@caplets/core 0.26.0 → 0.26.1

package/dist/native.js

@@ -1,4 +1,4 @@
-import { A as nativeCapletPromptGuidance, F as nativeCodeModeToolName, M as nativeCapletToolName, N as nativeCapletsSystemGuidance, P as nativeCodeModeToolId, h as createSdkRemoteCapletsClient, j as nativeCapletToolDescription, m as RemoteNativeCapletsService, t as createNativeCapletsService, v as resolveNativeCapletsServiceOptions } from "./service-rvZ7z6FI.js";
+import { A as nativeCapletPromptGuidance, F as nativeCodeModeToolName, M as nativeCapletToolName, N as nativeCapletsSystemGuidance, P as nativeCodeModeToolId, h as createSdkRemoteCapletsClient, j as nativeCapletToolDescription, m as RemoteNativeCapletsService, t as createNativeCapletsService, v as resolveNativeCapletsServiceOptions } from "./service-aBIn4nrw.js";
 import { generatedToolInputJsonSchema, generatedToolInputSchema } from "./generated-tool-input-schema.js";
 //#region src/native/process-cleanup.ts
 function registerNativeCapletsProcessCleanup(service, options = {}) {

package/dist/project-binding/errors.d.ts

@@ -1,5 +1,5 @@
 import { CapletsError } from "../errors";
-export declare const PROJECT_BINDING_ERROR_CODES: readonly ["cloud_auth_required", "cloud_auth_expired", "cloud_auth_revoked", "workspace_selection_required", "workspace_switch_required", "workspace_forbidden", "project_binding_forbidden", "endpoint_unavailable", "websocket_upgrade_required", "sync_required", "sync_failed", "sync_size_limit_exceeded", "lease_conflict", "lease_expired", "policy_denied", "usage_limit_reached", "billing_required", "subscription_past_due", "email_verification_required", "remote_credentials_required", "remote_auth_failed"];
+export declare const PROJECT_BINDING_ERROR_CODES: readonly ["cloud_auth_required", "cloud_auth_expired", "cloud_auth_revoked", "workspace_selection_required", "workspace_switch_required", "workspace_forbidden", "project_binding_forbidden", "endpoint_unavailable", "websocket_upgrade_required", "sync_required", "sync_failed", "sync_size_limit_exceeded", "lease_conflict", "lease_expired", "policy_denied", "usage_limit_reached", "billing_required", "subscription_past_due", "email_verification_required", "remote_credentials_required", "remote_credentials_revoked", "remote_auth_failed"];
 export type ProjectBindingErrorCode = (typeof PROJECT_BINDING_ERROR_CODES)[number];
 export type ProjectBindingRecovery = {
     code: ProjectBindingErrorCode;

package/dist/remote/profile-store.d.ts

@@ -16,6 +16,7 @@ export type CloudProfileLookup = {
 };
 export type SaveSelfHostedProfileInput = {
     hostUrl: string;
+    hostIdentity?: string | undefined;
     clientId: string;
     clientLabel?: string | undefined;
     credentials: RemoteProfileCredential;
@@ -23,6 +24,7 @@ export type SaveSelfHostedProfileInput = {
 };
 export type SelfHostedProfileLookup = {
     hostUrl: string;
+    hostIdentity?: string | undefined;
 };
 export type RefreshSelfHostedProfileInput = SelfHostedProfileLookup & {
     needsRefresh: (credential: RemoteProfileCredential) => boolean;

package/dist/remote/profiles.d.ts

@@ -16,6 +16,7 @@ export type RemoteProfileCredential = {
 export type RemoteProfileStatusInput = {
     kind: RemoteProfileKind;
     hostUrl: string;
+    hostIdentity?: string | undefined;
     key?: string | undefined;
     workspaceId?: string | undefined;
     workspaceSlug?: string | undefined;
@@ -31,6 +32,7 @@ export type RemoteProfileStatus = {
     kind: RemoteProfileKind;
     key: string;
     hostUrl: string;
+    hostIdentity?: string | undefined;
     workspaceId?: string | undefined;
     workspaceSlug?: string | undefined;
     clientId?: string | undefined;

package/dist/remote/server-credential-store.d.ts

@@ -1,4 +1,5 @@
-import type { IssuedRemoteClientCredentials, RemoteClientStatus, ValidatedRemoteClient } from "./server-credentials";
+import { type VaultEncryptedRecord } from "../vault/crypto";
+import type { IssuedRemoteClientCredentials, RemoteClientStatus, RemotePendingLoginStatus, RemotePendingLoginState, ValidatedRemoteClient } from "./server-credentials";
 export type RemoteServerCredentialStoreOptions = {
     dir: string;
 };
@@ -25,6 +26,29 @@ export type RefreshClientCredentialsInput = {
     refreshToken: string;
     now?: Date | undefined;
 };
+export type CreatePendingLoginInput = {
+    hostUrl: string;
+    hostIdentity?: string | undefined;
+    clientLabel?: string | undefined;
+    clientFingerprint?: string | undefined;
+    sourceHint?: string | undefined;
+    now?: Date | undefined;
+};
+export type PendingLoginPossessionInput = {
+    flowId: string;
+    pendingCompletionSecret: string;
+    now?: Date | undefined;
+};
+export type RefreshPendingLoginInput = PendingLoginPossessionInput & {
+    pendingRefreshSecret: string;
+};
+export type ApprovePendingLoginInput = {
+    operatorCode: string;
+    now?: Date | undefined;
+};
+export type CompletePendingLoginInput = PendingLoginPossessionInput & {
+    hostUrl: string;
+};
 type StoredPairingCode = {
     codeId: string;
     hostUrl: string;
@@ -49,18 +73,91 @@ type StoredRemoteClient = {
     lastUsedAt?: string | undefined;
     revokedAt?: string | undefined;
 };
+type PendingLoginStatus = RemotePendingLoginState;
+type StoredPendingLogin = {
+    flowId: string;
+    hostUrl: string;
+    hostIdentity?: string | undefined;
+    operatorCodeHash: string;
+    pendingRefreshHash: string;
+    supersededPendingRefreshHashes: SupersededRefreshToken[];
+    pendingRefreshReplay?: PendingRefreshReplay | undefined;
+    pendingCompletionHash: string;
+    completionReplay?: CompletionReplay | undefined;
+    clientLabel: string;
+    clientFingerprint?: string | undefined;
+    sourceHint?: string | undefined;
+    createdAt: string;
+    codeExpiresAt: string;
+    flowExpiresAt: string;
+    status: PendingLoginStatus;
+    operatorCodeFingerprint?: string | undefined;
+    approvedAt?: string | undefined;
+    deniedAt?: string | undefined;
+    cancelledAt?: string | undefined;
+    exchangedAt?: string | undefined;
+};
 type SupersededRefreshToken = {
     hash: string;
     supersededAt: string;
 };
+type PendingRefreshReplay = {
+    refreshHash: string;
+    expiresAt: string;
+    encryptedResponse: VaultEncryptedRecord;
+};
+type CompletionReplay = {
+    expiresAt: string;
+    encryptedCredentials: VaultEncryptedRecord;
+};
 type RemoteServerCredentialState = {
     version: 1;
     pairingCodes: StoredPairingCode[];
+    pendingLogins: StoredPendingLogin[];
     clients: StoredRemoteClient[];
 };
 export declare class RemoteServerCredentialStore {
     readonly dir: string;
     constructor(options: RemoteServerCredentialStoreOptions);
+    createPendingLogin(input: CreatePendingLoginInput): {
+        flowId: string;
+        operatorCode: string;
+        operatorCodeFingerprint: string;
+        pendingRefreshSecret: string;
+        pendingCompletionSecret: string;
+        codeExpiresAt: string;
+        flowExpiresAt: string;
+        intervalSeconds: number;
+    };
+    pollPendingLogin(input: PendingLoginPossessionInput): {
+        flowId: string;
+        status: PendingLoginStatus;
+    };
+    refreshPendingLogin(input: RefreshPendingLoginInput): {
+        flowId: string;
+        operatorCode: string;
+        operatorCodeFingerprint: string;
+        pendingRefreshSecret: string;
+        codeExpiresAt: string;
+        flowExpiresAt: string;
+        intervalSeconds: number;
+    };
+    denyPendingLogin(input: ApprovePendingLoginInput): {
+        flowId: string;
+        status: "denied";
+    };
+    cancelPendingLogin(input: PendingLoginPossessionInput): {
+        flowId: string;
+        status: "cancelled";
+    };
+    approvePendingLogin(input: ApprovePendingLoginInput): {
+        flowId: string;
+        status: "approved";
+        clientLabel: string;
+        clientFingerprint?: string | undefined;
+        sourceHint?: string | undefined;
+    };
+    completePendingLogin(input: CompletePendingLoginInput): IssuedRemoteClientCredentials;
     createPairingCode(input: CreatePairingCodeInput): {
         codeId: string;
         code: string;
@@ -68,6 +165,7 @@ export declare class RemoteServerCredentialStore {
     };
     exchangePairingCode(input: ExchangePairingCodeInput): IssuedRemoteClientCredentials;
     listClients(): RemoteClientStatus[];
+    listPendingLogins(now?: Date): RemotePendingLoginStatus[];
     revokeClient(clientId: string, now?: Date): boolean;
     validateAccessToken(input: ValidateAccessTokenInput): ValidatedRemoteClient;
     refreshClientCredentials(input: RefreshClientCredentialsInput): IssuedRemoteClientCredentials;
@@ -80,5 +178,6 @@ export declare class RemoteServerCredentialStore {
     private acquireLock;
     private releaseLock;
     private clearStaleLock;
+    private pendingLoginForCompletion;
 }
 export {};

package/dist/remote/server-credentials.d.ts

@@ -16,6 +16,24 @@ export type RemoteClientStatus = {
     lastUsedAt?: string | undefined;
     revokedAt?: string | undefined;
 };
+export type RemotePendingLoginState = "pending" | "approved" | "denied" | "cancelled" | "expired" | "exchanged";
+export type RemotePendingLoginStatus = {
+    flowId: string;
+    hostUrl: string;
+    hostIdentity?: string | undefined;
+    status: RemotePendingLoginState;
+    operatorCodeFingerprint?: string | undefined;
+    clientLabel: string;
+    clientFingerprint?: string | undefined;
+    sourceHint?: string | undefined;
+    createdAt: string;
+    codeExpiresAt: string;
+    flowExpiresAt: string;
+    approvedAt?: string | undefined;
+    deniedAt?: string | undefined;
+    cancelledAt?: string | undefined;
+    exchangedAt?: string | undefined;
+};
 export type ValidatedRemoteClient = RemoteClientStatus & {
     tokenType: "Bearer";
 };

package/dist/serve/http.d.ts

@@ -35,6 +35,11 @@ export declare function servicePaths(base: string): {
     attachInvoke: string;
     projectBindings: string;
     pairingExchange: string;
+    remoteLoginStart: string;
+    remoteLoginPoll: string;
+    remoteLoginRefresh: string;
+    remoteLoginComplete: string;
+    remoteLoginCancel: string;
     remoteRefresh: string;
     remoteClient: string;
     health: string;

package/dist/{service-rvZ7z6FI.js → service-aBIn4nrw.js}

@@ -1,5 +1,5 @@
 import { A as safeParseAsync$1, C as toJSONSchema, D as parse$3, E as $ZodType, F as NEVER, M as defineLazy, N as normalizeParams, O as parseAsync, P as $constructor, S as datetime, T as $ZodObject, _ as record, a as any, b as unknown, c as custom, d as literal, f as looseObject, g as preprocess, h as optional, i as _null, j as clone, k as safeParse$1, l as discriminatedUnion, m as object$1, o as array, p as number$1, r as _enum, s as boolean, t as ZodNumber$1, u as intersection, v as string, w as _coercedNumber, x as url, y as union } from "./schemas-BoqMu4MG.js";
-import { a as isAllowedHttpBaseUrl, c as validateHttpActionHeaders, d as errorResult, f as redactSecrets, i as SERVER_ID_PATTERN, n as HEADER_NAME_PATTERN, o as isAllowedRemoteUrl, p as toSafeError, r as HTTP_BASE_URL_PATTERN, s as isUrl, t as FORBIDDEN_HEADERS, u as CapletsError } from "./validation-C4tYXw6G.js";
+import { a as isAllowedHttpBaseUrl, c as validateHttpActionHeaders, d as errorResult, f as redactSecrets, i as SERVER_ID_PATTERN, n as HEADER_NAME_PATTERN, o as isAllowedRemoteUrl, p as toSafeError, r as HTTP_BASE_URL_PATTERN, s as isUrl, t as FORBIDDEN_HEADERS, u as CapletsError } from "./validation-GD2x5HW1.js";
 import { generatedToolInputJsonSchema, generatedToolInputJsonSchemaForCaplet, generatedToolInputSchemaForCaplet, mcpOperations, operations } from "./generated-tool-input-schema.js";
 import { f as observedOutputShapeKey, i as observeOutputShape, r as normalizedObservableValue, t as usefulOutputSchema, u as FileObservedOutputShapeStore } from "./observed-output-shapes-DuP7mJQf.js";
 import { createRequire } from "node:module";
@@ -64028,7 +64028,7 @@ var CapletsEngine = class {
 		}
 	}
 	async completeCliWords(words) {
-		const { completeCliWords } = await import("./completion-DaYL-XQN.js").then((n) => n.r);
+		const { completeCliWords } = await import("./completion-CFOJucl5.js").then((n) => n.r);
 		return await completeCliWords(words, {
 			config: this.registry.config,
 			managers: {
@@ -81700,13 +81700,16 @@ function isAuthFailure(error) {
 }
 function isPermanentRemoteCredentialsError(error) {
 	const candidate = error;
-	if (candidate?.projectBindingCode === "remote_credentials_required" || candidate?.projectBindingCode === "remote_auth_failed") return true;
+	if (isPermanentRemoteCredentialsCode(candidate?.projectBindingCode)) return true;
 	if (isPlainObject(candidate?.details)) {
 		const code = candidate.details.code;
-		if (code === "remote_credentials_required" || code === "remote_auth_failed") return true;
+		if (isPermanentRemoteCredentialsCode(code)) return true;
 	}
 	return isAuthFailure(error);
 }
+function isPermanentRemoteCredentialsCode(code) {
+	return code === "remote_credentials_required" || code === "remote_credentials_revoked" || code === "remote_auth_failed";
+}
 //#endregion
 //#region src/cloud-auth/errors.ts
 const SECRET_PATTERN = /(cap_access_[a-z0-9._~+/=-]+|cap_refresh_[a-z0-9._~+/=-]+|one_time_code_[a-z0-9._~+/=-]+|Bearer\s+)[^\s"]*/giu;
@@ -81869,6 +81872,7 @@ const PROJECT_BINDING_ERROR_CODES = [
 	"subscription_past_due",
 	"email_verification_required",
 	"remote_credentials_required",
+	"remote_credentials_revoked",
 	"remote_auth_failed"
 ];
 var ProjectBindingError = class extends CapletsError {
@@ -81902,6 +81906,7 @@ function recoveryCommandFor(code) {
 		case "workspace_switch_required": return "caplets remote login <cloud-url> --workspace <workspace>";
 		case "sync_size_limit_exceeded": return "Add exclusions to .capletsignore or upgrade the workspace plan.";
 		case "remote_credentials_required":
+		case "remote_credentials_revoked":
 		case "remote_auth_failed": return "caplets remote login <url>";
 		case "endpoint_unavailable":
 		case "websocket_upgrade_required": return "caplets doctor";
@@ -82079,6 +82084,7 @@ function remoteProfileStatus(input) {
 		kind: input.kind,
 		key,
 		hostUrl,
+		...input.hostIdentity ? { hostIdentity: input.hostIdentity } : {},
 		...input.workspaceId ? { workspaceId: input.workspaceId } : {},
 		...input.workspaceSlug ? { workspaceSlug: input.workspaceSlug } : {},
 		...input.clientId ? { clientId: input.clientId } : {},
@@ -82136,7 +82142,9 @@ var FileRemoteProfileStore = class {
 			kind: "self-hosted",
 			hostUrl: normalizeRemoteProfileHostUrl(input.hostUrl)
 		});
-		return this.statusByKey(key, false);
+		const status = await this.statusByKey(key, false);
+		assertHostIdentityMatches(status, input.hostIdentity);
+		return status;
 	}
 	async logoutSelfHostedProfile(input) {
 		return await this.withMutationLock(async () => {
@@ -82205,7 +82213,7 @@ var FileRemoteProfileStore = class {
 		}
 		const selected = this.readSelectedWorkspace(hostUrl);
 		if (selected) return this.statusByKey(selected.profileKey, true);
-		if (this.listProfilesForHost(hostUrl).length > 0) throw new CapletsError("REQUEST_INVALID", "Cloud Remote Profile requires a selected or explicit workspace.");
+		if (this.listProfilesForHost(hostUrl).length > 0) throw cloudWorkspaceAmbiguityError();
 		return this.migrateLegacyCloudProfile(hostUrl);
 	}
 	async listCloudProfileStatuses(hostUrlInput) {
@@ -82233,7 +82241,7 @@ var FileRemoteProfileStore = class {
 			let key;
 			if (workspace) key = this.listProfilesForHost(hostUrl).find((profile) => profileMatchesWorkspace(profile, workspace))?.key;
 			else if (selected) key = selected.profileKey;
-			else if (this.listProfilesForHost(hostUrl).length > 0) throw new CapletsError("REQUEST_INVALID", "Cloud Remote Profile requires a selected or explicit workspace.");
+			else if (this.listProfilesForHost(hostUrl).length > 0) throw cloudWorkspaceAmbiguityError();
 			if (!key) return false;
 			const profile = this.readProfile(key);
 			await this.credentials.delete(key);
@@ -82273,7 +82281,7 @@ var FileRemoteProfileStore = class {
 		else {
 			const selected = this.readSelectedWorkspace(hostUrl);
 			if (selected) status = await this.statusByKey(selected.profileKey, true);
-			else if (this.listProfilesForHost(hostUrl).length > 0) throw new CapletsError("REQUEST_INVALID", "Cloud Remote Profile requires a selected or explicit workspace.");
+			else if (this.listProfilesForHost(hostUrl).length > 0) throw cloudWorkspaceAmbiguityError();
 		}
 		if (!status) return void 0;
 		const credential = await this.credentials.load(status.key);
@@ -82326,6 +82334,7 @@ var FileRemoteProfileStore = class {
 			kind: profile.kind,
 			key: profile.key,
 			hostUrl: profile.hostUrl,
+			hostIdentity: profile.hostIdentity,
 			workspaceId: profile.workspaceId,
 			workspaceSlug: profile.workspaceSlug,
 			clientId: profile.clientId,
@@ -82346,11 +82355,13 @@ var FileRemoteProfileStore = class {
 		});
 		const now = (input.now ?? /* @__PURE__ */ new Date()).toISOString();
 		const existing = this.readProfile(key);
+		const hostIdentity = input.hostIdentity ?? existing?.hostIdentity;
 		const profile = {
 			version: 1,
 			kind: "self-hosted",
 			key,
 			hostUrl,
+			...hostIdentity ? { hostIdentity } : {},
 			clientId: input.clientId,
 			...input.clientLabel ? { clientLabel: input.clientLabel } : {},
 			createdAt: existing?.createdAt ?? now,
@@ -82523,6 +82534,14 @@ function legacyCredential(credentials) {
 		...credentials.tokenType ? { tokenType: credentials.tokenType } : {}
 	};
 }
+function assertHostIdentityMatches(status, expectedHostIdentity) {
+	if (!status || !expectedHostIdentity || !status.hostIdentity) return;
+	if (status.hostIdentity === expectedHostIdentity) return;
+	throw new CapletsError("AUTH_FAILED", "Remote Profile belongs to a different host identity.");
+}
+function cloudWorkspaceAmbiguityError() {
+	return new CapletsError("REQUEST_INVALID", "Cloud Remote Profile requires a selected or explicit workspace.", { reason: "cloud_workspace_ambiguous" });
+}
 function parseStoredRemoteProfile(value) {
 	if (!isRecord$1(value)) return void 0;
 	if (value.version !== 1) return void 0;
@@ -82535,6 +82554,7 @@ function parseStoredRemoteProfile(value) {
 		kind: value.kind,
 		key: value.key,
 		hostUrl: value.hostUrl,
+		...typeof value.hostIdentity === "string" ? { hostIdentity: value.hostIdentity } : {},
 		...typeof value.workspaceId === "string" ? { workspaceId: value.workspaceId } : {},
 		...typeof value.workspaceSlug === "string" ? { workspaceSlug: value.workspaceSlug } : {},
 		...typeof value.clientId === "string" ? { clientId: value.clientId } : {},
@@ -82621,11 +82641,11 @@ async function resolveRemoteSelection(input = {}, env = process.env) {
 	const explicitWorkspace = input.workspace ?? (workspaceFromRemoteUrl ? void 0 : env.CAPLETS_REMOTE_WORKSPACE);
 	const profileWorkspace = workspaceFromRemoteUrl ?? explicitWorkspace;
 	const normalizedRemoteUrl = normalizeRemoteProfileHostUrl(remoteUrl);
-	let status = await store.getCloudProfileStatus({
+	let status = await getCloudProfileStatusForSelection(store, {
 		hostUrl: normalizedRemoteUrl,
 		workspace: profileWorkspace
 	});
-	if (!status && profileWorkspace) status = await store.getCloudProfileStatus({ hostUrl: normalizedRemoteUrl });
+	if (!status && profileWorkspace) status = await getCloudProfileStatusForSelection(store, { hostUrl: normalizedRemoteUrl });
 	let credential = status ? await store.credentials.load(status.key) : void 0;
 	if (!status || !credential?.accessToken) throw projectBindingError("cloud_auth_required");
 	let credentials = cloudCredentialsFromRemoteProfile(status, credential);
@@ -82703,7 +82723,7 @@ async function refreshSelfHostedCredentials(remoteUrl, refreshToken, options) {
 }
 async function selfHostedRefreshError(remoteUrl, response) {
 	const summary = await parseSelfHostedRefreshError(response);
-	if (response.status === 401 || summary?.code === "AUTH_FAILED") return remoteLoginRequired(remoteUrl);
+	if (response.status === 401 || summary?.code === "AUTH_FAILED" || summary?.code === "REMOTE_CREDENTIALS_REVOKED") return selfHostedRefreshLooksRevoked(summary) ? remoteLoginRevoked(remoteUrl) : remoteLoginRequired(remoteUrl);
 	if (response.status === 503 || summary?.code === "SERVER_UNAVAILABLE") return new CapletsError("SERVER_UNAVAILABLE", summary?.message ?? "Remote credential refresh is temporarily unavailable.");
 	return new CapletsError("AUTH_REFRESH_FAILED", summary?.message ?? `Remote credential refresh failed with HTTP ${response.status}.`);
 }
@@ -82749,6 +82769,30 @@ function remoteLoginRequired(remoteUrl) {
 		recoveryCommand: `caplets remote login ${normalizeRemoteProfileHostUrl(remoteUrl)}`
 	});
 }
+function remoteLoginRevoked(remoteUrl) {
+	const normalizedUrl = normalizeRemoteProfileHostUrl(remoteUrl);
+	return new ProjectBindingError({
+		code: "remote_credentials_revoked",
+		message: `Remote credentials for ${normalizedUrl} were revoked or rejected. Run Remote Login again and ask the server operator to approve the pending login.`,
+		recoveryCommand: `caplets remote login ${normalizedUrl}`
+	});
+}
+function selfHostedRefreshLooksRevoked(summary) {
+	if (summary?.code === "REMOTE_CREDENTIALS_REVOKED") return true;
+	return /revoked|rejected|stale/iu.test(summary?.message ?? "");
+}
+async function getCloudProfileStatusForSelection(store, input) {
+	try {
+		return await store.getCloudProfileStatus(input);
+	} catch (error) {
+		if (isCloudWorkspaceAmbiguity(error)) throw projectBindingError("workspace_switch_required", "Cloud Remote Profile requires a selected or explicit workspace.");
+		throw error;
+	}
+}
+function isCloudWorkspaceAmbiguity(error) {
+	const details = error instanceof CapletsError ? error.details : void 0;
+	return error instanceof CapletsError && error.code === "REQUEST_INVALID" && typeof details === "object" && details !== null && !Array.isArray(details) && details.reason === "cloud_workspace_ambiguous";
+}
 async function parseSelfHostedRefreshCredentials(response) {
 	const parsed = await response.json();
 	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new CapletsError("DOWNSTREAM_PROTOCOL_ERROR", "Remote refresh response must be an object.");
@@ -83547,4 +83591,4 @@ function errorMessage(error) {
 	return error instanceof Error ? error.message : String(error);
 }
 //#endregion
-export { resolveExposure as $, CallToolRequestSchema as $t, nativeCapletPromptGuidance as A, getLiteralValue as An, startOAuthFlow as At, CodeModeSessionManager as B, __exportAll as Bn, defaultStateBaseDir as Bt, resolveHostedCloudRemote as C, SetLevelRequestSchema as Cn, hasRenderableStructuredContent as Ct, isLoopbackHost as D, isJSONRPCErrorResponse as Dn, runGenericOAuthFlow as Dt, controlUrlForBase as E, isInitializeRequest as En, refreshOAuthTokenBundle as Et, nativeCodeModeToolName as F, isZ4Schema as Fn, DEFAULT_COMPLETION_CACHE_DIR as Ft, CodeModeJournalStore as G, ReadBuffer as Gt, diagnoseCodeModeTypeScript as H, resolveConfigPath as Ht, codeModeRunInputSchema as I, normalizeObjectSchema as In, DEFAULT_OBSERVED_OUTPUT_SHAPE_CACHE_DIR as It, codeModeDeclarationHash as J, assertToolsCallTaskCapability as Jt, CodeModeLogStore as K, serializeMessage as Kt, codeModeRunParamsSchema as L, objectFromShape as Ln, defaultCacheBaseDir as Lt, nativeCapletToolName as M, getParseErrorMessage as Mn, isTokenBundleExpired as Mt, nativeCapletsSystemGuidance as N, getSchemaDescription as Nn, readTokenBundle as Nt, parseServerBaseUrl as O, isJSONRPCRequest as On, runOAuthFlow as Ot, nativeCodeModeToolId as P, isSchemaOptional as Pn, DEFAULT_AUTH_DIR as Pt, CapletsEngine as Q, toJsonSchemaCompat as Qt, emptyCodeModeRunMeta as R, safeParse as Rn, defaultConfigBaseDir as Rt, resolveCapletsRemote as S, SUPPORTED_PROTOCOL_VERSIONS as Sn, loadCapletFilesFromMap as St, appendBasePath as T, assertCompleteRequestResourceTemplate as Tn, markdownStructuredContent as Tt, createCodeModeCapletsApi as U, resolveProjectCapletsRoot as Ut, QuickJsCodeModeSandbox as V, resolveCapletsRoot as Vt, listCodeModeCallableCaplets as W, resolveProjectConfigPath as Wt, generateCodeModeRunToolDescription as X, Protocol as Xt, generateCodeModeDeclarations as Y, AjvJsonSchemaValidator as Yt, minifyCodeModeDeclarationText as Z, mergeCapabilities as Zt, CapletsCloudClient as _, ListRootsResultSchema as _n, FileVaultStore as _t, CloudAuthStore as a, DEFAULT_NEGOTIATED_PROTOCOL_VERSION as an, ServerRegistry as at, isCapletsCloudUrl as b, McpError as bn, discoverCapletFiles as bt, redactedCloudAuthStatus as c, ErrorCode as cn, loadConfig as ct, projectBindingError as d, InitializedNotificationSchema as dn, loadLocalOverlayConfigWithSources as dt, CallToolResultSchema as en, decodeDirectResourceUri as et, projectBindingRecovery as f, JSONRPCMessageSchema as fn, loadProjectConfig as ft, buildProjectSyncManifest as g, ListResourcesRequestSchema as gn, vaultStoreForAuthDir as gt, createSdkRemoteCapletsClient as h, ListResourceTemplatesRequestSchema as hn, vaultResolverForAuthDir as ht, createRemoteProfileStore as i, CreateTaskResultSchema as in, handleServerTool as it, nativeCapletToolDescription as j, getObjectShape as jn, deleteTokenBundle as jt, resolveCapletsServer as k, isJSONRPCResultResponse as kn, startGenericOAuthFlow as kt, PROJECT_BINDING_ERROR_CODES as l, GetPromptRequestSchema as ln, loadConfigWithSources as lt, RemoteNativeCapletsService as m, ListPromptsRequestSchema as mn, vaultBootstrapResolver as mt, resolveRemoteSelection as n, CreateMessageResultSchema as nn, findProjectRoot as nt, cloudAuthPath as o, ElicitResultSchema as on, capabilityDescription as ot, CloudAuthClient as p, LATEST_PROTOCOL_VERSION as pn, parseConfig as pt, redactCodeModeLogText as q, assertClientRequestTaskCapability as qt, cloudCredentialsFromRemoteProfile as r, CreateMessageResultWithToolsSchema as rn, fingerprintProjectRoot as rt, migrateCredentials as s, EmptyResultSchema as sn, GoogleDiscoveryManager as st, createNativeCapletsService as t, CompleteRequestSchema as tn, directResourceUriMatchesTemplate as tt, ProjectBindingError as u, InitializeRequestSchema as un, loadGlobalConfig as ut, resolveNativeCapletsServiceOptions as v, ListToolsRequestSchema as vn, VAULT_MAX_VALUE_BYTES as vt, resolveRemoteMode as w, assertCompleteRequestPrompt as wn, markdownCallToolResultContent as wt, normalizeRemoteProfileHostUrl as x, ReadResourceRequestSchema as xn, validateCapletFile as xt, hostedCloudWorkspaceFromRemoteUrl as y, LoggingLevelSchema as yn, validateVaultKeyName as yt, runCodeMode as z, safeParseAsync as zn, defaultConfigPath as zt };
+export { resolveExposure as $, mergeCapabilities as $t, nativeCapletPromptGuidance as A, isJSONRPCRequest as An, runOAuthFlow as At, CodeModeSessionManager as B, safeParse as Bn, defaultConfigBaseDir as Bt, resolveHostedCloudRemote as C, ReadResourceRequestSchema as Cn, validateCapletFile as Ct, isLoopbackHost as D, assertCompleteRequestResourceTemplate as Dn, markdownStructuredContent as Dt, controlUrlForBase as E, assertCompleteRequestPrompt as En, markdownCallToolResultContent as Et, nativeCodeModeToolName as F, getSchemaDescription as Fn, readTokenBundle as Ft, CodeModeJournalStore as G, resolveProjectCapletsRoot as Gt, diagnoseCodeModeTypeScript as H, __exportAll as Hn, defaultStateBaseDir as Ht, codeModeRunInputSchema as I, isSchemaOptional as In, DEFAULT_AUTH_DIR as It, codeModeDeclarationHash as J, serializeMessage as Jt, CodeModeLogStore as K, resolveProjectConfigPath as Kt, codeModeRunParamsSchema as L, isZ4Schema as Ln, DEFAULT_COMPLETION_CACHE_DIR as Lt, nativeCapletToolName as M, getLiteralValue as Mn, startOAuthFlow as Mt, nativeCapletsSystemGuidance as N, getObjectShape as Nn, deleteTokenBundle as Nt, parseServerBaseUrl as O, isInitializeRequest as On, refreshOAuthTokenBundle as Ot, nativeCodeModeToolId as P, getParseErrorMessage as Pn, isTokenBundleExpired as Pt, CapletsEngine as Q, Protocol as Qt, emptyCodeModeRunMeta as R, normalizeObjectSchema as Rn, DEFAULT_OBSERVED_OUTPUT_SHAPE_CACHE_DIR as Rt, resolveCapletsRemote as S, McpError as Sn, discoverCapletFiles as St, appendBasePath as T, SetLevelRequestSchema as Tn, hasRenderableStructuredContent as Tt, createCodeModeCapletsApi as U, resolveCapletsRoot as Ut, QuickJsCodeModeSandbox as V, safeParseAsync as Vn, defaultConfigPath as Vt, listCodeModeCallableCaplets as W, resolveConfigPath as Wt, generateCodeModeRunToolDescription as X, assertToolsCallTaskCapability as Xt, generateCodeModeDeclarations as Y, assertClientRequestTaskCapability as Yt, minifyCodeModeDeclarationText as Z, AjvJsonSchemaValidator as Zt, CapletsCloudClient as _, ListResourceTemplatesRequestSchema as _n, FileVaultStore as _t, CloudAuthStore as a, CreateMessageResultWithToolsSchema as an, ServerRegistry as at, isCapletsCloudUrl as b, ListToolsRequestSchema as bn, decryptVaultValue as bt, redactedCloudAuthStatus as c, ElicitResultSchema as cn, loadConfig as ct, projectBindingError as d, GetPromptRequestSchema as dn, loadLocalOverlayConfigWithSources as dt, toJsonSchemaCompat as en, decodeDirectResourceUri as et, projectBindingRecovery as f, InitializeRequestSchema as fn, loadProjectConfig as ft, buildProjectSyncManifest as g, ListPromptsRequestSchema as gn, vaultStoreForAuthDir as gt, createSdkRemoteCapletsClient as h, LATEST_PROTOCOL_VERSION as hn, vaultResolverForAuthDir as ht, createRemoteProfileStore as i, CreateMessageResultSchema as in, handleServerTool as it, nativeCapletToolDescription as j, isJSONRPCResultResponse as jn, startGenericOAuthFlow as jt, resolveCapletsServer as k, isJSONRPCErrorResponse as kn, runGenericOAuthFlow as kt, PROJECT_BINDING_ERROR_CODES as l, EmptyResultSchema as ln, loadConfigWithSources as lt, RemoteNativeCapletsService as m, JSONRPCMessageSchema as mn, vaultBootstrapResolver as mt, resolveRemoteSelection as n, CallToolResultSchema as nn, findProjectRoot as nt, cloudAuthPath as o, CreateTaskResultSchema as on, capabilityDescription as ot, CloudAuthClient as p, InitializedNotificationSchema as pn, parseConfig as pt, redactCodeModeLogText as q, ReadBuffer as qt, cloudCredentialsFromRemoteProfile as r, CompleteRequestSchema as rn, fingerprintProjectRoot as rt, migrateCredentials as s, DEFAULT_NEGOTIATED_PROTOCOL_VERSION as sn, GoogleDiscoveryManager as st, createNativeCapletsService as t, CallToolRequestSchema as tn, directResourceUriMatchesTemplate as tt, ProjectBindingError as u, ErrorCode as un, loadGlobalConfig as ut, resolveNativeCapletsServiceOptions as v, ListResourcesRequestSchema as vn, VAULT_MAX_VALUE_BYTES as vt, resolveRemoteMode as w, SUPPORTED_PROTOCOL_VERSIONS as wn, loadCapletFilesFromMap as wt, normalizeRemoteProfileHostUrl as x, LoggingLevelSchema as xn, encryptVaultValue as xt, hostedCloudWorkspaceFromRemoteUrl as y, ListRootsResultSchema as yn, validateVaultKeyName as yt, runCodeMode as z, objectFromShape as zn, defaultCacheBaseDir as zt };

package/dist/{validation-C4tYXw6G.js → validation-GD2x5HW1.js}

@@ -35,6 +35,7 @@ const CAPLETS_ERROR_CODES = [
 	"TOOL_CALL_TIMEOUT",
 	"AUTH_REQUIRED",
 	"AUTH_FAILED",
+	"REMOTE_CREDENTIALS_REVOKED",
 	"AUTH_REFRESH_FAILED",
 	"DOWNSTREAM_PROTOCOL_ERROR",
 	"DOWNSTREAM_TOOL_ERROR",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@caplets/core",
-  "version": "0.26.0",
+  "version": "0.26.1",
   "description": "Core runtime library for Caplets Code Mode and progressive disclosure gateways.",
   "keywords": [
     "caplets",