@aryee337/aery-ai 0.1.148 → 0.2.10

package/dist/types/utils/oauth/ollama.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Ollama login flow.
+ *
+ * Ollama is typically used locally without authentication, but some hosted
+ * deployments require a bearer token/API key.
+ *
+ * This flow is API-key based (not OAuth):
+ * 1. Optionally open Ollama docs
+ * 2. Prompt user for API key/token (optional)
+ * 3. Persist key only when provided
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Ollama.
+ *
+ * Returns a trimmed API key/token string. Empty string means local no-auth mode.
+ */
+export declare function loginOllama(options: OAuthController): Promise<string>;

package/dist/types/utils/oauth/openai-codex.d.ts

@@ -0,0 +1,21 @@
+import type { OAuthController, OAuthCredentials } from "./types";
+export declare function decodeJwt<T = Record<string, unknown>>(token: string): T | null;
+/**
+ * Login with OpenAI Codex OAuth
+ */
+export type OpenAICodexLoginOptions = OAuthController & {
+    /** Optional originator value for OpenAI Codex OAuth. Default: "opencode". */
+    originator?: string;
+};
+export declare function loginOpenAICodex(options: OpenAICodexLoginOptions): Promise<OAuthCredentials>;
+/**
+ * Login with OpenAI Codex using the device-code (headless) flow.
+ *
+ * Avoids a local callback server entirely — useful when port 1455 is unavailable
+ * or when the browser callback flow fails with 403 (e.g. network/proxy issues).
+ */
+export declare function loginOpenAICodexDevice(ctrl: OAuthController): Promise<OAuthCredentials>;
+/**
+ * Refresh OpenAI Codex OAuth token
+ */
+export declare function refreshOpenAICodexToken(refreshToken: string): Promise<OAuthCredentials>;

package/dist/types/utils/oauth/opencode.d.ts

@@ -0,0 +1,18 @@
+/**
+ * OpenCode Zen login flow.
+ *
+ * OpenCode Zen is a subscription service that provides access to various AI models
+ * (GPT-5.x, Claude 4.x, Gemini 3, etc.) through a unified API at opencode.ai/zen.
+ * This is not OAuth - it's a simple API key flow:
+ * 1. Open browser to https://opencode.ai/auth
+ * 2. User logs in and copies their API key
+ * 3. User pastes the API key back into the CLI
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to OpenCode Zen.
+ *
+ * Opens browser to auth page, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export declare function loginOpenCode(options: OAuthController): Promise<string>;

package/dist/types/utils/oauth/openrouter.d.ts

@@ -0,0 +1 @@
+export declare const loginOpenRouter: (options: import("./types").OAuthController) => Promise<string>;

package/dist/types/utils/oauth/parallel.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Parallel login flow.
+ *
+ * Parallel uses an API key from the account settings page.
+ * This is an API key flow:
+ * 1. Open browser to Parallel API key settings
+ * 2. User copies API key
+ * 3. User pastes key into the CLI/TUI
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Parallel.
+ *
+ * Opens browser to the API keys page, prompts the user to paste their API key,
+ * and returns the API key directly.
+ */
+export declare function loginParallel(options: OAuthController): Promise<string>;

package/dist/types/utils/oauth/perplexity.d.ts

@@ -0,0 +1,9 @@
+import type { OAuthController, OAuthCredentials } from "./types";
+/**
+ * Login to Perplexity.
+ *
+ * Tries auto-extraction from the desktop app, then runs HTTP email OTP login.
+ *
+ * No browser/manual token paste fallback is used.
+ */
+export declare function loginPerplexity(ctrl: OAuthController): Promise<OAuthCredentials>;

package/dist/{utils → types/utils}/oauth/pkce.d.ts

@@ -1,7 +1,3 @@
-/**
- * PKCE utilities using Web Crypto API.
- * Works in both Node.js 20+ and browsers.
- */
 /**
  * Generate PKCE code verifier and challenge.
  * Uses Web Crypto API for cross-platform compatibility.
@@ -10,4 +6,3 @@ export declare function generatePKCE(): Promise<{
     verifier: string;
     challenge: string;
 }>;
-//# sourceMappingURL=pkce.d.ts.map

package/dist/types/utils/oauth/qianfan.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Qianfan login flow.
+ *
+ * Qianfan provides an OpenAI-compatible API endpoint.
+ * Login is API-key based:
+ * 1. Open browser to Qianfan API key console
+ * 2. User copies API key
+ * 3. User pastes key into CLI prompt
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Qianfan.
+ *
+ * Opens browser to API key page, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export declare function loginQianfan(options: OAuthController): Promise<string>;

package/dist/types/utils/oauth/qwen-portal.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Qwen Portal login flow.
+ *
+ * Qwen Portal exposes an OpenAI-compatible endpoint at https://portal.qwen.ai/v1
+ * and accepts OAuth bearer tokens or API keys.
+ *
+ * This is a token/API-key flow:
+ * 1. Open Qwen Portal
+ * 2. Copy either your OAuth token or API key
+ * 3. Paste it into the CLI
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Qwen Portal.
+ *
+ * Prompts for either `QWEN_OAUTH_TOKEN` or `QWEN_PORTAL_API_KEY` value.
+ * Returns the value directly (stored as api_key credential in auth storage).
+ */
+export declare function loginQwenPortal(options: OAuthController): Promise<string>;

package/dist/types/utils/oauth/synthetic.d.ts

@@ -0,0 +1 @@
+export declare const loginSynthetic: (options: import("./types").OAuthController) => Promise<string>;

package/dist/types/utils/oauth/tavily.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Tavily login flow.
+ *
+ * Tavily web search uses an API key from the account settings page.
+ * This is an API key flow:
+ * 1. Open browser to Tavily settings
+ * 2. User copies API key
+ * 3. User pastes key into CLI
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Tavily.
+ *
+ * Opens browser to API keys page and prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export declare function loginTavily(options: OAuthController): Promise<string>;

package/dist/types/utils/oauth/together.d.ts

@@ -0,0 +1 @@
+export declare const loginTogether: (options: import("./types").OAuthController) => Promise<string>;

package/dist/types/utils/oauth/types.d.ts

@@ -0,0 +1,44 @@
+export type OAuthCredentials = {
+    refresh: string;
+    access: string;
+    expires: number;
+    enterpriseUrl?: string;
+    projectId?: string;
+    email?: string;
+    accountId?: string;
+};
+export type OAuthProvider = "alibaba-coding-plan" | "anthropic" | "cerebras" | "cloudflare-ai-gateway" | "cursor" | "deepseek" | "fireworks" | "firepass" | "github-copilot" | "google-gemini-cli" | "google-antigravity" | "gitlab-duo" | "huggingface" | "kimi-code" | "kilo" | "kagi" | "litellm" | "lm-studio" | "minimax-code" | "minimax-code-cn" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "openai-codex" | "openai-codex-device" | "opencode-go" | "openrouter" | "opencode-zen" | "parallel" | "perplexity" | "qianfan" | "qwen-portal" | "synthetic" | "tavily" | "together" | "venice" | "vercel-ai-gateway" | "wafer-pass" | "wafer-serverless" | "vllm" | "xai-oauth" | "xiaomi" | "zenmux" | "zai" | "zhipu-coding-plan";
+export type OAuthProviderId = OAuthProvider | (string & {});
+export type OAuthPrompt = {
+    message: string;
+    placeholder?: string;
+    allowEmpty?: boolean;
+};
+export type OAuthAuthInfo = {
+    url: string;
+    instructions?: string;
+};
+export interface OAuthProviderInfo {
+    id: OAuthProviderId;
+    name: string;
+    available: boolean;
+}
+export interface OAuthController {
+    onAuth?(info: OAuthAuthInfo): void;
+    onProgress?(message: string): void;
+    onManualCodeInput?(): Promise<string>;
+    onPrompt?(prompt: OAuthPrompt): Promise<string>;
+    signal?: AbortSignal;
+}
+export interface OAuthLoginCallbacks extends OAuthController {
+    onAuth: (info: OAuthAuthInfo) => void;
+    onPrompt: (prompt: OAuthPrompt) => Promise<string>;
+}
+export interface OAuthProviderInterface {
+    readonly id: OAuthProviderId;
+    readonly name: string;
+    readonly sourceId?: string;
+    login(callbacks: OAuthLoginCallbacks): Promise<OAuthCredentials | string>;
+    refreshToken?(credentials: OAuthCredentials): Promise<OAuthCredentials>;
+    getApiKey?(credentials: OAuthCredentials): string;
+}

package/dist/types/utils/oauth/venice.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Venice login flow.
+ *
+ * Venice provides OpenAI-compatible models via https://api.venice.ai/api/v1.
+ *
+ * This is not OAuth - it's a simple API key flow:
+ * 1. Open browser to Venice API key settings
+ * 2. User copies their API key
+ * 3. User pastes the API key into the CLI
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Venice.
+ *
+ * Opens browser to API keys page, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export declare function loginVenice(options: OAuthController): Promise<string>;

package/dist/types/utils/oauth/vercel-ai-gateway.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Vercel AI Gateway login flow.
+ *
+ * Vercel AI Gateway proxies upstream model providers through a unified endpoint.
+ *
+ * This is not OAuth - it's a simple API key flow:
+ * 1. Open Vercel AI Gateway docs
+ * 2. User copies their API key
+ * 3. User pastes the API key into the CLI
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Vercel AI Gateway.
+ *
+ * Opens browser to Vercel AI Gateway docs and prompts for an API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export declare function loginVercelAiGateway(options: OAuthController): Promise<string>;

package/dist/types/utils/oauth/vllm.d.ts

@@ -0,0 +1,16 @@
+/**
+ * vLLM login flow.
+ *
+ * vLLM is commonly self-hosted with an OpenAI-compatible API at a local base URL.
+ * Some deployments require a bearer token, others allow unauthenticated access.
+ *
+ * This flow stores an API-key-style credential used by `/login` and auth storage.
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to vLLM.
+ *
+ * Opens vLLM OpenAI-compatible auth docs, prompts for an optional token,
+ * and returns a stored key value.
+ */
+export declare function loginVllm(options: OAuthController): Promise<string>;

package/dist/types/utils/oauth/wafer.d.ts

@@ -0,0 +1,2 @@
+export declare const loginWaferPass: (options: import("./types").OAuthController) => Promise<string>;
+export declare const loginWaferServerless: (options: import("./types").OAuthController) => Promise<string>;

package/dist/types/utils/oauth/xai-oauth.d.ts

@@ -0,0 +1,60 @@
+/**
+ * xAI Grok (SuperGrok Subscription) OAuth flow.
+ *
+ * Loopback PKCE flow on `127.0.0.1:56121/callback`. One token unlocks Grok-4.x
+ * chat, Grok Imagine image generation, and Grok Voice TTS via subsequent
+ * commits. Endpoint discovery is hardened against MITM via
+ * {@link validateXAIEndpoint}: any non-HTTPS or non-`x.ai`/`*.x.ai` host is
+ * rejected on every call site, not just the first.
+ */
+import { OAuthCallbackFlow } from "./callback-server";
+import type { OAuthController, OAuthCredentials } from "./types";
+/**
+ * Validate an xAI OIDC discovery endpoint against scheme + host.
+ *
+ * Hermes `_xai_validate_oauth_endpoint` L2997-3035. The discovery response is
+ * long-lived and cached in {@link OAuthCredentials}; a single MITM during
+ * initial login could substitute a malicious `token_endpoint` that would then
+ * receive every future refresh_token. Rejecting non-HTTPS or non-`x.ai` /
+ * `*.x.ai` hosts pins the cached endpoint to the xAI auth origin.
+ *
+ * @throws Error with message `Invalid xAI <field>: <url>` when the URL fails
+ *         either scheme or host validation.
+ */
+export declare function validateXAIEndpoint(url: string, field: string): string;
+/**
+ * Check whether a JWT access token is at or past its `exp` claim (with an
+ * optional refresh-skew margin).
+ *
+ * Hermes `_xai_access_token_is_expiring` L2979-2994. Returns `false` for any
+ * malformed input — this is a refresh-trigger check, not a validation, so
+ * non-JWTs ("no token in cache") must NOT trigger a spurious refresh.
+ */
+export declare function isXAIAccessTokenExpiring(jwt: string, skewSeconds?: number): boolean;
+/**
+ * xAI Grok OAuth loopback flow (Hermes `_xai_oauth_loopback_login` L5315-5469).
+ *
+ * Uses a fixed redirect URI so the callback server fails fast instead of
+ * falling back to a random port that xAI's redirect_uri allowlist rejects.
+ */
+export declare class XAIOAuthFlow extends OAuthCallbackFlow {
+    #private;
+    constructor(ctrl: OAuthController);
+    generateAuthUrl(state: string, redirectUri: string): Promise<{
+        url: string;
+        instructions?: string;
+    }>;
+    exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials>;
+}
+/**
+ * Login with xAI Grok OAuth (SuperGrok Subscription).
+ */
+export declare function loginXAIOAuth(ctrl: OAuthController): Promise<OAuthCredentials>;
+/**
+ * Refresh an xAI OAuth access token using a stored refresh_token.
+ *
+ * Hermes `refresh_xai_oauth_pure` L3087-3160. Re-runs OIDC discovery and
+ * re-validates the cached `token_endpoint` on the refresh hot path so a
+ * cached-but-poisoned endpoint cannot silently leak a refresh_token.
+ */
+export declare function refreshXAIOAuthToken(refreshToken: string): Promise<OAuthCredentials>;

package/dist/types/utils/oauth/xiaomi.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Xiaomi MiMo login flow.
+ *
+ * Xiaomi MiMo provides OpenAI-compatible models via
+ * https://api.xiaomimimo.com/v1.
+ *
+ * This is not OAuth - it's a simple API key flow:
+ * 1. Open browser to Xiaomi MiMo API key console
+ * 2. User copies their API key
+ * 3. User pastes the API key into the CLI
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Xiaomi MiMo.
+ *
+ * Opens browser to API keys page, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export declare function loginXiaomi(options: OAuthController): Promise<string>;

package/dist/types/utils/oauth/zai.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Z.AI login flow.
+ *
+ * Z.AI is a platform that provides access to GLM models through an OpenAI-compatible API.
+ * API docs: https://docs.z.ai/guides/overview/quick-start
+ *
+ * This is not OAuth - it's a simple API key flow:
+ * 1. User gets their API key from https://z.ai/settings/api-keys
+ * 2. User pastes the API key into the CLI
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Z.AI.
+ *
+ * Opens browser to API keys page, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export declare function loginZai(options: OAuthController): Promise<string>;

package/dist/types/utils/oauth/zenmux.d.ts

@@ -0,0 +1 @@
+export declare const loginZenMux: (options: import("./types").OAuthController) => Promise<string>;

package/dist/types/utils/oauth/zhipu.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Zhipu Coding Plan login flow.
+ *
+ * GLM Coding Plan provides an OpenAI-compatible API on the dedicated coding
+ * endpoint. API docs: https://docs.bigmodel.cn/cn/coding-plan/quick-start
+ *
+ * Simple API key flow:
+ * 1. User gets a Coding Plan API key from https://bigmodel.cn/coding-plan/personal/overview
+ * 2. User pastes the API key into the CLI
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Zhipu Coding Plan.
+ *
+ * Opens browser to API keys page, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export declare function loginZhipuCodingPlan(options: OAuthController): Promise<string>;

package/dist/{utils → types/utils}/overflow.d.ts

@@ -1,4 +1,4 @@
-import type { AssistantMessage } from "../types.ts";
+import type { AssistantMessage } from "../types";
 /**
  * Check if an assistant message represents a context overflow error.
  *
@@ -11,27 +11,26 @@ import type { AssistantMessage } from "../types.ts";
  * ## Reliability by Provider
  *
  * **Reliable detection (returns error with detectable message):**
- * - Anthropic: "prompt is too long: X tokens > Y maximum" or "request_too_large"
- * - OpenAI (Completions & Responses): "exceeds the context window" or "exceeds the model's maximum context length of X tokens"
+ * - Anthropic: "prompt is too long: X tokens > Y maximum"
+ * - OpenAI (Completions & Responses): "exceeds the context window"
  * - Google Gemini: "input token count exceeds the maximum"
  * - xAI (Grok): "maximum prompt length is X but request contains Y"
  * - Groq: "reduce the length of the messages"
  * - Cerebras: 400/413 status code (no body)
- * - Mistral: "Prompt contains X tokens ... too large for model with Y maximum context length"
+ * - Mistral: 400/413 status code (no body)
+ * - HTTP 413 payload/entity-too-large variants
  * - OpenRouter (all backends): "maximum context length is X tokens"
- * - Together AI: "The input (X tokens) is longer than the model's context length (Y tokens)."
  * - llama.cpp: "exceeds the available context size"
  * - LM Studio: "greater than the context length"
  * - Kimi For Coding: "exceeded model token limit: X (requested: Y)"
+ * - Anthropic 413: "request_too_large" (request body exceeds size limit)
+ * - HTTP 413: "Payload Too Large" / "Request Entity Too Large"
  *
  * **Unreliable detection:**
  * - z.ai: Sometimes accepts overflow silently (detectable via usage.input > contextWindow),
  *   sometimes returns rate limit errors. Pass contextWindow param to detect silent overflow.
- * - Xiaomi MiMo: Truncates input to fit contextWindow then returns stopReason "length" with
- *   output=0. Pass contextWindow param to detect via the "filled context + zero output" signal.
- * - Ollama: May truncate input silently for some setups, but may also return explicit
- *   overflow errors that match the patterns above. Silent truncation still cannot be
- *   detected here because we do not know the expected token count.
+ * - Ollama: Silently truncates input without error. Cannot be detected via this function.
+ *   The response will have usage.input < expected, but we don't know the expected value.
  *
  * ## Custom Providers
  *
@@ -53,4 +52,3 @@ export declare function isContextOverflow(message: AssistantMessage, contextWind
  * Get the overflow patterns for testing purposes.
  */
 export declare function getOverflowPatterns(): RegExp[];
-//# sourceMappingURL=overflow.d.ts.map

package/dist/types/utils/parse-bind.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Shared `host:port` parser used by the auth-broker and auth-gateway boot
+ * paths. Centralized so the two servers can't drift on what they accept (the
+ * gateway used to silently allow empty hostnames; this fixes it).
+ */
+export interface ParsedBind {
+    hostname: string;
+    port: number;
+}
+/**
+ * Parse a `host:port` (or bare `port`, which assumes loopback) string.
+ *
+ * Accepts:
+ *   - `"4000"`            → `127.0.0.1:4000`
+ *   - `"0.0.0.0:4000"`    → as written
+ *   - `"[::1]:4000"`      → as written (brackets retained, Bun handles them)
+ *
+ * Rejects:
+ *   - empty input
+ *   - empty hostname (`":4000"`)
+ *   - non-integer / out-of-range port
+ */
+export declare function parseBind(raw: string): ParsedBind;

package/dist/types/utils/provider-response.d.ts

@@ -0,0 +1,3 @@
+import type { Api, Model, ProviderResponseMetadata, StreamOptions } from "../types";
+export declare function normalizeProviderResponse(response: Response, requestId?: string | null, metadata?: Record<string, unknown>): ProviderResponseMetadata;
+export declare function notifyProviderResponse(options: Pick<StreamOptions, "onResponse"> | undefined, response: Response, model?: Model<Api>, requestId?: string | null, metadata?: Record<string, unknown>): Promise<void>;

package/dist/types/utils/request-debug.d.ts

@@ -0,0 +1,29 @@
+import type { FetchImpl } from "../types";
+export type RequestDebugHeaders = Headers | Record<string, string | string[] | number | undefined | null> | undefined;
+export interface RequestDebugPayload {
+    method: string;
+    url: string;
+    headers?: RequestDebugHeaders;
+    body?: unknown;
+    bodyText?: string;
+    bodyBase64?: string;
+    bodyUnavailable?: string;
+    protocol?: string;
+}
+export interface RequestDebugResponseLog {
+    write(chunk: Uint8Array | string): void;
+    close(): Promise<void>;
+}
+export interface RequestDebugSession {
+    readonly id: number;
+    readonly requestPath: string;
+    readonly responsePath: string;
+    openResponseLog(statusLine: string, headers?: RequestDebugHeaders): Promise<RequestDebugResponseLog>;
+    wrapResponse(response: Response): Promise<Response>;
+}
+export declare function isRequestDebugEnabled(): boolean;
+export declare function wrapFetchForRequestDebug(fetchImpl: FetchImpl): FetchImpl;
+export declare function withRequestDebugFetch<T extends {
+    fetch?: FetchImpl;
+} | undefined>(options: T): T;
+export declare function createRequestDebugSession(payload: RequestDebugPayload): Promise<RequestDebugSession>;

package/dist/types/utils/retry-after.d.ts

@@ -0,0 +1,3 @@
+export type HeadersLike = Headers | Record<string, string | undefined> | undefined | null;
+export declare function formatErrorMessageWithRetryAfter(error: unknown, headers?: HeadersLike): string;
+export declare function getRetryAfterMsFromHeaders(headers: HeadersLike): number | undefined;

package/dist/types/utils/retry.d.ts

@@ -0,0 +1,26 @@
+/**
+ * GitHub Copilot intermittently rejects preview models (gpt-5.3-codex,
+ * gpt-5.4, gpt-5.4-mini, ...) with HTTP 400 `model_not_supported`, even
+ * though the model is listed as enabled on the user's account via `/models`.
+ *
+ * Root cause: Copilot's request-routing backend is rolled out per OAuth
+ * client. Our OAuth client id is shared with opencode; VS Code uses its own
+ * client and sees full availability, so the same account may succeed in VS
+ * Code and flap between 200/400 here. See opencode#13313 and copilot-cli#2597.
+ *
+ * Retrying the identical request 2-3 times almost always lands on a backend
+ * that has the model, so we wrap the initial request with a short retry loop.
+ */
+export declare function isCopilotTransientModelError(error: unknown): boolean;
+/**
+ * Wrap an initial Copilot request so transient `model_not_supported` 400s are
+ * retried a small number of times. No-op for non-Copilot providers.
+ *
+ * The callback **MUST** create a fresh in-flight request each invocation — a
+ * once-consumed AsyncIterable cannot be re-iterated.
+ */
+export declare function callWithCopilotModelRetry<T>(fn: () => Promise<T>, options: {
+    provider: string;
+    signal?: AbortSignal;
+    retryBaseDelayMs?: number;
+}): Promise<T>;

package/dist/types/utils/schema/adapt.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Set when callers want to globally bypass OpenAI strict-mode enforcement
+ * (e.g. for debugging a provider that misreports strict support, or when
+ * comparing strict vs non-strict outputs).
+ *
+ * Honored by every provider that emits `strict: true` on its function tools —
+ * see `openai-completions`, `openai-responses`, `openai-codex-responses`, and
+ * the strict candidate selection in `anthropic`.
+ */
+export declare const NO_STRICT: boolean;
+/**
+ * Consolidated helper for OpenAI-style strict schema enforcement.
+ *
+ * Each provider computes its own `strict` boolean (logic differs), then calls
+ * this to handle the tryEnforceStrictSchema dance uniformly:
+ * - Draft-07-shaped inputs are upgraded to draft 2020-12 first.
+ * - If `strict` is false, passes the upgraded schema through unchanged.
+ * - If `strict` is true, attempts to enforce strict mode; falls back to
+ *   non-strict if the schema isn't representable.
+ */
+export declare function adaptSchemaForStrict(schema: Record<string, unknown>, strict: boolean): {
+    schema: Record<string, unknown>;
+    strict: boolean;
+};

package/dist/types/utils/schema/compatibility.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Schema compatibility audits.
+ *
+ * Each provider has a different idea of what JSON Schema features it accepts
+ * for tool definitions. The normalizers in `normalize.ts`, `strict-mode`,
+ * and `adapt.ts` rewrite incoming schemas to fit. This module is the
+ * *audit* counterpart: it walks a (presumably already-sanitized) schema and
+ * reports any feature the target provider would reject. Tests use it to lock
+ * down the contract; the runtime uses it to fail-open with diagnostic logs
+ * rather than silently shipping a broken tool definition.
+ */
+export type SchemaCompatibilityProvider = "openai-strict" | "google" | "cloud-code-assist-claude";
+export interface SchemaCompatibilityViolation {
+    path: string;
+    rule: string;
+    message: string;
+    key?: string;
+    value?: unknown;
+}
+export interface SchemaCompatibilityResult {
+    provider: SchemaCompatibilityProvider;
+    compatible: boolean;
+    violations: SchemaCompatibilityViolation[];
+}
+export interface StrictSchemaEnforcementResult {
+    schema: Record<string, unknown>;
+    strict: boolean;
+}
+export declare function validateSchemaCompatibility(schema: unknown, provider: SchemaCompatibilityProvider): SchemaCompatibilityResult;
+export declare function validateStrictSchemaEnforcement(originalSchema: Record<string, unknown>, result: StrictSchemaEnforcementResult): SchemaCompatibilityResult;

package/dist/types/utils/schema/dereference.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Dereference all local `$ref` pointers in a JSON Schema, inlining definitions
+ * from `$defs` / `definitions`. The `$defs` block is stripped from the output.
+ *
+ * Non-local refs (e.g. `http://...`) are left untouched.
+ * Circular references are broken with `{}`.
+ *
+ * @returns A new schema object with all local refs inlined, or the input unchanged
+ *          if it's not an object or has no `$defs`/`definitions`.
+ */
+export declare function dereferenceJsonSchema(schema: unknown): unknown;

package/dist/types/utils/schema/draft.d.ts

@@ -0,0 +1,10 @@
+export declare const JSON_SCHEMA_DRAFT_2020_12_URI = "https://json-schema.org/draft/2020-12/schema";
+/** Pre-check entrypoint. Exposed so callers can decide whether to take the upgrade path at all. */
+export declare function schemaNeedsDraft202012Upgrade(schema: unknown): boolean;
+/**
+ * Upgrade legacy JSON Schema shapes to the draft 2020-12 form emitted by Zod.
+ *
+ * This keeps extension/MCP/TypeBox schemas compatible with providers whose tool
+ * validators reject draft-07 tuple and dependency keywords.
+ */
+export declare function upgradeJsonSchemaTo202012(schema: unknown): unknown;

package/dist/types/utils/schema/equality.d.ts

@@ -0,0 +1,4 @@
+import type { JsonObject } from "./types";
+export declare function areJsonValuesEqual(left: unknown, right: unknown): boolean;
+export declare function mergeCompatibleEnumSchemas(existing: unknown, incoming: unknown): JsonObject | null;
+export declare function mergePropertySchemas(existing: unknown, incoming: unknown): unknown;