@mulmoclaude/spotify-plugin 0.1.0

package/dist/index.js

@@ -0,0 +1,1364 @@
+import { i as TokensSchema, n as ClientConfigSchema, r as DispatchArgsSchema, t as TOOL_DEFINITION } from "./definition-CfBmxEFr.js";
+//#region ../../../node_modules/gui-chat-protocol/dist/index.js
+function definePlugin(setup) {
+	return setup;
+}
+//#endregion
+//#region src/oauth.ts
+/** Maximum age before a pending authorization is considered stale.
+*  Spotify's authorize page typically redirects back within a
+*  minute; 10 minutes covers slow users without leaking entries
+*  forever. The runtime is sandboxed (no `runtime.now`), so this
+*  uses `Date.now()` directly — pure number, not external state. */
+var PENDING_TTL_MS = 600 * 1e3;
+var _pendingAuthorizations = /* @__PURE__ */ new Map();
+/** Generate 32 bytes of random entropy as a base64url string.
+*  Used both for `code_verifier` (PKCE) and `state` (CSRF). */
+function generateRandomToken() {
+	const bytes = new Uint8Array(32);
+	globalThis.crypto.getRandomValues(bytes);
+	return base64UrlEncode(bytes);
+}
+/** Derive `code_challenge` from `code_verifier`: SHA-256 then
+*  base64url. Spotify's authorize URL carries this; the token
+*  endpoint receives the verifier and re-derives. */
+async function deriveCodeChallenge(codeVerifier) {
+	const buffer = await globalThis.crypto.subtle.digest("SHA-256", new TextEncoder().encode(codeVerifier));
+	return base64UrlEncode(new Uint8Array(buffer));
+}
+/** Encode bytes as RFC 4648 base64url (no padding). The standard
+*  `btoa` produces base64; we replace the URL-unsafe characters and
+*  strip padding to match what Spotify's authorize / token
+*  endpoints expect. */
+function base64UrlEncode(bytes) {
+	let binary = "";
+	for (const byte of bytes) binary += String.fromCharCode(byte);
+	return btoa(binary).replaceAll("+", "-").replaceAll("/", "_").replace(/=+$/, "");
+}
+/** Register a fresh pending authorization. Returns the `state` the
+*  caller embeds on the authorize URL. Sweeps stale entries on
+*  every call so the map can't grow unbounded across abandoned
+*  attempts. */
+function registerPendingAuthorization(codeVerifier, redirectUri, now = /* @__PURE__ */ new Date()) {
+	sweepStaleAuthorizations(now);
+	const state = generateRandomToken();
+	_pendingAuthorizations.set(state, {
+		codeVerifier,
+		redirectUri,
+		createdAtMs: now.getTime()
+	});
+	return state;
+}
+/** Look up + consume a pending authorization by `state`. Single-
+*  use: a successful lookup deletes the record so the same state
+*  can't be replayed. Returns null when the state is unknown
+*  (CSRF / stale / replayed). */
+function consumePendingAuthorization(state, now = /* @__PURE__ */ new Date()) {
+	sweepStaleAuthorizations(now);
+	const entry = _pendingAuthorizations.get(state);
+	if (!entry) return null;
+	_pendingAuthorizations.delete(state);
+	return entry;
+}
+function sweepStaleAuthorizations(now) {
+	const cutoff = now.getTime() - PENDING_TTL_MS;
+	for (const [state, entry] of _pendingAuthorizations) if (entry.createdAtMs < cutoff) _pendingAuthorizations.delete(state);
+}
+/** Build the Spotify authorize URL. Pure — no side effects, no
+*  randomness; `state` and `codeChallenge` are passed in so the
+*  caller controls them (for replay registration and tests). */
+function buildAuthorizeUrl(params) {
+	return `https://accounts.spotify.com/authorize?${new URLSearchParams({
+		response_type: "code",
+		client_id: params.clientId,
+		redirect_uri: params.redirectUri,
+		scope: params.scopes.join(" "),
+		state: params.state,
+		code_challenge_method: "S256",
+		code_challenge: params.codeChallenge
+	}).toString()}`;
+}
+//#endregion
+//#region src/time.ts
+var ONE_SECOND_MS = 1e3;
+60 * ONE_SECOND_MS;
+//#endregion
+//#region src/tokens.ts
+var TOKENS_FILE = "tokens.json";
+var CLIENT_CONFIG_FILE = "client.json";
+/** Read persisted tokens. Returns null on absent / malformed (=
+*  caller treats as "not_connected" and walks the user back to the
+*  connect button). Throws only on the read I/O itself. */
+async function readTokens(files) {
+	if (!await files.exists(TOKENS_FILE)) return null;
+	try {
+		const raw = await files.read(TOKENS_FILE);
+		const parsed = TokensSchema.safeParse(JSON.parse(raw));
+		return parsed.success ? parsed.data : null;
+	} catch {
+		return null;
+	}
+}
+/** Write the full token record. */
+async function writeTokens(files, tokens) {
+	await files.write(TOKENS_FILE, JSON.stringify(tokens, null, 2));
+}
+/** Read the user-provided Client ID. Returns null when the file is
+*  absent / malformed (caller treats as "client_id_missing" and
+*  surfaces the setup guide). */
+async function readClientConfig(files) {
+	if (!await files.exists(CLIENT_CONFIG_FILE)) return null;
+	try {
+		const raw = await files.read(CLIENT_CONFIG_FILE);
+		const parsed = ClientConfigSchema.safeParse(JSON.parse(raw));
+		return parsed.success ? parsed.data : null;
+	} catch {
+		return null;
+	}
+}
+/** Write the Client ID. The View's "Configure" form posts here
+*  via `runtime.dispatch({ kind: "configure", clientId })` (PR 2). */
+async function writeClientConfig(files, config) {
+	await files.write(CLIENT_CONFIG_FILE, JSON.stringify(config, null, 2));
+}
+/** Apply a refresh response to the persisted tokens, preserving the
+*  prior `refreshToken` when Spotify omits a fresh one (the common
+*  case). Pure — caller persists. */
+function mergeRefreshResponse(prior, response, now = /* @__PURE__ */ new Date()) {
+	return {
+		accessToken: response.accessToken,
+		refreshToken: response.refreshToken ?? prior.refreshToken,
+		expiresAt: new Date(now.getTime() + response.expiresInSec * ONE_SECOND_MS).toISOString(),
+		scopes: response.scopes !== void 0 ? [...response.scopes] : prior.scopes
+	};
+}
+//#endregion
+//#region src/client.ts
+var SPOTIFY_API_BASE = "https://api.spotify.com";
+var SPOTIFY_TOKEN_URL$1 = "https://accounts.spotify.com/api/token";
+var SPOTIFY_API_HOST = "api.spotify.com";
+var SPOTIFY_TOKEN_HOST$1 = "accounts.spotify.com";
+var FETCH_TIMEOUT_MS = 15 * ONE_SECOND_MS;
+/** Treat tokens within this window of expiry as already expired so
+*  a request that races the boundary refreshes proactively instead
+*  of waiting for the 401. */
+var EXPIRY_LEEWAY_MS = 30 * ONE_SECOND_MS;
+var RETRY_AFTER_FALLBACK_SEC = 60;
+/** Make an authenticated Spotify API call. Path is relative to
+*  `https://api.spotify.com` (e.g. `/v1/me/player/recently-played`). */
+async function spotifyApi(runtime, clientId, initialTokens, method, apiPath, init = {}, now = () => /* @__PURE__ */ new Date()) {
+	let tokens = initialTokens;
+	if (needsProactiveRefresh(tokens, now())) {
+		const refreshed = await refreshTokens(runtime, clientId, tokens, now);
+		if (!refreshed.ok) return {
+			ok: false,
+			error: refreshed.error
+		};
+		tokens = refreshed.tokens;
+	}
+	const firstAttempt = await callOnce(runtime, method, apiPath, init, tokens);
+	if (firstAttempt.ok || firstAttempt.error.kind !== "auth_expired") return firstAttempt;
+	const refreshed = await refreshTokens(runtime, clientId, tokens, now);
+	if (!refreshed.ok) return {
+		ok: false,
+		error: refreshed.error
+	};
+	return callOnce(runtime, method, apiPath, init, refreshed.tokens);
+}
+function needsProactiveRefresh(tokens, now) {
+	const expiresAtMs = Date.parse(tokens.expiresAt);
+	if (Number.isNaN(expiresAtMs)) return true;
+	return expiresAtMs - now.getTime() <= EXPIRY_LEEWAY_MS;
+}
+async function callOnce(runtime, method, apiPath, init, tokens) {
+	let response;
+	try {
+		response = await runtime.fetch(`${SPOTIFY_API_BASE}${apiPath}`, {
+			method,
+			headers: {
+				Authorization: `Bearer ${tokens.accessToken}`,
+				...init.body !== void 0 ? { "Content-Type": "application/json" } : {}
+			},
+			body: init.body !== void 0 ? JSON.stringify(init.body) : void 0,
+			timeoutMs: FETCH_TIMEOUT_MS,
+			allowedHosts: [SPOTIFY_API_HOST]
+		});
+	} catch (err) {
+		return {
+			ok: false,
+			error: {
+				kind: "spotify_api_error",
+				status: 0,
+				body: errorMessage$1(err)
+			}
+		};
+	}
+	if (response.status === 401) return {
+		ok: false,
+		error: {
+			kind: "auth_expired",
+			detail: "Spotify returned 401"
+		}
+	};
+	if (response.status === 429) return {
+		ok: false,
+		error: {
+			kind: "rate_limited",
+			retryAfterSec: parseRetryAfterSec(response.headers.get("Retry-After"))
+		}
+	};
+	if (!response.ok) {
+		const body = await response.text().catch(() => "");
+		return {
+			ok: false,
+			error: {
+				kind: "spotify_api_error",
+				status: response.status,
+				body: body.slice(0, 500)
+			}
+		};
+	}
+	if (response.status === 204) return {
+		ok: true,
+		data: null
+	};
+	try {
+		return {
+			ok: true,
+			data: await response.json()
+		};
+	} catch (err) {
+		return {
+			ok: false,
+			error: {
+				kind: "spotify_api_error",
+				status: response.status,
+				body: errorMessage$1(err)
+			}
+		};
+	}
+}
+/** Refresh the access token using the persisted refreshToken and
+*  persist the merged result. */
+async function refreshTokens(runtime, clientId, tokens, now) {
+	let response;
+	try {
+		response = await runtime.fetch(SPOTIFY_TOKEN_URL$1, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body: new URLSearchParams({
+				grant_type: "refresh_token",
+				refresh_token: tokens.refreshToken,
+				client_id: clientId
+			}).toString(),
+			timeoutMs: FETCH_TIMEOUT_MS,
+			allowedHosts: [SPOTIFY_TOKEN_HOST$1]
+		});
+	} catch (err) {
+		return {
+			ok: false,
+			error: {
+				kind: "transient_error",
+				detail: `refresh fetch failed: ${errorMessage$1(err)}`
+			}
+		};
+	}
+	if (!response.ok) {
+		const body = await response.text().catch(() => "");
+		runtime.log.warn("refresh failed", {
+			status: response.status,
+			body: body.slice(0, 200)
+		});
+		const status = response.status;
+		return {
+			ok: false,
+			error: {
+				kind: status >= 500 || status === 408 || status === 429 ? "transient_error" : "auth_expired",
+				detail: `refresh returned ${status}`
+			}
+		};
+	}
+	let parsed;
+	try {
+		parsed = await response.json();
+	} catch (err) {
+		return {
+			ok: false,
+			error: {
+				kind: "transient_error",
+				detail: `refresh response parse failed: ${errorMessage$1(err)}`
+			}
+		};
+	}
+	const refreshFields = parseRefreshResponse(parsed);
+	if (!refreshFields) return {
+		ok: false,
+		error: {
+			kind: "auth_expired",
+			detail: "refresh response missing access_token / expires_in"
+		}
+	};
+	const merged = mergeRefreshResponse(tokens, refreshFields, now());
+	await writeTokens(runtime.files.config, merged);
+	return {
+		ok: true,
+		tokens: merged
+	};
+}
+function parseRefreshResponse(raw) {
+	if (typeof raw.access_token !== "string" || raw.access_token.length === 0) return null;
+	if (typeof raw.expires_in !== "number" || !Number.isFinite(raw.expires_in)) return null;
+	return {
+		accessToken: raw.access_token,
+		refreshToken: typeof raw.refresh_token === "string" && raw.refresh_token.length > 0 ? raw.refresh_token : void 0,
+		expiresInSec: raw.expires_in,
+		scopes: typeof raw.scope === "string" ? raw.scope.split(" ").filter(Boolean) : void 0
+	};
+}
+/** Parse a `Retry-After` header. Spotify normally returns delta-
+*  seconds (an integer) but the RFC also allows HTTP-date format.
+*  Anything non-finite or non-positive collapses to a safe 60s
+*  fallback so callers never propagate `NaN` (Codex review on
+*  PR #1164 caught this). */
+function parseRetryAfterSec(headerValue) {
+	if (headerValue === null) return RETRY_AFTER_FALLBACK_SEC;
+	const trimmed = headerValue.trim();
+	if (trimmed === "") return RETRY_AFTER_FALLBACK_SEC;
+	const asInt = Number.parseInt(trimmed, 10);
+	if (Number.isFinite(asInt) && asInt > 0 && String(asInt) === trimmed) return asInt;
+	const asDateMs = Date.parse(trimmed);
+	if (Number.isFinite(asDateMs)) {
+		const deltaSec = Math.ceil((asDateMs - Date.now()) / ONE_SECOND_MS);
+		if (deltaSec > 0) return deltaSec;
+	}
+	return RETRY_AFTER_FALLBACK_SEC;
+}
+function errorMessage$1(err) {
+	return err instanceof Error ? err.message : String(err);
+}
+//#endregion
+//#region src/normalize.ts
+var isRecord = (value) => typeof value === "object" && value !== null;
+function smallestImageUrl(images) {
+	if (!Array.isArray(images) || images.length === 0) return void 0;
+	for (let i = images.length - 1; i >= 0; i -= 1) {
+		const candidate = images[i];
+		if (typeof candidate?.url === "string" && candidate.url.length > 0) return candidate.url;
+	}
+}
+function spotifyUrl(externalUrls) {
+	if (!isRecord(externalUrls)) return void 0;
+	const candidate = externalUrls.spotify;
+	return typeof candidate === "string" && candidate.length > 0 ? candidate : void 0;
+}
+function artistNames(artists) {
+	if (!Array.isArray(artists)) return [];
+	return artists.map((a) => isRecord(a) && typeof a.name === "string" ? a.name : "").filter((n) => n.length > 0);
+}
+/** Normalise one Spotify track. Returns null when the response is
+*  missing required scalar fields — caller should drop it from the
+*  list rather than render a half-broken row. */
+function normaliseTrack(raw) {
+	if (!isRecord(raw)) return null;
+	const track = raw;
+	if (typeof track.id !== "string" || track.id.length === 0) return null;
+	if (typeof track.name !== "string") return null;
+	const album = isRecord(track.album) ? track.album : null;
+	const url = spotifyUrl(track.external_urls);
+	const imageUrl = smallestImageUrl(album?.images);
+	return {
+		id: track.id,
+		name: track.name,
+		artists: artistNames(track.artists),
+		album: typeof album?.name === "string" ? album.name : "",
+		durationMs: typeof track.duration_ms === "number" && Number.isFinite(track.duration_ms) ? track.duration_ms : 0,
+		...url !== void 0 ? { url } : {},
+		...imageUrl !== void 0 ? { imageUrl } : {}
+	};
+}
+/** Walk a paginated `items[]` response, normalise each entry's
+*  nested track, and drop entries that fail validation. */
+function normaliseTrackList(raw, trackPath) {
+	if (!isRecord(raw)) return [];
+	const items = raw.items;
+	if (!Array.isArray(items)) return [];
+	const out = [];
+	for (const item of items) {
+		if (!isRecord(item)) continue;
+		const normalised = normaliseTrack(trackPath === "track" ? item.track : item);
+		if (normalised) out.push(normalised);
+	}
+	return out;
+}
+/** `recently-played` items wrap the track in an object that carries
+*  the `played_at` timestamp. The View renders timestamps so we
+*  preserve them at this layer. */
+function normaliseRecentlyPlayed(raw) {
+	if (!isRecord(raw)) return [];
+	const items = raw.items;
+	if (!Array.isArray(items)) return [];
+	const out = [];
+	for (const item of items) {
+		if (!isRecord(item)) continue;
+		const track = normaliseTrack(item.track);
+		if (!track) continue;
+		const playedAt = typeof item.played_at === "string" ? item.played_at : "";
+		out.push({
+			track,
+			playedAt
+		});
+	}
+	return out;
+}
+function readPlaylistTotal(playlist) {
+	const candidates = [playlist.items, playlist.tracks];
+	for (const candidate of candidates) {
+		if (!isRecord(candidate)) continue;
+		const total = candidate.total;
+		if (typeof total === "number" && Number.isFinite(total)) return total;
+	}
+	return 0;
+}
+function normalisePlaylist(raw) {
+	if (!isRecord(raw)) return null;
+	const playlist = raw;
+	if (typeof playlist.id !== "string" || playlist.id.length === 0) return null;
+	if (typeof playlist.name !== "string") return null;
+	const url = spotifyUrl(playlist.external_urls);
+	const imageUrl = smallestImageUrl(playlist.images);
+	return {
+		id: playlist.id,
+		name: playlist.name,
+		description: typeof playlist.description === "string" ? playlist.description : "",
+		trackCount: readPlaylistTotal(playlist),
+		...url !== void 0 ? { url } : {},
+		...imageUrl !== void 0 ? { imageUrl } : {}
+	};
+}
+function normalisePlaylistList(raw) {
+	if (!isRecord(raw)) return [];
+	const items = raw.items;
+	if (!Array.isArray(items)) return [];
+	const out = [];
+	for (const item of items) {
+		const normalised = normalisePlaylist(item);
+		if (normalised) out.push(normalised);
+	}
+	return out;
+}
+function normaliseArtist(raw) {
+	if (!isRecord(raw)) return null;
+	const artist = raw;
+	if (typeof artist.id !== "string" || artist.id.length === 0) return null;
+	if (typeof artist.name !== "string") return null;
+	const url = spotifyUrl(artist.external_urls);
+	const imageUrl = smallestImageUrl(artist.images);
+	const popularity = typeof artist.popularity === "number" && Number.isFinite(artist.popularity) ? artist.popularity : void 0;
+	return {
+		id: artist.id,
+		name: artist.name,
+		genres: Array.isArray(artist.genres) ? artist.genres.filter((g) => typeof g === "string") : [],
+		...popularity !== void 0 ? { popularity } : {},
+		...url !== void 0 ? { url } : {},
+		...imageUrl !== void 0 ? { imageUrl } : {}
+	};
+}
+function normaliseArtistList(raw) {
+	if (!isRecord(raw)) return [];
+	const items = raw.items;
+	if (!Array.isArray(items)) return [];
+	const out = [];
+	for (const item of items) {
+		const normalised = normaliseArtist(item);
+		if (normalised) out.push(normalised);
+	}
+	return out;
+}
+function normaliseAlbum(raw) {
+	if (!isRecord(raw)) return null;
+	const album = raw;
+	if (typeof album.id !== "string" || album.id.length === 0) return null;
+	if (typeof album.name !== "string") return null;
+	const url = spotifyUrl(album.external_urls);
+	const imageUrl = smallestImageUrl(album.images);
+	return {
+		id: album.id,
+		name: album.name,
+		artists: artistNames(album.artists),
+		releaseDate: typeof album.release_date === "string" ? album.release_date : "",
+		totalTracks: typeof album.total_tracks === "number" && Number.isFinite(album.total_tracks) ? album.total_tracks : 0,
+		...url !== void 0 ? { url } : {},
+		...imageUrl !== void 0 ? { imageUrl } : {}
+	};
+}
+function normaliseAlbumList(raw) {
+	if (!isRecord(raw)) return [];
+	const items = raw.items;
+	if (!Array.isArray(items)) return [];
+	const out = [];
+	for (const item of items) {
+		const normalised = normaliseAlbum(item);
+		if (normalised) out.push(normalised);
+	}
+	return out;
+}
+//#endregion
+//#region src/listening.ts
+async function fetchLiked(deps, limit) {
+	const result = await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "GET", `/v1/me/tracks?limit=${limit}`, {}, deps.now);
+	if (!result.ok) return result;
+	return {
+		ok: true,
+		data: normaliseTrackList(result.data, "track")
+	};
+}
+/** Spotify's `/v1/me/playlists` caps at 50 items per page. Walk
+*  pages until exhausted (`next === null`) or a hard cap is hit, so
+*  users with a large library don't silently lose playlists
+*  (CodeRabbit review on PR #1166). Cap at 500 so a runaway
+*  account-with-thousands-of-playlists doesn't blow the LLM context
+*  window or hammer the API. */
+var PLAYLISTS_PAGE_SIZE = 50;
+var PLAYLISTS_HARD_CAP = 500;
+async function fetchPlaylists(deps) {
+	const collected = [];
+	let offset = 0;
+	while (collected.length < PLAYLISTS_HARD_CAP) {
+		const result = await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "GET", `/v1/me/playlists?limit=${PLAYLISTS_PAGE_SIZE}&offset=${offset}`, {}, deps.now);
+		if (!result.ok) return result;
+		logPlaylistsPageDebug(deps, result.data, offset);
+		collected.push(...normalisePlaylistList(result.data));
+		if (!hasNextPage(result.data)) break;
+		offset += PLAYLISTS_PAGE_SIZE;
+	}
+	return {
+		ok: true,
+		data: collected
+	};
+}
+function hasNextPage(raw) {
+	return typeof raw === "object" && raw !== null && typeof raw.next === "string";
+}
+function logPlaylistsPageDebug(deps, raw, offset) {
+	if (typeof raw !== "object" || raw === null) return;
+	const items = raw.items;
+	if (!Array.isArray(items) || items.length === 0) return;
+	if (typeof items[0] !== "object" || items[0] === null) return;
+	const sample = items[0];
+	deps.runtime.log.debug("playlists page", {
+		offset,
+		count: items.length,
+		sample: {
+			id: sample.id,
+			name: sample.name,
+			tracks: sample.tracks
+		}
+	});
+}
+async function fetchPlaylistTracks(deps, playlistId, limit) {
+	const path = `/v1/playlists/${encodeURIComponent(playlistId)}/tracks?limit=${limit}`;
+	const result = await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "GET", path, {}, deps.now);
+	if (!result.ok) return result;
+	return {
+		ok: true,
+		data: normaliseTrackList(result.data, "track")
+	};
+}
+async function fetchRecent(deps, limit) {
+	const result = await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "GET", `/v1/me/player/recently-played?limit=${limit}`, {}, deps.now);
+	if (!result.ok) return result;
+	return {
+		ok: true,
+		data: normaliseRecentlyPlayed(result.data)
+	};
+}
+/** `nowPlaying` returns null when nothing is currently playing
+*  (Spotify returns 204). The View shows an empty state. */
+async function fetchNowPlaying(deps) {
+	const result = await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "GET", "/v1/me/player/currently-playing", {}, deps.now);
+	if (!result.ok) return result;
+	if (result.data === null) return {
+		ok: true,
+		data: null
+	};
+	if (typeof result.data === "object" && result.data !== null && "item" in result.data) return {
+		ok: true,
+		data: normaliseTrack(result.data.item)
+	};
+	return {
+		ok: true,
+		data: null
+	};
+}
+//#endregion
+//#region src/search.ts
+var DEFAULT_SEARCH_TYPES = [
+	"track",
+	"artist",
+	"album",
+	"playlist"
+];
+var DEFAULT_SEARCH_LIMIT = 10;
+async function searchSpotify(deps, query, types, limit) {
+	const requested = types && types.length > 0 ? types : DEFAULT_SEARCH_TYPES;
+	const url = buildSearchUrl(query, requested, limit ?? DEFAULT_SEARCH_LIMIT);
+	const response = await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "GET", url, {}, deps.now);
+	if (!response.ok) return response;
+	return {
+		ok: true,
+		data: assembleSearchResult(response.data, requested)
+	};
+}
+function buildSearchUrl(query, types, limit) {
+	return `/v1/search?${new URLSearchParams({
+		q: query,
+		limit: String(limit)
+	}).toString()}&type=${types.join(",")}`;
+}
+function assembleSearchResult(raw, requested) {
+	if (typeof raw !== "object" || raw === null) return {};
+	const root = raw;
+	const out = {};
+	if (requested.includes("track")) out.tracks = normaliseTrackList(root.tracks, "self");
+	if (requested.includes("artist")) out.artists = normaliseArtistList(root.artists);
+	if (requested.includes("album")) out.albums = normaliseAlbumList(root.albums);
+	if (requested.includes("playlist")) out.playlists = normalisePlaylistList(root.playlists);
+	return out;
+}
+//#endregion
+//#region src/searchSummary.ts
+/** Build the LLM-facing message string for a search result. The
+*  plain text mirrors the View's grouped sections, one entity per
+*  line.
+*
+*  `query` is user-influenced on the tool path — both the LLM and
+*  a manual View submission can put arbitrary strings in there.
+*  Embedding it raw lets a hostile query smuggle line breaks and
+*  control characters into the LLM's context window (a
+*  prompt-injection vector via tool output: `query: "x\n\nIgnore
+*  all previous instructions and …"`). Strip control chars and
+*  bound the length before interpolating (Codex review on PR
+*  #1168). */
+function summariseSearch(query, result) {
+	const safeQuery = sanitiseQueryForSummary(query);
+	const sections = [];
+	if (result.tracks?.length) sections.push(formatSearchSection("Tracks", result.tracks, formatTrackLine));
+	if (result.artists?.length) sections.push(formatSearchSection("Artists", result.artists, formatArtistLine));
+	if (result.albums?.length) sections.push(formatSearchSection("Albums", result.albums, formatAlbumLine));
+	if (result.playlists?.length) sections.push(formatSearchSection("Playlists", result.playlists, formatPlaylistLine));
+	if (sections.length === 0) return `Search "${safeQuery}": no results.`;
+	return `Search "${safeQuery}":\n${sections.join("\n\n")}`;
+}
+/** Cap and strip control characters so a hostile or accidentally
+*  multi-line query can't break out of the `Search "..."` quoting
+*  or smuggle `\n\nIgnore previous instructions ...` into the
+*  LLM-facing text. Exported for tests.
+*
+*  Coverage: C0 (0x00-0x1F), DEL (0x7F), C1 (0x80-0x9F), and the
+*  Unicode line/paragraph separators (U+2028, U+2029). Each maps
+*  to a single space so adjacent words don't fuse together; runs
+*  of whitespace then collapse to one space. */
+var SUMMARY_QUERY_MAX_LEN = 100;
+function isControlCodepoint(code) {
+	if (code <= 31) return true;
+	if (code >= 127 && code <= 159) return true;
+	if (code === 8232 || code === 8233) return true;
+	return false;
+}
+function sanitiseQueryForSummary(query) {
+	let cleaned = "";
+	for (const char of query) {
+		const code = char.codePointAt(0) ?? 0;
+		cleaned += isControlCodepoint(code) ? " " : char;
+	}
+	const collapsed = cleaned.replace(/\s+/g, " ").trim();
+	if (collapsed.length <= SUMMARY_QUERY_MAX_LEN) return collapsed;
+	return `${collapsed.slice(0, SUMMARY_QUERY_MAX_LEN)}…`;
+}
+function formatSearchSection(label, items, formatter) {
+	return `${label} (${items.length}):\n${items.map(formatter).join("\n")}`;
+}
+function formatTrackLine(track, idx) {
+	return `${idx + 1}. ${track.name} — ${track.artists.join(", ")}`;
+}
+function formatArtistLine(artist, idx) {
+	const genres = artist.genres.length > 0 ? ` [${artist.genres.slice(0, 3).join(", ")}]` : "";
+	return `${idx + 1}. ${artist.name}${genres}`;
+}
+function formatAlbumLine(album, idx) {
+	const year = album.releaseDate ? album.releaseDate.slice(0, 4) : "?";
+	return `${idx + 1}. ${album.name} — ${album.artists.join(", ")} (${year})`;
+}
+function formatPlaylistLine(playlist, idx) {
+	return `${idx + 1}. ${playlist.name} (${playlist.trackCount} tracks)`;
+}
+//#endregion
+//#region src/profile.ts
+var PROFILE_FILE = "profile.json";
+var PROFILE_TTL_MS = 1440 * 60 * ONE_SECOND_MS;
+var PREMIUM_PRODUCT = "premium";
+async function readProfile(files) {
+	if (!await files.exists(PROFILE_FILE)) return null;
+	try {
+		const raw = await files.read(PROFILE_FILE);
+		const parsed = JSON.parse(raw);
+		if (typeof parsed.product !== "string") return null;
+		if (typeof parsed.fetchedAtMs !== "number" || !Number.isFinite(parsed.fetchedAtMs)) return null;
+		return {
+			userId: typeof parsed.userId === "string" ? parsed.userId : "",
+			product: parsed.product,
+			displayName: typeof parsed.displayName === "string" ? parsed.displayName : "",
+			fetchedAtMs: parsed.fetchedAtMs
+		};
+	} catch {
+		return null;
+	}
+}
+async function writeProfile(files, profile) {
+	await files.write(PROFILE_FILE, JSON.stringify(profile, null, 2));
+}
+function isCacheFresh(profile, now) {
+	return now.getTime() - profile.fetchedAtMs < PROFILE_TTL_MS;
+}
+/** Get the cached profile if fresh; otherwise fetch + persist a
+*  new snapshot. On API failure with a stale cache we keep the
+*  stale value (better than locking the user out — a network blip
+*  shouldn't break playback).
+*
+*  Account scoping: cache is invalidated by `clearProfileCache`
+*  whenever new tokens are written (i.e. after `oauthCallback`),
+*  so reconnecting with a different Spotify account starts with a
+*  fresh fetch and never serves the previous account's `product`
+*  (Codex review on PR #1171). */
+async function getProfile(deps) {
+	const now = deps.now ?? (() => /* @__PURE__ */ new Date());
+	const cached = await readProfile(deps.runtime.files.config);
+	if (cached && isCacheFresh(cached, now())) return {
+		ok: true,
+		profile: cached
+	};
+	const fresh = await fetchProfile(deps);
+	if (fresh.ok) {
+		await writeProfile(deps.runtime.files.config, fresh.profile);
+		return {
+			ok: true,
+			profile: fresh.profile
+		};
+	}
+	if (cached) {
+		deps.runtime.log.warn("profile fetch failed; serving stale cache", { detail: errorMessage(fresh.error) });
+		return {
+			ok: true,
+			profile: cached
+		};
+	}
+	return fresh;
+}
+async function fetchProfile(deps) {
+	const result = await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "GET", "/v1/me", {}, deps.now);
+	if (!result.ok) return result;
+	const raw = result.data;
+	return {
+		ok: true,
+		profile: {
+			userId: typeof raw.id === "string" ? raw.id : "",
+			product: typeof raw.product === "string" ? raw.product : "free",
+			displayName: typeof raw.display_name === "string" ? raw.display_name : "",
+			fetchedAtMs: (deps.now ?? (() => /* @__PURE__ */ new Date()))().getTime()
+		}
+	};
+}
+function isPremium(profile) {
+	return profile.product === PREMIUM_PRODUCT;
+}
+function errorMessage(error) {
+	switch (error.kind) {
+		case "auth_expired": return error.detail;
+		case "transient_error": return error.detail;
+		case "rate_limited": return `rate limited (retry ${error.retryAfterSec}s)`;
+		case "spotify_api_error": return `${error.status}: ${error.body}`;
+		case "not_connected": return "not connected";
+	}
+}
+/** Test-only: clear the cache. Production callers should not need
+*  this — the TTL handles it. */
+async function clearProfileCache(files) {
+	if (await files.exists(PROFILE_FILE)) await files.unlink(PROFILE_FILE);
+}
+//#endregion
+//#region src/playback.ts
+async function playerPlay(deps, args) {
+	const body = {};
+	if (args.contextUri) body.context_uri = args.contextUri;
+	if (args.trackUris) body.uris = args.trackUris;
+	const path = withDeviceId("/v1/me/player/play", args.deviceId);
+	return mapVoidResult(await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "PUT", path, Object.keys(body).length > 0 ? { body } : {}, deps.now));
+}
+async function playerPause(deps, deviceId) {
+	const path = withDeviceId("/v1/me/player/pause", deviceId);
+	return mapVoidResult(await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "PUT", path, {}, deps.now));
+}
+async function playerNext(deps, deviceId) {
+	const path = withDeviceId("/v1/me/player/next", deviceId);
+	return mapVoidResult(await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "POST", path, {}, deps.now));
+}
+async function playerPrevious(deps, deviceId) {
+	const path = withDeviceId("/v1/me/player/previous", deviceId);
+	return mapVoidResult(await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "POST", path, {}, deps.now));
+}
+async function playerSeek(deps, positionMs, deviceId) {
+	const path = appendQueryParam(`/v1/me/player/seek?${new URLSearchParams({ position_ms: String(positionMs) }).toString()}`, "device_id", deviceId);
+	return mapVoidResult(await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "PUT", path, {}, deps.now));
+}
+async function playerSetVolume(deps, volumePercent, deviceId) {
+	const path = appendQueryParam(`/v1/me/player/volume?${new URLSearchParams({ volume_percent: String(volumePercent) }).toString()}`, "device_id", deviceId);
+	return mapVoidResult(await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "PUT", path, {}, deps.now));
+}
+async function playerTransfer(deps, deviceId, play) {
+	const body = { device_ids: [deviceId] };
+	if (play !== void 0) body.play = play;
+	return mapVoidResult(await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "PUT", "/v1/me/player", { body }, deps.now));
+}
+async function playerGetDevices(deps) {
+	const result = await spotifyApi(deps.runtime, deps.clientId, deps.tokens, "GET", "/v1/me/player/devices", {}, deps.now);
+	if (!result.ok) return result;
+	return {
+		ok: true,
+		data: normaliseDevices(result.data)
+	};
+}
+function withDeviceId(basePath, deviceId) {
+	if (!deviceId) return basePath;
+	return `${basePath}?${new URLSearchParams({ device_id: deviceId }).toString()}`;
+}
+function appendQueryParam(path, key, value) {
+	if (!value) return path;
+	return `${path}&${new URLSearchParams({ [key]: value }).toString()}`;
+}
+/** Player API success responses are 204 No Content; `data` is null
+*  in our client wrapper. Normalise so the dispatcher can use a
+*  uniform `{ ok, message }` shape. */
+function mapVoidResult(result) {
+	if (!result.ok) return result;
+	return {
+		ok: true,
+		data: null
+	};
+}
+function normaliseDevices(raw) {
+	if (typeof raw !== "object" || raw === null) return [];
+	const devices = raw.devices;
+	if (!Array.isArray(devices)) return [];
+	const out = [];
+	for (const candidate of devices) {
+		const normalised = normaliseDevice(candidate);
+		if (normalised) out.push(normalised);
+	}
+	return out;
+}
+function normaliseDevice(raw) {
+	if (typeof raw !== "object" || raw === null) return null;
+	const device = raw;
+	if (typeof device.name !== "string") return null;
+	const id = typeof device.id === "string" && device.id.length > 0 ? device.id : null;
+	const volumePercent = typeof device.volume_percent === "number" && Number.isFinite(device.volume_percent) ? device.volume_percent : void 0;
+	return {
+		id,
+		name: device.name,
+		type: typeof device.type === "string" ? device.type : "",
+		isActive: device.is_active === true,
+		...volumePercent !== void 0 ? { volumePercent } : {}
+	};
+}
+//#endregion
+//#region src/index.ts
+var OAUTH_CALLBACK_ALIAS = "spotify";
+/** Scope set requested at OAuth time. Two extra scopes were added
+*  in PR 3 for Player Controls: `user-read-playback-state` (read
+*  active device + playback state) and `user-modify-playback-state`
+*  (play/pause/next/seek/volume/transfer). Existing users from
+*  PR 1/2 will hit `403 Insufficient client scope` on the new
+*  player kinds and need to reconnect. */
+var SPOTIFY_SCOPES = [
+	"playlist-read-private",
+	"user-library-read",
+	"user-modify-playback-state",
+	"user-read-currently-playing",
+	"user-read-playback-state",
+	"user-read-recently-played"
+];
+var SPOTIFY_TOKEN_URL = "https://accounts.spotify.com/api/token";
+var SPOTIFY_TOKEN_HOST = "accounts.spotify.com";
+var TOKEN_EXCHANGE_TIMEOUT_MS = 15 * ONE_SECOND_MS;
+var CLIENT_ID_MISSING_INSTRUCTIONS = [
+	"Spotify の Client ID が未設定です。",
+	"",
+	"1. https://developer.spotify.com/dashboard を開いて Spotify アカウントでログイン",
+	"2. 「Create app」 → Redirect URIs に http://127.0.0.1:<PORT>/api/plugins/runtime/oauth-callback/spotify を追加 (PORT は mulmoclaude が動いているポート)",
+	"3. Web API をチェックして保存",
+	"4. Client ID をコピー",
+	"5. plugin View の「Configure」で貼り付ける",
+	"",
+	"詳細: docs/tips/spotify-setup.md"
+].join("\n");
+var src_default = definePlugin((pluginRuntime) => {
+	const { files, log, fetch: runtimeFetch, pubsub } = pluginRuntime;
+	return {
+		TOOL_DEFINITION,
+		async manageSpotify(rawArgs) {
+			const parsed = DispatchArgsSchema.safeParse(rawArgs);
+			if (!parsed.success) return {
+				ok: false,
+				error: "invalid_args",
+				message: `Invalid arguments: ${parsed.error.issues[0]?.message ?? "unknown"}`
+			};
+			const args = parsed.data;
+			switch (args.kind) {
+				case "connect": return handleConnect(args.redirectUri);
+				case "oauthCallback": return handleOauthCallback({
+					code: args.code,
+					state: args.state,
+					error: args.error
+				});
+				case "status": return handleStatus();
+				case "diagnose": return handleDiagnose();
+				case "configure": return handleConfigure({ clientId: args.clientId });
+				case "liked": return handleListening("liked", args);
+				case "playlists": return handleListening("playlists", args);
+				case "playlistTracks": return handleListening("playlistTracks", args);
+				case "recent": return handleListening("recent", args);
+				case "nowPlaying": return handleListening("nowPlaying", args);
+				case "search": return handleSearch(args);
+				case "play":
+				case "pause":
+				case "next":
+				case "previous":
+				case "seek":
+				case "setVolume":
+				case "transferPlayback":
+				case "getDevices": return handlePlayer(args);
+				default: throw new Error(`Unhandled kind: ${JSON.stringify(args)}`);
+			}
+		}
+	};
+	async function handleConnect(redirectUri) {
+		const clientConfig = await readClientConfig(files.config);
+		if (!clientConfig) return {
+			ok: false,
+			error: "client_id_missing",
+			message: "Spotify Client ID が未設定です。詳細は instructions を参照してください。",
+			instructions: CLIENT_ID_MISSING_INSTRUCTIONS
+		};
+		const codeVerifier = generateRandomToken();
+		const codeChallenge = await deriveCodeChallenge(codeVerifier);
+		const state = registerPendingAuthorization(codeVerifier, redirectUri);
+		return {
+			ok: true,
+			message: "Spotify の同意画面の URL を生成しました。ブラウザで開いてください。",
+			data: { authorizeUrl: buildAuthorizeUrl({
+				clientId: clientConfig.clientId,
+				redirectUri,
+				scopes: SPOTIFY_SCOPES,
+				state,
+				codeChallenge
+			}) }
+		};
+	}
+	async function handleOauthCallback(input) {
+		if (input.error) {
+			log.info("user denied authorization", { error: input.error });
+			return {
+				ok: false,
+				error: "auth_denied",
+				message: `Spotify からの認可が拒否されました: ${input.error}`,
+				html: renderCallbackHtml({
+					title: "Spotify authorization denied",
+					body: `Spotify returned: ${input.error}`
+				})
+			};
+		}
+		if (!input.code || !input.state) return {
+			ok: false,
+			error: "invalid_callback",
+			message: "Callback request was missing `code` or `state`.",
+			html: renderCallbackHtml({
+				title: "Invalid callback",
+				body: "Missing `code` or `state` query parameter."
+			})
+		};
+		const pending = consumePendingAuthorization(input.state);
+		if (!pending) return {
+			ok: false,
+			error: "unknown_state",
+			message: "この認可リクエストは mulmoclaude から開始されたものではない、または期限切れです。",
+			instructions: "plugin View の「Connect」を再度押してください。",
+			html: renderCallbackHtml({
+				title: "Unknown state",
+				body: "This authorization request was not initiated by mulmoclaude (or it expired). Please retry from the plugin View."
+			})
+		};
+		const clientConfig = await readClientConfig(files.config);
+		if (!clientConfig) return {
+			ok: false,
+			error: "client_id_missing",
+			message: "Spotify Client ID が未設定です。",
+			instructions: CLIENT_ID_MISSING_INSTRUCTIONS,
+			html: renderCallbackHtml({
+				title: "Spotify client ID not configured",
+				body: CLIENT_ID_MISSING_INSTRUCTIONS
+			})
+		};
+		try {
+			const tokens = await exchangeCodeForTokens({
+				code: input.code,
+				clientId: clientConfig.clientId,
+				codeVerifier: pending.codeVerifier,
+				redirectUri: pending.redirectUri
+			});
+			await writeTokens(files.config, tokens);
+			await clearProfileCache(files.config);
+			pubsub.publish("connected", { scopes: tokens.scopes });
+			log.info("tokens written", { scopes: tokens.scopes });
+			return {
+				ok: true,
+				message: "Spotify を接続しました。",
+				html: renderCallbackHtml({
+					title: "Spotify connected",
+					body: "You can close this window and return to mulmoclaude."
+				})
+			};
+		} catch (err) {
+			const detail = err instanceof Error ? err.message : String(err);
+			log.error("token exchange failed", { error: detail });
+			const instructions = `Token exchange failed: ${detail}\n\nThis usually means the Redirect URI registered in your Spotify Developer Dashboard does not match the URL mulmoclaude is using:\n${pending.redirectUri}`;
+			return {
+				ok: false,
+				error: "token_exchange_failed",
+				message: detail,
+				instructions,
+				html: renderCallbackHtml({
+					title: "Token exchange failed",
+					body: instructions
+				})
+			};
+		}
+	}
+	async function handleStatus() {
+		const clientConfig = await readClientConfig(files.config);
+		const tokens = await readTokens(files.config);
+		let premium = null;
+		let displayName = "";
+		if (tokens && clientConfig) {
+			const profileResult = await getProfile({
+				runtime: pluginRuntime,
+				clientId: clientConfig.clientId,
+				tokens
+			});
+			if (profileResult.ok) {
+				premium = isPremium(profileResult.profile);
+				displayName = profileResult.profile.displayName;
+			}
+		}
+		return {
+			ok: true,
+			message: tokens ? "Connected." : clientConfig ? "Client ID is configured but you haven't connected yet." : "Client ID is not configured.",
+			data: {
+				clientIdConfigured: clientConfig !== null,
+				connected: tokens !== null,
+				expiresAt: tokens?.expiresAt ?? null,
+				scopes: tokens?.scopes ?? [],
+				isPremium: premium,
+				displayName
+			}
+		};
+	}
+	async function handleDiagnose() {
+		const clientConfig = await readClientConfig(files.config);
+		const tokens = await readTokens(files.config);
+		return {
+			ok: true,
+			message: "See `data` for the connection diagnostics.",
+			data: {
+				clientIdConfigured: clientConfig !== null,
+				tokensPresent: tokens !== null,
+				expiresAt: tokens?.expiresAt ?? null,
+				scopes: tokens?.scopes ?? []
+			}
+		};
+	}
+	async function exchangeCodeForTokens(params) {
+		const response = await runtimeFetch(SPOTIFY_TOKEN_URL, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body: new URLSearchParams({
+				grant_type: "authorization_code",
+				code: params.code,
+				redirect_uri: params.redirectUri,
+				client_id: params.clientId,
+				code_verifier: params.codeVerifier
+			}).toString(),
+			timeoutMs: TOKEN_EXCHANGE_TIMEOUT_MS,
+			allowedHosts: [SPOTIFY_TOKEN_HOST]
+		});
+		if (!response.ok) {
+			const body = await response.text().catch(() => "");
+			throw new Error(`Spotify token endpoint returned ${response.status}: ${body.slice(0, 300)}`);
+		}
+		const raw = await response.json();
+		if (typeof raw.access_token !== "string" || raw.access_token.length === 0) throw new Error("Spotify response missing access_token");
+		if (typeof raw.refresh_token !== "string" || raw.refresh_token.length === 0) throw new Error("Spotify response missing refresh_token");
+		if (typeof raw.expires_in !== "number" || !Number.isFinite(raw.expires_in)) throw new Error("Spotify response missing expires_in");
+		return {
+			accessToken: raw.access_token,
+			refreshToken: raw.refresh_token,
+			expiresAt: new Date(Date.now() + raw.expires_in * ONE_SECOND_MS).toISOString(),
+			scopes: typeof raw.scope === "string" ? raw.scope.split(" ").filter(Boolean) : [...SPOTIFY_SCOPES]
+		};
+	}
+	async function handleConfigure(args) {
+		const trimmed = args.clientId.trim();
+		if (trimmed.length === 0) return {
+			ok: false,
+			error: "invalid_client_id",
+			message: "Client ID が空です。Spotify Developer Dashboard からコピーした文字列を貼り付けてください。"
+		};
+		const config = { clientId: trimmed };
+		await writeClientConfig(files.config, config);
+		log.info("client id configured");
+		return {
+			ok: true,
+			message: "Spotify Client ID を保存しました。"
+		};
+	}
+	async function handleListening(kind, args) {
+		const ready = await loadCredentials();
+		if (!ready.ok) return ready.errorResponse;
+		const result = await invokeListening(kind, args, {
+			runtime: pluginRuntime,
+			clientId: ready.clientConfig.clientId,
+			tokens: ready.tokens
+		});
+		if (!result.ok) return mapClientError(result.error);
+		return {
+			ok: true,
+			message: summariseListening(kind, result.data),
+			data: result.data
+		};
+	}
+	async function handleSearch(args) {
+		const ready = await loadCredentials();
+		if (!ready.ok) return ready.errorResponse;
+		const result = await searchSpotify({
+			runtime: pluginRuntime,
+			clientId: ready.clientConfig.clientId,
+			tokens: ready.tokens
+		}, args.query, args.types, args.limit);
+		if (!result.ok) return mapClientError(result.error);
+		return {
+			ok: true,
+			message: summariseSearch(args.query, result.data),
+			data: result.data
+		};
+	}
+	async function handlePlayer(args) {
+		if (args.kind === "play" && args.contextUri && args.trackUris) return {
+			ok: false,
+			error: "invalid_args",
+			message: "play: `contextUri` と `trackUris` は同時に指定できません。どちらか一方を選んでください。"
+		};
+		const ready = await loadCredentials();
+		if (!ready.ok) return ready.errorResponse;
+		const deps = {
+			runtime: pluginRuntime,
+			clientId: ready.clientConfig.clientId,
+			tokens: ready.tokens
+		};
+		if (args.kind !== "getDevices") {
+			const gate = await premiumGate(deps);
+			if (gate) return gate;
+		}
+		const result = await invokePlayer(args, deps);
+		if (!result.ok) return mapPlayerError(result.error, args.kind);
+		return summarisePlayerResult(args.kind, result.data);
+	}
+	async function loadCredentials() {
+		const clientConfig = await readClientConfig(files.config);
+		if (!clientConfig) return {
+			ok: false,
+			errorResponse: {
+				ok: false,
+				error: "client_id_missing",
+				message: "Spotify Client ID が未設定です。",
+				instructions: CLIENT_ID_MISSING_INSTRUCTIONS
+			}
+		};
+		const tokens = await readTokens(files.config);
+		if (!tokens) return {
+			ok: false,
+			errorResponse: {
+				ok: false,
+				error: "not_connected",
+				message: "Spotify に未接続です。「Connect」を実行してください。"
+			}
+		};
+		return {
+			ok: true,
+			clientConfig,
+			tokens
+		};
+	}
+});
+async function invokePlayer(args, deps) {
+	switch (args.kind) {
+		case "play": return playerPlay(deps, {
+			deviceId: args.deviceId,
+			contextUri: args.contextUri,
+			trackUris: args.trackUris
+		});
+		case "pause": return playerPause(deps, args.deviceId);
+		case "next": return playerNext(deps, args.deviceId);
+		case "previous": return playerPrevious(deps, args.deviceId);
+		case "seek": return playerSeek(deps, args.positionMs, args.deviceId);
+		case "setVolume": return playerSetVolume(deps, args.volumePercent, args.deviceId);
+		case "transferPlayback": return playerTransfer(deps, args.deviceId, args.play);
+		case "getDevices": return playerGetDevices(deps);
+	}
+}
+async function invokeListening(kind, args, deps) {
+	switch (kind) {
+		case "liked": return fetchLiked(deps, args.kind === "liked" ? args.limit ?? 50 : 50);
+		case "playlists": return fetchPlaylists(deps);
+		case "playlistTracks":
+			if (args.kind !== "playlistTracks") throw new Error("kind/args mismatch");
+			return fetchPlaylistTracks(deps, args.playlistId, args.limit ?? 100);
+		case "recent": return fetchRecent(deps, args.kind === "recent" ? args.limit ?? 50 : 50);
+		case "nowPlaying": return fetchNowPlaying(deps);
+	}
+}
+/** Build the LLM-facing message string for a listening result.
+*  The plain text mirrors the View's grid: title + artists, one per
+*  line. Length-capped per kind so the LLM context window doesn't
+*  blow up on a 50-track Liked Songs response. */
+function summariseListening(kind, data) {
+	if (kind === "nowPlaying") {
+		if (!data || typeof data !== "object" || !("name" in data)) return "Nothing is currently playing.";
+		const track = data;
+		return `Now playing: ${track.name} — ${track.artists.join(", ")} (${track.album})`;
+	}
+	if (!Array.isArray(data) || data.length === 0) return `No ${kind} items.`;
+	if (kind === "playlists") {
+		const lines = data.map((p, i) => `${i + 1}. ${p.name} (${p.trackCount} tracks)`);
+		return `Playlists (${data.length}):\n${lines.join("\n")}`;
+	}
+	if (kind === "recent") {
+		const lines = data.map((item, i) => {
+			const when = item.playedAt ? new Date(item.playedAt).toISOString().slice(0, 16).replace("T", " ") : "?";
+			return `${i + 1}. [${when}] ${item.track.name} — ${item.track.artists.join(", ")}`;
+		});
+		return `Recently played (${data.length}):\n${lines.join("\n")}`;
+	}
+	const lines = data.map((t, i) => `${i + 1}. ${t.name} — ${t.artists.join(", ")}`);
+	return `${kind === "liked" ? "Liked Songs" : "Playlist tracks"} (${data.length}):\n${lines.join("\n")}`;
+}
+async function premiumGate(deps) {
+	const profileResult = await getProfile(deps);
+	if (!profileResult.ok) return mapClientError(profileResult.error);
+	if (isPremium(profileResult.profile)) return null;
+	return {
+		ok: false,
+		error: "premium_required",
+		message: "Spotify Premium が必要な操作です。Free アカウントでは再生制御は使えません。",
+		instructions: "Spotify Premium にアップグレードしてください。再生制御以外 (Liked / Playlists / Recent / Search) は Free でも引き続き利用できます。"
+	};
+}
+function summarisePlayerResult(kind, data) {
+	if (kind === "getDevices") {
+		const devices = data ?? [];
+		if (devices.length === 0) return {
+			ok: true,
+			message: "アクティブな Spotify デバイスがありません。Spotify アプリを起動してから再度お試しください。",
+			data: devices
+		};
+		const lines = devices.map((d, i) => `${i + 1}. ${d.name} (${d.type})${d.isActive ? " — active" : ""}`);
+		return {
+			ok: true,
+			message: `Devices (${devices.length}):\n${lines.join("\n")}`,
+			data: devices
+		};
+	}
+	return {
+		ok: true,
+		message: PLAYER_SUCCESS_MESSAGES[kind]
+	};
+}
+var PLAYER_SUCCESS_MESSAGES = {
+	play: "再生を開始しました。",
+	pause: "再生を一時停止しました。",
+	next: "次の曲に進みました。",
+	previous: "前の曲に戻りました。",
+	seek: "位置をシークしました。",
+	setVolume: "音量を変更しました。",
+	transferPlayback: "再生をデバイスに移しました。"
+};
+function mapPlayerError(error, kind) {
+	if (error.kind === "spotify_api_error" && error.status === 404 && kind !== "getDevices") return {
+		ok: false,
+		error: "no_active_device",
+		message: "アクティブな Spotify デバイスがありません。Spotify アプリ (デスクトップ / モバイル / Web) を起動してから再度お試しください。",
+		instructions: "View の Player タブから対象デバイスを選んで「Transfer」を押すか、Spotify アプリ側で何か再生してから再試行してください。"
+	};
+	if (error.kind === "spotify_api_error" && error.status === 403 && error.body.includes("scope")) return {
+		ok: false,
+		error: "scope_missing",
+		message: "新しい権限の追加が必要です。Spotify View ヘッダの「Reconnect」ボタンを押して再認可してください。",
+		instructions: "PR 3 で追加された Player 制御は新しい OAuth scope を要求します。View 右上の「Reconnect」ボタンで Spotify の同意画面を開き直すと scope が更新されます。"
+	};
+	return mapClientError(error);
+}
+function mapClientError(error) {
+	switch (error.kind) {
+		case "auth_expired": return {
+			ok: false,
+			error: "auth_expired",
+			message: "認可が無効化されました。「Connect」をやり直してください。",
+			detail: error.detail
+		};
+		case "transient_error": return {
+			ok: false,
+			error: "transient_error",
+			message: "Spotify に一時的に接続できませんでした。しばらくしてから再試行してください。",
+			detail: error.detail
+		};
+		case "rate_limited": return {
+			ok: false,
+			error: "rate_limited",
+			message: `Spotify から rate limit を返されました。${error.retryAfterSec} 秒後に再試行してください。`,
+			retryAfterSec: error.retryAfterSec
+		};
+		case "spotify_api_error": return {
+			ok: false,
+			error: "spotify_api_error",
+			message: `Spotify API がエラーを返しました (${error.status})`,
+			detail: error.body
+		};
+		case "not_connected": return {
+			ok: false,
+			error: "not_connected",
+			message: "Spotify に未接続です。"
+		};
+	}
+}
+function renderCallbackHtml(params) {
+	return `<!doctype html><html lang="en"><meta charset="utf-8"><title>${escapeHtml(params.title)}</title>
+<style>body{font-family:system-ui,sans-serif;max-width:40rem;margin:4rem auto;padding:0 1rem;color:#111}h1{margin-bottom:1rem}pre{white-space:pre-wrap;background:#f5f5f5;padding:1rem;border-radius:.5rem}</style>
+<h1>${escapeHtml(params.title)}</h1>
+<pre>${escapeHtml(params.body)}</pre>
+</html>`;
+}
+function escapeHtml(value) {
+	return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;").replaceAll("'", "&#39;");
+}
+//#endregion
+export { OAUTH_CALLBACK_ALIAS, TOOL_DEFINITION, src_default as default };
+
+//# sourceMappingURL=index.js.map