@flashbacktech/tsclient 0.4.33

package/dist/index.cjs

@@ -0,0 +1,1805 @@
+'use strict';
+
+// src/http/HttpError.ts
+var HttpError = class extends Error {
+  constructor(status, statusText, body) {
+    const errorCode = extractErrorCode(body);
+    const message = extractMessage(body) ?? `${status} ${statusText}`;
+    super(message);
+    this.name = "HttpError";
+    this.status = status;
+    this.statusText = statusText;
+    this.errorCode = errorCode;
+    this.body = body;
+  }
+};
+function extractErrorCode(body) {
+  if (body && typeof body === "object") {
+    const code = body.error_code ?? body.errorCode;
+    if (typeof code === "string") return code;
+  }
+  return null;
+}
+function extractMessage(body) {
+  if (body && typeof body === "object") {
+    const msg = body.message ?? body.error;
+    if (typeof msg === "string") return msg;
+  }
+  return null;
+}
+var NotImplementedError = class extends Error {
+  constructor(method) {
+    super(`${method} is not implemented in the cloud-agent backend yet.`);
+    this.name = "NotImplementedError";
+  }
+};
+
+// src/http/BaseClient.ts
+var BaseClient = class {
+  constructor(options) {
+    if (!options.baseUrl) throw new Error("CloudAgentClient: baseUrl is required");
+    this.baseUrl = options.baseUrl.replace(/\/$/, "");
+    this.getToken = options.getToken;
+    this.onUnauthorized = options.onUnauthorized;
+    this.fetchImpl = options.fetch ?? globalThis.fetch.bind(globalThis);
+    this.debug = options.debug ?? false;
+    this.defaultHeaders = options.defaultHeaders ?? {};
+    this.getImpersonateOrgId = options.getImpersonateOrgId;
+  }
+  get(path, options) {
+    return this.request("GET", path, options);
+  }
+  post(path, options) {
+    return this.request("POST", path, options);
+  }
+  put(path, options) {
+    return this.request("PUT", path, options);
+  }
+  patch(path, options) {
+    return this.request("PATCH", path, options);
+  }
+  delete(path, options) {
+    return this.request("DELETE", path, options);
+  }
+  async request(method, path, options = {}) {
+    const url = this.buildUrl(path, options.query);
+    const headers = { ...this.defaultHeaders, ...options.headers ?? {} };
+    if (!options.skipAuth && this.getToken) {
+      const token = await this.getToken();
+      if (token) headers["Authorization"] = `Bearer ${token}`;
+    }
+    if (!options.skipAuth && this.getImpersonateOrgId && !("X-Impersonate-Org-Id" in headers) && !("x-impersonate-org-id" in headers)) {
+      const target = await this.getImpersonateOrgId();
+      if (target) headers["X-Impersonate-Org-Id"] = target;
+    }
+    let body;
+    if (options.body !== void 0 && options.body !== null) {
+      if (options.body instanceof FormData) {
+        body = options.body;
+      } else {
+        if (!("Content-Type" in headers) && !("content-type" in headers)) {
+          headers["Content-Type"] = "application/json";
+        }
+        body = JSON.stringify(options.body);
+      }
+    }
+    if (this.debug) {
+      console.debug("[flashbacktech/tsclient] \u2192", method, url, options.body ?? "");
+    }
+    const res = await this.fetchImpl(url, { method, headers, body });
+    let parsed = null;
+    const text = await res.text();
+    if (text.length > 0) {
+      try {
+        parsed = JSON.parse(text);
+      } catch {
+        parsed = text;
+      }
+    }
+    if (this.debug) {
+      console.debug("[flashbacktech/tsclient] \u2190", res.status, url, parsed);
+    }
+    if (!res.ok) {
+      if (res.status === 401 && this.onUnauthorized) {
+        try {
+          await this.onUnauthorized();
+        } catch {
+        }
+      }
+      throw new HttpError(res.status, res.statusText, parsed);
+    }
+    return parsed;
+  }
+  buildUrl(path, query) {
+    const base = path.startsWith("http") ? path : `${this.baseUrl}${path.startsWith("/") ? path : `/${path}`}`;
+    if (!query) return base;
+    const params = new URLSearchParams();
+    for (const [key, value] of Object.entries(query)) {
+      if (value === void 0 || value === null) continue;
+      if (Array.isArray(value)) {
+        for (const v of value) params.append(key, String(v));
+      } else {
+        params.set(key, String(value));
+      }
+    }
+    const qs = params.toString();
+    return qs ? `${base}?${qs}` : base;
+  }
+};
+
+// src/modules/auth/AuthClient.ts
+var AuthClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  login(body) {
+    return this.http.post("/user/login", { body, skipAuth: true });
+  }
+  register(body) {
+    return this.http.post("/user/register", { body, skipAuth: true });
+  }
+  logout(refreshToken) {
+    return this.http.post("/user/logout", {
+      body: { refreshToken }
+    });
+  }
+  refresh(body) {
+    return this.http.post("/user/refresh", { body, skipAuth: true });
+  }
+  activate(body) {
+    return this.http.post("/user/activate", { body, skipAuth: true });
+  }
+  requestVerification(email) {
+    return this.http.post("/user/request-verification", {
+      body: { email },
+      skipAuth: true
+    });
+  }
+  requestPasswordReset(email) {
+    return this.http.post("/user/request-reset-password", {
+      body: { email },
+      skipAuth: true
+    });
+  }
+  resetPassword(body) {
+    return this.http.post("/user/reset-password", { body, skipAuth: true });
+  }
+  exchangeGoogle(body) {
+    return this.http.post("/auth/google/exchange", { body, skipAuth: true });
+  }
+};
+
+// src/common/envelope.ts
+function unwrapData(payload) {
+  if (!payload || payload.data === void 0) {
+    throw new Error("Response envelope missing `data` field.");
+  }
+  return payload.data;
+}
+
+// src/modules/mfa/MfaClient.ts
+var MfaClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async getStatus() {
+    const res = await this.http.get("/mfa/status");
+    return unwrapData(res);
+  }
+  async getMethods() {
+    const res = await this.http.get("/mfa/methods");
+    return res.data?.methods ?? [];
+  }
+  setup(body) {
+    return this.http.post("/mfa/setup", { body });
+  }
+  verifySetup(body) {
+    return this.http.post("/mfa/verify-setup", { body });
+  }
+  enable(mfaType) {
+    return this.http.post("/mfa/enable", { body: { mfaType } });
+  }
+  disable(mfaType) {
+    return this.http.post("/mfa/disable", { body: { mfaType } });
+  }
+  setPrimary(mfaType) {
+    return this.http.post("/mfa/primary", { body: { mfaType } });
+  }
+  sendMagicLink() {
+    return this.http.post("/mfa/magic-link/send", {});
+  }
+  activateMagicLink(body) {
+    return this.http.post("/mfa/magic-link/activate", { body, skipAuth: true });
+  }
+  verifyLogin(body) {
+    return this.http.post("/mfa/verify-login", { body });
+  }
+};
+
+// src/modules/user/UserClient.ts
+var UserClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async getProfile() {
+    const res = await this.http.get("/me");
+    return unwrapData(res);
+  }
+  update(body) {
+    return this.http.put("/user", { body });
+  }
+};
+
+// src/modules/organization/OrganizationClient.ts
+var OrganizationClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async get(orgId) {
+    const res = await this.http.get(`/organization/${orgId}`);
+    return unwrapData(res);
+  }
+  async update(orgId, body) {
+    const res = await this.http.put(`/organization/${orgId}`, { body });
+    return unwrapData(res);
+  }
+  async listUsers() {
+    const res = await this.http.get("/organization/users");
+    return res.data ?? [];
+  }
+  updateUser(userId, body) {
+    return this.http.put(`/organization/users/${userId}`, { body });
+  }
+  /** Backend currently returns 501. Surfaced for forward-compat. */
+  createUser(body) {
+    return this.http.post("/organization/users", { body });
+  }
+  /** Backend currently returns 501. Surfaced for forward-compat. */
+  deleteUser(userId) {
+    return this.http.delete(`/organization/users/${userId}`);
+  }
+  /** Accept an org invite: verifies the one-time token and sets the user's password. */
+  acceptInvite(body) {
+    return this.http.post("/organization/invite/accept", { body });
+  }
+  /**
+   * Platform-admin only: list every org for the impersonation picker.
+   * The server returns 403 when the caller's home org is not the
+   * configured ADMIN_ORGANIZATION; render the picker only when the
+   * authenticated user has `isPlatformAdmin === true`.
+   */
+  async listAll() {
+    const res = await this.http.get("/orgs/list-all");
+    return res.data ?? [];
+  }
+  /**
+   * Platform-admin only: enable or disable the debug surface for an org.
+   * Returns the updated org entry with the new allowDebug value.
+   */
+  async setAllowDebug(orgId, allow) {
+    const res = await this.http.patch(`/orgs/${orgId}/allow-debug`, { body: { allow } });
+    return res.data;
+  }
+};
+
+// src/adapters/projectAdapter.ts
+var projectAdapter = {
+  fromListResponse(payload) {
+    const list = payload?.workspaces ?? payload?.projects ?? [];
+    return list.map(normalize);
+  },
+  fromGetResponse(payload) {
+    const wire = payload;
+    const value = wire?.workspace ?? wire?.project ?? wire?.data;
+    if (!value) throw new Error("Project response missing body.");
+    return normalize(value);
+  },
+  normalize
+};
+function normalize(wire) {
+  return {
+    id: wire.id,
+    name: wire.name,
+    orgId: wire.orgId,
+    default: wire.default ?? false,
+    users: wire.users ?? []
+  };
+}
+
+// src/modules/projects/ProjectsClient.ts
+var ProjectsClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async list() {
+    const res = await this.http.get("/project");
+    return projectAdapter.fromListResponse(res);
+  }
+  async get(projectId) {
+    const res = await this.http.get(`/project/${projectId}`);
+    return projectAdapter.fromGetResponse(res);
+  }
+  async create(body) {
+    const res = await this.http.post("/project", { body });
+    return projectAdapter.fromGetResponse(res);
+  }
+  async update(projectId, body) {
+    const res = await this.http.put(`/project/${projectId}`, { body });
+    return projectAdapter.fromGetResponse(res);
+  }
+  delete(projectId) {
+    return this.http.delete(`/project/${projectId}`);
+  }
+  addMember(projectId, body) {
+    return this.http.post(`/project/${projectId}/users`, { body });
+  }
+  updateMemberRole(projectId, userId, body) {
+    return this.http.put(`/project/${projectId}/users/${userId}`, { body });
+  }
+  removeMember(projectId, userId) {
+    return this.http.delete(`/project/${projectId}/users/${userId}`);
+  }
+};
+
+// src/adapters/sandboxAdapter.ts
+var sandboxAdapter = {
+  fromListResponse(payload) {
+    const list = payload?.repos ?? payload?.sandboxes ?? [];
+    return list.map(normalize2);
+  },
+  fromGetResponse(payload) {
+    const wire = payload;
+    const value = wire?.repo ?? wire?.sandbox ?? wire?.data;
+    if (!value) throw new Error("Sandbox response missing body.");
+    return normalize2(value);
+  },
+  normalize: normalize2
+};
+function normalize2(wire) {
+  return {
+    id: wire.id,
+    name: wire.name,
+    storageType: wire.storageType,
+    mode: wire.mode,
+    orgId: wire.orgId,
+    userId: wire.userId,
+    projectId: wire.projectId ?? wire.workspaceId ?? null,
+    createdAt: wire.createdAt,
+    disabled: wire.disabled ?? false
+  };
+}
+
+// src/modules/sandboxes/SandboxesClient.ts
+var SandboxesClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async list(query = {}) {
+    const res = await this.http.get("/sandbox", {
+      query: { projectId: query.projectId }
+    });
+    return sandboxAdapter.fromListResponse(res);
+  }
+  async get(sandboxId) {
+    const res = await this.http.get(`/sandbox/${sandboxId}`);
+    return sandboxAdapter.fromGetResponse(res);
+  }
+  async create(body) {
+    const res = await this.http.post("/sandbox", {
+      body: {
+        name: body.name,
+        projectId: body.projectId,
+        storageType: body.storageType ?? "S3",
+        mode: body.mode ?? "NORMAL"
+      }
+    });
+    return sandboxAdapter.fromGetResponse(res);
+  }
+  async update(sandboxId, body) {
+    const res = await this.http.put(`/sandbox/${sandboxId}`, { body });
+    return sandboxAdapter.fromGetResponse(res);
+  }
+  delete(sandboxId) {
+    return this.http.delete(`/sandbox/${sandboxId}`);
+  }
+};
+
+// src/modules/credentials/types.ts
+function normalizeSandboxCredential(wire) {
+  return {
+    sandboxId: wire.sandboxId ?? wire.repoId ?? "",
+    credentialId: wire.credentialId,
+    provider: wire.provider,
+    label: wire.label,
+    displayHint: wire.displayHint ?? void 0,
+    createdAt: wire.createdAt
+  };
+}
+function normalizeGatewayToken(wire) {
+  return {
+    id: wire.id,
+    sandboxId: wire.sandboxId ?? wire.repoId ?? "",
+    label: wire.label,
+    createdAt: wire.createdAt
+  };
+}
+
+// src/modules/credentials/GatewayTokensClient.ts
+var GatewayTokensClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async list(sandboxId) {
+    const res = await this.http.get(
+      `/sandbox/${sandboxId}/gateway-token`
+    );
+    const list = res.tokens ?? res.data ?? [];
+    return list.map(normalizeGatewayToken);
+  }
+  /**
+   * create returns both the persisted token row and the plaintext bearer
+   * (`secret`). The bearer is shown only here; surface it to the user
+   * immediately. If they navigate away without copying, they have to
+   * delete the token and create a new one.
+   */
+  async create(sandboxId, body) {
+    const res = await this.http.post(`/sandbox/${sandboxId}/gateway-token`, { body });
+    if (!res.token || !res.secret) {
+      throw new Error("createGatewayToken response missing token or secret.");
+    }
+    return {
+      token: normalizeGatewayToken(res.token),
+      secret: res.secret
+    };
+  }
+  delete(sandboxId, tokenId) {
+    return this.http.delete(`/sandbox/${sandboxId}/gateway-token/${tokenId}`);
+  }
+};
+
+// src/modules/credentials/CredentialsClient.ts
+var SandboxCredentialScope = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async list(sandboxId) {
+    const res = await this.http.get(
+      `/sandbox/${sandboxId}/credential`
+    );
+    const list = res.items ?? res.data ?? [];
+    return list.map(normalizeSandboxCredential);
+  }
+  attach(sandboxId, credentialId) {
+    return this.http.post(`/sandbox/${sandboxId}/credential`, {
+      body: { credentialId }
+    });
+  }
+  detach(sandboxId, credentialId) {
+    return this.http.delete(`/sandbox/${sandboxId}/credential/${credentialId}`);
+  }
+};
+var CredentialsClient = class {
+  constructor(http) {
+    this.http = http;
+    this.sandbox = new SandboxCredentialScope(http);
+    this.gatewayTokens = new GatewayTokensClient(http);
+  }
+  async list(query) {
+    const res = await this.http.get(
+      "/credentials",
+      {
+        query: {
+          projectId: query.projectId,
+          provider: query.provider,
+          capability: query.capability
+        }
+      }
+    );
+    return res.credentials ?? res.data ?? [];
+  }
+  async create(body) {
+    const res = await this.http.post(
+      "/credentials",
+      { body }
+    );
+    const value = res.data ?? res.credential;
+    if (!value) throw new Error("createCredential response missing body.");
+    return value;
+  }
+  async update(credentialId, body) {
+    const res = await this.http.put(
+      `/credentials/${credentialId}`,
+      { body }
+    );
+    const value = res.credential ?? res.data;
+    if (!value) throw new Error("updateCredential response missing body.");
+    return value;
+  }
+  delete(credentialId) {
+    return this.http.delete(`/credentials/${credentialId}`);
+  }
+  /**
+   * providers fetches the server-side catalog. The tsclient ships its
+   * own catalog mirror in ./providers.ts that the frontend can use
+   * synchronously; this endpoint is the runtime source of truth and
+   * picks up customer extensions added server-side without a tsclient
+   * republish.
+   */
+  async providers() {
+    const res = await this.http.get("/providers");
+    return res.providers ?? res.data ?? [];
+  }
+};
+
+// src/modules/chat/ChatStream.ts
+var STREAM_PATH = "/api/agentengine/v1/agent/chat/sessions";
+async function openChatStream(deps, options) {
+  const mod = await import('event-source-polyfill');
+  const Polyfill = mod.EventSourcePolyfill ?? mod.default?.EventSourcePolyfill ?? mod.default;
+  if (!Polyfill) {
+    throw new Error("event-source-polyfill is required for client.chat.openStream(). Install it as a peer dep.");
+  }
+  const url = `${deps.baseUrl.replace(/\/$/, "")}${STREAM_PATH}/${options.conversationId}/stream`;
+  const headers = {
+    "X-Org-Id": options.scope.orgId,
+    "X-User-Id": options.scope.userId,
+    "X-Sandbox-Id": options.scope.sandboxId ?? options.scope.repoId ?? "",
+    "X-Repo-Id": options.scope.sandboxId ?? options.scope.repoId ?? ""
+  };
+  if (options.scope.projectId ?? options.scope.workspaceId) {
+    headers["X-Project-Id"] = options.scope.projectId ?? options.scope.workspaceId ?? "";
+    headers["X-Workspace-Id"] = options.scope.projectId ?? options.scope.workspaceId ?? "";
+  }
+  if (deps.getToken) {
+    const token = await deps.getToken();
+    if (token) headers["Authorization"] = `Bearer ${token}`;
+  }
+  if (options.lastEventId) headers["Last-Event-ID"] = options.lastEventId;
+  const es = new Polyfill(url, {
+    headers,
+    heartbeatTimeout: options.heartbeatTimeout ?? 6e4
+  });
+  const KNOWN_EVENTS = [
+    "phase",
+    "question",
+    "plan_draft",
+    "step_started",
+    "step_completed",
+    "step_failed",
+    "step_progress",
+    "narration",
+    "assistant_message",
+    "done",
+    "session_title",
+    "tool_call_started",
+    "tool_call_finished",
+    "llm_call_finished",
+    "tool_call_confirmation_required"
+  ];
+  const handleRaw = (raw) => {
+    try {
+      const parsed = JSON.parse(raw.data);
+      options.onEvent(parsed);
+    } catch {
+    }
+  };
+  for (const name of KNOWN_EVENTS) {
+    es.addEventListener(name, handleRaw);
+  }
+  if (options.onError) {
+    es.onerror = (event) => options.onError?.(event);
+  }
+  return { close: () => es.close() };
+}
+
+// src/modules/chat/ChatClient.ts
+var BASE_PATH = "/api/agentengine/v1/agent/chat/sessions";
+function scopeHeaders(scope) {
+  const sandboxId = scope.sandboxId ?? scope.repoId ?? "";
+  const projectId = scope.projectId ?? scope.workspaceId;
+  const headers = {
+    "X-Org-Id": scope.orgId,
+    "X-User-Id": scope.userId,
+    "X-Sandbox-Id": sandboxId,
+    "X-Repo-Id": sandboxId
+  };
+  if (projectId) {
+    headers["X-Project-Id"] = projectId;
+    headers["X-Workspace-Id"] = projectId;
+  }
+  return headers;
+}
+var ChatSessionsScope = class {
+  constructor(http) {
+    this.http = http;
+  }
+  create(scope, body) {
+    return this.http.post(BASE_PATH, {
+      body,
+      headers: scopeHeaders(scope)
+    });
+  }
+  list(scope, query = {}) {
+    return this.http.get(BASE_PATH, {
+      query,
+      headers: scopeHeaders(scope)
+    });
+  }
+  get(scope, conversationId) {
+    return this.http.get(`${BASE_PATH}/${conversationId}`, {
+      headers: scopeHeaders(scope)
+    });
+  }
+  delete(scope, conversationId) {
+    return this.http.delete(`${BASE_PATH}/${conversationId}`, {
+      headers: scopeHeaders(scope)
+    });
+  }
+};
+var ChatMessagesScope = class {
+  constructor(http) {
+    this.http = http;
+  }
+  post(scope, conversationId, body) {
+    return this.http.post(`${BASE_PATH}/${conversationId}/messages`, {
+      body,
+      headers: scopeHeaders(scope)
+    });
+  }
+  /**
+   * Interrupts an in-flight chat-loop turn. The engine cancels the turn's
+   * Go context and asks the sandbox service to kill any in-flight docker
+   * exec inside the per-session container (the container itself survives
+   * so the next turn keeps its filesystem state). Returns 404 when no
+   * turn matches `turnId` — covers the race where the user clicks Stop
+   * just after the turn already finished.
+   *
+   * The engine still emits a terminal `done` SSE event with
+   * status="context_cancelled" after this returns; the frontend should
+   * render its "Cancelled" marker on that event rather than on this
+   * response, so a reload mid-cancel still ends in the same UI state.
+   */
+  cancel(scope, conversationId, turnId) {
+    return this.http.post(
+      `${BASE_PATH}/${conversationId}/messages/${turnId}/cancel`,
+      { headers: scopeHeaders(scope) }
+    );
+  }
+  /**
+   * Deliver the user's allow/deny decision on an M3 confirmation modal
+   * (fired when the policy hook emits a
+   * `tool_call_confirmation_required` SSE event). The chat-loop has
+   * suspended waiting on this call; on allow it dispatches the tool, on
+   * deny it synthesises a "DENIED:" tool result so the model can react.
+   * Returns 404 when no pending confirmation exists for the given
+   * (turn, tool_call) — usually means the 4-minute confirmer timeout
+   * already elapsed.
+   */
+  confirmToolCall(scope, conversationId, turnId, toolCallId, body) {
+    return this.http.post(
+      `${BASE_PATH}/${conversationId}/messages/${turnId}/confirm/${toolCallId}`,
+      { body, headers: scopeHeaders(scope) }
+    );
+  }
+};
+var ChatQuestionsScope = class {
+  constructor(http) {
+    this.http = http;
+  }
+  answer(scope, conversationId, turnId, body) {
+    return this.http.post(
+      `${BASE_PATH}/${conversationId}/messages/${turnId}/answers`,
+      { body, headers: scopeHeaders(scope) }
+    );
+  }
+};
+var ChatDebugScope = class {
+  constructor(http) {
+    this.http = http;
+  }
+  getByConversation(scope, conversationId) {
+    return this.http.get(`${BASE_PATH}/${conversationId}/debug`, {
+      headers: scopeHeaders(scope)
+    });
+  }
+};
+var ChatSchedulesScope = class {
+  constructor(http) {
+    this.http = http;
+  }
+  repoPath(scope) {
+    const repoID = scope.sandboxId ?? scope.repoId ?? "";
+    return `/api/agentengine/v1/agent/repos/${repoID}/schedules`;
+  }
+  list(scope) {
+    return this.http.get(this.repoPath(scope), {
+      headers: scopeHeaders(scope)
+    });
+  }
+  create(scope, body) {
+    return this.http.post(this.repoPath(scope), {
+      body,
+      headers: scopeHeaders(scope)
+    });
+  }
+  get(scope, scheduleId) {
+    return this.http.get(`${this.repoPath(scope)}/${scheduleId}`, {
+      headers: scopeHeaders(scope)
+    });
+  }
+  update(scope, scheduleId, body) {
+    return this.http.put(`${this.repoPath(scope)}/${scheduleId}`, {
+      body,
+      headers: scopeHeaders(scope)
+    });
+  }
+  delete(scope, scheduleId) {
+    return this.http.delete(`${this.repoPath(scope)}/${scheduleId}`, {
+      headers: scopeHeaders(scope)
+    });
+  }
+  /**
+   * List recent chat sessions spawned by a schedule's cron tick — used
+   * by the SchedulesTab "Runs" panel to surface real audit trail
+   * instead of dumping the user into the global chat list.
+   *
+   * Each entry is a full ChatSession row; `.id` is the conversation id
+   * the dashboard navigates to (`/chat/:conversationId`). All rows are
+   * unattended (the scheduler is the only writer of `schedule_id`),
+   * which makes the chat session viewer render the "Scheduled run"
+   * ribbon and hide the composer.
+   *
+   * Server returns the 50 most-recent rows; no cursor pagination in
+   * v1 (deferred until the long-tail audit case proves real).
+   */
+  listRuns(scope, scheduleId) {
+    return this.http.get(
+      `${this.repoPath(scope)}/${scheduleId}/runs`,
+      { headers: scopeHeaders(scope) }
+    );
+  }
+};
+var ChatClient = class {
+  constructor(http, streamDeps) {
+    this.http = http;
+    this.streamDeps = streamDeps;
+    this.sessions = new ChatSessionsScope(http);
+    this.messages = new ChatMessagesScope(http);
+    this.questions = new ChatQuestionsScope(http);
+    this.debug = new ChatDebugScope(http);
+    this.schedules = new ChatSchedulesScope(http);
+  }
+  openStream(options) {
+    return openChatStream(this.streamDeps, options);
+  }
+};
+
+// src/modules/agentEngine/TemplatesClient.ts
+var BASE_PATH2 = "/api/agentengine/v1/agent/templates";
+var TemplatesClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  list(query = {}) {
+    return this.http.get(BASE_PATH2, { query });
+  }
+  create(body) {
+    return this.http.post(BASE_PATH2, { body });
+  }
+  delete(templateId) {
+    return this.http.delete(`${BASE_PATH2}/${templateId}`);
+  }
+};
+
+// src/modules/agentEngine/ScheduledTasksClient.ts
+var BASE_PATH3 = "/api/agentengine/v1/agent/scheduled-tasks";
+var ScheduledTasksClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  list(query) {
+    return this.http.get(BASE_PATH3, { query });
+  }
+  create(body) {
+    return this.http.post(BASE_PATH3, { body });
+  }
+  delete(taskId, orgId) {
+    return this.http.delete(`${BASE_PATH3}/${taskId}`, {
+      query: { org_id: orgId }
+    });
+  }
+};
+
+// src/modules/resources/ResourcesClient.ts
+var ResourcesClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  getTree(repoId, query) {
+    const params = new URLSearchParams();
+    const search = query?.search?.trim();
+    if (search) params.set("search", search);
+    if (query?.showDefault === true) params.set("showDefault", "true");
+    const qs = params.size > 0 ? `?${params.toString()}` : "";
+    return this.http.get(`/repos/${repoId}/resources/tree${qs}`);
+  }
+  /**
+   * BFS-walks the dependency graph starting from `seedResourceIds` (or
+   * `seedNameTokens`) and returns the matching nodes + edges. Use this
+   * to render an inbound/outbound dependency view for a selected
+   * resource. The server caps the result at maxNodes (default 80,
+   * hard cap 200) and sets `truncated` when the cap was hit.
+   */
+  getSubgraph(repoId, request) {
+    return this.http.post(`/repos/${repoId}/resources/subgraph`, { body: request });
+  }
+  /**
+   * Returns recent scan history for a repo, optionally filtered by
+   * credential. Backed by CloudScanHistory rows written when the
+   * agent's discovery orchestrator releases a lease (or when the
+   * backend's cleanup job sweeps an expired one). Use this to render
+   * "last refreshed N min ago" badges and per-scope add/remove counts
+   * next to the resource tree.
+   */
+  listScans(repoId, query) {
+    const params = new URLSearchParams();
+    if (query?.credentialId) params.set("credentialId", query.credentialId);
+    if (query?.limit != null) params.set("limit", String(query.limit));
+    const qs = params.size > 0 ? `?${params.toString()}` : "";
+    return this.http.get(`/repos/${repoId}/scans${qs}`);
+  }
+  /**
+   * Peeks the active scan lease (if any) for the given credential. Used
+   * by the dashboard to display a "scan in progress" badge without
+   * attempting to acquire the lease. Returns `lease: null` when no
+   * scan is running. Expired leases are returned with their stale
+   * timestamps — callers should compare `expiresAt` to `Date.now()`
+   * before treating them as active.
+   */
+  peekScanLease(repoId, credentialId) {
+    const params = new URLSearchParams();
+    params.set("credentialId", credentialId);
+    return this.http.get(`/repos/${repoId}/scans/lease?${params.toString()}`);
+  }
+  /**
+   * Attempts to claim a scan lease. Returns the acquired lease on
+   * success. The server responds 409 with a `ScanInProgressError`-
+   * shaped body when another scan is already in flight — callers
+   * should catch the HttpError, parse the body, and surface a polite
+   * "another scan is running" notice rather than retry automatically.
+   *
+   * NOTE: routine use is the agent's job. The dashboard typically only
+   * calls peekScanLease + listScans; this method is exposed for power-
+   * user tooling and automated test harnesses.
+   */
+  acquireScanLease(repoId, request) {
+    return this.http.post(`/repos/${repoId}/scans/lease`, { body: request });
+  }
+};
+
+// src/modules/systemEvents/types.ts
+function normalizeSystemEvent(wire) {
+  return {
+    id: wire.id,
+    timestamp: wire.timestamp,
+    contextId: wire.contextId,
+    context: wire.context,
+    event: wire.event,
+    orgId: wire.orgId,
+    userId: wire.userId,
+    userName: wire.userName,
+    userEmail: wire.userEmail,
+    projectId: wire.projectId ?? wire.workspaceId ?? null,
+    jsonData: wire.jsonData ?? null,
+    showUnread: wire.showUnread
+  };
+}
+
+// src/modules/systemEvents/SystemEventsClient.ts
+var SystemEventsClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async query(body) {
+    const wire = await this.http.post("/systemevent", { body });
+    return {
+      events: (wire.events ?? []).map(normalizeSystemEvent),
+      total: wire.total ?? 0,
+      skip: wire.skip ?? 0,
+      take: wire.take ?? 0
+    };
+  }
+  markRead(eventIdOrIds) {
+    const body = Array.isArray(eventIdOrIds) ? { ids: eventIdOrIds } : { id: eventIdOrIds };
+    return this.http.post("/systemevent/read", { body });
+  }
+  markUnread(eventIdOrIds) {
+    const body = Array.isArray(eventIdOrIds) ? { ids: eventIdOrIds } : { id: eventIdOrIds };
+    return this.http.delete("/systemevent/read", { body });
+  }
+};
+
+// src/modules/billing/SubscriptionsClient.ts
+var SubscriptionsClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async listCatalog() {
+    const res = await this.http.get("/subscriptions", { skipAuth: true });
+    return res.data ?? [];
+  }
+  async getMine() {
+    const res = await this.http.get("/subscriptions/my");
+    return res.data ?? null;
+  }
+  buy(body) {
+    return this.http.post("/subscriptions/buy", { body });
+  }
+  cancel() {
+    return this.http.post("/subscriptions/cancel", {});
+  }
+  async listPayments() {
+    const res = await this.http.get("/subscriptions/payments");
+    return res.data ?? [];
+  }
+  /** Stripe-hosted billing portal URL. */
+  async portal() {
+    const res = await this.http.post("/subscriptions/portal", {});
+    return unwrapData(res);
+  }
+};
+
+// src/modules/billing/CreditsClient.ts
+var CreditsClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async getBalance() {
+    const res = await this.http.get("/credits/balance");
+    return unwrapData(res);
+  }
+  listTransactions(query = {}) {
+    return this.http.get("/credits/transactions", { query });
+  }
+  /** Backend currently returns 501. Surfaced for forward-compat. */
+  async getMonthlyStats() {
+    const res = await this.http.get("/credits/stats/monthly");
+    return res.data ?? [];
+  }
+};
+
+// src/modules/usage/UsageClient.ts
+var LEGACY_AGENT_PATH = "/api/agentengine/v1/usage";
+var SCOPED_BASE = "/usage";
+var UsageClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  // ── legacy ─────────────────────────────────────────────────────────────────
+  // Existing Settings → Usage page calls this. Kept for back-compat until the
+  // new dashboard fully replaces the JSON dump.
+  getSummary(query) {
+    return this.http.get(`${LEGACY_AGENT_PATH}/summary`, { query });
+  }
+  // ── new scoped surface ─────────────────────────────────────────────────────
+  // Hits the backend-side RBAC wrapper; the backend re-injects the scope id
+  // into the agent query so we don't have to.
+  org(query = {}) {
+    return this.http.get(`${SCOPED_BASE}/org`, { query });
+  }
+  project(projectId, query = {}) {
+    return this.http.get(`${SCOPED_BASE}/project/${encodeURIComponent(projectId)}`, { query });
+  }
+  sandbox(sandboxId, query = {}) {
+    return this.http.get(`${SCOPED_BASE}/sandbox/${encodeURIComponent(sandboxId)}`, { query });
+  }
+  chat(chatId, query = {}) {
+    return this.http.get(`${SCOPED_BASE}/chat/${encodeURIComponent(chatId)}`, { query });
+  }
+  // Each report variant exists so the dashboard chart can request hourly /
+  // daily buckets without leaking scope routing into the caller.
+  orgReport(query = {}) {
+    return this.http.get(`${SCOPED_BASE}/org`, { query: { ...query, kind: "report" } });
+  }
+  projectReport(projectId, query = {}) {
+    return this.http.get(`${SCOPED_BASE}/project/${encodeURIComponent(projectId)}`, { query: { ...query, kind: "report" } });
+  }
+  sandboxReport(sandboxId, query = {}) {
+    return this.http.get(`${SCOPED_BASE}/sandbox/${encodeURIComponent(sandboxId)}`, { query: { ...query, kind: "report" } });
+  }
+  chatReport(chatId, query = {}) {
+    return this.http.get(`${SCOPED_BASE}/chat/${encodeURIComponent(chatId)}`, { query: { ...query, kind: "report" } });
+  }
+  // Per-model breakdown — drives the table under the bar chart.
+  orgByModel(query = {}) {
+    return this.http.get(`${SCOPED_BASE}/org`, { query: { ...query, kind: "by_model" } });
+  }
+  projectByModel(projectId, query = {}) {
+    return this.http.get(`${SCOPED_BASE}/project/${encodeURIComponent(projectId)}`, { query: { ...query, kind: "by_model" } });
+  }
+  sandboxByModel(sandboxId, query = {}) {
+    return this.http.get(`${SCOPED_BASE}/sandbox/${encodeURIComponent(sandboxId)}`, { query: { ...query, kind: "by_model" } });
+  }
+  chatByModel(chatId, query = {}) {
+    return this.http.get(`${SCOPED_BASE}/chat/${encodeURIComponent(chatId)}`, { query: { ...query, kind: "by_model" } });
+  }
+};
+
+// src/modules/budgets/BudgetsClient.ts
+var BASE = "/budgets";
+var BudgetsClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  // ── org ──
+  getOrg() {
+    return this.http.get(`${BASE}/org`);
+  }
+  updateOrg(body) {
+    return this.http.put(`${BASE}/org`, { body });
+  }
+  // ── project (workspace) ──
+  getProject(projectId) {
+    return this.http.get(`${BASE}/project/${encodeURIComponent(projectId)}`);
+  }
+  updateProject(projectId, body) {
+    return this.http.put(`${BASE}/project/${encodeURIComponent(projectId)}`, { body });
+  }
+  // ── sandbox (repo) ──
+  getSandbox(sandboxId) {
+    return this.http.get(`${BASE}/sandbox/${encodeURIComponent(sandboxId)}`);
+  }
+  updateSandbox(sandboxId, body) {
+    return this.http.put(`${BASE}/sandbox/${encodeURIComponent(sandboxId)}`, { body });
+  }
+  // ── chat session ──
+  getChat(chatId) {
+    return this.http.get(`${BASE}/chat/${encodeURIComponent(chatId)}`);
+  }
+  updateChat(chatId, body) {
+    return this.http.put(`${BASE}/chat/${encodeURIComponent(chatId)}`, { body });
+  }
+  // Resolves chat → sandbox → project → org and returns the first non-zero
+  // per-chat USD cap plus the level it came from. Powers the chat header
+  // budget badge — UI labels inherited values.
+  getEffectiveChat(chatId) {
+    return this.http.get(`${BASE}/chat/${encodeURIComponent(chatId)}/effective`);
+  }
+  // ── per-template / per-scheduled USD caps ──
+  updateTemplateCostLimit(templateId, body) {
+    return this.http.put(`${BASE}/template/${encodeURIComponent(templateId)}/cost_limit`, { body });
+  }
+  updateScheduleCostLimit(scheduleId, body) {
+    return this.http.put(`${BASE}/schedule/${encodeURIComponent(scheduleId)}/cost_limit`, { body });
+  }
+};
+
+// src/client.ts
+var AgentEngineFacade = class {
+  constructor(templates, scheduledTasks) {
+    this.templates = templates;
+    this.scheduledTasks = scheduledTasks;
+  }
+};
+var BillingFacade = class {
+  constructor(subscriptions, credits) {
+    this.subscriptions = subscriptions;
+    this.credits = credits;
+  }
+};
+var CloudAgentClient = class {
+  constructor(options) {
+    this.http = new BaseClient(options);
+    this.auth = new AuthClient(this.http);
+    this.mfa = new MfaClient(this.http);
+    this.user = new UserClient(this.http);
+    this.organization = new OrganizationClient(this.http);
+    this.projects = new ProjectsClient(this.http);
+    this.sandboxes = new SandboxesClient(this.http);
+    this.credentials = new CredentialsClient(this.http);
+    this.chat = new ChatClient(this.http, { baseUrl: this.http.baseUrl, getToken: options.getToken });
+    this.agentEngine = new AgentEngineFacade(
+      new TemplatesClient(this.http),
+      new ScheduledTasksClient(this.http)
+    );
+    this.resources = new ResourcesClient(this.http);
+    this.systemEvents = new SystemEventsClient(this.http);
+    this.billing = new BillingFacade(new SubscriptionsClient(this.http), new CreditsClient(this.http));
+    this.usage = new UsageClient(this.http);
+    this.budgets = new BudgetsClient(this.http);
+  }
+};
+
+// src/common/types.ts
+var ProviderType = /* @__PURE__ */ ((ProviderType2) => {
+  ProviderType2["LOCAL"] = "LOCAL";
+  ProviderType2["GOOGLE"] = "GOOGLE";
+  ProviderType2["MICROSOFT"] = "MICROSOFT";
+  ProviderType2["GITHUB"] = "GITHUB";
+  ProviderType2["WEB3_STELLAR"] = "WEB3_STELLAR";
+  return ProviderType2;
+})(ProviderType || {});
+var AccessType = /* @__PURE__ */ ((AccessType2) => {
+  AccessType2["READ"] = "READ";
+  AccessType2["WRITE"] = "WRITE";
+  AccessType2["ADMIN"] = "ADMIN";
+  return AccessType2;
+})(AccessType || {});
+var OrgRoles = /* @__PURE__ */ ((OrgRoles2) => {
+  OrgRoles2[OrgRoles2["USER"] = 0] = "USER";
+  OrgRoles2[OrgRoles2["BILLING"] = 1] = "BILLING";
+  OrgRoles2[OrgRoles2["WORKSPACES"] = 2] = "WORKSPACES";
+  OrgRoles2[OrgRoles2["ADMINISTRATORS"] = 254] = "ADMINISTRATORS";
+  OrgRoles2[OrgRoles2["OWNER"] = 255] = "OWNER";
+  return OrgRoles2;
+})(OrgRoles || {});
+
+// src/modules/mfa/types.ts
+var MFAType = /* @__PURE__ */ ((MFAType2) => {
+  MFAType2["GOOGLE_AUTH"] = "GOOGLE_AUTH";
+  MFAType2["MAGIC_LINK"] = "MAGIC_LINK";
+  MFAType2["PASSKEY"] = "PASSKEY";
+  return MFAType2;
+})(MFAType || {});
+
+// src/modules/credentials/providers.ts
+var CAP_STORAGE = 1;
+var CAP_AI = 2;
+var CAP_COMPUTE = 4;
+var CAP_VCS = 8;
+var CAP_GENERAL = 255;
+var PROVIDER_CATALOG = {
+  AWS: {
+    id: "AWS",
+    displayName: "Amazon Web Services",
+    capabilities: CAP_STORAGE,
+    fields: [
+      {
+        path: "metadata.accessKeyId",
+        label: "Access Key ID",
+        type: "text",
+        required: true,
+        placeholder: "AKIAxxxxxxxxxxxxxxxx",
+        help: "The AKIA-prefixed identifier from IAM. Stored in plain text \u2014 only the secret access key is encrypted."
+      },
+      {
+        path: "secret",
+        label: "Secret Access Key",
+        type: "password",
+        required: true,
+        secret: true,
+        help: "The 40-character secret. Encrypted at rest."
+      },
+      {
+        path: "metadata.region",
+        label: "Region",
+        type: "text",
+        required: false,
+        placeholder: "us-east-1",
+        help: "Default region for boto3 clients. Optional \u2014 leave blank to use the SDK default."
+      },
+      {
+        path: "metadata.endpoint",
+        label: "Endpoint (optional)",
+        type: "text",
+        required: false,
+        placeholder: "https://s3.amazonaws.com",
+        help: "Override for non-AWS S3-compatible endpoints (MinIO, Wasabi, etc.). Most users leave blank."
+      }
+    ]
+  },
+  BEDROCK: {
+    id: "BEDROCK",
+    displayName: "AWS Bedrock",
+    capabilities: CAP_AI,
+    fields: [
+      {
+        path: "metadata.accessKeyId",
+        label: "Access Key ID",
+        type: "text",
+        required: true,
+        placeholder: "AKIAxxxxxxxxxxxxxxxx",
+        help: "IAM access key allowed to invoke Bedrock. Stored in plain text \u2014 only the secret access key is encrypted."
+      },
+      {
+        path: "secret",
+        label: "Secret Access Key",
+        type: "password",
+        required: true,
+        secret: true,
+        help: "The IAM secret. Encrypted at rest."
+      },
+      {
+        path: "metadata.region",
+        label: "Region",
+        type: "text",
+        required: false,
+        placeholder: "us-east-1",
+        help: "Default region for Bedrock Runtime. Optional \u2014 leave blank to use the SDK default."
+      },
+      {
+        path: "metadata.endpoint",
+        label: "Endpoint (optional)",
+        type: "text",
+        required: false,
+        placeholder: "https://bedrock-runtime.us-east-1.amazonaws.com",
+        help: "Override for VPC endpoints or testing. Most users leave blank."
+      }
+    ]
+  },
+  GCP: {
+    id: "GCP",
+    displayName: "Google Cloud",
+    capabilities: CAP_STORAGE,
+    fields: [
+      {
+        path: "secret",
+        label: "Service Account JSON",
+        type: "json",
+        required: true,
+        secret: true,
+        placeholder: '{"type":"service_account","project_id":"\u2026","client_email":"\u2026","private_key":"\u2026"}',
+        help: "Paste the service-account JSON, or drop the file you downloaded from the IAM console. The full document is encrypted; project_id and client_email are extracted automatically for display."
+      }
+    ]
+  },
+  AZURE: {
+    id: "AZURE",
+    displayName: "Microsoft Azure",
+    capabilities: CAP_STORAGE,
+    fields: [
+      {
+        path: "metadata.clientId",
+        label: "Client ID (Application ID)",
+        type: "text",
+        required: true,
+        placeholder: "00000000-0000-0000-0000-000000000000"
+      },
+      {
+        path: "secret",
+        label: "Client Secret",
+        type: "password",
+        required: true,
+        secret: true,
+        help: "The secret value generated when you registered the app. Encrypted at rest."
+      },
+      {
+        path: "metadata.tenantId",
+        label: "Tenant ID",
+        type: "text",
+        required: true,
+        placeholder: "00000000-0000-0000-0000-000000000000"
+      },
+      {
+        path: "metadata.subscriptionId",
+        label: "Subscription ID",
+        type: "text",
+        required: false,
+        placeholder: "00000000-0000-0000-0000-000000000000"
+      }
+    ]
+  },
+  SSH: {
+    id: "SSH",
+    displayName: "SSH",
+    capabilities: CAP_COMPUTE,
+    fields: [
+      {
+        path: "metadata.user",
+        label: "User",
+        type: "text",
+        required: true,
+        placeholder: "ubuntu",
+        help: "Linux user the agent will SSH as."
+      },
+      {
+        path: "metadata.host",
+        label: "Host",
+        type: "text",
+        required: true,
+        placeholder: "vps.example.com  or  *  for wildcard",
+        help: "Hostname or IP. Use '*' for a key that's valid across multiple hosts; the agent will require the prompt to name the target host."
+      },
+      {
+        path: "metadata.port",
+        label: "Port",
+        type: "number",
+        required: false,
+        default: 22,
+        placeholder: "22"
+      },
+      {
+        path: "secret",
+        label: "PEM Private Key",
+        type: "pem",
+        required: true,
+        secret: true,
+        placeholder: "-----BEGIN OPENSSH PRIVATE KEY-----\n\u2026\n-----END OPENSSH PRIVATE KEY-----",
+        help: "Paste the PEM, or drop the private key file (e.g. id_ed25519). Passphrase-encrypted keys are rejected \u2014 the agent runs unattended."
+      }
+    ]
+  },
+  GITHUB: {
+    id: "GITHUB",
+    displayName: "GitHub",
+    capabilities: CAP_VCS,
+    fields: [
+      {
+        path: "secret",
+        label: "Personal Access Token (PAT)",
+        type: "password",
+        required: true,
+        secret: true,
+        placeholder: "ghp_xxxxxxxxxxxxxxxxxxxxxxxx",
+        help: "A classic or fine-grained PAT. Encrypted at rest. The first 7 characters are kept in metadata for display."
+      },
+      {
+        path: "metadata.org",
+        label: "Org (optional)",
+        type: "text",
+        required: false,
+        placeholder: "my-github-org",
+        help: "Restrict this credential to a single org if you scoped the PAT that way. Optional \u2014 leave blank for personal-account access."
+      },
+      {
+        path: "metadata.repoSlugs",
+        label: "Allowed Repos (optional)",
+        type: "stringList",
+        required: false,
+        placeholder: "owner/repo",
+        help: "Repos the agent is allowed to operate on with this credential, as 'owner/name'. Drives the awareness block injected into the planner. Leave empty to grant the full PAT scope (the agent will still only act on repos the user names in prompts)."
+      },
+      {
+        path: "metadata.protectedBranches",
+        label: "Protected Branches (optional)",
+        type: "stringList",
+        required: false,
+        placeholder: "main",
+        help: "Branches that require explicit user approval for write operations (push, merge, delete). 'main' / 'master' / 'release/*' are good defaults."
+      }
+    ]
+  },
+  GITLAB: {
+    id: "GITLAB",
+    displayName: "GitLab",
+    capabilities: CAP_VCS,
+    fields: [
+      {
+        path: "secret",
+        label: "Access Token",
+        type: "password",
+        required: true,
+        secret: true,
+        placeholder: "glpat-xxxxxxxxxxxxxxxxxxxx",
+        help: "A personal, project, or group access token. Encrypted at rest. The first 9 characters are kept in metadata for display."
+      },
+      {
+        path: "metadata.endpoint",
+        label: "Endpoint (optional)",
+        type: "text",
+        required: false,
+        placeholder: "https://gitlab.example.com/api/v4",
+        help: "Override for self-hosted GitLab. Leave blank to use https://gitlab.com/api/v4."
+      },
+      {
+        path: "metadata.group",
+        label: "Top-level Group (optional)",
+        type: "text",
+        required: false,
+        placeholder: "my-gitlab-group",
+        help: "Restrict this credential to a single top-level group if you scoped the token that way. Optional \u2014 leave blank for personal-account or wider scope."
+      },
+      {
+        path: "metadata.repoSlugs",
+        label: "Allowed Projects (optional)",
+        type: "stringList",
+        required: false,
+        placeholder: "group/subgroup/project",
+        help: "Project paths the agent is allowed to operate on with this credential. GitLab project paths can be arbitrarily deep (group/subgroup/.../project). Leave empty to grant the full token scope."
+      },
+      {
+        path: "metadata.protectedBranches",
+        label: "Protected Branches (optional)",
+        type: "stringList",
+        required: false,
+        placeholder: "main",
+        help: "Branches that require explicit user approval for write operations. 'main' / 'master' / 'release/*' are good defaults."
+      }
+    ]
+  },
+  AZURE_DEVOPS: {
+    id: "AZURE_DEVOPS",
+    displayName: "Azure DevOps",
+    capabilities: CAP_VCS,
+    fields: [
+      {
+        path: "secret",
+        label: "Personal Access Token (PAT)",
+        type: "password",
+        required: true,
+        secret: true,
+        placeholder: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+        help: "An ADO PAT with the scopes you want the agent to use (Code, Build, Release, Work Items \u2026). Encrypted at rest. The first 7 characters are kept in metadata for display."
+      },
+      {
+        path: "metadata.organization",
+        label: "Organization",
+        type: "text",
+        required: true,
+        placeholder: "my-ado-org",
+        help: "The ADO organization name (the segment after dev.azure.com/, or the prefix in your-org.visualstudio.com)."
+      },
+      {
+        path: "metadata.project",
+        label: "Project (optional)",
+        type: "text",
+        required: false,
+        placeholder: "Engineering",
+        help: "Restrict this credential to a single ADO project. Optional \u2014 leave blank if the PAT spans multiple projects in the org."
+      },
+      {
+        path: "metadata.endpoint",
+        label: "Endpoint (optional)",
+        type: "text",
+        required: false,
+        placeholder: "https://dev.azure.com",
+        help: "Override for ADO Server (on-prem) deployments. Leave blank to use https://dev.azure.com."
+      },
+      {
+        path: "metadata.repoSlugs",
+        label: "Allowed Repos (optional)",
+        type: "stringList",
+        required: false,
+        placeholder: "project/repo",
+        help: "Repos the agent is allowed to operate on. Use 'project/repo' when 'Project' is blank, or just 'repo' when scoped to one project. Leave empty to grant the full PAT scope."
+      },
+      {
+        path: "metadata.protectedBranches",
+        label: "Protected Branches (optional)",
+        type: "stringList",
+        required: false,
+        placeholder: "main",
+        help: "Branches that require explicit user approval for write operations and pipeline triggers."
+      }
+    ]
+  },
+  OPENAI: {
+    id: "OPENAI",
+    displayName: "OpenAI",
+    capabilities: CAP_AI,
+    fields: [
+      {
+        path: "secret",
+        label: "API Key",
+        type: "password",
+        required: true,
+        secret: true,
+        placeholder: "sk-\u2026",
+        help: "Your OpenAI API key. Encrypted at rest. The first ~7 characters are kept in metadata for display."
+      },
+      {
+        path: "metadata.endpoint",
+        label: "Endpoint (optional)",
+        type: "text",
+        required: false,
+        placeholder: "https://api.openai.com/v1",
+        help: "Override for OpenAI-compatible endpoints (Azure OpenAI, self-hosted gateways). Most users leave blank."
+      }
+    ]
+  },
+  ANTHROPIC: {
+    id: "ANTHROPIC",
+    displayName: "Anthropic",
+    capabilities: CAP_AI,
+    fields: [
+      {
+        path: "secret",
+        label: "API Key",
+        type: "password",
+        required: true,
+        secret: true,
+        placeholder: "sk-ant-\u2026",
+        help: "Your Anthropic API key. Encrypted at rest. The first ~10 characters are kept in metadata for display."
+      },
+      {
+        path: "metadata.endpoint",
+        label: "Endpoint (optional)",
+        type: "text",
+        required: false,
+        placeholder: "https://api.anthropic.com",
+        help: "Override for Anthropic-compatible endpoints. Most users leave blank."
+      }
+    ]
+  },
+  GEMINI: {
+    id: "GEMINI",
+    displayName: "Google Gemini",
+    capabilities: CAP_AI,
+    fields: [
+      {
+        path: "secret",
+        label: "API Key",
+        type: "password",
+        required: true,
+        secret: true,
+        placeholder: "AIza\u2026",
+        help: "Your Gemini API key from Google AI Studio. Encrypted at rest. The first ~7 characters are kept in metadata for display."
+      },
+      {
+        path: "metadata.endpoint",
+        label: "Endpoint (optional)",
+        type: "text",
+        required: false,
+        placeholder: "https://generativelanguage.googleapis.com",
+        help: "Override for proxies or regional endpoints. Most users leave blank to use the default Gemini API base URL."
+      }
+    ]
+  }
+};
+var PROVIDER_ORDER = ["AWS", "BEDROCK", "GCP", "AZURE", "SSH", "GITHUB", "GITLAB", "AZURE_DEVOPS", "OPENAI", "ANTHROPIC", "GEMINI"];
+function listProviders() {
+  return PROVIDER_ORDER.flatMap((id) => PROVIDER_CATALOG[id] ? [PROVIDER_CATALOG[id]] : []);
+}
+function getProvider(id) {
+  return PROVIDER_CATALOG[id];
+}
+var SECRET_PATH = "secret";
+var METADATA_PREFIX = "metadata.";
+function isSecretPath(path) {
+  return path === SECRET_PATH;
+}
+function isMetadataPath(path) {
+  return path.startsWith(METADATA_PREFIX);
+}
+function metadataKey(path) {
+  return isMetadataPath(path) ? path.slice(METADATA_PREFIX.length) : void 0;
+}
+function getValueAt(secret, metadata, path) {
+  if (path === SECRET_PATH) return secret;
+  const k = metadataKey(path);
+  return k ? metadata[k] : void 0;
+}
+function setValueAt(secret, metadata, path, value) {
+  if (path === SECRET_PATH) return { secret: typeof value === "string" ? value : "", metadata };
+  const k = metadataKey(path);
+  if (!k) return { secret, metadata };
+  const nextMeta = { ...metadata };
+  if (value === void 0 || value === null || value === "") delete nextMeta[k];
+  else nextMeta[k] = value;
+  return { secret, metadata: nextMeta };
+}
+function validate(providerId, label, secret, metadata) {
+  const spec = getProvider(providerId);
+  if (!spec) {
+    return `Unknown provider "${providerId}". Known providers: ${Object.keys(PROVIDER_CATALOG).join(", ")}`;
+  }
+  if (!label || label.trim() === "") {
+    return "Label is required";
+  }
+  for (const f of spec.fields) {
+    const present = isFieldPresent(secret, metadata, f.path);
+    if (f.required && !present) {
+      return `${spec.id}.${f.label} is required`;
+    }
+    if (!present) continue;
+    const value = getValueAt(secret, metadata, f.path);
+    const typeErr = typeCheck(f, value);
+    if (typeErr) return typeErr;
+  }
+  const allowed = allowedMetadataKeys(spec);
+  for (const k of Object.keys(metadata)) {
+    if (k.startsWith("_")) {
+      return `Metadata key "${k}" is reserved (the leading underscore is catalog-managed); remove it from the payload`;
+    }
+    if (!allowed.has(k)) {
+      return `Metadata key "${k}" is not part of the ${spec.id} spec. Allowed keys: ${[...allowed].join(", ")}`;
+    }
+  }
+  return null;
+}
+function isFieldPresent(secret, metadata, path) {
+  const v = getValueAt(secret, metadata, path);
+  if (v === void 0 || v === null) return false;
+  if (typeof v === "string") return v.trim() !== "";
+  if (Array.isArray(v)) return v.length > 0;
+  return true;
+}
+function typeCheck(f, value) {
+  switch (f.type) {
+    case "text":
+    case "password":
+    case "textarea":
+      return typeof value === "string" ? null : `${f.label} must be a string`;
+    case "number":
+      if (typeof value === "number" && Number.isInteger(value) && value >= 0) return null;
+      if (typeof value === "string" && /^\d+$/.test(value)) return null;
+      return `${f.label} must be a non-negative integer`;
+    case "json":
+      if (typeof value !== "string") return `${f.label} must be a JSON string`;
+      try {
+        JSON.parse(value);
+        return null;
+      } catch {
+        return `${f.label} is not valid JSON`;
+      }
+    case "pem":
+      if (typeof value !== "string") return `${f.label} must be a PEM string`;
+      return validatePEM(value, f.label);
+    case "stringList": {
+      if (!Array.isArray(value)) return `${f.label} must be a list of strings`;
+      for (let i = 0; i < value.length; i++) {
+        const item = value[i];
+        if (typeof item !== "string") return `${f.label}[${i}] must be a string`;
+        if (item.trim() === "") return `${f.label}[${i}] is empty`;
+      }
+      return null;
+    }
+    default:
+      return `${f.label} has unsupported field type ${f.type}`;
+  }
+}
+var PEM_BEGIN_RE = /-----BEGIN [^-]+-----/;
+var PEM_END_RE = /-----END [^-]+-----/;
+var PEM_PROC_TYPE_ENCRYPTED = /^Proc-Type:\s*\d+,\s*ENCRYPTED/m;
+var PEM_DEK_INFO = /^DEK-Info:/m;
+function validatePEM(s, label) {
+  const t = s.trim();
+  if (!t) return `${label}: empty PEM`;
+  if (!PEM_BEGIN_RE.test(t) || !PEM_END_RE.test(t)) {
+    return `${label}: no valid PEM block found (expected '-----BEGIN ... PRIVATE KEY-----')`;
+  }
+  if (PEM_PROC_TYPE_ENCRYPTED.test(t) || PEM_DEK_INFO.test(t)) {
+    return `${label}: passphrase-encrypted PEM is not supported (the agent runs unattended)`;
+  }
+  return null;
+}
+function allowedMetadataKeys(spec) {
+  const out = /* @__PURE__ */ new Set();
+  for (const f of spec.fields) {
+    const k = metadataKey(f.path);
+    if (k) out.add(k);
+  }
+  switch (spec.id) {
+    case "GCP":
+      out.add("clientEmail");
+      out.add("projectId");
+      break;
+    case "GITHUB":
+    case "AZURE_DEVOPS":
+    case "OPENAI":
+    case "ANTHROPIC":
+    case "GEMINI":
+      out.add("tokenPrefix");
+      break;
+    case "GITLAB":
+      out.add("tokenPrefix");
+      out.add("host");
+      break;
+  }
+  return out;
+}
+function computeDisplayHint(providerId, metadata) {
+  const cached = metadata["_displayHint"];
+  if (typeof cached === "string" && cached) return cached;
+  switch (providerId) {
+    case "AWS":
+    case "BEDROCK": {
+      const key = str(metadata["accessKeyId"]);
+      const region = str(metadata["region"]);
+      return shortPrefix(key, 8) + (region ? ` / ${region}` : "");
+    }
+    case "GCP": {
+      const email = str(metadata["clientEmail"]);
+      const proj = str(metadata["projectId"]);
+      if (!email && !proj) return "";
+      if (!email) return proj;
+      if (!proj) return email;
+      return `${email} / ${proj}`;
+    }
+    case "AZURE": {
+      const client = str(metadata["clientId"]);
+      const sub = str(metadata["subscriptionId"]);
+      const head = shortPrefix(client, 8);
+      return head + (sub ? ` / sub:${shortPrefix(sub, 8)}` : "");
+    }
+    case "SSH": {
+      const user = str(metadata["user"]);
+      const host = str(metadata["host"]);
+      const port = metadata["port"];
+      let portStr = "";
+      if (typeof port === "number" && port > 0 && port !== 22) portStr = `:${port}`;
+      else if (typeof port === "string" && /^\d+$/.test(port) && port !== "22") portStr = `:${port}`;
+      if (!user && !host) return "";
+      return `${user}@${host}${portStr}`.replace(/^@/, "");
+    }
+    case "GITHUB": {
+      const prefix = str(metadata["tokenPrefix"]);
+      const org = str(metadata["org"]);
+      const head = prefix ? `${prefix}\u2026` : "";
+      return [head, org].filter(Boolean).join(" / ");
+    }
+    case "GITLAB": {
+      const prefix = str(metadata["tokenPrefix"]);
+      const group = str(metadata["group"]);
+      let host = str(metadata["host"]);
+      if (!host) {
+        const endpoint = str(metadata["endpoint"]);
+        host = endpoint ? hostFromURL(endpoint) : "gitlab.com";
+      }
+      let out = prefix ? `${prefix}\u2026` : "";
+      if (group) out = out ? `${out} / ${group}` : group;
+      if (host && host !== "gitlab.com") out = out ? `${out} @ ${host}` : host;
+      return out;
+    }
+    case "AZURE_DEVOPS": {
+      const prefix = str(metadata["tokenPrefix"]);
+      const org = str(metadata["organization"]);
+      const project = str(metadata["project"]);
+      let out = prefix ? `${prefix}\u2026` : "";
+      if (org) {
+        const orgSeg = project ? `${org}/${project}` : org;
+        out = out ? `${out} / ${orgSeg}` : orgSeg;
+      }
+      return out;
+    }
+    case "OPENAI":
+    case "ANTHROPIC":
+    case "GEMINI": {
+      const prefix = str(metadata["tokenPrefix"]);
+      return prefix ? `${prefix}\u2026` : "";
+    }
+    default:
+      return "";
+  }
+}
+function str(v) {
+  return typeof v === "string" ? v : "";
+}
+function shortPrefix(s, n) {
+  if (!s) return "";
+  if (s.length <= n) return s;
+  return s.slice(0, n) + "\u2026";
+}
+function hostFromURL(raw) {
+  let s = raw.trim();
+  const schemeIdx = s.indexOf("://");
+  if (schemeIdx >= 0) s = s.slice(schemeIdx + 3);
+  const cut = s.search(/[/?#]/);
+  if (cut >= 0) s = s.slice(0, cut);
+  return s;
+}
+
+// src/modules/budgets/types.ts
+var usdMicros = {
+  toDollars: (micros) => micros / 1e6,
+  fromDollars: (dollars) => Math.round(dollars * 1e6)
+};
+
+exports.AccessType = AccessType;
+exports.BaseClient = BaseClient;
+exports.BudgetsClient = BudgetsClient;
+exports.CAP_AI = CAP_AI;
+exports.CAP_COMPUTE = CAP_COMPUTE;
+exports.CAP_GENERAL = CAP_GENERAL;
+exports.CAP_STORAGE = CAP_STORAGE;
+exports.CAP_VCS = CAP_VCS;
+exports.CloudAgentClient = CloudAgentClient;
+exports.HttpError = HttpError;
+exports.MFAType = MFAType;
+exports.NotImplementedError = NotImplementedError;
+exports.OrgRoles = OrgRoles;
+exports.PROVIDER_CATALOG = PROVIDER_CATALOG;
+exports.ProviderType = ProviderType;
+exports.ResourcesClient = ResourcesClient;
+exports.computeDisplayHint = computeDisplayHint;
+exports.getProvider = getProvider;
+exports.getValueAt = getValueAt;
+exports.isMetadataPath = isMetadataPath;
+exports.isSecretPath = isSecretPath;
+exports.listProviders = listProviders;
+exports.metadataKey = metadataKey;
+exports.setValueAt = setValueAt;
+exports.usdMicros = usdMicros;
+exports.validate = validate;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map