@botcord/daemon 0.2.78 → 0.2.79

package/dist/gateway/dispatcher.js

@@ -124,6 +124,25 @@ function extractCloudRunBudget(msg) {
     }
     return out.maxWallTimeMs !== undefined || out.maxToolCalls !== undefined ? out : undefined;
 }
+function looksLikeRecoverableSessionFailure(error) {
+    return /compact|compaction|context|token limit|maximum context|too many tokens|conversation found|session .*not found|resume/i
+        .test(error);
+}
+function buildRuntimeRecoveryPrompt(args) {
+    return [
+        "[BotCord Runtime Recovery Notice]",
+        "The previous Codex runtime session for this room became unrecoverable while resuming or compacting context.",
+        `Previous runtime error: ${truncate(args.error, 1000)}`,
+        "You are now running in a fresh Codex session.",
+        "Use the recent room messages below, current filesystem state, and available BotCord memory/context tools to reconstruct the active task.",
+        "Continue the original user request without asking the user to repeat information unless it is missing from those sources.",
+        "",
+        args.recoveryContext?.trim() || "[Recent Room Messages]\n(unavailable)",
+        "",
+        "[Current User Turn]",
+        args.userTurn,
+    ].join("\n");
+}
 /**
  * Reason carried on `AbortController.abort()` when a cancel-previous wave
  * is taking over the slot. Distinguishing this from a timeout abort lets
@@ -164,6 +183,7 @@ export class Dispatcher {
     runtimeAuthFailureCooldownMs;
     buildSystemContext;
     buildMemoryContext;
+    buildRuntimeRecoveryContext;
     onInbound;
     onOutbound;
     onTurnComplete;
@@ -195,6 +215,7 @@ export class Dispatcher {
             opts.runtimeAuthFailureCooldownMs ?? DEFAULT_RUNTIME_AUTH_FAILURE_COOLDOWN_MS;
         this.buildSystemContext = opts.buildSystemContext;
         this.buildMemoryContext = opts.buildMemoryContext;
+        this.buildRuntimeRecoveryContext = opts.buildRuntimeRecoveryContext;
         this.onInbound = opts.onInbound;
         this.onOutbound = opts.onOutbound;
         this.onTurnComplete = opts.onTurnComplete;
@@ -1269,12 +1290,13 @@ export class Dispatcher {
         const runtime = this.runtimeFactory(route.runtime, route.extraArgs);
         let result;
         let threw;
+        let activeSessionId = sessionId;
         const turnStartedAt = Date.now();
         try {
             try {
-                result = await runtime.run({
-                    text: runtimeText,
-                    sessionId,
+                const runRuntime = (textForRun, sessionIdForRun) => runtime.run({
+                    text: textForRun,
+                    sessionId: sessionIdForRun,
                     cwd: route.cwd,
                     accountId: msg.accountId,
                     hubUrl: this.resolveHubUrl?.(msg.accountId),
@@ -1296,6 +1318,64 @@ export class Dispatcher {
                     gateway: route.gateway,
                     ...(route.hermesProfile ? { hermesProfile: route.hermesProfile } : {}),
                 });
+                result = await runRuntime(runtimeText, sessionId);
+                const firstError = result.error ?? "";
+                const firstReply = (result.text || "").trim();
+                const shouldRetryFresh = route.runtime === "codex" &&
+                    !!sessionId &&
+                    !!firstError &&
+                    !firstReply &&
+                    !looksLikeRuntimeAuthFailure(firstError) &&
+                    looksLikeRecoverableSessionFailure(firstError) &&
+                    !controller.signal.aborted &&
+                    !slot.timedOut &&
+                    !slot.budgetExceeded;
+                if (shouldRetryFresh) {
+                    try {
+                        await this.sessionStore.delete(key);
+                        this.log.info("dispatcher: dropped unrecoverable runtime session before fresh retry", {
+                            key,
+                            prevRuntimeSessionId: sessionId,
+                            runtime: route.runtime,
+                            error: firstError,
+                        });
+                    }
+                    catch (err) {
+                        this.log.warn("dispatcher: session-store.delete failed before fresh retry", {
+                            key,
+                            error: err instanceof Error ? err.message : String(err),
+                        });
+                    }
+                    let recoveryContext;
+                    if (this.buildRuntimeRecoveryContext) {
+                        try {
+                            recoveryContext = await this.buildRuntimeRecoveryContext(msg);
+                        }
+                        catch (err) {
+                            this.log.warn("dispatcher: buildRuntimeRecoveryContext threw — retrying without recent room context", {
+                                agentId: msg.accountId,
+                                roomId: msg.conversation.id,
+                                topicId: msg.conversation.threadId ?? null,
+                                turnId,
+                                error: err instanceof Error ? err.message : String(err),
+                            });
+                        }
+                    }
+                    activeSessionId = null;
+                    runtimeText = buildRuntimeRecoveryPrompt({
+                        userTurn: text,
+                        error: firstError,
+                        recoveryContext,
+                    });
+                    this.log.info("dispatcher: retrying codex turn in a fresh session with recovery context", {
+                        agentId: msg.accountId,
+                        roomId: msg.conversation.id,
+                        topicId: msg.conversation.threadId ?? null,
+                        turnId,
+                        queueKey,
+                    });
+                    result = await runRuntime(runtimeText, null);
+                }
             }
             catch (err) {
                 threw = err;
@@ -1477,12 +1557,12 @@ export class Dispatcher {
             //                                 even when the adapter echoes that id back
             //   result.newSessionId truthy  → upsert the entry
             //   otherwise                   → no-op (e.g. codex intentionally never persists)
-            if (sessionId && effectiveError && !replyText) {
+            if (activeSessionId && effectiveError && !replyText) {
                 try {
                     await this.sessionStore.delete(key);
                     this.log.info("dispatcher: dropped stale runtime session", {
                         key,
-                        prevRuntimeSessionId: sessionId,
+                        prevRuntimeSessionId: activeSessionId,
                         nextRuntimeSessionId: result.newSessionId || null,
                         error: effectiveError,
                     });
@@ -1509,7 +1589,7 @@ export class Dispatcher {
                     updatedAt: Date.now(),
                 };
                 try {
-                    const prevRuntimeSessionId = sessionId;
+                    const prevRuntimeSessionId = activeSessionId;
                     await this.sessionStore.set(session);
                     this.log.debug("dispatcher: persisted runtime session", {
                         key,
@@ -1524,12 +1604,12 @@ export class Dispatcher {
                     });
                 }
             }
-            else if (sessionId && effectiveError) {
+            else if (activeSessionId && effectiveError) {
                 try {
                     await this.sessionStore.delete(key);
                     this.log.info("dispatcher: dropped stale runtime session", {
                         key,
-                        prevRuntimeSessionId: sessionId,
+                        prevRuntimeSessionId: activeSessionId,
                         error: effectiveError,
                     });
                 }

package/dist/gateway/gateway.d.ts

@@ -2,7 +2,7 @@ import { type ChannelBackoffOptions } from "./channel-manager.js";
 import { type DispatcherOptions, type RuntimeFactory } from "./dispatcher.js";
 import { type GatewayLogger } from "./log.js";
 import { type TranscriptWriter } from "./transcript.js";
-import type { ChannelAdapter, GatewayChannelConfig, GatewayConfig, GatewayInboundMessage, GatewayOutboundMessage, GatewayRoute, GatewayRuntimeSnapshot, InboundObserver, MemoryContextBuilder, OutboundObserver, SystemContextBuilder, UserTurnBuilder } from "./types.js";
+import type { ChannelAdapter, GatewayChannelConfig, GatewayConfig, GatewayInboundMessage, GatewayOutboundMessage, GatewayRoute, GatewayRuntimeSnapshot, InboundObserver, MemoryContextBuilder, OutboundObserver, RuntimeRecoveryContextBuilder, SystemContextBuilder, UserTurnBuilder } from "./types.js";
 /** Constructor options for `Gateway`. */
 export interface GatewayBootOptions {
     config: GatewayConfig;
@@ -25,6 +25,11 @@ export interface GatewayBootOptions {
      * resumed runtime sessions get an explicit prompt when memory changes.
      */
     buildMemoryContext?: MemoryContextBuilder;
+    /**
+     * Recent room context provider used by dispatcher when it must discard a
+     * broken runtime session and retry the same turn in a fresh session.
+     */
+    buildRuntimeRecoveryContext?: RuntimeRecoveryContextBuilder;
     /**
      * Observer called after the dispatcher acks each inbound message. Useful
      * for activity tracking or metrics. Errors are logged and swallowed.
@@ -137,6 +142,16 @@ export declare class Gateway {
      * routing, queueing, transcript, and runtime behavior as channel messages.
      */
     injectInbound(message: GatewayInboundMessage): Promise<void>;
+    /**
+     * Inject an inbound message while routing replies through a caller-owned
+     * channel adapter. Cloud gateway runtime sessions use this to execute a
+     * provider message without loading provider credentials inside the sandbox:
+     * the temporary adapter captures the runtime's final reply and the always-on
+     * ingress service performs the provider send.
+     */
+    injectInboundThrough(message: GatewayInboundMessage, channel: ChannelAdapter, ack?: {
+        accept: () => Promise<void>;
+    }): Promise<void>;
     /**
      * Send a daemon-control initiated outbound message through a registered
      * channel. Used by proactive third-party gateway sends where the runtime

package/dist/gateway/gateway.js

@@ -69,6 +69,7 @@ export class Gateway {
             turnTimeoutMs: opts.turnTimeoutMs,
             buildSystemContext: opts.buildSystemContext,
             buildMemoryContext: opts.buildMemoryContext,
+            buildRuntimeRecoveryContext: opts.buildRuntimeRecoveryContext,
             onInbound: opts.onInbound,
             composeUserTurn: opts.composeUserTurn,
             onOutbound: opts.onOutbound,
@@ -178,6 +179,26 @@ export class Gateway {
     async injectInbound(message) {
         await this.dispatcher.handle({ message });
     }
+    /**
+     * Inject an inbound message while routing replies through a caller-owned
+     * channel adapter. Cloud gateway runtime sessions use this to execute a
+     * provider message without loading provider credentials inside the sandbox:
+     * the temporary adapter captures the runtime's final reply and the always-on
+     * ingress service performs the provider send.
+     */
+    async injectInboundThrough(message, channel, ack) {
+        const previous = this.channelMap.get(channel.id);
+        this.channelMap.set(channel.id, channel);
+        try {
+            await this.dispatcher.handle({ message, ...(ack ? { ack } : {}) });
+        }
+        finally {
+            if (previous)
+                this.channelMap.set(channel.id, previous);
+            else
+                this.channelMap.delete(channel.id);
+        }
+    }
     /**
      * Send a daemon-control initiated outbound message through a registered
      * channel. Used by proactive third-party gateway sends where the runtime

package/dist/gateway/policy-resolver.js

@@ -24,16 +24,24 @@
 const DEFAULT_TTL_MS = 5 * 60 * 1000;
 const FETCH_FAILED = Symbol("fetch_failed");
 /**
- * Force DM rooms (`rm_dm_*`) to `mode: "always"` per design §4.2 — UI never
+ * Force direct conversations to `mode: "always"` per design §4.2 — UI never
  * lets the user mute a DM, but a stale cache from before a UX bug is cheap
- * to defend against here.
+ * to defend against here. Third-party 1:1 gateway chats have the same
+ * expectation: they do not carry BotCord mention metadata, so applying a
+ * global mention-only policy would silently drop ordinary direct messages.
  */
-function maybeForceDm(roomId, policy) {
-    if (roomId && roomId.startsWith("rm_dm_") && policy.mode !== "always") {
+function maybeForceDirectConversation(roomId, policy) {
+    if (roomId && isDirectConversation(roomId) && policy.mode !== "always") {
         return { ...policy, mode: "always" };
     }
     return policy;
 }
+function isDirectConversation(roomId) {
+    return (roomId.startsWith("rm_dm_") ||
+        roomId.startsWith("telegram:user:") ||
+        roomId.startsWith("wechat:user:") ||
+        roomId.startsWith("feishu:user:"));
+}
 function defaultPolicy() {
     return { mode: "always", keywords: [] };
 }
@@ -65,10 +73,10 @@ export class PolicyResolver {
                 return defaultPolicy();
             const policy = fetched ?? defaultPolicy();
             this.cache.set(cacheKey(agentId, roomId), {
-                policy: maybeForceDm(roomId, policy),
+                policy: maybeForceDirectConversation(roomId, policy),
                 expiresAt: now + this.ttlMs,
             });
-            return maybeForceDm(roomId, policy);
+            return maybeForceDirectConversation(roomId, policy);
         }
         // 3. No room override known — inherit from the cached agent-wide global.
         //    Without this layer, group messages collapsed to mode=always whenever
@@ -77,7 +85,7 @@ export class PolicyResolver {
         const globalKey = cacheKey(agentId, null);
         const globalHit = this.cache.get(globalKey);
         if (globalHit && globalHit.expiresAt > now) {
-            return maybeForceDm(roomId, globalHit.policy);
+            return maybeForceDirectConversation(roomId, globalHit.policy);
         }
         // 4. Cold start for global.
         const fetched = await this.safeFetch(() => this.fetchGlobal(agentId));
@@ -85,7 +93,7 @@ export class PolicyResolver {
             return defaultPolicy();
         const policy = fetched ?? defaultPolicy();
         this.cache.set(globalKey, { policy, expiresAt: now + this.ttlMs });
-        return maybeForceDm(roomId, policy);
+        return maybeForceDirectConversation(roomId, policy);
     }
     async safeFetch(fn) {
         try {
@@ -113,7 +121,7 @@ export class PolicyResolver {
     put(agentId, roomId, policy) {
         const key = cacheKey(agentId, roomId);
         this.cache.set(key, {
-            policy: maybeForceDm(roomId, policy),
+            policy: maybeForceDirectConversation(roomId, policy),
             expiresAt: Date.now() + this.ttlMs,
         });
     }

package/dist/gateway/runtimes/deepseek-tui.js

@@ -316,14 +316,17 @@ export class DeepseekTuiAdapter {
                 if (eventName === "message.delta") {
                     append(stringField(payload, "content") ?? "");
                 }
-                else if (eventName === "item.delta" && payload?.payload?.kind === "agent_message") {
-                    append(stringField(payload.payload, "delta") ?? "");
+                else if (eventName === "item.delta" && isAgentMessageDelta(payload)) {
+                    append(extractDeepseekDelta(payload));
                 }
                 if (eventName === "turn.started" || embeddedDeepseekEvent(payload) === "turn.started") {
                     opts.onStatus?.({ kind: "thinking", phase: "started", label: "Thinking" });
                 }
-                else if (eventName === "tool.started" || isToolStarted(payload)) {
-                    const label = stringField(payload, "name") ?? stringField(payload?.payload?.tool, "name") ?? "tool";
+                else if (eventName === "tool.started" || isToolStarted(eventName, payload)) {
+                    const label = stringField(payload, "name") ??
+                        stringField(payload?.tool, "name") ??
+                        stringField(payload?.payload?.tool, "name") ??
+                        "tool";
                     opts.onStatus?.({ kind: "thinking", phase: "updated", label });
                 }
                 else if (isDeepseekTerminalEvent(eventName, payload)) {
@@ -385,15 +388,18 @@ function normalizeDeepseekEvent(eventName, payload, seq) {
     if (eventName === "message.delta") {
         return { raw: { event: eventName, payload }, kind: "assistant_text", seq };
     }
-    if (eventName === "tool.started" || isToolStarted(payload)) {
+    if (eventName === "tool.started" || isToolStarted(eventName, payload)) {
         return { raw: { event: eventName, payload }, kind: "tool_use", seq };
     }
-    if (eventName === "tool.completed" || isToolCompleted(payload)) {
+    if (eventName === "tool.completed" || isToolCompleted(eventName, payload)) {
         return { raw: { event: eventName, payload }, kind: "tool_result", seq };
     }
-    if (eventName === "item.delta" && payload?.payload?.kind === "agent_message") {
+    if (eventName === "item.delta" && isAgentMessageDelta(payload)) {
         return { raw: { event: eventName, payload }, kind: "assistant_text", seq };
     }
+    if (eventName === "item.completed" && isAgentReasoningItem(payload)) {
+        return { raw: { event: eventName, payload }, kind: "thinking", seq };
+    }
     if (eventName === "turn.started" || eventName === "status" || embeddedDeepseekEvent(payload) === "turn.started") {
         return { raw: { event: eventName, payload }, kind: "system", seq };
     }
@@ -416,14 +422,27 @@ function isDeepseekTerminalEvent(eventName, payload) {
         embedded === "turn.done" ||
         embedded === "done");
 }
-function isToolStarted(payload) {
-    return payload?.event === "item.started" && !!payload?.payload?.tool;
+function isToolStarted(eventName, payload) {
+    return ((eventName === "item.started" && (!!payload?.tool || payload?.item?.kind === "tool_call")) ||
+        (payload?.event === "item.started" && !!payload?.payload?.tool));
 }
-function isToolCompleted(payload) {
-    const kind = payload?.payload?.item?.kind;
-    return ((payload?.event === "item.completed" || payload?.event === "item.failed") &&
+function isToolCompleted(eventName, payload) {
+    const kind = payload?.payload?.item?.kind ?? payload?.item?.kind;
+    return ((eventName === "item.completed" ||
+        eventName === "item.failed" ||
+        payload?.event === "item.completed" ||
+        payload?.event === "item.failed") &&
         (kind === "tool_call" || kind === "file_change" || kind === "command_execution"));
 }
+function isAgentMessageDelta(payload) {
+    return payload?.kind === "agent_message" || payload?.payload?.kind === "agent_message";
+}
+function isAgentReasoningItem(payload) {
+    return payload?.item?.kind === "agent_reasoning" || payload?.payload?.item?.kind === "agent_reasoning";
+}
+function extractDeepseekDelta(payload) {
+    return stringField(payload, "delta") ?? stringField(payload?.payload, "delta") ?? "";
+}
 function extractDeepseekError(eventName, payload) {
     if (eventName === "error") {
         return (stringField(payload, "message") ??

package/dist/gateway/types.d.ts

@@ -1,4 +1,9 @@
 import type { GatewayLogger } from "./log.js";
+import type { GatewayInboundEnvelope as CanonicalGatewayInboundEnvelope, GatewayInboundMessage as CanonicalGatewayInboundMessage, GatewayOutboundAttachment as CanonicalGatewayOutboundAttachment, GatewayOutboundMessage as CanonicalGatewayOutboundMessage, RuntimeGatewayProvider } from "@botcord/protocol-core";
+export type GatewayInboundMessage = CanonicalGatewayInboundMessage;
+export type GatewayInboundEnvelope = CanonicalGatewayInboundEnvelope;
+export type GatewayOutboundAttachment = CanonicalGatewayOutboundAttachment;
+export type GatewayOutboundMessage = CanonicalGatewayOutboundMessage;
 /** Set of predicates matched against a normalized inbound message to pick a route. */
 export interface RouteMatch {
     channel?: string;
@@ -69,41 +74,6 @@ export interface GatewayConfig {
     managedRoutes?: GatewayRoute[];
     streamBlocks?: boolean;
 }
-/** Normalized inbound message produced by a channel adapter for the dispatcher. */
-export interface GatewayInboundMessage {
-    id: string;
-    /** Channel adapter id (`ChannelAdapter.id`), not channel type. */
-    channel: string;
-    accountId: string;
-    conversation: {
-        id: string;
-        kind: "direct" | "group";
-        title?: string;
-        threadId?: string | null;
-    };
-    sender: {
-        id: string;
-        name?: string;
-        kind: "user" | "agent" | "system";
-    };
-    text?: string;
-    raw: unknown;
-    replyTo?: string | null;
-    mentioned?: boolean;
-    receivedAt: number;
-    trace?: {
-        id: string;
-        streamable?: boolean;
-    };
-}
-/** Inbound envelope wrapping a normalized message with optional upstream ack callbacks. */
-export interface GatewayInboundEnvelope {
-    message: GatewayInboundMessage;
-    ack?: {
-        accept(): Promise<void>;
-        reject?(reason: string): Promise<void>;
-    };
-}
 /**
  * Channel-agnostic hook that produces a system-context string for a turn.
  * Called before every `runtime.run(...)`; returned value is passed through
@@ -137,33 +107,18 @@ export interface MemoryContextSnapshot {
     version: string;
 }
 export type MemoryContextBuilder = (message: GatewayInboundMessage) => Promise<MemoryContextSnapshot | null | undefined> | MemoryContextSnapshot | null | undefined;
+/**
+ * Optional hook used after a runtime session is discarded and retried fresh.
+ * The daemon implementation can pull recent room messages from Hub; gateway
+ * core treats the returned string as opaque recovery context.
+ */
+export type RuntimeRecoveryContextBuilder = (message: GatewayInboundMessage) => Promise<string | null | undefined> | string | null | undefined;
 /**
  * Optional hook fired after the dispatcher dispatches a reply to a channel.
  * Intended for outbound bookkeeping (loop-risk tracking, metrics). Errors
  * are caught and logged so observer failures never break the turn.
  */
 export type OutboundObserver = (message: GatewayOutboundMessage) => Promise<void> | void;
-/** Outbound reply payload passed to `ChannelAdapter.send()`. */
-export interface GatewayOutboundAttachment {
-    /** Local daemon-readable file path. */
-    filePath?: string;
-    /** In-memory bytes, primarily for tests and in-process tool callers. */
-    data?: Uint8Array;
-    filename?: string;
-    contentType?: string;
-    kind?: "image" | "file" | "video";
-}
-export interface GatewayOutboundMessage {
-    channel: string;
-    accountId: string;
-    conversationId: string;
-    threadId?: string | null;
-    type?: "message" | "error";
-    text: string;
-    attachments?: GatewayOutboundAttachment[];
-    replyTo?: string | null;
-    traceId?: string | null;
-}
 /** Per-channel status snapshot exposed for `status`/`doctor` style output. */
 export interface ChannelStatusSnapshot {
     channel: string;
@@ -176,7 +131,7 @@ export interface ChannelStatusSnapshot {
     lastStopAt?: number;
     lastError?: string | null;
     /** Third-party provider id when this channel is not the built-in BotCord. */
-    provider?: "wechat" | "telegram" | "feishu";
+    provider?: RuntimeGatewayProvider;
     /** Last time the adapter polled the upstream provider (ms epoch). */
     lastPollAt?: number;
     /** Last time the adapter accepted an inbound message (ms epoch). */

package/dist/gateway-control.js

@@ -108,13 +108,16 @@ export function createGatewayControl(ctx) {
             if (!loginId) {
                 return badParams("upsert_gateway: wechat requires loginId");
             }
-            const session = sessions.get(loginId);
-            if (!session) {
+            const resolved = sessions.resolve(loginId);
+            if (resolved.state !== "live") {
                 return {
                     ok: false,
-                    error: { code: "login_expired", message: `wechat login session "${loginId}" not found or expired` },
+                    error: resolved.state === "missing"
+                        ? { code: "login_missing", message: `wechat login session "${loginId}" not found` }
+                        : { code: "login_expired", message: `wechat login session "${loginId}" expired` },
                 };
             }
+            const session = resolved.session;
             if (session.provider !== "wechat") {
                 return badParams(`upsert_gateway: login session provider "${session.provider}" != "wechat"`);
             }
@@ -143,13 +146,16 @@ export function createGatewayControl(ctx) {
             if (!loginId) {
                 return badParams("upsert_gateway: feishu requires loginId");
             }
-            const session = sessions.get(loginId);
-            if (!session) {
+            const resolved = sessions.resolve(loginId);
+            if (resolved.state !== "live") {
                 return {
                     ok: false,
-                    error: { code: "login_expired", message: `feishu login session "${loginId}" not found or expired` },
+                    error: resolved.state === "missing"
+                        ? { code: "login_missing", message: `feishu login session "${loginId}" not found` }
+                        : { code: "login_expired", message: `feishu login session "${loginId}" expired` },
                 };
             }
+            const session = resolved.session;
             if (session.provider !== "feishu") {
                 return badParams(`upsert_gateway: login session provider "${session.provider}" != "feishu"`);
             }
@@ -659,13 +665,16 @@ export function createGatewayControl(ctx) {
         if (!params.accountId || typeof params.accountId !== "string") {
             return badParams("gateway_recent_senders: accountId is required");
         }
-        const session = sessions.get(params.loginId);
-        if (!session) {
+        const resolved = sessions.resolve(params.loginId);
+        if (resolved.state !== "live") {
             return {
                 ok: false,
-                error: { code: "login_expired", message: `wechat login session "${params.loginId}" not found or expired` },
+                error: resolved.state === "missing"
+                    ? { code: "login_missing", message: `wechat login session "${params.loginId}" not found` }
+                    : { code: "login_expired", message: `wechat login session "${params.loginId}" expired` },
             };
         }
+        const session = resolved.session;
         if (session.provider !== "wechat") {
             return badParams("gateway_recent_senders: provider does not match login session");
         }

package/dist/provision.d.ts

@@ -182,10 +182,14 @@ interface HelloIdentityResult {
     updated: number;
     skipped: number;
 }
+interface RuntimeSnapshotCtx {
+    gateway?: Gateway;
+}
 /**
  * Reconcile every agent identity carried by the `hello.agents` snapshot
- * against the on-disk `identity.md`. Best-effort: a malformed entry or a
- * file-system error for one agent never aborts the rest.
+ * against the on-disk `identity.md` and credentials runtime selectors.
+ * Best-effort: a malformed entry or a file-system error for one agent never
+ * aborts the rest.
  *
  * Identity-snapshot semantics intentionally only touch the metadata
  * line + Bio body — Role/Boundaries paragraphs the user authored locally
@@ -193,7 +197,7 @@ interface HelloIdentityResult {
  * (agent provisioned on a different daemon, or workspace cleared) are
  * silently skipped.
  */
-export declare function applyHelloIdentitySnapshot(snapshot: AgentIdentitySnapshot[] | undefined): HelloIdentityResult;
+export declare function applyHelloIdentitySnapshot(snapshot: AgentIdentitySnapshot[] | undefined, ctx?: RuntimeSnapshotCtx): HelloIdentityResult;
 interface ReloadResult {
     reloaded: true;
     added: string[];