAAC;CACf,OAAO;AACT;;;;;;;AAQA,SAAS,aAAa,KAA4B;CAChD,IAAI;EACF,OAAO,IAAI,IAAI,GAAG,EAAE,SAAS,YAAY,EAAE,QAAQ,UAAU,EAAE;CACjE,QACM;EACJ,OAAO;CACT;AACF;;;;;;;;AASA,SAAgB,cAAc,UAAkB,YAAoD;CAClG,IAAI,CAAC,cAAc,WAAW,WAAW,GACvC,OAAO;CACT,MAAM,OAAO,cAAc,QAAQ;CACnC,KAAK,MAAM,SAAS,YAAY;EAC9B,MAAM,UAAU,cAAc,KAAK;EACnC,IAAI,QAAQ,WAAW,GACrB;EACF,IAAI,SAAS,WAAW,KAAK,SAAS,IAAI,SAAS,GACjD,OAAO;CACX;CACA,OAAO;AACT;;;;;;;;AASA,eAAe,gBAAgB,UAAkB,YAA6E;CAI5H,IAAI,CAAC,cAAc,UAAU,UAAU,GACrC,MAAM,IAAI,MAAM,YAAY,SAAS,2CAA2C;CAIlF,MAAM,OAAO,SAAS,WAAW,GAAG,KAAK,SAAS,SAAS,GAAG,IAC1D,SAAS,MAAM,GAAG,EAAE,IACpB;CACJ,MAAM,SAAS,KAAK,IAAI;CACxB,IAAI,WAAW,KAAK,WAAW,GAAG;EAChC,IAAI,iBAAiB,IAAI,GACvB,MAAM,IAAI,MAAM,YAAY,KAAK,uBAAuB;EAC1D,OAAO;GAAE,SAAS;GAAM;EAAO;CACjC;CACA,MAAM,UAAU,MAAMA,SAAI,OAAO,MAAM;EAAE,KAAK;EAAM,UAAU;CAAK,CAAC;CACpE,IAAI,QAAQ,WAAW,GACrB,MAAM,IAAI,MAAM,sCAAsC,MAAM;CAC9D,KAAK,MAAM,EAAE,aAAa,SACxB,IAAI,iBAAiB,OAAO,GAC1B,MAAM,IAAI,MAAM,YAAY,KAAK,+BAA+B,SAAS;CAE7E,MAAM,QAAQ,QAAQ;CACtB,MAAM,MAAM,MAAM,WAAW,IAAI,IAAI;CACrC,OAAO;EAAE,SAAS,MAAM;EAAS,QAAQ;CAAI;AAC/C;AA0BA,SAAS,gBAAgB,KAAkB;CACzC,IAAI,CAAC,IAAI,MACP,OAAO,IAAI;CACb,MAAM,cAAc,IAAI,aAAa,WAAW,QAAQ;CACxD,OAAO,IAAI,SAAS,cAAc,IAAI,WAAW,GAAG,IAAI,SAAS,GAAG,IAAI;AAC1E;AAEA,SAAgB,cACd,KACA,UACA,QACA,SACA,QACA,gBACyB;CACzB,OAAO,IAAI,SAAS,SAAS,WAAW;EACtC,MAAM,UAAU,IAAI,aAAa;EASjC,MAAM,UAAoD;GACxD,MAAM;GACN,MAVW,IAAI,OACb,OAAO,SAAS,IAAI,MAAM,EAAE,IAC3B,UAAU,MAAM;GASnB,MAAM,GAAG,IAAI,WAAW,IAAI;GAC5B,QAAQ;GACR;GACA,SAAS;IAAE,GAAG;IAAS,MAAM,gBAAgB,GAAG;GAAE;GAClD,GAAI,UAAU,EAAE,YAAY,IAAI,SAAS,IAAI,CAAC;EAChD;EAEA,MAAMC,YAAU,UAAUC,YAAeC;EACzC,MAAM,SAAmB,CAAC;EAC1B,IAAI,WAAW;EAOf,IAAI,UAAU;EAKd,IAAI;EACJ,IAAI;EAEJ,MAAM,iBAAuB;GAC3B,IAAI;IAAE,KAAK,QAAQ;GAAE,QACf,CAA8B;EACtC;EAEA,MAAM,UAAU,YAA8B;GAC5C,IAAI,SACF;GACF,UAAU;GACV,IAAI,OACF,aAAa,KAAK;GACpB,OAAO,oBAAoB,SAAS,aAAa;GACjD,QAAQ;EACV;EAEA,SAAS,gBAAsB;GAC7B,aAAa,uBAAO,IAAI,MAAM,iBAAiB,CAAC,CAAC;GACjD,SAAS;EACX;EAMA,IAAI,OAAO,SAAS;GAClB,uBAAO,IAAI,MAAM,iBAAiB,CAAC;GACnC;EACF;EAEA,QAAQ,iBAAiB;GACvB,aAAa,uBAAO,IAAI,MAAM,2BAA2B,gBAAgB,GAAG,CAAC,CAAC;GAC9E,SAAS;EACX,GAAG,eAAe;EAElB,OAAO,iBAAiB,SAAS,eAAe,EAAE,MAAM,KAAK,CAAC;EAE9D,MAAMF,UAAQ,UAAU,QAAQ;GAC9B,MAAM,SAAS,IAAI,cAAc;GACjC,MAAM,aAAa,IAAI;GACvB,MAAM,eAAe,WAAW,mBAAmB,IAAI,SAAS,EAAE,YAAY;GAC9E,MAAM,WAAW,OAAO,WAAW,aAAa,WAAW,WAAW,WAAW;GAGjF,IAAI,UAAU,OAAO,SAAS,OAAO,UAAU;IAC7C,IAAI,OAAO;IACX,aAAa,QAAQ;KAAE;KAAQ,KAAK,IAAI,SAAS;KAAG;KAAa,MAAM;KAAI;IAAS,CAAC,CAAC;IACtF;GACF;GAEA,IAAI,gBAAgB;GACpB,IAAI,GAAG,SAAS,UAAkB;IAChC,IAAI,YAAY,gBAAgB;KAI9B,gBAAgB;KAChB,SAAS;KACT;IACF;IAIA,MAAM,OAAO,iBAAiB;IAC9B,IAAI,MAAM,SAAS,MAAM;KACvB,OAAO,KAAK,MAAM,SAAS,GAAG,IAAI,CAAC;KACnC,YAAY;KACZ,gBAAgB;KAChB,SAAS;KACT;IACF;IACA,YAAY,MAAM;IAClB,OAAO,KAAK,KAAK;GACnB,CAAC;GACD,IAAI,GAAG,aAAa;IAClB,MAAM,OAAO,OAAO,OAAO,MAAM,EAAE,SAAS,OAAO;IACnD,aAAa,QAAQ;KAAE;KAAQ,KAAK,IAAI,SAAS;KAAG;KAAa;KAAM,UAAU;KAAM,WAAW;IAAc,CAAC,CAAC;GACpH,CAAC;GACD,IAAI,GAAG,eAAe;IAIpB,IAAI,CAAC,SAAS;KACZ,MAAM,OAAO,OAAO,OAAO,MAAM,EAAE,SAAS,OAAO;KACnD,aAAa,QAAQ;MAAE;MAAQ,KAAK,IAAI,SAAS;MAAG;MAAa;MAAM,UAAU;MAAM,WAAW;KAAc,CAAC,CAAC;IACpH;GACF,CAAC;GACD,IAAI,GAAG,UAAS,QAAO,aAAa,OAAO,GAAG,CAAC,CAAC;EAClD,CAAC;EAED,IAAI,GAAG,UAAU,QAAe,aAAa,OAAO,GAAG,CAAC,CAAC;EACzD,IAAI,IAAI;CACV,CAAC;AACH;AAkBA,eAAsB,mBACpB,UACA,SACA,QACA,gBACA,OAAsB,CAAC,GACvB,YACyB;CAGzB,MAAM,WAAW,KAAK,cAAc,aAAqB,gBAAgB,UAAU,UAAU;CAC7F,MAAM,cAAc,KAAK,eAAe;CACxC,IAAI,UAAU;CACd,KAAK,IAAI,MAAM,GAAG,OAAO,eAAe,OAAO;EAC7C,MAAM,EAAE,SAAS,WAAW,MAAM,SAAS,QAAQ,QAAQ;EAC3D,MAAM,MAAM,MAAM,YAAY,SAAS,SAAS,QAAQ,SAAS,QAAQ,cAAc;EACvF,IAAI,CAAC,IAAI,UACP,OAAO;EACT,IAAI,QAAQ,eACV,MAAM,IAAI,MAAM,wBAAwB,cAAc,EAAE;EAC1D,IAAI;EACJ,IAAI;GACF,OAAO,IAAI,IAAI,IAAI,UAAU,OAAO;EACtC,QACM;GACJ,MAAM,IAAI,MAAM,4BAA4B,IAAI,UAAU;EAC5D;EACA,IAAI,KAAK,aAAa,WAAW,KAAK,aAAa,UACjD,MAAM,IAAI,MAAM,2CAA2C,KAAK,UAAU;EAC5E,UAAU;CACZ;CACA,MAAM,IAAI,MAAM,mCAAmC;AACrD;;;;;;;;;;;;;;AAeA,MAAM,0BAA0B;AAChC,MAAM,wBAAwB,KAAK,OAAO;AAS1C,MAAM,6BAAa,IAAI,IAA6B;AACpD,IAAI,kBAAkB;AAEtB,SAAS,SAAS,KAAa,KAAa,YAAwC;CAKlF,OAAO,GAAG,IAAI,QAAQ,IAAI,SADV,cAAc,CAAC,GAAG,IAAI,aAAa,EAAE,KAAK,EAAE,KAAK,GAC1B;AACzC;AAEA,SAAS,SAAS,KAA4B;CAC5C,MAAM,QAAQ,WAAW,IAAI,GAAG;CAChC,IAAI,CAAC,OACH,OAAO;CACT,IAAI,KAAK,IAAI,KAAK,MAAM,WAAW;EACjC,WAAW,OAAO,GAAG;EACrB,mBAAmB,MAAM;EACzB,OAAO;CACT;CAEA,WAAW,OAAO,GAAG;CACrB,WAAW,IAAI,KAAK,KAAK;CACzB,OAAO,MAAM;AACf;AAEA,SAAS,SAAS,KAAa,QAAgB,OAAqB;CAClE,MAAM,QAAQ,OAAO,WAAW,QAAQ,OAAO;CAG/C,IAAI,QAAQ,uBACV;CAEF,MAAM,OAAO,WAAW,IAAI,GAAG;CAC/B,IAAI,MAAM;EACR,WAAW,OAAO,GAAG;EACrB,mBAAmB,KAAK;CAC1B;CACA,WAAW,IAAI,KAAK;EAAE;EAAQ,WAAW,KAAK,IAAI,IAAI;EAAO;CAAM,CAAC;CACpE,mBAAmB;CAEnB,OAAO,WAAW,OAAO,2BAA2B,kBAAkB,uBAAuB;EAC3F,MAAM,SAAS,WAAW,KAAK,EAAE,KAAK,EAAE;EACxC,IAAI,WAAW,KAAA,GACb;EACF,MAAM,SAAS,WAAW,IAAI,MAAM;EACpC,WAAW,OAAO,MAAM;EACxB,mBAAmB,OAAO;CAC5B;AACF;;AAGA,SAAgB,qBAA2B;CACzC,WAAW,MAAM;CACjB,kBAAkB;AACpB;;;;;;AAOA,MAAa,sBAAsB;CACjC,KAAK;CACL,KAAK;CACL,KAAK;CACL,YAAY,WAAW;CACvB,aAAa;AACf;AAEA,MAAa,WAAoB;CAC/B,mBAAmB;CACnB,MAAM;EACJ,MAAM;EACN,aAAa;EACb,aAAa;GACX,MAAM;GACN,YAAY;IACV,KAAK;KACH,MAAM;KACN,aAAa;IACf;IACA,WAAW;KACT,MAAM;KACN,aAAa,+DAA+D,kBAAkB,cAAc,eAAe;IAC7H;GACF;GACA,UAAU,CAAC,KAAK;EAClB;CACF;CACA,MAAM,QAAQ,EAAE,KAAK,aAAa,KAAkB;EAClD,MAAM,MAAM,OAAO,QAAQ,WAAW,IAAI,KAAK,IAAI;EACnD,IAAI,CAAC,KACH,OAAO;EACT,IAAI;EACJ,IAAI;GACF,SAAS,IAAI,IAAI,GAAG;EACtB,QACM;GACJ,OAAO,iCAAiC;EAC1C;EACA,IAAI,OAAO,aAAa,WAAW,OAAO,aAAa,UACrD,OAAO,uDAAuD,OAAO,SAAS;EAEhF,MAAM,MAAM,KAAK,IACf,OAAO,cAAc,YAAY,YAAY,IAAI,KAAK,MAAM,SAAS,IAAI,mBACzE,cACF;EAKA,MAAM,YAAY,KAAK,IAAI,MAAM,GAAG,iBAAiB,CAAC;EAOtD,MAAM,aAAa,IAAI,UAAU;EACjC,MAAM,QAAQ,IAAI,UAAU;EAC5B,MAAM,eAAe,OAAO,UAAU,YAAY,QAAQ;EAC1D,MAAM,MAAM,SAAS,OAAO,SAAS,GAAG,KAAK,UAAU;EACvD,IAAI,gBAAgB,cAAc,OAAO,UAAU,UAAU,GAAG;GAC9D,MAAM,MAAM,SAAS,GAAG;GACxB,IAAI,QAAQ,MACV,OAAO;EACX;EAEA,IAAI;GACF,MAAM,MAAM,MAAM,mBAChB,QACA;IACE,cAAc;IACd,UAAU;IACV,mBAAmB;GACrB,GACA,IAAI,QACJ,WACA,CAAC,GACD,UACF;GACA,MAAM,OAAO,IAAI;GAEjB,MAAM,OADS,IAAI,YAAY,SAAS,MAAM,KAAK,gCAAgC,KAAK,IAAI,IACtE,eAAe,IAAI,IAAI;GAO7C,MAAM,MANY,KAAK,SAAS,MAO5B,GAAG,KAAK,MAAM,GAAG,GAAG,EAAE,oBAAoB,IAAI,sBAAsB,KAAK,OAAO,KAChF,IAAI,YACF,GAAG,KAAK,6CAA6C,UAAU,0BAC/D;GAKN,MAAM,YAAY,aAAa,IAAI,GAAG;GACtC,MAAM,gBAAgB,aAAa,OAAO,SAAS,CAAC;GACpD,MAAM,eAAe,aAAa,iBAAiB,cAAc,gBAC7D,SAAS,OAAO,SAAS,mCAAmC,IAAI,IAAI,IAAI,GAAG,EAAE,SAAS,QACtF;GAEJ,MAAM,YAAY,QADK,IAAI,IAAI,YAAY,IAAI,OAAO,kBAAkB,IAAI,eAAe,SAAS,IAAI,aAAa,MAC1F;GAG3B,IAAI,gBAAgB,IAAI,UAAU,OAAO,IAAI,SAAS,OAAO,IAAI,cAAc,MAC7E,SAAS,KAAK,WAAW,KAAK;GAChC,OAAO;EACT,SACO,KAAK;GACV,OAAO,oBAAoB,aAAa,GAAG;EAC7C;CACF;AACF"}
+{"version":3,"file":"fetch-url-CWE8X5OD.js","names":["dns","request","httpsRequest","httpRequest"],"sources":["../src/tools/_html.ts","../src/tools/fetch-url.ts"],"sourcesContent":["/**\n * Shared HTML → plain-text helpers used by the web-egress tools (`web_search`\n * snippet extraction, `fetch_url` body decoding).\n *\n * Best-effort by contract: a real HTML parser would be more correct but the\n * payload is always model context, never user-facing rendered output, so a\n * tag-stripper plus a curated entity table covers the practical cases\n * (Wikipedia, GitHub READMEs, MDN docs, Stack Overflow answers). When a tool\n * needs richer parsing it should reach for an actual parser rather than\n * extending these helpers ad-hoc.\n */\n\n/**\n * Curated named-entity table. Kept narrow on purpose — the long tail\n * (`&Aring;`, `&times;`, mathematical refs, …) is out of scope because the\n * model handles unknown entities fine when they pass through verbatim. Add\n * entries when an entity is observed mangling real output, not speculatively.\n *\n * Keys are stored without the leading `&` / trailing `;` and matched\n * case-insensitively by the decoder.\n */\nconst NAMED_ENTITIES: Record<string, string> = {\n  amp: '&',\n  apos: '\\'',\n  bull: '•',\n  copy: '\\u00A9',\n  ensp: ' ',\n  emsp: ' ',\n  gt: '>',\n  hellip: '\\u2026',\n  laquo: '\\u00AB',\n  ldquo: '\\u201C',\n  lsquo: '\\u2018',\n  lt: '<',\n  mdash: '\\u2014',\n  middot: '\\u00B7',\n  nbsp: ' ',\n  ndash: '\\u2013',\n  quot: '\"',\n  raquo: '\\u00BB',\n  rdquo: '\\u201D',\n  reg: '\\u00AE',\n  rsquo: '\\u2019',\n  thinsp: ' ',\n  trade: '\\u2122',\n}\n\n/**\n * `String.fromCodePoint` raises on out-of-range / non-finite inputs; the\n * agent's untrusted-payload assumption means we can't let a single broken\n * numeric reference crash the whole decode. Empty string on rejection is\n * the safest outcome (matches what most browsers do for invalid refs).\n */\nfunction safeFromCodePoint(cp: number): string {\n  if (!Number.isFinite(cp) || cp < 0 || cp > 0x10FFFF)\n    return ''\n  try {\n    return String.fromCodePoint(cp)\n  }\n  catch {\n    return ''\n  }\n}\n\n/**\n * Decode numeric character references (`&#x...;` / `&#NNN;`) and the curated\n * subset of named entities in {@link NAMED_ENTITIES}. Unknown named entities\n * are left as-is so the model can detect them rather than seeing a silently\n * corrupted token.\n *\n * `&amp;` is decoded LAST so a double-escaped string like `&amp;lt;` resolves\n * to `&lt;` (not `<`) — that's the spec-correct single-pass decode shape.\n */\nexport function decodeHtmlEntities(text: string): string {\n  let s = text\n    .replace(/&#x([0-9a-f]+);/gi, (_, h) => safeFromCodePoint(Number.parseInt(h, 16)))\n    .replace(/&#(\\d+);/g, (_, n) => safeFromCodePoint(Number.parseInt(n, 10)))\n  s = s.replace(/&([a-z][a-z0-9]*);/gi, (full, name) => {\n    const key = name.toLowerCase()\n    // Defer `amp` so `&amp;lt;` doesn't double-decode in a single pass.\n    if (key === 'amp')\n      return full\n    const replacement = NAMED_ENTITIES[key]\n    return replacement ?? full\n  })\n  return s.replace(/&amp;/gi, '&')\n}\n\n/**\n * Strip `<script>`, `<style>`, `<noscript>`, comments, and every other tag.\n * Block-level openers (`<br>`, `<p>`, `<div>`, `<li>`, `<tr>`, `<h1-6>`) are\n * replaced with newlines so the resulting plaintext preserves readable\n * structure. Other tags collapse to spaces.\n */\nexport function stripHtml(html: string): string {\n  return html\n    .replace(/<script[\\s\\S]*?<\\/script>/gi, ' ')\n    .replace(/<style[\\s\\S]*?<\\/style>/gi, ' ')\n    .replace(/<noscript[\\s\\S]*?<\\/noscript>/gi, ' ')\n    .replace(/<!--[\\s\\S]*?-->/g, ' ')\n    .replace(/<(?:br|p|div|li|tr|h[1-6])[^>]*>/gi, '\\n')\n    .replace(/<[^>]+>/g, ' ')\n}\n\n/**\n * Inline variant — strip tags + decode entities + collapse all whitespace\n * (including line breaks) into single spaces. For short snippets where\n * structural breaks would be visual noise (search-result titles, link text).\n */\nexport function stripHtmlInline(html: string): string {\n  return decodeHtmlEntities(stripHtml(html))\n    .replace(/\\s+/g, ' ')\n    .trim()\n}\n\n/**\n * Block variant — strip tags + decode entities, preserve newlines emitted\n * by block-level openers, then collapse inline whitespace per-line and drop\n * empty lines. For full-page reductions where structure aids reading.\n */\nexport function stripHtmlBlock(html: string): string {\n  return decodeHtmlEntities(stripHtml(html))\n    .split('\\n')\n    .map(line => line.replace(/[ \\t]+/g, ' ').trim())\n    .filter(line => line.length > 0)\n    .join('\\n')\n}\n","import type { RequestOptions as HttpRequestOptions } from 'node:http'\nimport type { RequestOptions as HttpsRequestOptions } from 'node:https'\nimport type { ToolContext, ToolDef } from './types'\nimport { Buffer } from 'node:buffer'\nimport { promises as dns } from 'node:dns'\nimport { request as httpRequest } from 'node:http'\nimport { request as httpsRequest } from 'node:https'\nimport { isIP } from 'node:net'\nimport { errorMessage } from '../errors'\nimport { stripHtmlBlock } from './_html'\n\n/**\n * Fetch a URL and return its text content.\n *\n * Companion to `web_search` (when registered) — after the model finds a\n * promising result it fetches the page to read the body in full. HTML is\n * reduced to plain text because the model rarely benefits from the markup\n * and we want to keep the payload inside the per-turn output budget.\n *\n * Restrictions:\n * - Only http(s) URLs. Anything else (file://, data:, ftp:) is rejected so\n *   the tool can't be coerced into reading local files or arbitrary\n *   resources.\n * - SSRF guard with TOCTOU defense: the host is DNS-resolved against the\n *   loopback / link-local / private / reserved blocklist BEFORE the\n *   request, and the resolved IP is then PINNED at the connection layer\n *   via `node:http(s).request({ host: <resolved IP>, headers: { Host: ... },\n *   servername: ... })`. This closes the classic DNS-rebinding gap where a\n *   `globalThis.fetch` re-resolves the hostname and connects to a freshly\n *   minted private IP. TLS verification still runs against the original\n *   hostname via the explicit `servername` option.\n *\n *   Note: the more idiomatic Node fix (an `undici.Agent` with a custom\n *   `connect.lookup`) is silently a no-op on Bun ≤1.3 — both\n *   `undici.Agent` and `node:https.Agent.lookup` are stubbed out. The\n *   explicit `host: IP` + `Host:` header dance is the only mechanism that\n *   actually pins on the current Bun runtime.\n * - Redirects are followed manually (up to `MAX_REDIRECTS`) and each hop\n *   is re-validated, so a public hostname that 302s into a metadata\n *   endpoint is rejected at the redirect step.\n * - 15s hard timeout per request.\n * - Output capped at `max_bytes` (default 200 KiB) — long pages are\n *   truncated with an explicit marker. The pinned reader also stops\n *   buffering past 2× the cap so a multi-MB body can't OOM us.\n */\n\nconst DEFAULT_MAX_BYTES = 200 * 1024\nconst HARD_MAX_BYTES = 1024 * 1024\nconst HTTP_TIMEOUT_MS = 15_000\nconst MAX_REDIRECTS = 5\n\n/**\n * IPv4 ranges that the SSRF guard refuses to fetch from. Covers the cloud\n * metadata services (AWS/Azure 169.254.169.254, GCP routes through the same\n * link-local block) plus every RFC1918 / loopback / reserved block a model\n * could be prompt-injected into hitting.\n */\nfunction isBlockedIPv4(ip: string): boolean {\n  const parts = ip.split('.').map(Number)\n  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255))\n    return true\n  const [a, b] = parts as [number, number, number, number]\n  if (a === 0)\n    return true // 0.0.0.0/8 unspecified / \"this network\"\n  if (a === 10)\n    return true // 10/8 private\n  if (a === 127)\n    return true // loopback\n  if (a === 169 && b === 254)\n    return true // link-local + cloud metadata\n  if (a === 172 && b >= 16 && b <= 31)\n    return true // 172.16/12 private\n  if (a === 192 && b === 168)\n    return true // 192.168/16 private\n  if (a === 192 && b === 0 && parts[2] === 0)\n    return true // 192.0.0/24 IETF\n  if (a === 198 && (b === 18 || b === 19))\n    return true // 198.18/15 benchmark\n  if (a >= 224)\n    return true // multicast + reserved (224/4, 240/4)\n  return false\n}\n\nfunction isBlockedIPv6(ip: string): boolean {\n  const lower = ip.toLowerCase()\n  // Normalise IPv4-mapped (::ffff:1.2.3.4) — recurse on the v4 tail. URL\n  // parsing tends to canonicalise the dotted form into the hex pair\n  // `::ffff:a9fe:a9fe`, so accept both shapes.\n  const v4MappedDotted = lower.match(/^::ffff:([0-9.]+)$/)\n  if (v4MappedDotted)\n    return isBlockedIPv4(v4MappedDotted[1]!)\n  const v4MappedHex = lower.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/)\n  if (v4MappedHex) {\n    const hi = Number.parseInt(v4MappedHex[1]!, 16)\n    const lo = Number.parseInt(v4MappedHex[2]!, 16)\n    const ipv4 = `${(hi >> 8) & 0xFF}.${hi & 0xFF}.${(lo >> 8) & 0xFF}.${lo & 0xFF}`\n    return isBlockedIPv4(ipv4)\n  }\n  if (lower === '::' || lower === '::1')\n    return true\n  // fc00::/7 unique-local (covers fc.. and fd..)\n  if (/^f[cd][0-9a-f]{0,2}:/.test(lower))\n    return true\n  // fe80::/10 link-local\n  if (/^fe[89ab][0-9a-f]?:/.test(lower))\n    return true\n  // ff00::/8 multicast\n  if (lower.startsWith('ff'))\n    return true\n  return false\n}\n\nexport function isBlockedAddress(ip: string): boolean {\n  const family = isIP(ip)\n  if (family === 4)\n    return isBlockedIPv4(ip)\n  if (family === 6)\n    return isBlockedIPv6(ip)\n  return true // not a recognised IP literal — refuse\n}\n\n/**\n * Normalize a hostname for allowlist comparison: lowercase, strip a trailing\n * dot (FQDN root) and IPv6 brackets, drop a leading dot on allowlist entries.\n */\nfunction normalizeHost(host: string): string {\n  let h = host.trim().toLowerCase()\n  if (h.startsWith('[') && h.endsWith(']'))\n    h = h.slice(1, -1)\n  if (h.endsWith('.'))\n    h = h.slice(0, -1)\n  if (h.startsWith('.'))\n    h = h.slice(1)\n  return h\n}\n\n/**\n * Site identity for cross-host redirect detection: the lowercased hostname\n * with a leading `www.` stripped, so `example.com` ⇄ `www.example.com` and a\n * path-only redirect aren't flagged as cross-host. Returns `null` for an\n * unparseable URL (caller skips the note rather than guessing).\n */\nfunction sameSiteHost(url: string): string | null {\n  try {\n    return new URL(url).hostname.toLowerCase().replace(/^www\\./, '')\n  }\n  catch {\n    return null\n  }\n}\n\n/**\n * Host-suffix allowlist check. An empty / undefined list means \"no allowlist\"\n * → every host passes (the SSRF blocklist is the only gate). Otherwise the\n * host must equal, or be a subdomain of, one of the entries. Subdomain match\n * is on a dot boundary so `example.com` matches `docs.example.com` but not\n * `notexample.com`.\n */\nexport function isHostAllowed(hostname: string, allowHosts: readonly string[] | undefined): boolean {\n  if (!allowHosts || allowHosts.length === 0)\n    return true\n  const host = normalizeHost(hostname)\n  for (const entry of allowHosts) {\n    const allowed = normalizeHost(entry)\n    if (allowed.length === 0)\n      continue\n    if (host === allowed || host.endsWith(`.${allowed}`))\n      return true\n  }\n  return false\n}\n\n/**\n * Resolve `hostname` and refuse if any answer falls in a blocked range.\n *\n * Returns the first allowed `{ address, family }` so the caller can pin\n * the connection to it. Throws on any blocked answer so a multi-record\n * response with one private record fails closed.\n */\nasync function resolveAndCheck(hostname: string, allowHosts?: readonly string[]): Promise<{ address: string, family: 4 | 6 }> {\n  // Egress allowlist (when configured) gates BEFORE DNS so a non-approved\n  // host never even triggers a lookup. Enforced here so every redirect hop\n  // is re-checked, not just the initial URL.\n  if (!isHostAllowed(hostname, allowHosts))\n    throw new Error(`refused: ${hostname} is not in the configured egress allowlist`)\n  // `URL.hostname` keeps brackets around IPv6 literals (`[::1]`) — strip them\n  // before the IP check so `isIP` recognises the literal and `dns.lookup`\n  // doesn't try to resolve `[::1]` as a name.\n  const bare = hostname.startsWith('[') && hostname.endsWith(']')\n    ? hostname.slice(1, -1)\n    : hostname\n  const family = isIP(bare)\n  if (family === 4 || family === 6) {\n    if (isBlockedAddress(bare))\n      throw new Error(`refused: ${bare} is in a blocked range`)\n    return { address: bare, family }\n  }\n  const answers = await dns.lookup(bare, { all: true, verbatim: true })\n  if (answers.length === 0)\n    throw new Error(`DNS lookup returned no records for ${bare}`)\n  for (const { address } of answers) {\n    if (isBlockedAddress(address))\n      throw new Error(`refused: ${bare} resolves to blocked address ${address}`)\n  }\n  const first = answers[0]!\n  const fam = first.family === 6 ? 6 : 4\n  return { address: first.address, family: fam }\n}\n\n/**\n * Pinned HTTP/HTTPS request. Connects to `pinnedIp` directly (bypassing\n * Node/Bun's own DNS resolution) while preserving the `Host:` header and\n * (for HTTPS) TLS SNI on the URL's original hostname. This is the\n * concrete defense against DNS rebinding — see the file-level docstring.\n *\n * Reads up to `maxBufferBytes` of body and then forcibly closes the\n * connection. The body is decoded as UTF-8; binary responses degrade to\n * mojibake but the tool's contract is text payloads anyway.\n */\ninterface PinnedResponse {\n  status: number\n  url: string\n  contentType: string\n  body: string\n  location: string | null\n  /**\n   * True when the body was cut at `maxBufferBytes` before the server\n   * finished sending. Optional so test seams that stub `requestImpl`\n   * don't have to populate it; absent means \"not truncated\".\n   */\n  truncated?: boolean\n}\n\nfunction buildHostHeader(url: URL): string {\n  if (!url.port)\n    return url.hostname\n  const defaultPort = url.protocol === 'https:' ? '443' : '80'\n  return url.port === defaultPort ? url.hostname : `${url.hostname}:${url.port}`\n}\n\nexport function pinnedRequest(\n  url: URL,\n  pinnedIp: string,\n  family: 4 | 6,\n  headers: Record<string, string>,\n  signal: AbortSignal,\n  maxBufferBytes: number,\n): Promise<PinnedResponse> {\n  return new Promise((resolve, reject) => {\n    const isHttps = url.protocol === 'https:'\n    const port = url.port\n      ? Number.parseInt(url.port, 10)\n      : (isHttps ? 443 : 80)\n\n    // `host` is the literal IP, `servername` is the original hostname so\n    // TLS cert verification still matches the cert's SAN/CN against the\n    // user-visible name. Node uses `servername` for `checkServerIdentity`\n    // automatically when set.\n    const options: HttpRequestOptions & HttpsRequestOptions = {\n      host: pinnedIp,\n      port,\n      path: `${url.pathname}${url.search}`,\n      method: 'GET',\n      family,\n      headers: { ...headers, Host: buildHostHeader(url) },\n      ...(isHttps ? { servername: url.hostname } : {}),\n    }\n\n    const request = isHttps ? httpsRequest : httpRequest\n    const chunks: Buffer[] = []\n    let received = 0\n    // Single-shot settle guard. Bun's `node:http` is quirky around\n    // `req.destroy(err)` — passing an error doesn't reliably surface as an\n    // `error` event the way it does on Node. We track the settle state\n    // ourselves and call `resolve` / `reject` directly from the abort /\n    // timeout paths so the promise terminates even when the underlying\n    // socket teardown is silent.\n    let settled = false\n    // Forward-declared so the `finish` / abort / timeout handlers can\n    // close over `req` before it's assigned below. The request object is\n    // wired into them via mutable refs because the handlers must be set\n    // up *before* `request(options, callback)` fires its first event.\n    let req: ReturnType<typeof httpRequest> | undefined\n    let timer: ReturnType<typeof setTimeout> | undefined\n\n    const teardown = (): void => {\n      try { req?.destroy() }\n      catch { /* tear-down best effort */ }\n    }\n\n    const finish = (settler: () => void): void => {\n      if (settled)\n        return\n      settled = true\n      if (timer)\n        clearTimeout(timer)\n      signal.removeEventListener('abort', onSignalAbort)\n      settler()\n    }\n\n    function onSignalAbort(): void {\n      finish(() => reject(new Error('request aborted')))\n      teardown()\n    }\n\n    // Pre-aborted signal — short-circuit so we don't even open a socket.\n    // (This is the realistic shape when a user hits Ctrl+C while the agent\n    // is already shutting down: the signal is `.aborted` by the time the\n    // tool function runs.)\n    if (signal.aborted) {\n      reject(new Error('request aborted'))\n      return\n    }\n\n    timer = setTimeout(() => {\n      finish(() => reject(new Error(`request timed out after ${HTTP_TIMEOUT_MS}ms`)))\n      teardown()\n    }, HTTP_TIMEOUT_MS)\n\n    signal.addEventListener('abort', onSignalAbort, { once: true })\n\n    req = request(options, (res) => {\n      const status = res.statusCode ?? 0\n      const headersOut = res.headers\n      const contentType = (headersOut['content-type'] ?? '').toString().toLowerCase()\n      const location = typeof headersOut.location === 'string' ? headersOut.location : null\n\n      // Short-circuit on redirect responses — body is irrelevant.\n      if (status >= 300 && status < 400 && location) {\n        res.resume() // drain so the socket can be released\n        finish(() => resolve({ status, url: url.toString(), contentType, body: '', location }))\n        return\n      }\n\n      let bodyTruncated = false\n      res.on('data', (chunk: Buffer) => {\n        if (received >= maxBufferBytes) {\n          // Stop accumulating; tear the socket down so the server stops\n          // sending. We still resolve cleanly from `end` (or `close` if\n          // the server doesn't finish flushing before the kill lands).\n          bodyTruncated = true\n          teardown()\n          return\n        }\n        // Keep only what fits in the budget — a chunk straddling the cap\n        // would otherwise overshoot it by up to one chunk. A partial slice\n        // means the body was cut, so flag it and stop the transfer.\n        const room = maxBufferBytes - received\n        if (chunk.length > room) {\n          chunks.push(chunk.subarray(0, room))\n          received += room\n          bodyTruncated = true\n          teardown()\n          return\n        }\n        received += chunk.length\n        chunks.push(chunk)\n      })\n      res.on('end', () => {\n        const body = Buffer.concat(chunks).toString('utf-8')\n        finish(() => resolve({ status, url: url.toString(), contentType, body, location: null, truncated: bodyTruncated }))\n      })\n      res.on('close', () => {\n        // Socket torn down before `end` (e.g. when our maxBufferBytes\n        // trigger destroyed the request). Resolve with whatever we\n        // buffered so far — `truncated` tells the caller the body is cut.\n        if (!settled) {\n          const body = Buffer.concat(chunks).toString('utf-8')\n          finish(() => resolve({ status, url: url.toString(), contentType, body, location: null, truncated: bodyTruncated }))\n        }\n      })\n      res.on('error', err => finish(() => reject(err)))\n    })\n\n    req.on('error', (err: Error) => finish(() => reject(err)))\n    req.end()\n  })\n}\n\n/**\n * Walk up to {@link MAX_REDIRECTS} hops, validating the target host of each\n * 3xx response against the SSRF blocklist before following.\n *\n * `deps` is an internal seam for tests — production callers use the\n * defaults. Both knobs are intentionally opaque: hosts that want to\n * customize the blocklist should use a higher-level mechanism (a future\n * `behavior.fetchUrlAllowHosts` setting) rather than reaching into this.\n */\nexport interface FetchSsrfDeps {\n  /** Resolve + validate a hostname. Defaults to {@link resolveAndCheck}. */\n  resolver?: (hostname: string) => Promise<{ address: string, family: 4 | 6 }>\n  /** Execute a single pinned HTTP request. Defaults to {@link pinnedRequest}. */\n  requestImpl?: typeof pinnedRequest\n}\n\nexport async function fetchWithSsrfGuard(\n  startUrl: URL,\n  headers: Record<string, string>,\n  signal: AbortSignal,\n  maxBufferBytes: number,\n  deps: FetchSsrfDeps = {},\n  allowHosts?: readonly string[],\n): Promise<PinnedResponse> {\n  // Default resolver binds the egress allowlist; a test-injected resolver\n  // owns its own policy.\n  const resolver = deps.resolver ?? ((hostname: string) => resolveAndCheck(hostname, allowHosts))\n  const requestImpl = deps.requestImpl ?? pinnedRequest\n  let current = startUrl\n  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {\n    const { address, family } = await resolver(current.hostname)\n    const res = await requestImpl(current, address, family, headers, signal, maxBufferBytes)\n    if (!res.location)\n      return res\n    if (hop === MAX_REDIRECTS)\n      throw new Error(`too many redirects (>${MAX_REDIRECTS})`)\n    let next: URL\n    try {\n      next = new URL(res.location, current)\n    }\n    catch {\n      throw new Error(`invalid redirect target: ${res.location}`)\n    }\n    if (next.protocol !== 'http:' && next.protocol !== 'https:')\n      throw new Error(`refused redirect to non-http(s) target: ${next.protocol}`)\n    current = next\n  }\n  throw new Error('redirect loop exited unexpectedly')\n}\n\n/**\n * Opt-in, process-local response cache for `fetch_url`. Disabled unless\n * `behavior.fetchUrlCacheTtlMs` is set (> 0). Bounded by entry count and total\n * cached bytes; eviction is oldest-first (insertion order via `Map`, which is\n * a good-enough LRU because we delete-then-set on hit to refresh recency).\n *\n * Keyed on `<url>\\u0000<cap>\\u0000<egress-policy>` so two calls with different\n * `max_bytes` (hence different truncation) don't alias, and — because the\n * cache is module-global — an agent with a permissive `fetchUrlAllowHosts`\n * can't populate entries that a co-resident agent with a stricter allowlist\n * would then be served. Only successful text responses are stored — the\n * caller gates on status before writing.\n */\nconst FETCH_CACHE_MAX_ENTRIES = 64\nconst FETCH_CACHE_MAX_BYTES = 16 * 1024 * 1024 // 16 MiB total\n\ninterface FetchCacheEntry {\n  /** Fully-formatted tool output (header + body) ready to return verbatim. */\n  output: string\n  expiresAt: number\n  bytes: number\n}\n\nconst fetchCache = new Map<string, FetchCacheEntry>()\nlet fetchCacheBytes = 0\n\nfunction cacheKey(url: string, cap: number, allowHosts?: readonly string[]): string {\n  // Normalize + sort so equivalent policies (`['A.com', 'b.com']` vs\n  // `['b.com', 'a.com.']`) share entries; an absent/empty allowlist keys\n  // as the empty policy.\n  const policy = (allowHosts ?? []).map(normalizeHost).sort().join(',')\n  return `${url}\\u0000${cap}\\u0000${policy}`\n}\n\nfunction cacheGet(key: string): string | null {\n  const entry = fetchCache.get(key)\n  if (!entry)\n    return null\n  if (Date.now() >= entry.expiresAt) {\n    fetchCache.delete(key)\n    fetchCacheBytes -= entry.bytes\n    return null\n  }\n  // Refresh recency: re-insert at the tail of the Map's iteration order.\n  fetchCache.delete(key)\n  fetchCache.set(key, entry)\n  return entry.output\n}\n\nfunction cacheSet(key: string, output: string, ttlMs: number): void {\n  const bytes = Buffer.byteLength(output, 'utf-8')\n  // A single oversize payload that can't fit under the byte cap is simply not\n  // cached (still returned to the caller) rather than evicting everything.\n  if (bytes > FETCH_CACHE_MAX_BYTES)\n    return\n  // Drop any stale entry for this key first so the byte accounting stays exact.\n  const prev = fetchCache.get(key)\n  if (prev) {\n    fetchCache.delete(key)\n    fetchCacheBytes -= prev.bytes\n  }\n  fetchCache.set(key, { output, expiresAt: Date.now() + ttlMs, bytes })\n  fetchCacheBytes += bytes\n  // Evict oldest-first until both caps are satisfied.\n  while (fetchCache.size > FETCH_CACHE_MAX_ENTRIES || fetchCacheBytes > FETCH_CACHE_MAX_BYTES) {\n    const oldest = fetchCache.keys().next().value\n    if (oldest === undefined)\n      break\n    const victim = fetchCache.get(oldest)!\n    fetchCache.delete(oldest)\n    fetchCacheBytes -= victim.bytes\n  }\n}\n\n/** Test seam — drop all cached entries. */\nexport function clearFetchUrlCache(): void {\n  fetchCache.clear()\n  fetchCacheBytes = 0\n}\n\n/**\n * Test seam — exercise the cache get/set/eviction in isolation without\n * standing up the full SSRF + HTTP path. Not part of the public tool surface;\n * `execute` uses the module-private functions directly.\n */\nexport const __fetchCacheTestApi = {\n  key: cacheKey,\n  get: cacheGet,\n  set: cacheSet,\n  size: () => fetchCache.size,\n  bytes: () => fetchCacheBytes,\n}\n\nexport const fetchUrl: ToolDef = {\n  isConcurrencySafe: true,\n  spec: {\n    name: 'fetch_url',\n    description: 'Fetch a public URL and return its body as plain text. HTML is reduced to text (scripts, styles, tags stripped; entities decoded). If a `web_search` tool is also available, use it first to find the URL. Only http(s) URLs are accepted; loopback, link-local, private, and cloud-metadata addresses are refused. Output is capped (default 200 KiB).',\n    inputSchema: {\n      type: 'object',\n      properties: {\n        url: {\n          type: 'string',\n          description: 'HTTP or HTTPS URL to fetch.',\n        },\n        max_bytes: {\n          type: 'number',\n          description: `Truncate the response body beyond this many bytes. Default: ${DEFAULT_MAX_BYTES}. Hard cap: ${HARD_MAX_BYTES}.`,\n        },\n      },\n      required: ['url'],\n    },\n  },\n  async execute({ url, max_bytes }, ctx: ToolContext) {\n    const raw = typeof url === 'string' ? url.trim() : ''\n    if (!raw)\n      return 'fetch_url error: `url` is required'\n    let parsed: URL\n    try {\n      parsed = new URL(raw)\n    }\n    catch {\n      return `fetch_url error: invalid URL: ${raw}`\n    }\n    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')\n      return `fetch_url error: only http(s) URLs are allowed (got ${parsed.protocol})`\n\n    const cap = Math.min(\n      typeof max_bytes === 'number' && max_bytes > 0 ? Math.floor(max_bytes) : DEFAULT_MAX_BYTES,\n      HARD_MAX_BYTES,\n    )\n    // Buffer up to 2× the cap so HTML overhead doesn't starve the visible\n    // text budget — a 200 KiB cap on rendered text can legitimately need to\n    // read ~400 KiB of raw HTML before stripping. Hard ceiling is still\n    // governed by `HARD_MAX_BYTES * 2` which is comfortably below OOM.\n    const bufferCap = Math.min(cap * 2, HARD_MAX_BYTES * 2)\n\n    // Opt-in response cache (off unless `behavior.fetchUrlCacheTtlMs > 0`).\n    // The egress allowlist is part of the key AND re-checked before serving\n    // a hit — the cache is module-global, so neither a policy change within\n    // an agent nor a co-resident agent's entries may bypass this agent's\n    // allowlist.\n    const allowHosts = ctx.behavior?.fetchUrlAllowHosts\n    const ttlMs = ctx.behavior?.fetchUrlCacheTtlMs\n    const cacheEnabled = typeof ttlMs === 'number' && ttlMs > 0\n    const key = cacheKey(parsed.toString(), cap, allowHosts)\n    if (cacheEnabled && isHostAllowed(parsed.hostname, allowHosts)) {\n      const hit = cacheGet(key)\n      if (hit !== null)\n        return hit\n    }\n\n    try {\n      const res = await fetchWithSsrfGuard(\n        parsed,\n        {\n          'user-agent': 'Mozilla/5.0 (compatible; zidane/1.0)',\n          'accept': 'text/html,text/plain,application/json;q=0.9,*/*;q=0.5',\n          'accept-encoding': 'identity', // no gzip — we don't decompress\n        },\n        ctx.signal,\n        bufferCap,\n        {},\n        allowHosts,\n      )\n      const body = res.body\n      const isHtml = res.contentType.includes('html') || /^\\s*<!doctype html|^\\s*<html/i.test(body)\n      const text = isHtml ? stripHtmlBlock(body) : body\n      const truncated = text.length > cap\n      // Two distinct truncation reasons: the rendered text overflowing `cap`,\n      // and the raw transfer being cut at the buffer ceiling (`res.truncated`)\n      // — the latter can leave the rendered text under `cap` (HTML overhead\n      // stripped away), so it needs its own marker or the model would treat\n      // a partial body as complete.\n      const out = truncated\n        ? `${text.slice(0, cap)}\\n\\n[truncated at ${cap} bytes; full length ${text.length}]`\n        : res.truncated\n          ? `${text}\\n\\n[response truncated: body exceeded the ${bufferCap}-byte transfer buffer]`\n          : text\n      // `res.url` reflects the FINAL hop after redirects; flag a cross-host\n      // landing so the model knows the content came from a different origin\n      // than it asked for (open-redirect awareness). Same-host path changes\n      // and www add/strip are treated as the same site and not flagged.\n      const finalHost = sameSiteHost(res.url)\n      const requestedHost = sameSiteHost(parsed.toString())\n      const redirectNote = finalHost && requestedHost && finalHost !== requestedHost\n        ? `Note: ${parsed.hostname} redirected to a different host (${new URL(res.url).hostname}).\\n`\n        : ''\n      const header = `URL: ${res.url}\\nStatus: ${res.status}\\nContent-Type: ${res.contentType || '(none)'}\\n${redirectNote}\\n`\n      const formatted = header + out\n      // Cache only successful, complete text responses — never errors /\n      // redirects / transfer-truncated bodies (a retry may get the rest).\n      if (cacheEnabled && res.status >= 200 && res.status < 300 && res.truncated !== true)\n        cacheSet(key, formatted, ttlMs)\n      return formatted\n    }\n    catch (err) {\n      return `fetch_url error: ${errorMessage(err)}`\n    }\n  },\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAqBA,MAAM,iBAAyC;CAC7C,KAAK;CACL,MAAM;CACN,MAAM;CACN,MAAM;CACN,MAAM;CACN,MAAM;CACN,IAAI;CACJ,QAAQ;CACR,OAAO;CACP,OAAO;CACP,OAAO;CACP,IAAI;CACJ,OAAO;CACP,QAAQ;CACR,MAAM;CACN,OAAO;CACP,MAAM;CACN,OAAO;CACP,OAAO;CACP,KAAK;CACL,OAAO;CACP,QAAQ;CACR,OAAO;AACT;;;;;;;AAQA,SAAS,kBAAkB,IAAoB;CAC7C,IAAI,CAAC,OAAO,SAAS,EAAE,KAAK,KAAK,KAAK,KAAK,SACzC,OAAO;CACT,IAAI;EACF,OAAO,OAAO,cAAc,EAAE;CAChC,QACM;EACJ,OAAO;CACT;AACF;;;;;;;;;;AAWA,SAAgB,mBAAmB,MAAsB;CACvD,IAAI,IAAI,KACL,QAAQ,sBAAsB,GAAG,MAAM,kBAAkB,OAAO,SAAS,GAAG,EAAE,CAAC,CAAC,EAChF,QAAQ,cAAc,GAAG,MAAM,kBAAkB,OAAO,SAAS,GAAG,EAAE,CAAC,CAAC;CAC3E,IAAI,EAAE,QAAQ,yBAAyB,MAAM,SAAS;EACpD,MAAM,MAAM,KAAK,YAAY;EAE7B,IAAI,QAAQ,OACV,OAAO;EAET,OADoB,eAAe,QACb;CACxB,CAAC;CACD,OAAO,EAAE,QAAQ,WAAW,GAAG;AACjC;;;;;;;AAQA,SAAgB,UAAU,MAAsB;CAC9C,OAAO,KACJ,QAAQ,+BAA+B,GAAG,EAC1C,QAAQ,6BAA6B,GAAG,EACxC,QAAQ,mCAAmC,GAAG,EAC9C,QAAQ,oBAAoB,GAAG,EAC/B,QAAQ,sCAAsC,IAAI,EAClD,QAAQ,YAAY,GAAG;AAC5B;;;;;;AAOA,SAAgB,gBAAgB,MAAsB;CACpD,OAAO,mBAAmB,UAAU,IAAI,CAAC,EACtC,QAAQ,QAAQ,GAAG,EACnB,KAAK;AACV;;;;;;AAOA,SAAgB,eAAe,MAAsB;CACnD,OAAO,mBAAmB,UAAU,IAAI,CAAC,EACtC,MAAM,IAAI,EACV,KAAI,SAAQ,KAAK,QAAQ,WAAW,GAAG,EAAE,KAAK,CAAC,EAC/C,QAAO,SAAQ,KAAK,SAAS,CAAC,EAC9B,KAAK,IAAI;AACd;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AChFA,MAAM,oBAAoB,MAAM;AAChC,MAAM,iBAAiB,OAAO;AAC9B,MAAM,kBAAkB;AACxB,MAAM,gBAAgB;;;;;;;AAQtB,SAAS,cAAc,IAAqB;CAC1C,MAAM,QAAQ,GAAG,MAAM,GAAG,EAAE,IAAI,MAAM;CACtC,IAAI,MAAM,WAAW,KAAK,MAAM,MAAK,MAAK,CAAC,OAAO,UAAU,CAAC,KAAK,IAAI,KAAK,IAAI,GAAG,GAChF,OAAO;CACT,MAAM,CAAC,GAAG,KAAK;CACf,IAAI,MAAM,GACR,OAAO;CACT,IAAI,MAAM,IACR,OAAO;CACT,IAAI,MAAM,KACR,OAAO;CACT,IAAI,MAAM,OAAO,MAAM,KACrB,OAAO;CACT,IAAI,MAAM,OAAO,KAAK,MAAM,KAAK,IAC/B,OAAO;CACT,IAAI,MAAM,OAAO,MAAM,KACrB,OAAO;CACT,IAAI,MAAM,OAAO,MAAM,KAAK,MAAM,OAAO,GACvC,OAAO;CACT,IAAI,MAAM,QAAQ,MAAM,MAAM,MAAM,KAClC,OAAO;CACT,IAAI,KAAK,KACP,OAAO;CACT,OAAO;AACT;AAEA,SAAS,cAAc,IAAqB;CAC1C,MAAM,QAAQ,GAAG,YAAY;CAI7B,MAAM,iBAAiB,MAAM,MAAM,oBAAoB;CACvD,IAAI,gBACF,OAAO,cAAc,eAAe,EAAG;CACzC,MAAM,cAAc,MAAM,MAAM,0CAA0C;CAC1E,IAAI,aAAa;EACf,MAAM,KAAK,OAAO,SAAS,YAAY,IAAK,EAAE;EAC9C,MAAM,KAAK,OAAO,SAAS,YAAY,IAAK,EAAE;EAE9C,OAAO,cAAc,GADJ,MAAM,IAAK,IAAK,GAAG,KAAK,IAAK,GAAI,MAAM,IAAK,IAAK,GAAG,KAAK,KACjD;CAC3B;CACA,IAAI,UAAU,QAAQ,UAAU,OAC9B,OAAO;CAET,IAAI,uBAAuB,KAAK,KAAK,GACnC,OAAO;CAET,IAAI,sBAAsB,KAAK,KAAK,GAClC,OAAO;CAET,IAAI,MAAM,WAAW,IAAI,GACvB,OAAO;CACT,OAAO;AACT;AAEA,SAAgB,iBAAiB,IAAqB;CACpD,MAAM,SAAS,KAAK,EAAE;CACtB,IAAI,WAAW,GACb,OAAO,cAAc,EAAE;CACzB,IAAI,WAAW,GACb,OAAO,cAAc,EAAE;CACzB,OAAO;AACT;;;;;AAMA,SAAS,cAAc,MAAsB;CAC3C,IAAI,IAAI,KAAK,KAAK,EAAE,YAAY;CAChC,IAAI,EAAE,WAAW,GAAG,KAAK,EAAE,SAAS,GAAG,GACrC,IAAI,EAAE,MAAM,GAAG,EAAE;CACnB,IAAI,EAAE,SAAS,GAAG,GAChB,IAAI,EAAE,MAAM,GAAG,EAAE;CACnB,IAAI,EAAE,WAAW,GAAG,GAClB,IAAI,EAAE,MAAM,CAAC;CACf,OAAO;AACT;;;;;;;AAQA,SAAS,aAAa,KAA4B;CAChD,IAAI;EACF,OAAO,IAAI,IAAI,GAAG,EAAE,SAAS,YAAY,EAAE,QAAQ,UAAU,EAAE;CACjE,QACM;EACJ,OAAO;CACT;AACF;;;;;;;;AASA,SAAgB,cAAc,UAAkB,YAAoD;CAClG,IAAI,CAAC,cAAc,WAAW,WAAW,GACvC,OAAO;CACT,MAAM,OAAO,cAAc,QAAQ;CACnC,KAAK,MAAM,SAAS,YAAY;EAC9B,MAAM,UAAU,cAAc,KAAK;EACnC,IAAI,QAAQ,WAAW,GACrB;EACF,IAAI,SAAS,WAAW,KAAK,SAAS,IAAI,SAAS,GACjD,OAAO;CACX;CACA,OAAO;AACT;;;;;;;;AASA,eAAe,gBAAgB,UAAkB,YAA6E;CAI5H,IAAI,CAAC,cAAc,UAAU,UAAU,GACrC,MAAM,IAAI,MAAM,YAAY,SAAS,2CAA2C;CAIlF,MAAM,OAAO,SAAS,WAAW,GAAG,KAAK,SAAS,SAAS,GAAG,IAC1D,SAAS,MAAM,GAAG,EAAE,IACpB;CACJ,MAAM,SAAS,KAAK,IAAI;CACxB,IAAI,WAAW,KAAK,WAAW,GAAG;EAChC,IAAI,iBAAiB,IAAI,GACvB,MAAM,IAAI,MAAM,YAAY,KAAK,uBAAuB;EAC1D,OAAO;GAAE,SAAS;GAAM;EAAO;CACjC;CACA,MAAM,UAAU,MAAMA,SAAI,OAAO,MAAM;EAAE,KAAK;EAAM,UAAU;CAAK,CAAC;CACpE,IAAI,QAAQ,WAAW,GACrB,MAAM,IAAI,MAAM,sCAAsC,MAAM;CAC9D,KAAK,MAAM,EAAE,aAAa,SACxB,IAAI,iBAAiB,OAAO,GAC1B,MAAM,IAAI,MAAM,YAAY,KAAK,+BAA+B,SAAS;CAE7E,MAAM,QAAQ,QAAQ;CACtB,MAAM,MAAM,MAAM,WAAW,IAAI,IAAI;CACrC,OAAO;EAAE,SAAS,MAAM;EAAS,QAAQ;CAAI;AAC/C;AA0BA,SAAS,gBAAgB,KAAkB;CACzC,IAAI,CAAC,IAAI,MACP,OAAO,IAAI;CACb,MAAM,cAAc,IAAI,aAAa,WAAW,QAAQ;CACxD,OAAO,IAAI,SAAS,cAAc,IAAI,WAAW,GAAG,IAAI,SAAS,GAAG,IAAI;AAC1E;AAEA,SAAgB,cACd,KACA,UACA,QACA,SACA,QACA,gBACyB;CACzB,OAAO,IAAI,SAAS,SAAS,WAAW;EACtC,MAAM,UAAU,IAAI,aAAa;EASjC,MAAM,UAAoD;GACxD,MAAM;GACN,MAVW,IAAI,OACb,OAAO,SAAS,IAAI,MAAM,EAAE,IAC3B,UAAU,MAAM;GASnB,MAAM,GAAG,IAAI,WAAW,IAAI;GAC5B,QAAQ;GACR;GACA,SAAS;IAAE,GAAG;IAAS,MAAM,gBAAgB,GAAG;GAAE;GAClD,GAAI,UAAU,EAAE,YAAY,IAAI,SAAS,IAAI,CAAC;EAChD;EAEA,MAAMC,YAAU,UAAUC,YAAeC;EACzC,MAAM,SAAmB,CAAC;EAC1B,IAAI,WAAW;EAOf,IAAI,UAAU;EAKd,IAAI;EACJ,IAAI;EAEJ,MAAM,iBAAuB;GAC3B,IAAI;IAAE,KAAK,QAAQ;GAAE,QACf,CAA8B;EACtC;EAEA,MAAM,UAAU,YAA8B;GAC5C,IAAI,SACF;GACF,UAAU;GACV,IAAI,OACF,aAAa,KAAK;GACpB,OAAO,oBAAoB,SAAS,aAAa;GACjD,QAAQ;EACV;EAEA,SAAS,gBAAsB;GAC7B,aAAa,uBAAO,IAAI,MAAM,iBAAiB,CAAC,CAAC;GACjD,SAAS;EACX;EAMA,IAAI,OAAO,SAAS;GAClB,uBAAO,IAAI,MAAM,iBAAiB,CAAC;GACnC;EACF;EAEA,QAAQ,iBAAiB;GACvB,aAAa,uBAAO,IAAI,MAAM,2BAA2B,gBAAgB,GAAG,CAAC,CAAC;GAC9E,SAAS;EACX,GAAG,eAAe;EAElB,OAAO,iBAAiB,SAAS,eAAe,EAAE,MAAM,KAAK,CAAC;EAE9D,MAAMF,UAAQ,UAAU,QAAQ;GAC9B,MAAM,SAAS,IAAI,cAAc;GACjC,MAAM,aAAa,IAAI;GACvB,MAAM,eAAe,WAAW,mBAAmB,IAAI,SAAS,EAAE,YAAY;GAC9E,MAAM,WAAW,OAAO,WAAW,aAAa,WAAW,WAAW,WAAW;GAGjF,IAAI,UAAU,OAAO,SAAS,OAAO,UAAU;IAC7C,IAAI,OAAO;IACX,aAAa,QAAQ;KAAE;KAAQ,KAAK,IAAI,SAAS;KAAG;KAAa,MAAM;KAAI;IAAS,CAAC,CAAC;IACtF;GACF;GAEA,IAAI,gBAAgB;GACpB,IAAI,GAAG,SAAS,UAAkB;IAChC,IAAI,YAAY,gBAAgB;KAI9B,gBAAgB;KAChB,SAAS;KACT;IACF;IAIA,MAAM,OAAO,iBAAiB;IAC9B,IAAI,MAAM,SAAS,MAAM;KACvB,OAAO,KAAK,MAAM,SAAS,GAAG,IAAI,CAAC;KACnC,YAAY;KACZ,gBAAgB;KAChB,SAAS;KACT;IACF;IACA,YAAY,MAAM;IAClB,OAAO,KAAK,KAAK;GACnB,CAAC;GACD,IAAI,GAAG,aAAa;IAClB,MAAM,OAAO,OAAO,OAAO,MAAM,EAAE,SAAS,OAAO;IACnD,aAAa,QAAQ;KAAE;KAAQ,KAAK,IAAI,SAAS;KAAG;KAAa;KAAM,UAAU;KAAM,WAAW;IAAc,CAAC,CAAC;GACpH,CAAC;GACD,IAAI,GAAG,eAAe;IAIpB,IAAI,CAAC,SAAS;KACZ,MAAM,OAAO,OAAO,OAAO,MAAM,EAAE,SAAS,OAAO;KACnD,aAAa,QAAQ;MAAE;MAAQ,KAAK,IAAI,SAAS;MAAG;MAAa;MAAM,UAAU;MAAM,WAAW;KAAc,CAAC,CAAC;IACpH;GACF,CAAC;GACD,IAAI,GAAG,UAAS,QAAO,aAAa,OAAO,GAAG,CAAC,CAAC;EAClD,CAAC;EAED,IAAI,GAAG,UAAU,QAAe,aAAa,OAAO,GAAG,CAAC,CAAC;EACzD,IAAI,IAAI;CACV,CAAC;AACH;AAkBA,eAAsB,mBACpB,UACA,SACA,QACA,gBACA,OAAsB,CAAC,GACvB,YACyB;CAGzB,MAAM,WAAW,KAAK,cAAc,aAAqB,gBAAgB,UAAU,UAAU;CAC7F,MAAM,cAAc,KAAK,eAAe;CACxC,IAAI,UAAU;CACd,KAAK,IAAI,MAAM,GAAG,OAAO,eAAe,OAAO;EAC7C,MAAM,EAAE,SAAS,WAAW,MAAM,SAAS,QAAQ,QAAQ;EAC3D,MAAM,MAAM,MAAM,YAAY,SAAS,SAAS,QAAQ,SAAS,QAAQ,cAAc;EACvF,IAAI,CAAC,IAAI,UACP,OAAO;EACT,IAAI,QAAQ,eACV,MAAM,IAAI,MAAM,wBAAwB,cAAc,EAAE;EAC1D,IAAI;EACJ,IAAI;GACF,OAAO,IAAI,IAAI,IAAI,UAAU,OAAO;EACtC,QACM;GACJ,MAAM,IAAI,MAAM,4BAA4B,IAAI,UAAU;EAC5D;EACA,IAAI,KAAK,aAAa,WAAW,KAAK,aAAa,UACjD,MAAM,IAAI,MAAM,2CAA2C,KAAK,UAAU;EAC5E,UAAU;CACZ;CACA,MAAM,IAAI,MAAM,mCAAmC;AACrD;;;;;;;;;;;;;;AAeA,MAAM,0BAA0B;AAChC,MAAM,wBAAwB,KAAK,OAAO;AAS1C,MAAM,6BAAa,IAAI,IAA6B;AACpD,IAAI,kBAAkB;AAEtB,SAAS,SAAS,KAAa,KAAa,YAAwC;CAKlF,OAAO,GAAG,IAAI,QAAQ,IAAI,SADV,cAAc,CAAC,GAAG,IAAI,aAAa,EAAE,KAAK,EAAE,KAAK,GAC1B;AACzC;AAEA,SAAS,SAAS,KAA4B;CAC5C,MAAM,QAAQ,WAAW,IAAI,GAAG;CAChC,IAAI,CAAC,OACH,OAAO;CACT,IAAI,KAAK,IAAI,KAAK,MAAM,WAAW;EACjC,WAAW,OAAO,GAAG;EACrB,mBAAmB,MAAM;EACzB,OAAO;CACT;CAEA,WAAW,OAAO,GAAG;CACrB,WAAW,IAAI,KAAK,KAAK;CACzB,OAAO,MAAM;AACf;AAEA,SAAS,SAAS,KAAa,QAAgB,OAAqB;CAClE,MAAM,QAAQ,OAAO,WAAW,QAAQ,OAAO;CAG/C,IAAI,QAAQ,uBACV;CAEF,MAAM,OAAO,WAAW,IAAI,GAAG;CAC/B,IAAI,MAAM;EACR,WAAW,OAAO,GAAG;EACrB,mBAAmB,KAAK;CAC1B;CACA,WAAW,IAAI,KAAK;EAAE;EAAQ,WAAW,KAAK,IAAI,IAAI;EAAO;CAAM,CAAC;CACpE,mBAAmB;CAEnB,OAAO,WAAW,OAAO,2BAA2B,kBAAkB,uBAAuB;EAC3F,MAAM,SAAS,WAAW,KAAK,EAAE,KAAK,EAAE;EACxC,IAAI,WAAW,KAAA,GACb;EACF,MAAM,SAAS,WAAW,IAAI,MAAM;EACpC,WAAW,OAAO,MAAM;EACxB,mBAAmB,OAAO;CAC5B;AACF;;AAGA,SAAgB,qBAA2B;CACzC,WAAW,MAAM;CACjB,kBAAkB;AACpB;;;;;;AAOA,MAAa,sBAAsB;CACjC,KAAK;CACL,KAAK;CACL,KAAK;CACL,YAAY,WAAW;CACvB,aAAa;AACf;AAEA,MAAa,WAAoB;CAC/B,mBAAmB;CACnB,MAAM;EACJ,MAAM;EACN,aAAa;EACb,aAAa;GACX,MAAM;GACN,YAAY;IACV,KAAK;KACH,MAAM;KACN,aAAa;IACf;IACA,WAAW;KACT,MAAM;KACN,aAAa,+DAA+D,kBAAkB,cAAc,eAAe;IAC7H;GACF;GACA,UAAU,CAAC,KAAK;EAClB;CACF;CACA,MAAM,QAAQ,EAAE,KAAK,aAAa,KAAkB;EAClD,MAAM,MAAM,OAAO,QAAQ,WAAW,IAAI,KAAK,IAAI;EACnD,IAAI,CAAC,KACH,OAAO;EACT,IAAI;EACJ,IAAI;GACF,SAAS,IAAI,IAAI,GAAG;EACtB,QACM;GACJ,OAAO,iCAAiC;EAC1C;EACA,IAAI,OAAO,aAAa,WAAW,OAAO,aAAa,UACrD,OAAO,uDAAuD,OAAO,SAAS;EAEhF,MAAM,MAAM,KAAK,IACf,OAAO,cAAc,YAAY,YAAY,IAAI,KAAK,MAAM,SAAS,IAAI,mBACzE,cACF;EAKA,MAAM,YAAY,KAAK,IAAI,MAAM,GAAG,iBAAiB,CAAC;EAOtD,MAAM,aAAa,IAAI,UAAU;EACjC,MAAM,QAAQ,IAAI,UAAU;EAC5B,MAAM,eAAe,OAAO,UAAU,YAAY,QAAQ;EAC1D,MAAM,MAAM,SAAS,OAAO,SAAS,GAAG,KAAK,UAAU;EACvD,IAAI,gBAAgB,cAAc,OAAO,UAAU,UAAU,GAAG;GAC9D,MAAM,MAAM,SAAS,GAAG;GACxB,IAAI,QAAQ,MACV,OAAO;EACX;EAEA,IAAI;GACF,MAAM,MAAM,MAAM,mBAChB,QACA;IACE,cAAc;IACd,UAAU;IACV,mBAAmB;GACrB,GACA,IAAI,QACJ,WACA,CAAC,GACD,UACF;GACA,MAAM,OAAO,IAAI;GAEjB,MAAM,OADS,IAAI,YAAY,SAAS,MAAM,KAAK,gCAAgC,KAAK,IAAI,IACtE,eAAe,IAAI,IAAI;GAO7C,MAAM,MANY,KAAK,SAAS,MAO5B,GAAG,KAAK,MAAM,GAAG,GAAG,EAAE,oBAAoB,IAAI,sBAAsB,KAAK,OAAO,KAChF,IAAI,YACF,GAAG,KAAK,6CAA6C,UAAU,0BAC/D;GAKN,MAAM,YAAY,aAAa,IAAI,GAAG;GACtC,MAAM,gBAAgB,aAAa,OAAO,SAAS,CAAC;GACpD,MAAM,eAAe,aAAa,iBAAiB,cAAc,gBAC7D,SAAS,OAAO,SAAS,mCAAmC,IAAI,IAAI,IAAI,GAAG,EAAE,SAAS,QACtF;GAEJ,MAAM,YAAY,QADK,IAAI,IAAI,YAAY,IAAI,OAAO,kBAAkB,IAAI,eAAe,SAAS,IAAI,aAAa,MAC1F;GAG3B,IAAI,gBAAgB,IAAI,UAAU,OAAO,IAAI,SAAS,OAAO,IAAI,cAAc,MAC7E,SAAS,KAAK,WAAW,KAAK;GAChC,OAAO;EACT,SACO,KAAK;GACV,OAAO,oBAAoB,aAAa,GAAG;EAC7C;CACF;AACF"}