@elizaos/plugin-elizacloud 2.0.0-alpha.8 → 2.0.11-beta.7

package/dist/register-routes.js

@@ -0,0 +1,2938 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+
+// src/cloud/base-url.ts
+import { normalizeCloudSiteUrl, resolveCloudApiBaseUrl } from "@elizaos/shared";
+var init_base_url = () => {};
+
+// src/cloud/validate-url.ts
+import dns from "node:dns";
+import net from "node:net";
+import { promisify } from "node:util";
+function normalizeHostLike(value) {
+  return value.trim().toLowerCase().replace(/^\[|\]$/g, "");
+}
+function decodeIpv6MappedHex(mapped) {
+  const parts = mapped.split(":");
+  if (parts.length < 1 || parts.length > 2)
+    return null;
+  const parsed = parts.map((part) => {
+    if (!/^[0-9a-f]{1,4}$/i.test(part))
+      return Number.NaN;
+    return Number.parseInt(part, 16);
+  });
+  if (parsed.some((value) => !Number.isFinite(value)))
+    return null;
+  const [hi, lo] = parsed.length === 1 ? [0, parsed[0]] : parsed;
+  const octets = [hi >> 8, hi & 255, lo >> 8, lo & 255];
+  return octets.join(".");
+}
+function canonicalizeIpv6(ip) {
+  try {
+    return new URL(`http://[${ip}]/`).hostname.replace(/^\[|\]$/g, "");
+  } catch {
+    return null;
+  }
+}
+function normalizeIpForPolicy(ip) {
+  const base = normalizeHostLike(ip).split("%")[0];
+  if (!base)
+    return base;
+  let normalized = base;
+  if (net.isIP(normalized) === 6) {
+    normalized = canonicalizeIpv6(normalized) ?? normalized;
+  }
+  let mapped = null;
+  if (normalized.startsWith("::ffff:")) {
+    mapped = normalized.slice("::ffff:".length);
+  } else if (normalized.startsWith("0:0:0:0:0:ffff:")) {
+    mapped = normalized.slice("0:0:0:0:0:ffff:".length);
+  }
+  if (!mapped)
+    return normalized;
+  if (net.isIP(mapped) === 4)
+    return mapped;
+  return decodeIpv6MappedHex(mapped) ?? normalized;
+}
+function cidrV4(base, prefix) {
+  const parsed = parseIpv4ToInt(base);
+  if (parsed === null) {
+    throw new Error(`Invalid CIDR base IPv4 address: ${base}`);
+  }
+  const shift = 32 - prefix;
+  const mask = shift === 32 ? 0 : 4294967295 << shift >>> 0;
+  return { base: parsed & mask, mask };
+}
+function parseIpv4ToInt(ip) {
+  const parts = ip.split(".");
+  if (parts.length !== 4)
+    return null;
+  let value = 0;
+  for (const part of parts) {
+    if (!/^\d{1,3}$/.test(part))
+      return null;
+    const octet = Number.parseInt(part, 10);
+    if (!Number.isInteger(octet) || octet < 0 || octet > 255)
+      return null;
+    value = value << 8 | octet;
+  }
+  return value >>> 0;
+}
+function isBlockedIpv4(ip) {
+  const asInt = parseIpv4ToInt(ip);
+  if (asInt === null)
+    return true;
+  return BLOCKED_IPV4_CIDRS.some((cidr) => (asInt & cidr.mask) === cidr.base);
+}
+function isBlockedIpv6(ip) {
+  const normalized = ip.toLowerCase();
+  return normalized === "::" || normalized === "::1" || /^fe[89ab][0-9a-f]:/.test(normalized) || /^f[cd][0-9a-f]{2}:/i.test(normalized) || normalized.startsWith("ff");
+}
+function isBlockedIp(ip) {
+  const normalized = normalizeIpForPolicy(ip);
+  const family = net.isIP(normalized);
+  if (family === 4)
+    return isBlockedIpv4(normalized);
+  if (family === 6)
+    return isBlockedIpv6(normalized);
+  return false;
+}
+async function validateCloudBaseUrl(rawUrl) {
+  let parsed;
+  try {
+    parsed = new URL(rawUrl);
+  } catch {
+    return `Invalid cloud base URL: "${rawUrl}"`;
+  }
+  if (parsed.protocol !== "https:") {
+    return `Cloud base URL must use HTTPS, got "${parsed.protocol}" in "${rawUrl}"`;
+  }
+  const hostname = normalizeHostLike(parsed.hostname);
+  if (!hostname) {
+    return `Invalid cloud base URL: "${rawUrl}"`;
+  }
+  if (hostname === "localhost" || hostname.endsWith(".localhost") || hostname.endsWith(".local")) {
+    return `Cloud base URL "${rawUrl}" points to a blocked local hostname.`;
+  }
+  const elizaDev = process.env.ELIZA_DEV?.trim().toLowerCase();
+  if (true) {
+    return null;
+  }
+  if (isBlockedIp(hostname)) {
+    return `Cloud base URL "${rawUrl}" points to a blocked address.`;
+  }
+  try {
+    const results = await dnsLookupAll(hostname, { all: true });
+    const addresses = Array.isArray(results) ? results : [results];
+    for (const entry of addresses) {
+      const ip = typeof entry === "string" ? entry : entry.address;
+      if (isBlockedIp(ip)) {
+        return `Cloud base URL "${rawUrl}" resolves to ${ip}, ` + "which is a blocked internal/metadata address.";
+      }
+    }
+  } catch {
+    return `Cloud base URL "${rawUrl}" could not be resolved via DNS.`;
+  }
+  return null;
+}
+var dnsLookupAll, BLOCKED_IPV4_CIDRS;
+var init_validate_url = __esm(() => {
+  dnsLookupAll = promisify(dns.lookup);
+  BLOCKED_IPV4_CIDRS = [
+    cidrV4("0.0.0.0", 8),
+    cidrV4("10.0.0.0", 8),
+    cidrV4("172.16.0.0", 12),
+    cidrV4("192.168.0.0", 16),
+    cidrV4("100.64.0.0", 10),
+    cidrV4("127.0.0.0", 8),
+    cidrV4("169.254.0.0", 16),
+    cidrV4("192.0.0.0", 24),
+    cidrV4("198.18.0.0", 15),
+    cidrV4("192.0.2.0", 24),
+    cidrV4("198.51.100.0", 24),
+    cidrV4("203.0.113.0", 24),
+    cidrV4("224.0.0.0", 4),
+    cidrV4("240.0.0.0", 4)
+  ];
+});
+
+// src/cloud/auth-service-types.ts
+function isCloudAuthApiKeyService(value) {
+  return value !== null && value !== undefined && typeof value.isAuthenticated === "function";
+}
+function normalizeCloudApiKey(value) {
+  if (typeof value !== "string")
+    return null;
+  const trimmed = value.trim();
+  if (!trimmed || trimmed.toUpperCase() === "[REDACTED]")
+    return null;
+  return trimmed;
+}
+
+// src/cloud/cloud-api-key.ts
+function normalizeCloudSecret(value) {
+  if (typeof value !== "string")
+    return null;
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function resolveRuntimeCloudApiKey(runtime) {
+  const fromSetting = runtime?.getSetting?.("ELIZAOS_CLOUD_API_KEY");
+  if (typeof fromSetting === "string") {
+    return normalizeCloudSecret(fromSetting);
+  }
+  const fromSecrets = runtime?.character?.secrets?.ELIZAOS_CLOUD_API_KEY;
+  return typeof fromSecrets === "string" ? normalizeCloudSecret(fromSecrets) : null;
+}
+function resolveCloudApiBaseUrl2(rawBaseUrl) {
+  const candidate = normalizeCloudSecret(rawBaseUrl ?? process.env.ELIZAOS_CLOUD_BASE_URL) ?? DEFAULT_CLOUD_API_BASE_URL;
+  try {
+    const parsed = new URL(candidate);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return null;
+    }
+    parsed.hash = "";
+    parsed.search = "";
+    const normalizedBase = parsed.toString().replace(/\/+$/, "");
+    return normalizedBase.endsWith("/api/v1") ? normalizedBase : `${normalizedBase}/api/v1`;
+  } catch {
+    return null;
+  }
+}
+function resolveCloudApiKey(config, runtime) {
+  return normalizeCloudSecret(config?.cloud?.apiKey ?? resolveRuntimeCloudApiKey(runtime) ?? process.env.ELIZAOS_CLOUD_API_KEY);
+}
+var DEFAULT_CLOUD_API_BASE_URL = "https://elizacloud.ai/api/v1";
+
+// src/lib/state-paths.ts
+import fs from "node:fs";
+import path from "node:path";
+import {
+  getElizaNamespace,
+  resolveStateDir,
+  resolveUserPath
+} from "@elizaos/core";
+function resolveConfigPath(env = process.env, stateDirPath = resolveStateDir(env)) {
+  const override = env.ELIZA_CONFIG_PATH?.trim();
+  if (override)
+    return resolveUserPath(override);
+  const namespace = getElizaNamespace(env);
+  const primaryPath = path.join(stateDirPath, `${namespace}.json`);
+  if (fs.existsSync(primaryPath))
+    return primaryPath;
+  if (namespace !== "eliza") {
+    const legacyPath = path.join(stateDirPath, "eliza.json");
+    if (fs.existsSync(legacyPath))
+      return legacyPath;
+  }
+  return primaryPath;
+}
+var init_state_paths = () => {};
+
+// src/lib/config-env.ts
+import fs2 from "node:fs/promises";
+import path2 from "node:path";
+function parseConfigEnv(contents) {
+  const lines = contents.length === 0 ? [] : contents.split(/\r?\n/);
+  if (lines.length > 0 && lines[lines.length - 1] === "") {
+    lines.pop();
+  }
+  const index = new Map;
+  for (let i = 0;i < lines.length; i += 1) {
+    const line = lines[i] ?? "";
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#"))
+      continue;
+    const eq = line.indexOf("=");
+    if (eq <= 0)
+      continue;
+    const key = line.slice(0, eq).trim();
+    if (KEY_PATTERN.test(key))
+      index.set(key, i);
+  }
+  return { lines, index };
+}
+function serialiseConfigEnv(parsed) {
+  return parsed.lines.length === 0 ? "" : `${parsed.lines.join(`
+`)}
+`;
+}
+function encodeValue(value) {
+  if (value === "")
+    return "";
+  const needsQuoting = /[\s#"'\\]|^\s|\s$/.test(value) || /\n|\r/.test(value);
+  if (!needsQuoting)
+    return value;
+  const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\n/g, "\\n").replace(/\r/g, "\\r");
+  return `"${escaped}"`;
+}
+function validateKey(key) {
+  if (!KEY_PATTERN.test(key)) {
+    throw new Error(`persistConfigEnv: invalid key "${key}" - must match /^[A-Z][A-Z0-9_]*$/`);
+  }
+  if (BLOCKED_CONFIG_ENV_KEYS.has(key)) {
+    throw new Error(`persistConfigEnv: key "${key}" is a shell/runtime hijack vector and cannot be written`);
+  }
+}
+async function readIfExists(filePath) {
+  try {
+    return await fs2.readFile(filePath, "utf8");
+  } catch (error) {
+    if (error.code === "ENOENT")
+      return null;
+    throw error;
+  }
+}
+async function writeAtomic(filePath, contents) {
+  const tmpPath = `${filePath}${TMP_SUFFIX}`;
+  const handle = await fs2.open(tmpPath, "w", 384);
+  try {
+    await handle.writeFile(contents, "utf8");
+    await handle.sync();
+  } finally {
+    await handle.close();
+  }
+  await fs2.rename(tmpPath, filePath);
+}
+function serialise(fn) {
+  const next = writeChain.then(fn, fn);
+  writeChain = next.catch(() => {
+    return;
+  });
+  return next;
+}
+function resolveConfigEnvPath(stateDir) {
+  return path2.join(stateDir ?? resolveStateDir(), CONFIG_ENV_FILENAME);
+}
+async function persistConfigEnv(key, value, opts = {}) {
+  validateKey(key);
+  await serialise(async () => {
+    const filePath = resolveConfigEnvPath(opts.stateDir);
+    await fs2.mkdir(path2.dirname(filePath), { recursive: true });
+    const existing = await readIfExists(filePath) ?? "";
+    const parsed = parseConfigEnv(existing);
+    const existingIdx = parsed.index.get(key);
+    const isDelete = value === "";
+    if (isDelete) {
+      if (existingIdx === undefined) {
+        delete process.env[key];
+        return;
+      }
+      parsed.lines.splice(existingIdx, 1);
+    } else {
+      const encoded = `${key}=${encodeValue(value)}`;
+      if (existingIdx === undefined) {
+        parsed.lines.push(encoded);
+      } else {
+        parsed.lines[existingIdx] = encoded;
+      }
+    }
+    if (existing.length > 0) {
+      await fs2.writeFile(`${filePath}${BAK_SUFFIX}`, existing, {
+        encoding: "utf8",
+        mode: 384
+      });
+    }
+    await writeAtomic(filePath, serialiseConfigEnv(parsed));
+    if (isDelete) {
+      delete process.env[key];
+    } else {
+      process.env[key] = value;
+    }
+  });
+}
+var CONFIG_ENV_FILENAME = "config.env", BAK_SUFFIX = ".bak", TMP_SUFFIX = ".tmp", KEY_PATTERN, BLOCKED_CONFIG_ENV_KEYS, writeChain;
+var init_config_env = __esm(() => {
+  init_state_paths();
+  KEY_PATTERN = /^[A-Z][A-Z0-9_]*$/;
+  BLOCKED_CONFIG_ENV_KEYS = new Set([
+    "NODE_OPTIONS",
+    "NODE_EXTRA_CA_CERTS",
+    "NODE_TLS_REJECT_UNAUTHORIZED",
+    "NODE_PATH",
+    "LD_PRELOAD",
+    "LD_LIBRARY_PATH",
+    "DYLD_INSERT_LIBRARIES",
+    "DYLD_LIBRARY_PATH",
+    "DYLD_FRAMEWORK_PATH",
+    "DYLD_FALLBACK_FRAMEWORK_PATH",
+    "DYLD_FALLBACK_LIBRARY_PATH",
+    "PATH",
+    "HOME",
+    "SHELL",
+    "HTTP_PROXY",
+    "HTTPS_PROXY",
+    "ALL_PROXY",
+    "NO_PROXY",
+    "SSL_CERT_FILE",
+    "SSL_CERT_DIR",
+    "CURL_CA_BUNDLE"
+  ]);
+  writeChain = Promise.resolve();
+});
+
+// src/lib/feature-flags.ts
+function readBoolFlag(name, fallback = false) {
+  const raw = process.env[name];
+  if (raw === undefined || raw === null || raw === "")
+    return fallback;
+  const trimmed = String(raw).trim().toLowerCase();
+  if (trimmed === "1" || trimmed === "true" || trimmed === "yes" || trimmed === "on") {
+    return true;
+  }
+  if (trimmed === "0" || trimmed === "false" || trimmed === "no" || trimmed === "off") {
+    return false;
+  }
+  return fallback;
+}
+function isCloudWalletEnabled() {
+  return readBoolFlag("ENABLE_CLOUD_WALLET");
+}
+
+// src/cloud/cloud-wallet.ts
+import { generatePrivateKey, privateKeyToAccount } from "viem/accounts";
+function ensureFlag() {
+  if (!isCloudWalletEnabled()) {
+    throw new CloudWalletFlagDisabledError;
+  }
+}
+function normalizePrivateKey(raw) {
+  const trimmed = raw.trim();
+  const hex = trimmed.startsWith("0x") ? trimmed.slice(2) : trimmed;
+  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
+    throw new Error(`Malformed ${ELIZA_CLOUD_CLIENT_ADDRESS_KEY_ENV}: expected 32-byte hex`);
+  }
+  return `0x${hex.toLowerCase()}`;
+}
+async function getOrCreateClientAddressKey(opts = {}) {
+  ensureFlag();
+  const existing = process.env[ELIZA_CLOUD_CLIENT_ADDRESS_KEY_ENV];
+  if (existing && existing.trim().length > 0) {
+    const privateKey2 = normalizePrivateKey(existing);
+    const account2 = privateKeyToAccount(privateKey2);
+    return { privateKey: privateKey2, address: account2.address, minted: false };
+  }
+  const privateKey = generatePrivateKey();
+  const account = privateKeyToAccount(privateKey);
+  process.env[ELIZA_CLOUD_CLIENT_ADDRESS_KEY_ENV] = privateKey;
+  await persistConfigEnv(ELIZA_CLOUD_CLIENT_ADDRESS_KEY_ENV, privateKey, {
+    stateDir: opts.stateDir
+  });
+  return { privateKey, address: account.address, minted: true };
+}
+function inflightKey(agentId, chain) {
+  return `${agentId}::${chain}`;
+}
+async function provisionOne(bridge, agentId, chain, clientAddress) {
+  try {
+    return await bridge.getAgentWallet(agentId, chain);
+  } catch (error) {
+    if (!isMissingCloudWalletError(error, chain)) {
+      throw error;
+    }
+  }
+  const provisioned = await bridge.provisionWallet({
+    chainType: chain,
+    clientAddress
+  });
+  return {
+    agentWalletId: provisioned.walletId,
+    walletAddress: provisioned.address,
+    walletProvider: provisioned.provider,
+    chainType: chain
+  };
+}
+function isMissingCloudWalletError(error, chain) {
+  if (error instanceof Error && new RegExp(`no cloud ${chain} wallet provisioned`, "i").test(error.message)) {
+    return true;
+  }
+  return typeof error === "object" && error !== null && "name" in error && error.name === "CloudBridgeError" && typeof error.status === "number" && error.status === 404;
+}
+function formatProvisionWarning(chain, error) {
+  const message = error instanceof Error ? error.message : String(error);
+  return `Cloud ${chain} wallet import failed: ${message}`;
+}
+async function provisionCloudWalletsBestEffort(bridge, opts) {
+  ensureFlag();
+  const chains = opts.chains ?? ["evm", "solana"];
+  const results = await Promise.all(chains.map((chain) => {
+    const key = inflightKey(opts.agentId, chain);
+    const pending = inflight.get(key);
+    if (pending) {
+      return pending.then((descriptor) => ({
+        chain,
+        ok: true,
+        descriptor
+      }), (error) => ({
+        chain,
+        ok: false,
+        error
+      }));
+    }
+    const p = provisionOne(bridge, opts.agentId, chain, opts.clientAddress).finally(() => {
+      inflight.delete(key);
+    });
+    inflight.set(key, p);
+    return p.then((descriptor) => ({
+      chain,
+      ok: true,
+      descriptor
+    }), (error) => ({
+      chain,
+      ok: false,
+      error
+    }));
+  }));
+  const out = {};
+  const failures = [];
+  for (const result of results) {
+    if ("descriptor" in result) {
+      out[result.chain] = result.descriptor;
+      continue;
+    }
+    failures.push({ chain: result.chain, error: result.error });
+  }
+  return {
+    descriptors: out,
+    failures,
+    warnings: failures.map(({ chain, error }) => formatProvisionWarning(chain, error))
+  };
+}
+async function provisionCloudWallets(bridge, opts) {
+  const result = await provisionCloudWalletsBestEffort(bridge, opts);
+  if (result.failures.length > 0 && Object.keys(result.descriptors).length === 0) {
+    const firstFailure = result.failures[0];
+    if (firstFailure?.error instanceof Error) {
+      throw firstFailure.error;
+    }
+    throw new Error(result.warnings[0] ?? "Failed to provision cloud wallets");
+  }
+  return result.descriptors;
+}
+function persistCloudWalletCache(config, descriptors) {
+  ensureFlag();
+  const wallet = config.wallet ?? {};
+  const cloud = { ...wallet.cloud ?? {} };
+  if (descriptors.evm)
+    cloud.evm = descriptors.evm;
+  if (descriptors.solana)
+    cloud.solana = descriptors.solana;
+  wallet.cloud = cloud;
+  config.wallet = wallet;
+}
+function __resetCloudWalletModuleForTests() {
+  inflight.clear();
+  delete process.env[ELIZA_CLOUD_CLIENT_ADDRESS_KEY_ENV];
+}
+var ELIZA_CLOUD_CLIENT_ADDRESS_KEY_ENV = "ELIZA_CLOUD_CLIENT_ADDRESS_KEY", CloudWalletFlagDisabledError, inflight;
+var init_cloud_wallet = __esm(() => {
+  init_config_env();
+  CloudWalletFlagDisabledError = class CloudWalletFlagDisabledError extends Error {
+    constructor() {
+      super("ENABLE_CLOUD_WALLET is off; cloud wallet code paths are inactive");
+      this.name = "CloudWalletFlagDisabledError";
+    }
+  };
+  inflight = new Map;
+});
+
+// src/lib/http.ts
+function scrubStackFields(value) {
+  if (value instanceof Error) {
+    return { error: value.message || "Internal error" };
+  }
+  if (Array.isArray(value)) {
+    return value.map(scrubStackFields);
+  }
+  if (value && typeof value === "object") {
+    const out = {};
+    for (const [key, nested] of Object.entries(value)) {
+      if (key === "stack" || key === "stackTrace")
+        continue;
+      out[key] = scrubStackFields(nested);
+    }
+    return out;
+  }
+  return value;
+}
+function sendJson(res, body, status = 200) {
+  if (res.headersSent)
+    return;
+  res.statusCode = status;
+  res.setHeader("content-type", "application/json; charset=utf-8");
+  res.end(JSON.stringify(scrubStackFields(body)));
+}
+function sendJsonError(res, message, status = 400) {
+  sendJson(res, { error: message }, status);
+}
+async function readRequestBody(req, options) {
+  const maxBytes = options.maxBytes ?? 1048576;
+  const chunks = [];
+  let size = 0;
+  for await (const chunk of req) {
+    const buffer = typeof chunk === "string" ? Buffer.from(chunk) : chunk;
+    size += buffer.length;
+    if (size > maxBytes) {
+      if (options.destroyOnTooLarge)
+        req.destroy();
+      throw new Error(options.tooLargeMessage ?? "Request body too large");
+    }
+    chunks.push(buffer);
+  }
+  if (chunks.length === 0)
+    return null;
+  return Buffer.concat(chunks).toString("utf8");
+}
+async function readJsonBody(req, res, options = {}) {
+  const cached = req.body;
+  if (cached !== undefined) {
+    if (options.requireObject !== false && (!cached || typeof cached !== "object" || Array.isArray(cached))) {
+      sendJsonError(res, "Request body must be a JSON object", 400);
+      return null;
+    }
+    return cached;
+  }
+  let raw;
+  try {
+    raw = await readRequestBody(req, options);
+  } catch (error) {
+    sendJsonError(res, error instanceof Error ? error.message : "Failed to read request body", 413);
+    return null;
+  }
+  if (!raw?.trim()) {
+    const empty = {};
+    req.body = empty;
+    return empty;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    sendJsonError(res, "Invalid JSON in request body", 400);
+    return null;
+  }
+  if (options.requireObject !== false && (!parsed || typeof parsed !== "object" || Array.isArray(parsed))) {
+    sendJsonError(res, "Request body must be a JSON object", 400);
+    return null;
+  }
+  req.body = parsed;
+  return parsed;
+}
+
+// src/routes/cloud-billing-routes.ts
+function cryptoStatusCacheKey(baseUrl, headers) {
+  return `${baseUrl}|${headers.Authorization ?? ""}`;
+}
+async function fetchCryptoStatusCached(baseUrl, headers) {
+  const now = Date.now();
+  const cacheKey = cryptoStatusCacheKey(baseUrl, headers);
+  const cached = cryptoStatusCache.get(cacheKey);
+  if (cached && cached.expiresAt > now) {
+    return cached.value;
+  }
+  const response = await fetchUpstream(`${baseUrl}/api/crypto/status`, "GET", headers, undefined).catch(() => null);
+  if (!response?.ok) {
+    return cached?.value ?? null;
+  }
+  const value = await readJsonResponse(response).catch(() => ({}));
+  cryptoStatusCache.set(cacheKey, {
+    value,
+    expiresAt: now + CRYPTO_STATUS_CACHE_MS
+  });
+  return value;
+}
+function resolveCloudBaseUrl(config) {
+  return normalizeCloudSiteUrl(config.cloud?.baseUrl);
+}
+function resolveProxyApiKey(state) {
+  const cloudAuth = state.runtime ? state.runtime.getService("CLOUD_AUTH") : null;
+  const runtimeApiKey = cloudAuth?.isAuthenticated() === true ? normalizeCloudApiKey(cloudAuth.getApiKey?.()) : null;
+  return runtimeApiKey ?? resolveCloudApiKey(state.config, state.runtime);
+}
+function buildAuthHeaders(config, apiKeyOverride) {
+  const serviceKey = config.cloud?.serviceKey?.trim();
+  const apiKey = normalizeCloudApiKey(apiKeyOverride) ?? resolveCloudApiKey(config);
+  const headers = {
+    Accept: "application/json",
+    "Content-Type": "application/json"
+  };
+  if (serviceKey) {
+    headers["X-Service-Key"] = serviceKey;
+  }
+  if (apiKey) {
+    headers.Authorization = `Bearer ${apiKey}`;
+  }
+  return headers;
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function readString(value) {
+  return typeof value === "string" && value.trim() ? value : undefined;
+}
+function readNumber(value) {
+  if (typeof value === "number" && Number.isFinite(value))
+    return value;
+  if (typeof value === "string" && value.trim()) {
+    const parsed = Number(value);
+    return Number.isFinite(parsed) ? parsed : null;
+  }
+  return null;
+}
+function readBoolean(value) {
+  return typeof value === "boolean" ? value : undefined;
+}
+function readBody(req) {
+  const preParsedBody = req.body;
+  if (preParsedBody !== undefined) {
+    return Promise.resolve(typeof preParsedBody === "string" ? preParsedBody : JSON.stringify(preParsedBody));
+  }
+  if (req.readableEnded) {
+    return Promise.resolve(undefined);
+  }
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let size = 0;
+    req.on("data", (chunk) => {
+      size += chunk.length;
+      if (size > MAX_BODY_BYTES) {
+        reject(new Error("Request body too large"));
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on("end", () => resolve(chunks.length > 0 ? Buffer.concat(chunks).toString("utf-8") : undefined));
+    req.on("error", reject);
+  });
+}
+async function fetchUpstream(url, method, headers, body) {
+  let currentUrl = url;
+  let currentMethod = method;
+  let currentBody = body;
+  for (let redirectCount = 0;redirectCount <= MAX_REDIRECTS; redirectCount += 1) {
+    const response = await fetch(currentUrl, {
+      method: currentMethod,
+      headers,
+      body: currentBody,
+      redirect: "manual",
+      signal: AbortSignal.timeout(PROXY_TIMEOUT_MS)
+    });
+    if (response.status < 300 || response.status >= 400) {
+      return response;
+    }
+    const location = response.headers.get("location");
+    if (!location) {
+      throw Object.assign(new Error("redirect"), { code: "REDIRECT" });
+    }
+    const nextUrl = new URL(location, currentUrl).toString();
+    const currentOrigin = normalizeCloudSiteUrl(new URL(currentUrl).origin);
+    const nextOrigin = normalizeCloudSiteUrl(new URL(nextUrl).origin);
+    if (new URL(currentUrl).origin !== new URL(nextUrl).origin && currentOrigin !== nextOrigin) {
+      throw Object.assign(new Error("redirect"), { code: "REDIRECT" });
+    }
+    currentUrl = nextUrl;
+    if (currentMethod !== "GET" && currentMethod !== "HEAD" && (response.status === 301 || response.status === 302 || response.status === 303)) {
+      currentMethod = "GET";
+      currentBody = undefined;
+    }
+  }
+  throw Object.assign(new Error("redirect"), { code: "REDIRECT" });
+}
+async function readJsonResponse(response) {
+  return response.json().catch(async () => ({
+    success: response.ok,
+    error: await response.text().catch(() => "Billing request failed")
+  }));
+}
+function buildRedirectUrl(baseUrl, pathname, params) {
+  const url = new URL(pathname, `${baseUrl}/`);
+  for (const [key, value] of Object.entries(params)) {
+    url.searchParams.set(key, value);
+  }
+  return url.toString();
+}
+function normalizeCryptoNetwork(value) {
+  if (!value)
+    return;
+  const normalized = value.trim().toUpperCase();
+  switch (normalized) {
+    case "BSC":
+    case "BEP20":
+      return "BEP20";
+    case "ETH":
+    case "ERC20":
+      return "ERC20";
+    case "MATIC":
+    case "POLYGON":
+      return "POLYGON";
+    case "SOL":
+    case "SOLANA":
+      return "SOL";
+    case "BASE":
+      return "BASE";
+    case "ARB":
+    case "ARBITRUM":
+      return "ARB";
+    case "OP":
+    case "OPTIMISM":
+      return "OP";
+    case "TRON":
+    case "TRC20":
+      return "TRC20";
+    default:
+      return;
+  }
+}
+function mapBillingSummary(payload, baseUrl, cryptoStatus) {
+  const source = isRecord(payload) ? payload : {};
+  const organization = isRecord(source.organization) ? source.organization : {};
+  const pricing = isRecord(source.pricing) ? source.pricing : {};
+  const crypto2 = isRecord(cryptoStatus) ? cryptoStatus : {};
+  const balance = readNumber(organization.creditBalance) ?? 0;
+  return {
+    success: source.success ?? true,
+    balance,
+    currency: "USD",
+    topUpUrl: `${baseUrl}/dashboard/settings?tab=billing`,
+    embeddedCheckoutEnabled: false,
+    hostedCheckoutEnabled: true,
+    cryptoEnabled: readBoolean(crypto2.enabled) ?? readBoolean(pricing.x402Enabled) ?? false,
+    low: balance < 2,
+    critical: balance < 0.5,
+    hasPaymentMethod: readBoolean(organization.hasPaymentMethod) ?? false,
+    autoTopUpEnabled: readBoolean(organization.autoTopUpEnabled) ?? false,
+    autoTopUpAmount: readNumber(organization.autoTopUpAmount),
+    autoTopUpThreshold: readNumber(organization.autoTopUpThreshold),
+    minimumTopUp: readNumber(pricing.minimumTopUp)
+  };
+}
+function mapPaymentMethods(payload) {
+  const source = isRecord(payload) ? payload : {};
+  const organization = isRecord(source.organization) ? source.organization : {};
+  const hasPaymentMethod = readBoolean(organization.hasPaymentMethod) ?? false;
+  return {
+    success: true,
+    data: hasPaymentMethod ? [
+      {
+        id: "stripe-default",
+        type: "card",
+        label: "Saved payment method",
+        brand: "Card",
+        isDefault: true
+      }
+    ] : []
+  };
+}
+function mapBillingHistory(payload) {
+  const source = isRecord(payload) ? payload : {};
+  const rawTransactions = Array.isArray(source.transactions) ? source.transactions : [];
+  return {
+    success: true,
+    data: rawTransactions.filter(isRecord).map((item, index) => ({
+      id: readString(item.id) ?? `txn-${index}`,
+      kind: readString(item.type),
+      provider: readString(item.stripe_payment_intent_id) ? "stripe" : undefined,
+      status: (readNumber(item.amount) ?? 0) >= 0 ? "credited" : "usage",
+      amount: readNumber(item.amount) ?? 0,
+      currency: "USD",
+      description: readString(item.description),
+      createdAt: readString(item.created_at) ?? new Date().toISOString()
+    })),
+    total: readNumber(source.total),
+    period: source.period
+  };
+}
+function mapCheckoutResponse(payload) {
+  const source = isRecord(payload) ? payload : {};
+  return {
+    success: true,
+    provider: "stripe",
+    mode: "hosted",
+    checkoutUrl: readString(source.url) ?? readString(source.checkoutUrl),
+    sessionId: readString(source.sessionId)
+  };
+}
+function mapCryptoQuoteResponse(payload, amountUsd, payCurrency, network) {
+  const source = isRecord(payload) ? payload : {};
+  return {
+    success: true,
+    provider: "oxapay",
+    invoiceId: readString(source.paymentId) ?? readString(source.trackId),
+    trackId: readString(source.trackId),
+    network,
+    currency: payCurrency,
+    amount: readString(source.creditsToAdd) ?? String(amountUsd),
+    amountUsd,
+    paymentLinkUrl: readString(source.payLink),
+    expiresAt: readString(source.expiresAt)
+  };
+}
+function parseJsonBody(body) {
+  if (!body)
+    return {};
+  const parsed = JSON.parse(body);
+  return isRecord(parsed) ? parsed : {};
+}
+async function forwardSummary(baseUrl, headers) {
+  const summaryResponse = await fetchUpstream(`${baseUrl}/api/v1/credits/summary`, "GET", headers, undefined);
+  const summaryPayload = await readJsonResponse(summaryResponse);
+  if (!summaryResponse.ok) {
+    return { status: summaryResponse.status, payload: summaryPayload };
+  }
+  const cryptoPayload = await fetchCryptoStatusCached(baseUrl, headers) ?? {};
+  return {
+    status: summaryResponse.status,
+    payload: mapBillingSummary(summaryPayload, baseUrl, cryptoPayload)
+  };
+}
+function sendJsonWithRetry(res, payload, status) {
+  if (status === 429 && isRecord(payload)) {
+    const retryAfter = readNumber(payload.retryAfter);
+    if (retryAfter && retryAfter > 0) {
+      res.setHeader("Retry-After", String(Math.ceil(retryAfter)));
+    }
+  }
+  sendJson(res, payload, status);
+}
+function mirrorPaymentHeaders(res, upstreamResponse) {
+  for (const header of [
+    "PAYMENT-REQUIRED",
+    "Payment-Required",
+    "PAYMENT-RESPONSE",
+    "Payment-Response",
+    "Access-Control-Expose-Headers"
+  ]) {
+    const value = upstreamResponse.headers.get(header);
+    if (value) {
+      res.setHeader(header, value);
+    }
+  }
+}
+function isAllowedAppMoneyPath(pathname) {
+  const appMoneyPath = /^\/api\/cloud\/billing\/apps\/[^/]+\/(charges|earnings|monetization)(?:\/|$)/;
+  return appMoneyPath.test(pathname);
+}
+function mapBillingProxyPath(pathname) {
+  if (pathname === "/api/cloud/billing/x402")
+    return "/api/v1/x402";
+  if (pathname.startsWith("/api/cloud/billing/x402/")) {
+    return pathname.replace("/api/cloud/billing/x402", "/api/v1/x402");
+  }
+  if (pathname === "/api/cloud/billing/app-credits") {
+    return "/api/v1/app-credits";
+  }
+  if (pathname.startsWith("/api/cloud/billing/app-credits/")) {
+    return pathname.replace("/api/cloud/billing/app-credits", "/api/v1/app-credits");
+  }
+  if (pathname === "/api/cloud/billing/affiliates") {
+    return "/api/v1/affiliates";
+  }
+  if (pathname.startsWith("/api/cloud/billing/affiliates/")) {
+    return pathname.replace("/api/cloud/billing/affiliates", "/api/v1/affiliates");
+  }
+  if (pathname === "/api/cloud/billing/redemptions") {
+    return "/api/v1/redemptions";
+  }
+  if (pathname.startsWith("/api/cloud/billing/redemptions/")) {
+    return pathname.replace("/api/cloud/billing/redemptions", "/api/v1/redemptions");
+  }
+  if (isAllowedAppMoneyPath(pathname)) {
+    return pathname.replace("/api/cloud/billing/apps", "/api/v1/apps");
+  }
+  return null;
+}
+async function forwardBillingProxy(req, res, method, baseUrl, headers, upstreamPath, search) {
+  let body;
+  if (method !== "GET" && method !== "HEAD") {
+    body = await readBody(req);
+  }
+  const upstreamResponse = await fetchUpstream(`${baseUrl}${upstreamPath}${search}`, method, headers, body);
+  const responseData = await readJsonResponse(upstreamResponse);
+  mirrorPaymentHeaders(res, upstreamResponse);
+  sendJsonWithRetry(res, responseData, upstreamResponse.status);
+}
+async function handleCloudBillingRoute(req, res, pathname, method, state) {
+  if (!pathname.startsWith("/api/cloud/billing"))
+    return false;
+  const apiKey = resolveProxyApiKey(state);
+  if (!apiKey) {
+    sendJsonError(res, "Not connected to Eliza Cloud. Please log in first.", 401);
+    return true;
+  }
+  const baseUrl = resolveCloudBaseUrl(state.config);
+  const urlError = await validateCloudBaseUrl(baseUrl);
+  if (urlError) {
+    sendJsonError(res, urlError, 502);
+    return true;
+  }
+  const headers = buildAuthHeaders(state.config, apiKey);
+  const fullUrl = new URL(req.url ?? pathname, "http://localhost");
+  const proxiedMoneyPath = mapBillingProxyPath(pathname);
+  if (proxiedMoneyPath) {
+    await forwardBillingProxy(req, res, method, baseUrl, headers, proxiedMoneyPath, fullUrl.search);
+    return true;
+  }
+  if (pathname === "/api/cloud/billing/summary" && method === "GET") {
+    const { status, payload } = await forwardSummary(baseUrl, headers);
+    sendJsonWithRetry(res, payload, status);
+    return true;
+  }
+  if (pathname === "/api/cloud/billing/payment-methods" && method === "GET") {
+    const summaryResponse = await fetchUpstream(`${baseUrl}/api/v1/credits/summary`, "GET", headers, undefined);
+    const summaryPayload = await readJsonResponse(summaryResponse);
+    sendJsonWithRetry(res, summaryResponse.ok ? mapPaymentMethods(summaryPayload) : summaryPayload, summaryResponse.status);
+    return true;
+  }
+  if (pathname === "/api/cloud/billing/history" && method === "GET") {
+    const upstreamUrl = `${baseUrl}/api/credits/transactions${fullUrl.search}`;
+    const historyResponse = await fetchUpstream(upstreamUrl, "GET", headers, undefined);
+    const historyPayload = await readJsonResponse(historyResponse);
+    sendJsonWithRetry(res, historyResponse.ok ? mapBillingHistory(historyPayload) : historyPayload, historyResponse.status);
+    return true;
+  }
+  if (pathname === "/api/cloud/billing/checkout" && method === "POST") {
+    const body2 = await readBody(req);
+    const requestBody = parseJsonBody(body2);
+    const amountUsd = readNumber(requestBody.amountUsd);
+    if (!amountUsd || amountUsd <= 0) {
+      sendJsonError(res, "Invalid top-up amount", 400);
+      return true;
+    }
+    const upstreamBody = JSON.stringify({
+      credits: amountUsd,
+      success_url: buildRedirectUrl(baseUrl, "/dashboard/billing/success", {
+        from: "eliza"
+      }),
+      cancel_url: buildRedirectUrl(baseUrl, "/dashboard/settings", {
+        from: "eliza",
+        tab: "billing",
+        canceled: "1"
+      })
+    });
+    const checkoutResponse = await fetchUpstream(`${baseUrl}/api/v1/credits/checkout`, "POST", headers, upstreamBody);
+    const checkoutPayload = await readJsonResponse(checkoutResponse);
+    sendJsonWithRetry(res, checkoutResponse.ok ? mapCheckoutResponse(checkoutPayload) : checkoutPayload, checkoutResponse.status);
+    return true;
+  }
+  if (pathname === "/api/cloud/billing/crypto/quote" && method === "POST") {
+    const body2 = await readBody(req);
+    const requestBody = parseJsonBody(body2);
+    const amountUsd = readNumber(requestBody.amountUsd);
+    if (!amountUsd || amountUsd <= 0) {
+      sendJsonError(res, "Invalid top-up amount", 400);
+      return true;
+    }
+    const payCurrency = readString(requestBody.currency)?.trim().toUpperCase() ?? "USDC";
+    const network = normalizeCryptoNetwork(readString(requestBody.network));
+    const upstreamBody = JSON.stringify({
+      amount: amountUsd,
+      payCurrency,
+      network
+    });
+    const cryptoResponse = await fetchUpstream(`${baseUrl}/api/crypto/payments`, "POST", headers, upstreamBody);
+    const cryptoPayload = await readJsonResponse(cryptoResponse);
+    sendJsonWithRetry(res, cryptoResponse.ok ? mapCryptoQuoteResponse(cryptoPayload, amountUsd, payCurrency, network) : cryptoPayload, cryptoResponse.status);
+    return true;
+  }
+  if (pathname.startsWith("/api/cloud/billing/credits/")) {
+    let body2;
+    if (method !== "GET" && method !== "HEAD") {
+      body2 = await readBody(req);
+    }
+    const upstreamPath = pathname.replace("/api/cloud/billing/credits", "/api/v1/credits");
+    const upstreamResponse2 = await fetchUpstream(`${baseUrl}${upstreamPath}${fullUrl.search}`, method, headers, body2);
+    const responseData2 = await readJsonResponse(upstreamResponse2);
+    sendJsonWithRetry(res, responseData2, upstreamResponse2.status);
+    return true;
+  }
+  if (pathname.startsWith("/api/cloud/billing/crypto/") && pathname !== "/api/cloud/billing/crypto/quote") {
+    let body2;
+    if (method !== "GET" && method !== "HEAD") {
+      body2 = await readBody(req);
+    }
+    const upstreamPath = pathname.replace("/api/cloud/billing/crypto", "/api/crypto");
+    const upstreamResponse2 = await fetchUpstream(`${baseUrl}${upstreamPath}${fullUrl.search}`, method, headers, body2);
+    const responseData2 = await readJsonResponse(upstreamResponse2);
+    sendJsonWithRetry(res, responseData2, upstreamResponse2.status);
+    return true;
+  }
+  let body;
+  if (method !== "GET" && method !== "HEAD") {
+    body = await readBody(req);
+  }
+  const billingPath = pathname.replace("/api/cloud/billing", "/api/v1/billing");
+  const upstreamResponse = await fetchUpstream(`${baseUrl}${billingPath}${fullUrl.search}`, method, headers, body);
+  const responseData = await readJsonResponse(upstreamResponse);
+  sendJsonWithRetry(res, responseData, upstreamResponse.status);
+  return true;
+}
+var PROXY_TIMEOUT_MS = 15000, MAX_BODY_BYTES = 1048576, MAX_REDIRECTS = 4, CRYPTO_STATUS_CACHE_MS = 60000, cryptoStatusCache;
+var init_cloud_billing_routes = __esm(() => {
+  init_base_url();
+  init_validate_url();
+  cryptoStatusCache = new Map;
+});
+
+// src/routes/home-remote-runner-access-url.ts
+import { normalizeCloudSiteUrl as normalizeCloudSiteUrl2 } from "@elizaos/shared";
+function buildHomeRemoteRunnerAccessUrl(input) {
+  const sessionId = input.sessionId?.trim();
+  if (!sessionId)
+    return null;
+  try {
+    const url = new URL(normalizeCloudSiteUrl2(input.cloudBaseUrl ?? undefined));
+    url.pathname = "/dashboard/app";
+    url.search = "";
+    url.hash = "";
+    url.searchParams.set(HOME_REMOTE_RUNNER_ACCESS_SESSION_PARAM, sessionId);
+    return url.toString();
+  } catch {
+    return null;
+  }
+}
+function buildHomeRemoteRunnerSshTunnel(input) {
+  const sshTarget = normalizeSshTarget(input.sshTarget);
+  if (!sshTarget)
+    return null;
+  let parsed;
+  try {
+    parsed = new URL(input.remoteBaseUrl?.trim() ?? "");
+  } catch {
+    return null;
+  }
+  if (parsed.protocol !== "http:") {
+    return null;
+  }
+  const remotePort = parsed.port || "80";
+  const localPort = normalizePort(input.localPort) ?? remotePort;
+  const remoteHost = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" ? "127.0.0.1" : parsed.hostname;
+  const identityArg = input.sshIdentity?.trim() ? ` -i ${quoteShellArg(input.sshIdentity.trim())}` : "";
+  const command = `ssh -N${identityArg} -L 127.0.0.1:${localPort}:${remoteHost}:${remotePort} ${sshTarget}`;
+  return {
+    command,
+    localUrl: `${parsed.protocol}//127.0.0.1:${localPort}`
+  };
+}
+function normalizePort(value) {
+  if (value === null || value === undefined)
+    return null;
+  const raw = String(value).trim();
+  if (!/^\d+$/.test(raw))
+    return null;
+  const port = Number(raw);
+  if (!Number.isInteger(port) || port < 1 || port > 65535)
+    return null;
+  return String(port);
+}
+function normalizeSshTarget(value) {
+  const target = value?.trim();
+  if (!target)
+    return null;
+  if (!/^[A-Za-z0-9._~%+-]+@[A-Za-z0-9.-]+$/.test(target))
+    return null;
+  return target;
+}
+function quoteShellArg(value) {
+  return `'${value.replace(/'/g, "'\\''")}'`;
+}
+var HOME_REMOTE_RUNNER_ACCESS_SESSION_PARAM = "homeRemoteRunnerSession";
+var init_home_remote_runner_access_url = () => {};
+
+// src/lib/config-like.ts
+function ensureLinkedAccounts(config) {
+  config.linkedAccounts ??= {};
+  return config.linkedAccounts;
+}
+function ensureServiceRouting(config) {
+  config.serviceRouting ??= {};
+  return config.serviceRouting;
+}
+function persistDeploymentTarget(config, deploymentTarget) {
+  if (!deploymentTarget) {
+    delete config.deploymentTarget;
+    return;
+  }
+  config.deploymentTarget = { ...deploymentTarget };
+}
+function persistLinkedAccounts(config, linkedAccounts) {
+  if (!linkedAccounts)
+    return;
+  const existing = ensureLinkedAccounts(config);
+  for (const [accountId, account] of Object.entries(linkedAccounts)) {
+    if (!account || Object.keys(account).length === 0) {
+      delete existing[accountId];
+      continue;
+    }
+    existing[accountId] = {
+      ...existing[accountId],
+      ...account
+    };
+  }
+  if (Object.keys(existing).length === 0) {
+    delete config.linkedAccounts;
+  }
+}
+function persistServiceRouting(config, serviceRouting, clearRoutes = []) {
+  const existing = ensureServiceRouting(config);
+  for (const capability of clearRoutes) {
+    delete existing[capability];
+  }
+  if (serviceRouting) {
+    for (const [capability, route] of Object.entries(serviceRouting)) {
+      const serviceKey = capability;
+      if (!route || Object.keys(route).length === 0) {
+        delete existing[serviceKey];
+        continue;
+      }
+      existing[serviceKey] = { ...route };
+    }
+  }
+  if (Object.keys(existing).length === 0) {
+    delete config.serviceRouting;
+  }
+}
+function applyCanonicalSetupConfig(config, args) {
+  if (args.deploymentTarget !== undefined) {
+    persistDeploymentTarget(config, args.deploymentTarget);
+  }
+  if (args.linkedAccounts !== undefined) {
+    persistLinkedAccounts(config, args.linkedAccounts);
+  }
+  if (args.serviceRouting !== undefined || args.clearRoutes?.length) {
+    persistServiceRouting(config, args.serviceRouting, args.clearRoutes);
+  }
+}
+function normalizeEnvValue(value) {
+  if (typeof value !== "string")
+    return;
+  const trimmed = value.trim();
+  return trimmed || undefined;
+}
+function isTimeoutError(error) {
+  if (!(error instanceof Error))
+    return false;
+  if (error.name === "TimeoutError" || error.name === "AbortError")
+    return true;
+  const message = error.message.toLowerCase();
+  return message.includes("timed out") || message.includes("timeout");
+}
+
+// src/routes/cloud-routes-autonomous.ts
+import fs3 from "node:fs/promises";
+import path3 from "node:path";
+import {
+  isCloudInferenceSelectedInConfig,
+  migrateLegacyRuntimeConfig
+} from "@elizaos/core";
+import { logger } from "@elizaos/core";
+function extractAgentId(pathname) {
+  const id = pathname.split("/")[4];
+  return id && UUID_RE.test(id) ? id : null;
+}
+function replaceMutableRoot(target, snapshot) {
+  const targetRecord = target;
+  for (const key of Object.keys(targetRecord)) {
+    delete targetRecord[key];
+  }
+  Object.assign(targetRecord, structuredClone(snapshot));
+}
+function getCloudAuth(runtime) {
+  if (typeof runtime?.getService !== "function") {
+    return null;
+  }
+  const service = runtime.getService("CLOUD_AUTH");
+  return service && typeof service === "object" ? service : null;
+}
+function clearCloudAuth(runtime) {
+  const cloudAuth = getCloudAuth(runtime);
+  if (typeof cloudAuth?.clearAuth === "function") {
+    cloudAuth.clearAuth();
+  }
+  return cloudAuth;
+}
+async function captureConfigEnvRollbackSnapshot() {
+  const filePath = path3.join(resolveStateDir(), CONFIG_ENV_FILENAME2);
+  const bakPath = `${filePath}${CONFIG_ENV_BAK_SUFFIX}`;
+  let originalRaw = null;
+  try {
+    originalRaw = await fs3.readFile(filePath, "utf8");
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      throw err;
+    }
+  }
+  const previousEnv = Object.fromEntries(CLOUD_WALLET_ROLLBACK_ENV_KEYS.flatMap((key) => {
+    const value = process.env[key];
+    return typeof value === "string" ? [[key, value]] : [];
+  }));
+  return {
+    bakPath,
+    filePath,
+    originalRaw,
+    previousEnv
+  };
+}
+async function restoreConfigEnvRollbackSnapshot(snapshot) {
+  await fs3.mkdir(path3.dirname(snapshot.filePath), { recursive: true });
+  if (snapshot.originalRaw === null) {
+    await fs3.rm(snapshot.filePath, { force: true });
+    await fs3.rm(snapshot.bakPath, { force: true });
+  } else {
+    await fs3.writeFile(snapshot.filePath, snapshot.originalRaw, {
+      encoding: "utf8",
+      mode: 384
+    });
+    await fs3.writeFile(snapshot.bakPath, snapshot.originalRaw, {
+      encoding: "utf8",
+      mode: 384
+    });
+  }
+  for (const key of CLOUD_WALLET_ROLLBACK_ENV_KEYS) {
+    const previousValue = snapshot.previousEnv[key];
+    if (typeof previousValue === "string") {
+      process.env[key] = previousValue;
+    } else {
+      delete process.env[key];
+    }
+  }
+}
+function saveConfigOrThrow(state) {
+  if (!state.saveConfig) {
+    throw new Error("saveConfig not available");
+  }
+  state.saveConfig(state.config);
+}
+async function readJsonBody2(req, res) {
+  return await readJsonBody(req, res, {
+    maxBytes: 1048576,
+    tooLargeMessage: "Request body too large",
+    destroyOnTooLarge: true
+  });
+}
+function isRedirectResponse(response) {
+  return response.status >= 300 && response.status < 400;
+}
+function createNoopTelemetrySpan() {
+  return {
+    success: () => {},
+    failure: () => {}
+  };
+}
+function getTelemetrySpan(state, meta) {
+  return state.createTelemetrySpan?.(meta) ?? createNoopTelemetrySpan();
+}
+async function fetchWithTimeout(input, init, timeoutMs) {
+  return fetch(input, {
+    ...init,
+    redirect: "manual",
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+}
+async function handleCloudRoute(req, res, pathname, method, state) {
+  if (method === "POST" && pathname === "/api/cloud/login") {
+    const baseUrl = normalizeCloudSiteUrl(state.config.cloud?.baseUrl);
+    const urlError = await validateCloudBaseUrl(baseUrl);
+    if (urlError) {
+      sendJsonError(res, urlError);
+      return true;
+    }
+    const sessionId = crypto.randomUUID();
+    const loginCreateSpan = getTelemetrySpan(state, {
+      boundary: "cloud",
+      operation: "login_create_session",
+      timeoutMs: CLOUD_LOGIN_CREATE_TIMEOUT_MS
+    });
+    let createRes;
+    try {
+      createRes = await fetchWithTimeout(`${baseUrl}/api/auth/cli-session`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ sessionId })
+      }, CLOUD_LOGIN_CREATE_TIMEOUT_MS);
+    } catch (err) {
+      if (isTimeoutError(err)) {
+        loginCreateSpan.failure({ error: err, statusCode: 504 });
+        sendJsonError(res, "Eliza Cloud login request timed out", 504);
+        return true;
+      }
+      loginCreateSpan.failure({ error: err, statusCode: 502 });
+      sendJsonError(res, "Failed to reach Eliza Cloud", 502);
+      return true;
+    }
+    if (isRedirectResponse(createRes)) {
+      loginCreateSpan.failure({
+        statusCode: createRes.status,
+        errorKind: "redirect_response"
+      });
+      sendJsonError(res, "Eliza Cloud login request was redirected; redirects are not allowed", 502);
+      return true;
+    }
+    if (!createRes.ok) {
+      loginCreateSpan.failure({
+        statusCode: createRes.status,
+        errorKind: "http_error"
+      });
+      sendJsonError(res, "Failed to create auth session with Eliza Cloud", 502);
+      return true;
+    }
+    loginCreateSpan.success({ statusCode: createRes.status });
+    sendJson(res, {
+      ok: true,
+      sessionId,
+      browserUrl: `${baseUrl}/auth/cli-login?session=${encodeURIComponent(sessionId)}`
+    });
+    return true;
+  }
+  if (method === "GET" && pathname.startsWith("/api/cloud/login/status")) {
+    const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
+    const sessionId = url.searchParams.get("sessionId");
+    if (!sessionId) {
+      sendJsonError(res, "sessionId query parameter is required");
+      return true;
+    }
+    const baseUrl = normalizeCloudSiteUrl(state.config.cloud?.baseUrl);
+    const urlError = await validateCloudBaseUrl(baseUrl);
+    if (urlError) {
+      sendJsonError(res, urlError);
+      return true;
+    }
+    const loginPollSpan = getTelemetrySpan(state, {
+      boundary: "cloud",
+      operation: "login_poll_status",
+      timeoutMs: CLOUD_LOGIN_POLL_TIMEOUT_MS
+    });
+    let pollRes;
+    try {
+      pollRes = await fetchWithTimeout(`${baseUrl}/api/auth/cli-session/${encodeURIComponent(sessionId)}`, {}, CLOUD_LOGIN_POLL_TIMEOUT_MS);
+    } catch (err) {
+      if (isTimeoutError(err)) {
+        loginPollSpan.failure({ error: err, statusCode: 504 });
+        sendJson(res, {
+          status: "error",
+          error: "Eliza Cloud status request timed out"
+        }, 504);
+        return true;
+      }
+      loginPollSpan.failure({ error: err, statusCode: 502 });
+      sendJson(res, {
+        status: "error",
+        error: "Failed to reach Eliza Cloud"
+      }, 502);
+      return true;
+    }
+    if (isRedirectResponse(pollRes)) {
+      loginPollSpan.failure({
+        statusCode: pollRes.status,
+        errorKind: "redirect_response"
+      });
+      sendJson(res, {
+        status: "error",
+        error: "Eliza Cloud status request was redirected; redirects are not allowed"
+      }, 502);
+      return true;
+    }
+    if (!pollRes.ok) {
+      loginPollSpan.failure({
+        statusCode: pollRes.status,
+        errorKind: "http_error"
+      });
+      sendJson(res, pollRes.status === 404 ? { status: "expired", error: "Session not found or expired" } : {
+        status: "error",
+        error: `Eliza Cloud returned HTTP ${pollRes.status}`
+      });
+      return true;
+    }
+    let data;
+    try {
+      data = await pollRes.json();
+    } catch (parseErr) {
+      loginPollSpan.failure({ error: parseErr, statusCode: pollRes.status });
+      sendJson(res, { status: "error", error: "Eliza Cloud returned invalid JSON" }, 502);
+      return true;
+    }
+    loginPollSpan.success({ statusCode: pollRes.status });
+    if (data.status === "authenticated" && data.apiKey) {
+      const organizationId = typeof data.organizationId === "string" ? data.organizationId.trim() : undefined;
+      const userId = typeof data.userId === "string" ? data.userId.trim() : undefined;
+      const cloudAuth = clearCloudAuth(state.runtime);
+      migrateLegacyRuntimeConfig(state.config);
+      const cloud = state.config.cloud ?? {};
+      cloud.apiKey = data.apiKey;
+      state.config.cloud = cloud;
+      applyCanonicalSetupConfig(state.config, {
+        linkedAccounts: {
+          elizacloud: {
+            status: "linked",
+            source: "api-key"
+          }
+        }
+      });
+      const cloudInferenceSelected = isCloudInferenceSelectedInConfig(state.config);
+      migrateLegacyRuntimeConfig(state.config);
+      try {
+        if (state.saveConfig) {
+          state.saveConfig(state.config);
+        } else {
+          logger.warn("[cloud-login] saveConfig not available — config not persisted");
+        }
+        logger.info("[cloud-login] API key saved to config file");
+      } catch (saveErr) {
+        logger.error(`[cloud-login] Failed to save config: ${String(saveErr)}`);
+        sendJson(res, { status: "error", error: "Authenticated but failed to save config" }, 500);
+        return true;
+      }
+      process.env.ELIZAOS_CLOUD_API_KEY = data.apiKey;
+      if (cloudInferenceSelected) {
+        process.env.ELIZAOS_CLOUD_ENABLED = "true";
+      } else {
+        delete process.env.ELIZAOS_CLOUD_ENABLED;
+      }
+      if (state.runtime) {
+        const character = state.runtime.character ?? {};
+        state.runtime.character = character;
+        if (!character.secrets) {
+          character.secrets = {};
+        }
+        const secrets = character.secrets;
+        secrets.ELIZAOS_CLOUD_API_KEY = data.apiKey;
+        if (userId) {
+          secrets.ELIZA_CLOUD_USER_ID = userId;
+        } else {
+          delete secrets.ELIZA_CLOUD_USER_ID;
+        }
+        if (organizationId) {
+          secrets.ELIZA_CLOUD_ORGANIZATION_ID = organizationId;
+        } else {
+          delete secrets.ELIZA_CLOUD_ORGANIZATION_ID;
+        }
+        if (cloudInferenceSelected) {
+          secrets.ELIZAOS_CLOUD_ENABLED = "true";
+        } else {
+          delete secrets.ELIZAOS_CLOUD_ENABLED;
+        }
+        if (typeof state.runtime.setSetting === "function") {
+          state.runtime.setSetting("ELIZA_CLOUD_USER_ID", userId ?? null);
+          state.runtime.setSetting("ELIZA_CLOUD_ORGANIZATION_ID", organizationId ?? null);
+        }
+        if (typeof state.runtime.updateAgent === "function") {
+          await state.runtime.updateAgent(state.runtime.agentId, {
+            secrets: { ...secrets }
+          });
+          logger.info("[cloud-login] API key persisted to agent DB record");
+        } else {
+          logger.warn("[cloud-login] runtime.updateAgent not available — agent DB secrets not persisted");
+        }
+      }
+      if (state.cloudManager && typeof state.cloudManager.replaceApiKey === "function") {
+        await state.cloudManager.replaceApiKey(data.apiKey);
+      } else if (state.cloudManager && !state.cloudManager.getClient() && typeof state.cloudManager.init === "function") {
+        await state.cloudManager.init();
+      }
+      if (typeof cloudAuth?.authenticateWithApiKey === "function") {
+        cloudAuth.authenticateWithApiKey({
+          apiKey: data.apiKey,
+          organizationId,
+          userId
+        });
+      }
+      if (isCloudWalletEnabled()) {
+        const rollbackConfigSnapshot = structuredClone(state.config);
+        const rollbackEnvSnapshot = await captureConfigEnvRollbackSnapshot();
+        try {
+          const bridge = state.cloudManager?.getClient();
+          const agentId = state.runtime?.agentId;
+          if (!bridge) {
+            throw new Error("cloud-wallet bridge unavailable");
+          }
+          if (!agentId) {
+            throw new Error("cloud-wallet runtime agentId missing");
+          }
+          const { address: clientAddress, minted } = await getOrCreateClientAddressKey();
+          if (minted) {
+            logger.info(`[cloud-login] cloud-wallet: minted client_address ${clientAddress}`);
+          }
+          const descriptors = await provisionCloudWallets(bridge, {
+            agentId,
+            clientAddress
+          });
+          persistCloudWalletCache(state.config, descriptors);
+          const cloudCfg = state.config.cloud ?? {};
+          cloudCfg.clientAddressPublicKey = clientAddress;
+          state.config.cloud = cloudCfg;
+          saveConfigOrThrow(state);
+          if (descriptors.evm?.walletAddress) {
+            process.env.ELIZA_CLOUD_EVM_ADDRESS = descriptors.evm.walletAddress;
+            await persistConfigEnv("ELIZA_CLOUD_EVM_ADDRESS", descriptors.evm.walletAddress);
+          }
+          if (descriptors.solana?.walletAddress) {
+            process.env.ELIZA_CLOUD_SOLANA_ADDRESS = descriptors.solana.walletAddress;
+            await persistConfigEnv("ELIZA_CLOUD_SOLANA_ADDRESS", descriptors.solana.walletAddress);
+          }
+          if (descriptors.evm) {
+            await persistConfigEnv("WALLET_SOURCE_EVM", "cloud");
+          }
+          if (descriptors.solana) {
+            await persistConfigEnv("WALLET_SOURCE_SOLANA", "cloud");
+          }
+          const wallet = state.config.wallet ?? {};
+          const primary = {
+            ...wallet.primary ?? {}
+          };
+          if (descriptors.evm)
+            primary.evm = "cloud";
+          if (descriptors.solana)
+            primary.solana = "cloud";
+          wallet.primary = primary;
+          state.config.wallet = wallet;
+          saveConfigOrThrow(state);
+          logger.info(`[cloud-login] cloud-wallet: provisioned ${Object.keys(descriptors).join(", ")} — applying runtime reload`);
+          const restarted = state.restartRuntime ? await Promise.resolve(state.restartRuntime("cloud-wallet-bound")) : false;
+          if (!restarted) {
+            logger.warn("[cloud-login] cloud-wallet: restartRuntime not wired or restart declined — user must restart manually");
+          }
+        } catch (cloudWalletErr) {
+          try {
+            await restoreConfigEnvRollbackSnapshot(rollbackEnvSnapshot);
+          } catch (rollbackErr) {
+            logger.error(`[cloud-login] cloud-wallet rollback failed: ${String(rollbackErr)}`);
+          }
+          replaceMutableRoot(state.config, rollbackConfigSnapshot);
+          try {
+            saveConfigOrThrow(state);
+          } catch (saveRollbackErr) {
+            logger.error(`[cloud-login] cloud-wallet config rollback failed: ${String(saveRollbackErr)}`);
+          }
+          logger.error(`[cloud-login] cloud-wallet provision failed: ${String(cloudWalletErr)}`);
+        }
+      }
+      logger.info(`[cloud-login] sending API key to loopback renderer (single-user desktop trust model)`);
+      sendJson(res, {
+        status: "authenticated",
+        token: data.apiKey,
+        keyPrefix: data.keyPrefix,
+        organizationId,
+        userId
+      });
+    } else {
+      sendJson(res, { status: data.status });
+    }
+    return true;
+  }
+  if (method === "GET" && pathname === "/api/cloud/agents") {
+    const client = state.cloudManager?.getClient();
+    if (!client) {
+      sendJsonError(res, "Not connected to Eliza Cloud", 401);
+      return true;
+    }
+    sendJson(res, { ok: true, agents: await client.listAgents() });
+    return true;
+  }
+  if (method === "POST" && pathname === "/api/cloud/agents") {
+    const client = state.cloudManager?.getClient();
+    if (!client) {
+      sendJsonError(res, "Not connected to Eliza Cloud", 401);
+      return true;
+    }
+    const body = await readJsonBody2(req, res);
+    if (!body)
+      return true;
+    if (!body.agentName?.trim()) {
+      sendJsonError(res, "agentName is required");
+      return true;
+    }
+    let agent;
+    try {
+      agent = await client.createAgent({
+        agentName: body.agentName,
+        agentConfig: body.agentConfig,
+        environmentVars: body.environmentVars
+      });
+    } catch (err) {
+      logger.error(`[cloud] createAgent failed: ${String(err)}`);
+      sendJson(res, { ok: false, error: `Cloud createAgent failed: ${String(err)}` }, 502);
+      return true;
+    }
+    sendJson(res, { ok: true, agent }, 201);
+    return true;
+  }
+  if (method === "POST" && pathname.startsWith("/api/cloud/agents/") && pathname.endsWith("/provision")) {
+    const agentId = extractAgentId(pathname);
+    if (!agentId || !state.cloudManager) {
+      sendJsonError(res, "Invalid agent ID or cloud not connected", 400);
+      return true;
+    }
+    let proxy;
+    try {
+      proxy = await state.cloudManager.connect(agentId);
+    } catch (err) {
+      logger.error(`[cloud] provision/connect failed: ${String(err)}`);
+      sendJson(res, { ok: false, error: `Cloud provision failed: ${String(err)}` }, 502);
+      return true;
+    }
+    sendJson(res, {
+      ok: true,
+      agentId,
+      agentName: proxy.agentName,
+      status: state.cloudManager.getStatus()
+    });
+    return true;
+  }
+  if (method === "POST" && pathname.startsWith("/api/cloud/agents/") && pathname.endsWith("/shutdown")) {
+    const agentId = extractAgentId(pathname);
+    if (!agentId || !state.cloudManager) {
+      sendJsonError(res, "Invalid agent ID or cloud not connected", 400);
+      return true;
+    }
+    const client = state.cloudManager.getClient();
+    if (!client) {
+      sendJsonError(res, "Not connected to Eliza Cloud", 401);
+      return true;
+    }
+    try {
+      if (state.cloudManager.getActiveAgentId() === agentId) {
+        await state.cloudManager.disconnect();
+      }
+      await client.deleteAgent(agentId);
+    } catch (err) {
+      logger.error(`[cloud] shutdown/deleteAgent failed: ${String(err)}`);
+      sendJson(res, { ok: false, error: `Cloud shutdown failed: ${String(err)}` }, 502);
+      return true;
+    }
+    sendJson(res, { ok: true, agentId, status: "stopped" });
+    return true;
+  }
+  if (method === "POST" && pathname.startsWith("/api/cloud/agents/") && pathname.endsWith("/connect")) {
+    const agentId = extractAgentId(pathname);
+    if (!agentId || !state.cloudManager) {
+      sendJsonError(res, "Invalid agent ID or cloud not connected", 400);
+      return true;
+    }
+    let proxy;
+    try {
+      if (state.cloudManager.getActiveAgentId()) {
+        await state.cloudManager.disconnect();
+      }
+      proxy = await state.cloudManager.connect(agentId);
+    } catch (err) {
+      logger.error(`[cloud] connect failed: ${String(err)}`);
+      sendJson(res, { ok: false, error: `Cloud connect failed: ${String(err)}` }, 502);
+      return true;
+    }
+    sendJson(res, {
+      ok: true,
+      agentId,
+      agentName: proxy.agentName,
+      status: state.cloudManager.getStatus()
+    });
+    return true;
+  }
+  if (method === "POST" && pathname === "/api/cloud/disconnect") {
+    if (state.cloudManager) {
+      await state.cloudManager.disconnect();
+    }
+    const cloud = state.config.cloud ?? {};
+    delete cloud.apiKey;
+    state.config.cloud = cloud;
+    applyCanonicalSetupConfig(state.config, {
+      deploymentTarget: { runtime: "local" },
+      linkedAccounts: {
+        elizacloud: {
+          status: "unlinked",
+          source: "api-key"
+        }
+      },
+      clearRoutes: ["llmText", "tts", "media", "embeddings", "rpc"]
+    });
+    migrateLegacyRuntimeConfig(state.config);
+    try {
+      if (state.saveConfig) {
+        state.saveConfig(state.config);
+      } else {
+        logger.warn("[cloud-disconnect] saveConfig not available — config not persisted");
+      }
+    } catch (saveErr) {
+      logger.error(`[cloud-disconnect] Failed to save config: ${String(saveErr)}`);
+      sendJson(res, { ok: false, error: "Disconnected but failed to save config" }, 500);
+      return true;
+    }
+    delete process.env.ELIZAOS_CLOUD_API_KEY;
+    delete process.env.ELIZAOS_CLOUD_ENABLED;
+    if (state.runtime) {
+      const character = state.runtime.character ?? {};
+      state.runtime.character = character;
+      if (!character.secrets) {
+        character.secrets = {};
+      }
+      const secrets = character.secrets;
+      delete secrets.ELIZAOS_CLOUD_API_KEY;
+      delete secrets.ELIZAOS_CLOUD_ENABLED;
+      if (typeof state.runtime.updateAgent === "function") {
+        await state.runtime.updateAgent(state.runtime.agentId, {
+          secrets: { ...secrets }
+        });
+      } else {
+        logger.warn("[cloud-disconnect] updateAgent not available — runtime secrets not persisted");
+      }
+    }
+    sendJson(res, { ok: true, status: "disconnected" });
+    return true;
+  }
+  return false;
+}
+var UUID_RE, CLOUD_LOGIN_CREATE_TIMEOUT_MS = 1e4, CLOUD_LOGIN_POLL_TIMEOUT_MS = 1e4, CONFIG_ENV_FILENAME2 = "config.env", CONFIG_ENV_BAK_SUFFIX = ".bak", CLOUD_WALLET_ROLLBACK_ENV_KEYS;
+var init_cloud_routes_autonomous = __esm(() => {
+  init_base_url();
+  init_cloud_wallet();
+  init_validate_url();
+  init_config_env();
+  init_state_paths();
+  UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+  CLOUD_WALLET_ROLLBACK_ENV_KEYS = [
+    ELIZA_CLOUD_CLIENT_ADDRESS_KEY_ENV,
+    "ELIZA_CLOUD_EVM_ADDRESS",
+    "ELIZA_CLOUD_SOLANA_ADDRESS",
+    "WALLET_SOURCE_EVM",
+    "WALLET_SOURCE_SOLANA"
+  ];
+});
+
+// src/lib/cloud-secrets.ts
+import {
+  clearCloudSecrets,
+  getCloudSecret,
+  scrubCloudSecretsFromEnv,
+  _resetCloudSecretsForTesting
+} from "@elizaos/shared";
+var init_cloud_secrets = () => {};
+
+// src/lib/cloud-connection.ts
+import {
+  isCloudInferenceSelectedInConfig as isCloudInferenceSelectedInConfig2,
+  isElizaSettingsDebugEnabled,
+  migrateLegacyRuntimeConfig as migrateLegacyRuntimeConfig2,
+  settingsDebugCloudSummary
+} from "@elizaos/core";
+import { logger as logger2 } from "@elizaos/core";
+function cloudCreditsHttpErrorMessage(status, creditResponse) {
+  const err = creditResponse.error;
+  if (typeof err === "string" && err.trim()) {
+    return err.trim();
+  }
+  if (err && typeof err === "object" && "message" in err) {
+    const msg = err.message;
+    if (typeof msg === "string" && msg.trim()) {
+      return msg.trim();
+    }
+  }
+  return `HTTP ${status}`;
+}
+function asRuntimeCloud(runtime) {
+  return runtime;
+}
+function getCloudAuth2(runtime) {
+  const runtimeWithServices = asRuntimeCloud(runtime);
+  if (typeof runtimeWithServices?.getService !== "function") {
+    return null;
+  }
+  const service = runtimeWithServices.getService("CLOUD_AUTH");
+  return service && typeof service === "object" ? service : null;
+}
+function resolvePersistedCloudIdentity(runtime) {
+  const runtimeWithCloud = asRuntimeCloud(runtime);
+  return {
+    organizationId: normalizeEnvValue(runtimeWithCloud?.getSetting?.("ELIZA_CLOUD_ORGANIZATION_ID")) ?? normalizeEnvValue(runtimeWithCloud?.character?.secrets?.ELIZA_CLOUD_ORGANIZATION_ID),
+    userId: normalizeEnvValue(runtimeWithCloud?.getSetting?.("ELIZA_CLOUD_USER_ID")) ?? normalizeEnvValue(runtimeWithCloud?.character?.secrets?.ELIZA_CLOUD_USER_ID)
+  };
+}
+function resolveCloudApiBaseUrl3(rawBaseUrl) {
+  return resolveCloudApiBaseUrl(rawBaseUrl ?? DEFAULT_CLOUD_API_BASE_URL2) ?? DEFAULT_CLOUD_API_BASE_URL2;
+}
+function resolveCloudApiKey2(config, runtime) {
+  migrateLegacyRuntimeConfig2(config);
+  const configApiKey = normalizeEnvValue(config.cloud?.apiKey);
+  if (configApiKey)
+    return configApiKey;
+  if (!isCloudInferenceSelectedInConfig2(config)) {
+    return;
+  }
+  const sealedKey = normalizeEnvValue(getCloudSecret("ELIZAOS_CLOUD_API_KEY"));
+  if (sealedKey)
+    return sealedKey;
+  const envKey = normalizeEnvValue(process.env.ELIZAOS_CLOUD_API_KEY);
+  if (envKey)
+    return envKey;
+  const runtimeSettingKey = normalizeEnvValue(runtime?.getSetting?.("ELIZAOS_CLOUD_API_KEY"));
+  if (runtimeSettingKey)
+    return runtimeSettingKey;
+  const runtimeKey = normalizeEnvValue(runtime?.character?.secrets?.ELIZAOS_CLOUD_API_KEY);
+  if (runtimeKey)
+    return runtimeKey;
+  return;
+}
+function resolveCloudConnectionSnapshot(config, runtime) {
+  migrateLegacyRuntimeConfig2(config);
+  const _cloudRecord = config.cloud && typeof config.cloud === "object" ? config.cloud : undefined;
+  const enabled = isCloudInferenceSelectedInConfig2(config);
+  const apiKey = resolveCloudApiKey2(config, runtime);
+  const cloudAuth = getCloudAuth2(runtime);
+  const authConnected = Boolean(cloudAuth?.isAuthenticated?.());
+  const hasApiKey = Boolean(apiKey);
+  const persistedIdentity = resolvePersistedCloudIdentity(runtime);
+  const shouldExposeIdentity = authConnected || hasApiKey;
+  return {
+    apiKey,
+    authConnected,
+    cloudAuth,
+    connected: authConnected || hasApiKey,
+    enabled,
+    hasApiKey,
+    organizationId: shouldExposeIdentity ? normalizeEnvValue(cloudAuth?.getOrganizationId?.()) ?? persistedIdentity.organizationId : undefined,
+    userId: shouldExposeIdentity ? normalizeEnvValue(cloudAuth?.getUserId?.()) ?? persistedIdentity.userId : undefined
+  };
+}
+function coerceCloudBalance(value) {
+  if (typeof value === "number" && Number.isFinite(value)) {
+    return value;
+  }
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (!trimmed)
+      return null;
+    const parsed = Number.parseFloat(trimmed);
+    return Number.isFinite(parsed) ? parsed : null;
+  }
+  return null;
+}
+async function fetchCloudCreditsByApiKey(baseUrl, apiKey) {
+  const response = await fetch(`${baseUrl}/credits/balance`, {
+    headers: {
+      Accept: "application/json",
+      Authorization: `Bearer ${apiKey}`
+    },
+    redirect: "manual",
+    signal: AbortSignal.timeout(1e4)
+  });
+  if (response.status >= 300 && response.status < 400) {
+    throw new Error("Cloud credits request was redirected; redirects are not allowed");
+  }
+  const creditResponse = await response.json().catch((err) => {
+    console.warn("[cloud-connection] Failed to parse credit balance response JSON:", err);
+    return {};
+  });
+  if (response.status === 401) {
+    throw new CloudCreditsAuthRejectedError(cloudCreditsHttpErrorMessage(401, creditResponse));
+  }
+  if (!response.ok) {
+    throw new Error(cloudCreditsHttpErrorMessage(response.status, creditResponse));
+  }
+  const balance = coerceCloudBalance(creditResponse.balance) ?? coerceCloudBalance(creditResponse.data?.balance);
+  return balance;
+}
+function withCreditFlags(balance) {
+  return {
+    connected: true,
+    balance,
+    low: balance < CREDIT_LOW_THRESHOLD,
+    critical: balance < CREDIT_CRITICAL_THRESHOLD,
+    topUpUrl: CLOUD_BILLING_URL
+  };
+}
+async function fetchCloudCredits(config, runtime) {
+  const snapshot = resolveCloudConnectionSnapshot(config, runtime);
+  let authenticatedFailure = null;
+  let authenticatedUnexpectedResponse = false;
+  if (!snapshot.connected) {
+    return { balance: null, connected: false };
+  }
+  const cloudClient = snapshot.cloudAuth?.getClient?.();
+  if (snapshot.authConnected && typeof cloudClient?.get === "function") {
+    try {
+      const creditResponse = await cloudClient.get("/credits/balance");
+      const rawBalance = coerceCloudBalance(creditResponse?.balance) ?? coerceCloudBalance(creditResponse?.data?.balance);
+      if (typeof rawBalance === "number") {
+        return withCreditFlags(rawBalance);
+      }
+      authenticatedUnexpectedResponse = true;
+      logger2.debug(`[cloud/credits] Unexpected authenticated response shape: ${JSON.stringify(creditResponse)}`);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : "cloud API unreachable";
+      authenticatedFailure = msg;
+      logger2.debug(`[cloud/credits] Authenticated balance fetch failed: ${msg}`);
+    }
+  }
+  if (!snapshot.apiKey) {
+    return {
+      balance: null,
+      connected: snapshot.connected,
+      error: authenticatedFailure ?? (authenticatedUnexpectedResponse ? "unexpected response" : "missing cloud api key")
+    };
+  }
+  const resolvedBaseUrl = resolveCloudApiBaseUrl3(config.cloud?.baseUrl);
+  const baseUrlRejection = await validateCloudBaseUrl(resolvedBaseUrl);
+  if (baseUrlRejection) {
+    return {
+      balance: null,
+      connected: true,
+      error: baseUrlRejection
+    };
+  }
+  try {
+    const balance = await fetchCloudCreditsByApiKey(resolvedBaseUrl, snapshot.apiKey);
+    if (typeof balance !== "number") {
+      return {
+        balance: null,
+        connected: true,
+        error: "unexpected response"
+      };
+    }
+    return withCreditFlags(balance);
+  } catch (err) {
+    if (err instanceof CloudCreditsAuthRejectedError) {
+      logger2.debug(`[cloud/credits] API key rejected: ${err.message}`);
+      return {
+        balance: null,
+        connected: true,
+        authRejected: true,
+        error: err.message,
+        topUpUrl: CLOUD_BILLING_URL
+      };
+    }
+    const msg = err instanceof Error ? err.message : "cloud API unreachable";
+    logger2.debug(`[cloud/credits] Failed to fetch balance via API key: ${msg}`);
+    return {
+      balance: null,
+      connected: true,
+      error: msg
+    };
+  }
+}
+async function clearCloudAuthService(cloudAuth) {
+  if (!cloudAuth) {
+    return;
+  }
+  const seen = new Set;
+  for (const methodName of CLOUD_AUTH_CLEAR_METHODS) {
+    const method = cloudAuth[methodName];
+    if (typeof method !== "function" || seen.has(method)) {
+      continue;
+    }
+    seen.add(method);
+    try {
+      await method.call(cloudAuth);
+      break;
+    } catch (err) {
+      logger2.warn(`[cloud/disconnect] Failed to invoke CLOUD_AUTH.${methodName}: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+}
+function clearCloudEnv() {
+  for (const key of CLOUD_ENV_KEYS) {
+    delete process.env[key];
+  }
+  clearCloudSecrets();
+  scrubCloudSecretsFromEnv();
+}
+async function clearRuntimeCloudState(runtime) {
+  const runtimeWithCloud = asRuntimeCloud(runtime);
+  if (!runtimeWithCloud) {
+    return;
+  }
+  const existingSecrets = runtimeWithCloud.character.secrets ?? {};
+  const nextSecrets = { ...existingSecrets };
+  for (const key of CLOUD_RUNTIME_SECRET_KEYS) {
+    delete nextSecrets[key];
+  }
+  runtimeWithCloud.character.secrets = nextSecrets;
+  if (runtimeWithCloud.character.settings && typeof runtimeWithCloud.character.settings === "object") {
+    for (const key of CLOUD_RUNTIME_SETTING_KEYS) {
+      delete runtimeWithCloud.character.settings[key];
+    }
+  }
+  if (typeof runtimeWithCloud.setSetting === "function") {
+    for (const key of CLOUD_RUNTIME_SETTING_KEYS) {
+      try {
+        runtimeWithCloud.setSetting(key, null);
+      } catch (err) {
+        logger2.warn(`[cloud/disconnect] Failed to clear runtime setting ${key}: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+  }
+  if (typeof runtimeWithCloud.updateAgent === "function") {
+    try {
+      await runtimeWithCloud.updateAgent(runtimeWithCloud.agentId, {
+        secrets: { ...nextSecrets }
+      });
+    } catch (err) {
+      logger2.warn(`[cloud/disconnect] Failed to clear cloud secrets from agent DB: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+}
+async function disconnectCloudConnection(args) {
+  const { cloudManager = null, config, runtime, saveConfig } = args;
+  if (isElizaSettingsDebugEnabled()) {
+    const c = config.cloud;
+    logger2.debug(`[eliza][settings][cloud] disconnectCloudConnection start cloud=${JSON.stringify(settingsDebugCloudSummary(c))}`);
+  }
+  if (typeof cloudManager?.disconnect === "function") {
+    try {
+      await cloudManager.disconnect();
+    } catch (err) {
+      logger2.warn(`[cloud/disconnect] Failed to disconnect cloud manager: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  await clearCloudAuthService(getCloudAuth2(runtime));
+  const nextCloud = { ...config.cloud ?? {} };
+  delete nextCloud.apiKey;
+  config.cloud = nextCloud;
+  applyCanonicalSetupConfig(config, {
+    deploymentTarget: { runtime: "local" },
+    linkedAccounts: {
+      elizacloud: {
+        status: "unlinked",
+        source: "api-key"
+      }
+    },
+    clearRoutes: ["llmText", "tts", "media", "embeddings", "rpc"]
+  });
+  migrateLegacyRuntimeConfig2(config);
+  try {
+    saveConfig?.(config);
+    if (isElizaSettingsDebugEnabled()) {
+      const c = config.cloud;
+      logger2.debug(`[eliza][settings][cloud] disconnectCloudConnection saveConfig OK cloud=${JSON.stringify(settingsDebugCloudSummary(c))}`);
+    }
+  } catch (err) {
+    logger2.warn(`[cloud/disconnect] Failed to save cloud disconnect state: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  clearCloudEnv();
+  await clearRuntimeCloudState(runtime);
+  if (isElizaSettingsDebugEnabled()) {
+    logger2.debug("[eliza][settings][cloud] disconnectCloudConnection done (env cleared + runtime cloud state cleared)");
+  }
+}
+function isCloudStatusReasonApiKeyOnly(reason) {
+  return typeof reason === "string" && CLOUD_STATUS_API_KEY_ONLY_REASONS.has(reason);
+}
+var DEFAULT_CLOUD_API_BASE_URL2 = "https://www.elizacloud.ai/api/v1", CLOUD_BILLING_URL = "https://www.elizacloud.ai/dashboard/settings?tab=billing", CLOUD_ENV_KEYS, CLOUD_RUNTIME_SECRET_KEYS, CLOUD_RUNTIME_SETTING_KEYS, CLOUD_AUTH_CLEAR_METHODS, CloudCreditsAuthRejectedError, CREDIT_LOW_THRESHOLD, CREDIT_CRITICAL_THRESHOLD, CLOUD_STATUS_API_KEY_ONLY_REASONS;
+var init_cloud_connection = __esm(() => {
+  init_base_url();
+  init_validate_url();
+  init_cloud_secrets();
+  CLOUD_ENV_KEYS = [
+    "ELIZAOS_CLOUD_API_KEY",
+    "ELIZAOS_CLOUD_ENABLED",
+    "ELIZAOS_CLOUD_BASE_URL",
+    "ELIZAOS_CLOUD_NANO_MODEL",
+    "ELIZAOS_CLOUD_MEDIUM_MODEL",
+    "ELIZAOS_CLOUD_SMALL_MODEL",
+    "ELIZAOS_CLOUD_LARGE_MODEL",
+    "ELIZAOS_CLOUD_MEGA_MODEL",
+    "ELIZAOS_CLOUD_RESPONSE_HANDLER_MODEL",
+    "ELIZAOS_CLOUD_SHOULD_RESPOND_MODEL",
+    "ELIZAOS_CLOUD_ACTION_PLANNER_MODEL",
+    "ELIZAOS_CLOUD_PLANNER_MODEL",
+    "ELIZAOS_CLOUD_USE_INFERENCE",
+    "ELIZAOS_CLOUD_USE_TTS",
+    "ELIZAOS_CLOUD_USE_MEDIA",
+    "ELIZAOS_CLOUD_USE_EMBEDDINGS",
+    "ELIZAOS_CLOUD_USE_RPC"
+  ];
+  CLOUD_RUNTIME_SECRET_KEYS = [
+    "ELIZAOS_CLOUD_API_KEY",
+    "ELIZAOS_CLOUD_ENABLED",
+    "ELIZAOS_CLOUD_BASE_URL",
+    "ELIZAOS_CLOUD_NANO_MODEL",
+    "ELIZAOS_CLOUD_MEDIUM_MODEL",
+    "ELIZAOS_CLOUD_SMALL_MODEL",
+    "ELIZAOS_CLOUD_LARGE_MODEL",
+    "ELIZAOS_CLOUD_MEGA_MODEL",
+    "ELIZAOS_CLOUD_RESPONSE_HANDLER_MODEL",
+    "ELIZAOS_CLOUD_SHOULD_RESPOND_MODEL",
+    "ELIZAOS_CLOUD_ACTION_PLANNER_MODEL",
+    "ELIZAOS_CLOUD_PLANNER_MODEL",
+    "ELIZA_CLOUD_AUTH_TOKEN",
+    "ELIZA_CLOUD_USER_ID",
+    "ELIZA_CLOUD_ORGANIZATION_ID"
+  ];
+  CLOUD_RUNTIME_SETTING_KEYS = [
+    "ELIZA_CLOUD_AUTH_TOKEN",
+    "ELIZA_CLOUD_USER_ID",
+    "ELIZA_CLOUD_ORGANIZATION_ID"
+  ];
+  CLOUD_AUTH_CLEAR_METHODS = [
+    "disconnect",
+    "logout",
+    "signOut",
+    "signout",
+    "clearSession",
+    "clearAuth",
+    "resetAuth",
+    "reset"
+  ];
+  CloudCreditsAuthRejectedError = class CloudCreditsAuthRejectedError extends Error {
+    name = "CloudCreditsAuthRejectedError";
+    constructor(message = "Eliza Cloud API key was rejected") {
+      super(message);
+    }
+  };
+  CREDIT_LOW_THRESHOLD = Number(process.env.ELIZA_CREDIT_LOW_THRESHOLD ?? "2.0");
+  CREDIT_CRITICAL_THRESHOLD = Number(process.env.ELIZA_CREDIT_CRITICAL_THRESHOLD ?? "0.5");
+  CLOUD_STATUS_API_KEY_ONLY_REASONS = new Set([
+    "api_key_present_not_authenticated",
+    "api_key_present_runtime_not_started"
+  ]);
+});
+
+// src/routes/cloud-status-routes.ts
+import { isElizaCloudServiceSelectedInConfig } from "@elizaos/core";
+async function handleCloudStatusRoutes(ctx) {
+  const { res, method, pathname, config, runtime, json } = ctx;
+  const typedConfig = config;
+  if (method === "GET" && pathname === "/api/cloud/status") {
+    const snapshot = resolveCloudConnectionSnapshot(typedConfig, runtime);
+    const cloudVoiceProxyAvailable = isElizaCloudServiceSelectedInConfig(typedConfig, "tts");
+    if (snapshot.connected) {
+      json(res, {
+        connected: true,
+        enabled: snapshot.enabled,
+        cloudVoiceProxyAvailable,
+        hasApiKey: snapshot.hasApiKey,
+        userId: snapshot.userId,
+        organizationId: snapshot.organizationId,
+        topUpUrl: CLOUD_BILLING_URL,
+        reason: snapshot.authConnected ? undefined : runtime ? "api_key_present_not_authenticated" : "api_key_present_runtime_not_started"
+      });
+      return true;
+    }
+    if (!runtime) {
+      json(res, {
+        connected: false,
+        enabled: snapshot.enabled,
+        cloudVoiceProxyAvailable,
+        hasApiKey: snapshot.hasApiKey,
+        reason: "runtime_not_started"
+      });
+      return true;
+    }
+    json(res, {
+      connected: false,
+      enabled: snapshot.enabled,
+      cloudVoiceProxyAvailable,
+      hasApiKey: snapshot.hasApiKey,
+      reason: "not_authenticated"
+    });
+    return true;
+  }
+  if (method === "GET" && pathname === "/api/cloud/credits") {
+    json(res, await fetchCloudCredits(typedConfig, runtime));
+    return true;
+  }
+  return false;
+}
+var init_cloud_status_routes = __esm(() => {
+  init_cloud_connection();
+});
+
+// src/routes/cloud-coding-container-routes.ts
+import {
+  PromoteVfsToCloudContainerRequestSchema,
+  RequestCodingAgentContainerRequestSchema,
+  SyncCloudCodingContainerRequestSchema
+} from "@elizaos/shared";
+async function handleCloudCodingContainerRoute(req, res, pathname, method, state) {
+  if (method === "POST" && pathname === "/api/cloud/coding-containers/promotions") {
+    const service = getCloudContainerService(state);
+    if (!service) {
+      sendJsonError(res, "Cloud container service is not available", 503);
+      return true;
+    }
+    const body = await readJsonBody3(req, res);
+    if (!body)
+      return true;
+    const parsed = PromoteVfsToCloudContainerRequestSchema.safeParse(body);
+    if (!parsed.success) {
+      sendJsonError(res, parsed.error.issues[0]?.message ?? "Invalid promotion request", 400);
+      return true;
+    }
+    await sendServiceResponse(res, () => service.promoteVfsToCloudContainer(parsed.data));
+    return true;
+  }
+  if (method === "POST" && pathname === "/api/cloud/coding-containers") {
+    const service = getCloudContainerService(state);
+    if (!service) {
+      sendJsonError(res, "Cloud container service is not available", 503);
+      return true;
+    }
+    const body = await readJsonBody3(req, res);
+    if (!body)
+      return true;
+    const parsed = RequestCodingAgentContainerRequestSchema.safeParse(body);
+    if (!parsed.success) {
+      sendJsonError(res, parsed.error.issues[0]?.message ?? "Invalid coding container request", 400);
+      return true;
+    }
+    await sendServiceResponse(res, () => service.requestCodingAgentContainer(parsed.data));
+    return true;
+  }
+  const syncMatch = /^\/api\/cloud\/coding-containers\/([^/]+)\/sync$/.exec(pathname);
+  if (method === "POST" && syncMatch) {
+    const service = getCloudContainerService(state);
+    if (!service) {
+      sendJsonError(res, "Cloud container service is not available", 503);
+      return true;
+    }
+    const containerId = decodeURIComponent(syncMatch[1]);
+    const body = await readJsonBody3(req, res);
+    if (!body)
+      return true;
+    const parsed = SyncCloudCodingContainerRequestSchema.safeParse(body);
+    if (!parsed.success) {
+      sendJsonError(res, parsed.error.issues[0]?.message ?? "Invalid sync request", 400);
+      return true;
+    }
+    await sendServiceResponse(res, () => service.syncCodingContainerChanges(containerId, parsed.data));
+    return true;
+  }
+  return false;
+}
+function getCloudContainerService(state) {
+  const service = state.runtime?.getService?.("CLOUD_CONTAINER") ?? state.runtime?.getService?.("cloud-container") ?? state.runtime?.getService?.("cloudContainer");
+  if (!service || typeof service !== "object")
+    return null;
+  const candidate = service;
+  if (typeof candidate.promoteVfsToCloudContainer === "function" && typeof candidate.requestCodingAgentContainer === "function" && typeof candidate.syncCodingContainerChanges === "function") {
+    return candidate;
+  }
+  return null;
+}
+async function readJsonBody3(req, res) {
+  const preParsed = req.body;
+  if (preParsed && typeof preParsed === "object" && !Array.isArray(preParsed)) {
+    return preParsed;
+  }
+  const chunks = [];
+  for await (const chunk of req) {
+    chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
+  }
+  const raw = Buffer.concat(chunks).toString("utf8").trim();
+  if (!raw)
+    return {};
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    sendJsonError(res, "Invalid JSON body", 400);
+    return null;
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    sendJsonError(res, "Invalid JSON body", 400);
+    return null;
+  }
+  return parsed;
+}
+async function sendServiceResponse(res, fn) {
+  try {
+    sendJson(res, await fn());
+  } catch (error) {
+    const status = typeof error?.statusCode === "number" ? error.statusCode : 500;
+    sendJsonError(res, error instanceof Error ? error.message : String(error), status);
+  }
+}
+var init_cloud_coding_container_routes = () => {};
+
+// src/routes/cloud-routes.ts
+import {
+  isCloudInferenceSelectedInConfig as isCloudInferenceSelectedInConfig3,
+  migrateLegacyRuntimeConfig as migrateLegacyRuntimeConfig3
+} from "@elizaos/core";
+import { logger as logger3 } from "@elizaos/core";
+async function readRouteJsonBody(req) {
+  const preParsed = req.body;
+  if (preParsed && typeof preParsed === "object" && !Array.isArray(preParsed)) {
+    return preParsed;
+  }
+  const chunks = [];
+  for await (const chunk of req) {
+    chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
+  }
+  const rawBody = Buffer.concat(chunks).toString("utf8").trim();
+  if (!rawBody) {
+    return {};
+  }
+  const parsed = JSON.parse(rawBody);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("Invalid JSON body");
+  }
+  return parsed;
+}
+function isRedirectResponse2(response) {
+  return response.status >= 300 && response.status < 400;
+}
+function createNoopTelemetrySpan2() {
+  return {
+    success: () => {},
+    failure: () => {}
+  };
+}
+function getTelemetrySpan2(meta) {
+  return meta.services.createIntegrationTelemetrySpan(meta) ?? createNoopTelemetrySpan2();
+}
+async function fetchCloudLoginStatus(sessionId, baseUrl) {
+  return fetch(`${baseUrl}/api/auth/cli-session/${encodeURIComponent(sessionId)}`, {
+    redirect: "manual",
+    signal: AbortSignal.timeout(CLOUD_LOGIN_POLL_TIMEOUT_MS2)
+  });
+}
+async function persistCloudLoginStatus(args) {
+  if (args.epochAtPollStart !== undefined && args.epochAtPollStart !== cloudDisconnectEpoch) {
+    logger3.warn("[cloud-login] Skipping login persist: a disconnect occurred while the login poll was in-flight");
+    return;
+  }
+  migrateLegacyRuntimeConfig3(args.state.config);
+  const runtime = args.state.runtime;
+  const cloudAuth = getCloudAuth2(runtime);
+  await clearCloudAuthService(cloudAuth);
+  const cloud = { ...args.state.config.cloud ?? {} };
+  cloud.apiKey = args.apiKey;
+  const cloudInferenceSelected = isCloudInferenceSelectedInConfig3(args.state.config);
+  args.state.config.cloud = cloud;
+  args.services.applyCanonicalSetupConfig(args.state.config, {
+    linkedAccounts: {
+      elizacloud: {
+        status: "linked",
+        source: "api-key"
+      }
+    }
+  });
+  migrateLegacyRuntimeConfig3(args.state.config);
+  try {
+    args.services.saveElizaConfig(args.state.config);
+    logger3.info("[cloud-login] Saved cloud API key to config file");
+    logger3.warn("[cloud-login] Cloud API key is stored in cleartext in ~/.eliza/eliza.json. " + "Ensure this file has restrictive permissions (chmod 600).");
+  } catch (saveErr) {
+    logger3.error(`[cloud-login] Failed to save cloud API key to config: ${saveErr instanceof Error ? saveErr.message : String(saveErr)}`);
+  }
+  clearCloudSecrets();
+  process.env.ELIZAOS_CLOUD_API_KEY = args.apiKey;
+  if (cloudInferenceSelected) {
+    process.env.ELIZAOS_CLOUD_ENABLED = "true";
+  } else {
+    delete process.env.ELIZAOS_CLOUD_ENABLED;
+  }
+  scrubCloudSecretsFromEnv();
+  const cloudManager = args.state.cloudManager;
+  if (cloudManager && typeof cloudManager.replaceApiKey === "function") {
+    await cloudManager.replaceApiKey(args.apiKey);
+  } else if (cloudManager && !cloudManager.getClient() && typeof cloudManager.init === "function") {
+    await cloudManager.init();
+  }
+  if (typeof cloudAuth?.authenticateWithApiKey === "function") {
+    cloudAuth.authenticateWithApiKey({
+      apiKey: args.apiKey,
+      organizationId: args.organizationId,
+      userId: args.userId
+    });
+  }
+  const relayService = runtime?.getService("CLOUD_MANAGED_GATEWAY_RELAY") ?? runtime?.getService("cloud-managed-gateway-relay") ?? runtime?.getService("cloudManagedGatewayRelay");
+  if (typeof relayService?.startRelayLoopIfReady === "function") {
+    await relayService.startRelayLoopIfReady();
+  }
+  if (!runtime || typeof runtime.updateAgent !== "function") {
+    return;
+  }
+  try {
+    const nextSecrets = {
+      ...runtime.character.secrets ?? {},
+      ELIZAOS_CLOUD_API_KEY: args.apiKey
+    };
+    if (args.userId) {
+      nextSecrets.ELIZA_CLOUD_USER_ID = args.userId;
+      nextSecrets.ELIZAOS_CLOUD_USER_ID = args.userId;
+    } else {
+      delete nextSecrets.ELIZA_CLOUD_USER_ID;
+      delete nextSecrets.ELIZAOS_CLOUD_USER_ID;
+    }
+    if (args.organizationId) {
+      nextSecrets.ELIZA_CLOUD_ORGANIZATION_ID = args.organizationId;
+      nextSecrets.ELIZAOS_CLOUD_ORG_ID = args.organizationId;
+    } else {
+      delete nextSecrets.ELIZA_CLOUD_ORGANIZATION_ID;
+      delete nextSecrets.ELIZAOS_CLOUD_ORG_ID;
+    }
+    if (cloudInferenceSelected) {
+      nextSecrets.ELIZAOS_CLOUD_ENABLED = "true";
+    } else {
+      delete nextSecrets.ELIZAOS_CLOUD_ENABLED;
+    }
+    runtime.character.secrets = nextSecrets;
+    if (typeof runtime.setSetting === "function") {
+      runtime.setSetting("ELIZA_CLOUD_USER_ID", args.userId ?? null);
+      runtime.setSetting("ELIZAOS_CLOUD_USER_ID", args.userId ?? null);
+      runtime.setSetting("ELIZA_CLOUD_ORGANIZATION_ID", args.organizationId ?? null);
+      runtime.setSetting("ELIZAOS_CLOUD_ORG_ID", args.organizationId ?? null);
+    }
+    await runtime.updateAgent(runtime.agentId, {
+      secrets: { ...nextSecrets }
+    });
+  } catch (err) {
+    logger3.warn(`[cloud-routes] Failed to persist cloud secrets to agent DB: ${String(err)}`);
+  }
+}
+function getCloudRouteServices(state) {
+  return {
+    ...DEFAULT_CLOUD_ROUTE_SERVICES,
+    ...state.services
+  };
+}
+function readRuntimeSetting(runtime, key) {
+  const value = runtime?.getSetting(key);
+  if (typeof value !== "string")
+    return null;
+  const trimmed = value.trim();
+  return trimmed ? trimmed : null;
+}
+function toAutonomousState(state, services) {
+  return {
+    ...state,
+    saveConfig: () => services.saveElizaConfig(state.config),
+    createTelemetrySpan: services.createIntegrationTelemetrySpan
+  };
+}
+async function handleCloudRoute2(req, res, pathname, method, state) {
+  const services = getCloudRouteServices(state);
+  const codingContainerHandled = await handleCloudCodingContainerRoute(req, res, pathname, method, { runtime: state.runtime });
+  if (codingContainerHandled) {
+    return true;
+  }
+  if (method === "GET" && pathname === "/api/cloud/relay-status") {
+    const relayService = state.runtime?.getService("CLOUD_MANAGED_GATEWAY_RELAY") ?? state.runtime?.getService("cloud-managed-gateway-relay") ?? state.runtime?.getService("cloudManagedGatewayRelay");
+    if (typeof relayService?.getSessionInfo !== "function") {
+      sendJson(res, {
+        available: false,
+        status: "not_registered",
+        reason: "Gateway relay service not active. Connect to Eliza Cloud in Settings to enable instance routing."
+      });
+      return true;
+    }
+    try {
+      const info = relayService.getSessionInfo();
+      sendJson(res, {
+        available: true,
+        ...info,
+        accessUrl: buildHomeRemoteRunnerAccessUrl({
+          cloudBaseUrl: services.normalizeCloudSiteUrl(state.config.cloud?.baseUrl),
+          sessionId: info.sessionId
+        }),
+        ssh: buildHomeRemoteRunnerSshTunnel({
+          remoteBaseUrl: readRuntimeSetting(state.runtime, "ELIZA_HOME_REMOTE_RUNNER_URL") ?? process.env.ELIZA_HOME_REMOTE_RUNNER_URL ?? readRuntimeSetting(state.runtime, "ELIZA_HOME_RUNNER_URL") ?? process.env.ELIZA_HOME_RUNNER_URL,
+          sshTarget: readRuntimeSetting(state.runtime, "ELIZA_HOME_REMOTE_RUNNER_SSH_TARGET") ?? process.env.ELIZA_HOME_REMOTE_RUNNER_SSH_TARGET ?? readRuntimeSetting(state.runtime, "ELIZA_HOME_SSH_TARGET") ?? process.env.ELIZA_HOME_SSH_TARGET,
+          sshIdentity: readRuntimeSetting(state.runtime, "ELIZA_HOME_REMOTE_RUNNER_SSH_IDENTITY") ?? process.env.ELIZA_HOME_REMOTE_RUNNER_SSH_IDENTITY ?? readRuntimeSetting(state.runtime, "ELIZA_HOME_SSH_IDENTITY") ?? process.env.ELIZA_HOME_SSH_IDENTITY,
+          localPort: readRuntimeSetting(state.runtime, "ELIZA_HOME_REMOTE_RUNNER_SSH_LOCAL_PORT") ?? process.env.ELIZA_HOME_REMOTE_RUNNER_SSH_LOCAL_PORT
+        })
+      });
+    } catch (error) {
+      sendJson(res, {
+        available: false,
+        status: "error",
+        reason: error instanceof Error ? error.message : String(error)
+      });
+    }
+    return true;
+  }
+  if (method === "POST" && pathname === "/api/cloud/disconnect") {
+    cloudDisconnectEpoch++;
+    try {
+      await disconnectCloudConnection({
+        cloudManager: state.cloudManager,
+        config: state.config,
+        runtime: state.runtime,
+        saveConfig: services.saveElizaConfig
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger3.error(`[cloud/disconnect] failed: ${message}`);
+      sendJson(res, { ok: false, error: message }, 500);
+      return true;
+    }
+    sendJson(res, { ok: true, status: "disconnected" });
+    return true;
+  }
+  if (method === "POST" && pathname === "/api/cloud/login/persist") {
+    try {
+      const body = await readRouteJsonBody(req);
+      if (typeof body.apiKey !== "string" || !body.apiKey.trim()) {
+        sendJson(res, { ok: false, error: "apiKey is required" }, 400);
+        return true;
+      }
+      await persistCloudLoginStatus({
+        apiKey: body.apiKey.trim(),
+        organizationId: typeof body.organizationId === "string" ? body.organizationId.trim() : undefined,
+        services,
+        state,
+        userId: typeof body.userId === "string" ? body.userId.trim() : undefined
+      });
+      sendJson(res, { ok: true });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      logger3.error(`[cloud/login/persist] Failed: ${msg}`);
+      sendJson(res, { ok: false, error: msg }, 500);
+    }
+    return true;
+  }
+  if (method === "GET" && pathname.startsWith("/api/cloud/login/status")) {
+    const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
+    const sessionId = url.searchParams.get("sessionId");
+    if (!sessionId) {
+      sendJsonError(res, "sessionId query parameter is required", 400);
+      return true;
+    }
+    const baseUrl = services.normalizeCloudSiteUrl(state.config.cloud?.baseUrl);
+    const urlError = await services.validateCloudBaseUrl(baseUrl);
+    if (urlError) {
+      sendJsonError(res, urlError, 400);
+      return true;
+    }
+    const epochBeforePoll = cloudDisconnectEpoch;
+    const loginPollSpan = getTelemetrySpan2({
+      boundary: "cloud",
+      operation: "login_poll_status",
+      services,
+      timeoutMs: CLOUD_LOGIN_POLL_TIMEOUT_MS2
+    });
+    let pollRes;
+    try {
+      pollRes = await fetchCloudLoginStatus(sessionId, baseUrl);
+    } catch (fetchErr) {
+      if (isTimeoutError(fetchErr)) {
+        loginPollSpan.failure({ error: fetchErr, statusCode: 504 });
+        sendJson(res, {
+          status: "error",
+          error: "Eliza Cloud status request timed out"
+        }, 504);
+        return true;
+      }
+      loginPollSpan.failure({ error: fetchErr, statusCode: 502 });
+      sendJson(res, {
+        status: "error",
+        error: "Failed to reach Eliza Cloud"
+      }, 502);
+      return true;
+    }
+    if (isRedirectResponse2(pollRes)) {
+      loginPollSpan.failure({
+        statusCode: pollRes.status,
+        errorKind: "redirect_response"
+      });
+      sendJson(res, {
+        status: "error",
+        error: "Eliza Cloud status request was redirected; redirects are not allowed"
+      }, 502);
+      return true;
+    }
+    if (!pollRes.ok) {
+      loginPollSpan.failure({
+        statusCode: pollRes.status,
+        errorKind: "http_error"
+      });
+      sendJson(res, pollRes.status === 404 ? { status: "expired", error: "Session not found or expired" } : {
+        status: "error",
+        error: `Eliza Cloud returned HTTP ${pollRes.status}`
+      });
+      return true;
+    }
+    let data;
+    try {
+      data = await pollRes.json();
+    } catch (parseErr) {
+      loginPollSpan.failure({ error: parseErr, statusCode: pollRes.status });
+      sendJson(res, {
+        status: "error",
+        error: "Eliza Cloud returned invalid JSON"
+      }, 502);
+      return true;
+    }
+    loginPollSpan.success({ statusCode: pollRes.status });
+    if (data.status === "authenticated" && typeof data.apiKey === "string") {
+      await persistCloudLoginStatus({
+        apiKey: data.apiKey,
+        organizationId: typeof data.organizationId === "string" ? data.organizationId : undefined,
+        services,
+        state,
+        epochAtPollStart: epochBeforePoll,
+        userId: typeof data.userId === "string" ? data.userId : undefined
+      });
+      sendJson(res, {
+        status: "authenticated",
+        keyPrefix: typeof data.keyPrefix === "string" ? data.keyPrefix : undefined,
+        organizationId: typeof data.organizationId === "string" ? data.organizationId : undefined,
+        token: data.apiKey,
+        userId: typeof data.userId === "string" ? data.userId : undefined
+      });
+      return true;
+    }
+    sendJson(res, {
+      status: typeof data.status === "string" ? data.status : "error"
+    });
+    return true;
+  }
+  const result = await services.handleAutonomousCloudRoute(req, res, pathname, method, toAutonomousState(state, services));
+  scrubCloudSecretsFromEnv();
+  return result;
+}
+var CLOUD_LOGIN_POLL_TIMEOUT_MS2 = 1e4, DEFAULT_CLOUD_ROUTE_SERVICES, cloudDisconnectEpoch = 0;
+var init_cloud_routes = __esm(() => {
+  init_cloud_routes_autonomous();
+  init_home_remote_runner_access_url();
+  init_base_url();
+  init_validate_url();
+  init_cloud_coding_container_routes();
+  init_cloud_connection();
+  init_cloud_secrets();
+  DEFAULT_CLOUD_ROUTE_SERVICES = {
+    applyCanonicalSetupConfig,
+    createIntegrationTelemetrySpan: () => {
+      return;
+    },
+    handleAutonomousCloudRoute: handleCloudRoute,
+    normalizeCloudSiteUrl,
+    saveElizaConfig: () => {
+      logger3.warn("[cloud-routes] saveConfig unavailable - config not persisted");
+    },
+    validateCloudBaseUrl
+  };
+});
+
+// src/plugin.ts
+var exports_plugin = {};
+__export(exports_plugin, {
+  elizaCloudRoutePlugin: () => elizaCloudRoutePlugin,
+  default: () => plugin_default
+});
+import { logger as logger4 } from "@elizaos/core";
+import { getRuntimeRouteHostContext } from "@elizaos/core";
+function getHostContext(runtime) {
+  return getRuntimeRouteHostContext(runtime && typeof runtime === "object" ? runtime : null);
+}
+function getRuntimeConfig(runtime) {
+  return getHostContext(runtime)?.config ?? {};
+}
+function makeStatusHandler() {
+  return async (req, res, runtime) => {
+    const httpReq = req;
+    const httpRes = res;
+    const url = new URL(httpReq.url ?? "/", "http://localhost");
+    const method = (httpReq.method ?? "GET").toUpperCase();
+    const runtimeRef = runtime;
+    const config = getRuntimeConfig(runtime);
+    await handleCloudStatusRoutes({
+      req: httpReq,
+      res: httpRes,
+      method,
+      pathname: url.pathname,
+      config,
+      runtime: runtimeRef,
+      json: (_res, body, status = 200) => {
+        sendJson(httpRes, body, status);
+      }
+    });
+  };
+}
+function makeCloudRouteHandler() {
+  return async (req, res, runtime) => {
+    const httpReq = req;
+    const httpRes = res;
+    const url = new URL(httpReq.url ?? "/", "http://localhost");
+    const method = (httpReq.method ?? "GET").toUpperCase();
+    const hostContext = getHostContext(runtime);
+    if (!hostContext?.config) {
+      logger4.warn("[eliza-cloud-routes] host config unavailable");
+    }
+    const config = hostContext?.config ?? {};
+    const cloudState = {
+      config,
+      runtime,
+      cloudManager: null,
+      restartRuntime: hostContext?.restartRuntime,
+      services: {
+        createIntegrationTelemetrySpan: hostContext?.createTelemetrySpan,
+        saveElizaConfig: (nextConfig) => {
+          hostContext?.saveConfig?.(nextConfig);
+        }
+      }
+    };
+    const handled = await handleCloudRoute2(httpReq, httpRes, url.pathname, method, cloudState);
+    if (!handled) {
+      return;
+    }
+  };
+}
+function makeBillingRouteHandler() {
+  return async (req, res, runtime) => {
+    const httpReq = req;
+    const httpRes = res;
+    const url = new URL(httpReq.url ?? "/", "http://localhost");
+    const method = (httpReq.method ?? "GET").toUpperCase();
+    const hostContext = getHostContext(runtime);
+    const state = {
+      config: hostContext?.config ?? {},
+      runtime
+    };
+    await handleCloudBillingRoute(httpReq, httpRes, url.pathname, method, state);
+  };
+}
+var cloudStatusHandler, cloudRouteHandler, cloudBillingRouteHandler, cloudRoutes, elizaCloudRoutePlugin, plugin_default;
+var init_plugin = __esm(() => {
+  init_cloud_billing_routes();
+  init_cloud_routes();
+  init_cloud_status_routes();
+  cloudStatusHandler = makeStatusHandler();
+  cloudRouteHandler = makeCloudRouteHandler();
+  cloudBillingRouteHandler = makeBillingRouteHandler();
+  cloudRoutes = [
+    {
+      type: "GET",
+      path: "/api/cloud/status",
+      rawPath: true,
+      handler: cloudStatusHandler
+    },
+    {
+      type: "GET",
+      path: "/api/cloud/credits",
+      rawPath: true,
+      handler: cloudStatusHandler
+    },
+    {
+      type: "GET",
+      path: "/api/cloud/relay-status",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/coding-containers/promotions",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/coding-containers",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/coding-containers/:containerId/sync",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    ...["GET", "POST", "PUT", "PATCH", "DELETE"].map((type) => ({
+      type,
+      path: "/api/cloud/billing/:path*",
+      rawPath: true,
+      handler: cloudBillingRouteHandler
+    })),
+    {
+      type: "POST",
+      path: "/api/cloud/disconnect",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/login",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/login/persist",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "GET",
+      path: "/api/cloud/login/status",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "GET",
+      path: "/api/cloud/agents",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/agents",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/agents/:agentId/provision",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/agents/:agentId/connect",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/agents/:agentId/shutdown",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/coding-containers/promotions",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/coding-containers",
+      rawPath: true,
+      handler: cloudRouteHandler
+    },
+    {
+      type: "POST",
+      path: "/api/cloud/coding-containers/:containerId/sync",
+      rawPath: true,
+      handler: cloudRouteHandler
+    }
+  ];
+  elizaCloudRoutePlugin = {
+    name: "@elizaos/plugin-elizacloud:routes",
+    description: "Eliza Cloud connection, login, status, credit, and relay routes (extracted from app-core/server.ts)",
+    routes: cloudRoutes,
+    dispose: async (_runtime) => {}
+  };
+  plugin_default = elizaCloudRoutePlugin;
+});
+
+// src/register-routes.ts
+import { registerAppRoutePluginLoader } from "@elizaos/core";
+registerAppRoutePluginLoader("@elizaos/plugin-elizacloud:routes", async () => {
+  const { elizaCloudRoutePlugin: elizaCloudRoutePlugin2 } = await Promise.resolve().then(() => (init_plugin(), exports_plugin));
+  return elizaCloudRoutePlugin2;
+});
+
+//# debugId=F331B453A50193C464756E2164756E21