npm - @google/gemini-cli-a2a-server - Versions diffs - 0.36.0-preview.3 → 0.36.0-preview.4 - Mend

@google/gemini-cli-a2a-server 0.36.0-preview.3 → 0.36.0-preview.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/a2a-server.mjs CHANGED Viewed

@@ -33152,14 +33152,14 @@ var require_etag = __commonJS({
   "node_modules/etag/index.js"(exports2, module2) {
     "use strict";
     module2.exports = etag;
-    var crypto24 = __require("crypto");
+    var crypto25 = __require("crypto");
     var Stats = __require("fs").Stats;
     var toString3 = Object.prototype.toString;
     function entitytag(entity) {
       if (entity.length === 0) {
         return '"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"';
       }
-      var hash = crypto24.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
+      var hash = crypto25.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
       var len = typeof entity === "string" ? Buffer.byteLength(entity, "utf8") : entity.length;
       return '"' + len.toString(16) + "-" + hash + '"';
     }
@@ -36582,17 +36582,17 @@ var require_content_disposition = __commonJS({
 // node_modules/cookie-signature/index.js
 var require_cookie_signature = __commonJS({
   "node_modules/cookie-signature/index.js"(exports2) {
-    var crypto24 = __require("crypto");
+    var crypto25 = __require("crypto");
     exports2.sign = function(val, secret) {
       if ("string" != typeof val) throw new TypeError("Cookie value must be provided as a string.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
-      return val + "." + crypto24.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
+      return val + "." + crypto25.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
     };
     exports2.unsign = function(input, secret) {
       if ("string" != typeof input) throw new TypeError("Signed cookie string must be provided.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
       var tentativeValue = input.slice(0, input.lastIndexOf(".")), expectedInput = exports2.sign(tentativeValue, secret), expectedBuffer = Buffer.from(expectedInput), inputBuffer = Buffer.from(input);
-      return expectedBuffer.length === inputBuffer.length && crypto24.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
+      return expectedBuffer.length === inputBuffer.length && crypto25.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
     };
   }
 });
@@ -45558,22 +45558,22 @@ var require_crypto2 = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.NodeCrypto = void 0;
-    var crypto24 = __require("crypto");
+    var crypto25 = __require("crypto");
     var NodeCrypto = class {
       async sha256DigestBase64(str2) {
-        return crypto24.createHash("sha256").update(str2).digest("base64");
+        return crypto25.createHash("sha256").update(str2).digest("base64");
       }
       randomBytesBase64(count2) {
-        return crypto24.randomBytes(count2).toString("base64");
+        return crypto25.randomBytes(count2).toString("base64");
       }
       async verify(pubkey, data, signature) {
-        const verifier = crypto24.createVerify("RSA-SHA256");
+        const verifier = crypto25.createVerify("RSA-SHA256");
         verifier.update(data);
         verifier.end();
         return verifier.verify(pubkey, signature, "base64");
       }
       async sign(privateKey, data) {
-        const signer = crypto24.createSign("RSA-SHA256");
+        const signer = crypto25.createSign("RSA-SHA256");
         signer.update(data);
         signer.end();
         return signer.sign(privateKey, "base64");
@@ -45591,7 +45591,7 @@ var require_crypto2 = __commonJS({
        *   string in hexadecimal encoding.
        */
       async sha256DigestHex(str2) {
-        return crypto24.createHash("sha256").update(str2).digest("hex");
+        return crypto25.createHash("sha256").update(str2).digest("hex");
       }
       /**
        * Computes the HMAC hash of a message using the provided crypto key and the
@@ -45603,7 +45603,7 @@ var require_crypto2 = __commonJS({
        */
       async signWithHmacSha256(key, msg) {
         const cryptoKey = typeof key === "string" ? key : toBuffer(key);
-        return toArrayBuffer(crypto24.createHmac("sha256", cryptoKey).update(msg).digest());
+        return toArrayBuffer(crypto25.createHmac("sha256", cryptoKey).update(msg).digest());
       }
     };
     exports2.NodeCrypto = NodeCrypto;
@@ -46323,10 +46323,10 @@ var require_oauth2client = __commonJS({
        * https://github.com/googleapis/google-auth-library-nodejs/blob/main/samples/oauth2-codeVerifier.js
        */
       async generateCodeVerifierAsync() {
-        const crypto24 = (0, crypto_1.createCrypto)();
-        const randomString2 = crypto24.randomBytesBase64(96);
+        const crypto25 = (0, crypto_1.createCrypto)();
+        const randomString2 = crypto25.randomBytesBase64(96);
         const codeVerifier = randomString2.replace(/\+/g, "~").replace(/=/g, "_").replace(/\//g, "-");
-        const unencodedCodeChallenge = await crypto24.sha256DigestBase64(codeVerifier);
+        const unencodedCodeChallenge = await crypto25.sha256DigestBase64(codeVerifier);
         const codeChallenge = unencodedCodeChallenge.split("=")[0].replace(/\+/g, "-").replace(/\//g, "_");
         return { codeVerifier, codeChallenge };
       }
@@ -46770,7 +46770,7 @@ var require_oauth2client = __commonJS({
        * @return Returns a promise resolving to LoginTicket on verification.
        */
       async verifySignedJwtWithCertsAsync(jwt, certs, requiredAudience, issuers, maxExpiry) {
-        const crypto24 = (0, crypto_1.createCrypto)();
+        const crypto25 = (0, crypto_1.createCrypto)();
         if (!maxExpiry) {
           maxExpiry = _OAuth2Client.DEFAULT_MAX_TOKEN_LIFETIME_SECS_;
         }
@@ -46783,7 +46783,7 @@ var require_oauth2client = __commonJS({
         let envelope;
         let payload;
         try {
-          envelope = JSON.parse(crypto24.decodeBase64StringUtf8(segments[0]));
+          envelope = JSON.parse(crypto25.decodeBase64StringUtf8(segments[0]));
         } catch (err2) {
           if (err2 instanceof Error) {
             err2.message = `Can't parse token envelope: ${segments[0]}': ${err2.message}`;
@@ -46794,7 +46794,7 @@ var require_oauth2client = __commonJS({
           throw new Error("Can't parse token envelope: " + segments[0]);
         }
         try {
-          payload = JSON.parse(crypto24.decodeBase64StringUtf8(segments[1]));
+          payload = JSON.parse(crypto25.decodeBase64StringUtf8(segments[1]));
         } catch (err2) {
           if (err2 instanceof Error) {
             err2.message = `Can't parse token payload '${segments[0]}`;
@@ -46811,7 +46811,7 @@ var require_oauth2client = __commonJS({
         if (envelope.alg === "ES256") {
           signature = formatEcdsa.joseToDer(signature, "ES256").toString("base64");
         }
-        const verified = await crypto24.verify(cert, signed, signature);
+        const verified = await crypto25.verify(cert, signed, signature);
         if (!verified) {
           throw new Error("Invalid token signature: " + jwt);
         }
@@ -47179,14 +47179,14 @@ var require_buffer_equal_constant_time = __commonJS({
 var require_jwa = __commonJS({
   "node_modules/jwa/index.js"(exports2, module2) {
     var Buffer10 = require_safe_buffer().Buffer;
-    var crypto24 = __require("crypto");
+    var crypto25 = __require("crypto");
     var formatEcdsa = require_ecdsa_sig_formatter();
     var util5 = __require("util");
     var MSG_INVALID_ALGORITHM = '"%s" is not a valid algorithm.\n  Supported algorithms are:\n  "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".';
     var MSG_INVALID_SECRET = "secret must be a string or buffer";
     var MSG_INVALID_VERIFIER_KEY = "key must be a string or a buffer";
     var MSG_INVALID_SIGNER_KEY = "key must be a string, a buffer or an object";
-    var supportsKeyObjects = typeof crypto24.createPublicKey === "function";
+    var supportsKeyObjects = typeof crypto25.createPublicKey === "function";
     if (supportsKeyObjects) {
       MSG_INVALID_VERIFIER_KEY += " or a KeyObject";
       MSG_INVALID_SECRET += "or a KeyObject";
@@ -47276,17 +47276,17 @@ var require_jwa = __commonJS({
       return function sign(thing, secret) {
         checkIsSecretKey(secret);
         thing = normalizeInput(thing);
-        var hmac = crypto24.createHmac("sha" + bits, secret);
+        var hmac = crypto25.createHmac("sha" + bits, secret);
         var sig = (hmac.update(thing), hmac.digest("base64"));
         return fromBase64(sig);
       };
     }
     var bufferEqual;
-    var timingSafeEqual = "timingSafeEqual" in crypto24 ? function timingSafeEqual2(a2, b2) {
+    var timingSafeEqual = "timingSafeEqual" in crypto25 ? function timingSafeEqual2(a2, b2) {
       if (a2.byteLength !== b2.byteLength) {
         return false;
       }
-      return crypto24.timingSafeEqual(a2, b2);
+      return crypto25.timingSafeEqual(a2, b2);
     } : function timingSafeEqual2(a2, b2) {
       if (!bufferEqual) {
         bufferEqual = require_buffer_equal_constant_time();
@@ -47303,7 +47303,7 @@ var require_jwa = __commonJS({
       return function sign(thing, privateKey) {
         checkIsPrivateKey(privateKey);
         thing = normalizeInput(thing);
-        var signer = crypto24.createSign("RSA-SHA" + bits);
+        var signer = crypto25.createSign("RSA-SHA" + bits);
         var sig = (signer.update(thing), signer.sign(privateKey, "base64"));
         return fromBase64(sig);
       };
@@ -47313,7 +47313,7 @@ var require_jwa = __commonJS({
         checkIsPublicKey(publicKey);
         thing = normalizeInput(thing);
         signature = toBase64(signature);
-        var verifier = crypto24.createVerify("RSA-SHA" + bits);
+        var verifier = crypto25.createVerify("RSA-SHA" + bits);
         verifier.update(thing);
         return verifier.verify(publicKey, signature, "base64");
       };
@@ -47322,11 +47322,11 @@ var require_jwa = __commonJS({
       return function sign(thing, privateKey) {
         checkIsPrivateKey(privateKey);
         thing = normalizeInput(thing);
-        var signer = crypto24.createSign("RSA-SHA" + bits);
+        var signer = crypto25.createSign("RSA-SHA" + bits);
         var sig = (signer.update(thing), signer.sign({
           key: privateKey,
-          padding: crypto24.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: crypto24.constants.RSA_PSS_SALTLEN_DIGEST
+          padding: crypto25.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: crypto25.constants.RSA_PSS_SALTLEN_DIGEST
         }, "base64"));
         return fromBase64(sig);
       };
@@ -47336,12 +47336,12 @@ var require_jwa = __commonJS({
         checkIsPublicKey(publicKey);
         thing = normalizeInput(thing);
         signature = toBase64(signature);
-        var verifier = crypto24.createVerify("RSA-SHA" + bits);
+        var verifier = crypto25.createVerify("RSA-SHA" + bits);
         verifier.update(thing);
         return verifier.verify({
           key: publicKey,
-          padding: crypto24.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: crypto24.constants.RSA_PSS_SALTLEN_DIGEST
+          padding: crypto25.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: crypto25.constants.RSA_PSS_SALTLEN_DIGEST
         }, signature, "base64");
       };
     }
@@ -49499,14 +49499,14 @@ var require_awsrequestsigner = __commonJS({
       }
     };
     exports2.AwsRequestSigner = AwsRequestSigner;
-    async function sign(crypto24, key, msg) {
-      return await crypto24.signWithHmacSha256(key, msg);
-    }
-    async function getSigningKey(crypto24, key, dateStamp, region, serviceName) {
-      const kDate = await sign(crypto24, `AWS4${key}`, dateStamp);
-      const kRegion = await sign(crypto24, kDate, region);
-      const kService = await sign(crypto24, kRegion, serviceName);
-      const kSigning = await sign(crypto24, kService, "aws4_request");
+    async function sign(crypto25, key, msg) {
+      return await crypto25.signWithHmacSha256(key, msg);
+    }
+    async function getSigningKey(crypto25, key, dateStamp, region, serviceName) {
+      const kDate = await sign(crypto25, `AWS4${key}`, dateStamp);
+      const kRegion = await sign(crypto25, kDate, region);
+      const kService = await sign(crypto25, kRegion, serviceName);
+      const kSigning = await sign(crypto25, kService, "aws4_request");
       return kSigning;
     }
     async function generateAuthenticationHeaderMap(options) {
@@ -51091,24 +51091,24 @@ var require_googleauth = __commonJS({
           const signed = await client.sign(data);
           return signed.signedBlob;
         }
-        const crypto24 = (0, crypto_1.createCrypto)();
+        const crypto25 = (0, crypto_1.createCrypto)();
         if (client instanceof jwtclient_1.JWT && client.key) {
-          const sign = await crypto24.sign(client.key, data);
+          const sign = await crypto25.sign(client.key, data);
           return sign;
         }
         const creds = await this.getCredentials();
         if (!creds.client_email) {
           throw new Error("Cannot sign data without `client_email`.");
         }
-        return this.signBlob(crypto24, creds.client_email, data, endpoint);
+        return this.signBlob(crypto25, creds.client_email, data, endpoint);
       }
-      async signBlob(crypto24, emailOrUniqueId, data, endpoint) {
+      async signBlob(crypto25, emailOrUniqueId, data, endpoint) {
         const url5 = new URL(endpoint + `${emailOrUniqueId}:signBlob`);
         const res = await this.request({
           method: "POST",
           url: url5.href,
           data: {
-            payload: crypto24.encodeBase64StringUtf8(data)
+            payload: crypto25.encodeBase64StringUtf8(data)
           },
           retry: true,
           retryConfig: {
@@ -90139,22 +90139,22 @@ var require_crypto5 = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.NodeCrypto = void 0;
-    var crypto24 = __require("crypto");
+    var crypto25 = __require("crypto");
     var NodeCrypto = class {
       async sha256DigestBase64(str2) {
-        return crypto24.createHash("sha256").update(str2).digest("base64");
+        return crypto25.createHash("sha256").update(str2).digest("base64");
       }
       randomBytesBase64(count2) {
-        return crypto24.randomBytes(count2).toString("base64");
+        return crypto25.randomBytes(count2).toString("base64");
       }
       async verify(pubkey, data, signature) {
-        const verifier = crypto24.createVerify("RSA-SHA256");
+        const verifier = crypto25.createVerify("RSA-SHA256");
         verifier.update(data);
         verifier.end();
         return verifier.verify(pubkey, signature, "base64");
       }
       async sign(privateKey, data) {
-        const signer = crypto24.createSign("RSA-SHA256");
+        const signer = crypto25.createSign("RSA-SHA256");
         signer.update(data);
         signer.end();
         return signer.sign(privateKey, "base64");
@@ -90172,7 +90172,7 @@ var require_crypto5 = __commonJS({
        *   string in hexadecimal encoding.
        */
       async sha256DigestHex(str2) {
-        return crypto24.createHash("sha256").update(str2).digest("hex");
+        return crypto25.createHash("sha256").update(str2).digest("hex");
       }
       /**
        * Computes the HMAC hash of a message using the provided crypto key and the
@@ -90184,7 +90184,7 @@ var require_crypto5 = __commonJS({
        */
       async signWithHmacSha256(key, msg) {
         const cryptoKey = typeof key === "string" ? key : toBuffer(key);
-        return toArrayBuffer(crypto24.createHmac("sha256", cryptoKey).update(msg).digest());
+        return toArrayBuffer(crypto25.createHmac("sha256", cryptoKey).update(msg).digest());
       }
     };
     exports2.NodeCrypto = NodeCrypto;
@@ -90868,10 +90868,10 @@ var require_oauth2client2 = __commonJS({
        * https://github.com/googleapis/google-auth-library-nodejs/blob/main/samples/oauth2-codeVerifier.js
        */
       async generateCodeVerifierAsync() {
-        const crypto24 = (0, crypto_1.createCrypto)();
-        const randomString2 = crypto24.randomBytesBase64(96);
+        const crypto25 = (0, crypto_1.createCrypto)();
+        const randomString2 = crypto25.randomBytesBase64(96);
         const codeVerifier = randomString2.replace(/\+/g, "~").replace(/=/g, "_").replace(/\//g, "-");
-        const unencodedCodeChallenge = await crypto24.sha256DigestBase64(codeVerifier);
+        const unencodedCodeChallenge = await crypto25.sha256DigestBase64(codeVerifier);
         const codeChallenge = unencodedCodeChallenge.split("=")[0].replace(/\+/g, "-").replace(/\//g, "_");
         return { codeVerifier, codeChallenge };
       }
@@ -91312,7 +91312,7 @@ var require_oauth2client2 = __commonJS({
        * @return Returns a promise resolving to LoginTicket on verification.
        */
       async verifySignedJwtWithCertsAsync(jwt, certs, requiredAudience, issuers, maxExpiry) {
-        const crypto24 = (0, crypto_1.createCrypto)();
+        const crypto25 = (0, crypto_1.createCrypto)();
         if (!maxExpiry) {
           maxExpiry = _OAuth2Client.DEFAULT_MAX_TOKEN_LIFETIME_SECS_;
         }
@@ -91325,7 +91325,7 @@ var require_oauth2client2 = __commonJS({
         let envelope;
         let payload;
         try {
-          envelope = JSON.parse(crypto24.decodeBase64StringUtf8(segments[0]));
+          envelope = JSON.parse(crypto25.decodeBase64StringUtf8(segments[0]));
         } catch (err2) {
           if (err2 instanceof Error) {
             err2.message = `Can't parse token envelope: ${segments[0]}': ${err2.message}`;
@@ -91336,7 +91336,7 @@ var require_oauth2client2 = __commonJS({
           throw new Error("Can't parse token envelope: " + segments[0]);
         }
         try {
-          payload = JSON.parse(crypto24.decodeBase64StringUtf8(segments[1]));
+          payload = JSON.parse(crypto25.decodeBase64StringUtf8(segments[1]));
         } catch (err2) {
           if (err2 instanceof Error) {
             err2.message = `Can't parse token payload '${segments[0]}`;
@@ -91353,7 +91353,7 @@ var require_oauth2client2 = __commonJS({
         if (envelope.alg === "ES256") {
           signature = formatEcdsa.joseToDer(signature, "ES256").toString("base64");
         }
-        const verified = await crypto24.verify(cert, signed, signature);
+        const verified = await crypto25.verify(cert, signed, signature);
         if (!verified) {
           throw new Error("Invalid token signature: " + jwt);
         }
@@ -94145,14 +94145,14 @@ var require_awsrequestsigner2 = __commonJS({
       }
     };
     exports2.AwsRequestSigner = AwsRequestSigner;
-    async function sign(crypto24, key, msg) {
-      return await crypto24.signWithHmacSha256(key, msg);
-    }
-    async function getSigningKey(crypto24, key, dateStamp, region, serviceName) {
-      const kDate = await sign(crypto24, `AWS4${key}`, dateStamp);
-      const kRegion = await sign(crypto24, kDate, region);
-      const kService = await sign(crypto24, kRegion, serviceName);
-      const kSigning = await sign(crypto24, kService, "aws4_request");
+    async function sign(crypto25, key, msg) {
+      return await crypto25.signWithHmacSha256(key, msg);
+    }
+    async function getSigningKey(crypto25, key, dateStamp, region, serviceName) {
+      const kDate = await sign(crypto25, `AWS4${key}`, dateStamp);
+      const kRegion = await sign(crypto25, kDate, region);
+      const kService = await sign(crypto25, kRegion, serviceName);
+      const kSigning = await sign(crypto25, kService, "aws4_request");
       return kSigning;
     }
     async function generateAuthenticationHeaderMap(options) {
@@ -95866,24 +95866,24 @@ var require_googleauth2 = __commonJS({
           const signed = await client.sign(data);
           return signed.signedBlob;
         }
-        const crypto24 = (0, crypto_1.createCrypto)();
+        const crypto25 = (0, crypto_1.createCrypto)();
         if (client instanceof jwtclient_1.JWT && client.key) {
-          const sign = await crypto24.sign(client.key, data);
+          const sign = await crypto25.sign(client.key, data);
           return sign;
         }
         const creds = await this.getCredentials();
         if (!creds.client_email) {
           throw new Error("Cannot sign data without `client_email`.");
         }
-        return this.signBlob(crypto24, creds.client_email, data, endpoint);
+        return this.signBlob(crypto25, creds.client_email, data, endpoint);
       }
-      async signBlob(crypto24, emailOrUniqueId, data, endpoint) {
+      async signBlob(crypto25, emailOrUniqueId, data, endpoint) {
         const url5 = new URL(endpoint + `${emailOrUniqueId}:signBlob`);
         const res = await this.request({
           method: "POST",
           url: url5.href,
           data: {
-            payload: crypto24.encodeBase64StringUtf8(data)
+            payload: crypto25.encodeBase64StringUtf8(data)
           },
           retry: true,
           retryConfig: {
@@ -98477,7 +98477,7 @@ var require_websocket = __commonJS({
     var http7 = __require("http");
     var net3 = __require("net");
     var tls = __require("tls");
-    var { randomBytes: randomBytes5, createHash: createHash15 } = __require("crypto");
+    var { randomBytes: randomBytes5, createHash: createHash16 } = __require("crypto");
     var { Duplex: Duplex5, Readable: Readable10 } = __require("stream");
     var { URL: URL10 } = __require("url");
     var PerMessageDeflate = require_permessage_deflate();
@@ -99134,7 +99134,7 @@ var require_websocket = __commonJS({
           abortHandshake(websocket, socket, "Invalid Upgrade header");
           return;
         }
-        const digest = createHash15("sha1").update(key + GUID).digest("base64");
+        const digest = createHash16("sha1").update(key + GUID).digest("base64");
         if (res.headers["sec-websocket-accept"] !== digest) {
           abortHandshake(websocket, socket, "Invalid Sec-WebSocket-Accept header");
           return;
@@ -99501,7 +99501,7 @@ var require_websocket_server = __commonJS({
     var EventEmitter12 = __require("events");
     var http7 = __require("http");
     var { Duplex: Duplex5 } = __require("stream");
-    var { createHash: createHash15 } = __require("crypto");
+    var { createHash: createHash16 } = __require("crypto");
     var extension = require_extension();
     var PerMessageDeflate = require_permessage_deflate();
     var subprotocol = require_subprotocol();
@@ -99798,7 +99798,7 @@ var require_websocket_server = __commonJS({
           );
         }
         if (this._state > RUNNING) return abortHandshake(socket, 503);
-        const digest = createHash15("sha1").update(key + GUID).digest("base64");
+        const digest = createHash16("sha1").update(key + GUID).digest("base64");
         const headers = [
           "HTTP/1.1 101 Switching Protocols",
           "Upgrade: websocket",
@@ -209115,8 +209115,8 @@ var GIT_COMMIT_INFO, CLI_VERSION;
 var init_git_commit = __esm({
   "packages/core/dist/src/generated/git-commit.js"() {
     "use strict";
-    GIT_COMMIT_INFO = "146442f2a";
-    CLI_VERSION = "0.36.0-preview.3";
+    GIT_COMMIT_INFO = "38c706dbb";
+    CLI_VERSION = "0.36.0-preview.4";
   }
 });
@@ -220524,7 +220524,7 @@ var require_src53 = __commonJS({
 var require_object_hash = __commonJS({
   "node_modules/object-hash/index.js"(exports2, module2) {
     "use strict";
-    var crypto24 = __require("crypto");
+    var crypto25 = __require("crypto");
     exports2 = module2.exports = objectHash;
     function objectHash(object3, options) {
       options = applyDefaults(object3, options);
@@ -220542,7 +220542,7 @@ var require_object_hash = __commonJS({
     exports2.keysMD5 = function(object3) {
       return objectHash(object3, { algorithm: "md5", encoding: "hex", excludeValues: true });
     };
-    var hashes = crypto24.getHashes ? crypto24.getHashes().slice() : ["sha1", "md5"];
+    var hashes = crypto25.getHashes ? crypto25.getHashes().slice() : ["sha1", "md5"];
     hashes.push("passthrough");
     var encodings = ["buffer", "hex", "binary", "base64"];
     function applyDefaults(object3, sourceOptions) {
@@ -220588,7 +220588,7 @@ var require_object_hash = __commonJS({
     function hash(object3, options) {
       var hashingStream;
       if (options.algorithm !== "passthrough") {
-        hashingStream = crypto24.createHash(options.algorithm);
+        hashingStream = crypto25.createHash(options.algorithm);
       } else {
         hashingStream = new PassThrough6();
       }
@@ -236247,13 +236247,13 @@ var require_context = __commonJS({
     exports2.parseXCloudTraceHeader = parseXCloudTraceHeader;
     exports2.parseTraceParentHeader = parseTraceParentHeader;
     var uuid2 = (init_esm_node(), __toCommonJS(esm_node_exports));
-    var crypto24 = __require("crypto");
+    var crypto25 = __require("crypto");
     var api_1 = (init_esm2(), __toCommonJS(esm_exports2));
     exports2.X_CLOUD_TRACE_HEADER = "x-cloud-trace-context";
     var SPAN_ID_RANDOM_BYTES = 8;
     var spanIdBuffer = Buffer.alloc(SPAN_ID_RANDOM_BYTES);
-    var randomFillSync4 = crypto24.randomFillSync;
-    var randomBytes5 = crypto24.randomBytes;
+    var randomFillSync4 = crypto25.randomFillSync;
+    var randomBytes5 = crypto25.randomBytes;
     var spanRandomBuffer = randomFillSync4 ? () => randomFillSync4(spanIdBuffer) : () => randomBytes5(SPAN_ID_RANDOM_BYTES);
     exports2.W3C_TRACE_PARENT_HEADER = "traceparent";
     function makeHeaderWrapper(req) {
@@ -311956,8 +311956,8 @@ var require_snapshot_utils = __commonJS({
         match: new Set(matchHeaders.map((header) => caseSensitive ? header : header.toLowerCase()))
       };
     }
-    var crypto24 = runtimeFeatures.has("crypto") ? __require("node:crypto") : null;
-    var hashId = crypto24?.hash ? (value) => crypto24.hash("sha256", value, "base64url") : (value) => Buffer.from(value).toString("base64url");
+    var crypto25 = runtimeFeatures.has("crypto") ? __require("node:crypto") : null;
+    var hashId = crypto25?.hash ? (value) => crypto25.hash("sha256", value, "base64url") : (value) => Buffer.from(value).toString("base64url");
     function isUndiciHeaders(headers) {
       return Array.isArray(headers) && (headers.length & 1) === 0;
     }
@@ -318012,10 +318012,10 @@ var require_subresource_integrity = __commonJS({
     var assert4 = __require("node:assert");
     var { runtimeFeatures } = require_runtime_features();
     var validSRIHashAlgorithmTokenSet = /* @__PURE__ */ new Map([["sha256", 0], ["sha384", 1], ["sha512", 2]]);
-    var crypto24;
+    var crypto25;
     if (runtimeFeatures.has("crypto")) {
-      crypto24 = __require("node:crypto");
-      const cryptoHashes = crypto24.getHashes();
+      crypto25 = __require("node:crypto");
+      const cryptoHashes = crypto25.getHashes();
       if (cryptoHashes.length === 0) {
         validSRIHashAlgorithmTokenSet.clear();
       }
@@ -318105,7 +318105,7 @@ var require_subresource_integrity = __commonJS({
       return result2;
     }
     var applyAlgorithmToBytes = (algorithm, bytes) => {
-      return crypto24.hash(algorithm, bytes, "base64");
+      return crypto25.hash(algorithm, bytes, "base64");
     };
     function caseSensitiveMatch(actualValue, expectedValue) {
       let actualValueLength = actualValue.length;
@@ -321039,7 +321039,7 @@ var require_connection = __commonJS({
     var { WebsocketFrameSend } = require_frame();
     var assert4 = __require("node:assert");
     var { runtimeFeatures } = require_runtime_features();
-    var crypto24 = runtimeFeatures.has("crypto") ? __require("node:crypto") : null;
+    var crypto25 = runtimeFeatures.has("crypto") ? __require("node:crypto") : null;
     var warningEmitted = false;
     function establishWebSocketConnection(url5, protocols, client, handler, options) {
       const requestURL = url5;
@@ -321059,7 +321059,7 @@ var require_connection = __commonJS({
         const headersList = getHeadersList(new Headers3(options.headers));
         request.headersList = headersList;
       }
-      const keyValue = crypto24.randomBytes(16).toString("base64");
+      const keyValue = crypto25.randomBytes(16).toString("base64");
       request.headersList.append("sec-websocket-key", keyValue, true);
       request.headersList.append("sec-websocket-version", "13", true);
       for (const protocol of protocols) {
@@ -321099,7 +321099,7 @@ var require_connection = __commonJS({
             return;
           }
           const secWSAccept = response.headersList.get("Sec-WebSocket-Accept");
-          const digest = crypto24.hash("sha1", keyValue + uid, "base64");
+          const digest = crypto25.hash("sha1", keyValue + uid, "base64");
           if (secWSAccept !== digest) {
             failWebsocketConnection(handler, 1002, "Incorrect hash received in Sec-WebSocket-Accept header.");
             return;
@@ -332048,7 +332048,7 @@ function getVersion() {
   }
   versionPromise = (async () => {
     const pkgJson = await getPackageJson(__dirname4);
-    return "0.36.0-preview.3";
+    return "0.36.0-preview.4";
   })();
   return versionPromise;
 }
@@ -396383,6 +396383,63 @@ var init_experiments = __esm({
   }
 });
+// packages/core/dist/src/agents/types.js
+function isSubagentProgress(obj) {
+  return typeof obj === "object" && obj !== null && "isSubagentProgress" in obj && obj.isSubagentProgress === true;
+}
+function isToolActivityError(data) {
+  return data !== null && typeof data === "object" && "isError" in data && data.isError === true;
+}
+function getAgentCardLoadOptions(def) {
+  if (def.agentCardJson) {
+    return { type: "json", json: def.agentCardJson };
+  }
+  if (def.agentCardUrl) {
+    return { type: "url", url: def.agentCardUrl };
+  }
+  throw new Error(`Remote agent '${def.name}' has neither agentCardUrl nor agentCardJson`);
+}
+function getRemoteAgentTargetUrl(def) {
+  if (def.agentCardUrl) {
+    return def.agentCardUrl;
+  }
+  if (def.agentCardJson) {
+    try {
+      const parsed = JSON.parse(def.agentCardJson);
+      const card = parsed;
+      if (card.url) {
+        return card.url;
+      }
+    } catch {
+    }
+  }
+  return void 0;
+}
+var AgentTerminateMode, DEFAULT_QUERY_STRING, DEFAULT_MAX_TURNS, DEFAULT_MAX_TIME_MINUTES, SubagentActivityErrorType, SUBAGENT_REJECTED_ERROR_PREFIX, SUBAGENT_CANCELLED_ERROR_MESSAGE;
+var init_types18 = __esm({
+  "packages/core/dist/src/agents/types.js"() {
+    "use strict";
+    (function(AgentTerminateMode2) {
+      AgentTerminateMode2["ERROR"] = "ERROR";
+      AgentTerminateMode2["TIMEOUT"] = "TIMEOUT";
+      AgentTerminateMode2["GOAL"] = "GOAL";
+      AgentTerminateMode2["MAX_TURNS"] = "MAX_TURNS";
+      AgentTerminateMode2["ABORTED"] = "ABORTED";
+      AgentTerminateMode2["ERROR_NO_COMPLETE_TASK_CALL"] = "ERROR_NO_COMPLETE_TASK_CALL";
+    })(AgentTerminateMode || (AgentTerminateMode = {}));
+    DEFAULT_QUERY_STRING = "Get Started!";
+    DEFAULT_MAX_TURNS = 30;
+    DEFAULT_MAX_TIME_MINUTES = 10;
+    (function(SubagentActivityErrorType2) {
+      SubagentActivityErrorType2["REJECTED"] = "REJECTED";
+      SubagentActivityErrorType2["CANCELLED"] = "CANCELLED";
+      SubagentActivityErrorType2["GENERIC"] = "GENERIC";
+    })(SubagentActivityErrorType || (SubagentActivityErrorType = {}));
+    SUBAGENT_REJECTED_ERROR_PREFIX = "User rejected this operation.";
+    SUBAGENT_CANCELLED_ERROR_MESSAGE = "Request cancelled.";
+  }
+});
 // node_modules/js-yaml/dist/js-yaml.mjs
 function isNothing(subject) {
   return typeof subject === "undefined" || subject === null;
@@ -398973,38 +399030,6 @@ var init_js_yaml = __esm({
   }
 });
-// packages/core/dist/src/agents/types.js
-function isSubagentProgress(obj) {
-  return typeof obj === "object" && obj !== null && "isSubagentProgress" in obj && obj.isSubagentProgress === true;
-}
-function isToolActivityError(data) {
-  return data !== null && typeof data === "object" && "isError" in data && data.isError === true;
-}
-var AgentTerminateMode, DEFAULT_QUERY_STRING, DEFAULT_MAX_TURNS, DEFAULT_MAX_TIME_MINUTES, SubagentActivityErrorType, SUBAGENT_REJECTED_ERROR_PREFIX, SUBAGENT_CANCELLED_ERROR_MESSAGE;
-var init_types18 = __esm({
-  "packages/core/dist/src/agents/types.js"() {
-    "use strict";
-    (function(AgentTerminateMode2) {
-      AgentTerminateMode2["ERROR"] = "ERROR";
-      AgentTerminateMode2["TIMEOUT"] = "TIMEOUT";
-      AgentTerminateMode2["GOAL"] = "GOAL";
-      AgentTerminateMode2["MAX_TURNS"] = "MAX_TURNS";
-      AgentTerminateMode2["ABORTED"] = "ABORTED";
-      AgentTerminateMode2["ERROR_NO_COMPLETE_TASK_CALL"] = "ERROR_NO_COMPLETE_TASK_CALL";
-    })(AgentTerminateMode || (AgentTerminateMode = {}));
-    DEFAULT_QUERY_STRING = "Get Started!";
-    DEFAULT_MAX_TURNS = 30;
-    DEFAULT_MAX_TIME_MINUTES = 10;
-    (function(SubagentActivityErrorType2) {
-      SubagentActivityErrorType2["REJECTED"] = "REJECTED";
-      SubagentActivityErrorType2["CANCELLED"] = "CANCELLED";
-      SubagentActivityErrorType2["GENERIC"] = "GENERIC";
-    })(SubagentActivityErrorType || (SubagentActivityErrorType = {}));
-    SUBAGENT_REJECTED_ERROR_PREFIX = "User rejected this operation.";
-    SUBAGENT_CANCELLED_ERROR_MESSAGE = "Request cancelled.";
-  }
-});
 // packages/core/dist/src/skills/skillLoader.js
 import * as fs59 from "node:fs/promises";
 import * as path70 from "node:path";
@@ -399125,19 +399150,42 @@ var init_skillLoader = __esm({
 import * as fs60 from "node:fs/promises";
 import * as path71 from "node:path";
 import * as crypto21 from "node:crypto";
-function formatZodError(error2, context2) {
-  const issues = error2.issues.map((i4) => {
+function guessIntendedKind(rawInput) {
+  if (typeof rawInput !== "object" || rawInput === null)
+    return void 0;
+  const input = rawInput;
+  if (input.kind === "local")
+    return "local";
+  if (input.kind === "remote")
+    return "remote";
+  const hasLocalKeys = "tools" in input || "mcp_servers" in input || "model" in input || "temperature" in input || "max_turns" in input || "timeout_mins" in input;
+  const hasRemoteKeys = "agent_card_url" in input || "auth" in input || "agent_card_json" in input;
+  if (hasLocalKeys && !hasRemoteKeys)
+    return "local";
+  if (hasRemoteKeys && !hasLocalKeys)
+    return "remote";
+  return void 0;
+}
+function formatZodError(error2, context2, rawInput) {
+  const intendedKind = rawInput ? guessIntendedKind(rawInput) : void 0;
+  const formatIssues = (issues, unionPrefix) => issues.flatMap((i4) => {
     if (i4.code === external_exports.ZodIssueCode.invalid_union) {
-      return i4.unionErrors.map((unionError, index) => {
-        const label = agentUnionOptions[index]?.label ?? `Agent type #${index + 1}`;
-        const unionIssues = unionError.issues.map((u3) => `${u3.path.join(".")}: ${u3.message}`).join(", ");
-        return `(${label}) ${unionIssues}`;
-      }).join("\n");
+      return i4.unionErrors.flatMap((unionError, index) => {
+        const label = unionPrefix ? unionPrefix : agentUnionOptions[index]?.label ?? `Branch #${index + 1}`;
+        if (intendedKind === "local" && label === "Remote Agent")
+          return [];
+        if (intendedKind === "remote" && label === "Local Agent")
+          return [];
+        return formatIssues(unionError.issues, label);
+      });
     }
-    return `${i4.path.join(".")}: ${i4.message}`;
-  }).join("\n");
+    const prefix = unionPrefix ? `(${unionPrefix}) ` : "";
+    const path91 = i4.path.length > 0 ? `${i4.path.join(".")}: ` : "";
+    return `${prefix}${path91}${i4.message}`;
+  });
+  const formatted = Array.from(new Set(formatIssues(error2.issues))).join("\n");
   return `${context2}:
-${issues}`;
+${formatted}`;
 }
 async function parseAgentMarkdown(filePath, content) {
   let fileContent;
@@ -399160,11 +399208,7 @@ async function parseAgentMarkdown(filePath, content) {
   try {
     rawFrontmatter = load2(frontmatterStr);
   } catch (error2) {
-    throw new AgentLoadError(
-      filePath,
-      // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
-      `YAML frontmatter parsing failed: ${error2.message}`
-    );
+    throw new AgentLoadError(filePath, `YAML frontmatter parsing failed: ${getErrorMessage(error2)}`);
   }
   if (Array.isArray(rawFrontmatter)) {
     const result3 = remoteAgentsListSchema.safeParse(rawFrontmatter);
@@ -399178,7 +399222,7 @@ async function parseAgentMarkdown(filePath, content) {
   }
   const result2 = markdownFrontmatterSchema.safeParse(rawFrontmatter);
   if (!result2.success) {
-    throw new AgentLoadError(filePath, `Validation failed: ${formatZodError(result2.error, "Agent Definition")}`);
+    throw new AgentLoadError(filePath, `Validation failed: ${formatZodError(result2.error, "Agent Definition", rawFrontmatter)}`);
   }
   const frontmatter = result2.data;
   if (frontmatter.kind === "remote") {
@@ -399189,39 +399233,30 @@ async function parseAgentMarkdown(filePath, content) {
       }
     ];
   }
-  const agentDef = {
-    ...frontmatter,
-    kind: "local",
-    system_prompt: body2.trim()
-  };
-  return [agentDef];
+  return [
+    {
+      ...frontmatter,
+      kind: "local",
+      system_prompt: body2.trim()
+    }
+  ];
 }
 function convertFrontmatterAuthToConfig(frontmatter) {
-  const base = {};
   switch (frontmatter.type) {
     case "apiKey":
-      if (!frontmatter.key) {
-        throw new Error("Internal error: API key missing after validation.");
-      }
       return {
-        ...base,
         type: "apiKey",
         key: frontmatter.key,
         name: frontmatter.name
       };
     case "google-credentials":
       return {
-        ...base,
         type: "google-credentials",
         scopes: frontmatter.scopes
       };
-    case "http": {
-      if (!frontmatter.scheme) {
-        throw new Error("Internal error: HTTP scheme missing after validation.");
-      }
+    case "http":
       if (frontmatter.value) {
         return {
-          ...base,
           type: "http",
           scheme: frontmatter.scheme,
           value: frontmatter.value
@@ -399229,34 +399264,23 @@ function convertFrontmatterAuthToConfig(frontmatter) {
       }
       switch (frontmatter.scheme) {
         case "Bearer":
-          if (!frontmatter.token) {
-            throw new Error("Internal error: Bearer token missing after validation.");
-          }
           return {
-            ...base,
             type: "http",
             scheme: "Bearer",
             token: frontmatter.token
           };
         case "Basic":
-          if (!frontmatter.username || !frontmatter.password) {
-            throw new Error("Internal error: Basic auth credentials missing after validation.");
-          }
           return {
-            ...base,
             type: "http",
             scheme: "Basic",
             username: frontmatter.username,
             password: frontmatter.password
           };
-        default: {
+        default:
           throw new Error(`Unknown HTTP scheme: ${frontmatter.scheme}`);
-        }
       }
-    }
     case "oauth":
       return {
-        ...base,
         type: "oauth2",
         client_id: frontmatter.client_id,
         client_secret: frontmatter.client_secret,
@@ -399265,8 +399289,12 @@ function convertFrontmatterAuthToConfig(frontmatter) {
         token_url: frontmatter.token_url
       };
     default: {
-      const exhaustive = frontmatter.type;
-      throw new Error(`Unknown auth type: ${exhaustive}`);
+      const exhaustive = frontmatter;
+      const raw = exhaustive;
+      if (typeof raw === "object" && raw !== null && "type" in raw) {
+        throw new Error(`Unknown auth type: ${String(raw["type"])}`);
+      }
+      throw new Error("Unknown auth type");
     }
   }
 }
@@ -399285,20 +399313,28 @@ function markdownToAgentDefinition(markdown, metadata2) {
     }
   };
   if (markdown.kind === "remote") {
-    return {
+    const base = {
       kind: "remote",
       name: markdown.name,
       description: markdown.description || "",
       displayName: markdown.display_name,
-      agentCardUrl: markdown.agent_card_url,
       auth: markdown.auth ? convertFrontmatterAuthToConfig(markdown.auth) : void 0,
       inputConfig,
       metadata: metadata2
     };
+    if ("agent_card_json" in markdown && markdown.agent_card_json !== void 0) {
+      base.agentCardJson = markdown.agent_card_json;
+      return base;
+    }
+    if ("agent_card_url" in markdown && markdown.agent_card_url !== void 0) {
+      base.agentCardUrl = markdown.agent_card_url;
+      return base;
+    }
+    throw new AgentLoadError(metadata2?.filePath || "unknown", "Unexpected state: neither agent_card_json nor agent_card_url present on remote agent");
   }
   const modelName = markdown.model || "inherit";
   const mcpServers = {};
-  if (markdown.kind === "local" && markdown.mcp_servers) {
+  if (markdown.mcp_servers) {
     for (const [name3, config3] of Object.entries(markdown.mcp_servers)) {
       mcpServers[name3] = new MCPServerConfig(config3.command, config3.args, config3.env, config3.cwd, config3.url, config3.http_url, config3.headers, config3.tcp, config3.type, config3.timeout, config3.trust, config3.description, config3.include_tools, config3.exclude_tools);
     }
@@ -399340,14 +399376,10 @@ async function loadAgentsFromDirectory(dir) {
   try {
     dirEntries = await fs60.readdir(dir, { withFileTypes: true });
   } catch (error2) {
-    if (error2.code === "ENOENT") {
+    if (error2 instanceof Error && "code" in error2 && error2.code === "ENOENT") {
       return result2;
     }
-    result2.errors.push(new AgentLoadError(
-      dir,
-      // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
-      `Could not list directory: ${error2.message}`
-    ));
+    result2.errors.push(new AgentLoadError(dir, `Could not list directory: ${getErrorMessage(error2)}`));
     return result2;
   }
   const files = dirEntries.filter((entry) => entry.isFile() && !entry.name.startsWith("_") && entry.name.endsWith(".md"));
@@ -399365,17 +399397,13 @@ async function loadAgentsFromDirectory(dir) {
       if (error2 instanceof AgentLoadError) {
         result2.errors.push(error2);
       } else {
-        result2.errors.push(new AgentLoadError(
-          filePath,
-          // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
-          `Unexpected error: ${error2.message}`
-        ));
+        result2.errors.push(new AgentLoadError(filePath, `Unexpected error: ${getErrorMessage(error2)}`));
       }
     }
   }
   return result2;
 }
-var AgentLoadError, nameSchema, mcpServerSchema, localAgentSchema, baseAuthFields, apiKeyAuthSchema, httpAuthSchema, googleCredentialsAuthSchema, oauth2AuthSchema, authConfigSchema, remoteAgentSchema, agentUnionOptions, remoteAgentsListSchema, markdownFrontmatterSchema;
+var AgentLoadError, nameSchema, mcpServerSchema, localAgentSchema, baseAuthFields, apiKeyAuthSchema, httpAuthSchema, googleCredentialsAuthSchema, oauth2AuthSchema, authConfigSchema, baseRemoteAgentSchema, remoteAgentUrlSchema, remoteAgentJsonSchema, remoteAgentSchema, agentUnionOptions, remoteAgentsListSchema, markdownFrontmatterSchema;
 var init_agentLoader = __esm({
   "packages/core/dist/src/agents/agentLoader.js"() {
     "use strict";
@@ -399462,17 +399490,17 @@ var init_agentLoader = __esm({
       oauth2AuthSchema
     ]).superRefine((data, ctx) => {
       if (data.type === "http") {
-        if (data.value) {
+        if (data.value)
           return;
-        }
-        if (data.scheme === "Bearer" && !data.token) {
-          ctx.addIssue({
-            code: external_exports.ZodIssueCode.custom,
-            message: 'Bearer scheme requires "token"',
-            path: ["token"]
-          });
-        }
-        if (data.scheme === "Basic") {
+        if (data.scheme === "Bearer") {
+          if (!data.token) {
+            ctx.addIssue({
+              code: external_exports.ZodIssueCode.custom,
+              message: 'Bearer scheme requires "token"',
+              path: ["token"]
+            });
+          }
+        } else if (data.scheme === "Basic") {
           if (!data.username) {
             ctx.addIssue({
               code: external_exports.ZodIssueCode.custom,
@@ -399487,25 +399515,51 @@ var init_agentLoader = __esm({
               path: ["password"]
             });
           }
+        } else {
+          ctx.addIssue({
+            code: external_exports.ZodIssueCode.custom,
+            message: `HTTP scheme "${data.scheme}" requires "value"`,
+            path: ["value"]
+          });
         }
       }
     });
-    remoteAgentSchema = external_exports.object({
+    baseRemoteAgentSchema = external_exports.object({
       kind: external_exports.literal("remote").optional().default("remote"),
       name: nameSchema,
       description: external_exports.string().optional(),
       display_name: external_exports.string().optional(),
-      agent_card_url: external_exports.string().url(),
       auth: authConfigSchema.optional()
+    });
+    remoteAgentUrlSchema = baseRemoteAgentSchema.extend({
+      agent_card_url: external_exports.string().url(),
+      agent_card_json: external_exports.undefined().optional()
+    }).strict();
+    remoteAgentJsonSchema = baseRemoteAgentSchema.extend({
+      agent_card_url: external_exports.undefined().optional(),
+      agent_card_json: external_exports.string().refine((val) => {
+        try {
+          JSON.parse(val);
+          return true;
+        } catch {
+          return false;
+        }
+      }, { message: "agent_card_json must be valid JSON" })
     }).strict();
+    remoteAgentSchema = external_exports.union([
+      remoteAgentUrlSchema,
+      remoteAgentJsonSchema
+    ]);
     agentUnionOptions = [
-      { schema: localAgentSchema, label: "Local Agent" },
-      { schema: remoteAgentSchema, label: "Remote Agent" }
+      { label: "Local Agent" },
+      { label: "Remote Agent" },
+      { label: "Remote Agent" }
     ];
     remoteAgentsListSchema = external_exports.array(remoteAgentSchema);
     markdownFrontmatterSchema = external_exports.union([
-      agentUnionOptions[0].schema,
-      agentUnionOptions[1].schema
+      localAgentSchema,
+      remoteAgentUrlSchema,
+      remoteAgentJsonSchema
     ]);
   }
 });
@@ -404827,6 +404881,7 @@ var init_a2a_errors = __esm({
 });
 // packages/core/dist/src/agents/registry.js
+import * as crypto23 from "node:crypto";
 function getModelConfigAlias(definition) {
   return `${definition.name}-config`;
 }
@@ -404836,6 +404891,7 @@ var init_registry = __esm({
     "use strict";
     init_storage();
     init_events();
+    init_types18();
     init_agentLoader();
     init_codebase_investigator();
     init_cli_help_agent();
@@ -404936,7 +404992,7 @@ var init_registry = __esm({
               if (!agent.metadata) {
                 agent.metadata = {};
               }
-              agent.metadata.hash = agent.agentCardUrl;
+              agent.metadata.hash = agent.agentCardUrl ?? (agent.agentCardJson ? crypto23.createHash("sha256").update(agent.agentCardJson).digest("hex") : void 0);
             }
             if (!agent.metadata?.hash) {
               agentsToRegister.push(agent);
@@ -405106,12 +405162,13 @@ var init_registry = __esm({
             debugLogger.warn(`[AgentRegistry] Skipping remote agent '${definition.name}': A2AClientManager is not available.`);
             return;
           }
+          const targetUrl = getRemoteAgentTargetUrl(remoteDef);
           let authHandler;
           if (definition.auth) {
             const provider = await A2AAuthProviderFactory.create({
               authConfig: definition.auth,
               agentName: definition.name,
-              targetUrl: definition.agentCardUrl,
+              targetUrl,
               agentCardUrl: remoteDef.agentCardUrl
             });
             if (!provider) {
@@ -405119,7 +405176,7 @@ var init_registry = __esm({
             }
             authHandler = provider;
           }
-          const agentCard = await clientManager.loadAgent(remoteDef.name, remoteDef.agentCardUrl, authHandler);
+          const agentCard = await clientManager.loadAgent(remoteDef.name, getAgentCardLoadOptions(remoteDef), authHandler);
           if (agentCard.securitySchemes) {
             const validation = A2AAuthProviderFactory.validateAuthConfig(definition.auth, agentCard.securitySchemes);
             if (!validation.valid && validation.diff) {
@@ -405147,7 +405204,7 @@ ${skillsList}`);
             definition.description = descriptions.join("\n");
           }
           if (this.config.getDebugMode()) {
-            debugLogger.log(`[AgentRegistry] Registered remote agent '${definition.name}' with card: ${definition.agentCardUrl}`);
+            debugLogger.log(`[AgentRegistry] Registered remote agent '${definition.name}' with card: ${definition.agentCardUrl ?? "inline JSON"}`);
           }
           this.agents.set(definition.name, definition);
           this.addAgentPolicy(definition);
@@ -408850,10 +408907,11 @@ var init_remote_invocation = __esm({
           return this.authHandler;
         }
         if (this.definition.auth) {
+          const targetUrl = getRemoteAgentTargetUrl(this.definition);
           const provider = await A2AAuthProviderFactory.create({
             authConfig: this.definition.auth,
             agentName: this.definition.name,
-            targetUrl: this.definition.agentCardUrl,
+            targetUrl,
             agentCardUrl: this.definition.agentCardUrl
           });
           if (!provider) {
@@ -408898,7 +408956,7 @@ var init_remote_invocation = __esm({
           }
           const authHandler = await this.getAuthHandler();
           if (!this.clientManager.getClient(this.definition.name)) {
-            await this.clientManager.loadAgent(this.definition.name, this.definition.agentCardUrl, authHandler);
+            await this.clientManager.loadAgent(this.definition.name, getAgentCardLoadOptions(this.definition), authHandler);
           }
           const message = this.params.query;
           const stream3 = this.clientManager.sendMessageStream(this.definition.name, message, {
@@ -413366,7 +413424,7 @@ var init_xcode_mcp_fix_transport = __esm({
 });
 // packages/core/dist/src/mcp/oauth-provider.js
-import * as crypto23 from "node:crypto";
+import * as crypto24 from "node:crypto";
 import { URL as URL9 } from "node:url";
 var MCPOAuthProvider;
 var init_oauth_provider = __esm({
@@ -413652,7 +413710,7 @@ ${authUrl}
           debugLogger.debug("\u2713 Authentication successful! Token saved.");
           const savedToken = await this.tokenStorage.getCredentials(serverName);
           if (savedToken && savedToken.token && savedToken.token.accessToken) {
-            const tokenFingerprint = crypto23.createHash("sha256").update(savedToken.token.accessToken).digest("hex").slice(0, 8);
+            const tokenFingerprint = crypto24.createHash("sha256").update(savedToken.token.accessToken).digest("hex").slice(0, 8);
             debugLogger.debug(`\u2713 Token verification successful (fingerprint: ${tokenFingerprint})`);
           } else {
             debugLogger.warn("Token verification failed: token not found or invalid after save");
@@ -414940,7 +414998,7 @@ var init_mcp_client = __esm({
 });
 // packages/core/dist/src/tools/mcp-client-manager.js
-import { createHash as createHash14 } from "node:crypto";
+import { createHash as createHash15 } from "node:crypto";
 var McpClientManager;
 var init_mcp_client_manager = __esm({
   "packages/core/dist/src/tools/mcp-client-manager.js"() {
@@ -415137,7 +415195,7 @@ var init_mcp_client_manager = __esm({
           config: rest,
           extensionId: extension?.id
         };
-        return createHash14("sha256").update(stableStringify(keyData)).digest("hex");
+        return createHash15("sha256").update(stableStringify(keyData)).digest("hex");
       }
       /**
        * Merges two MCP configurations. The second configuration (override)
@@ -434011,7 +434069,7 @@ var init_a2a_client_manager = __esm({
        * @param authHandler Optional authentication handler to use for this agent.
        * @returns The loaded AgentCard.
        */
-      async loadAgent(name3, agentCardUrl, authHandler) {
+      async loadAgent(name3, options, authHandler) {
         if (this.clients.has(name3) && this.agentCards.has(name3)) {
           throw new Error(`Agent with name '${name3}' is already loaded.`);
         }
@@ -434027,7 +434085,19 @@ var init_a2a_client_manager = __esm({
           return response;
         };
         const resolver = new DefaultAgentCardResolver({ fetchImpl: cardFetch });
-        const rawCard = await resolver.resolve(agentCardUrl, "");
+        let rawCard;
+        let urlIdentifier = "inline JSON";
+        if (options.type === "json") {
+          try {
+            rawCard = JSON.parse(options.json);
+          } catch (error2) {
+            const msg = error2 instanceof Error ? error2.message : String(error2);
+            throw new Error(`Failed to parse inline agent card JSON for agent '${name3}': ${msg}`);
+          }
+        } else {
+          urlIdentifier = options.url;
+          rawCard = await resolver.resolve(options.url, "");
+        }
         const agentCard = normalizeAgentCard(rawCard);
         const grpcUrl = agentCard.additionalInterfaces?.find((i4) => i4.transport === "GRPC")?.url ?? agentCard.url;
         const clientOptions = ClientFactoryOptions.createFrom(ClientFactoryOptions.default, {
@@ -434045,10 +434115,10 @@ var init_a2a_client_manager = __esm({
           const client = await factory.createFromAgentCard(agentCard);
           this.clients.set(name3, client);
           this.agentCards.set(name3, agentCard);
-          debugLogger.debug(`[A2AClientManager] Loaded agent '${name3}' from ${agentCardUrl}`);
+          debugLogger.debug(`[A2AClientManager] Loaded agent '${name3}' from ${urlIdentifier}`);
           return agentCard;
         } catch (error2) {
-          throw classifyAgentError(name3, agentCardUrl, error2);
+          throw classifyAgentError(name3, urlIdentifier, error2);
         }
       }
       /**
@@ -440543,7 +440613,7 @@ var require_main2 = __commonJS({
     var fs76 = __require("fs");
     var path91 = __require("path");
     var os32 = __require("os");
-    var crypto24 = __require("crypto");
+    var crypto25 = __require("crypto");
     var packageJson4 = require_package14();
     var version4 = packageJson4.version;
     var LINE = /(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#.*)?(?:$|$)/mg;
@@ -440762,7 +440832,7 @@ var require_main2 = __commonJS({
       const authTag = ciphertext.subarray(-16);
       ciphertext = ciphertext.subarray(12, -16);
       try {
-        const aesgcm = crypto24.createDecipheriv("aes-256-gcm", key, nonce);
+        const aesgcm = crypto25.createDecipheriv("aes-256-gcm", key, nonce);
         aesgcm.setAuthTag(authTag);
         return `${aesgcm.update(ciphertext)}${aesgcm.final()}`;
       } catch (error2) {