@elizaos/app-core 2.0.0-alpha.413 → 2.0.0-alpha.414

package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.js

@@ -1,6 +1,11 @@
 /**
  * Anthropic OAuth (Claude Pro/Max) — authorization code + PKCE.
  * Inlined OAuth flow (MIT) — vendored to avoid a runtime dependency.
+ *
+ * Anthropic's OAuth uses a fixed redirect URI on `console.anthropic.com`
+ * that displays the auth code on completion — there's no loopback
+ * listener. The flow surfaces an `authUrl` plus a `submitCode()` hook
+ * the UI / CLI calls once the user has copied the code.
  */
 import { generatePKCE } from "./pkce.js";
 const decode = (s) => atob(s);
@@ -10,10 +15,11 @@ const TOKEN_URL = "https://console.anthropic.com/v1/oauth/token";
 const REDIRECT_URI = "https://console.anthropic.com/oauth/code/callback";
 const SCOPES = "org:create_api_key user:profile user:inference";
 /**
- * @param onAuthUrl - Receives the browser authorization URL
- * @param onPromptCode - Resolves with pasted code (format: code#state)
+ * Start an Anthropic OAuth flow. Returns immediately with the auth
+ * URL and a `submitCode` hook. The token exchange happens inside
+ * `completion` once the caller submits the code.
  */
-export async function loginAnthropic(onAuthUrl, onPromptCode) {
+export async function startAnthropicOAuthFlowRaw() {
     const { verifier, challenge } = await generatePKCE();
     const authParams = new URLSearchParams({
         code: "true",
@@ -26,35 +32,64 @@ export async function loginAnthropic(onAuthUrl, onPromptCode) {
         state: verifier,
     });
     const authUrl = `${AUTHORIZE_URL}?${authParams.toString()}`;
-    onAuthUrl(authUrl);
-    const authCode = await onPromptCode();
-    const splits = authCode.split("#");
-    const code = splits[0];
-    const state = splits[1];
-    const tokenResponse = await fetch(TOKEN_URL, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({
-            grant_type: "authorization_code",
-            client_id: CLIENT_ID,
-            code,
-            state,
-            redirect_uri: REDIRECT_URI,
-            code_verifier: verifier,
-        }),
+    let resolveCode = null;
+    let rejectCode = null;
+    const codePromise = new Promise((resolve, reject) => {
+        resolveCode = resolve;
+        rejectCode = reject;
     });
-    if (!tokenResponse.ok) {
-        const errText = await tokenResponse.text();
-        throw new Error(`Token exchange failed: ${errText}`);
-    }
-    const tokenData = (await tokenResponse.json());
-    const expiresAt = Date.now() + tokenData.expires_in * 1000 - 5 * 60 * 1000;
+    const completion = (async () => {
+        const authCode = await codePromise;
+        const splits = authCode.split("#");
+        const code = splits[0];
+        const state = splits[1];
+        const tokenResponse = await fetch(TOKEN_URL, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                grant_type: "authorization_code",
+                client_id: CLIENT_ID,
+                code,
+                state,
+                redirect_uri: REDIRECT_URI,
+                code_verifier: verifier,
+            }),
+        });
+        if (!tokenResponse.ok) {
+            const errText = await tokenResponse.text();
+            throw new Error(`Token exchange failed: ${errText}`);
+        }
+        const tokenData = (await tokenResponse.json());
+        const expiresAt = Date.now() + tokenData.expires_in * 1000 - 5 * 60 * 1000;
+        return {
+            refresh: tokenData.refresh_token,
+            access: tokenData.access_token,
+            expires: expiresAt,
+        };
+    })();
     return {
-        refresh: tokenData.refresh_token,
-        access: tokenData.access_token,
-        expires: expiresAt,
+        authUrl,
+        submitCode: (code) => resolveCode?.(code),
+        completion,
+        cancel: (reason = "Cancelled") => rejectCode?.(new Error(reason)),
     };
 }
+/**
+ * @param onAuthUrl - Receives the browser authorization URL
+ * @param onPromptCode - Resolves with pasted code (format: code#state)
+ *
+ * Thin compatibility wrapper around `startAnthropicOAuthFlowRaw` for
+ * the CLI entrypoint and any older callers. New code should use
+ * `startAnthropicOAuthFlowRaw` (or the higher-level
+ * `startAnthropicOAuthFlow` in `auth/oauth-flow.ts`) directly.
+ */
+export async function loginAnthropic(onAuthUrl, onPromptCode) {
+    const handle = await startAnthropicOAuthFlowRaw();
+    onAuthUrl(handle.authUrl);
+    const code = await onPromptCode();
+    handle.submitCode(code);
+    return handle.completion;
+}
 export async function refreshAnthropicToken(refreshToken) {
     const response = await fetch(TOKEN_URL, {
         method: "POST",

package/packages/agent/src/config/schema.js

@@ -413,7 +413,7 @@ const FIELD_HELP = {
     "diagnostics.cacheTrace.includePrompt": "Include prompt text in trace output (default: true).",
     "diagnostics.cacheTrace.includeSystem": "Include system prompt in trace output (default: true).",
     "tools.exec.applyPatch.enabled": "Experimental. Enables apply_patch for OpenAI models when allowed by tool policy.",
-    "tools.exec.applyPatch.allowModels": 'Optional allowlist of model ids (e.g. "gpt-5.4" or "openai/gpt-5.4").',
+    "tools.exec.applyPatch.allowModels": 'Optional allowlist of model ids (e.g. "gpt-5.5" or "openai/gpt-5.5").',
     "tools.exec.notifyOnExit": "When true (default), backgrounded exec sessions enqueue a system event and request a heartbeat on exit.",
     "tools.exec.pathPrepend": "Directories to prepend to PATH for exec runs (gateway/sandbox).",
     "tools.exec.safeBins": "Allow stdin-only safe binaries to run without explicit allowlist entries.",

package/packages/agent/src/config/types.messages.d.ts

@@ -123,7 +123,7 @@ export type MessagesConfig = {
      * - special value: `"auto"` derives `[{agents.list[].identity.name}]` for the routed agent (when set)
      *
      * Supported template variables (case-insensitive):
-     * - `{model}` - short model name (e.g., `claude-opus-4-7`, `gpt-5.4`)
+     * - `{model}` - short model name (e.g., `claude-opus-4-7`, `gpt-5.5`)
      * - `{modelFull}` - full model identifier (e.g., `anthropic/claude-opus-4.7`)
      * - `{provider}` - provider name (e.g., `anthropic`, `openai`)
      * - `{thinkingLevel}` or `{think}` - current thinking level (`high`, `low`, `off`)

package/packages/agent/src/config/types.tools.d.ts

@@ -141,7 +141,7 @@ export type ExecToolConfig = {
         enabled?: boolean;
         /**
          * Optional allowlist of model ids that can use apply_patch.
-         * Accepts either raw ids (e.g. "gpt-5.4") or full ids (e.g. "openai/gpt-5.4").
+         * Accepts either raw ids (e.g. "gpt-5.5") or full ids (e.g. "openai/gpt-5.5").
          */
         allowModels?: string[];
     };

package/packages/agent/src/runtime/eliza.js

@@ -464,8 +464,8 @@ function isLikelyOpenAiTextModel(value) {
  * Normalize known-bad provider compatibility shims before plugin resolution.
  *
  * A common failure mode is routing the OpenAI plugin through Groq's
- * OpenAI-compatible base URL while leaving OpenAI defaults (`gpt-5.4`,
- * `gpt-5.4-mini`) in place. Structured XML/object generation then fails during
+ * OpenAI-compatible base URL while leaving OpenAI defaults (`gpt-5.5`,
+ * `gpt-5.5-mini`) in place. Structured XML/object generation then fails during
  * message handling because Groq does not serve those model IDs.
  *
  * When we can confidently detect that state, rewrite the effective runtime
@@ -1036,7 +1036,7 @@ export function applyCloudConfigToEnv(config) {
     const llmText = resolveServiceRoutingInConfig(config)?.llmText;
     const models = config.models;
     if (effectivelyEnabled) {
-        const nano = llmText?.nanoModel || models?.nano || "openai/gpt-5.4-nano";
+        const nano = llmText?.nanoModel || models?.nano || "openai/gpt-5.5-nano";
         const small = llmText?.smallModel || models?.small || "minimax/minimax-m2.7";
         const medium = llmText?.mediumModel || models?.medium || small;
         const large = llmText?.largeModel || models?.large || "anthropic/claude-opus-4-7";

package/packages/app-core/src/components/conversations/conversation-utils.js

@@ -104,10 +104,10 @@ export function isNonChatModelLabel(model) {
 export function estimateTokenCost(promptTokens, completionTokens, model) {
     const normalizedModel = (model ?? "").toLowerCase();
     const pricingByMillion = {
-        "gpt-5.4-pro": [30.0, 180.0],
-        "gpt-5.4-mini": [0.75, 4.5],
-        "gpt-5.4-nano": [0.2, 1.25],
-        "gpt-5.4": [2.5, 15.0],
+        "gpt-5.5-pro": [30.0, 180.0],
+        "gpt-5.5-mini": [0.75, 4.5],
+        "gpt-5.5-nano": [0.2, 1.25],
+        "gpt-5.5": [2.5, 15.0],
         "gpt-4.1": [2.0, 8.0],
         "gpt-4o": [2.5, 10.0],
         "gpt-4": [30.0, 60.0],

package/packages/app-core/src/components/settings/ProviderSwitcher.js

@@ -168,7 +168,7 @@ export function ProviderSwitcher(props = {}) {
                 const providerId = getOnboardingProviderOption(llmText?.backend)?.id;
                 const elizaCloudEnabledCfg = llmText?.transport === "cloud-proxy" && providerId === "elizacloud";
                 const defaults = {
-                    nano: "openai/gpt-5.4-nano",
+                    nano: "openai/gpt-5.5-nano",
                     small: "minimax/minimax-m2.7",
                     medium: "anthropic/claude-sonnet-4.6",
                     large: "moonshotai/kimi-k2.5",

package/packages/app-core/src/services/account-pool.d.ts

@@ -0,0 +1,91 @@
+/**
+ * Multi-account selection brain.
+ *
+ * Owns the runtime decision "which `LinkedAccountConfig` should serve this
+ * request?" given a strategy (priority / round-robin / least-used /
+ * quota-aware), session affinity, and per-account health state.
+ *
+ * The pool never reads OAuth credentials directly — callers resolve them
+ * via `getAccessToken(providerId, accountId)` from `@elizaos/agent` once
+ * the pool returns an account. Health, priority, and usage live in this
+ * layer; the OAuth blob lives under `~/.eliza/auth/` (see WS1's
+ * `account-storage.ts`).
+ *
+ * Persistence: the pool layers rich metadata (priority, enabled, health,
+ * usage) on top of WS1's credential records. The metadata is written to
+ * `<ELIZA_HOME>/auth/_pool-metadata.json` atomically so it survives
+ * process restarts and is independent of WS3's eventual `milady.json`
+ * field — when WS3 lands its CRUD API on top of `LinkedAccountsConfig`
+ * we can swap `createDefaultAccountPool()`'s deps without touching the
+ * pool itself.
+ */
+import type { LinkedAccountConfig, LinkedAccountProviderId, LinkedAccountsConfig } from "@elizaos/shared";
+export type Strategy = "priority" | "round-robin" | "least-used" | "quota-aware";
+export type PoolProviderId = LinkedAccountProviderId | "anthropic-api" | "openai-api";
+export interface AccountPoolDeps {
+    /** Read the current `LinkedAccountsConfig` (live). */
+    readAccounts: () => Record<string, LinkedAccountConfig>;
+    /** Persist a single account's mutated fields. */
+    writeAccount: (account: LinkedAccountConfig) => Promise<void>;
+}
+export interface SelectInput {
+    providerId: PoolProviderId;
+    /** Stable session key for affinity (e.g. agent id + run id). */
+    sessionKey?: string;
+    /** Defaults to `"priority"`. */
+    strategy?: Strategy;
+    /** Explicit pool; defaults to all enabled accounts for `providerId`. */
+    accountIds?: string[];
+    /** Account IDs to skip (e.g. just-failed accounts). */
+    exclude?: string[];
+}
+export declare class AccountPool {
+    private readonly deps;
+    private readonly affinity;
+    private readonly roundRobinCursor;
+    constructor(deps: AccountPoolDeps);
+    select(input: SelectInput): Promise<LinkedAccountConfig | null>;
+    private filterEligible;
+    private applyStrategy;
+    recordCall(accountId: string, result: {
+        tokens?: number;
+        latencyMs?: number;
+        ok: boolean;
+        errorCode?: string;
+        model?: string;
+    }): Promise<void>;
+    refreshUsage(accountId: string, accessToken: string, opts?: {
+        codexAccountId?: string;
+    }): Promise<void>;
+    markRateLimited(accountId: string, untilMs: number, detail?: string): Promise<void>;
+    markNeedsReauth(accountId: string, detail?: string): Promise<void>;
+    markInvalid(accountId: string, detail?: string): Promise<void>;
+    markHealthy(accountId: string): Promise<void>;
+    /**
+     * Re-probe accounts whose `health` is non-OK and whose `healthDetail.until`
+     * has passed (or is absent). Used by background sweepers to recover
+     * temporarily flagged accounts. We don't load access tokens here — the
+     * caller probes via `refreshUsage` separately.
+     */
+    reprobeFlagged(): Promise<string[]>;
+}
+/**
+ * Module-level singleton for the default pool wired against WS1's
+ * `account-storage` and the pool-owned metadata file. Plugins / runtime
+ * resolvers should import `getDefaultAccountPool()` rather than building
+ * a new pool. WS3 may later swap the default deps to read/write the
+ * `LinkedAccountsConfig` field directly out of `milady.json`; consumers
+ * keep the same accessor.
+ */
+export declare function getDefaultAccountPool(): AccountPool;
+/**
+ * @deprecated kept for compatibility with the WS2 spec naming. Use
+ * {@link getDefaultAccountPool}.
+ */
+export declare function createDefaultAccountPool(): AccountPool;
+/**
+ * Resets the cached singleton. Test-only.
+ */
+export declare function __resetDefaultAccountPoolForTests(): void;
+export type { LinkedAccountsConfig };
+//# sourceMappingURL=account-pool.d.ts.map

package/packages/app-core/src/services/account-pool.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"account-pool.d.ts","sourceRoot":"","sources":["../../../../../src/services/account-pool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAgBH,OAAO,KAAK,EACV,mBAAmB,EAGnB,uBAAuB,EAEvB,oBAAoB,EACrB,MAAM,iBAAiB,CAAC;AAOzB,MAAM,MAAM,QAAQ,GAChB,UAAU,GACV,aAAa,GACb,YAAY,GACZ,aAAa,CAAC;AAElB,MAAM,MAAM,cAAc,GACtB,uBAAuB,GACvB,eAAe,GACf,YAAY,CAAC;AAEjB,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,YAAY,EAAE,MAAM,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;IACxD,iDAAiD;IACjD,YAAY,EAAE,CAAC,OAAO,EAAE,mBAAmB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/D;AAED,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,cAAc,CAAC;IAC3B,gEAAgE;IAChE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gCAAgC;IAChC,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,wEAAwE;IACxE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,uDAAuD;IACvD,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAWD,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAkB;IACvC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAoC;IAC7D,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAqC;gBAE1D,IAAI,EAAE,eAAe;IAM3B,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IA+BrE,OAAO,CAAC,cAAc;IA4BtB,OAAO,CAAC,aAAa;IAiCf,UAAU,CACd,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE;QACN,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,EAAE,EAAE,OAAO,CAAC;QACZ,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GACA,OAAO,CAAC,IAAI,CAAC;IAWV,YAAY,CAChB,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAA;KAAE,GACjC,OAAO,CAAC,IAAI,CAAC;IA2BV,eAAe,CACnB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAkBV,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAalE,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAa9D,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAWnD;;;;;OAKG;IACG,cAAc,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;CAc1C;AAiKD;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,IAAI,WAAW,CAQnD;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,IAAI,WAAW,CAEtD;AAED;;GAEG;AACH,wBAAgB,iCAAiC,IAAI,IAAI,CAExD;AAED,YAAY,EAAE,oBAAoB,EAAE,CAAC"}

package/packages/app-core/src/services/account-pool.js

@@ -0,0 +1,376 @@
+/**
+ * Multi-account selection brain.
+ *
+ * Owns the runtime decision "which `LinkedAccountConfig` should serve this
+ * request?" given a strategy (priority / round-robin / least-used /
+ * quota-aware), session affinity, and per-account health state.
+ *
+ * The pool never reads OAuth credentials directly — callers resolve them
+ * via `getAccessToken(providerId, accountId)` from `@elizaos/agent` once
+ * the pool returns an account. Health, priority, and usage live in this
+ * layer; the OAuth blob lives under `~/.eliza/auth/` (see WS1's
+ * `account-storage.ts`).
+ *
+ * Persistence: the pool layers rich metadata (priority, enabled, health,
+ * usage) on top of WS1's credential records. The metadata is written to
+ * `<ELIZA_HOME>/auth/_pool-metadata.json` atomically so it survives
+ * process restarts and is independent of WS3's eventual `milady.json`
+ * field — when WS3 lands its CRUD API on top of `LinkedAccountsConfig`
+ * we can swap `createDefaultAccountPool()`'s deps without touching the
+ * pool itself.
+ */
+import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync, } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { listProviderAccounts, } from "@elizaos/agent";
+import { pollAnthropicUsage, pollCodexUsage, recordCall as recordUsageEntry, } from "./account-usage.js";
+const DEFAULT_RATE_LIMIT_BACKOFF_MS = 60_000;
+const QUOTA_AWARE_SKIP_PCT = 85;
+const SESSION_AFFINITY_MAX_ATTEMPTS = 3;
+export class AccountPool {
+    deps;
+    affinity = new Map();
+    roundRobinCursor = new Map();
+    constructor(deps) {
+        this.deps = deps;
+    }
+    // Selection.
+    async select(input) {
+        const all = this.deps.readAccounts();
+        const eligible = this.filterEligible(all, input);
+        if (eligible.length === 0)
+            return null;
+        if (input.sessionKey) {
+            const cached = this.affinity.get(input.sessionKey);
+            if (cached &&
+                cached.attempts < SESSION_AFFINITY_MAX_ATTEMPTS &&
+                eligible.some((a) => a.id === cached.accountId)) {
+                cached.attempts += 1;
+                const account = eligible.find((a) => a.id === cached.accountId);
+                if (account)
+                    return account;
+            }
+        }
+        const strategy = input.strategy ?? "priority";
+        const picked = this.applyStrategy(strategy, eligible, input.providerId);
+        if (!picked)
+            return null;
+        if (input.sessionKey) {
+            this.affinity.set(input.sessionKey, {
+                accountId: picked.id,
+                attempts: 1,
+            });
+        }
+        return picked;
+    }
+    filterEligible(all, input) {
+        const exclude = new Set(input.exclude ?? []);
+        const explicit = input.accountIds && input.accountIds.length > 0
+            ? new Set(input.accountIds)
+            : null;
+        const now = Date.now();
+        return Object.values(all).filter((account) => {
+            if (account.providerId !== input.providerId)
+                return false;
+            if (!account.enabled)
+                return false;
+            if (exclude.has(account.id))
+                return false;
+            if (explicit && !explicit.has(account.id))
+                return false;
+            if (account.health === "ok")
+                return true;
+            // Allow rate-limited accounts back in once their reset has passed.
+            if (account.health === "rate-limited" &&
+                typeof account.healthDetail?.until === "number" &&
+                account.healthDetail.until < now) {
+                return true;
+            }
+            return false;
+        });
+    }
+    applyStrategy(strategy, eligible, providerId) {
+        if (eligible.length === 0)
+            return null;
+        if (eligible.length === 1)
+            return eligible[0] ?? null;
+        switch (strategy) {
+            case "round-robin": {
+                const sorted = [...eligible].sort(byPriorityThenAge);
+                const cursor = (this.roundRobinCursor.get(providerId) ?? -1) + 1;
+                const index = cursor % sorted.length;
+                this.roundRobinCursor.set(providerId, index);
+                return sorted[index] ?? null;
+            }
+            case "least-used": {
+                return [...eligible].sort(byLeastUsedThenPriority)[0] ?? null;
+            }
+            case "quota-aware": {
+                const underQuota = eligible.filter((a) => (a.usage?.sessionPct ?? 0) < QUOTA_AWARE_SKIP_PCT);
+                const pool = underQuota.length > 0 ? underQuota : eligible;
+                return [...pool].sort(byPriorityThenAge)[0] ?? null;
+            }
+            default:
+                return [...eligible].sort(byPriorityThenAge)[0] ?? null;
+        }
+    }
+    // Mutations.
+    async recordCall(accountId, result) {
+        const account = this.deps.readAccounts()[accountId];
+        if (!account)
+            return;
+        recordUsageEntry(account.providerId, account.id, result);
+        const next = {
+            ...account,
+            lastUsedAt: Date.now(),
+        };
+        await this.deps.writeAccount(next);
+    }
+    async refreshUsage(accountId, accessToken, opts) {
+        const account = this.deps.readAccounts()[accountId];
+        if (!account)
+            return;
+        let usage;
+        if (account.providerId === "anthropic-subscription") {
+            usage = await pollAnthropicUsage(accessToken);
+        }
+        else if (account.providerId === "openai-codex") {
+            const codexAccountId = opts?.codexAccountId ?? account.organizationId;
+            if (!codexAccountId) {
+                throw new Error(`[AccountPool] Codex usage probe needs the OpenAI account_id (account ${accountId} has no organizationId).`);
+            }
+            usage = await pollCodexUsage(accessToken, codexAccountId);
+        }
+        else {
+            // No probe defined for direct API providers.
+            return;
+        }
+        await this.deps.writeAccount({
+            ...account,
+            health: "ok",
+            usage,
+        });
+    }
+    async markRateLimited(accountId, untilMs, detail) {
+        const account = this.deps.readAccounts()[accountId];
+        if (!account)
+            return;
+        const healthDetail = {
+            until: Number.isFinite(untilMs) && untilMs > Date.now()
+                ? untilMs
+                : Date.now() + DEFAULT_RATE_LIMIT_BACKOFF_MS,
+            lastChecked: Date.now(),
+            ...(detail ? { lastError: detail } : {}),
+        };
+        await this.deps.writeAccount({
+            ...account,
+            health: "rate-limited",
+            healthDetail,
+        });
+    }
+    async markNeedsReauth(accountId, detail) {
+        const account = this.deps.readAccounts()[accountId];
+        if (!account)
+            return;
+        await this.deps.writeAccount({
+            ...account,
+            health: "needs-reauth",
+            healthDetail: {
+                lastChecked: Date.now(),
+                ...(detail ? { lastError: detail } : {}),
+            },
+        });
+    }
+    async markInvalid(accountId, detail) {
+        const account = this.deps.readAccounts()[accountId];
+        if (!account)
+            return;
+        await this.deps.writeAccount({
+            ...account,
+            health: "invalid",
+            healthDetail: {
+                lastChecked: Date.now(),
+                ...(detail ? { lastError: detail } : {}),
+            },
+        });
+    }
+    async markHealthy(accountId) {
+        const account = this.deps.readAccounts()[accountId];
+        if (!account)
+            return;
+        if (account.health === "ok")
+            return;
+        await this.deps.writeAccount({
+            ...account,
+            health: "ok",
+            ...(account.healthDetail ? { healthDetail: undefined } : {}),
+        });
+    }
+    /**
+     * Re-probe accounts whose `health` is non-OK and whose `healthDetail.until`
+     * has passed (or is absent). Used by background sweepers to recover
+     * temporarily flagged accounts. We don't load access tokens here — the
+     * caller probes via `refreshUsage` separately.
+     */
+    async reprobeFlagged() {
+        const all = this.deps.readAccounts();
+        const now = Date.now();
+        const ready = [];
+        for (const account of Object.values(all)) {
+            if (account.health === "ok")
+                continue;
+            if (account.health === "rate-limited") {
+                const until = account.healthDetail?.until;
+                if (typeof until === "number" && until > now)
+                    continue;
+            }
+            ready.push(account.id);
+        }
+        return ready;
+    }
+}
+function byPriorityThenAge(a, b) {
+    if (a.priority !== b.priority)
+        return a.priority - b.priority;
+    const aLast = a.lastUsedAt ?? 0;
+    const bLast = b.lastUsedAt ?? 0;
+    return aLast - bLast; // older first
+}
+function byLeastUsedThenPriority(a, b) {
+    const aPct = a.usage?.sessionPct ?? 0;
+    const bPct = b.usage?.sessionPct ?? 0;
+    if (aPct !== bPct)
+        return aPct - bPct;
+    return byPriorityThenAge(a, b);
+}
+function authRoot() {
+    return path.join(process.env.ELIZA_HOME || path.join(os.homedir(), ".eliza"), "auth");
+}
+function metadataFile() {
+    return path.join(authRoot(), "_pool-metadata.json");
+}
+function isPoolProviderId(value) {
+    return (value === "anthropic-subscription" ||
+        value === "openai-codex" ||
+        value === "anthropic-api" ||
+        value === "openai-api");
+}
+function readMetaStore() {
+    const file = metadataFile();
+    if (!existsSync(file)) {
+        return {};
+    }
+    try {
+        const raw = readFileSync(file, "utf-8");
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+            return parsed;
+        }
+    }
+    catch {
+        // Corrupt file — fall through to empty store. Next write rewrites it.
+    }
+    return {};
+}
+function writeMetaStore(store) {
+    const file = metadataFile();
+    const dir = path.dirname(file);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    }
+    const tmp = `${file}.tmp`;
+    writeFileSync(tmp, JSON.stringify(store, null, 2), {
+        encoding: "utf-8",
+        mode: 0o600,
+    });
+    renameSync(tmp, file);
+}
+function recordToLinked(record, meta, providerId, defaultPriority) {
+    return {
+        id: record.id,
+        providerId,
+        label: meta?.label ?? record.label,
+        source: record.source,
+        enabled: meta?.enabled ?? true,
+        priority: meta?.priority ?? defaultPriority,
+        createdAt: record.createdAt,
+        health: meta?.health ?? "ok",
+        ...(record.lastUsedAt !== undefined
+            ? { lastUsedAt: record.lastUsedAt }
+            : {}),
+        ...(meta?.healthDetail ? { healthDetail: meta.healthDetail } : {}),
+        ...(meta?.usage ? { usage: meta.usage } : {}),
+        ...(record.organizationId
+            ? { organizationId: record.organizationId }
+            : {}),
+        ...(record.userId ? { userId: record.userId } : {}),
+        ...(record.email ? { email: record.email } : {}),
+    };
+}
+function loadAllAccounts() {
+    const subscriptionProviders = [
+        "anthropic-subscription",
+        "openai-codex",
+    ];
+    const meta = readMetaStore();
+    const out = {};
+    for (const provider of subscriptionProviders) {
+        const records = listProviderAccounts(provider);
+        let priorityCounter = 0;
+        const sorted = [...records].sort((a, b) => a.createdAt - b.createdAt);
+        for (const record of sorted) {
+            const providerMeta = meta[provider]?.[record.id];
+            out[record.id] = recordToLinked(record, providerMeta, provider, priorityCounter);
+            priorityCounter += 1;
+        }
+    }
+    return out;
+}
+async function persistAccount(account) {
+    if (!isPoolProviderId(account.providerId))
+        return;
+    const store = readMetaStore();
+    if (!store[account.providerId]) {
+        store[account.providerId] = {};
+    }
+    store[account.providerId][account.id] = {
+        label: account.label,
+        enabled: account.enabled,
+        priority: account.priority,
+        health: account.health,
+        ...(account.healthDetail ? { healthDetail: account.healthDetail } : {}),
+        ...(account.usage ? { usage: account.usage } : {}),
+    };
+    writeMetaStore(store);
+}
+let cachedDefaultPool = null;
+/**
+ * Module-level singleton for the default pool wired against WS1's
+ * `account-storage` and the pool-owned metadata file. Plugins / runtime
+ * resolvers should import `getDefaultAccountPool()` rather than building
+ * a new pool. WS3 may later swap the default deps to read/write the
+ * `LinkedAccountsConfig` field directly out of `milady.json`; consumers
+ * keep the same accessor.
+ */
+export function getDefaultAccountPool() {
+    if (!cachedDefaultPool) {
+        cachedDefaultPool = new AccountPool({
+            readAccounts: () => loadAllAccounts(),
+            writeAccount: persistAccount,
+        });
+    }
+    return cachedDefaultPool;
+}
+/**
+ * @deprecated kept for compatibility with the WS2 spec naming. Use
+ * {@link getDefaultAccountPool}.
+ */
+export function createDefaultAccountPool() {
+    return getDefaultAccountPool();
+}
+/**
+ * Resets the cached singleton. Test-only.
+ */
+export function __resetDefaultAccountPoolForTests() {
+    cachedDefaultPool = null;
+}