@noxsoft/anima 2.0.0

package/dist/auth-profiles-Cz2rxrav.js

@@ -0,0 +1,2690 @@
+import { t as __exportAll } from "./rolldown-runtime-Cbj13DAv.js";
+import { $ as resolveStateDir, Q as resolveOAuthPath, n as isTruthyEnvValue, o as createSubsystemLogger } from "./entry.js";
+import { t as formatCliCommand } from "./command-format-Clp46jkj.js";
+import { n as DEFAULT_AGENT_ID } from "./session-key-BGiG_JcT.js";
+import { y as resolveUserPath } from "./utils-C9sj30YY.js";
+import { a as resolveAgentModelPrimary } from "./agent-scope-OZi7lb8S.js";
+import { execFileSync, execSync } from "node:child_process";
+import path from "node:path";
+import fs from "node:fs";
+import fs$1 from "node:fs/promises";
+import "@aws-sdk/client-bedrock";
+import { getEnvApiKey, getOAuthApiKey, getOAuthProviders } from "@mariozechner/pi-ai";
+import { createHash, randomBytes, randomUUID } from "node:crypto";
+
+//#region src/agents/auth-profiles/constants.ts
+const AUTH_STORE_VERSION = 1;
+const AUTH_PROFILE_FILENAME = "auth-profiles.json";
+const LEGACY_AUTH_FILENAME = "auth.json";
+const CLAUDE_CLI_PROFILE_ID = "anthropic:claude-cli";
+const CODEX_CLI_PROFILE_ID = "openai-codex:codex-cli";
+const QWEN_CLI_PROFILE_ID = "qwen-portal:qwen-cli";
+const MINIMAX_CLI_PROFILE_ID = "minimax-portal:minimax-cli";
+const AUTH_STORE_LOCK_OPTIONS = {
+	retries: {
+		retries: 10,
+		factor: 2,
+		minTimeout: 100,
+		maxTimeout: 1e4,
+		randomize: true
+	},
+	stale: 3e4
+};
+const EXTERNAL_CLI_SYNC_TTL_MS = 900 * 1e3;
+const EXTERNAL_CLI_NEAR_EXPIRY_MS = 600 * 1e3;
+const log$1 = createSubsystemLogger("agents/auth-profiles");
+
+//#endregion
+//#region src/agents/auth-profiles/display.ts
+function resolveAuthProfileDisplayLabel(params) {
+	const { cfg, store, profileId } = params;
+	const profile = store.profiles[profileId];
+	const email = cfg?.auth?.profiles?.[profileId]?.email?.trim() || (profile && "email" in profile ? profile.email?.trim() : void 0);
+	if (email) return `${profileId} (${email})`;
+	return profileId;
+}
+
+//#endregion
+//#region src/agents/defaults.ts
+const DEFAULT_PROVIDER = "anthropic";
+const DEFAULT_MODEL = "claude-opus-4-6";
+const DEFAULT_CONTEXT_TOKENS = 2e5;
+
+//#endregion
+//#region src/agents/cloudflare-ai-gateway.ts
+const CLOUDFLARE_AI_GATEWAY_PROVIDER_ID = "cloudflare-ai-gateway";
+const CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_ID = "claude-sonnet-4-5";
+const CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF = `${CLOUDFLARE_AI_GATEWAY_PROVIDER_ID}/${CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_ID}`;
+const CLOUDFLARE_AI_GATEWAY_DEFAULT_CONTEXT_WINDOW = 2e5;
+const CLOUDFLARE_AI_GATEWAY_DEFAULT_MAX_TOKENS = 64e3;
+const CLOUDFLARE_AI_GATEWAY_DEFAULT_COST = {
+	input: 3,
+	output: 15,
+	cacheRead: .3,
+	cacheWrite: 3.75
+};
+function buildCloudflareAiGatewayModelDefinition(params) {
+	return {
+		id: params?.id?.trim() || CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_ID,
+		name: params?.name ?? "Claude Sonnet 4.5",
+		reasoning: params?.reasoning ?? true,
+		input: params?.input ?? ["text", "image"],
+		cost: CLOUDFLARE_AI_GATEWAY_DEFAULT_COST,
+		contextWindow: CLOUDFLARE_AI_GATEWAY_DEFAULT_CONTEXT_WINDOW,
+		maxTokens: CLOUDFLARE_AI_GATEWAY_DEFAULT_MAX_TOKENS
+	};
+}
+function resolveCloudflareAiGatewayBaseUrl(params) {
+	const accountId = params.accountId.trim();
+	const gatewayId = params.gatewayId.trim();
+	if (!accountId || !gatewayId) return "";
+	return `https://gateway.ai.cloudflare.com/v1/${accountId}/${gatewayId}/anthropic`;
+}
+
+//#endregion
+//#region src/agents/huggingface-models.ts
+/** Hugging Face Inference Providers (router) — OpenAI-compatible chat completions. */
+const HUGGINGFACE_BASE_URL = "https://router.huggingface.co/v1";
+/** Router policy suffixes: router picks backend by cost or speed; no specific provider selection. */
+const HUGGINGFACE_POLICY_SUFFIXES = ["cheapest", "fastest"];
+/**
+* True when the model ref uses :cheapest or :fastest. When true, provider choice is locked
+* (router decides); do not show an interactive "prefer specific backend" option.
+*/
+function isHuggingfacePolicyLocked(modelRef) {
+	const ref = String(modelRef).trim();
+	return HUGGINGFACE_POLICY_SUFFIXES.some((s) => ref.endsWith(`:${s}`) || ref === s);
+}
+/** Default cost when not in static catalog (HF pricing varies by provider). */
+const HUGGINGFACE_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+/** Defaults for models discovered from GET /v1/models. */
+const HUGGINGFACE_DEFAULT_CONTEXT_WINDOW = 131072;
+const HUGGINGFACE_DEFAULT_MAX_TOKENS = 8192;
+const HUGGINGFACE_MODEL_CATALOG = [
+	{
+		id: "deepseek-ai/DeepSeek-R1",
+		name: "DeepSeek R1",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		cost: {
+			input: 3,
+			output: 7,
+			cacheRead: 3,
+			cacheWrite: 3
+		}
+	},
+	{
+		id: "deepseek-ai/DeepSeek-V3.1",
+		name: "DeepSeek V3.1",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		cost: {
+			input: .6,
+			output: 1.25,
+			cacheRead: .6,
+			cacheWrite: .6
+		}
+	},
+	{
+		id: "meta-llama/Llama-3.3-70B-Instruct-Turbo",
+		name: "Llama 3.3 70B Instruct Turbo",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		cost: {
+			input: .88,
+			output: .88,
+			cacheRead: .88,
+			cacheWrite: .88
+		}
+	},
+	{
+		id: "openai/gpt-oss-120b",
+		name: "GPT-OSS 120B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		cost: {
+			input: 0,
+			output: 0,
+			cacheRead: 0,
+			cacheWrite: 0
+		}
+	}
+];
+function buildHuggingfaceModelDefinition(model) {
+	return {
+		id: model.id,
+		name: model.name,
+		reasoning: model.reasoning,
+		input: model.input,
+		cost: model.cost,
+		contextWindow: model.contextWindow,
+		maxTokens: model.maxTokens
+	};
+}
+/**
+* Infer reasoning and display name from Hub-style model id (e.g. "deepseek-ai/DeepSeek-R1").
+*/
+function inferredMetaFromModelId(id) {
+	const base = id.split("/").pop() ?? id;
+	const reasoning = /r1|reasoning|thinking|reason/i.test(id) || /-\d+[tb]?-thinking/i.test(base);
+	return {
+		name: base.replace(/-/g, " ").replace(/\b(\w)/g, (c) => c.toUpperCase()),
+		reasoning
+	};
+}
+/** Prefer API-supplied display name, then owned_by/id, then inferred from id. */
+function displayNameFromApiEntry(entry, inferredName) {
+	const fromApi = typeof entry.name === "string" && entry.name.trim() || typeof entry.title === "string" && entry.title.trim() || typeof entry.display_name === "string" && entry.display_name.trim();
+	if (fromApi) return fromApi;
+	if (typeof entry.owned_by === "string" && entry.owned_by.trim()) {
+		const base = entry.id.split("/").pop() ?? entry.id;
+		return `${entry.owned_by.trim()}/${base}`;
+	}
+	return inferredName;
+}
+/**
+* Discover chat-completion models from Hugging Face Inference Providers (GET /v1/models).
+* Requires a valid HF token. Falls back to static catalog on failure or in test env.
+*/
+async function discoverHuggingfaceModels(apiKey) {
+	if (process.env.VITEST === "true" || false) return HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
+	const trimmedKey = apiKey?.trim();
+	if (!trimmedKey) return HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
+	try {
+		const response = await fetch(`${HUGGINGFACE_BASE_URL}/models`, {
+			signal: AbortSignal.timeout(1e4),
+			headers: {
+				Authorization: `Bearer ${trimmedKey}`,
+				"Content-Type": "application/json"
+			}
+		});
+		if (!response.ok) {
+			console.warn(`[huggingface-models] GET /v1/models failed: HTTP ${response.status}, using static catalog`);
+			return HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
+		}
+		const data = (await response.json())?.data;
+		if (!Array.isArray(data) || data.length === 0) {
+			console.warn("[huggingface-models] No models in response, using static catalog");
+			return HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
+		}
+		const catalogById = new Map(HUGGINGFACE_MODEL_CATALOG.map((m) => [m.id, m]));
+		const seen = /* @__PURE__ */ new Set();
+		const models = [];
+		for (const entry of data) {
+			const id = typeof entry?.id === "string" ? entry.id.trim() : "";
+			if (!id || seen.has(id)) continue;
+			seen.add(id);
+			const catalogEntry = catalogById.get(id);
+			if (catalogEntry) models.push(buildHuggingfaceModelDefinition(catalogEntry));
+			else {
+				const inferred = inferredMetaFromModelId(id);
+				const name = displayNameFromApiEntry(entry, inferred.name);
+				const modalities = entry.architecture?.input_modalities;
+				const input = Array.isArray(modalities) && modalities.includes("image") ? ["text", "image"] : ["text"];
+				const contextLength = (Array.isArray(entry.providers) ? entry.providers : []).find((p) => typeof p?.context_length === "number" && p.context_length > 0)?.context_length ?? HUGGINGFACE_DEFAULT_CONTEXT_WINDOW;
+				models.push({
+					id,
+					name,
+					reasoning: inferred.reasoning,
+					input,
+					cost: HUGGINGFACE_DEFAULT_COST,
+					contextWindow: contextLength,
+					maxTokens: HUGGINGFACE_DEFAULT_MAX_TOKENS
+				});
+			}
+		}
+		return models.length > 0 ? models : HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
+	} catch (error) {
+		console.warn(`[huggingface-models] Discovery failed: ${String(error)}, using static catalog`);
+		return HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
+	}
+}
+
+//#endregion
+//#region src/infra/shell-env.ts
+const DEFAULT_TIMEOUT_MS = 15e3;
+const DEFAULT_MAX_BUFFER_BYTES = 2 * 1024 * 1024;
+let lastAppliedKeys = [];
+let cachedShellPath;
+function resolveShell(env) {
+	const shell = env.SHELL?.trim();
+	return shell && shell.length > 0 ? shell : "/bin/sh";
+}
+function parseShellEnv(stdout) {
+	const shellEnv = /* @__PURE__ */ new Map();
+	const parts = stdout.toString("utf8").split("\0");
+	for (const part of parts) {
+		if (!part) continue;
+		const eq = part.indexOf("=");
+		if (eq <= 0) continue;
+		const key = part.slice(0, eq);
+		const value = part.slice(eq + 1);
+		if (!key) continue;
+		shellEnv.set(key, value);
+	}
+	return shellEnv;
+}
+function loadShellEnvFallback(opts) {
+	const logger = opts.logger ?? console;
+	const exec = opts.exec ?? execFileSync;
+	if (!opts.enabled) {
+		lastAppliedKeys = [];
+		return {
+			ok: true,
+			applied: [],
+			skippedReason: "disabled"
+		};
+	}
+	if (opts.expectedKeys.some((key) => Boolean(opts.env[key]?.trim()))) {
+		lastAppliedKeys = [];
+		return {
+			ok: true,
+			applied: [],
+			skippedReason: "already-has-keys"
+		};
+	}
+	const timeoutMs = typeof opts.timeoutMs === "number" && Number.isFinite(opts.timeoutMs) ? Math.max(0, opts.timeoutMs) : DEFAULT_TIMEOUT_MS;
+	const shell = resolveShell(opts.env);
+	let stdout;
+	try {
+		stdout = exec(shell, [
+			"-l",
+			"-c",
+			"env -0"
+		], {
+			encoding: "buffer",
+			timeout: timeoutMs,
+			maxBuffer: DEFAULT_MAX_BUFFER_BYTES,
+			env: opts.env,
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		logger.warn(`[anima] shell env fallback failed: ${msg}`);
+		lastAppliedKeys = [];
+		return {
+			ok: false,
+			error: msg,
+			applied: []
+		};
+	}
+	const shellEnv = parseShellEnv(stdout);
+	const applied = [];
+	for (const key of opts.expectedKeys) {
+		if (opts.env[key]?.trim()) continue;
+		const value = shellEnv.get(key);
+		if (!value?.trim()) continue;
+		opts.env[key] = value;
+		applied.push(key);
+	}
+	lastAppliedKeys = applied;
+	return {
+		ok: true,
+		applied
+	};
+}
+function shouldEnableShellEnvFallback(env) {
+	return isTruthyEnvValue(env.ANIMA_LOAD_SHELL_ENV);
+}
+function shouldDeferShellEnvFallback(env) {
+	return isTruthyEnvValue(env.ANIMA_DEFER_SHELL_ENV_FALLBACK);
+}
+function resolveShellEnvFallbackTimeoutMs(env) {
+	const raw = env.ANIMA_SHELL_ENV_TIMEOUT_MS?.trim();
+	if (!raw) return DEFAULT_TIMEOUT_MS;
+	const parsed = Number.parseInt(raw, 10);
+	if (!Number.isFinite(parsed)) return DEFAULT_TIMEOUT_MS;
+	return Math.max(0, parsed);
+}
+function getShellPathFromLoginShell(opts) {
+	if (cachedShellPath !== void 0) return cachedShellPath;
+	if (process.platform === "win32") {
+		cachedShellPath = null;
+		return cachedShellPath;
+	}
+	const exec = opts.exec ?? execFileSync;
+	const timeoutMs = typeof opts.timeoutMs === "number" && Number.isFinite(opts.timeoutMs) ? Math.max(0, opts.timeoutMs) : DEFAULT_TIMEOUT_MS;
+	const shell = resolveShell(opts.env);
+	let stdout;
+	try {
+		stdout = exec(shell, [
+			"-l",
+			"-c",
+			"env -0"
+		], {
+			encoding: "buffer",
+			timeout: timeoutMs,
+			maxBuffer: DEFAULT_MAX_BUFFER_BYTES,
+			env: opts.env,
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+	} catch {
+		cachedShellPath = null;
+		return cachedShellPath;
+	}
+	const shellPath = parseShellEnv(stdout).get("PATH")?.trim();
+	cachedShellPath = shellPath && shellPath.length > 0 ? shellPath : null;
+	return cachedShellPath;
+}
+function getShellEnvAppliedKeys() {
+	return [...lastAppliedKeys];
+}
+
+//#endregion
+//#region src/utils/normalize-secret-input.ts
+/**
+* Secret normalization for copy/pasted credentials.
+*
+* Common footgun: line breaks (especially `\r`) embedded in API keys/tokens.
+* We strip line breaks anywhere, then trim whitespace at the ends.
+*
+* Intentionally does NOT remove ordinary spaces inside the string to avoid
+* silently altering "Bearer <token>" style values.
+*/
+function normalizeSecretInput(value) {
+	if (typeof value !== "string") return "";
+	return value.replace(/[\r\n\u2028\u2029]+/g, "").trim();
+}
+function normalizeOptionalSecretInput(value) {
+	const normalized = normalizeSecretInput(value);
+	return normalized ? normalized : void 0;
+}
+
+//#endregion
+//#region src/agents/model-auth.ts
+const AWS_BEARER_ENV = "AWS_BEARER_TOKEN_BEDROCK";
+const AWS_ACCESS_KEY_ENV = "AWS_ACCESS_KEY_ID";
+const AWS_SECRET_KEY_ENV = "AWS_SECRET_ACCESS_KEY";
+const AWS_PROFILE_ENV = "AWS_PROFILE";
+function resolveProviderConfig(cfg, provider) {
+	const providers = cfg?.models?.providers ?? {};
+	const direct = providers[provider];
+	if (direct) return direct;
+	const normalized = normalizeProviderId(provider);
+	if (normalized === provider) return Object.entries(providers).find(([key]) => normalizeProviderId(key) === normalized)?.[1];
+	return providers[normalized] ?? Object.entries(providers).find(([key]) => normalizeProviderId(key) === normalized)?.[1];
+}
+function getCustomProviderApiKey(cfg, provider) {
+	return normalizeOptionalSecretInput(resolveProviderConfig(cfg, provider)?.apiKey);
+}
+function resolveProviderAuthOverride(cfg, provider) {
+	const auth = resolveProviderConfig(cfg, provider)?.auth;
+	if (auth === "api-key" || auth === "aws-sdk" || auth === "oauth" || auth === "token") return auth;
+}
+function resolveEnvSourceLabel(params) {
+	return `${params.envVars.some((envVar) => params.applied.has(envVar)) ? "shell env: " : "env: "}${params.label}`;
+}
+function resolveAwsSdkEnvVarName(env = process.env) {
+	if (env[AWS_BEARER_ENV]?.trim()) return AWS_BEARER_ENV;
+	if (env[AWS_ACCESS_KEY_ENV]?.trim() && env[AWS_SECRET_KEY_ENV]?.trim()) return AWS_ACCESS_KEY_ENV;
+	if (env[AWS_PROFILE_ENV]?.trim()) return AWS_PROFILE_ENV;
+}
+function resolveAwsSdkAuthInfo() {
+	const applied = new Set(getShellEnvAppliedKeys());
+	if (process.env[AWS_BEARER_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_BEARER_ENV],
+			label: AWS_BEARER_ENV
+		})
+	};
+	if (process.env[AWS_ACCESS_KEY_ENV]?.trim() && process.env[AWS_SECRET_KEY_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_ACCESS_KEY_ENV, AWS_SECRET_KEY_ENV],
+			label: `${AWS_ACCESS_KEY_ENV} + ${AWS_SECRET_KEY_ENV}`
+		})
+	};
+	if (process.env[AWS_PROFILE_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_PROFILE_ENV],
+			label: AWS_PROFILE_ENV
+		})
+	};
+	return {
+		mode: "aws-sdk",
+		source: "aws-sdk default chain"
+	};
+}
+async function resolveApiKeyForProvider(params) {
+	const { provider, cfg, profileId, preferredProfile } = params;
+	const store = params.store ?? ensureAuthProfileStore(params.agentDir);
+	if (profileId) {
+		const resolved = await resolveApiKeyForProfile({
+			cfg,
+			store,
+			profileId,
+			agentDir: params.agentDir
+		});
+		if (!resolved) throw new Error(`No credentials found for profile "${profileId}".`);
+		const mode = store.profiles[profileId]?.type;
+		return {
+			apiKey: resolved.apiKey,
+			profileId,
+			source: `profile:${profileId}`,
+			mode: mode === "oauth" ? "oauth" : mode === "token" ? "token" : "api-key"
+		};
+	}
+	const authOverride = resolveProviderAuthOverride(cfg, provider);
+	if (authOverride === "aws-sdk") return resolveAwsSdkAuthInfo();
+	const order = resolveAuthProfileOrder({
+		cfg,
+		store,
+		provider,
+		preferredProfile
+	});
+	for (const candidate of order) try {
+		const resolved = await resolveApiKeyForProfile({
+			cfg,
+			store,
+			profileId: candidate,
+			agentDir: params.agentDir
+		});
+		if (resolved) {
+			const mode = store.profiles[candidate]?.type;
+			return {
+				apiKey: resolved.apiKey,
+				profileId: candidate,
+				source: `profile:${candidate}`,
+				mode: mode === "oauth" ? "oauth" : mode === "token" ? "token" : "api-key"
+			};
+		}
+	} catch {}
+	const envResolved = resolveEnvApiKey(provider);
+	if (envResolved) return {
+		apiKey: envResolved.apiKey,
+		source: envResolved.source,
+		mode: envResolved.source.includes("OAUTH_TOKEN") ? "oauth" : "api-key"
+	};
+	const customKey = getCustomProviderApiKey(cfg, provider);
+	if (customKey) return {
+		apiKey: customKey,
+		source: "models.json",
+		mode: "api-key"
+	};
+	const normalized = normalizeProviderId(provider);
+	if (authOverride === void 0 && normalized === "amazon-bedrock") return resolveAwsSdkAuthInfo();
+	if (provider === "openai") {
+		if (listProfilesForProvider(store, "openai-codex").length > 0) throw new Error("No API key found for provider \"openai\". You are authenticated with OpenAI Codex OAuth. Use openai-codex/gpt-5.3-codex (OAuth) or set OPENAI_API_KEY to use openai/gpt-5.1-codex.");
+	}
+	const authStorePath = resolveAuthStorePathForDisplay(params.agentDir);
+	const resolvedAgentDir = path.dirname(authStorePath);
+	throw new Error([
+		`No API key found for provider "${provider}".`,
+		`Auth store: ${authStorePath} (agentDir: ${resolvedAgentDir}).`,
+		`Configure auth for this agent (${formatCliCommand("anima agents add <id>")}) or copy auth-profiles.json from the main agentDir.`
+	].join(" "));
+}
+function resolveEnvApiKey(provider) {
+	const normalized = normalizeProviderId(provider);
+	const applied = new Set(getShellEnvAppliedKeys());
+	const pick = (envVar) => {
+		const value = normalizeOptionalSecretInput(process.env[envVar]);
+		if (!value) return null;
+		return {
+			apiKey: value,
+			source: applied.has(envVar) ? `shell env: ${envVar}` : `env: ${envVar}`
+		};
+	};
+	if (normalized === "github-copilot") return pick("COPILOT_GITHUB_TOKEN") ?? pick("GH_TOKEN") ?? pick("GITHUB_TOKEN");
+	if (normalized === "anthropic") return pick("ANTHROPIC_OAUTH_TOKEN") ?? pick("ANTHROPIC_API_KEY");
+	if (normalized === "chutes") return pick("CHUTES_OAUTH_TOKEN") ?? pick("CHUTES_API_KEY");
+	if (normalized === "zai") return pick("ZAI_API_KEY") ?? pick("Z_AI_API_KEY");
+	if (normalized === "google-vertex") {
+		const envKey = getEnvApiKey(normalized);
+		if (!envKey) return null;
+		return {
+			apiKey: envKey,
+			source: "gcloud adc"
+		};
+	}
+	if (normalized === "opencode") return pick("OPENCODE_API_KEY") ?? pick("OPENCODE_ZEN_API_KEY");
+	if (normalized === "qwen-portal") return pick("QWEN_OAUTH_TOKEN") ?? pick("QWEN_PORTAL_API_KEY");
+	if (normalized === "minimax-portal") return pick("MINIMAX_OAUTH_TOKEN") ?? pick("MINIMAX_API_KEY");
+	if (normalized === "kimi-coding") return pick("KIMI_API_KEY") ?? pick("KIMICODE_API_KEY");
+	if (normalized === "huggingface") return pick("HUGGINGFACE_HUB_TOKEN") ?? pick("HF_TOKEN");
+	const envVar = {
+		openai: "OPENAI_API_KEY",
+		google: "GEMINI_API_KEY",
+		voyage: "VOYAGE_API_KEY",
+		groq: "GROQ_API_KEY",
+		deepgram: "DEEPGRAM_API_KEY",
+		cerebras: "CEREBRAS_API_KEY",
+		xai: "XAI_API_KEY",
+		openrouter: "OPENROUTER_API_KEY",
+		litellm: "LITELLM_API_KEY",
+		"vercel-ai-gateway": "AI_GATEWAY_API_KEY",
+		"cloudflare-ai-gateway": "CLOUDFLARE_AI_GATEWAY_API_KEY",
+		moonshot: "MOONSHOT_API_KEY",
+		minimax: "MINIMAX_API_KEY",
+		nvidia: "NVIDIA_API_KEY",
+		xiaomi: "XIAOMI_API_KEY",
+		synthetic: "SYNTHETIC_API_KEY",
+		venice: "VENICE_API_KEY",
+		mistral: "MISTRAL_API_KEY",
+		opencode: "OPENCODE_API_KEY",
+		together: "TOGETHER_API_KEY",
+		qianfan: "QIANFAN_API_KEY",
+		ollama: "OLLAMA_API_KEY",
+		vllm: "VLLM_API_KEY"
+	}[normalized];
+	if (!envVar) return null;
+	return pick(envVar);
+}
+function resolveModelAuthMode(provider, cfg, store) {
+	const resolved = provider?.trim();
+	if (!resolved) return;
+	const authOverride = resolveProviderAuthOverride(cfg, resolved);
+	if (authOverride === "aws-sdk") return "aws-sdk";
+	const authStore = store ?? ensureAuthProfileStore();
+	const profiles = listProfilesForProvider(authStore, resolved);
+	if (profiles.length > 0) {
+		const modes = new Set(profiles.map((id) => authStore.profiles[id]?.type).filter((mode) => Boolean(mode)));
+		if ([
+			"oauth",
+			"token",
+			"api_key"
+		].filter((k) => modes.has(k)).length >= 2) return "mixed";
+		if (modes.has("oauth")) return "oauth";
+		if (modes.has("token")) return "token";
+		if (modes.has("api_key")) return "api-key";
+	}
+	if (authOverride === void 0 && normalizeProviderId(resolved) === "amazon-bedrock") return "aws-sdk";
+	const envKey = resolveEnvApiKey(resolved);
+	if (envKey?.apiKey) return envKey.source.includes("OAUTH_TOKEN") ? "oauth" : "api-key";
+	if (getCustomProviderApiKey(cfg, resolved)) return "api-key";
+	return "unknown";
+}
+async function getApiKeyForModel(params) {
+	return resolveApiKeyForProvider({
+		provider: params.model.provider,
+		cfg: params.cfg,
+		profileId: params.profileId,
+		preferredProfile: params.preferredProfile,
+		store: params.store,
+		agentDir: params.agentDir
+	});
+}
+function requireApiKey(auth, provider) {
+	const key = normalizeSecretInput(auth.apiKey);
+	if (key) return key;
+	throw new Error(`No API key resolved for provider "${provider}" (auth mode: ${auth.mode}).`);
+}
+
+//#endregion
+//#region src/agents/synthetic-models.ts
+const SYNTHETIC_BASE_URL = "https://api.synthetic.new/anthropic";
+const SYNTHETIC_DEFAULT_MODEL_ID = "hf:MiniMaxAI/MiniMax-M2.1";
+const SYNTHETIC_DEFAULT_MODEL_REF = `synthetic/${SYNTHETIC_DEFAULT_MODEL_ID}`;
+const SYNTHETIC_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+const SYNTHETIC_MODEL_CATALOG = [
+	{
+		id: SYNTHETIC_DEFAULT_MODEL_ID,
+		name: "MiniMax M2.1",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 192e3,
+		maxTokens: 65536
+	},
+	{
+		id: "hf:moonshotai/Kimi-K2-Thinking",
+		name: "Kimi K2 Thinking",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:zai-org/GLM-4.7",
+		name: "GLM-4.7",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 198e3,
+		maxTokens: 128e3
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-R1-0528",
+		name: "DeepSeek R1 0528",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-V3-0324",
+		name: "DeepSeek V3 0324",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-V3.1",
+		name: "DeepSeek V3.1",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-V3.1-Terminus",
+		name: "DeepSeek V3.1 Terminus",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-V3.2",
+		name: "DeepSeek V3.2",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 159e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:meta-llama/Llama-3.3-70B-Instruct",
+		name: "Llama 3.3 70B Instruct",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:meta-llama/Llama-4-Maverick-17B-128E-Instruct-FP8",
+		name: "Llama 4 Maverick 17B 128E Instruct FP8",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 524e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:moonshotai/Kimi-K2-Instruct-0905",
+		name: "Kimi K2 Instruct 0905",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:moonshotai/Kimi-K2.5",
+		name: "Kimi K2.5",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:openai/gpt-oss-120b",
+		name: "GPT OSS 120B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:Qwen/Qwen3-235B-A22B-Instruct-2507",
+		name: "Qwen3 235B A22B Instruct 2507",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:Qwen/Qwen3-Coder-480B-A35B-Instruct",
+		name: "Qwen3 Coder 480B A35B Instruct",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:Qwen/Qwen3-VL-235B-A22B-Instruct",
+		name: "Qwen3 VL 235B A22B Instruct",
+		reasoning: false,
+		input: ["text", "image"],
+		contextWindow: 25e4,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:zai-org/GLM-4.5",
+		name: "GLM-4.5",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 128e3
+	},
+	{
+		id: "hf:zai-org/GLM-4.6",
+		name: "GLM-4.6",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 198e3,
+		maxTokens: 128e3
+	},
+	{
+		id: "hf:zai-org/GLM-5",
+		name: "GLM-5",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 256e3,
+		maxTokens: 128e3
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-V3",
+		name: "DeepSeek V3",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:Qwen/Qwen3-235B-A22B-Thinking-2507",
+		name: "Qwen3 235B A22B Thinking 2507",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	}
+];
+function buildSyntheticModelDefinition(entry) {
+	return {
+		id: entry.id,
+		name: entry.name,
+		reasoning: entry.reasoning,
+		input: [...entry.input],
+		cost: SYNTHETIC_DEFAULT_COST,
+		contextWindow: entry.contextWindow,
+		maxTokens: entry.maxTokens
+	};
+}
+
+//#endregion
+//#region src/agents/together-models.ts
+const TOGETHER_BASE_URL = "https://api.together.xyz/v1";
+const TOGETHER_MODEL_CATALOG = [
+	{
+		id: "zai-org/GLM-4.7",
+		name: "GLM 4.7 Fp8",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		cost: {
+			input: .45,
+			output: 2,
+			cacheRead: .45,
+			cacheWrite: 2
+		}
+	},
+	{
+		id: "moonshotai/Kimi-K2.5",
+		name: "Kimi K2.5",
+		reasoning: true,
+		input: ["text", "image"],
+		cost: {
+			input: .5,
+			output: 2.8,
+			cacheRead: .5,
+			cacheWrite: 2.8
+		},
+		contextWindow: 262144,
+		maxTokens: 32768
+	},
+	{
+		id: "meta-llama/Llama-3.3-70B-Instruct-Turbo",
+		name: "Llama 3.3 70B Instruct Turbo",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		cost: {
+			input: .88,
+			output: .88,
+			cacheRead: .88,
+			cacheWrite: .88
+		}
+	},
+	{
+		id: "meta-llama/Llama-4-Scout-17B-16E-Instruct",
+		name: "Llama 4 Scout 17B 16E Instruct",
+		reasoning: false,
+		input: ["text", "image"],
+		contextWindow: 1e7,
+		maxTokens: 32768,
+		cost: {
+			input: .18,
+			output: .59,
+			cacheRead: .18,
+			cacheWrite: .18
+		}
+	},
+	{
+		id: "meta-llama/Llama-4-Maverick-17B-128E-Instruct-FP8",
+		name: "Llama 4 Maverick 17B 128E Instruct FP8",
+		reasoning: false,
+		input: ["text", "image"],
+		contextWindow: 2e7,
+		maxTokens: 32768,
+		cost: {
+			input: .27,
+			output: .85,
+			cacheRead: .27,
+			cacheWrite: .27
+		}
+	},
+	{
+		id: "deepseek-ai/DeepSeek-V3.1",
+		name: "DeepSeek V3.1",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		cost: {
+			input: .6,
+			output: 1.25,
+			cacheRead: .6,
+			cacheWrite: .6
+		}
+	},
+	{
+		id: "deepseek-ai/DeepSeek-R1",
+		name: "DeepSeek R1",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		cost: {
+			input: 3,
+			output: 7,
+			cacheRead: 3,
+			cacheWrite: 3
+		}
+	},
+	{
+		id: "moonshotai/Kimi-K2-Instruct-0905",
+		name: "Kimi K2-Instruct 0905",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		cost: {
+			input: 1,
+			output: 3,
+			cacheRead: 1,
+			cacheWrite: 3
+		}
+	}
+];
+function buildTogetherModelDefinition(model) {
+	return {
+		id: model.id,
+		name: model.name,
+		api: "openai-completions",
+		reasoning: model.reasoning,
+		input: model.input,
+		cost: model.cost,
+		contextWindow: model.contextWindow,
+		maxTokens: model.maxTokens
+	};
+}
+
+//#endregion
+//#region src/agents/venice-models.ts
+const VENICE_BASE_URL = "https://api.venice.ai/api/v1";
+const VENICE_DEFAULT_MODEL_ID = "llama-3.3-70b";
+const VENICE_DEFAULT_MODEL_REF = `venice/${VENICE_DEFAULT_MODEL_ID}`;
+const VENICE_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+/**
+* Complete catalog of Venice AI models.
+*
+* Venice provides two privacy modes:
+* - "private": Fully private inference, no logging, ephemeral
+* - "anonymized": Proxied through Venice with metadata stripped (for proprietary models)
+*
+* Note: The `privacy` field is included for documentation purposes but is not
+* propagated to ModelDefinitionConfig as it's not part of the core model schema.
+* Privacy mode is determined by the model itself, not configurable at runtime.
+*
+* This catalog serves as a fallback when the Venice API is unreachable.
+*/
+const VENICE_MODEL_CATALOG = [
+	{
+		id: "llama-3.3-70b",
+		name: "Llama 3.3 70B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "llama-3.2-3b",
+		name: "Llama 3.2 3B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "hermes-3-llama-3.1-405b",
+		name: "Hermes 3 Llama 3.1 405B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-235b-a22b-thinking-2507",
+		name: "Qwen3 235B Thinking",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-235b-a22b-instruct-2507",
+		name: "Qwen3 235B Instruct",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-coder-480b-a35b-instruct",
+		name: "Qwen3 Coder 480B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-next-80b",
+		name: "Qwen3 Next 80B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-vl-235b-a22b",
+		name: "Qwen3 VL 235B (Vision)",
+		reasoning: false,
+		input: ["text", "image"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-4b",
+		name: "Venice Small (Qwen3 4B)",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 32768,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "deepseek-v3.2",
+		name: "DeepSeek V3.2",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 163840,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "venice-uncensored",
+		name: "Venice Uncensored (Dolphin-Mistral)",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 32768,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "mistral-31-24b",
+		name: "Venice Medium (Mistral)",
+		reasoning: false,
+		input: ["text", "image"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "google-gemma-3-27b-it",
+		name: "Google Gemma 3 27B Instruct",
+		reasoning: false,
+		input: ["text", "image"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "openai-gpt-oss-120b",
+		name: "OpenAI GPT OSS 120B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "zai-org-glm-4.7",
+		name: "GLM 4.7",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "claude-opus-45",
+		name: "Claude Opus 4.5 (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "claude-sonnet-45",
+		name: "Claude Sonnet 4.5 (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "openai-gpt-52",
+		name: "GPT-5.2 (via Venice)",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "openai-gpt-52-codex",
+		name: "GPT-5.2 Codex (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "gemini-3-pro-preview",
+		name: "Gemini 3 Pro (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "gemini-3-flash-preview",
+		name: "Gemini 3 Flash (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "grok-41-fast",
+		name: "Grok 4.1 Fast (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "grok-code-fast-1",
+		name: "Grok Code Fast 1 (via Venice)",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "kimi-k2-thinking",
+		name: "Kimi K2 Thinking (via Venice)",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "minimax-m21",
+		name: "MiniMax M2.1 (via Venice)",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	}
+];
+/**
+* Build a ModelDefinitionConfig from a Venice catalog entry.
+*
+* Note: The `privacy` field from the catalog is not included in the output
+* as ModelDefinitionConfig doesn't support custom metadata fields. Privacy
+* mode is inherent to each model and documented in the catalog/docs.
+*/
+function buildVeniceModelDefinition(entry) {
+	return {
+		id: entry.id,
+		name: entry.name,
+		reasoning: entry.reasoning,
+		input: [...entry.input],
+		cost: VENICE_DEFAULT_COST,
+		contextWindow: entry.contextWindow,
+		maxTokens: entry.maxTokens,
+		compat: { supportsUsageInStreaming: false }
+	};
+}
+
+//#endregion
+//#region src/agents/models-config.providers.ts
+const XIAOMI_BASE_URL = "https://api.xiaomimimo.com/anthropic";
+const XIAOMI_DEFAULT_MODEL_ID = "mimo-v2-flash";
+const XIAOMI_DEFAULT_CONTEXT_WINDOW = 262144;
+const XIAOMI_DEFAULT_MAX_TOKENS = 8192;
+const XIAOMI_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+const QIANFAN_BASE_URL = "https://qianfan.baidubce.com/v2";
+const QIANFAN_DEFAULT_MODEL_ID = "deepseek-v3.2";
+const QIANFAN_DEFAULT_CONTEXT_WINDOW = 98304;
+const QIANFAN_DEFAULT_MAX_TOKENS = 32768;
+const QIANFAN_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+function normalizeGoogleModelId(id) {
+	if (id === "gemini-3-pro") return "gemini-3-pro-preview";
+	if (id === "gemini-3-flash") return "gemini-3-flash-preview";
+	return id;
+}
+function buildXiaomiProvider() {
+	return {
+		baseUrl: XIAOMI_BASE_URL,
+		api: "anthropic-messages",
+		models: [{
+			id: XIAOMI_DEFAULT_MODEL_ID,
+			name: "Xiaomi MiMo V2 Flash",
+			reasoning: false,
+			input: ["text"],
+			cost: XIAOMI_DEFAULT_COST,
+			contextWindow: XIAOMI_DEFAULT_CONTEXT_WINDOW,
+			maxTokens: XIAOMI_DEFAULT_MAX_TOKENS
+		}]
+	};
+}
+function buildQianfanProvider() {
+	return {
+		baseUrl: QIANFAN_BASE_URL,
+		api: "openai-completions",
+		models: [{
+			id: QIANFAN_DEFAULT_MODEL_ID,
+			name: "DEEPSEEK V3.2",
+			reasoning: true,
+			input: ["text"],
+			cost: QIANFAN_DEFAULT_COST,
+			contextWindow: QIANFAN_DEFAULT_CONTEXT_WINDOW,
+			maxTokens: QIANFAN_DEFAULT_MAX_TOKENS
+		}, {
+			id: "ernie-5.0-thinking-preview",
+			name: "ERNIE-5.0-Thinking-Preview",
+			reasoning: true,
+			input: ["text", "image"],
+			cost: QIANFAN_DEFAULT_COST,
+			contextWindow: 119e3,
+			maxTokens: 64e3
+		}]
+	};
+}
+
+//#endregion
+//#region src/agents/model-selection.ts
+const ANTHROPIC_MODEL_ALIASES = {
+	"opus-4.6": "claude-opus-4-6",
+	"opus-4.5": "claude-opus-4-5",
+	"sonnet-4.5": "claude-sonnet-4-5"
+};
+const OPENAI_CODEX_OAUTH_MODEL_PREFIXES = ["gpt-5.3-codex"];
+function normalizeAliasKey(value) {
+	return value.trim().toLowerCase();
+}
+function modelKey(provider, model) {
+	return `${provider}/${model}`;
+}
+function normalizeProviderId(provider) {
+	const normalized = provider.trim().toLowerCase();
+	if (normalized === "z.ai" || normalized === "z-ai") return "zai";
+	if (normalized === "opencode-zen") return "opencode";
+	if (normalized === "qwen") return "qwen-portal";
+	if (normalized === "kimi-code") return "kimi-coding";
+	return normalized;
+}
+function isCliProvider(provider, cfg) {
+	const normalized = normalizeProviderId(provider);
+	if (normalized === "claude-cli") return true;
+	if (normalized === "codex-cli") return true;
+	const backends = cfg?.agents?.defaults?.cliBackends ?? {};
+	return Object.keys(backends).some((key) => normalizeProviderId(key) === normalized);
+}
+function normalizeAnthropicModelId(model) {
+	const trimmed = model.trim();
+	if (!trimmed) return trimmed;
+	return ANTHROPIC_MODEL_ALIASES[trimmed.toLowerCase()] ?? trimmed;
+}
+function normalizeProviderModelId(provider, model) {
+	if (provider === "anthropic") return normalizeAnthropicModelId(model);
+	if (provider === "google") return normalizeGoogleModelId(model);
+	return model;
+}
+function shouldUseOpenAICodexProvider(provider, model) {
+	if (provider !== "openai") return false;
+	const normalized = model.trim().toLowerCase();
+	if (!normalized) return false;
+	return OPENAI_CODEX_OAUTH_MODEL_PREFIXES.some((prefix) => normalized === prefix || normalized.startsWith(`${prefix}-`));
+}
+function normalizeModelRef(provider, model) {
+	const normalizedProvider = normalizeProviderId(provider);
+	const normalizedModel = normalizeProviderModelId(normalizedProvider, model.trim());
+	if (shouldUseOpenAICodexProvider(normalizedProvider, normalizedModel)) return {
+		provider: "openai-codex",
+		model: normalizedModel
+	};
+	return {
+		provider: normalizedProvider,
+		model: normalizedModel
+	};
+}
+function parseModelRef(raw, defaultProvider) {
+	const trimmed = raw.trim();
+	if (!trimmed) return null;
+	const slash = trimmed.indexOf("/");
+	if (slash === -1) return normalizeModelRef(defaultProvider, trimmed);
+	const providerRaw = trimmed.slice(0, slash).trim();
+	const model = trimmed.slice(slash + 1).trim();
+	if (!providerRaw || !model) return null;
+	return normalizeModelRef(providerRaw, model);
+}
+function resolveAllowlistModelKey(raw, defaultProvider) {
+	const parsed = parseModelRef(raw, defaultProvider);
+	if (!parsed) return null;
+	return modelKey(parsed.provider, parsed.model);
+}
+function buildConfiguredAllowlistKeys(params) {
+	const rawAllowlist = Object.keys(params.cfg?.agents?.defaults?.models ?? {});
+	if (rawAllowlist.length === 0) return null;
+	const keys = /* @__PURE__ */ new Set();
+	for (const raw of rawAllowlist) {
+		const key = resolveAllowlistModelKey(String(raw ?? ""), params.defaultProvider);
+		if (key) keys.add(key);
+	}
+	return keys.size > 0 ? keys : null;
+}
+function buildModelAliasIndex(params) {
+	const byAlias = /* @__PURE__ */ new Map();
+	const byKey = /* @__PURE__ */ new Map();
+	const rawModels = params.cfg.agents?.defaults?.models ?? {};
+	for (const [keyRaw, entryRaw] of Object.entries(rawModels)) {
+		const parsed = parseModelRef(String(keyRaw ?? ""), params.defaultProvider);
+		if (!parsed) continue;
+		const alias = String(entryRaw?.alias ?? "").trim();
+		if (!alias) continue;
+		const aliasKey = normalizeAliasKey(alias);
+		byAlias.set(aliasKey, {
+			alias,
+			ref: parsed
+		});
+		const key = modelKey(parsed.provider, parsed.model);
+		const existing = byKey.get(key) ?? [];
+		existing.push(alias);
+		byKey.set(key, existing);
+	}
+	return {
+		byAlias,
+		byKey
+	};
+}
+function resolveModelRefFromString(params) {
+	const trimmed = params.raw.trim();
+	if (!trimmed) return null;
+	if (!trimmed.includes("/")) {
+		const aliasKey = normalizeAliasKey(trimmed);
+		const aliasMatch = params.aliasIndex?.byAlias.get(aliasKey);
+		if (aliasMatch) return {
+			ref: aliasMatch.ref,
+			alias: aliasMatch.alias
+		};
+	}
+	const parsed = parseModelRef(trimmed, params.defaultProvider);
+	if (!parsed) return null;
+	return { ref: parsed };
+}
+function resolveConfiguredModelRef(params) {
+	const rawModel = (() => {
+		const raw = params.cfg.agents?.defaults?.model;
+		if (typeof raw === "string") return raw.trim();
+		return raw?.primary?.trim() ?? "";
+	})();
+	if (rawModel) {
+		const trimmed = rawModel.trim();
+		const aliasIndex = buildModelAliasIndex({
+			cfg: params.cfg,
+			defaultProvider: params.defaultProvider
+		});
+		if (!trimmed.includes("/")) {
+			const aliasKey = normalizeAliasKey(trimmed);
+			const aliasMatch = aliasIndex.byAlias.get(aliasKey);
+			if (aliasMatch) return aliasMatch.ref;
+			console.warn(`[anima] Model "${trimmed}" specified without provider. Falling back to "anthropic/${trimmed}". Please use "anthropic/${trimmed}" in your config.`);
+			return {
+				provider: "anthropic",
+				model: trimmed
+			};
+		}
+		const resolved = resolveModelRefFromString({
+			raw: trimmed,
+			defaultProvider: params.defaultProvider,
+			aliasIndex
+		});
+		if (resolved) return resolved.ref;
+	}
+	return {
+		provider: params.defaultProvider,
+		model: params.defaultModel
+	};
+}
+function resolveDefaultModelForAgent(params) {
+	const agentModelOverride = params.agentId ? resolveAgentModelPrimary(params.cfg, params.agentId) : void 0;
+	return resolveConfiguredModelRef({
+		cfg: agentModelOverride && agentModelOverride.length > 0 ? {
+			...params.cfg,
+			agents: {
+				...params.cfg.agents,
+				defaults: {
+					...params.cfg.agents?.defaults,
+					model: {
+						...typeof params.cfg.agents?.defaults?.model === "object" ? params.cfg.agents.defaults.model : void 0,
+						primary: agentModelOverride
+					}
+				}
+			}
+		} : params.cfg,
+		defaultProvider: DEFAULT_PROVIDER,
+		defaultModel: DEFAULT_MODEL
+	});
+}
+function buildAllowedModelSet(params) {
+	const rawAllowlist = (() => {
+		const modelMap = params.cfg.agents?.defaults?.models ?? {};
+		return Object.keys(modelMap);
+	})();
+	const allowAny = rawAllowlist.length === 0;
+	const defaultModel = params.defaultModel?.trim();
+	const defaultKey = defaultModel && params.defaultProvider ? modelKey(params.defaultProvider, defaultModel) : void 0;
+	const catalogKeys = new Set(params.catalog.map((entry) => modelKey(entry.provider, entry.id)));
+	if (allowAny) {
+		if (defaultKey) catalogKeys.add(defaultKey);
+		return {
+			allowAny: true,
+			allowedCatalog: params.catalog,
+			allowedKeys: catalogKeys
+		};
+	}
+	const allowedKeys = /* @__PURE__ */ new Set();
+	const configuredProviders = params.cfg.models?.providers ?? {};
+	for (const raw of rawAllowlist) {
+		const parsed = parseModelRef(String(raw), params.defaultProvider);
+		if (!parsed) continue;
+		const key = modelKey(parsed.provider, parsed.model);
+		const providerKey = normalizeProviderId(parsed.provider);
+		if (isCliProvider(parsed.provider, params.cfg)) allowedKeys.add(key);
+		else if (catalogKeys.has(key)) allowedKeys.add(key);
+		else if (configuredProviders[providerKey] != null) allowedKeys.add(key);
+	}
+	if (defaultKey) allowedKeys.add(defaultKey);
+	const allowedCatalog = params.catalog.filter((entry) => allowedKeys.has(modelKey(entry.provider, entry.id)));
+	if (allowedCatalog.length === 0 && allowedKeys.size === 0) {
+		if (defaultKey) catalogKeys.add(defaultKey);
+		return {
+			allowAny: true,
+			allowedCatalog: params.catalog,
+			allowedKeys: catalogKeys
+		};
+	}
+	return {
+		allowAny: false,
+		allowedCatalog,
+		allowedKeys
+	};
+}
+function getModelRefStatus(params) {
+	const allowed = buildAllowedModelSet({
+		cfg: params.cfg,
+		catalog: params.catalog,
+		defaultProvider: params.defaultProvider,
+		defaultModel: params.defaultModel
+	});
+	const key = modelKey(params.ref.provider, params.ref.model);
+	return {
+		key,
+		inCatalog: params.catalog.some((entry) => modelKey(entry.provider, entry.id) === key),
+		allowAny: allowed.allowAny,
+		allowed: allowed.allowAny || allowed.allowedKeys.has(key)
+	};
+}
+function resolveAllowedModelRef(params) {
+	const trimmed = params.raw.trim();
+	if (!trimmed) return { error: "invalid model: empty" };
+	const aliasIndex = buildModelAliasIndex({
+		cfg: params.cfg,
+		defaultProvider: params.defaultProvider
+	});
+	const resolved = resolveModelRefFromString({
+		raw: trimmed,
+		defaultProvider: params.defaultProvider,
+		aliasIndex
+	});
+	if (!resolved) return { error: `invalid model: ${trimmed}` };
+	const status = getModelRefStatus({
+		cfg: params.cfg,
+		catalog: params.catalog,
+		ref: resolved.ref,
+		defaultProvider: params.defaultProvider,
+		defaultModel: params.defaultModel
+	});
+	if (!status.allowed) return { error: `model not allowed: ${status.key}` };
+	return {
+		ref: resolved.ref,
+		key: status.key
+	};
+}
+function resolveThinkingDefault(params) {
+	const configured = params.cfg.agents?.defaults?.thinkingDefault;
+	if (configured) return configured;
+	if ((params.catalog?.find((entry) => entry.provider === params.provider && entry.id === params.model))?.reasoning) return "low";
+	return "off";
+}
+/**
+* Resolve the model configured for Gmail hook processing.
+* Returns null if hooks.gmail.model is not set.
+*/
+function resolveHooksGmailModel(params) {
+	const hooksModel = params.cfg.hooks?.gmail?.model;
+	if (!hooksModel?.trim()) return null;
+	const aliasIndex = buildModelAliasIndex({
+		cfg: params.cfg,
+		defaultProvider: params.defaultProvider
+	});
+	return resolveModelRefFromString({
+		raw: hooksModel,
+		defaultProvider: params.defaultProvider,
+		aliasIndex
+	})?.ref ?? null;
+}
+
+//#endregion
+//#region src/plugin-sdk/file-lock.ts
+const HELD_LOCKS_KEY = Symbol.for("anima.fileLockHeldLocks");
+function resolveHeldLocks() {
+	const proc = process;
+	if (!proc[HELD_LOCKS_KEY]) proc[HELD_LOCKS_KEY] = /* @__PURE__ */ new Map();
+	return proc[HELD_LOCKS_KEY];
+}
+const HELD_LOCKS = resolveHeldLocks();
+function isAlive(pid) {
+	if (!Number.isFinite(pid) || pid <= 0) return false;
+	try {
+		process.kill(pid, 0);
+		return true;
+	} catch {
+		return false;
+	}
+}
+function computeDelayMs(retries, attempt) {
+	const base = Math.min(retries.maxTimeout, Math.max(retries.minTimeout, retries.minTimeout * retries.factor ** attempt));
+	const jitter = retries.randomize ? 1 + Math.random() : 1;
+	return Math.min(retries.maxTimeout, Math.round(base * jitter));
+}
+async function readLockPayload(lockPath) {
+	try {
+		const raw = await fs$1.readFile(lockPath, "utf8");
+		const parsed = JSON.parse(raw);
+		if (typeof parsed.pid !== "number" || typeof parsed.createdAt !== "string") return null;
+		return {
+			pid: parsed.pid,
+			createdAt: parsed.createdAt
+		};
+	} catch {
+		return null;
+	}
+}
+async function resolveNormalizedFilePath(filePath) {
+	const resolved = path.resolve(filePath);
+	const dir = path.dirname(resolved);
+	await fs$1.mkdir(dir, { recursive: true });
+	try {
+		const realDir = await fs$1.realpath(dir);
+		return path.join(realDir, path.basename(resolved));
+	} catch {
+		return resolved;
+	}
+}
+async function isStaleLock(lockPath, staleMs) {
+	const payload = await readLockPayload(lockPath);
+	if (payload?.pid && !isAlive(payload.pid)) return true;
+	if (payload?.createdAt) {
+		const createdAt = Date.parse(payload.createdAt);
+		if (!Number.isFinite(createdAt) || Date.now() - createdAt > staleMs) return true;
+	}
+	try {
+		const stat = await fs$1.stat(lockPath);
+		return Date.now() - stat.mtimeMs > staleMs;
+	} catch {
+		return true;
+	}
+}
+async function acquireFileLock(filePath, options) {
+	const normalizedFile = await resolveNormalizedFilePath(filePath);
+	const lockPath = `${normalizedFile}.lock`;
+	const held = HELD_LOCKS.get(normalizedFile);
+	if (held) {
+		held.count += 1;
+		return {
+			lockPath,
+			release: async () => {
+				const current = HELD_LOCKS.get(normalizedFile);
+				if (!current) return;
+				current.count -= 1;
+				if (current.count > 0) return;
+				HELD_LOCKS.delete(normalizedFile);
+				await current.handle.close().catch(() => void 0);
+				await fs$1.rm(current.lockPath, { force: true }).catch(() => void 0);
+			}
+		};
+	}
+	const attempts = Math.max(1, options.retries.retries + 1);
+	for (let attempt = 0; attempt < attempts; attempt += 1) try {
+		const handle = await fs$1.open(lockPath, "wx");
+		await handle.writeFile(JSON.stringify({
+			pid: process.pid,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString()
+		}, null, 2), "utf8");
+		HELD_LOCKS.set(normalizedFile, {
+			count: 1,
+			handle,
+			lockPath
+		});
+		return {
+			lockPath,
+			release: async () => {
+				const current = HELD_LOCKS.get(normalizedFile);
+				if (!current) return;
+				current.count -= 1;
+				if (current.count > 0) return;
+				HELD_LOCKS.delete(normalizedFile);
+				await current.handle.close().catch(() => void 0);
+				await fs$1.rm(current.lockPath, { force: true }).catch(() => void 0);
+			}
+		};
+	} catch (err) {
+		if (err.code !== "EEXIST") throw err;
+		if (await isStaleLock(lockPath, options.stale)) {
+			await fs$1.rm(lockPath, { force: true }).catch(() => void 0);
+			continue;
+		}
+		if (attempt >= attempts - 1) break;
+		await new Promise((resolve) => setTimeout(resolve, computeDelayMs(options.retries, attempt)));
+	}
+	throw new Error(`file lock timeout for ${normalizedFile}`);
+}
+async function withFileLock(filePath, options, fn) {
+	const lock = await acquireFileLock(filePath, options);
+	try {
+		return await fn();
+	} finally {
+		await lock.release();
+	}
+}
+
+//#endregion
+//#region src/infra/json-file.ts
+function loadJsonFile(pathname) {
+	try {
+		if (!fs.existsSync(pathname)) return;
+		const raw = fs.readFileSync(pathname, "utf8");
+		return JSON.parse(raw);
+	} catch {
+		return;
+	}
+}
+function saveJsonFile(pathname, data) {
+	const dir = path.dirname(pathname);
+	if (!fs.existsSync(dir)) fs.mkdirSync(dir, {
+		recursive: true,
+		mode: 448
+	});
+	fs.writeFileSync(pathname, `${JSON.stringify(data, null, 2)}\n`, "utf8");
+	fs.chmodSync(pathname, 384);
+}
+
+//#endregion
+//#region src/agents/cli-credentials.ts
+const log = createSubsystemLogger("agents/auth-profiles");
+const QWEN_CLI_CREDENTIALS_RELATIVE_PATH = ".qwen/oauth_creds.json";
+const MINIMAX_CLI_CREDENTIALS_RELATIVE_PATH = ".minimax/oauth_creds.json";
+let qwenCliCache = null;
+let minimaxCliCache = null;
+function resolveQwenCliCredentialsPath(homeDir) {
+	const baseDir = homeDir ?? resolveUserPath("~");
+	return path.join(baseDir, QWEN_CLI_CREDENTIALS_RELATIVE_PATH);
+}
+function resolveMiniMaxCliCredentialsPath(homeDir) {
+	const baseDir = homeDir ?? resolveUserPath("~");
+	return path.join(baseDir, MINIMAX_CLI_CREDENTIALS_RELATIVE_PATH);
+}
+function readQwenCliCredentials(options) {
+	return readPortalCliOauthCredentials(resolveQwenCliCredentialsPath(options?.homeDir), "qwen-portal");
+}
+function readPortalCliOauthCredentials(credPath, provider) {
+	const raw = loadJsonFile(credPath);
+	if (!raw || typeof raw !== "object") return null;
+	const data = raw;
+	const accessToken = data.access_token;
+	const refreshToken = data.refresh_token;
+	const expiresAt = data.expiry_date;
+	if (typeof accessToken !== "string" || !accessToken) return null;
+	if (typeof refreshToken !== "string" || !refreshToken) return null;
+	if (typeof expiresAt !== "number" || !Number.isFinite(expiresAt)) return null;
+	return {
+		type: "oauth",
+		provider,
+		access: accessToken,
+		refresh: refreshToken,
+		expires: expiresAt
+	};
+}
+function readMiniMaxCliCredentials(options) {
+	return readPortalCliOauthCredentials(resolveMiniMaxCliCredentialsPath(options?.homeDir), "minimax-portal");
+}
+function readQwenCliCredentialsCached(options) {
+	const ttlMs = options?.ttlMs ?? 0;
+	const now = Date.now();
+	const cacheKey = resolveQwenCliCredentialsPath(options?.homeDir);
+	if (ttlMs > 0 && qwenCliCache && qwenCliCache.cacheKey === cacheKey && now - qwenCliCache.readAt < ttlMs) return qwenCliCache.value;
+	const value = readQwenCliCredentials({ homeDir: options?.homeDir });
+	if (ttlMs > 0) qwenCliCache = {
+		value,
+		readAt: now,
+		cacheKey
+	};
+	return value;
+}
+function readMiniMaxCliCredentialsCached(options) {
+	const ttlMs = options?.ttlMs ?? 0;
+	const now = Date.now();
+	const cacheKey = resolveMiniMaxCliCredentialsPath(options?.homeDir);
+	if (ttlMs > 0 && minimaxCliCache && minimaxCliCache.cacheKey === cacheKey && now - minimaxCliCache.readAt < ttlMs) return minimaxCliCache.value;
+	const value = readMiniMaxCliCredentials({ homeDir: options?.homeDir });
+	if (ttlMs > 0) minimaxCliCache = {
+		value,
+		readAt: now,
+		cacheKey
+	};
+	return value;
+}
+
+//#endregion
+//#region src/agents/auth-profiles/external-cli-sync.ts
+function shallowEqualOAuthCredentials(a, b) {
+	if (!a) return false;
+	if (a.type !== "oauth") return false;
+	return a.provider === b.provider && a.access === b.access && a.refresh === b.refresh && a.expires === b.expires && a.email === b.email && a.enterpriseUrl === b.enterpriseUrl && a.projectId === b.projectId && a.accountId === b.accountId;
+}
+function isExternalProfileFresh(cred, now) {
+	if (!cred) return false;
+	if (cred.type !== "oauth" && cred.type !== "token") return false;
+	if (cred.provider !== "qwen-portal" && cred.provider !== "minimax-portal") return false;
+	if (typeof cred.expires !== "number") return true;
+	return cred.expires > now + EXTERNAL_CLI_NEAR_EXPIRY_MS;
+}
+/** Sync external CLI credentials into the store for a given provider. */
+function syncExternalCliCredentialsForProvider(store, profileId, provider, readCredentials, now) {
+	const existing = store.profiles[profileId];
+	const creds = !existing || existing.provider !== provider || !isExternalProfileFresh(existing, now) ? readCredentials() : null;
+	if (!creds) return false;
+	const existingOAuth = existing?.type === "oauth" ? existing : void 0;
+	if ((!existingOAuth || existingOAuth.provider !== provider || existingOAuth.expires <= now || creds.expires > existingOAuth.expires) && !shallowEqualOAuthCredentials(existingOAuth, creds)) {
+		store.profiles[profileId] = creds;
+		log$1.info(`synced ${provider} credentials from external cli`, {
+			profileId,
+			expires: new Date(creds.expires).toISOString()
+		});
+		return true;
+	}
+	return false;
+}
+/**
+* Sync OAuth credentials from external CLI tools (Qwen Code CLI, MiniMax CLI) into the store.
+*
+* Returns true if any credentials were updated.
+*/
+function syncExternalCliCredentials(store) {
+	let mutated = false;
+	const now = Date.now();
+	const existingQwen = store.profiles[QWEN_CLI_PROFILE_ID];
+	const qwenCreds = !existingQwen || existingQwen.provider !== "qwen-portal" || !isExternalProfileFresh(existingQwen, now) ? readQwenCliCredentialsCached({ ttlMs: EXTERNAL_CLI_SYNC_TTL_MS }) : null;
+	if (qwenCreds) {
+		const existing = store.profiles[QWEN_CLI_PROFILE_ID];
+		const existingOAuth = existing?.type === "oauth" ? existing : void 0;
+		if ((!existingOAuth || existingOAuth.provider !== "qwen-portal" || existingOAuth.expires <= now || qwenCreds.expires > existingOAuth.expires) && !shallowEqualOAuthCredentials(existingOAuth, qwenCreds)) {
+			store.profiles[QWEN_CLI_PROFILE_ID] = qwenCreds;
+			mutated = true;
+			log$1.info("synced qwen credentials from qwen cli", {
+				profileId: QWEN_CLI_PROFILE_ID,
+				expires: new Date(qwenCreds.expires).toISOString()
+			});
+		}
+	}
+	if (syncExternalCliCredentialsForProvider(store, MINIMAX_CLI_PROFILE_ID, "minimax-portal", () => readMiniMaxCliCredentialsCached({ ttlMs: EXTERNAL_CLI_SYNC_TTL_MS }), now)) mutated = true;
+	return mutated;
+}
+
+//#endregion
+//#region src/agents/agent-paths.ts
+function resolveAnimaAgentDir() {
+	const override = process.env.ANIMA_AGENT_DIR?.trim() || process.env.OPENCLAW_AGENT_DIR?.trim() || process.env.PI_CODING_AGENT_DIR?.trim();
+	if (override) return resolveUserPath(override);
+	return resolveUserPath(path.join(resolveStateDir(), "agents", DEFAULT_AGENT_ID, "agent"));
+}
+
+//#endregion
+//#region src/agents/auth-profiles/paths.ts
+function resolveAuthStorePath(agentDir) {
+	const resolved = resolveUserPath(agentDir ?? resolveAnimaAgentDir());
+	return path.join(resolved, AUTH_PROFILE_FILENAME);
+}
+function resolveLegacyAuthStorePath(agentDir) {
+	const resolved = resolveUserPath(agentDir ?? resolveAnimaAgentDir());
+	return path.join(resolved, LEGACY_AUTH_FILENAME);
+}
+function resolveAuthStorePathForDisplay(agentDir) {
+	const pathname = resolveAuthStorePath(agentDir);
+	return pathname.startsWith("~") ? pathname : resolveUserPath(pathname);
+}
+function ensureAuthStoreFile(pathname) {
+	if (fs.existsSync(pathname)) return;
+	saveJsonFile(pathname, {
+		version: AUTH_STORE_VERSION,
+		profiles: {}
+	});
+}
+
+//#endregion
+//#region src/agents/auth-profiles/store.ts
+async function updateAuthProfileStoreWithLock(params) {
+	const authPath = resolveAuthStorePath(params.agentDir);
+	ensureAuthStoreFile(authPath);
+	try {
+		return await withFileLock(authPath, AUTH_STORE_LOCK_OPTIONS, async () => {
+			const store = ensureAuthProfileStore(params.agentDir);
+			if (params.updater(store)) saveAuthProfileStore(store, params.agentDir);
+			return store;
+		});
+	} catch {
+		return null;
+	}
+}
+function coerceLegacyStore(raw) {
+	if (!raw || typeof raw !== "object") return null;
+	const record = raw;
+	if ("profiles" in record) return null;
+	const entries = {};
+	for (const [key, value] of Object.entries(record)) {
+		if (!value || typeof value !== "object") continue;
+		const typed = value;
+		if (typed.type !== "api_key" && typed.type !== "oauth" && typed.type !== "token") continue;
+		entries[key] = {
+			...typed,
+			provider: String(typed.provider ?? key)
+		};
+	}
+	return Object.keys(entries).length > 0 ? entries : null;
+}
+function coerceAuthStore(raw) {
+	if (!raw || typeof raw !== "object") return null;
+	const record = raw;
+	if (!record.profiles || typeof record.profiles !== "object") return null;
+	const profiles = record.profiles;
+	const normalized = {};
+	for (const [key, value] of Object.entries(profiles)) {
+		if (!value || typeof value !== "object") continue;
+		const typed = value;
+		if (typed.type !== "api_key" && typed.type !== "oauth" && typed.type !== "token") continue;
+		if (!typed.provider) continue;
+		normalized[key] = typed;
+	}
+	const order = record.order && typeof record.order === "object" ? Object.entries(record.order).reduce((acc, [provider, value]) => {
+		if (!Array.isArray(value)) return acc;
+		const list = value.map((entry) => typeof entry === "string" ? entry.trim() : "").filter(Boolean);
+		if (list.length === 0) return acc;
+		acc[provider] = list;
+		return acc;
+	}, {}) : void 0;
+	return {
+		version: Number(record.version ?? AUTH_STORE_VERSION),
+		profiles: normalized,
+		order,
+		lastGood: record.lastGood && typeof record.lastGood === "object" ? record.lastGood : void 0,
+		usageStats: record.usageStats && typeof record.usageStats === "object" ? record.usageStats : void 0
+	};
+}
+function mergeRecord(base, override) {
+	if (!base && !override) return;
+	if (!base) return { ...override };
+	if (!override) return { ...base };
+	return {
+		...base,
+		...override
+	};
+}
+function mergeAuthProfileStores(base, override) {
+	if (Object.keys(override.profiles).length === 0 && !override.order && !override.lastGood && !override.usageStats) return base;
+	return {
+		version: Math.max(base.version, override.version ?? base.version),
+		profiles: {
+			...base.profiles,
+			...override.profiles
+		},
+		order: mergeRecord(base.order, override.order),
+		lastGood: mergeRecord(base.lastGood, override.lastGood),
+		usageStats: mergeRecord(base.usageStats, override.usageStats)
+	};
+}
+function mergeOAuthFileIntoStore(store) {
+	const oauthRaw = loadJsonFile(resolveOAuthPath());
+	if (!oauthRaw || typeof oauthRaw !== "object") return false;
+	const oauthEntries = oauthRaw;
+	let mutated = false;
+	for (const [provider, creds] of Object.entries(oauthEntries)) {
+		if (!creds || typeof creds !== "object") continue;
+		const profileId = `${provider}:default`;
+		if (store.profiles[profileId]) continue;
+		store.profiles[profileId] = {
+			type: "oauth",
+			provider,
+			...creds
+		};
+		mutated = true;
+	}
+	return mutated;
+}
+function applyLegacyStore(store, legacy) {
+	for (const [provider, cred] of Object.entries(legacy)) {
+		const profileId = `${provider}:default`;
+		if (cred.type === "api_key") {
+			store.profiles[profileId] = {
+				type: "api_key",
+				provider: String(cred.provider ?? provider),
+				key: cred.key,
+				...cred.email ? { email: cred.email } : {}
+			};
+			continue;
+		}
+		if (cred.type === "token") {
+			store.profiles[profileId] = {
+				type: "token",
+				provider: String(cred.provider ?? provider),
+				token: cred.token,
+				...typeof cred.expires === "number" ? { expires: cred.expires } : {},
+				...cred.email ? { email: cred.email } : {}
+			};
+			continue;
+		}
+		store.profiles[profileId] = {
+			type: "oauth",
+			provider: String(cred.provider ?? provider),
+			access: cred.access,
+			refresh: cred.refresh,
+			expires: cred.expires,
+			...cred.enterpriseUrl ? { enterpriseUrl: cred.enterpriseUrl } : {},
+			...cred.projectId ? { projectId: cred.projectId } : {},
+			...cred.accountId ? { accountId: cred.accountId } : {},
+			...cred.email ? { email: cred.email } : {}
+		};
+	}
+}
+function loadAuthProfileStore() {
+	const authPath = resolveAuthStorePath();
+	const asStore = coerceAuthStore(loadJsonFile(authPath));
+	if (asStore) {
+		if (syncExternalCliCredentials(asStore)) saveJsonFile(authPath, asStore);
+		return asStore;
+	}
+	const legacy = coerceLegacyStore(loadJsonFile(resolveLegacyAuthStorePath()));
+	if (legacy) {
+		const store = {
+			version: AUTH_STORE_VERSION,
+			profiles: {}
+		};
+		applyLegacyStore(store, legacy);
+		syncExternalCliCredentials(store);
+		return store;
+	}
+	const store = {
+		version: AUTH_STORE_VERSION,
+		profiles: {}
+	};
+	syncExternalCliCredentials(store);
+	return store;
+}
+function loadAuthProfileStoreForAgent(agentDir, _options) {
+	const authPath = resolveAuthStorePath(agentDir);
+	const asStore = coerceAuthStore(loadJsonFile(authPath));
+	if (asStore) {
+		if (syncExternalCliCredentials(asStore)) saveJsonFile(authPath, asStore);
+		return asStore;
+	}
+	if (agentDir) {
+		const mainStore = coerceAuthStore(loadJsonFile(resolveAuthStorePath()));
+		if (mainStore && Object.keys(mainStore.profiles).length > 0) {
+			saveJsonFile(authPath, mainStore);
+			log$1.info("inherited auth-profiles from main agent", { agentDir });
+			return mainStore;
+		}
+	}
+	const legacy = coerceLegacyStore(loadJsonFile(resolveLegacyAuthStorePath(agentDir)));
+	const store = {
+		version: AUTH_STORE_VERSION,
+		profiles: {}
+	};
+	if (legacy) applyLegacyStore(store, legacy);
+	const mergedOAuth = mergeOAuthFileIntoStore(store);
+	const syncedCli = syncExternalCliCredentials(store);
+	const shouldWrite = legacy !== null || mergedOAuth || syncedCli;
+	if (shouldWrite) saveJsonFile(authPath, store);
+	if (shouldWrite && legacy !== null) {
+		const legacyPath = resolveLegacyAuthStorePath(agentDir);
+		try {
+			fs.unlinkSync(legacyPath);
+		} catch (err) {
+			if (err?.code !== "ENOENT") log$1.warn("failed to delete legacy auth.json after migration", {
+				err,
+				legacyPath
+			});
+		}
+	}
+	return store;
+}
+function ensureAuthProfileStore(agentDir, options) {
+	const store = loadAuthProfileStoreForAgent(agentDir, options);
+	const authPath = resolveAuthStorePath(agentDir);
+	const mainAuthPath = resolveAuthStorePath();
+	if (!agentDir || authPath === mainAuthPath) return store;
+	return mergeAuthProfileStores(loadAuthProfileStoreForAgent(void 0, options), store);
+}
+function saveAuthProfileStore(store, agentDir) {
+	saveJsonFile(resolveAuthStorePath(agentDir), {
+		version: AUTH_STORE_VERSION,
+		profiles: store.profiles,
+		order: store.order ?? void 0,
+		lastGood: store.lastGood ?? void 0,
+		usageStats: store.usageStats ?? void 0
+	});
+}
+
+//#endregion
+//#region src/agents/auth-profiles/profiles.ts
+async function setAuthProfileOrder(params) {
+	const providerKey = normalizeProviderId(params.provider);
+	const sanitized = params.order && Array.isArray(params.order) ? params.order.map((entry) => String(entry).trim()).filter(Boolean) : [];
+	const deduped = [];
+	for (const entry of sanitized) if (!deduped.includes(entry)) deduped.push(entry);
+	return await updateAuthProfileStoreWithLock({
+		agentDir: params.agentDir,
+		updater: (store) => {
+			store.order = store.order ?? {};
+			if (deduped.length === 0) {
+				if (!store.order[providerKey]) return false;
+				delete store.order[providerKey];
+				if (Object.keys(store.order).length === 0) store.order = void 0;
+				return true;
+			}
+			store.order[providerKey] = deduped;
+			return true;
+		}
+	});
+}
+function upsertAuthProfile(params) {
+	const credential = params.credential.type === "api_key" ? {
+		...params.credential,
+		...typeof params.credential.key === "string" ? { key: normalizeSecretInput(params.credential.key) } : {}
+	} : params.credential.type === "token" ? {
+		...params.credential,
+		token: normalizeSecretInput(params.credential.token)
+	} : params.credential;
+	const store = ensureAuthProfileStore(params.agentDir);
+	store.profiles[params.profileId] = credential;
+	saveAuthProfileStore(store, params.agentDir);
+}
+async function upsertAuthProfileWithLock(params) {
+	return await updateAuthProfileStoreWithLock({
+		agentDir: params.agentDir,
+		updater: (store) => {
+			store.profiles[params.profileId] = params.credential;
+			return true;
+		}
+	});
+}
+function listProfilesForProvider(store, provider) {
+	const providerKey = normalizeProviderId(provider);
+	return Object.entries(store.profiles).filter(([, cred]) => normalizeProviderId(cred.provider) === providerKey).map(([id]) => id);
+}
+
+//#endregion
+//#region src/agents/auth-profiles/repair.ts
+function getProfileSuffix(profileId) {
+	const idx = profileId.indexOf(":");
+	if (idx < 0) return "";
+	return profileId.slice(idx + 1);
+}
+function isEmailLike(value) {
+	const trimmed = value.trim();
+	if (!trimmed) return false;
+	return trimmed.includes("@") && trimmed.includes(".");
+}
+function suggestOAuthProfileIdForLegacyDefault(params) {
+	const providerKey = normalizeProviderId(params.provider);
+	if (getProfileSuffix(params.legacyProfileId) !== "default") return null;
+	const legacyCfg = params.cfg?.auth?.profiles?.[params.legacyProfileId];
+	if (legacyCfg && normalizeProviderId(legacyCfg.provider) === providerKey && legacyCfg.mode !== "oauth") return null;
+	const oauthProfiles = listProfilesForProvider(params.store, providerKey).filter((id) => params.store.profiles[id]?.type === "oauth");
+	if (oauthProfiles.length === 0) return null;
+	const configuredEmail = legacyCfg?.email?.trim();
+	if (configuredEmail) {
+		const byEmail = oauthProfiles.find((id) => {
+			const cred = params.store.profiles[id];
+			if (!cred || cred.type !== "oauth") return false;
+			return cred.email?.trim() === configuredEmail || id === `${providerKey}:${configuredEmail}`;
+		});
+		if (byEmail) return byEmail;
+	}
+	const lastGood = params.store.lastGood?.[providerKey] ?? params.store.lastGood?.[params.provider];
+	if (lastGood && oauthProfiles.includes(lastGood)) return lastGood;
+	const nonLegacy = oauthProfiles.filter((id) => id !== params.legacyProfileId);
+	if (nonLegacy.length === 1) return nonLegacy[0] ?? null;
+	const emailLike = nonLegacy.filter((id) => isEmailLike(getProfileSuffix(id)));
+	if (emailLike.length === 1) return emailLike[0] ?? null;
+	return null;
+}
+function repairOAuthProfileIdMismatch(params) {
+	const legacyProfileId = params.legacyProfileId ?? `${normalizeProviderId(params.provider)}:default`;
+	const legacyCfg = params.cfg.auth?.profiles?.[legacyProfileId];
+	if (!legacyCfg) return {
+		config: params.cfg,
+		changes: [],
+		migrated: false
+	};
+	if (legacyCfg.mode !== "oauth") return {
+		config: params.cfg,
+		changes: [],
+		migrated: false
+	};
+	if (normalizeProviderId(legacyCfg.provider) !== normalizeProviderId(params.provider)) return {
+		config: params.cfg,
+		changes: [],
+		migrated: false
+	};
+	const toProfileId = suggestOAuthProfileIdForLegacyDefault({
+		cfg: params.cfg,
+		store: params.store,
+		provider: params.provider,
+		legacyProfileId
+	});
+	if (!toProfileId || toProfileId === legacyProfileId) return {
+		config: params.cfg,
+		changes: [],
+		migrated: false
+	};
+	const toCred = params.store.profiles[toProfileId];
+	const toEmail = toCred?.type === "oauth" ? toCred.email?.trim() : void 0;
+	const nextProfiles = { ...params.cfg.auth?.profiles };
+	delete nextProfiles[legacyProfileId];
+	nextProfiles[toProfileId] = {
+		...legacyCfg,
+		...toEmail ? { email: toEmail } : {}
+	};
+	const providerKey = normalizeProviderId(params.provider);
+	const nextOrder = (() => {
+		const order = params.cfg.auth?.order;
+		if (!order) return;
+		const resolvedKey = Object.keys(order).find((key) => normalizeProviderId(key) === providerKey);
+		if (!resolvedKey) return order;
+		const existing = order[resolvedKey];
+		if (!Array.isArray(existing)) return order;
+		const replaced = existing.map((id) => id === legacyProfileId ? toProfileId : id).filter((id) => typeof id === "string" && id.trim().length > 0);
+		const deduped = [];
+		for (const entry of replaced) if (!deduped.includes(entry)) deduped.push(entry);
+		return {
+			...order,
+			[resolvedKey]: deduped
+		};
+	})();
+	return {
+		config: {
+			...params.cfg,
+			auth: {
+				...params.cfg.auth,
+				profiles: nextProfiles,
+				...nextOrder ? { order: nextOrder } : {}
+			}
+		},
+		changes: [`Auth: migrate ${legacyProfileId} → ${toProfileId} (OAuth profile id)`],
+		migrated: true,
+		fromProfileId: legacyProfileId,
+		toProfileId
+	};
+}
+
+//#endregion
+//#region src/agents/auth-profiles/doctor.ts
+function formatAuthDoctorHint(params) {
+	const providerKey = normalizeProviderId(params.provider);
+	if (providerKey !== "anthropic") return "";
+	const legacyProfileId = params.profileId ?? "anthropic:default";
+	const suggested = suggestOAuthProfileIdForLegacyDefault({
+		cfg: params.cfg,
+		store: params.store,
+		provider: providerKey,
+		legacyProfileId
+	});
+	if (!suggested || suggested === legacyProfileId) return "";
+	const storeOauthProfiles = listProfilesForProvider(params.store, providerKey).filter((id) => params.store.profiles[id]?.type === "oauth").join(", ");
+	const cfgMode = params.cfg?.auth?.profiles?.[legacyProfileId]?.mode;
+	const cfgProvider = params.cfg?.auth?.profiles?.[legacyProfileId]?.provider;
+	return [
+		"Doctor hint (for GitHub issue):",
+		`- provider: ${providerKey}`,
+		`- config: ${legacyProfileId}${cfgProvider || cfgMode ? ` (provider=${cfgProvider ?? "?"}, mode=${cfgMode ?? "?"})` : ""}`,
+		`- auth store oauth profiles: ${storeOauthProfiles || "(none)"}`,
+		`- suggested profile: ${suggested}`,
+		`Fix: run "${formatCliCommand("anima doctor --yes")}"`
+	].join("\n");
+}
+
+//#endregion
+//#region src/providers/qwen-portal-oauth.ts
+async function refreshQwenPortalCredentials(_opts) {
+	return null;
+}
+
+//#endregion
+//#region src/agents/chutes-oauth.ts
+const CHUTES_OAUTH_ISSUER = "https://api.chutes.ai";
+const CHUTES_AUTHORIZE_ENDPOINT = `${CHUTES_OAUTH_ISSUER}/idp/authorize`;
+const CHUTES_TOKEN_ENDPOINT = `${CHUTES_OAUTH_ISSUER}/idp/token`;
+const CHUTES_USERINFO_ENDPOINT = `${CHUTES_OAUTH_ISSUER}/idp/userinfo`;
+const DEFAULT_EXPIRES_BUFFER_MS = 300 * 1e3;
+function generateChutesPkce() {
+	const verifier = randomBytes(32).toString("hex");
+	return {
+		verifier,
+		challenge: createHash("sha256").update(verifier).digest("base64url")
+	};
+}
+function parseOAuthCallbackInput(input, expectedState) {
+	const trimmed = input.trim();
+	if (!trimmed) return { error: "No input provided" };
+	let url;
+	try {
+		url = new URL(trimmed);
+	} catch {
+		if (!/\s/.test(trimmed) && !trimmed.includes("://") && !trimmed.includes("?") && !trimmed.includes("=")) return { error: "Paste the full redirect URL (must include code + state)." };
+		const qs = trimmed.startsWith("?") ? trimmed : `?${trimmed}`;
+		try {
+			url = new URL(`http://localhost/${qs}`);
+		} catch {
+			return { error: "Paste the full redirect URL (must include code + state)." };
+		}
+	}
+	const code = url.searchParams.get("code")?.trim();
+	const state = url.searchParams.get("state")?.trim();
+	if (!code) return { error: "Missing 'code' parameter in URL" };
+	if (!state) return { error: "Missing 'state' parameter. Paste the full redirect URL." };
+	if (state !== expectedState) return { error: "OAuth state mismatch - possible CSRF attack. Please retry login." };
+	return {
+		code,
+		state
+	};
+}
+function coerceExpiresAt(expiresInSeconds, now) {
+	const value = now + Math.max(0, Math.floor(expiresInSeconds)) * 1e3 - DEFAULT_EXPIRES_BUFFER_MS;
+	return Math.max(value, now + 3e4);
+}
+async function fetchChutesUserInfo(params) {
+	const response = await (params.fetchFn ?? fetch)(CHUTES_USERINFO_ENDPOINT, { headers: { Authorization: `Bearer ${params.accessToken}` } });
+	if (!response.ok) return null;
+	const data = await response.json();
+	if (!data || typeof data !== "object") return null;
+	return data;
+}
+async function exchangeChutesCodeForTokens(params) {
+	const fetchFn = params.fetchFn ?? fetch;
+	const now = params.now ?? Date.now();
+	const body = new URLSearchParams({
+		grant_type: "authorization_code",
+		client_id: params.app.clientId,
+		code: params.code,
+		redirect_uri: params.app.redirectUri,
+		code_verifier: params.codeVerifier
+	});
+	if (params.app.clientSecret) body.set("client_secret", params.app.clientSecret);
+	const response = await fetchFn(CHUTES_TOKEN_ENDPOINT, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body
+	});
+	if (!response.ok) {
+		const text = await response.text();
+		throw new Error(`Chutes token exchange failed: ${text}`);
+	}
+	const data = await response.json();
+	const access = data.access_token?.trim();
+	const refresh = data.refresh_token?.trim();
+	const expiresIn = data.expires_in ?? 0;
+	if (!access) throw new Error("Chutes token exchange returned no access_token");
+	if (!refresh) throw new Error("Chutes token exchange returned no refresh_token");
+	const info = await fetchChutesUserInfo({
+		accessToken: access,
+		fetchFn
+	});
+	return {
+		access,
+		refresh,
+		expires: coerceExpiresAt(expiresIn, now),
+		email: info?.username,
+		accountId: info?.sub,
+		clientId: params.app.clientId
+	};
+}
+async function refreshChutesTokens(params) {
+	const fetchFn = params.fetchFn ?? fetch;
+	const now = params.now ?? Date.now();
+	const refreshToken = params.credential.refresh?.trim();
+	if (!refreshToken) throw new Error("Chutes OAuth credential is missing refresh token");
+	const clientId = params.credential.clientId?.trim() ?? process.env.CHUTES_CLIENT_ID?.trim();
+	if (!clientId) throw new Error("Missing CHUTES_CLIENT_ID for Chutes OAuth refresh (set env var or re-auth).");
+	const clientSecret = process.env.CHUTES_CLIENT_SECRET?.trim() || void 0;
+	const body = new URLSearchParams({
+		grant_type: "refresh_token",
+		client_id: clientId,
+		refresh_token: refreshToken
+	});
+	if (clientSecret) body.set("client_secret", clientSecret);
+	const response = await fetchFn(CHUTES_TOKEN_ENDPOINT, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body
+	});
+	if (!response.ok) {
+		const text = await response.text();
+		throw new Error(`Chutes token refresh failed: ${text}`);
+	}
+	const data = await response.json();
+	const access = data.access_token?.trim();
+	const newRefresh = data.refresh_token?.trim();
+	const expiresIn = data.expires_in ?? 0;
+	if (!access) throw new Error("Chutes token refresh returned no access_token");
+	return {
+		...params.credential,
+		access,
+		refresh: newRefresh || refreshToken,
+		expires: coerceExpiresAt(expiresIn, now),
+		clientId
+	};
+}
+
+//#endregion
+//#region src/agents/auth-profiles/oauth.ts
+const OAUTH_PROVIDER_IDS = new Set(getOAuthProviders().map((provider) => provider.id));
+const isOAuthProvider = (provider) => OAUTH_PROVIDER_IDS.has(provider);
+const resolveOAuthProvider = (provider) => isOAuthProvider(provider) ? provider : null;
+function buildOAuthApiKey(provider, credentials) {
+	return provider === "google-gemini-cli" || provider === "google-antigravity" ? JSON.stringify({
+		token: credentials.access,
+		projectId: credentials.projectId
+	}) : credentials.access;
+}
+async function refreshOAuthTokenWithLock(params) {
+	const authPath = resolveAuthStorePath(params.agentDir);
+	ensureAuthStoreFile(authPath);
+	return await withFileLock(authPath, AUTH_STORE_LOCK_OPTIONS, async () => {
+		const store = ensureAuthProfileStore(params.agentDir);
+		const cred = store.profiles[params.profileId];
+		if (!cred || cred.type !== "oauth") return null;
+		if (Date.now() < cred.expires) return {
+			apiKey: buildOAuthApiKey(cred.provider, cred),
+			newCredentials: cred
+		};
+		const oauthCreds = { [cred.provider]: cred };
+		const result = String(cred.provider) === "chutes" ? await (async () => {
+			const newCredentials = await refreshChutesTokens({ credential: cred });
+			return {
+				apiKey: newCredentials.access,
+				newCredentials
+			};
+		})() : String(cred.provider) === "qwen-portal" ? await (async () => {
+			const newCredentials = await refreshQwenPortalCredentials(cred);
+			return {
+				apiKey: newCredentials.access,
+				newCredentials
+			};
+		})() : await (async () => {
+			const oauthProvider = resolveOAuthProvider(cred.provider);
+			if (!oauthProvider) return null;
+			return await getOAuthApiKey(oauthProvider, oauthCreds);
+		})();
+		if (!result) return null;
+		store.profiles[params.profileId] = {
+			...cred,
+			...result.newCredentials,
+			type: "oauth"
+		};
+		saveAuthProfileStore(store, params.agentDir);
+		return result;
+	});
+}
+async function tryResolveOAuthProfile(params) {
+	const { cfg, store, profileId } = params;
+	const cred = store.profiles[profileId];
+	if (!cred || cred.type !== "oauth") return null;
+	const profileConfig = cfg?.auth?.profiles?.[profileId];
+	if (profileConfig && profileConfig.provider !== cred.provider) return null;
+	if (profileConfig && profileConfig.mode !== cred.type) return null;
+	if (Date.now() < cred.expires) return {
+		apiKey: buildOAuthApiKey(cred.provider, cred),
+		provider: cred.provider,
+		email: cred.email
+	};
+	const refreshed = await refreshOAuthTokenWithLock({
+		profileId,
+		agentDir: params.agentDir
+	});
+	if (!refreshed) return null;
+	return {
+		apiKey: refreshed.apiKey,
+		provider: cred.provider,
+		email: cred.email
+	};
+}
+async function resolveApiKeyForProfile(params) {
+	const { cfg, store, profileId } = params;
+	const cred = store.profiles[profileId];
+	if (!cred) return null;
+	const profileConfig = cfg?.auth?.profiles?.[profileId];
+	if (profileConfig && profileConfig.provider !== cred.provider) return null;
+	if (profileConfig && profileConfig.mode !== cred.type) {
+		if (!(profileConfig.mode === "oauth" && cred.type === "token")) return null;
+	}
+	if (cred.type === "api_key") {
+		const key = cred.key?.trim();
+		if (!key) return null;
+		return {
+			apiKey: key,
+			provider: cred.provider,
+			email: cred.email
+		};
+	}
+	if (cred.type === "token") {
+		const token = cred.token?.trim();
+		if (!token) return null;
+		if (typeof cred.expires === "number" && Number.isFinite(cred.expires) && cred.expires > 0 && Date.now() >= cred.expires) return null;
+		return {
+			apiKey: token,
+			provider: cred.provider,
+			email: cred.email
+		};
+	}
+	if (Date.now() < cred.expires) return {
+		apiKey: buildOAuthApiKey(cred.provider, cred),
+		provider: cred.provider,
+		email: cred.email
+	};
+	try {
+		const result = await refreshOAuthTokenWithLock({
+			profileId,
+			agentDir: params.agentDir
+		});
+		if (!result) return null;
+		return {
+			apiKey: result.apiKey,
+			provider: cred.provider,
+			email: cred.email
+		};
+	} catch (error) {
+		const refreshedStore = ensureAuthProfileStore(params.agentDir);
+		const refreshed = refreshedStore.profiles[profileId];
+		if (refreshed?.type === "oauth" && Date.now() < refreshed.expires) return {
+			apiKey: buildOAuthApiKey(refreshed.provider, refreshed),
+			provider: refreshed.provider,
+			email: refreshed.email ?? cred.email
+		};
+		const fallbackProfileId = suggestOAuthProfileIdForLegacyDefault({
+			cfg,
+			store: refreshedStore,
+			provider: cred.provider,
+			legacyProfileId: profileId
+		});
+		if (fallbackProfileId && fallbackProfileId !== profileId) try {
+			const fallbackResolved = await tryResolveOAuthProfile({
+				cfg,
+				store: refreshedStore,
+				profileId: fallbackProfileId,
+				agentDir: params.agentDir
+			});
+			if (fallbackResolved) return fallbackResolved;
+		} catch {}
+		if (params.agentDir) try {
+			const mainCred = ensureAuthProfileStore(void 0).profiles[profileId];
+			if (mainCred?.type === "oauth" && Date.now() < mainCred.expires) {
+				refreshedStore.profiles[profileId] = { ...mainCred };
+				saveAuthProfileStore(refreshedStore, params.agentDir);
+				log$1.info("inherited fresh OAuth credentials from main agent", {
+					profileId,
+					agentDir: params.agentDir,
+					expires: new Date(mainCred.expires).toISOString()
+				});
+				return {
+					apiKey: buildOAuthApiKey(mainCred.provider, mainCred),
+					provider: mainCred.provider,
+					email: mainCred.email
+				};
+			}
+		} catch {}
+		const message = error instanceof Error ? error.message : String(error);
+		const hint = formatAuthDoctorHint({
+			cfg,
+			store: refreshedStore,
+			provider: cred.provider,
+			profileId
+		});
+		throw new Error(`OAuth token refresh failed for ${cred.provider}: ${message}. Please try again or re-authenticate.` + (hint ? `\n\n${hint}` : ""), { cause: error });
+	}
+}
+
+//#endregion
+//#region src/agents/auth-profiles/usage.ts
+function resolveProfileUnusableUntil$1(stats) {
+	const values = [stats.cooldownUntil, stats.disabledUntil].filter((value) => typeof value === "number").filter((value) => Number.isFinite(value) && value > 0);
+	if (values.length === 0) return null;
+	return Math.max(...values);
+}
+/**
+* Check if a profile is currently in cooldown (due to rate limiting or errors).
+*/
+function isProfileInCooldown(store, profileId) {
+	const stats = store.usageStats?.[profileId];
+	if (!stats) return false;
+	const unusableUntil = resolveProfileUnusableUntil$1(stats);
+	return unusableUntil ? Date.now() < unusableUntil : false;
+}
+function resolveProfileUnusableUntilForDisplay(store, profileId) {
+	const stats = store.usageStats?.[profileId];
+	if (!stats) return null;
+	return resolveProfileUnusableUntil$1(stats);
+}
+
+//#endregion
+//#region src/agents/auth-profiles/order.ts
+function resolveProfileUnusableUntil(stats) {
+	const values = [stats.cooldownUntil, stats.disabledUntil].filter((value) => typeof value === "number").filter((value) => Number.isFinite(value) && value > 0);
+	if (values.length === 0) return null;
+	return Math.max(...values);
+}
+function resolveAuthProfileOrder(params) {
+	const { cfg, store, provider, preferredProfile } = params;
+	const providerKey = normalizeProviderId(provider);
+	const now = Date.now();
+	const storedOrder = (() => {
+		const order = store.order;
+		if (!order) return;
+		for (const [key, value] of Object.entries(order)) if (normalizeProviderId(key) === providerKey) return value;
+	})();
+	const configuredOrder = (() => {
+		const order = cfg?.auth?.order;
+		if (!order) return;
+		for (const [key, value] of Object.entries(order)) if (normalizeProviderId(key) === providerKey) return value;
+	})();
+	const explicitOrder = storedOrder ?? configuredOrder;
+	const explicitProfiles = cfg?.auth?.profiles ? Object.entries(cfg.auth.profiles).filter(([, profile]) => normalizeProviderId(profile.provider) === providerKey).map(([profileId]) => profileId) : [];
+	const baseOrder = explicitOrder ?? (explicitProfiles.length > 0 ? explicitProfiles : listProfilesForProvider(store, providerKey));
+	if (baseOrder.length === 0) return [];
+	const filtered = baseOrder.filter((profileId) => {
+		const cred = store.profiles[profileId];
+		if (!cred) return false;
+		if (normalizeProviderId(cred.provider) !== providerKey) return false;
+		const profileConfig = cfg?.auth?.profiles?.[profileId];
+		if (profileConfig) {
+			if (normalizeProviderId(profileConfig.provider) !== providerKey) return false;
+			if (profileConfig.mode !== cred.type) {
+				if (!(profileConfig.mode === "oauth" && cred.type === "token")) return false;
+			}
+		}
+		if (cred.type === "api_key") return Boolean(cred.key?.trim());
+		if (cred.type === "token") {
+			if (!cred.token?.trim()) return false;
+			if (typeof cred.expires === "number" && Number.isFinite(cred.expires) && cred.expires > 0 && now >= cred.expires) return false;
+			return true;
+		}
+		if (cred.type === "oauth") return Boolean(cred.access?.trim() || cred.refresh?.trim());
+		return false;
+	});
+	const deduped = [];
+	for (const entry of filtered) if (!deduped.includes(entry)) deduped.push(entry);
+	if (explicitOrder && explicitOrder.length > 0) {
+		const available = [];
+		const inCooldown = [];
+		for (const profileId of deduped) {
+			const cooldownUntil = resolveProfileUnusableUntil(store.usageStats?.[profileId] ?? {}) ?? 0;
+			if (typeof cooldownUntil === "number" && Number.isFinite(cooldownUntil) && cooldownUntil > 0 && now < cooldownUntil) inCooldown.push({
+				profileId,
+				cooldownUntil
+			});
+			else available.push(profileId);
+		}
+		const cooldownSorted = inCooldown.toSorted((a, b) => a.cooldownUntil - b.cooldownUntil).map((entry) => entry.profileId);
+		const ordered = [...available, ...cooldownSorted];
+		if (preferredProfile && ordered.includes(preferredProfile)) return [preferredProfile, ...ordered.filter((e) => e !== preferredProfile)];
+		return ordered;
+	}
+	const sorted = orderProfilesByMode(deduped, store);
+	if (preferredProfile && sorted.includes(preferredProfile)) return [preferredProfile, ...sorted.filter((e) => e !== preferredProfile)];
+	return sorted;
+}
+function orderProfilesByMode(order, store) {
+	const now = Date.now();
+	const available = [];
+	const inCooldown = [];
+	for (const profileId of order) if (isProfileInCooldown(store, profileId)) inCooldown.push(profileId);
+	else available.push(profileId);
+	const sorted = available.map((profileId) => {
+		const type = store.profiles[profileId]?.type;
+		return {
+			profileId,
+			typeScore: type === "oauth" ? 0 : type === "token" ? 1 : type === "api_key" ? 2 : 3,
+			lastUsed: store.usageStats?.[profileId]?.lastUsed ?? 0
+		};
+	}).toSorted((a, b) => {
+		if (a.typeScore !== b.typeScore) return a.typeScore - b.typeScore;
+		return a.lastUsed - b.lastUsed;
+	}).map((entry) => entry.profileId);
+	const cooldownSorted = inCooldown.map((profileId) => ({
+		profileId,
+		cooldownUntil: resolveProfileUnusableUntil(store.usageStats?.[profileId] ?? {}) ?? now
+	})).toSorted((a, b) => a.cooldownUntil - b.cooldownUntil).map((entry) => entry.profileId);
+	return [...sorted, ...cooldownSorted];
+}
+
+//#endregion
+//#region src/agents/auth-profiles.ts
+var auth_profiles_exports = /* @__PURE__ */ __exportAll({ ensureAuthProfileStore: () => ensureAuthProfileStore });
+
+//#endregion
+export { SYNTHETIC_DEFAULT_MODEL_REF as $, normalizeModelRef as A, CODEX_CLI_PROFILE_ID as At, QIANFAN_BASE_URL as B, withFileLock as C, buildCloudflareAiGatewayModelDefinition as Ct, getModelRefStatus as D, DEFAULT_PROVIDER as Dt, buildModelAliasIndex as E, DEFAULT_MODEL as Et, resolveConfiguredModelRef as F, VENICE_BASE_URL as G, XIAOMI_DEFAULT_MODEL_ID as H, resolveDefaultModelForAgent as I, buildVeniceModelDefinition as J, VENICE_DEFAULT_MODEL_REF as K, resolveHooksGmailModel as L, parseModelRef as M, resolveAllowedModelRef as N, isCliProvider as O, resolveAuthProfileDisplayLabel as Ot, resolveAllowlistModelKey as P, SYNTHETIC_BASE_URL as Q, resolveModelRefFromString as R, saveJsonFile as S, CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF as St, buildConfiguredAllowlistKeys as T, DEFAULT_CONTEXT_TOKENS as Tt, buildQianfanProvider as U, QIANFAN_DEFAULT_MODEL_ID as V, buildXiaomiProvider as W, TOGETHER_MODEL_CATALOG as X, TOGETHER_BASE_URL as Y, buildTogetherModelDefinition as Z, updateAuthProfileStoreWithLock as _, HUGGINGFACE_BASE_URL as _t, resolveApiKeyForProfile as a, resolveApiKeyForProvider as at, resolveAnimaAgentDir as b, discoverHuggingfaceModels as bt, generateChutesPkce as c, resolveModelAuthMode as ct, listProfilesForProvider as d, getShellEnvAppliedKeys as dt, SYNTHETIC_MODEL_CATALOG as et, setAuthProfileOrder as f, getShellPathFromLoginShell as ft, loadAuthProfileStore as g, shouldEnableShellEnvFallback as gt, ensureAuthProfileStore as h, shouldDeferShellEnvFallback as ht, resolveProfileUnusableUntilForDisplay as i, requireApiKey as it, normalizeProviderId as j, modelKey as k, CLAUDE_CLI_PROFILE_ID as kt, parseOAuthCallbackInput as l, normalizeOptionalSecretInput as lt, upsertAuthProfileWithLock as m, resolveShellEnvFallbackTimeoutMs as mt, resolveAuthProfileOrder as n, getApiKeyForModel as nt, CHUTES_AUTHORIZE_ENDPOINT as o, resolveAwsSdkEnvVarName as ot, upsertAuthProfile as p, loadShellEnvFallback as pt, VENICE_MODEL_CATALOG as q, isProfileInCooldown as r, getCustomProviderApiKey as rt, exchangeChutesCodeForTokens as s, resolveEnvApiKey as st, auth_profiles_exports as t, buildSyntheticModelDefinition as tt, repairOAuthProfileIdMismatch as u, normalizeSecretInput as ut, resolveAuthStorePath as v, HUGGINGFACE_MODEL_CATALOG as vt, buildAllowedModelSet as w, resolveCloudflareAiGatewayBaseUrl as wt, loadJsonFile as x, isHuggingfacePolicyLocked as xt, resolveAuthStorePathForDisplay as y, buildHuggingfaceModelDefinition as yt, resolveThinkingDefault as z };