@ouro.bot/cli 0.1.0-alpha.55 → 0.1.0-alpha.550

package/dist/heart/providers/anthropic.js

@@ -1,9 +1,43 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.toAnthropicMessages = toAnthropicMessages;
+exports.classifyAnthropicError = classifyAnthropicError;
 exports.createAnthropicProviderRuntime = createAnthropicProviderRuntime;
 const sdk_1 = __importDefault(require("@anthropic-ai/sdk"));
 const config_1 = require("../config");
@@ -11,12 +45,10 @@ const identity_1 = require("../identity");
 const runtime_1 = require("../../nerves/runtime");
 const streaming_1 = require("../streaming");
 const model_capabilities_1 = require("../model-capabilities");
+const error_classification_1 = require("./error-classification");
 const ANTHROPIC_SETUP_TOKEN_PREFIX = "sk-ant-oat01-";
 const ANTHROPIC_SETUP_TOKEN_MIN_LENGTH = 80;
 const ANTHROPIC_OAUTH_BETA_HEADER = "claude-code-20250219,oauth-2025-04-20,fine-grained-tool-streaming-2025-05-14,interleaved-thinking-2025-05-14";
-function getAnthropicSecretsPathForGuidance() {
-    return (0, identity_1.getAgentSecretsPath)();
-}
 function getAnthropicAgentNameForGuidance() {
     return (0, identity_1.getAgentName)();
 }
@@ -24,10 +56,8 @@ function getAnthropicSetupTokenInstructions() {
     const agentName = getAnthropicAgentNameForGuidance();
     return [
         "Fix:",
-        `  1. Run \`npm run auth:claude-setup-token -- --agent ${agentName}\``,
-        "     (or run `claude setup-token` and paste the token manually)",
-        `  2. Open ${getAnthropicSecretsPathForGuidance()}`,
-        "  3. Confirm providers.anthropic.setupToken is set",
+        `  1. Run \`ouro auth --agent ${agentName} --provider anthropic\``,
+        "  2. After reauth, retry the failed ouro command or reconnect this session.",
     ].join("\n");
 }
 function getAnthropicReauthGuidance(reason) {
@@ -37,8 +67,7 @@ function getAnthropicReauthGuidance(reason) {
         getAnthropicSetupTokenInstructions(),
     ].join("\n");
 }
-function resolveAnthropicSetupTokenCredential() {
-    const anthropicConfig = (0, config_1.getAnthropicConfig)();
+function resolveAnthropicSetupTokenCredential(anthropicConfig) {
     const token = anthropicConfig.setupToken?.trim();
     if (!token) {
         throw new Error(getAnthropicReauthGuidance("Anthropic provider is selected but no setup-token credential was found."));
@@ -187,25 +216,19 @@ function mergeAnthropicToolArguments(current, partial) {
     }
     return current + partial;
 }
+function classifyAnthropicError(error) {
+    return (0, error_classification_1.classifyHttpError)(error, {
+        isAuthFailure: isAnthropicAuthFailure,
+        isServerError: (e) => e.status === 529,
+    });
+}
 function isAnthropicAuthFailure(error) {
-    if (!(error instanceof Error))
-        return false;
-    const status = error.status;
-    if (status === 401 || status === 403)
-        return true;
     const lower = error.message.toLowerCase();
     return (lower.includes("oauth authentication") ||
         lower.includes("authentication failed") ||
         lower.includes("unauthorized") ||
         lower.includes("invalid api key"));
 }
-function withAnthropicAuthGuidance(error) {
-    const base = error instanceof Error ? error.message : String(error);
-    if (isAnthropicAuthFailure(error)) {
-        return new Error(getAnthropicReauthGuidance(`Anthropic authentication failed (${base}).`));
-    }
-    return error instanceof Error ? error : new Error(String(error));
-}
 async function streamAnthropicMessages(client, model, request) {
     const { system, messages } = toAnthropicMessages(request.messages);
     const anthropicTools = toAnthropicTools(request.activeTools);
@@ -216,21 +239,49 @@ async function streamAnthropicMessages(client, model, request) {
         max_tokens: maxTokens,
         messages,
         stream: true,
-        thinking: { type: "adaptive", effort: request.reasoningEffort ?? "medium" },
+        thinking: { type: "adaptive" },
+        output_config: { effort: request.reasoningEffort ?? "medium" },
     };
-    if (system)
-        params.system = system;
+    // The Anthropic API requires a Claude Code identification block in the system
+    // prompt when using OAuth setup tokens (sk-ant-oat01). Without it, Opus/Sonnet
+    // 4.6 requests are rejected with 400. This is the API's validation that the
+    // token is being used by a Claude Code client.
+    const preambleText = "You are Claude Code, Anthropic's official CLI for Claude.";
+    if (request.systemPrompt) {
+        // Structured SystemPrompt: merge preamble + stable prefix into one cached block,
+        // volatile suffix as a separate uncached block.
+        const stableBlock = {
+            type: "text",
+            text: preambleText + "\n\n" + request.systemPrompt.stable,
+            cache_control: { type: "ephemeral" },
+        };
+        if (request.systemPrompt.volatile) {
+            params.system = [stableBlock, { type: "text", text: request.systemPrompt.volatile }];
+        }
+        else {
+            params.system = [stableBlock];
+        }
+    }
+    else if (system) {
+        // Fallback: no structured prompt, extract from messages (legacy path)
+        params.system = [{ type: "text", text: preambleText }, { type: "text", text: system }];
+    }
+    else {
+        params.system = [{ type: "text", text: preambleText }];
+    }
     if (anthropicTools.length > 0)
         params.tools = anthropicTools;
     if (request.toolChoiceRequired && anthropicTools.length > 0) {
-        params.tool_choice = { type: "any" };
+        // Thinking (adaptive or enabled) only supports tool_choice "auto" or "none".
+        // "any" forces tool use which is incompatible with extended thinking.
+        params.tool_choice = params.thinking ? { type: "auto" } : /* v8 ignore next -- no-thinking path: thinking always set for 4.6 models @preserve */ { type: "any" };
     }
     let response;
     try {
         response = await client.messages.create(params, request.signal ? { signal: request.signal } : {});
     }
     catch (error) {
-        throw withAnthropicAuthGuidance(error);
+        throw error instanceof Error ? error : new Error(String(error));
     }
     let content = "";
     let streamStarted = false;
@@ -238,7 +289,7 @@ async function streamAnthropicMessages(client, model, request) {
     const toolCalls = new Map();
     const thinkingBlocks = new Map();
     const redactedBlocks = new Map();
-    const answerStreamer = new streaming_1.FinalAnswerStreamer(request.callbacks);
+    const answerStreamer = new streaming_1.SettleStreamer(request.callbacks, request.eagerSettleStreaming);
     try {
         for await (const event of response) {
             if (request.signal?.aborted)
@@ -264,9 +315,9 @@ async function streamAnthropicMessages(client, model, request) {
                         name,
                         arguments: input,
                     });
-                    // Activate eager streaming for sole final_answer tool call
-                    /* v8 ignore next -- final_answer streaming activation, tested via FinalAnswerStreamer unit tests @preserve */
-                    if (name === "final_answer" && toolCalls.size === 1) {
+                    // Activate eager streaming for sole settle tool call
+                    /* v8 ignore next -- settle streaming activation, tested via SettleStreamer unit tests @preserve */
+                    if (name === "settle" && toolCalls.size === 1) {
                         answerStreamer.activate();
                     }
                 }
@@ -311,8 +362,8 @@ async function streamAnthropicMessages(client, model, request) {
                     if (existing) {
                         const partialJson = String(delta?.partial_json ?? "");
                         existing.arguments = mergeAnthropicToolArguments(existing.arguments, partialJson);
-                        /* v8 ignore next -- final_answer delta streaming, tested via FinalAnswerStreamer unit tests @preserve */
-                        if (existing.name === "final_answer" && toolCalls.size === 1) {
+                        /* v8 ignore next -- settle delta streaming, tested via SettleStreamer unit tests @preserve */
+                        if (existing.name === "settle" && toolCalls.size === 1) {
                             answerStreamer.processDelta(partialJson);
                         }
                     }
@@ -336,7 +387,7 @@ async function streamAnthropicMessages(client, model, request) {
         }
     }
     catch (error) {
-        throw withAnthropicAuthGuidance(error);
+        throw error instanceof Error ? error : /* v8 ignore next -- defensive: stream errors are always Error @preserve */ new Error(String(error));
     }
     // Collect all thinking blocks (regular + redacted) sorted by index to preserve ordering
     const allThinkingIndices = [...thinkingBlocks.keys(), ...redactedBlocks.keys()].sort((a, b) => a - b);
@@ -351,37 +402,62 @@ async function streamAnthropicMessages(client, model, request) {
         toolCalls: [...toolCalls.values()],
         outputItems,
         usage,
-        finalAnswerStreamed: answerStreamer.streamed,
+        settleStreamed: answerStreamer.streamed,
     };
 }
-function createAnthropicProviderRuntime() {
+function createAnthropicProviderRuntime(model, anthropicConfig = (0, config_1.getAnthropicConfig)()) {
     (0, runtime_1.emitNervesEvent)({
         component: "engine",
         event: "engine.provider_init",
         message: "anthropic provider init",
         meta: { provider: "anthropic" },
     });
-    const anthropicConfig = (0, config_1.getAnthropicConfig)();
-    if (!(anthropicConfig.model && anthropicConfig.setupToken)) {
-        throw new Error(getAnthropicReauthGuidance("provider 'anthropic' is selected in agent.json but providers.anthropic.model/setupToken is incomplete in secrets.json."));
+    if (!anthropicConfig.setupToken) {
+        throw new Error(getAnthropicReauthGuidance("provider 'anthropic' is selected but anthropic.setupToken is missing in the agent vault."));
     }
-    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(anthropicConfig.model);
+    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);
     const capabilities = new Set();
     if (modelCaps.reasoningEffort)
         capabilities.add("reasoning-effort");
-    const credential = resolveAnthropicSetupTokenCredential();
-    const client = new sdk_1.default({
-        authToken: credential.token,
-        timeout: 30000,
-        maxRetries: 0,
-        defaultHeaders: {
-            "anthropic-beta": ANTHROPIC_OAUTH_BETA_HEADER,
-        },
-    });
+    const credential = resolveAnthropicSetupTokenCredential(anthropicConfig);
+    const refreshToken = anthropicConfig.refreshToken;
+    const expiresAt = anthropicConfig.expiresAt;
+    function createClient(token) {
+        return new sdk_1.default({
+            authToken: token,
+            maxRetries: 0,
+            defaultHeaders: {
+                "anthropic-beta": ANTHROPIC_OAUTH_BETA_HEADER,
+                "anthropic-dangerous-direct-browser-access": "true",
+                "user-agent": "claude-cli/2.1.2 (external, cli)",
+                "x-app": "cli",
+            },
+        });
+    }
+    let currentToken = credential.token;
+    let client = createClient(currentToken);
+    /* v8 ignore start -- token refresh: dynamic import + ensureFreshToken, tested via integration @preserve */
+    async function ensureClient() {
+        try {
+            const { ensureFreshToken } = await Promise.resolve().then(() => __importStar(require("./anthropic-token")));
+            const { getAgentName } = await Promise.resolve().then(() => __importStar(require("../identity")));
+            const freshToken = await ensureFreshToken(currentToken, refreshToken, expiresAt, getAgentName());
+            if (freshToken !== currentToken) {
+                currentToken = freshToken;
+                client = createClient(freshToken);
+            }
+        }
+        catch {
+            // refresh failed — use existing client
+        }
+        return client;
+    }
+    /* v8 ignore stop */
     return {
         id: "anthropic",
-        model: anthropicConfig.model,
-        client,
+        model,
+        /* v8 ignore next -- getter: returns mutable client ref @preserve */
+        get client() { return client; },
         capabilities,
         supportedReasoningEfforts: modelCaps.reasoningEffort,
         resetTurnState(_messages) {
@@ -390,8 +466,19 @@ function createAnthropicProviderRuntime() {
         appendToolOutput(_callId, _output) {
             // Anthropic uses canonical messages for tool_result tracking.
         },
-        streamTurn(request) {
-            return streamAnthropicMessages(client, anthropicConfig.model, request);
+        async streamTurn(request) {
+            const freshClient = await ensureClient();
+            return streamAnthropicMessages(freshClient, model, request);
+        },
+        /* v8 ignore start -- ping: tested via provider-ping.test.ts @preserve */
+        async ping(signal) {
+            const freshClient = await ensureClient();
+            await freshClient.messages.create({ model: "claude-haiku-4-5-20251001", max_tokens: 1, messages: [{ role: "user", content: "ping" }] }, { signal, headers: { "anthropic-beta": "claude-code-20250219,oauth-2025-04-20" } });
+        },
+        /* v8 ignore stop */
+        /* v8 ignore next 3 -- delegation: classification logic tested via classifyAnthropicError @preserve */
+        classifyError(error) {
+            return classifyAnthropicError(error);
         },
     };
 }

package/dist/heart/providers/azure.js

@@ -1,39 +1,114 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.classifyAzureError = classifyAzureError;
+exports.createAzureTokenProvider = createAzureTokenProvider;
 exports.createAzureProviderRuntime = createAzureProviderRuntime;
 const openai_1 = require("openai");
 const config_1 = require("../config");
 const runtime_1 = require("../../nerves/runtime");
 const streaming_1 = require("../streaming");
 const model_capabilities_1 = require("../model-capabilities");
-function createAzureProviderRuntime() {
+const error_classification_1 = require("./error-classification");
+const COGNITIVE_SERVICES_SCOPE = "https://cognitiveservices.azure.com/.default";
+function classifyAzureError(error) {
+    return (0, error_classification_1.classifyHttpError)(error);
+}
+// @azure/identity is imported dynamically (below) rather than at the top level
+// because it's a heavy package (~30+ transitive deps) and we only need it when
+// using the managed-identity auth path. API-key users and other providers
+// shouldn't pay the cold-start cost.
+function createAzureTokenProvider(managedIdentityClientId) {
+    let credential = null;
+    return async () => {
+        try {
+            if (!credential) {
+                const { DefaultAzureCredential } = await Promise.resolve().then(() => __importStar(require("@azure/identity")));
+                const credentialOptions = managedIdentityClientId
+                    ? { managedIdentityClientId }
+                    : undefined;
+                credential = new DefaultAzureCredential(credentialOptions);
+            }
+            const tokenResponse = await credential.getToken(COGNITIVE_SERVICES_SCOPE);
+            return tokenResponse.token;
+        }
+        catch (err) {
+            const detail = err instanceof Error ? err.message : String(err);
+            throw new Error(`Azure OpenAI authentication failed: ${detail}\n` +
+                "To fix this, either:\n" +
+                "  1. Run `ouro auth --agent <agent> --provider azure`, or\n" +
+                "  2. Run 'az login' to authenticate with your Azure account (for local dev), or\n" +
+                "  3. Attach a managed identity to your App Service and store azure.managedIdentityClientId in the agent vault.");
+        }
+    };
+}
+function createAzureProviderRuntime(model, azureConfig = (0, config_1.getAzureConfig)()) {
+    const useApiKey = !!azureConfig.apiKey;
+    const authMethod = useApiKey ? "key" : "managed-identity";
     (0, runtime_1.emitNervesEvent)({
         component: "engine",
         event: "engine.provider_init",
         message: "azure provider init",
-        meta: { provider: "azure" },
+        meta: { provider: "azure", authMethod },
     });
-    const azureConfig = (0, config_1.getAzureConfig)();
-    if (!(azureConfig.apiKey && azureConfig.endpoint && azureConfig.deployment && azureConfig.modelName)) {
-        throw new Error("provider 'azure' is selected in agent.json but providers.azure is incomplete in secrets.json.");
+    if (!(azureConfig.endpoint && azureConfig.deployment)) {
+        throw new Error("provider 'azure' is selected but azure endpoint/deployment is incomplete in the agent vault. Run `ouro auth --agent <agent> --provider azure`.");
     }
-    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(azureConfig.modelName);
+    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);
     const capabilities = new Set();
     if (modelCaps.reasoningEffort)
         capabilities.add("reasoning-effort");
-    const client = new openai_1.AzureOpenAI({
-        apiKey: azureConfig.apiKey,
+    const clientOptions = {
         endpoint: azureConfig.endpoint.replace(/\/openai.*$/, ""),
         deployment: azureConfig.deployment,
         apiVersion: azureConfig.apiVersion,
-        timeout: 30000,
         maxRetries: 0,
-    });
+    };
+    if (useApiKey) {
+        clientOptions.apiKey = azureConfig.apiKey;
+    }
+    else {
+        const managedIdentityClientId = azureConfig.managedIdentityClientId || undefined;
+        clientOptions.azureADTokenProvider = createAzureTokenProvider(managedIdentityClientId);
+    }
+    const client = new openai_1.AzureOpenAI(clientOptions);
     let nativeInput = null;
     let nativeInstructions = "";
     return {
         id: "azure",
-        model: azureConfig.modelName,
+        model,
         client,
         capabilities,
         supportedReasoningEfforts: modelCaps.reasoningEffort,
@@ -45,7 +120,7 @@ function createAzureProviderRuntime() {
         appendToolOutput(callId, output) {
             if (!nativeInput)
                 return;
-            nativeInput.push({ type: "function_call_output", call_id: callId, output });
+            nativeInput.push({ type: "function_call_output", call_id: callId, output: (0, streaming_1.truncateResponsesFunctionCallOutput)(output) });
         },
         async streamTurn(request) {
             if (!nativeInput)
@@ -64,10 +139,19 @@ function createAzureProviderRuntime() {
                 params.metadata = { trace_id: request.traceId };
             if (request.toolChoiceRequired)
                 params.tool_choice = "required";
-            const result = await (0, streaming_1.streamResponsesApi)(this.client, params, request.callbacks, request.signal);
+            const result = await (0, streaming_1.streamResponsesApi)(this.client, params, request.callbacks, request.signal, request.eagerSettleStreaming);
             for (const item of result.outputItems)
                 nativeInput.push(item);
             return result;
         },
+        /* v8 ignore start -- ping: tested via provider-ping.test.ts @preserve */
+        async ping(signal) {
+            await this.client.responses.create({ model: this.model, input: "ping", max_output_tokens: 16 }, { signal });
+        },
+        /* v8 ignore stop */
+        /* v8 ignore next 3 -- delegation: classification logic tested via classifyAzureError @preserve */
+        classifyError(error) {
+            return classifyAzureError(error);
+        },
     };
 }

package/dist/heart/providers/error-classification.js

@@ -0,0 +1,127 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isNetworkError = isNetworkError;
+exports.classifyHttpError = classifyHttpError;
+exports.extractProviderErrorDetails = extractProviderErrorDetails;
+exports.summarizeProviderError = summarizeProviderError;
+const runtime_1 = require("../../nerves/runtime");
+// Node socket / DNS error codes that indicate a transient network failure.
+const NETWORK_ERROR_CODES = new Set([
+    "ECONNRESET",
+    "ECONNREFUSED",
+    "ENOTFOUND",
+    "ETIMEDOUT",
+    "EPIPE",
+    "EAI_AGAIN",
+    "EHOSTUNREACH",
+    "ENETUNREACH",
+    "ECONNABORTED",
+]);
+// Substrings the OpenAI/Anthropic SDKs use when wrapping fetch/socket failures
+// into Error.message instead of an err.code.
+const NETWORK_ERROR_MESSAGE_PATTERNS = [
+    "fetch failed",
+    "socket hang up",
+    "getaddrinfo",
+    "request timed out", // OpenAI SDK timeout — see SDK source
+    "request timeout",
+    "connection error",
+];
+// True if the error looks like a transient network issue (no HTTP status, just
+// a socket/DNS/timeout failure from the underlying transport).
+function isNetworkError(error) {
+    const code = error.code || "";
+    if (NETWORK_ERROR_CODES.has(code))
+        return true;
+    const msg = (error.message || "").toLowerCase();
+    return NETWORK_ERROR_MESSAGE_PATTERNS.some((pat) => msg.includes(pat));
+}
+// Standard HTTP error → ProviderErrorClassification mapping. Providers wrap
+// this with their own overrides.
+function classifyHttpError(error, overrides) {
+    const status = error.status;
+    if (overrides?.isAuthFailure?.(error) || status === 401 || status === 403) {
+        return "auth-failure";
+    }
+    if (status === 429) {
+        if (overrides?.isUsageLimit?.(error))
+            return "usage-limit";
+        return "rate-limit";
+    }
+    if (overrides?.isServerError?.(error) || (status !== undefined && status >= 500)) {
+        return "server-error";
+    }
+    if (isNetworkError(error))
+        return "network-error";
+    return "unknown";
+}
+// Pull HTTP status and a redacted body excerpt off a provider error if
+// either is present. SDK shapes: OpenAI puts `status` on the error, body
+// often on `error.error` or `error.response`. Keep this purely defensive —
+// any missing field returns undefined so callers can decide whether to
+// include it. The body excerpt is capped to 240 chars and stripped of
+// known auth-token-looking substrings.
+const ERROR_BODY_EXCERPT_MAX = 240;
+const TOKEN_PATTERN = /[A-Za-z0-9_\-]{32,}/g;
+function shorten(value) {
+    const collapsed = value.replace(/\s+/g, " ").trim();
+    if (collapsed.length === 0)
+        return "";
+    const redacted = collapsed.replace(TOKEN_PATTERN, "[redacted]");
+    return redacted.length > ERROR_BODY_EXCERPT_MAX
+        ? `${redacted.slice(0, ERROR_BODY_EXCERPT_MAX - 3)}...`
+        : redacted;
+}
+function extractProviderErrorDetails(error) {
+    const details = {};
+    const status = error.status;
+    if (typeof status === "number" && Number.isFinite(status))
+        details.status = status;
+    const errorAsRecord = error;
+    const candidates = [
+        errorAsRecord.error,
+        errorAsRecord.response,
+        errorAsRecord.body,
+        error.message,
+    ];
+    /* v8 ignore start -- candidate-shape branches: production provider errors expose string messages; object-shaped error.body and the string-false fall-through are fallbacks for non-OpenAI SDK shapes @preserve */
+    for (const candidate of candidates) {
+        if (!candidate)
+            continue;
+        if (typeof candidate === "string") {
+            const excerpt = shorten(candidate);
+            if (excerpt) {
+                details.bodyExcerpt = excerpt;
+                break;
+            }
+        }
+        else if (typeof candidate === "object") {
+            try {
+                const excerpt = shorten(JSON.stringify(candidate));
+                if (excerpt) {
+                    details.bodyExcerpt = excerpt;
+                    break;
+                }
+            }
+            catch {
+                // Circular structure or otherwise unstringifyable; skip.
+            }
+        }
+    }
+    /* v8 ignore stop */
+    return details;
+}
+function summarizeProviderError(error, classification, providerId, model) {
+    const details = extractProviderErrorDetails(error);
+    const statusPart = details.status !== undefined ? ` HTTP ${details.status}` : "";
+    const excerptPart = details.bodyExcerpt ? ` — ${details.bodyExcerpt}` : "";
+    return `provider ${providerId}/${model}: ${classification}${statusPart}${excerptPart}`;
+}
+/* v8 ignore start — module-level observability event */
+(0, runtime_1.emitNervesEvent)({
+    component: "engine",
+    event: "engine.error_classification_loaded",
+    message: "shared provider error classification loaded",
+    meta: {},
+});
+/* v8 ignore stop */