* Rebuild the request's workspace with a real `createSecrets`, pulling each * referenced secret's VALUE from the container env. Secret values never cross * the `POST /run` boundary (`createSecrets` stores them under a non-enumerable * symbol, so serializing the workspace carries only the names) —
( workspace: WorkspaceDefinition, )
| 103 | * keyless run. |
| 104 | */ |
| 105 | function reconstituteWorkspace( |
| 106 | workspace: WorkspaceDefinition, |
| 107 | ): WorkspaceDefinition { |
| 108 | if (workspace.secrets === undefined) return workspace |
| 109 | const names = Object.keys(workspace.secrets) |
| 110 | if (names.length === 0) return workspace |
| 111 | const values: Record<string, string> = {} |
| 112 | for (const name of names) { |
| 113 | const value = process.env[name] |
| 114 | if (value === undefined || value === '') { |
| 115 | throw new Error( |
| 116 | `runInContainerHarness: secret "${name}" is not set in the container env`, |
| 117 | ) |
| 118 | } |
| 119 | values[name] = value |
| 120 | } |
| 121 | return defineWorkspace({ ...workspace, secrets: createSecrets(values) }) |
| 122 | } |
| 123 | |
| 124 | /** |
| 125 | * Build the `chat()` stream that runs the harness on THIS container via the |
no test coverage detected