@google/gemini-cli 0.36.0-preview.3 → 0.36.0-preview.4

package/bundle/{chunk-2RPVSGOE.js → chunk-GCWRR5FX.js}

@@ -7649,22 +7649,22 @@ var require_crypto2 = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.NodeCrypto = void 0;
-    var crypto22 = __require("crypto");
+    var crypto23 = __require("crypto");
     var NodeCrypto = class {
       async sha256DigestBase64(str2) {
-        return crypto22.createHash("sha256").update(str2).digest("base64");
+        return crypto23.createHash("sha256").update(str2).digest("base64");
       }
       randomBytesBase64(count2) {
-        return crypto22.randomBytes(count2).toString("base64");
+        return crypto23.randomBytes(count2).toString("base64");
       }
       async verify(pubkey, data, signature) {
-        const verifier = crypto22.createVerify("RSA-SHA256");
+        const verifier = crypto23.createVerify("RSA-SHA256");
         verifier.update(data);
         verifier.end();
         return verifier.verify(pubkey, signature, "base64");
       }
       async sign(privateKey, data) {
-        const signer = crypto22.createSign("RSA-SHA256");
+        const signer = crypto23.createSign("RSA-SHA256");
         signer.update(data);
         signer.end();
         return signer.sign(privateKey, "base64");
@@ -7682,7 +7682,7 @@ var require_crypto2 = __commonJS({
        *   string in hexadecimal encoding.
        */
       async sha256DigestHex(str2) {
-        return crypto22.createHash("sha256").update(str2).digest("hex");
+        return crypto23.createHash("sha256").update(str2).digest("hex");
       }
       /**
        * Computes the HMAC hash of a message using the provided crypto key and the
@@ -7694,7 +7694,7 @@ var require_crypto2 = __commonJS({
        */
       async signWithHmacSha256(key, msg) {
         const cryptoKey = typeof key === "string" ? key : toBuffer(key);
-        return toArrayBuffer(crypto22.createHmac("sha256", cryptoKey).update(msg).digest());
+        return toArrayBuffer(crypto23.createHmac("sha256", cryptoKey).update(msg).digest());
       }
     };
     exports2.NodeCrypto = NodeCrypto;
@@ -8250,10 +8250,10 @@ var require_oauth2client = __commonJS({
        * https://github.com/googleapis/google-auth-library-nodejs/blob/main/samples/oauth2-codeVerifier.js
        */
       async generateCodeVerifierAsync() {
-        const crypto22 = (0, crypto_1.createCrypto)();
-        const randomString2 = crypto22.randomBytesBase64(96);
+        const crypto23 = (0, crypto_1.createCrypto)();
+        const randomString2 = crypto23.randomBytesBase64(96);
         const codeVerifier = randomString2.replace(/\+/g, "~").replace(/=/g, "_").replace(/\//g, "-");
-        const unencodedCodeChallenge = await crypto22.sha256DigestBase64(codeVerifier);
+        const unencodedCodeChallenge = await crypto23.sha256DigestBase64(codeVerifier);
         const codeChallenge = unencodedCodeChallenge.split("=")[0].replace(/\+/g, "-").replace(/\//g, "_");
         return { codeVerifier, codeChallenge };
       }
@@ -8697,7 +8697,7 @@ var require_oauth2client = __commonJS({
        * @return Returns a promise resolving to LoginTicket on verification.
        */
       async verifySignedJwtWithCertsAsync(jwt2, certs, requiredAudience, issuers, maxExpiry) {
-        const crypto22 = (0, crypto_1.createCrypto)();
+        const crypto23 = (0, crypto_1.createCrypto)();
         if (!maxExpiry) {
           maxExpiry = _OAuth2Client.DEFAULT_MAX_TOKEN_LIFETIME_SECS_;
         }
@@ -8710,7 +8710,7 @@ var require_oauth2client = __commonJS({
         let envelope;
         let payload;
         try {
-          envelope = JSON.parse(crypto22.decodeBase64StringUtf8(segments[0]));
+          envelope = JSON.parse(crypto23.decodeBase64StringUtf8(segments[0]));
         } catch (err2) {
           if (err2 instanceof Error) {
             err2.message = `Can't parse token envelope: ${segments[0]}': ${err2.message}`;
@@ -8721,7 +8721,7 @@ var require_oauth2client = __commonJS({
           throw new Error("Can't parse token envelope: " + segments[0]);
         }
         try {
-          payload = JSON.parse(crypto22.decodeBase64StringUtf8(segments[1]));
+          payload = JSON.parse(crypto23.decodeBase64StringUtf8(segments[1]));
         } catch (err2) {
           if (err2 instanceof Error) {
             err2.message = `Can't parse token payload '${segments[0]}`;
@@ -8738,7 +8738,7 @@ var require_oauth2client = __commonJS({
         if (envelope.alg === "ES256") {
           signature = formatEcdsa.joseToDer(signature, "ES256").toString("base64");
         }
-        const verified = await crypto22.verify(cert, signed, signature);
+        const verified = await crypto23.verify(cert, signed, signature);
         if (!verified) {
           throw new Error("Invalid token signature: " + jwt2);
         }
@@ -10883,14 +10883,14 @@ var require_awsrequestsigner = __commonJS({
       }
     };
     exports2.AwsRequestSigner = AwsRequestSigner;
-    async function sign(crypto22, key, msg) {
-      return await crypto22.signWithHmacSha256(key, msg);
-    }
-    async function getSigningKey(crypto22, key, dateStamp, region, serviceName) {
-      const kDate = await sign(crypto22, `AWS4${key}`, dateStamp);
-      const kRegion = await sign(crypto22, kDate, region);
-      const kService = await sign(crypto22, kRegion, serviceName);
-      const kSigning = await sign(crypto22, kService, "aws4_request");
+    async function sign(crypto23, key, msg) {
+      return await crypto23.signWithHmacSha256(key, msg);
+    }
+    async function getSigningKey(crypto23, key, dateStamp, region, serviceName) {
+      const kDate = await sign(crypto23, `AWS4${key}`, dateStamp);
+      const kRegion = await sign(crypto23, kDate, region);
+      const kService = await sign(crypto23, kRegion, serviceName);
+      const kSigning = await sign(crypto23, kService, "aws4_request");
       return kSigning;
     }
     async function generateAuthenticationHeaderMap(options) {
@@ -12475,24 +12475,24 @@ var require_googleauth = __commonJS({
           const signed = await client.sign(data);
           return signed.signedBlob;
         }
-        const crypto22 = (0, crypto_1.createCrypto)();
+        const crypto23 = (0, crypto_1.createCrypto)();
         if (client instanceof jwtclient_1.JWT && client.key) {
-          const sign = await crypto22.sign(client.key, data);
+          const sign = await crypto23.sign(client.key, data);
           return sign;
         }
         const creds = await this.getCredentials();
         if (!creds.client_email) {
           throw new Error("Cannot sign data without `client_email`.");
         }
-        return this.signBlob(crypto22, creds.client_email, data, endpoint);
+        return this.signBlob(crypto23, creds.client_email, data, endpoint);
       }
-      async signBlob(crypto22, emailOrUniqueId, data, endpoint) {
+      async signBlob(crypto23, emailOrUniqueId, data, endpoint) {
         const url3 = new URL(endpoint + `${emailOrUniqueId}:signBlob`);
         const res = await this.request({
           method: "POST",
           url: url3.href,
           data: {
-            payload: crypto22.encodeBase64StringUtf8(data)
+            payload: crypto23.encodeBase64StringUtf8(data)
           },
           retry: true,
           retryConfig: {
@@ -108730,7 +108730,7 @@ var require_src48 = __commonJS({
 var require_object_hash = __commonJS({
   "node_modules/object-hash/index.js"(exports2, module2) {
     "use strict";
-    var crypto22 = __require("crypto");
+    var crypto23 = __require("crypto");
     exports2 = module2.exports = objectHash;
     function objectHash(object3, options) {
       options = applyDefaults(object3, options);
@@ -108748,7 +108748,7 @@ var require_object_hash = __commonJS({
     exports2.keysMD5 = function(object3) {
       return objectHash(object3, { algorithm: "md5", encoding: "hex", excludeValues: true });
     };
-    var hashes = crypto22.getHashes ? crypto22.getHashes().slice() : ["sha1", "md5"];
+    var hashes = crypto23.getHashes ? crypto23.getHashes().slice() : ["sha1", "md5"];
     hashes.push("passthrough");
     var encodings = ["buffer", "hex", "binary", "base64"];
     function applyDefaults(object3, sourceOptions) {
@@ -108794,7 +108794,7 @@ var require_object_hash = __commonJS({
     function hash(object3, options) {
       var hashingStream;
       if (options.algorithm !== "passthrough") {
-        hashingStream = crypto22.createHash(options.algorithm);
+        hashingStream = crypto23.createHash(options.algorithm);
       } else {
         hashingStream = new PassThrough3();
       }
@@ -125281,13 +125281,13 @@ var require_context = __commonJS({
     exports2.parseXCloudTraceHeader = parseXCloudTraceHeader;
     exports2.parseTraceParentHeader = parseTraceParentHeader;
     var uuid3 = (init_esm_node(), __toCommonJS(esm_node_exports));
-    var crypto22 = __require("crypto");
+    var crypto23 = __require("crypto");
     var api_1 = (init_esm(), __toCommonJS(esm_exports));
     exports2.X_CLOUD_TRACE_HEADER = "x-cloud-trace-context";
     var SPAN_ID_RANDOM_BYTES = 8;
     var spanIdBuffer = Buffer.alloc(SPAN_ID_RANDOM_BYTES);
-    var randomFillSync2 = crypto22.randomFillSync;
-    var randomBytes7 = crypto22.randomBytes;
+    var randomFillSync2 = crypto23.randomFillSync;
+    var randomBytes7 = crypto23.randomBytes;
     var spanRandomBuffer = randomFillSync2 ? () => randomFillSync2(spanIdBuffer) : () => randomBytes7(SPAN_ID_RANDOM_BYTES);
     exports2.W3C_TRACE_PARENT_HEADER = "traceparent";
     function makeHeaderWrapper(req) {
@@ -187690,8 +187690,8 @@ var require_snapshot_utils = __commonJS({
         match: new Set(matchHeaders.map((header) => caseSensitive ? header : header.toLowerCase()))
       };
     }
-    var crypto22 = runtimeFeatures.has("crypto") ? __require("node:crypto") : null;
-    var hashId = crypto22?.hash ? (value) => crypto22.hash("sha256", value, "base64url") : (value) => Buffer.from(value).toString("base64url");
+    var crypto23 = runtimeFeatures.has("crypto") ? __require("node:crypto") : null;
+    var hashId = crypto23?.hash ? (value) => crypto23.hash("sha256", value, "base64url") : (value) => Buffer.from(value).toString("base64url");
     function isUndiciHeaders(headers) {
       return Array.isArray(headers) && (headers.length & 1) === 0;
     }
@@ -193746,10 +193746,10 @@ var require_subresource_integrity = __commonJS({
     var assert4 = __require("node:assert");
     var { runtimeFeatures } = require_runtime_features();
     var validSRIHashAlgorithmTokenSet = /* @__PURE__ */ new Map([["sha256", 0], ["sha384", 1], ["sha512", 2]]);
-    var crypto22;
+    var crypto23;
     if (runtimeFeatures.has("crypto")) {
-      crypto22 = __require("node:crypto");
-      const cryptoHashes = crypto22.getHashes();
+      crypto23 = __require("node:crypto");
+      const cryptoHashes = crypto23.getHashes();
       if (cryptoHashes.length === 0) {
         validSRIHashAlgorithmTokenSet.clear();
       }
@@ -193839,7 +193839,7 @@ var require_subresource_integrity = __commonJS({
       return result2;
     }
     var applyAlgorithmToBytes = (algorithm, bytes) => {
-      return crypto22.hash(algorithm, bytes, "base64");
+      return crypto23.hash(algorithm, bytes, "base64");
     };
     function caseSensitiveMatch(actualValue, expectedValue) {
       let actualValueLength = actualValue.length;
@@ -196773,7 +196773,7 @@ var require_connection = __commonJS({
     var { WebsocketFrameSend } = require_frame();
     var assert4 = __require("node:assert");
     var { runtimeFeatures } = require_runtime_features();
-    var crypto22 = runtimeFeatures.has("crypto") ? __require("node:crypto") : null;
+    var crypto23 = runtimeFeatures.has("crypto") ? __require("node:crypto") : null;
     var warningEmitted = false;
     function establishWebSocketConnection(url3, protocols, client, handler, options) {
       const requestURL = url3;
@@ -196793,7 +196793,7 @@ var require_connection = __commonJS({
         const headersList = getHeadersList(new Headers2(options.headers));
         request.headersList = headersList;
       }
-      const keyValue = crypto22.randomBytes(16).toString("base64");
+      const keyValue = crypto23.randomBytes(16).toString("base64");
       request.headersList.append("sec-websocket-key", keyValue, true);
       request.headersList.append("sec-websocket-version", "13", true);
       for (const protocol of protocols) {
@@ -196833,7 +196833,7 @@ var require_connection = __commonJS({
             return;
           }
           const secWSAccept = response.headersList.get("Sec-WebSocket-Accept");
-          const digest = crypto22.hash("sha1", keyValue + uid, "base64");
+          const digest = crypto23.hash("sha1", keyValue + uid, "base64");
           if (secWSAccept !== digest) {
             failWebsocketConnection(handler, 1002, "Incorrect hash received in Sec-WebSocket-Accept header.");
             return;
@@ -249986,7 +249986,7 @@ var Float64Vector = import_vector.default.Float64Vector;
 var PointerVector = import_vector.default.PointerVector;
 
 // packages/core/dist/src/generated/git-commit.js
-var GIT_COMMIT_INFO = "146442f2a";
+var GIT_COMMIT_INFO = "38c706dbb";
 var CLI_VERSION = "0.36.0-preview.3";
 
 // packages/core/dist/src/ide/detect-ide.js
@@ -322903,6 +322903,62 @@ function parseExperiments(response) {
   };
 }
 
+// packages/core/dist/src/agents/registry.js
+import * as crypto17 from "node:crypto";
+
+// packages/core/dist/src/agents/types.js
+var AgentTerminateMode;
+(function(AgentTerminateMode2) {
+  AgentTerminateMode2["ERROR"] = "ERROR";
+  AgentTerminateMode2["TIMEOUT"] = "TIMEOUT";
+  AgentTerminateMode2["GOAL"] = "GOAL";
+  AgentTerminateMode2["MAX_TURNS"] = "MAX_TURNS";
+  AgentTerminateMode2["ABORTED"] = "ABORTED";
+  AgentTerminateMode2["ERROR_NO_COMPLETE_TASK_CALL"] = "ERROR_NO_COMPLETE_TASK_CALL";
+})(AgentTerminateMode || (AgentTerminateMode = {}));
+var DEFAULT_QUERY_STRING = "Get Started!";
+var DEFAULT_MAX_TURNS = 30;
+var DEFAULT_MAX_TIME_MINUTES = 10;
+var SubagentActivityErrorType;
+(function(SubagentActivityErrorType2) {
+  SubagentActivityErrorType2["REJECTED"] = "REJECTED";
+  SubagentActivityErrorType2["CANCELLED"] = "CANCELLED";
+  SubagentActivityErrorType2["GENERIC"] = "GENERIC";
+})(SubagentActivityErrorType || (SubagentActivityErrorType = {}));
+var SUBAGENT_REJECTED_ERROR_PREFIX = "User rejected this operation.";
+var SUBAGENT_CANCELLED_ERROR_MESSAGE = "Request cancelled.";
+function isSubagentProgress(obj) {
+  return typeof obj === "object" && obj !== null && "isSubagentProgress" in obj && obj.isSubagentProgress === true;
+}
+function isToolActivityError(data) {
+  return data !== null && typeof data === "object" && "isError" in data && data.isError === true;
+}
+function getAgentCardLoadOptions(def) {
+  if (def.agentCardJson) {
+    return { type: "json", json: def.agentCardJson };
+  }
+  if (def.agentCardUrl) {
+    return { type: "url", url: def.agentCardUrl };
+  }
+  throw new Error(`Remote agent '${def.name}' has neither agentCardUrl nor agentCardJson`);
+}
+function getRemoteAgentTargetUrl(def) {
+  if (def.agentCardUrl) {
+    return def.agentCardUrl;
+  }
+  if (def.agentCardJson) {
+    try {
+      const parsed = JSON.parse(def.agentCardJson);
+      const card = parsed;
+      if (card.url) {
+        return card.url;
+      }
+    } catch {
+    }
+  }
+  return void 0;
+}
+
 // node_modules/js-yaml/dist/js-yaml.mjs
 function isNothing(subject) {
   return typeof subject === "undefined" || subject === null;
@@ -325494,34 +325550,6 @@ import * as fs46 from "node:fs/promises";
 import * as path61 from "node:path";
 import * as crypto16 from "node:crypto";
 
-// packages/core/dist/src/agents/types.js
-var AgentTerminateMode;
-(function(AgentTerminateMode2) {
-  AgentTerminateMode2["ERROR"] = "ERROR";
-  AgentTerminateMode2["TIMEOUT"] = "TIMEOUT";
-  AgentTerminateMode2["GOAL"] = "GOAL";
-  AgentTerminateMode2["MAX_TURNS"] = "MAX_TURNS";
-  AgentTerminateMode2["ABORTED"] = "ABORTED";
-  AgentTerminateMode2["ERROR_NO_COMPLETE_TASK_CALL"] = "ERROR_NO_COMPLETE_TASK_CALL";
-})(AgentTerminateMode || (AgentTerminateMode = {}));
-var DEFAULT_QUERY_STRING = "Get Started!";
-var DEFAULT_MAX_TURNS = 30;
-var DEFAULT_MAX_TIME_MINUTES = 10;
-var SubagentActivityErrorType;
-(function(SubagentActivityErrorType2) {
-  SubagentActivityErrorType2["REJECTED"] = "REJECTED";
-  SubagentActivityErrorType2["CANCELLED"] = "CANCELLED";
-  SubagentActivityErrorType2["GENERIC"] = "GENERIC";
-})(SubagentActivityErrorType || (SubagentActivityErrorType = {}));
-var SUBAGENT_REJECTED_ERROR_PREFIX = "User rejected this operation.";
-var SUBAGENT_CANCELLED_ERROR_MESSAGE = "Request cancelled.";
-function isSubagentProgress(obj) {
-  return typeof obj === "object" && obj !== null && "isSubagentProgress" in obj && obj.isSubagentProgress === true;
-}
-function isToolActivityError(data) {
-  return data !== null && typeof data === "object" && "isError" in data && data.isError === true;
-}
-
 // packages/core/dist/src/skills/skillLoader.js
 import * as fs45 from "node:fs/promises";
 import * as path60 from "node:path";
@@ -325705,17 +325733,17 @@ var authConfigSchema = external_exports.discriminatedUnion("type", [
   oauth2AuthSchema
 ]).superRefine((data, ctx) => {
   if (data.type === "http") {
-    if (data.value) {
+    if (data.value)
       return;
-    }
-    if (data.scheme === "Bearer" && !data.token) {
-      ctx.addIssue({
-        code: external_exports.ZodIssueCode.custom,
-        message: 'Bearer scheme requires "token"',
-        path: ["token"]
-      });
-    }
-    if (data.scheme === "Basic") {
+    if (data.scheme === "Bearer") {
+      if (!data.token) {
+        ctx.addIssue({
+          code: external_exports.ZodIssueCode.custom,
+          message: 'Bearer scheme requires "token"',
+          path: ["token"]
+        });
+      }
+    } else if (data.scheme === "Basic") {
       if (!data.username) {
         ctx.addIssue({
           code: external_exports.ZodIssueCode.custom,
@@ -325730,39 +325758,88 @@ var authConfigSchema = external_exports.discriminatedUnion("type", [
           path: ["password"]
         });
       }
+    } else {
+      ctx.addIssue({
+        code: external_exports.ZodIssueCode.custom,
+        message: `HTTP scheme "${data.scheme}" requires "value"`,
+        path: ["value"]
+      });
     }
   }
 });
-var remoteAgentSchema = external_exports.object({
+var baseRemoteAgentSchema = external_exports.object({
   kind: external_exports.literal("remote").optional().default("remote"),
   name: nameSchema,
   description: external_exports.string().optional(),
   display_name: external_exports.string().optional(),
-  agent_card_url: external_exports.string().url(),
   auth: authConfigSchema.optional()
+});
+var remoteAgentUrlSchema = baseRemoteAgentSchema.extend({
+  agent_card_url: external_exports.string().url(),
+  agent_card_json: external_exports.undefined().optional()
 }).strict();
+var remoteAgentJsonSchema = baseRemoteAgentSchema.extend({
+  agent_card_url: external_exports.undefined().optional(),
+  agent_card_json: external_exports.string().refine((val) => {
+    try {
+      JSON.parse(val);
+      return true;
+    } catch {
+      return false;
+    }
+  }, { message: "agent_card_json must be valid JSON" })
+}).strict();
+var remoteAgentSchema = external_exports.union([
+  remoteAgentUrlSchema,
+  remoteAgentJsonSchema
+]);
 var agentUnionOptions = [
-  { schema: localAgentSchema, label: "Local Agent" },
-  { schema: remoteAgentSchema, label: "Remote Agent" }
+  { label: "Local Agent" },
+  { label: "Remote Agent" },
+  { label: "Remote Agent" }
 ];
 var remoteAgentsListSchema = external_exports.array(remoteAgentSchema);
 var markdownFrontmatterSchema = external_exports.union([
-  agentUnionOptions[0].schema,
-  agentUnionOptions[1].schema
+  localAgentSchema,
+  remoteAgentUrlSchema,
+  remoteAgentJsonSchema
 ]);
-function formatZodError(error40, context2) {
-  const issues = error40.issues.map((i3) => {
+function guessIntendedKind(rawInput) {
+  if (typeof rawInput !== "object" || rawInput === null)
+    return void 0;
+  const input = rawInput;
+  if (input.kind === "local")
+    return "local";
+  if (input.kind === "remote")
+    return "remote";
+  const hasLocalKeys = "tools" in input || "mcp_servers" in input || "model" in input || "temperature" in input || "max_turns" in input || "timeout_mins" in input;
+  const hasRemoteKeys = "agent_card_url" in input || "auth" in input || "agent_card_json" in input;
+  if (hasLocalKeys && !hasRemoteKeys)
+    return "local";
+  if (hasRemoteKeys && !hasLocalKeys)
+    return "remote";
+  return void 0;
+}
+function formatZodError(error40, context2, rawInput) {
+  const intendedKind = rawInput ? guessIntendedKind(rawInput) : void 0;
+  const formatIssues = (issues, unionPrefix) => issues.flatMap((i3) => {
     if (i3.code === external_exports.ZodIssueCode.invalid_union) {
-      return i3.unionErrors.map((unionError, index) => {
-        const label = agentUnionOptions[index]?.label ?? `Agent type #${index + 1}`;
-        const unionIssues = unionError.issues.map((u2) => `${u2.path.join(".")}: ${u2.message}`).join(", ");
-        return `(${label}) ${unionIssues}`;
-      }).join("\n");
+      return i3.unionErrors.flatMap((unionError, index) => {
+        const label = unionPrefix ? unionPrefix : agentUnionOptions[index]?.label ?? `Branch #${index + 1}`;
+        if (intendedKind === "local" && label === "Remote Agent")
+          return [];
+        if (intendedKind === "remote" && label === "Local Agent")
+          return [];
+        return formatIssues(unionError.issues, label);
+      });
     }
-    return `${i3.path.join(".")}: ${i3.message}`;
-  }).join("\n");
+    const prefix = unionPrefix ? `(${unionPrefix}) ` : "";
+    const path85 = i3.path.length > 0 ? `${i3.path.join(".")}: ` : "";
+    return `${prefix}${path85}${i3.message}`;
+  });
+  const formatted = Array.from(new Set(formatIssues(error40.issues))).join("\n");
   return `${context2}:
-${issues}`;
+${formatted}`;
 }
 async function parseAgentMarkdown(filePath, content) {
   let fileContent;
@@ -325785,11 +325862,7 @@ async function parseAgentMarkdown(filePath, content) {
   try {
     rawFrontmatter = load2(frontmatterStr);
   } catch (error40) {
-    throw new AgentLoadError(
-      filePath,
-      // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
-      `YAML frontmatter parsing failed: ${error40.message}`
-    );
+    throw new AgentLoadError(filePath, `YAML frontmatter parsing failed: ${getErrorMessage(error40)}`);
   }
   if (Array.isArray(rawFrontmatter)) {
     const result3 = remoteAgentsListSchema.safeParse(rawFrontmatter);
@@ -325803,7 +325876,7 @@ async function parseAgentMarkdown(filePath, content) {
   }
   const result2 = markdownFrontmatterSchema.safeParse(rawFrontmatter);
   if (!result2.success) {
-    throw new AgentLoadError(filePath, `Validation failed: ${formatZodError(result2.error, "Agent Definition")}`);
+    throw new AgentLoadError(filePath, `Validation failed: ${formatZodError(result2.error, "Agent Definition", rawFrontmatter)}`);
   }
   const frontmatter = result2.data;
   if (frontmatter.kind === "remote") {
@@ -325814,39 +325887,30 @@ async function parseAgentMarkdown(filePath, content) {
       }
     ];
   }
-  const agentDef = {
-    ...frontmatter,
-    kind: "local",
-    system_prompt: body2.trim()
-  };
-  return [agentDef];
+  return [
+    {
+      ...frontmatter,
+      kind: "local",
+      system_prompt: body2.trim()
+    }
+  ];
 }
 function convertFrontmatterAuthToConfig(frontmatter) {
-  const base = {};
   switch (frontmatter.type) {
     case "apiKey":
-      if (!frontmatter.key) {
-        throw new Error("Internal error: API key missing after validation.");
-      }
       return {
-        ...base,
         type: "apiKey",
         key: frontmatter.key,
         name: frontmatter.name
       };
     case "google-credentials":
       return {
-        ...base,
         type: "google-credentials",
         scopes: frontmatter.scopes
       };
-    case "http": {
-      if (!frontmatter.scheme) {
-        throw new Error("Internal error: HTTP scheme missing after validation.");
-      }
+    case "http":
       if (frontmatter.value) {
         return {
-          ...base,
           type: "http",
           scheme: frontmatter.scheme,
           value: frontmatter.value
@@ -325854,34 +325918,23 @@ function convertFrontmatterAuthToConfig(frontmatter) {
       }
       switch (frontmatter.scheme) {
         case "Bearer":
-          if (!frontmatter.token) {
-            throw new Error("Internal error: Bearer token missing after validation.");
-          }
           return {
-            ...base,
             type: "http",
             scheme: "Bearer",
             token: frontmatter.token
           };
         case "Basic":
-          if (!frontmatter.username || !frontmatter.password) {
-            throw new Error("Internal error: Basic auth credentials missing after validation.");
-          }
           return {
-            ...base,
             type: "http",
             scheme: "Basic",
             username: frontmatter.username,
             password: frontmatter.password
           };
-        default: {
+        default:
           throw new Error(`Unknown HTTP scheme: ${frontmatter.scheme}`);
-        }
       }
-    }
     case "oauth":
       return {
-        ...base,
         type: "oauth2",
         client_id: frontmatter.client_id,
         client_secret: frontmatter.client_secret,
@@ -325890,8 +325943,12 @@ function convertFrontmatterAuthToConfig(frontmatter) {
         token_url: frontmatter.token_url
       };
     default: {
-      const exhaustive = frontmatter.type;
-      throw new Error(`Unknown auth type: ${exhaustive}`);
+      const exhaustive = frontmatter;
+      const raw = exhaustive;
+      if (typeof raw === "object" && raw !== null && "type" in raw) {
+        throw new Error(`Unknown auth type: ${String(raw["type"])}`);
+      }
+      throw new Error("Unknown auth type");
     }
   }
 }
@@ -325910,20 +325967,28 @@ function markdownToAgentDefinition(markdown, metadata2) {
     }
   };
   if (markdown.kind === "remote") {
-    return {
+    const base = {
       kind: "remote",
       name: markdown.name,
       description: markdown.description || "",
       displayName: markdown.display_name,
-      agentCardUrl: markdown.agent_card_url,
       auth: markdown.auth ? convertFrontmatterAuthToConfig(markdown.auth) : void 0,
       inputConfig,
       metadata: metadata2
     };
+    if ("agent_card_json" in markdown && markdown.agent_card_json !== void 0) {
+      base.agentCardJson = markdown.agent_card_json;
+      return base;
+    }
+    if ("agent_card_url" in markdown && markdown.agent_card_url !== void 0) {
+      base.agentCardUrl = markdown.agent_card_url;
+      return base;
+    }
+    throw new AgentLoadError(metadata2?.filePath || "unknown", "Unexpected state: neither agent_card_json nor agent_card_url present on remote agent");
   }
   const modelName = markdown.model || "inherit";
   const mcpServers = {};
-  if (markdown.kind === "local" && markdown.mcp_servers) {
+  if (markdown.mcp_servers) {
     for (const [name3, config2] of Object.entries(markdown.mcp_servers)) {
       mcpServers[name3] = new MCPServerConfig(config2.command, config2.args, config2.env, config2.cwd, config2.url, config2.http_url, config2.headers, config2.tcp, config2.type, config2.timeout, config2.trust, config2.description, config2.include_tools, config2.exclude_tools);
     }
@@ -325965,14 +326030,10 @@ async function loadAgentsFromDirectory(dir) {
   try {
     dirEntries = await fs46.readdir(dir, { withFileTypes: true });
   } catch (error40) {
-    if (error40.code === "ENOENT") {
+    if (error40 instanceof Error && "code" in error40 && error40.code === "ENOENT") {
       return result2;
     }
-    result2.errors.push(new AgentLoadError(
-      dir,
-      // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
-      `Could not list directory: ${error40.message}`
-    ));
+    result2.errors.push(new AgentLoadError(dir, `Could not list directory: ${getErrorMessage(error40)}`));
     return result2;
   }
   const files = dirEntries.filter((entry) => entry.isFile() && !entry.name.startsWith("_") && entry.name.endsWith(".md"));
@@ -325990,11 +326051,7 @@ async function loadAgentsFromDirectory(dir) {
       if (error40 instanceof AgentLoadError) {
         result2.errors.push(error40);
       } else {
-        result2.errors.push(new AgentLoadError(
-          filePath,
-          // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
-          `Unexpected error: ${error40.message}`
-        ));
+        result2.errors.push(new AgentLoadError(filePath, `Unexpected error: ${getErrorMessage(error40)}`));
       }
     }
   }
@@ -327038,7 +327095,7 @@ var A2AAuthProviderFactory = class _A2AAuthProviderFactory {
         return provider;
       }
       case "oauth2": {
-        const { OAuth2AuthProvider } = await import("./oauth2-provider-VAAF5BS7.js");
+        const { OAuth2AuthProvider } = await import("./oauth2-provider-U2Y3KMJH.js");
         const provider = new OAuth2AuthProvider(authConfig, options.agentName ?? "unknown", agentCard, options.agentCardUrl);
         await provider.initialize();
         return provider;
@@ -327364,7 +327421,7 @@ var AgentRegistry = class {
           if (!agent.metadata) {
             agent.metadata = {};
           }
-          agent.metadata.hash = agent.agentCardUrl;
+          agent.metadata.hash = agent.agentCardUrl ?? (agent.agentCardJson ? crypto17.createHash("sha256").update(agent.agentCardJson).digest("hex") : void 0);
         }
         if (!agent.metadata?.hash) {
           agentsToRegister.push(agent);
@@ -327534,12 +327591,13 @@ var AgentRegistry = class {
         debugLogger.warn(`[AgentRegistry] Skipping remote agent '${definition.name}': A2AClientManager is not available.`);
         return;
       }
+      const targetUrl = getRemoteAgentTargetUrl(remoteDef);
       let authHandler;
       if (definition.auth) {
         const provider = await A2AAuthProviderFactory.create({
           authConfig: definition.auth,
           agentName: definition.name,
-          targetUrl: definition.agentCardUrl,
+          targetUrl,
           agentCardUrl: remoteDef.agentCardUrl
         });
         if (!provider) {
@@ -327547,7 +327605,7 @@ var AgentRegistry = class {
         }
         authHandler = provider;
       }
-      const agentCard = await clientManager.loadAgent(remoteDef.name, remoteDef.agentCardUrl, authHandler);
+      const agentCard = await clientManager.loadAgent(remoteDef.name, getAgentCardLoadOptions(remoteDef), authHandler);
       if (agentCard.securitySchemes) {
         const validation = A2AAuthProviderFactory.validateAuthConfig(definition.auth, agentCard.securitySchemes);
         if (!validation.valid && validation.diff) {
@@ -327575,7 +327633,7 @@ ${skillsList}`);
         definition.description = descriptions.join("\n");
       }
       if (this.config.getDebugMode()) {
-        debugLogger.log(`[AgentRegistry] Registered remote agent '${definition.name}' with card: ${definition.agentCardUrl}`);
+        debugLogger.log(`[AgentRegistry] Registered remote agent '${definition.name}' with card: ${definition.agentCardUrl ?? "inline JSON"}`);
       }
       this.agents.set(definition.name, definition);
       this.addAgentPolicy(definition);
@@ -331227,10 +331285,11 @@ var RemoteAgentInvocation = class _RemoteAgentInvocation extends BaseToolInvocat
       return this.authHandler;
     }
     if (this.definition.auth) {
+      const targetUrl = getRemoteAgentTargetUrl(this.definition);
       const provider = await A2AAuthProviderFactory.create({
         authConfig: this.definition.auth,
         agentName: this.definition.name,
-        targetUrl: this.definition.agentCardUrl,
+        targetUrl,
         agentCardUrl: this.definition.agentCardUrl
       });
       if (!provider) {
@@ -331275,7 +331334,7 @@ var RemoteAgentInvocation = class _RemoteAgentInvocation extends BaseToolInvocat
       }
       const authHandler = await this.getAuthHandler();
       if (!this.clientManager.getClient(this.definition.name)) {
-        await this.clientManager.loadAgent(this.definition.name, this.definition.agentCardUrl, authHandler);
+        await this.clientManager.loadAgent(this.definition.name, getAgentCardLoadOptions(this.definition), authHandler);
       }
       const message = this.params.query;
       const stream3 = this.clientManager.sendMessageStream(this.definition.name, message, {
@@ -333316,7 +333375,7 @@ var InjectionService = class {
 // packages/core/dist/src/policy/config.js
 import * as fs53 from "node:fs/promises";
 import * as path68 from "node:path";
-import * as crypto17 from "node:crypto";
+import * as crypto18 from "node:crypto";
 import { fileURLToPath as fileURLToPath17 } from "node:url";
 
 // packages/core/dist/src/policy/toml-loader.js
@@ -334191,7 +334250,7 @@ function createPolicyUpdater(policyEngine, messageBus, storage2) {
           }
           existingData.rule.push(newRule);
           const newContent = import_toml3.default.stringify(existingData);
-          const tmpSuffix = crypto17.randomBytes(8).toString("hex");
+          const tmpSuffix = crypto18.randomBytes(8).toString("hex");
           const tmpFile = `${policyFile}.${tmpSuffix}.tmp`;
           let handle2;
           try {
@@ -335918,7 +335977,7 @@ import { pathToFileURL } from "node:url";
 import { randomUUID as randomUUID8 } from "node:crypto";
 
 // packages/core/dist/src/mcp/oauth-provider.js
-import * as crypto19 from "node:crypto";
+import * as crypto20 from "node:crypto";
 import { URL as URL7 } from "node:url";
 
 // packages/core/dist/src/mcp/oauth-token-storage.js
@@ -336089,14 +336148,14 @@ var MCPOAuthTokenStorage = class {
 
 // packages/core/dist/src/utils/oauth-flow.js
 import * as http4 from "node:http";
-import * as crypto18 from "node:crypto";
+import * as crypto19 from "node:crypto";
 import { URL as URL6 } from "node:url";
 var REDIRECT_PATH = "/oauth/callback";
 var HTTP_OK = 200;
 function generatePKCEParams() {
-  const codeVerifier = crypto18.randomBytes(64).toString("base64url");
-  const codeChallenge = crypto18.createHash("sha256").update(codeVerifier).digest("base64url");
-  const state = crypto18.randomBytes(16).toString("base64url");
+  const codeVerifier = crypto19.randomBytes(64).toString("base64url");
+  const codeChallenge = crypto19.createHash("sha256").update(codeVerifier).digest("base64url");
+  const state = crypto19.randomBytes(16).toString("base64url");
   return { codeVerifier, codeChallenge, state };
 }
 function startCallbackServer(expectedState, port) {
@@ -336630,7 +336689,7 @@ ${authUrl}
       debugLogger.debug("\u2713 Authentication successful! Token saved.");
       const savedToken = await this.tokenStorage.getCredentials(serverName);
       if (savedToken && savedToken.token && savedToken.token.accessToken) {
-        const tokenFingerprint = crypto19.createHash("sha256").update(savedToken.token.accessToken).digest("hex").slice(0, 8);
+        const tokenFingerprint = crypto20.createHash("sha256").update(savedToken.token.accessToken).digest("hex").slice(0, 8);
         debugLogger.debug(`\u2713 Token verification successful (fingerprint: ${tokenFingerprint})`);
       } else {
         debugLogger.warn("Token verification failed: token not found or invalid after save");
@@ -337861,7 +337920,7 @@ function isEnabled(funcDecl, mcpServerName, mcpServerConfig) {
 }
 
 // packages/core/dist/src/tools/mcp-client-manager.js
-import { createHash as createHash8 } from "node:crypto";
+import { createHash as createHash9 } from "node:crypto";
 var McpClientManager = class {
   clients = /* @__PURE__ */ new Map();
   // Track all configured servers (including disabled ones) for UI display
@@ -338049,7 +338108,7 @@ var McpClientManager = class {
       config: rest,
       extensionId: extension?.id
     };
-    return createHash8("sha256").update(stableStringify(keyData)).digest("hex");
+    return createHash9("sha256").update(stableStringify(keyData)).digest("hex");
   }
   /**
    * Merges two MCP configurations. The second configuration (override)
@@ -345920,7 +345979,7 @@ var A2AClientManager = class {
    * @param authHandler Optional authentication handler to use for this agent.
    * @returns The loaded AgentCard.
    */
-  async loadAgent(name3, agentCardUrl, authHandler) {
+  async loadAgent(name3, options, authHandler) {
     if (this.clients.has(name3) && this.agentCards.has(name3)) {
       throw new Error(`Agent with name '${name3}' is already loaded.`);
     }
@@ -345936,7 +345995,19 @@ var A2AClientManager = class {
       return response;
     };
     const resolver = new DefaultAgentCardResolver({ fetchImpl: cardFetch });
-    const rawCard = await resolver.resolve(agentCardUrl, "");
+    let rawCard;
+    let urlIdentifier = "inline JSON";
+    if (options.type === "json") {
+      try {
+        rawCard = JSON.parse(options.json);
+      } catch (error40) {
+        const msg = error40 instanceof Error ? error40.message : String(error40);
+        throw new Error(`Failed to parse inline agent card JSON for agent '${name3}': ${msg}`);
+      }
+    } else {
+      urlIdentifier = options.url;
+      rawCard = await resolver.resolve(options.url, "");
+    }
     const agentCard = normalizeAgentCard(rawCard);
     const grpcUrl = agentCard.additionalInterfaces?.find((i3) => i3.transport === "GRPC")?.url ?? agentCard.url;
     const clientOptions = ClientFactoryOptions.createFrom(ClientFactoryOptions.default, {
@@ -345954,10 +346025,10 @@ var A2AClientManager = class {
       const client = await factory.createFromAgentCard(agentCard);
       this.clients.set(name3, client);
       this.agentCards.set(name3, agentCard);
-      debugLogger.debug(`[A2AClientManager] Loaded agent '${name3}' from ${agentCardUrl}`);
+      debugLogger.debug(`[A2AClientManager] Loaded agent '${name3}' from ${urlIdentifier}`);
       return agentCard;
     } catch (error40) {
-      throw classifyAgentError(name3, agentCardUrl, error40);
+      throw classifyAgentError(name3, urlIdentifier, error40);
     }
   }
   /**
@@ -348245,7 +348316,7 @@ var StreamJsonFormatter = class {
 };
 
 // packages/core/dist/src/policy/integrity.js
-import * as crypto20 from "node:crypto";
+import * as crypto21 from "node:crypto";
 import * as fs58 from "node:fs/promises";
 import * as path73 from "node:path";
 var IntegrityStatus;
@@ -348300,7 +348371,7 @@ var PolicyIntegrityManager = class _PolicyIntegrityManager {
     try {
       const files = await readPolicyFiles(policyDir);
       files.sort((a2, b) => a2.path.localeCompare(b.path));
-      const hash = crypto20.createHash("sha256");
+      const hash = crypto21.createHash("sha256");
       for (const file2 of files) {
         const relativePath = path73.relative(policyDir, file2.path);
         hash.update(relativePath);
@@ -348350,7 +348421,7 @@ var PolicyIntegrityManager = class _PolicyIntegrityManager {
 // packages/core/dist/src/config/extensions/integrity.js
 import * as fs59 from "node:fs";
 import * as path74 from "node:path";
-import { createHash as createHash10, createHmac, randomBytes as randomBytes6, timingSafeEqual } from "node:crypto";
+import { createHash as createHash11, createHmac, randomBytes as randomBytes6, timingSafeEqual } from "node:crypto";
 var import_json_stable_stringify = __toESM(require_json_stable_stringify(), 1);
 
 // packages/core/dist/src/config/extensions/integrityTypes.js
@@ -348481,7 +348552,7 @@ var ExtensionIntegrityStore = class {
    */
   generateHash(metadata2) {
     const content = (0, import_json_stable_stringify.default)(metadata2) ?? "";
-    return createHash10("sha256").update(content).digest("hex");
+    return createHash11("sha256").update(content).digest("hex");
   }
   /**
    * Generates an HMAC-SHA256 signature using the master secret key.
@@ -349385,11 +349456,11 @@ var import_fdir = __toESM(require_dist9(), 1);
 import path77 from "node:path";
 
 // packages/core/dist/src/utils/filesearch/crawlCache.js
-import crypto21 from "node:crypto";
+import crypto22 from "node:crypto";
 var crawlCache = /* @__PURE__ */ new Map();
 var cacheTimers = /* @__PURE__ */ new Map();
 var getCacheKey = (directory, ignoreContent, maxDepth) => {
-  const hash = crypto21.createHash("sha256");
+  const hash = crypto22.createHash("sha256");
   hash.update(directory);
   hash.update(ignoreContent);
   if (maxDepth !== void 0) {
@@ -353489,6 +353560,8 @@ export {
   SUBAGENT_CANCELLED_ERROR_MESSAGE,
   isSubagentProgress,
   isToolActivityError,
+  getAgentCardLoadOptions,
+  getRemoteAgentTargetUrl,
   FRONTMATTER_REGEX,
   loadSkillsFromDir,
   loadSkillFromFile,