@exulu/backend 1.58.0 → 1.60.0

package/dist/{chunk-RVLZ5EL3.js → chunk-23YNGK3V.js}

@@ -5,6 +5,32 @@ import { S3Client as S3Client2, PutObjectCommand as PutObjectCommand2, S3Service
 import { tool } from "ai";
 import { z } from "zod";
 
+// src/utils/sanitize-name.ts
+var sanitizeName = (name) => {
+  return name.toLowerCase().replace(/ /g, "_")?.trim();
+};
+
+// src/exulu/tool.ts
+import { randomUUID } from "crypto";
+
+// src/exulu/app/singleton.ts
+var instance = null;
+var exuluApp = {
+  get: () => {
+    if (!instance) {
+      throw new Error("ExuluApp not initialized");
+    }
+    return instance;
+  },
+  set: (app) => {
+    instance = app;
+  }
+};
+
+// src/exulu/resolve-model.ts
+import CryptoJS from "crypto-js";
+import { createOpenAICompatible } from "@ai-sdk/openai-compatible";
+
 // src/postgres/client.ts
 import Knex from "knex";
 import "knex";
@@ -72,26 +98,20 @@ async function postgresClient() {
           database: dbName,
           password: process.env.POSTGRES_DB_PASSWORD,
           ssl: process.env.POSTGRES_DB_SSL === "true" ? { rejectUnauthorized: false } : false,
+          // TCP keepalive prevents idle sockets from being silently dropped by
+          // intermediate network devices (NAT, firewalls) between us and Hetzner.
+          keepAlive: true,
+          keepAliveInitialDelayMillis: 1e4,
           connectionTimeoutMillis: 3e4,
-          // Increased from 10s to 30s to handle connection spikes
-          // PostgreSQL statement timeout (in milliseconds) - kills queries that run too long
-          // This prevents runaway queries from blocking connections
           statement_timeout: 18e5,
-          // 30 minutes - should be longer than max job timeout (1200s = 20m)
-          // Connection idle timeout - how long pg client waits before timing out
           query_timeout: 18e5
-          // 30 minutes
         },
         pool: {
           min: 10,
-          // Minimum connections always ready
           max: 300,
-          // Increased to support high worker concurrency (250+ concurrent jobs)
           acquireTimeoutMillis: 12e4,
-          // 2 minutes - increased to handle high contention during bursts
           createTimeoutMillis: 3e4,
-          idleTimeoutMillis: 6e4,
-          // Keep connections alive for reuse
+          idleTimeoutMillis: 3e4,
           reapIntervalMillis: 1e3,
           createRetryIntervalMillis: 200,
           // Enable propagateCreateError to properly handle connection creation failures
@@ -127,30 +147,531 @@ async function postgresClient() {
   };
 }
 
-// src/exulu/tool.ts
-import CryptoJS from "crypto-js";
+// src/utils/check-record-access.ts
+var checkRecordAccessCache = /* @__PURE__ */ new Map();
+var checkRecordAccess = async (record, request, user) => {
+  const setRecordAccessCache = (hasAccess2) => {
+    checkRecordAccessCache.set(`${record.id}-${request}-${user?.id}`, {
+      hasAccess: hasAccess2,
+      expiresAt: new Date(Date.now() + 1e3 * 60 * 1)
+      // 1 minute
+    });
+  };
+  const cachedAccess = checkRecordAccessCache.get(`${record.id}-${request}-${user?.id}`);
+  if (cachedAccess && cachedAccess.expiresAt > /* @__PURE__ */ new Date()) {
+    return cachedAccess.hasAccess;
+  }
+  const isPublic = record.rights_mode === "public";
+  const byUsers = record.rights_mode === "users";
+  const byRoles = record.rights_mode === "roles";
+  const createdBy = typeof record.created_by === "string" ? record.created_by : record.created_by?.toString();
+  const isCreator = user ? createdBy === user.id.toString() : false;
+  const isAdmin = user ? user.super_admin : false;
+  const isApi = user ? user.type === "api" : false;
+  const isAdminApi = isApi && (!user.scope_mode || user.scope_mode === "admin");
+  const isAgentsScopedApi = isApi && user.scope_mode === "agents" && request === "read" && Array.isArray(user.agent_ids) && user.agent_ids.includes(String(record.id));
+  let hasAccess = "none";
+  if (isPublic || isCreator || isAdmin || isAdminApi || isAgentsScopedApi) {
+    setRecordAccessCache(true);
+    return true;
+  }
+  if (byUsers) {
+    if (!user) {
+      setRecordAccessCache(false);
+      return false;
+    }
+    hasAccess = record.RBAC?.users?.find((x) => x.id === user.id)?.rights || "none";
+    if (!hasAccess || hasAccess === "none" || hasAccess !== request) {
+      console.error(
+        `[EXULU] Your current user ${user.id} does not have access to this record, current access type is: ${hasAccess}.`
+      );
+      setRecordAccessCache(false);
+      return false;
+    } else {
+      setRecordAccessCache(true);
+      return true;
+    }
+  }
+  if (byRoles) {
+    if (!user) {
+      setRecordAccessCache(false);
+      return false;
+    }
+    hasAccess = record.RBAC?.roles?.find((x) => x.id === user.role?.id)?.rights || "none";
+    if (!hasAccess || hasAccess === "none" || hasAccess !== request) {
+      console.error(
+        `[EXULU] Your current role ${user.role?.name} does not have access to this record, current access type is: ${hasAccess}.`
+      );
+      setRecordAccessCache(false);
+      return false;
+    } else {
+      setRecordAccessCache(true);
+      return true;
+    }
+  }
+  setRecordAccessCache(false);
+  return false;
+};
 
-// src/utils/sanitize-name.ts
-var sanitizeName = (name) => {
-  return name.toLowerCase().replace(/ /g, "_")?.trim();
+// src/exulu/litellm/supervisor.ts
+import { spawn } from "child_process";
+import { existsSync } from "fs";
+import { resolve } from "path";
+var MAX_CRASHES = 5;
+var INITIAL_BACKOFF_MS = 1e3;
+var MAX_BACKOFF_MS = 3e4;
+var READY_TIMEOUT_MS = 3e4;
+var READY_POLL_INTERVAL_MS = 200;
+var SHUTDOWN_GRACE_MS = 5e3;
+var internal = {
+  child: void 0,
+  state: "idle",
+  crashCount: 0,
+  backoffMs: INITIAL_BACKOFF_MS,
+  readyPromise: void 0,
+  shutdownRequested: false
+};
+var isLiteLLMEnabled = () => process.env.EXULU_USE_LITELLM === "true";
+var resolveConfig = (packageRoot) => {
+  const host = process.env.LITELLM_HOST ?? "127.0.0.1";
+  const port = process.env.LITELLM_PORT ?? "4000";
+  const masterKey = process.env.LITELLM_MASTER_KEY;
+  const configPath = process.env.LITELLM_CONFIG_PATH ?? resolve(packageRoot, "./config.litellm.yaml");
+  const venvBin = resolve(packageRoot, "ee/python/.venv/bin");
+  const venvPython = resolve(venvBin, "python");
+  const litellmBin = resolve(venvBin, "litellm");
+  return { host, port, masterKey, configPath, venvBin, venvPython, litellmBin };
+};
+var log = (line) => console.log(`[EXULU-LITELLM] ${line}`);
+var pollHealth = async (host, port) => {
+  const url = `http://${host}:${port}/health/liveliness`;
+  const deadline = Date.now() + READY_TIMEOUT_MS;
+  while (Date.now() < deadline) {
+    try {
+      const res = await fetch(url, { method: "GET" });
+      if (res.ok) return;
+    } catch {
+    }
+    await new Promise((r) => setTimeout(r, READY_POLL_INTERVAL_MS));
+  }
+  throw new Error(
+    `LiteLLM did not become ready at ${url} within ${READY_TIMEOUT_MS}ms`
+  );
+};
+var spawnLiteLLM = (cfg) => {
+  log(
+    `Spawning LiteLLM: ${cfg.litellmBin} --config ${cfg.configPath} --port ${cfg.port} --host ${cfg.host}`
+  );
+  const { DEBUG: _debug, ...rest } = process.env;
+  const childEnv = { ...rest, DEBUG: "false" };
+  const child = spawn(
+    cfg.litellmBin,
+    [
+      "--config",
+      cfg.configPath,
+      "--port",
+      cfg.port,
+      "--host",
+      cfg.host
+    ],
+    {
+      stdio: ["ignore", "pipe", "pipe"],
+      env: childEnv
+    }
+  );
+  child.stdout?.on("data", (chunk) => {
+    chunk.toString().split("\n").filter((l) => l.length > 0).forEach((l) => log(l));
+  });
+  child.stderr?.on("data", (chunk) => {
+    chunk.toString().split("\n").filter((l) => l.length > 0).forEach((l) => log(`stderr: ${l}`));
+  });
+  return child;
+};
+var supervise = async (cfg) => {
+  while (!internal.shutdownRequested && internal.crashCount < MAX_CRASHES) {
+    internal.state = internal.crashCount === 0 ? "starting" : "respawning";
+    internal.child = spawnLiteLLM(cfg);
+    const exitPromise = new Promise((resolveFn) => {
+      internal.child.on("exit", (code2) => resolveFn(code2));
+    });
+    try {
+      await Promise.race([
+        pollHealth(cfg.host, cfg.port).then(() => "ready"),
+        exitPromise.then((code2) => ({ exited: code2 }))
+      ]);
+    } catch (err) {
+      log(`Readiness probe failed: ${err.message}`);
+      try {
+        internal.child?.kill("SIGTERM");
+      } catch {
+      }
+    }
+    if (!internal.child?.killed && internal.child?.exitCode === null) {
+      internal.state = "ready";
+      internal.crashCount = 0;
+      internal.backoffMs = INITIAL_BACKOFF_MS;
+      log("LiteLLM is ready.");
+    }
+    const code = await exitPromise;
+    internal.state = "respawning";
+    internal.child = void 0;
+    if (internal.shutdownRequested) {
+      log("Child exited during shutdown; supervisor stopping.");
+      internal.state = "stopped";
+      return;
+    }
+    internal.crashCount += 1;
+    log(
+      `LiteLLM exited (code=${code}). Crash ${internal.crashCount}/${MAX_CRASHES}. Respawning in ${internal.backoffMs}ms.`
+    );
+    if (internal.crashCount >= MAX_CRASHES) {
+      log(
+        "LiteLLM keeps crashing \u2014 fix the config and restart Exulu. Giving up on respawn."
+      );
+      internal.state = "given_up";
+      return;
+    }
+    await new Promise((r) => setTimeout(r, internal.backoffMs));
+    internal.backoffMs = Math.min(internal.backoffMs * 2, MAX_BACKOFF_MS);
+  }
+};
+var _packageRoot;
+var setLiteLLMPackageRoot = (root) => {
+  _packageRoot = root;
+};
+var startLiteLLMSupervisor = async (options = {}) => {
+  if (!isLiteLLMEnabled()) return;
+  if (internal.readyPromise) {
+    return internal.readyPromise;
+  }
+  if (!process.env.LITELLM_MASTER_KEY) {
+    throw new Error(
+      "EXULU_USE_LITELLM is true but LITELLM_MASTER_KEY is not set. Set LITELLM_MASTER_KEY to a strong secret and restart Exulu."
+    );
+  }
+  const packageRoot = options.packageRoot ?? _packageRoot;
+  if (!packageRoot) {
+    throw new Error(
+      "LiteLLM supervisor: package root not set. Call setLiteLLMPackageRoot() from the boot path before starting the supervisor."
+    );
+  }
+  const cfg = resolveConfig(packageRoot);
+  if (!existsSync(cfg.configPath)) {
+    log(
+      `LiteLLM config not found at ${cfg.configPath}. Copy ee/python/.litellm/config.yaml.example to that path, edit it, and restart Exulu. LiteLLM will NOT be started until then.`
+    );
+    internal.state = "given_up";
+    return;
+  }
+  if (!existsSync(cfg.litellmBin)) {
+    log(
+      `LiteLLM binary not found at ${cfg.litellmBin}. The Python venv may not be set up. Run setupPythonEnvironment() from @exulu/backend, then restart.`
+    );
+    internal.state = "given_up";
+    return;
+  }
+  internal.readyPromise = (async () => {
+    supervise(cfg);
+    const deadline = Date.now() + READY_TIMEOUT_MS + 5e3;
+    while (Date.now() < deadline) {
+      if (internal.state === "ready") return;
+      if (internal.state === "given_up") {
+        throw new Error("LiteLLM supervisor gave up before becoming ready.");
+      }
+      await new Promise((r) => setTimeout(r, READY_POLL_INTERVAL_MS));
+    }
+    throw new Error("Timed out waiting for LiteLLM supervisor readiness.");
+  })();
+  registerShutdownHandlers();
+  return internal.readyPromise;
+};
+var waitForLiteLLMReady = async () => {
+  if (!isLiteLLMEnabled()) return;
+  if (!internal.readyPromise) {
+    await startLiteLLMSupervisor();
+    return;
+  }
+  return internal.readyPromise;
+};
+var stopLiteLLM = (signal = "SIGTERM") => {
+  internal.shutdownRequested = true;
+  const child = internal.child;
+  if (!child) return;
+  try {
+    child.kill(signal);
+  } catch {
+  }
+  setTimeout(() => {
+    try {
+      if (!child.killed && child.exitCode === null) {
+        child.kill("SIGKILL");
+      }
+    } catch {
+    }
+  }, SHUTDOWN_GRACE_MS).unref();
+};
+var shutdownHandlersRegistered = false;
+var registerShutdownHandlers = () => {
+  if (shutdownHandlersRegistered) return;
+  shutdownHandlersRegistered = true;
+  process.on("SIGINT", () => stopLiteLLM("SIGTERM"));
+  process.on("SIGTERM", () => stopLiteLLM("SIGTERM"));
+  process.on("exit", () => stopLiteLLM("SIGTERM"));
 };
 
-// src/exulu/tool.ts
-import { randomUUID } from "crypto";
+// src/exulu/tags.ts
+var MAX_LEN = 63;
+function sanitizeTagValue(raw) {
+  if (raw === void 0 || raw === null) return void 0;
+  const s = String(raw).normalize("NFKC").toLowerCase().replace(/[^a-z0-9_-]/g, "-");
+  return s.slice(0, MAX_LEN);
+}
+function buildTags(input) {
+  const candidates = [];
+  if (input.user_id) {
+    candidates.push("user_id_" + input.user_id);
+  }
+  if (input.user_name) {
+    candidates.push("user_name_" + input.user_name);
+  }
+  if (input.role_id) {
+    candidates.push("role_id_" + input.role_id);
+  }
+  if (input.role_name) {
+    candidates.push("role_name_" + input.role_name);
+  }
+  if (input.project_id) {
+    candidates.push("project_id_" + input.project_id);
+  }
+  if (input.project_name) {
+    candidates.push("project_name_" + input.project_name);
+  }
+  if (input.agent_id) {
+    candidates.push("agent_id_" + input.agent_id);
+  }
+  if (input.agent_name) {
+    candidates.push("agent_name_" + input.agent_name);
+  }
+  console.log("[EXULU] Candidates", candidates);
+  const out = [];
+  for (const candidate of candidates) {
+    if (candidate === void 0 || candidate === null) continue;
+    const value = sanitizeTagValue(candidate);
+    console.log("[EXULU] Sanitized tag value", value);
+    if (value === void 0 || value === "") continue;
+    out.push(value);
+  }
+  return out;
+}
+function decodeBody(body) {
+  if (typeof body === "string") return body;
+  if (body instanceof Uint8Array) return new TextDecoder().decode(body);
+  return void 0;
+}
+function stripContentLengthHeader(headers) {
+  if (!headers) return headers;
+  if (typeof headers.delete === "function") {
+    const clone = new globalThis.Headers(headers);
+    clone.delete("content-length");
+    return clone;
+  }
+  if (Array.isArray(headers)) {
+    return headers.filter(
+      ([k]) => k.toLowerCase() !== "content-length"
+    );
+  }
+  const out = {};
+  for (const [k, v] of Object.entries(headers)) {
+    if (k.toLowerCase() === "content-length") continue;
+    out[k] = v;
+  }
+  return out;
+}
+function createTaggedFetch(tags) {
+  const labeled = async (input, init) => {
+    try {
+      if (!init || !init.body) return globalThis.fetch(input, init);
+      const method = (init.method ?? "POST").toUpperCase();
+      if (method !== "POST" && method !== "PUT" && method !== "PATCH") {
+        return globalThis.fetch(input, init);
+      }
+      const decoded = decodeBody(init.body);
+      if (decoded === void 0) {
+        console.warn("[vertex-labels] unsupported body type, forwarding unchanged");
+        return globalThis.fetch(input, init);
+      }
+      let parsed;
+      try {
+        parsed = JSON.parse(decoded);
+      } catch {
+        console.warn("[vertex-labels] body is not JSON, forwarding unchanged");
+        return globalThis.fetch(input, init);
+      }
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        return globalThis.fetch(input, init);
+      }
+      const existing = parsed.metadata ?? {};
+      parsed.metadata = { ...existing, tags };
+      console.log("[EXULU] tags", parsed.metadata);
+      const nextInit = {
+        ...init,
+        body: JSON.stringify(parsed),
+        headers: stripContentLengthHeader(init.headers)
+      };
+      return globalThis.fetch(input, nextInit);
+    } catch (err) {
+      console.warn("[vertex-labels] label injection failed, forwarding unchanged", err);
+      return globalThis.fetch(input, init);
+    }
+  };
+  return labeled;
+}
 
-// src/exulu/app/singleton.ts
-var instance = null;
-var exuluApp = {
-  get: () => {
-    if (!instance) {
-      throw new Error("ExuluApp not initialized");
+// src/exulu/resolve-model.ts
+var LITELLM_PROVIDER_SENTINEL = new Proxy(
+  {},
+  {
+    get(_target, prop) {
+      if (prop === "id") return "litellm";
+      if (prop === Symbol.toPrimitive || prop === "toString") {
+        return () => "[LiteLLMProviderSentinel]";
+      }
+      console.error(`ExuluProvider.${String(prop)} is not available in LiteLLM mode. `, new Error().stack);
+      throw new Error(
+        `ExuluProvider.${String(prop)} is not available in LiteLLM mode. Code paths that depend on the in-code provider catalog must check isLiteLLMEnabled() and degrade.`
+      );
     }
-    return instance;
-  },
-  set: (app) => {
-    instance = app;
+  }
+);
+var ResolveModelError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+    this.name = "ResolveModelError";
   }
 };
+var _litellmProvider;
+var getLiteLLMProvider = ({
+  user,
+  role,
+  project,
+  agent
+}) => {
+  if (_litellmProvider) return _litellmProvider;
+  const host = process.env.LITELLM_HOST ?? "127.0.0.1";
+  const port = process.env.LITELLM_PORT ?? "4000";
+  const masterKey = process.env.LITELLM_MASTER_KEY;
+  const tags = buildTags({
+    user,
+    role,
+    project,
+    agent
+  });
+  if (!masterKey) {
+    throw new ResolveModelError(
+      "LITELLM_NOT_CONFIGURED",
+      "LITELLM_MASTER_KEY is required when EXULU_USE_LITELLM=true"
+    );
+  }
+  _litellmProvider = createOpenAICompatible({
+    name: "litellm",
+    baseURL: `http://${host}:${port}/v1`,
+    apiKey: masterKey,
+    fetch: createTaggedFetch(tags)
+  });
+  return _litellmProvider;
+};
+async function resolveModel(input) {
+  const { modelId, user, providers, agent, project, rbacBypass } = input;
+  const rbacRequest = input.rbacRequest ?? "read";
+  if (isLiteLLMEnabled()) {
+    try {
+      await waitForLiteLLMReady();
+    } catch (err) {
+      throw new ResolveModelError(
+        "LITELLM_NOT_READY",
+        `LiteLLM is not ready: ${err.message}`
+      );
+    }
+    const litellm = getLiteLLMProvider({
+      user: user?.id,
+      role: user?.role?.id,
+      project: project?.id,
+      agent: agent?.id
+    });
+    const languageModel2 = litellm(modelId);
+    const syntheticModel = {
+      id: modelId,
+      name: modelId,
+      provider: modelId,
+      active: true,
+      rights_mode: "public",
+      created_by: "litellm"
+    };
+    return {
+      languageModel: languageModel2,
+      model: syntheticModel,
+      exuluProvider: LITELLM_PROVIDER_SENTINEL,
+      apiKey: void 0
+    };
+  }
+  const { db: db2 } = await postgresClient();
+  const model = await db2.from("models").where({ id: modelId }).first();
+  if (!model) {
+    throw new ResolveModelError("MODEL_NOT_FOUND", `Model ${modelId} not found`);
+  }
+  if (!model.active) {
+    throw new ResolveModelError("MODEL_INACTIVE", `Model ${model.name} is inactive`);
+  }
+  if (!rbacBypass) {
+    const ok = await checkRecordAccess(model, rbacRequest, user);
+    if (!ok) {
+      throw new ResolveModelError(
+        "MODEL_FORBIDDEN",
+        `No ${rbacRequest} access to model ${model.name}`
+      );
+    }
+  }
+  const exuluProvider = providers.find((p) => p.id === model.provider);
+  if (!exuluProvider) {
+    throw new ResolveModelError(
+      "PROVIDER_NOT_FOUND",
+      `ExuluProvider ${model.provider} (referenced by model ${model.name}) not registered in this instance`
+    );
+  }
+  if (!exuluProvider.config?.model?.create) {
+    throw new ResolveModelError(
+      "PROVIDER_NO_MODEL",
+      `ExuluProvider ${exuluProvider.id} has no model.create()`
+    );
+  }
+  let apiKey;
+  if (model.authvariable) {
+    const variable = await db2.from("variables").where({ name: model.authvariable }).first();
+    if (!variable) {
+      throw new ResolveModelError(
+        "AUTH_VAR_NOT_FOUND",
+        `Auth variable ${model.authvariable} (referenced by model ${model.name}) not found`
+      );
+    }
+    if (!variable.encrypted) {
+      throw new ResolveModelError(
+        "AUTH_VAR_NOT_ENCRYPTED",
+        `Auth variable ${model.authvariable} must be encrypted`
+      );
+    }
+    const bytes = CryptoJS.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
+    apiKey = bytes.toString(CryptoJS.enc.Utf8);
+  }
+  const languageModel = exuluProvider.config.model.create({
+    apiKey,
+    user: user?.id,
+    role: user?.role?.id,
+    project: project?.id,
+    agent: agent?.id
+  });
+  return { languageModel, model, exuluProvider, apiKey };
+}
 
 // src/exulu/tool.ts
 var ExuluTool = class {
@@ -211,29 +732,19 @@ var ExuluTool = class {
     if (!agent) {
       throw new Error("Agent not found.");
     }
-    const { db: db2 } = await postgresClient();
     let providerapikey;
-    const variableName = agent.providerapikey;
-    if (variableName) {
-      console.log("[EXULU] provider api key variable name", variableName);
-      const variable = await db2.from("variables").where({ name: variableName }).first();
-      if (!variable) {
-        throw new Error(
-          "Provider API key variable not found for " + agent.name + " (" + agent.id + ")."
-        );
-      }
-      providerapikey = variable.value;
-      if (!variable.encrypted) {
-        throw new Error(
-          "Provider API key variable not encrypted, for security reasons you are only allowed to use encrypted variables for provider API keys."
-        );
-      }
-      if (variable.encrypted) {
-        const bytes = CryptoJS.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
-        providerapikey = bytes.toString(CryptoJS.enc.Utf8);
-      }
+    if (agent.model) {
+      const providers = exuluApp.get().providers;
+      const resolved = await resolveModel({
+        modelId: agent.model,
+        user,
+        providers,
+        agent: { id: agent.id },
+        rbacBypass: true
+      });
+      providerapikey = resolved.apiKey;
     }
-    const { convertExuluToolsToAiSdkTools: convertExuluToolsToAiSdkTools2 } = await import("./convert-exulu-tools-to-ai-sdk-tools-K4W6OJ3G.js");
+    const { convertExuluToolsToAiSdkTools: convertExuluToolsToAiSdkTools2 } = await import("./convert-exulu-tools-to-ai-sdk-tools-PLLM2CJL.js");
     const tools = await convertExuluToolsToAiSdkTools2(
       [this],
       [],
@@ -560,7 +1071,7 @@ async function withRetry(generateFn, maxRetries = 3) {
       if (attempt === maxRetries) {
         throw error;
       }
-      await new Promise((resolve2) => setTimeout(resolve2, Math.pow(2, attempt) * 1e3));
+      await new Promise((resolve3) => setTimeout(resolve3, Math.pow(2, attempt) * 1e3));
     }
   }
   throw lastError;
@@ -929,7 +1440,7 @@ var uploadFile = async (file, fileName, config, options = {}, user, customBucket
       if (error.name === "SignatureDoesNotMatch" || error.name === "InvalidAccessKeyId" || error.name === "AccessDenied") {
         if (attempt < maxRetries) {
           const backoffMs = Math.pow(2, attempt) * 1e3;
-          await new Promise((resolve2) => setTimeout(resolve2, backoffMs));
+          await new Promise((resolve3) => setTimeout(resolve3, backoffMs));
           s3Client = void 0;
           getS3Client(config);
           continue;
@@ -2279,6 +2790,10 @@ var agentMessagesSchema = {
     {
       name: "session",
       type: "text"
+    },
+    {
+      name: "model",
+      type: "text"
     }
   ]
 };
@@ -2459,6 +2974,11 @@ var agentsSchema = {
       name: "feedback",
       type: "boolean"
     },
+    {
+      name: "suggestions_enabled",
+      type: "boolean",
+      default: false
+    },
     {
       name: "description",
       type: "text"
@@ -2477,11 +2997,7 @@ var agentsSchema = {
       // allows selecting a exulu context as native memory for the agent
     },
     {
-      name: "providerapikey",
-      type: "text"
-    },
-    {
-      name: "provider",
+      name: "model",
       type: "text"
     },
     {
@@ -2511,6 +3027,59 @@ var agentsSchema = {
     }
   ]
 };
+var modelsSchema = {
+  type: "models",
+  name: {
+    plural: "models",
+    singular: "model"
+  },
+  RBAC: true,
+  fields: [
+    {
+      name: "name",
+      type: "text",
+      required: true
+    },
+    {
+      name: "description",
+      type: "text"
+    },
+    {
+      name: "provider",
+      type: "text",
+      required: true
+    },
+    {
+      name: "authvariable",
+      type: "text"
+    },
+    {
+      name: "active",
+      type: "boolean",
+      default: true
+    },
+    {
+      name: "requests_per_window",
+      type: "number"
+    },
+    {
+      name: "window_seconds",
+      type: "number"
+    },
+    {
+      name: "token_budget",
+      type: "number"
+    },
+    {
+      name: "cost_budget_usd",
+      type: "number"
+    },
+    {
+      name: "budget_window",
+      type: "text"
+    }
+  ]
+};
 var usersSchema = {
   type: "users",
   name: {
@@ -2806,6 +3375,7 @@ var coreSchemas = {
       agentsSchema: () => addCoreFields(agentsSchema),
       agentMessagesSchema: () => addCoreFields(agentMessagesSchema),
       agentSessionsSchema: () => addCoreFields(agentSessionsSchema),
+      modelsSchema: () => addCoreFields(modelsSchema),
       projectsSchema: () => addCoreFields(projectsSchema),
       usersSchema: () => addCoreFields(usersSchema),
       skillsSchema: () => addCoreFields(skillsSchema),
@@ -5667,14 +6237,14 @@ import {
   SandboxManager
 } from "@anthropic-ai/sandbox-runtime";
 import { mkdir as mkdir2, rm, writeFile as writeFile2, readFile as fsReadFile, readdir, stat } from "fs/promises";
-import { existsSync as existsSync2 } from "fs";
-import { join as join3, dirname, resolve, relative, posix } from "path";
-import { exec as exec2, spawn } from "child_process";
+import { existsSync as existsSync3 } from "fs";
+import { join as join3, dirname, resolve as resolve2, relative, posix } from "path";
+import { exec as exec2, spawn as spawn2 } from "child_process";
 import { promisify as promisify2 } from "util";
 
 // src/exulu/system-dependencies.ts
 import { exec } from "child_process";
-import { existsSync } from "fs";
+import { existsSync as existsSync2 } from "fs";
 import { join as join2 } from "path";
 import { promisify } from "util";
 var execAsync = promisify(exec);
@@ -5740,7 +6310,7 @@ async function probeDependency(dep) {
     case "npm-global": {
       const root = await getNpmGlobalRoot();
       if (!root) return false;
-      return existsSync(join2(root, dep.check.packageName));
+      return existsSync2(join2(root, dep.check.packageName));
     }
   }
 }
@@ -5840,7 +6410,7 @@ async function downloadSkill(skill, skillsDirectory, config) {
   }
 }
 function isArtifactPath(absPath, sessionDir) {
-  const resolved = resolve(absPath);
+  const resolved = resolve2(absPath);
   const rel = relative(sessionDir, resolved);
   if (!rel || rel.startsWith("..")) return false;
   const first = rel.split("/")[0];
@@ -5899,7 +6469,7 @@ async function restoreArtifactsFromS3(sessionDir, sessionId, userId, config) {
 async function downloadKeyIntoSandbox(opts) {
   const { sessionId, userId, fullS3Key, config } = opts;
   const sessionDir = join3("/tmp", "exulu-sessions", sessionId);
-  if (!existsSync2(sessionDir)) {
+  if (!existsSync3(sessionDir)) {
     return { written: false };
   }
   const userPrefix = `user_${userId}/sessions/${sessionId}/`;
@@ -5933,7 +6503,7 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
     return cached.handle;
   }
   const sessionDir = join3("/tmp", "exulu-sessions", sessionId);
-  const dirExisted = existsSync2(sessionDir);
+  const dirExisted = existsSync3(sessionDir);
   await mkdir2(sessionDir, { recursive: true });
   const skillsDirectory = join3(sessionDir, "skills");
   const installedSkills = /* @__PURE__ */ new Map();
@@ -6040,7 +6610,7 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
     if (!persistenceEnabled || !isArtifactPath(absPath, sessionDir)) {
       return {};
     }
-    const rel = relative(sessionDir, resolve(absPath));
+    const rel = relative(sessionDir, resolve2(absPath));
     const s3Key = artifactS3Key(sessionId, rel);
     const out = {};
     try {
@@ -6085,7 +6655,7 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
         sessionSandboxConfig
       );
       await new Promise((resolveSpawn, rejectSpawn) => {
-        const child = spawn("/bin/bash", ["-c", wrapped]);
+        const child = spawn2("/bin/bash", ["-c", wrapped]);
         let stderr = "";
         child.stderr.on("data", (chunk) => {
           stderr += chunk.toString();
@@ -6595,9 +7165,18 @@ export {
   postgresClient,
   authentication,
   STATISTICS_TYPE_ENUM,
+  isLiteLLMEnabled,
+  setLiteLLMPackageRoot,
+  startLiteLLMSupervisor,
+  waitForLiteLLMReady,
   sanitizeName,
+  checkRecordAccess,
   checkLicense,
   exuluApp,
+  buildTags,
+  createTaggedFetch,
+  ResolveModelError,
+  resolveModel,
   updateStatistic,
   createProjectItemsRetrievalTool,
   sanitizeToolName,