@alfe.ai/openclaw-sync 0.0.16 → 0.0.17

package/dist/index.d.ts

@@ -1,61 +1,7 @@
 import plugin, { SyncPluginConfig } from "./plugin.js";
 
-//#region src/config.d.ts
-
-/**
- * AlfeSync configuration.
- *
- * Derives credentials from `@alfe.ai/config` (~/.alfe/config.toml) so the
- * sync plugin works on any agent that's already logged in — no separate
- * `.alfesync/config.json` or manual `alfesync init` required.
- *
- * The only field not directly in @alfe.ai/config is `agentId`, which is
- * resolved once at startup by calling POST /auth/validate (same pattern
- * the gateway daemon uses to bootstrap its own identity).
- */
-interface SyncConfig {
-  agentId: string;
-  orgId: string;
-  token: string;
-  workspacePath: string;
-  apiUrl: string;
-}
-/**
- * Local on-disk state directory (manifest, etc.) — separate from credentials.
- * Lives under ~/.alfe/sync/ so sync state stays alongside the rest of Alfe's
- * agent state, not scattered across the workspace.
- */
-declare function syncStateDir(): string;
-/**
- * True if the agent has logged in (~/.alfe/config.toml exists).
- * Sync needs no separate initialization — login is enough.
- */
-declare function isInitialized(): boolean;
-/**
- * Invalidate the in-memory config cache. Call after login changes.
- */
-declare function invalidateSyncConfigCache(): void;
-/**
- * Resolve the full sync config — apiKey + apiUrl from @alfe.ai/config,
- * agentId/orgId fetched once from /auth/validate.
- *
- * Returns null if the agent isn't logged in or validation fails.
- * Callers that require config should use requireConfig().
- *
- * Concurrent callers share a single in-flight promise; failures are
- * not cached so a transient API blip doesn't poison the process.
- */
-declare function resolveSyncConfig(): Promise<SyncConfig | null>;
-/**
- * Resolve config or throw with a clear message. Use in CLI entry points.
- */
-declare function requireConfig(): Promise<SyncConfig>;
-/**
- * Local-only check: does the on-disk sync state directory exist?
- * Used by manifest loading to decide whether to create it.
- */
-//#endregion
 //#region src/manifest.d.ts
+
 /**
  * AlfeSync manifest — local file manifest at `~/.alfe/sync/manifest.json`.
  *
@@ -153,197 +99,832 @@ declare function shouldIgnore(relativePath: string, patterns: string[]): boolean
 declare function filterIgnored(paths: string[], patterns: string[]): string[];
 //# sourceMappingURL=ignore.d.ts.map
 //#endregion
-//#region src/api-client.d.ts
-interface ApiClientConfig {
+//#region ../agent-api-client/dist/index.d.ts
+//#region ../../packages-internal/types/dist/access.d.ts
+
+/**
+ * The four resource scopes at which a permission can apply.
+ * Order is meaningful: broader scopes first (`org`) → narrower last (`agent`).
+ *
+ * `IntegrationScope` in integration.ts and `SecretScope` in secrets.ts are
+ * intentional aliases of this same enum — there is only one concept of
+ * "scope" in Alfe.
+ */
+declare const ResourceScope: {
+  readonly Org: "org";
+  readonly Team: "team";
+  readonly Project: "project";
+  readonly Agent: "agent";
+};
+type ResourceScope = (typeof ResourceScope)[keyof typeof ResourceScope];
+/** Ordered tuple of resource scope string values (broad → narrow). */
+//#endregion
+//#region ../../packages-internal/types/dist/integration.d.ts
+/** Controls where an integration appears: public (everyone), hidden (nowhere) */
+declare const IntegrationVisibility: {
+  readonly Public: "public";
+  readonly Hidden: "hidden";
+};
+type IntegrationVisibility = (typeof IntegrationVisibility)[keyof typeof IntegrationVisibility];
+/** Scope at which an integration is installed */
+declare const IntegrationScope: {
+  readonly Org: "org";
+  readonly Team: "team";
+  readonly Project: "project";
+  readonly Agent: "agent";
+};
+type IntegrationScope = ResourceScope;
+declare const IntegrationDesiredStatus: {
+  readonly Active: "active";
+  readonly Removed: "removed";
+};
+type IntegrationDesiredStatus = (typeof IntegrationDesiredStatus)[keyof typeof IntegrationDesiredStatus];
+declare const IntegrationActualStatus: {
+  readonly Installing: "installing";
+  readonly Active: "active";
+  readonly Error: "error";
+  readonly Removing: "removing";
+  readonly Inactive: "inactive";
+  readonly Unknown: "unknown";
+};
+type IntegrationActualStatus = (typeof IntegrationActualStatus)[keyof typeof IntegrationActualStatus];
+interface IntegrationInstall {
+  scope: IntegrationScope;
+  scopeId: string;
+  integrationId: string;
+  tenantId: string;
+  desiredStatus: IntegrationDesiredStatus;
+  actualStatus: IntegrationActualStatus;
+  version: string;
+  config: Record<string, unknown>;
+  errorMessage: string;
+  installedAt: string;
+  updatedAt: string;
+}
+/** @deprecated Use IntegrationInstall instead */
+
+interface IntegrationConfigSchemaField {
+  key: string;
+  label: string;
+  type: string;
+  description?: string;
+  required?: boolean;
+  default?: string | number | boolean;
+  options?: string[];
+  select_options?: {
+    value: string;
+    label: string;
+  }[];
+  oauth_provider?: string;
+  oauth_scopes?: string[];
+  oauth_integration_id?: string;
+  editable?: string;
+  hidden?: boolean;
+}
+interface IntegrationConfigResult {
+  integrationId: string;
+  config: Record<string, unknown>;
+  configSchema: IntegrationConfigSchemaField[];
+}
+interface RegistryEntry {
+  id: string;
+  name: string;
+  description: string;
+  versions: string[];
+  latest: string;
+  repository: string;
+  commit: string;
+  icon?: string;
+  author?: {
+    name: string;
+    url?: string;
+  } | string;
+  pricing?: {
+    type: "free" | "paid" | "usage";
+    price?: number;
+    currency?: string;
+    interval?: "month" | "year";
+    description?: string;
+  };
+  features?: string[];
+  preview_images?: string[];
+  config_schema?: IntegrationConfigSchemaField[];
+  supported_agents?: string[];
+  /** Scopes where this integration can be installed */
+  supported_scopes?: IntegrationScope[];
+  /** Visibility status — controls where integration appears */
+  visibility?: IntegrationVisibility;
+}
+//# sourceMappingURL=integration.d.ts.map
+//#endregion
+//#region ../../packages-internal/types/dist/secrets.d.ts
+/** Scope levels at which a secret can be owned. Aliased to ResourceScope. */
+type SecretScope = ResourceScope;
+/**
+ * v1 encrypted envelope as persisted by services/secrets and exchanged with
+ * agents. Values are AES-256-GCM ciphertext; iv/authTag/ciphertext/dataKeyCiphertext
+ * are all base64-encoded.
+ */
+interface EncryptedEnvelopeV1 {
+  version: 1;
+  iv: string;
+  ciphertext: string;
+  authTag: string;
+  dataKeyCiphertext: string;
+}
+/** Opaque metadata about a secret row — never includes plaintext. */
+interface SecretMetadata {
+  secretId: string;
+  secretName: string;
+  description?: string;
+  tags?: string[];
+  createdAt: string;
+  updatedAt: string;
+  rotatedAt?: string;
+}
+/** A single secret row including its encrypted envelope. */
+interface SecretEnvelopeResponse extends SecretMetadata {
+  envelope: EncryptedEnvelopeV1;
+}
+/** A scope the caller can read or write secrets in. */
+interface ScopeInfo {
+  scope: SecretScope;
+  scopeId: string;
+  name?: string;
+}
+/**
+ * KMS-issued data key, returned by the secrets service's
+ * `/secrets/generate-data-key` KMS proxy endpoint. The plaintext key is
+ * returned base64-encoded; callers MUST decode it to a Buffer and zero the
+ * Buffer after use — never keep the plaintext as a JS string.
+ */
+interface GeneratedDataKey {
+  plaintextKey: string;
+  dataKeyCiphertext: string;
+}
+//# sourceMappingURL=secrets.d.ts.map
+//#endregion
+//#region src/index.d.ts
+interface AgentApiClientConfig {
+  apiKey: string;
   apiUrl: string;
-  token: string;
+}
+interface SyncAgentInfo {
   agentId: string;
+  tenantId: string;
+  displayName: string;
+  s3Prefix: string;
+  status: "stale" | "syncing" | "synced";
+  fileCount?: number;
+  totalSize?: number;
+  lastSync?: string;
 }
-interface PresignResult {
-  path: string;
-  url: string;
-  expiresAt: string;
+interface SyncManifestEntry {
+  hash: string;
+  size: number;
+  modified: string;
+  etag?: string;
+  storageClass?: string;
+  compressed?: boolean;
 }
-interface AgentStats {
+interface SyncManifest {
+  version: 1;
   agentId: string;
-  standardBytes: number;
-  glacierBytes: number;
-  fileCount: number;
-  lastSyncAt: string | null;
+  lastSync: string;
+  files: Record<string, SyncManifestEntry>;
 }
-interface RegisterAgentResult {
-  agent: {
-    agentId: string;
-    orgId: string;
-    displayName: string;
-    status: string;
-    createdAt: string;
-  };
+interface SyncPresignedUrl {
+  path: string;
+  url: string;
+  expiresAt: string;
 }
-interface ConfirmResult {
+interface SyncConfirmedUpload {
   filePath: string;
   hash: string;
   size: number;
-  storageClass: string;
+  storageClass: "STANDARD" | "GLACIER_IR";
   syncedAt: string;
 }
-interface ReconstructResult {
+interface SyncReconstructFile {
+  path: string;
+  size: number;
+  url: string;
+  storageClass?: string;
+  compressed?: boolean;
+}
+interface SyncReconstructBundle {
   agentId: string;
   mode: "full" | "active" | "memory";
   fileCount: number;
   totalSize: number;
-  files: {
-    path: string;
-    url: string;
-    size: number;
-    compressed: boolean;
-    expiresAt: string;
-  }[];
-  generatedAt: string;
+  files: SyncReconstructFile[];
   expiresAt: string;
 }
-interface FileHistoryEntry {
-  versionId: string;
-  isLatest: boolean;
+interface SyncAgentStats {
+  agentId: string;
+  standardBytes: number;
+  glacierBytes: number;
+  fileCount: number;
+  lastSyncAt: string | null;
+}
+interface SyncFileEntry {
+  filePath: string;
+  size: number;
+  modified: string;
+  contentHash: string;
+  storageClass?: string;
+  compressed?: boolean;
+}
+interface SyncSessionEntry {
+  sessionId: string;
+  size: number;
   lastModified: string;
+  storageClass?: string;
+  isArchived: boolean;
+}
+interface SyncSessionContent {
+  sessionId: string;
+  content: string;
+  compressed: boolean;
+}
+interface SharedFileEntry {
+  filePath: string;
+  fileName: string;
   size: number;
-  etag?: string;
+  contentType?: string;
 }
-/**
- * Create an AlfeSync API client.
- */
-declare function createApiClient(config: ApiClientConfig): {
-  /**
-   * Get the remote manifest for this agent.
-   */
-  getManifest(): Promise<RemoteManifest>;
-  /**
-   * Request a presigned PUT URL for uploading a file.
-   */
-  presignPut(filePath: string, contentType?: string): Promise<PresignResult>;
-  /**
-   * Request presigned PUT URLs for multiple files.
-   */
-  presignPutBatch(files: {
-    path: string;
-    contentType?: string;
-  }[]): Promise<PresignResult[]>;
-  /**
-   * Confirm a presigned upload completed — updates DynamoDB.
-   */
-  confirmUpload(filePath: string, hash: string, size: number, storageClass?: "STANDARD" | "GLACIER_IR"): Promise<ConfirmResult>;
-  /**
-   * Request a presigned GET URL for downloading a file.
-   */
-  presignGet(filePath: string): Promise<PresignResult>;
-  /**
-   * Request presigned GET URLs for multiple files.
-   */
-  presignGetBatch(paths: string[]): Promise<PresignResult[]>;
+declare class AgentApiClient {
+  private readonly apiKey;
+  private readonly apiUrl;
+  constructor(config: AgentApiClientConfig);
+  private request;
+  syncRegister(args?: {
+    displayName?: string;
+  }): Promise<{
+    agent: SyncAgentInfo;
+  }>;
+  syncGetManifest(): Promise<SyncManifest>;
+  syncPresign(args: {
+    files: {
+      path: string;
+      operation: "put" | "get";
+      contentType?: string;
+    }[];
+  }): Promise<{
+    urls: SyncPresignedUrl[];
+  }>;
+  syncConfirmUpload(args: {
+    filePath: string;
+    hash: string;
+    size: number;
+    storageClass?: "STANDARD" | "GLACIER_IR";
+  }): Promise<SyncConfirmedUpload>;
+  syncReconstruct(args: {
+    mode: "full" | "active" | "memory";
+  }): Promise<SyncReconstructBundle>;
+  syncGetStats(): Promise<SyncAgentStats>;
+  syncListFiles(args?: {
+    prefix?: string;
+  }): Promise<{
+    files: SyncFileEntry[];
+  }>;
+  syncListSessions(): Promise<{
+    sessions: SyncSessionEntry[];
+  }>;
+  syncGetSession(sessionId: string): Promise<SyncSessionContent>;
+  syncDeleteFile(filePath: string): Promise<{
+    removed: boolean;
+  }>;
+  sharedListFiles(args: {
+    scope: "org" | "team" | "project";
+    scopeId: string;
+  }): Promise<{
+    files: SharedFileEntry[];
+    nextCursor: string | null;
+  }>;
+  sharedDownloadUrl(args: {
+    scope: "org" | "team" | "project";
+    scopeId: string;
+    filePath: string;
+  }): Promise<{
+    downloadUrl: string;
+    expiresIn: number;
+  }>;
+  listIntegrations(): Promise<IntegrationInstall[]>;
+  getIntegrationConfig(integrationId: string): Promise<IntegrationConfigResult>;
+  updateIntegrationConfig(integrationId: string, config: Record<string, unknown>): Promise<void>;
+  installIntegration(integrationId: string, options?: {
+    version?: string;
+    config?: Record<string, unknown>;
+  }): Promise<IntegrationInstall>;
+  removeIntegration(integrationId: string): Promise<IntegrationInstall>;
+  getOAuthUrl(provider: string, scopes?: string[]): Promise<{
+    url: string;
+    provider: string;
+    expiresIn: number;
+  }>;
+  getOAuthStatus(provider: string): Promise<{
+    provider: string;
+    connected: boolean;
+    config?: Record<string, string>;
+  }>;
+  getRegistry(): Promise<{
+    integrations: RegistryEntry[];
+  }>;
+  getGoogleCredentials(): Promise<{
+    accounts?: {
+      email: string;
+      refreshToken: string;
+      clientId: string;
+      clientSecret: string;
+      enabledServices?: string[];
+      isDefault: boolean;
+      displayName?: string;
+    }[];
+    email: string;
+    refreshToken: string;
+    clientId: string;
+    clientSecret: string;
+    projectId: string;
+    enabledServices?: string[];
+  }>;
+  disconnectGoogleAccount(email: string): Promise<{
+    accounts: {
+      email: string;
+      displayName?: string;
+      isDefault: boolean;
+    }[];
+  }>;
+  setDefaultGoogleAccount(email: string): Promise<{
+    accounts: {
+      email: string;
+      displayName?: string;
+      isDefault: boolean;
+    }[];
+  }>;
+  getGoogleChatCredentials(): Promise<{
+    email: string;
+    refreshToken: string;
+    clientId: string;
+    clientSecret: string;
+    displayName?: string;
+  }>;
+  getGithubCredentials(): Promise<{
+    login: string;
+    accessToken: string;
+  }>;
+  getXeroCredentials(): Promise<{
+    accessToken: string;
+    accessTokenExpiresAt: string;
+    xeroTenantId: string;
+  }>;
+  refreshXeroToken(): Promise<{
+    accessToken: string;
+    expiresAt: string;
+  }>;
+  getNotionCredentials(): Promise<{
+    accessToken: string;
+    workspaceId: string;
+    workspaceName: string;
+  }>;
+  getAtlassianCredentials(): Promise<{
+    accessToken: string;
+    refreshToken: string;
+    accessTokenExpiresAt: string;
+    cloudId: string;
+    siteName: string;
+    siteUrl: string;
+    email: string;
+    enabledProducts: string[];
+    clientId: string;
+    clientSecret: string;
+  }>;
+  refreshAtlassianToken(): Promise<{
+    accessToken: string;
+    expiresAt: string;
+  }>;
+  getMYOBCredentials(): Promise<{
+    accessToken: string;
+    accessTokenExpiresAt: string;
+    myobBusinessId: string;
+    clientId: string;
+  }>;
+  refreshMYOBToken(): Promise<{
+    accessToken: string;
+    expiresAt: string;
+  }>;
+  getTeamsCredentials(): Promise<{
+    agentId: string;
+    tenantId: string;
+    azureAppId: string;
+    azureBotId: string;
+    azureClientSecret: string;
+    botDisplayName?: string;
+    teamsTenantId?: string;
+    serviceUrl?: string;
+  }>;
+  sendTeamsMessage(data: {
+    conversationId: string;
+    text?: string;
+    adaptiveCard?: Record<string, unknown>;
+  }): Promise<{
+    ok: boolean;
+    activityId: string;
+  }>;
+  listTeamsChannels(): Promise<{
+    channels: {
+      id: string;
+      name: string;
+      description?: string;
+    }[];
+  }>;
+  presignAttachments(files: {
+    filename: string;
+    mimeType: string;
+    size: number;
+  }[]): Promise<{
+    attachments: {
+      id: string;
+      uploadUrl: string;
+      downloadUrl: string;
+      s3Key: string;
+      expiresAt: string;
+    }[];
+  }>;
+  recordActivity(data: {
+    userId?: string;
+    channel: string;
+    role: "user" | "assistant";
+  }): Promise<{
+    recorded: boolean;
+  }>;
   /**
-   * Get agent storage stats.
+   * Mint a fresh AES-256 data key for a new secret or rotation. The encryption
+   * context is rebuilt server-side from `auth.tenantId` + the body fields; the
+   * agent cannot forge context for a scope it doesn't own.
    */
-  getStats(): Promise<AgentStats>;
+  generateSecretDataKey(args: {
+    scope: SecretScope;
+    scopeId: string;
+    secretId: string;
+  }): Promise<GeneratedDataKey>;
   /**
-   * Register this agent with the sync service.
+   * Unwrap a wrapped data key so the agent can decrypt the envelope locally.
+   * KMS Decrypt will fail with `InvalidCiphertextException` if the envelope
+   * was tampered with in a way that changes `{ tenantId, scope, scopeId, secretId }`.
    */
-  registerAgent(displayName?: string): Promise<RegisterAgentResult>;
+  decryptSecretDataKey(args: {
+    scope: SecretScope;
+    scopeId: string;
+    secretId: string;
+    dataKeyCiphertext: string;
+  }): Promise<{
+    plaintextKey: string;
+  }>;
+  /** Upload a pre-encrypted envelope for a secret. */
+  putSecretEnvelope(args: {
+    scope: SecretScope;
+    scopeId: string;
+    secretId: string;
+    secretName: string;
+    envelope: EncryptedEnvelopeV1;
+    description?: string;
+    tags?: string[];
+  }): Promise<{
+    secretId: string;
+  }>;
+  /** Fetch the encrypted envelope for a single secret. */
+  getSecretEnvelope(args: {
+    scope: SecretScope;
+    scopeId: string;
+    secretId: string;
+  }): Promise<SecretEnvelopeResponse>;
+  /** List metadata (never envelopes) for secrets in a scope. */
+  listSecrets(args: {
+    scope: SecretScope;
+    scopeId: string;
+  }): Promise<SecretMetadata[]>;
+  /** Delete a secret. */
+  deleteSecret(args: {
+    scope: SecretScope;
+    scopeId: string;
+    secretId: string;
+  }): Promise<void>;
+  /** Enumerate scopes (org/team/project/agent) this agent can access. */
+  listSecretScopes(): Promise<ScopeInfo[]>;
+  resolveIdentity(args: {
+    provider: string;
+    platformId: string;
+    kind?: "user" | "agent" | "service" | "bot" | "workspace";
+    displayName?: string;
+  }): Promise<{
+    identityId: string | null;
+    status: string;
+    accessAllowed: boolean;
+    created?: boolean;
+    reason?: string;
+  }>;
+  searchIdentities(args?: {
+    q?: string;
+    status?: string;
+    limit?: number;
+  }): Promise<{
+    identities: unknown[];
+  }>;
+  getIdentityContext(identityId: string): Promise<{
+    context: unknown;
+  }>;
+  mergeIdentities(survivorId: string, args: {
+    mergedId: string;
+    changedBy: {
+      type: string;
+      id: string;
+      name?: string;
+    };
+  }): Promise<{
+    ok: boolean;
+    error?: string;
+  }>;
+  unmergeIdentity(identityId: string, args: {
+    changedBy: {
+      type: string;
+      id: string;
+      name?: string;
+    };
+  }): Promise<{
+    ok: boolean;
+    error?: string;
+  }>;
+  addIdentityNote(identityId: string, args: {
+    content: string;
+    category?: string;
+    changedBy: {
+      type: string;
+      id: string;
+      name?: string;
+    };
+  }): Promise<{
+    noteId: string | null;
+  }>;
+  tagIdentity(identityId: string, args: {
+    tag: string;
+    action: "add" | "remove";
+    changedBy: {
+      type: string;
+      id: string;
+      name?: string;
+    };
+  }): Promise<{
+    ok: boolean;
+  }>;
+  getIdentityChangelog(identityId: string, args?: {
+    limit?: number;
+  }): Promise<{
+    entries: unknown[];
+  }>;
+  rollbackIdentity(identityId: string, args: {
+    targetVersion: number;
+    changedBy: {
+      type: string;
+      id: string;
+      name?: string;
+    };
+  }): Promise<{
+    ok: boolean;
+    entry?: unknown;
+  }>;
+  requestIdentityVerification(args: {
+    claimedIdentityId: string;
+    requestingIdentityId: string;
+    requestingProvider: string;
+    requestingPlatformId: string;
+    preferredChannel?: "mobile" | "email";
+    /**
+     * Phase 2: agent-supplied contact endpoint. When provided, the top-level
+     * `preferredChannel` is ignored — the contact's channel wins.
+     */
+    contact?: {
+      channel: "email" | "mobile";
+      value: string;
+    };
+  }): Promise<{
+    verificationId: string;
+    channel: string;
+    deliveredTo: string;
+    expiresAt: string;
+    availableChannels: {
+      channel: string;
+      deliveredTo: string;
+    }[];
+  } | {
+    error: string;
+  }>;
+  confirmIdentityVerification(args: {
+    claimedIdentityId: string;
+    verificationId: string;
+    phrase: string;
+  }): Promise<{
+    verified: boolean;
+    identityId?: string;
+    /** Phase 2: how the confirm resolved — Scenario A vs B. */
+    action?: "merged" | "contact_verified";
+    error?: string;
+  }>;
   /**
-   * Get file version history.
+   * Update display-shape fields on an Identity. Body excludes `email` /
+   * `phone` / `title` / `company` / `metadata` per Section D4 — contacts go
+   * via the verify flow, title/company live on OrgMembership, metadata is
+   * not agent-writable.
    */
-  getFileHistory(filePath: string): Promise<FileHistoryEntry[]>;
+  updateIdentity(identityId: string, args: {
+    name?: string;
+    avatarUrl?: string;
+    timezone?: string;
+    locale?: string;
+  }): Promise<{
+    ok: boolean;
+  }>;
   /**
-   * Generate a reconstruction bundle.
+   * Phase 2 (Section H): server-side verification of a Google Chat sender via
+   * the agent's existing Google OAuth credentials. Returns the resolved
+   * identity (created or matched via Scenario-B email enrichment).
    */
-  reconstruct(mode?: "full" | "active" | "memory"): Promise<ReconstructResult>;
-};
-type ApiClient = ReturnType<typeof createApiClient>;
-//# sourceMappingURL=api-client.d.ts.map
+  resolveGoogleChatSender(args: {
+    senderUserId: string;
+    spaceId?: string;
+  }): Promise<{
+    identityId: string | null;
+    status: string;
+    accessAllowed: boolean;
+  }>;
+  memorySearch(query: string, opts?: {
+    limit?: number;
+    topic?: string;
+    subtopic?: string;
+    tag?: string;
+    includeKnowledge?: boolean;
+  }): Promise<{
+    facts: {
+      subject: string;
+      predicate: string;
+      object: string;
+      since: string;
+      confidence: number;
+    }[];
+    memories: {
+      id: string;
+      text: string;
+      topic: string;
+      subtopic: string;
+      tag: string;
+      importance: number;
+      timestamp: number;
+      score: number;
+    }[];
+  }>;
+  memoryStore(text: string, opts?: {
+    topic?: string;
+    subtopic?: string;
+    tag?: string;
+    importance?: number;
+  }): Promise<{
+    memoryId: string;
+  }>;
+  memoryIngest(sessionKey: string, messages: {
+    role: string;
+    content: string;
+    index: number;
+    timestamp?: string;
+  }[], metadata?: {
+    channelId?: string;
+    userId?: string;
+    userName?: string;
+  }): Promise<{
+    queued: boolean;
+    messageCount: number;
+  }>;
+  memoryLoadContext(tier?: number, topicHint?: string): Promise<{
+    formatted: string;
+    [key: string]: unknown;
+  }>;
+  memoryLookupEntity(subject: string): Promise<{
+    subject: string;
+    triples: {
+      tripleId: string;
+      predicate: string;
+      object: string;
+      validFrom: string;
+      validTo?: string;
+      confidence: number;
+    }[];
+  }>;
+  memoryNavigate(): Promise<{
+    topics: {
+      name: string;
+      tripleCount: number;
+      subtopics: string[];
+    }[];
+    cursor: string | null;
+  }>;
+  memoryDelete(memoryId: string): Promise<{
+    deleted: boolean;
+  }>;
+  memoryStats(): Promise<{
+    vectorCount: number;
+    tripleCount: number;
+    storageEstimateBytes: number;
+    lastIngestionAt?: string;
+  }>;
+  searchWeb(params: {
+    query: string;
+    count?: number;
+    offset?: number;
+    country?: string;
+    freshness?: string;
+  }): Promise<unknown>;
+  searchImages(params: {
+    query: string;
+    count?: number;
+  }): Promise<unknown>;
+  searchNews(params: {
+    query: string;
+    count?: number;
+    freshness?: string;
+  }): Promise<unknown>;
+  registerDatabaseCredentials(): Promise<{
+    connectionString: string;
+    username: string;
+    password: string;
+    databases: string[];
+  }>;
+  reportDatabaseAudit(entry: {
+    database: string;
+    collection: string;
+    operation: string;
+    summary?: string;
+  }): Promise<void>;
+}
+//# sourceMappingURL=index.d.ts.map
+//#endregion
 //#endregion
 //#region src/sync-engine.d.ts
-/**
- * AlfeSync engine — orchestrates push, pull, and full sync operations.
- *
- * Handles:
- *   - push(paths[]): upload changed files to S3
- *   - pull(): download files newer on remote
- *   - fullSync(): bidirectional sync with conflict detection
- *
- * Conflict resolution: if remote file is newer than local manifest entry
- * AND local file has changed → write `.conflict-{timestamp}` alongside original.
- */
 interface SyncResult {
   pushed: number;
   pulled: number;
   conflicts: number;
   errors: number;
 }
+interface SyncEngineOptions {
+  workspacePath: string;
+  client: AgentApiClient;
+}
 /**
- * Create a sync engine. Workspace path defaults to `config.workspacePath`
- * from the resolved Alfe config, but can be overridden (e.g. for tests).
+ * Construct a sync engine bound to a workspace + agent API client.
+ *
+ * The client is constructed once in plugin.ts (or the CLI) and passed in,
+ * so credentials never leak into multiple places.
  */
-declare function createSyncEngine(workspacePathOverride?: string): Promise<{
-  config: SyncConfig;
-  client: {
-    getManifest(): Promise<RemoteManifest>;
-    presignPut(filePath: string, contentType?: string): Promise<PresignResult>;
-    presignPutBatch(files: {
-      path: string;
-      contentType?: string;
-    }[]): Promise<PresignResult[]>;
-    confirmUpload(filePath: string, hash: string, size: number, storageClass?: "STANDARD" | "GLACIER_IR"): Promise<ConfirmResult>;
-    presignGet(filePath: string): Promise<PresignResult>;
-    presignGetBatch(paths: string[]): Promise<PresignResult[]>;
-    getStats(): Promise<AgentStats>;
-    registerAgent(displayName?: string): Promise<RegisterAgentResult>;
-    getFileHistory(filePath: string): Promise<FileHistoryEntry[]>;
-    reconstruct(mode?: "full" | "active" | "memory"): Promise<ReconstructResult>;
-  };
+declare function createSyncEngine({
+  workspacePath,
+  client
+}: SyncEngineOptions): {
+  workspacePath: string;
+  client: AgentApiClient;
   /**
-   * Push changed files to remote.
-   *
-   * If paths are provided, only push those files.
-   * If no paths, detect all changed files and push them.
+   * Upload changed files. Pass `paths` for an explicit list, or omit
+   * to scan the workspace for anything that drifted from the manifest.
    */
   push(paths?: string[], options?: {
     quiet?: boolean;
     filter?: string;
   }): Promise<SyncResult>;
-  /**
-   * Pull files from remote that are newer than local.
-   */
+  /** Download files newer on remote. */
   pull(options?: {
     quiet?: boolean;
   }): Promise<SyncResult>;
   /**
-   * Full bidirectional sync with conflict detection.
-   *
-   * For conflicts: if remote file is newer than local manifest entry AND
-   * local file has changed → write `.conflict-{timestamp}` file alongside
-   * the original, then pull the remote version.
+   * Bidirectional sync. True conflicts (changed on both sides) are saved
+   * locally as `.conflict-<ts>` files and the remote version wins.
    */
   fullSync(options?: {
     quiet?: boolean;
   }): Promise<SyncResult>;
   /**
-   * Pull specific files by path without a full manifest diff.
-   *
-   * Used for notification-driven pulls where we already know which
-   * files changed on the remote.
+   * Pull a known list of files (used for relay-driven notifications,
+   * where we already know which paths changed remotely).
    */
   pullFiles(paths: string[], options?: {
     quiet?: boolean;
   }): Promise<SyncResult>;
   /**
-   * Remove a file locally and from the manifest.
-   *
-   * Used for notification-driven deletes when a remote file is removed.
+   * Delete a file locally and from the manifest. Used when the sync relay
+   * tells us a file was removed remotely.
    */
   removeLocalFile(filePath: string, options?: {
     quiet?: boolean;
   }): Promise<void>;
-}>;
-type SyncEngine = Awaited<ReturnType<typeof createSyncEngine>>;
+};
+type SyncEngine = ReturnType<typeof createSyncEngine>;
 //# sourceMappingURL=sync-engine.d.ts.map
 //#endregion
 //#region src/watcher.d.ts
@@ -377,11 +958,9 @@ interface UploadResult {
   error?: string;
 }
 /**
- * Upload multiple files to S3.
- *
- * Uploads are performed in parallel with a concurrency limit.
+ * Upload many files, batched by `concurrency`.
  */
-declare function uploadFiles(workspacePath: string, relativePaths: string[], client: ApiClient, options?: {
+declare function uploadFiles(workspacePath: string, relativePaths: string[], client: AgentApiClient, options?: {
   concurrency?: number;
   quiet?: boolean;
 }): Promise<UploadResult[]>;
@@ -394,26 +973,30 @@ interface DownloadResult {
   size?: number;
   error?: string;
 }
-/**
- * Download multiple files from S3.
- *
- * Downloads are performed in parallel with a concurrency limit.
- */
-declare function downloadFiles(workspacePath: string, relativePaths: string[], client: ApiClient, remoteManifest?: RemoteManifest, options?: {
+declare function downloadFiles(workspacePath: string, relativePaths: string[], client: AgentApiClient, remoteManifest?: RemoteManifest, options?: {
   concurrency?: number;
   quiet?: boolean;
 }): Promise<DownloadResult[]>;
 //# sourceMappingURL=downloader.d.ts.map
 //#endregion
-//#region src/shared-sync.d.ts
+//#region src/retry.d.ts
 /**
- * Shared file sync engine for org/team/project scoped files.
- *
- * Syncs shared files to a `shared/` directory in the agent's workspace,
- * organized by scope: shared/org/, shared/teams/{id}/, shared/projects/{id}/
- *
- * Uses the agent self-service API (/agents/org/...) with the agent's API key.
+ * Tiny retry helper used by uploader/downloader. Extracted so both
+ * use the same timing and surface the same final error shape.
  */
+interface RetryOptions {
+  maxRetries?: number;
+  baseDelayMs?: number;
+}
+/**
+ * Run `fn` up to `maxRetries + 1` times with exponential backoff
+ * (`base * 2^attempt`). Returns the first successful value, or rethrows
+ * the last error.
+ */
+declare function withRetry<T>(fn: () => Promise<T>, options?: RetryOptions): Promise<T>;
+//# sourceMappingURL=retry.d.ts.map
+//#endregion
+//#region src/shared-sync.d.ts
 interface SharedScope {
   scopeType: "team" | "project" | "org";
   scopeId: string;
@@ -421,9 +1004,7 @@ interface SharedScope {
 }
 interface SharedSyncConfig {
   workspacePath: string;
-  apiUrl: string;
-  token: string;
-  agentId: string;
+  client: AgentApiClient;
 }
 interface PluginLogger {
   info(msg: string): void;
@@ -440,5 +1021,5 @@ interface SharedSyncEngine {
 }
 declare function createSharedSyncEngine(config: SharedSyncConfig, log: PluginLogger): SharedSyncEngine;
 //#endregion
-export { type AgentStats, type ApiClient, type ApiClientConfig, type ConfirmResult, type DownloadResult, type FileHistoryEntry, type LocalManifest, type ManifestDiff, type ManifestEntry, type PresignResult, type ReconstructResult, type RegisterAgentResult, type RemoteManifest, type SharedScope, type SharedSyncConfig, type SharedSyncEngine, type SyncConfig, type SyncEngine, type SyncPluginConfig, type SyncResult, type UploadResult, type WatcherOptions, computeFileHash, createApiClient, createSharedSyncEngine, createSyncEngine, diffManifests, downloadFiles, filterIgnored, invalidateSyncConfigCache, isInitialized, loadIgnorePatterns, plugin, readManifest, removeManifestEntry, requireConfig, resolveSyncConfig, shouldIgnore, startWatcher, syncStateDir, updateManifestEntry, uploadFiles, writeManifest };
+export { type DownloadResult, type LocalManifest, type ManifestDiff, type ManifestEntry, type RemoteManifest, type RetryOptions, type SharedScope, type SharedSyncConfig, type SharedSyncEngine, type SyncEngine, type SyncPluginConfig, type SyncResult, type UploadResult, type WatcherOptions, computeFileHash, createSharedSyncEngine, createSyncEngine, diffManifests, downloadFiles, filterIgnored, loadIgnorePatterns, plugin, readManifest, removeManifestEntry, shouldIgnore, startWatcher, updateManifestEntry, uploadFiles, withRetry, writeManifest };
 //# sourceMappingURL=index.d.ts.map