@alfe.ai/openclaw-sync 0.0.15 → 0.0.17

package/dist/index.d.cts

@@ -1,50 +1,17 @@
 import plugin, { SyncPluginConfig } from "./plugin.cjs";
 
-//#region src/config.d.ts
-/**
- * AlfeSync configuration — read/write `.alfesync/config.json` in workspace root.
- */
-interface SyncConfig {
-  agentId: string;
-  orgId: string;
-  token: string;
-  workspacePath: string;
-  apiUrl: string;
-}
-/**
- * Resolve the .alfesync directory path for a given workspace root.
- */
-declare function configDir(workspacePath: string): string;
-/**
- * Resolve the config file path for a given workspace root.
- */
-declare function configPath(workspacePath: string): string;
-/**
- * Check if a workspace has been initialized with AlfeSync.
- */
-declare function isInitialized(workspacePath: string): boolean;
-/**
- * Read the AlfeSync config from a workspace.
- * Returns null if not initialized.
- */
-declare function readConfig(workspacePath: string): Promise<SyncConfig | null>;
-/**
- * Write the AlfeSync config to a workspace.
- * Creates the .alfesync directory if it doesn't exist.
- */
-declare function writeConfig(config: SyncConfig): Promise<void>;
-/**
- * Load config from workspace, throwing if not initialized.
- */
-declare function requireConfig(workspacePath: string): Promise<SyncConfig>;
-//# sourceMappingURL=config.d.ts.map
-//#endregion
 //#region src/manifest.d.ts
+
 /**
- * AlfeSync manifest — local file manifest at `.alfesync/manifest.json`.
+ * AlfeSync manifest — local file manifest at `~/.alfe/sync/manifest.json`.
  *
  * Tracks file hashes, sizes, sync timestamps, and storage classes
- * to enable efficient diff-based syncing.
+ * to enable efficient diff-based syncing. Lives under `~/.alfe/sync/`
+ * so workspace directories stay clean.
+ *
+ * `workspacePath` is accepted by every function for consistency with the
+ * rest of the package, but the manifest itself is workspace-independent
+ * (one agent, one workspace, one manifest).
  */
 interface ManifestEntry {
   hash: string;
@@ -80,10 +47,15 @@ interface ManifestDiff {
 }
 /**
  * Read the local manifest. Returns empty manifest if not found.
+ *
+ * `workspacePath` is accepted for call-site symmetry with the rest of the
+ * package but is not used — the manifest path is resolved from
+ * `~/.alfe/sync/` regardless of which workspace the call comes from.
  */
 declare function readManifest(workspacePath: string): Promise<LocalManifest>;
 /**
- * Write the local manifest.
+ * Write the local manifest. `workspacePath` is accepted for call-site
+ * symmetry but unused (see `readManifest`).
  */
 declare function writeManifest(workspacePath: string, manifest: LocalManifest): Promise<void>;
 /**
@@ -127,196 +99,832 @@ declare function shouldIgnore(relativePath: string, patterns: string[]): boolean
 declare function filterIgnored(paths: string[], patterns: string[]): string[];
 //# sourceMappingURL=ignore.d.ts.map
 //#endregion
-//#region src/api-client.d.ts
-interface ApiClientConfig {
+//#region ../agent-api-client/dist/index.d.ts
+//#region ../../packages-internal/types/dist/access.d.ts
+
+/**
+ * The four resource scopes at which a permission can apply.
+ * Order is meaningful: broader scopes first (`org`) → narrower last (`agent`).
+ *
+ * `IntegrationScope` in integration.ts and `SecretScope` in secrets.ts are
+ * intentional aliases of this same enum — there is only one concept of
+ * "scope" in Alfe.
+ */
+declare const ResourceScope: {
+  readonly Org: "org";
+  readonly Team: "team";
+  readonly Project: "project";
+  readonly Agent: "agent";
+};
+type ResourceScope = (typeof ResourceScope)[keyof typeof ResourceScope];
+/** Ordered tuple of resource scope string values (broad → narrow). */
+//#endregion
+//#region ../../packages-internal/types/dist/integration.d.ts
+/** Controls where an integration appears: public (everyone), hidden (nowhere) */
+declare const IntegrationVisibility: {
+  readonly Public: "public";
+  readonly Hidden: "hidden";
+};
+type IntegrationVisibility = (typeof IntegrationVisibility)[keyof typeof IntegrationVisibility];
+/** Scope at which an integration is installed */
+declare const IntegrationScope: {
+  readonly Org: "org";
+  readonly Team: "team";
+  readonly Project: "project";
+  readonly Agent: "agent";
+};
+type IntegrationScope = ResourceScope;
+declare const IntegrationDesiredStatus: {
+  readonly Active: "active";
+  readonly Removed: "removed";
+};
+type IntegrationDesiredStatus = (typeof IntegrationDesiredStatus)[keyof typeof IntegrationDesiredStatus];
+declare const IntegrationActualStatus: {
+  readonly Installing: "installing";
+  readonly Active: "active";
+  readonly Error: "error";
+  readonly Removing: "removing";
+  readonly Inactive: "inactive";
+  readonly Unknown: "unknown";
+};
+type IntegrationActualStatus = (typeof IntegrationActualStatus)[keyof typeof IntegrationActualStatus];
+interface IntegrationInstall {
+  scope: IntegrationScope;
+  scopeId: string;
+  integrationId: string;
+  tenantId: string;
+  desiredStatus: IntegrationDesiredStatus;
+  actualStatus: IntegrationActualStatus;
+  version: string;
+  config: Record<string, unknown>;
+  errorMessage: string;
+  installedAt: string;
+  updatedAt: string;
+}
+/** @deprecated Use IntegrationInstall instead */
+
+interface IntegrationConfigSchemaField {
+  key: string;
+  label: string;
+  type: string;
+  description?: string;
+  required?: boolean;
+  default?: string | number | boolean;
+  options?: string[];
+  select_options?: {
+    value: string;
+    label: string;
+  }[];
+  oauth_provider?: string;
+  oauth_scopes?: string[];
+  oauth_integration_id?: string;
+  editable?: string;
+  hidden?: boolean;
+}
+interface IntegrationConfigResult {
+  integrationId: string;
+  config: Record<string, unknown>;
+  configSchema: IntegrationConfigSchemaField[];
+}
+interface RegistryEntry {
+  id: string;
+  name: string;
+  description: string;
+  versions: string[];
+  latest: string;
+  repository: string;
+  commit: string;
+  icon?: string;
+  author?: {
+    name: string;
+    url?: string;
+  } | string;
+  pricing?: {
+    type: "free" | "paid" | "usage";
+    price?: number;
+    currency?: string;
+    interval?: "month" | "year";
+    description?: string;
+  };
+  features?: string[];
+  preview_images?: string[];
+  config_schema?: IntegrationConfigSchemaField[];
+  supported_agents?: string[];
+  /** Scopes where this integration can be installed */
+  supported_scopes?: IntegrationScope[];
+  /** Visibility status — controls where integration appears */
+  visibility?: IntegrationVisibility;
+}
+//# sourceMappingURL=integration.d.ts.map
+//#endregion
+//#region ../../packages-internal/types/dist/secrets.d.ts
+/** Scope levels at which a secret can be owned. Aliased to ResourceScope. */
+type SecretScope = ResourceScope;
+/**
+ * v1 encrypted envelope as persisted by services/secrets and exchanged with
+ * agents. Values are AES-256-GCM ciphertext; iv/authTag/ciphertext/dataKeyCiphertext
+ * are all base64-encoded.
+ */
+interface EncryptedEnvelopeV1 {
+  version: 1;
+  iv: string;
+  ciphertext: string;
+  authTag: string;
+  dataKeyCiphertext: string;
+}
+/** Opaque metadata about a secret row — never includes plaintext. */
+interface SecretMetadata {
+  secretId: string;
+  secretName: string;
+  description?: string;
+  tags?: string[];
+  createdAt: string;
+  updatedAt: string;
+  rotatedAt?: string;
+}
+/** A single secret row including its encrypted envelope. */
+interface SecretEnvelopeResponse extends SecretMetadata {
+  envelope: EncryptedEnvelopeV1;
+}
+/** A scope the caller can read or write secrets in. */
+interface ScopeInfo {
+  scope: SecretScope;
+  scopeId: string;
+  name?: string;
+}
+/**
+ * KMS-issued data key, returned by the secrets service's
+ * `/secrets/generate-data-key` KMS proxy endpoint. The plaintext key is
+ * returned base64-encoded; callers MUST decode it to a Buffer and zero the
+ * Buffer after use — never keep the plaintext as a JS string.
+ */
+interface GeneratedDataKey {
+  plaintextKey: string;
+  dataKeyCiphertext: string;
+}
+//# sourceMappingURL=secrets.d.ts.map
+//#endregion
+//#region src/index.d.ts
+interface AgentApiClientConfig {
+  apiKey: string;
   apiUrl: string;
-  token: string;
+}
+interface SyncAgentInfo {
   agentId: string;
+  tenantId: string;
+  displayName: string;
+  s3Prefix: string;
+  status: "stale" | "syncing" | "synced";
+  fileCount?: number;
+  totalSize?: number;
+  lastSync?: string;
 }
-interface PresignResult {
-  path: string;
-  url: string;
-  expiresAt: string;
+interface SyncManifestEntry {
+  hash: string;
+  size: number;
+  modified: string;
+  etag?: string;
+  storageClass?: string;
+  compressed?: boolean;
 }
-interface AgentStats {
+interface SyncManifest {
+  version: 1;
   agentId: string;
-  standardBytes: number;
-  glacierBytes: number;
-  fileCount: number;
-  lastSyncAt: string | null;
+  lastSync: string;
+  files: Record<string, SyncManifestEntry>;
 }
-interface RegisterAgentResult {
-  agent: {
-    agentId: string;
-    orgId: string;
-    displayName: string;
-    status: string;
-    createdAt: string;
-  };
+interface SyncPresignedUrl {
+  path: string;
+  url: string;
+  expiresAt: string;
 }
-interface ConfirmResult {
+interface SyncConfirmedUpload {
   filePath: string;
   hash: string;
   size: number;
-  storageClass: string;
+  storageClass: "STANDARD" | "GLACIER_IR";
   syncedAt: string;
 }
-interface ReconstructResult {
+interface SyncReconstructFile {
+  path: string;
+  size: number;
+  url: string;
+  storageClass?: string;
+  compressed?: boolean;
+}
+interface SyncReconstructBundle {
   agentId: string;
   mode: "full" | "active" | "memory";
   fileCount: number;
   totalSize: number;
-  files: {
-    path: string;
-    url: string;
-    size: number;
-    compressed: boolean;
-    expiresAt: string;
-  }[];
-  generatedAt: string;
+  files: SyncReconstructFile[];
   expiresAt: string;
 }
-interface FileHistoryEntry {
-  versionId: string;
-  isLatest: boolean;
+interface SyncAgentStats {
+  agentId: string;
+  standardBytes: number;
+  glacierBytes: number;
+  fileCount: number;
+  lastSyncAt: string | null;
+}
+interface SyncFileEntry {
+  filePath: string;
+  size: number;
+  modified: string;
+  contentHash: string;
+  storageClass?: string;
+  compressed?: boolean;
+}
+interface SyncSessionEntry {
+  sessionId: string;
+  size: number;
   lastModified: string;
+  storageClass?: string;
+  isArchived: boolean;
+}
+interface SyncSessionContent {
+  sessionId: string;
+  content: string;
+  compressed: boolean;
+}
+interface SharedFileEntry {
+  filePath: string;
+  fileName: string;
   size: number;
-  etag?: string;
+  contentType?: string;
 }
-/**
- * Create an AlfeSync API client.
- */
-declare function createApiClient(config: ApiClientConfig): {
-  /**
-   * Get the remote manifest for this agent.
-   */
-  getManifest(): Promise<RemoteManifest>;
-  /**
-   * Request a presigned PUT URL for uploading a file.
-   */
-  presignPut(filePath: string, contentType?: string): Promise<PresignResult>;
-  /**
-   * Request presigned PUT URLs for multiple files.
-   */
-  presignPutBatch(files: {
-    path: string;
-    contentType?: string;
-  }[]): Promise<PresignResult[]>;
-  /**
-   * Confirm a presigned upload completed — updates DynamoDB.
-   */
-  confirmUpload(filePath: string, hash: string, size: number, storageClass?: "STANDARD" | "GLACIER_IR"): Promise<ConfirmResult>;
-  /**
-   * Request a presigned GET URL for downloading a file.
-   */
-  presignGet(filePath: string): Promise<PresignResult>;
-  /**
-   * Request presigned GET URLs for multiple files.
-   */
-  presignGetBatch(paths: string[]): Promise<PresignResult[]>;
+declare class AgentApiClient {
+  private readonly apiKey;
+  private readonly apiUrl;
+  constructor(config: AgentApiClientConfig);
+  private request;
+  syncRegister(args?: {
+    displayName?: string;
+  }): Promise<{
+    agent: SyncAgentInfo;
+  }>;
+  syncGetManifest(): Promise<SyncManifest>;
+  syncPresign(args: {
+    files: {
+      path: string;
+      operation: "put" | "get";
+      contentType?: string;
+    }[];
+  }): Promise<{
+    urls: SyncPresignedUrl[];
+  }>;
+  syncConfirmUpload(args: {
+    filePath: string;
+    hash: string;
+    size: number;
+    storageClass?: "STANDARD" | "GLACIER_IR";
+  }): Promise<SyncConfirmedUpload>;
+  syncReconstruct(args: {
+    mode: "full" | "active" | "memory";
+  }): Promise<SyncReconstructBundle>;
+  syncGetStats(): Promise<SyncAgentStats>;
+  syncListFiles(args?: {
+    prefix?: string;
+  }): Promise<{
+    files: SyncFileEntry[];
+  }>;
+  syncListSessions(): Promise<{
+    sessions: SyncSessionEntry[];
+  }>;
+  syncGetSession(sessionId: string): Promise<SyncSessionContent>;
+  syncDeleteFile(filePath: string): Promise<{
+    removed: boolean;
+  }>;
+  sharedListFiles(args: {
+    scope: "org" | "team" | "project";
+    scopeId: string;
+  }): Promise<{
+    files: SharedFileEntry[];
+    nextCursor: string | null;
+  }>;
+  sharedDownloadUrl(args: {
+    scope: "org" | "team" | "project";
+    scopeId: string;
+    filePath: string;
+  }): Promise<{
+    downloadUrl: string;
+    expiresIn: number;
+  }>;
+  listIntegrations(): Promise<IntegrationInstall[]>;
+  getIntegrationConfig(integrationId: string): Promise<IntegrationConfigResult>;
+  updateIntegrationConfig(integrationId: string, config: Record<string, unknown>): Promise<void>;
+  installIntegration(integrationId: string, options?: {
+    version?: string;
+    config?: Record<string, unknown>;
+  }): Promise<IntegrationInstall>;
+  removeIntegration(integrationId: string): Promise<IntegrationInstall>;
+  getOAuthUrl(provider: string, scopes?: string[]): Promise<{
+    url: string;
+    provider: string;
+    expiresIn: number;
+  }>;
+  getOAuthStatus(provider: string): Promise<{
+    provider: string;
+    connected: boolean;
+    config?: Record<string, string>;
+  }>;
+  getRegistry(): Promise<{
+    integrations: RegistryEntry[];
+  }>;
+  getGoogleCredentials(): Promise<{
+    accounts?: {
+      email: string;
+      refreshToken: string;
+      clientId: string;
+      clientSecret: string;
+      enabledServices?: string[];
+      isDefault: boolean;
+      displayName?: string;
+    }[];
+    email: string;
+    refreshToken: string;
+    clientId: string;
+    clientSecret: string;
+    projectId: string;
+    enabledServices?: string[];
+  }>;
+  disconnectGoogleAccount(email: string): Promise<{
+    accounts: {
+      email: string;
+      displayName?: string;
+      isDefault: boolean;
+    }[];
+  }>;
+  setDefaultGoogleAccount(email: string): Promise<{
+    accounts: {
+      email: string;
+      displayName?: string;
+      isDefault: boolean;
+    }[];
+  }>;
+  getGoogleChatCredentials(): Promise<{
+    email: string;
+    refreshToken: string;
+    clientId: string;
+    clientSecret: string;
+    displayName?: string;
+  }>;
+  getGithubCredentials(): Promise<{
+    login: string;
+    accessToken: string;
+  }>;
+  getXeroCredentials(): Promise<{
+    accessToken: string;
+    accessTokenExpiresAt: string;
+    xeroTenantId: string;
+  }>;
+  refreshXeroToken(): Promise<{
+    accessToken: string;
+    expiresAt: string;
+  }>;
+  getNotionCredentials(): Promise<{
+    accessToken: string;
+    workspaceId: string;
+    workspaceName: string;
+  }>;
+  getAtlassianCredentials(): Promise<{
+    accessToken: string;
+    refreshToken: string;
+    accessTokenExpiresAt: string;
+    cloudId: string;
+    siteName: string;
+    siteUrl: string;
+    email: string;
+    enabledProducts: string[];
+    clientId: string;
+    clientSecret: string;
+  }>;
+  refreshAtlassianToken(): Promise<{
+    accessToken: string;
+    expiresAt: string;
+  }>;
+  getMYOBCredentials(): Promise<{
+    accessToken: string;
+    accessTokenExpiresAt: string;
+    myobBusinessId: string;
+    clientId: string;
+  }>;
+  refreshMYOBToken(): Promise<{
+    accessToken: string;
+    expiresAt: string;
+  }>;
+  getTeamsCredentials(): Promise<{
+    agentId: string;
+    tenantId: string;
+    azureAppId: string;
+    azureBotId: string;
+    azureClientSecret: string;
+    botDisplayName?: string;
+    teamsTenantId?: string;
+    serviceUrl?: string;
+  }>;
+  sendTeamsMessage(data: {
+    conversationId: string;
+    text?: string;
+    adaptiveCard?: Record<string, unknown>;
+  }): Promise<{
+    ok: boolean;
+    activityId: string;
+  }>;
+  listTeamsChannels(): Promise<{
+    channels: {
+      id: string;
+      name: string;
+      description?: string;
+    }[];
+  }>;
+  presignAttachments(files: {
+    filename: string;
+    mimeType: string;
+    size: number;
+  }[]): Promise<{
+    attachments: {
+      id: string;
+      uploadUrl: string;
+      downloadUrl: string;
+      s3Key: string;
+      expiresAt: string;
+    }[];
+  }>;
+  recordActivity(data: {
+    userId?: string;
+    channel: string;
+    role: "user" | "assistant";
+  }): Promise<{
+    recorded: boolean;
+  }>;
   /**
-   * Get agent storage stats.
+   * Mint a fresh AES-256 data key for a new secret or rotation. The encryption
+   * context is rebuilt server-side from `auth.tenantId` + the body fields; the
+   * agent cannot forge context for a scope it doesn't own.
    */
-  getStats(): Promise<AgentStats>;
+  generateSecretDataKey(args: {
+    scope: SecretScope;
+    scopeId: string;
+    secretId: string;
+  }): Promise<GeneratedDataKey>;
   /**
-   * Register this agent with the sync service.
+   * Unwrap a wrapped data key so the agent can decrypt the envelope locally.
+   * KMS Decrypt will fail with `InvalidCiphertextException` if the envelope
+   * was tampered with in a way that changes `{ tenantId, scope, scopeId, secretId }`.
    */
-  registerAgent(displayName?: string): Promise<RegisterAgentResult>;
+  decryptSecretDataKey(args: {
+    scope: SecretScope;
+    scopeId: string;
+    secretId: string;
+    dataKeyCiphertext: string;
+  }): Promise<{
+    plaintextKey: string;
+  }>;
+  /** Upload a pre-encrypted envelope for a secret. */
+  putSecretEnvelope(args: {
+    scope: SecretScope;
+    scopeId: string;
+    secretId: string;
+    secretName: string;
+    envelope: EncryptedEnvelopeV1;
+    description?: string;
+    tags?: string[];
+  }): Promise<{
+    secretId: string;
+  }>;
+  /** Fetch the encrypted envelope for a single secret. */
+  getSecretEnvelope(args: {
+    scope: SecretScope;
+    scopeId: string;
+    secretId: string;
+  }): Promise<SecretEnvelopeResponse>;
+  /** List metadata (never envelopes) for secrets in a scope. */
+  listSecrets(args: {
+    scope: SecretScope;
+    scopeId: string;
+  }): Promise<SecretMetadata[]>;
+  /** Delete a secret. */
+  deleteSecret(args: {
+    scope: SecretScope;
+    scopeId: string;
+    secretId: string;
+  }): Promise<void>;
+  /** Enumerate scopes (org/team/project/agent) this agent can access. */
+  listSecretScopes(): Promise<ScopeInfo[]>;
+  resolveIdentity(args: {
+    provider: string;
+    platformId: string;
+    kind?: "user" | "agent" | "service" | "bot" | "workspace";
+    displayName?: string;
+  }): Promise<{
+    identityId: string | null;
+    status: string;
+    accessAllowed: boolean;
+    created?: boolean;
+    reason?: string;
+  }>;
+  searchIdentities(args?: {
+    q?: string;
+    status?: string;
+    limit?: number;
+  }): Promise<{
+    identities: unknown[];
+  }>;
+  getIdentityContext(identityId: string): Promise<{
+    context: unknown;
+  }>;
+  mergeIdentities(survivorId: string, args: {
+    mergedId: string;
+    changedBy: {
+      type: string;
+      id: string;
+      name?: string;
+    };
+  }): Promise<{
+    ok: boolean;
+    error?: string;
+  }>;
+  unmergeIdentity(identityId: string, args: {
+    changedBy: {
+      type: string;
+      id: string;
+      name?: string;
+    };
+  }): Promise<{
+    ok: boolean;
+    error?: string;
+  }>;
+  addIdentityNote(identityId: string, args: {
+    content: string;
+    category?: string;
+    changedBy: {
+      type: string;
+      id: string;
+      name?: string;
+    };
+  }): Promise<{
+    noteId: string | null;
+  }>;
+  tagIdentity(identityId: string, args: {
+    tag: string;
+    action: "add" | "remove";
+    changedBy: {
+      type: string;
+      id: string;
+      name?: string;
+    };
+  }): Promise<{
+    ok: boolean;
+  }>;
+  getIdentityChangelog(identityId: string, args?: {
+    limit?: number;
+  }): Promise<{
+    entries: unknown[];
+  }>;
+  rollbackIdentity(identityId: string, args: {
+    targetVersion: number;
+    changedBy: {
+      type: string;
+      id: string;
+      name?: string;
+    };
+  }): Promise<{
+    ok: boolean;
+    entry?: unknown;
+  }>;
+  requestIdentityVerification(args: {
+    claimedIdentityId: string;
+    requestingIdentityId: string;
+    requestingProvider: string;
+    requestingPlatformId: string;
+    preferredChannel?: "mobile" | "email";
+    /**
+     * Phase 2: agent-supplied contact endpoint. When provided, the top-level
+     * `preferredChannel` is ignored — the contact's channel wins.
+     */
+    contact?: {
+      channel: "email" | "mobile";
+      value: string;
+    };
+  }): Promise<{
+    verificationId: string;
+    channel: string;
+    deliveredTo: string;
+    expiresAt: string;
+    availableChannels: {
+      channel: string;
+      deliveredTo: string;
+    }[];
+  } | {
+    error: string;
+  }>;
+  confirmIdentityVerification(args: {
+    claimedIdentityId: string;
+    verificationId: string;
+    phrase: string;
+  }): Promise<{
+    verified: boolean;
+    identityId?: string;
+    /** Phase 2: how the confirm resolved — Scenario A vs B. */
+    action?: "merged" | "contact_verified";
+    error?: string;
+  }>;
   /**
-   * Get file version history.
+   * Update display-shape fields on an Identity. Body excludes `email` /
+   * `phone` / `title` / `company` / `metadata` per Section D4 — contacts go
+   * via the verify flow, title/company live on OrgMembership, metadata is
+   * not agent-writable.
    */
-  getFileHistory(filePath: string): Promise<FileHistoryEntry[]>;
+  updateIdentity(identityId: string, args: {
+    name?: string;
+    avatarUrl?: string;
+    timezone?: string;
+    locale?: string;
+  }): Promise<{
+    ok: boolean;
+  }>;
   /**
-   * Generate a reconstruction bundle.
+   * Phase 2 (Section H): server-side verification of a Google Chat sender via
+   * the agent's existing Google OAuth credentials. Returns the resolved
+   * identity (created or matched via Scenario-B email enrichment).
    */
-  reconstruct(mode?: "full" | "active" | "memory"): Promise<ReconstructResult>;
-};
-type ApiClient = ReturnType<typeof createApiClient>;
-//# sourceMappingURL=api-client.d.ts.map
+  resolveGoogleChatSender(args: {
+    senderUserId: string;
+    spaceId?: string;
+  }): Promise<{
+    identityId: string | null;
+    status: string;
+    accessAllowed: boolean;
+  }>;
+  memorySearch(query: string, opts?: {
+    limit?: number;
+    topic?: string;
+    subtopic?: string;
+    tag?: string;
+    includeKnowledge?: boolean;
+  }): Promise<{
+    facts: {
+      subject: string;
+      predicate: string;
+      object: string;
+      since: string;
+      confidence: number;
+    }[];
+    memories: {
+      id: string;
+      text: string;
+      topic: string;
+      subtopic: string;
+      tag: string;
+      importance: number;
+      timestamp: number;
+      score: number;
+    }[];
+  }>;
+  memoryStore(text: string, opts?: {
+    topic?: string;
+    subtopic?: string;
+    tag?: string;
+    importance?: number;
+  }): Promise<{
+    memoryId: string;
+  }>;
+  memoryIngest(sessionKey: string, messages: {
+    role: string;
+    content: string;
+    index: number;
+    timestamp?: string;
+  }[], metadata?: {
+    channelId?: string;
+    userId?: string;
+    userName?: string;
+  }): Promise<{
+    queued: boolean;
+    messageCount: number;
+  }>;
+  memoryLoadContext(tier?: number, topicHint?: string): Promise<{
+    formatted: string;
+    [key: string]: unknown;
+  }>;
+  memoryLookupEntity(subject: string): Promise<{
+    subject: string;
+    triples: {
+      tripleId: string;
+      predicate: string;
+      object: string;
+      validFrom: string;
+      validTo?: string;
+      confidence: number;
+    }[];
+  }>;
+  memoryNavigate(): Promise<{
+    topics: {
+      name: string;
+      tripleCount: number;
+      subtopics: string[];
+    }[];
+    cursor: string | null;
+  }>;
+  memoryDelete(memoryId: string): Promise<{
+    deleted: boolean;
+  }>;
+  memoryStats(): Promise<{
+    vectorCount: number;
+    tripleCount: number;
+    storageEstimateBytes: number;
+    lastIngestionAt?: string;
+  }>;
+  searchWeb(params: {
+    query: string;
+    count?: number;
+    offset?: number;
+    country?: string;
+    freshness?: string;
+  }): Promise<unknown>;
+  searchImages(params: {
+    query: string;
+    count?: number;
+  }): Promise<unknown>;
+  searchNews(params: {
+    query: string;
+    count?: number;
+    freshness?: string;
+  }): Promise<unknown>;
+  registerDatabaseCredentials(): Promise<{
+    connectionString: string;
+    username: string;
+    password: string;
+    databases: string[];
+  }>;
+  reportDatabaseAudit(entry: {
+    database: string;
+    collection: string;
+    operation: string;
+    summary?: string;
+  }): Promise<void>;
+}
+//# sourceMappingURL=index.d.ts.map
+//#endregion
 //#endregion
 //#region src/sync-engine.d.ts
-/**
- * AlfeSync engine — orchestrates push, pull, and full sync operations.
- *
- * Handles:
- *   - push(paths[]): upload changed files to S3
- *   - pull(): download files newer on remote
- *   - fullSync(): bidirectional sync with conflict detection
- *
- * Conflict resolution: if remote file is newer than local manifest entry
- * AND local file has changed → write `.conflict-{timestamp}` alongside original.
- */
 interface SyncResult {
   pushed: number;
   pulled: number;
   conflicts: number;
   errors: number;
 }
+interface SyncEngineOptions {
+  workspacePath: string;
+  client: AgentApiClient;
+}
 /**
- * Create a sync engine for a workspace.
+ * Construct a sync engine bound to a workspace + agent API client.
+ *
+ * The client is constructed once in plugin.ts (or the CLI) and passed in,
+ * so credentials never leak into multiple places.
  */
-declare function createSyncEngine(workspacePath: string): Promise<{
-  config: SyncConfig;
-  client: {
-    getManifest(): Promise<RemoteManifest>;
-    presignPut(filePath: string, contentType?: string): Promise<PresignResult>;
-    presignPutBatch(files: {
-      path: string;
-      contentType?: string;
-    }[]): Promise<PresignResult[]>;
-    confirmUpload(filePath: string, hash: string, size: number, storageClass?: "STANDARD" | "GLACIER_IR"): Promise<ConfirmResult>;
-    presignGet(filePath: string): Promise<PresignResult>;
-    presignGetBatch(paths: string[]): Promise<PresignResult[]>;
-    getStats(): Promise<AgentStats>;
-    registerAgent(displayName?: string): Promise<RegisterAgentResult>;
-    getFileHistory(filePath: string): Promise<FileHistoryEntry[]>;
-    reconstruct(mode?: "full" | "active" | "memory"): Promise<ReconstructResult>;
-  };
+declare function createSyncEngine({
+  workspacePath,
+  client
+}: SyncEngineOptions): {
+  workspacePath: string;
+  client: AgentApiClient;
   /**
-   * Push changed files to remote.
-   *
-   * If paths are provided, only push those files.
-   * If no paths, detect all changed files and push them.
+   * Upload changed files. Pass `paths` for an explicit list, or omit
+   * to scan the workspace for anything that drifted from the manifest.
    */
   push(paths?: string[], options?: {
     quiet?: boolean;
     filter?: string;
   }): Promise<SyncResult>;
-  /**
-   * Pull files from remote that are newer than local.
-   */
+  /** Download files newer on remote. */
   pull(options?: {
     quiet?: boolean;
   }): Promise<SyncResult>;
   /**
-   * Full bidirectional sync with conflict detection.
-   *
-   * For conflicts: if remote file is newer than local manifest entry AND
-   * local file has changed → write `.conflict-{timestamp}` file alongside
-   * the original, then pull the remote version.
+   * Bidirectional sync. True conflicts (changed on both sides) are saved
+   * locally as `.conflict-<ts>` files and the remote version wins.
    */
   fullSync(options?: {
     quiet?: boolean;
   }): Promise<SyncResult>;
   /**
-   * Pull specific files by path without a full manifest diff.
-   *
-   * Used for notification-driven pulls where we already know which
-   * files changed on the remote.
+   * Pull a known list of files (used for relay-driven notifications,
+   * where we already know which paths changed remotely).
    */
   pullFiles(paths: string[], options?: {
     quiet?: boolean;
   }): Promise<SyncResult>;
   /**
-   * Remove a file locally and from the manifest.
-   *
-   * Used for notification-driven deletes when a remote file is removed.
+   * Delete a file locally and from the manifest. Used when the sync relay
+   * tells us a file was removed remotely.
    */
   removeLocalFile(filePath: string, options?: {
     quiet?: boolean;
   }): Promise<void>;
-}>;
-type SyncEngine = Awaited<ReturnType<typeof createSyncEngine>>;
+};
+type SyncEngine = ReturnType<typeof createSyncEngine>;
 //# sourceMappingURL=sync-engine.d.ts.map
 //#endregion
 //#region src/watcher.d.ts
@@ -350,11 +958,9 @@ interface UploadResult {
   error?: string;
 }
 /**
- * Upload multiple files to S3.
- *
- * Uploads are performed in parallel with a concurrency limit.
+ * Upload many files, batched by `concurrency`.
  */
-declare function uploadFiles(workspacePath: string, relativePaths: string[], client: ApiClient, options?: {
+declare function uploadFiles(workspacePath: string, relativePaths: string[], client: AgentApiClient, options?: {
   concurrency?: number;
   quiet?: boolean;
 }): Promise<UploadResult[]>;
@@ -367,26 +973,30 @@ interface DownloadResult {
   size?: number;
   error?: string;
 }
-/**
- * Download multiple files from S3.
- *
- * Downloads are performed in parallel with a concurrency limit.
- */
-declare function downloadFiles(workspacePath: string, relativePaths: string[], client: ApiClient, remoteManifest?: RemoteManifest, options?: {
+declare function downloadFiles(workspacePath: string, relativePaths: string[], client: AgentApiClient, remoteManifest?: RemoteManifest, options?: {
   concurrency?: number;
   quiet?: boolean;
 }): Promise<DownloadResult[]>;
 //# sourceMappingURL=downloader.d.ts.map
 //#endregion
-//#region src/shared-sync.d.ts
+//#region src/retry.d.ts
 /**
- * Shared file sync engine for org/team/project scoped files.
- *
- * Syncs shared files to a `shared/` directory in the agent's workspace,
- * organized by scope: shared/org/, shared/teams/{id}/, shared/projects/{id}/
- *
- * Uses the agent self-service API (/agents/org/...) with the agent's API key.
+ * Tiny retry helper used by uploader/downloader. Extracted so both
+ * use the same timing and surface the same final error shape.
+ */
+interface RetryOptions {
+  maxRetries?: number;
+  baseDelayMs?: number;
+}
+/**
+ * Run `fn` up to `maxRetries + 1` times with exponential backoff
+ * (`base * 2^attempt`). Returns the first successful value, or rethrows
+ * the last error.
  */
+declare function withRetry<T>(fn: () => Promise<T>, options?: RetryOptions): Promise<T>;
+//# sourceMappingURL=retry.d.ts.map
+//#endregion
+//#region src/shared-sync.d.ts
 interface SharedScope {
   scopeType: "team" | "project" | "org";
   scopeId: string;
@@ -394,9 +1004,7 @@ interface SharedScope {
 }
 interface SharedSyncConfig {
   workspacePath: string;
-  apiUrl: string;
-  token: string;
-  agentId: string;
+  client: AgentApiClient;
 }
 interface PluginLogger {
   info(msg: string): void;
@@ -413,5 +1021,5 @@ interface SharedSyncEngine {
 }
 declare function createSharedSyncEngine(config: SharedSyncConfig, log: PluginLogger): SharedSyncEngine;
 //#endregion
-export { type AgentStats, type ApiClient, type ApiClientConfig, type ConfirmResult, type DownloadResult, type FileHistoryEntry, type LocalManifest, type ManifestDiff, type ManifestEntry, type PresignResult, type ReconstructResult, type RegisterAgentResult, type RemoteManifest, type SharedScope, type SharedSyncConfig, type SharedSyncEngine, type SyncConfig, type SyncEngine, type SyncPluginConfig, type SyncResult, type UploadResult, type WatcherOptions, computeFileHash, configDir, configPath, createApiClient, createSharedSyncEngine, createSyncEngine, diffManifests, downloadFiles, filterIgnored, isInitialized, loadIgnorePatterns, plugin, readConfig, readManifest, removeManifestEntry, requireConfig, shouldIgnore, startWatcher, updateManifestEntry, uploadFiles, writeConfig, writeManifest };
+export { type DownloadResult, type LocalManifest, type ManifestDiff, type ManifestEntry, type RemoteManifest, type RetryOptions, type SharedScope, type SharedSyncConfig, type SharedSyncEngine, type SyncEngine, type SyncPluginConfig, type SyncResult, type UploadResult, type WatcherOptions, computeFileHash, createSharedSyncEngine, createSyncEngine, diffManifests, downloadFiles, filterIgnored, loadIgnorePatterns, plugin, readManifest, removeManifestEntry, shouldIgnore, startWatcher, updateManifestEntry, uploadFiles, withRetry, writeManifest };
 //# sourceMappingURL=index.d.cts.map