@hanzo/bot 2026.3.7 → 2026.3.8

package/dist/{auth-profiles-BCHBDrea.js → auth-profiles-BtxyXCZY.js}

@@ -1,20 +1,23 @@
 import { t as __exportAll } from "./rolldown-runtime-Cbj13DAv.js";
 import { _ as expandHomePrefix, a as resolveCanonicalConfigPath, c as resolveDefaultConfigCandidates, d as resolveIsNixMode, f as resolveLegacyStateDirs, g as resolveStateDir, h as resolveOAuthPath, i as isNixMode, l as resolveGatewayLockDir, m as resolveOAuthDir, n as DEFAULT_GATEWAY_PORT, o as resolveConfigPath, p as resolveNewStateDir, r as STATE_DIR, s as resolveConfigPathCandidate, t as CONFIG_PATH, u as resolveGatewayPort, y as resolveRequiredHomeDir } from "./paths-BMo6kTge.js";
-import { c as stripAnsi, t as createSubsystemLogger } from "./subsystem-Cfn2Pryx.js";
+import { c as stripAnsi, t as createSubsystemLogger } from "./subsystem-C6poMade.js";
 import { r as isTruthyEnvValue } from "./entry.js";
-import { t as formatCliCommand } from "./command-format-CLEQe4bk.js";
-import { N as resolveAgentModelPrimaryValue, P as toAgentModelListLike, d as resolveDefaultAgentId, i as resolveAgentConfig, o as resolveAgentEffectiveModelPrimary, u as resolveAgentWorkspaceDir } from "./agent-scope-C5bklqr1.js";
-import { c as normalizeAgentId, t as DEFAULT_AGENT_ID, y as isBlockedObjectKey } from "./session-key-k6urs9r-.js";
-import { E as isPlainObject$2, S as sleep, h as resolveConfigDir, u as isRecord$2, v as resolveUserPath } from "./utils-cwpAMi-t.js";
-import { a as openBoundaryFileSync, r as canUseBoundaryFileOpen } from "./openclaw-root-BFfBQ6FD.js";
-import { n as runExec } from "./exec-B45rafWZ.js";
-import { B as parseEnvTemplateSecretRef, F as hasConfiguredSecretInput, I as isSecretRef, L as isValidEnvSecretRefId, M as ENV_SECRET_REF_ID_RE, N as assertSecretInputResolved, P as coerceSecretRef, R as normalizeResolvedSecretInputString, V as resolveSecretInputRef, j as DEFAULT_SECRET_PROVIDER_ALIAS, l as normalizeChatChannelId, t as CHANNEL_IDS, z as normalizeSecretInputString } from "./registry-CxLUHPLp.js";
-import { a as saveJsonFile, i as loadJsonFile, r as resolveCopilotApiToken, t as DEFAULT_COPILOT_API_BASE_URL } from "./github-copilot-token-Byc_YVYE.js";
-import { _ as sanitizeHostExecEnv, d as normalizePluginsConfig, f as resolveEffectiveEnableState, g as normalizeEnvVarKey, h as isDangerousHostEnvVarName, m as isDangerousHostEnvOverrideVarName, n as loadPluginManifestRegistry, p as resolveMemorySlotDecision } from "./manifest-registry-9oWnIuht.js";
-import { t as VERSION } from "./version-DdJhsIqk.js";
-import { i as isPathInside } from "./legacy-names-D3aIn6ij.js";
-import { d as TOOLS_BY_SENDER_KEY_TYPES, f as parseToolsBySenderTypedKey } from "./dock-D1Nz-RwP.js";
-import { t as runTasksWithConcurrency } from "./run-with-concurrency-CzLnwXXV.js";
+import { _ as AUTH_STORE_LOCK_OPTIONS, c as updateAuthProfileStoreWithLock, d as resolveAuthStorePathForDisplay, l as ensureAuthStoreFile, n as ensureAuthProfileStore, o as saveAuthProfileStore, p as withFileLock, u as resolveAuthStorePath, x as log$6 } from "./store-D8F_4CRR.js";
+import { t as formatCliCommand } from "./command-format-MESnUO9S.js";
+import { N as resolveAgentModelPrimaryValue, P as toAgentModelListLike, d as resolveDefaultAgentId, i as resolveAgentConfig, o as resolveAgentEffectiveModelPrimary, u as resolveAgentWorkspaceDir } from "./agent-scope-BcruZHHR.js";
+import { c as normalizeAgentId, t as DEFAULT_AGENT_ID, y as isBlockedObjectKey } from "./session-key-CC77ya0a.js";
+import { E as isPlainObject$2, S as sleep, h as resolveConfigDir, u as isRecord$2, v as resolveUserPath } from "./utils-BnC3HGtm.js";
+import { a as openBoundaryFileSync, r as canUseBoundaryFileOpen } from "./openclaw-root-T5G2ldGE.js";
+import { n as runExec } from "./exec-B8Hv4Nkd.js";
+import { a as hasConfiguredSecretInput, c as normalizeResolvedSecretInputString, d as resolveSecretInputRef, i as coerceSecretRef, l as normalizeSecretInputString, n as ENV_SECRET_REF_ID_RE, o as isSecretRef, r as assertSecretInputResolved, s as isValidEnvSecretRefId, t as DEFAULT_SECRET_PROVIDER_ALIAS, u as parseEnvTemplateSecretRef } from "./types.secrets-CpVqMFti.js";
+import { r as resolveCopilotApiToken, t as DEFAULT_COPILOT_API_BASE_URL } from "./github-copilot-token-BKQ4nXAw.js";
+import { _ as sanitizeHostExecEnv, d as normalizePluginsConfig, f as resolveEffectiveEnableState, g as normalizeEnvVarKey, h as isDangerousHostEnvVarName, m as isDangerousHostEnvOverrideVarName, n as loadPluginManifestRegistry, p as resolveMemorySlotDecision } from "./manifest-registry-m_hXBIk-.js";
+import { t as VERSION } from "./version-DT-JIO28.js";
+import { i as isPathInside } from "./legacy-names-DV-6rguu.js";
+import { t as CHANNEL_IDS, u as normalizeChatChannelId } from "./registry-DnJ84ILp.js";
+import { i as isCanonicalDottedDecimalIPv4, u as isLoopbackIpAddress } from "./ip-C7WWCRN7.js";
+import { d as TOOLS_BY_SENDER_KEY_TYPES, f as parseToolsBySenderTypedKey } from "./dock-nMBfeGKa.js";
+import { t as runTasksWithConcurrency } from "./run-with-concurrency-CLARJMM7.js";
 import { createRequire } from "node:module";
 import { execFileSync, spawn } from "node:child_process";
 import os from "node:os";
@@ -27,32 +30,8 @@ import { BedrockClient, ListFoundationModelsCommand } from "@aws-sdk/client-bedr
 import { createAssistantMessageEventStream, getEnvApiKey, getOAuthApiKey, getOAuthProviders } from "@mariozechner/pi-ai";
 import crypto, { createHash, randomBytes, randomUUID } from "node:crypto";
 import dotenv from "dotenv";
-import ipaddr from "ipaddr.js";
 import { z } from "zod";
 
-//#region src/agents/auth-profiles/constants.ts
-const AUTH_STORE_VERSION = 1;
-const AUTH_PROFILE_FILENAME = "auth-profiles.json";
-const LEGACY_AUTH_FILENAME = "auth.json";
-const CLAUDE_CLI_PROFILE_ID = "anthropic:claude-cli";
-const CODEX_CLI_PROFILE_ID = "openai-codex:codex-cli";
-const QWEN_CLI_PROFILE_ID = "qwen-portal:qwen-cli";
-const MINIMAX_CLI_PROFILE_ID = "minimax-portal:minimax-cli";
-const AUTH_STORE_LOCK_OPTIONS = {
-	retries: {
-		retries: 10,
-		factor: 2,
-		minTimeout: 100,
-		maxTimeout: 1e4,
-		randomize: true
-	},
-	stale: 3e4
-};
-const EXTERNAL_CLI_SYNC_TTL_MS = 900 * 1e3;
-const EXTERNAL_CLI_NEAR_EXPIRY_MS = 600 * 1e3;
-const log$7 = createSubsystemLogger("agents/auth-profiles");
-
-//#endregion
 //#region src/agents/auth-profiles/display.ts
 function resolveAuthProfileDisplayLabel(params) {
 	const { cfg, store, profileId } = params;
@@ -208,7 +187,7 @@ function normalizeOptionalSecretInput(value) {
 
 //#endregion
 //#region src/agents/bedrock-discovery.ts
-const log$6 = createSubsystemLogger("bedrock-discovery");
+const log$5 = createSubsystemLogger("bedrock-discovery");
 const DEFAULT_REFRESH_INTERVAL_SECONDS = 3600;
 const DEFAULT_CONTEXT_WINDOW = 32e3;
 const DEFAULT_MAX_TOKENS = 4096;
@@ -330,7 +309,7 @@ async function discoverBedrockModels(params) {
 		if (refreshIntervalSeconds > 0) discoveryCache.delete(cacheKey);
 		if (!hasLoggedBedrockError) {
 			hasLoggedBedrockError = true;
-			log$6.warn(`Failed to list models: ${String(error)}`);
+			log$5.warn(`Failed to list models: ${String(error)}`);
 		}
 		return [];
 	}
@@ -534,7 +513,7 @@ const DOUBAO_CODING_MODEL_CATALOG = [...VOLC_SHARED_CODING_MODEL_CATALOG, {
 
 //#endregion
 //#region src/agents/huggingface-models.ts
-const log$5 = createSubsystemLogger("huggingface-models");
+const log$4 = createSubsystemLogger("huggingface-models");
 /** Hugging Face Inference Providers (router) — OpenAI-compatible chat completions. */
 const HUGGINGFACE_BASE_URL = "https://router.huggingface.co/v1";
 /** Router policy suffixes: router picks backend by cost or speed; no specific provider selection. */
@@ -664,12 +643,12 @@ async function discoverHuggingfaceModels(apiKey) {
 			}
 		});
 		if (!response.ok) {
-			log$5.warn(`GET /v1/models failed: HTTP ${response.status}, using static catalog`);
+			log$4.warn(`GET /v1/models failed: HTTP ${response.status}, using static catalog`);
 			return HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
 		}
 		const data = (await response.json())?.data;
 		if (!Array.isArray(data) || data.length === 0) {
-			log$5.warn("No models in response, using static catalog");
+			log$4.warn("No models in response, using static catalog");
 			return HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
 		}
 		const catalogById = new Map(HUGGINGFACE_MODEL_CATALOG.map((m) => [m.id, m]));
@@ -700,7 +679,7 @@ async function discoverHuggingfaceModels(apiKey) {
 		}
 		return models.length > 0 ? models : HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
 	} catch (error) {
-		log$5.warn(`Discovery failed: ${String(error)}, using static catalog`);
+		log$4.warn(`Discovery failed: ${String(error)}, using static catalog`);
 		return HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
 	}
 }
@@ -1196,7 +1175,7 @@ function buildStreamErrorAssistantMessage(params) {
 
 //#endregion
 //#region src/agents/ollama-stream.ts
-const log$4 = createSubsystemLogger("ollama-stream");
+const log$3 = createSubsystemLogger("ollama-stream");
 const OLLAMA_NATIVE_BASE_URL = "http://127.0.0.1:11434";
 const MAX_SAFE_INTEGER_ABS_STR = String(Number.MAX_SAFE_INTEGER);
 function isAsciiDigit(ch) {
@@ -1387,14 +1366,14 @@ async function* parseNdjsonStream(reader) {
 			try {
 				yield parseJsonPreservingUnsafeIntegers(trimmed);
 			} catch {
-				log$4.warn(`Skipping malformed NDJSON line: ${trimmed.slice(0, 120)}`);
+				log$3.warn(`Skipping malformed NDJSON line: ${trimmed.slice(0, 120)}`);
 			}
 		}
 	}
 	if (buffer.trim()) try {
 		yield parseJsonPreservingUnsafeIntegers(buffer.trim());
 	} catch {
-		log$4.warn(`Skipping malformed trailing data: ${buffer.trim().slice(0, 120)}`);
+		log$3.warn(`Skipping malformed trailing data: ${buffer.trim().slice(0, 120)}`);
 	}
 }
 function resolveOllamaChatUrl(baseUrl) {
@@ -1880,7 +1859,7 @@ async function retryAsync(fn, attemptsOrOptions = 3, initialDelayMs = 300) {
 
 //#endregion
 //#region src/agents/venice-models.ts
-const log$3 = createSubsystemLogger("venice-models");
+const log$2 = createSubsystemLogger("venice-models");
 const VENICE_BASE_URL = "https://api.venice.ai/api/v1";
 const VENICE_DEFAULT_MODEL_ID = "llama-3.3-70b";
 const VENICE_DEFAULT_MODEL_REF = `venice/${VENICE_DEFAULT_MODEL_ID}`;
@@ -2228,12 +2207,12 @@ async function discoverVeniceModels() {
 			shouldRetry: isRetryableVeniceDiscoveryError
 		});
 		if (!response.ok) {
-			log$3.warn(`Failed to discover models: HTTP ${response.status}, using static catalog`);
+			log$2.warn(`Failed to discover models: HTTP ${response.status}, using static catalog`);
 			return staticVeniceModelDefinitions();
 		}
 		const data = await response.json();
 		if (!Array.isArray(data.data) || data.data.length === 0) {
-			log$3.warn("No models found from API, using static catalog");
+			log$2.warn("No models found from API, using static catalog");
 			return staticVeniceModelDefinitions();
 		}
 		const catalogById = new Map(VENICE_MODEL_CATALOG.map((m) => [m.id, m]));
@@ -2259,10 +2238,10 @@ async function discoverVeniceModels() {
 		return models.length > 0 ? models : staticVeniceModelDefinitions();
 	} catch (error) {
 		if (error instanceof VeniceDiscoveryHttpError) {
-			log$3.warn(`Failed to discover models: HTTP ${error.status}, using static catalog`);
+			log$2.warn(`Failed to discover models: HTTP ${error.status}, using static catalog`);
 			return staticVeniceModelDefinitions();
 		}
-		log$3.warn(`Discovery failed: ${String(error)}, using static catalog`);
+		log$2.warn(`Discovery failed: ${String(error)}, using static catalog`);
 		return staticVeniceModelDefinitions();
 	}
 }
@@ -2388,7 +2367,7 @@ const NVIDIA_DEFAULT_COST = {
 	cacheRead: 0,
 	cacheWrite: 0
 };
-const log$2 = createSubsystemLogger("agents/model-providers");
+const log$1 = createSubsystemLogger("agents/model-providers");
 /**
 * Derive the Ollama native API base URL from a configured base URL.
 *
@@ -2427,16 +2406,16 @@ async function discoverOllamaModels(baseUrl, opts) {
 		const apiBase = resolveOllamaApiBase(baseUrl);
 		const response = await fetch(`${apiBase}/api/tags`, { signal: AbortSignal.timeout(5e3) });
 		if (!response.ok) {
-			if (!opts?.quiet) log$2.warn(`Failed to discover Ollama models: ${response.status}`);
+			if (!opts?.quiet) log$1.warn(`Failed to discover Ollama models: ${response.status}`);
 			return [];
 		}
 		const data = await response.json();
 		if (!data.models || data.models.length === 0) {
-			log$2.debug("No Ollama models found on local instance");
+			log$1.debug("No Ollama models found on local instance");
 			return [];
 		}
 		const modelsToInspect = data.models.slice(0, OLLAMA_SHOW_MAX_MODELS);
-		if (modelsToInspect.length < data.models.length && !opts?.quiet) log$2.warn(`Capping Ollama /api/show inspection to ${OLLAMA_SHOW_MAX_MODELS} models (received ${data.models.length})`);
+		if (modelsToInspect.length < data.models.length && !opts?.quiet) log$1.warn(`Capping Ollama /api/show inspection to ${OLLAMA_SHOW_MAX_MODELS} models (received ${data.models.length})`);
 		const discovered = [];
 		for (let index = 0; index < modelsToInspect.length; index += OLLAMA_SHOW_CONCURRENCY) {
 			const batch = modelsToInspect.slice(index, index + OLLAMA_SHOW_CONCURRENCY);
@@ -2457,7 +2436,7 @@ async function discoverOllamaModels(baseUrl, opts) {
 		}
 		return discovered;
 	} catch (error) {
-		if (!opts?.quiet) log$2.warn(`Failed to discover Ollama models: ${String(error)}`);
+		if (!opts?.quiet) log$1.warn(`Failed to discover Ollama models: ${String(error)}`);
 		return [];
 	}
 }
@@ -2471,12 +2450,12 @@ async function discoverVllmModels(baseUrl, apiKey) {
 			signal: AbortSignal.timeout(5e3)
 		});
 		if (!response.ok) {
-			log$2.warn(`Failed to discover vLLM models: ${response.status}`);
+			log$1.warn(`Failed to discover vLLM models: ${response.status}`);
 			return [];
 		}
 		const models = (await response.json()).data ?? [];
 		if (models.length === 0) {
-			log$2.warn("No vLLM models found on local instance");
+			log$1.warn("No vLLM models found on local instance");
 			return [];
 		}
 		return models.map((m) => ({ id: typeof m.id === "string" ? m.id.trim() : "" })).filter((m) => Boolean(m.id)).map((m) => {
@@ -2493,7 +2472,7 @@ async function discoverVllmModels(baseUrl, apiKey) {
 			};
 		});
 	} catch (error) {
-		log$2.warn(`Failed to discover vLLM models: ${String(error)}`);
+		log$1.warn(`Failed to discover vLLM models: ${String(error)}`);
 		return [];
 	}
 }
@@ -3164,7 +3143,7 @@ async function resolveImplicitBedrockProvider(params) {
 
 //#endregion
 //#region src/agents/model-selection.ts
-const log$1 = createSubsystemLogger("model-selection");
+const log = createSubsystemLogger("model-selection");
 const ANTHROPIC_MODEL_ALIASES = {
 	"opus-4.6": "claude-opus-4-6",
 	"opus-4.5": "claude-opus-4-5",
@@ -3330,7 +3309,7 @@ function resolveConfiguredModelRef(params) {
 			const aliasKey = normalizeAliasKey(trimmed);
 			const aliasMatch = aliasIndex.byAlias.get(aliasKey);
 			if (aliasMatch) return aliasMatch.ref;
-			log$1.warn(`Model "${trimmed}" specified without provider. Falling back to "anthropic/${trimmed}". Please use "anthropic/${trimmed}" in your config.`);
+			log.warn(`Model "${trimmed}" specified without provider. Falling back to "anthropic/${trimmed}". Please use "anthropic/${trimmed}" in your config.`);
 			return {
 				provider: "anthropic",
 				model: trimmed
@@ -3515,661 +3494,6 @@ function normalizeModelSelection(value) {
 	if (typeof primary === "string" && primary.trim()) return primary.trim();
 }
 
-//#endregion
-//#region src/shared/pid-alive.ts
-function isValidPid(pid) {
-	return Number.isInteger(pid) && pid > 0;
-}
-/**
-* Check if a process is a zombie on Linux by reading /proc/<pid>/status.
-* Returns false on non-Linux platforms or if the proc file can't be read.
-*/
-function isZombieProcess(pid) {
-	if (process.platform !== "linux") return false;
-	try {
-		return fs.readFileSync(`/proc/${pid}/status`, "utf8").match(/^State:\s+(\S)/m)?.[1] === "Z";
-	} catch {
-		return false;
-	}
-}
-function isPidAlive(pid) {
-	if (!isValidPid(pid)) return false;
-	try {
-		process.kill(pid, 0);
-	} catch {
-		return false;
-	}
-	if (isZombieProcess(pid)) return false;
-	return true;
-}
-/**
-* Read the process start time (field 22 "starttime") from /proc/<pid>/stat.
-* Returns the value in clock ticks since system boot, or null on non-Linux
-* platforms or if the proc file can't be read.
-*
-* This is used to detect PID recycling: if two readings for the same PID
-* return different starttimes, the PID has been reused by a different process.
-*/
-function getProcessStartTime(pid) {
-	if (process.platform !== "linux") return null;
-	if (!isValidPid(pid)) return null;
-	try {
-		const stat = fs.readFileSync(`/proc/${pid}/stat`, "utf8");
-		const commEndIndex = stat.lastIndexOf(")");
-		if (commEndIndex < 0) return null;
-		const fields = stat.slice(commEndIndex + 1).trimStart().split(/\s+/);
-		const starttime = Number(fields[19]);
-		return Number.isInteger(starttime) && starttime >= 0 ? starttime : null;
-	} catch {
-		return null;
-	}
-}
-
-//#endregion
-//#region src/shared/process-scoped-map.ts
-function resolveProcessScopedMap(key) {
-	const proc = process;
-	const existing = proc[key];
-	if (existing) return existing;
-	const created = /* @__PURE__ */ new Map();
-	proc[key] = created;
-	return created;
-}
-
-//#endregion
-//#region src/plugin-sdk/file-lock.ts
-const HELD_LOCKS = resolveProcessScopedMap(Symbol.for("openclaw.fileLockHeldLocks"));
-function computeDelayMs(retries, attempt) {
-	const base = Math.min(retries.maxTimeout, Math.max(retries.minTimeout, retries.minTimeout * retries.factor ** attempt));
-	const jitter = retries.randomize ? 1 + Math.random() : 1;
-	return Math.min(retries.maxTimeout, Math.round(base * jitter));
-}
-async function readLockPayload(lockPath) {
-	try {
-		const raw = await fs$1.readFile(lockPath, "utf8");
-		const parsed = JSON.parse(raw);
-		if (typeof parsed.pid !== "number" || typeof parsed.createdAt !== "string") return null;
-		return {
-			pid: parsed.pid,
-			createdAt: parsed.createdAt
-		};
-	} catch {
-		return null;
-	}
-}
-async function resolveNormalizedFilePath(filePath) {
-	const resolved = path.resolve(filePath);
-	const dir = path.dirname(resolved);
-	await fs$1.mkdir(dir, { recursive: true });
-	try {
-		const realDir = await fs$1.realpath(dir);
-		return path.join(realDir, path.basename(resolved));
-	} catch {
-		return resolved;
-	}
-}
-async function isStaleLock(lockPath, staleMs) {
-	const payload = await readLockPayload(lockPath);
-	if (payload?.pid && !isPidAlive(payload.pid)) return true;
-	if (payload?.createdAt) {
-		const createdAt = Date.parse(payload.createdAt);
-		if (!Number.isFinite(createdAt) || Date.now() - createdAt > staleMs) return true;
-	}
-	try {
-		const stat = await fs$1.stat(lockPath);
-		return Date.now() - stat.mtimeMs > staleMs;
-	} catch {
-		return true;
-	}
-}
-async function releaseHeldLock(normalizedFile) {
-	const current = HELD_LOCKS.get(normalizedFile);
-	if (!current) return;
-	current.count -= 1;
-	if (current.count > 0) return;
-	HELD_LOCKS.delete(normalizedFile);
-	await current.handle.close().catch(() => void 0);
-	await fs$1.rm(current.lockPath, { force: true }).catch(() => void 0);
-}
-async function acquireFileLock(filePath, options) {
-	const normalizedFile = await resolveNormalizedFilePath(filePath);
-	const lockPath = `${normalizedFile}.lock`;
-	const held = HELD_LOCKS.get(normalizedFile);
-	if (held) {
-		held.count += 1;
-		return {
-			lockPath,
-			release: () => releaseHeldLock(normalizedFile)
-		};
-	}
-	const attempts = Math.max(1, options.retries.retries + 1);
-	for (let attempt = 0; attempt < attempts; attempt += 1) try {
-		const handle = await fs$1.open(lockPath, "wx");
-		await handle.writeFile(JSON.stringify({
-			pid: process.pid,
-			createdAt: (/* @__PURE__ */ new Date()).toISOString()
-		}, null, 2), "utf8");
-		HELD_LOCKS.set(normalizedFile, {
-			count: 1,
-			handle,
-			lockPath
-		});
-		return {
-			lockPath,
-			release: () => releaseHeldLock(normalizedFile)
-		};
-	} catch (err) {
-		if (err.code !== "EEXIST") throw err;
-		if (await isStaleLock(lockPath, options.stale)) {
-			await fs$1.rm(lockPath, { force: true }).catch(() => void 0);
-			continue;
-		}
-		if (attempt >= attempts - 1) break;
-		await new Promise((resolve) => setTimeout(resolve, computeDelayMs(options.retries, attempt)));
-	}
-	throw new Error(`file lock timeout for ${normalizedFile}`);
-}
-async function withFileLock(filePath, options, fn) {
-	const lock = await acquireFileLock(filePath, options);
-	try {
-		return await fn();
-	} finally {
-		await lock.release();
-	}
-}
-
-//#endregion
-//#region src/agents/cli-credentials.ts
-const log = createSubsystemLogger("agents/auth-profiles");
-const QWEN_CLI_CREDENTIALS_RELATIVE_PATH = ".qwen/oauth_creds.json";
-const MINIMAX_CLI_CREDENTIALS_RELATIVE_PATH = ".minimax/oauth_creds.json";
-let qwenCliCache = null;
-let minimaxCliCache = null;
-function resolveQwenCliCredentialsPath(homeDir) {
-	const baseDir = homeDir ?? resolveUserPath("~");
-	return path.join(baseDir, QWEN_CLI_CREDENTIALS_RELATIVE_PATH);
-}
-function resolveMiniMaxCliCredentialsPath(homeDir) {
-	const baseDir = homeDir ?? resolveUserPath("~");
-	return path.join(baseDir, MINIMAX_CLI_CREDENTIALS_RELATIVE_PATH);
-}
-function readQwenCliCredentials(options) {
-	return readPortalCliOauthCredentials(resolveQwenCliCredentialsPath(options?.homeDir), "qwen-portal");
-}
-function readPortalCliOauthCredentials(credPath, provider) {
-	const raw = loadJsonFile(credPath);
-	if (!raw || typeof raw !== "object") return null;
-	const data = raw;
-	const accessToken = data.access_token;
-	const refreshToken = data.refresh_token;
-	const expiresAt = data.expiry_date;
-	if (typeof accessToken !== "string" || !accessToken) return null;
-	if (typeof refreshToken !== "string" || !refreshToken) return null;
-	if (typeof expiresAt !== "number" || !Number.isFinite(expiresAt)) return null;
-	return {
-		type: "oauth",
-		provider,
-		access: accessToken,
-		refresh: refreshToken,
-		expires: expiresAt
-	};
-}
-function readMiniMaxCliCredentials(options) {
-	return readPortalCliOauthCredentials(resolveMiniMaxCliCredentialsPath(options?.homeDir), "minimax-portal");
-}
-function readQwenCliCredentialsCached(options) {
-	const ttlMs = options?.ttlMs ?? 0;
-	const now = Date.now();
-	const cacheKey = resolveQwenCliCredentialsPath(options?.homeDir);
-	if (ttlMs > 0 && qwenCliCache && qwenCliCache.cacheKey === cacheKey && now - qwenCliCache.readAt < ttlMs) return qwenCliCache.value;
-	const value = readQwenCliCredentials({ homeDir: options?.homeDir });
-	if (ttlMs > 0) qwenCliCache = {
-		value,
-		readAt: now,
-		cacheKey
-	};
-	return value;
-}
-function readMiniMaxCliCredentialsCached(options) {
-	const ttlMs = options?.ttlMs ?? 0;
-	const now = Date.now();
-	const cacheKey = resolveMiniMaxCliCredentialsPath(options?.homeDir);
-	if (ttlMs > 0 && minimaxCliCache && minimaxCliCache.cacheKey === cacheKey && now - minimaxCliCache.readAt < ttlMs) return minimaxCliCache.value;
-	const value = readMiniMaxCliCredentials({ homeDir: options?.homeDir });
-	if (ttlMs > 0) minimaxCliCache = {
-		value,
-		readAt: now,
-		cacheKey
-	};
-	return value;
-}
-
-//#endregion
-//#region src/agents/auth-profiles/external-cli-sync.ts
-function shallowEqualOAuthCredentials(a, b) {
-	if (!a) return false;
-	if (a.type !== "oauth") return false;
-	return a.provider === b.provider && a.access === b.access && a.refresh === b.refresh && a.expires === b.expires && a.email === b.email && a.enterpriseUrl === b.enterpriseUrl && a.projectId === b.projectId && a.accountId === b.accountId;
-}
-function isExternalProfileFresh(cred, now) {
-	if (!cred) return false;
-	if (cred.type !== "oauth" && cred.type !== "token") return false;
-	if (cred.provider !== "qwen-portal" && cred.provider !== "minimax-portal") return false;
-	if (typeof cred.expires !== "number") return true;
-	return cred.expires > now + EXTERNAL_CLI_NEAR_EXPIRY_MS;
-}
-/** Sync external CLI credentials into the store for a given provider. */
-function syncExternalCliCredentialsForProvider(store, profileId, provider, readCredentials, now) {
-	const existing = store.profiles[profileId];
-	const creds = !existing || existing.provider !== provider || !isExternalProfileFresh(existing, now) ? readCredentials() : null;
-	if (!creds) return false;
-	const existingOAuth = existing?.type === "oauth" ? existing : void 0;
-	if ((!existingOAuth || existingOAuth.provider !== provider || existingOAuth.expires <= now || creds.expires > existingOAuth.expires) && !shallowEqualOAuthCredentials(existingOAuth, creds)) {
-		store.profiles[profileId] = creds;
-		log$7.info(`synced ${provider} credentials from external cli`, {
-			profileId,
-			expires: new Date(creds.expires).toISOString()
-		});
-		return true;
-	}
-	return false;
-}
-/**
-* Sync OAuth credentials from external CLI tools (Qwen Code CLI, MiniMax CLI) into the store.
-*
-* Returns true if any credentials were updated.
-*/
-function syncExternalCliCredentials(store) {
-	let mutated = false;
-	const now = Date.now();
-	const existingQwen = store.profiles[QWEN_CLI_PROFILE_ID];
-	const qwenCreds = !existingQwen || existingQwen.provider !== "qwen-portal" || !isExternalProfileFresh(existingQwen, now) ? readQwenCliCredentialsCached({ ttlMs: EXTERNAL_CLI_SYNC_TTL_MS }) : null;
-	if (qwenCreds) {
-		const existing = store.profiles[QWEN_CLI_PROFILE_ID];
-		const existingOAuth = existing?.type === "oauth" ? existing : void 0;
-		if ((!existingOAuth || existingOAuth.provider !== "qwen-portal" || existingOAuth.expires <= now || qwenCreds.expires > existingOAuth.expires) && !shallowEqualOAuthCredentials(existingOAuth, qwenCreds)) {
-			store.profiles[QWEN_CLI_PROFILE_ID] = qwenCreds;
-			mutated = true;
-			log$7.info("synced qwen credentials from qwen cli", {
-				profileId: QWEN_CLI_PROFILE_ID,
-				expires: new Date(qwenCreds.expires).toISOString()
-			});
-		}
-	}
-	if (syncExternalCliCredentialsForProvider(store, MINIMAX_CLI_PROFILE_ID, "minimax-portal", () => readMiniMaxCliCredentialsCached({ ttlMs: EXTERNAL_CLI_SYNC_TTL_MS }), now)) mutated = true;
-	return mutated;
-}
-
-//#endregion
-//#region src/agents/agent-paths.ts
-function resolveOpenClawAgentDir() {
-	const override = process.env.OPENCLAW_AGENT_DIR?.trim() || process.env.PI_CODING_AGENT_DIR?.trim();
-	if (override) return resolveUserPath(override);
-	return resolveUserPath(path.join(resolveStateDir(), "agents", DEFAULT_AGENT_ID, "agent"));
-}
-
-//#endregion
-//#region src/agents/auth-profiles/paths.ts
-function resolveAuthStorePath(agentDir) {
-	const resolved = resolveUserPath(agentDir ?? resolveOpenClawAgentDir());
-	return path.join(resolved, AUTH_PROFILE_FILENAME);
-}
-function resolveLegacyAuthStorePath(agentDir) {
-	const resolved = resolveUserPath(agentDir ?? resolveOpenClawAgentDir());
-	return path.join(resolved, LEGACY_AUTH_FILENAME);
-}
-function resolveAuthStorePathForDisplay(agentDir) {
-	const pathname = resolveAuthStorePath(agentDir);
-	return pathname.startsWith("~") ? pathname : resolveUserPath(pathname);
-}
-function ensureAuthStoreFile(pathname) {
-	if (fs.existsSync(pathname)) return;
-	saveJsonFile(pathname, {
-		version: AUTH_STORE_VERSION,
-		profiles: {}
-	});
-}
-
-//#endregion
-//#region src/agents/auth-profiles/store.ts
-const AUTH_PROFILE_TYPES = new Set([
-	"api_key",
-	"oauth",
-	"token"
-]);
-const runtimeAuthStoreSnapshots = /* @__PURE__ */ new Map();
-function resolveRuntimeStoreKey(agentDir) {
-	return resolveAuthStorePath(agentDir);
-}
-function cloneAuthProfileStore(store) {
-	return structuredClone(store);
-}
-function resolveRuntimeAuthProfileStore(agentDir) {
-	if (runtimeAuthStoreSnapshots.size === 0) return null;
-	const mainKey = resolveRuntimeStoreKey(void 0);
-	const requestedKey = resolveRuntimeStoreKey(agentDir);
-	const mainStore = runtimeAuthStoreSnapshots.get(mainKey);
-	const requestedStore = runtimeAuthStoreSnapshots.get(requestedKey);
-	if (!agentDir || requestedKey === mainKey) {
-		if (!mainStore) return null;
-		return cloneAuthProfileStore(mainStore);
-	}
-	if (mainStore && requestedStore) return mergeAuthProfileStores(cloneAuthProfileStore(mainStore), cloneAuthProfileStore(requestedStore));
-	if (requestedStore) return cloneAuthProfileStore(requestedStore);
-	if (mainStore) return cloneAuthProfileStore(mainStore);
-	return null;
-}
-function replaceRuntimeAuthProfileStoreSnapshots(entries) {
-	runtimeAuthStoreSnapshots.clear();
-	for (const entry of entries) runtimeAuthStoreSnapshots.set(resolveRuntimeStoreKey(entry.agentDir), cloneAuthProfileStore(entry.store));
-}
-function clearRuntimeAuthProfileStoreSnapshots() {
-	runtimeAuthStoreSnapshots.clear();
-}
-async function updateAuthProfileStoreWithLock(params) {
-	const authPath = resolveAuthStorePath(params.agentDir);
-	ensureAuthStoreFile(authPath);
-	try {
-		return await withFileLock(authPath, AUTH_STORE_LOCK_OPTIONS, async () => {
-			const store = ensureAuthProfileStore(params.agentDir);
-			if (params.updater(store)) saveAuthProfileStore(store, params.agentDir);
-			return store;
-		});
-	} catch {
-		return null;
-	}
-}
-/**
-* Normalise a raw auth-profiles.json credential entry.
-*
-* The official format uses `type` and (for api_key credentials) `key`.
-* A common mistake — caused by the similarity with the `openclaw.json`
-* `auth.profiles` section which uses `mode` — is to write `mode` instead of
-* `type` and `apiKey` instead of `key`.  Accept both spellings so users don't
-* silently lose their credentials.
-*/
-function normalizeRawCredentialEntry(raw) {
-	const entry = { ...raw };
-	if (!("type" in entry) && typeof entry["mode"] === "string") entry["type"] = entry["mode"];
-	if (!("key" in entry) && typeof entry["apiKey"] === "string") entry["key"] = entry["apiKey"];
-	return entry;
-}
-function parseCredentialEntry(raw, fallbackProvider) {
-	if (!raw || typeof raw !== "object") return {
-		ok: false,
-		reason: "non_object"
-	};
-	const typed = normalizeRawCredentialEntry(raw);
-	if (!AUTH_PROFILE_TYPES.has(typed.type)) return {
-		ok: false,
-		reason: "invalid_type"
-	};
-	const provider = typed.provider ?? fallbackProvider;
-	if (typeof provider !== "string" || provider.trim().length === 0) return {
-		ok: false,
-		reason: "missing_provider"
-	};
-	return {
-		ok: true,
-		credential: {
-			...typed,
-			provider
-		}
-	};
-}
-function warnRejectedCredentialEntries(source, rejected) {
-	if (rejected.length === 0) return;
-	const reasons = rejected.reduce((acc, current) => {
-		acc[current.reason] = (acc[current.reason] ?? 0) + 1;
-		return acc;
-	}, {});
-	log$7.warn("ignored invalid auth profile entries during store load", {
-		source,
-		dropped: rejected.length,
-		reasons,
-		keys: rejected.slice(0, 10).map((entry) => entry.key)
-	});
-}
-function coerceLegacyStore(raw) {
-	if (!raw || typeof raw !== "object") return null;
-	const record = raw;
-	if ("profiles" in record) return null;
-	const entries = {};
-	const rejected = [];
-	for (const [key, value] of Object.entries(record)) {
-		const parsed = parseCredentialEntry(value, key);
-		if (!parsed.ok) {
-			rejected.push({
-				key,
-				reason: parsed.reason
-			});
-			continue;
-		}
-		entries[key] = parsed.credential;
-	}
-	warnRejectedCredentialEntries("auth.json", rejected);
-	return Object.keys(entries).length > 0 ? entries : null;
-}
-function coerceAuthStore(raw) {
-	if (!raw || typeof raw !== "object") return null;
-	const record = raw;
-	if (!record.profiles || typeof record.profiles !== "object") return null;
-	const profiles = record.profiles;
-	const normalized = {};
-	const rejected = [];
-	for (const [key, value] of Object.entries(profiles)) {
-		const parsed = parseCredentialEntry(value);
-		if (!parsed.ok) {
-			rejected.push({
-				key,
-				reason: parsed.reason
-			});
-			continue;
-		}
-		normalized[key] = parsed.credential;
-	}
-	warnRejectedCredentialEntries("auth-profiles.json", rejected);
-	const order = record.order && typeof record.order === "object" ? Object.entries(record.order).reduce((acc, [provider, value]) => {
-		if (!Array.isArray(value)) return acc;
-		const list = value.map((entry) => typeof entry === "string" ? entry.trim() : "").filter(Boolean);
-		if (list.length === 0) return acc;
-		acc[provider] = list;
-		return acc;
-	}, {}) : void 0;
-	return {
-		version: Number(record.version ?? AUTH_STORE_VERSION),
-		profiles: normalized,
-		order,
-		lastGood: record.lastGood && typeof record.lastGood === "object" ? record.lastGood : void 0,
-		usageStats: record.usageStats && typeof record.usageStats === "object" ? record.usageStats : void 0
-	};
-}
-function mergeRecord(base, override) {
-	if (!base && !override) return;
-	if (!base) return { ...override };
-	if (!override) return { ...base };
-	return {
-		...base,
-		...override
-	};
-}
-function mergeAuthProfileStores(base, override) {
-	if (Object.keys(override.profiles).length === 0 && !override.order && !override.lastGood && !override.usageStats) return base;
-	return {
-		version: Math.max(base.version, override.version ?? base.version),
-		profiles: {
-			...base.profiles,
-			...override.profiles
-		},
-		order: mergeRecord(base.order, override.order),
-		lastGood: mergeRecord(base.lastGood, override.lastGood),
-		usageStats: mergeRecord(base.usageStats, override.usageStats)
-	};
-}
-function mergeOAuthFileIntoStore(store) {
-	const oauthRaw = loadJsonFile(resolveOAuthPath());
-	if (!oauthRaw || typeof oauthRaw !== "object") return false;
-	const oauthEntries = oauthRaw;
-	let mutated = false;
-	for (const [provider, creds] of Object.entries(oauthEntries)) {
-		if (!creds || typeof creds !== "object") continue;
-		const profileId = `${provider}:default`;
-		if (store.profiles[profileId]) continue;
-		store.profiles[profileId] = {
-			type: "oauth",
-			provider,
-			...creds
-		};
-		mutated = true;
-	}
-	return mutated;
-}
-function applyLegacyStore(store, legacy) {
-	for (const [provider, cred] of Object.entries(legacy)) {
-		const profileId = `${provider}:default`;
-		if (cred.type === "api_key") {
-			store.profiles[profileId] = {
-				type: "api_key",
-				provider: String(cred.provider ?? provider),
-				key: cred.key,
-				...cred.email ? { email: cred.email } : {}
-			};
-			continue;
-		}
-		if (cred.type === "token") {
-			store.profiles[profileId] = {
-				type: "token",
-				provider: String(cred.provider ?? provider),
-				token: cred.token,
-				...typeof cred.expires === "number" ? { expires: cred.expires } : {},
-				...cred.email ? { email: cred.email } : {}
-			};
-			continue;
-		}
-		store.profiles[profileId] = {
-			type: "oauth",
-			provider: String(cred.provider ?? provider),
-			access: cred.access,
-			refresh: cred.refresh,
-			expires: cred.expires,
-			...cred.enterpriseUrl ? { enterpriseUrl: cred.enterpriseUrl } : {},
-			...cred.projectId ? { projectId: cred.projectId } : {},
-			...cred.accountId ? { accountId: cred.accountId } : {},
-			...cred.email ? { email: cred.email } : {}
-		};
-	}
-}
-function loadCoercedStore(authPath) {
-	return coerceAuthStore(loadJsonFile(authPath));
-}
-function loadAuthProfileStore() {
-	const authPath = resolveAuthStorePath();
-	const asStore = loadCoercedStore(authPath);
-	if (asStore) {
-		if (syncExternalCliCredentials(asStore)) saveJsonFile(authPath, asStore);
-		return asStore;
-	}
-	const legacy = coerceLegacyStore(loadJsonFile(resolveLegacyAuthStorePath()));
-	if (legacy) {
-		const store = {
-			version: AUTH_STORE_VERSION,
-			profiles: {}
-		};
-		applyLegacyStore(store, legacy);
-		syncExternalCliCredentials(store);
-		return store;
-	}
-	const store = {
-		version: AUTH_STORE_VERSION,
-		profiles: {}
-	};
-	syncExternalCliCredentials(store);
-	return store;
-}
-function loadAuthProfileStoreForAgent(agentDir, options) {
-	const readOnly = options?.readOnly === true;
-	const authPath = resolveAuthStorePath(agentDir);
-	const asStore = loadCoercedStore(authPath);
-	if (asStore) {
-		if (syncExternalCliCredentials(asStore) && !readOnly) saveJsonFile(authPath, asStore);
-		return asStore;
-	}
-	if (agentDir && !readOnly) {
-		const mainStore = coerceAuthStore(loadJsonFile(resolveAuthStorePath()));
-		if (mainStore && Object.keys(mainStore.profiles).length > 0) {
-			saveJsonFile(authPath, mainStore);
-			log$7.info("inherited auth-profiles from main agent", { agentDir });
-			return mainStore;
-		}
-	}
-	const legacy = coerceLegacyStore(loadJsonFile(resolveLegacyAuthStorePath(agentDir)));
-	const store = {
-		version: AUTH_STORE_VERSION,
-		profiles: {}
-	};
-	if (legacy) applyLegacyStore(store, legacy);
-	const mergedOAuth = mergeOAuthFileIntoStore(store);
-	const syncedCli = syncExternalCliCredentials(store);
-	const forceReadOnly = process.env.OPENCLAW_AUTH_STORE_READONLY === "1";
-	const shouldWrite = !readOnly && !forceReadOnly && (legacy !== null || mergedOAuth || syncedCli);
-	if (shouldWrite) saveJsonFile(authPath, store);
-	if (shouldWrite && legacy !== null) {
-		const legacyPath = resolveLegacyAuthStorePath(agentDir);
-		try {
-			fs.unlinkSync(legacyPath);
-		} catch (err) {
-			if (err?.code !== "ENOENT") log$7.warn("failed to delete legacy auth.json after migration", {
-				err,
-				legacyPath
-			});
-		}
-	}
-	return store;
-}
-function loadAuthProfileStoreForRuntime(agentDir, options) {
-	const store = loadAuthProfileStoreForAgent(agentDir, options);
-	const authPath = resolveAuthStorePath(agentDir);
-	const mainAuthPath = resolveAuthStorePath();
-	if (!agentDir || authPath === mainAuthPath) return store;
-	return mergeAuthProfileStores(loadAuthProfileStoreForAgent(void 0, options), store);
-}
-function loadAuthProfileStoreForSecretsRuntime(agentDir) {
-	return loadAuthProfileStoreForRuntime(agentDir, {
-		readOnly: true,
-		allowKeychainPrompt: false
-	});
-}
-function ensureAuthProfileStore(agentDir, options) {
-	const runtimeStore = resolveRuntimeAuthProfileStore(agentDir);
-	if (runtimeStore) return runtimeStore;
-	const store = loadAuthProfileStoreForAgent(agentDir, options);
-	const authPath = resolveAuthStorePath(agentDir);
-	const mainAuthPath = resolveAuthStorePath();
-	if (!agentDir || authPath === mainAuthPath) return store;
-	return mergeAuthProfileStores(loadAuthProfileStoreForAgent(void 0, options), store);
-}
-function saveAuthProfileStore(store, agentDir) {
-	saveJsonFile(resolveAuthStorePath(agentDir), {
-		version: AUTH_STORE_VERSION,
-		profiles: Object.fromEntries(Object.entries(store.profiles).map(([profileId, credential]) => {
-			if (credential.type === "api_key" && credential.keyRef && credential.key !== void 0) {
-				const sanitized = { ...credential };
-				delete sanitized.key;
-				return [profileId, sanitized];
-			}
-			if (credential.type === "token" && credential.tokenRef && credential.token !== void 0) {
-				const sanitized = { ...credential };
-				delete sanitized.token;
-				return [profileId, sanitized];
-			}
-			return [profileId, credential];
-		})),
-		order: store.order ?? void 0,
-		lastGood: store.lastGood ?? void 0,
-		usageStats: store.usageStats ?? void 0
-	});
-}
-
 //#endregion
 //#region src/agents/auth-profiles/profiles.ts
 function dedupeProfileIds(profileIds) {
@@ -9186,207 +8510,6 @@ function isSupportedLocalAvatarExtension(filePath) {
 	return LOCAL_AVATAR_EXTENSIONS.has(ext);
 }
 
-//#endregion
-//#region src/shared/net/ip.ts
-const BLOCKED_IPV4_SPECIAL_USE_RANGES = new Set([
-	"unspecified",
-	"broadcast",
-	"multicast",
-	"linkLocal",
-	"loopback",
-	"carrierGradeNat",
-	"private",
-	"reserved"
-]);
-const PRIVATE_OR_LOOPBACK_IPV4_RANGES = new Set([
-	"loopback",
-	"private",
-	"linkLocal",
-	"carrierGradeNat"
-]);
-const BLOCKED_IPV6_SPECIAL_USE_RANGES = new Set([
-	"unspecified",
-	"loopback",
-	"linkLocal",
-	"uniqueLocal",
-	"multicast"
-]);
-const RFC2544_BENCHMARK_PREFIX = [ipaddr.IPv4.parse("198.18.0.0"), 15];
-const EMBEDDED_IPV4_SENTINEL_RULES = [
-	{
-		matches: (parts) => parts[0] === 0 && parts[1] === 0 && parts[2] === 0 && parts[3] === 0 && parts[4] === 0 && parts[5] === 0,
-		toHextets: (parts) => [parts[6], parts[7]]
-	},
-	{
-		matches: (parts) => parts[0] === 100 && parts[1] === 65435 && parts[2] === 1 && parts[3] === 0 && parts[4] === 0 && parts[5] === 0,
-		toHextets: (parts) => [parts[6], parts[7]]
-	},
-	{
-		matches: (parts) => parts[0] === 8194,
-		toHextets: (parts) => [parts[1], parts[2]]
-	},
-	{
-		matches: (parts) => parts[0] === 8193 && parts[1] === 0,
-		toHextets: (parts) => [parts[6] ^ 65535, parts[7] ^ 65535]
-	},
-	{
-		matches: (parts) => (parts[4] & 64767) === 0 && parts[5] === 24318,
-		toHextets: (parts) => [parts[6], parts[7]]
-	}
-];
-function stripIpv6Brackets(value) {
-	if (value.startsWith("[") && value.endsWith("]")) return value.slice(1, -1);
-	return value;
-}
-function isNumericIpv4LiteralPart(value) {
-	return /^[0-9]+$/.test(value) || /^0x[0-9a-f]+$/i.test(value);
-}
-function parseIpv6WithEmbeddedIpv4(raw) {
-	if (!raw.includes(":") || !raw.includes(".")) return;
-	const match = /^(.*:)([^:%]+(?:\.[^:%]+){3})(%[0-9A-Za-z]+)?$/i.exec(raw);
-	if (!match) return;
-	const [, prefix, embeddedIpv4, zoneSuffix = ""] = match;
-	if (!ipaddr.IPv4.isValidFourPartDecimal(embeddedIpv4)) return;
-	const octets = embeddedIpv4.split(".").map((part) => Number.parseInt(part, 10));
-	const normalizedIpv6 = `${prefix}${(octets[0] << 8 | octets[1]).toString(16)}:${(octets[2] << 8 | octets[3]).toString(16)}${zoneSuffix}`;
-	if (!ipaddr.IPv6.isValid(normalizedIpv6)) return;
-	return ipaddr.IPv6.parse(normalizedIpv6);
-}
-function isIpv4Address(address) {
-	return address.kind() === "ipv4";
-}
-function isIpv6Address(address) {
-	return address.kind() === "ipv6";
-}
-function normalizeIpv4MappedAddress(address) {
-	if (!isIpv6Address(address)) return address;
-	if (!address.isIPv4MappedAddress()) return address;
-	return address.toIPv4Address();
-}
-function parseCanonicalIpAddress(raw) {
-	const trimmed = raw?.trim();
-	if (!trimmed) return;
-	const normalized = stripIpv6Brackets(trimmed);
-	if (!normalized) return;
-	if (ipaddr.IPv4.isValid(normalized)) {
-		if (!ipaddr.IPv4.isValidFourPartDecimal(normalized)) return;
-		return ipaddr.IPv4.parse(normalized);
-	}
-	if (ipaddr.IPv6.isValid(normalized)) return ipaddr.IPv6.parse(normalized);
-	return parseIpv6WithEmbeddedIpv4(normalized);
-}
-function parseLooseIpAddress(raw) {
-	const trimmed = raw?.trim();
-	if (!trimmed) return;
-	const normalized = stripIpv6Brackets(trimmed);
-	if (!normalized) return;
-	if (ipaddr.isValid(normalized)) return ipaddr.parse(normalized);
-	return parseIpv6WithEmbeddedIpv4(normalized);
-}
-function normalizeIpAddress(raw) {
-	const parsed = parseCanonicalIpAddress(raw);
-	if (!parsed) return;
-	return normalizeIpv4MappedAddress(parsed).toString().toLowerCase();
-}
-function isCanonicalDottedDecimalIPv4(raw) {
-	const trimmed = raw?.trim();
-	if (!trimmed) return false;
-	const normalized = stripIpv6Brackets(trimmed);
-	if (!normalized) return false;
-	return ipaddr.IPv4.isValidFourPartDecimal(normalized);
-}
-function isLegacyIpv4Literal(raw) {
-	const trimmed = raw?.trim();
-	if (!trimmed) return false;
-	const normalized = stripIpv6Brackets(trimmed);
-	if (!normalized || normalized.includes(":")) return false;
-	if (isCanonicalDottedDecimalIPv4(normalized)) return false;
-	const parts = normalized.split(".");
-	if (parts.length === 0 || parts.length > 4) return false;
-	if (parts.some((part) => part.length === 0)) return false;
-	if (!parts.every((part) => isNumericIpv4LiteralPart(part))) return false;
-	return true;
-}
-function isLoopbackIpAddress(raw) {
-	const parsed = parseCanonicalIpAddress(raw);
-	if (!parsed) return false;
-	return normalizeIpv4MappedAddress(parsed).range() === "loopback";
-}
-function isPrivateOrLoopbackIpAddress(raw) {
-	const parsed = parseCanonicalIpAddress(raw);
-	if (!parsed) return false;
-	const normalized = normalizeIpv4MappedAddress(parsed);
-	if (isIpv4Address(normalized)) return PRIVATE_OR_LOOPBACK_IPV4_RANGES.has(normalized.range());
-	return isBlockedSpecialUseIpv6Address(normalized);
-}
-function isBlockedSpecialUseIpv6Address(address) {
-	if (BLOCKED_IPV6_SPECIAL_USE_RANGES.has(address.range())) return true;
-	return (address.parts[0] & 65472) === 65216;
-}
-function isRfc1918Ipv4Address(raw) {
-	const parsed = parseCanonicalIpAddress(raw);
-	if (!parsed || !isIpv4Address(parsed)) return false;
-	return parsed.range() === "private";
-}
-function isCarrierGradeNatIpv4Address(raw) {
-	const parsed = parseCanonicalIpAddress(raw);
-	if (!parsed || !isIpv4Address(parsed)) return false;
-	return parsed.range() === "carrierGradeNat";
-}
-function isBlockedSpecialUseIpv4Address(address, options = {}) {
-	const inRfc2544BenchmarkRange = address.match(RFC2544_BENCHMARK_PREFIX);
-	if (inRfc2544BenchmarkRange && options.allowRfc2544BenchmarkRange === true) return false;
-	return BLOCKED_IPV4_SPECIAL_USE_RANGES.has(address.range()) || inRfc2544BenchmarkRange;
-}
-function decodeIpv4FromHextets(high, low) {
-	const octets = [
-		high >>> 8 & 255,
-		high & 255,
-		low >>> 8 & 255,
-		low & 255
-	];
-	return ipaddr.IPv4.parse(octets.join("."));
-}
-function extractEmbeddedIpv4FromIpv6(address) {
-	if (address.isIPv4MappedAddress()) return address.toIPv4Address();
-	if (address.range() === "rfc6145") return decodeIpv4FromHextets(address.parts[6], address.parts[7]);
-	if (address.range() === "rfc6052") return decodeIpv4FromHextets(address.parts[6], address.parts[7]);
-	for (const rule of EMBEDDED_IPV4_SENTINEL_RULES) {
-		if (!rule.matches(address.parts)) continue;
-		const [high, low] = rule.toHextets(address.parts);
-		return decodeIpv4FromHextets(high, low);
-	}
-}
-function isIpInCidr(ip, cidr) {
-	const normalizedIp = parseCanonicalIpAddress(ip);
-	if (!normalizedIp) return false;
-	const candidate = cidr.trim();
-	if (!candidate) return false;
-	const comparableIp = normalizeIpv4MappedAddress(normalizedIp);
-	if (!candidate.includes("/")) {
-		const exact = parseCanonicalIpAddress(candidate);
-		if (!exact) return false;
-		const comparableExact = normalizeIpv4MappedAddress(exact);
-		return comparableIp.kind() === comparableExact.kind() && comparableIp.toString() === comparableExact.toString();
-	}
-	let parsedCidr;
-	try {
-		parsedCidr = ipaddr.parseCIDR(candidate);
-	} catch {
-		return false;
-	}
-	const [baseAddress, prefixLength] = parsedCidr;
-	const comparableBase = normalizeIpv4MappedAddress(baseAddress);
-	if (comparableIp.kind() !== comparableBase.kind()) return false;
-	try {
-		if (isIpv4Address(comparableIp) && isIpv4Address(comparableBase)) return comparableIp.match([comparableBase, prefixLength]);
-		if (isIpv6Address(comparableIp) && isIpv6Address(comparableBase)) return comparableIp.match([comparableBase, prefixLength]);
-		return false;
-	} catch {
-		return false;
-	}
-}
-
 //#endregion
 //#region src/cli/parse-bytes.ts
 const UNIT_MULTIPLIERS = {
@@ -16022,7 +15145,7 @@ function adoptNewerMainOAuthCredential(params) {
 		if (mainCred?.type === "oauth" && mainCred.provider === params.cred.provider && Number.isFinite(mainCred.expires) && (!Number.isFinite(params.cred.expires) || mainCred.expires > params.cred.expires)) {
 			params.store.profiles[params.profileId] = { ...mainCred };
 			saveAuthProfileStore(params.store, params.agentDir);
-			log$7.info("adopted newer OAuth credentials from main agent", {
+			log$6.info("adopted newer OAuth credentials from main agent", {
 				profileId: params.profileId,
 				agentDir: params.agentDir,
 				expires: new Date(mainCred.expires).toISOString()
@@ -16030,7 +15153,7 @@ function adoptNewerMainOAuthCredential(params) {
 			return mainCred;
 		}
 	} catch (err) {
-		log$7.debug("adoptNewerMainOAuthCredential failed", {
+		log$6.debug("adoptNewerMainOAuthCredential failed", {
 			profileId: params.profileId,
 			error: err instanceof Error ? err.message : String(err)
 		});
@@ -16113,7 +15236,7 @@ async function resolveProfileSecretString(params) {
 				cache: params.cache
 			});
 		} catch (err) {
-			log$7.debug(params.inlineFailureMessage, {
+			log$6.debug(params.inlineFailureMessage, {
 				profileId: params.profileId,
 				provider: params.provider,
 				error: err instanceof Error ? err.message : String(err)
@@ -16128,7 +15251,7 @@ async function resolveProfileSecretString(params) {
 			cache: params.cache
 		});
 	} catch (err) {
-		log$7.debug(params.refFailureMessage, {
+		log$6.debug(params.refFailureMessage, {
 			profileId: params.profileId,
 			provider: params.provider,
 			error: err instanceof Error ? err.message : String(err)
@@ -16240,7 +15363,7 @@ async function resolveApiKeyForProfile(params) {
 			if (mainCred?.type === "oauth" && Date.now() < mainCred.expires) {
 				refreshedStore.profiles[profileId] = { ...mainCred };
 				saveAuthProfileStore(refreshedStore, params.agentDir);
-				log$7.info("inherited fresh OAuth credentials from main agent", {
+				log$6.info("inherited fresh OAuth credentials from main agent", {
 					profileId,
 					agentDir: params.agentDir,
 					expires: new Date(mainCred.expires).toISOString()
@@ -16257,7 +15380,7 @@ async function resolveApiKeyForProfile(params) {
 			credentials: cred,
 			error
 		})) {
-			log$7.warn("openai-codex oauth refresh failed; using cached access token fallback", {
+			log$6.warn("openai-codex oauth refresh failed; using cached access token fallback", {
 				profileId,
 				provider: cred.provider
 			});
@@ -16690,4 +15813,4 @@ function orderProfilesByMode(order, store) {
 var auth_profiles_exports = /* @__PURE__ */ __exportAll({ ensureAuthProfileStore: () => ensureAuthProfileStore });
 
 //#endregion
-export { mergeInboundPathRoots as $, upsertAuthProfile as $n, retryAsync as $r, validateSafeBinArgv as $t, formatPermissionRemediation as A, buildCloudflareAiGatewayModelDefinition as Ai, isSafeExecutableValue as An, resolveHooksGmailModel as Ar, AVATAR_MAX_BYTES as At, parseConfigJson5 as B, resolveAuthProfileDisplayLabel as Bi, applyConfigEnvVars as Bn, buildKimiCodingProvider as Br, sanitizeTerminalText as Bt, isNonEmptyString as C, shouldEnableShellEnvFallback as Ci, splitShellArgs as Cn, normalizeModelSelection as Cr, isLegacyIpv4Literal as Ct, writeTextFileAtomic as D, discoverHuggingfaceModels as Di, applyMergePatch as Dn, resolveAllowlistModelKey as Dr, normalizeIpAddress as Dt, toDotPath as E, buildHuggingfaceModelDefinition as Ei, resolveSafeBinProfiles as En, resolveAllowedModelRef as Er, isRfc1918Ipv4Address as Et, config_exports as F, KILOCODE_DEFAULT_MODEL_REF as Fi, resolveSlackNativeStreaming as Fn, resolveThinkingDefault as Fr, isSupportedLocalAvatarExtension as Ft, writeConfigFile as G, resolveSubagentMaxConcurrent as Gn, resolveImplicitBedrockProvider as Gr, getConfigValueAtPath as Gt, readConfigFileSnapshotForWrite as H, CLAUDE_CLI_PROFILE_ID as Hi, buildTalkConfigResponse as Hn, buildXiaomiProvider as Hr, resetConfigOverrides as Ht, migrateLegacyConfig as I, splitTrailingAuthProfile as Ii, resolveSlackStreamingMode as In, QIANFAN_BASE_URL as Ir, isWorkspaceRelativeAvatarPath as It, TELEGRAM_COMMAND_NAME_PATTERN as J, repairOAuthProfileIdMismatch as Jn, VENICE_BASE_URL as Jr, unsetConfigValueAtPath as Jt, validateConfigObjectWithPlugins as K, loadDotEnv as Kn, resolveImplicitCopilotProvider as Kr, parseConfigPath as Kt, clearRuntimeConfigSnapshot as L, DEFAULT_CONTEXT_TOKENS as Li, resolveTelegramPreviewStreamMode as Ln, QIANFAN_DEFAULT_MODEL_ID as Lr, looksLikeAvatarPath as Lt, safeStat as M, normalizeOptionalSecretInput as Mi, formatSlackStreamingBooleanMigrationMessage as Mn, resolveReasoningDefault as Mr, isAvatarHttpUrl as Mt, createIcaclsResetCommand as N, normalizeSecretInput as Ni, mapStreamingModeToSlackLegacyDraftStreamMode as Nn, resolveSubagentConfiguredModelSelection as Nr, isAvatarImageDataUrl as Nt, encodeJsonPointerToken as O, isHuggingfacePolicyLocked as Oi, applyLegacyMigrations as On, resolveConfiguredModelRef as Or, parseCanonicalIpAddress as Ot, formatIcaclsResetCommand as P, KILOCODE_BASE_URL as Pi, resolveDiscordPreviewStreamMode as Pn, resolveSubagentSpawnModelSelection as Pr, isPathWithinRoot as Pt, isInboundPathAllowed as Q, setAuthProfileOrder as Qn, resolveRetryConfig as Qr, normalizeTrustedSafeBinDirs as Qt, createConfigIO as R, DEFAULT_MODEL as Ri, INCLUDE_KEY as Rn, XIAOMI_DEFAULT_MODEL_ID as Rr, resolveAvatarMime as Rt, describeUnknownError as S, resolveShellEnvFallbackTimeoutMs as Si, resolveInlineCommandMatch as Sn, normalizeModelRef as Sr, isIpv6Address as St, parseDotPath as T, HUGGINGFACE_MODEL_CATALOG as Ti, normalizeSafeBinProfileFixtures as Tn, parseModelRef as Tr, isPrivateOrLoopbackIpAddress as Tt, resolveConfigSnapshotHash as U, CODEX_CLI_PROFILE_ID as Ui, DEFAULT_SUBAGENT_MAX_SPAWN_DEPTH as Un, normalizeGoogleModelId as Ur, setConfigOverride as Ut, readConfigFileSnapshot as V, AUTH_STORE_VERSION as Vi, collectConfigServiceEnvVars as Vn, buildQianfanProvider as Vr, getConfigOverrides as Vt, setRuntimeConfigSnapshot as W, resolveAgentMaxConcurrent as Wn, normalizeProviders as Wr, unsetConfigOverride as Wt, resolveTelegramCustomCommands as X, listProfilesForProvider as Xn, VENICE_MODEL_CATALOG as Xr, isTrustedSafeBinPath as Xt, normalizeTelegramCommandName as Y, dedupeProfileIds as Yn, VENICE_DEFAULT_MODEL_REF as Yr, getTrustedSafeBinDirs as Yt, DEFAULT_IMESSAGE_ATTACHMENT_ROOTS as Z, markAuthProfileGood as Zn, buildVeniceModelDefinition as Zr, listWritableExplicitTrustedSafeBinDirs as Zt, parseOAuthCallbackInput as _, resolveAwsSdkEnvVarName as _i, unwrapDispatchWrappersForResolution as _n, findNormalizedProviderValue as _r, isBlockedSpecialUseIpv6Address as _t, getSoonestCooldownExpiry as a, SYNTHETIC_MODEL_CATALOG as ai, splitCommandChain as an, replaceRuntimeAuthProfileStoreSnapshots as ar, sensitive as at, resolveSecretRefValue as b, getShellEnvAppliedKeys as bi, POSIX_INLINE_COMMAND_FLAGS as bn, isCliProvider as br, isIpInCidr as bt, markAuthProfileUsed as c, createOllamaStreamFn as ci, resolveAllowlistCandidatePath as cn, resolveAuthStorePathForDisplay as cr, resolveDefaultSecretProviderAlias as ct, resolveApiKeyForProfile as d, buildStreamErrorAssistantMessage as di, extractShellWrapperCommand as dn, resolveProcessScopedMap as dr, isDangerousNetworkMode as dt, TOGETHER_BASE_URL as ei, analyzeArgvCommand as en, upsertAuthProfileWithLock as er, resolveIMessageAttachmentRoots as et, evaluateStoredCredentialEligibility as f, buildUsageWithNoCost as fi, extractShellWrapperInlineCommand as fn, getProcessStartTime as fr, normalizeNetworkMode as ft, generateChutesPkce as g, resolveApiKeyForProvider as gi, normalizeExecutableToken as gn, buildModelAliasIndex as gr, isBlockedSpecialUseIpv4Address as gt, exchangeChutesCodeForTokens as h, requireApiKey as hi, isShellWrapperExecutable as hn, buildConfiguredAllowlistKeys as hr, extractEmbeddedIpv4FromIpv6 as ht, clearExpiredCooldowns as i, SYNTHETIC_DEFAULT_MODEL_REF as ii, resolvePlannedSegmentArgv as in, loadAuthProfileStoreForSecretsRuntime as ir, SecretProviderSchema as it, inspectPathPermissions as j, resolveCloudflareAiGatewayBaseUrl as ji, formatSlackStreamModeMigrationMessage as jn, resolveModelRefFromString as jr, isAvatarDataUrl as jt, formatPermissionDetail as k, CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF as ki, ensureControlUiAllowedOriginsForNonLoopbackBind as kn, resolveDefaultModelForAgent as kr, parseLooseIpAddress as kt, resolveProfileUnusableUntilForDisplay as l, buildAssistantMessage$1 as li, resolveCommandResolutionFromArgv as ln, resolveOpenClawAgentDir as lr, secretRefKey as lt, CHUTES_AUTHORIZE_ENDPOINT as m, getCustomProviderApiKey as mi, isDispatchWrapperExecutable as mn, buildAllowedModelSet as mr, parseByteSize as mt, resolveAuthProfileEligibility as n, buildTogetherModelDefinition as ni, buildEnforcedShellCommand as nn, ensureAuthProfileStore as nr, normalizeScpRemoteHost as nt, isProfileInCooldown as o, buildSyntheticModelDefinition as oi, DEFAULT_SAFE_BINS as on, updateAuthProfileStoreWithLock as or, isValidFileSecretRefId as ot, resolveTokenExpiryState as p, getApiKeyForModel as pi, hasEnvManipulationBeforeShellWrapper as pn, isPidAlive as pr, parseDurationMs as pt, BotSchema as q, resolveOwnerDisplaySetting as qn, resolveImplicitProviders as qr, setConfigValueAtPath as qt, resolveAuthProfileOrder as r, SYNTHETIC_BASE_URL as ri, isWindowsPlatform as rn, loadAuthProfileStore as rr, parseNonNegativeByteSize as rt, markAuthProfileFailure as s, OLLAMA_NATIVE_BASE_URL as si, matchAllowlist as sn, resolveAuthStorePath as sr, isValidSecretProviderAlias as st, auth_profiles_exports as t, TOGETHER_MODEL_CATALOG as ti, analyzeShellCommand as tn, clearRuntimeAuthProfileStoreSnapshots as tr, resolveIMessageRemoteAttachmentRoots as tt, resolveProfilesUnavailableReason as u, buildAssistantMessageWithZeroUsage as ui, resolveExecutableFromPathEnv as un, withFileLock as ur, getBlockedNetworkModeReason as ut, isProviderScopedSecretResolutionError as v, resolveEnvApiKey as vi, unwrapKnownDispatchWrapperInvocation as vn, getModelRefStatus as vr, isCanonicalDottedDecimalIPv4 as vt, isRecord as w, HUGGINGFACE_BASE_URL as wi, SAFE_BIN_PROFILES as wn, normalizeProviderId as wr, isLoopbackIpAddress as wt, resolveSecretRefValues as x, getShellPathFromLoginShell as xi, POWERSHELL_INLINE_COMMAND_FLAGS as xn, modelKey as xr, isIpv4Address as xt, resolveSecretRefString as y, resolveModelAuthMode as yi, unwrapKnownShellMultiplexerInvocation as yn, inferUniqueProviderFromConfiguredModels as yr, isCarrierGradeNatIpv4Address as yt, loadConfig as z, DEFAULT_PROVIDER as zi, MAX_INCLUDE_DEPTH as zn, buildKilocodeProvider as zr, validateJsonSchemaValue as zt };
+export { mergeInboundPathRoots as $, resolveAllowlistModelKey as $n, discoverHuggingfaceModels as $r, isDispatchWrapperExecutable as $t, formatPermissionRemediation as A, resolveSubagentMaxConcurrent as An, SYNTHETIC_DEFAULT_MODEL_REF as Ar, getConfigValueAtPath as At, parseConfigJson5 as B, buildAllowedModelSet as Bn, getCustomProviderApiKey as Br, analyzeShellCommand as Bt, isNonEmptyString as C, INCLUDE_KEY as Cn, buildVeniceModelDefinition as Cr, resolveAvatarMime as Ct, writeTextFileAtomic as D, buildTalkConfigResponse as Dn, TOGETHER_MODEL_CATALOG as Dr, resetConfigOverrides as Dt, toDotPath as E, collectConfigServiceEnvVars as En, TOGETHER_BASE_URL as Er, getConfigOverrides as Et, config_exports as F, listProfilesForProvider as Fn, buildAssistantMessage$1 as Fr, isTrustedSafeBinPath as Ft, writeConfigFile as G, inferUniqueProviderFromConfiguredModels as Gn, resolveModelAuthMode as Gr, DEFAULT_SAFE_BINS as Gt, readConfigFileSnapshotForWrite as H, buildModelAliasIndex as Hn, resolveApiKeyForProvider as Hr, isWindowsPlatform as Ht, migrateLegacyConfig as I, markAuthProfileGood as In, buildAssistantMessageWithZeroUsage as Ir, listWritableExplicitTrustedSafeBinDirs as It, TELEGRAM_COMMAND_NAME_PATTERN as J, normalizeModelRef as Jn, resolveShellEnvFallbackTimeoutMs as Jr, resolveCommandResolutionFromArgv as Jt, validateConfigObjectWithPlugins as K, isCliProvider as Kn, getShellEnvAppliedKeys as Kr, matchAllowlist as Kt, clearRuntimeConfigSnapshot as L, setAuthProfileOrder as Ln, buildStreamErrorAssistantMessage as Lr, normalizeTrustedSafeBinDirs as Lt, safeStat as M, resolveOwnerDisplaySetting as Mn, buildSyntheticModelDefinition as Mr, setConfigValueAtPath as Mt, createIcaclsResetCommand as N, repairOAuthProfileIdMismatch as Nn, OLLAMA_NATIVE_BASE_URL as Nr, unsetConfigValueAtPath as Nt, encodeJsonPointerToken as O, DEFAULT_SUBAGENT_MAX_SPAWN_DEPTH as On, buildTogetherModelDefinition as Or, setConfigOverride as Ot, formatIcaclsResetCommand as P, dedupeProfileIds as Pn, createOllamaStreamFn as Pr, getTrustedSafeBinDirs as Pt, isInboundPathAllowed as Q, resolveAllowedModelRef as Qn, buildHuggingfaceModelDefinition as Qr, hasEnvManipulationBeforeShellWrapper as Qt, createConfigIO as R, upsertAuthProfile as Rn, buildUsageWithNoCost as Rr, validateSafeBinArgv as Rt, describeUnknownError as S, resolveTelegramPreviewStreamMode as Sn, VENICE_MODEL_CATALOG as Sr, looksLikeAvatarPath as St, parseDotPath as T, applyConfigEnvVars as Tn, retryAsync as Tr, sanitizeTerminalText as Tt, resolveConfigSnapshotHash as U, findNormalizedProviderValue as Un, resolveAwsSdkEnvVarName as Ur, resolvePlannedSegmentArgv as Ut, readConfigFileSnapshot as V, buildConfiguredAllowlistKeys as Vn, requireApiKey as Vr, buildEnforcedShellCommand as Vt, setRuntimeConfigSnapshot as W, getModelRefStatus as Wn, resolveEnvApiKey as Wr, splitCommandChain as Wt, resolveTelegramCustomCommands as X, normalizeProviderId as Xn, HUGGINGFACE_BASE_URL as Xr, extractShellWrapperCommand as Xt, normalizeTelegramCommandName as Y, normalizeModelSelection as Yn, shouldEnableShellEnvFallback as Yr, resolveExecutableFromPathEnv as Yt, DEFAULT_IMESSAGE_ATTACHMENT_ROOTS as Z, parseModelRef as Zn, HUGGINGFACE_MODEL_CATALOG as Zr, extractShellWrapperInlineCommand as Zt, parseOAuthCallbackInput as _, formatSlackStreamingBooleanMigrationMessage as _n, resolveImplicitBedrockProvider as _r, isAvatarHttpUrl as _t, getSoonestCooldownExpiry as a, normalizeSecretInput as ai, POSIX_INLINE_COMMAND_FLAGS as an, resolveSubagentConfiguredModelSelection as ar, sensitive as at, resolveSecretRefValue as b, resolveSlackNativeStreaming as bn, VENICE_BASE_URL as br, isSupportedLocalAvatarExtension as bt, markAuthProfileUsed as c, splitTrailingAuthProfile as ci, splitShellArgs as cn, QIANFAN_BASE_URL as cr, resolveDefaultSecretProviderAlias as ct, resolveApiKeyForProfile as d, DEFAULT_PROVIDER as di, resolveSafeBinProfiles as dn, buildKilocodeProvider as dr, isDangerousNetworkMode as dt, isHuggingfacePolicyLocked as ei, isShellWrapperExecutable as en, resolveConfiguredModelRef as er, resolveIMessageAttachmentRoots as et, evaluateStoredCredentialEligibility as f, resolveAuthProfileDisplayLabel as fi, applyMergePatch as fn, buildKimiCodingProvider as fr, normalizeNetworkMode as ft, generateChutesPkce as g, formatSlackStreamModeMigrationMessage as gn, normalizeProviders as gr, isAvatarDataUrl as gt, exchangeChutesCodeForTokens as h, isSafeExecutableValue as hn, normalizeGoogleModelId as hr, AVATAR_MAX_BYTES as ht, clearExpiredCooldowns as i, normalizeOptionalSecretInput as ii, unwrapKnownShellMultiplexerInvocation as in, resolveReasoningDefault as ir, SecretProviderSchema as it, inspectPathPermissions as j, loadDotEnv as jn, SYNTHETIC_MODEL_CATALOG as jr, parseConfigPath as jt, formatPermissionDetail as k, resolveAgentMaxConcurrent as kn, SYNTHETIC_BASE_URL as kr, unsetConfigOverride as kt, resolveProfileUnusableUntilForDisplay as l, DEFAULT_CONTEXT_TOKENS as li, SAFE_BIN_PROFILES as ln, QIANFAN_DEFAULT_MODEL_ID as lr, secretRefKey as lt, CHUTES_AUTHORIZE_ENDPOINT as m, ensureControlUiAllowedOriginsForNonLoopbackBind as mn, buildXiaomiProvider as mr, parseByteSize as mt, resolveAuthProfileEligibility as n, buildCloudflareAiGatewayModelDefinition as ni, unwrapDispatchWrappersForResolution as nn, resolveHooksGmailModel as nr, normalizeScpRemoteHost as nt, isProfileInCooldown as o, KILOCODE_BASE_URL as oi, POWERSHELL_INLINE_COMMAND_FLAGS as on, resolveSubagentSpawnModelSelection as or, isValidFileSecretRefId as ot, resolveTokenExpiryState as p, applyLegacyMigrations as pn, buildQianfanProvider as pr, parseDurationMs as pt, BotSchema as q, modelKey as qn, getShellPathFromLoginShell as qr, resolveAllowlistCandidatePath as qt, resolveAuthProfileOrder as r, resolveCloudflareAiGatewayBaseUrl as ri, unwrapKnownDispatchWrapperInvocation as rn, resolveModelRefFromString as rr, parseNonNegativeByteSize as rt, markAuthProfileFailure as s, KILOCODE_DEFAULT_MODEL_REF as si, resolveInlineCommandMatch as sn, resolveThinkingDefault as sr, isValidSecretProviderAlias as st, auth_profiles_exports as t, CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF as ti, normalizeExecutableToken as tn, resolveDefaultModelForAgent as tr, resolveIMessageRemoteAttachmentRoots as tt, resolveProfilesUnavailableReason as u, DEFAULT_MODEL as ui, normalizeSafeBinProfileFixtures as un, XIAOMI_DEFAULT_MODEL_ID as ur, getBlockedNetworkModeReason as ut, isProviderScopedSecretResolutionError as v, mapStreamingModeToSlackLegacyDraftStreamMode as vn, resolveImplicitCopilotProvider as vr, isAvatarImageDataUrl as vt, isRecord as w, MAX_INCLUDE_DEPTH as wn, resolveRetryConfig as wr, validateJsonSchemaValue as wt, resolveSecretRefValues as x, resolveSlackStreamingMode as xn, VENICE_DEFAULT_MODEL_REF as xr, isWorkspaceRelativeAvatarPath as xt, resolveSecretRefString as y, resolveDiscordPreviewStreamMode as yn, resolveImplicitProviders as yr, isPathWithinRoot as yt, loadConfig as z, upsertAuthProfileWithLock as zn, getApiKeyForModel as zr, analyzeArgvCommand as zt };