@gaodefa/daocore 2026.5.86 → 2026.5.87

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (1615) hide show
  1. package/dist/abort-DF_NBB7k.js +277 -0
  2. package/dist/abort.runtime-D4MkvEhQ.js +2 -0
  3. package/dist/abort.runtime.js +1 -1
  4. package/dist/account-inspect-BgTcq2xK.js +173 -0
  5. package/dist/accounts-B4A5OwEA.js +119 -0
  6. package/dist/accounts-BkS1Fh-0.js +107 -0
  7. package/dist/accounts-DF7-7Smq.js +107 -0
  8. package/dist/accounts-UL1OgSV7.js +2 -0
  9. package/dist/acp-runtime-Cx2ACvcD.js +26 -0
  10. package/dist/acp-spawn-BGd_lmtE.js +2 -0
  11. package/dist/acp-spawn-BV0aSrgH.js +1275 -0
  12. package/dist/acp-stateful-target-driver-BZXAtm9O.js +89 -0
  13. package/dist/action-kill-CrabJ-6-.js +33 -0
  14. package/dist/action-runtime-BWOfmJe3.js +469 -0
  15. package/dist/action-runtime-api-Fr0Pcsql.js +2 -0
  16. package/dist/action-send-Cpl-x8ro.js +39 -0
  17. package/dist/action-spawn-DceGvU1M.js +47 -0
  18. package/dist/actions-Dx4zHx1-.js +161 -0
  19. package/dist/actions.runtime-CXgc7_sE.js +5 -0
  20. package/dist/agent-6f80KcUH.js +2 -0
  21. package/dist/agent-B2kAd5xV.js +3 -0
  22. package/dist/agent-command-DwGwELK0.js +1367 -0
  23. package/dist/agent-components.runtime-DJYuGMFi.js +10 -0
  24. package/dist/agent-components.runtime.js +1 -1
  25. package/dist/agent-harness-Dya8_zFH.d.ts +146 -0
  26. package/dist/agent-harness-runtime-B18Zw6Rz.d.ts +691 -0
  27. package/dist/agent-harness-runtime-D_wIHJVe.js +180 -0
  28. package/dist/agent-harness-task-runtime-ol_ltjHi.js +140 -0
  29. package/dist/agent-runner-execution-D5wMRx5h.js +1713 -0
  30. package/dist/agent-runner-utils-CLCfaT2K.js +266 -0
  31. package/dist/agent-runner.runtime-Igsb-Us4.js +3455 -0
  32. package/dist/agent-runner.runtime.js +1 -1
  33. package/dist/agent-runtime-tAPmASEK.js +229 -0
  34. package/dist/agent-via-gateway-CmOOhHWf.js +463 -0
  35. package/dist/agents/pi-embedded-runner/tool-split.d.ts +1 -1
  36. package/dist/api-BGUYfA7u.js +639 -0
  37. package/dist/api-Bb3jRMVp.js +3 -0
  38. package/dist/api-CDGKNega.js +6 -0
  39. package/dist/api-D-TLdpx5.js +2 -0
  40. package/dist/api-DXDbFZ7W.js +134 -0
  41. package/dist/api-DYuUdqrI.d.ts +52 -0
  42. package/dist/api-o2EhTZRZ.js +2 -0
  43. package/dist/apply-BWXKR0_1.js +41 -0
  44. package/dist/apply-C3i3NucS.js +54 -0
  45. package/dist/approval-handler.runtime-DhzHxhOa.js +130 -0
  46. package/dist/assistant-SXZqrOD4.js +291 -0
  47. package/dist/attachment-normalize-DobdGk6t.js +225 -0
  48. package/dist/attempt-execution-BOV_h0-N.js +558 -0
  49. package/dist/attempt-execution.runtime-CXlw2E2H.js +3 -0
  50. package/dist/attempt-execution.runtime.js +1 -1
  51. package/dist/attempt-execution.shared-BUNB-ofJ.js +38 -0
  52. package/dist/attempt.prompt-helpers-DfgNBTYi.js +475 -0
  53. package/dist/attempt.tool-run-context-DdadqfC-.js +2094 -0
  54. package/dist/binding-routing-BYWsTgH4.js +113 -0
  55. package/dist/binding-targets-CDxkaXRY.js +121 -0
  56. package/dist/bot-BMJcaPAi.js +7894 -0
  57. package/dist/bot-deps-CNg_Zt2P.js +2 -0
  58. package/dist/bot-deps-FZotnMZO.js +747 -0
  59. package/dist/bot-message-context.runtime-C_OEKOE-.js +7 -0
  60. package/dist/bot-message-context.runtime.js +1 -1
  61. package/dist/bot-message-context.session.runtime-VbbwvU7y.js +12 -0
  62. package/dist/bot-message-context.session.runtime.js +1 -1
  63. package/dist/bot-native-commands.delivery.runtime-CuquGLAx.js +4 -0
  64. package/dist/bot-native-commands.delivery.runtime.js +1 -1
  65. package/dist/bot-native-commands.runtime-DtYCPjvW.js +13 -0
  66. package/dist/bot-native-commands.runtime.js +1 -1
  67. package/dist/bridge-server-B4pS54jd.js +113 -0
  68. package/dist/browser-cli-BHUdFJIS.js +230 -0
  69. package/dist/browser-cli-BWWH1Csp.js +2 -0
  70. package/dist/browser-cli-actions-input-1hfL1q3f.js +473 -0
  71. package/dist/browser-cli-actions-observe-Ctdz-Ocl.js +81 -0
  72. package/dist/browser-cli-debug-D4yOgAhy.js +137 -0
  73. package/dist/browser-cli-inspect-D6c28uLw.js +104 -0
  74. package/dist/browser-cli-manage-DoCDoOsO.js +443 -0
  75. package/dist/browser-cli-resize-Dgb5KdMO.js +26 -0
  76. package/dist/browser-cli-shared-C1LIiQyl.js +50 -0
  77. package/dist/browser-cli-state-CwIDB8-B.js +337 -0
  78. package/dist/browser-control-auth-COjZjE3L.js +2 -0
  79. package/dist/browser-profiles-D085C5gN.js +2 -0
  80. package/dist/browser-runtime-CKIOtwI9.js +384 -0
  81. package/dist/build-DHK6vRrC.js +257 -0
  82. package/dist/build-info.json +3 -3
  83. package/dist/bundled/boot-md/handler.js +2 -2
  84. package/dist/bundled/session-memory/handler.js +1 -1
  85. package/dist/bundled-channel-config-schema-BsHcx3wh.d.ts +3163 -0
  86. package/dist/call-D8ev9OI5.d.ts +43 -0
  87. package/dist/canvas-host/a2ui/.bundle.hash +1 -1
  88. package/dist/capability-cli-DRrPaB5q.js +1782 -0
  89. package/dist/channel-29833Q7U.d.ts +8 -0
  90. package/dist/channel-B0gFm2e0.d.ts +49 -0
  91. package/dist/channel-B4huj9Kp.js +362 -0
  92. package/dist/channel-B4wQxeHH.d.ts +14 -0
  93. package/dist/channel-BLs4RYYL.js +1777 -0
  94. package/dist/channel-BS3cqj-Z.d.ts +6 -0
  95. package/dist/channel-BU5YCSFs.d.ts +427 -0
  96. package/dist/channel-BXg8HDz6.d.ts +7 -0
  97. package/dist/channel-B_rnZ7-_.d.ts +26 -0
  98. package/dist/channel-BnSrEvQt.js +238 -0
  99. package/dist/channel-BuEQnzVg.js +1556 -0
  100. package/dist/channel-BvlX4grI.d.ts +106 -0
  101. package/dist/channel-C75uc-F0.d.ts +12 -0
  102. package/dist/channel-CMIcwlip.js +955 -0
  103. package/dist/channel-CTTRs_4Q.js +376 -0
  104. package/dist/channel-Ceh4DhGf.js +808 -0
  105. package/dist/channel-Cg78poCb.d.ts +7 -0
  106. package/dist/channel-CtVWvTxM.d.ts +8 -0
  107. package/dist/channel-CxzIiRo0.js +740 -0
  108. package/dist/channel-D3sCmweW.d.ts +64 -0
  109. package/dist/channel-DBe2Xwn9.js +1249 -0
  110. package/dist/channel-DOB2mltt.js +867 -0
  111. package/dist/channel-DU9qt3dX.js +481 -0
  112. package/dist/channel-DWCzQ-Po.js +562 -0
  113. package/dist/channel-Dha12xQd.js +2126 -0
  114. package/dist/channel-EAYFx_aX.d.ts +47 -0
  115. package/dist/channel-VJIcMa-M.js +508 -0
  116. package/dist/channel-WPOWimOu.js +1134 -0
  117. package/dist/channel-actions.runtime-bqHQHH3X.js +265 -0
  118. package/dist/channel-actions.runtime.js +1 -1
  119. package/dist/channel-core-DsmamxDL.d.ts +6 -0
  120. package/dist/channel-core-m0EI5nTB.js +5 -0
  121. package/dist/channel-entry-contract-DwsX3A32.d.ts +112 -0
  122. package/dist/channel-ez59JAzr.d.ts +114 -0
  123. package/dist/channel-inbound-hFEolyVo.js +80 -0
  124. package/dist/channel-l10cAz1Q.js +1496 -0
  125. package/dist/channel-oeyyvfIC.d.ts +104 -0
  126. package/dist/channel-plugin-runtime-BMtJ1Wgj.js +998 -0
  127. package/dist/channel-plugin-runtime-Cm532MRz.d.ts +7 -0
  128. package/dist/channel-runtime-TLiTFcI9.js +408 -0
  129. package/dist/channel-ryumzsaN.d.ts +28 -0
  130. package/dist/channel-uLv7YV-J.js +653 -0
  131. package/dist/channel-zfDQdZSM.d.ts +8 -0
  132. package/dist/channel.runtime-3Aev2p4z.js +88 -0
  133. package/dist/channel.runtime-BBoj-2rR.js +2528 -0
  134. package/dist/channel.runtime-BHW11124.js +254 -0
  135. package/dist/channel.runtime-BO5IrBIY.js +652 -0
  136. package/dist/channel.runtime-C8L4S2Y3.js +109 -0
  137. package/dist/channel.runtime-D55LFe_S.js +21009 -0
  138. package/dist/channel.runtime-DUVRcCkd.js +1008 -0
  139. package/dist/channel.runtime-eAjrNDCs.js +733 -0
  140. package/dist/channel.runtime-ek9gTQao.js +4 -0
  141. package/dist/channel.setup-BKCOmQ1R.d.ts +6 -0
  142. package/dist/channel.setup-C4kFVZ9n.js +1098 -0
  143. package/dist/channel.setup-CG4h40nr.js +10 -0
  144. package/dist/channel.setup-CIy_GOHl.d.ts +8 -0
  145. package/dist/channel.setup-DLoH7iov.d.ts +7 -0
  146. package/dist/channel.setup-t6GC0j9y.js +343 -0
  147. package/dist/chat-u7qZ4sNv.js +2666 -0
  148. package/dist/chrome-CcpklbxU.js +1503 -0
  149. package/dist/cli/run-main.js +5 -5
  150. package/dist/cli-DfMcB-YB.d.ts +20 -0
  151. package/dist/cli-DuN9_yOX.js +1341 -0
  152. package/dist/cli-backend-C3cY7GNo.d.ts +5 -0
  153. package/dist/cli-backend-Dq6pWbMI.d.ts +5 -0
  154. package/dist/cli-compaction-_t3h1d1Y.js +347 -0
  155. package/dist/cli-metadata-CuQDanWu.js +22 -0
  156. package/dist/cli-runner-BICDg94b.js +2 -0
  157. package/dist/cli-runner-CeaLhAdU.js +540 -0
  158. package/dist/cli-runner.runtime-Ckyx1-nO.js +4 -0
  159. package/dist/cli-runner.runtime-ZsfkXp6T.js +3 -0
  160. package/dist/cli-runner.runtime.js +1 -1
  161. package/dist/cli-shared-CLlJpRmc.d.ts +20 -0
  162. package/dist/cli-startup-metadata.json +8 -8
  163. package/dist/client-UnpX4vLL.js +650 -0
  164. package/dist/client-adapter-DXOFyLda.js +897 -0
  165. package/dist/client-factory-DvI4dWav.js +9 -0
  166. package/dist/command-auth--55vYozU.js +135 -0
  167. package/dist/command-handlers-luOY52Zj.js +1609 -0
  168. package/dist/command-registry-2ZPFOxQD.js +4 -0
  169. package/dist/command-registry-BnlVL4Z5.js +9 -0
  170. package/dist/command-registry-core-CY3_nsXj.js +110 -0
  171. package/dist/command-status.runtime-DlWcbk6f.js +90 -0
  172. package/dist/command-status.runtime.js +1 -1
  173. package/dist/commands-9rlXSaBn.d.ts +113 -0
  174. package/dist/commands-acp-1GcD7q5q.js +74 -0
  175. package/dist/commands-compact.runtime-DO9NBGsY.js +10 -0
  176. package/dist/commands-compact.runtime.js +1 -1
  177. package/dist/commands-handlers.runtime-CS9oLcTy.js +6154 -0
  178. package/dist/commands-handlers.runtime.js +1 -1
  179. package/dist/commands-status-B-VHaYH5.js +3 -0
  180. package/dist/commands-status-CD4lbvZe.js +16 -0
  181. package/dist/commands-status.runtime-B-VHaYH5.js +3 -0
  182. package/dist/commands-status.runtime.js +1 -1
  183. package/dist/commands-subagents-control.runtime-BW2wSGGB.js +2 -0
  184. package/dist/commands-subagents-control.runtime-DayCbQBi.js +3 -0
  185. package/dist/commands-subagents-control.runtime.js +1 -1
  186. package/dist/commands-system-prompt-Bu0-zdQV.js +162 -0
  187. package/dist/commands-system-prompt-DqzUrExG.js +2 -0
  188. package/dist/commands.runtime-Bi618hLG.js +176 -0
  189. package/dist/commands.runtime.js +1 -1
  190. package/dist/commitments/runtime.js +1 -1
  191. package/dist/compact-D6RF2ao-.js +480 -0
  192. package/dist/compact-DOHvJc9C.js +1141 -0
  193. package/dist/compact.runtime-BMV69fdx.js +12 -0
  194. package/dist/compact.runtime.js +1 -1
  195. package/dist/completion-cli-CKorRumh.js +315 -0
  196. package/dist/computer-use-QDwH-PSW.js +367 -0
  197. package/dist/config-D085C5gN.js +2 -0
  198. package/dist/config-kivtFwCd.js +373 -0
  199. package/dist/config-mutations-BEpZ3rYv.js +159 -0
  200. package/dist/config-schema-Bwgooc-v.d.ts +20 -0
  201. package/dist/config-schema-lIvqvlbL.d.ts +34 -0
  202. package/dist/context-engine-host-compat-BXoUGeB_.js +2 -0
  203. package/dist/context-engine-host-compat-CcCmD5o9.js +288 -0
  204. package/dist/context-engine-lifecycle-CwtbthA3.js +1274 -0
  205. package/dist/contracts-testkit-DC7MJzfa.d.ts +145 -0
  206. package/dist/control-auth-wsG-pObJ.js +114 -0
  207. package/dist/control-service-DoSyDuPZ.js +145 -0
  208. package/dist/conversation-binding-runtime-vZQ351Yx.js +4 -0
  209. package/dist/conversation-runtime-DZztdc11.js +31 -0
  210. package/dist/core-CcQCE1PE.js +282 -0
  211. package/dist/core-api-Cn9nxEQY.js +5 -0
  212. package/dist/core-api-DJttT99e.js +2 -0
  213. package/dist/core-loprAG73.d.ts +224 -0
  214. package/dist/crestodian/crestodian.js +1 -1
  215. package/dist/crestodian/rescue-message.js +1 -1
  216. package/dist/crestodian-B77mGOnM.js +55 -0
  217. package/dist/daocore-runtime-B-rzUpKx.d.ts +151 -0
  218. package/dist/daocore-tools-B2AoPxwu.js +11727 -0
  219. package/dist/delivery-DrO-hbmH.js +1002 -0
  220. package/dist/dialogue-xd9pIoHO.js +37 -0
  221. package/dist/dir-fetch-tool-CMJ9Pt6u.js +565 -0
  222. package/dist/dir-list-tool-BrTrO97I.js +100 -0
  223. package/dist/direct-dm-Dbxrg-M8.js +64 -0
  224. package/dist/directive-handling.fast-lane-Cm6q7myY.js +68 -0
  225. package/dist/directive-handling.impl-BW2_4S2v.js +818 -0
  226. package/dist/directive-handling.impl-DkMvyjSy.js +2 -0
  227. package/dist/directive-handling.model-selection-BBc-JgRD.js +122 -0
  228. package/dist/directive-handling.persist.runtime-ByZk594V.js +263 -0
  229. package/dist/directive-handling.persist.runtime.js +1 -1
  230. package/dist/dispatch-acp-transcript.runtime-t6_JeKwA.js +40 -0
  231. package/dist/dispatch-acp-transcript.runtime.js +1 -1
  232. package/dist/dispatch-acp.runtime-yf6pNdiB.js +18 -0
  233. package/dist/dispatch-acp.runtime.js +1 -1
  234. package/dist/dispatch-rpGfQmzk.js +1640 -0
  235. package/dist/doctor-Ce9osVgH.js +6 -0
  236. package/dist/doctor-Dl4rkbw8.js +2 -0
  237. package/dist/doctor-config-flow-IokiMPZL.js +1741 -0
  238. package/dist/doctor-core-checks-DPugZhrT.js +2 -0
  239. package/dist/doctor-core-checks-DTM0dPXV.js +573 -0
  240. package/dist/doctor-health-D9BF5XjZ.js +65 -0
  241. package/dist/doctor-health-contributions-CeAx5c5L.js +696 -0
  242. package/dist/doctor-lint-B3Ya8mmD.js +94 -0
  243. package/dist/doctor-state-integrity-B5aQjl2y.js +1231 -0
  244. package/dist/doctor-update-CGkyLrKv.js +58 -0
  245. package/dist/doctor-update-fix-CQ8qVhBX.js +107 -0
  246. package/dist/dynamic-tools-DZebai0O.js +486 -0
  247. package/dist/embedded-backend-BS79InDg.js +579 -0
  248. package/dist/embedded-gateway-stub.runtime-CsTs2-an.js +12 -0
  249. package/dist/embedded-gateway-stub.runtime.js +1 -1
  250. package/dist/embedding-provider-BKIXHvGl.d.ts +16 -0
  251. package/dist/embedding-provider-ZDZfzTLK.d.ts +65 -0
  252. package/dist/embedding-provider-uqWqn4wW.d.ts +21 -0
  253. package/dist/entry.d.ts +1 -1
  254. package/dist/exec-approvals-DSGilgX_.js +149 -0
  255. package/dist/extensionAPI.js +1 -1
  256. package/dist/extensions/active-memory/index.d.ts +1 -1
  257. package/dist/extensions/active-memory/index.js +1 -1
  258. package/dist/extensions/admin-http-rpc/index.d.ts +1 -1
  259. package/dist/extensions/admin-http-rpc/index.js +1 -1
  260. package/dist/extensions/alibaba/index.d.ts +1 -1
  261. package/dist/extensions/anthropic/api.d.ts +3 -3
  262. package/dist/extensions/anthropic/cli-backend-api.d.ts +2 -2
  263. package/dist/extensions/anthropic/cli-backend.d.ts +1 -1
  264. package/dist/extensions/anthropic/cli-migration.d.ts +1 -1
  265. package/dist/extensions/anthropic/cli-shared.d.ts +1 -1
  266. package/dist/extensions/anthropic/contract-api.d.ts +1 -1
  267. package/dist/extensions/anthropic/index.d.ts +1 -1
  268. package/dist/extensions/anthropic/provider-contract-api.d.ts +1 -1
  269. package/dist/extensions/anthropic/provider-discovery.d.ts +1 -1
  270. package/dist/extensions/anthropic/provider-policy-api.d.ts +1 -1
  271. package/dist/extensions/anthropic/register.runtime.d.ts +1 -1
  272. package/dist/extensions/anthropic/replay-policy.d.ts +1 -1
  273. package/dist/extensions/anthropic/setup-api.d.ts +1 -1
  274. package/dist/extensions/anthropic/stream-wrappers.d.ts +1 -1
  275. package/dist/extensions/anthropic/test-api.d.ts +2 -2
  276. package/dist/extensions/arcee/index.d.ts +1 -1
  277. package/dist/extensions/azure-speech/index.d.ts +1 -1
  278. package/dist/extensions/azure-speech/speech-provider.d.ts +1 -1
  279. package/dist/extensions/bonjour/index.d.ts +1 -1
  280. package/dist/extensions/browser/browser-bridge.js +1 -1
  281. package/dist/extensions/browser/browser-config.js +4 -4
  282. package/dist/extensions/browser/browser-control-auth.js +2 -2
  283. package/dist/extensions/browser/browser-doctor.js +2 -2
  284. package/dist/extensions/browser/browser-maintenance.js +1 -1
  285. package/dist/extensions/browser/browser-profiles.js +2 -2
  286. package/dist/extensions/browser/browser-runtime-api.js +11 -11
  287. package/dist/extensions/browser/cli-metadata.d.ts +1 -1
  288. package/dist/extensions/browser/cli-metadata.js +1 -1
  289. package/dist/extensions/browser/index.d.ts +1 -1
  290. package/dist/extensions/browser/index.js +1 -1
  291. package/dist/extensions/browser/plugin-registration.d.ts +1 -1
  292. package/dist/extensions/browser/plugin-registration.js +1 -1
  293. package/dist/extensions/browser/register.runtime.d.ts +2 -2
  294. package/dist/extensions/browser/register.runtime.js +4 -4
  295. package/dist/extensions/browser/runtime-api.d.ts +3 -3
  296. package/dist/extensions/browser/runtime-api.js +13 -13
  297. package/dist/extensions/browser/setup-api.d.ts +1 -1
  298. package/dist/extensions/byteplus/index.d.ts +1 -1
  299. package/dist/extensions/byteplus/provider-discovery.d.ts +1 -1
  300. package/dist/extensions/canvas/cli-metadata.d.ts +1 -1
  301. package/dist/extensions/canvas/index.d.ts +1 -1
  302. package/dist/extensions/canvas/index.js +1 -1
  303. package/dist/extensions/canvas/runtime-api.d.ts +2 -2
  304. package/dist/extensions/canvas/setup-api.d.ts +1 -1
  305. package/dist/extensions/cerebras/index.d.ts +1 -1
  306. package/dist/extensions/chutes/index.d.ts +1 -1
  307. package/dist/extensions/clickclack/api.d.ts +2 -2
  308. package/dist/extensions/clickclack/api.js +2 -2
  309. package/dist/extensions/clickclack/channel-plugin-api.d.ts +1 -1
  310. package/dist/extensions/clickclack/channel-plugin-api.js +1 -1
  311. package/dist/extensions/clickclack/index.d.ts +2 -2
  312. package/dist/extensions/clickclack/runtime-api.d.ts +2 -2
  313. package/dist/extensions/clickclack/runtime-api.js +2 -2
  314. package/dist/extensions/cloudflare-ai-gateway/index.d.ts +1 -1
  315. package/dist/extensions/cloudflare-ai-gateway/stream-wrappers.d.ts +1 -1
  316. package/dist/extensions/comfy/index.d.ts +1 -1
  317. package/dist/extensions/copilot-proxy/index.d.ts +1 -1
  318. package/dist/extensions/copilot-proxy/runtime-api.d.ts +2 -2
  319. package/dist/extensions/deepgram/index.d.ts +1 -1
  320. package/dist/extensions/deepgram/realtime-transcription-provider.d.ts +1 -1
  321. package/dist/extensions/deepgram/test-api.d.ts +1 -1
  322. package/dist/extensions/deepinfra/api.d.ts +2 -2
  323. package/dist/extensions/deepinfra/embedding-provider.d.ts +1 -1
  324. package/dist/extensions/deepinfra/index.d.ts +1 -1
  325. package/dist/extensions/deepinfra/memory-embedding-adapter.d.ts +1 -1
  326. package/dist/extensions/deepinfra/speech-provider.d.ts +1 -1
  327. package/dist/extensions/deepseek/api.d.ts +1 -1
  328. package/dist/extensions/deepseek/index.d.ts +1 -1
  329. package/dist/extensions/deepseek/provider-discovery.d.ts +1 -1
  330. package/dist/extensions/deepseek/provider-policy-api.d.ts +1 -1
  331. package/dist/extensions/deepseek/stream.d.ts +1 -1
  332. package/dist/extensions/deepseek/thinking.d.ts +1 -1
  333. package/dist/extensions/device-pair/api.d.ts +3 -3
  334. package/dist/extensions/device-pair/api.js +1 -1
  335. package/dist/extensions/device-pair/index.d.ts +1 -1
  336. package/dist/extensions/device-pair/notify.d.ts +1 -1
  337. package/dist/extensions/device-pair/pair-command-approve.js +1 -1
  338. package/dist/extensions/document-extract/index.d.ts +1 -1
  339. package/dist/extensions/duckduckgo/index.d.ts +1 -1
  340. package/dist/extensions/elevenlabs/index.d.ts +1 -1
  341. package/dist/extensions/elevenlabs/realtime-transcription-provider.d.ts +1 -1
  342. package/dist/extensions/elevenlabs/setup-api.d.ts +1 -1
  343. package/dist/extensions/elevenlabs/speech-provider.d.ts +1 -1
  344. package/dist/extensions/elevenlabs/test-api.d.ts +2 -2
  345. package/dist/extensions/exa/index.d.ts +1 -1
  346. package/dist/extensions/fal/index.d.ts +1 -1
  347. package/dist/extensions/fal/provider-contract-api.d.ts +1 -1
  348. package/dist/extensions/fal/provider-registration.d.ts +1 -1
  349. package/dist/extensions/file-transfer/index.d.ts +1 -1
  350. package/dist/extensions/file-transfer/index.js +4 -4
  351. package/dist/extensions/firecrawl/index.d.ts +1 -1
  352. package/dist/extensions/fireworks/index.d.ts +1 -1
  353. package/dist/extensions/fireworks/provider-policy-api.d.ts +1 -1
  354. package/dist/extensions/fireworks/stream.d.ts +1 -1
  355. package/dist/extensions/fireworks/thinking-policy.d.ts +1 -1
  356. package/dist/extensions/github-copilot/embeddings.d.ts +1 -1
  357. package/dist/extensions/github-copilot/index.d.ts +1 -1
  358. package/dist/extensions/github-copilot/models.d.ts +1 -1
  359. package/dist/extensions/github-copilot/register.runtime.d.ts +2 -2
  360. package/dist/extensions/github-copilot/stream.d.ts +1 -1
  361. package/dist/extensions/google/api.d.ts +5 -5
  362. package/dist/extensions/google/cli-backend.d.ts +1 -1
  363. package/dist/extensions/google/embedding-batch.d.ts +1 -1
  364. package/dist/extensions/google/embedding-provider.d.ts +1 -1
  365. package/dist/extensions/google/gemini-cli-provider.d.ts +1 -1
  366. package/dist/extensions/google/index.d.ts +1 -1
  367. package/dist/extensions/google/memory-embedding-adapter.d.ts +1 -1
  368. package/dist/extensions/google/provider-contract-api.d.ts +1 -1
  369. package/dist/extensions/google/provider-hooks.d.ts +2 -2
  370. package/dist/extensions/google/provider-models.d.ts +1 -1
  371. package/dist/extensions/google/provider-policy-api.d.ts +1 -1
  372. package/dist/extensions/google/provider-policy.d.ts +1 -1
  373. package/dist/extensions/google/provider-registration.d.ts +1 -1
  374. package/dist/extensions/google/realtime-voice-provider.d.ts +1 -1
  375. package/dist/extensions/google/runtime-api.d.ts +3 -3
  376. package/dist/extensions/google/setup-api.d.ts +1 -1
  377. package/dist/extensions/google/speech-provider.d.ts +1 -1
  378. package/dist/extensions/google/test-api.d.ts +2 -2
  379. package/dist/extensions/google/thinking-api.d.ts +1 -1
  380. package/dist/extensions/google/thinking.d.ts +1 -1
  381. package/dist/extensions/google/transport-stream.d.ts +1 -1
  382. package/dist/extensions/gradium/index.d.ts +1 -1
  383. package/dist/extensions/gradium/speech-provider.d.ts +1 -1
  384. package/dist/extensions/groq/index.d.ts +1 -1
  385. package/dist/extensions/huggingface/index.d.ts +1 -1
  386. package/dist/extensions/image-generation-core/api.d.ts +3 -3
  387. package/dist/extensions/image-generation-core/runtime-api.d.ts +1 -1
  388. package/dist/extensions/imessage/api.d.ts +2 -2
  389. package/dist/extensions/imessage/api.js +2 -2
  390. package/dist/extensions/imessage/channel-plugin-api.d.ts +1 -1
  391. package/dist/extensions/imessage/channel-plugin-api.js +1 -1
  392. package/dist/extensions/imessage/index.d.ts +2 -2
  393. package/dist/extensions/imessage/message-tool-api.d.ts +1 -1
  394. package/dist/extensions/imessage/runtime-api.d.ts +4 -4
  395. package/dist/extensions/imessage/runtime-api.js +3 -3
  396. package/dist/extensions/imessage/setup-entry.d.ts +2 -2
  397. package/dist/extensions/imessage/test-api.d.ts +1 -1
  398. package/dist/extensions/inworld/index.d.ts +1 -1
  399. package/dist/extensions/inworld/speech-provider.d.ts +1 -1
  400. package/dist/extensions/irc/api.d.ts +1 -1
  401. package/dist/extensions/irc/api.js +2 -2
  402. package/dist/extensions/irc/channel-plugin-api.d.ts +1 -1
  403. package/dist/extensions/irc/channel-plugin-api.js +1 -1
  404. package/dist/extensions/irc/index.d.ts +2 -2
  405. package/dist/extensions/irc/setup-entry.d.ts +2 -2
  406. package/dist/extensions/kilocode/index.d.ts +1 -1
  407. package/dist/extensions/kimi-coding/index.d.ts +1 -1
  408. package/dist/extensions/kimi-coding/stream.d.ts +1 -1
  409. package/dist/extensions/litellm/index.d.ts +1 -1
  410. package/dist/extensions/llm-task/api.d.ts +2 -2
  411. package/dist/extensions/llm-task/index.d.ts +1 -1
  412. package/dist/extensions/llm-task/index.js +1 -1
  413. package/dist/extensions/lmstudio/api.d.ts +1 -1
  414. package/dist/extensions/lmstudio/index.d.ts +1 -1
  415. package/dist/extensions/lmstudio/memory-embedding-adapter.d.ts +1 -1
  416. package/dist/extensions/mattermost/api.js +1 -1
  417. package/dist/extensions/mattermost/channel-plugin-api.d.ts +2 -2
  418. package/dist/extensions/mattermost/channel-plugin-api.js +1 -1
  419. package/dist/extensions/mattermost/channel-plugin-runtime.d.ts +1 -1
  420. package/dist/extensions/mattermost/channel-plugin-runtime.js +1 -1
  421. package/dist/extensions/mattermost/index.d.ts +2 -2
  422. package/dist/extensions/mattermost/policy-api.js +1 -1
  423. package/dist/extensions/mattermost/runtime-api.d.ts +4 -4
  424. package/dist/extensions/mattermost/runtime-api.js +2 -2
  425. package/dist/extensions/mattermost/setup-entry.d.ts +2 -2
  426. package/dist/extensions/mattermost/slash-route-api.d.ts +1 -1
  427. package/dist/extensions/mattermost/slash-route-api.js +1 -1
  428. package/dist/extensions/memory-core/api.d.ts +1 -1
  429. package/dist/extensions/memory-core/cli-metadata.d.ts +1 -1
  430. package/dist/extensions/memory-core/cli-metadata.js +1 -1
  431. package/dist/extensions/memory-core/index.d.ts +1 -1
  432. package/dist/extensions/memory-core/manager-runtime.d.ts +1 -1
  433. package/dist/extensions/memory-core/runtime-api.d.ts +2 -2
  434. package/dist/extensions/memory-wiki/api.d.ts +3 -3
  435. package/dist/extensions/memory-wiki/cli-metadata.d.ts +1 -1
  436. package/dist/extensions/memory-wiki/index.d.ts +1 -1
  437. package/dist/extensions/memory-wiki/setup-api.d.ts +1 -1
  438. package/dist/extensions/microsoft/index.d.ts +1 -1
  439. package/dist/extensions/microsoft/speech-provider.d.ts +1 -1
  440. package/dist/extensions/microsoft/test-api.d.ts +1 -1
  441. package/dist/extensions/microsoft-foundry/auth.d.ts +1 -1
  442. package/dist/extensions/microsoft-foundry/cli.d.ts +1 -1
  443. package/dist/extensions/microsoft-foundry/index.d.ts +1 -1
  444. package/dist/extensions/microsoft-foundry/onboard.d.ts +3 -3
  445. package/dist/extensions/microsoft-foundry/provider.d.ts +1 -1
  446. package/dist/extensions/microsoft-foundry/runtime.d.ts +1 -1
  447. package/dist/extensions/microsoft-foundry/shared-runtime.d.ts +1 -1
  448. package/dist/extensions/microsoft-foundry/shared.d.ts +1 -1
  449. package/dist/extensions/migrate-claude/apply.d.ts +1 -1
  450. package/dist/extensions/migrate-claude/apply.js +1 -1
  451. package/dist/extensions/migrate-claude/config.d.ts +1 -1
  452. package/dist/extensions/migrate-claude/helpers.d.ts +1 -1
  453. package/dist/extensions/migrate-claude/index.d.ts +1 -1
  454. package/dist/extensions/migrate-claude/index.js +1 -1
  455. package/dist/extensions/migrate-claude/memory.d.ts +2 -2
  456. package/dist/extensions/migrate-claude/plan.d.ts +1 -1
  457. package/dist/extensions/migrate-claude/plan.js +1 -1
  458. package/dist/extensions/migrate-claude/provider.d.ts +1 -1
  459. package/dist/extensions/migrate-claude/provider.js +1 -1
  460. package/dist/extensions/migrate-claude/skills.d.ts +2 -2
  461. package/dist/extensions/migrate-claude/targets.d.ts +1 -1
  462. package/dist/extensions/migrate-claude/targets.js +1 -1
  463. package/dist/extensions/migrate-hermes/apply.d.ts +1 -1
  464. package/dist/extensions/migrate-hermes/apply.js +1 -1
  465. package/dist/extensions/migrate-hermes/config.d.ts +1 -1
  466. package/dist/extensions/migrate-hermes/helpers.d.ts +1 -1
  467. package/dist/extensions/migrate-hermes/index.d.ts +1 -1
  468. package/dist/extensions/migrate-hermes/index.js +1 -1
  469. package/dist/extensions/migrate-hermes/items.d.ts +1 -1
  470. package/dist/extensions/migrate-hermes/model.d.ts +1 -1
  471. package/dist/extensions/migrate-hermes/model.js +1 -1
  472. package/dist/extensions/migrate-hermes/plan.d.ts +1 -1
  473. package/dist/extensions/migrate-hermes/plan.js +1 -1
  474. package/dist/extensions/migrate-hermes/provider.d.ts +1 -1
  475. package/dist/extensions/migrate-hermes/provider.js +1 -1
  476. package/dist/extensions/migrate-hermes/secrets.d.ts +2 -2
  477. package/dist/extensions/migrate-hermes/secrets.js +1 -1
  478. package/dist/extensions/migrate-hermes/skills.d.ts +2 -2
  479. package/dist/extensions/migrate-hermes/targets.d.ts +1 -1
  480. package/dist/extensions/migrate-hermes/targets.js +1 -1
  481. package/dist/extensions/minimax/index.d.ts +1 -1
  482. package/dist/extensions/minimax/provider-contract-api.d.ts +1 -1
  483. package/dist/extensions/minimax/provider-registration.d.ts +1 -1
  484. package/dist/extensions/minimax/speech-provider.d.ts +1 -1
  485. package/dist/extensions/mistral/embedding-provider.d.ts +1 -1
  486. package/dist/extensions/mistral/index.d.ts +1 -1
  487. package/dist/extensions/mistral/memory-embedding-adapter.d.ts +1 -1
  488. package/dist/extensions/mistral/realtime-transcription-provider.d.ts +1 -1
  489. package/dist/extensions/mistral/test-api.d.ts +1 -1
  490. package/dist/extensions/moonshot/index.d.ts +1 -1
  491. package/dist/extensions/moonshot/provider-contract-api.d.ts +1 -1
  492. package/dist/extensions/moonshot/provider-discovery.d.ts +1 -1
  493. package/dist/extensions/nvidia/index.d.ts +1 -1
  494. package/dist/extensions/oc-path/cli-metadata.d.ts +1 -1
  495. package/dist/extensions/oc-path/cli-registration.d.ts +1 -1
  496. package/dist/extensions/oc-path/index.d.ts +1 -1
  497. package/dist/extensions/ollama/api.d.ts +1 -1
  498. package/dist/extensions/ollama/index.d.ts +1 -1
  499. package/dist/extensions/ollama/provider-discovery.d.ts +1 -1
  500. package/dist/extensions/ollama/provider-policy-api.d.ts +1 -1
  501. package/dist/extensions/ollama/runtime-api.d.ts +1 -1
  502. package/dist/extensions/open-prose/index.d.ts +1 -1
  503. package/dist/extensions/open-prose/runtime-api.d.ts +2 -2
  504. package/dist/extensions/openai/api.d.ts +4 -4
  505. package/dist/extensions/openai/embedding-batch.d.ts +1 -1
  506. package/dist/extensions/openai/embedding-provider.d.ts +1 -1
  507. package/dist/extensions/openai/index.d.ts +1 -1
  508. package/dist/extensions/openai/memory-embedding-adapter.d.ts +1 -1
  509. package/dist/extensions/openai/openai-codex-oauth.runtime.d.ts +1 -1
  510. package/dist/extensions/openai/openai-codex-provider.d.ts +1 -1
  511. package/dist/extensions/openai/openai-provider.d.ts +1 -1
  512. package/dist/extensions/openai/prompt-overlay.d.ts +1 -1
  513. package/dist/extensions/openai/provider-contract-api.d.ts +1 -1
  514. package/dist/extensions/openai/provider-policy-api.d.ts +1 -1
  515. package/dist/extensions/openai/realtime-transcription-provider.d.ts +1 -1
  516. package/dist/extensions/openai/realtime-voice-provider.d.ts +1 -1
  517. package/dist/extensions/openai/register.runtime.d.ts +6 -6
  518. package/dist/extensions/openai/replay-policy.d.ts +1 -1
  519. package/dist/extensions/openai/setup-api.d.ts +1 -1
  520. package/dist/extensions/openai/shared.d.ts +3 -3
  521. package/dist/extensions/openai/speech-provider.d.ts +1 -1
  522. package/dist/extensions/openai/test-api.d.ts +3 -3
  523. package/dist/extensions/openai/thinking-policy.d.ts +1 -1
  524. package/dist/extensions/openai/transport-policy.d.ts +1 -1
  525. package/dist/extensions/opencode/index.d.ts +1 -1
  526. package/dist/extensions/opencode/provider-policy-api.d.ts +1 -1
  527. package/dist/extensions/opencode-go/index.d.ts +1 -1
  528. package/dist/extensions/opencode-go/provider-catalog.d.ts +1 -1
  529. package/dist/extensions/opencode-go/stream.d.ts +1 -1
  530. package/dist/extensions/openrouter/api.d.ts +1 -1
  531. package/dist/extensions/openrouter/index.d.ts +1 -1
  532. package/dist/extensions/openrouter/provider-contract-api.d.ts +1 -1
  533. package/dist/extensions/openrouter/provider-policy-api.d.ts +1 -1
  534. package/dist/extensions/openrouter/speech-provider.d.ts +1 -1
  535. package/dist/extensions/openrouter/stream.d.ts +1 -1
  536. package/dist/extensions/openrouter/test-api.d.ts +1 -1
  537. package/dist/extensions/openrouter/thinking-policy.d.ts +1 -1
  538. package/dist/extensions/openrouter/video-generation-provider.d.ts +1 -1
  539. package/dist/extensions/openrouter/video-model-catalog.d.ts +1 -1
  540. package/dist/extensions/perplexity/index.d.ts +1 -1
  541. package/dist/extensions/phone-control/index.d.ts +1 -1
  542. package/dist/extensions/phone-control/runtime-api.d.ts +2 -2
  543. package/dist/extensions/policy/api.js +1 -1
  544. package/dist/extensions/policy/index.d.ts +1 -1
  545. package/dist/extensions/policy/index.js +2 -2
  546. package/dist/extensions/qianfan/index.d.ts +1 -1
  547. package/dist/extensions/qwen/api.d.ts +1 -1
  548. package/dist/extensions/qwen/index.d.ts +1 -1
  549. package/dist/extensions/qwen/stream.d.ts +1 -1
  550. package/dist/extensions/qwen-dashscope/index.d.ts +1 -1
  551. package/dist/extensions/runway/index.d.ts +1 -1
  552. package/dist/extensions/searxng/index.d.ts +1 -1
  553. package/dist/extensions/senseaudio/index.d.ts +1 -1
  554. package/dist/extensions/sglang/index.d.ts +1 -1
  555. package/dist/extensions/signal/api.d.ts +2 -2
  556. package/dist/extensions/signal/api.js +6 -6
  557. package/dist/extensions/signal/channel-entry.d.ts +2 -2
  558. package/dist/extensions/signal/channel-plugin-api.d.ts +1 -1
  559. package/dist/extensions/signal/channel-plugin-api.js +1 -1
  560. package/dist/extensions/signal/index.d.ts +2 -2
  561. package/dist/extensions/signal/reaction-runtime-api.js +1 -1
  562. package/dist/extensions/signal/runtime-api.d.ts +6 -6
  563. package/dist/extensions/signal/runtime-api.js +7 -7
  564. package/dist/extensions/signal/setup-entry.d.ts +2 -2
  565. package/dist/extensions/skill-workshop/api.d.ts +2 -2
  566. package/dist/extensions/skill-workshop/api.js +1 -1
  567. package/dist/extensions/skill-workshop/index.d.ts +1 -1
  568. package/dist/extensions/skill-workshop/index.js +2 -2
  569. package/dist/extensions/speech-core/api.d.ts +3 -3
  570. package/dist/extensions/speech-core/runtime-api.d.ts +2 -2
  571. package/dist/extensions/stepfun/index.d.ts +1 -1
  572. package/dist/extensions/synthetic/index.d.ts +1 -1
  573. package/dist/extensions/talk-voice/api.d.ts +2 -2
  574. package/dist/extensions/talk-voice/index.d.ts +1 -1
  575. package/dist/extensions/tavily/index.d.ts +1 -1
  576. package/dist/extensions/telegram/account-inspect-api.js +1 -1
  577. package/dist/extensions/telegram/api.d.ts +4 -4
  578. package/dist/extensions/telegram/api.js +11 -11
  579. package/dist/extensions/telegram/channel-plugin-api.d.ts +2 -2
  580. package/dist/extensions/telegram/channel-plugin-api.js +2 -2
  581. package/dist/extensions/telegram/contract-api.d.ts +1 -1
  582. package/dist/extensions/telegram/contract-api.js +3 -3
  583. package/dist/extensions/telegram/index.d.ts +2 -2
  584. package/dist/extensions/telegram/runtime-api.d.ts +5 -5
  585. package/dist/extensions/telegram/runtime-api.js +7 -7
  586. package/dist/extensions/telegram/security-audit-contract-api.js +1 -1
  587. package/dist/extensions/telegram/setup-entry.d.ts +2 -2
  588. package/dist/extensions/telegram/setup-plugin-api.d.ts +1 -1
  589. package/dist/extensions/telegram/setup-plugin-api.js +1 -1
  590. package/dist/extensions/telegram/test-api.js +2 -2
  591. package/dist/extensions/tencent/index.d.ts +1 -1
  592. package/dist/extensions/tencent/provider-discovery.d.ts +1 -1
  593. package/dist/extensions/thread-ownership/api.d.ts +2 -2
  594. package/dist/extensions/thread-ownership/index.d.ts +1 -1
  595. package/dist/extensions/together/index.d.ts +1 -1
  596. package/dist/extensions/tokenjuice/index.d.ts +1 -1
  597. package/dist/extensions/tokenjuice/tool-result-middleware.d.ts +1 -1
  598. package/dist/extensions/tts-local-cli/index.d.ts +1 -1
  599. package/dist/extensions/tts-local-cli/speech-provider.d.ts +1 -1
  600. package/dist/extensions/venice/index.d.ts +1 -1
  601. package/dist/extensions/venice/stream.d.ts +1 -1
  602. package/dist/extensions/vercel-ai-gateway/index.d.ts +1 -1
  603. package/dist/extensions/vercel-ai-gateway/thinking.d.ts +1 -1
  604. package/dist/extensions/video-generation-core/api.d.ts +2 -2
  605. package/dist/extensions/video-generation-core/runtime-api.d.ts +1 -1
  606. package/dist/extensions/vllm/api.d.ts +1 -1
  607. package/dist/extensions/vllm/index.d.ts +1 -1
  608. package/dist/extensions/vllm/stream.d.ts +1 -1
  609. package/dist/extensions/volcengine/index.d.ts +1 -1
  610. package/dist/extensions/volcengine/provider-discovery.d.ts +1 -1
  611. package/dist/extensions/volcengine/speech-provider.d.ts +1 -1
  612. package/dist/extensions/voyage/embedding-batch.d.ts +1 -1
  613. package/dist/extensions/voyage/embedding-provider.d.ts +1 -1
  614. package/dist/extensions/voyage/index.d.ts +1 -1
  615. package/dist/extensions/voyage/memory-embedding-adapter.d.ts +1 -1
  616. package/dist/extensions/vydra/index.d.ts +1 -1
  617. package/dist/extensions/vydra/speech-provider.d.ts +1 -1
  618. package/dist/extensions/web-readability/index.d.ts +1 -1
  619. package/dist/extensions/webhooks/api.d.ts +2 -2
  620. package/dist/extensions/webhooks/api.js +1 -1
  621. package/dist/extensions/webhooks/index.d.ts +1 -1
  622. package/dist/extensions/webhooks/index.js +1 -1
  623. package/dist/extensions/webhooks/runtime-api.d.ts +1 -1
  624. package/dist/extensions/xai/api.d.ts +1 -1
  625. package/dist/extensions/xai/index.d.ts +1 -1
  626. package/dist/extensions/xai/index.js +4 -4
  627. package/dist/extensions/xai/provider-contract-api.d.ts +1 -1
  628. package/dist/extensions/xai/provider-discovery.d.ts +1 -1
  629. package/dist/extensions/xai/provider-models.d.ts +1 -1
  630. package/dist/extensions/xai/provider-policy-api.d.ts +1 -1
  631. package/dist/extensions/xai/realtime-transcription-provider.d.ts +1 -1
  632. package/dist/extensions/xai/realtime-transcription-provider.js +1 -1
  633. package/dist/extensions/xai/setup-api.d.ts +1 -1
  634. package/dist/extensions/xai/speech-provider.d.ts +1 -1
  635. package/dist/extensions/xai/speech-provider.js +1 -1
  636. package/dist/extensions/xai/stream.d.ts +1 -1
  637. package/dist/extensions/xai/test-api.js +1 -1
  638. package/dist/extensions/xai/tts.js +1 -1
  639. package/dist/extensions/xai/web-search.js +1 -1
  640. package/dist/extensions/xai/xai-oauth.d.ts +1 -1
  641. package/dist/extensions/xai/xai-oauth.js +1 -1
  642. package/dist/extensions/xiaomi/index.d.ts +1 -1
  643. package/dist/extensions/xiaomi/speech-provider.d.ts +1 -1
  644. package/dist/extensions/xiaomi/stream.d.ts +1 -1
  645. package/dist/extensions/xiaomi/thinking.d.ts +1 -1
  646. package/dist/extensions/zai/index.d.ts +1 -1
  647. package/dist/file-fetch-tool-QFQ7QZQ9.js +124 -0
  648. package/dist/file-write-tool-znIJ5MOE.js +127 -0
  649. package/dist/format-B3nq4sfa.js +1145 -0
  650. package/dist/gateway/protocol/index.d.ts +1 -1
  651. package/dist/gateway-cli-D5nQafQi.js +435 -0
  652. package/dist/gateway-method-runtime-BXmOAMxN.js +21 -0
  653. package/dist/gateway-runtime-BRfyNjsE.d.ts +163 -0
  654. package/dist/gemini-cli-provider-2RAshvHZ.d.ts +6 -0
  655. package/dist/get-reply-DZK53szF.js +4689 -0
  656. package/dist/get-reply-from-config.runtime-Kx4GwLAA.js +2 -0
  657. package/dist/get-reply-from-config.runtime.js +1 -1
  658. package/dist/graph-users-CNpoBMLI.js +1419 -0
  659. package/dist/group-access-B-lpiIoP.js +112 -0
  660. package/dist/handle-action.guild-admin-D7AInszH.js +288 -0
  661. package/dist/harness-BPTKe2TG.js +61 -0
  662. package/dist/health-BkXVkm2H.js +4 -0
  663. package/dist/heartbeat-runner-Dbddl21A.js +5 -0
  664. package/dist/heartbeat-runner.runtime-CDmb7D-Q.js +4 -0
  665. package/dist/heartbeat-runner.runtime.js +1 -1
  666. package/dist/hooks-90WH7Tva.js +534 -0
  667. package/dist/http-registry-DydRvucX.d.ts +23 -0
  668. package/dist/image-generation-runtime-CYSxJAy2.d.ts +21 -0
  669. package/dist/inbound-direct-dm-runtime-bXneq4t0.js +2 -0
  670. package/dist/inbound-reply-dispatch-BVzOSvZX.js +148 -0
  671. package/dist/index-BFhfE749.d.ts +3971 -0
  672. package/dist/index.js +1 -1
  673. package/dist/init-DWgLcXq7.js +59 -0
  674. package/dist/inline-buttons-DtcEDZIV.js +40 -0
  675. package/dist/interactive-dispatch-CNUK2pZt.d.ts +56 -0
  676. package/dist/interactive-dispatch-DuuOPzwD.d.ts +143 -0
  677. package/dist/internal-events-D3SdlwzM.js +90 -0
  678. package/dist/isolated-agent-B9qCvLC4.js +1118 -0
  679. package/dist/isolated-agent-DaBWyrzI.js +2 -0
  680. package/dist/lifecycle-CfcTMzLT.js +571 -0
  681. package/dist/list.probe-aXBUfusA.js +449 -0
  682. package/dist/list.status-command-xrFMny0R.js +789 -0
  683. package/dist/llm-slug-generator-D5FE5osT.js +78 -0
  684. package/dist/llm-slug-generator.js +1 -1
  685. package/dist/loader-BKopCdPY.d.ts +142 -0
  686. package/dist/local-dispatch.runtime-0dOK_rcW.js +9 -0
  687. package/dist/local-dispatch.runtime.js +1 -1
  688. package/dist/manager-BrS--u6G.d.ts +356 -0
  689. package/dist/manager.runtime-pUdntZ2i.js +2714 -0
  690. package/dist/manager.runtime.js +1 -1
  691. package/dist/markdown-to-line-Cv0Gm132.js +811 -0
  692. package/dist/mcp-http-CaliRokB.js +555 -0
  693. package/dist/mcp-http-Dgcmuypw.js +2 -0
  694. package/dist/media-understanding-provider-Cu7iRaWL.js +339 -0
  695. package/dist/memory-core-host-engine-storage-DsNomsw4.d.ts +54 -0
  696. package/dist/memory-embedding-adapter-Ba-UYpWr.d.ts +5 -0
  697. package/dist/message-actions-BBiWyHuJ.js +145 -0
  698. package/dist/message-handler-VnxCCjy7.js +384 -0
  699. package/dist/message-handler-dNRhdkX3.js +1715 -0
  700. package/dist/message-handler.preflight-CREgYCNj.js +1125 -0
  701. package/dist/message-handler.process-DN93vvas.js +1484 -0
  702. package/dist/migration-DOuQeJ7P.d.ts +45 -0
  703. package/dist/model-Bp-W7fVB.js +74 -0
  704. package/dist/model-eEpAu59T.d.ts +33 -0
  705. package/dist/model-selection-CXTwfi0m.js +272 -0
  706. package/dist/models-BF1vdgHr.js +2 -0
  707. package/dist/models-DepHj1G3.d.ts +24 -0
  708. package/dist/models-DvbokHz4.js +104 -0
  709. package/dist/models-cli-B_zT7frv.js +256 -0
  710. package/dist/monitor-BoW4qfGV.js +834 -0
  711. package/dist/monitor-Bs8KSKu7.js +60 -0
  712. package/dist/monitor-DHgHadUx.js +1370 -0
  713. package/dist/monitor-DX7Ya0rb.js +715 -0
  714. package/dist/monitor-DlzBuqhN.js +2788 -0
  715. package/dist/monitor-DnzcdtYh.js +1657 -0
  716. package/dist/monitor-DwwFCaSy.js +4377 -0
  717. package/dist/monitor-auth-BRF9yj8s.js +179 -0
  718. package/dist/monitor-m5zwJU51.js +2 -0
  719. package/dist/monitor-polling.runtime-DXMM7v9c.js +883 -0
  720. package/dist/monitor-polling.runtime.js +1 -1
  721. package/dist/monitor-webhook.runtime-vNDAo7Yq.js +387 -0
  722. package/dist/monitor-webhook.runtime.js +1 -1
  723. package/dist/monitor.account-DT1JC2fm.js +5233 -0
  724. package/dist/monitor.runtime-BUw4UbJN.js +2 -0
  725. package/dist/monitor.runtime.js +1 -1
  726. package/dist/monitor.webhook-IBx7ZFi4.js +180 -0
  727. package/dist/node-cli-sessions-BJW0oB3s.js +1228 -0
  728. package/dist/openai-codex-provider-LwMbKOK1.d.ts +5 -0
  729. package/dist/openai-http-BX-DFq23.js +824 -0
  730. package/dist/openai-provider-F0nEHs4l.d.ts +5 -0
  731. package/dist/openresponses-http-BN6ztKxO.js +1173 -0
  732. package/dist/operations-DmaD-gxv.js +805 -0
  733. package/dist/outbound-adapter-v9Q4K2Bl.js +543 -0
  734. package/dist/outbound-session-route-BxhErAps.js +45 -0
  735. package/dist/outbound.runtime-ClUOK-Ir.js +2 -0
  736. package/dist/outbound.runtime.js +1 -1
  737. package/dist/pi-embedded-CG0u988w.js +4 -0
  738. package/dist/pi-embedded-D7UoOQFj.js +3796 -0
  739. package/dist/pi-embedded.runtime-CKNVJdm9.js +4 -0
  740. package/dist/pi-embedded.runtime.js +1 -1
  741. package/dist/pi-tools-DP7eGHq-.js +2413 -0
  742. package/dist/plan-BD5JNOvV.js +81 -0
  743. package/dist/plan-BSDlELnX.js +112 -0
  744. package/dist/plugin-4bygXnMD.js +12396 -0
  745. package/dist/plugin-BW5kVZrl.d.ts +17 -0
  746. package/dist/plugin-app-cache-key-BfaJYLXl.js +46 -0
  747. package/dist/plugin-enabled-44kWBMek.js +233 -0
  748. package/dist/plugin-entry-oVFfOYI7.d.ts +47 -0
  749. package/dist/plugin-registration-DoD5ARyg.js +88 -0
  750. package/dist/plugin-runtime-Bx8TuYU5.d.ts +117 -0
  751. package/dist/plugin-sdk/.boundary-entry-shims.stamp +1 -1
  752. package/dist/plugin-sdk/acp-runtime-backend.js +1 -1
  753. package/dist/plugin-sdk/acp-runtime.js +2 -2
  754. package/dist/plugin-sdk/agent-harness-runtime.js +6 -6
  755. package/dist/plugin-sdk/agent-harness-task-runtime.js +1 -1
  756. package/dist/plugin-sdk/agent-harness.js +7 -7
  757. package/dist/plugin-sdk/agent-runtime.js +2 -2
  758. package/dist/plugin-sdk/channel-core.js +2 -2
  759. package/dist/plugin-sdk/channel-inbound.js +2 -2
  760. package/dist/plugin-sdk/channel-test-helpers.js +1 -1
  761. package/dist/plugin-sdk/command-auth.js +1 -1
  762. package/dist/plugin-sdk/command-status-runtime.js +1 -1
  763. package/dist/plugin-sdk/compat.js +1 -1
  764. package/dist/plugin-sdk/conversation-binding-runtime.js +2 -2
  765. package/dist/plugin-sdk/conversation-runtime.js +3 -3
  766. package/dist/plugin-sdk/core.js +2 -2
  767. package/dist/plugin-sdk/direct-dm.js +1 -1
  768. package/dist/plugin-sdk/gateway-method-runtime.js +1 -1
  769. package/dist/plugin-sdk/health.js +2 -2
  770. package/dist/plugin-sdk/inbound-reply-dispatch.js +1 -1
  771. package/dist/plugin-sdk/index.js +1 -1
  772. package/dist/plugin-sdk/mattermost.js +1 -1
  773. package/dist/plugin-sdk/plugin-test-contracts.js +2 -2
  774. package/dist/plugin-sdk/provider-test-contracts.js +4 -4
  775. package/dist/plugin-sdk/reply-runtime.js +4 -4
  776. package/dist/plugin-sdk/testing.js +2 -2
  777. package/dist/plugin-sdk/zalouser.js +1 -1
  778. package/dist/plugin-service-CJqwjPRa.js +1229 -0
  779. package/dist/plugin-service-W6IMgQjk.d.ts +24 -0
  780. package/dist/plugins/build-smoke-entry.d.ts +2 -2
  781. package/dist/plugins/loader.d.ts +1 -1
  782. package/dist/plugins/provider-discovery.runtime.d.ts +1 -1
  783. package/dist/plugins/provider-runtime.runtime.d.ts +1 -1
  784. package/dist/plugins/runtime/index.js +4 -4
  785. package/dist/policy-C2YDmnm2.js +138 -0
  786. package/dist/policy-CYBwtJmM.js +680 -0
  787. package/dist/prepare.runtime-B9SQyzSp.js +732 -0
  788. package/dist/prepare.runtime.js +1 -1
  789. package/dist/preview-warnings-DkMoGKdo.js +392 -0
  790. package/dist/probe-BYucGf4s.js +682 -0
  791. package/dist/probe-D8YoJ89r.js +2204 -0
  792. package/dist/probe-DKinNcah.js +47 -0
  793. package/dist/probe-DSYRrw81.js +2 -0
  794. package/dist/program-MtNU1_sG.js +131 -0
  795. package/dist/prompt-overlay-CaXYKmjI.d.ts +23 -0
  796. package/dist/provider-26ZZeAkw.js +32 -0
  797. package/dist/provider-BtNK1WFZ.js +8735 -0
  798. package/dist/provider-CfJzlnOm.js +32 -0
  799. package/dist/provider-Dl-E4_a8.js +152 -0
  800. package/dist/provider-api-key-auth-DOu4GJBt.d.ts +27 -0
  801. package/dist/provider-auth-result-CO9yqIJ_.d.ts +21 -0
  802. package/dist/provider-catalog-runtime-f_87intf.d.ts +23 -0
  803. package/dist/provider-catalog-shared-CXZnqdym.d.ts +62 -0
  804. package/dist/provider-dispatcher-CAaa54DQ.js +22 -0
  805. package/dist/provider-dispatcher.runtime.js +1 -1
  806. package/dist/provider-hook-runtime-o2J0hqhZ.d.ts +61 -0
  807. package/dist/provider-model-shared-CsZtXE0W.d.ts +143 -0
  808. package/dist/provider-models-BbjvK4gF.d.ts +12 -0
  809. package/dist/provider-policy-BwZykYqb.d.ts +30 -0
  810. package/dist/provider-registration-CytP1d9Y.d.ts +6 -0
  811. package/dist/provider-registry-Ct1dA5S3.d.ts +8 -0
  812. package/dist/provider-registry-DgEFqiK2.d.ts +30 -0
  813. package/dist/provider-registry-Dilmwbu_.d.ts +8 -0
  814. package/dist/provider-runtime-ChO01VYW.d.ts +359 -0
  815. package/dist/provider-self-hosted-setup-DCeKR5ZH.d.ts +74 -0
  816. package/dist/provider-session.runtime-DDMGL25I.js +9 -0
  817. package/dist/provider-session.runtime.js +1 -1
  818. package/dist/provider-stream-CrWY0s8C.d.ts +140 -0
  819. package/dist/provider-stream-shared-CgnrFxMf.d.ts +128 -0
  820. package/dist/provider.runtime-CUdlREry.js +2 -0
  821. package/dist/provider.runtime.js +1 -1
  822. package/dist/providers.runtime-CiX4UePR.d.ts +25 -0
  823. package/dist/public-surface-loader-iYUvHxzC.js +114 -0
  824. package/dist/pw-ai-DQjpZTSa.js +3029 -0
  825. package/dist/pw-role-snapshot-DgavoGdC.js +333 -0
  826. package/dist/reaction-level-uiCaLj0m.js +19 -0
  827. package/dist/reaction-runtime-api-ErmZKqXv.js +116 -0
  828. package/dist/realtime-transcription-abdbHd8R.d.ts +43 -0
  829. package/dist/realtime-transcription-provider-CPK7XYp9.d.ts +5 -0
  830. package/dist/realtime-transcription-provider-DC2AscwX.d.ts +32 -0
  831. package/dist/realtime-transcription-provider-Dg5t03mY.d.ts +28 -0
  832. package/dist/realtime-transcription-provider-UesXbEwy.d.ts +37 -0
  833. package/dist/realtime-transcription-provider-tLRMgcYk.js +205 -0
  834. package/dist/realtime-voice-D1aiUBBt.d.ts +333 -0
  835. package/dist/realtime-voice-provider-D5DZsLRA.d.ts +5 -0
  836. package/dist/register-DxldPhbz.js +2178 -0
  837. package/dist/register.agent-B9171wFk.js +156 -0
  838. package/dist/register.crestodian-plvra03q.js +24 -0
  839. package/dist/register.maintenance-BLH-PhXR.js +105 -0
  840. package/dist/register.runtime-CAW8ORTZ.d.ts +6 -0
  841. package/dist/register.runtime-CnuNQn65.js +54 -0
  842. package/dist/register.subclis-C9TqTF1g.js +3 -0
  843. package/dist/register.subclis-core-B4RLAWNE.js +273 -0
  844. package/dist/register.subclis-zvycA0fS.js +31 -0
  845. package/dist/registry-paAkM8At.d.ts +91 -0
  846. package/dist/registry-types-DSJvRhBP.d.ts +392 -0
  847. package/dist/repair-sequencing-3Q95ftKn.js +640 -0
  848. package/dist/reply-delivery-BYtyofYM.js +196 -0
  849. package/dist/reply-runtime-P6EiRGYz.js +11 -0
  850. package/dist/reply.runtime-Kx4GwLAA.js +2 -0
  851. package/dist/reply.runtime.js +1 -1
  852. package/dist/request-B8_J1Hk5.js +54 -0
  853. package/dist/resolve-allowlist-BHhr7pGG.js +220 -0
  854. package/dist/result-fallback-classifier-v1BgnJLN.js +79 -0
  855. package/dist/route-Dl0ZJvrW.js +469 -0
  856. package/dist/route-resolution-mVRyzqn_.js +274 -0
  857. package/dist/routes-B8uiTXHO.js +3602 -0
  858. package/dist/routes-Bjw1nWyB.js +2 -0
  859. package/dist/run-attempt-DKRsY7Xs.js +7704 -0
  860. package/dist/run-command-Bs2y31Ew.js +2 -0
  861. package/dist/run-command-CBDF_cGB.js +23 -0
  862. package/dist/run-embedded.runtime-2GWQN_Qf.js +4 -0
  863. package/dist/run-embedded.runtime.js +1 -1
  864. package/dist/run-execution-cli.runtime-BEXMdwL2.js +4 -0
  865. package/dist/run-execution-cli.runtime.js +1 -1
  866. package/dist/run-executor.runtime.js +1 -1
  867. package/dist/run-rMTtvEMF.js +1163 -0
  868. package/dist/run-subagent-registry.runtime-CBmgh09W.js +2 -0
  869. package/dist/run-subagent-registry.runtime.js +1 -1
  870. package/dist/runtime-DFBt4ZZw.js +1287 -0
  871. package/dist/runtime-DQV1yYF5.js +6179 -0
  872. package/dist/runtime-api-B6S-7TVS.js +3 -0
  873. package/dist/runtime-api-BLV9PO47.js +24 -0
  874. package/dist/runtime-api-BX1AvShq.js +17 -0
  875. package/dist/runtime-api-BnN22IWf.js +13 -0
  876. package/dist/runtime-api-BsmZgGnI.js +21 -0
  877. package/dist/runtime-api-CJ6x4Uuu.js +13 -0
  878. package/dist/runtime-api-DTdQMFV-.d.ts +3151 -0
  879. package/dist/runtime-api-DXCKXAYu.js +4 -0
  880. package/dist/runtime-api.actions-C9Jtoruo.js +3 -0
  881. package/dist/runtime-api.monitor-slWfxEgT.js +6 -0
  882. package/dist/runtime-api.send-D_auPJG_.js +4 -0
  883. package/dist/runtime-api.threads-BWzc1vrN.js +2 -0
  884. package/dist/runtime-channel-BOnbxldg.js +2 -0
  885. package/dist/runtime-channel-Dh45Bl_Q.js +150 -0
  886. package/dist/runtime-embedded-pi.runtime-BVjCGIqB.js +2 -0
  887. package/dist/runtime-embedded-pi.runtime.js +1 -1
  888. package/dist/runtime-hYOWxRKE.js +438 -0
  889. package/dist/runtime-taskflow-BYZsMg1i.d.ts +435 -0
  890. package/dist/sanitize-outbound-CP-twYgG.js +127 -0
  891. package/dist/sdk-setup-tools-Cfh-ATXD.js +8 -0
  892. package/dist/secrets-DcQ7WBB-.js +113 -0
  893. package/dist/security-audit-CwMh7ULQ.js +118 -0
  894. package/dist/security-audit-yRC5cfp1.js +122 -0
  895. package/dist/security-audit.runtime-COitYvaV.js +2 -0
  896. package/dist/security-audit.runtime.js +1 -1
  897. package/dist/selection-C_swgArS.js +3 -0
  898. package/dist/selection-Cud_xC6-.js +16157 -0
  899. package/dist/send-BXTj6QIe.js +143 -0
  900. package/dist/send-Be-rQ3Py.js +1631 -0
  901. package/dist/send-DrSo2pTm.js +192 -0
  902. package/dist/send-un_jKNYG.js +2 -0
  903. package/dist/send.components-C0ugXCvj.js +500 -0
  904. package/dist/send.components-CaHcQCve.js +2 -0
  905. package/dist/send.runtime-CcGjdPIe.js +2 -0
  906. package/dist/send.runtime.js +1 -1
  907. package/dist/server-Belw8J0P.js +24 -0
  908. package/dist/server-CbbbWl0g.js +73 -0
  909. package/dist/server-close.runtime.d.ts +1 -1
  910. package/dist/server-close.runtime.js +1 -1
  911. package/dist/server-context-D5PPz4pG.js +955 -0
  912. package/dist/server-context-DfiZrO39.js +2 -0
  913. package/dist/server-cron-B4uqojsc.js +2989 -0
  914. package/dist/server-cron-D5ofhC2R.js +2 -0
  915. package/dist/server-methods-BtrFcSCY.js +16499 -0
  916. package/dist/server-node-events-B7f6W47S.js +596 -0
  917. package/dist/server-plugin-bootstrap-CldF7ied.js +70 -0
  918. package/dist/server-plugins-BkRL48_Y.js +432 -0
  919. package/dist/server-reload-handlers-CmD463eg.js +714 -0
  920. package/dist/server-restart-sentinel-1-GltJOW.js +2 -0
  921. package/dist/server-restart-sentinel-BAc6ad7u.js +747 -0
  922. package/dist/server-runtime-services-DdDWPwwJ.js +2 -0
  923. package/dist/server-runtime-services-q4vtzdgR.js +267 -0
  924. package/dist/server-startup-plugins-RDIvIW1b.js +113 -0
  925. package/dist/server-startup-post-attach-B-Bcz1b8.js +716 -0
  926. package/dist/server-ws-runtime-ClfNa1gj.js +349 -0
  927. package/dist/server.impl-5A5eWz1g.js +2587 -0
  928. package/dist/service-BIi_LAz_.js +1446 -0
  929. package/dist/session-binding-DxgaaGZ8.js +219 -0
  930. package/dist/session-binding-SoSof-ir.js +2 -0
  931. package/dist/session-kill-http-CpA7WXXP.js +121 -0
  932. package/dist/session-reset-service-MBceWYbr.js +625 -0
  933. package/dist/session-route-SMerc1ZF.js +93 -0
  934. package/dist/session-status.runtime-C1MOnm-1.js +2 -0
  935. package/dist/session-status.runtime.js +1 -1
  936. package/dist/session-subagent-reactivation.runtime-Cca41-p8.js +2 -0
  937. package/dist/session-subagent-reactivation.runtime.js +1 -1
  938. package/dist/session-tab-registry-BL8A9tMR.js +521 -0
  939. package/dist/sessions-history-http-Cb21uPHU.js +430 -0
  940. package/dist/sessions.runtime-ClHkmNrd.js +2 -0
  941. package/dist/sessions.runtime.js +1 -1
  942. package/dist/setup-api-CwKuO7ZG.js +29 -0
  943. package/dist/setup-core-C8_XbMIV.js +174 -0
  944. package/dist/setup-surface-B3m7rAoM.js +405 -0
  945. package/dist/setup-surface-BstaBVou.js +320 -0
  946. package/dist/setup-surface-C5L8UmIu.js +221 -0
  947. package/dist/setup-surface-DwijXcOh.js +288 -0
  948. package/dist/shared-DdLk0hA6.d.ts +115 -0
  949. package/dist/shared-DemthgnG.js +121 -0
  950. package/dist/shared-client-CLvetNfK.js +2 -0
  951. package/dist/shared-client-CR88Qth4.js +629 -0
  952. package/dist/side-question-BKRlgFVG.js +683 -0
  953. package/dist/simple-completion-runtime-D3vYpwbZ.d.ts +73 -0
  954. package/dist/skill-tool-dispatch.runtime-Bsz4SNiK.js +143 -0
  955. package/dist/skill-tool-dispatch.runtime.js +1 -1
  956. package/dist/slash-state-Cbb2tkH9.js +2166 -0
  957. package/dist/speech-Cf7RmLix.d.ts +47 -0
  958. package/dist/speech-core-BWd27MY5.d.ts +36 -0
  959. package/dist/speech-provider-Csdu9pW1.d.ts +5 -0
  960. package/dist/speech-provider-D4v4Jv2s.d.ts +34 -0
  961. package/dist/speech-provider-Dj7nG9do.d.ts +5 -0
  962. package/dist/speech-provider-DnyUKHSU.d.ts +5 -0
  963. package/dist/speech-provider-MoJPg1gB.d.ts +8 -0
  964. package/dist/speech-provider-hT52upCX.d.ts +8 -0
  965. package/dist/speech-provider-hqhi426N.js +184 -0
  966. package/dist/src-wxYdKry6.js +4256 -0
  967. package/dist/startup-context-CidK9XK8.js +313 -0
  968. package/dist/status-subagents.runtime-DgYNfrbK.js +18 -0
  969. package/dist/status-subagents.runtime.js +1 -1
  970. package/dist/status-text-w43pGoDJ.js +296 -0
  971. package/dist/sticker-cache-BdIkkDGC.js +206 -0
  972. package/dist/sticker-vision.runtime-bmccn4BW.js +17 -0
  973. package/dist/sticker-vision.runtime.js +1 -1
  974. package/dist/stream-BVr9Y5Fk.d.ts +19 -0
  975. package/dist/stream-C5ugQLbM.d.ts +10 -0
  976. package/dist/stream-CDDV9-Wq.d.ts +5 -0
  977. package/dist/stream-D3ZhJVM7.d.ts +16 -0
  978. package/dist/stream-Dhh55ncO.d.ts +120 -0
  979. package/dist/stream-wrappers-PZu4IPG2.d.ts +21 -0
  980. package/dist/subagent-announce-Cig5R7bU.js +354 -0
  981. package/dist/subagent-announce-delivery-DElem-jW.js +958 -0
  982. package/dist/subagent-control-Dx1qbt2M.js +508 -0
  983. package/dist/subagent-hooks-03ne_B1P.js +2 -0
  984. package/dist/subagent-hooks-BW4tdl1N.js +116 -0
  985. package/dist/subagent-hooks-BdADgqQH.js +2 -0
  986. package/dist/subagent-hooks-D5ZUfS0C.js +146 -0
  987. package/dist/subagent-hooks-DKEWsBSa.js +230 -0
  988. package/dist/subagent-hooks-api-BNJpIv9Q.js +23 -0
  989. package/dist/subagent-hooks-api-BXE-a9iQ.js +22 -0
  990. package/dist/subagent-hooks-api-w7wOpXSR.js +23 -0
  991. package/dist/subagent-hooks-kf263oYw.js +2 -0
  992. package/dist/subagent-orphan-recovery-TGLIuI1K.js +352 -0
  993. package/dist/subagent-registry-Bai39rEv.js +3 -0
  994. package/dist/subagent-registry-vgjMT_I1.js +2351 -0
  995. package/dist/subagent-registry.runtime.js +1 -1
  996. package/dist/subagent-session-cleanup-PEEQtuLS.js +525 -0
  997. package/dist/subagent-spawn-2TTDQg5Y.js +1164 -0
  998. package/dist/target-id-BgSzF2Lk.js +107 -0
  999. package/dist/targets-Bd9-WGJt.js +19 -0
  1000. package/dist/targets-CdiGPFGr.d.ts +10 -0
  1001. package/dist/targets-DxKwMzNB.js +44 -0
  1002. package/dist/targets-DzdYRUSR.js +19 -0
  1003. package/dist/targets-ZJ1ZRt5L.d.ts +10 -0
  1004. package/dist/task-registry-control.runtime.js +1 -1
  1005. package/dist/telegram/token.js +1 -1
  1006. package/dist/testing-B6jLjq4r.js +267 -0
  1007. package/dist/thinking-policy-CAsew9b-.d.ts +5 -0
  1008. package/dist/thread-bindings-BumrOVO8.js +571 -0
  1009. package/dist/thread-bindings-C4yc8CZT.js +228 -0
  1010. package/dist/thread-bindings-Dkeit03N.js +8 -0
  1011. package/dist/thread-bindings-FVOv7g2T.js +232 -0
  1012. package/dist/thread-bindings.discord-api-D83vw86t.js +187 -0
  1013. package/dist/thread-bindings.manager-DEqfX4rc.js +2 -0
  1014. package/dist/thread-bindings.manager-LOMmQ1pN.js +536 -0
  1015. package/dist/thread-lifecycle-CGFgul5c.js +1614 -0
  1016. package/dist/token-CoB7XxKt.js +134 -0
  1017. package/dist/tool-CIfIAkxV.js +139 -0
  1018. package/dist/tool-actions.runtime-BrVxKuRd.js +534 -0
  1019. package/dist/tool-actions.runtime.js +1 -1
  1020. package/dist/tool-plugin-B18esZUX.d.ts +77 -0
  1021. package/dist/tool-resolution-BWdOXsX0.js +149 -0
  1022. package/dist/tool-split-_O9ZqSIU.d.ts +19 -0
  1023. package/dist/tools-effective-inventory-CW8_FJBN.js +204 -0
  1024. package/dist/tools-invoke-http-CYJCHpxL.js +67 -0
  1025. package/dist/tools-invoke-shared-SnaEXvuz.js +200 -0
  1026. package/dist/transport-stream-Piw1coFu.d.ts +42 -0
  1027. package/dist/tts-5p3qPz-P.js +66 -0
  1028. package/dist/tui-BYTSFA_c.js +4709 -0
  1029. package/dist/tui-LOGspKbe.js +2 -0
  1030. package/dist/tui-backend-C8nbqNLo.js +256 -0
  1031. package/dist/tui-cli-C91LywYY.js +37 -0
  1032. package/dist/types--mFsqUEV.d.ts +786 -0
  1033. package/dist/types-CcjGrBF52.d.ts +3650 -0
  1034. package/dist/types.public-rJrhXChy.d.ts +70 -0
  1035. package/dist/update-cli-DZuYe1aX.js +3665 -0
  1036. package/dist/update-global-ucSOAIga.js +606 -0
  1037. package/dist/update-runner-2pS-KlSn.js +1798 -0
  1038. package/dist/video-generation-runtime-CA2LiNwu.d.ts +21 -0
  1039. package/dist/video-model-catalog-BJ9GJKrw.d.ts +16 -0
  1040. package/dist/vision-tools-mJMJD3Yw.js +1409 -0
  1041. package/dist/web-search-BZgc3DQT.js +62 -0
  1042. package/dist/web-search-provider.runtime-BgoF9yna.js +328 -0
  1043. package/dist/web-search-provider.runtime-D1lmfAbp.js +2 -0
  1044. package/dist/web-search-provider.runtime.js +1 -1
  1045. package/dist/webhook-targets-B_syT8-q.d.ts +99 -0
  1046. package/dist/xai-oauth-B-LPhpsk.js +479 -0
  1047. package/dist/xai-user-agent-B0F4Hyt5.js +32 -0
  1048. package/dist/zod-schema.core-Bwbyyd_y.d.ts +166 -0
  1049. package/npm-shrinkwrap.json +2 -2
  1050. package/package.json +1 -1
  1051. package/dist/abort-BtS5AfJG.js +0 -277
  1052. package/dist/abort.runtime-D211494J.js +0 -2
  1053. package/dist/account-inspect-BqAxH1Q_.js +0 -173
  1054. package/dist/accounts-2VYKksau.js +0 -107
  1055. package/dist/accounts-B6aVCtty.js +0 -119
  1056. package/dist/accounts-CE6mvWMC.js +0 -2
  1057. package/dist/accounts-eprn8x0M.js +0 -107
  1058. package/dist/acp-runtime-C_0NA0CS.js +0 -26
  1059. package/dist/acp-spawn-CTmucfK5.js +0 -2
  1060. package/dist/acp-spawn-DcTgPZQB.js +0 -1275
  1061. package/dist/acp-stateful-target-driver-DVWNxIEX.js +0 -89
  1062. package/dist/action-kill-C6NRFglx.js +0 -33
  1063. package/dist/action-runtime-BaKOu7uV.js +0 -469
  1064. package/dist/action-runtime-api-QC43ZgvC.js +0 -2
  1065. package/dist/action-send-B790BH2g.js +0 -39
  1066. package/dist/action-spawn-Dgf97JGp.js +0 -47
  1067. package/dist/actions-DhY0Hqxd.js +0 -161
  1068. package/dist/actions.runtime-BfdjoY4f.js +0 -5
  1069. package/dist/agent-C1VC8waN.js +0 -3
  1070. package/dist/agent-DuLat04d.js +0 -2
  1071. package/dist/agent-command-BQ2JuYpP.js +0 -1367
  1072. package/dist/agent-components.runtime-BskyK1iq.js +0 -10
  1073. package/dist/agent-harness-Bt_1zRJ1.d.ts +0 -146
  1074. package/dist/agent-harness-runtime-CsWVHhWd.d.ts +0 -691
  1075. package/dist/agent-harness-runtime-l4d66klL.js +0 -180
  1076. package/dist/agent-harness-task-runtime-D5vhG7mw.js +0 -140
  1077. package/dist/agent-runner-execution-DKJ7YE9g.js +0 -1713
  1078. package/dist/agent-runner-utils-BOJEvwHI.js +0 -266
  1079. package/dist/agent-runner.runtime-BAC7XlZX.js +0 -3455
  1080. package/dist/agent-runtime-D8J3kngS.js +0 -229
  1081. package/dist/agent-via-gateway-BPZeOgET.js +0 -463
  1082. package/dist/api-2J3KsQlI.js +0 -2
  1083. package/dist/api-BNZFdrOx.js +0 -639
  1084. package/dist/api-CQY8p5l4.js +0 -134
  1085. package/dist/api-CdIYfiOh.js +0 -3
  1086. package/dist/api-D5uGvU4G.d.ts +0 -52
  1087. package/dist/api-DaLfnqrr.js +0 -2
  1088. package/dist/api-DzpDMEqm.js +0 -6
  1089. package/dist/apply-DTkOJDSZ.js +0 -54
  1090. package/dist/apply-DY6Ov6qF.js +0 -41
  1091. package/dist/approval-handler.runtime-9W6kSKLn.js +0 -130
  1092. package/dist/assistant-D338eQWk.js +0 -291
  1093. package/dist/attachment-normalize-BaGndElX.js +0 -225
  1094. package/dist/attempt-execution-aOkjnMht.js +0 -558
  1095. package/dist/attempt-execution.runtime-lKPuGjsg.js +0 -3
  1096. package/dist/attempt-execution.shared-lwEBnvQR.js +0 -38
  1097. package/dist/attempt.prompt-helpers-BVDwNazv.js +0 -475
  1098. package/dist/attempt.tool-run-context-DXgP_TxW.js +0 -2094
  1099. package/dist/binding-routing-CA-u9MaB.js +0 -113
  1100. package/dist/binding-targets-SGf9XyYl.js +0 -121
  1101. package/dist/bot-C0uHsCiq.js +0 -7894
  1102. package/dist/bot-deps-CfqgukPx.js +0 -747
  1103. package/dist/bot-deps-D0dGR0Um.js +0 -2
  1104. package/dist/bot-message-context.runtime-aqONyuCb.js +0 -7
  1105. package/dist/bot-message-context.session.runtime-CYJpmbne.js +0 -12
  1106. package/dist/bot-native-commands.delivery.runtime-DjCvDhXo.js +0 -4
  1107. package/dist/bot-native-commands.runtime-CNDOgqnt.js +0 -13
  1108. package/dist/bridge-server-DX39VTjh.js +0 -113
  1109. package/dist/browser-cli-BM0neIBN.js +0 -2
  1110. package/dist/browser-cli-TjkCzsOd.js +0 -230
  1111. package/dist/browser-cli-actions-input-Crdngwmz.js +0 -473
  1112. package/dist/browser-cli-actions-observe-CR0DTzDP.js +0 -81
  1113. package/dist/browser-cli-debug-CC9OYHxx.js +0 -137
  1114. package/dist/browser-cli-inspect-DVWu-CO3.js +0 -104
  1115. package/dist/browser-cli-manage-BfSgA18U.js +0 -443
  1116. package/dist/browser-cli-resize-ddNFsnFm.js +0 -26
  1117. package/dist/browser-cli-shared-B_5TDXXY.js +0 -50
  1118. package/dist/browser-cli-state-CnLWkvHn.js +0 -337
  1119. package/dist/browser-control-auth-1gcUHgnp.js +0 -2
  1120. package/dist/browser-profiles-BkIb0hYP.js +0 -2
  1121. package/dist/browser-runtime-RQ9H-pQ2.js +0 -384
  1122. package/dist/build-C3ote3YU.js +0 -257
  1123. package/dist/bundled-channel-config-schema-4eXcH-RE.d.ts +0 -3163
  1124. package/dist/call-DY6_VEa_.d.ts +0 -43
  1125. package/dist/capability-cli-D2fTtzuV.js +0 -1782
  1126. package/dist/channel-B0dtLI6U.d.ts +0 -49
  1127. package/dist/channel-B2MLRCOm.d.ts +0 -106
  1128. package/dist/channel-B4XBSqBl.d.ts +0 -7
  1129. package/dist/channel-BC3xWers.js +0 -808
  1130. package/dist/channel-BJFPY0Kt.js +0 -376
  1131. package/dist/channel-BMVs8cLm.js +0 -740
  1132. package/dist/channel-BNmekEHv.js +0 -508
  1133. package/dist/channel-BnPanYUC.js +0 -562
  1134. package/dist/channel-BompXOlb.js +0 -1134
  1135. package/dist/channel-Bq3wyp3c.d.ts +0 -8
  1136. package/dist/channel-BwdtLWWj.js +0 -1556
  1137. package/dist/channel-C1AEDysJ.d.ts +0 -47
  1138. package/dist/channel-CEH1dfVt.d.ts +0 -12
  1139. package/dist/channel-CQJHudhH.d.ts +0 -114
  1140. package/dist/channel-CUu3R9QU.d.ts +0 -14
  1141. package/dist/channel-CaugIi5d.js +0 -481
  1142. package/dist/channel-CsdkcuzU.d.ts +0 -7
  1143. package/dist/channel-D-QJ4LSf.d.ts +0 -28
  1144. package/dist/channel-D07QdL-Z.d.ts +0 -8
  1145. package/dist/channel-D1AKh1-N.d.ts +0 -6
  1146. package/dist/channel-D7LE0yXG.js +0 -653
  1147. package/dist/channel-DBucF-mL.js +0 -1496
  1148. package/dist/channel-DC98b13r.js +0 -238
  1149. package/dist/channel-DECcAIqn.d.ts +0 -104
  1150. package/dist/channel-DGWSLAgs.js +0 -1249
  1151. package/dist/channel-DHk6PKNy.js +0 -362
  1152. package/dist/channel-DZW76PDC.d.ts +0 -8
  1153. package/dist/channel-Dqyy2G9y.js +0 -955
  1154. package/dist/channel-DwSP9REc.d.ts +0 -64
  1155. package/dist/channel-LKyGksmz.d.ts +0 -26
  1156. package/dist/channel-Z-wTsii5.js +0 -1777
  1157. package/dist/channel-_B9ZXRPx.js +0 -867
  1158. package/dist/channel-actions.runtime-C3lWtJBL.js +0 -265
  1159. package/dist/channel-cGJKLfJe.d.ts +0 -427
  1160. package/dist/channel-core-B3Xqnnjw.js +0 -5
  1161. package/dist/channel-core-DshTARNf.d.ts +0 -6
  1162. package/dist/channel-entry-contract-DpdwxgOw.d.ts +0 -112
  1163. package/dist/channel-inbound-BnUDIbdQ.js +0 -80
  1164. package/dist/channel-plugin-runtime-CFKbI6Pu.js +0 -998
  1165. package/dist/channel-plugin-runtime-CS0_tyOZ.d.ts +0 -7
  1166. package/dist/channel-runtime-BLFYOC-l.js +0 -408
  1167. package/dist/channel-yBZ1hu-c.js +0 -2126
  1168. package/dist/channel.runtime-BMBFwVOB.js +0 -1008
  1169. package/dist/channel.runtime-BPaTa_4p.js +0 -4
  1170. package/dist/channel.runtime-BiOmO6NR.js +0 -254
  1171. package/dist/channel.runtime-BmwN1CYk.js +0 -652
  1172. package/dist/channel.runtime-C5JA3DOQ.js +0 -21009
  1173. package/dist/channel.runtime-CWmegcjl.js +0 -109
  1174. package/dist/channel.runtime-DDs1y218.js +0 -733
  1175. package/dist/channel.runtime-DJMJ7DxI.js +0 -88
  1176. package/dist/channel.runtime-Dr7_P-K2.js +0 -2528
  1177. package/dist/channel.setup-B03MiH5Q.d.ts +0 -6
  1178. package/dist/channel.setup-BRhsffda.js +0 -10
  1179. package/dist/channel.setup-ByuZMttY.d.ts +0 -8
  1180. package/dist/channel.setup-C74nA6R0.js +0 -343
  1181. package/dist/channel.setup-CIlbvWjW.d.ts +0 -7
  1182. package/dist/channel.setup-RbyDP1dD.js +0 -1098
  1183. package/dist/chat-CGdonziw.js +0 -2666
  1184. package/dist/chrome-BbE0579R.js +0 -1503
  1185. package/dist/cli-CJkC6ybf.js +0 -1341
  1186. package/dist/cli-backend-Dg9IEgrP.d.ts +0 -5
  1187. package/dist/cli-backend-DwmYGZX7.d.ts +0 -5
  1188. package/dist/cli-compaction-D7zwr6if.js +0 -347
  1189. package/dist/cli-metadata-gL02qQsZ.js +0 -22
  1190. package/dist/cli-pk6gIQfi.d.ts +0 -20
  1191. package/dist/cli-runner-DTqOC0Ap.js +0 -540
  1192. package/dist/cli-runner-DX7wbmT5.js +0 -2
  1193. package/dist/cli-runner.runtime-CMFns61M.js +0 -4
  1194. package/dist/cli-runner.runtime-DH0Kp9FZ.js +0 -3
  1195. package/dist/cli-shared-C_4_xNC-.d.ts +0 -20
  1196. package/dist/client-B763Tol6.js +0 -650
  1197. package/dist/client-adapter-WxKxH6x-.js +0 -897
  1198. package/dist/client-factory-00sxHiJF.js +0 -9
  1199. package/dist/command-auth-CXYQ5Z0j.js +0 -135
  1200. package/dist/command-handlers-D1Ac0Dkj.js +0 -1609
  1201. package/dist/command-registry-D2dsDDz5.js +0 -9
  1202. package/dist/command-registry-Dih3NQG-.js +0 -4
  1203. package/dist/command-registry-core-CjXOyB2J.js +0 -110
  1204. package/dist/command-status.runtime-B0-uERwh.js +0 -90
  1205. package/dist/commands-CLbV1tFt.d.ts +0 -113
  1206. package/dist/commands-acp-pD2JpUSj.js +0 -74
  1207. package/dist/commands-compact.runtime-V-TcIs65.js +0 -10
  1208. package/dist/commands-handlers.runtime-5M-A0jiA.js +0 -6154
  1209. package/dist/commands-status-Bm4dG6pI.js +0 -3
  1210. package/dist/commands-status-qm4EnRyE.js +0 -16
  1211. package/dist/commands-status.runtime-Bm4dG6pI.js +0 -3
  1212. package/dist/commands-subagents-control.runtime-DI46smsH.js +0 -2
  1213. package/dist/commands-subagents-control.runtime-rWDaFqzc.js +0 -3
  1214. package/dist/commands-system-prompt-B4F4MOEY.js +0 -162
  1215. package/dist/commands-system-prompt-jk5Mc_DP.js +0 -2
  1216. package/dist/commands.runtime-Bc23O5Mi.js +0 -176
  1217. package/dist/compact-CtN0DOvK.js +0 -480
  1218. package/dist/compact-D1ChSGOh.js +0 -1141
  1219. package/dist/compact.runtime-C7If8t90.js +0 -12
  1220. package/dist/completion-cli-gXouR92c.js +0 -315
  1221. package/dist/computer-use-CdO4BAyI.js +0 -367
  1222. package/dist/config-BkIb0hYP.js +0 -2
  1223. package/dist/config-dmYhst2s.js +0 -373
  1224. package/dist/config-mutations-D2ETKy_j.js +0 -159
  1225. package/dist/config-schema-BwKcspTI.d.ts +0 -20
  1226. package/dist/config-schema-Dx48Ud8L.d.ts +0 -34
  1227. package/dist/context-engine-host-compat-DgNqJwdY.js +0 -288
  1228. package/dist/context-engine-host-compat-OWTQLkIP.js +0 -2
  1229. package/dist/context-engine-lifecycle-CGVL8HdA.js +0 -1274
  1230. package/dist/contracts-testkit-CzhusazO.d.ts +0 -145
  1231. package/dist/control-auth-BFMiW_62.js +0 -114
  1232. package/dist/control-service-D7r7Quub.js +0 -145
  1233. package/dist/control-ui/sw.js +0 -133
  1234. package/dist/conversation-binding-runtime-BW_4K8cX.js +0 -4
  1235. package/dist/conversation-runtime-oIeuYAld.js +0 -31
  1236. package/dist/core-B7zb6eoz.d.ts +0 -224
  1237. package/dist/core-Cqwgrdgs.js +0 -282
  1238. package/dist/core-api-DI9CNhVz.js +0 -2
  1239. package/dist/core-api-Dcj6myhZ.js +0 -5
  1240. package/dist/crestodian-DVM5VVBT.js +0 -55
  1241. package/dist/daocore-runtime-DogaiqPT.d.ts +0 -151
  1242. package/dist/daocore-tools-bO6317PZ.js +0 -11727
  1243. package/dist/delivery-BCvDWVt-.js +0 -1002
  1244. package/dist/dialogue-D7jagbT_.js +0 -37
  1245. package/dist/dir-fetch-tool-BT5EPw-5.js +0 -565
  1246. package/dist/dir-list-tool-H_efDjDq.js +0 -100
  1247. package/dist/direct-dm-D0B-QMik.js +0 -64
  1248. package/dist/directive-handling.fast-lane-DsGCtBC-.js +0 -68
  1249. package/dist/directive-handling.impl-C-1mgd9g.js +0 -2
  1250. package/dist/directive-handling.impl-DumICYAp.js +0 -818
  1251. package/dist/directive-handling.model-selection-BJZn2fo_.js +0 -122
  1252. package/dist/directive-handling.persist.runtime-D62V2_9_.js +0 -263
  1253. package/dist/dispatch-CnOOlfPn.js +0 -1640
  1254. package/dist/dispatch-acp-transcript.runtime-DV_7Zl9P.js +0 -40
  1255. package/dist/dispatch-acp.runtime-ATTViG-t.js +0 -18
  1256. package/dist/doctor-8vhWy3Dw.js +0 -2
  1257. package/dist/doctor-CKYTXvU7.js +0 -6
  1258. package/dist/doctor-config-flow-B0Ilj0MM.js +0 -1741
  1259. package/dist/doctor-core-checks-B0DeLp7M.js +0 -2
  1260. package/dist/doctor-core-checks-NFFEe2qP.js +0 -573
  1261. package/dist/doctor-health-BQDkMVRf.js +0 -65
  1262. package/dist/doctor-health-contributions-BTtoe4Zy.js +0 -696
  1263. package/dist/doctor-lint-CtjiT5S1.js +0 -94
  1264. package/dist/doctor-state-integrity-C1p_aTX_.js +0 -1231
  1265. package/dist/doctor-update-Dzr9Vt00.js +0 -58
  1266. package/dist/doctor-update-fix-Dw80wTUs.js +0 -107
  1267. package/dist/dynamic-tools-Cb1BxOUV.js +0 -486
  1268. package/dist/embedded-backend-DIv3GabL.js +0 -579
  1269. package/dist/embedded-gateway-stub.runtime-DqgU4q-g.js +0 -12
  1270. package/dist/embedding-provider-B82QlZsy.d.ts +0 -21
  1271. package/dist/embedding-provider-Cmb3dgUf.d.ts +0 -65
  1272. package/dist/embedding-provider-w7EJz-DO.d.ts +0 -16
  1273. package/dist/exec-approvals-ClOFMgg8.js +0 -149
  1274. package/dist/file-fetch-tool-CIe7NhYV.js +0 -124
  1275. package/dist/file-write-tool-DBpMRVuc.js +0 -127
  1276. package/dist/format-DwlQcHW-.js +0 -1145
  1277. package/dist/gateway-cli-B-RpSgut.js +0 -435
  1278. package/dist/gateway-method-runtime-BblhHt-0.js +0 -21
  1279. package/dist/gateway-runtime-BcWCu-QH.d.ts +0 -163
  1280. package/dist/gemini-cli-provider-DtyOwxHA.d.ts +0 -6
  1281. package/dist/get-reply-HRNSgWtJ.js +0 -4689
  1282. package/dist/get-reply-from-config.runtime-D_IjyVEy.js +0 -2
  1283. package/dist/graph-users-xOkVRyWa.js +0 -1419
  1284. package/dist/group-access-5rOw40mA.js +0 -112
  1285. package/dist/handle-action.guild-admin-3izRlfhG.js +0 -288
  1286. package/dist/harness-DSATBx4q.js +0 -61
  1287. package/dist/health-gXf5LPQE.js +0 -4
  1288. package/dist/heartbeat-runner-BAl6rYJ4.js +0 -5
  1289. package/dist/heartbeat-runner.runtime-BwR4hXGN.js +0 -4
  1290. package/dist/hooks-Ds30xkRl.js +0 -534
  1291. package/dist/http-registry-D3Cdok5J.d.ts +0 -23
  1292. package/dist/image-generation-runtime-DhYgou3B.d.ts +0 -21
  1293. package/dist/inbound-direct-dm-runtime-VLA3Sl_Y.js +0 -2
  1294. package/dist/inbound-reply-dispatch-B1Yv-_Ol.js +0 -148
  1295. package/dist/index-ChRAMnH9.d.ts +0 -3971
  1296. package/dist/init-C94m6gc5.js +0 -59
  1297. package/dist/inline-buttons-B48KLvRY.js +0 -40
  1298. package/dist/interactive-dispatch-B-NLdr77.d.ts +0 -56
  1299. package/dist/interactive-dispatch-B66zssEF.d.ts +0 -143
  1300. package/dist/internal-events-DH1wKI3W.js +0 -90
  1301. package/dist/isolated-agent-BHtpDjQ3.js +0 -1118
  1302. package/dist/isolated-agent-CQ8xLCdA.js +0 -2
  1303. package/dist/lifecycle-J2_rGItq.js +0 -571
  1304. package/dist/list.probe-CQkRrePt.js +0 -449
  1305. package/dist/list.status-command-Dh4C_nmX.js +0 -789
  1306. package/dist/llm-slug-generator-CuTyqyw9.js +0 -78
  1307. package/dist/loader-Ben-RYnp.d.ts +0 -142
  1308. package/dist/local-dispatch.runtime-DMFlGKN5.js +0 -9
  1309. package/dist/manager-BDWyUfHJ.d.ts +0 -356
  1310. package/dist/manager.runtime-ChEFeq5B.js +0 -2714
  1311. package/dist/markdown-to-line-BXszL2cy.js +0 -811
  1312. package/dist/mcp-http-BfLRPB10.js +0 -555
  1313. package/dist/mcp-http-C4jMPkoA.js +0 -2
  1314. package/dist/media-understanding-provider-By_IYDJy.js +0 -339
  1315. package/dist/memory-core-host-engine-storage-BAq5Rf51.d.ts +0 -54
  1316. package/dist/memory-embedding-adapter-Cv87QsD0.d.ts +0 -5
  1317. package/dist/message-actions-CnGb9RhR.js +0 -145
  1318. package/dist/message-handler-BczaNv3J.js +0 -384
  1319. package/dist/message-handler-txIHUJJr.js +0 -1715
  1320. package/dist/message-handler.preflight-DQ_XIRJD.js +0 -1125
  1321. package/dist/message-handler.process-DW_BauDK.js +0 -1484
  1322. package/dist/migration-BOkhOT4K.d.ts +0 -45
  1323. package/dist/model-B4s-pIp8.d.ts +0 -33
  1324. package/dist/model-CzeDtlL2.js +0 -74
  1325. package/dist/model-selection-DISTEWT3.js +0 -272
  1326. package/dist/models-6NYWdsJM.d.ts +0 -24
  1327. package/dist/models-Cs632hpM.js +0 -104
  1328. package/dist/models-DFdDefW_.js +0 -2
  1329. package/dist/models-cli-CEJaAepl.js +0 -256
  1330. package/dist/monitor-1sdwxltF.js +0 -2788
  1331. package/dist/monitor-B3satZZM.js +0 -2
  1332. package/dist/monitor-BjTf4-1k.js +0 -715
  1333. package/dist/monitor-Blfd3oxm.js +0 -1370
  1334. package/dist/monitor-CTBBctRZ.js +0 -60
  1335. package/dist/monitor-DMs9Fc-I.js +0 -4377
  1336. package/dist/monitor-Jaf6yIPY.js +0 -1657
  1337. package/dist/monitor-QlSkTI6D.js +0 -834
  1338. package/dist/monitor-auth-C1tksIdC.js +0 -179
  1339. package/dist/monitor-polling.runtime-BfiQ9WKu.js +0 -883
  1340. package/dist/monitor-webhook.runtime-DaN0Z6_6.js +0 -387
  1341. package/dist/monitor.account-DXs-I96r.js +0 -5233
  1342. package/dist/monitor.runtime-CfhDXAnn.js +0 -2
  1343. package/dist/monitor.webhook-Dh2yCA0H.js +0 -180
  1344. package/dist/node-cli-sessions-BRSHPLpR.js +0 -1228
  1345. package/dist/openai-codex-provider-CByFL0Au.d.ts +0 -5
  1346. package/dist/openai-http-CJKcPRWW.js +0 -824
  1347. package/dist/openai-provider-DbEgHbfx.d.ts +0 -5
  1348. package/dist/openresponses-http-BhyRvqJ0.js +0 -1173
  1349. package/dist/operations-CL7dqxSs.js +0 -805
  1350. package/dist/outbound-adapter-BzLFym-i.js +0 -543
  1351. package/dist/outbound-session-route-do6mbRaF.js +0 -45
  1352. package/dist/outbound.runtime-ClwB5soC.js +0 -2
  1353. package/dist/pi-embedded-BtyxupRo.js +0 -3796
  1354. package/dist/pi-embedded-DC6txKUX.js +0 -4
  1355. package/dist/pi-embedded.runtime-CLGqbc8E.js +0 -4
  1356. package/dist/pi-tools-BNtGWzuL.js +0 -2413
  1357. package/dist/plan-BKvy4WrJ.js +0 -81
  1358. package/dist/plan-DwVlQpE1.js +0 -112
  1359. package/dist/plugin-BehbkTVr.d.ts +0 -17
  1360. package/dist/plugin-CY0rEF7s.js +0 -12396
  1361. package/dist/plugin-app-cache-key-DNUt0H7R.js +0 -46
  1362. package/dist/plugin-enabled-Cyd8634I.js +0 -233
  1363. package/dist/plugin-entry-feg_rkHL.d.ts +0 -47
  1364. package/dist/plugin-registration-B_-ymgPg.js +0 -88
  1365. package/dist/plugin-runtime-paqzXBLJ.d.ts +0 -117
  1366. package/dist/plugin-service-C0JwHvDr.d.ts +0 -24
  1367. package/dist/plugin-service-Dxx-FdeS.js +0 -1229
  1368. package/dist/policy-BXjjr3b_.js +0 -138
  1369. package/dist/policy-cKo9Yeux.js +0 -680
  1370. package/dist/prepare.runtime-DKbtJNij.js +0 -732
  1371. package/dist/preview-warnings-B_dB0-nc.js +0 -392
  1372. package/dist/probe-D02PTGyD.js +0 -47
  1373. package/dist/probe-DywFeNCV.js +0 -682
  1374. package/dist/probe-f3qP15_E.js +0 -2204
  1375. package/dist/probe-sSNH7OtW.js +0 -2
  1376. package/dist/program-CI-yGmHj.js +0 -131
  1377. package/dist/prompt-overlay-qLjnjnSK.d.ts +0 -23
  1378. package/dist/provider-0MTK_A59.js +0 -32
  1379. package/dist/provider-Bqz_XGo0.js +0 -8735
  1380. package/dist/provider-DguV0rAM.js +0 -32
  1381. package/dist/provider-Vf0kCR9H.js +0 -152
  1382. package/dist/provider-api-key-auth-CB8Tllmv.d.ts +0 -27
  1383. package/dist/provider-auth-result-Xze96yVn.d.ts +0 -21
  1384. package/dist/provider-catalog-runtime-Bo88wUpB.d.ts +0 -23
  1385. package/dist/provider-catalog-shared-rq7-Hkyg.d.ts +0 -62
  1386. package/dist/provider-dispatcher-DYgMXESe.js +0 -22
  1387. package/dist/provider-hook-runtime-bhgA4zLg.d.ts +0 -61
  1388. package/dist/provider-model-shared-Bv_vhH6i.d.ts +0 -143
  1389. package/dist/provider-models-DzbXgGDD.d.ts +0 -12
  1390. package/dist/provider-policy-Cx2IwhQ-.d.ts +0 -30
  1391. package/dist/provider-registration-D4DJp8vF.d.ts +0 -6
  1392. package/dist/provider-registry-BQ5DzWBt.d.ts +0 -8
  1393. package/dist/provider-registry-BrtezAkH.d.ts +0 -30
  1394. package/dist/provider-registry-DG571X-9.d.ts +0 -8
  1395. package/dist/provider-runtime-BJlV-8wH.d.ts +0 -359
  1396. package/dist/provider-self-hosted-setup-C5mGtzPJ.d.ts +0 -74
  1397. package/dist/provider-session.runtime-DPLsI_az.js +0 -9
  1398. package/dist/provider-stream-D-MYyujL.d.ts +0 -140
  1399. package/dist/provider-stream-shared-B6pQNRl4.d.ts +0 -128
  1400. package/dist/provider.runtime-Dqb234pz.js +0 -2
  1401. package/dist/providers.runtime-B9kfx6q8.d.ts +0 -25
  1402. package/dist/public-surface-loader-BFaumhij.js +0 -114
  1403. package/dist/pw-ai-G5xV3oAx.js +0 -3029
  1404. package/dist/pw-role-snapshot-Dx3HJBHP.js +0 -333
  1405. package/dist/reaction-level-cwg9IPV-.js +0 -19
  1406. package/dist/reaction-runtime-api-BO5tonA_.js +0 -116
  1407. package/dist/realtime-transcription-CAC89bnc.d.ts +0 -43
  1408. package/dist/realtime-transcription-provider-BPUt8lMk.js +0 -205
  1409. package/dist/realtime-transcription-provider-ChYQDNhv.d.ts +0 -5
  1410. package/dist/realtime-transcription-provider-DTYtMlJi.d.ts +0 -28
  1411. package/dist/realtime-transcription-provider-DirKeOjA.d.ts +0 -32
  1412. package/dist/realtime-transcription-provider-QHEXWhCJ.d.ts +0 -37
  1413. package/dist/realtime-voice-Bm0GBqnc.d.ts +0 -333
  1414. package/dist/realtime-voice-provider-NcUDkuN4.d.ts +0 -5
  1415. package/dist/register-hPi-PJ7K.js +0 -2178
  1416. package/dist/register.agent-C17wwmyB.js +0 -156
  1417. package/dist/register.crestodian-BgN2eNeU.js +0 -24
  1418. package/dist/register.maintenance-CZV43uUT.js +0 -105
  1419. package/dist/register.runtime-B6KhmuJw.js +0 -54
  1420. package/dist/register.runtime-CXLFfKiU.d.ts +0 -6
  1421. package/dist/register.subclis-By70wsLN.js +0 -31
  1422. package/dist/register.subclis-D_XDgsMy.js +0 -3
  1423. package/dist/register.subclis-core-CYi-wxpA.js +0 -273
  1424. package/dist/registry-DXBS27qE.d.ts +0 -91
  1425. package/dist/registry-types-DlO771W4.d.ts +0 -392
  1426. package/dist/repair-sequencing-ze6dXKp3.js +0 -640
  1427. package/dist/reply-delivery-BRsL-nIn.js +0 -196
  1428. package/dist/reply-runtime-hB7p7Uov.js +0 -11
  1429. package/dist/reply.runtime-D_IjyVEy.js +0 -2
  1430. package/dist/request-C6QBV_dA.js +0 -54
  1431. package/dist/resolve-allowlist-zmvmVPzW.js +0 -220
  1432. package/dist/result-fallback-classifier-hWTcOYyH.js +0 -79
  1433. package/dist/route-BMCrq1SN.js +0 -469
  1434. package/dist/route-resolution-nWgSniti.js +0 -274
  1435. package/dist/routes-BXyfYxi-.js +0 -2
  1436. package/dist/routes-CpMZFxzv.js +0 -3602
  1437. package/dist/run-Bzp1cq1J.js +0 -1163
  1438. package/dist/run-attempt-DMj1Q3oE.js +0 -7704
  1439. package/dist/run-command-CbDBts53.js +0 -23
  1440. package/dist/run-command-CrJ2mrht.js +0 -2
  1441. package/dist/run-embedded.runtime-sD3O3k2K.js +0 -4
  1442. package/dist/run-execution-cli.runtime-CG1zNse6.js +0 -4
  1443. package/dist/run-subagent-registry.runtime-CGzIerQZ.js +0 -2
  1444. package/dist/runtime-B0ZKPxxL.js +0 -6179
  1445. package/dist/runtime-Dh-KFKJv.js +0 -1287
  1446. package/dist/runtime-api-9Xxm9K2E.js +0 -21
  1447. package/dist/runtime-api-C2252PQ4.js +0 -4
  1448. package/dist/runtime-api-C7ToEUFX.d.ts +0 -3151
  1449. package/dist/runtime-api-Cl3W6JLB.js +0 -13
  1450. package/dist/runtime-api-CwyQGzrm.js +0 -24
  1451. package/dist/runtime-api-DQVZQ82e.js +0 -17
  1452. package/dist/runtime-api-Ksdts3J7.js +0 -13
  1453. package/dist/runtime-api-lHayJI0f.js +0 -3
  1454. package/dist/runtime-api.actions-CHH4JoFd.js +0 -3
  1455. package/dist/runtime-api.monitor-CuAnxOiA.js +0 -6
  1456. package/dist/runtime-api.send-C5Ndv4Sb.js +0 -4
  1457. package/dist/runtime-api.threads-Car1xuWI.js +0 -2
  1458. package/dist/runtime-channel-PhHAbE3P.js +0 -2
  1459. package/dist/runtime-channel-ehNPdqhp.js +0 -150
  1460. package/dist/runtime-embedded-pi.runtime-BExQEON7.js +0 -2
  1461. package/dist/runtime-l-x1mIPp.js +0 -438
  1462. package/dist/runtime-taskflow-PDIujF9q.d.ts +0 -435
  1463. package/dist/sanitize-outbound-CINW3wBb.js +0 -127
  1464. package/dist/sdk-setup-tools-DotzY-Ff.js +0 -8
  1465. package/dist/secrets-BdWCp_pg.js +0 -113
  1466. package/dist/security-audit-BMS02wuX.js +0 -122
  1467. package/dist/security-audit-BXupNbYa.js +0 -118
  1468. package/dist/security-audit.runtime-CONAKFRk.js +0 -2
  1469. package/dist/selection-8iOGMBPh.js +0 -16157
  1470. package/dist/selection-D9-GNcGp.js +0 -3
  1471. package/dist/send-BsqMC7vV.js +0 -143
  1472. package/dist/send-ChUpwNpF.js +0 -2
  1473. package/dist/send-D92kiCYa.js +0 -192
  1474. package/dist/send-LSm52k6p.js +0 -1631
  1475. package/dist/send.components-D_1vDkKM.js +0 -2
  1476. package/dist/send.components-Scs0rrDy.js +0 -500
  1477. package/dist/send.runtime-BJbljin6.js +0 -2
  1478. package/dist/server-BQ9wTpKB.js +0 -73
  1479. package/dist/server-CHWh_XGy.js +0 -24
  1480. package/dist/server-context-D42gG6GT.js +0 -2
  1481. package/dist/server-context-oRlMLKPz.js +0 -955
  1482. package/dist/server-cron-BpLzGXmi.js +0 -2
  1483. package/dist/server-cron-DFsVLz6k.js +0 -2989
  1484. package/dist/server-methods-CVgaE49L.js +0 -16499
  1485. package/dist/server-node-events-DmaGt81F.js +0 -596
  1486. package/dist/server-plugin-bootstrap-ypOUJ438.js +0 -70
  1487. package/dist/server-plugins-BZZxcYFZ.js +0 -432
  1488. package/dist/server-reload-handlers-Ccu2KW5E.js +0 -714
  1489. package/dist/server-restart-sentinel-Bud1fPG5.js +0 -2
  1490. package/dist/server-restart-sentinel-C4oYiDTT.js +0 -747
  1491. package/dist/server-runtime-services-BAlijw2O.js +0 -267
  1492. package/dist/server-runtime-services-BY8y-CAk.js +0 -2
  1493. package/dist/server-startup-plugins-utvxpVCl.js +0 -113
  1494. package/dist/server-startup-post-attach-C09QVu1D.js +0 -716
  1495. package/dist/server-ws-runtime-hgZQmILO.js +0 -349
  1496. package/dist/server.impl-btEzW7aF.js +0 -2587
  1497. package/dist/service-DYvUSJDx.js +0 -1446
  1498. package/dist/session-binding-Smi9h573.js +0 -219
  1499. package/dist/session-binding-vAzR408o.js +0 -2
  1500. package/dist/session-kill-http-HXI6hUDG.js +0 -121
  1501. package/dist/session-reset-service-CdqhH7XS.js +0 -625
  1502. package/dist/session-route-DX9HyYoG.js +0 -93
  1503. package/dist/session-status.runtime-B7dGtknj.js +0 -2
  1504. package/dist/session-subagent-reactivation.runtime-Dn-wvdjM.js +0 -2
  1505. package/dist/session-tab-registry-UN4VZE8a.js +0 -521
  1506. package/dist/sessions-history-http--Dgcvhb0.js +0 -430
  1507. package/dist/sessions.runtime-LnYxeKSP.js +0 -2
  1508. package/dist/setup-api-BfO7Ctmd.js +0 -29
  1509. package/dist/setup-core-DlCsv-9q.js +0 -174
  1510. package/dist/setup-surface-BDXmLycW.js +0 -221
  1511. package/dist/setup-surface-Bi-pZtB0.js +0 -405
  1512. package/dist/setup-surface-Bk9MdZ9I.js +0 -288
  1513. package/dist/setup-surface-m649hpou.js +0 -320
  1514. package/dist/shared-DwXuhcIz.js +0 -121
  1515. package/dist/shared-client-Cj3X4R8q.js +0 -2
  1516. package/dist/shared-client-D02xLLJg.js +0 -629
  1517. package/dist/shared-eYKaB8rP.d.ts +0 -115
  1518. package/dist/side-question-DbsrGTKR.js +0 -683
  1519. package/dist/simple-completion-runtime-D3SeEaWT.d.ts +0 -73
  1520. package/dist/skill-tool-dispatch.runtime-CswUeFQB.js +0 -143
  1521. package/dist/slash-state-Br7bOIIy.js +0 -2166
  1522. package/dist/speech-Dbhvhbdq.d.ts +0 -47
  1523. package/dist/speech-core-8X_D3HLF.d.ts +0 -36
  1524. package/dist/speech-provider-BHcOkoLn.js +0 -184
  1525. package/dist/speech-provider-BYm63_co.d.ts +0 -8
  1526. package/dist/speech-provider-BtJxZzKb.d.ts +0 -8
  1527. package/dist/speech-provider-CbneUhtJ.d.ts +0 -5
  1528. package/dist/speech-provider-DOAvAvlS.d.ts +0 -5
  1529. package/dist/speech-provider-DdfnOmrC.d.ts +0 -5
  1530. package/dist/speech-provider-ptNkD7Yf.d.ts +0 -34
  1531. package/dist/src-DcIZ_w7l.js +0 -4256
  1532. package/dist/startup-context-BU3ZwnPZ.js +0 -313
  1533. package/dist/status-subagents.runtime-U9cVRB6A.js +0 -18
  1534. package/dist/status-text-DlZ-OoHI.js +0 -296
  1535. package/dist/sticker-cache-BfgCFMo_.js +0 -206
  1536. package/dist/sticker-vision.runtime-DYSdlJUC.js +0 -17
  1537. package/dist/stream-BHkpDd1i.d.ts +0 -10
  1538. package/dist/stream-C6huJP_D.d.ts +0 -5
  1539. package/dist/stream-D4Pmcj3t.d.ts +0 -16
  1540. package/dist/stream-DpSe6hAE.d.ts +0 -19
  1541. package/dist/stream-DrRUuJ8m.d.ts +0 -120
  1542. package/dist/stream-wrappers-DLxwmPDI.d.ts +0 -21
  1543. package/dist/subagent-announce-BntptirO.js +0 -354
  1544. package/dist/subagent-announce-delivery-6GUsisag.js +0 -958
  1545. package/dist/subagent-control-C7DSvkWz.js +0 -508
  1546. package/dist/subagent-hooks-4aumktTW.js +0 -2
  1547. package/dist/subagent-hooks-COUrrxEC.js +0 -2
  1548. package/dist/subagent-hooks-DUGDXbSM.js +0 -146
  1549. package/dist/subagent-hooks-DjDgoKjj.js +0 -230
  1550. package/dist/subagent-hooks-DjvL3k1b.js +0 -2
  1551. package/dist/subagent-hooks-api-BxfHMA2E.js +0 -22
  1552. package/dist/subagent-hooks-api-Cn7QkuFW.js +0 -23
  1553. package/dist/subagent-hooks-api-_lgvYj20.js +0 -23
  1554. package/dist/subagent-hooks-gWxlJnmo.js +0 -116
  1555. package/dist/subagent-orphan-recovery-CcAPcsDk.js +0 -352
  1556. package/dist/subagent-registry-BsYF1Amv.js +0 -3
  1557. package/dist/subagent-registry-LC_Gic13.js +0 -2351
  1558. package/dist/subagent-session-cleanup-6AY_7hyu.js +0 -525
  1559. package/dist/subagent-spawn-C2IO1E1i.js +0 -1164
  1560. package/dist/target-id-By34AE0b.js +0 -107
  1561. package/dist/targets-B40DzW6Y.js +0 -44
  1562. package/dist/targets-BttGNxRs.js +0 -19
  1563. package/dist/targets-C6bpLZdS.js +0 -19
  1564. package/dist/targets-CZhlhiDN.d.ts +0 -10
  1565. package/dist/targets-HPytm6Z8.d.ts +0 -10
  1566. package/dist/testing-BzZIozrH.js +0 -267
  1567. package/dist/thinking-policy-wJH8MNPa.d.ts +0 -5
  1568. package/dist/thread-bindings-CBiuE4G4.js +0 -228
  1569. package/dist/thread-bindings-CTJq5UHl.js +0 -232
  1570. package/dist/thread-bindings-bN9Ad5r9.js +0 -571
  1571. package/dist/thread-bindings-kXHwWthg.js +0 -8
  1572. package/dist/thread-bindings.discord-api-C8jkPA0w.js +0 -187
  1573. package/dist/thread-bindings.manager-BsFmjrbx.js +0 -536
  1574. package/dist/thread-bindings.manager-DfJgNAl6.js +0 -2
  1575. package/dist/thread-lifecycle-gR5OSLzh.js +0 -1614
  1576. package/dist/token-B2FhcBoz.js +0 -134
  1577. package/dist/tool-47nHlaiR.js +0 -139
  1578. package/dist/tool-actions.runtime-DwQ1lVPo.js +0 -534
  1579. package/dist/tool-plugin-CmXn59FQ.d.ts +0 -77
  1580. package/dist/tool-resolution-DQej_E5w.js +0 -149
  1581. package/dist/tool-split-CaXOLBeI.d.ts +0 -19
  1582. package/dist/tools-effective-inventory-CyXaSANM.js +0 -204
  1583. package/dist/tools-invoke-http-yo3HU4V6.js +0 -67
  1584. package/dist/tools-invoke-shared-LpV_xD9g.js +0 -200
  1585. package/dist/transport-stream-lU_hAKuv.d.ts +0 -42
  1586. package/dist/tts-E7ULNzl4.js +0 -66
  1587. package/dist/tui-B-wyN6wJ.js +0 -4709
  1588. package/dist/tui-CdI6yMis.js +0 -2
  1589. package/dist/tui-backend-CXej-4Er.js +0 -256
  1590. package/dist/tui-cli-wboa0AnA.js +0 -37
  1591. package/dist/types-CD1xwSld.d.ts +0 -786
  1592. package/dist/types-Zj4Bq9h-2.d.ts +0 -3650
  1593. package/dist/types.public-B0VjJLe9.d.ts +0 -70
  1594. package/dist/update-cli-CGUsDh2T.js +0 -3665
  1595. package/dist/update-global-BbP9IhEf.js +0 -601
  1596. package/dist/update-runner-B54rgAmr.js +0 -1798
  1597. package/dist/video-generation-runtime-DsFG7djU.d.ts +0 -21
  1598. package/dist/video-model-catalog-CfhC-Mol.d.ts +0 -16
  1599. package/dist/vision-tools-wacIK5vr.js +0 -1409
  1600. package/dist/web-search-AMwc61Dr.js +0 -62
  1601. package/dist/web-search-provider.runtime-CNG2uQTF.js +0 -2
  1602. package/dist/web-search-provider.runtime-oBaJtm_S.js +0 -328
  1603. package/dist/webhook-targets-C9cJD_kB.d.ts +0 -99
  1604. package/dist/xai-oauth-DOqf2jTO.js +0 -479
  1605. package/dist/xai-user-agent-Dk71wEWd.js +0 -32
  1606. package/dist/zod-schema.core-BhLPa6BF.d.ts +0 -166
  1607. /package/dist/{acp-runtime-backend-4DfhM5M9.js → acp-runtime-backend-CxP454w8.js} +0 -0
  1608. /package/dist/{channel-actions-CYB0u2id.js → channel-actions-AudMk4Yk.js} +0 -0
  1609. /package/dist/{command-status-runtime-CPIRzAU6.js → command-status-runtime-BWRWzQv1.js} +0 -0
  1610. /package/dist/{delegate-DpQ2iXjn.js → delegate-CLZeP48P.js} +0 -0
  1611. /package/dist/{dispatch-acp-Bdp6i1Mz.js → dispatch-acp-BK0Zh3_p.js} +0 -0
  1612. /package/dist/{heartbeat-runner-Cx01gr5N.js → heartbeat-runner-BouutzYV.js} +0 -0
  1613. /package/dist/{library-BSsSuIcq.js → library-C-O719bG.js} +0 -0
  1614. /package/dist/{run-executor.runtime-DwZVL5h6.js → run-executor.runtime-DF1Wol1i.js} +0 -0
  1615. /package/dist/{shared-DJ7fJ5uN.js → shared-BqbJdmuE.js} +0 -0
package/dist/message-handler-txIHUJJr.js DELETED
@@ -1,1715 +0,0 @@
1
- import { a as normalizeLowercaseStringOrEmpty, c as normalizeOptionalString } from "./string-coerce-DyL154ka.js";
2
- import { s as resolveRuntimeServiceVersion } from "./version-QmPt05QD.js";
3
- import { t as normalizeArrayBackedTrimmedStringList } from "./string-normalization-DiPHgdft.js";
4
- import { S as runWithDiagnosticTraceContext, p as createDiagnosticTraceContext } from "./diagnostic-events-DPfGiEBK.js";
5
- import { a as isPrivateOrLoopbackAddress, c as isTrustedProxyAddress, f as resolveClientIp, h as resolveHostName, i as isLoopbackHost, n as isLocalishHost, o as isPrivateOrLoopbackHost, r as isLoopbackAddress } from "./net-CRvxvxp_.js";
6
- import { i as AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET, n as AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN } from "./auth-rate-limit-DIqrG8MV.js";
7
- import { a as hasForwardedRequestHeaders, i as authorizeWsControlUiGatewayConnect, o as isLocalDirectRequest, r as authorizeHttpGatewayConnect, s as checkBrowserOrigin } from "./auth-B4O5Qj59.js";
8
- import { i as getRuntimeConfig } from "./io-BAMe9xIp.js";
9
- import { i as normalizeDevicePublicKeyBase64Url, s as verifyDeviceSignature, t as deriveDeviceIdFromPublicKey } from "./device-identity-BVmCQ4s6.js";
10
- import { n as GATEWAY_CLIENT_IDS, r as GATEWAY_CLIENT_MODES } from "./client-info-B56HGdh-.js";
11
- import { a as isOperatorUiClient, n as isGatewayCliClient, o as isWebchatClient, t as isBrowserOperatorUiClient } from "./message-channel-CRza_Xs_.js";
12
- import { c as GATEWAY_STARTUP_CLOSE_REASON, d as buildDeviceAuthPayload, f as buildDeviceAuthPayloadV3, l as GATEWAY_STARTUP_PENDING_CLOSE_CAUSE, s as GATEWAY_STARTUP_CLOSE_CODE, u as gatewayStartupUnavailableDetails } from "./client-D4Yd4v9l.js";
13
- import { t as rawDataToString } from "./ws-C3qhmaFC.js";
14
- import { t as normalizeDeviceMetadataForAuth } from "./device-metadata-normalization-PRIe4LWk.js";
15
- import { i as buildPairingConnectErrorMessage, m as resolveDeviceAuthConnectErrorDetailCode, n as buildPairingConnectCloseReason, p as resolveAuthConnectErrorDetailCode, r as buildPairingConnectErrorDetails, t as ConnectErrorDetailCodes } from "./connect-error-details-BNpp20bs.js";
16
- import { At as validateRequestFrame, M as validateConnectParams, Ni as ErrorCodes, Pi as errorShape, t as formatValidationErrors } from "./protocol-BqIJbb8x.js";
17
- import "./version-DDqbebEG.js";
18
- import { t as ADMIN_SCOPE } from "./operator-scopes-DGvgHuOd.js";
19
- import "./method-scopes-Ce2SpYo5.js";
20
- import { n as isOperatorApprovalRuntimeToken } from "./operator-approval-runtime-token-C5pv_wEb.js";
21
- import { n as logRejectedLargePayload } from "./diagnostic-payload-BfH_Skky.js";
22
- import { a as MAX_PAYLOAD_BYTES, i as MAX_BUFFERED_BYTES, o as MAX_PREAUTH_PAYLOAD_BYTES, s as TICK_INTERVAL_MS } from "./server-constants-BGwLM6XN.js";
23
- import { a as indexPluginNodeCapabilitySurfaces, l as resolvePluginNodeCapabilityTtlMs, o as mintPluginNodeCapabilityToken, r as buildPluginNodeCapabilityScopedHostUrl, u as setClientPluginNodeCapability } from "./plugin-node-capability-D0b7yj9X.js";
24
- import { a as normalizeDeclaredNodeCommands, o as resolveNodeCommandAllowlist, s as resolveNodePairingCommandAllowlist } from "./node-command-policy-ExurUhwh.js";
25
- import { n as logWs, t as formatForLog } from "./ws-log-GIogCC4d.js";
26
- import { l as roleScopesAllow } from "./pairing-token-B1grnvMr.js";
27
- import { c as updatePairedNodeMetadata, n as getPairedNode, s as requestNodePairing } from "./node-pairing-B5I4lpks.js";
28
- import { i as recordRemoteNodeInfo, o as refreshRemoteNodeBins } from "./skills-remote-CGj8EexS.js";
29
- import { a as redeemDeviceBootstrapTokenProfile, d as PAIRING_SETUP_BOOTSTRAP_PROFILE, l as verifyDeviceBootstrapToken, n as getBoundDeviceBootstrapProfile, o as restoreDeviceBootstrapToken, p as resolveBootstrapProfileScopesForRole, r as getDeviceBootstrapTokenProfile, s as revokeDeviceBootstrapToken, u as BOOTSTRAP_HANDOFF_OPERATOR_SCOPES } from "./device-bootstrap-C0C1wAEL.js";
30
- import { _ as updatePairedDeviceMetadata, a as getPairedDevice, c as listApprovedPairedDeviceRoles, l as listDevicePairing, n as approveDevicePairing, p as requestDevicePairing, r as ensureDeviceToken, s as hasEffectivePairedDeviceRole, t as approveBootstrapDevicePairing, u as listEffectivePairedDeviceRoles, v as verifyDeviceToken } from "./device-pairing-d3dHbNMN.js";
31
- import { r as loadVoiceWakeConfig, t as formatError } from "./server-utils-Dzo1sugg.js";
32
- import { r as upsertPresence } from "./system-presence-D6yE9_vi.js";
33
- import { a as incrementPresenceVersion, n as getHealthCache, r as getHealthVersion, t as buildGatewaySnapshot } from "./health-state-6s0oNnHj.js";
34
- import { c as roleCanSkipDeviceIdentity, s as parseGatewayRole, t as loadVoiceWakeRoutingConfig } from "./voicewake-routing-DZDAf5fD.js";
35
- import { t as resolveSharedGatewaySessionGeneration } from "./ws-shared-generation-Bp5l7wzu.js";
36
- import { t as truncateCloseReason } from "./close-reason-f7R6T5LC.js";
37
- import os from "node:os";
38
- //#region src/gateway/node-connect-reconcile.ts
39
- function resolveApprovedReconnectCommands(params) {
40
- return normalizeDeclaredNodeCommands({
41
- declaredCommands: Array.isArray(params.pairedCommands) ? params.pairedCommands : [],
42
- allowlist: params.allowlist
43
- });
44
- }
45
- function normalizeApprovalSurfaceList(value) {
46
- return normalizeArrayBackedTrimmedStringList(value) ?? [];
47
- }
48
- function sameApprovalSurfaceSet(left, right) {
49
- const normalizedLeft = new Set(normalizeApprovalSurfaceList(left));
50
- const normalizedRight = new Set(normalizeApprovalSurfaceList(right));
51
- if (normalizedLeft.size !== normalizedRight.size) return false;
52
- for (const entry of normalizedLeft) if (!normalizedRight.has(entry)) return false;
53
- return true;
54
- }
55
- function normalizePermissionMap(value) {
56
- if (!value) return;
57
- const entries = Object.entries(value).toSorted(([leftKey], [rightKey]) => leftKey.localeCompare(rightKey));
58
- return entries.length > 0 ? Object.fromEntries(entries) : void 0;
59
- }
60
- function samePermissions(left, right) {
61
- const leftEntries = Object.entries(left ?? {}).toSorted(([leftKey], [rightKey]) => leftKey.localeCompare(rightKey));
62
- const rightEntries = Object.entries(right ?? {}).toSorted(([leftKey], [rightKey]) => leftKey.localeCompare(rightKey));
63
- if (leftEntries.length !== rightEntries.length) return false;
64
- return leftEntries.every(([key, value], index) => {
65
- const rightEntry = rightEntries[index];
66
- return rightEntry !== void 0 && rightEntry[0] === key && rightEntry[1] === value;
67
- });
68
- }
69
- function intersectApprovalSurfaceList(params) {
70
- const approved = new Set(normalizeApprovalSurfaceList(params.approved));
71
- return normalizeApprovalSurfaceList(params.declared).filter((entry) => approved.has(entry));
72
- }
73
- function intersectPermissionSurface(params) {
74
- const entries = [];
75
- for (const [key, declaredValue] of Object.entries(params.declared ?? {})) {
76
- const approvedValue = params.approved?.[key];
77
- if (!declaredValue) {
78
- entries.push([key, false]);
79
- continue;
80
- }
81
- if (approvedValue === true) {
82
- entries.push([key, true]);
83
- continue;
84
- }
85
- if (approvedValue === false) entries.push([key, false]);
86
- }
87
- return entries.length > 0 ? Object.fromEntries(entries) : void 0;
88
- }
89
- function buildNodePairingRequestInput(params) {
90
- return {
91
- nodeId: params.nodeId,
92
- displayName: params.connectParams.client.displayName,
93
- platform: params.connectParams.client.platform,
94
- version: params.connectParams.client.version,
95
- deviceFamily: params.connectParams.client.deviceFamily,
96
- modelIdentifier: params.connectParams.client.modelIdentifier,
97
- caps: params.caps,
98
- commands: params.commands,
99
- permissions: params.permissions,
100
- remoteIp: params.remoteIp
101
- };
102
- }
103
- async function reconcileNodePairingOnConnect(params) {
104
- const nodeId = params.connectParams.device?.id ?? params.connectParams.client.id;
105
- const policyNode = {
106
- platform: params.connectParams.client.platform,
107
- deviceFamily: params.connectParams.client.deviceFamily,
108
- caps: params.connectParams.caps,
109
- commands: params.connectParams.commands
110
- };
111
- const pairingAllowlist = resolveNodePairingCommandAllowlist(params.cfg, policyNode);
112
- const declared = normalizeDeclaredNodeCommands({
113
- declaredCommands: Array.isArray(params.connectParams.commands) ? params.connectParams.commands : [],
114
- allowlist: pairingAllowlist
115
- });
116
- const declaredCaps = normalizeApprovalSurfaceList(params.connectParams.caps);
117
- const declaredPermissions = normalizePermissionMap(params.connectParams.permissions);
118
- if (!params.pairedNode) return {
119
- nodeId,
120
- declaredCaps,
121
- effectiveCaps: [],
122
- declaredCommands: declared,
123
- effectiveCommands: [],
124
- declaredPermissions,
125
- effectivePermissions: void 0,
126
- pendingPairing: await params.requestPairing(buildNodePairingRequestInput({
127
- nodeId,
128
- connectParams: params.connectParams,
129
- caps: declaredCaps,
130
- commands: declared,
131
- permissions: declaredPermissions,
132
- remoteIp: params.reportedClientIp
133
- }))
134
- };
135
- const runtimeAllowlist = resolveNodeCommandAllowlist(params.cfg, {
136
- ...policyNode,
137
- approvedCommands: params.pairedNode.commands
138
- });
139
- const approvedCommands = resolveApprovedReconnectCommands({
140
- pairedCommands: params.pairedNode.commands,
141
- allowlist: runtimeAllowlist
142
- });
143
- const approvedCaps = normalizeApprovalSurfaceList(params.pairedNode.caps);
144
- const approvedPermissions = normalizePermissionMap(params.pairedNode.permissions);
145
- const hasCommandUpgrade = declared.some((command) => !approvedCommands.includes(command));
146
- const hasCapabilityChange = !sameApprovalSurfaceSet(params.pairedNode.caps, declaredCaps);
147
- const hasPermissionChange = !samePermissions(params.pairedNode.permissions, declaredPermissions);
148
- const effectiveApprovedDeclaredCaps = intersectApprovalSurfaceList({
149
- approved: approvedCaps,
150
- declared: declaredCaps
151
- });
152
- const effectiveApprovedDeclaredCommands = intersectApprovalSurfaceList({
153
- approved: approvedCommands,
154
- declared
155
- });
156
- const effectiveApprovedDeclaredPermissions = intersectPermissionSurface({
157
- approved: approvedPermissions,
158
- declared: declaredPermissions
159
- });
160
- if (hasCommandUpgrade || hasCapabilityChange || hasPermissionChange) return {
161
- nodeId,
162
- declaredCaps,
163
- effectiveCaps: effectiveApprovedDeclaredCaps,
164
- declaredCommands: declared,
165
- effectiveCommands: effectiveApprovedDeclaredCommands,
166
- declaredPermissions,
167
- effectivePermissions: effectiveApprovedDeclaredPermissions,
168
- pendingPairing: await params.requestPairing(buildNodePairingRequestInput({
169
- nodeId,
170
- connectParams: params.connectParams,
171
- caps: declaredCaps,
172
- commands: declared,
173
- permissions: declaredPermissions ?? (hasPermissionChange ? {} : void 0),
174
- remoteIp: params.reportedClientIp
175
- }))
176
- };
177
- return {
178
- nodeId,
179
- declaredCaps,
180
- effectiveCaps: declaredCaps,
181
- declaredCommands: declared,
182
- effectiveCommands: declared,
183
- declaredPermissions,
184
- effectivePermissions: declaredPermissions
185
- };
186
- }
187
- //#endregion
188
- //#region src/gateway/node-pairing-auto-approve.ts
189
- function resolveNodePairingClientIpSource(params) {
190
- if (!params.reportedClientIp) return "none";
191
- if (!params.hasProxyHeaders || !params.remoteIsTrustedProxy) return "direct";
192
- return params.remoteIsLoopback ? "loopback-trusted-proxy" : "trusted-proxy";
193
- }
194
- function shouldAutoApproveNodePairingFromTrustedCidrs(params) {
195
- if (params.existingPairedDevice) return false;
196
- if (params.role !== "node") return false;
197
- if (params.reason !== "not-paired") return false;
198
- if (params.scopes.length > 0) return false;
199
- if (params.hasBrowserOriginHeader || params.isControlUi || params.isWebchat) return false;
200
- if (params.reportedClientIpSource === "none" || params.reportedClientIpSource === "loopback-trusted-proxy") return false;
201
- if (!params.reportedClientIp) return false;
202
- const autoApproveCidrs = params.autoApproveCidrs?.map((entry) => entry.trim()).filter((entry) => entry.length > 0);
203
- if (!autoApproveCidrs || autoApproveCidrs.length === 0) return false;
204
- return isTrustedProxyAddress(params.reportedClientIp, autoApproveCidrs);
205
- }
206
- //#endregion
207
- //#region src/gateway/server/ws-connection/auth-context.ts
208
- function mapDeviceTokenAuthFailureReason(params) {
209
- if (params.tokenCheckReason === "scope-mismatch" || params.tokenCheckReason === "scope_mismatch") return "scope_mismatch";
210
- if (params.candidateSource === "explicit-device-token") return "device_token_mismatch";
211
- return params.fallbackReason ?? "device_token_mismatch";
212
- }
213
- function resolveSharedConnectAuth(connectAuth) {
214
- const token = normalizeOptionalString(connectAuth?.token);
215
- const password = normalizeOptionalString(connectAuth?.password);
216
- if (!token && !password) return;
217
- return {
218
- token,
219
- password
220
- };
221
- }
222
- function resolveDeviceTokenCandidate(connectAuth) {
223
- const explicitDeviceToken = normalizeOptionalString(connectAuth?.deviceToken);
224
- if (explicitDeviceToken) return {
225
- token: explicitDeviceToken,
226
- source: "explicit-device-token"
227
- };
228
- const fallbackToken = normalizeOptionalString(connectAuth?.token);
229
- if (!fallbackToken) return {};
230
- return {
231
- token: fallbackToken,
232
- source: "shared-token-fallback"
233
- };
234
- }
235
- async function resolveConnectAuthState(params) {
236
- const sharedConnectAuth = resolveSharedConnectAuth(params.connectAuth);
237
- const sharedAuthProvided = Boolean(sharedConnectAuth);
238
- const bootstrapTokenCandidate = params.hasDeviceIdentity ? normalizeOptionalString(params.connectAuth?.bootstrapToken) : void 0;
239
- const { token: deviceTokenCandidate, source: deviceTokenCandidateSource } = params.hasDeviceIdentity ? resolveDeviceTokenCandidate(params.connectAuth) : {};
240
- let authResult = await authorizeWsControlUiGatewayConnect({
241
- auth: params.resolvedAuth,
242
- connectAuth: sharedConnectAuth,
243
- req: params.req,
244
- trustedProxies: params.trustedProxies,
245
- allowRealIpFallback: params.allowRealIpFallback,
246
- rateLimiter: sharedAuthProvided ? params.rateLimiter : void 0,
247
- clientIp: params.clientIp,
248
- rateLimitScope: AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET
249
- });
250
- const sharedAuthResult = sharedConnectAuth && await authorizeHttpGatewayConnect({
251
- auth: {
252
- ...params.resolvedAuth,
253
- allowTailscale: false
254
- },
255
- connectAuth: sharedConnectAuth,
256
- req: params.req,
257
- trustedProxies: params.trustedProxies,
258
- allowRealIpFallback: params.allowRealIpFallback,
259
- rateLimitScope: "shared-secret"
260
- });
261
- const sharedAuthOk = sharedAuthResult?.ok === true && (sharedAuthResult.method === "token" || sharedAuthResult.method === "password") || authResult.ok && authResult.method === "trusted-proxy";
262
- return {
263
- authResult,
264
- authOk: authResult.ok,
265
- authMethod: authResult.method ?? (params.resolvedAuth.mode === "password" ? "password" : "token"),
266
- sharedAuthOk,
267
- sharedAuthProvided,
268
- bootstrapTokenCandidate,
269
- deviceTokenCandidate,
270
- deviceTokenCandidateSource
271
- };
272
- }
273
- async function resolveConnectAuthDecision(params) {
274
- let authResult = params.state.authResult;
275
- let authOk = params.state.authOk;
276
- let authMethod = params.state.authMethod;
277
- const bootstrapTokenCandidate = params.state.bootstrapTokenCandidate;
278
- if (params.hasDeviceIdentity && params.deviceId && params.publicKey && bootstrapTokenCandidate) {
279
- const tokenCheck = await params.verifyBootstrapToken({
280
- deviceId: params.deviceId,
281
- publicKey: params.publicKey,
282
- token: bootstrapTokenCandidate,
283
- role: params.role,
284
- scopes: params.scopes
285
- });
286
- if (tokenCheck.ok) {
287
- authOk = true;
288
- authMethod = "bootstrap-token";
289
- } else if (!authOk) authResult = {
290
- ok: false,
291
- reason: tokenCheck.reason ?? "bootstrap_token_invalid"
292
- };
293
- }
294
- const deviceTokenCandidate = params.state.deviceTokenCandidate;
295
- if (!params.hasDeviceIdentity || !params.deviceId || authOk || !deviceTokenCandidate) return {
296
- authResult,
297
- authOk,
298
- authMethod
299
- };
300
- let deviceTokenRateLimited = false;
301
- if (params.rateLimiter) {
302
- const deviceRateCheck = params.rateLimiter.check(params.clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
303
- if (!deviceRateCheck.allowed) {
304
- deviceTokenRateLimited = true;
305
- authResult = {
306
- ok: false,
307
- reason: "rate_limited",
308
- rateLimited: true,
309
- retryAfterMs: deviceRateCheck.retryAfterMs
310
- };
311
- }
312
- }
313
- if (!deviceTokenRateLimited) {
314
- const tokenCheck = await params.verifyDeviceToken({
315
- deviceId: params.deviceId,
316
- token: deviceTokenCandidate,
317
- role: params.role,
318
- scopes: params.scopes
319
- });
320
- if (tokenCheck.ok) {
321
- authOk = true;
322
- authMethod = "device-token";
323
- params.rateLimiter?.reset(params.clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
324
- if (params.state.sharedAuthProvided) params.rateLimiter?.reset(params.clientIp, AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET);
325
- } else {
326
- authResult = {
327
- ok: false,
328
- reason: mapDeviceTokenAuthFailureReason({
329
- tokenCheckReason: tokenCheck.reason,
330
- candidateSource: params.state.deviceTokenCandidateSource,
331
- fallbackReason: authResult.reason
332
- })
333
- };
334
- params.rateLimiter?.recordFailure(params.clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
335
- }
336
- }
337
- return {
338
- authResult,
339
- authOk,
340
- authMethod
341
- };
342
- }
343
- //#endregion
344
- //#region src/gateway/server/ws-connection/auth-messages.ts
345
- function formatGatewayAuthFailureMessage(params) {
346
- const { authMode, authProvided, reason, client } = params;
347
- const isCli = isGatewayCliClient(client);
348
- const isControlUi = isOperatorUiClient(client);
349
- const isWebchat = isWebchatClient(client);
350
- const tokenHint = isCli ? "set gateway.remote.token to match gateway.auth.token" : isControlUi || isWebchat ? "open the dashboard URL and paste the token in Control UI settings" : "provide gateway auth token";
351
- const passwordHint = isCli ? "set gateway.remote.password to match gateway.auth.password" : isControlUi || isWebchat ? "enter the password in Control UI settings" : "provide gateway auth password";
352
- switch (reason) {
353
- case "token_missing": return `unauthorized: gateway token missing (${tokenHint})`;
354
- case "token_mismatch": return `unauthorized: gateway token mismatch (${tokenHint})`;
355
- case "token_missing_config": return "unauthorized: gateway token not configured on gateway (set gateway.auth.token)";
356
- case "password_missing": return `unauthorized: gateway password missing (${passwordHint})`;
357
- case "password_mismatch": return `unauthorized: gateway password mismatch (${passwordHint})`;
358
- case "password_missing_config": return "unauthorized: gateway password not configured on gateway (set gateway.auth.password)";
359
- case "bootstrap_token_invalid": return "unauthorized: bootstrap token invalid or expired (scan a fresh setup code)";
360
- case "tailscale_user_missing": return "unauthorized: tailscale identity missing (use Tailscale Serve auth or gateway token/password)";
361
- case "tailscale_proxy_missing": return "unauthorized: tailscale proxy headers missing (use Tailscale Serve or gateway token/password)";
362
- case "tailscale_whois_failed": return "unauthorized: tailscale identity check failed (use Tailscale Serve auth or gateway token/password)";
363
- case "tailscale_user_mismatch": return "unauthorized: tailscale identity mismatch (use Tailscale Serve auth or gateway token/password)";
364
- case "rate_limited": return "unauthorized: too many failed authentication attempts (retry later)";
365
- case "device_token_mismatch": return "unauthorized: device token mismatch (rotate/reissue device token)";
366
- case "scope_mismatch": return "unauthorized: device token scope mismatch (re-pair or approve scope upgrade)";
367
- default: break;
368
- }
369
- if (authMode === "token" && authProvided === "none") return `unauthorized: gateway token missing (${tokenHint})`;
370
- if (authMode === "token" && authProvided === "device-token") return "unauthorized: device token rejected (pair/repair this device, or provide gateway token)";
371
- if (authProvided === "bootstrap-token") return "unauthorized: bootstrap token invalid or expired (scan a fresh setup code)";
372
- if (authMode === "password" && authProvided === "none") return `unauthorized: gateway password missing (${passwordHint})`;
373
- return "unauthorized";
374
- }
375
- //#endregion
376
- //#region src/gateway/server/ws-connection/connect-policy.ts
377
- function resolveControlUiAuthPolicy(params) {
378
- const allowInsecureAuthConfigured = params.isControlUi && params.controlUiConfig?.allowInsecureAuth === true;
379
- const dangerouslyDisableDeviceAuth = params.isControlUi && params.controlUiConfig?.dangerouslyDisableDeviceAuth === true;
380
- return {
381
- isControlUi: params.isControlUi,
382
- allowInsecureAuthConfigured,
383
- dangerouslyDisableDeviceAuth,
384
- allowBypass: dangerouslyDisableDeviceAuth,
385
- device: dangerouslyDisableDeviceAuth ? null : params.deviceRaw
386
- };
387
- }
388
- function shouldSkipControlUiPairing(policy, role, _trustedProxyAuthOk = false, authMode, authMethod) {
389
- if (policy.isControlUi && role === "operator" && authMethod === "tailscale" && policy.device) return true;
390
- if (policy.isControlUi && role === "operator" && authMode === "none") return true;
391
- return role === "operator" && policy.allowBypass;
392
- }
393
- function isTrustedProxyControlUiOperatorAuth(params) {
394
- return params.isControlUi && params.role === "operator" && params.authMode === "trusted-proxy" && params.authOk && params.authMethod === "trusted-proxy";
395
- }
396
- function shouldClearUnboundScopesForMissingDeviceIdentity(params) {
397
- return params.decision.kind !== "allow" || !params.controlUiAuthPolicy.allowBypass && !params.preserveInsecureLocalControlUiScopes && (params.authMethod === "token" || params.authMethod === "password" || params.authMethod === "trusted-proxy");
398
- }
399
- function evaluateMissingDeviceIdentity(params) {
400
- if (params.hasDeviceIdentity) return { kind: "allow" };
401
- if (params.isControlUi && params.trustedProxyAuthOk) return { kind: "allow" };
402
- if (params.isControlUi && params.controlUiAuthPolicy.allowBypass && params.role === "operator") return { kind: "allow" };
403
- if (params.localBackendSelfPairingOk && params.role === "operator") return { kind: "allow" };
404
- if (params.isControlUi && !params.controlUiAuthPolicy.allowBypass) {
405
- if (!params.controlUiAuthPolicy.allowInsecureAuthConfigured || !params.isLocalClient) return { kind: "reject-control-ui-insecure-auth" };
406
- }
407
- if (roleCanSkipDeviceIdentity(params.role, params.sharedAuthOk)) return { kind: "allow" };
408
- if (!params.authOk && params.hasSharedAuth) return { kind: "reject-unauthorized" };
409
- return { kind: "reject-device-required" };
410
- }
411
- //#endregion
412
- //#region src/gateway/server/ws-connection/handshake-auth-helpers.ts
413
- const BROWSER_ORIGIN_LOOPBACK_RATE_LIMIT_IP = "198.18.0.1";
414
- const BROWSER_ORIGIN_RATE_LIMIT_KEY_PREFIX = "browser-origin:";
415
- function resolveBrowserOriginRateLimitKey(requestOrigin) {
416
- const trimmedOrigin = requestOrigin?.trim();
417
- if (!trimmedOrigin) return BROWSER_ORIGIN_LOOPBACK_RATE_LIMIT_IP;
418
- try {
419
- return `${BROWSER_ORIGIN_RATE_LIMIT_KEY_PREFIX}${normalizeLowercaseStringOrEmpty(new URL(trimmedOrigin).origin)}`;
420
- } catch {
421
- return BROWSER_ORIGIN_LOOPBACK_RATE_LIMIT_IP;
422
- }
423
- }
424
- function resolveHandshakeBrowserSecurityContext(params) {
425
- const hasBrowserOriginHeader = Boolean(params.requestOrigin && params.requestOrigin.trim() !== "");
426
- return {
427
- hasBrowserOriginHeader,
428
- enforceOriginCheckForAnyClient: hasBrowserOriginHeader,
429
- rateLimitClientIp: hasBrowserOriginHeader && isLoopbackAddress(params.clientIp) ? resolveBrowserOriginRateLimitKey(params.requestOrigin) : params.clientIp,
430
- authRateLimiter: hasBrowserOriginHeader && params.browserRateLimiter ? params.browserRateLimiter : params.rateLimiter
431
- };
432
- }
433
- function shouldAllowSilentLocalPairing(params) {
434
- if (params.locality === "remote") return false;
435
- if (params.hasBrowserOriginHeader && !params.isControlUi && !params.isWebchat) return false;
436
- if (params.reason === "not-paired" || params.reason === "scope-upgrade" || params.reason === "role-upgrade") return true;
437
- if (params.reason === "metadata-upgrade" && !params.hasBrowserOriginHeader && !params.isControlUi && !params.isWebchat && (params.locality === "direct_local" && params.isNativeAppUi === true || params.locality === "cli_container_local" || params.locality === "shared_secret_loopback_local")) return true;
438
- return false;
439
- }
440
- function isCliContainerLocalEquivalent(params) {
441
- const isCliClient = params.connectParams.client.id === GATEWAY_CLIENT_IDS.CLI && params.connectParams.client.mode === GATEWAY_CLIENT_MODES.CLI;
442
- const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
443
- return isCliClient && params.sharedAuthOk && usesSharedSecretAuth && !params.hasProxyHeaders && !params.hasBrowserOriginHeader && isLoopbackAddress(params.remoteAddress) && isPrivateOrLoopbackHost(resolveHostName(params.requestHost));
444
- }
445
- function isSharedSecretLoopbackLocalEquivalent(params) {
446
- const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
447
- return params.sharedAuthOk && usesSharedSecretAuth && !params.hasProxyHeaders && !params.hasBrowserOriginHeader && isLoopbackAddress(params.remoteAddress) && isPrivateOrLoopbackHost(resolveHostName(params.requestHost));
448
- }
449
- function resolveOriginHost(origin) {
450
- const trimmed = origin?.trim();
451
- if (!trimmed) return "";
452
- try {
453
- return new URL(trimmed).hostname;
454
- } catch {
455
- return "";
456
- }
457
- }
458
- function isControlUiBrowserContainerLocalEquivalent(params) {
459
- const isControlUiBrowser = params.connectParams.client.id === GATEWAY_CLIENT_IDS.CONTROL_UI && params.connectParams.client.mode === GATEWAY_CLIENT_MODES.WEBCHAT;
460
- const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
461
- return isControlUiBrowser && params.sharedAuthOk && usesSharedSecretAuth && !params.hasProxyHeaders && params.hasBrowserOriginHeader && isPrivateOrLoopbackAddress(params.remoteAddress) && isLoopbackHost(resolveHostName(params.requestHost)) && isLoopbackHost(resolveOriginHost(params.requestOrigin));
462
- }
463
- function resolvePairingLocality(params) {
464
- if (params.isLocalClient) return "direct_local";
465
- if (isControlUiBrowserContainerLocalEquivalent({
466
- connectParams: params.connectParams,
467
- requestHost: params.requestHost,
468
- requestOrigin: params.requestOrigin,
469
- remoteAddress: params.remoteAddress,
470
- hasProxyHeaders: params.hasProxyHeaders,
471
- hasBrowserOriginHeader: params.hasBrowserOriginHeader,
472
- sharedAuthOk: params.sharedAuthOk,
473
- authMethod: params.authMethod
474
- })) return "browser_container_local";
475
- if (isCliContainerLocalEquivalent({
476
- connectParams: params.connectParams,
477
- requestHost: params.requestHost,
478
- remoteAddress: params.remoteAddress,
479
- hasProxyHeaders: params.hasProxyHeaders,
480
- hasBrowserOriginHeader: params.hasBrowserOriginHeader,
481
- sharedAuthOk: params.sharedAuthOk,
482
- authMethod: params.authMethod
483
- })) return "cli_container_local";
484
- if (isSharedSecretLoopbackLocalEquivalent({
485
- requestHost: params.requestHost,
486
- remoteAddress: params.remoteAddress,
487
- hasProxyHeaders: params.hasProxyHeaders,
488
- hasBrowserOriginHeader: params.hasBrowserOriginHeader,
489
- sharedAuthOk: params.sharedAuthOk,
490
- authMethod: params.authMethod
491
- })) return "shared_secret_loopback_local";
492
- return "remote";
493
- }
494
- function shouldSkipLocalBackendSelfPairing(params) {
495
- if (!(params.connectParams.client.id === GATEWAY_CLIENT_IDS.GATEWAY_CLIENT && params.connectParams.client.mode === GATEWAY_CLIENT_MODES.BACKEND)) return false;
496
- if (!(params.locality === "direct_local" || params.locality === "shared_secret_loopback_local") || params.hasBrowserOriginHeader) return false;
497
- if (params.authMethod === "none") return true;
498
- const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
499
- const usesDeviceTokenAuth = params.authMethod === "device-token";
500
- return params.sharedAuthOk && usesSharedSecretAuth || usesDeviceTokenAuth;
501
- }
502
- function resolveSignatureToken(connectParams) {
503
- return connectParams.auth?.token ?? connectParams.auth?.deviceToken ?? connectParams.auth?.bootstrapToken ?? null;
504
- }
505
- function buildUnauthorizedHandshakeContext(params) {
506
- return {
507
- authProvided: params.authProvided,
508
- canRetryWithDeviceToken: params.canRetryWithDeviceToken,
509
- recommendedNextStep: params.recommendedNextStep
510
- };
511
- }
512
- function resolveDeviceSignaturePayloadVersion(params) {
513
- const signatureToken = resolveSignatureToken(params.connectParams);
514
- const basePayload = {
515
- deviceId: params.device.id,
516
- clientId: params.connectParams.client.id,
517
- clientMode: params.connectParams.client.mode,
518
- role: params.role,
519
- scopes: params.scopes,
520
- signedAtMs: params.signedAtMs,
521
- token: signatureToken,
522
- nonce: params.nonce
523
- };
524
- const payloadV3 = buildDeviceAuthPayloadV3({
525
- ...basePayload,
526
- platform: params.connectParams.client.platform,
527
- deviceFamily: params.connectParams.client.deviceFamily
528
- });
529
- if (verifyDeviceSignature(params.device.publicKey, payloadV3, params.device.signature)) return "v3";
530
- const payloadV2 = buildDeviceAuthPayload(basePayload);
531
- if (verifyDeviceSignature(params.device.publicKey, payloadV2, params.device.signature)) return "v2";
532
- return null;
533
- }
534
- function resolveAuthProvidedKind(connectAuth) {
535
- return connectAuth?.password ? "password" : connectAuth?.token ? "token" : connectAuth?.bootstrapToken ? "bootstrap-token" : connectAuth?.deviceToken ? "device-token" : "none";
536
- }
537
- function resolveUnauthorizedHandshakeContext(params) {
538
- const authProvided = resolveAuthProvidedKind(params.connectAuth);
539
- const canRetryWithDeviceToken = params.failedAuth.reason === "token_mismatch" && params.hasDeviceIdentity && authProvided === "token" && !params.connectAuth?.deviceToken;
540
- if (canRetryWithDeviceToken) return buildUnauthorizedHandshakeContext({
541
- authProvided,
542
- canRetryWithDeviceToken,
543
- recommendedNextStep: "retry_with_device_token"
544
- });
545
- switch (params.failedAuth.reason) {
546
- case "token_missing":
547
- case "token_missing_config":
548
- case "password_missing":
549
- case "password_missing_config": return buildUnauthorizedHandshakeContext({
550
- authProvided,
551
- canRetryWithDeviceToken,
552
- recommendedNextStep: "update_auth_configuration"
553
- });
554
- case "token_mismatch":
555
- case "password_mismatch":
556
- case "device_token_mismatch": return buildUnauthorizedHandshakeContext({
557
- authProvided,
558
- canRetryWithDeviceToken,
559
- recommendedNextStep: "update_auth_credentials"
560
- });
561
- case "scope_mismatch": return buildUnauthorizedHandshakeContext({
562
- authProvided,
563
- canRetryWithDeviceToken,
564
- recommendedNextStep: "review_auth_configuration"
565
- });
566
- case "rate_limited": return buildUnauthorizedHandshakeContext({
567
- authProvided,
568
- canRetryWithDeviceToken,
569
- recommendedNextStep: "wait_then_retry"
570
- });
571
- default: return buildUnauthorizedHandshakeContext({
572
- authProvided,
573
- canRetryWithDeviceToken,
574
- recommendedNextStep: "review_auth_configuration"
575
- });
576
- }
577
- }
578
- //#endregion
579
- //#region src/gateway/server/ws-connection/unauthorized-flood-guard.ts
580
- const DEFAULT_CLOSE_AFTER = 10;
581
- const DEFAULT_LOG_EVERY = 100;
582
- var UnauthorizedFloodGuard = class {
583
- constructor(options) {
584
- this.count = 0;
585
- this.suppressedSinceLastLog = 0;
586
- this.closeAfter = Math.max(1, Math.floor(options?.closeAfter ?? DEFAULT_CLOSE_AFTER));
587
- this.logEvery = Math.max(1, Math.floor(options?.logEvery ?? DEFAULT_LOG_EVERY));
588
- }
589
- registerUnauthorized() {
590
- this.count += 1;
591
- const shouldClose = this.count > this.closeAfter;
592
- if (!(this.count === 1 || this.count % this.logEvery === 0 || shouldClose)) {
593
- this.suppressedSinceLastLog += 1;
594
- return {
595
- shouldClose,
596
- shouldLog: false,
597
- count: this.count,
598
- suppressedSinceLastLog: 0
599
- };
600
- }
601
- const suppressedSinceLastLog = this.suppressedSinceLastLog;
602
- this.suppressedSinceLastLog = 0;
603
- return {
604
- shouldClose,
605
- shouldLog: true,
606
- count: this.count,
607
- suppressedSinceLastLog
608
- };
609
- }
610
- reset() {
611
- this.count = 0;
612
- this.suppressedSinceLastLog = 0;
613
- }
614
- };
615
- function isUnauthorizedRoleError(error) {
616
- if (!error) return false;
617
- return error.code === ErrorCodes.INVALID_REQUEST && typeof error.message === "string" && error.message.startsWith("unauthorized role:");
618
- }
619
- //#endregion
620
- //#region src/gateway/server/ws-connection/message-handler.ts
621
- const DEVICE_SIGNATURE_SKEW_MS = 120 * 1e3;
622
- function sameBootstrapProfile(left, right) {
623
- if (left.roles.length !== right.roles.length || left.scopes.length !== right.scopes.length) return false;
624
- return left.roles.every((role, index) => role === right.roles[index]) && left.scopes.every((scope, index) => scope === right.scopes[index]);
625
- }
626
- function firstHeaderValue(value) {
627
- return Array.isArray(value) ? value[0] : value;
628
- }
629
- function resolveTrustedProxyControlUiScopes(params) {
630
- const rawHeader = firstHeaderValue(params.upgradeReq.headers["x-daocore-scopes"]);
631
- if (rawHeader === void 0) return params.requestedScopes;
632
- const declaredScopes = new Set(rawHeader.split(",").map((scope) => scope.trim()).filter((scope) => scope.length > 0));
633
- if (declaredScopes.size === 0) return [];
634
- return params.requestedScopes.filter((scope) => declaredScopes.has(scope));
635
- }
636
- function resolvePinnedClientMetadata(params) {
637
- function normalizeLegacyNodeHostPlatformPin(value) {
638
- switch (value) {
639
- case "darwin":
640
- case "macos": return "macos";
641
- case "win32":
642
- case "windows": return "windows";
643
- default: return value;
644
- }
645
- }
646
- function normalizeMobileAppPlatformPin(clientId, value) {
647
- if (clientId === GATEWAY_CLIENT_IDS.IOS_APP && /^(?:ios|ipados)(?:\s|$)/.test(value)) return "ios-family";
648
- if (clientId === GATEWAY_CLIENT_IDS.ANDROID_APP && /^android(?:\s|$)/.test(value)) return "android";
649
- return value;
650
- }
651
- const claimedPlatform = normalizeDeviceMetadataForAuth(params.claimedPlatform);
652
- const claimedDeviceFamily = normalizeDeviceMetadataForAuth(params.claimedDeviceFamily);
653
- const pairedPlatform = normalizeDeviceMetadataForAuth(params.pairedPlatform);
654
- const pairedDeviceFamily = normalizeDeviceMetadataForAuth(params.pairedDeviceFamily);
655
- const hasPinnedPlatform = pairedPlatform !== "";
656
- const hasPinnedDeviceFamily = pairedDeviceFamily !== "";
657
- const isLegacyNodeHostPlatformPin = params.clientId === GATEWAY_CLIENT_IDS.NODE_HOST && params.clientMode === GATEWAY_CLIENT_MODES.NODE && hasPinnedPlatform && claimedPlatform !== "" && normalizeLegacyNodeHostPlatformPin(claimedPlatform) === normalizeLegacyNodeHostPlatformPin(pairedPlatform);
658
- const isMobileAppPlatformVersionRefresh = hasPinnedPlatform && claimedPlatform !== "" && claimedPlatform !== pairedPlatform && normalizeMobileAppPlatformPin(params.clientId, claimedPlatform) === normalizeMobileAppPlatformPin(params.clientId, pairedPlatform);
659
- const platformMismatch = hasPinnedPlatform && claimedPlatform !== pairedPlatform && !isLegacyNodeHostPlatformPin && !isMobileAppPlatformVersionRefresh;
660
- const deviceFamilyMismatch = hasPinnedDeviceFamily && claimedDeviceFamily !== pairedDeviceFamily;
661
- const pinnedPlatform = claimedPlatform === pairedPlatform ? params.pairedPlatform : isLegacyNodeHostPlatformPin ? normalizeLegacyNodeHostPlatformPin(pairedPlatform) : isMobileAppPlatformVersionRefresh ? params.claimedPlatform : void 0;
662
- return {
663
- platformMismatch,
664
- deviceFamilyMismatch,
665
- pinnedPlatform: hasPinnedPlatform ? pinnedPlatform : void 0,
666
- pinnedDeviceFamily: hasPinnedDeviceFamily ? params.pairedDeviceFamily : void 0,
667
- ...isMobileAppPlatformVersionRefresh ? { refreshPairedPlatform: params.claimedPlatform } : {}
668
- };
669
- }
670
- function attachGatewayWsMessageHandler(params) {
671
- const { socket, upgradeReq, connId, remoteAddr, remotePort, localAddr, localPort, endpoint, forwardedFor, realIp, requestHost, requestOrigin, requestUserAgent, pluginSurfaceBaseUrl, pluginNodeCapabilities = [], connectNonce, getResolvedAuth, getRequiredSharedGatewaySessionGeneration, rateLimiter, browserRateLimiter, isStartupPending, gatewayMethods, events, extraHandlers, getMethodRegistry, buildRequestContext, refreshHealthSnapshot, send, close, isClosed, clearHandshakeTimer, getClient, setClient, setHandshakeState, setCloseCause, setLastFrameMeta, originCheckMetrics, logGateway, logHealth, logWsControl } = params;
672
- const sendFrame = async (obj) => await new Promise((resolve, reject) => {
673
- socket.send(JSON.stringify(obj), (err) => {
674
- if (err) {
675
- reject(err);
676
- return;
677
- }
678
- resolve();
679
- });
680
- });
681
- const configSnapshot = getRuntimeConfig();
682
- const trustedProxies = configSnapshot.gateway?.trustedProxies ?? [];
683
- const allowRealIpFallback = configSnapshot.gateway?.allowRealIpFallback === true;
684
- const clientIp = resolveClientIp({
685
- remoteAddr,
686
- forwardedFor,
687
- realIp,
688
- trustedProxies,
689
- allowRealIpFallback
690
- });
691
- const peerLabel = endpoint ?? remoteAddr ?? "n/a";
692
- const hasProxyHeaders = hasForwardedRequestHeaders(upgradeReq);
693
- const remoteIsTrustedProxy = isTrustedProxyAddress(remoteAddr, trustedProxies);
694
- const hasUntrustedProxyHeaders = hasProxyHeaders && !remoteIsTrustedProxy;
695
- const hostIsLocalish = isLocalishHost(requestHost);
696
- const isLocalClient = isLocalDirectRequest(upgradeReq, trustedProxies, allowRealIpFallback);
697
- const reportedClientIp = isLocalClient || hasUntrustedProxyHeaders ? void 0 : clientIp && !isLoopbackAddress(clientIp) ? clientIp : void 0;
698
- const reportedClientIpSource = resolveNodePairingClientIpSource({
699
- reportedClientIp,
700
- hasProxyHeaders,
701
- remoteIsTrustedProxy,
702
- remoteIsLoopback: isLoopbackAddress(remoteAddr)
703
- });
704
- if (hasUntrustedProxyHeaders) logWsControl.warn("Proxy headers detected from untrusted address. Connection will not be treated as local. Configure gateway.trustedProxies to restore local client detection behind your proxy.");
705
- if (!hostIsLocalish && isLoopbackAddress(remoteAddr) && !hasProxyHeaders) logWsControl.warn("Loopback connection with non-local Host header. Treating it as remote. If you're behind a reverse proxy, set gateway.trustedProxies and forward X-Forwarded-For/X-Real-IP.");
706
- const isWebchatConnect = (p) => isWebchatClient(p?.client);
707
- const unauthorizedFloodGuard = new UnauthorizedFloodGuard();
708
- const { hasBrowserOriginHeader, enforceOriginCheckForAnyClient, rateLimitClientIp: browserRateLimitClientIp, authRateLimiter } = resolveHandshakeBrowserSecurityContext({
709
- requestOrigin,
710
- clientIp,
711
- rateLimiter,
712
- browserRateLimiter
713
- });
714
- const handleMessage = async (data) => {
715
- if (isClosed()) return;
716
- const preauthPayloadBytes = !getClient() ? getRawDataByteLength(data) : void 0;
717
- if (preauthPayloadBytes !== void 0 && preauthPayloadBytes > 65536) {
718
- logRejectedLargePayload({
719
- surface: "gateway.ws.preauth",
720
- bytes: preauthPayloadBytes,
721
- limitBytes: MAX_PREAUTH_PAYLOAD_BYTES,
722
- reason: "preauth_frame_limit"
723
- });
724
- setHandshakeState("failed");
725
- setCloseCause("preauth-payload-too-large", {
726
- payloadBytes: preauthPayloadBytes,
727
- limitBytes: MAX_PREAUTH_PAYLOAD_BYTES
728
- });
729
- close(1009, "preauth payload too large");
730
- return;
731
- }
732
- const text = rawDataToString(data);
733
- try {
734
- const parsed = JSON.parse(text);
735
- const frameType = parsed && typeof parsed === "object" && "type" in parsed ? typeof parsed.type === "string" ? String(parsed.type) : void 0 : void 0;
736
- const frameMethod = parsed && typeof parsed === "object" && "method" in parsed ? typeof parsed.method === "string" ? String(parsed.method) : void 0 : void 0;
737
- const frameId = parsed && typeof parsed === "object" && "id" in parsed ? typeof parsed.id === "string" ? String(parsed.id) : void 0 : void 0;
738
- if (frameType || frameMethod || frameId) setLastFrameMeta({
739
- type: frameType,
740
- method: frameMethod,
741
- id: frameId
742
- });
743
- const client = getClient();
744
- if (!client) {
745
- const isRequestFrame = validateRequestFrame(parsed);
746
- if (!isRequestFrame || parsed.method !== "connect" || !validateConnectParams(parsed.params)) {
747
- const handshakeError = isRequestFrame ? parsed.method === "connect" ? `invalid connect params: ${formatValidationErrors(validateConnectParams.errors)}` : "invalid handshake: first request must be connect" : "invalid request frame";
748
- setHandshakeState("failed");
749
- setCloseCause("invalid-handshake", {
750
- frameType,
751
- frameMethod,
752
- frameId,
753
- handshakeError
754
- });
755
- if (isRequestFrame) send({
756
- type: "res",
757
- id: parsed.id,
758
- ok: false,
759
- error: errorShape(ErrorCodes.INVALID_REQUEST, handshakeError)
760
- });
761
- else logWsControl.warn(`invalid handshake conn=${connId} peer=${formatForLog(peerLabel)} remote=${remoteAddr ?? "?"} fwd=${formatForLog(forwardedFor ?? "n/a")} origin=${formatForLog(requestOrigin ?? "n/a")} host=${formatForLog(requestHost ?? "n/a")} ua=${formatForLog(requestUserAgent ?? "n/a")}`);
762
- const closeReason = truncateCloseReason(handshakeError || "invalid handshake");
763
- if (isRequestFrame) queueMicrotask(() => close(1008, closeReason));
764
- else close(1008, closeReason);
765
- return;
766
- }
767
- const frame = parsed;
768
- const connectParams = frame.params;
769
- const resolvedAuth = getResolvedAuth();
770
- const clientLabel = connectParams.client.displayName ?? connectParams.client.id;
771
- const clientMeta = {
772
- client: connectParams.client.id,
773
- clientDisplayName: connectParams.client.displayName,
774
- mode: connectParams.client.mode,
775
- version: connectParams.client.version,
776
- platform: connectParams.client.platform,
777
- deviceFamily: connectParams.client.deviceFamily,
778
- modelIdentifier: connectParams.client.modelIdentifier,
779
- instanceId: connectParams.client.instanceId
780
- };
781
- const markHandshakeFailure = (cause, meta) => {
782
- setHandshakeState("failed");
783
- setCloseCause(cause, {
784
- ...meta,
785
- ...clientMeta
786
- });
787
- };
788
- const sendHandshakeErrorResponse = (code, message, options) => {
789
- send({
790
- type: "res",
791
- id: frame.id,
792
- ok: false,
793
- error: errorShape(code, message, options)
794
- });
795
- };
796
- if (isStartupPending?.()) {
797
- markHandshakeFailure(GATEWAY_STARTUP_PENDING_CLOSE_CAUSE);
798
- await sendFrame({
799
- type: "res",
800
- id: frame.id,
801
- ok: false,
802
- error: errorShape(ErrorCodes.UNAVAILABLE, "gateway starting; retry shortly", {
803
- retryable: true,
804
- retryAfterMs: 500,
805
- details: gatewayStartupUnavailableDetails()
806
- })
807
- }).catch(() => {});
808
- queueMicrotask(() => close(GATEWAY_STARTUP_CLOSE_CODE, GATEWAY_STARTUP_CLOSE_REASON));
809
- return;
810
- }
811
- const { minProtocol, maxProtocol } = connectParams;
812
- const supportsCurrentProtocol = maxProtocol >= 4 && minProtocol <= 4;
813
- const supportsProbeRestartProtocol = connectParams.client.mode === GATEWAY_CLIENT_MODES.PROBE && maxProtocol >= 4 && minProtocol <= 4;
814
- if (!supportsCurrentProtocol && !supportsProbeRestartProtocol) {
815
- markHandshakeFailure("protocol-mismatch", {
816
- minProtocol,
817
- maxProtocol,
818
- expectedProtocol: 4,
819
- minimumProbeProtocol: 4
820
- });
821
- logWsControl.warn(`protocol mismatch conn=${connId} peer=${formatForLog(peerLabel)} remote=${remoteAddr ?? "?"} remotePort=${remotePort ?? "?"} client=${formatForLog(clientLabel)} ${connectParams.client.mode} v${formatForLog(connectParams.client.version)} min=${minProtocol} max=${maxProtocol} expected=4 probeMin=4 instance=${formatForLog(connectParams.client.instanceId ?? "n/a")}`);
822
- sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, "protocol mismatch", { details: {
823
- code: ConnectErrorDetailCodes.PROTOCOL_MISMATCH,
824
- clientMinProtocol: minProtocol,
825
- clientMaxProtocol: maxProtocol,
826
- expectedProtocol: 4,
827
- minimumProbeProtocol: 4
828
- } });
829
- close(1002, "protocol mismatch");
830
- return;
831
- }
832
- const roleRaw = connectParams.role ?? "operator";
833
- const role = parseGatewayRole(roleRaw);
834
- if (!role) {
835
- markHandshakeFailure("invalid-role", { role: roleRaw });
836
- sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, "invalid role");
837
- close(1008, "invalid role");
838
- return;
839
- }
840
- let scopes = Array.isArray(connectParams.scopes) ? connectParams.scopes : [];
841
- connectParams.role = role;
842
- connectParams.scopes = scopes;
843
- const isControlUi = isOperatorUiClient(connectParams.client);
844
- const isBrowserOperatorUi = isBrowserOperatorUiClient(connectParams.client);
845
- const isWebchat = isWebchatConnect(connectParams);
846
- const isNativeAppUi = connectParams.client.mode === GATEWAY_CLIENT_MODES.UI && (connectParams.client.id === GATEWAY_CLIENT_IDS.MACOS_APP || connectParams.client.id === GATEWAY_CLIENT_IDS.IOS_APP || connectParams.client.id === GATEWAY_CLIENT_IDS.ANDROID_APP);
847
- if (enforceOriginCheckForAnyClient || isBrowserOperatorUi || isWebchat) {
848
- const hostHeaderOriginFallbackEnabled = configSnapshot.gateway?.controlUi?.dangerouslyAllowHostHeaderOriginFallback === true;
849
- const originCheck = checkBrowserOrigin({
850
- requestHost,
851
- origin: requestOrigin,
852
- allowedOrigins: configSnapshot.gateway?.controlUi?.allowedOrigins,
853
- allowHostHeaderOriginFallback: hostHeaderOriginFallbackEnabled,
854
- isLocalClient
855
- });
856
- if (!originCheck.ok) {
857
- const errorMessage = "origin not allowed (open the Control UI from the gateway host or allow it in gateway.controlUi.allowedOrigins)";
858
- markHandshakeFailure("origin-mismatch", {
859
- origin: requestOrigin ?? "n/a",
860
- host: requestHost ?? "n/a",
861
- reason: originCheck.reason
862
- });
863
- sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, errorMessage, { details: {
864
- code: ConnectErrorDetailCodes.CONTROL_UI_ORIGIN_NOT_ALLOWED,
865
- reason: originCheck.reason
866
- } });
867
- close(1008, truncateCloseReason(errorMessage));
868
- return;
869
- }
870
- if (originCheck.matchedBy === "host-header-fallback") {
871
- originCheckMetrics.hostHeaderFallbackAccepted += 1;
872
- logWsControl.warn(`security warning: websocket origin accepted via Host-header fallback conn=${connId} count=${originCheckMetrics.hostHeaderFallbackAccepted} host=${requestHost ?? "n/a"} origin=${requestOrigin ?? "n/a"}`);
873
- if (hostHeaderOriginFallbackEnabled) logGateway.warn("security metric: gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback accepted a websocket connect request");
874
- }
875
- }
876
- const deviceRaw = connectParams.device;
877
- let devicePublicKey = null;
878
- let deviceAuthPayloadVersion = null;
879
- const hasTokenAuth = Boolean(connectParams.auth?.token);
880
- const hasPasswordAuth = Boolean(connectParams.auth?.password);
881
- const hasSharedAuth = hasTokenAuth || hasPasswordAuth;
882
- const controlUiAuthPolicy = resolveControlUiAuthPolicy({
883
- isControlUi,
884
- controlUiConfig: configSnapshot.gateway?.controlUi,
885
- deviceRaw
886
- });
887
- const device = controlUiAuthPolicy.device;
888
- let { authResult, authOk, authMethod, sharedAuthOk, bootstrapTokenCandidate, deviceTokenCandidate, deviceTokenCandidateSource } = await resolveConnectAuthState({
889
- resolvedAuth,
890
- connectAuth: connectParams.auth,
891
- hasDeviceIdentity: Boolean(device),
892
- req: upgradeReq,
893
- trustedProxies,
894
- allowRealIpFallback,
895
- rateLimiter: authRateLimiter,
896
- clientIp: browserRateLimitClientIp
897
- });
898
- const rejectUnauthorized = (failedAuth) => {
899
- const { authProvided, canRetryWithDeviceToken, recommendedNextStep } = resolveUnauthorizedHandshakeContext({
900
- connectAuth: connectParams.auth,
901
- failedAuth,
902
- hasDeviceIdentity: Boolean(device)
903
- });
904
- markHandshakeFailure("unauthorized", {
905
- authMode: resolvedAuth.mode,
906
- authProvided,
907
- authReason: failedAuth.reason,
908
- allowTailscale: resolvedAuth.allowTailscale,
909
- peer: peerLabel,
910
- remoteAddr,
911
- remotePort,
912
- localAddr,
913
- localPort,
914
- role,
915
- scopeCount: scopes.length,
916
- hasDeviceIdentity: Boolean(device)
917
- });
918
- logWsControl.warn(`unauthorized conn=${connId} peer=${formatForLog(peerLabel)} remote=${remoteAddr ?? "?"} client=${formatForLog(clientLabel)} ${connectParams.client.mode} v${formatForLog(connectParams.client.version)} role=${role} scopes=${scopes.length} auth=${authProvided} device=${device ? "yes" : "no"} platform=${formatForLog(connectParams.client.platform)} instance=${formatForLog(connectParams.client.instanceId ?? "n/a")} host=${formatForLog(requestHost ?? "n/a")} origin=${formatForLog(requestOrigin ?? "n/a")} ua=${formatForLog(requestUserAgent ?? "n/a")} reason=${failedAuth.reason ?? "unknown"}`);
919
- const authMessage = formatGatewayAuthFailureMessage({
920
- authMode: resolvedAuth.mode,
921
- authProvided,
922
- reason: failedAuth.reason,
923
- client: connectParams.client
924
- });
925
- sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, authMessage, { details: {
926
- code: resolveAuthConnectErrorDetailCode(failedAuth.reason),
927
- authReason: failedAuth.reason,
928
- canRetryWithDeviceToken,
929
- recommendedNextStep
930
- } });
931
- close(1008, truncateCloseReason(authMessage));
932
- };
933
- const clearUnboundScopes = () => {
934
- if (scopes.length > 0) {
935
- scopes = [];
936
- connectParams.scopes = scopes;
937
- }
938
- };
939
- let pairingLocality = resolvePairingLocality({
940
- connectParams,
941
- isLocalClient,
942
- requestHost,
943
- requestOrigin,
944
- remoteAddress: remoteAddr,
945
- hasProxyHeaders,
946
- hasBrowserOriginHeader,
947
- sharedAuthOk,
948
- authMethod
949
- });
950
- let skipLocalBackendSelfPairing = shouldSkipLocalBackendSelfPairing({
951
- connectParams,
952
- locality: pairingLocality,
953
- hasBrowserOriginHeader,
954
- sharedAuthOk,
955
- authMethod
956
- });
957
- const handleMissingDeviceIdentity = () => {
958
- const trustedProxyAuthOk = isTrustedProxyControlUiOperatorAuth({
959
- isControlUi,
960
- role,
961
- authMode: resolvedAuth.mode,
962
- authOk,
963
- authMethod
964
- });
965
- const preserveInsecureLocalControlUiScopes = isControlUi && controlUiAuthPolicy.allowInsecureAuthConfigured && isLocalClient && (authMethod === "token" || authMethod === "password");
966
- const decision = evaluateMissingDeviceIdentity({
967
- hasDeviceIdentity: Boolean(device),
968
- role,
969
- isControlUi,
970
- controlUiAuthPolicy,
971
- trustedProxyAuthOk,
972
- localBackendSelfPairingOk: skipLocalBackendSelfPairing,
973
- sharedAuthOk,
974
- authOk,
975
- hasSharedAuth,
976
- isLocalClient
977
- });
978
- if (!device && !skipLocalBackendSelfPairing && shouldClearUnboundScopesForMissingDeviceIdentity({
979
- decision,
980
- controlUiAuthPolicy,
981
- preserveInsecureLocalControlUiScopes,
982
- authMethod,
983
- trustedProxyAuthOk
984
- })) clearUnboundScopes();
985
- if (decision.kind === "allow") return true;
986
- if (decision.kind === "reject-control-ui-insecure-auth") {
987
- const errorMessage = "control ui requires device identity (use HTTPS or localhost secure context)";
988
- markHandshakeFailure("control-ui-insecure-auth", { insecureAuthConfigured: controlUiAuthPolicy.allowInsecureAuthConfigured });
989
- sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, errorMessage, { details: { code: ConnectErrorDetailCodes.CONTROL_UI_DEVICE_IDENTITY_REQUIRED } });
990
- close(1008, errorMessage);
991
- return false;
992
- }
993
- if (decision.kind === "reject-unauthorized") {
994
- rejectUnauthorized(authResult);
995
- return false;
996
- }
997
- markHandshakeFailure("device-required");
998
- sendHandshakeErrorResponse(ErrorCodes.NOT_PAIRED, "device identity required", { details: { code: ConnectErrorDetailCodes.DEVICE_IDENTITY_REQUIRED } });
999
- close(1008, "device identity required");
1000
- return false;
1001
- };
1002
- if (!handleMissingDeviceIdentity()) return;
1003
- if (device) {
1004
- const rejectDeviceAuthInvalid = (reason, message) => {
1005
- setHandshakeState("failed");
1006
- setCloseCause("device-auth-invalid", {
1007
- reason,
1008
- client: connectParams.client.id,
1009
- deviceId: device.id
1010
- });
1011
- send({
1012
- type: "res",
1013
- id: frame.id,
1014
- ok: false,
1015
- error: errorShape(ErrorCodes.INVALID_REQUEST, message, { details: {
1016
- code: resolveDeviceAuthConnectErrorDetailCode(reason),
1017
- reason
1018
- } })
1019
- });
1020
- close(1008, message);
1021
- };
1022
- const derivedId = deriveDeviceIdFromPublicKey(device.publicKey);
1023
- if (!derivedId || derivedId !== device.id) {
1024
- rejectDeviceAuthInvalid("device-id-mismatch", "device identity mismatch");
1025
- return;
1026
- }
1027
- const signedAt = device.signedAt;
1028
- if (typeof signedAt !== "number" || Math.abs(Date.now() - signedAt) > DEVICE_SIGNATURE_SKEW_MS) {
1029
- rejectDeviceAuthInvalid("device-signature-stale", "device signature expired");
1030
- return;
1031
- }
1032
- const providedNonce = typeof device.nonce === "string" ? device.nonce.trim() : "";
1033
- if (!providedNonce) {
1034
- rejectDeviceAuthInvalid("device-nonce-missing", "device nonce required");
1035
- return;
1036
- }
1037
- if (providedNonce !== connectNonce) {
1038
- rejectDeviceAuthInvalid("device-nonce-mismatch", "device nonce mismatch");
1039
- return;
1040
- }
1041
- const rejectDeviceSignatureInvalid = () => rejectDeviceAuthInvalid("device-signature", "device signature invalid");
1042
- const payloadVersion = resolveDeviceSignaturePayloadVersion({
1043
- device,
1044
- connectParams,
1045
- role,
1046
- scopes,
1047
- signedAtMs: signedAt,
1048
- nonce: providedNonce
1049
- });
1050
- if (!payloadVersion) {
1051
- rejectDeviceSignatureInvalid();
1052
- return;
1053
- }
1054
- deviceAuthPayloadVersion = payloadVersion;
1055
- devicePublicKey = normalizeDevicePublicKeyBase64Url(device.publicKey);
1056
- if (!devicePublicKey) {
1057
- rejectDeviceAuthInvalid("device-public-key", "device public key invalid");
1058
- return;
1059
- }
1060
- }
1061
- ({authResult, authOk, authMethod} = await resolveConnectAuthDecision({
1062
- state: {
1063
- authResult,
1064
- authOk,
1065
- authMethod,
1066
- sharedAuthOk,
1067
- sharedAuthProvided: hasSharedAuth,
1068
- bootstrapTokenCandidate,
1069
- deviceTokenCandidate,
1070
- deviceTokenCandidateSource
1071
- },
1072
- hasDeviceIdentity: Boolean(device),
1073
- deviceId: device?.id,
1074
- publicKey: device?.publicKey,
1075
- role,
1076
- scopes,
1077
- rateLimiter: authRateLimiter,
1078
- clientIp: browserRateLimitClientIp,
1079
- verifyBootstrapToken: async ({ deviceId, publicKey, token, role, scopes }) => await verifyDeviceBootstrapToken({
1080
- deviceId,
1081
- publicKey,
1082
- token,
1083
- role,
1084
- scopes
1085
- }),
1086
- verifyDeviceToken
1087
- }));
1088
- pairingLocality = resolvePairingLocality({
1089
- connectParams,
1090
- isLocalClient,
1091
- requestHost,
1092
- requestOrigin,
1093
- remoteAddress: remoteAddr,
1094
- hasProxyHeaders,
1095
- hasBrowserOriginHeader,
1096
- sharedAuthOk,
1097
- authMethod
1098
- });
1099
- skipLocalBackendSelfPairing = shouldSkipLocalBackendSelfPairing({
1100
- connectParams,
1101
- locality: pairingLocality,
1102
- hasBrowserOriginHeader,
1103
- sharedAuthOk,
1104
- authMethod
1105
- });
1106
- if (!authOk) {
1107
- rejectUnauthorized(authResult);
1108
- return;
1109
- }
1110
- if (authMethod === "token" || authMethod === "password" || authMethod === "trusted-proxy") {
1111
- const sharedGatewaySessionGeneration = resolveSharedGatewaySessionGeneration(resolvedAuth, trustedProxies);
1112
- const requiredSharedGatewaySessionGeneration = getRequiredSharedGatewaySessionGeneration?.();
1113
- if (requiredSharedGatewaySessionGeneration !== void 0 && sharedGatewaySessionGeneration !== requiredSharedGatewaySessionGeneration) {
1114
- setCloseCause("gateway-auth-rotated", { authGenerationStale: true });
1115
- close(4001, "gateway auth changed");
1116
- return;
1117
- }
1118
- }
1119
- const issuedBootstrapProfile = authMethod === "bootstrap-token" && bootstrapTokenCandidate ? await getDeviceBootstrapTokenProfile({ token: bootstrapTokenCandidate }) : null;
1120
- let handoffBootstrapProfile = null;
1121
- const trustedProxyAuthOk = isTrustedProxyControlUiOperatorAuth({
1122
- isControlUi,
1123
- role,
1124
- authMode: resolvedAuth.mode,
1125
- authOk,
1126
- authMethod
1127
- });
1128
- if (trustedProxyAuthOk) {
1129
- scopes = resolveTrustedProxyControlUiScopes({
1130
- requestedScopes: scopes,
1131
- upgradeReq
1132
- });
1133
- connectParams.scopes = scopes;
1134
- }
1135
- const skipControlUiPairingForDevice = shouldSkipControlUiPairing(controlUiAuthPolicy, role, trustedProxyAuthOk, resolvedAuth.mode, authMethod);
1136
- let hasServerApprovedDeviceTokenBaseline = false;
1137
- if (device && devicePublicKey) {
1138
- const formatAuditList = (items) => {
1139
- if (!items || items.length === 0) return "<none>";
1140
- const out = /* @__PURE__ */ new Set();
1141
- for (const item of items) {
1142
- const trimmed = item.trim();
1143
- if (trimmed) out.add(trimmed);
1144
- }
1145
- if (out.size === 0) return "<none>";
1146
- return [...out].toSorted().join(",");
1147
- };
1148
- const logUpgradeAudit = (reason, currentRoles, currentScopes) => {
1149
- logGateway.warn(`security audit: device access upgrade requested reason=${reason} device=${device.id} ip=${reportedClientIp ?? "unknown-ip"} auth=${authMethod} roleFrom=${formatAuditList(currentRoles)} roleTo=${role} scopesFrom=${formatAuditList(currentScopes)} scopesTo=${formatAuditList(scopes)} client=${connectParams.client.id} conn=${connId}`);
1150
- };
1151
- const clientPairingMetadata = {
1152
- displayName: connectParams.client.displayName,
1153
- platform: connectParams.client.platform,
1154
- deviceFamily: connectParams.client.deviceFamily,
1155
- clientId: connectParams.client.id,
1156
- clientMode: connectParams.client.mode,
1157
- role,
1158
- scopes,
1159
- remoteIp: reportedClientIp
1160
- };
1161
- const clientAccessMetadata = {
1162
- displayName: connectParams.client.displayName,
1163
- remoteIp: reportedClientIp
1164
- };
1165
- const requirePairing = async (reason, existingPairedDevice = null) => {
1166
- const pairingStateAllowsRequestedAccess = (pairedCandidate) => {
1167
- if (!pairedCandidate || pairedCandidate.publicKey !== devicePublicKey) return false;
1168
- if (!hasEffectivePairedDeviceRole(pairedCandidate, role)) return false;
1169
- if (scopes.length === 0) return true;
1170
- const pairedScopes = Array.isArray(pairedCandidate.approvedScopes) ? pairedCandidate.approvedScopes : Array.isArray(pairedCandidate.scopes) ? pairedCandidate.scopes : [];
1171
- if (pairedScopes.length === 0) return false;
1172
- return roleScopesAllow({
1173
- role,
1174
- requestedScopes: scopes,
1175
- allowedScopes: pairedScopes
1176
- });
1177
- };
1178
- const allowSilentLocalPairing = !(existingPairedDevice && role !== "operator") && shouldAllowSilentLocalPairing({
1179
- locality: pairingLocality,
1180
- hasBrowserOriginHeader,
1181
- isControlUi,
1182
- isWebchat,
1183
- isNativeAppUi,
1184
- reason
1185
- });
1186
- const allowSilentTrustedCidrsNodePairing = shouldAutoApproveNodePairingFromTrustedCidrs({
1187
- existingPairedDevice: Boolean(existingPairedDevice),
1188
- role,
1189
- reason,
1190
- scopes,
1191
- hasBrowserOriginHeader,
1192
- isControlUi,
1193
- isWebchat,
1194
- reportedClientIpSource,
1195
- reportedClientIp,
1196
- autoApproveCidrs: configSnapshot.gateway?.nodes?.pairing?.autoApproveCidrs
1197
- });
1198
- const boundBootstrapProfile = authMethod === "bootstrap-token" && bootstrapTokenCandidate && reason === "not-paired" && role === "node" && scopes.length === 0 && !existingPairedDevice && !isControlUi && !isBrowserOperatorUi && !isWebchat && connectParams.client.mode === GATEWAY_CLIENT_MODES.NODE ? await getBoundDeviceBootstrapProfile({
1199
- token: bootstrapTokenCandidate,
1200
- deviceId: device.id,
1201
- publicKey: devicePublicKey
1202
- }) : null;
1203
- const allowSilentBootstrapPairing = boundBootstrapProfile !== null && sameBootstrapProfile(boundBootstrapProfile, PAIRING_SETUP_BOOTSTRAP_PROFILE);
1204
- const bootstrapPairingRoles = allowSilentBootstrapPairing ? Array.from(new Set([role, ...boundBootstrapProfile.roles])) : void 0;
1205
- const pairing = await requestDevicePairing({
1206
- deviceId: device.id,
1207
- publicKey: devicePublicKey,
1208
- ...clientPairingMetadata,
1209
- ...bootstrapPairingRoles ? {
1210
- roles: bootstrapPairingRoles,
1211
- scopes: [...BOOTSTRAP_HANDOFF_OPERATOR_SCOPES]
1212
- } : {},
1213
- silent: reason === "scope-upgrade" ? false : allowSilentLocalPairing || allowSilentTrustedCidrsNodePairing || allowSilentBootstrapPairing
1214
- });
1215
- const context = buildRequestContext();
1216
- let approved;
1217
- let resolvedByConcurrentApproval = false;
1218
- let recoveryRequestId = pairing.request.requestId;
1219
- const resolveLivePendingRequestId = async () => {
1220
- const pendingList = await listDevicePairing();
1221
- const exactPending = pendingList.pending.find((pending) => pending.requestId === pairing.request.requestId);
1222
- if (exactPending) return exactPending.requestId;
1223
- return pendingList.pending.find((pending) => pending.deviceId === device.id && pending.publicKey === devicePublicKey)?.requestId;
1224
- };
1225
- if (pairing.request.silent === true) {
1226
- approved = allowSilentBootstrapPairing && boundBootstrapProfile ? await approveBootstrapDevicePairing(pairing.request.requestId, boundBootstrapProfile) : await approveDevicePairing(pairing.request.requestId, { callerScopes: scopes });
1227
- if (approved?.status === "approved") {
1228
- if (allowSilentBootstrapPairing && boundBootstrapProfile) handoffBootstrapProfile = boundBootstrapProfile;
1229
- logGateway.info(`device pairing auto-approved device=${approved.device.deviceId} role=${approved.device.role ?? "unknown"}`);
1230
- context.broadcast("device.pair.resolved", {
1231
- requestId: pairing.request.requestId,
1232
- deviceId: approved.device.deviceId,
1233
- decision: "approved",
1234
- ts: Date.now()
1235
- }, { dropIfSlow: true });
1236
- } else {
1237
- resolvedByConcurrentApproval = pairingStateAllowsRequestedAccess(await getPairedDevice(device.id));
1238
- let requestStillPending = false;
1239
- if (!resolvedByConcurrentApproval) {
1240
- recoveryRequestId = await resolveLivePendingRequestId();
1241
- requestStillPending = recoveryRequestId === pairing.request.requestId;
1242
- }
1243
- if (requestStillPending) context.broadcast("device.pair.requested", pairing.request, { dropIfSlow: true });
1244
- }
1245
- } else if (pairing.created) context.broadcast("device.pair.requested", pairing.request, { dropIfSlow: true });
1246
- recoveryRequestId = await resolveLivePendingRequestId();
1247
- if (!(pairing.request.silent === true && (approved?.status === "approved" || resolvedByConcurrentApproval))) {
1248
- const exposeApprovedAccess = existingPairedDevice?.publicKey === devicePublicKey;
1249
- const approvedRoles = exposeApprovedAccess ? listApprovedPairedDeviceRoles(existingPairedDevice) : [];
1250
- const approvedScopes = exposeApprovedAccess ? Array.isArray(existingPairedDevice.approvedScopes) ? existingPairedDevice.approvedScopes : Array.isArray(existingPairedDevice.scopes) ? existingPairedDevice.scopes : [] : [];
1251
- const retryAfterBootstrapPairingApproval = authMethod === "bootstrap-token" && reason === "not-paired" && role === "node" && scopes.length === 0 && !existingPairedDevice;
1252
- const pairingErrorDetails = buildPairingConnectErrorDetails({
1253
- reason,
1254
- requestId: recoveryRequestId,
1255
- ...retryAfterBootstrapPairingApproval ? {
1256
- recommendedNextStep: "wait_then_retry",
1257
- retryable: true,
1258
- pauseReconnect: false
1259
- } : {},
1260
- deviceId: device.id,
1261
- requestedRole: role,
1262
- requestedScopes: scopes,
1263
- ...approvedRoles.length > 0 ? { approvedRoles } : {},
1264
- ...approvedScopes.length > 0 ? { approvedScopes } : {}
1265
- });
1266
- const pairingErrorMessage = buildPairingConnectErrorMessage(reason);
1267
- setHandshakeState("failed");
1268
- setCloseCause("pairing-required", {
1269
- deviceId: device.id,
1270
- ...recoveryRequestId ? { requestId: recoveryRequestId } : {},
1271
- reason
1272
- });
1273
- send({
1274
- type: "res",
1275
- id: frame.id,
1276
- ok: false,
1277
- error: errorShape(ErrorCodes.NOT_PAIRED, pairingErrorMessage, { details: pairingErrorDetails })
1278
- });
1279
- close(1008, truncateCloseReason(buildPairingConnectCloseReason({
1280
- reason,
1281
- requestId: recoveryRequestId
1282
- })));
1283
- return false;
1284
- }
1285
- return true;
1286
- };
1287
- const paired = await getPairedDevice(device.id);
1288
- if (!(paired?.publicKey === devicePublicKey)) {
1289
- if (!(skipLocalBackendSelfPairing || skipControlUiPairingForDevice)) {
1290
- if (!await requirePairing("not-paired", paired)) return;
1291
- hasServerApprovedDeviceTokenBaseline = true;
1292
- } else if (skipControlUiPairingForDevice || skipLocalBackendSelfPairing && authMethod !== "device-token") hasServerApprovedDeviceTokenBaseline = true;
1293
- } else {
1294
- hasServerApprovedDeviceTokenBaseline = true;
1295
- const claimedPlatform = connectParams.client.platform;
1296
- const pairedPlatform = paired.platform;
1297
- const claimedDeviceFamily = connectParams.client.deviceFamily;
1298
- const pairedDeviceFamily = paired.deviceFamily;
1299
- const metadataPinning = resolvePinnedClientMetadata({
1300
- clientId: connectParams.client.id,
1301
- clientMode: connectParams.client.mode,
1302
- claimedPlatform,
1303
- claimedDeviceFamily,
1304
- pairedPlatform,
1305
- pairedDeviceFamily
1306
- });
1307
- const { platformMismatch, deviceFamilyMismatch } = metadataPinning;
1308
- if (platformMismatch || deviceFamilyMismatch) {
1309
- if (!shouldAllowSilentLocalPairing({
1310
- locality: pairingLocality,
1311
- hasBrowserOriginHeader,
1312
- isControlUi,
1313
- isWebchat,
1314
- isNativeAppUi,
1315
- reason: "metadata-upgrade"
1316
- })) logGateway.warn(`security audit: device metadata upgrade requested reason=metadata-upgrade device=${device.id} ip=${reportedClientIp ?? "unknown-ip"} auth=${authMethod} payload=${deviceAuthPayloadVersion ?? "unknown"} claimedPlatform=${claimedPlatform ?? "<none>"} pinnedPlatform=${pairedPlatform ?? "<none>"} claimedDeviceFamily=${claimedDeviceFamily ?? "<none>"} pinnedDeviceFamily=${pairedDeviceFamily ?? "<none>"} client=${connectParams.client.id} conn=${connId}`);
1317
- if (!await requirePairing("metadata-upgrade", paired)) return;
1318
- } else {
1319
- if (metadataPinning.pinnedPlatform) connectParams.client.platform = metadataPinning.pinnedPlatform;
1320
- if (metadataPinning.pinnedDeviceFamily) connectParams.client.deviceFamily = metadataPinning.pinnedDeviceFamily;
1321
- }
1322
- const pairedRoles = listEffectivePairedDeviceRoles(paired);
1323
- const pairedScopes = Array.isArray(paired.approvedScopes) ? paired.approvedScopes : Array.isArray(paired.scopes) ? paired.scopes : [];
1324
- const allowedRoles = new Set(pairedRoles);
1325
- if (allowedRoles.size === 0) {
1326
- logUpgradeAudit("role-upgrade", pairedRoles, pairedScopes);
1327
- if (!await requirePairing("role-upgrade", paired)) return;
1328
- } else if (!allowedRoles.has(role)) {
1329
- logUpgradeAudit("role-upgrade", pairedRoles, pairedScopes);
1330
- if (!await requirePairing("role-upgrade", paired)) return;
1331
- }
1332
- if (scopes.length > 0) {
1333
- if (pairedScopes.length === 0) {
1334
- logUpgradeAudit("scope-upgrade", pairedRoles, pairedScopes);
1335
- if (!await requirePairing("scope-upgrade", paired)) return;
1336
- } else if (!roleScopesAllow({
1337
- role,
1338
- requestedScopes: scopes,
1339
- allowedScopes: pairedScopes
1340
- })) {
1341
- logUpgradeAudit("scope-upgrade", pairedRoles, pairedScopes);
1342
- if (!await requirePairing("scope-upgrade", paired)) return;
1343
- }
1344
- }
1345
- const retryBootstrapHandoffProfile = authMethod === "bootstrap-token" && bootstrapTokenCandidate && role === "node" && scopes.length === 0 && !isControlUi && !isBrowserOperatorUi && !isWebchat && connectParams.client.mode === GATEWAY_CLIENT_MODES.NODE && pairedRoles.includes("operator") && roleScopesAllow({
1346
- role: "operator",
1347
- requestedScopes: BOOTSTRAP_HANDOFF_OPERATOR_SCOPES,
1348
- allowedScopes: pairedScopes
1349
- }) ? await getBoundDeviceBootstrapProfile({
1350
- token: bootstrapTokenCandidate,
1351
- deviceId: device.id,
1352
- publicKey: devicePublicKey
1353
- }) : null;
1354
- if (retryBootstrapHandoffProfile && sameBootstrapProfile(retryBootstrapHandoffProfile, PAIRING_SETUP_BOOTSTRAP_PROFILE)) handoffBootstrapProfile = retryBootstrapHandoffProfile;
1355
- await updatePairedDeviceMetadata(device.id, {
1356
- ...clientAccessMetadata,
1357
- ...metadataPinning.refreshPairedPlatform ? { platform: metadataPinning.refreshPairedPlatform } : {}
1358
- });
1359
- }
1360
- }
1361
- const deviceToken = !trustedProxyAuthOk && device && hasServerApprovedDeviceTokenBaseline ? await ensureDeviceToken({
1362
- deviceId: device.id,
1363
- role,
1364
- scopes
1365
- }) : null;
1366
- const bootstrapDeviceTokens = [];
1367
- if (deviceToken) bootstrapDeviceTokens.push({
1368
- deviceToken: deviceToken.token,
1369
- role: deviceToken.role,
1370
- scopes: deviceToken.scopes,
1371
- issuedAtMs: deviceToken.rotatedAtMs ?? deviceToken.createdAtMs
1372
- });
1373
- const approvedHandoffBootstrapProfile = handoffBootstrapProfile;
1374
- if (device && approvedHandoffBootstrapProfile) for (const bootstrapRole of approvedHandoffBootstrapProfile.roles) {
1375
- if (bootstrapDeviceTokens.some((entry) => entry.role === bootstrapRole)) continue;
1376
- const bootstrapRoleScopes = bootstrapRole === "operator" ? resolveBootstrapProfileScopesForRole(bootstrapRole, approvedHandoffBootstrapProfile.scopes) : [];
1377
- const extraToken = await ensureDeviceToken({
1378
- deviceId: device.id,
1379
- role: bootstrapRole,
1380
- scopes: bootstrapRoleScopes
1381
- });
1382
- if (!extraToken) continue;
1383
- bootstrapDeviceTokens.push({
1384
- deviceToken: extraToken.token,
1385
- role: extraToken.role,
1386
- scopes: extraToken.scopes,
1387
- issuedAtMs: extraToken.rotatedAtMs ?? extraToken.createdAtMs
1388
- });
1389
- }
1390
- if (role === "node") {
1391
- const reconciliation = await reconcileNodePairingOnConnect({
1392
- cfg: getRuntimeConfig(),
1393
- connectParams,
1394
- pairedNode: await getPairedNode(connectParams.device?.id ?? connectParams.client.id),
1395
- reportedClientIp,
1396
- requestPairing: async (input) => await requestNodePairing(input)
1397
- });
1398
- if (reconciliation.pendingPairing?.created) {
1399
- const requestContext = buildRequestContext();
1400
- const resolvedAt = Date.now();
1401
- for (const superseded of reconciliation.pendingPairing.superseded ?? []) requestContext.broadcast("node.pair.resolved", {
1402
- requestId: superseded.requestId,
1403
- nodeId: superseded.nodeId,
1404
- decision: "rejected",
1405
- ts: resolvedAt
1406
- }, { dropIfSlow: true });
1407
- requestContext.broadcast("node.pair.requested", reconciliation.pendingPairing.request, { dropIfSlow: true });
1408
- }
1409
- const nodeConnectParams = connectParams;
1410
- nodeConnectParams.declaredCaps = reconciliation.declaredCaps;
1411
- nodeConnectParams.declaredCommands = reconciliation.declaredCommands;
1412
- nodeConnectParams.declaredPermissions = reconciliation.declaredPermissions;
1413
- connectParams.caps = reconciliation.effectiveCaps;
1414
- connectParams.commands = reconciliation.effectiveCommands;
1415
- connectParams.permissions = reconciliation.effectivePermissions;
1416
- }
1417
- const shouldTrackPresence = !isGatewayCliClient(connectParams.client);
1418
- const clientId = connectParams.client.id;
1419
- const instanceId = connectParams.client.instanceId;
1420
- const presenceKey = shouldTrackPresence ? device?.id ?? instanceId ?? connId : void 0;
1421
- if (isClosed()) {
1422
- setCloseCause("connect-aborted-before-register", {
1423
- ...clientMeta,
1424
- auth: authMethod
1425
- });
1426
- return;
1427
- }
1428
- const pluginSurfaceUrls = {};
1429
- const pluginNodeCapabilitySurfaces = indexPluginNodeCapabilitySurfaces(pluginNodeCapabilities);
1430
- const pendingPluginNodeCapabilities = [];
1431
- if (pluginSurfaceBaseUrl) for (const pluginCapabilitySurface of Object.values(pluginNodeCapabilitySurfaces)) {
1432
- const capability = mintPluginNodeCapabilityToken();
1433
- const expiresAtMs = Date.now() + resolvePluginNodeCapabilityTtlMs(pluginCapabilitySurface);
1434
- const scopedUrl = buildPluginNodeCapabilityScopedHostUrl(pluginSurfaceBaseUrl, capability) ?? pluginSurfaceBaseUrl;
1435
- pluginSurfaceUrls[pluginCapabilitySurface.surface] = scopedUrl;
1436
- pendingPluginNodeCapabilities.push({
1437
- surface: pluginCapabilitySurface,
1438
- capability,
1439
- expiresAtMs
1440
- });
1441
- }
1442
- const usesSharedGatewayAuth = authMethod === "token" || authMethod === "password" || authMethod === "trusted-proxy";
1443
- const sharedGatewaySessionGeneration = usesSharedGatewayAuth ? resolveSharedGatewaySessionGeneration(resolvedAuth, trustedProxies) : void 0;
1444
- const isTrustedApprovalRuntime = scopes.includes("operator.approvals") && connectParams.client.id === GATEWAY_CLIENT_IDS.GATEWAY_CLIENT && connectParams.client.mode === GATEWAY_CLIENT_MODES.BACKEND && isOperatorApprovalRuntimeToken(connectParams.auth?.approvalRuntimeToken);
1445
- clearHandshakeTimer();
1446
- const nextClient = {
1447
- socket,
1448
- connect: connectParams,
1449
- connId,
1450
- isDeviceTokenAuth: authMethod === "device-token",
1451
- usesSharedGatewayAuth,
1452
- sharedGatewaySessionGeneration,
1453
- presenceKey,
1454
- clientIp: reportedClientIp,
1455
- ...isTrustedApprovalRuntime ? { internal: { approvalRuntime: true } } : {},
1456
- ...Object.keys(pluginSurfaceUrls).length > 0 ? { pluginSurfaceUrls } : {},
1457
- ...Object.keys(pluginNodeCapabilitySurfaces).length > 0 ? { pluginNodeCapabilitySurfaces } : {}
1458
- };
1459
- for (const entry of pendingPluginNodeCapabilities) setClientPluginNodeCapability({
1460
- client: nextClient,
1461
- surface: entry.surface,
1462
- capability: entry.capability,
1463
- expiresAtMs: entry.expiresAtMs
1464
- });
1465
- setSocketMaxPayload(socket, MAX_PAYLOAD_BYTES);
1466
- if (!setClient(nextClient)) {
1467
- setCloseCause("connect-aborted-before-register", {
1468
- ...clientMeta,
1469
- auth: authMethod
1470
- });
1471
- return;
1472
- }
1473
- setHandshakeState("connected");
1474
- logWs("in", "connect", {
1475
- connId,
1476
- client: connectParams.client.id,
1477
- clientDisplayName: connectParams.client.displayName,
1478
- version: connectParams.client.version,
1479
- mode: connectParams.client.mode,
1480
- clientId,
1481
- platform: connectParams.client.platform,
1482
- auth: authMethod
1483
- });
1484
- if (isWebchatConnect(connectParams)) logWsControl.info(`webchat connected conn=${connId} remote=${remoteAddr ?? "?"} client=${clientLabel} ${connectParams.client.mode} v${connectParams.client.version}`);
1485
- if (presenceKey) {
1486
- upsertPresence(presenceKey, {
1487
- host: connectParams.client.displayName ?? connectParams.client.id ?? os.hostname(),
1488
- ip: isLocalClient ? void 0 : reportedClientIp,
1489
- version: connectParams.client.version,
1490
- platform: connectParams.client.platform,
1491
- deviceFamily: connectParams.client.deviceFamily,
1492
- modelIdentifier: connectParams.client.modelIdentifier,
1493
- mode: connectParams.client.mode,
1494
- deviceId: device?.id,
1495
- roles: [role],
1496
- scopes,
1497
- instanceId: device?.id ?? instanceId,
1498
- reason: "connect"
1499
- });
1500
- incrementPresenceVersion();
1501
- }
1502
- if (role === "node") {
1503
- const context = buildRequestContext();
1504
- const nodeSession = context.nodeRegistry.register(nextClient, { remoteIp: reportedClientIp });
1505
- const instanceIdRaw = connectParams.client.instanceId;
1506
- const instanceId = typeof instanceIdRaw === "string" ? instanceIdRaw.trim() : "";
1507
- const nodeIdsForPairing = new Set([nodeSession.nodeId]);
1508
- if (instanceId) nodeIdsForPairing.add(instanceId);
1509
- for (const nodeId of nodeIdsForPairing) updatePairedNodeMetadata(nodeId, { lastConnectedAtMs: nodeSession.connectedAtMs }).catch((err) => logGateway.warn(`failed to record last connect for ${nodeId}: ${formatForLog(err)}`));
1510
- recordRemoteNodeInfo({
1511
- nodeId: nodeSession.nodeId,
1512
- displayName: nodeSession.displayName,
1513
- platform: nodeSession.platform,
1514
- deviceFamily: nodeSession.deviceFamily,
1515
- commands: nodeSession.commands,
1516
- remoteIp: nodeSession.remoteIp
1517
- });
1518
- refreshRemoteNodeBins({
1519
- nodeId: nodeSession.nodeId,
1520
- platform: nodeSession.platform,
1521
- deviceFamily: nodeSession.deviceFamily,
1522
- commands: nodeSession.commands,
1523
- cfg: getRuntimeConfig()
1524
- }).catch((err) => logGateway.warn(`remote bin probe failed for ${nodeSession.nodeId}: ${formatForLog(err)}`));
1525
- loadVoiceWakeConfig().then((cfg) => {
1526
- context.nodeRegistry.sendEvent(nodeSession.nodeId, "voicewake.changed", { triggers: cfg.triggers });
1527
- }).catch((err) => logGateway.warn(`voicewake snapshot failed for ${nodeSession.nodeId}: ${formatForLog(err)}`));
1528
- loadVoiceWakeRoutingConfig().then((routing) => {
1529
- context.nodeRegistry.sendEvent(nodeSession.nodeId, "voicewake.routing.changed", { config: routing });
1530
- }).catch((err) => logGateway.warn(`voicewake routing snapshot failed for ${nodeSession.nodeId}: ${formatForLog(err)}`));
1531
- }
1532
- const snapshot = buildGatewaySnapshot({ includeSensitive: scopes.includes(ADMIN_SCOPE) });
1533
- const cachedHealth = getHealthCache();
1534
- if (cachedHealth) {
1535
- snapshot.health = cachedHealth;
1536
- snapshot.stateVersion.health = getHealthVersion();
1537
- }
1538
- const helloOkAuthScopes = deviceToken ? deviceToken.scopes : scopes;
1539
- const helloOk = {
1540
- type: "hello-ok",
1541
- protocol: 4,
1542
- server: {
1543
- version: resolveRuntimeServiceVersion(process.env),
1544
- connId
1545
- },
1546
- features: {
1547
- methods: gatewayMethods,
1548
- events
1549
- },
1550
- snapshot,
1551
- ...Object.keys(pluginSurfaceUrls).length > 0 ? { pluginSurfaceUrls } : {},
1552
- auth: {
1553
- role,
1554
- scopes: helloOkAuthScopes,
1555
- ...deviceToken ? {
1556
- deviceToken: deviceToken.token,
1557
- issuedAtMs: deviceToken.rotatedAtMs ?? deviceToken.createdAtMs,
1558
- ...bootstrapDeviceTokens.length > 1 ? { deviceTokens: bootstrapDeviceTokens.slice(1) } : {}
1559
- } : {}
1560
- },
1561
- policy: {
1562
- maxPayload: MAX_PAYLOAD_BYTES,
1563
- maxBufferedBytes: MAX_BUFFERED_BYTES,
1564
- tickIntervalMs: TICK_INTERVAL_MS
1565
- }
1566
- };
1567
- let revokedBootstrapTokenRecord;
1568
- if (authMethod === "bootstrap-token" && bootstrapTokenCandidate && device) try {
1569
- if (handoffBootstrapProfile || issuedBootstrapProfile) {
1570
- const redemption = await redeemDeviceBootstrapTokenProfile({
1571
- token: bootstrapTokenCandidate,
1572
- role,
1573
- scopes
1574
- });
1575
- if (handoffBootstrapProfile || redemption.fullyRedeemed) {
1576
- const revoked = await revokeDeviceBootstrapToken({ token: bootstrapTokenCandidate });
1577
- if (!revoked.removed) logGateway.warn(`bootstrap token revoke skipped after profile redemption device=${device.id}`);
1578
- else revokedBootstrapTokenRecord = revoked.record;
1579
- }
1580
- }
1581
- } catch (err) {
1582
- logGateway.warn(`bootstrap token post-connect bookkeeping failed device=${device.id}: ${formatForLog(err)}`);
1583
- }
1584
- try {
1585
- await sendFrame({
1586
- type: "res",
1587
- id: frame.id,
1588
- ok: true,
1589
- payload: helloOk
1590
- });
1591
- } catch (err) {
1592
- if (revokedBootstrapTokenRecord) try {
1593
- await restoreDeviceBootstrapToken({ record: revokedBootstrapTokenRecord });
1594
- } catch (restoreErr) {
1595
- logGateway.warn(`bootstrap token restore after hello-send failure failed device=${device?.id ?? "unknown"}: ${formatForLog(restoreErr)}`);
1596
- }
1597
- setCloseCause("hello-send-failed", { error: formatForLog(err) });
1598
- close();
1599
- return;
1600
- }
1601
- logWs("out", "hello-ok", {
1602
- connId,
1603
- methods: gatewayMethods.length,
1604
- events: events.length,
1605
- presence: snapshot.presence.length,
1606
- stateVersion: snapshot.stateVersion.presence
1607
- });
1608
- refreshHealthSnapshot({ probe: true }).catch((err) => logHealth.error(`post-connect health refresh failed: ${formatError(err)}`));
1609
- return;
1610
- }
1611
- if (!validateRequestFrame(parsed)) {
1612
- send({
1613
- type: "res",
1614
- id: parsed?.id ?? "invalid",
1615
- ok: false,
1616
- error: errorShape(ErrorCodes.INVALID_REQUEST, `invalid request frame: ${formatValidationErrors(validateRequestFrame.errors)}`)
1617
- });
1618
- return;
1619
- }
1620
- const req = parsed;
1621
- logWs("in", "req", {
1622
- connId,
1623
- id: req.id,
1624
- method: req.method
1625
- });
1626
- if (client.usesSharedGatewayAuth) {
1627
- const requiredSharedGatewaySessionGeneration = getRequiredSharedGatewaySessionGeneration?.();
1628
- if (requiredSharedGatewaySessionGeneration !== void 0 && client.sharedGatewaySessionGeneration !== requiredSharedGatewaySessionGeneration) {
1629
- setCloseCause("gateway-auth-rotated", {
1630
- authGenerationStale: true,
1631
- method: req.method
1632
- });
1633
- close(4001, "gateway auth changed");
1634
- return;
1635
- }
1636
- }
1637
- const respond = (ok, payload, error, meta) => {
1638
- send({
1639
- type: "res",
1640
- id: req.id,
1641
- ok,
1642
- payload,
1643
- error
1644
- });
1645
- const unauthorizedRoleError = isUnauthorizedRoleError(error);
1646
- let logMeta = meta;
1647
- if (unauthorizedRoleError) {
1648
- const unauthorizedDecision = unauthorizedFloodGuard.registerUnauthorized();
1649
- if (unauthorizedDecision.suppressedSinceLastLog > 0) logMeta = {
1650
- ...logMeta,
1651
- suppressedUnauthorizedResponses: unauthorizedDecision.suppressedSinceLastLog
1652
- };
1653
- if (!unauthorizedDecision.shouldLog) return;
1654
- if (unauthorizedDecision.shouldClose) {
1655
- setCloseCause("repeated-unauthorized-requests", {
1656
- unauthorizedCount: unauthorizedDecision.count,
1657
- method: req.method
1658
- });
1659
- queueMicrotask(() => close(1008, "repeated unauthorized calls"));
1660
- }
1661
- logMeta = {
1662
- ...logMeta,
1663
- unauthorizedCount: unauthorizedDecision.count
1664
- };
1665
- } else unauthorizedFloodGuard.reset();
1666
- logWs("out", "res", {
1667
- connId,
1668
- id: req.id,
1669
- ok,
1670
- method: req.method,
1671
- errorCode: error?.code,
1672
- errorMessage: error?.message,
1673
- ...logMeta
1674
- });
1675
- };
1676
- (async () => {
1677
- const { handleGatewayRequest } = await import("./server-methods-CVgaE49L.js");
1678
- await handleGatewayRequest({
1679
- req,
1680
- respond,
1681
- client,
1682
- isWebchatConnect,
1683
- extraHandlers,
1684
- methodRegistry: getMethodRegistry?.(),
1685
- context: buildRequestContext()
1686
- });
1687
- })().catch((err) => {
1688
- logGateway.error(`request handler failed: ${formatForLog(err)}`);
1689
- respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, formatForLog(err)));
1690
- });
1691
- } catch (err) {
1692
- logGateway.error(`parse/handle error: ${String(err)}`);
1693
- logWs("out", "parse-error", {
1694
- connId,
1695
- error: formatForLog(err)
1696
- });
1697
- if (!getClient()) close();
1698
- }
1699
- };
1700
- socket.on("message", (data) => {
1701
- runWithDiagnosticTraceContext(createDiagnosticTraceContext(), () => handleMessage(data));
1702
- });
1703
- }
1704
- function getRawDataByteLength(data) {
1705
- if (Buffer.isBuffer(data)) return data.byteLength;
1706
- if (Array.isArray(data)) return data.reduce((total, chunk) => total + chunk.byteLength, 0);
1707
- if (data instanceof ArrayBuffer) return data.byteLength;
1708
- return Buffer.byteLength(String(data));
1709
- }
1710
- function setSocketMaxPayload(socket, maxPayload) {
1711
- const receiver = socket["_receiver"];
1712
- if (receiver) receiver["_maxPayload"] = maxPayload;
1713
- }
1714
- //#endregion
1715
- export { attachGatewayWsMessageHandler };