@executor-js/cli 0.0.2 → 0.2.1

package/dist/index.js

@@ -9,92 +9,103 @@ import fs from "fs/promises";
 import path2 from "path";
 import { Command } from "commander";
 
+// ../sdk/src/index.ts
+import { Context as Context2, Effect as Effect18, Layer as Layer5, Schema as Schema19, Data as Data6, Option as Option6 } from "effect";
+import {
+  HttpApi,
+  HttpApiBuilder,
+  HttpApiClient,
+  HttpApiEndpoint,
+  HttpApiGroup,
+  HttpApiMiddleware,
+  HttpApiSchema
+} from "effect/unstable/httpapi";
+
 // ../storage-core/src/factory.ts
-import { Effect } from "effect";
+import { Effect, Option, Schema } from "effect";
 
 // ../storage-core/src/errors.ts
 import { Data } from "effect";
 var StorageError = class extends Data.TaggedError("StorageError") {
 };
-var UniqueViolationError = class extends Data.TaggedError(
-  "UniqueViolationError"
-) {
+var UniqueViolationError = class extends Data.TaggedError("UniqueViolationError") {
 };
 
+// ../storage-core/src/factory.ts
+var decodeJsonFromString = Schema.decodeUnknownOption(Schema.UnknownFromJsonString);
+
 // ../sdk/src/ids.ts
-import { Schema } from "effect";
-var ScopeId = Schema.String.pipe(Schema.brand("ScopeId"));
-var ToolId = Schema.String.pipe(Schema.brand("ToolId"));
-var SecretId = Schema.String.pipe(Schema.brand("SecretId"));
-var PolicyId = Schema.String.pipe(Schema.brand("PolicyId"));
-var ConnectionId = Schema.String.pipe(Schema.brand("ConnectionId"));
+import { Schema as Schema2 } from "effect";
+var ScopeId = Schema2.String.pipe(Schema2.brand("ScopeId"));
+var ToolId = Schema2.String.pipe(Schema2.brand("ToolId"));
+var SecretId = Schema2.String.pipe(Schema2.brand("SecretId"));
+var PolicyId = Schema2.String.pipe(Schema2.brand("PolicyId"));
+var ConnectionId = Schema2.String.pipe(Schema2.brand("ConnectionId"));
+var CredentialBindingId = Schema2.String.pipe(Schema2.brand("CredentialBindingId"));
 
 // ../sdk/src/scope.ts
-import { Schema as Schema2 } from "effect";
-var Scope = class extends Schema2.Class("Scope")({
+import { Schema as Schema3 } from "effect";
+var Scope = class extends Schema3.Class("Scope")({
   id: ScopeId,
-  name: Schema2.String,
-  createdAt: Schema2.Date
+  name: Schema3.String,
+  createdAt: Schema3.Date
 }) {
 };
 
 // ../sdk/src/errors.ts
-import { Data as Data2, Schema as Schema3 } from "effect";
-var ToolNotFoundError = class extends Schema3.TaggedErrorClass()(
+import { Data as Data2, Schema as Schema4 } from "effect";
+var ToolNotFoundError = class extends Schema4.TaggedErrorClass()(
   "ToolNotFoundError",
   { toolId: ToolId }
 ) {
 };
 var ToolInvocationError = class extends Data2.TaggedError("ToolInvocationError") {
 };
-var PluginNotLoadedError = class extends Schema3.TaggedErrorClass()(
+var PluginNotLoadedError = class extends Schema4.TaggedErrorClass()(
   "PluginNotLoadedError",
   {
-    pluginId: Schema3.String,
+    pluginId: Schema4.String,
     toolId: ToolId
   }
 ) {
 };
-var NoHandlerError = class extends Schema3.TaggedErrorClass()(
-  "NoHandlerError",
-  {
-    toolId: ToolId,
-    pluginId: Schema3.String
-  }
-) {
+var NoHandlerError = class extends Schema4.TaggedErrorClass()("NoHandlerError", {
+  toolId: ToolId,
+  pluginId: Schema4.String
+}) {
 };
-var ToolBlockedError = class extends Schema3.TaggedErrorClass()(
+var ToolBlockedError = class extends Schema4.TaggedErrorClass()(
   "ToolBlockedError",
   {
     toolId: ToolId,
-    pattern: Schema3.String
+    pattern: Schema4.String
   }
 ) {
 };
-var SourceNotFoundError = class extends Schema3.TaggedErrorClass()(
+var SourceNotFoundError = class extends Schema4.TaggedErrorClass()(
   "SourceNotFoundError",
-  { sourceId: Schema3.String }
+  { sourceId: Schema4.String }
 ) {
 };
-var SourceRemovalNotAllowedError = class extends Schema3.TaggedErrorClass()(
+var SourceRemovalNotAllowedError = class extends Schema4.TaggedErrorClass()(
   "SourceRemovalNotAllowedError",
-  { sourceId: Schema3.String }
+  { sourceId: Schema4.String }
 ) {
 };
-var SecretNotFoundError = class extends Schema3.TaggedErrorClass()(
+var SecretNotFoundError = class extends Schema4.TaggedErrorClass()(
   "SecretNotFoundError",
   { secretId: SecretId }
 ) {
 };
-var SecretResolutionError = class extends Schema3.TaggedErrorClass()(
+var SecretResolutionError = class extends Schema4.TaggedErrorClass()(
   "SecretResolutionError",
   {
     secretId: SecretId,
-    message: Schema3.String
+    message: Schema4.String
   }
 ) {
 };
-var SecretOwnedByConnectionError = class extends Schema3.TaggedErrorClass()(
+var SecretOwnedByConnectionError = class extends Schema4.TaggedErrorClass()(
   "SecretOwnedByConnectionError",
   {
     secretId: SecretId,
@@ -102,72 +113,87 @@ var SecretOwnedByConnectionError = class extends Schema3.TaggedErrorClass()(
   }
 ) {
 };
-var ConnectionNotFoundError = class extends Schema3.TaggedErrorClass()(
+var SecretInUseError = class extends Schema4.TaggedErrorClass()(
+  "SecretInUseError",
+  {
+    secretId: SecretId,
+    usageCount: Schema4.Number
+  }
+) {
+};
+var ConnectionNotFoundError = class extends Schema4.TaggedErrorClass()(
   "ConnectionNotFoundError",
   { connectionId: ConnectionId }
 ) {
 };
-var ConnectionProviderNotRegisteredError = class extends Schema3.TaggedErrorClass()(
+var ConnectionProviderNotRegisteredError = class extends Schema4.TaggedErrorClass()(
   "ConnectionProviderNotRegisteredError",
   {
-    provider: Schema3.String,
-    connectionId: Schema3.optional(ConnectionId)
+    provider: Schema4.String,
+    connectionId: Schema4.optional(ConnectionId)
   }
 ) {
 };
-var ConnectionRefreshNotSupportedError = class extends Schema3.TaggedErrorClass()(
+var ConnectionRefreshNotSupportedError = class extends Schema4.TaggedErrorClass()(
   "ConnectionRefreshNotSupportedError",
   {
     connectionId: ConnectionId,
-    provider: Schema3.String
+    provider: Schema4.String
   }
 ) {
 };
-var ConnectionReauthRequiredError = class extends Schema3.TaggedErrorClass()(
+var ConnectionReauthRequiredError = class extends Schema4.TaggedErrorClass()(
   "ConnectionReauthRequiredError",
   {
     connectionId: ConnectionId,
-    provider: Schema3.String,
-    message: Schema3.String
+    provider: Schema4.String,
+    message: Schema4.String
+  }
+) {
+};
+var ConnectionInUseError = class extends Schema4.TaggedErrorClass()(
+  "ConnectionInUseError",
+  {
+    connectionId: ConnectionId,
+    usageCount: Schema4.Number
   }
 ) {
 };
 
 // ../sdk/src/types.ts
-import { Schema as Schema4 } from "effect";
-var ToolSchema = class extends Schema4.Class("ToolSchema")({
+import { Schema as Schema5 } from "effect";
+var ToolSchema = class extends Schema5.Class("ToolSchema")({
   id: ToolId,
-  name: Schema4.optional(Schema4.String),
-  description: Schema4.optional(Schema4.String),
-  inputSchema: Schema4.optional(Schema4.Unknown),
-  outputSchema: Schema4.optional(Schema4.Unknown),
-  inputTypeScript: Schema4.optional(Schema4.String),
-  outputTypeScript: Schema4.optional(Schema4.String),
-  typeScriptDefinitions: Schema4.optional(
-    Schema4.Record(Schema4.String, Schema4.String)
-  )
+  name: Schema5.optional(Schema5.String),
+  description: Schema5.optional(Schema5.String),
+  inputSchema: Schema5.optional(Schema5.Unknown),
+  outputSchema: Schema5.optional(Schema5.Unknown),
+  inputTypeScript: Schema5.optional(Schema5.String),
+  outputTypeScript: Schema5.optional(Schema5.String),
+  typeScriptDefinitions: Schema5.optional(Schema5.Record(Schema5.String, Schema5.String))
 }) {
 };
-var SourceDetectionResult = class extends Schema4.Class(
+var SourceDetectionResult = class extends Schema5.Class(
   "SourceDetectionResult"
 )({
   /** Plugin id that recognized the URL (e.g. "openapi", "graphql"). */
-  kind: Schema4.String,
+  kind: Schema5.String,
   /** Confidence tier — UI uses this to pick a winner when multiple
    *  plugins claim a URL. */
-  confidence: Schema4.Literals(["high", "medium", "low"]),
+  confidence: Schema5.Literals(["high", "medium", "low"]),
   /** The (possibly normalized) endpoint the plugin will use. */
-  endpoint: Schema4.String,
+  endpoint: Schema5.String,
   /** Human-readable name suggestion, typically derived from spec title
    *  or URL hostname. */
-  name: Schema4.String,
+  name: Schema5.String,
   /** Namespace suggestion — the plugin's recommendation for the source
    *  id. UI may override. */
-  namespace: Schema4.String
+  namespace: Schema5.String
 }) {
 };
 
 // ../sdk/src/core-schema.ts
+var credentialBindingKinds = ["text", "secret", "connection"];
 var coreSchema = {
   source: {
     fields: {
@@ -277,9 +303,8 @@ var coreSchema = {
     fields: {
       id: { type: "string", required: true },
       scope_id: { type: "string", required: true, index: true },
-      /** Routing key into `plugin.connectionProviders`. Typical shape
-       *  is `${pluginId}:${kind}` (e.g. `openapi:oauth2`, `mcp:oauth2`,
-       *  `google-discovery:google`). Mirrors `secret.provider`. */
+      /** Routing key into `plugin.connectionProviders`. OAuth2 connections
+       *  use the shared `oauth2` provider. Mirrors `secret.provider`. */
       provider: { type: "string", required: true, index: true },
       /** Display label shown in the Connections UI. Usually the account
        *  email / handle / org name the user signed in as. */
@@ -319,6 +344,26 @@ var coreSchema = {
       created_at: { type: "date", required: true }
     }
   },
+  // Shared credential slot bindings. Plugins keep source-specific semantics
+  // local, but credential ownership and resolution use one scoped shape.
+  credential_binding: {
+    fields: {
+      id: { type: "string", required: true },
+      scope_id: { type: "string", required: true, index: true },
+      plugin_id: { type: "string", required: true, index: true },
+      source_id: { type: "string", required: true, index: true },
+      source_scope_id: { type: "string", required: true, index: true },
+      slot_key: { type: "string", required: true, index: true },
+      /** "text" | "secret" | "connection". */
+      kind: { type: credentialBindingKinds, required: true, index: true },
+      text_value: { type: "string", required: false },
+      secret_id: { type: "string", required: false, index: true },
+      secret_scope_id: { type: "string", required: false, index: true },
+      connection_id: { type: "string", required: false, index: true },
+      created_at: { type: "date", required: true },
+      updated_at: { type: "date", required: true }
+    }
+  },
   // User-authored overrides for tool permissions. Each row is one rule:
   // a glob-ish pattern + an action (approve / require_approval / block).
   // Resolution walks the scope stack innermost-first, then `position`
@@ -353,84 +398,223 @@ var coreSchema = {
 };
 
 // ../sdk/src/policies.ts
-import { Schema as Schema5 } from "effect";
-var ToolPolicyActionSchema = Schema5.Literals([
-  "approve",
-  "require_approval",
-  "block"
-]);
+import { Match, Schema as Schema6 } from "effect";
+var ToolPolicyActionSchema = Schema6.Literals(["approve", "require_approval", "block"]);
 
 // ../sdk/src/secrets.ts
-import { Schema as Schema6 } from "effect";
-var SecretRef = class extends Schema6.Class("SecretRef")({
+import { Schema as Schema7 } from "effect";
+var SecretRef = class extends Schema7.Class("SecretRef")({
   id: SecretId,
   scopeId: ScopeId,
   /** Human-readable label (e.g. "Cloudflare API Token") */
-  name: Schema6.String,
+  name: Schema7.String,
   /** Which provider holds the value */
-  provider: Schema6.String,
-  createdAt: Schema6.Date
+  provider: Schema7.String,
+  createdAt: Schema7.Date
 }) {
 };
-var SetSecretInput = class extends Schema6.Class(
-  "SetSecretInput"
-)({
+var SetSecretInput = class extends Schema7.Class("SetSecretInput")({
   id: SecretId,
   /** Scope id to own this secret. Must be one of the executor's
    *  configured scopes. */
   scope: ScopeId,
   /** Display name shown in secret-list UI. */
-  name: Schema6.String,
+  name: Schema7.String,
   /** The secret value itself — never persisted outside the provider. */
-  value: Schema6.String,
+  value: Schema7.String,
   /** Optional provider routing. If unset the executor picks the first
    *  writable provider in registration order. */
-  provider: Schema6.optional(Schema6.String)
+  provider: Schema7.optional(Schema7.String)
+}) {
+};
+var RemoveSecretInput = class extends Schema7.Class("RemoveSecretInput")({
+  id: SecretId,
+  /** Scope id whose secret row/value should be removed. Must be one of
+   *  the executor's configured scopes. */
+  targetScope: ScopeId
 }) {
 };
 
 // ../sdk/src/secret-backed-value.ts
-import { Effect as Effect3, Schema as Schema7 } from "effect";
-var SecretBackedValue = Schema7.Union([
-  Schema7.String,
-  Schema7.Struct({
-    secretId: Schema7.String,
-    prefix: Schema7.optional(Schema7.String)
+import { Effect as Effect3, Schema as Schema8 } from "effect";
+var SecretBackedValue = Schema8.Union([
+  Schema8.String,
+  Schema8.Struct({
+    secretId: Schema8.String,
+    prefix: Schema8.optional(Schema8.String)
   })
 ]);
-var SecretBackedMap = Schema7.Record(Schema7.String, SecretBackedValue);
+var SecretBackedMap = Schema8.Record(Schema8.String, SecretBackedValue);
+
+// ../sdk/src/credential-bindings.ts
+import { Match as Match2, Schema as Schema9 } from "effect";
+var CredentialBindingKind = Schema9.Literals(credentialBindingKinds);
+var CredentialBindingValue = Schema9.Union([
+  Schema9.Struct({
+    kind: Schema9.Literal("text"),
+    text: Schema9.String
+  }),
+  Schema9.Struct({
+    kind: Schema9.Literal("secret"),
+    secretId: SecretId,
+    secretScopeId: Schema9.optional(ScopeId)
+  }),
+  Schema9.Struct({
+    kind: Schema9.Literal("connection"),
+    connectionId: ConnectionId
+  })
+]);
+var ConfiguredCredentialBindingSchema = Schema9.Struct({
+  kind: Schema9.Literal("binding"),
+  slot: Schema9.String,
+  prefix: Schema9.optional(Schema9.String)
+});
+var ConfiguredCredentialBinding = class extends Schema9.Class(
+  "ConfiguredCredentialBinding"
+)(ConfiguredCredentialBindingSchema.fields) {
+};
+var ConfiguredCredentialValue = Schema9.Union([Schema9.String, ConfiguredCredentialBinding]);
+var ConfiguredCredentialValueSchema = Schema9.Union([
+  Schema9.String,
+  ConfiguredCredentialBindingSchema
+]);
+var ScopedSecretCredentialInput = Schema9.Struct({
+  secretId: Schema9.String,
+  prefix: Schema9.optional(Schema9.String),
+  targetScope: ScopeId,
+  secretScopeId: Schema9.optional(ScopeId)
+});
+var CredentialBindingRef = class extends Schema9.Class(
+  "CredentialBindingRef"
+)({
+  id: CredentialBindingId,
+  scopeId: ScopeId,
+  pluginId: Schema9.String,
+  sourceId: Schema9.String,
+  sourceScopeId: ScopeId,
+  slotKey: Schema9.String,
+  value: CredentialBindingValue,
+  createdAt: Schema9.Date,
+  updatedAt: Schema9.Date
+}) {
+};
+var SetCredentialBindingInput = class extends Schema9.Class(
+  "SetCredentialBindingInput"
+)({
+  targetScope: ScopeId,
+  pluginId: Schema9.String,
+  sourceId: Schema9.String,
+  sourceScope: ScopeId,
+  slotKey: Schema9.String,
+  value: CredentialBindingValue
+}) {
+};
+var CredentialBindingSourceInput = class extends Schema9.Class(
+  "CredentialBindingSourceInput"
+)({
+  pluginId: Schema9.String,
+  sourceId: Schema9.String,
+  sourceScope: ScopeId
+}) {
+};
+var CredentialBindingSlotInput = class extends Schema9.Class(
+  "CredentialBindingSlotInput"
+)({
+  pluginId: Schema9.String,
+  sourceId: Schema9.String,
+  sourceScope: ScopeId,
+  slotKey: Schema9.String
+}) {
+};
+var RemoveCredentialBindingInput = class extends Schema9.Class(
+  "RemoveCredentialBindingInput"
+)({
+  targetScope: ScopeId,
+  pluginId: Schema9.String,
+  sourceId: Schema9.String,
+  sourceScope: ScopeId,
+  slotKey: Schema9.String
+}) {
+};
+var ReplaceCredentialBindingValue = class extends Schema9.Class(
+  "ReplaceCredentialBindingValue"
+)({
+  slotKey: Schema9.String,
+  value: CredentialBindingValue
+}) {
+};
+var ReplaceCredentialBindingsInput = class extends Schema9.Class(
+  "ReplaceCredentialBindingsInput"
+)({
+  targetScope: ScopeId,
+  pluginId: Schema9.String,
+  sourceId: Schema9.String,
+  sourceScope: ScopeId,
+  slotPrefixes: Schema9.Array(Schema9.String),
+  bindings: Schema9.Array(ReplaceCredentialBindingValue)
+}) {
+};
+var CredentialBindingResolutionStatus = Schema9.Literals([
+  "resolved",
+  "missing",
+  "blocked"
+]);
+var ResolvedCredentialSlot = class extends Schema9.Class(
+  "ResolvedCredentialSlot"
+)({
+  pluginId: Schema9.String,
+  sourceId: Schema9.String,
+  sourceScopeId: ScopeId,
+  slotKey: Schema9.String,
+  bindingScopeId: Schema9.NullOr(ScopeId),
+  kind: Schema9.NullOr(CredentialBindingKind),
+  status: CredentialBindingResolutionStatus
+}) {
+};
+
+// ../sdk/src/usages.ts
+import { Schema as Schema10 } from "effect";
+var Usage = class extends Schema10.Class("Usage")({
+  pluginId: Schema10.String,
+  scopeId: ScopeId,
+  ownerKind: Schema10.String,
+  ownerId: Schema10.String,
+  ownerName: Schema10.NullOr(Schema10.String),
+  slot: Schema10.String
+}) {
+};
 
 // ../sdk/src/connections.ts
-import { Data as Data3, Schema as Schema8 } from "effect";
-var ConnectionProviderState = Schema8.Record(Schema8.String, Schema8.Unknown);
-var ConnectionRef = class extends Schema8.Class("ConnectionRef")({
+import { Data as Data3, Schema as Schema11 } from "effect";
+var ConnectionProviderState = Schema11.Record(Schema11.String, Schema11.Unknown);
+var ConnectionRef = class extends Schema11.Class("ConnectionRef")({
   id: ConnectionId,
   scopeId: ScopeId,
-  provider: Schema8.String,
-  identityLabel: Schema8.NullOr(Schema8.String),
+  provider: Schema11.String,
+  identityLabel: Schema11.NullOr(Schema11.String),
   accessTokenSecretId: SecretId,
-  refreshTokenSecretId: Schema8.NullOr(SecretId),
+  refreshTokenSecretId: Schema11.NullOr(SecretId),
   /** Epoch ms when the access token expires; null if not declared. */
-  expiresAt: Schema8.NullOr(Schema8.Number),
+  expiresAt: Schema11.NullOr(Schema11.Number),
   /** OAuth-style scope string as returned by the token endpoint. Named
    *  `oauthScope` to avoid collision with the executor scope id. */
-  oauthScope: Schema8.NullOr(Schema8.String),
-  providerState: Schema8.NullOr(ConnectionProviderState),
-  createdAt: Schema8.Date,
-  updatedAt: Schema8.Date
+  oauthScope: Schema11.NullOr(Schema11.String),
+  providerState: Schema11.NullOr(ConnectionProviderState),
+  createdAt: Schema11.Date,
+  updatedAt: Schema11.Date
 }) {
 };
-var TokenMaterial = class extends Schema8.Class("TokenMaterial")({
+var TokenMaterial = class extends Schema11.Class("TokenMaterial")({
   /** Target secret id. Plugins typically derive this from the source id
    *  + a stable suffix (e.g. `${sourceId}.access_token`). */
   secretId: SecretId,
   /** Display name stamped on the secret row. Only visible to code — the
    *  Connections UI hides connection-owned secrets. */
-  name: Schema8.String,
-  value: Schema8.String
+  name: Schema11.String,
+  value: Schema11.String
 }) {
 };
-var CreateConnectionInput = class extends Schema8.Class(
+var CreateConnectionInput = class extends Schema11.Class(
   "CreateConnectionInput"
 )({
   id: ConnectionId,
@@ -438,300 +622,377 @@ var CreateConnectionInput = class extends Schema8.Class(
    *  secrets. This is the sharing boundary: a user scope is personal,
    *  an org/workspace scope is shared with descendants. */
   scope: ScopeId,
-  provider: Schema8.String,
-  identityLabel: Schema8.NullOr(Schema8.String),
+  provider: Schema11.String,
+  identityLabel: Schema11.NullOr(Schema11.String),
   accessToken: TokenMaterial,
-  refreshToken: Schema8.NullOr(TokenMaterial),
-  expiresAt: Schema8.NullOr(Schema8.Number),
+  refreshToken: Schema11.NullOr(TokenMaterial),
+  expiresAt: Schema11.NullOr(Schema11.Number),
   /** OAuth-style scope string. Distinct from the executor scope above. */
-  oauthScope: Schema8.NullOr(Schema8.String),
-  providerState: Schema8.NullOr(ConnectionProviderState)
+  oauthScope: Schema11.NullOr(Schema11.String),
+  providerState: Schema11.NullOr(ConnectionProviderState)
 }) {
 };
-var ConnectionRefreshError = class extends Data3.TaggedError(
-  "ConnectionRefreshError"
-) {
+var ConnectionRefreshError = class extends Data3.TaggedError("ConnectionRefreshError") {
 };
-var UpdateConnectionTokensInput = class extends Schema8.Class(
+var UpdateConnectionTokensInput = class extends Schema11.Class(
   "UpdateConnectionTokensInput"
 )({
   id: ConnectionId,
-  accessToken: Schema8.String,
-  refreshToken: Schema8.optional(Schema8.NullOr(Schema8.String)),
-  expiresAt: Schema8.optional(Schema8.NullOr(Schema8.Number)),
-  oauthScope: Schema8.optional(Schema8.NullOr(Schema8.String)),
-  providerState: Schema8.optional(Schema8.NullOr(ConnectionProviderState)),
-  identityLabel: Schema8.optional(Schema8.NullOr(Schema8.String))
+  accessToken: Schema11.String,
+  refreshToken: Schema11.optional(Schema11.NullOr(Schema11.String)),
+  expiresAt: Schema11.optional(Schema11.NullOr(Schema11.Number)),
+  oauthScope: Schema11.optional(Schema11.NullOr(Schema11.String)),
+  providerState: Schema11.optional(Schema11.NullOr(ConnectionProviderState)),
+  identityLabel: Schema11.optional(Schema11.NullOr(Schema11.String))
+}) {
+};
+var RemoveConnectionInput = class extends Schema11.Class(
+  "RemoveConnectionInput"
+)({
+  id: ConnectionId,
+  /** Scope id whose connection row and owned token secrets should be removed. */
+  targetScope: ScopeId
 }) {
 };
 
 // ../sdk/src/elicitation.ts
-import { Schema as Schema9 } from "effect";
-var FormElicitation = class extends Schema9.TaggedClass()("FormElicitation", {
-  message: Schema9.String,
+import { Schema as Schema12 } from "effect";
+var FormElicitation = class extends Schema12.TaggedClass()("FormElicitation", {
+  message: Schema12.String,
   /** JSON Schema describing the fields to collect */
-  requestedSchema: Schema9.Record(Schema9.String, Schema9.Unknown)
+  requestedSchema: Schema12.Record(Schema12.String, Schema12.Unknown)
 }) {
 };
-var UrlElicitation = class extends Schema9.TaggedClass()("UrlElicitation", {
-  message: Schema9.String,
-  url: Schema9.String,
+var UrlElicitation = class extends Schema12.TaggedClass()("UrlElicitation", {
+  message: Schema12.String,
+  url: Schema12.String,
   /** Unique ID so the host can correlate the callback */
-  elicitationId: Schema9.String
+  elicitationId: Schema12.String
 }) {
 };
-var ElicitationAction = Schema9.Literals(["accept", "decline", "cancel"]);
-var ElicitationResponse = class extends Schema9.Class("ElicitationResponse")({
+var ElicitationAction = Schema12.Literals(["accept", "decline", "cancel"]);
+var ElicitationResponse = class extends Schema12.Class("ElicitationResponse")({
   action: ElicitationAction,
   /** Present when action is "accept" — the data the user provided */
-  content: Schema9.optional(Schema9.Record(Schema9.String, Schema9.Unknown))
+  content: Schema12.optional(Schema12.Record(Schema12.String, Schema12.Unknown))
 }) {
 };
-var ElicitationDeclinedError = class extends Schema9.TaggedErrorClass()(
+var ElicitationDeclinedError = class extends Schema12.TaggedErrorClass()(
   "ElicitationDeclinedError",
   {
     toolId: ToolId,
-    action: Schema9.Literals(["decline", "cancel"])
+    action: Schema12.Literals(["decline", "cancel"])
   }
 ) {
 };
 
 // ../sdk/src/blob.ts
-import { Effect as Effect6 } from "effect";
+import { Effect as Effect7 } from "effect";
 
 // ../sdk/src/oauth.ts
-import { Effect as Effect7, Schema as Schema10 } from "effect";
-var OAuthDynamicDcrStrategy = Schema10.Struct({
-  kind: Schema10.Literal("dynamic-dcr"),
+import { Effect as Effect8, Schema as Schema13 } from "effect";
+var OAuthDynamicDcrStrategy = Schema13.Struct({
+  kind: Schema13.Literal("dynamic-dcr"),
   /** Scopes to request. Defaults to whatever `scopes_supported`
    *  advertises; caller can narrow or extend. */
-  scopes: Schema10.optional(Schema10.Array(Schema10.String))
+  scopes: Schema13.optional(Schema13.Array(Schema13.String))
 });
-var OAuthAuthorizationCodeStrategy = Schema10.Struct({
-  kind: Schema10.Literal("authorization-code"),
-  authorizationEndpoint: Schema10.String,
-  tokenEndpoint: Schema10.String,
+var OAuthAuthorizationCodeStrategy = Schema13.Struct({
+  kind: Schema13.Literal("authorization-code"),
+  authorizationEndpoint: Schema13.String,
+  tokenEndpoint: Schema13.String,
   /** Expected authorization-server issuer for ID token validation. Some
    *  providers use a token endpoint host that differs from issuer, or a
    *  path-scoped issuer such as Okta custom authorization servers. */
-  issuerUrl: Schema10.optional(Schema10.NullOr(Schema10.String)),
+  issuerUrl: Schema13.optional(Schema13.NullOr(Schema13.String)),
   /** Secret id holding the `client_id`. Using a secret row rather than
    *  an inline string so the value lives at the scope where the caller
    *  configured it and shadowing behaves consistently. */
-  clientIdSecretId: Schema10.String,
+  clientIdSecretId: Schema13.String,
   /** Secret id for `client_secret`. Null for public clients using
    *  PKCE without a confidential secret. */
-  clientSecretSecretId: Schema10.NullOr(Schema10.String),
-  scopes: Schema10.Array(Schema10.String),
+  clientSecretSecretId: Schema13.NullOr(Schema13.String),
+  scopes: Schema13.Array(Schema13.String),
   /** Separator between scopes. RFC 6749 says space; some providers
    *  (GitHub classic) use comma. */
-  scopeSeparator: Schema10.optional(Schema10.String),
+  scopeSeparator: Schema13.optional(Schema13.String),
   /** Provider-specific params injected at authorization URL build time
    *  (Google's `access_type=offline`, `prompt=consent`, ...). */
-  extraAuthorizationParams: Schema10.optional(
-    Schema10.Record(Schema10.String, Schema10.String)
-  ),
+  extraAuthorizationParams: Schema13.optional(Schema13.Record(Schema13.String, Schema13.String)),
   /** `"body"` (default) sends client creds in the form body; `"basic"`
    *  uses HTTP Basic auth. Stripe-style servers require basic. */
-  clientAuth: Schema10.optional(Schema10.Literals(["body", "basic"]))
+  clientAuth: Schema13.optional(Schema13.Literals(["body", "basic"]))
 });
-var OAuthClientCredentialsStrategy = Schema10.Struct({
-  kind: Schema10.Literal("client-credentials"),
-  tokenEndpoint: Schema10.String,
-  clientIdSecretId: Schema10.String,
-  clientSecretSecretId: Schema10.String,
-  scopes: Schema10.optional(Schema10.Array(Schema10.String)),
-  scopeSeparator: Schema10.optional(Schema10.String),
-  clientAuth: Schema10.optional(Schema10.Literals(["body", "basic"]))
+var OAuthClientCredentialsStrategy = Schema13.Struct({
+  kind: Schema13.Literal("client-credentials"),
+  tokenEndpoint: Schema13.String,
+  clientIdSecretId: Schema13.String,
+  clientSecretSecretId: Schema13.String,
+  scopes: Schema13.optional(Schema13.Array(Schema13.String)),
+  scopeSeparator: Schema13.optional(Schema13.String),
+  clientAuth: Schema13.optional(Schema13.Literals(["body", "basic"]))
 });
-var OAuthStrategy = Schema10.Union([
+var OAuthStrategy = Schema13.Union([
   OAuthDynamicDcrStrategy,
   OAuthAuthorizationCodeStrategy,
   OAuthClientCredentialsStrategy
 ]);
-var OAuthProviderState = Schema10.Union([
-  Schema10.Struct({
-    kind: Schema10.Literal("dynamic-dcr"),
-    tokenEndpoint: Schema10.String,
-    issuerUrl: Schema10.optional(Schema10.NullOr(Schema10.String)),
-    authorizationServerUrl: Schema10.optional(Schema10.NullOr(Schema10.String)),
-    authorizationServerMetadataUrl: Schema10.NullOr(Schema10.String),
-    idTokenSigningAlgValuesSupported: Schema10.optional(
-      Schema10.Array(Schema10.String)
-    ),
+var OAuthProviderState = Schema13.Union([
+  Schema13.Struct({
+    kind: Schema13.Literal("dynamic-dcr"),
+    tokenEndpoint: Schema13.String,
+    issuerUrl: Schema13.optional(Schema13.NullOr(Schema13.String)),
+    authorizationServerUrl: Schema13.optional(Schema13.NullOr(Schema13.String)),
+    authorizationServerMetadataUrl: Schema13.NullOr(Schema13.String),
+    idTokenSigningAlgValuesSupported: Schema13.optional(Schema13.Array(Schema13.String)),
     /** DCR-minted client_id. Embedded inline (not a secret) — DCR
      *  clients are public-ish by design; the secret part (if the AS
      *  issued one) is a separate secret row. */
-    clientId: Schema10.String,
-    clientSecretSecretId: Schema10.NullOr(Schema10.String),
-    clientAuth: Schema10.Literals(["body", "basic"]),
-    scopes: Schema10.Array(Schema10.String).pipe(Schema10.withDecodingDefaultType(Effect7.succeed([]))),
-    scopeSeparator: Schema10.optional(Schema10.String),
-    scope: Schema10.NullOr(Schema10.String)
+    clientId: Schema13.String,
+    clientSecretSecretId: Schema13.NullOr(Schema13.String),
+    clientSecretSecretScopeId: Schema13.optional(Schema13.NullOr(Schema13.String)),
+    clientAuth: Schema13.Literals(["body", "basic"]),
+    scopes: Schema13.Array(Schema13.String).pipe(Schema13.withDecodingDefaultType(Effect8.succeed([]))),
+    scopeSeparator: Schema13.optional(Schema13.String),
+    scope: Schema13.NullOr(Schema13.String),
+    /** RFC 8707 canonical resource URL. Replayed on refresh so the new
+     *  access token's audience stays bound to the same resource. */
+    resource: Schema13.optional(Schema13.NullOr(Schema13.String))
   }),
-  Schema10.Struct({
-    kind: Schema10.Literal("authorization-code"),
-    tokenEndpoint: Schema10.String,
-    issuerUrl: Schema10.optional(Schema10.NullOr(Schema10.String)),
-    clientIdSecretId: Schema10.String,
-    clientSecretSecretId: Schema10.NullOr(Schema10.String),
-    clientAuth: Schema10.Literals(["body", "basic"]),
-    scopes: Schema10.Array(Schema10.String).pipe(Schema10.withDecodingDefaultType(Effect7.succeed([]))),
-    scopeSeparator: Schema10.optional(Schema10.String),
-    scope: Schema10.NullOr(Schema10.String)
+  Schema13.Struct({
+    kind: Schema13.Literal("authorization-code"),
+    tokenEndpoint: Schema13.String,
+    issuerUrl: Schema13.optional(Schema13.NullOr(Schema13.String)),
+    clientIdSecretId: Schema13.String,
+    clientIdSecretScopeId: Schema13.optional(Schema13.NullOr(Schema13.String)),
+    clientSecretSecretId: Schema13.NullOr(Schema13.String),
+    clientSecretSecretScopeId: Schema13.optional(Schema13.NullOr(Schema13.String)),
+    clientAuth: Schema13.Literals(["body", "basic"]),
+    scopes: Schema13.Array(Schema13.String).pipe(Schema13.withDecodingDefaultType(Effect8.succeed([]))),
+    scopeSeparator: Schema13.optional(Schema13.String),
+    scope: Schema13.NullOr(Schema13.String),
+    resource: Schema13.optional(Schema13.NullOr(Schema13.String))
   }),
-  Schema10.Struct({
-    kind: Schema10.Literal("client-credentials"),
-    tokenEndpoint: Schema10.String,
-    clientIdSecretId: Schema10.String,
-    clientSecretSecretId: Schema10.String,
-    scopes: Schema10.Array(Schema10.String),
-    scopeSeparator: Schema10.optional(Schema10.String),
-    clientAuth: Schema10.Literals(["body", "basic"]),
-    scope: Schema10.NullOr(Schema10.String)
+  Schema13.Struct({
+    kind: Schema13.Literal("client-credentials"),
+    tokenEndpoint: Schema13.String,
+    clientIdSecretId: Schema13.String,
+    clientIdSecretScopeId: Schema13.optional(Schema13.NullOr(Schema13.String)),
+    clientSecretSecretId: Schema13.String,
+    clientSecretSecretScopeId: Schema13.optional(Schema13.NullOr(Schema13.String)),
+    scopes: Schema13.Array(Schema13.String),
+    scopeSeparator: Schema13.optional(Schema13.String),
+    clientAuth: Schema13.Literals(["body", "basic"]),
+    scope: Schema13.NullOr(Schema13.String)
   })
 ]);
-var OAuthProbeError = class extends Schema10.TaggedErrorClass()(
+var OAuthProbeError = class extends Schema13.TaggedErrorClass()(
   "OAuthProbeError",
   {
-    message: Schema10.String
-  }
+    message: Schema13.String
+  },
+  { httpApiStatus: 400 }
 ) {
-  static annotations = { httpApiStatus: 400 };
 };
-var OAuthStartError = class extends Schema10.TaggedErrorClass()(
+var OAuthStartError = class extends Schema13.TaggedErrorClass()(
   "OAuthStartError",
   {
-    message: Schema10.String
-  }
+    message: Schema13.String,
+    /** RFC 6749 §5.2 / RFC 7591 §3.2.2 error code propagated up from the
+     *  authorization server (e.g. `invalid_client_metadata`). UI surfaces
+     *  it as the structured "AS rejected the registration" reason. */
+    error: Schema13.optional(Schema13.String),
+    errorDescription: Schema13.optional(Schema13.String)
+  },
+  { httpApiStatus: 400 }
 ) {
-  static annotations = { httpApiStatus: 400 };
 };
-var OAuthCompleteError = class extends Schema10.TaggedErrorClass()(
+var OAuthCompleteError = class extends Schema13.TaggedErrorClass()(
   "OAuthCompleteError",
   {
-    message: Schema10.String,
+    message: Schema13.String,
     /** RFC 6749 §5.2 error code, when the token endpoint returned one.
      *  Callers distinguish terminal failures (`invalid_grant` ⇒
      *  re-auth required) from transient ones. */
-    code: Schema10.optional(Schema10.String)
-  }
+    code: Schema13.optional(Schema13.String)
+  },
+  { httpApiStatus: 400 }
 ) {
-  static annotations = { httpApiStatus: 400 };
 };
-var OAuthSessionNotFoundError = class extends Schema10.TaggedErrorClass()(
+var OAuthSessionNotFoundError = class extends Schema13.TaggedErrorClass()(
   "OAuthSessionNotFoundError",
   {
-    sessionId: Schema10.String
-  }
+    sessionId: Schema13.String
+  },
+  { httpApiStatus: 404 }
 ) {
-  static annotations = { httpApiStatus: 404 };
 };
 var OAUTH2_SESSION_TTL_MS = 15 * 60 * 1e3;
 
 // ../sdk/src/oauth-helpers.ts
-import { Data as Data4, Effect as Effect8 } from "effect";
+import { Data as Data4, Effect as Effect9, Predicate } from "effect";
 var OAuth2Error = class extends Data4.TaggedError("OAuth2Error") {
 };
+var isOAuth2Error = Predicate.isTagged("OAuth2Error");
 
 // ../sdk/src/oauth-service.ts
-import { Effect as Effect10, Schema as Schema12 } from "effect";
+import { Duration as Duration2, Effect as Effect11, Match as Match3, Option as Option3, Schema as Schema15 } from "effect";
+import { FetchHttpClient as FetchHttpClient2, HttpClient as HttpClient2, HttpClientRequest as HttpClientRequest2 } from "effect/unstable/http";
 
 // ../sdk/src/oauth-discovery.ts
-import { Data as Data5, Effect as Effect9, Result, Schema as Schema11 } from "effect";
-var OAuthDiscoveryError = class extends Data5.TaggedError(
-  "OAuthDiscoveryError"
-) {
+import { Data as Data5, Duration, Effect as Effect10, Option as Option2, Predicate as Predicate2, Result, Schema as Schema14 } from "effect";
+import { FetchHttpClient, HttpClient, HttpClientRequest } from "effect/unstable/http";
+var OAuthDiscoveryError = class extends Data5.TaggedError("OAuthDiscoveryError") {
 };
-var StringArray = Schema11.Array(Schema11.String);
-var OAuthProtectedResourceMetadataSchema = Schema11.Struct({
-  resource: Schema11.optional(Schema11.String),
-  authorization_servers: Schema11.optional(StringArray),
-  scopes_supported: Schema11.optional(StringArray),
-  bearer_methods_supported: Schema11.optional(StringArray),
-  resource_documentation: Schema11.optional(Schema11.String)
+var StringArray = Schema14.Array(Schema14.String);
+var OAuthProtectedResourceMetadataSchema = Schema14.Struct({
+  resource: Schema14.optional(Schema14.String),
+  authorization_servers: Schema14.optional(StringArray),
+  scopes_supported: Schema14.optional(StringArray),
+  bearer_methods_supported: Schema14.optional(StringArray),
+  resource_documentation: Schema14.optional(Schema14.String)
 }).annotate({ identifier: "OAuthProtectedResourceMetadata" });
-var OAuthAuthorizationServerMetadataSchema = Schema11.Struct({
-  issuer: Schema11.String,
-  authorization_endpoint: Schema11.String,
-  token_endpoint: Schema11.String,
-  registration_endpoint: Schema11.optional(Schema11.String),
-  scopes_supported: Schema11.optional(StringArray),
-  response_types_supported: Schema11.optional(StringArray),
-  grant_types_supported: Schema11.optional(StringArray),
-  code_challenge_methods_supported: Schema11.optional(StringArray),
-  token_endpoint_auth_methods_supported: Schema11.optional(StringArray),
-  revocation_endpoint: Schema11.optional(Schema11.String),
-  introspection_endpoint: Schema11.optional(Schema11.String),
-  userinfo_endpoint: Schema11.optional(Schema11.String),
-  id_token_signing_alg_values_supported: Schema11.optional(StringArray)
+var OAuthAuthorizationServerMetadataSchema = Schema14.Struct({
+  issuer: Schema14.String,
+  authorization_endpoint: Schema14.String,
+  token_endpoint: Schema14.String,
+  registration_endpoint: Schema14.optional(Schema14.String),
+  scopes_supported: Schema14.optional(StringArray),
+  response_types_supported: Schema14.optional(StringArray),
+  grant_types_supported: Schema14.optional(StringArray),
+  code_challenge_methods_supported: Schema14.optional(StringArray),
+  token_endpoint_auth_methods_supported: Schema14.optional(StringArray),
+  revocation_endpoint: Schema14.optional(Schema14.String),
+  introspection_endpoint: Schema14.optional(Schema14.String),
+  userinfo_endpoint: Schema14.optional(Schema14.String),
+  id_token_signing_alg_values_supported: Schema14.optional(StringArray)
 }).annotate({ identifier: "OAuthAuthorizationServerMetadata" });
-var OAuthClientInformationSchema = Schema11.Struct({
-  client_id: Schema11.String,
-  client_secret: Schema11.optional(Schema11.String),
-  client_id_issued_at: Schema11.optional(Schema11.Number),
-  client_secret_expires_at: Schema11.optional(Schema11.Number),
-  registration_access_token: Schema11.optional(Schema11.String),
-  registration_client_uri: Schema11.optional(Schema11.String),
-  token_endpoint_auth_method: Schema11.optional(Schema11.String),
-  grant_types: Schema11.optional(StringArray),
-  response_types: Schema11.optional(StringArray),
-  redirect_uris: Schema11.optional(StringArray),
-  client_name: Schema11.optional(Schema11.String),
-  scope: Schema11.optional(Schema11.String)
+var OAuthClientInformationSchema = Schema14.Struct({
+  client_id: Schema14.String,
+  client_secret: Schema14.optional(Schema14.String),
+  client_id_issued_at: Schema14.optional(Schema14.Number),
+  client_secret_expires_at: Schema14.optional(Schema14.Number),
+  registration_access_token: Schema14.optional(Schema14.String),
+  registration_client_uri: Schema14.optional(Schema14.String),
+  token_endpoint_auth_method: Schema14.optional(Schema14.String),
+  grant_types: Schema14.optional(StringArray),
+  response_types: Schema14.optional(StringArray),
+  redirect_uris: Schema14.optional(StringArray),
+  client_name: Schema14.optional(Schema14.String),
+  scope: Schema14.optional(Schema14.String)
 }).annotate({ identifier: "OAuthClientInformation" });
-var decodeResourceMetadata = Schema11.decodeUnknownEffect(
-  OAuthProtectedResourceMetadataSchema
+var decodeResourceMetadataJson = Schema14.decodeUnknownEffect(
+  Schema14.fromJsonString(OAuthProtectedResourceMetadataSchema)
 );
-var decodeAuthServerMetadata = Schema11.decodeUnknownEffect(
-  OAuthAuthorizationServerMetadataSchema
-);
-var decodeClientInformation = Schema11.decodeUnknownEffect(
-  OAuthClientInformationSchema
+var decodeAuthServerMetadata = Schema14.decodeUnknownEffect(OAuthAuthorizationServerMetadataSchema);
+var decodeClientInformationJson = Schema14.decodeUnknownEffect(
+  Schema14.fromJsonString(OAuthClientInformationSchema)
 );
+var DcrErrorBody = class extends Data5.TaggedError("DcrErrorBody") {
+};
+var DcrTransport = class extends Data5.TaggedError("DcrTransport") {
+};
+var DcrErrorBodyJson = Schema14.Struct({
+  error: Schema14.String,
+  error_description: Schema14.optional(Schema14.String)
+});
+var decodeDcrErrorBodyJson = Schema14.decodeUnknownOption(Schema14.fromJsonString(DcrErrorBodyJson));
 
 // ../sdk/src/oauth-service.ts
-var OAuthAuthorizationServerMetadataJson = Schema12.Record(Schema12.String, Schema12.Unknown);
-var OAuthClientInformationJson = Schema12.Record(Schema12.String, Schema12.Unknown);
-var DynamicDcrSessionPayload = Schema12.Struct({
-  kind: Schema12.Literal("dynamic-dcr"),
-  identityLabel: Schema12.NullOr(Schema12.String),
-  codeVerifier: Schema12.String,
-  authorizationServerUrl: Schema12.String,
-  authorizationServerMetadataUrl: Schema12.String,
+var OAuthAuthorizationServerMetadataJson = Schema15.Record(Schema15.String, Schema15.Unknown);
+var OAuthClientInformationJson = Schema15.Record(Schema15.String, Schema15.Unknown);
+var DynamicDcrSessionPayload = Schema15.Struct({
+  kind: Schema15.Literal("dynamic-dcr"),
+  identityLabel: Schema15.NullOr(Schema15.String),
+  codeVerifier: Schema15.String,
+  authorizationServerUrl: Schema15.String,
+  authorizationServerMetadataUrl: Schema15.String,
   authorizationServerMetadata: OAuthAuthorizationServerMetadataJson,
   clientInformation: OAuthClientInformationJson,
-  resourceMetadataUrl: Schema12.NullOr(Schema12.String),
-  resourceMetadata: Schema12.NullOr(
-    Schema12.Record(Schema12.String, Schema12.Unknown)
-  ),
-  scopes: Schema12.Array(Schema12.String)
+  resourceMetadataUrl: Schema15.NullOr(Schema15.String),
+  resourceMetadata: Schema15.NullOr(Schema15.Record(Schema15.String, Schema15.Unknown)),
+  scopes: Schema15.Array(Schema15.String),
+  resource: Schema15.NullOr(Schema15.String).pipe(Schema15.withDecodingDefaultType(Effect11.succeed(null)))
 });
-var AuthorizationCodeSessionPayload = Schema12.Struct({
-  kind: Schema12.Literal("authorization-code"),
-  identityLabel: Schema12.NullOr(Schema12.String),
-  codeVerifier: Schema12.String,
-  authorizationEndpoint: Schema12.String,
-  tokenEndpoint: Schema12.String,
-  issuerUrl: Schema12.NullOr(Schema12.String).pipe(Schema12.withDecodingDefaultType(Effect10.succeed(null))),
-  clientIdSecretId: Schema12.String,
-  clientSecretSecretId: Schema12.NullOr(Schema12.String),
-  scopes: Schema12.Array(Schema12.String),
-  scopeSeparator: Schema12.optional(Schema12.String),
-  clientAuth: Schema12.Literals(["body", "basic"])
+var AuthorizationCodeSessionPayload = Schema15.Struct({
+  kind: Schema15.Literal("authorization-code"),
+  identityLabel: Schema15.NullOr(Schema15.String),
+  codeVerifier: Schema15.String,
+  authorizationEndpoint: Schema15.String,
+  tokenEndpoint: Schema15.String,
+  issuerUrl: Schema15.NullOr(Schema15.String).pipe(
+    Schema15.withDecodingDefaultType(Effect11.succeed(null))
+  ),
+  clientIdSecretId: Schema15.String,
+  clientIdSecretScopeId: Schema15.NullOr(Schema15.String).pipe(
+    Schema15.withDecodingDefaultType(Effect11.succeed(null))
+  ),
+  clientSecretSecretId: Schema15.NullOr(Schema15.String),
+  clientSecretSecretScopeId: Schema15.NullOr(Schema15.String).pipe(
+    Schema15.withDecodingDefaultType(Effect11.succeed(null))
+  ),
+  scopes: Schema15.Array(Schema15.String),
+  scopeSeparator: Schema15.optional(Schema15.String),
+  clientAuth: Schema15.Literals(["body", "basic"])
 });
-var OAuthSessionPayload = Schema12.Union([
+var OAuthSessionPayload = Schema15.Union([
   DynamicDcrSessionPayload,
   AuthorizationCodeSessionPayload
 ]);
-var decodeSessionPayload = Schema12.decodeUnknownSync(OAuthSessionPayload);
-var encodeSessionPayload = Schema12.encodeSync(OAuthSessionPayload);
+var decodeSessionPayload = Schema15.decodeUnknownSync(OAuthSessionPayload);
+var encodeSessionPayload = Schema15.encodeSync(OAuthSessionPayload);
+var UnknownFromJsonString = Schema15.fromJsonString(Schema15.Unknown);
+var decodeUnknownJsonOption = Schema15.decodeUnknownOption(UnknownFromJsonString);
+var decodeProviderStateSync = Schema15.decodeUnknownSync(OAuthProviderState);
+var encodeProviderStateSync = Schema15.encodeSync(OAuthProviderState);
+
+// ../sdk/src/hosted-http-client.ts
+import { Effect as Effect12, Layer as Layer3, Schema as Schema16 } from "effect";
+import { FetchHttpClient as FetchHttpClient3 } from "effect/unstable/http";
+var HostedOutboundRequestBlocked = class extends Schema16.TaggedErrorClass()(
+  "HostedOutboundRequestBlocked",
+  {
+    url: Schema16.String,
+    reason: Schema16.String
+  }
+) {
+};
+
+// ../sdk/src/plugin.ts
+import { Effect as Effect13 } from "effect";
+function definePlugin(authorFactory) {
+  return (options) => {
+    const {
+      storage: storageOverride,
+      ...rest
+    } = options ?? {};
+    const hasAuthorOptions = Object.keys(rest).length > 0;
+    const spec = authorFactory(hasAuthorOptions ? rest : void 0);
+    return {
+      ...spec,
+      storage: storageOverride ?? spec.storage
+    };
+  };
+}
 
 // ../sdk/src/executor.ts
-import { Context, Deferred, Effect as Effect12, Option, Result as Result2, Schema as Schema13, Semaphore } from "effect";
+import {
+  Context,
+  Deferred,
+  Effect as Effect15,
+  Match as Match5,
+  Option as Option5,
+  Result as Result2,
+  Schema as Schema17,
+  Semaphore
+} from "effect";
+import { FetchHttpClient as FetchHttpClient4 } from "effect/unstable/http";
+
+// ../sdk/src/schema-types.ts
+import { Match as Match4, Option as Option4 } from "effect";
 
 // ../sdk/src/scoped-adapter.ts
-import { Effect as Effect11 } from "effect";
+import { Effect as Effect14 } from "effect";
 
 // ../sdk/src/executor.ts
 var collectSchemas = (plugins) => {
@@ -740,22 +1001,68 @@ var collectSchemas = (plugins) => {
     if (!plugin.schema) continue;
     for (const [modelKey, model] of Object.entries(plugin.schema)) {
       if (merged[modelKey]) {
-        throw new Error(
-          `Duplicate model "${modelKey}" contributed by plugin "${plugin.id}" (reserved by core or another plugin)`
-        );
+        throw new StorageError({
+          message: `Duplicate model "${modelKey}" contributed by plugin "${plugin.id}" (reserved by core or another plugin)`,
+          cause: void 0
+        });
       }
       merged[modelKey] = model;
     }
   }
   return merged;
 };
-var activeAdapterRef = Context.Reference(
-  "executor/ActiveAdapter",
-  { defaultValue: () => null }
+var decodeJsonFromString2 = Schema17.decodeUnknownOption(Schema17.UnknownFromJsonString);
+var decodeProviderState = Schema17.decodeUnknownOption(ConnectionProviderState);
+var activeAdapterRef = Context.Reference("executor/ActiveAdapter", {
+  defaultValue: () => null
+});
+var activeRawAdapterRef = Context.Reference(
+  "executor/ActiveRawAdapter",
+  {
+    defaultValue: () => null
+  }
 );
 
 // ../storage-core/src/testing/memory.ts
-import { Effect as Effect13 } from "effect";
+import { Effect as Effect16, Match as Match6 } from "effect";
+
+// ../sdk/src/test-config.ts
+import { Effect as Effect17 } from "effect";
+var memorySecretsPlugin = definePlugin(() => {
+  const store = /* @__PURE__ */ new Map();
+  const provider = {
+    key: "memory",
+    writable: true,
+    get: (id, scope) => Effect17.sync(() => store.get(`${scope}\0${id}`) ?? null),
+    set: (id, value, scope) => Effect17.sync(() => {
+      store.set(`${scope}\0${id}`, value);
+    }),
+    delete: (id, scope) => Effect17.sync(() => store.delete(`${scope}\0${id}`)),
+    list: () => Effect17.sync(
+      () => Array.from(store.keys()).map((key) => {
+        const name = key.split("\0", 2)[1] ?? key;
+        return { id: name, name };
+      })
+    )
+  };
+  return {
+    id: "memory-secrets",
+    storage: () => ({}),
+    secretProviders: [provider]
+  };
+});
+
+// ../sdk/src/api-errors.ts
+import { Schema as Schema18 } from "effect";
+var InternalError = class extends Schema18.TaggedErrorClass()(
+  "InternalError",
+  {
+    /** Opaque correlation id for backend lookup (Sentry event id, log line, etc.). */
+    traceId: Schema18.String
+  },
+  { httpApiStatus: 500 }
+) {
+};
 
 // src/utils/get-config.ts
 import { existsSync } from "fs";
@@ -811,9 +1118,7 @@ var getType = (name, field, dialect) => {
         mysql: `mysqlEnum([${type.map((x) => `'${x}'`).join(", ")}])`
       }[dialect];
     }
-    throw new TypeError(
-      `Invalid field type for field ${name}`
-    );
+    throw new TypeError(`Invalid field type for field ${name}`);
   }
   const typeMap = {
     string: {
@@ -854,17 +1159,11 @@ var getType = (name, field, dialect) => {
   };
   const dbTypeMap = typeMap[type];
   if (!dbTypeMap) {
-    throw new Error(
-      `Unsupported field type '${field.type}' for field '${name}'.`
-    );
+    throw new Error(`Unsupported field type '${field.type}' for field '${name}'.`);
   }
   return dbTypeMap[dialect];
 };
-var generateDrizzleSchema = async ({
-  schema,
-  dialect,
-  file
-}) => {
+var generateDrizzleSchema = async ({ schema, dialect, file }) => {
   const filePath = file || "./executor-schema.ts";
   const fileExist = existsSync2(filePath);
   let code = generateImport({ dialect, schema });
@@ -1017,10 +1316,7 @@ ${block}
     const hasOne = singleRelations.length > 0;
     const hasMany = manyRelations.length > 0;
     if (hasOne || hasMany) {
-      const destructured = [
-        hasOne ? "one" : "",
-        hasMany ? "many" : ""
-      ].filter(Boolean).join(", ");
+      const destructured = [hasOne ? "one" : "", hasMany ? "many" : ""].filter(Boolean).join(", ");
       const body = [
         ...singleRelations.filter((r) => r.reference).map(
           (r) => `  ${r.key}: one(${r.model}, {
@@ -1028,9 +1324,7 @@ ${block}
     references: [${r.reference.references}],
   })`
         ),
-        ...manyRelations.map(
-          ({ key, model }) => `  ${key}: many(${model})`
-        )
+        ...manyRelations.map(({ key, model }) => `  ${key}: many(${model})`)
       ].join(",\n");
       const block = `export const ${modelName}Relations = relations(${modelName}, ({ ${destructured} }) => ({
 ${body}
@@ -1048,10 +1342,7 @@ ${relationsString}`;
     overwrite: fileExist
   };
 };
-function generateImport({
-  dialect,
-  schema
-}) {
+function generateImport({ dialect, schema }) {
   const rootImports = [];
   const coreImports = [];
   let hasBigint = false;
@@ -1138,7 +1429,7 @@ async function generateAction(opts) {
     );
     process.exit(1);
   }
-  const schema = collectSchemas(config.plugins);
+  const schema = collectSchemas(config.plugins());
   const result = await generateDrizzleSchema({
     schema,
     dialect: config.dialect,
@@ -1156,17 +1447,7 @@ async function generateAction(opts) {
   await fs.writeFile(outPath, result.code);
   console.log(`Schema generated: ${path2.relative(cwd, outPath)}`);
 }
-var generate = new Command("generate").description("Generate a drizzle schema file from the executor config").option(
-  "-c, --cwd <cwd>",
-  "the working directory",
-  process.cwd()
-).option(
-  "--config <config>",
-  "path to the executor config file"
-).option(
-  "--output <output>",
-  "output file path for the generated schema"
-).action(generateAction);
+var generate = new Command("generate").description("Generate a drizzle schema file from the executor config").option("-c, --cwd <cwd>", "the working directory", process.cwd()).option("--config <config>", "path to the executor config file").option("--output <output>", "output file path for the generated schema").action(generateAction);
 
 // src/index.ts
 process.on("SIGINT", () => process.exit(0));