npm - @byfriends/sdk - Versions diffs - 0.3.0 → 0.3.2 - Mend

@byfriends/sdk 0.3.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -65,9 +65,6 @@ declare interface AgentAPI {
     setPermission: (payload: SetPermissionPayload) => void;
     setModel: (payload: SetModelPayload) => SetModelResult;
     getModel: (payload: EmptyPayload) => string;
-    enterPlan: (payload: EmptyPayload) => void;
-    cancelPlan: (payload: CancelPlanPayload) => void;
-    clearPlan: (payload: EmptyPayload) => void;
     beginCompaction: (payload: BeginCompactionPayload) => void;
     cancelCompaction: (payload: EmptyPayload) => void;
     registerTool: (payload: RegisterToolPayload) => void;
@@ -81,7 +78,6 @@ declare interface AgentAPI {
     getContext: (payload: EmptyPayload) => AgentContextData;
     getConfig: (payload: EmptyPayload) => AgentConfigData;
     getPermission: (payload: EmptyPayload) => PermissionData;
-    getPlan: (payload: EmptyPayload) => PlanData;
     getUsage: (payload: EmptyPayload) => UsageStatus;
     getTools: (payload: EmptyPayload) => readonly ToolInfo[];
     getBackground: (payload: GetBackgroundPayload) => readonly BackgroundTaskInfo[];
@@ -178,15 +174,6 @@ declare interface AgentRecordEvents {
     };
     'permission.record_approval_result': PermissionApprovalResultRecord;
     'full_compaction.begin': CompactionBeginData;
-    'plan_mode.enter': {
-        id: string;
-    };
-    'plan_mode.cancel': {
-        id?: string;
-    };
-    'plan_mode.exit': {
-        id?: string;
-    };
     'tools.register_user_tool': UserToolRegistration;
     'tools.unregister_user_tool': {
         name: string;
@@ -260,9 +247,6 @@ declare class AgentRecords {
 export declare type AgentReplayRecord = {
     type: 'message';
     message: ContextMessage;
-} | {
-    type: 'plan_updated';
-    enabled: boolean;
 } | {
     type: 'config_updated';
     config: AgentConfigUpdateData;
@@ -1149,8 +1133,8 @@ declare const ByfConfigPatchSchema: z.ZodObject<{
     defaultThinking: z.ZodOptional<z.ZodBoolean>;
     defaultPermissionMode: z.ZodOptional<z.ZodEnum<{
         auto: "auto";
-        yolo: "yolo";
         manual: "manual";
+        yolo: "yolo";
     }>>;
     permission: z.ZodOptional<z.ZodObject<{
         rules: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -1190,19 +1174,19 @@ declare const ByfConfigPatchSchema: z.ZodObject<{
         timeout: z.ZodOptional<z.ZodNumber>;
     }, z.core.$strict>>>;
     services: z.ZodOptional<z.ZodObject<{
-        byfSearch: z.ZodOptional<z.ZodObject<{
-            baseUrl: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-            apiKey: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-            oauth: z.ZodOptional<z.ZodOptional<z.ZodObject<{
-                storage: z.ZodEnum<{
-                    file: "file";
-                    keyring: "keyring";
+        webSearch: z.ZodOptional<z.ZodObject<{
+            providers: z.ZodArray<z.ZodObject<{
+                type: z.ZodEnum<{
+                    exa: "exa";
+                    brave: "brave";
+                    firecrawl: "firecrawl";
                 }>;
-                key: z.ZodString;
-            }, z.core.$strip>>>;
-            customHeaders: z.ZodOptional<z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>>;
+                apiKeys: z.ZodArray<z.ZodString>;
+                baseUrl: z.ZodOptional<z.ZodString>;
+                priority: z.ZodNumber;
+            }, z.core.$strip>>;
         }, z.core.$strip>>;
-        byfFetch: z.ZodOptional<z.ZodObject<{
+        fetchUrl: z.ZodOptional<z.ZodObject<{
             baseUrl: z.ZodOptional<z.ZodOptional<z.ZodString>>;
             apiKey: z.ZodOptional<z.ZodOptional<z.ZodString>>;
             oauth: z.ZodOptional<z.ZodOptional<z.ZodObject<{
@@ -1287,8 +1271,8 @@ declare const ByfConfigSchema: z.ZodObject<{
     defaultThinking: z.ZodOptional<z.ZodBoolean>;
     defaultPermissionMode: z.ZodOptional<z.ZodEnum<{
         auto: "auto";
-        yolo: "yolo";
         manual: "manual";
+        yolo: "yolo";
     }>>;
     permission: z.ZodOptional<z.ZodObject<{
         rules: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -1328,19 +1312,19 @@ declare const ByfConfigSchema: z.ZodObject<{
         timeout: z.ZodOptional<z.ZodNumber>;
     }, z.core.$strict>>>;
     services: z.ZodOptional<z.ZodObject<{
-        byfSearch: z.ZodOptional<z.ZodObject<{
-            baseUrl: z.ZodOptional<z.ZodString>;
-            apiKey: z.ZodOptional<z.ZodString>;
-            oauth: z.ZodOptional<z.ZodObject<{
-                storage: z.ZodEnum<{
-                    file: "file";
-                    keyring: "keyring";
+        webSearch: z.ZodOptional<z.ZodObject<{
+            providers: z.ZodArray<z.ZodObject<{
+                type: z.ZodEnum<{
+                    exa: "exa";
+                    brave: "brave";
+                    firecrawl: "firecrawl";
                 }>;
-                key: z.ZodString;
+                apiKeys: z.ZodArray<z.ZodString>;
+                baseUrl: z.ZodOptional<z.ZodString>;
+                priority: z.ZodNumber;
             }, z.core.$strip>>;
-            customHeaders: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
         }, z.core.$strip>>;
-        byfFetch: z.ZodOptional<z.ZodObject<{
+        fetchUrl: z.ZodOptional<z.ZodObject<{
             baseUrl: z.ZodOptional<z.ZodString>;
             apiKey: z.ZodOptional<z.ZodString>;
             oauth: z.ZodOptional<z.ZodObject<{
@@ -1406,9 +1390,6 @@ declare class ByfCore implements PromisableMethods<CoreAPI> {
     setThinking({ sessionId, ...payload }: SessionAgentPayload<SetThinkingPayload>): void | Promise<void>;
     setPermission({ sessionId, ...payload }: SessionAgentPayload<SetPermissionPayload>): void | Promise<void>;
     getModel({ sessionId, ...payload }: SessionAgentPayload<EmptyPayload>): string | Promise<string>;
-    enterPlan({ sessionId, ...payload }: SessionAgentPayload<EmptyPayload>): void | Promise<void>;
-    cancelPlan({ sessionId, ...payload }: SessionAgentPayload<CancelPlanPayload>): void | Promise<void>;
-    clearPlan({ sessionId, ...payload }: SessionAgentPayload<EmptyPayload>): void | Promise<void>;
     beginCompaction({ sessionId, ...payload }: SessionAgentPayload<BeginCompactionPayload>): void | Promise<void>;
     cancelCompaction({ sessionId, ...payload }: SessionAgentPayload<EmptyPayload>): void | Promise<void>;
     registerTool({ sessionId, ...payload }: SessionAgentPayload<RegisterToolPayload>): void | Promise<void>;
@@ -1422,7 +1403,6 @@ declare class ByfCore implements PromisableMethods<CoreAPI> {
     getContext({ sessionId, ...payload }: SessionAgentPayload<EmptyPayload>): AgentContextData | Promise<AgentContextData>;
     getConfig({ sessionId, ...payload }: SessionAgentPayload<EmptyPayload>): AgentConfigData | Promise<AgentConfigData>;
     getPermission({ sessionId, ...payload }: SessionAgentPayload<EmptyPayload>): PermissionData | Promise<PermissionData>;
-    getPlan({ sessionId, ...payload }: SessionAgentPayload<EmptyPayload>): Promise<null> | null;
     getUsage({ sessionId, ...payload }: SessionAgentPayload<EmptyPayload>): UsageStatus | Promise<UsageStatus>;
     getTools({ sessionId, ...payload }: SessionAgentPayload<EmptyPayload>): readonly ToolInfo[] | Promise<readonly ToolInfo[]>;
     getBackground({ sessionId, ...payload }: SessionAgentPayload<GetBackgroundPayload>): readonly BackgroundTaskInfo[] | Promise<readonly BackgroundTaskInfo[]>;
@@ -1514,7 +1494,7 @@ export declare class ByfHarness {
     get sessions(): ReadonlyMap<string, Session>;
     get interactiveAgentId(): string;
     set interactiveAgentId(agentId: string);
-    track(event: string, properties?: Record<string, unknown>): void;
+    track(_event: string, _properties?: Record<string, unknown>): void;
     createSession(options: CreateSessionOptions): Promise<Session>;
     resumeSession(input: ResumeSessionInput): Promise<Session>;
     forkSession(input: ForkSessionInput): Promise<Session>;
@@ -1539,6 +1519,7 @@ export declare interface ByfHarnessOptions {
     readonly identity?: HostIdentity | undefined;
     readonly homeDir?: string | undefined;
     readonly configPath?: string | undefined;
+    readonly runtime?: RuntimeConfig | undefined;
     readonly autoLoadConfig?: boolean | undefined;
     readonly uiMode?: string;
     readonly skillDirs?: readonly string[];
@@ -1621,10 +1602,6 @@ declare interface CancelPayload {
     readonly turnId?: number;
 }
-declare interface CancelPlanPayload {
-    readonly id?: string;
-}
 /** Top-level catalog: `{ [providerId]: ProviderEntry }` (e.g. models.dev/api.json). */
 export declare type Catalog = Record<string, CatalogProviderEntry>;
@@ -3531,15 +3508,6 @@ declare type PermissionRuleDecision = 'allow' | 'deny' | 'ask';
  */
 declare type PermissionRuleScope = 'turn-override' | 'session-runtime' | 'project' | 'user';
-declare type PlanData = null;
-export declare interface PlanInfo {
-    readonly id: string;
-    readonly exists: boolean;
-    readonly content: string;
-    readonly path: string;
-}
 declare type PreparedSystemPromptContext = Pick<SystemPromptContext, 'cwd' | 'agentsMd'>;
 declare interface PrepareToolExecutionResult {
@@ -3959,7 +3927,6 @@ export declare interface ResumedAgentState {
     readonly context: AgentContextData;
     readonly replay: readonly AgentReplayRecord[];
     readonly permission: PermissionData;
-    readonly plan: PlanData;
     readonly usage: UsageStatus;
     readonly tools: readonly ToolInfo[];
     readonly toolStore?: Readonly<Record<string, unknown>>;
@@ -4097,8 +4064,6 @@ declare class SDKRpcClient {
     setModel(input: SetSessionModelRpcInput): Promise<SetSessionModelRpcResult>;
     setThinking(input: SetSessionThinkingRpcInput): Promise<void>;
     setPermission(input: SetSessionPermissionRpcInput): Promise<void>;
-    getPlan(input: SessionIdRpcInput): Promise<SessionPlan>;
-    clearPlan(input: SessionIdRpcInput): Promise<void>;
     compact(input: SessionIdRpcInput & CompactOptions): Promise<void>;
     cancelCompaction(input: SessionIdRpcInput): Promise<void>;
     getUsage(input: SessionIdRpcInput): Promise<SessionUsage>;
@@ -4145,6 +4110,7 @@ declare interface SDKRpcClientOptions {
     readonly homeDir?: string | undefined;
     readonly configPath?: string | undefined;
     readonly skillDirs?: readonly string[];
+    readonly runtime?: RuntimeConfig | undefined;
 }
 declare type SDKSessionAPI = WithAgentId<SDKAgentAPI>;
@@ -4158,19 +4124,19 @@ declare interface ServicesConfig_2 {
 }
 declare const ServicesConfigSchema: z.ZodObject<{
-    byfSearch: z.ZodOptional<z.ZodObject<{
-        baseUrl: z.ZodOptional<z.ZodString>;
-        apiKey: z.ZodOptional<z.ZodString>;
-        oauth: z.ZodOptional<z.ZodObject<{
-            storage: z.ZodEnum<{
-                file: "file";
-                keyring: "keyring";
+    webSearch: z.ZodOptional<z.ZodObject<{
+        providers: z.ZodArray<z.ZodObject<{
+            type: z.ZodEnum<{
+                exa: "exa";
+                brave: "brave";
+                firecrawl: "firecrawl";
             }>;
-            key: z.ZodString;
+            apiKeys: z.ZodArray<z.ZodString>;
+            baseUrl: z.ZodOptional<z.ZodString>;
+            priority: z.ZodNumber;
         }, z.core.$strip>>;
-        customHeaders: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
     }, z.core.$strip>>;
-    byfFetch: z.ZodOptional<z.ZodObject<{
+    fetchUrl: z.ZodOptional<z.ZodObject<{
         baseUrl: z.ZodOptional<z.ZodString>;
         apiKey: z.ZodOptional<z.ZodString>;
         oauth: z.ZodOptional<z.ZodObject<{
@@ -4208,8 +4174,6 @@ export declare class Session {
     setModel(model: string): Promise<void>;
     setThinking(level: string): Promise<void>;
     setPermission(mode: PermissionMode): Promise<void>;
-    getPlan(): Promise<SessionPlan>;
-    clearPlan(): Promise<void>;
     compact(options?: CompactOptions): Promise<void>;
     cancelCompaction(): Promise<void>;
     getUsage(): Promise<SessionUsage>;
@@ -4385,8 +4349,6 @@ declare interface SessionOptions {
     readonly onClose?: (() => void | Promise<void>) | undefined;
 }
-export declare type SessionPlan = PlanInfo | null;
 declare interface SessionPromptRpcInput {
     readonly sessionId: string;
     readonly input: PromptInput;

package/dist/index.mjs CHANGED Viewed

@@ -46352,7 +46352,7 @@ var OpenAIResponsesChatProvider = class OpenAIResponsesChatProvider extends Base
 };
 //#endregion
 //#region ../kosong/src/providers/index.ts
-function createProvider(config) {
+function createProvider$1(config) {
 	switch (config.type) {
 		case "anthropic": return new AnthropicChatProvider(config);
 		case "openai-completions": return new OpenAICompletionsChatProvider(config);
@@ -58148,14 +58148,36 @@ function isRecord$4(value) {
 var mcp_config_default = "---\nname: mcp-config\ndescription: Configure MCP servers and handle MCP OAuth login.\n---\n\n# Interactive MCP server configuration\n\nThe user invoked this skill through `/mcp-config` or `/skill:mcp-config`.\nEither they want to log into an MCP server that asked for OAuth, or they\nwant to edit the `mcp.json` that lists MCP servers. The work is small and\nlocal — handle it on this turn yourself, no agents or planning todos.\n\nPick the flow from the user's message and your tool list:\n\n- An `mcp__<server>__authenticate` tool is in your list, the user says\n  \"log in\" / \"auth\" / \"sign in\", they invoke `/mcp-config login\n  <server>`, or they quote a `needs-auth` status → **Login**.\n- Add / edit / remove / list of an `mcp.json` entry → **Config edit**.\n- Bare `/mcp-config` with no `authenticate` tool in your list →\n  **Config edit**. If there were a pending login, the authenticate tool\n  would be in your list.\n\n## Login\n\nEach MCP server in `needs-auth` exposes one `mcp__<server>__authenticate`\ntool. Call it for the server the user means — its own description owns\nthe OAuth UX (printing the URL, blocking on the callback, reconnecting on\nsuccess). Surface its output verbatim, including the authorization URL\nunchanged; the URL contains state and PKCE parameters that break if\nedited.\n\nIf the user named a server that has no authenticate tool, say so in one\nsentence and stop — do **not** fall into config edit. They're trying to\nlog in to a server that isn't currently waiting for login; quietly\nrewriting `mcp.json` would be the wrong fix. If multiple authenticate\ntools exist and the user didn't name one, ask which.\n\n## Config edit\n\nConfig lives in two files; on key collision the project file overrides\nthe user-global one:\n\n- User-global: `~/.byf/mcp.json` (or `$BYF_HOME/mcp.json` if\n  set). Use for servers you want everywhere.\n- Project-local: `<cwd>/.byf/mcp.json`. Mention once that stdio\n  entries spawn commands at session start, so this should only live in\n  trusted repos.\n\nBoth files wrap their entries the same way:\n\n```json\n{ \"mcpServers\": { \"<name>\": { /* entry */ } } }\n```\n\nA minimal stdio entry needs `command` (+ optional `args`, `env`, `cwd`).\nA minimal http entry needs `url`; add `bearerTokenEnvVar: \"ENV_NAME\"` for\nservers that authenticate with a static bearer token from the\nenvironment. Servers that use OAuth take no token field — the login flow\nabove handles them. `transport` is inferred from `command` vs `url`, so\nomit it. For less common fields (`enabled`, `startupTimeoutMs`,\n`toolTimeoutMs`, `enabledTools`, `disabledTools`, `headers`) the source of\ntruth is `McpServerStdioConfigSchema` / `McpServerHttpConfigSchema` in\n`packages/agent-core/src/config/schema.ts`.\n\nIf the user only wants to **see** what's configured, read both files,\nshow a merged view, and stop — no scope prompt, no write.\n\nFor changes, the flow is:\n\n1. **Pick a scope.** Infer it from the user's words when you can\n   (project / repo / this checkout / cwd → project; global / everywhere /\n   all projects → user-global). When the request is genuinely scope-less,\n   use one `AskUserQuestion` to ask user-global vs project-local, defaulting\n   to user-global. Use plain text for every other question — `AskUserQuestion`\n   is a poor fit for free-form input. If the user dismisses the scope\n   question, stop; you can't safely guess where they wanted the change.\n2. **Read and announce.** Read the target file (a missing or empty file\n   is fine; you'll create `{ \"mcpServers\": {} }`). If JSON parsing fails,\n   surface the error verbatim and stop — silently overwriting a broken\n   file could destroy work. Then show the user the target path, what's\n   currently in it, and the entry you're about to write or delete. This\n   is for transparency, not a confirmation gate — the Edit/Write\n   permission prompt is the real gate, and your message is what gives\n   the user context when that prompt appears. In yolo / afk modes there\n   is no prompt, which is those modes' explicit contract.\n3. **Write and tell them how to reload MCP servers.** Preserve unrelated\n   entries and the `mcpServers` wrapper. MCP servers load at session\n   start, so tell the user to start a new session (for example `/new`) or\n   restart BYF for the change to take effect.\n\n## Secrets\n\nDon't store secrets (tokens, keys, passwords) as literals in\n`mcp.json` — it's a plain config file on disk. http servers should use\n`bearerTokenEnvVar` to reference an env var instead; if a stdio entry\nmust inline one in `env`, warn the user before writing.\n";
 //#endregion
 //#region ../agent-core/src/skill/builtin/mcp-config.ts
-const PSEUDO_PATH = "builtin://mcp-config";
-const parsed = parseSkillText({
+const PSEUDO_PATH$1 = "builtin://mcp-config";
+const parsed$1 = parseSkillText({
 	skillMdPath: "/builtin/skills/mcp-config.md",
 	skillDirName: "mcp-config",
 	source: "builtin",
 	text: mcp_config_default
 });
 const MCP_CONFIG_SKILL = {
+	...parsed$1,
+	path: PSEUDO_PATH$1,
+	dir: PSEUDO_PATH$1,
+	metadata: {
+		...parsed$1.metadata,
+		type: parsed$1.metadata.type ?? "inline",
+		disableModelInvocation: true
+	}
+};
+//#endregion
+//#region ../agent-core/src/skill/builtin/update-config.md
+var update_config_default = "---\nname: update-config\ndescription: Audit and fix ~/.byf/config.toml — remove deprecated fields, migrate legacy settings, and flag semantic conflicts.\n---\n\n# Audit and fix config.toml\n\nThe user invoked this skill via `/update-config` or `/skill:update-config`.\nThe goal is to bring `~/.byf/config.toml` in line with the current BYF schema:\nremove deprecated fields, migrate legacy settings, and point out semantic\nconflicts that a deterministic linter cannot catch. The work is small and\nlocal — handle it on this turn yourself, no agents or planning todos.\n\n## Read the config\n\n1. **Resolve the path.** Default: `~/.byf/config.toml` (or\n   `$BYF_HOME/config.toml` if that env var is set). If the user passed a path\n   as an argument, use that instead.\n2. **Read the file.** If it does not exist, say so and stop — there is nothing\n   to update. If the TOML fails to parse, surface the parse error verbatim and\n   **stop** — do not overwrite a broken file, that could destroy the user's\n   work.\n3. **Never echo secrets.** `config.toml` stores `api_key` secret values, and\n   `oauth` references (a `{ storage, key }` handle that points at a\n   file/keyring entry — not the token itself). When you describe what you\n   found or plan to change, state only that a credential is present or\n   absent — never quote the `api_key` value itself, not even partially.\n\n## What to check for\n\nField-level validity (which keys exist, what types and enums are allowed) is\n**not** something to reproduce here. The single source of truth is\n`ByfConfigSchema` in `packages/agent-core/src/config/schema.ts` — read it when\nyou need to confirm whether a field is recognized and what values it accepts.\n\nThe checks below fall into three groups. Report findings from all three before\nmaking any change.\n\n### 1. Deprecated, renamed, and migrated fields\n\nThese are historical fields that the schema no longer accepts or has replaced.\nDelete them, except where the table says to rename or migrate:\n\n| Field | Action |\n|---|---|\n| `default_yolo` / `defaultYolo` (top-level) | Remove. Use `yolo` instead. |\n| `services.byf_search` | Remove. (Legacy service, superseded by `[services.web_search]`.) |\n| `services.byf_fetch` | Remove. Use `[services.fetch_url]` instead. |\n| `loop_control.max_steps_per_run` | **Rename** to `max_steps_per_turn`, preserving the value. First check whether `max_steps_per_turn` is already present: if so, the old key is a stale duplicate — just delete it; if not, write `max_steps_per_turn` with the old value, then delete `max_steps_per_run`. (The runtime auto-copies the value on read, but this skill edits the file directly and skips that roundtrip — so you must perform the rename yourself to avoid losing the limit.) |\n| `default_thinking` (top-level boolean) | Migrate — see below. |\n\n**`default_thinking` migration** (matches the runtime precedence in\n`byf-tui.ts`: a `[thinking]` block wins over `default_thinking`):\n\n- If `[thinking]` already has `mode` or `effort` set, `default_thinking` was\n  never effective — just remove it.\n- Otherwise migrate by value: `true` → write `[thinking]` with\n  `mode = \"on\"` and `effort = \"high\"`; `false` → `[thinking]` with\n  `mode = \"off\"`. Then remove `default_thinking`.\n\n> **Raw-passthrough blind spot.** Fields stripped by the schema (like\n> `byf_search`, `byf_fetch`) survive inside `config.raw` and get written back\n> on every read→write roundtrip, so they linger in the file even though they\n> have no effect. Deleting them here is the only way to clear them — that is\n> the core value of this skill.\n\n### 2. Semantic conflicts (the part a linter cannot enumerate)\n\nLook for cross-field problems that require understanding intent:\n\n- A provider with **both** `api_key` and `oauth` configured — these are\n  mutually exclusive; ask which one the user meant.\n- `thinking.mode = \"off\"` **and** a non-empty `thinking.effort` — the effort\n  is ignored; suggest removing it or flipping the mode.\n- `models.<alias>.capabilities` containing a value not in the valid set. The\n  valid set is the single source of truth: read `CAPABILITY_DEFINITIONS` (or\n  the derived `VALID_CAPABILITIES`) in\n  `packages/agent-core/src/providers/runtime-provider.ts`. Comparison is\n  case-insensitive at runtime, so flag only genuine mismatches.\n- A model alias, `default_provider`, or `default_model` that points at a\n  provider or model that does not exist — a dangling reference. Report it; do\n  **not** delete it, the user may be mid-edit.\n\n### 3. Housekeeping\n\n- Top-level keys that are not in `ByfConfigSchema` (and not a deprecated key\n  above) — likely typos or leftovers from an old version. Report them; only\n  remove with user confirmation. Note that legitimate unknown keys (e.g.\n  `theme`, `notifications`) are preserved by design through `config.raw`, so\n  do not touch keys the user clearly added on purpose.\n- **Nested keys inside containers** (`[providers.<name>]`, `[models.<alias>]`,\n  `[services]`, `[background]`, `[loop_control]`, `[thinking]`,\n  `[permission]`). A key that the corresponding section of `ByfConfigSchema`\n  does not recognize is silently dropped by the parser and has no effect — a\n  common cause is a typo (e.g. `max_context_tokns` instead of\n  `max_context_size`). Cross-check each sub-key against the schema and flag\n  any mismatch; fix only with user confirmation. Note that `[permission]`\n  still accepts the legacy `deny`/`allow`/`ask` array shorthand, so do not\n  report those as unknown.\n\n## Make changes\n\nFor each change, show the user **what is currently there → what you plan to\nwrite** before editing. Then apply edits with Write/Edit. The Edit/Write\npermission prompt is the real safety gate — your summary is what gives the\nuser context when that prompt appears. There is no automatic backup; if the\nuser wants one, suggest they copy the file first.\n\nAfter editing, tell the user to start a new session (e.g. `/new`) or restart\nBYF for the config change to take effect.\n";
+//#endregion
+//#region ../agent-core/src/skill/builtin/update-config.ts
+const PSEUDO_PATH = "builtin://update-config";
+const parsed = parseSkillText({
+	skillMdPath: "/builtin/skills/update-config.md",
+	skillDirName: "update-config",
+	source: "builtin",
+	text: update_config_default
+});
+const UPDATE_CONFIG_SKILL = {
 	...parsed,
 	path: PSEUDO_PATH,
 	dir: PSEUDO_PATH,
@@ -58169,6 +58191,7 @@ const MCP_CONFIG_SKILL = {
 //#region ../agent-core/src/skill/builtin/index.ts
 function registerBuiltinSkills(registry) {
 	registry.registerBuiltinSkill(MCP_CONFIG_SKILL);
+	registry.registerBuiltinSkill(UPDATE_CONFIG_SKILL);
 }
 //#endregion
 //#region ../agent-core/src/skill/scanner.ts
@@ -58961,12 +58984,12 @@ function joinPath(parent, child, pathClass) {
 }
 //#endregion
 //#region ../agent-core/src/tools/builtin/file/glob.md
-var glob_default = "Find files (and optionally directories) by glob pattern, sorted by modification time (most recent first).\n\nGood patterns:\n- `*.ts` — files in the current directory matching an extension\n- `src/**/*.ts` — recursive with a subdirectory anchor and extension\n- `test_*.py` — files whose name starts with a literal prefix\n\nRejected patterns (no literal anchor):\n- `**`, `**/*`, `*/*` — pure wildcards. Add an extension or subdirectory to give the walk a concrete target.\n- Anything starting with `**/` (e.g. `**/*.md`, `**/main/*.py`). Anchor it with a top-level subdirectory like `src/**/*.md`.\n- `*.{ts,tsx}` — brace expansion is not supported. Issue two calls: `*.ts` and `*.tsx`.\n\nLarge-directory warning — avoid recursing into dependency/build output even with an anchor:\n- `node_modules/**/*.js`, `.venv/**/*.py`, `__pycache__/**`, `target/**` match technically but typically produce thousands of results that truncate at the match cap. Prefer specific subpaths like `node_modules/react/src/**/*.js`.\n";
+var glob_default = "Find files (and optionally directories) by glob pattern, sorted by modification time (most recent first).\n\nREJECTED patterns (no literal anchor — will be rejected):\n- **Pure wildcards**: `**`, `**/*`, `*/*` — no literal anchor bounds the result. Add an extension or subdirectory to give the walk a concrete target.\n- **`**/` prefix**: Anything starting with `**/` (e.g. `**/*.py`, `**/main/*.ts`). The leading `**/` has no literal anchor in front of it. Anchor it with a top-level subdirectory like `src/**/*.ts`.\n- **Brace expansion**: `*.{ts,tsx}` is not supported. Split it into separate calls: `*.ts` and `*.tsx`.\n\nGood patterns:\n- `*.ts` — files in the current directory matching an extension\n- `src/**/*.ts` — recursive with a subdirectory anchor and extension\n- `test_*.py` — files whose name starts with a literal prefix\n\nLarge-directory warning — avoid recursing into dependency/build output even with an anchor:\n- `node_modules/**/*.js`, `.venv/**/*.py`, `__pycache__/**`, `target/**` match technically but typically produce thousands of results that truncate at the match cap. Prefer specific subpaths like `node_modules/react/src/**/*.js`.\n\nWhen you need to search the entire project, first use Glob to explore the top-level directory structure, then use an anchored pattern like `src/**/*.ts` or `packages/**/*.ts` to narrow the search.\n";
 //#endregion
 //#region ../agent-core/src/tools/builtin/file/glob.ts
 const GlobInputSchema = z.object({
-	pattern: z.string().describe("Glob pattern to match files/directories."),
-	path: z.string().optional().describe("Absolute path to the directory to search in. Defaults to the current working directory."),
+	pattern: z.string().describe("Glob pattern to match files/directories. IMPORTANT: pattern MUST contain a literal anchor like a file extension (.ts) or a subdirectory name (src/). Patterns starting with **/ (e.g. **/*.py, **/main/*.ts), pure wildcards (**, **/*, */*, *), and brace expansion (*.{ts,tsx}) are REJECTED. Example: src/**/*.ts searches all .ts files under src/."),
+	path: z.string().optional().describe("Absolute path to the directory to search in. Defaults to the current working directory. Explicit absolute paths outside the workspace are allowed (e.g. to search a dependency installed elsewhere); relative paths are resolved against the working directory and rejected if they escape it."),
 	include_dirs: z.boolean().default(true).optional().describe("Whether to include directories in results. Defaults to true. Set false to return only files.")
 });
 const MAX_MATCHES = 1e3;
@@ -59008,7 +59031,7 @@ var GlobTool = class {
 			workspace: this.workspace,
 			operation: "search",
 			policy: {
-				guardMode: "strict",
+				guardMode: "absolute-outside-allowed",
 				checkSensitive: false
 			}
 		});
@@ -59042,7 +59065,7 @@ var GlobTool = class {
 			}
 			return {
 				isError: true,
-				output: `Pattern "${args.pattern}" is a pure wildcard (only \`*\`, \`?\`, \`**\`, \`/\`) and would enumerate every file under the search root — with no literal anchor to bound the result set, this typically exhausts your context on large trees. Add an extension ("${args.pattern === "**" || args.pattern === "**/*" ? "**/*.ts" : "**/*.md"}") or a subdirectory ("src/**/*.ts") to constrain the walk.\n\nAllowed roots for explicit path searches:\n${rootList}\n\nTop of ${this.workspace.workspaceDir}:\n${tree}`
+				output: `Pattern "${args.pattern}" is a pure wildcard (only \`*\`, \`?\`, \`**\`, \`/\`) and would enumerate every file under the search root — with no literal anchor to bound the result set, this typically exhausts your context on large trees. Add an extension ("${args.pattern === "**" || args.pattern === "**/*" ? "**/*.ts" : "**/*.md"}") or a subdirectory ("src/**/*.ts") to constrain the walk.\n\nWorkspace roots:\n${rootList}\n\nTop of ${this.workspace.workspaceDir}:\n${tree}`
 			};
 		}
 		if (containsBraceExpansion(args.pattern)) return {
@@ -59070,6 +59093,8 @@ var GlobTool = class {
 		try {
 			const seen = /* @__PURE__ */ new Set();
 			const entries = [];
+			const pathClass = this.kaos.pathClass();
+			const filteredSensitive = [];
 			const YIELD_SAFETY_CAP = MAX_MATCHES * 2;
 			let yielded = 0;
 			let truncated = false;
@@ -59085,6 +59110,10 @@ var GlobTool = class {
 					break outer;
 				}
 				seen.add(filePath);
+				if (isSensitiveFile(filePath, pathClass)) {
+					filteredSensitive.push(filePath);
+					continue;
+				}
 				let mtime = 0;
 				let isDir = false;
 				try {
@@ -59100,10 +59129,10 @@ var GlobTool = class {
 			}
 			entries.sort((a, b) => b.mtime - a.mtime);
 			const paths = entries.map((e) => e.path);
-			const pathClass = this.kaos.pathClass();
 			const relBase = searchRoots[0] ?? this.workspace.workspaceDir;
 			const displayLines = paths.map((p) => relativizeIfUnder$1(p, relBase, pathClass));
-			if (entries.length === 0 && !truncated) return { output: "No matches found" };
+			const filteredSome = filteredSensitive.length > 0;
+			if (entries.length === 0 && !truncated) return { output: filteredSome ? `No non-sensitive matches found (filtered ${String(filteredSensitive.length)} sensitive file(s))` : "No matches found" };
 			const lines = [];
 			if (truncated) {
 				lines.push(`[Truncated at ${String(MAX_MATCHES)} matches — use a more specific pattern]`);
@@ -59111,6 +59140,10 @@ var GlobTool = class {
 			}
 			lines.push(...displayLines);
 			if (!truncated && entries.length === 1e3) lines.push(`Found ${String(entries.length)} matches`);
+			if (filteredSome) {
+				const displayedFiltered = filteredSensitive.map((p) => relativizeIfUnder$1(p, relBase, pathClass));
+				lines.push(`Filtered ${String(filteredSensitive.length)} sensitive file(s): ${displayedFiltered.join(", ")}`);
+			}
 			return { output: lines.join("\n") };
 		} catch (error) {
 			if (error !== null && typeof error === "object" && "code" in error) {
@@ -65435,7 +65468,7 @@ function rewriteWindowsNullRedirect$1(command) {
 }
 //#endregion
 //#region ../agent-core/src/tools/builtin/state/todo-list.md
-var todo_list_default = "Use this tool to maintain a structured TODO list as you work through a multi-step task.\n\nUse for multi-step tasks, tracking investigation progress, or planning a sequence of edits. Do not use for single-shot answers or trivial requests.\n\n**Avoid churn:**\n- Do not re-call this tool when nothing meaningful has changed since the last call — update the list only after real progress.\n- When unsure of the current state, call query mode first (omit `todos`) to check the list before deciding what to update.\n- If no available tool can move any task forward, tell the user where you are stuck instead of repeatedly re-ordering the same todos.\n\n**How to use:**\n- Call with `todos: [...]` to replace the full list. Statuses: pending / in_progress / done.\n- Call with no arguments to query the current list.\n- Call with `todos: []` to clear the list.\n- Keep titles short and actionable.\n- Update statuses as you make progress — mark one item in_progress at a time.\n";
+var todo_list_default = "Use this tool to maintain a structured TODO list as you work through a multi-step task.\n\nUse for multi-step tasks, tracking investigation progress, or planning a sequence of edits. Do not use for single-shot answers or trivial requests.\n\n**Update discipline:**\n- Update status immediately when you start or complete a subtask: mark it `in_progress` when you begin working on it, and `done` when finished.\n- Do not skip the `in_progress` state — the user should always see what you are currently working on.\n- Avoid redundant calls: do not re-call this tool when nothing meaningful has changed since the last call.\n- When unsure of the current state, call query mode first (omit `todos`) to check the list before deciding what to update.\n- If no available tool can move any task forward, tell the user where you are stuck instead of repeatedly re-ordering the same todos.\n\n**How to use:**\n- Call with `todos: [...]` to replace the full list. Statuses: pending / in_progress / done.\n- Call with no arguments to query the current list.\n- Call with `todos: []` to clear the list.\n- Keep titles short and actionable.\n- Update statuses as you make progress — mark one item in_progress at a time.\n";
 //#endregion
 //#region ../agent-core/src/tools/builtin/state/todo-list.ts
 /**
@@ -66810,7 +66843,7 @@ var ConfigState = class {
 		return provider;
 	}
 	get provider() {
-		return createProvider(this.providerConfig);
+		return createProvider$1(this.providerConfig);
 	}
 	get model() {
 		if (this._modelAlias === void 0) throw new Error("Model not set");
@@ -70165,6 +70198,7 @@ const YoloOutsideWorkspacePermissionPolicy = {
 	evaluate({ agent, mode, toolCallContext }) {
 		if (mode !== "yolo") return void 0;
 		const toolName = toolCallContext.toolCall.name;
+		if (isDefaultAutoAllowTool(toolName)) return void 0;
 		const toolAccess = FILE_ACCESS_TOOLS[toolName];
 		if (toolAccess === void 0) return void 0;
 		const [operation, displayOperation] = toolAccess;
@@ -70672,8 +70706,7 @@ var AgentRecords = class {
 			tools: "tools",
 			usage: "usage",
 			background: "background",
-			full_compaction: "fullCompaction",
-			plan_mode: "planMode"
+			full_compaction: "fullCompaction"
 		}[recordType.split(".")[0]] ?? null;
 	}
 	async replay() {
@@ -82939,8 +82972,8 @@ var ToolManager = class {
 		return (input) => withProviderRequestAuth(resolveAuth, (auth) => uploadVideo(input, { auth }));
 	}
 	get loopTools() {
-		const builtinNames = [...this.builtinTools.keys()].filter((name) => this.enabledTools.has(name)).sort();
-		const userNames = [...this.userTools.keys()].filter((name) => this.enabledTools.has(name)).sort();
+		const builtinNames = [...this.builtinTools.keys()].filter((name) => this.enabledTools.has(name)).toSorted();
+		const userNames = [...this.userTools.keys()].filter((name) => this.enabledTools.has(name)).toSorted();
 		const mcpNames = [...this.mcpTools.keys()].filter((name) => this.isMcpToolEnabled(name));
 		return [
 			...builtinNames.map((name) => this.builtinTools.get(name)),
@@ -83116,7 +83149,7 @@ function findImplicitBoundaries(prompt) {
 		const index = prompt.indexOf(header);
 		if (index !== -1) boundaries.push(index);
 	}
-	return boundaries.sort((a, b) => a - b);
+	return boundaries.toSorted((a, b) => a - b);
 }
 /**
 * Split prompt by implicit boundaries into blocks.
@@ -84541,15 +84574,6 @@ var Agent = class {
 			getModel: () => {
 				return this.config.modelAlias ?? "";
 			},
-			enterPlan: async () => {
-				throw new ByfError(ErrorCodes.NOT_IMPLEMENTED, "Plan mode has been removed");
-			},
-			cancelPlan: async () => {
-				throw new ByfError(ErrorCodes.NOT_IMPLEMENTED, "Plan mode has been removed");
-			},
-			clearPlan: async () => {
-				throw new ByfError(ErrorCodes.NOT_IMPLEMENTED, "Plan mode has been removed");
-			},
 			beginCompaction: (payload) => {
 				this.fullCompaction.begin({
 					source: "manual",
@@ -84584,7 +84608,6 @@ var Agent = class {
 			getContext: () => this.context.data(),
 			getConfig: () => this.config.data(),
 			getPermission: () => this.permission.data(),
-			getPlan: async () => null,
 			getUsage: () => this.usage.data(),
 			getTools: () => this.tools.data(),
 			getBackground: (payload) => this.background.list(payload.activeOnly ?? false, payload.limit)
@@ -84717,6 +84740,21 @@ function proxyWithExtraPayload(methods, extraPayload) {
 		}, ...args);
 	} });
 }
+/** The Zod `z.enum` literal inferred from registry keys. */
+const PROVIDER_TYPE_VALUES = Object.keys({
+	exa: { defaultBaseUrl: "https://api.exa.ai/search" },
+	brave: { defaultBaseUrl: "https://api.search.brave.com/res/v1/web/search" },
+	firecrawl: { defaultBaseUrl: "https://api.firecrawl.dev/v2/search" }
+});
+const providerClassMap = /* @__PURE__ */ new Map();
+function registerProvider(type, cls) {
+	providerClassMap.set(type, cls);
+}
+function createProvider(type, options) {
+	const cls = providerClassMap.get(type);
+	if (cls === void 0) throw new Error(`WebSearch provider type "${type}" is not registered. Did you import the provider module?`);
+	return new cls(options);
+}
 //#endregion
 //#region ../agent-core/src/config/schema.ts
 const ProviderTypeSchema = z.enum([
@@ -84816,9 +84854,18 @@ const ByfServiceConfigSchema = z.object({
 	oauth: OAuthRefSchema.optional(),
 	customHeaders: StringRecordSchema.optional()
 });
+/** Provider type enum derived from webSearchProviderRegistry keys. */
+const WebSearchProviderTypeSchema = z.enum(PROVIDER_TYPE_VALUES);
+const WebSearchProviderConfigSchema = z.object({
+	type: WebSearchProviderTypeSchema,
+	apiKeys: z.array(z.string().min(1)).nonempty(),
+	baseUrl: z.string().optional(),
+	priority: z.number().int().positive()
+});
+const WebSearchConfigSchema = z.object({ providers: z.array(WebSearchProviderConfigSchema).nonempty() });
 const ServicesConfigSchema = z.object({
-	byfSearch: ByfServiceConfigSchema.optional(),
-	byfFetch: ByfServiceConfigSchema.optional()
+	webSearch: WebSearchConfigSchema.optional(),
+	fetchUrl: ByfServiceConfigSchema.optional()
 });
 const McpServerCommonFields = {
 	enabled: z.boolean().optional(),
@@ -84884,8 +84931,8 @@ const LoopControlPatchSchema = LoopControlSchema.partial();
 const BackgroundConfigPatchSchema = BackgroundConfigSchema.partial();
 const ByfServiceConfigPatchSchema = ByfServiceConfigSchema.partial();
 const ServicesConfigPatchSchema = z.object({
-	byfSearch: ByfServiceConfigPatchSchema.optional(),
-	byfFetch: ByfServiceConfigPatchSchema.optional()
+	webSearch: WebSearchConfigSchema.optional(),
+	fetchUrl: ByfServiceConfigPatchSchema.optional()
 });
 const ByfConfigPatchSchema = z.object({
 	providers: z.record(z.string(), ProviderConfigPatchSchema).optional(),
@@ -85133,10 +85180,15 @@ function transformServiceData(data) {
 		const targetKey = snakeToCamel(key);
 		if (targetKey === "oauth") out[targetKey] = isPlainObject$1(value) ? transformPlainObject(value) : value;
 		else if (targetKey === "customHeaders") out[targetKey] = cloneObjectValue(value);
+		else if (Array.isArray(value)) out[targetKey] = value.map((item) => isPlainObject$1(item) ? transformRecord(item, identity, snakeToCamel) : item);
+		else if (isPlainObject$1(value)) out[targetKey] = transformPlainObject(value);
 		else out[targetKey] = value;
 	}
 	return out;
 }
+function identity(v) {
+	return v;
+}
 function transformLoopControlData(data) {
 	const out = transformPlainObject(data);
 	if (out["maxStepsPerTurn"] === void 0 && out["maxStepsPerRun"] !== void 0) out["maxStepsPerTurn"] = out["maxStepsPerRun"];
@@ -85156,11 +85208,11 @@ function configToTomlData(config) {
 	delete out["default_yolo"];
 	delete out["defaultYolo"];
 	delete out["defaultPermissionMode"];
+	delete out["default_thinking"];
 	for (const key of [
 		"defaultProvider",
 		"defaultModel",
 		"yolo",
-		"defaultThinking",
 		"defaultPermissionMode",
 		"mergeAllAvailableSkills",
 		"extraSkillDirs"
@@ -85229,10 +85281,17 @@ function permissionRuleToToml(rule) {
 }
 function servicesToToml(services, rawServices) {
 	const out = cloneRecord(rawServices);
-	if (services.byfSearch !== void 0) out["byf_search"] = serviceToToml(services.byfSearch);
-	else delete out["byf_search"];
-	if (services.byfFetch !== void 0) out["byf_fetch"] = serviceToToml(services.byfFetch);
-	else delete out["byf_fetch"];
+	if (services.webSearch !== void 0 && services.webSearch.providers.length > 0) {
+		const providersToml = services.webSearch.providers.map((p) => {
+			const providerOut = {};
+			for (const [key, value] of Object.entries(p)) setDefined(providerOut, camelToSnake(key), value);
+			return providerOut;
+		});
+		out["web_search"] = out["web_search"] ?? {};
+		out["web_search"]["providers"] = providersToml;
+	} else delete out["web_search"];
+	if (services.fetchUrl !== void 0) out["fetch_url"] = serviceToToml(services.fetchUrl);
+	else delete out["fetch_url"];
 	return out;
 }
 function serviceToToml(service) {
@@ -125212,11 +125271,15 @@ function createProxiedFetch(deps) {
 		const proxyUrl = getProxyForUrl(url, envLookup, sysProxy);
 		const noProxyMatch = noProxy !== void 0 && isNoProxyHost(hostname, noProxy);
 		const controller = new AbortController();
-		const timeoutId = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+		const timeoutId = setTimeout(() => {
+			controller.abort();
+		}, REQUEST_TIMEOUT_MS);
 		if (init?.signal) if (init.signal.aborted) {
 			clearTimeout(timeoutId);
 			controller.abort();
-		} else init.signal.addEventListener("abort", () => controller.abort(), { once: true });
+		} else init.signal.addEventListener("abort", () => {
+			controller.abort();
+		}, { once: true });
 		const mergedInit = {
 			...init,
 			signal: controller.signal
@@ -125228,7 +125291,7 @@ function createProxiedFetch(deps) {
 			return response;
 		} catch (error) {
 			clearTimeout(timeoutId);
-			if (isRetryableError(error) && proxyUrl && !noProxyMatch) return await retryViaProxy(input, init, proxyUrl, innerFetch);
+			if (isRetryableError(error) && proxyUrl && !noProxyMatch) return retryViaProxy(input, init, proxyUrl, innerFetch);
 			throw error;
 		}
 	};
@@ -125236,11 +125299,15 @@ function createProxiedFetch(deps) {
 }
 async function retryViaProxy(input, init, proxyUrl, innerFetch) {
 	const controller = new AbortController();
-	const timeoutId = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+	const timeoutId = setTimeout(() => {
+		controller.abort();
+	}, REQUEST_TIMEOUT_MS);
 	if (init?.signal) if (init.signal.aborted) {
 		clearTimeout(timeoutId);
 		controller.abort();
-	} else init.signal.addEventListener("abort", () => controller.abort(), { once: true });
+	} else init.signal.addEventListener("abort", () => {
+		controller.abort();
+	}, { once: true });
 	const dispatcher = new import_undici.ProxyAgent(proxyUrl);
 	const retryInit = {
 		...init,
@@ -125390,82 +125457,188 @@ var RemoteFetchURLProvider = class {
 	}
 };
 //#endregion
-//#region ../agent-core/src/tools/providers/remote-web-search.ts
-var RemoteWebSearchProvider = class {
-	tokenProvider;
-	apiKey;
+//#region ../agent-core/src/tools/providers/router.ts
+var AllProvidersFailedError = class extends Error {
+	lastError;
+	constructor(lastError) {
+		super(`All search providers failed. Last error: ${lastError ?? "unknown"}`);
+		this.lastError = lastError;
+		this.name = "AllProvidersFailedError";
+	}
+};
+var PriorityRouter = class {
+	providers;
+	constructor(providers) {
+		this.providers = providers;
+	}
+	async search(query, options) {
+		let lastError;
+		for (const provider of this.providers) try {
+			return await provider.search(query, options);
+		} catch (error) {
+			lastError = error instanceof Error ? error.message : String(error);
+		}
+		throw new AllProvidersFailedError(lastError);
+	}
+};
+//#endregion
+//#region ../agent-core/src/tools/providers/exa.ts
+var ExaWebSearchProvider = class {
+	apiKeys;
 	baseUrl;
-	defaultHeaders;
-	customHeaders;
 	fetchImpl;
 	constructor(options) {
-		this.tokenProvider = options.tokenProvider;
-		this.apiKey = options.apiKey;
-		this.baseUrl = options.baseUrl;
-		this.defaultHeaders = options.defaultHeaders ?? {};
-		this.customHeaders = options.customHeaders ?? {};
+		this.apiKeys = options.apiKeys;
+		this.baseUrl = options.baseUrl ?? "https://api.exa.ai/search";
 		this.fetchImpl = options.fetchImpl ?? globalThis.fetch.bind(globalThis);
 	}
 	async search(query, options) {
-		const body = {
-			text_query: query,
-			limit: options?.limit ?? 5,
-			enable_page_crawling: options?.includeContent ?? false,
-			timeout_seconds: 30
+		const limit = options?.limit ?? 5;
+		const includeContent = options?.includeContent ?? false;
+		const contents = {};
+		if (includeContent) contents.text = { maxCharacters: 1e4 };
+		else contents.highlights = {
+			query,
+			maxCharacters: 300
 		};
-		const bodyJson = JSON.stringify(body);
-		const response = await this.post(bodyJson);
-		if (response.status === 401) {
-			const detail = await safeReadText(response);
-			throw new Error(`Remote search request failed: HTTP 401 (auth/unauthorized). ${detail}`.trim());
-		}
-		if (response.status !== 200) {
-			const detail = await safeReadText(response);
-			throw new Error(`Remote search request failed: HTTP ${String(response.status)}. ${detail}`.trim());
-		}
-		const json = await response.json();
-		return (Array.isArray(json.search_results) ? json.search_results : []).map((r) => {
-			const out = {
-				title: r.title ?? "",
-				url: r.url ?? "",
-				snippet: r.snippet ?? ""
-			};
-			if (typeof r.date === "string" && r.date.length > 0) out.date = r.date;
-			if (typeof r.content === "string" && r.content.length > 0) out.content = r.content;
-			return out;
+		const body = JSON.stringify({
+			query,
+			numResults: limit,
+			contents
 		});
+		let lastError;
+		for (const apiKey of this.apiKeys) try {
+			const response = await this.fetchImpl(this.baseUrl, {
+				method: "POST",
+				headers: {
+					Authorization: `Bearer ${apiKey}`,
+					"Content-Type": "application/json"
+				},
+				body
+			});
+			if (!response.ok) {
+				const detail = (await response.text().catch(() => "")).slice(0, 200);
+				throw new Error(`Exa search failed: HTTP ${response.status}${detail ? `: ${detail}` : ""}`);
+			}
+			const json = await response.json();
+			return (Array.isArray(json.results) ? json.results : []).map((r) => {
+				const out = {
+					title: r.title ?? "",
+					url: r.url ?? "",
+					snippet: ""
+				};
+				if (includeContent && typeof r.text === "string") {
+					out.snippet = r.text.slice(0, 300);
+					if (r.text.length > 0) out.content = r.text;
+				} else if (Array.isArray(r.highlights) && r.highlights.length > 0) out.snippet = r.highlights[0].slice(0, 300);
+				if (typeof r.publishedDate === "string" && r.publishedDate.length > 0) out.date = r.publishedDate;
+				return out;
+			});
+		} catch (error) {
+			lastError = error instanceof Error ? error : new Error(String(error));
+		}
+		throw lastError ?? /* @__PURE__ */ new Error("Exa search failed: no API keys configured");
 	}
-	async post(bodyJson) {
-		const accessToken = await this.resolveApiKey();
-		return this.fetchImpl(this.baseUrl, {
-			method: "POST",
-			headers: {
-				...this.defaultHeaders,
-				Authorization: `Bearer ${accessToken}`,
-				"Content-Type": "application/json",
-				...this.customHeaders
-			},
-			body: bodyJson
-		});
+};
+registerProvider("exa", ExaWebSearchProvider);
+//#endregion
+//#region ../agent-core/src/tools/providers/brave.ts
+var BraveWebSearchProvider = class {
+	apiKeys;
+	baseUrl;
+	fetchImpl;
+	constructor(options) {
+		this.apiKeys = options.apiKeys;
+		this.baseUrl = options.baseUrl ?? "https://api.search.brave.com/res/v1/web/search";
+		this.fetchImpl = options.fetchImpl ?? globalThis.fetch.bind(globalThis);
 	}
-	async resolveApiKey() {
-		if (this.tokenProvider !== void 0) try {
-			return await this.tokenProvider.getAccessToken();
+	async search(query, options) {
+		const limit = options?.limit ?? 5;
+		const url = new URL(this.baseUrl);
+		url.searchParams.set("q", query);
+		url.searchParams.set("count", String(limit));
+		let lastError;
+		for (const apiKey of this.apiKeys) try {
+			const response = await this.fetchImpl(url.toString(), {
+				method: "GET",
+				headers: {
+					"Accept": "application/json",
+					"Accept-Encoding": "gzip",
+					"X-Subscription-Token": apiKey
+				}
+			});
+			if (!response.ok) {
+				const detail = (await response.text().catch(() => "")).slice(0, 200);
+				throw new Error(`Brave search failed: HTTP ${response.status}${detail ? `: ${detail}` : ""}`);
+			}
+			const json = await response.json();
+			return (Array.isArray(json.web?.results) ? json.web.results : []).map((r) => {
+				const out = {
+					title: r.title ?? "",
+					url: r.url ?? "",
+					snippet: r.description ?? ""
+				};
+				if (typeof r.age === "string" && r.age.length > 0) out.date = r.age;
+				return out;
+			});
 		} catch (error) {
-			if (this.apiKey !== void 0 && this.apiKey.length > 0) return this.apiKey;
-			throw error;
+			lastError = error instanceof Error ? error : new Error(String(error));
 		}
-		if (this.apiKey !== void 0 && this.apiKey.length > 0) return this.apiKey;
-		throw new Error("Remote search service is not configured: missing API key or token provider.");
+		throw lastError ?? /* @__PURE__ */ new Error("Brave search failed: no API keys configured");
 	}
 };
-async function safeReadText(response) {
-	try {
-		return await response.text();
-	} catch {
-		return "";
+registerProvider("brave", BraveWebSearchProvider);
+//#endregion
+//#region ../agent-core/src/tools/providers/firecrawl.ts
+var FirecrawlWebSearchProvider = class {
+	apiKeys;
+	baseUrl;
+	fetchImpl;
+	constructor(options) {
+		this.apiKeys = options.apiKeys;
+		this.baseUrl = options.baseUrl ?? "https://api.firecrawl.dev/v2/search";
+		this.fetchImpl = options.fetchImpl ?? globalThis.fetch.bind(globalThis);
 	}
-}
+	async search(query, options) {
+		const limit = options?.limit ?? 5;
+		const includeContent = options?.includeContent ?? false;
+		const requestBody = {
+			query,
+			limit
+		};
+		if (includeContent) requestBody.scrapeOptions = { formats: ["markdown"] };
+		const body = JSON.stringify(requestBody);
+		let lastError;
+		for (const apiKey of this.apiKeys) try {
+			const response = await this.fetchImpl(this.baseUrl, {
+				method: "POST",
+				headers: {
+					"Authorization": `Bearer ${apiKey}`,
+					"Content-Type": "application/json"
+				},
+				body
+			});
+			if (!response.ok) {
+				const detail = (await response.text().catch(() => "")).slice(0, 200);
+				throw new Error(`Firecrawl search failed: HTTP ${response.status}${detail ? `: ${detail}` : ""}`);
+			}
+			const json = await response.json();
+			return (Array.isArray(json.data?.web) ? json.data.web : []).map((r) => {
+				const out = {
+					title: r.title ?? "",
+					url: r.url ?? "",
+					snippet: r.description ?? ""
+				};
+				if (includeContent && typeof r.markdown === "string" && r.markdown.length > 0) out.content = r.markdown;
+				return out;
+			});
+		} catch (error) {
+			lastError = error instanceof Error ? error : new Error(String(error));
+		}
+		throw lastError ?? /* @__PURE__ */ new Error("Firecrawl search failed: no API keys configured");
+	}
+};
+registerProvider("firecrawl", FirecrawlWebSearchProvider);
 //#endregion
 //#region ../agent-core/src/utils/environment.ts
 /**
@@ -125727,15 +125900,6 @@ var SessionAPIImpl = class {
 	getModel({ agentId, ...payload }) {
 		return this.getAgent(agentId).getModel(payload);
 	}
-	enterPlan({ agentId, ...payload }) {
-		return this.getAgent(agentId).enterPlan(payload);
-	}
-	cancelPlan({ agentId, ...payload }) {
-		return this.getAgent(agentId).cancelPlan(payload);
-	}
-	clearPlan({ agentId, ...payload }) {
-		return this.getAgent(agentId).clearPlan(payload);
-	}
 	beginCompaction({ agentId, ...payload }) {
 		return this.getAgent(agentId).beginCompaction(payload);
 	}
@@ -125776,9 +125940,6 @@ var SessionAPIImpl = class {
 	getPermission({ agentId, ...payload }) {
 		return this.getAgent(agentId).getPermission(payload);
 	}
-	getPlan({ agentId, ...payload }) {
-		return this.getAgent(agentId).getPlan(payload);
-	}
 	getUsage({ agentId, ...payload }) {
 		return this.getAgent(agentId).getUsage(payload);
 	}
@@ -126116,19 +126277,59 @@ function createRuntimeProviderAuthResolver(input, resolved = resolveRuntimeProvi
 function isAuthLoginRequired(error) {
 	return isByfError(error) && error.code === ErrorCodes.AUTH_LOGIN_REQUIRED;
 }
+const CAPABILITY_DEFINITIONS = [
+	{
+		name: "image_in",
+		returnKey: "image_in"
+	},
+	{
+		name: "video_in",
+		returnKey: "video_in"
+	},
+	{
+		name: "audio_in",
+		returnKey: "audio_in"
+	},
+	{
+		name: "thinking",
+		returnKey: "thinking"
+	},
+	{
+		name: "always_thinking",
+		returnKey: "thinking"
+	},
+	{
+		name: "tool_use",
+		returnKey: "tool_use"
+	},
+	{
+		name: "thinking_effort",
+		returnKey: "thinking_effort"
+	},
+	{
+		name: "thinking_xhigh",
+		returnKey: "thinking_xhigh"
+	},
+	{
+		name: "thinking_max",
+		returnKey: "thinking_max"
+	}
+];
+CAPABILITY_DEFINITIONS.map((d) => d.name);
 function resolveModelCapabilities(alias, provider) {
 	const capabilities = new Set((alias.capabilities ?? []).map((capability) => capability.trim().toLowerCase()));
 	const has = (capability) => capabilities.has(capability);
-	const providerCapability = createProvider(providerForCapabilityProbe(provider)).getCapability?.(provider.model) ?? UNKNOWN_CAPABILITY;
+	const providerCapability = createProvider$1(providerForCapabilityProbe(provider)).getCapability?.(provider.model) ?? UNKNOWN_CAPABILITY;
+	const returnKeyToNames = /* @__PURE__ */ new Map();
+	for (const def of CAPABILITY_DEFINITIONS) {
+		const names = returnKeyToNames.get(def.returnKey) ?? [];
+		names.push(def.name);
+		returnKeyToNames.set(def.returnKey, names);
+	}
+	const resolved = {};
+	for (const [returnKey, names] of returnKeyToNames) resolved[returnKey] = names.some((n) => has(n)) || Boolean(providerCapability[returnKey]);
 	return {
-		image_in: has("image_in") || providerCapability.image_in,
-		video_in: has("video_in") || providerCapability.video_in,
-		audio_in: has("audio_in") || providerCapability.audio_in,
-		thinking: has("thinking") || has("always_thinking") || providerCapability.thinking,
-		tool_use: has("tool_use") || providerCapability.tool_use,
-		thinking_effort: has("thinking_effort") || providerCapability.thinking_effort,
-		thinking_xhigh: has("thinking_xhigh") || providerCapability.thinking_xhigh,
-		thinking_max: has("thinking_max") || providerCapability.thinking_max,
+		...resolved,
 		max_context_tokens: alias.maxContextSize
 	};
 }
@@ -126936,15 +127137,6 @@ var ByfCore = class {
 	getModel({ sessionId, ...payload }) {
 		return this.sessionApi(sessionId).getModel(payload);
 	}
-	enterPlan({ sessionId, ...payload }) {
-		return this.sessionApi(sessionId).enterPlan(payload);
-	}
-	cancelPlan({ sessionId, ...payload }) {
-		return this.sessionApi(sessionId).cancelPlan(payload);
-	}
-	clearPlan({ sessionId, ...payload }) {
-		return this.sessionApi(sessionId).clearPlan(payload);
-	}
 	beginCompaction({ sessionId, ...payload }) {
 		return this.sessionApi(sessionId).beginCompaction(payload);
 	}
@@ -126984,9 +127176,6 @@ var ByfCore = class {
 	getPermission({ sessionId, ...payload }) {
 		return this.sessionApi(sessionId).getPermission(payload);
 	}
-	getPlan({ sessionId, ...payload }) {
-		return this.sessionApi(sessionId).getPlan(payload);
-	}
 	getUsage({ sessionId, ...payload }) {
 		return this.sessionApi(sessionId).getUsage(payload);
 	}
@@ -127074,8 +127263,8 @@ async function createRuntimeConfig(input) {
 		systemProxy: () => detectSystemProxy()
 	});
 	const localFetcher = new LocalFetchURLProvider({ fetchImpl: proxiedFetch });
-	const searchService = input.config.services?.byfSearch;
-	const fetchService = input.config.services?.byfFetch;
+	const fetchService = input.config.services?.fetchUrl;
+	const webSearchConfig = input.config.services?.webSearch;
 	return {
 		kaos: localKaos,
 		osEnv: await detectEnvironmentFromNode(),
@@ -127087,12 +127276,11 @@ async function createRuntimeConfig(input) {
 			fetchImpl: proxiedFetch,
 			...serviceCredentials(fetchService, input.resolveOAuthTokenProvider)
 		}),
-		webSearcher: searchService?.baseUrl === void 0 ? void 0 : new RemoteWebSearchProvider({
-			baseUrl: searchService.baseUrl,
-			defaultHeaders: input.byfRequestHeaders,
-			fetchImpl: proxiedFetch,
-			...serviceCredentials(searchService, input.resolveOAuthTokenProvider)
-		})
+		webSearcher: webSearchConfig === void 0 ? void 0 : new PriorityRouter([...webSearchConfig.providers].toSorted((a, b) => a.priority - b.priority).map((p) => createProvider(p.type, {
+			apiKeys: p.apiKeys,
+			baseUrl: p.baseUrl,
+			fetchImpl: proxiedFetch
+		})))
 	};
 }
 function serviceCredentials(service, resolveOAuthTokenProvider) {
@@ -127127,7 +127315,6 @@ async function resumeSessionResult(summary, session, warning) {
 			context,
 			replay: agent.replayBuilder.buildResult(),
 			permission,
-			plan: null,
 			usage,
 			tools: await api.getTools({ agentId }),
 			toolStore: agent.tools.storeData(),
@@ -127228,7 +127415,8 @@ var SDKRpcClient = class {
 		this.core = new ByfCore(coreRpc, {
 			homeDir: options.homeDir,
 			configPath: options.configPath,
-			skillDirs: options.skillDirs
+			skillDirs: options.skillDirs,
+			runtime: options.runtime
 		});
 		this.ready = sdkRpc(new ClientAPI(this)).then((rpc) => {
 			this.rpc = rpc;
@@ -127327,18 +127515,6 @@ var SDKRpcClient = class {
 			mode: input.mode
 		});
 	}
-	async getPlan(input) {
-		return (await this.getRpc()).getPlan({
-			sessionId: input.sessionId,
-			agentId: this.interactiveAgentId
-		});
-	}
-	async clearPlan(input) {
-		await (await this.getRpc()).clearPlan({
-			sessionId: input.sessionId,
-			agentId: this.interactiveAgentId
-		});
-	}
 	async compact(input) {
 		return (await this.getRpc()).beginCompaction({
 			sessionId: input.sessionId,
@@ -127644,13 +127820,6 @@ var Session = class {
 			mode
 		});
 	}
-	async getPlan() {
-		this.ensureOpen();
-		return null;
-	}
-	async clearPlan() {
-		this.ensureOpen();
-	}
 	async compact(options = {}) {
 		this.ensureOpen();
 		const instruction = normalizeOptionalString(options.instruction);
@@ -127857,7 +128026,8 @@ var ByfHarness = class {
 		this.rpc = new SDKRpcClient({
 			homeDir: options.homeDir,
 			configPath: this.configPath,
-			skillDirs: options.skillDirs
+			skillDirs: options.skillDirs,
+			runtime: options.runtime
 		});
 	}
 	configureLogging() {
@@ -127872,7 +128042,7 @@ var ByfHarness = class {
 	set interactiveAgentId(agentId) {
 		this.rpc.interactiveAgentId = agentId;
 	}
-	track(event, properties) {}
+	track(_event, _properties) {}
 	async createSession(options) {
 		const summary = await this.rpc.createSession(options);
 		const session = new Session({

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@byfriends/sdk",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "description": "Public TypeScript SDK for BYF agents and sessions",
   "license": "Proprietary",
   "author": "ByronFinn",
@@ -49,10 +49,10 @@
   },
   "devDependencies": {
     "@types/yazl": "^2.4.6",
-    "@byfriends/agent-core": "^0.3.0",
-    "@byfriends/kosong": "^0.2.3",
-    "@byfriends/kaos": "^0.2.2",
-    "@byfriends/oauth": "^0.1.1"
+    "@byfriends/agent-core": "^0.3.2",
+    "@byfriends/kosong": "^0.3.2",
+    "@byfriends/kaos": "^0.3.2",
+    "@byfriends/oauth": "^0.3.2"
   },
   "scripts": {
     "build": "tsdown && pnpm run build:dts",