@alfe.ai/openclaw-sync 0.2.10 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.ts CHANGED
@@ -101,10 +101,16 @@ declare function diffManifests(local: LocalManifest, remote: RemoteManifest): Ma
101
101
  //#endregion
102
102
  //#region src/ignore.d.ts
103
103
  declare const DEFAULT_IGNORES: string[];
104
- declare function loadIgnorePatterns(workspacePath: string, runtime?: string): Promise<string[]>;
105
- declare function shouldIgnore(relativePath: string, patterns: string[]): boolean;
106
- declare function shouldIgnoreDir(relativeDir: string, patterns: string[]): boolean;
107
- declare function filterIgnored(paths: string[], patterns: string[]): string[];
104
+ interface IgnoreRules {
105
+ /** Compiled-in runtime-safety base immune to user negation. */
106
+ forced: string[];
107
+ /** Workspace `.alfesyncignore` — additive-only, may negate among itself. */
108
+ user: string[];
109
+ }
110
+ declare function loadIgnorePatterns(workspacePath: string, runtime?: string): Promise<IgnoreRules>;
111
+ declare function shouldIgnore(relativePath: string, rules: IgnoreRules | string[]): boolean;
112
+ declare function shouldIgnoreDir(relativeDir: string, rules: IgnoreRules | string[]): boolean;
113
+ declare function filterIgnored(paths: string[], rules: IgnoreRules | string[]): string[];
108
114
  //# sourceMappingURL=ignore.d.ts.map
109
115
 
110
116
  //#endregion
@@ -117,6 +123,26 @@ interface AgentApiClientConfig {
117
123
  apiKey: string;
118
124
  apiUrl: string;
119
125
  }
126
+ /**
127
+ * The broad-news providers behind the metered `services/news` Lambda. The
128
+ * server validates this with a zod enum; a value outside the union is an
129
+ * unpriceable product, so keep the literal union in lockstep with the service.
130
+ */
131
+ type NewsProvider = "apitube" | "newsdata";
132
+ /** One normalized article. `sentiment` is provider-shaped (APITube supplies it). */
133
+ interface NewsArticle {
134
+ title: string;
135
+ url: string;
136
+ source: string;
137
+ publishedAt: string;
138
+ snippet: string;
139
+ sentiment?: unknown;
140
+ }
141
+ /** Provider-agnostic result — the server normalizes every adapter to this. */
142
+ interface NewsResult {
143
+ articles: NewsArticle[];
144
+ provider: string;
145
+ }
120
146
  interface RemoteSessionInfo {
121
147
  sessionId: string;
122
148
  agentId: string;
@@ -531,23 +557,33 @@ declare class AgentApiClient {
531
557
  * Pattern A: multi-account credential fetch for cTrader.
532
558
  *
533
559
  * Unlike atlassian/salesforce (one Connection row per account/site), a
534
- * single cTrader OAuth grant covers ALL of the user's trading accounts on
535
- * one shared access token only the `ctidTraderAccountId` and the
536
- * protobuf socket `host` (live vs demo) differ per account. So this returns
537
- * the flattened *trading accounts* array off the primary cTrader Connection
538
- * (mirroring how atlassian exposes `availableSites`), with the shared app
539
- * credentials (`clientId`/`clientSecret`) and the connection `accessToken`
540
- * hoisted to the top level the MCP server app-auths ONCE and account-auths
541
- * per selected `ctidTraderAccountId`.
560
+ * cTrader is MULTI-grant per agent: an agent may connect several distinct
561
+ * cTrader logins, each its own Connection row keyed on `accountIdentifier =
562
+ * ctid:<userId>` (Phase 1). This aggregates the *trading accounts* across
563
+ * ALL of those Connection rows each row contributes its `availableAccounts`
564
+ * flattened, and every account carries ITS OWN grant's `accessToken` (the
565
+ * token that authenticates that account against the cTrader Open API). One
566
+ * OAuth grant still covers all accounts under that single login on one shared
567
+ * token; only the `ctidTraderAccountId` and the protobuf socket `host` (live
568
+ * vs demo) differ within a grant. Across grants the tokens differ, so the
569
+ * token is now PER-ACCOUNT rather than hoisted to the top level.
542
570
  *
543
571
  * `host` per account is derived from the account's `isLive` flag
544
572
  * (`live.ctraderapi.com` / `demo.ctraderapi.com`) — the same mapping the
545
573
  * connect provider applies server-side when an account is auto-selected.
546
574
  *
547
- * Only the primary (first, most-specific-scope) cTrader Connection is used;
548
- * cTrader is single-grant, so there is normally exactly one. `clientId` /
549
- * `clientSecret` are the SST-sourced global app credentials the connect
550
- * endpoint injects never persisted on the connection.
575
+ * `clientId` / `clientSecret` are the SST-sourced GLOBAL app credentials the
576
+ * connect endpoint injects identical across every Connection row (one
577
+ * cTrader app), never persisted on a connection. We take them from the first
578
+ * row that carries them.
579
+ *
580
+ * Accounts are deduped on `ctidTraderAccountId` first-wins: Spotware ids are
581
+ * globally unique across logins, so a duplicate can only appear if the same
582
+ * account somehow surfaced under two grants — first-wins keeps it
583
+ * deterministic.
584
+ *
585
+ * `accounts` may be empty (no cTrader Connection at all), in which case we
586
+ * return empty creds rather than throwing.
551
587
  */
552
588
  getCTraderAccounts(): Promise<{
553
589
  accounts: {
@@ -556,10 +592,10 @@ declare class AgentApiClient {
556
592
  isLive: boolean;
557
593
  brokerName?: string;
558
594
  accountNumber?: string;
595
+ accessToken: string;
559
596
  }[];
560
597
  clientId: string;
561
598
  clientSecret: string;
562
- accessToken: string;
563
599
  }>;
564
600
  /**
565
601
  * @deprecated Returns a single primary credential blob (legacy "pick-the-
@@ -1406,6 +1442,13 @@ declare class AgentApiClient {
1406
1442
  synced: true;
1407
1443
  syncedAt: string;
1408
1444
  }>;
1445
+ sendSms(args: {
1446
+ to: string;
1447
+ body: string;
1448
+ }): Promise<{
1449
+ sent: boolean;
1450
+ sid: string;
1451
+ }>;
1409
1452
  searchWeb(params: {
1410
1453
  query: string;
1411
1454
  count?: number;
@@ -1422,6 +1465,25 @@ declare class AgentApiClient {
1422
1465
  count?: number;
1423
1466
  freshness?: string;
1424
1467
  }): Promise<unknown>;
1468
+ /** Search news across the selected provider's corpus. → POST /agent/news/search */
1469
+ newsSearch(params: {
1470
+ query: string;
1471
+ provider?: NewsProvider;
1472
+ source?: string;
1473
+ from?: string;
1474
+ to?: string;
1475
+ language?: string;
1476
+ category?: string;
1477
+ limit?: number;
1478
+ }): Promise<NewsResult>;
1479
+ /** Top headlines for the selected provider. → POST /agent/news/headlines */
1480
+ newsHeadlines(params?: {
1481
+ provider?: NewsProvider;
1482
+ category?: string;
1483
+ source?: string;
1484
+ language?: string;
1485
+ limit?: number;
1486
+ }): Promise<NewsResult>;
1425
1487
  /**
1426
1488
  * Semantic search across the agent's member scopes. Fan-out is gated
1427
1489
  * server-side by `listScopes` set-inclusion (fail-closed). Pass
@@ -1806,5 +1868,5 @@ interface SharedSyncEngine {
1806
1868
  }
1807
1869
  declare function createSharedSyncEngine(config: SharedSyncConfig, log: PluginLogger): SharedSyncEngine;
1808
1870
  //#endregion
1809
- export { DEFAULT_IGNORES, type DownloadResult, type LocalManifest, type ManifestDiff, type ManifestEntry, type RemoteManifest, type RetryOptions, type SharedScope, type SharedSyncConfig, type SharedSyncEngine, type SyncEngine, type SyncPluginConfig, type SyncResult, type UploadResult, type WatcherOptions, computeFileHash, createSharedSyncEngine, createSyncEngine, diffManifests, downloadFiles, filterIgnored, loadIgnorePatterns, plugin, readManifest, removeManifestEntry, shouldIgnore, shouldIgnoreDir, startWatcher, updateManifestEntry, uploadFiles, withRetry, writeManifest };
1871
+ export { DEFAULT_IGNORES, type DownloadResult, type IgnoreRules, type LocalManifest, type ManifestDiff, type ManifestEntry, type RemoteManifest, type RetryOptions, type SharedScope, type SharedSyncConfig, type SharedSyncEngine, type SyncEngine, type SyncPluginConfig, type SyncResult, type UploadResult, type WatcherOptions, computeFileHash, createSharedSyncEngine, createSyncEngine, diffManifests, downloadFiles, filterIgnored, loadIgnorePatterns, plugin, readManifest, removeManifestEntry, shouldIgnore, shouldIgnoreDir, startWatcher, updateManifestEntry, uploadFiles, withRetry, writeManifest };
1810
1872
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","names":["ChangelogAction","ChangelogActor","ChangelogEntry","ChangelogEntry$1","EncryptedEnvelopeV1","EncryptedEnvelopeV1$1","Field","FieldEnvelope","FieldEnvelope$1","FieldFormat","FieldFormat$1","FieldSensitivity","FieldSensitivity$1","FieldView","GeneratedDataKey","GeneratedDataKey$1","IntegrationConfigResult","IntegrationConfigResult$1","IntegrationConfigSchemaField","IntegrationInstall","IntegrationInstall$1","RegistryEntry","RegistryEntry$1","ScopeInfo","ScopeInfo$1","SecretAggregate","SecretAggregate$1","SecretCategory","SecretCategory$1","SecretMetadata","SecretMetadata$1","SecretScope","SecretScope$1","ToolCaptureApi","InstallToolErrorCaptureOptions","installToolErrorCapture","AgentApiClientConfig","RemoteSessionInfo","SyncAgentInfo","SyncManifestEntry","SyncManifest","Record","SyncPresignedUrl","SyncConfirmedUpload","SyncReconstructFile","SyncReconstructBundle","SyncAgentStats","SyncFileEntry","SyncSessionEntry","SyncSessionContent","SharedFileEntry","KnowledgeScopeType","KnowledgeScope","KnowledgeSearchHit","KnowledgeSearchResult","KnowledgeProfileLink","KnowledgeProfile","KnowledgeDoc","ChangeRequestResourceType","ChangeRequestOperation","ChangeRequestStatus","ChangeRequestActorKind","KnowledgeChangeRequest","ProposeScopeChangeInput","AgentVoiceConfig","AgentSelf","AgentAvatarPresign","AgentVoice","VoiceTtsModel","VoiceTtsArgs","VoiceTtsResult","Buffer","VoiceSttArgs","Uint8Array","VoiceSttResult","AgentApiClient","Promise"],"sources":["../src/manifest.ts","../src/ignore.ts","../../agent-api-client/dist/index.d.ts","../src/sync-engine.ts","../src/watcher.ts","../src/uploader.ts","../src/downloader.ts","../src/retry.ts","../src/shared-sync.ts"],"sourcesContent":["import { ChangelogAction, ChangelogActor, ChangelogEntry, ChangelogEntry as ChangelogEntry$1, EncryptedEnvelopeV1, EncryptedEnvelopeV1 as EncryptedEnvelopeV1$1, Field, FieldEnvelope, FieldEnvelope as FieldEnvelope$1, FieldFormat, FieldFormat as FieldFormat$1, FieldSensitivity, FieldSensitivity as FieldSensitivity$1, FieldView, GeneratedDataKey, GeneratedDataKey as GeneratedDataKey$1, IntegrationConfigResult, IntegrationConfigResult as IntegrationConfigResult$1, IntegrationConfigSchemaField, IntegrationInstall, IntegrationInstall as IntegrationInstall$1, RegistryEntry, RegistryEntry as RegistryEntry$1, ScopeInfo, ScopeInfo as ScopeInfo$1, SecretAggregate, SecretAggregate as SecretAggregate$1, SecretCategory, SecretCategory as SecretCategory$1, SecretMetadata, SecretMetadata as SecretMetadata$1, SecretScope, SecretScope as SecretScope$1 } from \"@alfe/types\";\n\n//#region src/tool-error-capture.d.ts\n\n/**\n * Tool-error capture for Alfe OpenClaw plugins.\n *\n * OpenClaw converts a thrown tool handler into a model-facing `tool_result`\n * WITHOUT logging, and most Alfe plugins catch-and-return an error result the\n * same silent way — so tool failures never appear in the runtime's output and\n * therefore never reach Sentry (the gateway daemon supervises the OpenClaw\n * process and reports error-looking output lines to the `agent-runtime`\n * project — see packages/gateway/src/runtime-output-monitor.ts).\n *\n * `installToolErrorCapture(api, { plugin })` closes that gap at the ONE choke\n * point every plugin already has: it wraps `api.registerTool` so every tool's\n * `execute` emits a deterministic, detector-matched line on failure:\n *\n * [ERROR] alfe-tool plugin=<plugin> tool=<name> <thrown|result-error>: <msg> (at <first-frame>)\n *\n * The `[ERROR]` prefix at line start is exactly what the daemon's\n * `ErrorLineDetector` classifies as an error-log block, so the failure lands\n * in Sentry fingerprinted by its normalized message — no Sentry SDK inside\n * the plugin process, no new dependency. Behavior toward OpenClaw and the\n * model is UNCHANGED: throws are rethrown, results returned as-is.\n */\n/**\n * Minimal shape of the OpenClaw plugin api this helper relies on. Method\n * syntax on purpose — TS checks method signatures bivariantly, so each\n * plugin's own concretely-typed `registerTool(tool: ToolDef): void` is\n * accepted without casts.\n */\ninterface ToolCaptureApi {\n registerTool(...args: never[]): unknown;\n}\ninterface InstallToolErrorCaptureOptions {\n /** Plugin package short-name for attribution (e.g. \"openclaw-secrets\"). */\n plugin: string;\n /**\n * Line sink — defaults to writing `process.stderr` directly (the plugin\n * runs in-process in OpenClaw, so this lands on the runtime's stderr, which\n * the daemon supervises — and a console patch can't reformat it away).\n * Injectable for tests.\n */\n emit?: (line: string) => void;\n}\n/**\n * Wrap `api.registerTool` so every tool registered AFTER this call gets\n * failure capture. Handles both OpenClaw registration signatures:\n * `registerTool(toolDef)` and `registerTool((ctx) => toolDef, opts)`.\n * Call once, first thing in the plugin's `activate`/`register` entry.\n * Never throws.\n */\ndeclare function installToolErrorCapture(api: ToolCaptureApi, options: InstallToolErrorCaptureOptions): void;\n//# sourceMappingURL=tool-error-capture.d.ts.map\n//#endregion\n//#region src/index.d.ts\ninterface AgentApiClientConfig {\n apiKey: string;\n apiUrl: string;\n}\ninterface RemoteSessionInfo {\n sessionId: string;\n agentId: string;\n surface: \"browser\" | \"terminal\";\n status: \"agent_driving\" | \"awaiting_human\" | \"human_in_control\" | \"resuming\" | \"completed\" | \"expired\" | \"failed\";\n url?: string;\n instructions?: string;\n requestedAt?: string;\n}\ninterface SyncAgentInfo {\n agentId: string;\n tenantId: string;\n displayName: string;\n s3Prefix: string;\n status: \"stale\" | \"syncing\" | \"synced\";\n fileCount?: number;\n totalSize?: number;\n lastSync?: string;\n}\ninterface SyncManifestEntry {\n hash: string;\n size: number;\n modified: string;\n etag?: string;\n storageClass?: string;\n compressed?: boolean;\n}\ninterface SyncManifest {\n version: 1;\n agentId: string;\n lastSync: string;\n files: Record<string, SyncManifestEntry>;\n}\ninterface SyncPresignedUrl {\n path: string;\n url: string;\n expiresAt: string;\n}\ninterface SyncConfirmedUpload {\n filePath: string;\n hash: string;\n size: number;\n storageClass: \"STANDARD\" | \"GLACIER_IR\";\n syncedAt: string;\n}\ninterface SyncReconstructFile {\n path: string;\n size: number;\n url: string;\n storageClass?: string;\n compressed?: boolean;\n}\ninterface SyncReconstructBundle {\n agentId: string;\n mode: \"full\" | \"active\" | \"memory\";\n fileCount: number;\n totalSize: number;\n files: SyncReconstructFile[];\n expiresAt: string;\n}\ninterface SyncAgentStats {\n agentId: string;\n standardBytes: number;\n glacierBytes: number;\n fileCount: number;\n lastSyncAt: string | null;\n}\ninterface SyncFileEntry {\n filePath: string;\n size: number;\n modified: string;\n contentHash: string;\n storageClass?: string;\n compressed?: boolean;\n}\ninterface SyncSessionEntry {\n sessionId: string;\n size: number;\n lastModified: string;\n storageClass?: string;\n isArchived: boolean;\n}\ninterface SyncSessionContent {\n sessionId: string;\n content: string;\n compressed: boolean;\n}\ninterface SharedFileEntry {\n filePath: string;\n fileName: string;\n size: number;\n contentType?: string;\n}\ntype KnowledgeScopeType = \"org\" | \"team\" | \"project\";\ninterface KnowledgeScope {\n scopeType: KnowledgeScopeType;\n scopeId: string;\n name: string;\n}\ninterface KnowledgeSearchHit {\n id: string;\n text: string;\n /** Normalized relevance in (0,1]; higher = closer. */\n score: number;\n scopeType: KnowledgeScopeType;\n scopeId: string;\n /**\n * Provenance of the hit. All live results are `\"doc\"`; `\"fact\"` only ever\n * appears for legacy vectors indexed before the facts primitive was removed\n * (the search index stays tolerant of them). Treat every hit as a doc.\n */\n source: \"doc\" | \"fact\";\n /** The canonical file under shared/<scope>/ (present on doc hits). */\n filePath?: string;\n /** Legacy-only: the id of a pre-removal fact vector. */\n factId?: string;\n}\ninterface KnowledgeSearchResult {\n results: KnowledgeSearchHit[];\n /** True when fan-out breadth was capped (more member scopes than the cap). */\n truncatedScopes: boolean;\n}\ninterface KnowledgeProfileLink {\n label: string;\n url: string;\n}\ninterface KnowledgeProfile {\n scopeType: KnowledgeScopeType;\n scopeId: string;\n about: string | null;\n description: string | null;\n links: KnowledgeProfileLink[];\n updatedAt: string | null;\n updatedBy: string | null;\n}\ninterface KnowledgeDoc {\n filePath: string;\n fileName: string;\n contentType?: string;\n size: number;\n uploadedBy?: string;\n createdAt: string;\n updatedAt: string;\n}\ntype ChangeRequestResourceType = \"doc\" | \"profile\";\ntype ChangeRequestOperation = \"create\" | \"update\" | \"delete\";\ntype ChangeRequestStatus = \"open\" | \"approved\" | \"rejected\" | \"withdrawn\" | \"superseded\";\ntype ChangeRequestActorKind = \"human\" | \"agent\";\n/** Public projection of a change request (mirrors `PublicChangeRequest` in services/org). */\ninterface KnowledgeChangeRequest {\n changeRequestId: string;\n scopeType: KnowledgeScopeType;\n scopeId: string;\n resourceType: ChangeRequestResourceType;\n operation: ChangeRequestOperation;\n targetPath: string | null;\n baseVersionId: string | null;\n proposedContentType: string | null;\n status: ChangeRequestStatus;\n proposerId: string;\n proposerKind: ChangeRequestActorKind;\n rationale: string;\n reviewerId: string | null;\n reviewerKind: ChangeRequestActorKind | null;\n reviewedAt: string | null;\n reviewNote: string | null;\n appliedRef: string | null;\n createdAt: string;\n updatedAt: string;\n}\n/** Per-type proposal payload for `proposeScopeChange`. */\ninterface ProposeScopeChangeInput {\n resourceType: ChangeRequestResourceType;\n operation: ChangeRequestOperation;\n /** Why the change is proposed — shown to the reviewer. */\n rationale: string;\n /** doc: the path the proposal applies to (e.g. designs/data-center.md). */\n targetPath?: string;\n /** doc create/update: the staged body to upload (markdown or other text). */\n content?: string;\n /** doc create/update: content type of the staged body (default text/markdown). */\n contentType?: string;\n /** profile: the proposed value ({ about, description, links }). */\n proposedValue?: unknown;\n}\n/** Voice settings — core agent config. Mirrors `VoiceConfig` in `@alfe/types`. */\ninterface AgentVoiceConfig {\n /** ElevenLabs voice ID; platform default when unset. */\n voiceId?: string;\n ttsModel?: string;\n enabled?: boolean;\n}\n/**\n * The agent's own public identity, as returned by `updateSelf`, `generateAvatar`,\n * `presignAvatar`'s finalize (`finalizeAvatar`). This is the public agent\n * projection; only the identity-relevant fields are typed here — the response\n * carries the full public agent record.\n */\ninterface AgentSelf {\n agentId: string;\n tenantId: string;\n name: string;\n avatarUrl?: string;\n voiceConfig?: AgentVoiceConfig;\n status: string;\n}\n/** Result of `presignAvatar` — the agent PUTs bytes to `uploadUrl`, then finalizes with `s3Key`. */\ninterface AgentAvatarPresign {\n /** Presigned PUT URL to upload the image bytes to. */\n uploadUrl: string;\n /** Object key — echoed back to `finalizeAvatar`. */\n s3Key: string;\n /** Stable public URL the avatar will be served from once finalized. */\n publicUrl: string;\n /** ISO expiry of the presigned PUT URL. */\n expiresAt: string;\n}\n/** A voice in the platform catalogue (ElevenLabs), from `listVoices`. */\ninterface AgentVoice {\n id: string;\n name: string;\n previewUrl: string;\n description: string;\n labels: Record<string, string>;\n category: string;\n}\n/** The ElevenLabs models with a pricing row — the TTS endpoint rejects any other value. */\ntype VoiceTtsModel = \"eleven_turbo_v2_5\" | \"eleven_multilingual_v2\";\ninterface VoiceTtsArgs {\n /** Text to synthesize (1–5000 chars — the endpoint enforces this). */\n text: string;\n /** ElevenLabs voice id; platform default when unset. */\n voiceId?: string;\n /** TTS model; `eleven_turbo_v2_5` (lower latency) when unset. */\n model?: VoiceTtsModel;\n}\n/** Raw synthesized audio plus its PCM framing (from the response headers). */\ninterface VoiceTtsResult {\n /** Raw little-endian PCM samples — no container. Wrap in WAV to make a playable file. */\n audio: Buffer;\n /** Samples per second (e.g. 24000). */\n sampleRate: number;\n /** Channel count (mono = 1). */\n channels: number;\n /** Bits per sample (e.g. 16). */\n bitDepth: number;\n}\ninterface VoiceSttArgs {\n /** Raw linear16 (16-bit little-endian) mono PCM samples — no WAV/container header. */\n audio: Uint8Array;\n /** Sample rate of `audio` in Hz (8000–48000). */\n sampleRate: number;\n}\ninterface VoiceSttResult {\n text: string;\n /** Deepgram confidence in (0,1]. */\n confidence: number;\n}\ndeclare class AgentApiClient {\n private readonly apiKey;\n private readonly apiUrl;\n constructor(config: AgentApiClientConfig);\n private request;\n syncRegister(args?: {\n displayName?: string;\n }): Promise<{\n agent: SyncAgentInfo;\n }>;\n syncGetManifest(): Promise<SyncManifest>;\n syncPresign(args: {\n files: {\n path: string;\n operation: \"put\" | \"get\";\n contentType?: string;\n }[];\n }): Promise<{\n urls: SyncPresignedUrl[];\n }>;\n syncConfirmUpload(args: {\n filePath: string;\n hash: string;\n size: number;\n storageClass?: \"STANDARD\" | \"GLACIER_IR\";\n }): Promise<SyncConfirmedUpload>;\n syncReconstruct(args: {\n mode: \"full\" | \"active\" | \"memory\";\n }): Promise<SyncReconstructBundle>;\n syncGetStats(): Promise<SyncAgentStats>;\n syncListFiles(args?: {\n prefix?: string;\n }): Promise<{\n files: SyncFileEntry[];\n }>;\n syncListSessions(): Promise<{\n sessions: SyncSessionEntry[];\n }>;\n syncGetSession(sessionId: string): Promise<SyncSessionContent>;\n syncDeleteFile(filePath: string): Promise<{\n removed: boolean;\n }>;\n sharedListFiles(args: {\n scope: \"org\" | \"team\" | \"project\";\n scopeId: string;\n }): Promise<{\n files: SharedFileEntry[];\n nextCursor: string | null;\n }>;\n sharedDownloadUrl(args: {\n scope: \"org\" | \"team\" | \"project\";\n scopeId: string;\n filePath: string;\n }): Promise<{\n downloadUrl: string;\n expiresIn: number;\n }>;\n listIntegrations(): Promise<IntegrationInstall$1[]>;\n getIntegrationConfig(integrationId: string): Promise<IntegrationConfigResult$1>;\n updateIntegrationConfig(integrationId: string, config: Record<string, unknown>): Promise<void>;\n installIntegration(integrationId: string, options?: {\n version?: string;\n config?: Record<string, unknown>;\n }): Promise<IntegrationInstall$1>;\n removeIntegration(integrationId: string): Promise<IntegrationInstall$1>;\n getOAuthUrl(provider: string, scopes?: string[]): Promise<{\n url: string;\n provider: string;\n expiresIn: number;\n }>;\n getOAuthStatus(provider: string): Promise<{\n provider: string;\n connected: boolean;\n config?: Record<string, string>;\n }>;\n getRegistry(): Promise<{\n integrations: RegistryEntry$1[];\n }>;\n /**\n * Returns every connected Google account for the agent. Multi-account by\n * design — the openclaw-google plugin requires the LLM to pass `email`\n * explicitly to `google_run_command` so an account is always selected\n * deliberately.\n *\n * 2026-05-14 (connections-redesign PR 1): the legacy flat shape (`email`,\n * `refreshToken`, `accessToken`, etc., populated from the default account)\n * is gone. Iterate over `accounts`.\n */\n getGoogleCredentials(): Promise<{\n accounts: {\n email: string;\n refreshToken: string;\n clientId: string;\n clientSecret: string;\n displayName?: string;\n connectedAt?: string;\n }[];\n }>;\n disconnectGoogleAccount(email: string): Promise<{\n accounts: {\n email: string;\n displayName?: string;\n connectedAt?: string;\n }[];\n }>;\n getGoogleChatCredentials(): Promise<{\n email: string;\n refreshToken: string;\n clientId: string;\n clientSecret: string;\n displayName?: string;\n }>;\n /**\n * Fetch decrypted credentials for ONE specific connection by its\n * stable connectionId (connection-scoped, vs the provider-scoped\n * `get<Provider>Credentials` helpers). Used by the daemon to resolve\n * a Custom Connection-driven integration's credentials from the\n * exact connection it was installed from — every custom connection\n * shares the `custom` provider id, so provider-scoping is ambiguous.\n *\n * For custom connections `accessToken` is the JSON-encoded secret\n * bundle (the daemon un-bundles it); non-secret fields are on\n * `providerMetadata`. The endpoint enforces that the connection is in\n * the calling agent's effective scope (403 otherwise).\n */\n getConnectionCredentials(connectionId: string): Promise<{\n provider: string;\n connectionId: string;\n accountIdentifier?: string;\n accessToken?: string;\n providerMetadata?: Record<string, unknown>;\n [key: string]: unknown;\n }>;\n /**\n * Resolve the primary cTrader Connection's credentials for the calling\n * agent. Unlike most providers, the cTrader Open API needs app-level auth\n * (`clientId` + `clientSecret`) AND account auth (`accessToken` +\n * `accountId`) on the socket, so `@alfe.ai/ctrader-mcp` self-fetches the\n * full set here at startup (the atlassian/google pattern). `clientId` /\n * `clientSecret` are the SST-sourced global app credentials the connect\n * endpoint injects — they are never persisted on the connection. `host` is\n * the resolved TLS endpoint (`live.ctraderapi.com` / `demo.ctraderapi.com`)\n * derived from the selected account's live/demo flag.\n */\n getCTraderCredentials(): Promise<{\n accessToken: string;\n refreshToken: string;\n accountId: string;\n host: string;\n clientId: string;\n clientSecret: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for cTrader.\n *\n * Unlike atlassian/salesforce (one Connection row per account/site), a\n * single cTrader OAuth grant covers ALL of the user's trading accounts on\n * one shared access token — only the `ctidTraderAccountId` and the\n * protobuf socket `host` (live vs demo) differ per account. So this returns\n * the flattened *trading accounts* array off the primary cTrader Connection\n * (mirroring how atlassian exposes `availableSites`), with the shared app\n * credentials (`clientId`/`clientSecret`) and the connection `accessToken`\n * hoisted to the top level — the MCP server app-auths ONCE and account-auths\n * per selected `ctidTraderAccountId`.\n *\n * `host` per account is derived from the account's `isLive` flag\n * (`live.ctraderapi.com` / `demo.ctraderapi.com`) — the same mapping the\n * connect provider applies server-side when an account is auto-selected.\n *\n * Only the primary (first, most-specific-scope) cTrader Connection is used;\n * cTrader is single-grant, so there is normally exactly one. `clientId` /\n * `clientSecret` are the SST-sourced global app credentials the connect\n * endpoint injects — never persisted on the connection.\n */\n getCTraderAccounts(): Promise<{\n accounts: {\n ctidTraderAccountId: string;\n host: string;\n isLive: boolean;\n brokerName?: string;\n accountNumber?: string;\n }[];\n clientId: string;\n clientSecret: string;\n accessToken: string;\n }>;\n /**\n * @deprecated Returns a single primary credential blob (legacy \"pick-the-\n * default-connection\" shape). Use `getGithubAccounts()` for the multi-\n * account shape required by Pattern A — explicit selector args on every\n * tool. Retained because the `@alfe.ai/github-mcp` proxy is the\n * only consumer that knows about Pattern A; legacy env-interpolation\n * callers will keep hitting `/credentials` until they move to the proxy.\n */\n getGithubCredentials(): Promise<{\n login: string;\n accessToken: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for GitHub.\n *\n * Returns every agent-scoped GitHub connection. The caller is expected\n * to require a `login` selector on every credential-touching tool and\n * look up the matching account at dispatch time.\n *\n * GitHub OAuth tokens have no expiry (`tokenLifecycle: \"no_expiry\"`),\n * so there is intentionally no `refreshGithubAccountToken` method — if\n * a token is revoked the user must re-run the OAuth flow.\n *\n * Returned `accounts[i].login` is the GitHub username — the stable\n * cross-session identifier the LLM should pass.\n */\n getGithubAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n login: string;\n scopes: string;\n }[];\n }>;\n /**\n * @deprecated Returns a single primary credential blob (legacy \"pick-the-\n * default-connection\" shape). Use `getXeroAccounts()` for the multi-\n * account shape required by Pattern A — explicit selector args on every\n * tool. This method will be removed once all consumers migrate.\n */\n getXeroCredentials(): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n xeroTenantId: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for Xero. Returns every\n * agent-scoped Xero connection. The caller is expected to require a\n * selector arg (e.g. `xeroTenantId`) on every credential-touching tool\n * and look up the matching account by that selector at dispatch time.\n *\n * Returned `accounts[i].accountIdentifier` is the Xero tenantId — the\n * stable cross-session identifier the LLM should pass.\n */\n getXeroAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n accessTokenExpiresAt: string;\n xeroTenantId: string;\n }[];\n }>;\n refreshXeroToken(): Promise<{\n accessToken: string;\n expiresAt: string;\n }>;\n /**\n * Pattern A: refresh a specific Xero connection by its `accountIdentifier`\n * (the Xero `tenantId`). The legacy `refreshXeroToken()` only refreshes\n * the *primary* connection, which is wrong for multi-tenant Xero where\n * each tenant has its own non-interchangeable access token.\n */\n refreshXeroAccountToken(xeroTenantId: string): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n expiresAt: string;\n }>;\n /**\n * @deprecated Returns a single primary credential blob (legacy \"pick-the-\n * default-connection\" shape). Use `getNotionAccounts()` for the multi-\n * account shape required by Pattern A.\n */\n getNotionCredentials(): Promise<{\n accessToken: string;\n workspaceId: string;\n workspaceName: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for Notion. Returns every\n * agent-scoped Notion connection. The caller is expected to require a\n * selector arg (e.g. `workspaceId`) on every credential-touching tool.\n *\n * Returned `accounts[i].accountIdentifier` is the Notion workspaceId.\n */\n getNotionAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n workspaceId: string;\n workspaceName: string;\n }[];\n }>;\n /**\n * @deprecated Returns a single primary Atlassian Connection's credentials\n * (one OAuth user, one cloudId) — the legacy \"pick-the-default-connection\"\n * shape. Atlassian is multi-site by nature (each OAuth user may have\n * access to multiple Cloud sites), so Pattern A plugins MUST use\n * `getAtlassianAccounts()` to discover the full set and dispatch via\n * the `cloudId` selector arg.\n */\n getAtlassianCredentials(): Promise<{\n accessToken: string;\n refreshToken: string;\n accessTokenExpiresAt: string;\n cloudId: string;\n siteName: string;\n siteUrl: string;\n email: string;\n enabledProducts: string[];\n clientId: string;\n clientSecret: string;\n }>;\n refreshAtlassianToken(): Promise<{\n accessToken: string;\n expiresAt: string;\n }>;\n /**\n * Pattern A: multi-account / multi-site credential fetch for Atlassian.\n *\n * Returns every agent-scoped Atlassian Connection. Each Connection is\n * one OAuth user with a single access token and N accessible Cloud\n * sites (`availableSites`). The caller is expected to:\n *\n * 1. Flatten (connection × cloudId) into one MCP child per site.\n * 2. Require a `cloudId` selector on every credential-touching tool.\n * 3. Use the access token bound to the Connection that owns the\n * requested `cloudId` (Atlassian shares one access token across\n * all sites accessible to the OAuth user).\n *\n * Per-account token refresh uses `refreshAtlassianAccountToken(email)`\n * — refreshing one Connection rotates its single access token, which\n * then applies to every cloudId for that Connection.\n *\n * Returned `accounts[i].accountIdentifier` is the OAuth user's email\n * — the stable cross-session identifier for refresh purposes. The LLM\n * never sees this directly: it picks a site via the `cloudId` arg\n * instead.\n */\n getAtlassianAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n accessTokenExpiresAt: string;\n clientId: string;\n clientSecret: string;\n cloudId: string;\n siteName: string;\n siteUrl: string;\n availableSites: {\n id: string;\n url: string;\n name: string;\n scopes?: string[];\n avatarUrl?: string;\n }[];\n }[];\n }>;\n /**\n * Pattern A: refresh a specific Atlassian Connection by `accountIdentifier`\n * (the OAuth user's email).\n *\n * Atlassian rotates refresh tokens (`rotatesRefreshToken: true`); the\n * server-side per-account refresh endpoint handles rotation and\n * persistence. Refreshing one Connection updates its single access\n * token, which applies to every accessible Cloud site (cloudId) for\n * that OAuth user.\n *\n * Returns the new access token + expiry. The proxy is responsible for\n * fanning the new token out to every child server it spawned for\n * cloudIds owned by this Connection.\n */\n refreshAtlassianAccountToken(accountIdentifier: string): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n expiresAt: string;\n }>;\n /**\n * @deprecated Returns a single primary credential blob (legacy \"pick-the-\n * default-connection\" shape). Use `getMYOBAccounts()` for the multi-\n * account shape required by Pattern A.\n */\n getMYOBCredentials(): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n myobBusinessId: string;\n clientId: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for MYOB. Returns every\n * agent-scoped MYOB connection. The caller is expected to require a\n * selector arg (e.g. `myobBusinessId` / `accountIdentifier`) on every\n * credential-touching tool.\n *\n * Returned `accounts[i].accountIdentifier` is the MYOB businessId.\n */\n getMYOBAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n accessTokenExpiresAt: string;\n myobBusinessId: string;\n clientId: string;\n }[];\n }>;\n refreshMYOBToken(): Promise<{\n accessToken: string;\n expiresAt: string;\n }>;\n /**\n * @deprecated Returns a single primary credential blob. Use\n * `getSalesforceAccounts()` for the multi-account shape required by\n * Pattern A.\n */\n getSalesforceCredentials(): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n instanceUrl: string;\n orgId: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for Salesforce. Returns every\n * agent-scoped Salesforce connection. One OAuth grant maps to one org, so\n * `accounts[i].accountIdentifier` (and `orgId`) is the Salesforce org id —\n * the selector every credential-touching tool requires.\n */\n getSalesforceAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n accessTokenExpiresAt: string;\n instanceUrl: string;\n orgId: string;\n }[];\n }>;\n /**\n * Refresh the access token for a specific Salesforce org. Salesforce\n * tokens aren't interchangeable across orgs, so the connection is targeted\n * by `accountIdentifier` (the org id) — mirrors `refreshXeroAccountToken`.\n */\n refreshSalesforceAccountToken(orgId: string): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n expiresAt: string;\n }>;\n /**\n * Disconnects one connected Microsoft 365 account for the agent, by its\n * `accountIdentifier`. Hits the generic per-account disconnect route\n * (`DELETE /agent/connect/microsoft/accounts/{accountIdentifier}`), which\n * resolves across the agent's full effective scope chain and deletes the\n * matching Connection row. Returns the remaining accounts.\n *\n * IMPORTANT: pass the `accountIdentifier` from `getMicrosoftAccounts()`, NOT\n * a synthesised email. For Microsoft, `accountIdentifier` is the user's email\n * only when the Graph profile fetch succeeded at connect time; it falls back\n * to the Azure tenant id (`tid` claim) otherwise. The backend matches on\n * `accountIdentifier` exactly, so passing an email would 404 on those\n * fallback-identifier accounts. (This is why the param is not named `email`,\n * unlike `disconnectGoogleAccount` where the identifier is always the email.)\n */\n disconnectMicrosoftAccount(accountIdentifier: string): Promise<{\n accounts: {\n accountIdentifier: string;\n displayName?: string;\n connectedAt?: string;\n }[];\n }>;\n /**\n * Pattern A: multi-account credential fetch for Microsoft 365.\n *\n * Returns every agent-scoped Microsoft connection. The caller is expected\n * to require an `email` selector on every credential-touching tool and\n * look up the matching account at dispatch time.\n *\n * Returned `accounts[i].accountIdentifier` is the user's primary email\n * (or the tid claim as fallback) — the stable cross-session identifier\n * the LLM should pass.\n *\n * Per-account token refresh is exposed via `refreshMicrosoftAccountToken`,\n * NOT `refreshXeroAccountToken` — Microsoft refresh tokens are not\n * interchangeable across (tenant, user) pairs.\n */\n getMicrosoftAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n accessTokenExpiresAt: string;\n refreshToken: string;\n clientId: string;\n clientSecret: string;\n email: string;\n microsoftTenantId: string;\n workspaceDomain: string;\n }[];\n }>;\n /**\n * Pattern A: refresh a specific Microsoft 365 connection by its\n * `accountIdentifier`. For Microsoft, `accountIdentifier` is the user's\n * email when the Graph profile fetch succeeded at connect time, and the\n * Azure tenant id (`tid` claim) as fallback. Callers should pass the\n * value returned by `getMicrosoftAccounts()` rather than synthesising\n * an email locally.\n *\n * Microsoft refresh tokens are bound to a specific (tenant, user) pair —\n * they are NOT interchangeable across accounts, so per-account refresh\n * is mandatory. The generic /accounts/{accountIdentifier}/refresh\n * endpoint walks the agent's full visible scope chain to find a matching\n * connection (works for inherited team/project Microsoft connections).\n */\n refreshMicrosoftAccountToken(accountIdentifier: string): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n expiresAt: string;\n }>;\n getTeamsCredentials(): Promise<{\n agentId: string;\n tenantId: string;\n azureAppId: string;\n azureBotId: string;\n azureClientSecret: string;\n botDisplayName?: string;\n teamsTenantId?: string;\n serviceUrl?: string;\n }>;\n sendTeamsMessage(data: {\n conversationId: string;\n text?: string;\n adaptiveCard?: Record<string, unknown>;\n }): Promise<{\n ok: boolean;\n activityId: string;\n }>;\n listTeamsChannels(): Promise<{\n channels: {\n id: string;\n name: string;\n description?: string;\n }[];\n }>;\n presignAttachments(files: {\n filename: string;\n mimeType: string;\n size: number;\n }[]): Promise<{\n attachments: {\n id: string;\n uploadUrl: string;\n downloadUrl: string;\n s3Key: string;\n expiresAt: string;\n }[];\n }>;\n /**\n * Generate an image from a text prompt and get back a STABLE, public URL\n * (served from the agent-assets CDN — it does not expire). Embed the returned\n * `imageUrl` in a reply as markdown to show it to the user.\n *\n * ASYNC: `gpt-image-1` routinely runs 30–60s, which exceeds the API Gateway\n * 30s ceiling, so this enqueues a job (`POST /agent/images/generate` →\n * `jobId`) then polls (`GET /agent/images/{jobId}`) until it completes. The\n * worker's real failure message (e.g. an unsupported `size`) surfaces via the\n * job's `error` field.\n */\n generateImage(args: {\n prompt: string;\n model?: string;\n size?: string;\n quality?: string;\n }): Promise<{\n imageUrl: string;\n model: string;\n }>;\n recordActivity(data: {\n userId?: string;\n channel: string;\n role: \"user\" | \"assistant\";\n }): Promise<{\n recorded: boolean;\n }>;\n /** Update the agent's own name and/or voice config. Returns the updated agent. */\n updateSelf(update: {\n name?: string;\n voiceConfig?: AgentVoiceConfig;\n }): Promise<AgentSelf>;\n /**\n * Generate the agent's own avatar from a text prompt. The image is generated,\n * stored, and set on the agent server-side; returns the updated agent.\n *\n * ASYNC (same reason as `generateImage`): avatar gen runs `gpt-image-1`\n * (30–60s) which exceeds the API Gateway 30s ceiling, so this enqueues a job\n * (`POST /agent/avatar/generate` → `jobId`) then polls (`GET /agent/avatar/{jobId}`)\n * until the avatar is set. Signature unchanged — the plugin is unaffected.\n */\n generateAvatar(args: {\n prompt: string;\n }): Promise<AgentSelf>;\n /**\n * Get a presigned PUT URL to upload a new avatar image. Upload the bytes to\n * `uploadUrl`, then call `finalizeAvatar(s3Key)` to set it on the agent.\n */\n presignAvatar(args: {\n mimeType: string;\n size: number;\n }): Promise<AgentAvatarPresign>;\n /**\n * Finalize an avatar upload — validates ownership + size, then sets the\n * agent's `avatarUrl` server-side. Returns the updated agent.\n */\n finalizeAvatar(s3Key: string): Promise<AgentSelf>;\n /** List the platform voice catalogue (ElevenLabs) so the agent can pick its own voice. */\n listVoices(): Promise<{\n voices: AgentVoice[];\n }>;\n /**\n * Mint a fresh AES-256 data key for a specific (secret, field) pair. The\n * encryption context is rebuilt server-side from `auth.tenantId` + the body\n * fields including `fieldKey`; the agent cannot forge context for a scope\n * or field it doesn't own. Legacy single-envelope secrets are migrated to\n * `field#value` rows by the data migration, so call with `fieldKey: \"value\"`\n * to reach them.\n */\n generateSecretDataKey(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n fieldKey: string;\n }): Promise<GeneratedDataKey$1>;\n /**\n * Unwrap a wrapped data key so the agent can decrypt the envelope locally.\n * `fieldKey` MUST match the value supplied when the data key was generated\n * (it's bound into KMS encryption context); mismatch fails with\n * `InvalidCiphertextException`.\n */\n decryptSecretDataKey(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n fieldKey: string;\n dataKeyCiphertext: string;\n }): Promise<{\n plaintextKey: string;\n }>;\n /**\n * Create a new secret with one or more fields. Encrypted fields must arrive\n * pre-sealed (the agent has already obtained per-field data keys via\n * `generateSecretDataKey({ ..., fieldKey })` and AES-encrypted locally).\n * Plaintext fields ship the value inline.\n */\n createSecret(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n secretName: string;\n category?: SecretCategory$1;\n description?: string;\n tags?: string[];\n fields: {\n key: string;\n format?: FieldFormat$1;\n sensitivity: FieldSensitivity$1;\n value?: string;\n envelope?: EncryptedEnvelopeV1$1;\n }[];\n reason?: string;\n }): Promise<SecretAggregate$1>;\n /** Fetch the secret aggregate plus per-field encrypted envelopes. */\n getSecret(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n }): Promise<{\n aggregate: SecretAggregate$1;\n envelopes: FieldEnvelope$1[];\n }>;\n /** Fetch one field. Plaintext: value inline. Encrypted: envelope. */\n getSecretField(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n fieldKey: string;\n }): Promise<{\n key: string;\n sensitivity: FieldSensitivity$1;\n format?: FieldFormat$1;\n value?: string;\n envelope?: EncryptedEnvelopeV1$1;\n rotatedAt?: string;\n createdAt: string;\n updatedAt: string;\n }>;\n /** Add OR rotate one field. */\n setSecretField(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n fieldKey: string;\n sensitivity: FieldSensitivity$1;\n format?: FieldFormat$1;\n value?: string;\n envelope?: EncryptedEnvelopeV1$1;\n reason?: string;\n }): Promise<{\n fieldKey: string;\n rotated: boolean;\n }>;\n /** Remove one field. */\n removeSecretField(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n fieldKey: string;\n }): Promise<void>;\n /** Update secret-level metadata (name/description/tags/category). */\n updateSecretMetadata(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n secretName?: string;\n description?: string;\n tags?: string[];\n category?: SecretCategory$1;\n reason?: string;\n }): Promise<SecretAggregate$1>;\n /** List metadata for secrets in a scope. Optional filters route through the byFacet GSI. */\n listSecrets(args: {\n scope: SecretScope$1;\n scopeId: string;\n category?: SecretCategory$1;\n tag?: string;\n fieldKey?: string;\n }): Promise<SecretMetadata$1[]>;\n /** Bounded changelog read — metadata-only audit entries. */\n getSecretHistory(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n limit?: number;\n cursor?: string;\n }): Promise<{\n entries: ChangelogEntry$1[];\n nextCursor?: string;\n }>;\n /** Delete a secret (and all its field rows + tag rows + changelog rows). */\n deleteSecret(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n }): Promise<void>;\n /** Enumerate scopes (org/team/project/agent) this agent can access. */\n listSecretScopes(): Promise<ScopeInfo$1[]>;\n /**\n * Returns the calling agent's own identity context — `{ agentId, tenantId }`\n * decoded server-side from the agent API token. Used by the\n * `@alfe.ai/openclaw-identity` plugin to bootstrap context when the\n * OpenClaw daemon doesn't plumb `ctx.agentId` through to plugin hooks.\n * Plugins should cache this for the daemon's lifetime (single-agent-per-\n * process invariant). One HTTP round-trip per process activate; not for\n * per-call use.\n */\n whoami(): Promise<{\n agentId: string;\n tenantId: string;\n }>;\n resolveIdentity(args: {\n provider: string;\n platformId: string;\n kind?: \"user\" | \"agent\" | \"service\" | \"bot\" | \"workspace\";\n displayName?: string;\n }): Promise<{\n identityId: string | null;\n status: string;\n created?: boolean;\n reason?: string;\n /**\n * Flattened auriclabs permission strings for the resolved identity\n * (scope-prefixed where applicable). Empty array on miss / org service\n * outage — the runtime gate fails closed in that case.\n */\n permissions: string[];\n }>;\n searchIdentities(args?: {\n q?: string;\n status?: string;\n limit?: number;\n }): Promise<{\n identities: unknown[];\n }>;\n getIdentityContext(identityId: string): Promise<{\n context: unknown;\n }>;\n mergeIdentities(survivorId: string, args: {\n mergedId: string;\n changedBy: {\n type: string;\n id: string;\n name?: string;\n };\n }): Promise<{\n ok: boolean;\n error?: string;\n }>;\n unmergeIdentity(identityId: string, args: {\n changedBy: {\n type: string;\n id: string;\n name?: string;\n };\n }): Promise<{\n ok: boolean;\n error?: string;\n }>;\n addIdentityNote(identityId: string, args: {\n content: string;\n category?: string;\n changedBy: {\n type: string;\n id: string;\n name?: string;\n };\n }): Promise<{\n noteId: string | null;\n }>;\n tagIdentity(identityId: string, args: {\n tag: string;\n action: \"add\" | \"remove\";\n changedBy: {\n type: string;\n id: string;\n name?: string;\n };\n }): Promise<{\n ok: boolean;\n }>;\n getIdentityChangelog(identityId: string, args?: {\n limit?: number;\n }): Promise<{\n entries: unknown[];\n }>;\n rollbackIdentity(identityId: string, args: {\n targetVersion: number;\n changedBy: {\n type: string;\n id: string;\n name?: string;\n };\n }): Promise<{\n ok: boolean;\n entry?: unknown;\n }>;\n requestIdentityVerification(args: {\n claimedIdentityId: string;\n requestingIdentityId: string;\n requestingProvider: string;\n requestingPlatformId: string;\n preferredChannel?: \"mobile\" | \"email\";\n /**\n * Phase 2: agent-supplied contact endpoint. When provided, the top-level\n * `preferredChannel` is ignored — the contact's channel wins.\n */\n contact?: {\n channel: \"email\" | \"mobile\";\n value: string;\n };\n }): Promise<{\n verificationId: string;\n channel: string;\n deliveredTo: string;\n expiresAt: string;\n availableChannels: {\n channel: string;\n deliveredTo: string;\n }[];\n } | {\n error: string;\n }>;\n confirmIdentityVerification(args: {\n claimedIdentityId: string;\n verificationId: string;\n phrase: string;\n }): Promise<{\n verified: boolean;\n identityId?: string;\n /** Phase 2: how the confirm resolved — Scenario A vs B. */\n action?: \"merged\" | \"contact_verified\";\n error?: string;\n }>;\n /**\n * Update display-shape fields on an Identity. Body excludes `email` /\n * `phone` / `title` / `company` / `metadata` per Section D4 — contacts go\n * via the verify flow, title/company live on OrgMembership, metadata is\n * not agent-writable.\n */\n updateIdentity(identityId: string, args: {\n name?: string;\n avatarUrl?: string;\n timezone?: string;\n locale?: string;\n }): Promise<{\n ok: boolean;\n }>;\n /**\n * Phase 2 (Section H): server-side verification of a Google Chat sender via\n * the agent's existing Google OAuth credentials. Returns the resolved\n * identity (created or matched via Scenario-B email enrichment).\n */\n resolveGoogleChatSender(args: {\n senderUserId: string;\n spaceId?: string;\n }): Promise<{\n identityId: string | null;\n status: string;\n }>;\n memorySearch(query: string, opts?: {\n limit?: number;\n topic?: string;\n subtopic?: string;\n tag?: string;\n includeKnowledge?: boolean;\n }): Promise<{\n facts: {\n subject: string;\n predicate: string;\n object: string;\n since: string;\n confidence: number;\n }[];\n memories: {\n id: string;\n text: string;\n topic: string;\n subtopic: string;\n tag: string;\n importance: number;\n timestamp: number;\n score: number;\n }[];\n }>;\n memoryStore(text: string, opts?: {\n topic?: string;\n subtopic?: string;\n tag?: string;\n importance?: number;\n }): Promise<{\n memoryId: string;\n }>;\n memoryIngest(sessionKey: string, messages: {\n role: string;\n content: string;\n index: number;\n timestamp?: string;\n }[], metadata?: {\n channelId?: string;\n userId?: string;\n userName?: string;\n }): Promise<{\n queued: boolean;\n messageCount: number;\n }>;\n memoryLoadContext(tier?: number, topicHint?: string): Promise<{\n formatted: string;\n [key: string]: unknown;\n }>;\n memoryLookupEntity(subject: string): Promise<{\n subject: string;\n triples: {\n tripleId: string;\n predicate: string;\n object: string;\n validFrom: string;\n validTo?: string;\n confidence: number;\n }[];\n }>;\n memoryNavigate(): Promise<{\n topics: {\n name: string;\n tripleCount: number;\n subtopics: string[];\n }[];\n cursor: string | null;\n }>;\n memoryDelete(memoryId: string): Promise<{\n deleted: boolean;\n }>;\n memoryStats(): Promise<{\n vectorCount: number;\n tripleCount: number;\n storageEstimateBytes: number;\n lastIngestionAt?: string;\n }>;\n memoryLearn(args: {\n text: string;\n source?: string;\n sourceType?: \"file\" | \"url\" | \"inline\";\n metadata?: {\n sessionId?: string;\n channelId?: string;\n userName?: string;\n };\n }): Promise<{\n memoriesStored: number;\n triplesStored: number;\n chunks: number;\n source?: string;\n }>;\n memoryBootstrapStatus(): Promise<{\n synced: boolean;\n syncedAt?: string;\n sessionsBackfillSynced?: boolean;\n sessionsBackfillSyncedAt?: string;\n }>;\n memoryBootstrapStatusMark(scope?: \"files\" | \"sessions\"): Promise<{\n synced: true;\n syncedAt: string;\n }>;\n searchWeb(params: {\n query: string;\n count?: number;\n offset?: number;\n country?: string;\n freshness?: string;\n }): Promise<unknown>;\n searchImages(params: {\n query: string;\n count?: number;\n }): Promise<unknown>;\n searchNews(params: {\n query: string;\n count?: number;\n freshness?: string;\n }): Promise<unknown>;\n /**\n * Semantic search across the agent's member scopes. Fan-out is gated\n * server-side by `listScopes` set-inclusion (fail-closed). Pass\n * `scopeType` + `scopeId` to narrow to one scope; a non-member scope\n * yields empty results (never a cross-scope leak).\n */\n knowledgeSearch(query: string, opts?: {\n limit?: number;\n scopeType?: KnowledgeScopeType;\n scopeId?: string;\n }): Promise<KnowledgeSearchResult>;\n /** Enumerate the scopes (org + teams + projects) this agent belongs to. */\n listScopes(): Promise<{\n scopes: KnowledgeScope[];\n }>;\n /** Read a scope's structured knowledge profile (after membership check). */\n getScopeProfile(scopeType: KnowledgeScopeType, scopeId: string): Promise<KnowledgeProfile>;\n /** List a scope's docs (the org-files corpus; mirrored to shared/<scope>/). */\n listScopeDocs(scopeType: KnowledgeScopeType, scopeId: string, opts?: {\n limit?: number;\n cursor?: string;\n }): Promise<{\n files: KnowledgeDoc[];\n nextCursor: string | null;\n }>;\n /**\n * Read the full text of a scope doc. Resolves a presigned download URL\n * from `services/org`, then fetches the bytes directly from S3 (the one\n * legitimate raw fetch in a plugin — same pattern as sync).\n */\n readScopeDoc(scopeType: KnowledgeScopeType, scopeId: string, filePath: string): Promise<{\n filePath: string;\n text: string;\n }>;\n /**\n * Write (create or overwrite) a scope doc. Two-step presigned upload:\n * `services/org` returns a signed URL plus `requiredHeaders` (author /\n * authorKind / message as `x-amz-meta-*`) that MUST be sent verbatim on\n * the PUT, alongside the same `Content-Type` that was signed. Author and\n * authorKind are server-set from the agent token — never trusted here.\n */\n writeScopeDoc(scopeType: KnowledgeScopeType, scopeId: string, filePath: string, content: string, opts?: {\n contentType?: string;\n message?: string;\n }): Promise<{\n filePath: string;\n }>;\n /**\n * Open a change request against a scope's knowledge resource. For a doc\n * create/update, `services/org` returns a presigned staging PUT; this method\n * uploads the proposed `content` to it (echoing the same Content-Type that\n * was signed), mirroring `writeScopeDoc`. The staged body is applied to the\n * canonical doc — attributed to this agent — only when a reviewer approves.\n */\n proposeScopeChange(scopeType: KnowledgeScopeType, scopeId: string, input: ProposeScopeChangeInput): Promise<KnowledgeChangeRequest>;\n /**\n * List the agent's OWN change requests in a scope (filtered server-side to\n * this agent as proposer). Pass `status` to narrow to open / approved / etc.\n */\n listScopeChangeRequests(scopeType: KnowledgeScopeType, scopeId: string, opts?: {\n status?: ChangeRequestStatus;\n limit?: number;\n cursor?: string;\n }): Promise<{\n changeRequests: KnowledgeChangeRequest[];\n nextCursor: string | null;\n }>;\n registerDatabaseCredentials(): Promise<{\n connectionString: string;\n username: string;\n password: string;\n databases: string[];\n }>;\n reportDatabaseAudit(entry: {\n database: string;\n collection: string;\n operation: string;\n summary?: string;\n }): Promise<void>;\n requestBrowserTakeover(args: {\n instructions: string;\n url?: string;\n conversationId?: string;\n }): Promise<{\n sessionId: string;\n status: string;\n }>;\n getRemoteSession(sessionId: string): Promise<RemoteSessionInfo>;\n completeRemoteSession(sessionId: string): Promise<{\n ok: boolean;\n }>;\n /**\n * Issue a request that returns the raw `Response` (no JSON parsing, no\n * forced Content-Type). The caller sets `Content-Type`/`Accept` on `headers`\n * and reads the body itself (`arrayBuffer()` / `json()`).\n *\n * A single retry fires only on the same transient statuses `request()`\n * retries (authorizer-timeout 500 + LB 502/503/504) and transient network\n * errors — before the route handler runs — so re-issuing a POST does not\n * risk a duplicate side effect. Voice TTS/STT are effectively idempotent\n * (re-synthesize / re-transcribe) and meter server-side keyed on the\n * gateway requestId, so a retried transcription doesn't double-bill.\n */\n private rawFetch;\n /**\n * Text-to-speech. Returns raw PCM audio bytes plus their framing — the\n * voice service defaults to 24 kHz / mono / 16-bit. Wrap in a WAV container\n * to produce a playable file. Metered per character against the tenant\n * credit pool server-side; TTS completes regardless of metering outcome.\n */\n tts(args: VoiceTtsArgs): Promise<VoiceTtsResult>;\n /**\n * Speech-to-text. Accepts raw linear16 (16-bit LE) mono PCM — NOT a WAV or\n * other container (the endpoint transcribes with a fixed linear16 encoding,\n * so a container header would be transcribed as noise). Strip any WAV header\n * and pass `sampleRate` from it before calling. Metered by transcribed\n * duration against the tenant credit pool server-side.\n */\n stt(args: VoiceSttArgs): Promise<VoiceSttResult>;\n}\n//# sourceMappingURL=index.d.ts.map\n//#endregion\nexport { AgentApiClient, AgentApiClientConfig, AgentAvatarPresign, AgentSelf, AgentVoice, AgentVoiceConfig, ChangeRequestActorKind, ChangeRequestOperation, ChangeRequestResourceType, ChangeRequestStatus, type ChangelogAction, type ChangelogActor, type ChangelogEntry, type EncryptedEnvelopeV1, type Field, type FieldEnvelope, type FieldFormat, type FieldSensitivity, type FieldView, type GeneratedDataKey, type InstallToolErrorCaptureOptions, type IntegrationConfigResult, type IntegrationConfigSchemaField, type IntegrationInstall, KnowledgeChangeRequest, KnowledgeDoc, KnowledgeProfile, KnowledgeProfileLink, KnowledgeScope, KnowledgeScopeType, KnowledgeSearchHit, KnowledgeSearchResult, ProposeScopeChangeInput, type RegistryEntry, RemoteSessionInfo, type ScopeInfo, type SecretAggregate, type SecretCategory, type SecretMetadata, type SecretScope, SharedFileEntry, SyncAgentInfo, SyncAgentStats, SyncConfirmedUpload, SyncFileEntry, SyncManifest, SyncManifestEntry, SyncPresignedUrl, SyncReconstructBundle, SyncReconstructFile, SyncSessionContent, SyncSessionEntry, type ToolCaptureApi, VoiceSttArgs, VoiceSttResult, VoiceTtsArgs, VoiceTtsModel, VoiceTtsResult, installToolErrorCapture };\n//# sourceMappingURL=index.d.ts.map"],"mappings":";;;;;;;;;AAyBA;AAOA;;;;;AAcA;AAiBiB,UAtCA,aAAA,CAsCY;EA4BP,IAAA,EAAA,MAAA;EAAY,IAAA,EAAA,MAAA;YAEvB,EAAA,MAAA;cAAR,EAAA,UAAA,GAAA,YAAA;;AAmBmB,UAhFL,aAAA,CAgFkB;EAAA,KAAA,EA/E1B,MA+E0B,CAAA,MAAA,EA/EX,aA+EW,CAAA;;;;AAanC;;;;;AAgCA;EAgBsB,OAAA,CAAA,EAAA,MAAA;AAgBtB;AAA6B,UA/IZ,cAAA,CA+IY;SACpB,EAAA,CAAA;SACC,EAAA,MAAA;UACP,EAAA,MAAA;EAAY,KAAA,EA9IN,MA8IM,CAAA,MAAA,EAAA;;;;ICvHF,IAAA,CAAA,EAAA,MAAA;IAiDS,YAAA,CAAA,EAAA,MAAkB;IA+BxB,UAAA,CAAY,EAAA,OAAA;EAuBZ,CAAA,CAAA;AAUhB;UD3HiB,YAAA;;;EENPoC;EAIAC,MAAAA,EAAAA,MAAAA,EAAAA;EASAC;EAUAC,SAAAA,EAAAA,MAAAA,EAAAA;EAQAC;EAAY,aAAA,EAAA,MAAA,EAAA;;;;AAIP;AAEW;AAKG;AAOA;AAYD;AAUlBO,iBFrCY,YAAA,CEqCC,aAAA,EAAA,MAAA,CAAA,EFnCpB,OEmCoB,CFnCZ,aEmCY,CAAA;AAAA;AAQG;AAOE;AAKH;AAOfK,iBF3CY,aAAA,CE4CTD,aAAkB,EAAA,MAAA,EAAA,QAAA,EF1CnB,aE0CmB,CAAA,EFzC5B,OEyC4B,CAAA,IAAA,CAAA;AAAA;AASA;AAcF;AAQnBK,iBF9DY,mBAAA,CE8DI,aAAA,EAAA,MAAA,EAAA,YAAA,EAAA,MAAA,EAAA,KAAA,EF3DjB,aE2DiB,CAAA,EF1DvB,OE0DuB,CAAA,IAAA,CAAA;;;;;AAKG;AAIP;AASQ;AACH;;;;;AAajBI,iBF9DY,mBAAA,CE8DZA,aAAAA,EAAAA,MAAAA,EAAAA,YAAAA,EAAAA,MAAAA,CAAAA,EF3DP,OE2DOA,CAAAA,IAAAA,CAAAA;;;;AAK4B;AAQL,iBF3DX,eAAA,CE2DW,QAAA,EAAA,MAAA,CAAA,EF3DwB,OE2DxB,CAAA,MAAA,CAAA;;;;AAEE;AAaT;AAqBhBM,iBF/EM,aAAA,CE+EY,KAAA,EF9EnB,aE8EmB,EAAA,MAAA,EF7ElB,cE6EkB,CAAA,EF5EzB,YE4EyB;AAAA;;;cDnMf;iBAiDS,kBAAA,2CAGnB;iBA4Ba,YAAA;ADhIC,iBCuJD,eAAA,CDvJc,WAAA,EAAA,MAAA,EAAA,QAAA,EAAA,MAAA,EAAA,CAAA,EAAA,OAAA;AAOb,iBC0JD,aAAA,CD1Jc,KAAA,EAAA,MAAA,EAAA,EAAA,QAAA,EAAA,MAAA,EAAA,CAAA,EAAA,MAAA,EAAA;;;;;;;AE4Df;AAEW;AAKG,UA1CnB9B,oBAAAA,CAiDmB;EAAA,MAOnBS,EAAAA,MAAAA;EAKkB,MAGlBC,EAAAA,MAAAA;AAAc;AAOD,UAnEbT,iBAAAA,CA2EgB;EAAA,SAOhBY,EAAAA,MAAAA;EAAkB,OAKlBC,EAAAA,MAAAA;EAAe,OAMpBC,EAAAA,SAAAA,GAAAA,UAAkB;EAAA,MACbC,EAAAA,eAAc,GAAA,gBACXD,GAAAA,kBAAkB,GAAA,UAAA,GAAA,WAAA,GAAA,SAAA,GAAA,QAAA;EAAA,GAIrBE,CAAAA,EAAAA,MAAAA;EAKqB,YAarBC,CAAAA,EAAAA,MAAAA;EACmB,WAInBC,CAAAA,EAAAA,MAAAA;AAAoB;UAjHpBjB,aAAAA,CAqHgB;SACba,EAAAA,MAAAA;UAIJI,EAAAA,MAAAA;EAAoB,WAAA,EAAA,MAAA;EAAA,QAInBE,EAAAA,MAAAA;EAAY,MASjBC,EAAAA,OAAAA,GAAAA,SAAAA,GAAyB,QAAA;EAAA,SACzBC,CAAAA,EAAAA,MAAAA;EAAsB,SACtBC,CAAAA,EAAAA,MAAAA;EAAmB,QACnBC,CAAAA,EAAAA,MAAAA;AAAsB;UAhIjBtB,iBAAAA,CAkIsB;QAEnBY,MAAAA;QAEGO,MAAAA;UACHC,EAAAA,MAAAA;OAIHC,EAAAA,MAAAA;cAEMC,CAAAA,EAAAA,MAAAA;YAGAA,CAAAA,EAAAA,OAAAA;;AAAsB,UAxI5BrB,YAAAA,CAgJAuB;EAAuB,OAAA,EAAA,CAAA;SACjBL,EAAAA,MAAAA;UACHC,EAAAA,MAAAA;EAAsB,KAAA,EA9I1BlB,MA8I0B,CAAA,MAAA,EA9IXF,iBA8IW,CAAA;AAAA;AAaT,UAzJhBG,gBAAAA,CA0KMsB;EAAgB,IAItBE,EAAAA,MAAAA;EAAkB,GAWlBC,EAAAA,MAAAA;EAKM,SAIXC,EAAAA,MAAAA;AAAa;AAOK,UApMbzB,mBAAAA,CAuMc;EAET,QAQL6B,EAAAA,MAAAA;EAES,IAITE,EAAAA,MAAAA;EAAc,IAKVC,EAAAA,MAAAA;EAAc,YAAA,EAAA,UAAA,GAAA,YAAA;UAGNvC,EAAAA,MAAAA;;UAxNZQ,mBAAAA,CA4NJgC;QAGuBpC,MAAAA;QAARoC,MAAAA;OAQXlC,MAAAA;cADJkC,CAAAA,EAAAA,MAAAA;YAQQjC,CAAAA,EAAAA,OAAAA;;UAvOJE,qBAAAA,CA0OIA;SAAR+B,EAAAA,MAAAA;QACoB9B,MAAAA,GAAAA,QAAAA,GAAAA,QAAAA;WAAR8B,EAAAA,MAAAA;WAIP7B,EAAAA,MAAAA;OADL6B,EAzOGhC,mBAyOHgC,EAAAA;WAIQ5B,EAAAA,MAAAA;;UA1OJF,cAAAA,CA4OmCG;SAAR2B,EAAAA,MAAAA;eACDA,EAAAA,MAAAA;cAOzB1B,EAAAA,MAAAA;WADL0B,EAAAA,MAAAA;YAQAA,EAAAA,MAAAA,GAAAA,IAAAA;;UApPI7B,aAAAA,CAwPY6B;UACiC3D,EAAAA,MAAAA;QAAR2D,MAAAA;UACUnC,EAAAA,MAAAA;aAA0BmC,EAAAA,MAAAA;cAGtEnC,CAAAA,EAAAA,MAAAA;YACCrB,CAAAA,EAAAA,OAAAA;;UAtPJ4B,gBAAAA,CAuP0C5B;WAARwD,EAAAA,MAAAA;QACQA,MAAAA;cAQvCnC,EAAAA,MAAAA;cAHuBmC,CAAAA,EAAAA,MAAAA;YAMlBtD,EAAAA,OAAAA;;UA5PR2B,kBAAAA,CAwQgB2B;WAUgBA,EAAAA,MAAAA;SAOZA,EAAAA,MAAAA;YAyBPnC,EAAAA,OAAAA;;UA7SbS,eAAAA,CA2TiB0B;UA8BHA,EAAAA,MAAAA;UAoBEA,EAAAA,MAAAA;QAkBHA,MAAAA;aAiBCA,CAAAA,EAAAA,MAAAA;;KA1YnBzB,kBAAAA,GAmaiByB,KAAAA,GAAAA,MAAAA,GAAAA,SAAAA;UAlaZxB,cAAAA,CA4auCwB;WAUvBA,EArbbzB,kBAqbayB;SAYHA,EAAAA,MAAAA;QAmBMA,MAAAA;;UAhdnBvB,kBAAAA,CAsfgBuB;YAoCiCA;QAUnCA,MAAAA;;OA0BFA,EAAAA,MAAAA;WASQA,EAlkBjBzB,kBAkkBiByB;SAYHA,EAAAA,MAAAA;;;;;;QA2GRnC,EAAAA,KAAAA,GAAAA,MAAAA;;UAKImC,CAAAA,EAAAA,MAAAA;;QAoCjBA,CAAAA,EAAAA,MAAAA;;UArtBItB,qBAAAA,CAmuBQU;SACJC,EAnuBHZ,kBAmuBGY,EAAAA;;iBAYAA,EAAAA,OAAAA;;UA3uBJV,oBAAAA,CAmvBIW;OAARU,EAAAA,MAAAA;OAKmCX,MAAAA;;UApvB/BT,gBAAAA,CAuvBEW;WADIS,EArvBHzB,kBAqvBGyB;SAYL5C,EAAAA,MAAAA;OAIGjB,EAAAA,MAAAA,GAAAA,IAAAA;aAAR6D,EAAAA,MAAAA,GAAAA,IAAAA;OAQK5C,EAzwBFuB,oBAywBEvB,EAAAA;WAKL4C,EAAAA,MAAAA,GAAAA,IAAAA;WAUK5C,EAAAA,MAAAA,GAAAA,IAAAA;;UApxBDyB,YAAAA,CA6xBK/C;UACIE,EAAAA,MAAAA;UAEFP,EAAAA,MAAAA;aAGHqB,CAAAA,EAAAA,MAAAA;QAARkD,MAAAA;YAGK5C,CAAAA,EAAAA,MAAAA;WAIIN,EAAAA,MAAAA;WACAlB,EAAAA,MAAAA;;KAlyBVkD,yBAAAA,GAsyBM1B,KAAAA,GAAAA,SAAAA;KAryBN2B,sBAAAA,GA2yBY/C,QAAAA,GAAAA,QAAAA,GAAAA,QAAAA;KA1yBZgD,mBAAAA,GA2yBQlD,MAAAA,GAAAA,UAAAA,GAAAA,UAAAA,GAAAA,WAAAA,GAAAA,YAAAA;KA1yBRmD,sBAAAA,GA4yBUxD,OAAAA,GAAAA,OAAAA;;UA1yBLyD,sBAAAA,CAizBC9B;iBAIMpB,EAAAA,MAAAA;WACJF,EApzBAyC,kBAozBAzC;SAEEL,EAAAA,MAAAA;cAETuE,EAtzBUlB,yBAszBVkB;WAMK5C,EA3zBE2B,sBA2zBF3B;YAIL4C,EAAAA,MAAAA,GAAAA,IAAAA;eAGK5C,EAAAA,MAAAA,GAAAA,IAAAA;qBAMIJ,EAAAA,MAAAA,GAAAA,IAAAA;QAEDF,EAt0BJkC,mBAs0BIlC;YAARkD,EAAAA,MAAAA;cAGK5C,EAv0BK6B,sBAu0BL7B;WAEIJ,EAAAA,MAAAA;YAGDE,EAAAA,MAAAA,GAAAA,IAAAA;cAAR8C,EAz0BUf,sBAy0BVe,GAAAA,IAAAA;YAGK5C,EAAAA,MAAAA,GAAAA,IAAAA;YAME7B,EAAAA,MAAAA,GAAAA,IAAAA;YADPyE,EAAAA,MAAAA,GAAAA,IAAAA;WAMK5C,EAAAA,MAAAA;WAGL4C,EAAAA,MAAAA;;;UAl1BIb,uBAAAA,CA81BEa;cASNA,EAt2BUlB,yBAs2BVkB;WAgBAA,EAr3BOjB,sBAq3BPiB;;WAaAA,EAAAA,MAAAA;;YAsBAA,CAAAA,EAAAA,MAAAA;;SAgBAA,CAAAA,EAAAA,MAAAA;;aA4BAA,CAAAA,EAAAA,MAAAA;;eAkCAA,CAAAA,EAAAA,OAAAA;;;UAz9BIZ,gBAAAA,CAsgCJY;;SAgBkDA,CAAAA,EAAAA,MAAAA;UAIjBA,CAAAA,EAAAA,MAAAA;SAWnBA,CAAAA,EAAAA,OAAAA;;;;;;;;UAzhCVX,SAAAA,CAklCJW;SASUzB,EAAAA,MAAAA;UAEFG,EAAAA,MAAAA;QAARsB,MAAAA;WAGMxB,CAAAA,EAAAA,MAAAA;aADIwB,CAAAA,EA1lCAZ,gBA0lCAY;QAIazB,EAAAA,MAAAA;;;UA1lCnBe,kBAAAA,CA4lCiBf;;WAGrByB,EAAAA,MAAAA;;OAS4EA,EAAAA,MAAAA;;WAc5EA,EAAAA,MAAAA;;WAUsEb,EAAAA,MAAAA;;;UArnClEI,UAAAA,CA0nC2BhB;YACxBS;QAIOE,MAAAA;YADdc,EAAAA,MAAAA;aAI2BA,EAAAA,MAAAA;QAW3BA,EAxoCInC,MAwoCJmC,CAAAA,MAAAA,EAAAA,MAAAA,CAAAA;UAKAA,EAAAA,MAAAA;;;KAzoCDR,aAAAA,GA8oCuCQ,mBAAAA,GAAAA,wBAAAA;UA7oClCP,YAAAA,CAmqCEA;;QAAeO,MAAAA;;SAQQF,CAAAA,EAAAA,MAAAA;;EAAD,KAAA,CAAA,EArqCxBN,aAqqCwB;;;UAlqCxBE,cAAAA;ECjQV;EA8CA,KAAiB,EDqNRC,MCrNQ;EAqBjB;EAAgC,UAAA,EAAA,MAAA;;UAE9B,EAAA,MAAA;;UAEA,EAAA,MAAA;;UDoMQC,YAAAA;;OCtLH,EDwLEC,UCxLF;;YAwCA,EAAA,MAAA;;UDoJGC,cAAAA,CCxHyC;QAqCY,MAAA;;YA6HhD,EAAA,MAAA;;cDrCDC,cAAAA,CCwQC;mBAAR,MAAA;mBAgDQ,MAAA;aAAR,CAAA,MAAA,EDrTevC,oBCqTf;UAgCA,OAAA;EAAO,YAAA,CAAA,IAmBQ,CAnBR,EAAA;IAmBF,WAAA,CAAA,EAAU,MAAA;EAAA,CAAA,CAAA,EDpWhBwC,OCoWgB,CAAA;SAAqB,EDnWhCtC,aCmWgC;;EAAR,eAAA,CAAA,CAAA,EDjWdsC,OCiWc,CDjWNpC,YCiWM,CAAA;;;;MC/pBlB,SAAA,EAAA,KAAc,GAAA,KAAA;MAmBT,WAAA,CAAA,EAAY,MAAA;IAAA,CAAA,EAAA;MFkT5BoC,OEjTK,CAAA;QACM,EFiTPlC,gBEjTO,EAAA;;EAAP,iBAAA,CAAA,IAAA,EAAA;;;;ICTO,YAAA,CAAA,EAAY,UAAA,GAAA,YAAA;EAkG7B,CAAA,CAAsB,EH+NhBkC,OG/NgB,CH+NRjC,mBG/NmB,CAAA;EAAA,eAAA,CAAA,IAAA,EAAA;QAGvB,EAAA,MAAA,GAAA,QAAA,GAAA,QAAA;MH+NJiC,OG7NK,CH6NG/B,qBG7NH,CAAA;cAAR,CAAA,CAAA,EH8Ne+B,OG9Nf,CH8NuB9B,cG9NvB,CAAA;EAAO,aAAA,CAAA,KAAA,EAAA;;MHiOJ8B;WACK7B;EI3UX,CAAA,CAAiB;EAqDjB,gBAAsB,CAAA,CAAa,EJwRb6B,OIxRa,CAAA;IAAA,QAAA,EJyRrB5B,gBIzRqB,EAAA;;gBAIhB,CAAA,SAAA,EAAA,MAAA,CAAA,EJuRkB4B,OIvRlB,CJuR0B3B,kBIvR1B,CAAA;gBAER,CAAA,QAAA,EAAA,MAAA,CAAA,EJsRyB2B,OItRzB,CAAA;WAAR,EAAA,OAAA;EAAO,CAAA,CAAA;;;;ECxEV,CAAA,CAAiB,ELoWXA,OKpWW,CAAA;IAUK,KAAA,EL2VX1B,eK3VoB,EAAA;IAAA,UAAA,EAAA,MAAA,GAAA,IAAA;;mBACnB,CAAA,IAAA,EAAA;SACD,EAAA,KAAA,GAAA,MAAA,GAAA,SAAA;WACA,EAAA,MAAA;YAAR,EAAA,MAAA;EAAO,CAAA,CAAA,EL+VJ0B,OK/VI,CAAA;;;;ECSV,gBAA4B,CAAA,CAAA,EN0VNA,OM1VM,CN0VExD,kBM1VF,EAAA,CAAA;EAM5B,oBAAiB,CAAgB,aAEvB,EAAA,MAAA,CAAA,ENmVqCwD,OMnVvB,CNmV+B3D,uBMnV/B,CAAA;EACvB,uBAEqB,CAAA,aAAA,EAAA,MAAA,EAAA,MAAA,ENiVmCwB,MMjVnC,CAAA,MAAA,EAAA,OAAA,CAAA,CAAA,ENiV6DmC,OMjV7D,CAAA,IAAA,CAAA;EAOtB,kBAAiB,CAAA,aAAgB,EAAA,MAAA,EAAA,QAAA,EAAA;IAAA,OAAA,CAAA,EAAA,MAAA;UACZ,CAAA,EN4URnC,MM5UQ,CAAA,MAAA,EAAA,OAAA,CAAA;MN6UfmC,OM7U+B,CN6UvBxD,kBM7UuB,CAAA;mBACd,CAAA,aAAA,EAAA,MAAA,CAAA,EN6UqBwD,OM7UrB,CN6U6BxD,kBM7U7B,CAAA;aAAgB,CAAA,QAAA,EAAA,MAAA,EAAA,MAAA,CAAA,EAAA,MAAA,EAAA,CAAA,EN8UawD,OM9Ub,CAAA;OACmC,EAAA,MAAA;YAC5D,EAAA,MAAA;aACC,EAAA,MAAA;EAAW,CAAA,CAAA;EAG1B,cAAgB,CAAA,QAAA,EAAA,MAAsB,CAAA,EN6UFA,OM7UE,CAAA;IAAA,QAAA,EAAA,MAAA;aAC5B,EAAA,OAAA;UACH,CAAA,EN8UMnC,MM9UN,CAAA,MAAA,EAAA,MAAA,CAAA;;EACY,WAAA,CAAA,CAAA,EN+UFmC,OM/UE,CAAA;kBNgVDtD;;;;;;;;;;;;0BAYQsD;;;;;;;;;;0CAUgBA;;;;;;;8BAOZA;;;;;;;;;;;;;;;;;;;;kDAoBoBA;;;;;uBAK3BnC;;;;;;;;;;;;;;2BAcImC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;wBA8BHA;;;;;;;;;;;;;;;;;;;;0BAoBEA;;;;;;;;;;;;;;;;;;uBAkBHA;;;;;;;;;;;;;;;;;wBAiBCA;;;;;;;;;;;;;;qBAcHA;;;;;;;;;;;sBAWCA;;;;;;;;;;iDAU2BA;;;;;;;;;;0BAUvBA;;;;;;;;;;;;uBAYHA;;;;;;;;;;;;;;;;;;;6BAmBMA;;;;;;;;;;;;2BAYFA;;;;;;;;;;;;;;;;;;;;;;;;;;0BA0BDA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2DAoCiCA;;;;;;;;;;wBAUnCA;;;;;;;;;;;;;;qBAcHA;;;;;;;;;;;;sBAYCA;;;;;;;;;8BASQA;;;;;;;;;;;;2BAYHA;;;;;;;;;;;;;;;;;gDAiBqBA;;;;;;;;;;;;;;;;;;;;yDAoBSA;;;;;;;;;;;;;;;;;;;;;;0BAsB/BA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2DA8BiCA;;;;;yBAKlCA;;;;;;;;;;;;;mBAaNnC;MACbmC;;;;uBAIiBA;;;;;;;;;;;QAWfA;;;;;;;;;;;;;;;;;;;;;;;;;MAyBFA;;;;;;;;MAQAA;;;;;;kBAMYZ;MACZY,QAAQX;;;;;;;;;;;;MAYRW,QAAQX;;;;;;;;MAQRW,QAAQV;;;;;iCAKmBU,QAAQX;;gBAEzBW;YACJT;;;;;;;;;;;WAWDnC;;;;MAIL4C,QAAQ7D;;;;;;;;WAQHiB;;;;;MAKL4C;;;;;;;;;;WAUK5C;;;;eAIIJ;;;;;eAKAlB;mBACIE;;iBAEFP;;;MAGXuE,QAAQlD;;;WAGHM;;;MAGL4C;eACSlD;eACAlB;;;;WAIJwB;;;;MAIL4C;;iBAEWhE;aACJF;;eAEEL;;;;;;;WAOJ2B;;;;iBAIMpB;aACJF;;eAEEL;;MAETuE;;;;;;WAMK5C;;;;MAIL4C;;;WAGK5C;;;;;;eAMIJ;;MAETgD,QAAQlD;;;WAGHM;;eAEIJ;;;MAGTgD,QAAQ9C;;;WAGHE;;;;;MAKL4C;aACOzE;;;;;WAKF6B;;;MAGL4C;;sBAEgBA,QAAQpD;;;;;;;;;;YAUlBoD;;;;;;;;;MASNA;;;;;;;;;;;;;;;;MAgBAA;;;0CAGoCA;;;;;;;;;;MAUpCA;;;;;;;;;;MAUAA;;;;;;;;;;;;MAYAA;;;;;;;;;;;MAWAA;;;;;MAKAA;;;;;;;;;;MAUAA;;;;;;;;;;;;;;;;;;MAkBAA;;;;;;;;;;;;;;;;MAgBAA;;;;;;;;;;;;;;;;;;MAkBAA;;;;;;;;;;;MAWAA;;;;;;;;;;MAUAA;;;;;;;;;;;;;;;;;;;;;;;;MAwBAA;;;;;;;;;;;;MAYAA;;;;wDAIkDA;;;;uCAIjBA;;;;;;;;;;;oBAWnBA;;;;;;;;kCAQcA;;;iBAGjBA;;;;;;;;;;;;;;;MAeXA;;;;;;2BAMqBA;;;;;;2DAMgCA;;;;;;;;;;MAUrDA;;;;MAIAA;;;;;MAKAA;;;;;;;;;gBASUzB;;MAEVyB,QAAQtB;;gBAEEsB;YACJxB;;;6BAGiBD,sCAAsCyB,QAAQpB;;2BAEhDL;;;MAGrByB;WACKnB;;;;;;;;0BAQeN,wDAAwDyB;;;;;;;;;;;2BAWvDzB;;;MAGrByB;;;;;;;;;;gCAU0BzB,4CAA4CY,0BAA0Ba,QAAQd;;;;;qCAKzEX;aACxBS;;;MAGPgB;oBACcd;;;iCAGac;;;;;;;;;;;MAW3BA;;;;;MAKAA;;;;uCAIiCA,QAAQvC;4CACHuC;;;;;;;;;;;;;;;;;;;;;;YAsBhCP,eAAeO,QAAQN;;;;;;;;YAQvBE,eAAeI,QAAQF;;;;;;AFj3Cb,UGlDL,UAAA,CHkDiB;EAAA,MAAA,EAAA,MAAA;QAEvB,EAAA,MAAA;WAAR,EAAA,MAAA;EAAO,MAAA,EAAA,MAAA;AAmBV;;;;;AAaA;;;;;AAgCA;AAgBA;AAgBA;;;;;;;;;ACpHa,UEcI,iBAAA,CFbiD;EAgD5C,aAAA,EAAA,MAAkB;EA+BxB,MAAA,EEhEN,cFgEkB;EAuBZ;AAUhB;;;;ECjIUtC;AAAoB;AAIH;AASJ;EAkBbI,gBAAY,CAAA,EAAA,MAAA;;;;;AAIP;AAEW;AAKG;AAcnBK,iBCLM,gBAAA,CDUPD;EAAAA,aAAAA;EAAAA,MAAmB;EAAA,OAAA;EAAA;AAAA,CAAA,ECLzB,iBDKyB,CAAA,EAAA;EAGlBE,aAAAA,EAAAA,MAAc;EAOdC,MAAAA,gBAAa;EAQbC,OAAAA,EAAAA,MAAAA;EAOAC;AAAkB;AAKH;AAMF;EAMbI,IAAAA,CAAAA,KAAkB,CAAlBA,EAAAA,MAAAA,EAAkB,EAAA,OA2BlBG,CA3BkB,EAKfL;IAaHG,KAAAA,CAAAA,EAAAA,OAAAA;IAKAC,MAAAA,CAAAA,EAAAA,MAAAA;EAIAC,CAAAA,CAAAA,EC7DH,OD6DGA,CC7DK,UD6DW,CAAA;EAAA,WAAA,CAAA,KAAA,EAAA,MAAA,EAAA,EAAA,QAAA,EAAA;IACbL,KAAAA,CAAAA,EAAAA,OAAAA;MCtBN,OD0BEI,CC1BM,UD0BNA,CAAAA;EAAoB;EAInBE,IAAAA,CAAAA,OAULE,CAVKF,EAAY;IASjBC,KAAAA,CAAAA,EAAAA,OAAAA;EACAC,CAAAA,CAAAA,ECZ8C,ODY9CA,CCZsD,UDYtDA,CAAAA;EACAC;AAAmB;AACG;;UAIdT,CAAAA,QAAAA,EAAAA;IAEGO,KAAAA,CAAAA,EAAAA,OAAAA;MCiBuC,ODhB1CC,CCgBkD,UDhBlDA,CAAAA;;;;;AASyB;;;;;AAUH;AAaT;AAiBM;AAIJ;AAgBZ;AAIE;AAOK;AAKR;AAUI;AAIK;;;;;;;;;;;;;;;;;;;;;;;mBAkDlBiB,CAAAA,QAAAA,EAAAA;IAQAA,KAAAA,CAAAA,EAAAA,OAAAA;MChBC,ODoBuBxD,CCpBf,UDoBeA,CAAAA;;;;;WAEqDwD,CAAAA,KAAAA,EAAAA,MAAAA,EAAAA,EAAAA,QAAAA,EAAAA;IAGtEnC,KAAAA,CAAAA,EAAAA,OAAAA;MC0MN,ODzMOrB,CCyMC,UDzMDA,CAAAA;;;;;;;;;;;cA0CgBwD,CAAAA,QAAAA,EAAAA;IAyBPnC,KAAAA,CAAAA,EAAAA,OAAAA;IAL2BmC,KAAAA,CAAAA,EAAAA,MAAAA;MC2L3C,ODxKoBA,CCwKZ,UDxKYA,CAAAA;;;;;iBAmGNA,CAAAA,QAAAA,EAAAA,MAAAA,EAAAA,QAAAA,EAAAA;IAWCA,KAAAA,CAAAA,EAAAA,OAAAA;MC0Ff,ODhF0CA,CAAAA,IAAAA,CAAAA;;AAsB1BA,KC6EX,UAAA,GAAa,UD7EFA,CAAAA,OC6EoB,gBD7EpBA,CAAAA;;;;;;;;AFpkBvB;AAOA;AAA8B,UIrBb,cAAA,CJqBa;eACN,EAAA,MAAA;;;AAaxB;AAiBA;AA4BA;EAAkC,OAAA,CAAA,EAAA,MAAA;;YAE/B,CAAA,EAAA,MAAA;EAAO;EAmBY,SAAA,EAAA,CAAA,KAAa,EAAA,MAAA,EAAA,EAAA,GAAA,IAAA,GI1FM,OJ0FN,CAAA,IAAA,CAAA;;;;;AAanC;;AAGS,iBIlGa,YAAA,CJkGb,OAAA,EIjGE,cJiGF,CAAA,EIhGN,OJgGM,CAAA,GAAA,GIhGQ,OJgGR,CAAA,IAAA,CAAA,CAAA;;;;AArCa,UKpEL,YAAA,CLoEiB;EAAA,IAAA,EAAA,MAAA;SAEvB,EAAA,OAAA;MAAR,CAAA,EAAA,MAAA;EAAO,IAAA,CAAA,EAAA,MAAA;EAmBY,KAAA,CAAA,EAAA,MAAA;;;;;AAatB;;;;;AAgCA;AAgBA;AAgBgB,iBKpEM,WAAA,CLoEO,aAAA,EAAA,MAAA,EAAA,aAAA,EAAA,MAAA,EAAA,EAAA,MAAA,EKjEnB,cLiEmB,EAAA,QAAA,EAAA;EAAA,WAAA,CAAA,EAAA,MAAA;OACpB,CAAA,EAAA,OAAA;IKhEN,OLiEO,CKjEC,YLiED,EAAA,CAAA;;;;AAhIO,UM1CA,cAAA,CN0CY;EA4BP,IAAA,EAAA,MAAA;EAAY,OAAA,EAAA,OAAA;MAEvB,CAAA,EAAA,MAAA;OAAR,CAAA,EAAA,MAAA;;AAmBmB,iBMtCA,aAAA,CNsCa,aAAA,EAAA,MAAA,EAAA,aAAA,EAAA,MAAA,EAAA,EAAA,MAAA,EMnCzB,cNmCyB,EAAA,cAAA,CAAA,EMlChB,cNkCgB,EAAA,QAAA,EAAA;EAAA,WAAA,CAAA,EAAA,MAAA;OAEvB,CAAA,EAAA,OAAA;IMlCT,ONmCA,CMnCQ,cNmCR,EAAA,CAAA;;;;;;;;AA1Fc,UOjBA,YAAA,CPiBa;EAOb,UAAA,CAAA,EAAA,MAAa;EAAA,WAAA,CAAA,EAAA,MAAA;;;;AAc9B;AAiBA;AA4BA;AAAkC,iBOzEZ,SPyEY,CAAA,CAAA,CAAA,CAAA,EAAA,EAAA,GAAA,GOxEtB,OPwEsB,COxEd,CPwEc,CAAA,EAAA,OAAA,CAAA,EOvEvB,YPuEuB,CAAA,EOtE/B,OPsE+B,COtEvB,CPsEuB,CAAA;;;;AAAZ,UQ7DL,WAAA,CR6DiB;EAAA,SAAA,EAAA,MAAA,GAAA,SAAA,GAAA,KAAA;SAEvB,EAAA,MAAA;MAAR,EAAA,MAAA;;AAmBmB,UQ5EL,gBAAA,CR4EkB;EAAA,aAAA,EAAA,MAAA;QAEvB,EQ5EF,cR4EE;;UQzEF,YAAA,CR0EA;EAUY,IAAA,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,IAAmB;EAAA,IAAA,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,IAAA;OAGhC,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,IAAA;OACN,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,IAAA;;AA4BmB,UQ7GL,gBAAA,CR6GwB;EAgBnB,UAAA,CAAA,MAAA,EQ5HD,WR4HoC,EAAA,CAAA,EQ5HpB,OR4H2B,CAAA,IAAA,CAAA;EAgBhD,YAAA,CAAA,MAAa,EQ3IN,WR2IM,EAAA,CAAA,EQ3IU,OR2IV,CAAA,IAAA,CAAA;EAAA,kBAAA,CAAA,QAAA,EAAA,MAAA,EAAA,SAAA,EAAA,SAAA,GAAA,SAAA,CAAA,EQ1I6C,OR0I7C,CAAA,IAAA,CAAA;UACpB,EAAA,EQ1IK,OR0IL,CAAA,IAAA,CAAA;WACC,EAAA,EQ1IK,WR0IL,EAAA;;AACK,iBQxIC,sBAAA,CRwID,MAAA,EQvIL,gBRuIK,EAAA,GAAA,EQtIR,YRsIQ,CAAA,EQrIZ,gBRqIY"}
1
+ {"version":3,"file":"index.d.ts","names":["ChangelogAction","ChangelogActor","ChangelogEntry","ChangelogEntry$1","EncryptedEnvelopeV1","EncryptedEnvelopeV1$1","Field","FieldEnvelope","FieldEnvelope$1","FieldFormat","FieldFormat$1","FieldSensitivity","FieldSensitivity$1","FieldView","GeneratedDataKey","GeneratedDataKey$1","IntegrationConfigResult","IntegrationConfigResult$1","IntegrationConfigSchemaField","IntegrationInstall","IntegrationInstall$1","RegistryEntry","RegistryEntry$1","ScopeInfo","ScopeInfo$1","SecretAggregate","SecretAggregate$1","SecretCategory","SecretCategory$1","SecretMetadata","SecretMetadata$1","SecretScope","SecretScope$1","ToolCaptureApi","InstallToolErrorCaptureOptions","installToolErrorCapture","AgentApiClientConfig","NewsProvider","NewsArticle","NewsResult","RemoteSessionInfo","SyncAgentInfo","SyncManifestEntry","SyncManifest","Record","SyncPresignedUrl","SyncConfirmedUpload","SyncReconstructFile","SyncReconstructBundle","SyncAgentStats","SyncFileEntry","SyncSessionEntry","SyncSessionContent","SharedFileEntry","KnowledgeScopeType","KnowledgeScope","KnowledgeSearchHit","KnowledgeSearchResult","KnowledgeProfileLink","KnowledgeProfile","KnowledgeDoc","ChangeRequestResourceType","ChangeRequestOperation","ChangeRequestStatus","ChangeRequestActorKind","KnowledgeChangeRequest","ProposeScopeChangeInput","AgentVoiceConfig","AgentSelf","AgentAvatarPresign","AgentVoice","VoiceTtsModel","VoiceTtsArgs","VoiceTtsResult","Buffer","VoiceSttArgs","Uint8Array","VoiceSttResult","AgentApiClient","Promise"],"sources":["../src/manifest.ts","../src/ignore.ts","../../agent-api-client/dist/index.d.ts","../src/sync-engine.ts","../src/watcher.ts","../src/uploader.ts","../src/downloader.ts","../src/retry.ts","../src/shared-sync.ts"],"sourcesContent":["import { ChangelogAction, ChangelogActor, ChangelogEntry, ChangelogEntry as ChangelogEntry$1, EncryptedEnvelopeV1, EncryptedEnvelopeV1 as EncryptedEnvelopeV1$1, Field, FieldEnvelope, FieldEnvelope as FieldEnvelope$1, FieldFormat, FieldFormat as FieldFormat$1, FieldSensitivity, FieldSensitivity as FieldSensitivity$1, FieldView, GeneratedDataKey, GeneratedDataKey as GeneratedDataKey$1, IntegrationConfigResult, IntegrationConfigResult as IntegrationConfigResult$1, IntegrationConfigSchemaField, IntegrationInstall, IntegrationInstall as IntegrationInstall$1, RegistryEntry, RegistryEntry as RegistryEntry$1, ScopeInfo, ScopeInfo as ScopeInfo$1, SecretAggregate, SecretAggregate as SecretAggregate$1, SecretCategory, SecretCategory as SecretCategory$1, SecretMetadata, SecretMetadata as SecretMetadata$1, SecretScope, SecretScope as SecretScope$1 } from \"@alfe/types\";\n\n//#region src/tool-error-capture.d.ts\n\n/**\n * Tool-error capture for Alfe OpenClaw plugins.\n *\n * OpenClaw converts a thrown tool handler into a model-facing `tool_result`\n * WITHOUT logging, and most Alfe plugins catch-and-return an error result the\n * same silent way — so tool failures never appear in the runtime's output and\n * therefore never reach Sentry (the gateway daemon supervises the OpenClaw\n * process and reports error-looking output lines to the `agent-runtime`\n * project — see packages/gateway/src/runtime-output-monitor.ts).\n *\n * `installToolErrorCapture(api, { plugin })` closes that gap at the ONE choke\n * point every plugin already has: it wraps `api.registerTool` so every tool's\n * `execute` emits a deterministic, detector-matched line on failure:\n *\n * [ERROR] alfe-tool plugin=<plugin> tool=<name> <thrown|result-error>: <msg> (at <first-frame>)\n *\n * The `[ERROR]` prefix at line start is exactly what the daemon's\n * `ErrorLineDetector` classifies as an error-log block, so the failure lands\n * in Sentry fingerprinted by its normalized message — no Sentry SDK inside\n * the plugin process, no new dependency. Behavior toward OpenClaw and the\n * model is UNCHANGED: throws are rethrown, results returned as-is.\n */\n/**\n * Minimal shape of the OpenClaw plugin api this helper relies on. Method\n * syntax on purpose — TS checks method signatures bivariantly, so each\n * plugin's own concretely-typed `registerTool(tool: ToolDef): void` is\n * accepted without casts.\n */\ninterface ToolCaptureApi {\n registerTool(...args: never[]): unknown;\n}\ninterface InstallToolErrorCaptureOptions {\n /** Plugin package short-name for attribution (e.g. \"openclaw-secrets\"). */\n plugin: string;\n /**\n * Line sink — defaults to writing `process.stderr` directly (the plugin\n * runs in-process in OpenClaw, so this lands on the runtime's stderr, which\n * the daemon supervises — and a console patch can't reformat it away).\n * Injectable for tests.\n */\n emit?: (line: string) => void;\n}\n/**\n * Wrap `api.registerTool` so every tool registered AFTER this call gets\n * failure capture. Handles both OpenClaw registration signatures:\n * `registerTool(toolDef)` and `registerTool((ctx) => toolDef, opts)`.\n * Call once, first thing in the plugin's `activate`/`register` entry.\n * Never throws.\n */\ndeclare function installToolErrorCapture(api: ToolCaptureApi, options: InstallToolErrorCaptureOptions): void;\n//# sourceMappingURL=tool-error-capture.d.ts.map\n//#endregion\n//#region src/index.d.ts\ninterface AgentApiClientConfig {\n apiKey: string;\n apiUrl: string;\n}\n/**\n * The broad-news providers behind the metered `services/news` Lambda. The\n * server validates this with a zod enum; a value outside the union is an\n * unpriceable product, so keep the literal union in lockstep with the service.\n */\ntype NewsProvider = \"apitube\" | \"newsdata\";\n/** One normalized article. `sentiment` is provider-shaped (APITube supplies it). */\ninterface NewsArticle {\n title: string;\n url: string;\n source: string;\n publishedAt: string;\n snippet: string;\n sentiment?: unknown;\n}\n/** Provider-agnostic result — the server normalizes every adapter to this. */\ninterface NewsResult {\n articles: NewsArticle[];\n provider: string;\n}\ninterface RemoteSessionInfo {\n sessionId: string;\n agentId: string;\n surface: \"browser\" | \"terminal\";\n status: \"agent_driving\" | \"awaiting_human\" | \"human_in_control\" | \"resuming\" | \"completed\" | \"expired\" | \"failed\";\n url?: string;\n instructions?: string;\n requestedAt?: string;\n}\ninterface SyncAgentInfo {\n agentId: string;\n tenantId: string;\n displayName: string;\n s3Prefix: string;\n status: \"stale\" | \"syncing\" | \"synced\";\n fileCount?: number;\n totalSize?: number;\n lastSync?: string;\n}\ninterface SyncManifestEntry {\n hash: string;\n size: number;\n modified: string;\n etag?: string;\n storageClass?: string;\n compressed?: boolean;\n}\ninterface SyncManifest {\n version: 1;\n agentId: string;\n lastSync: string;\n files: Record<string, SyncManifestEntry>;\n}\ninterface SyncPresignedUrl {\n path: string;\n url: string;\n expiresAt: string;\n}\ninterface SyncConfirmedUpload {\n filePath: string;\n hash: string;\n size: number;\n storageClass: \"STANDARD\" | \"GLACIER_IR\";\n syncedAt: string;\n}\ninterface SyncReconstructFile {\n path: string;\n size: number;\n url: string;\n storageClass?: string;\n compressed?: boolean;\n}\ninterface SyncReconstructBundle {\n agentId: string;\n mode: \"full\" | \"active\" | \"memory\";\n fileCount: number;\n totalSize: number;\n files: SyncReconstructFile[];\n expiresAt: string;\n}\ninterface SyncAgentStats {\n agentId: string;\n standardBytes: number;\n glacierBytes: number;\n fileCount: number;\n lastSyncAt: string | null;\n}\ninterface SyncFileEntry {\n filePath: string;\n size: number;\n modified: string;\n contentHash: string;\n storageClass?: string;\n compressed?: boolean;\n}\ninterface SyncSessionEntry {\n sessionId: string;\n size: number;\n lastModified: string;\n storageClass?: string;\n isArchived: boolean;\n}\ninterface SyncSessionContent {\n sessionId: string;\n content: string;\n compressed: boolean;\n}\ninterface SharedFileEntry {\n filePath: string;\n fileName: string;\n size: number;\n contentType?: string;\n}\ntype KnowledgeScopeType = \"org\" | \"team\" | \"project\";\ninterface KnowledgeScope {\n scopeType: KnowledgeScopeType;\n scopeId: string;\n name: string;\n}\ninterface KnowledgeSearchHit {\n id: string;\n text: string;\n /** Normalized relevance in (0,1]; higher = closer. */\n score: number;\n scopeType: KnowledgeScopeType;\n scopeId: string;\n /**\n * Provenance of the hit. All live results are `\"doc\"`; `\"fact\"` only ever\n * appears for legacy vectors indexed before the facts primitive was removed\n * (the search index stays tolerant of them). Treat every hit as a doc.\n */\n source: \"doc\" | \"fact\";\n /** The canonical file under shared/<scope>/ (present on doc hits). */\n filePath?: string;\n /** Legacy-only: the id of a pre-removal fact vector. */\n factId?: string;\n}\ninterface KnowledgeSearchResult {\n results: KnowledgeSearchHit[];\n /** True when fan-out breadth was capped (more member scopes than the cap). */\n truncatedScopes: boolean;\n}\ninterface KnowledgeProfileLink {\n label: string;\n url: string;\n}\ninterface KnowledgeProfile {\n scopeType: KnowledgeScopeType;\n scopeId: string;\n about: string | null;\n description: string | null;\n links: KnowledgeProfileLink[];\n updatedAt: string | null;\n updatedBy: string | null;\n}\ninterface KnowledgeDoc {\n filePath: string;\n fileName: string;\n contentType?: string;\n size: number;\n uploadedBy?: string;\n createdAt: string;\n updatedAt: string;\n}\ntype ChangeRequestResourceType = \"doc\" | \"profile\";\ntype ChangeRequestOperation = \"create\" | \"update\" | \"delete\";\ntype ChangeRequestStatus = \"open\" | \"approved\" | \"rejected\" | \"withdrawn\" | \"superseded\";\ntype ChangeRequestActorKind = \"human\" | \"agent\";\n/** Public projection of a change request (mirrors `PublicChangeRequest` in services/org). */\ninterface KnowledgeChangeRequest {\n changeRequestId: string;\n scopeType: KnowledgeScopeType;\n scopeId: string;\n resourceType: ChangeRequestResourceType;\n operation: ChangeRequestOperation;\n targetPath: string | null;\n baseVersionId: string | null;\n proposedContentType: string | null;\n status: ChangeRequestStatus;\n proposerId: string;\n proposerKind: ChangeRequestActorKind;\n rationale: string;\n reviewerId: string | null;\n reviewerKind: ChangeRequestActorKind | null;\n reviewedAt: string | null;\n reviewNote: string | null;\n appliedRef: string | null;\n createdAt: string;\n updatedAt: string;\n}\n/** Per-type proposal payload for `proposeScopeChange`. */\ninterface ProposeScopeChangeInput {\n resourceType: ChangeRequestResourceType;\n operation: ChangeRequestOperation;\n /** Why the change is proposed — shown to the reviewer. */\n rationale: string;\n /** doc: the path the proposal applies to (e.g. designs/data-center.md). */\n targetPath?: string;\n /** doc create/update: the staged body to upload (markdown or other text). */\n content?: string;\n /** doc create/update: content type of the staged body (default text/markdown). */\n contentType?: string;\n /** profile: the proposed value ({ about, description, links }). */\n proposedValue?: unknown;\n}\n/** Voice settings — core agent config. Mirrors `VoiceConfig` in `@alfe/types`. */\ninterface AgentVoiceConfig {\n /** ElevenLabs voice ID; platform default when unset. */\n voiceId?: string;\n ttsModel?: string;\n enabled?: boolean;\n}\n/**\n * The agent's own public identity, as returned by `updateSelf`, `generateAvatar`,\n * `presignAvatar`'s finalize (`finalizeAvatar`). This is the public agent\n * projection; only the identity-relevant fields are typed here — the response\n * carries the full public agent record.\n */\ninterface AgentSelf {\n agentId: string;\n tenantId: string;\n name: string;\n avatarUrl?: string;\n voiceConfig?: AgentVoiceConfig;\n status: string;\n}\n/** Result of `presignAvatar` — the agent PUTs bytes to `uploadUrl`, then finalizes with `s3Key`. */\ninterface AgentAvatarPresign {\n /** Presigned PUT URL to upload the image bytes to. */\n uploadUrl: string;\n /** Object key — echoed back to `finalizeAvatar`. */\n s3Key: string;\n /** Stable public URL the avatar will be served from once finalized. */\n publicUrl: string;\n /** ISO expiry of the presigned PUT URL. */\n expiresAt: string;\n}\n/** A voice in the platform catalogue (ElevenLabs), from `listVoices`. */\ninterface AgentVoice {\n id: string;\n name: string;\n previewUrl: string;\n description: string;\n labels: Record<string, string>;\n category: string;\n}\n/** The ElevenLabs models with a pricing row — the TTS endpoint rejects any other value. */\ntype VoiceTtsModel = \"eleven_turbo_v2_5\" | \"eleven_multilingual_v2\";\ninterface VoiceTtsArgs {\n /** Text to synthesize (1–5000 chars — the endpoint enforces this). */\n text: string;\n /** ElevenLabs voice id; platform default when unset. */\n voiceId?: string;\n /** TTS model; `eleven_turbo_v2_5` (lower latency) when unset. */\n model?: VoiceTtsModel;\n}\n/** Raw synthesized audio plus its PCM framing (from the response headers). */\ninterface VoiceTtsResult {\n /** Raw little-endian PCM samples — no container. Wrap in WAV to make a playable file. */\n audio: Buffer;\n /** Samples per second (e.g. 24000). */\n sampleRate: number;\n /** Channel count (mono = 1). */\n channels: number;\n /** Bits per sample (e.g. 16). */\n bitDepth: number;\n}\ninterface VoiceSttArgs {\n /** Raw linear16 (16-bit little-endian) mono PCM samples — no WAV/container header. */\n audio: Uint8Array;\n /** Sample rate of `audio` in Hz (8000–48000). */\n sampleRate: number;\n}\ninterface VoiceSttResult {\n text: string;\n /** Deepgram confidence in (0,1]. */\n confidence: number;\n}\ndeclare class AgentApiClient {\n private readonly apiKey;\n private readonly apiUrl;\n constructor(config: AgentApiClientConfig);\n private request;\n syncRegister(args?: {\n displayName?: string;\n }): Promise<{\n agent: SyncAgentInfo;\n }>;\n syncGetManifest(): Promise<SyncManifest>;\n syncPresign(args: {\n files: {\n path: string;\n operation: \"put\" | \"get\";\n contentType?: string;\n }[];\n }): Promise<{\n urls: SyncPresignedUrl[];\n }>;\n syncConfirmUpload(args: {\n filePath: string;\n hash: string;\n size: number;\n storageClass?: \"STANDARD\" | \"GLACIER_IR\";\n }): Promise<SyncConfirmedUpload>;\n syncReconstruct(args: {\n mode: \"full\" | \"active\" | \"memory\";\n }): Promise<SyncReconstructBundle>;\n syncGetStats(): Promise<SyncAgentStats>;\n syncListFiles(args?: {\n prefix?: string;\n }): Promise<{\n files: SyncFileEntry[];\n }>;\n syncListSessions(): Promise<{\n sessions: SyncSessionEntry[];\n }>;\n syncGetSession(sessionId: string): Promise<SyncSessionContent>;\n syncDeleteFile(filePath: string): Promise<{\n removed: boolean;\n }>;\n sharedListFiles(args: {\n scope: \"org\" | \"team\" | \"project\";\n scopeId: string;\n }): Promise<{\n files: SharedFileEntry[];\n nextCursor: string | null;\n }>;\n sharedDownloadUrl(args: {\n scope: \"org\" | \"team\" | \"project\";\n scopeId: string;\n filePath: string;\n }): Promise<{\n downloadUrl: string;\n expiresIn: number;\n }>;\n listIntegrations(): Promise<IntegrationInstall$1[]>;\n getIntegrationConfig(integrationId: string): Promise<IntegrationConfigResult$1>;\n updateIntegrationConfig(integrationId: string, config: Record<string, unknown>): Promise<void>;\n installIntegration(integrationId: string, options?: {\n version?: string;\n config?: Record<string, unknown>;\n }): Promise<IntegrationInstall$1>;\n removeIntegration(integrationId: string): Promise<IntegrationInstall$1>;\n getOAuthUrl(provider: string, scopes?: string[]): Promise<{\n url: string;\n provider: string;\n expiresIn: number;\n }>;\n getOAuthStatus(provider: string): Promise<{\n provider: string;\n connected: boolean;\n config?: Record<string, string>;\n }>;\n getRegistry(): Promise<{\n integrations: RegistryEntry$1[];\n }>;\n /**\n * Returns every connected Google account for the agent. Multi-account by\n * design — the openclaw-google plugin requires the LLM to pass `email`\n * explicitly to `google_run_command` so an account is always selected\n * deliberately.\n *\n * 2026-05-14 (connections-redesign PR 1): the legacy flat shape (`email`,\n * `refreshToken`, `accessToken`, etc., populated from the default account)\n * is gone. Iterate over `accounts`.\n */\n getGoogleCredentials(): Promise<{\n accounts: {\n email: string;\n refreshToken: string;\n clientId: string;\n clientSecret: string;\n displayName?: string;\n connectedAt?: string;\n }[];\n }>;\n disconnectGoogleAccount(email: string): Promise<{\n accounts: {\n email: string;\n displayName?: string;\n connectedAt?: string;\n }[];\n }>;\n getGoogleChatCredentials(): Promise<{\n email: string;\n refreshToken: string;\n clientId: string;\n clientSecret: string;\n displayName?: string;\n }>;\n /**\n * Fetch decrypted credentials for ONE specific connection by its\n * stable connectionId (connection-scoped, vs the provider-scoped\n * `get<Provider>Credentials` helpers). Used by the daemon to resolve\n * a Custom Connection-driven integration's credentials from the\n * exact connection it was installed from — every custom connection\n * shares the `custom` provider id, so provider-scoping is ambiguous.\n *\n * For custom connections `accessToken` is the JSON-encoded secret\n * bundle (the daemon un-bundles it); non-secret fields are on\n * `providerMetadata`. The endpoint enforces that the connection is in\n * the calling agent's effective scope (403 otherwise).\n */\n getConnectionCredentials(connectionId: string): Promise<{\n provider: string;\n connectionId: string;\n accountIdentifier?: string;\n accessToken?: string;\n providerMetadata?: Record<string, unknown>;\n [key: string]: unknown;\n }>;\n /**\n * Resolve the primary cTrader Connection's credentials for the calling\n * agent. Unlike most providers, the cTrader Open API needs app-level auth\n * (`clientId` + `clientSecret`) AND account auth (`accessToken` +\n * `accountId`) on the socket, so `@alfe.ai/ctrader-mcp` self-fetches the\n * full set here at startup (the atlassian/google pattern). `clientId` /\n * `clientSecret` are the SST-sourced global app credentials the connect\n * endpoint injects — they are never persisted on the connection. `host` is\n * the resolved TLS endpoint (`live.ctraderapi.com` / `demo.ctraderapi.com`)\n * derived from the selected account's live/demo flag.\n */\n getCTraderCredentials(): Promise<{\n accessToken: string;\n refreshToken: string;\n accountId: string;\n host: string;\n clientId: string;\n clientSecret: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for cTrader.\n *\n * Unlike atlassian/salesforce (one Connection row per account/site), a\n * cTrader is MULTI-grant per agent: an agent may connect several distinct\n * cTrader logins, each its own Connection row keyed on `accountIdentifier =\n * ctid:<userId>` (Phase 1). This aggregates the *trading accounts* across\n * ALL of those Connection rows — each row contributes its `availableAccounts`\n * flattened, and every account carries ITS OWN grant's `accessToken` (the\n * token that authenticates that account against the cTrader Open API). One\n * OAuth grant still covers all accounts under that single login on one shared\n * token; only the `ctidTraderAccountId` and the protobuf socket `host` (live\n * vs demo) differ within a grant. Across grants the tokens differ, so the\n * token is now PER-ACCOUNT rather than hoisted to the top level.\n *\n * `host` per account is derived from the account's `isLive` flag\n * (`live.ctraderapi.com` / `demo.ctraderapi.com`) — the same mapping the\n * connect provider applies server-side when an account is auto-selected.\n *\n * `clientId` / `clientSecret` are the SST-sourced GLOBAL app credentials the\n * connect endpoint injects — identical across every Connection row (one\n * cTrader app), never persisted on a connection. We take them from the first\n * row that carries them.\n *\n * Accounts are deduped on `ctidTraderAccountId` first-wins: Spotware ids are\n * globally unique across logins, so a duplicate can only appear if the same\n * account somehow surfaced under two grants — first-wins keeps it\n * deterministic.\n *\n * `accounts` may be empty (no cTrader Connection at all), in which case we\n * return empty creds rather than throwing.\n */\n getCTraderAccounts(): Promise<{\n accounts: {\n ctidTraderAccountId: string;\n host: string;\n isLive: boolean;\n brokerName?: string;\n accountNumber?: string;\n accessToken: string;\n }[];\n clientId: string;\n clientSecret: string;\n }>;\n /**\n * @deprecated Returns a single primary credential blob (legacy \"pick-the-\n * default-connection\" shape). Use `getGithubAccounts()` for the multi-\n * account shape required by Pattern A — explicit selector args on every\n * tool. Retained because the `@alfe.ai/github-mcp` proxy is the\n * only consumer that knows about Pattern A; legacy env-interpolation\n * callers will keep hitting `/credentials` until they move to the proxy.\n */\n getGithubCredentials(): Promise<{\n login: string;\n accessToken: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for GitHub.\n *\n * Returns every agent-scoped GitHub connection. The caller is expected\n * to require a `login` selector on every credential-touching tool and\n * look up the matching account at dispatch time.\n *\n * GitHub OAuth tokens have no expiry (`tokenLifecycle: \"no_expiry\"`),\n * so there is intentionally no `refreshGithubAccountToken` method — if\n * a token is revoked the user must re-run the OAuth flow.\n *\n * Returned `accounts[i].login` is the GitHub username — the stable\n * cross-session identifier the LLM should pass.\n */\n getGithubAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n login: string;\n scopes: string;\n }[];\n }>;\n /**\n * @deprecated Returns a single primary credential blob (legacy \"pick-the-\n * default-connection\" shape). Use `getXeroAccounts()` for the multi-\n * account shape required by Pattern A — explicit selector args on every\n * tool. This method will be removed once all consumers migrate.\n */\n getXeroCredentials(): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n xeroTenantId: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for Xero. Returns every\n * agent-scoped Xero connection. The caller is expected to require a\n * selector arg (e.g. `xeroTenantId`) on every credential-touching tool\n * and look up the matching account by that selector at dispatch time.\n *\n * Returned `accounts[i].accountIdentifier` is the Xero tenantId — the\n * stable cross-session identifier the LLM should pass.\n */\n getXeroAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n accessTokenExpiresAt: string;\n xeroTenantId: string;\n }[];\n }>;\n refreshXeroToken(): Promise<{\n accessToken: string;\n expiresAt: string;\n }>;\n /**\n * Pattern A: refresh a specific Xero connection by its `accountIdentifier`\n * (the Xero `tenantId`). The legacy `refreshXeroToken()` only refreshes\n * the *primary* connection, which is wrong for multi-tenant Xero where\n * each tenant has its own non-interchangeable access token.\n */\n refreshXeroAccountToken(xeroTenantId: string): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n expiresAt: string;\n }>;\n /**\n * @deprecated Returns a single primary credential blob (legacy \"pick-the-\n * default-connection\" shape). Use `getNotionAccounts()` for the multi-\n * account shape required by Pattern A.\n */\n getNotionCredentials(): Promise<{\n accessToken: string;\n workspaceId: string;\n workspaceName: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for Notion. Returns every\n * agent-scoped Notion connection. The caller is expected to require a\n * selector arg (e.g. `workspaceId`) on every credential-touching tool.\n *\n * Returned `accounts[i].accountIdentifier` is the Notion workspaceId.\n */\n getNotionAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n workspaceId: string;\n workspaceName: string;\n }[];\n }>;\n /**\n * @deprecated Returns a single primary Atlassian Connection's credentials\n * (one OAuth user, one cloudId) — the legacy \"pick-the-default-connection\"\n * shape. Atlassian is multi-site by nature (each OAuth user may have\n * access to multiple Cloud sites), so Pattern A plugins MUST use\n * `getAtlassianAccounts()` to discover the full set and dispatch via\n * the `cloudId` selector arg.\n */\n getAtlassianCredentials(): Promise<{\n accessToken: string;\n refreshToken: string;\n accessTokenExpiresAt: string;\n cloudId: string;\n siteName: string;\n siteUrl: string;\n email: string;\n enabledProducts: string[];\n clientId: string;\n clientSecret: string;\n }>;\n refreshAtlassianToken(): Promise<{\n accessToken: string;\n expiresAt: string;\n }>;\n /**\n * Pattern A: multi-account / multi-site credential fetch for Atlassian.\n *\n * Returns every agent-scoped Atlassian Connection. Each Connection is\n * one OAuth user with a single access token and N accessible Cloud\n * sites (`availableSites`). The caller is expected to:\n *\n * 1. Flatten (connection × cloudId) into one MCP child per site.\n * 2. Require a `cloudId` selector on every credential-touching tool.\n * 3. Use the access token bound to the Connection that owns the\n * requested `cloudId` (Atlassian shares one access token across\n * all sites accessible to the OAuth user).\n *\n * Per-account token refresh uses `refreshAtlassianAccountToken(email)`\n * — refreshing one Connection rotates its single access token, which\n * then applies to every cloudId for that Connection.\n *\n * Returned `accounts[i].accountIdentifier` is the OAuth user's email\n * — the stable cross-session identifier for refresh purposes. The LLM\n * never sees this directly: it picks a site via the `cloudId` arg\n * instead.\n */\n getAtlassianAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n accessTokenExpiresAt: string;\n clientId: string;\n clientSecret: string;\n cloudId: string;\n siteName: string;\n siteUrl: string;\n availableSites: {\n id: string;\n url: string;\n name: string;\n scopes?: string[];\n avatarUrl?: string;\n }[];\n }[];\n }>;\n /**\n * Pattern A: refresh a specific Atlassian Connection by `accountIdentifier`\n * (the OAuth user's email).\n *\n * Atlassian rotates refresh tokens (`rotatesRefreshToken: true`); the\n * server-side per-account refresh endpoint handles rotation and\n * persistence. Refreshing one Connection updates its single access\n * token, which applies to every accessible Cloud site (cloudId) for\n * that OAuth user.\n *\n * Returns the new access token + expiry. The proxy is responsible for\n * fanning the new token out to every child server it spawned for\n * cloudIds owned by this Connection.\n */\n refreshAtlassianAccountToken(accountIdentifier: string): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n expiresAt: string;\n }>;\n /**\n * @deprecated Returns a single primary credential blob (legacy \"pick-the-\n * default-connection\" shape). Use `getMYOBAccounts()` for the multi-\n * account shape required by Pattern A.\n */\n getMYOBCredentials(): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n myobBusinessId: string;\n clientId: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for MYOB. Returns every\n * agent-scoped MYOB connection. The caller is expected to require a\n * selector arg (e.g. `myobBusinessId` / `accountIdentifier`) on every\n * credential-touching tool.\n *\n * Returned `accounts[i].accountIdentifier` is the MYOB businessId.\n */\n getMYOBAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n accessTokenExpiresAt: string;\n myobBusinessId: string;\n clientId: string;\n }[];\n }>;\n refreshMYOBToken(): Promise<{\n accessToken: string;\n expiresAt: string;\n }>;\n /**\n * @deprecated Returns a single primary credential blob. Use\n * `getSalesforceAccounts()` for the multi-account shape required by\n * Pattern A.\n */\n getSalesforceCredentials(): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n instanceUrl: string;\n orgId: string;\n }>;\n /**\n * Pattern A: multi-account credential fetch for Salesforce. Returns every\n * agent-scoped Salesforce connection. One OAuth grant maps to one org, so\n * `accounts[i].accountIdentifier` (and `orgId`) is the Salesforce org id —\n * the selector every credential-touching tool requires.\n */\n getSalesforceAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n accessTokenExpiresAt: string;\n instanceUrl: string;\n orgId: string;\n }[];\n }>;\n /**\n * Refresh the access token for a specific Salesforce org. Salesforce\n * tokens aren't interchangeable across orgs, so the connection is targeted\n * by `accountIdentifier` (the org id) — mirrors `refreshXeroAccountToken`.\n */\n refreshSalesforceAccountToken(orgId: string): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n expiresAt: string;\n }>;\n /**\n * Disconnects one connected Microsoft 365 account for the agent, by its\n * `accountIdentifier`. Hits the generic per-account disconnect route\n * (`DELETE /agent/connect/microsoft/accounts/{accountIdentifier}`), which\n * resolves across the agent's full effective scope chain and deletes the\n * matching Connection row. Returns the remaining accounts.\n *\n * IMPORTANT: pass the `accountIdentifier` from `getMicrosoftAccounts()`, NOT\n * a synthesised email. For Microsoft, `accountIdentifier` is the user's email\n * only when the Graph profile fetch succeeded at connect time; it falls back\n * to the Azure tenant id (`tid` claim) otherwise. The backend matches on\n * `accountIdentifier` exactly, so passing an email would 404 on those\n * fallback-identifier accounts. (This is why the param is not named `email`,\n * unlike `disconnectGoogleAccount` where the identifier is always the email.)\n */\n disconnectMicrosoftAccount(accountIdentifier: string): Promise<{\n accounts: {\n accountIdentifier: string;\n displayName?: string;\n connectedAt?: string;\n }[];\n }>;\n /**\n * Pattern A: multi-account credential fetch for Microsoft 365.\n *\n * Returns every agent-scoped Microsoft connection. The caller is expected\n * to require an `email` selector on every credential-touching tool and\n * look up the matching account at dispatch time.\n *\n * Returned `accounts[i].accountIdentifier` is the user's primary email\n * (or the tid claim as fallback) — the stable cross-session identifier\n * the LLM should pass.\n *\n * Per-account token refresh is exposed via `refreshMicrosoftAccountToken`,\n * NOT `refreshXeroAccountToken` — Microsoft refresh tokens are not\n * interchangeable across (tenant, user) pairs.\n */\n getMicrosoftAccounts(): Promise<{\n accounts: {\n connectionId: string;\n accountIdentifier: string;\n displayName: string | null;\n connectedAt: string;\n accessToken: string;\n accessTokenExpiresAt: string;\n refreshToken: string;\n clientId: string;\n clientSecret: string;\n email: string;\n microsoftTenantId: string;\n workspaceDomain: string;\n }[];\n }>;\n /**\n * Pattern A: refresh a specific Microsoft 365 connection by its\n * `accountIdentifier`. For Microsoft, `accountIdentifier` is the user's\n * email when the Graph profile fetch succeeded at connect time, and the\n * Azure tenant id (`tid` claim) as fallback. Callers should pass the\n * value returned by `getMicrosoftAccounts()` rather than synthesising\n * an email locally.\n *\n * Microsoft refresh tokens are bound to a specific (tenant, user) pair —\n * they are NOT interchangeable across accounts, so per-account refresh\n * is mandatory. The generic /accounts/{accountIdentifier}/refresh\n * endpoint walks the agent's full visible scope chain to find a matching\n * connection (works for inherited team/project Microsoft connections).\n */\n refreshMicrosoftAccountToken(accountIdentifier: string): Promise<{\n accessToken: string;\n accessTokenExpiresAt: string;\n expiresAt: string;\n }>;\n getTeamsCredentials(): Promise<{\n agentId: string;\n tenantId: string;\n azureAppId: string;\n azureBotId: string;\n azureClientSecret: string;\n botDisplayName?: string;\n teamsTenantId?: string;\n serviceUrl?: string;\n }>;\n sendTeamsMessage(data: {\n conversationId: string;\n text?: string;\n adaptiveCard?: Record<string, unknown>;\n }): Promise<{\n ok: boolean;\n activityId: string;\n }>;\n listTeamsChannels(): Promise<{\n channels: {\n id: string;\n name: string;\n description?: string;\n }[];\n }>;\n presignAttachments(files: {\n filename: string;\n mimeType: string;\n size: number;\n }[]): Promise<{\n attachments: {\n id: string;\n uploadUrl: string;\n downloadUrl: string;\n s3Key: string;\n expiresAt: string;\n }[];\n }>;\n /**\n * Generate an image from a text prompt and get back a STABLE, public URL\n * (served from the agent-assets CDN — it does not expire). Embed the returned\n * `imageUrl` in a reply as markdown to show it to the user.\n *\n * ASYNC: `gpt-image-1` routinely runs 30–60s, which exceeds the API Gateway\n * 30s ceiling, so this enqueues a job (`POST /agent/images/generate` →\n * `jobId`) then polls (`GET /agent/images/{jobId}`) until it completes. The\n * worker's real failure message (e.g. an unsupported `size`) surfaces via the\n * job's `error` field.\n */\n generateImage(args: {\n prompt: string;\n model?: string;\n size?: string;\n quality?: string;\n }): Promise<{\n imageUrl: string;\n model: string;\n }>;\n recordActivity(data: {\n userId?: string;\n channel: string;\n role: \"user\" | \"assistant\";\n }): Promise<{\n recorded: boolean;\n }>;\n /** Update the agent's own name and/or voice config. Returns the updated agent. */\n updateSelf(update: {\n name?: string;\n voiceConfig?: AgentVoiceConfig;\n }): Promise<AgentSelf>;\n /**\n * Generate the agent's own avatar from a text prompt. The image is generated,\n * stored, and set on the agent server-side; returns the updated agent.\n *\n * ASYNC (same reason as `generateImage`): avatar gen runs `gpt-image-1`\n * (30–60s) which exceeds the API Gateway 30s ceiling, so this enqueues a job\n * (`POST /agent/avatar/generate` → `jobId`) then polls (`GET /agent/avatar/{jobId}`)\n * until the avatar is set. Signature unchanged — the plugin is unaffected.\n */\n generateAvatar(args: {\n prompt: string;\n }): Promise<AgentSelf>;\n /**\n * Get a presigned PUT URL to upload a new avatar image. Upload the bytes to\n * `uploadUrl`, then call `finalizeAvatar(s3Key)` to set it on the agent.\n */\n presignAvatar(args: {\n mimeType: string;\n size: number;\n }): Promise<AgentAvatarPresign>;\n /**\n * Finalize an avatar upload — validates ownership + size, then sets the\n * agent's `avatarUrl` server-side. Returns the updated agent.\n */\n finalizeAvatar(s3Key: string): Promise<AgentSelf>;\n /** List the platform voice catalogue (ElevenLabs) so the agent can pick its own voice. */\n listVoices(): Promise<{\n voices: AgentVoice[];\n }>;\n /**\n * Mint a fresh AES-256 data key for a specific (secret, field) pair. The\n * encryption context is rebuilt server-side from `auth.tenantId` + the body\n * fields including `fieldKey`; the agent cannot forge context for a scope\n * or field it doesn't own. Legacy single-envelope secrets are migrated to\n * `field#value` rows by the data migration, so call with `fieldKey: \"value\"`\n * to reach them.\n */\n generateSecretDataKey(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n fieldKey: string;\n }): Promise<GeneratedDataKey$1>;\n /**\n * Unwrap a wrapped data key so the agent can decrypt the envelope locally.\n * `fieldKey` MUST match the value supplied when the data key was generated\n * (it's bound into KMS encryption context); mismatch fails with\n * `InvalidCiphertextException`.\n */\n decryptSecretDataKey(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n fieldKey: string;\n dataKeyCiphertext: string;\n }): Promise<{\n plaintextKey: string;\n }>;\n /**\n * Create a new secret with one or more fields. Encrypted fields must arrive\n * pre-sealed (the agent has already obtained per-field data keys via\n * `generateSecretDataKey({ ..., fieldKey })` and AES-encrypted locally).\n * Plaintext fields ship the value inline.\n */\n createSecret(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n secretName: string;\n category?: SecretCategory$1;\n description?: string;\n tags?: string[];\n fields: {\n key: string;\n format?: FieldFormat$1;\n sensitivity: FieldSensitivity$1;\n value?: string;\n envelope?: EncryptedEnvelopeV1$1;\n }[];\n reason?: string;\n }): Promise<SecretAggregate$1>;\n /** Fetch the secret aggregate plus per-field encrypted envelopes. */\n getSecret(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n }): Promise<{\n aggregate: SecretAggregate$1;\n envelopes: FieldEnvelope$1[];\n }>;\n /** Fetch one field. Plaintext: value inline. Encrypted: envelope. */\n getSecretField(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n fieldKey: string;\n }): Promise<{\n key: string;\n sensitivity: FieldSensitivity$1;\n format?: FieldFormat$1;\n value?: string;\n envelope?: EncryptedEnvelopeV1$1;\n rotatedAt?: string;\n createdAt: string;\n updatedAt: string;\n }>;\n /** Add OR rotate one field. */\n setSecretField(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n fieldKey: string;\n sensitivity: FieldSensitivity$1;\n format?: FieldFormat$1;\n value?: string;\n envelope?: EncryptedEnvelopeV1$1;\n reason?: string;\n }): Promise<{\n fieldKey: string;\n rotated: boolean;\n }>;\n /** Remove one field. */\n removeSecretField(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n fieldKey: string;\n }): Promise<void>;\n /** Update secret-level metadata (name/description/tags/category). */\n updateSecretMetadata(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n secretName?: string;\n description?: string;\n tags?: string[];\n category?: SecretCategory$1;\n reason?: string;\n }): Promise<SecretAggregate$1>;\n /** List metadata for secrets in a scope. Optional filters route through the byFacet GSI. */\n listSecrets(args: {\n scope: SecretScope$1;\n scopeId: string;\n category?: SecretCategory$1;\n tag?: string;\n fieldKey?: string;\n }): Promise<SecretMetadata$1[]>;\n /** Bounded changelog read — metadata-only audit entries. */\n getSecretHistory(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n limit?: number;\n cursor?: string;\n }): Promise<{\n entries: ChangelogEntry$1[];\n nextCursor?: string;\n }>;\n /** Delete a secret (and all its field rows + tag rows + changelog rows). */\n deleteSecret(args: {\n scope: SecretScope$1;\n scopeId: string;\n secretId: string;\n }): Promise<void>;\n /** Enumerate scopes (org/team/project/agent) this agent can access. */\n listSecretScopes(): Promise<ScopeInfo$1[]>;\n /**\n * Returns the calling agent's own identity context — `{ agentId, tenantId }`\n * decoded server-side from the agent API token. Used by the\n * `@alfe.ai/openclaw-identity` plugin to bootstrap context when the\n * OpenClaw daemon doesn't plumb `ctx.agentId` through to plugin hooks.\n * Plugins should cache this for the daemon's lifetime (single-agent-per-\n * process invariant). One HTTP round-trip per process activate; not for\n * per-call use.\n */\n whoami(): Promise<{\n agentId: string;\n tenantId: string;\n }>;\n resolveIdentity(args: {\n provider: string;\n platformId: string;\n kind?: \"user\" | \"agent\" | \"service\" | \"bot\" | \"workspace\";\n displayName?: string;\n }): Promise<{\n identityId: string | null;\n status: string;\n created?: boolean;\n reason?: string;\n /**\n * Flattened auriclabs permission strings for the resolved identity\n * (scope-prefixed where applicable). Empty array on miss / org service\n * outage — the runtime gate fails closed in that case.\n */\n permissions: string[];\n }>;\n searchIdentities(args?: {\n q?: string;\n status?: string;\n limit?: number;\n }): Promise<{\n identities: unknown[];\n }>;\n getIdentityContext(identityId: string): Promise<{\n context: unknown;\n }>;\n mergeIdentities(survivorId: string, args: {\n mergedId: string;\n changedBy: {\n type: string;\n id: string;\n name?: string;\n };\n }): Promise<{\n ok: boolean;\n error?: string;\n }>;\n unmergeIdentity(identityId: string, args: {\n changedBy: {\n type: string;\n id: string;\n name?: string;\n };\n }): Promise<{\n ok: boolean;\n error?: string;\n }>;\n addIdentityNote(identityId: string, args: {\n content: string;\n category?: string;\n changedBy: {\n type: string;\n id: string;\n name?: string;\n };\n }): Promise<{\n noteId: string | null;\n }>;\n tagIdentity(identityId: string, args: {\n tag: string;\n action: \"add\" | \"remove\";\n changedBy: {\n type: string;\n id: string;\n name?: string;\n };\n }): Promise<{\n ok: boolean;\n }>;\n getIdentityChangelog(identityId: string, args?: {\n limit?: number;\n }): Promise<{\n entries: unknown[];\n }>;\n rollbackIdentity(identityId: string, args: {\n targetVersion: number;\n changedBy: {\n type: string;\n id: string;\n name?: string;\n };\n }): Promise<{\n ok: boolean;\n entry?: unknown;\n }>;\n requestIdentityVerification(args: {\n claimedIdentityId: string;\n requestingIdentityId: string;\n requestingProvider: string;\n requestingPlatformId: string;\n preferredChannel?: \"mobile\" | \"email\";\n /**\n * Phase 2: agent-supplied contact endpoint. When provided, the top-level\n * `preferredChannel` is ignored — the contact's channel wins.\n */\n contact?: {\n channel: \"email\" | \"mobile\";\n value: string;\n };\n }): Promise<{\n verificationId: string;\n channel: string;\n deliveredTo: string;\n expiresAt: string;\n availableChannels: {\n channel: string;\n deliveredTo: string;\n }[];\n } | {\n error: string;\n }>;\n confirmIdentityVerification(args: {\n claimedIdentityId: string;\n verificationId: string;\n phrase: string;\n }): Promise<{\n verified: boolean;\n identityId?: string;\n /** Phase 2: how the confirm resolved — Scenario A vs B. */\n action?: \"merged\" | \"contact_verified\";\n error?: string;\n }>;\n /**\n * Update display-shape fields on an Identity. Body excludes `email` /\n * `phone` / `title` / `company` / `metadata` per Section D4 — contacts go\n * via the verify flow, title/company live on OrgMembership, metadata is\n * not agent-writable.\n */\n updateIdentity(identityId: string, args: {\n name?: string;\n avatarUrl?: string;\n timezone?: string;\n locale?: string;\n }): Promise<{\n ok: boolean;\n }>;\n /**\n * Phase 2 (Section H): server-side verification of a Google Chat sender via\n * the agent's existing Google OAuth credentials. Returns the resolved\n * identity (created or matched via Scenario-B email enrichment).\n */\n resolveGoogleChatSender(args: {\n senderUserId: string;\n spaceId?: string;\n }): Promise<{\n identityId: string | null;\n status: string;\n }>;\n memorySearch(query: string, opts?: {\n limit?: number;\n topic?: string;\n subtopic?: string;\n tag?: string;\n includeKnowledge?: boolean;\n }): Promise<{\n facts: {\n subject: string;\n predicate: string;\n object: string;\n since: string;\n confidence: number;\n }[];\n memories: {\n id: string;\n text: string;\n topic: string;\n subtopic: string;\n tag: string;\n importance: number;\n timestamp: number;\n score: number;\n }[];\n }>;\n memoryStore(text: string, opts?: {\n topic?: string;\n subtopic?: string;\n tag?: string;\n importance?: number;\n }): Promise<{\n memoryId: string;\n }>;\n memoryIngest(sessionKey: string, messages: {\n role: string;\n content: string;\n index: number;\n timestamp?: string;\n }[], metadata?: {\n channelId?: string;\n userId?: string;\n userName?: string;\n }): Promise<{\n queued: boolean;\n messageCount: number;\n }>;\n memoryLoadContext(tier?: number, topicHint?: string): Promise<{\n formatted: string;\n [key: string]: unknown;\n }>;\n memoryLookupEntity(subject: string): Promise<{\n subject: string;\n triples: {\n tripleId: string;\n predicate: string;\n object: string;\n validFrom: string;\n validTo?: string;\n confidence: number;\n }[];\n }>;\n memoryNavigate(): Promise<{\n topics: {\n name: string;\n tripleCount: number;\n subtopics: string[];\n }[];\n cursor: string | null;\n }>;\n memoryDelete(memoryId: string): Promise<{\n deleted: boolean;\n }>;\n memoryStats(): Promise<{\n vectorCount: number;\n tripleCount: number;\n storageEstimateBytes: number;\n lastIngestionAt?: string;\n }>;\n memoryLearn(args: {\n text: string;\n source?: string;\n sourceType?: \"file\" | \"url\" | \"inline\";\n metadata?: {\n sessionId?: string;\n channelId?: string;\n userName?: string;\n };\n }): Promise<{\n memoriesStored: number;\n triplesStored: number;\n chunks: number;\n source?: string;\n }>;\n memoryBootstrapStatus(): Promise<{\n synced: boolean;\n syncedAt?: string;\n sessionsBackfillSynced?: boolean;\n sessionsBackfillSyncedAt?: string;\n }>;\n memoryBootstrapStatusMark(scope?: \"files\" | \"sessions\"): Promise<{\n synced: true;\n syncedAt: string;\n }>;\n sendSms(args: {\n to: string;\n body: string;\n }): Promise<{\n sent: boolean;\n sid: string;\n }>;\n searchWeb(params: {\n query: string;\n count?: number;\n offset?: number;\n country?: string;\n freshness?: string;\n }): Promise<unknown>;\n searchImages(params: {\n query: string;\n count?: number;\n }): Promise<unknown>;\n searchNews(params: {\n query: string;\n count?: number;\n freshness?: string;\n }): Promise<unknown>;\n /** Search news across the selected provider's corpus. → POST /agent/news/search */\n newsSearch(params: {\n query: string;\n provider?: NewsProvider;\n source?: string;\n from?: string;\n to?: string;\n language?: string;\n category?: string;\n limit?: number;\n }): Promise<NewsResult>;\n /** Top headlines for the selected provider. → POST /agent/news/headlines */\n newsHeadlines(params?: {\n provider?: NewsProvider;\n category?: string;\n source?: string;\n language?: string;\n limit?: number;\n }): Promise<NewsResult>;\n /**\n * Semantic search across the agent's member scopes. Fan-out is gated\n * server-side by `listScopes` set-inclusion (fail-closed). Pass\n * `scopeType` + `scopeId` to narrow to one scope; a non-member scope\n * yields empty results (never a cross-scope leak).\n */\n knowledgeSearch(query: string, opts?: {\n limit?: number;\n scopeType?: KnowledgeScopeType;\n scopeId?: string;\n }): Promise<KnowledgeSearchResult>;\n /** Enumerate the scopes (org + teams + projects) this agent belongs to. */\n listScopes(): Promise<{\n scopes: KnowledgeScope[];\n }>;\n /** Read a scope's structured knowledge profile (after membership check). */\n getScopeProfile(scopeType: KnowledgeScopeType, scopeId: string): Promise<KnowledgeProfile>;\n /** List a scope's docs (the org-files corpus; mirrored to shared/<scope>/). */\n listScopeDocs(scopeType: KnowledgeScopeType, scopeId: string, opts?: {\n limit?: number;\n cursor?: string;\n }): Promise<{\n files: KnowledgeDoc[];\n nextCursor: string | null;\n }>;\n /**\n * Read the full text of a scope doc. Resolves a presigned download URL\n * from `services/org`, then fetches the bytes directly from S3 (the one\n * legitimate raw fetch in a plugin — same pattern as sync).\n */\n readScopeDoc(scopeType: KnowledgeScopeType, scopeId: string, filePath: string): Promise<{\n filePath: string;\n text: string;\n }>;\n /**\n * Write (create or overwrite) a scope doc. Two-step presigned upload:\n * `services/org` returns a signed URL plus `requiredHeaders` (author /\n * authorKind / message as `x-amz-meta-*`) that MUST be sent verbatim on\n * the PUT, alongside the same `Content-Type` that was signed. Author and\n * authorKind are server-set from the agent token — never trusted here.\n */\n writeScopeDoc(scopeType: KnowledgeScopeType, scopeId: string, filePath: string, content: string, opts?: {\n contentType?: string;\n message?: string;\n }): Promise<{\n filePath: string;\n }>;\n /**\n * Open a change request against a scope's knowledge resource. For a doc\n * create/update, `services/org` returns a presigned staging PUT; this method\n * uploads the proposed `content` to it (echoing the same Content-Type that\n * was signed), mirroring `writeScopeDoc`. The staged body is applied to the\n * canonical doc — attributed to this agent — only when a reviewer approves.\n */\n proposeScopeChange(scopeType: KnowledgeScopeType, scopeId: string, input: ProposeScopeChangeInput): Promise<KnowledgeChangeRequest>;\n /**\n * List the agent's OWN change requests in a scope (filtered server-side to\n * this agent as proposer). Pass `status` to narrow to open / approved / etc.\n */\n listScopeChangeRequests(scopeType: KnowledgeScopeType, scopeId: string, opts?: {\n status?: ChangeRequestStatus;\n limit?: number;\n cursor?: string;\n }): Promise<{\n changeRequests: KnowledgeChangeRequest[];\n nextCursor: string | null;\n }>;\n registerDatabaseCredentials(): Promise<{\n connectionString: string;\n username: string;\n password: string;\n databases: string[];\n }>;\n reportDatabaseAudit(entry: {\n database: string;\n collection: string;\n operation: string;\n summary?: string;\n }): Promise<void>;\n requestBrowserTakeover(args: {\n instructions: string;\n url?: string;\n conversationId?: string;\n }): Promise<{\n sessionId: string;\n status: string;\n }>;\n getRemoteSession(sessionId: string): Promise<RemoteSessionInfo>;\n completeRemoteSession(sessionId: string): Promise<{\n ok: boolean;\n }>;\n /**\n * Issue a request that returns the raw `Response` (no JSON parsing, no\n * forced Content-Type). The caller sets `Content-Type`/`Accept` on `headers`\n * and reads the body itself (`arrayBuffer()` / `json()`).\n *\n * A single retry fires only on the same transient statuses `request()`\n * retries (authorizer-timeout 500 + LB 502/503/504) and transient network\n * errors — before the route handler runs — so re-issuing a POST does not\n * risk a duplicate side effect. Voice TTS/STT are effectively idempotent\n * (re-synthesize / re-transcribe) and meter server-side keyed on the\n * gateway requestId, so a retried transcription doesn't double-bill.\n */\n private rawFetch;\n /**\n * Text-to-speech. Returns raw PCM audio bytes plus their framing — the\n * voice service defaults to 24 kHz / mono / 16-bit. Wrap in a WAV container\n * to produce a playable file. Metered per character against the tenant\n * credit pool server-side; TTS completes regardless of metering outcome.\n */\n tts(args: VoiceTtsArgs): Promise<VoiceTtsResult>;\n /**\n * Speech-to-text. Accepts raw linear16 (16-bit LE) mono PCM — NOT a WAV or\n * other container (the endpoint transcribes with a fixed linear16 encoding,\n * so a container header would be transcribed as noise). Strip any WAV header\n * and pass `sampleRate` from it before calling. Metered by transcribed\n * duration against the tenant credit pool server-side.\n */\n stt(args: VoiceSttArgs): Promise<VoiceSttResult>;\n}\n//# sourceMappingURL=index.d.ts.map\n//#endregion\nexport { AgentApiClient, AgentApiClientConfig, AgentAvatarPresign, AgentSelf, AgentVoice, AgentVoiceConfig, ChangeRequestActorKind, ChangeRequestOperation, ChangeRequestResourceType, ChangeRequestStatus, type ChangelogAction, type ChangelogActor, type ChangelogEntry, type EncryptedEnvelopeV1, type Field, type FieldEnvelope, type FieldFormat, type FieldSensitivity, type FieldView, type GeneratedDataKey, type InstallToolErrorCaptureOptions, type IntegrationConfigResult, type IntegrationConfigSchemaField, type IntegrationInstall, KnowledgeChangeRequest, KnowledgeDoc, KnowledgeProfile, KnowledgeProfileLink, KnowledgeScope, KnowledgeScopeType, KnowledgeSearchHit, KnowledgeSearchResult, NewsArticle, NewsProvider, NewsResult, ProposeScopeChangeInput, type RegistryEntry, RemoteSessionInfo, type ScopeInfo, type SecretAggregate, type SecretCategory, type SecretMetadata, type SecretScope, SharedFileEntry, SyncAgentInfo, SyncAgentStats, SyncConfirmedUpload, SyncFileEntry, SyncManifest, SyncManifestEntry, SyncPresignedUrl, SyncReconstructBundle, SyncReconstructFile, SyncSessionContent, SyncSessionEntry, type ToolCaptureApi, VoiceSttArgs, VoiceSttResult, VoiceTtsArgs, VoiceTtsModel, VoiceTtsResult, installToolErrorCapture };\n//# sourceMappingURL=index.d.ts.map"],"mappings":";;;;;;;;;AAyBA;AAOA;;;;;AAcA;AAiBiB,UAtCA,aAAA,CAsCY;EA4BP,IAAA,EAAA,MAAA;EAAY,IAAA,EAAA,MAAA;YAEvB,EAAA,MAAA;cAAR,EAAA,UAAA,GAAA,YAAA;;AAmBmB,UAhFL,aAAA,CAgFkB;EAAA,KAAA,EA/E1B,MA+E0B,CAAA,MAAA,EA/EX,aA+EW,CAAA;;;;AAanC;;;;;AAgCA;EAgBsB,OAAA,CAAA,EAAA,MAAA;AAgBtB;AAA6B,UA/IZ,cAAA,CA+IY;SACpB,EAAA,CAAA;SACC,EAAA,MAAA;UACP,EAAA,MAAA;EAAY,KAAA,EA9IN,MA8IM,CAAA,MAAA,EAAA;;;;ICvHF,IAAA,CAAA,EAAA,MAAA;IA8BI,YAAW,CAAA,EAAA,MAAA;IAsDN,UAAA,CAAA,EAAA,OAAkB;EAAA,CAAA,CAAA;;AAGrC,UDjGc,YAAA,CCiGd;EAAO;EAuCM,MAAA,EAAA,MAAA,EAAY;EA+BZ;EAUA,MAAA,EAAA,MAAA,EAAa;;;;ECvLnBoC,aAAAA,EAAAA,MAAAA,EAAoB;AAAA;AASb;AAEI;AAUE;AAGI;AASJ;AAUI;;AAYHM,iBFrBF,YAAA,CEqBEA,aAAAA,EAAAA,MAAAA,CAAAA,EFnBrB,OEmBqBA,CFnBb,aEmBaA,CAAAA;;;AAAT;AAEW;AAYhBK,iBFdY,aAAA,CEcO,aAAA,EAAA,MAAA,EAAA,QAAA,EFZjB,aEYiB,CAAA,EFX1B,OEW0B,CAAA,IAAA,CAAA;AAAA;AAYD;AAGJ;AAedI,iBF/BY,mBAAA,CE+BI,aAAA,EAAA,MAAA,EAAA,YAAA,EAAA,MAAA,EAAA,KAAA,EF5BjB,aE4BiB,CAAA,EF3BvB,OE2BuB,CAAA,IAAA,CAAA;AAAA;AAOE;AAKH;AAMF;AAEQ;AASA;AAcF;AAIC;;;AASD;AAIP;AAUjBW,iBFrEiB,mBAAA,CEqEK,aAAA,EAAA,MAAA,EAAA,YAAA,EAAA,MAAA,CAAA,EFlExB,OEkEwB,CAAA,IAAA,CAAA;AAAA;AACH;AACG;;AAIdR,iBF3DS,eAAA,CE2DTA,QAAAA,EAAAA,MAAAA,CAAAA,EF3D4C,OE2D5CA,CAAAA,MAAAA,CAAAA;;;;;;AAYyB,iBFvDtB,aAAA,CEuDsB,KAAA,EFtD7B,aEsD6B,EAAA,MAAA,EFrD5B,cEqD4B,CAAA,EFpDnC,YEoDmC;AAAA;;;cD3KzB;UA8BI,WAAA;;;ED9EA;EAOA,IAAA,EAAA,MAAA,EAAA;;AACR,iBC4Ha,kBAAA,CD5Hb,aAAA,EAAA,MAAA,EAAA,OAAA,CAAA,EAAA,MAAA,CAAA,EC+HN,OD/HM,CC+HE,WD/HF,CAAA;AAAM,iBCsKC,YAAA,CDtKD,YAAA,EAAA,MAAA,EAAA,KAAA,ECwKN,WDxKM,GAAA,MAAA,EAAA,CAAA,EAAA,OAAA;AAaE,iBCwLD,eAAA,CDpLD,WAAA,EAAA,MAAA,EAAA,KAAA,ECsLN,WDtLM,GAAA,MAAA,EAAA,CAAA,EAAA,OAAA;AAaE,iBCiLD,aAAA,CDjLa,KAAA,EAAA,MAAA,EAAA,EAAA,KAAA,ECmLpB,WDnLoB,GAAA,MAAA,EAAA,CAAA,EAAA,MAAA,EAAA;AA4B7B;;;;;AEvBqB;AAUE;AAGI;AASJ,UAjCblB,oBAAAA,CA2CiB;EAAA,MAQjBO,EAAAA,MAAAA;EAAY,MAAA,EAAA,MAAA;;;;AAIP;AAEW;AAKG;AAOA,KA5DxBN,YAAAA,GAmEKW,SAAqB,GAAA,UAKtBD;AAAmB;AAGJ,UAzEdT,WAAAA,CAgFa;EAAA,KAQba,EAAAA,MAAAA;EAAgB,GAOhBC,EAAAA,MAAAA;EAAkB,MAKlBC,EAAAA,MAAAA;EAAe,WAMpBC,EAAAA,MAAAA;EAAkB,OACbC,EAAAA,MAAAA;EACqB,SAIrBC,CAAAA,EAAAA,OAAAA;AAKqB;AAcF;AAIC,UA9HpBjB,UAAAA,CAkIAoB;EAAgB,QAAA,EAjIdrB,WAiIc,EAAA;UACbgB,EAAAA,MAAAA;;UA/HHd,iBAAAA,CAmImB;EAAA,SAInBoB,EAAAA,MAAY;EAAA,OASjBC,EAAAA,MAAAA;EAAyB,OACzBC,EAAAA,SAAAA,GAAAA,UAAsB;EAAA,MACtBC,EAAAA,eAAAA,GAAmB,gBAAA,GAAA,kBAAA,GAAA,UAAA,GAAA,WAAA,GAAA,SAAA,GAAA,QAAA;EAAA,GACnBC,CAAAA,EAAAA,MAAAA;EAAsB,YAEjBC,CAAAA,EAAAA,MAAAA;EAAsB,WAAA,CAAA,EAAA,MAAA;;UA5ItBxB,aAAAA,CAgJMoB;SACHC,EAAAA,MAAAA;UAIHC,EAAAA,MAAAA;aAEMC,EAAAA,MAAAA;UAGAA,EAAAA,MAAAA;EAAsB,MAAA,EAAA,OAAA,GAAA,SAAA,GAAA,QAAA;EAAA,SAQ5BE,CAAAA,EAAAA,MAAAA;EAAuB,SAAA,CAAA,EAAA,MAAA;UACjBL,CAAAA,EAAAA,MAAAA;;UAzJNnB,iBAAAA,CA0JyB;EAAA,IAazByB,EAAAA,MAAAA;EAAgB,IAYhBC,EAAAA,MAAAA;EAKsB,QAItBC,EAAAA,MAAAA;EAAkB,IAWlBC,CAAAA,EAAAA,MAAAA;EAKM,YAIXC,CAAAA,EAAAA,MAAa;EAAA,UACRC,CAAAA,EAAAA,OAAY;AAMC;AAKR,UApNL7B,YAAAA,CA4NY;EAEH,OAITkC,EAAAA,CAAAA;EAAc,OAKVC,EAAAA,MAAAA;EAAc,QAAA,EAAA,MAAA;OAGN1C,EAtObQ,MAsOaR,CAAAA,MAAAA,EAtOEM,iBAsOFN,CAAAA;;UApOZS,gBAAAA,CAwOJkC;QAGuBpC,MAAAA;OAARoC,MAAAA;WAQXlC,EAAAA,MAAAA;;UA9OAC,mBAAAA,CAqPIA;UAARiC,EAAAA,MAAAA;QAGQ/B,MAAAA;QAAR+B,MAAAA;cACoB9B,EAAAA,UAAAA,GAAAA,YAAAA;UAAR8B,EAAAA,MAAAA;;UAlPRhC,mBAAAA,CAqPJgC;QAIQ5B,MAAAA;QADQ4B,MAAAA;OAGuB3B,MAAAA;cAAR2B,CAAAA,EAAAA,MAAAA;YACDA,CAAAA,EAAAA,OAAAA;;UArP1B/B,qBAAAA,CA2PJ+B;SAQAA,EAAAA,MAAAA;QAIwB3D,MAAAA,GAAAA,QAAAA,GAAAA,QAAAA;WAAR2D,EAAAA,MAAAA;WACiC9D,EAAAA,MAAAA;OAAR8D,EAnQtChC,mBAmQsCgC,EAAAA;WACUnC,EAAAA,MAAAA;;UAjQ/CK,cAAAA,CAoQGL;SACCxB,EAAAA,MAAAA;eAAR2D,EAAAA,MAAAA;cAC8C3D,EAAAA,MAAAA;WAAR2D,EAAAA,MAAAA;YACQA,EAAAA,MAAAA,GAAAA,IAAAA;;UAhQ1C7B,aAAAA,CAqQ0B6B;UAMlBzD,EAAAA,MAAAA;QADDyD,MAAAA;UAaSA,EAAAA,MAAAA;aAUgBA,EAAAA,MAAAA;cAOZA,CAAAA,EAAAA,MAAAA;YAyBPnC,CAAAA,EAAAA,OAAAA;;UAzTbO,gBAAAA,CAuUiB4B;WAwCHA,EAAAA,MAAAA;QAoBEA,MAAAA;cAkBHA,EAAAA,MAAAA;cAiBCA,CAAAA,EAAAA,MAAAA;YAcHA,EAAAA,OAAAA;;UA7aX3B,kBAAAA,CAkcuC2B;WAUvBA,EAAAA,MAAAA;SAYHA,EAAAA,MAAAA;YAmBMA,EAAAA,OAAAA;;UAtenB1B,eAAAA,CA4gBgB0B;UAoCiCA,EAAAA,MAAAA;UAUnCA,EAAAA,MAAAA;QAcHA,MAAAA;aAYCA,CAAAA,EAAAA,MAAAA;;KA9kBjBzB,kBAAAA,GAmmBsByB,KAAAA,GAAAA,MAAAA,GAAAA,SAAAA;UAlmBjBxB,cAAAA,CAmnBsCwB;WAoBSA,EAtoB5CzB,kBAsoB4CyB;SAsB/BA,EAAAA,MAAAA;QA8BiCA,MAAAA;;UAtrBjDvB,kBAAAA,CAwsBSZ;YACbmC;QAIiBA,MAAAA;;OAoCjBA,EAAAA,MAAAA;WAQAA,EApvBOzB,kBAovBPyB;SAMYZ,EAAAA,MAAAA;;;;;;QAqBZY,EAAAA,KAAAA,GAAAA,MAAAA;;UAK2BA,CAAAA,EAAAA,MAAAA;;QAEjBA,CAAAA,EAAAA,MAAAA;;UAzwBNtB,qBAAAA,CAyxBI1C;SAARgE,EAxxBKvB,kBAwxBLuB,EAAAA;;iBAaAA,EAAAA,OAAAA;;UAjyBIrB,oBAAAA,CA+yBK9B;OAKAlB,EAAAA,MAAAA;OACIE,MAAAA;;UAjzBT+C,gBAAAA,CAszBIjC;WAARqD,EArzBOzB,kBAqzBPyB;SAGK/C,EAAAA,MAAAA;OAIIN,EAAAA,MAAAA,GAAAA,IAAAA;aACAlB,EAAAA,MAAAA,GAAAA,IAAAA;OAFTuE,EAvzBGrB,oBAuzBHqB,EAAAA;WAMK/C,EAAAA,MAAAA,GAAAA,IAAAA;WAMMpB,EAAAA,MAAAA,GAAAA,IAAAA;;UA/zBPgD,YAAAA,CAk0BKvD;UALT0E,EAAAA,MAAAA;UAYK/C,EAAAA,MAAAA;aAIMpB,CAAAA,EAAAA,MAAAA;QACJF,MAAAA;YAEEL,CAAAA,EAAAA,MAAAA;WAET0E,EAAAA,MAAAA;WAMK/C,EAAAA,MAAAA;;KA/0BN6B,yBAAAA,GAs1BM7B,KAAAA,GAAAA,SAAAA;KAr1BN8B,sBAAAA,GA21BUlC,QAAAA,GAAAA,QAAAA,GAAAA,QAAAA;KA11BVmC,mBAAAA,GA41BSrC,MAAAA,GAAAA,UAAAA,GAAAA,UAAAA,GAAAA,WAAAA,GAAAA,YAAAA;KA31BTsC,sBAAAA,GA21BCe,OAAAA,GAAAA,OAAAA;;UAz1BId,sBAAAA,CA81BKrC;iBAGDE,EAAAA,MAAAA;WAARiD,EA/1BOzB,kBA+1BPyB;SAGK/C,EAAAA,MAAAA;cAME7B,EAt2BG0D,yBAs2BH1D;WADP4E,EAp2BOjB,sBAo2BPiB;YAMK/C,EAAAA,MAAAA,GAAAA,IAAAA;eAGL+C,EAAAA,MAAAA,GAAAA,IAAAA;qBAEwBvD,EAAAA,MAAAA,GAAAA,IAAAA;QAARuD,EA32BZhB,mBA22BYgB;YAUVA,EAAAA,MAAAA;cASNA,EA53BUf,sBA43BVe;WAgBAA,EAAAA,MAAAA;YAGoCA,EAAAA,MAAAA,GAAAA,IAAAA;cAUpCA,EAt5BUf,sBAs5BVe,GAAAA,IAAAA;YAUAA,EAAAA,MAAAA,GAAAA,IAAAA;YAYAA,EAAAA,MAAAA,GAAAA,IAAAA;YAWAA,EAAAA,MAAAA,GAAAA,IAAAA;WAKAA,EAAAA,MAAAA;WAUAA,EAAAA,MAAAA;;;UA97BIb,uBAAAA,CAk/BJa;cAWAA,EA5/BUlB,yBA4/BVkB;WAUAA,EArgCOjB,sBAqgCPiB;;WAoCAA,EAAAA,MAAAA;;YAQiCA,CAAAA,EAAAA,MAAAA;;SAmBLA,CAAAA,EAAAA,MAAAA;;aAkB5BA,CAAAA,EAAAA,MAAAA;;eAYqDA,CAAAA,EAAAA,OAAAA;;;UArlCjDZ,gBAAAA,CA0mCJY;;SASS1C,CAAAA,EAAAA,MAAAA;UAODE,CAAAA,EAAAA,MAAAA;SAARwC,CAAAA,EAAAA,OAAAA;;;;;;;;UA9mCIX,SAAAA,CAmoCMW;SAIazB,EAAAA,MAAAA;UAA8CK,EAAAA,MAAAA;QAARoB,MAAAA;WAExCzB,CAAAA,EAAAA,MAAAA;aAIhBM,CAAAA,EAxoCKO,gBAwoCLP;QADLmB,EAAAA,MAAAA;;;UAnoCIV,kBAAAA,CAupCiBf;;WAaKA,EAAAA,MAAAA;;OAA8EW,EAAAA,MAAAA;;WAKzEX,EAAAA,MAAAA;;WAKjBW,EAAAA,MAAAA;;;UAnqCVK,UAAAA,CAirCJS;YAKAA;QAIyCvC,MAAAA;YAARuC,EAAAA,MAAAA;aACKA,EAAAA,MAAAA;QAsBhCP,EA5sCF5B,MA4sCE4B,CAAAA,MAAAA,EAAAA,MAAAA,CAAAA;UAAuBC,EAAAA,MAAAA;;;KAxsC9BF,aAAAA,GAgtC8BM,mBAAAA,GAAAA,wBAAAA;UA/sCzBL,YAAAA,CA+sCiBO;EAAO;;;;EC19ClC;EA8CA,KAAiB,CAAA,EDmOPR,aCnOO;AAqBjB;;UDiNUE,cAAAA,CChNR;;OAEA,EDgNOC,MChNP;;YAEC,EAAA,MAAA;;UAaY,EAAA,MAAA;;UAwCA,EAAA,MAAA;;UDiKLC,YAAAA,CCrIiD;;OAqCI,EDkGtDC,UClGsD;;YA6HhD,EAAA,MAAA;;UDvBLC,cAAAA,CC0PK;QAAR,MAAA;;YAgDA,EAAA,MAAA;;cDrSOC,cAAAA,CCqUA;EAmBd,iBAAsB,MAAA;EAAA,iBAAA,MAAA;aAAqB,CAAA,MAAA,EDrVrB1C,oBCqVqB;UAAlB,OAAA;EAAU,YAAA,CAAA,KAAA,EAAA;;MDjV7B2C;WACKtC;EEhVX,CAAA,CAAiB;EAmBjB,eAAsB,CAAA,CAAY,EF+TbsC,OE/Ta,CF+TLpC,YE/TK,CAAA;EAAA,WAAA,CAAA,IAAA,EAAA;SACvB,EAAA;UACM,EAAA,MAAA;eAAd,EAAA,KAAA,GAAA,KAAA;MAAO,WAAA,CAAA,EAAA,MAAA;;MFoUJoC;UACIlC;EG9UV,CAAA,CAAiB;EAkGjB,iBAAiC,CAAA,IAAA,EAAA;IAAA,QAAA,EAAA,MAAA;QAGvB,EAAA,MAAA;QAEC,EAAA,MAAA;gBAAR,CAAA,EAAA,UAAA,GAAA,YAAA;EAAO,CAAA,CAAA,EH8OJkC,OG9OI,CH8OIjC,mBG9OJ,CAAA;;;MHiPJiC,QAAQ/B;EI1Vd,YAAiB,CAAA,CAAA,EJ2VC+B,OI3Va,CJ2VL9B,cI3VK,CAAA;EAqD/B,aAAsB,CAAA,KAAa,EAAA;IAAA,MAAA,CAAA,EAAA,MAAA;MJyS7B8B,OItSI,CAAA;SACS,EJsSR7B,aItSQ,EAAA;;kBAEhB,CAAA,CAAA,EJsSmB6B,OItSnB,CAAA;IAAO,QAAA,EJuSI5B,gBIvSJ,EAAA;;qCJyS2B4B,QAAQ3B;oCACT2B;IKlXnB,OAAA,EAAA,OAAY;EAU7B,CAAA,CAAsB;EAAS,eAAA,CAAA,IAAA,EAAA;SACX,EAAA,KAAA,GAAA,MAAA,GAAA,SAAA;WAAR,EAAA,MAAA;ML6WNA,OK5WK,CAAA;SACA,EL4WA1B,eK5WA,EAAA;cAAR,EAAA,MAAA,GAAA,IAAA;EAAO,CAAA,CAAA;;;;ICSO,QAAA,EAAA,MAAW;EAM5B,CAAA,CAAiB,ENoWX0B,OMpWW,CAAA;IAKP,WAAA,EAAA,MAAY;IAOL,SAAA,EAAA,MAAA;EAAgB,CAAA,CAAA;kBACZ,CAAA,CAAA,EN2VCA,OM3VD,CN2VS3D,kBM3VT,EAAA,CAAA;sBAAgB,CAAA,aAAA,EAAA,MAAA,CAAA,EN4VU2D,OM5VV,CN4VkB9D,uBM5VlB,CAAA;yBACd,CAAA,aAAA,EAAA,MAAA,EAAA,MAAA,EN4VkC2B,MM5VlC,CAAA,MAAA,EAAA,OAAA,CAAA,CAAA,EN4V4DmC,OM5V5D,CAAA,IAAA,CAAA;oBAAgB,CAAA,aAAA,EAAA,MAAA,EAAA,QAAA,EAAA;WACmC,CAAA,EAAA,MAAA;UAC5D,CAAA,EN6VDnC,MM7VC,CAAA,MAAA,EAAA,OAAA,CAAA;MN8VRmC,OM7VS,CN6VD3D,kBM7VC,CAAA;EAAW,iBAAA,CAAA,aAAA,EAAA,MAAA,CAAA,EN8VkB2D,OM9VlB,CN8V0B3D,kBM9V1B,CAAA;EAG1B,WAAgB,CAAA,QAAA,EAAA,MAAsB,EAAA,MAAA,CAAA,EAAA,MAAA,EAAA,CAAA,EN4Vc2D,OM5Vd,CAAA;IAAA,GAAA,EAAA,MAAA;YAC5B,EAAA,MAAA;aACH,EAAA,MAAA;;EACY,cAAA,CAAA,QAAA,EAAA,MAAA,CAAA,EN8ViBA,OM9VjB,CAAA;;;aNiWNnC;;iBAEImC;kBACCzD;;;;;;;;;;;;0BAYQyD;;;;;;;;;;0CAUgBA;;;;;;;8BAOZA;;;;;;;;;;;;;;;;;;;;kDAoBoBA;;;;;uBAK3BnC;;;;;;;;;;;;;;2BAcImC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;wBAwCHA;;;;;;;;;;;;;;;;;;;;0BAoBEA;;;;;;;;;;;;;;;;;;uBAkBHA;;;;;;;;;;;;;;;;;wBAiBCA;;;;;;;;;;;;;;qBAcHA;;;;;;;;;;;sBAWCA;;;;;;;;;;iDAU2BA;;;;;;;;;;0BAUvBA;;;;;;;;;;;;uBAYHA;;;;;;;;;;;;;;;;;;;6BAmBMA;;;;;;;;;;;;2BAYFA;;;;;;;;;;;;;;;;;;;;;;;;;;0BA0BDA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2DAoCiCA;;;;;;;;;;wBAUnCA;;;;;;;;;;;;;;qBAcHA;;;;;;;;;;;;sBAYCA;;;;;;;;;8BASQA;;;;;;;;;;;;2BAYHA;;;;;;;;;;;;;;;;;gDAiBqBA;;;;;;;;;;;;;;;;;;;;yDAoBSA;;;;;;;;;;;;;;;;;;;;;;0BAsB/BA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2DA8BiCA;;;;;yBAKlCA;;;;;;;;;;;;;mBAaNnC;MACbmC;;;;uBAIiBA;;;;;;;;;;;QAWfA;;;;;;;;;;;;;;;;;;;;;;;;;MAyBFA;;;;;;;;MAQAA;;;;;;kBAMYZ;MACZY,QAAQX;;;;;;;;;;;;MAYRW,QAAQX;;;;;;;;MAQRW,QAAQV;;;;;iCAKmBU,QAAQX;;gBAEzBW;YACJT;;;;;;;;;;;WAWDtC;;;;MAIL+C,QAAQhE;;;;;;;;WAQHiB;;;;;MAKL+C;;;;;;;;;;WAUK/C;;;;eAIIJ;;;;;eAKAlB;mBACIE;;iBAEFP;;;MAGX0E,QAAQrD;;;WAGHM;;;MAGL+C;eACSrD;eACAlB;;;;WAIJwB;;;;MAIL+C;;iBAEWnE;aACJF;;eAEEL;;;;;;;WAOJ2B;;;;iBAIMpB;aACJF;;eAEEL;;MAET0E;;;;;;WAMK/C;;;;MAIL+C;;;WAGK/C;;;;;;eAMIJ;;MAETmD,QAAQrD;;;WAGHM;;eAEIJ;;;MAGTmD,QAAQjD;;;WAGHE;;;;;MAKL+C;aACO5E;;;;;WAKF6B;;;MAGL+C;;sBAEgBA,QAAQvD;;;;;;;;;;YAUlBuD;;;;;;;;;MASNA;;;;;;;;;;;;;;;;MAgBAA;;;0CAGoCA;;;;;;;;;;MAUpCA;;;;;;;;;;MAUAA;;;;;;;;;;;;MAYAA;;;;;;;;;;;MAWAA;;;;;MAKAA;;;;;;;;;;MAUAA;;;;;;;;;;;;;;;;;;MAkBAA;;;;;;;;;;;;;;;;MAgBAA;;;;;;;;;;;;;;;;;;MAkBAA;;;;;;;;;;;MAWAA;;;;;;;;;;MAUAA;;;;;;;;;;;;;;;;;;;;;;;;MAwBAA;;;;;;;;;;;;MAYAA;;;;wDAIkDA;;;;uCAIjBA;;;;;;;;;;;oBAWnBA;;;;;;;;kCAQcA;;;iBAGjBA;;;;;;;;;;;;;;;MAeXA;;;;;;2BAMqBA;;;;;;2DAMgCA;;;;;;;MAOrDA;;;;;;;;;;MAUAA;;;;MAIAA;;;;;MAKAA;;;;eAIS1C;;;;;;;MAOT0C,QAAQxC;;;eAGCF;;;;;MAKT0C,QAAQxC;;;;;;;;;gBASEe;;MAEVyB,QAAQtB;;gBAEEsB;YACJxB;;;6BAGiBD,sCAAsCyB,QAAQpB;;2BAEhDL;;;MAGrByB;WACKnB;;;;;;;;0BAQeN,wDAAwDyB;;;;;;;;;;;2BAWvDzB;;;MAGrByB;;;;;;;;;;gCAU0BzB,4CAA4CY,0BAA0Ba,QAAQd;;;;;qCAKzEX;aACxBS;;;MAGPgB;oBACcd;;;iCAGac;;;;;;;;;;;MAW3BA;;;;;MAKAA;;;;uCAIiCA,QAAQvC;4CACHuC;;;;;;;;;;;;;;;;;;;;;;YAsBhCP,eAAeO,QAAQN;;;;;;;;YAQvBE,eAAeI,QAAQF;;;;;;AFz6Cb,UGjDL,UAAA,CHiDiB;EAAA,MAAA,EAAA,MAAA;QAEvB,EAAA,MAAA;WAAR,EAAA,MAAA;EAAO,MAAA,EAAA,MAAA;AAmBV;;;;;AAaA;;;;;AAgCA;AAgBA;AAgBA;;;;;;;;;ACpHa,UEeI,iBAAA,CFdiD;EA6BjD,aAAA,EAAW,MAAA;EAsDN,MAAA,EEnEZ,cFmE8B;EAAA;;;;EA0CxB,OAAA,CAAA,EAAA,MAAY;EA+BZ;AAUhB;;;;AC3LqG;AAIvE;AASb;AAEI;AAUE;AAGI;AASJ;AAkBblC,iBCCM,gBAAA,CDDM;EAAA,aAAA;EAAA,MAAA;EAAA,OAAA;EAAA;AAAA,CAAA,ECMnB,iBDNmB,CAAA,EAAA;EAAA,aAAA,EAAA,MAAA;QAIED,gBAAAA;SAAfE,EAAAA,MAAAA;EAAM;AAAA;AAEW;AAKG;EAcnBI,IAAAA,CAAAA,KAAAA,CAAAA,EAAAA,MAAAA,EAAAA,EAAAA,OAuBAG,CAvBqB,EAAA;IAQrBF,KAAAA,CAAAA,EAAAA,OAAc;IAOdC,MAAAA,CAAAA,EAAAA,MAAa;EAQbC,CAAAA,CAAAA,EC7BH,OD6BGA,CC7BK,UD6BW,CAAA;EAOhBC,WAAAA,CAAAA,KAAAA,EAAAA,MAAkB,EAAA,EAAA,OAWvBE,CAXuB,EAAA;IAKlBD,KAAAA,CAAAA,EAAAA,OAAe;EAMpBC,CAAAA,CAAAA,ECPE,ODOFA,CCPU,UDOQ,CAAA;EACbC;EAKAC,IAAAA,CAAAA,OAuBAE,CAvBAF,EAAAA;IAkBAC,KAAAA,CAAAA,EAAAA,OAAAA;EAKAC,CAAAA,CAAAA,ECRyC,ODQzCA,CCRiD,UDQjDA,CAAoB;EAIpBC;;;;EAKmB,QAAA,CAAA,OAaxBE,CAbwB,EAAA;IAInBD,KAAAA,CAAAA,EAAAA,OAAY;EASjBC,CAAAA,CAAAA,ECOkD,ODPlDA,CCO0D,UDP1DA,CAAAA;EACAC;AAAsB;AACH;AACG;;;;;;;;;AAgBW;;;;;AAUH;AAaT;AAiBM;AAIJ;AAgBZ;AAIE;AAOK;AAKR;AAUI;AAIK;;;;;;;;;;;;;;;mBAsCbZ,CAAAA,QAAAA,EAAAA;IADL6B,KAAAA,CAAAA,EAAAA,OAAAA;MCdC,ODkBO5B,CClBC,UDkBDA,CAAAA;;;;;WAUHE,CAAAA,KAAAA,EAAAA,MAAAA,EAAAA,EAAAA,QAAAA,EAAAA;IADL0B,KAAAA,CAAAA,EAAAA,OAAAA;MCwMC,ODhMDA,CCgMS,UDhMTA,CAAAA;;;;;;;;;;;cAWsCA,CAAAA,QAAAA,EAAAA;IACQA,KAAAA,CAAAA,EAAAA,OAAAA;IAQvCnC,KAAAA,CAAAA,EAAAA,MAAAA;MC4NN,OD/N6BmC,CC+NrB,UD/NqBA,CAAAA;;;;;iBAmCNA,CAAAA,QAAAA,EAAAA,MAAAA,EAAAA,QAAAA,EAAAA;IAyBPnC,KAAAA,CAAAA,EAAAA,OAAAA;MCmMhB,ODxM2CmC,CAAAA,IAAAA,CAAAA;;AA2D1BA,KCgKZ,UAAA,GAAa,UDhKDA,CAAAA,OCgKmB,gBDhKnBA,CAAAA;;;;;;;;AFlfxB;AAOA;AAA8B,UIrBb,cAAA,CJqBa;eACN,EAAA,MAAA;;;AAaxB;AAiBA;AA4BA;EAAkC,OAAA,CAAA,EAAA,MAAA;;YAE/B,CAAA,EAAA,MAAA;EAAO;EAmBY,SAAA,EAAA,CAAA,KAAa,EAAA,MAAA,EAAA,EAAA,GAAA,IAAA,GI1FM,OJ0FN,CAAA,IAAA,CAAA;;;;;AAanC;;AAGS,iBIlGa,YAAA,CJkGb,OAAA,EIjGE,cJiGF,CAAA,EIhGN,OJgGM,CAAA,GAAA,GIhGQ,OJgGR,CAAA,IAAA,CAAA,CAAA;;;;AArCa,UKpEL,YAAA,CLoEiB;EAAA,IAAA,EAAA,MAAA;SAEvB,EAAA,OAAA;MAAR,CAAA,EAAA,MAAA;EAAO,IAAA,CAAA,EAAA,MAAA;EAmBY,KAAA,CAAA,EAAA,MAAA;;;;;AAatB;;;;;AAgCA;AAgBA;AAgBgB,iBKpEM,WAAA,CLoEO,aAAA,EAAA,MAAA,EAAA,aAAA,EAAA,MAAA,EAAA,EAAA,MAAA,EKjEnB,cLiEmB,EAAA,QAAA,EAAA;EAAA,WAAA,CAAA,EAAA,MAAA;OACpB,CAAA,EAAA,OAAA;IKhEN,OLiEO,CKjEC,YLiED,EAAA,CAAA;;;;AAhIO,UM1CA,cAAA,CN0CY;EA4BP,IAAA,EAAA,MAAA;EAAY,OAAA,EAAA,OAAA;MAEvB,CAAA,EAAA,MAAA;OAAR,CAAA,EAAA,MAAA;;AAmBmB,iBMtCA,aAAA,CNsCa,aAAA,EAAA,MAAA,EAAA,aAAA,EAAA,MAAA,EAAA,EAAA,MAAA,EMnCzB,cNmCyB,EAAA,cAAA,CAAA,EMlChB,cNkCgB,EAAA,QAAA,EAAA;EAAA,WAAA,CAAA,EAAA,MAAA;OAEvB,CAAA,EAAA,OAAA;IMlCT,ONmCA,CMnCQ,cNmCR,EAAA,CAAA;;;;;;;;AA1Fc,UOjBA,YAAA,CPiBa;EAOb,UAAA,CAAA,EAAA,MAAa;EAAA,WAAA,CAAA,EAAA,MAAA;;;;AAc9B;AAiBA;AA4BA;AAAkC,iBOzEZ,SPyEY,CAAA,CAAA,CAAA,CAAA,EAAA,EAAA,GAAA,GOxEtB,OPwEsB,COxEd,CPwEc,CAAA,EAAA,OAAA,CAAA,EOvEvB,YPuEuB,CAAA,EOtE/B,OPsE+B,COtEvB,CPsEuB,CAAA;;;;AAAZ,UQ7DL,WAAA,CR6DiB;EAAA,SAAA,EAAA,MAAA,GAAA,SAAA,GAAA,KAAA;SAEvB,EAAA,MAAA;MAAR,EAAA,MAAA;;AAmBmB,UQ5EL,gBAAA,CR4EkB;EAAA,aAAA,EAAA,MAAA;QAEvB,EQ5EF,cR4EE;;UQzEF,YAAA,CR0EA;EAUY,IAAA,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,IAAmB;EAAA,IAAA,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,IAAA;OAGhC,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,IAAA;OACN,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,IAAA;;AA4BmB,UQ7GL,gBAAA,CR6GwB;EAgBnB,UAAA,CAAA,MAAA,EQ5HD,WR4HoC,EAAA,CAAA,EQ5HpB,OR4H2B,CAAA,IAAA,CAAA;EAgBhD,YAAA,CAAA,MAAa,EQ3IN,WR2IM,EAAA,CAAA,EQ3IU,OR2IV,CAAA,IAAA,CAAA;EAAA,kBAAA,CAAA,QAAA,EAAA,MAAA,EAAA,SAAA,EAAA,SAAA,GAAA,SAAA,CAAA,EQ1I6C,OR0I7C,CAAA,IAAA,CAAA;UACpB,EAAA,EQ1IK,OR0IL,CAAA,IAAA,CAAA;WACC,EAAA,EQ1IK,WR0IL,EAAA;;AACK,iBQxIC,sBAAA,CRwID,MAAA,EQvIL,gBRuIK,EAAA,GAAA,EQtIR,YRsIQ,CAAA,EQrIZ,gBRqIY"}
@@ -192,6 +192,12 @@ function runtimeDefaults(runtime) {
192
192
  runtimeDefaultsCache.set(runtime, patterns);
193
193
  return patterns;
194
194
  }
195
+ function toRules(input) {
196
+ return Array.isArray(input) ? {
197
+ forced: input,
198
+ user: []
199
+ } : input;
200
+ }
195
201
  function normaliseIgnorePattern(raw) {
196
202
  const trimmed = raw.trim();
197
203
  if (!trimmed) return trimmed;
@@ -207,21 +213,27 @@ function normaliseIgnorePattern(raw) {
207
213
  }
208
214
  async function loadIgnorePatterns(workspacePath, runtime = "openclaw") {
209
215
  const ignoreFile = (0, node_path.join)(workspacePath, ".alfesyncignore");
210
- const patterns = [...runtimeDefaults(runtime)];
216
+ const forced = [...runtimeDefaults(runtime)];
217
+ const user = [];
211
218
  if ((0, node_fs.existsSync)(ignoreFile)) try {
212
219
  const lines = (await (0, node_fs_promises.readFile)(ignoreFile, "utf-8")).split("\n");
213
220
  for (const line of lines) {
214
221
  const trimmed = line.trim();
215
222
  if (!trimmed || trimmed.startsWith("#")) continue;
216
- patterns.push(normaliseIgnorePattern(trimmed));
223
+ user.push(normaliseIgnorePattern(trimmed));
217
224
  }
218
225
  } catch {}
219
- return patterns;
226
+ return {
227
+ forced,
228
+ user
229
+ };
220
230
  }
221
- function shouldIgnore(relativePath, patterns) {
231
+ function shouldIgnore(relativePath, rules) {
232
+ const { forced, user } = toRules(rules);
233
+ if (forced.length > 0 && micromatch.default.isMatch(relativePath, forced, { dot: true })) return true;
222
234
  const positive = [];
223
235
  const negative = [];
224
- for (const p of patterns) if (p.startsWith("!")) negative.push(p.slice(1));
236
+ for (const p of user) if (p.startsWith("!")) negative.push(p.slice(1));
225
237
  else positive.push(p);
226
238
  if (positive.length === 0) return false;
227
239
  if (!micromatch.default.isMatch(relativePath, positive, { dot: true })) return false;
@@ -229,12 +241,12 @@ function shouldIgnore(relativePath, patterns) {
229
241
  return !micromatch.default.isMatch(relativePath, negative, { dot: true });
230
242
  }
231
243
  const IGNORE_DIR_PROBE = "__alfe_ignore_probe__";
232
- function shouldIgnoreDir(relativeDir, patterns) {
244
+ function shouldIgnoreDir(relativeDir, rules) {
233
245
  if (relativeDir === "") return false;
234
- return shouldIgnore(`${relativeDir}/${IGNORE_DIR_PROBE}`, patterns);
246
+ return shouldIgnore(`${relativeDir}/${IGNORE_DIR_PROBE}`, rules);
235
247
  }
236
- function filterIgnored(paths, patterns) {
237
- return paths.filter((p) => !shouldIgnore(p, patterns));
248
+ function filterIgnored(paths, rules) {
249
+ return paths.filter((p) => !shouldIgnore(p, rules));
238
250
  }
239
251
  //#endregion
240
252
  //#region src/retry.ts
@@ -169,6 +169,12 @@ function runtimeDefaults(runtime) {
169
169
  runtimeDefaultsCache.set(runtime, patterns);
170
170
  return patterns;
171
171
  }
172
+ function toRules(input) {
173
+ return Array.isArray(input) ? {
174
+ forced: input,
175
+ user: []
176
+ } : input;
177
+ }
172
178
  function normaliseIgnorePattern(raw) {
173
179
  const trimmed = raw.trim();
174
180
  if (!trimmed) return trimmed;
@@ -184,21 +190,27 @@ function normaliseIgnorePattern(raw) {
184
190
  }
185
191
  async function loadIgnorePatterns(workspacePath, runtime = "openclaw") {
186
192
  const ignoreFile = join(workspacePath, ".alfesyncignore");
187
- const patterns = [...runtimeDefaults(runtime)];
193
+ const forced = [...runtimeDefaults(runtime)];
194
+ const user = [];
188
195
  if (existsSync(ignoreFile)) try {
189
196
  const lines = (await readFile(ignoreFile, "utf-8")).split("\n");
190
197
  for (const line of lines) {
191
198
  const trimmed = line.trim();
192
199
  if (!trimmed || trimmed.startsWith("#")) continue;
193
- patterns.push(normaliseIgnorePattern(trimmed));
200
+ user.push(normaliseIgnorePattern(trimmed));
194
201
  }
195
202
  } catch {}
196
- return patterns;
203
+ return {
204
+ forced,
205
+ user
206
+ };
197
207
  }
198
- function shouldIgnore(relativePath, patterns) {
208
+ function shouldIgnore(relativePath, rules) {
209
+ const { forced, user } = toRules(rules);
210
+ if (forced.length > 0 && micromatch.isMatch(relativePath, forced, { dot: true })) return true;
199
211
  const positive = [];
200
212
  const negative = [];
201
- for (const p of patterns) if (p.startsWith("!")) negative.push(p.slice(1));
213
+ for (const p of user) if (p.startsWith("!")) negative.push(p.slice(1));
202
214
  else positive.push(p);
203
215
  if (positive.length === 0) return false;
204
216
  if (!micromatch.isMatch(relativePath, positive, { dot: true })) return false;
@@ -206,12 +218,12 @@ function shouldIgnore(relativePath, patterns) {
206
218
  return !micromatch.isMatch(relativePath, negative, { dot: true });
207
219
  }
208
220
  const IGNORE_DIR_PROBE = "__alfe_ignore_probe__";
209
- function shouldIgnoreDir(relativeDir, patterns) {
221
+ function shouldIgnoreDir(relativeDir, rules) {
210
222
  if (relativeDir === "") return false;
211
- return shouldIgnore(`${relativeDir}/${IGNORE_DIR_PROBE}`, patterns);
223
+ return shouldIgnore(`${relativeDir}/${IGNORE_DIR_PROBE}`, rules);
212
224
  }
213
- function filterIgnored(paths, patterns) {
214
- return paths.filter((p) => !shouldIgnore(p, patterns));
225
+ function filterIgnored(paths, rules) {
226
+ return paths.filter((p) => !shouldIgnore(p, rules));
215
227
  }
216
228
  //#endregion
217
229
  //#region src/retry.ts